Full Report
Authors: Boudewijn Meijer and Rick Veldhoven
Introduction: As defensive security products improve, attackers must refine their craft. Gone are the days of executing malicious binaries from disk, especially ones well known to antivirus and Endpoint Detection and Response (EDR) vendors. Now, attackers focus on in-memory payload execution for both native and managed applications to evade … (excerpt truncated; source post: "Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation")
Analysis Summary
# Tool/Technique: Malware Virtualization (Fox-IT Custom VM)
## Overview
This technique involves the use of a custom-designed virtual machine (VM) and bytecode interpreter to execute malicious logic. Instead of executing native x86/x64 instructions that EDRs can easily monitor and signature, the malware runs a custom instruction set. This obfuscates the program's intent, as security tools cannot natively "understand" or emulate the custom bytecode, effectively moving the execution logic into an opaque environment.
## Technical Details
- **Type:** Evasion Technique / Custom Packer
- **Platform:** Windows (primarily targeted at x86/x64 architectures)
- **Capabilities:** Bytecode interpretation, instruction obfuscation, dynamic API resolution, anti-emulation, and in-memory execution.
- **First Seen:** Publicly detailed September 25, 2024 (developed internally by Fox-IT for Red Teaming).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - **T1027 - Obfuscated Files or Information**
    - **T1027.009 - Virtualized Code**
  - **T1497 - Virtualization/Sandbox Evasion**
  - **T1622 - Debugger Evasion**
- **TA0002 - Execution**
  - **T1106 - Native API**
## Functionality
### Core Capabilities
- **Custom ISA (Instruction Set Architecture):** Uses a non-standard set of opcodes, making standard disassemblers (like IDA Pro or Ghidra) ineffective without a custom plugin.
- **Bytecode Interpreter:** A dedicated "VM loop" that fetches, decodes, and executes custom instructions.
- **In-Memory Execution:** Payloads are unpacked and executed directly in memory, avoiding the creation of suspicious files on disk.
- **Metamorphic Interpreter:** Each build of the VM stub can have its instruction set scrambled, ensuring that even if one version is "solved," the next remains undetected.
### Advanced Features
- **Handler Randomization:** The mapping between bytecode values and their functional handlers (e.g., `ADD`, `XOR`, `JMP`) is randomized per sample.
- **Multi-stage Decoding:** The bytecode itself can be encrypted and only decrypted in small chunks as the VM instruction pointer advances.
- **Context Protection:** Manages its own virtual registers and stack, isolated from the host CPU's physical registers until a native API call is required.
## Indicators of Compromise
- **File Hashes:** No specific static hashes provided as the tool generates unique samples per use.
- **File Names:** Variable; often mimicking legitimate Windows system files or internal corporate software.
- **Registry Keys:** N/A (focuses on in-memory evasion).
- **Network Indicators:** C2 communication is produced by the interpreted payload, not by the VM itself (check for standard C2 frameworks such as Cobalt Strike or Sliver running inside the VM).
- **Behavioral Indicators:**
  - High CPU usage in a single thread (due to the overhead of the interpreter loop).
  - Indirect syscalls or frequent use of `GetProcAddress`/`LdrGetProcedureAddress` to bridge the VM with native APIs.
  - Large blobs of high-entropy data within the `.data` or `.rdata` sections of a PE file.
## Associated Threat Actors
- **Fox-SRT (Fox-IT Super Reconnaissance Team):** Used during professional Red Teaming engagements.
- **Advanced Persistent Threats (APTs):** Similar logic is historically seen in high-end malware like **FinFisher** or **Equation Group** tools.
## Detection Methods
- **Behavioral Detection:** Monitoring for "unnatural" execution flows where a small section of code (the VM loop) is executed millions of times while data pointers move through an opaque buffer.
- **Memory Scanning:** Utilizing tools like `Moneta` or `HollowsHunter` to find private executable memory regions or modified module headers.
- **Hardware Breakpoints/Tracing:** Using Intel PT (Processor Trace) or Last Branch Record (LBR) to observe the transition between the interpreter and native API calls.
- **YARA Rules:** Focus on identifying the "VM Entry" or "Dispatcher" patterns—specifically the switch-case or table-jump logic used to route bytecode to handlers.
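A defender-side illustration of the behavioral and tracing heuristics above, added here as example code (not from the Fox-IT post or tool): given indirect-branch records of the kind an LBR or Intel PT decode yields, it flags a source address that fires constantly and fans out to many distinct targets, which is the signature of a table-jump dispatcher routing bytecode to handlers. The trace is constructed inline; the addresses and thresholds are assumed values.

```python
from collections import Counter
import random

def dispatcher_candidates(branches, min_hits=100, min_targets=8, min_share=0.5):
    """Flag branch sources that behave like a bytecode dispatcher.

    branches: iterable of (src, dst) indirect-branch records, e.g. from an
    LBR or Intel PT decode. A site is reported when it fired at least
    min_hits times, reached at least min_targets distinct targets (the
    handler table fan-out) and accounts for at least min_share of all
    records (the "small loop executed millions of times" pattern).
    Returns [(src, hit_count, distinct_targets), ...] sorted by hits.
    """
    records = list(branches)
    total = len(records)
    if total == 0:
        return []
    hits = Counter(src for src, _ in records)
    fanout = {}
    for src, dst in records:
        fanout.setdefault(src, set()).add(dst)
    flagged = [
        (src, n, len(fanout[src]))
        for src, n in hits.items()
        if n >= min_hits and len(fanout[src]) >= min_targets and n / total >= min_share
    ]
    return sorted(flagged, key=lambda t: -t[1])

def make_sample_trace(seed=1):
    """Constructed trace (not real telemetry): one dispatcher at 0x401000
    jumping to 16 handlers 2000 times, mixed with 300 ordinary indirect
    calls from 50 different call sites to three imported functions."""
    rng = random.Random(seed)
    handlers = [0x402000 + 0x40 * i for i in range(16)]
    trace = [(0x401000, rng.choice(handlers)) for _ in range(2000)]
    trace += [(0x410000 + 0x10 * (i % 50), 0x7FF800000000 + 0x100 * (i % 3))
              for i in range(300)]
    rng.shuffle(trace)
    return trace

if __name__ == "__main__":
    for src, n, targets in dispatcher_candidates(make_sample_trace()):
        print(f"dispatcher-like site {src:#x}: {n} hits, {targets} distinct targets")
```

A legitimate embedded interpreter (the Lua case under Related Tools) produces the same fan-out signature, so treat a hit as a triage lead to combine with the memory-region checks rather than a verdict on its own.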
## Mitigation Strategies
- **Endpoint Detection & Response (EDR):** Deploy EDRs that utilize **AmsiScanBuffer** and ETW-Ti (Event Tracing for Windows Threat Intelligence) to monitor API calls after they have been "de-virtualized."
- **Reduced Attack Surface:** Implement strict Application Control policies (e.g., Windows Defender Application Control - WDAC) to prevent unsigned or untrusted binaries from executing the initial VM stub.
- **Memory Integrity:** Enable Hypervisor-Protected Code Integrity (HVCI) to prevent the execution of non-signed code in memory.
## Related Tools/Techniques
- **VMProtect / Themida:** Commercial software protection tools that use similar virtualization techniques.
- **Lua-based Malware:** Use of embedded legitimate interpreters to run malicious logic.
- **Tigress:** A diversifying virtualizing compiler used for research and obfuscation.