See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/375531872

Exploring Common Malware Persistence Techniques on Windows Operating

Systems (OS) for Enhanced Cybersecurity Management

Chapter · November 2023

DOI: 10.1201/9781003369042-7

CITATIONS READS

0 567

5 authors, including:

Tran Duc Le Duy Truong Dinh

University of Wisconsin - Stout Posts and Telecommunications Institute of Technology
50 PUBLICATIONS 121 CITATIONS 25 PUBLICATIONS 111 CITATIONS

SEE PROFILE SEE PROFILE

Phuoc Nguyen T. H. Ammar Muthanna

Vietnam National University, Ho Chi Minh City Saint-Petersburg State University of Telecommunications
13 PUBLICATIONS 26 CITATIONS 216 PUBLICATIONS 3,025 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Tran Duc Le on 26 November 2023.

The user has requested enhancement of the downloaded file.

 1 Exploring Common Malware Persistence Techniques on
2 Windows Operating Systems (OS) for Enhanced Cybersecurity
3 Management: Detection and Mitigation Strategies

4 Duc Tran Le,1 Truong Duy Dinh,2 Phuoc Hoang Tan Nguyen,3 , Ammar Muthanna6, and
5 Ahmed A. Abd El-Latif4,5

6 1
NetSec-ITDUT Lab, University of Science and Technology – The University of Danang,
7 Danang 550000, Vietnam, [email protected].
2
8 Faculty of Information Security, Posts and Telecommunications Institute of Technology,
9 Hanoi, Vietnam, [email protected].
3
10 University of Information Technology - Vietnam National University Ho Chi Minh City, Ho
11 Chi Minh, Vietnam, [email protected].
4
12 EIAS Data Science Lab, College of Computer and Information Sciences, Prince Sultan
13 University, Riyadh 11586, Saudi Arabia, [email protected].
5
14 Department of Mathematics and Computer Science, Faculty of Science, Menoufia
15 University, 32511, Egypt.
16 6
Department of Applied Probability and Informatics, Peoples’ Friendship University of
17 Russia (RUDN University), Moscow 117198, Russia, [email protected].

18

19 Correspondence should be addressed to Duc Tran Le; [email protected] and Ahmed A.

20 Abd El-Latif; [email protected]

21 Abstract

22 This paper reviews ten popular persistence techniques widely used by malware on Windows
23 OS. This review aims to detail the principle of techniques that help malicious programs
24 maintain their existence in the system. We also present typical malware for each technique and
25 valuable tools to detect them. Some mitigation methods and recommendations are provided so
26 that the users or/and malware analysts can remove or prevent the malware persistence
27 techniques.

28 Introduction

29 Malware is one of the direct threats to information safety and security. The statistics recently
30 pointed out that network security attacks using malware occur increasingly numerous and
31 complicated [1]. There are thousands of new malware, and their variants are created every day.
32 Not only that, but the forms of malware also spreading over the Internet are becoming more
33 diverse and sophisticated. Besides, due to the user's lack of knowledge, malware spreads
34 quickly, leading to more significant damage caused by malware.

35 There are several types of malware. Based on their purposes and infectious vectors, they are
36 generically grouped as viruses, worms, trojan horses, backdoors, rootkits, ransomware, adware,
37 spyware, downloaders, botnets, and fileless malware [2, 3]. Malware attacks frequently

1
38 combine many types of malware to get more effective since each type has a varied potential
39 for harm.

40 These malicious files spread silently and quickly through advanced techniques such as injection
41 mechanisms, anti-VM, anti-debug, obfuscation, data encryption, and persistence [4, 5]. Among
42 these techniques, the persistence technique is an essential technique widely used by almost all
43 current malware. This technique includes configuration changes, adding startup code, hijacking
44 legitimate code, etc., maintaining system access despite restarts, changing credentials, and
45 other disruptions.

46 Although many persistence techniques and sub-techniques exist, not all of them are used
47 regularly. This paper will provide an overview of ten persistence techniques commonly used
48 by malware in the Windows environment. We choose the Windows environment since it is the
49 operating system that is commonly used and suffers from high potential malware attacks. We
50 will detail the principle of these persistence techniques by analyzing typical malware or
51 advanced persistent threat (APT). In addition, we also recall various tools that malware analysts
52 often apply to detect and analyze persistence techniques.

53 The rest of the paper is organized as follows: the next section presents related works in
54 persistence techniques. Then we review in detail the ten popular persistence techniques used
55 by malware. The following section presents the conclusions, summarizes the paper, and
56 discusses future work.

57 Related Works

58 The persistence techniques are commonly employed by malware. However, the number of
59 studies focusing on these techniques is not significant.

