1. Home
  2. Techniques
  3. Enterprise
  4. Reflective Code Loading

Reflective Code Loading

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).[1][2][3][4][5] For example, the Assembly.Load() method executed by PowerShell may be abused to load raw code into the running process.[6]

Reflective code injection is very similar to Process Injection except that the "injection" loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.[3][4][7][8]

ID: T1620
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application control
Contributors: Jiraput Thamsongkrah; Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics; João Paulo de A. Filho, @Hug1nN__; Lior Ribak, SentinelOne; Rex Guo, @Xiaofei_REX, Confluera; Shlomi Salem, SentinelOne
Version: 1.2
Created: 05 October 2021
Last Modified: 09 February 2024
Version Permalink

Procedure Examples

ID Name Description
S1081 BADHATCH

BADHATCH can copy a large byte array of 64-bit shellcode into process memory and execute it with a call to CreateThread.[9]
S1063 Brute Ratel C4

Brute Ratel C4 has used reflective loading to execute malicious DLLs.[10]
S0154 Cobalt Strike

Cobalt Strike's execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR.[11]
S0625 Cuba

Cuba loaded the payload into memory using PowerShell.[12]

S0695 Donut

Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.[13]
S0367 Emotet

Emotet has reflectively loaded payloads into memory.[14]
S0661 FoggyWeb

FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory.[15]
S0666 Gelsemium

Gelsemium can use custom shellcode to map embedded DLLs into memory.[16]
S1022 IceApple

IceApple can use reflective code loading to load .NET assemblies into MSExchangeOWAAppPool on targeted Exchange servers.[17]
G0032 Lazarus Group

Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.[18][19]
S0447 Lokibot

Lokibot has reflectively loaded the decoded DLL into memory.[20]

S1059 metaMain

metaMain has reflectively loaded a DLL to read, decrypt, and load an orchestrator file.[21]
S0194 PowerSploit

PowerSploit reflectively loads a Windows PE file into a process.[22][23]
S1085 Sardonic

Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions.[24][25]
S0595 ThiefQuest

ThiefQuest uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.[26]
S0022 Uroburos

Uroburos has the ability to load new modules directly into memory using its Load Modules Mem command.[27]
S0689 WhisperGate

WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.[28]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe)
DS0009 Process OS API Execution

Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and Native API functions such as CreateThread(), memfd_create(), execve(), and/or execveat().[4][8]
DS0012 Script Script Execution

Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.[29][1]

References

  1. The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.
  2. Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.
  3. Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.
  4. 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.
  5. Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 4, 2021.
  6. Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.
  7. Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.
  8. Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.
  9. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  10. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  11. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  12. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  13. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  14. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  15. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  1. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  2. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  3. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  4. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  5. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  6. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  7. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  8. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  9. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  10. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  11. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  12. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  13. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023.
  14. MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.