What is an API?
An API (Application Programming Interface) is a set of rules and protocols that enable software applications to communicate and exchange data. It defines the methods and data formats for requests and responses between systems. APIs simplify complex operations by providing a consistent way to access specific functionalities. They include web, library, and operating system APIs. Security measures like authentication ensure that only authorized users can access API services.
Why Does Malware Use Windows APIs for Infection?
Malware frequently exploits legitimate Windows APIs to execute malicious activities while evading detection. By leveraging these well-established APIs, malware can blend in with regular system operations and bypass heuristic or signature-based detection methods. These APIs grant access to crucial system resources, enabling malware to perform actions such as file manipulation, network communication, and process control. This approach allows malware to mimic benign applications, complicating detection efforts.
Here are the common APIs used in malware:
System Information:
GetFileVersionInfo - Retrieves the version information of a particular file.
GetFileVersionInfoSize - Checks whether the version information can be retrieved and, if so, returns its size.
GetSystemInfo/GetNativeSystemInfo - Retrieves system information.
IsDebuggerPresent - Detects a user-mode debugger attached to the executable.
QueryPerformanceCounter - Gets the current value of the performance counter.
Threads and Processes:
CreateProcess - Create a new process along with threads.
GetCurrentProcess - Retrieve a pseudo-handle for a process.
GetCurrentProcessId - Retrieve the identifier of the current process.
CreateThread - Create a thread within a process.
SetThreadPriority/GetThreadPriority - Set and retrieve the priority of a thread within the context of a process.
GetProcessTimes - Retrieves the timing information about the process.
ExitProcess - Exit a process and the threads it spawned.
Registry API Calls:
RegSetValueEx - Set the data-type and value of a certain registry key.
RegCreateKeyEx - Create a registry key.
RegEnumKeyEx - Extract the data-type and value of a specific registry key.
RegQueryValueEx - Get the data-type and value of a specific registry key.
RegOpenKeyEx - Open a specific key.
RegCloseKey - Close the open handle to the specified registry key.
RegEnumValue - Enumerate the values under a given registry key path.
Persistence Mechanisms:
CreateService - Create Windows services.
StartService - Start Windows services.
ShellExecute/WinExec - Execute files or commands.
SetWindowsHookEx - Install hooks for keylogging.
Cryptographic Operations:
CryptEncrypt/CryptDecrypt - Encrypt or decrypt data.
CryptGenKey/CryptImportKey - Generate or import cryptographic keys.
CryptHashData/CryptGetHashParam - Create and manage cryptographic hashes.
Privilege Escalation:
AdjustTokenPrivileges - Change token privileges.
LookupPrivilegeValue - Get the value of a privilege.
ImpersonateLoggedOnUser - Impersonate another user.
DLL Injection:
LoadLibrary - Load DLLs into a process.
FreeLibrary - Unload DLLs.
GetProcAddress - Get the address of a function in a DLL.
LdrLoadDll - Load a DLL using the native API.
Process Injection:
CreateRemoteThread - Creates a thread in the virtual address space of another process.
WriteProcessMemory - Writes data into the memory of another process.
VirtualAllocEx - Allocates memory in the address space of another process.
NtCreateThreadEx - Creates a thread in another process using the native API.
SetThreadContext - Sets the execution context for a specific thread.
GetThreadContext - Retrieves the execution context of a specific thread.
QueueUserAPC - Adds an asynchronous procedure call (APC) to the queue of a specified thread.
In conclusion, by leveraging legitimate Windows APIs, malware can seamlessly integrate into normal system activities, making it harder to detect. This technique allows malware to perform malicious actions while avoiding suspicion from security software. Understanding these tactics is crucial for improving detection methods and enhancing overall cybersecurity defenses.
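As an added example that is not part of the original post, the following Python script (standard library only) shows a defender-side triage heuristic built on the categories above: it pulls candidate API names out of raw bytes such as a PE import name table, strips the A/W (ANSI/Unicode) suffixes, buckets the names into the post's categories, and flags the combinations that rarely appear together in benign software. The sample bytes, the chain definitions and the scoring weights are constructed for illustration.

```python
import re

# API families taken from the post, keyed by its category names. Entries are
# stored without the A/W suffix so CreateProcessA and CreateProcessW both match.
CATEGORIES = {
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtCreateThreadEx", "SetThreadContext", "GetThreadContext",
                          "QueueUserAPC"},
    "dll_injection": {"LoadLibrary", "GetProcAddress", "LdrLoadDll", "FreeLibrary"},
    "persistence": {"CreateService", "StartService", "ShellExecute", "WinExec",
                    "SetWindowsHookEx"},
    "privilege_escalation": {"AdjustTokenPrivileges", "LookupPrivilegeValue",
                             "ImpersonateLoggedOnUser"},
    "anti_debug": {"IsDebuggerPresent", "QueryPerformanceCounter"},
    "registry": {"RegSetValueEx", "RegCreateKeyEx", "RegOpenKeyEx", "RegQueryValueEx"},
}
# Constructed chains: any single API is benign, the full set together is not.
CHAINS = {
    "remote_thread_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "apc_injection": {"VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC"},
    "service_persistence": {"CreateService", "StartService"},
}
NAME_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{5,}")  # printable ASCII identifiers

def normalize(name: str) -> str:
    """Strip the ANSI/Unicode suffix (RegSetValueExA -> RegSetValueEx)."""
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

def extract_api_names(blob: bytes) -> set:
    """Pull candidate API names out of raw bytes (e.g. a PE import name table)."""
    return {normalize(m.group().decode()) for m in NAME_RE.finditer(blob)}

def triage(blob: bytes) -> dict:
    """Return matched categories, completed suspicious chains and a constructed score."""
    names = extract_api_names(blob)
    hits = {cat: sorted(names & apis) for cat, apis in CATEGORIES.items() if names & apis}
    chains = [c for c, needed in CHAINS.items() if needed <= names]
    # Weighting is illustrative: a completed chain counts three times a lone category hit.
    return {"categories": hits, "chains": chains, "score": len(hits) + 3 * len(chains)}

# Constructed sample: the kind of strings a dropper's import table would expose.
SAMPLE = (b"\x00KERNEL32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
          b"CreateRemoteThread\x00IsDebuggerPresent\x00CreateProcessW\x00"
          b"ADVAPI32.dll\x00RegSetValueExA\x00AdjustTokenPrivileges\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against the raw bytes of a sample's import section rather than the whole file to keep false positives from code and data strings low.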
Happy hunting!