60 The paper [6] surveyed some persistence techniques by analyzing emerging-malware such as
61 Emotet, Trickbot, Oceanlotus. Because of the small number of analyzed malware, the number
62 of persistence techniques described in that paper is also tiny. In addition, the authors did not
63 interpret each technique's general principle of operation.

64 In the thesis [7], Jennifer Mankin used the Disk I/O aNalysis Engine (DIONE) to detect when
65 a persistence mechanism is installed. Since DIONE provides comprehensive, high-integrity
66 events taking place at the disk level, the thesis shows that they can infer high-level properties
67 relating to the persistence capabilities of malware. However, except for two techniques: (i)
68 utilizing the Windows service mechanism to load code or drivers at boot time automatically
69 and (ii) pointing special auto-start registry keys to the malicious code, the remaining techniques
70 that this thesis is interested in, such as trojanizing a system binary, overwriting the MBR to
71 force malware to load are less used by malware in practice.

72 In the thesis [8], Matthew Webb studied tools to discover how malware persists on an infected
73 system. They are FLOSS, Autoruns, Regshot, Capture-BAT, Procmon, and Volatility. These
74 tools' operations are automated to mimic how they could be carried out manually, producing
75 data on the tested material.

76 In addition, several other studies also consider the persistence capabilities of the malware on
77 other operating systems such as MAC OS [9] and Linux [10].

2
 78 In the next section, we will focus on the popular persistence techniques used by malware on
79 Windows OS in detail.

80 Malware Persistence Techniques on Windows OS

81 Malware is used for different things. Banking malware is required to remain on the device and
82 monitor browser activity. A keylogger must reside on the computer to monitor keystrokes. All
83 malware aims cannot be accomplished in a minute or even in days. In APTs, the malware might
84 take months or even years to reach its goals. To operate for extended durations, the malware
85 must guarantee that it survives system restarts, shutdowns, and multiple user logins. Malware
86 employs a variety of persistence tactics to enable this level of resistance. These techniques
87 ensure that malware can activate and deploy its activities without the user's and attackers'
88 intervention [6].

89 Registry Run/RunOnce Key

90 Registry Run/RunOnce Key (RRK) is a typical sub-technique in the Boot or Logon Autostart
91 Execution group. According to our assessment, this is malware's most used persistence
92 technique. It is easy to implement, and malware exploits the run registry key for privilege
93 elevation.

94 In the Windows OS, when a new program is installed or configured with Run/RunOnce key
95 values in the registry, they will automatically launch each time a user logs on into the system
96 or at the boot stage. That is why these programs will have the account's associated permissions
97 level. These Registry Run Keys will be executed through a command line.

98 The following run keys are created by default in Windows 32-bit version:

99 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
100 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
101 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
102 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

103 For Windows 64-bit:

104 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey

105 It should be noted that if Windows runs with administrative rights, keys in
106 HKEY_LOCAL_MACHINE will be executed. On the contrary, if Windows logs in with a
107 specific user, the keys in HKEY_CURRENT_USER will be executed. In addition, the
108 RunOnce keys will run the programs when Windows boots the next time only, and then the
109 entries will be deleted and not executed again. This type of registry key is generated by creating
110 a new string value in the RunOnce key and adding a full path to the malware's payload that the
111 malware wants to run for the value.

112 From 2012 to 2016, a spying backdoor named Advstoreshell used by APT28 [11] added itself
113 to the registry Run key to achieve persistence. This malware is used for long-term spying.
114 Another example is the attack caused by Cobalt Strike [12] from C0d0so0 group APT19 [13].
115 These malware implemented different techniques to compromise targets, and after that phase,

3
116 an HTTP malware created the registry key
117 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-
118 %LOCALAPPDATA%\ to perform persistence. Besides modern malware, several classical
119 malware still effectively use this technique, for example, rootkit [14]. Rootkits conceal
120 themselves and infect files in the Windows registry or allow-listed areas to cheat the anti-
121 malware software. There are many other typical attacks like BBSRAT [15], Bisal [16],
122 BitPaymer [17], ChChes [18], Cozycar [19], Cobian Rat [20], Dark Caracal [21], Dustysky
123 [22], Fatduke [23], Empire [24], Njrat [25] causing long-term damage by using persistence
124 techniques. In addition to the registry keys mentioned above, attackers can utilize the following
125 two registry keys to specify startup programs based on policy settings:

126 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explore
127 r\Run
128 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
129 Run

130 These techniques can be detected through tracking changes of Run Registry Keys that are not
131 associated with the known programs. Analyzing embedded strings or using tools like PPEE,
132 AutoRuns, and PEstudio can also detect this technique. We can analyze a famous malware
133 named LokiBot (MD5: 2df7a83872148d20484b66975d30fee6) [26] to see how it exploits Run
134 Registry Key. LokiBot is a kind of info-stealer malware. It performs the persistence technique
135 by adding a new autostart entry in the Registry Run key to run its malicious .vbs file wscript.exe
136 (Windows Script Host) at system startup.

