Spyware hunters expand their toolset

Powerful mobile spyware tools from the for-hire surveillance industry have attracted increasing attention lately as tech companies and governments grapple with the scale of the threat. But spyware that targets laptops and desktops is extremely common in an array of cyberattacks, from state-sponsored espionage to financially motivated scams. In response to this growing threat, researchers from incident response firm Volexity and Louisiana State University presented new, advanced tools at the Black Hat security conference in Las Vegas last week that practitioners can use to detect more PC spyware on Windows 10, macOS 12 and Linux computers.

Widely used PC spyware (the type that often keylogs targets, tracks their mouse movements and clicks, listens through a computer’s microphone, and pulls photos or videos from the camera) can be tricky to detect because attackers intentionally design it to leave a minimal footprint. Rather than installing itself on a target’s hard drive like a normal application, the malware (or its most important components) exists and runs only in the target computer’s memory, or RAM. That means it doesn’t raise some of the classic red flags, doesn’t show up in regular logs, and is wiped when the device restarts.

Enter the field of “memory forensics”, which develops techniques precisely to assess what is happening in this liminal space. At Black Hat, the researchers announced new detection algorithms, based on their findings, for the open-source memory forensics framework Volatility.

“Memory forensics was very different five or six years ago in terms of how it was used in the field both for incident response and by law enforcement,” Andrew Case, director of Volexity, told WIRED. (Case is also one of the main developers of Volatility.) “But for evidence or artifacts from a memory sample to be used in court or in some type of legal proceeding, we need to know that the tools are working as intended and the algorithms are validated. These latest additions to Black Hat are truly hardcore new techniques in our efforts to build verified frameworks.”

Case points out that extensive spyware detection tools are needed because Volexity and other security companies regularly see real-life examples of hackers deploying memory-only spyware in their attacks. In late July, for example, Microsoft and security firm RiskIQ released detailed findings and mitigations to counter the Subzero malware from an Austrian commercial spyware company, DSIRF.

“Victims noted [targeted with Subzero] to date include law firms, banks and strategic consultants in countries including Austria, the UK and Panama,” Microsoft and RiskIQ wrote. Subzero’s primary payload, they added, “resides exclusively in memory to evade detection. It contains a variety of features, including keylogging, capturing screenshots, file exfiltration, running a remote shell, and running arbitrary plugins.”

The researchers particularly focused on refining their detection of how different operating systems communicate with “hardware devices”, meaning sensors and components such as the keyboard and camera. By monitoring how different parts of the system work and communicate with each other, and looking for new behaviors or connections, memory forensics algorithms can detect and analyze more potentially malicious activity. One such possibility, for example, is to monitor a long-running operating system process, such as the one that lets users log into a system, and report it if additional code is injected into that process after it starts. Code that appeared only later could be a sign of malicious manipulation.
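To make that last idea concrete, here is an added example in the spirit of a memory-forensics check, written for this article rather than taken from Volatility or the researchers' work. It assumes a simplified, constructed view of a process's memory regions (start, size, protection, backing file, first bytes) and flags executable memory that is not backed by a file on disk and was not present when the process started; the paths, addresses and bytes are made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Region:
    """One virtual memory region of a process (constructed, simplified view)."""
    start: int
    size: int
    protection: str             # Windows-style constant, e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # backing file on disk; None for private memory
    head: bytes                 # first bytes of the region

def classify(r: Region) -> Optional[str]:
    """Return a reason string if the region looks like injected code, else None."""
    # Legitimate code is executable *and* backed by an image file on disk.
    if "EXECUTE" not in r.protection or r.mapped_file is not None:
        return None
    # Executable private memory that was never written holds nothing to inspect.
    if not any(r.head):
        return None
    if r.head.startswith(b"MZ"):
        return "unbacked PE image (manually mapped module)"
    return "unbacked executable bytes (possible shellcode)"

def find_injected(regions):
    """Map region start -> reason for every region that looks injected."""
    return {r.start: classify(r) for r in regions if classify(r)}

def new_code_since(baseline, current):
    """Flagged regions in `current` that did not exist when the baseline was taken."""
    known = {r.start for r in baseline}
    return {s: why for s, why in find_injected(current).items() if s not in known}

# Constructed snapshots of a logon process: right after start, and some time later.
BASELINE = [
    Region(0x00400000, 0x20000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\winlogon.exe", b"MZ\x90\x00\x03"),
    Region(0x7FF00000, 0x1F0000, "PAGE_EXECUTE_READ", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00\x03"),
    Region(0x01A00000, 0x10000, "PAGE_READWRITE", None, b"\x00\x00\x00\x00"),  # ordinary heap
]
LATER = BASELINE + [
    Region(0x02B00000, 0x5000, "PAGE_EXECUTE_READWRITE", None, b"MZ\x90\x00\x03"),   # unbacked PE image
    Region(0x02C00000, 0x1000, "PAGE_EXECUTE_READWRITE", None, b"\xFC\x48\x83\xE4"), # raw code bytes
    Region(0x02D00000, 0x1000, "PAGE_EXECUTE_READWRITE", None, b"\x00\x00\x00\x00"), # allocated, empty
]

if __name__ == "__main__":
    for start, why in new_code_since(BASELINE, LATER).items():
        print(f"0x{start:08x}: {why}")
```

Real tools work from a full memory image and add many more signals (page tables, thread start addresses, hooked imports), but the core question is the same one the article describes: is there executable code in this process that the process did not load from disk?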

Geraldine D. Luckett