CyberSecurity updates
Updated: 2024-10-17 20:24:09 Pacfic

Flag This

learn.microsoft.com

Call Stack Spoofing Technique Used by APT41: Obfuscating Malicious Activity - 3h


Read more: learn.microsoft.com

APT41 has been observed utilizing call stack spoofing techniques to evade detection by EDR and other security software. Call stack spoofing involves constructing a fake call stack that mimics a legitimate call stack, obscuring the true origin of function calls and hindering analysis. This technique was observed in the Dodgebox malware, which was used by APT41 to trick antivirus and EDR software that rely on stack call analysis for detection. The malware retrieves the address of functions, such as NtCreateFile, and manipulates the call stack to hide the true origin of the function call. This technique highlights the evolving tactics used by sophisticated threat actors and emphasizes the need for advanced detection and mitigation strategies to counter these evasive techniques.

References:

  • cybergeeks.tech - This blog post provides a detailed technical explanation of the call stack spoofing technique used by APT41. - 4h
  • Malware Analysis, News and Indicators - Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, and so on). - 4h

Classification:






This site is an experimental news aggregator using feeds I personally follow. You can reach me using contacts here if you have feedback. You can also find Flathis at Mastodon.