TL;DR; Detect DLL injection with Comae Stardust. #MemoryForensics #Blockchain

Last year, I discussed potential risks with storing money on software-based solutions from smart-contracts security vulnerabilities to centralized exchanges.

Given the rising number of crypto-currency exchanges being targeted and hacked by criminals, a rising number of users are opting for having their wallet locally hosted on their machines. We will see one of the potential attack that could be used by malwares or attackers against wallets.

As I described in Decembermany wallet installers have been targeted and subverted by attackers — insuring to access to a critical mass of victims.

Although, by definition, a wallet is a piece of software and as any piece of software they can be vulnerable to security vulnerabilities and if they are not they can be modified such as the installer themselves or even in memory directly to leave a smaller footprint and making detection harder for the victims.

One popular technique used by fileless malwares is Reflective DLL injection into a target process. Unlike classic, DLL injection — the DLL is loaded from memory rather than from the disk. This technique has been described in the past by Stephen Fewer on his GitHub repository, and used in public post-exploitation framework such as PowerSploit.

Such techniques and malwares require extensive use of memory forensics to be detected. Hence using a platform such as Comae Stardust and utilities like Comae DumpIt to automate their detection during incident response or threat hunting exercises.

In the below examples we used three popular cryptocurrency wallets:

  • Ethereum Wallet (Ethereum Wallet.exe)
  • Bitcoin Wallet (bitcoin-qt.exe)
  • Monero Wallet (monero-wallet-gui.exe)

DLL injection is a fairly popular and mature concept used very frequently by attackers once they have code execution on a machine in order to either steal credentials or listen to the activity of a user. Those activities are usually left undetected due to their silent nature.

image

Create your Comae account now and get started with DumpIt on https://my.comae.com !

Annexes

image

Acquisition with Comae DumpIt via Comae PowerShell Command Line Interface.

image

Injected DLL inside Ethereum Wallet

image

Injected DLL inside Monero Wallet

image

Injected DLL in svchost and Bitcoin wallet