Approach behind Windows Malware’s auto-start, hiding & persistence

Amey Chavan
6 min read · Sep 2, 2021

Disclaimer: The information shared here is only for educational, research & study purposes. The author/creator does not support unethical things.

In this post, I want to showcase one implementation approach that malware authors might use to keep their malware hidden, keep its persistence, and also get it auto-started after every boot & logon. This is specific to the Windows operating system; tested on Windows 7 & above.

What is ‘Malware’ ?

As you may already know, or as described on Wikipedia, malware is any kind of software that is intentionally designed to cause damage to a computer, server, client, or computer network.

There exists a wide range of malware types, categorized by their severity, level of damage, behavior & so on. Recently, while following the C++ Win32 API documentation on Microsoft’s site, I discovered that there are several system headers that provide various system-level functionalities such as manipulating files and their attributes, networking, compression, fetching partition tables, manipulating the Windows Registry & so on.

By reading & understanding some portions of that great documentation, I developed a simple command line project in C++ called “InfoPuller” which has several ‘visible’ as well as ‘hidden’ features. The visible features are the list of menu items in the command window/terminal (see the top image) which the user can see & operate on.

The overview of all those features with references is available on the GitHub repo. Here we’ll cover the hidden (or sort of malicious) features that exist in the InfoPuller app:

  1. Copy the app to a different location & make it hidden.
  2. Change the Windows Registry to auto-start the app & other things after every boot & logon.

Copy App & Make Hidden

When the user launches the provided executable (.exe) file, i.e. InfoPuller.exe, for the first time, the application tries to copy itself from its current location to the user’s TMP/TEMP location. Then the file attributes of that copied file are changed in order to make it hidden.

The minified function definition below achieves this:

[Figure] Function to copy the app & make it hidden (the actual definition might be very detailed & verbose)

The general flow can be understood by following the function definition & comments in the picture, but the interesting function calls are:

  • GetCurrentDirectoryA() : Retrieves the current directory for the current process, that is, the directory containing our executable. This proves useful when copying the app as well as to avoid copying the same app again once it is auto-started on boot or logon; this will become clearer later.
  • GetTempPathA() : Retrieves the path of the directory designated for temporary files. Similarly, the path returned by this function is used when copying the app as well as to avoid copying the same app again once it is auto-started on boot or logon. In other words, comparing the path returned by GetCurrentDirectoryA() with the one returned here decides whether or not to copy the executable and to set the file’s hidden attribute.
  • CopyFileA() : Copies an existing file to a new file. Here we use it to copy the executable from the current directory to the TMP/TEMP location.
  • GetFileAttributesA() : Retrieves file system attributes for a specified file or directory. We get the attributes of the previously copied executable file to check them & make it hidden in the next step.
  • SetFileAttributesA() : Sets the attributes for a file or directory. The condition “!(iResult & FILE_ATTRIBUTE_HIDDEN)” holds true if the given file’s hidden attribute is not set. If so, we call this function, specifying the attributes to be set.
  • SecureZeroMemory() : Fills a block of memory with zeros in a way that is guaranteed to be secure (the compiler cannot optimize the call away). Also note that SecureZeroMemory() expands to RtlSecureZeroMemory().

When our function copyAppAndMakeHidden() has executed successfully, our executable will be a hidden file at the TMP/TEMP location (ignore the second file called “god_matrix.tmp” for now).

[Figure] Copied InfoPuller.exe & made it hidden..!

Change the Windows Registry

As mentioned before, the system headers provide great power to manipulate even the Registry of the Windows OS.

This function is a bit longer because it adds three entries to the Windows Registry for auto-start execution:

  1. Calculator key — with a value containing the command to launch the calculator.
  2. Notepad key — with a value containing the command to open a text file stored on the computer.
  3. Application key — with a value containing the command to launch the app itself using the previously hidden executable at the TMP/TEMP location.

Various malware families like Emotet, PLAINTEE, Rover and Ryuk have used the Windows Registry run keys / startup folder to achieve persistence. We have a great resource called MITRE ATT&CK, which is a globally-accessible knowledge base of adversary tactics & techniques based on real-world observations. There is a dedicated page called “Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder” that has a great explanation of such techniques observed in real-world Windows malware.

The minified function definition below achieves this:

[Figure] Function to manipulate the start-up Windows Registry (the actual definition might be very detailed & verbose)

Even though the function definition is longer, it should be fairly easy to get the general idea with the help of the comments in the above picture. Some very interesting function calls are:

  • RegOpenCurrentUser() : Retrieves a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating. The handle obtained from this function is used in the further operations.
  • RegSetKeyValueA() : Sets the data for the specified value in the specified registry key and subkey. It is used here to write the Calculator and Notepad entries.
  • GetTempPathA() : Retrieves the path of the directory designated for temporary files. Unlike previously, the intention here is to append the name of the executable file to the TMP/TEMP path & use it to construct the full command which will be stored as the value for the respective entry in the Windows Registry.
  • RegSetKeyValueA() : Called again to add the Application entry, whose value is the command constructed from the TMP/TEMP path above.
  • RegCloseKey() : Closes a handle to the specified registry key. It is recommended because registry key handles should not be left open any longer than necessary.

Once our function messStartupRegistry() has executed successfully, the second hidden file called “god_matrix.tmp” is created as shown previously, and the three auto-start entries are added in the Windows Registry under the path “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” as shown below:

[Figure] Auto-start execution entries added in the Windows Registry

Finally, when the user starts the computer later & logs on to the desktop, these three application windows open automatically because of the entries we created in the registry. They will keep re-launching after every startup as long as the entries remain in the Windows Registry & the hidden files exist at the TMP/TEMP path:

[Figure] Three windows auto-started after system start-up & logon
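Both hidden features above leave the same trace: a value under the HKCU Run key whose command either executes from the user’s TMP/TEMP directory or opens a file dropped there. The following triage script is an added example, not code from the original post or the InfoPuller repository; it parses a constructed `reg export`-style dump of the Run key (the user name and paths are made up) and flags entries with that pattern.

```python
"""Added example, not from the original post: triage HKCU Run key entries."""
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the post's three entries (user name is made up).
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Calculator"="C:\\Windows\\System32\\calc.exe"
"Notepad"="notepad.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\god_matrix.tmp\""
"Application"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\InfoPuller.exe\""
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a quoted token or a bare token


def parse_run_key(reg_text):
    """Return {value name: command line} for the values under the Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith('['):
            # only the ...\CurrentVersion\Run key body is of interest
            in_run = line.rstrip(']').lower().endswith(r'\currentversion\run')
        elif in_run and (m := VALUE_RE.match(line)):
            # .reg data escapes backslashes and quotes as \\ and \" ; undo that
            entries[m['name']] = re.sub(r'\\(["\\])', r'\1', m['data'])
    return entries


def split_command(command):
    """Split a Run command into tokens, keeping quoted paths together."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def under_temp(path):
    """True if any path component is Temp/Tmp (the per-user %TEMP% location)."""
    return any(p.lower() in ('temp', 'tmp') for p in PureWindowsPath(path).parts)


def triage(entries):
    """Map value name -> list of reasons it is suspicious (empty list = clean)."""
    report = {}
    for name, command in entries.items():
        tokens, reasons = split_command(command), []
        if tokens and under_temp(tokens[0]):
            reasons.append('program executes from TEMP')
        if any(under_temp(arg) for arg in tokens[1:]):
            reasons.append('argument references a file in TEMP')
        report[name] = reasons
    return report


if __name__ == '__main__':
    for name, reasons in triage(parse_run_key(SAMPLE_REG_EXPORT)).items():
        print(f'{name}: {", ".join(reasons) or "no finding"}')
```

On a live system the same logic can be fed the output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (decoded from UTF-16), and a flagged target should additionally be checked for the hidden attribute the post describes.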

So here we can imagine how this can be extended to do crazy things. We should be careful while downloading software from third-party sites, because adversaries may hide malware in it or add malicious code to the software’s source code; our computer might then get infected, resulting in important data being lost or stolen..!

I haven’t provided any source code of the InfoPuller app apart from the above minified definitions, but the executable is provided for experimentation under the ‘Executable’ directory on GitHub: https://github.com/apchavan/infopuller

I hope you enjoyed the post. Feedback is always welcome. Thank you..!
