LockPoS, a point-of-sale malware program discovered in 2017 stealing payment card data from computers' memory, is now using a new malware injection technique designed to bypass antivirus hooks and evade detection.
Hod Gabriel, malware analyst at Cyberbit, reported in a company blog post that LockPoS uses three main routines – all of which are exported from ntdll.dll, a core Windows dynamic link library file – in order to inject malicious code into a remote process. The three routines used are: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx.
The technique is reportedly similar to that used by Flokibot POS malware, which shares the same botnet used for distribution – except LockPoS uses different API calls for the injection.
Gabriel said that one technique "involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code."
“This new malware injection technique suggests a new trend could be developing of using old sequences in a new way that makes detection difficult. Most EDR [Endpoint Detection and Response] and next-gen antivirus products already monitor the Windows functions in user mode. But in Windows 10, the kernel space is still guarded, so kernel functions can't be monitored,” Gabriel said.