137 Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "JKCGJJ"

138 /t REG_SZ /F /D "%WINDIR%\System32\WScript.exe
139 %LOCALAPPDATA%\jkcgjj\jkcgjj.vbs"

140 Where /V flag specifies the name of the registry entry to add (JKCGIJ), /t flag specifies the
141 type for the registry entry (REG_SZ), /F flag adds the registry entry without prompting for
142 confirmation, /D specifies the data for the new registry entry (jkcgjj.vbs). We will rely on the
143 change of the registry key to detect this technique. Initially, there are only Default and
144 OneDrive items in HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Figure 1).

145
146 Figure 1: Registry Run Key on a clean system.

147 After executing LokiBot malware by double-clicking it, a new entry named jkcgjj is added
148 (Figure 2) in Run.

4
149
150 Figure 2: LokiBot adds a new entry in Run.

151 We verify this process with the Sysinternals AutoRuns tool and get the result as in Figure 3.

152 We can see all malware behaviors using the procDOT tool (Figure 4). First, it will create a
153 payload file in the hidden folders of the system like AppData, then the payload named jkcgjj.vbs
154 with the path C:\User\rhy\AppData\Local\jkcgjj\jkcgjj.vbs is loaded to set as a new value in
155 Run.

156
157 Figure 3: Monitoring the changes in the registry key using AutoRuns tool.

158
159 Figure 4: LokiBot’s behavior when it establishes persistence via the Run registry key.

160 Startup Folder

161 The Startup Folder is a feature available in Windows OS that enables a user to run a specified
162 set of programs automatically when Windows starts. This folder aims to provide convenience
163 for the users to gain instant access to the programs used frequently.

5
164 Like Registry Run Key, Startup Folder is a preferred location of malware to deploy persistence
165 because putting software in a startup folder also causes the application to run when a user logs
166 in. It should be noted that the system access level of malware depends on the location of the
167 startup folder that it uses: for individual user accounts (user-wide) or system-wide startup
168 folders. Startup Folder User-Wide is used only for a specific user. Meanwhile, Startup Folder
169 System-Wide executes when users log on to the system. Therefore, it needs administrative
170 privilege.

171 C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

172 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

173 The working principle of this technique is as follows: when Windows starts, it will check the
174 Startup Folder, and the files residing in this folder will be executed. Typically, malware
175 downloads payloads to a specific hidden location (e.g., AppData), then builds a shortcut to
176 those files and places them in the Startup Folder. This way, when Windows checks the Startup
177 Folder, it will launch the malware's payload. Similar results can be achieved if malware copies
178 itself to the Startup Folder.

179 Besides the registry keys mentioned above, there is a series of shell directory paths on the
180 system that can also be used for the same purpose:

181 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User
182 Shell Folders
183 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
184 Folders
185 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Sh
186 ell Folders
187 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Us
188 er Shell Folders

189 Many malware attacks employ Startup Folder as the primary persistence technique. For
190 example, in the campaign to interfere with the US Presidential election in 2016, APT28 has
191 deployed Fancy Bear malware [27], which can copy itself to the Startup Folder for persistence.
192 Another example is APT3, also known as the Operation Clandestine Fox campaign. APT3 [28]
193 utilizes many tools and techniques, including zero-day exploits, remote access tools, and
194 spearphishing attacks. Instead of copying the payloads into the Startup Folder, the malware in
195 this attack has placed scripts in the Startup Folder and then executed those scripts for
196 persistence.

197 This technique is also caught in many other attacks such as Felixroot [29], Fin7 [30], Gold
198 Dragon [31], Grandoreiro [32], InvisiMole [33], KONNI [34], Leviathan [35], Machete [36],
199 Metamorfo [37], Molerats [38]. Here is an example of this technique with the malware named
200 cache_1.exe (MD5: 62c01f1b2ac0a7bab6c3b50fd51e6a36).

201 After activating, this malware drops its copy into Startup Folder, as in Figure 5.

202 When checking the Startup tab in Task Manager, we can see the appearance of a strange
203 program that has been installed (Figure 6).

6
204 The AutoRuns tool in Sysinternals Suite [39] is very useful in finding this persistence technique.
205 Tracking other startup folders for changes also needs to be performed when conducting
206 malware analysis.

