Rope: Bypassing Behavioral Detection of Malware with Distributed ROP-Driven Execution

Conference: BlackHat USA 2021

The presentation discusses the limitations of current approaches to behavioral analysis and proposes a concept called Rope, which improves upon existing methods. The presentation also covers two new bypasses for Windows 10's Windows Defender Exploit Guard component and suggests directions for further research in the field of cybersecurity.
  • Behavioral analysis has limitations in detecting malware, especially in the case of distributed malware
  • Rope is a concept that improves upon existing methods by using duplication of object handles and sharing of objects to track injection techniques
  • Rope also suggests code-reuse-aware analysis and technologies for intercepting sensitive APIs
  • The presentation covers two new bypasses for Windows 10's Windows Defender Exploit Guard component
  • The presentation suggests further research in the field of cybersecurity to defend against next-generation malware and exploits
The presentation uses the example of distributed malware, which dilutes the temporal and spatial footprint of a payload by spreading it across multiple cooperating entities, to illustrate the limitations of current approaches to behavioral analysis.


Distributed malware concepts challenge the behavioral detection of AV and EDR solutions by diluting the temporal and spatial features of a malicious execution across multiple processes. Several notable families already adopt a modular design with distinct features delegated to cooperating individual components. Recent research pushed this idea further by splitting the code of a single component into chunks to be run by emulators injected in multiple processes. The shortcomings of these approaches, however, are the conspicuous features and primitives they rely on, which make them easy prey for state-of-the-art AV or EDR systems and may also conflict with OS mitigations for hardening processes.

In this talk, we will present Rope, a new covert distributed execution technique. Rope builds on transactional NTFS as a non-inspectable covert channel for payload distribution and execution coordination, and on return-oriented programming to encode the desired actions. Our technique seeks to minimize IoCs on the machine: for instance, it does not need any RWX region. Return-oriented programming is central for achieving the desired properties of our design and brings advantages against code-based detections. For its implementation, we designed a stealthy, usable injection primitive that temporarily hijacks threads from possibly hardened processes and ignites the distributed execution.

Every technique we use in Rope complies with presently available Windows 10 mitigations or bypasses them in original ways that the talk will detail. Our Rope malware samples successfully eluded popular AV and EDR solutions.