
New Memory Forensics Techniques to Defeat Device Monitoring Malware

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation covers the development of memory forensics algorithms to detect malware that monitors hardware devices and steals the captured data. The focus is on Windows 10, but Linux and Mac are also covered.
  • Memory forensics algorithms that detect malware monitoring hardware devices (keyboard, clipboard, microphone, web camera) in order to steal data
  • Primary focus on Windows 10; Linux and Mac are also covered
  • How malware abuses operating system APIs and subsystems to gain access to hardware devices
  • Proof-of-concept applications that reproduce the malware behaviour in a controlled manner
  • Why memory forensics is needed for malware that lives only in memory and never touches disk
  • Anecdote about Microsoft destroying a company that sells commercial spyware with memory-only capabilities
The presenter mentions a recent incident in which Microsoft destroyed a company in Australia that sells commercial spyware to governments around the world. That tool set had memory-only capabilities, which highlights why memory forensics is needed to detect memory-only malware.

Abstract

Malware that is capable of monitoring hardware devices poses a significant threat to the privacy and security of users and organizations. Common capabilities of such malware include keystroke logging, clipboard monitoring, sampling of microphone audio, and recording of web camera footage. All modern operating systems implement APIs that give processes access to hardware, and all of them have been abused to monitor the activity of journalists and dissidents, conduct espionage operations, and gather data needed for blackmail. Existing memory forensic methods for detecting these techniques are largely confined to malware that operates within kernel space. The use of kernel rootkits has waned in recent years, though, as operating systems have sharply locked down access to kernel memory. These limitations on kernel rootkits, together with the easy-to-use userland APIs that provide access to hardware devices, have led to many device monitoring malware samples that operate solely within process memory. Unfortunately, current methods for detecting such malware are severely outdated or completely lacking. They include live forensics, which relies on system APIs; those APIs are often hooked by the malware to hide its activity. Partial memory forensic techniques exist for Windows but are outdated, and several monitoring techniques across operating systems have no detection support at all. Given the recent emphasis on memory analysis, such as in the CISA directives related to ProxyLogon and SolarWinds, it is imperative that memory forensic techniques are able to properly detect modern threats. In this presentation, we present our effort to develop algorithms capable of detecting userland device monitoring malware across all major operating systems. Our efforts led to several Volatility plugins that automatically locate all information about processes that are monitoring hardware devices.
We plan to contribute our Volatility additions to the community during Black Hat.
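The abstract's argument against live forensics is that the system APIs a live tool would call are the same ones the malware hooks, so a memory forensics tool has to read the function bytes out of the memory image itself and compare them with the on-disk copy of the module. The following is an added example of that comparison, written for this page; it is not code from the talk or from Volatility. The module base and size, the export name, the prologue bytes and the hook targets are all constructed for the example.

```python
"""Inline-hook check on an API prologue.

Added example, not code from the talk or from Volatility. A memory forensics
tool reads the first bytes of an exported function straight out of the memory
image (never through the possibly hooked live API) and compares them with the
on-disk copy of the DLL. Everything below is constructed: the module mapping,
the prologue bytes, the placeholder export name and the hook targets.
"""

import struct

# Constructed module layout: a hypothetical DLL mapped in the target process.
MODULE_BASE = 0x7FFE0000
MODULE_SIZE = 0x20000

# Constructed x64 prologue as stored on disk:  sub rsp,28h ; mov rdx,rcx
DISK_PROLOGUE = bytes.fromhex("4883ec28488bd1")

MASK64 = 0xFFFFFFFFFFFFFFFF


def make_jmp_hook(va: int, target: int, original: bytes) -> bytes:
    """What the prologue looks like after a 5-byte JMP rel32 hook overwrote
    its first five bytes (constructed test input, the attacker's side)."""
    rel = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel) + original[5:]


def decode_transfer(code: bytes, va: int):
    """Decode the control-flow transfers hooks commonly plant at a function
    start (x64 encodings). Returns (kind, target) or None; target is None when
    resolving it would need a further memory read."""
    if len(code) >= 5 and code[0] in (0xE8, 0xE9):              # call/jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        kind = "call" if code[0] == 0xE8 else "jmp"
        return kind, (va + 5 + rel) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]  # absolute
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp [rip+disp32]
        return "jmp [rip+disp32]", None                           # pointer not read here
    return None


def in_module(addr: int, base: int, size: int) -> bool:
    return base <= addr < base + size


def check_export(name, va, disk_bytes, mem_bytes, base=MODULE_BASE, size=MODULE_SIZE):
    """Compare the in-memory prologue with the on-disk one and classify it.
    A transfer that leaves the module's mapped range is the classic sign of a
    userland hook redirecting the API into injected code."""
    report = {"export": name, "va": va, "modified": disk_bytes != mem_bytes,
              "transfer": None, "target": None, "verdict": "clean"}
    if not report["modified"]:
        return report
    decoded = decode_transfer(mem_bytes, va)
    if decoded is None:
        report["verdict"] = "patched, no transfer decoded"
        return report
    kind, target = decoded
    report["transfer"], report["target"] = kind, target
    if target is None:
        report["verdict"] = f"patched, indirect {kind} (resolve pointer)"
    elif in_module(target, base, size):
        report["verdict"] = f"patched, {kind} stays inside module"
    else:
        report["verdict"] = f"patched, {kind} leaves module to {target:#x}"
    return report


def demo():
    """Clean copy versus a copy hooked to jump at a constructed address
    outside the module (the kind of unbacked region injected code lives in)."""
    va = MODULE_BASE + 0x1234
    hooked = make_jmp_hook(va, 0x00DE0000, DISK_PROLOGUE)
    return [check_export("PlaceholderExport", va, DISK_PROLOGUE, DISK_PROLOGUE),
            check_export("PlaceholderExport", va, DISK_PROLOGUE, hooked)]


if __name__ == "__main__":
    for r in demo():
        print(r["export"], "->", r["verdict"])
```

Two caveats a practitioner would apply before trusting the comparison: both byte strings must come from the memory image and the mapped file, not from API calls on the live system, and the on-disk bytes must have the loader's relocation and import fixups applied (or the comparison restricted to code bytes that those fixups never touch) so that legitimate loader changes are not reported as hooks. A modified prologue on its own shows that something is intercepting the API; tying it to device monitoring still requires the kind of process-level inspection the abstract describes.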