207

208

209

210

211

212 Figure 5: The malware creates a shortcut to execute itself from Startup Folder.

213
214
215
216
217
218
219
220
221
222
223
224
225
226

227

228 Figure 6: A strange program is installed in Startup (Task Manager)

229 Scheduled Task/Job

230 Another way to perform persistence is to take advantage of the scheduling functionality when
231 executing malware or for repeated malware execution. This technique is also called Scheduled
232 Task (or Job). Attackers can configure to execute the malware at a specified time or during
233 system startup via Windows utilities such as schtasks or at. This technique can even be
234 deployed on remote systems. It requires administrative or SYSTEM permissions, and
235 sometimes, it can be implemented by a regular user. Each task in Windows includes several
236 components like triggers (the conditions to start a task), actions (the actions that will get
237 executed when the task is run), principals (the security context in which the task is run),
238 settings, registration information, and data.

239 Some sub-techniques in this technique are applied in Windows OS as follows:

7
240 • Using schtasks.exe utility (path: %SystemRoot%\System32\schtasks.exe) on the
241 command line or the Task Scheduler GUI with administrative privilege. APT29 [15]
242 with a vast arsenal of malware toolsets such as CloudDuke, HammerDuke, MiniDuke,
243 GeminiDuke, CosmicDuke, PinchDuke, OnionDuke, CozyDuke, and SeaDuke used
244 scheduler and schtasks to create new tasks on remote hosts, then updated an existing,
245 legitimate task to execute malicious tools.
246 • Using at.exe utility (path: %SystemRoot%\System32\at.exe). This subtechnique
247 depends on the Task Scheduler service and requires administrative privilege. This
248 utility can specify a remote computer, which is useful when doing repeated jobs every
249 day, week, or month. The important reason at.exe is often used by malware is that the
250 scheduled commands are stored in the registry. As a result, the scheduled tasks of
251 malware will not be removed after restarting the scheduled service. Some threat groups
252 that use this technique are BRONZE BUTLER [41], Leviathan [42], Night Dragon [43],
253 GALLIUM [44].

254 Many malware attacks, which target Windows OS, exploit Scheduled Task to establish
255 persistence: Agent Tesla [45], ComRAT [46], CSPY Downloader [47], Emotet [48], FIN10 [49],
256 Frankenstein [50], PoisonIvy [51], Machete [36], Stuxnet [52], Maze [53].

257 Let’s consider the following example with malware BOUNDUPDATER

258 (MD5:52b6e1ef0d079f4c2572705156365c06) [54].

259 It is a kind of PowerShell-based Trojan spread via phishing email. This malware is usually
260 dropped to the system as Microsoft Word (.doc) file, namely N56.15.doc, since this file accepts
261 macro (scripts that can be executed after opening a file). Figure 7 shows the N56.15.doc file.

262

263

264

265

266

267 Figure 7: N56.15.doc document with embedded macro and PowerShell

268 When enabled, macro will create two files (VBScript AppPool.vbs and PowerShell script
269 AppPool.ps1) on the system at the location:

270 C:\ProgramData\WindowsAppPool\AppPool.vbs
271 C:\ProgramData\WindowsAppPool\AppPool.ps1

272 After creating these scripts, the malware will execute AppPool.vbs by command: wscript
273 <path_to_AppPool.vbs>. This script contains other executable commands with cmd.exe to
274 configure a scheduled task to be executed every minute, establishing persistence for the
275 malware.

8
276 cmd.exe /C schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr
277 "wscript /b "C:\ProgramData\WindowsAppPool\AppPool.vbs""

278 Analyzing the above command, we can see that the malware implements /sc flag in
279 combination with a value (daily, minute) to set the frequency of the task's execution. However,
280 it is necessary to set up an additional /mo flag to indicate the duration. /tn flag is the Taskname
281 element, and /tr flag is Taskrun element, which specifies what should be executed at the
282 scheduled time.

283 Using the AutoRuns tool, we can discover this technique (Figure 8):

284

285

286

287

288 Figure 8: Scheduled Tasks are listed in AutoRuns tool

289 When checking by Task Scheduler of Windows (Figure 9):

290

291

292

293

294

295 Figure 9: Scheduled tasks in Windows Task Scheduler

296 When creating a task in the malware analysis process, we need to check the command line
297 being passed for this persistence technique. We also need to look for any unusual task name
298 and check the parent process calling the utility to determine if it is allowed to create tasks or
299 not. The Microsoft-Windows-Task-Scheduler/Operational log and PowerShell Get-
300 ScheduledTask cmdlet are good sources for monitoring the creation, modification, deletion,
301 and use of scheduled tasks for Windows systems.

