Threat actors were spotted using a decade-old antivirus evasion technique in at least three malware distribution campaigns.
A HawkEye Reborn keylogger, Remcos remote access trojan (RAT), and various other cryptocurrency mining trojan campaigns are using the "Heaven's Gate" technique to avoid antivirus detection, Cisco Talos researchers said in a July 1 blog post.
The technique is a trick that allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment. The malware is packed, comes with its own obfuscation, is never written to the disk, and is always hidden inside the loader making it difficult for antivirus systems to detect.
In all of the recent campaigns, researchers observed the malware infection process starting with the threat actor sending emails to victims disguised as invoices, banking statements and other financial-related topics.
The malicious emails typically contain Microsoft Excel spreadsheets or Microsoft Word documents that leverage the CVE-2017-11882 vulnerability affecting Microsoft Equation Editor, and when opened act as malware downloaders.
The Heaven’s Gate exploit was first considered an advanced technique but slowly made its way into several rootkits and later spread to the Phenom trojan, Pony infostealer, and the Vawtrack (NeverQuest), Scylex, Nymaim, Ursnif (Gozi), and TrickBot banking trojans.
“Heaven's Gate can be quickly integrated across large portions of the threat landscape,” researchers said in the blog. “In many cases, the cybercriminals leveraging these kits lack the expertise to implement this type of functionality natively, but can instead leverage available loaders to achieve the same goal.”
Use of the attack method was curtailed after Microsoft rolled out the Control Flow Guard in Windows 10 which effectively prevented the code jump from WOW64 32-bit execution to the native 64-bit code execution space.
Despite the move, some threat actors are still using the technique to target legacy systems and the like as attacks were spotted before this most recent report as early as last year when it was abused by cryptocurrency miners and the Emotet trojan.