Tracking Process Hollowing Malware Using EDR

AhnLab Security Emergency response Center (ASEC) once released a report on the types and distribution trends of .NET packers as shown in the post below. As indicated in the report, most .NET packers do not create actual malicious executables hidden via packing features in the local path, injecting malware in normal processes to run them instead. 

.NET packers are being exploited as initial distribution files or as mid-process loaders for various malware types such as Remcos, FormBook, ScrubCypt, AsyncRAT, etc. It can be difficult to detect malware that is hidden within a .NET packer if it is a backdoor type controlled by C2 commands. This is because it will not engage in any specific activities other than communicating with the C2 server if the backdoor is dormant and not receiving commands.

AhnLab EDR records behavior logs of malware with .NET packers performing process hollowing. These logs help greatly in preventing additional damage by detecting breaches and securing C2 by tracking them. The figure below shows how AhnLab EDR can detect a .NET packer performing process hollowing.

Figure 1 displays the EDR detection diagram of a .NET packer (Malware_exe.exe) distributing the Remcos malware. This .NET packer (Malware_exe.exe) carries out process hollowing on a normal process (AddinProcess32.exe) with Remcos. Figure 2 shows the details about the subject and target of process hollowing. Through process hollowing, Remcos can operate within AddinProcess32.exe without having to create a file in the user environment. Remcos only communicates with the C2 server while operating within the normal process such as AddinProcess32.exe (see Figure 3). If the backdoor remains dormant without receiving commands from the C2 server, it does not exhibit any additional behavior apart from C2 communication. However, breaches can be discovered through the detection of the hollowing behavior. 

Figure 1. EDR detection diagram
Figure 2. EDR detection diagram (process hollowing)
Figure 3. EDR detection diagram (C2 communication)

It is possible to observe the details related to process hollowing and C2 communication in the timeline of AhnLab EDR detection. In Figure 4, you can see the details about the .NET packer subject performing process hollowing and the targeted process. Additionally, Figure 5 showcases the C2 communication of Remcos which is operating within the hollowed normal process (AddinProcess32.exe).

Figure 4. EDR detection timeline (process hollowing)
Figure 5. EDR detection timeline (C2 communication)

AhnLab V3 and EDR products detect these .NET packers that use the process hollowing technique with the aliases below.

[File Detection]

[Behavior Detection]

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

Categories:AhnLab Detection

Tagged as:

5 1 vote
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] post Tracking Process Hollowing Malware Using EDR appeared first on ASEC […]