302 Winlogon Helper DLL

303 Winlogon or Winlogon.exe is a legitimate process that takes care of user logons, assigns
304 security to the user shell, and loads user profiles into the registry. It can also be used to run the
305 DLLs or executable files when a user logs in. For a regular system, this process takes place
306 after the authentication process is completed. At that time, Winlogon.exe will initiate the
307 userinit.exe process (path: C:\Windows\system32\userinit.exe) to launch the logon scripts and
308 set up network connections if necessary. The userinit.exe process will then launch the

9
309 explorer.exe process. At this point, the attackers can exploit and perform malicious activities
310 on a system because the userinit.exe will decide or indicate which programs need to be
311 executed by the Winlogon process. The programs that Winlogon launches are placed under the
312 following registry keys:

313 HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
314 HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon

315 Attackers can modify these registry keys and add the path to the malware, which the Winlogon
316 process will initiate. The subkeys which are commonly utilized by malware in this persistence
317 technique are:

318 • Winlogon\Notify refers to notification package DLLs responsible for handling

319 Winlogon events. The Dipsind malware family and Bazar malware have registered as
320 a Winlogon Event Notify DLL to achieve persistence.
321 • Winlogon\Userinit refers to userinit.exe – when a user signs in, the user initialization
322 software is performed. Some malware using this type of subkey are Wizard Siper,
323 Remexi.
324 • Winlogon\Shell refers to explorer.exe. The system shell is executed when a user logs
325 on. By setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the
326 registry key, the Gazer backdoor [59] can maintain its existence and repeat malicious
327 activities on the victim system. Tropic Trooper [60] and Turla [61] malware also
328 implement a similar technique.

329 Figure 10 shows the Shell value in the registry after launching the Gazer backdoor.

330

331

332

333

334

335 Figure 10: The Shell value is modified using “explorer.exe, %malware_pathfile%”

336 AutoRuns tool or the tools that track changes in a registry such as Noriben, Procmon are helpful
337 to detect Winlogon technique. Figure 11 shows that the malware dropped a file named
338 ntuser.dat.LOG3 in C:\Users\rhy\, which is implemented for persistence purposes.

339 In addition, we also need to pay attention to the newly created DLLs in the system (specifically
340 in System32) or the abnormal processes loading specific DLLs. They are also suspicious if
341 these DLLs do not correlate with known programs.

342 Winlogon.exe is always located in the directory C:\Windows\System32. In other cases,

343 Winlogon.exe is malware. To prevent unknown DLLs, the AppLocker application can be used
344 to identify and block potentially malicious programs. Because the behavior of malware

10
345 involves Winlogon Helper cannot obtain maximum efficiency without the administrative
346 privilege or SYSTEM permission, we can limit the user's privileges so that only specified users
347 can perform Winlogon Helper changes.

348

349

350

351

352 Figure 11: AutoRuns monitors the changes in the Winlogon key

353 Image File Execution Options Injection (IFEO)

354 Image File Execution Options is a Windows registry key, a sub-technique of the Event-
355 Triggered Execution group. It means that the attackers may establish persistence and/or elevate
356 privileges using system techniques that trigger execution based on specific events. IFEO is
357 placed at:

358 HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options

359 HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File
360 Execution Options

361 It is a popular debugging facility that allows developers to launch an executable directly under
362 the debugger. In other words, it enables one to attach a debugger to an application for
363 application debugging. It can be helpful when trying to debug at the beginning of an application
364 launch. However, there is no mechanism on Windows OS to check if the program listed in the
365 “Debugger” value is a debugger. It creates a chance for the attackers to forge a malicious
366 executable file as a debugger of a specific process. Figure 12 is an example of using this
367 persistence technique. Here, file calc.exe (calculator application) is configured to become the
368 debugger of the notepad.exe process.

369 The malware only needs to create a subkey as follows to make this configuration:

370 Key: HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution

371 Options\notepad.exe
372 Value for debugger: REG_SZ: C:\Windows\System32\calc.exe

373 If we start the notepad.exe process, we accidentally enable the calc.exe even though it is not a
374 debugger. That is the way malware establishes persistence by IFEO.

375 Usually, to evade detection from the users, malware often chooses a filename that looks like
376 the legitimate process (runs by default), such as iexplorer.exe, userinit.exe, scvhost, to make
377 the debugger. Moreover, anti-virus software often ignores the debuggers of these system
378 processes. A typical example is Ushedix malware [16], which disabled a host of security
379 programs that were popular at the time using this technique. Other malware that also employ
380 IFEO are SDBbot [62], TEMP.Veles [63], SUNBURST [64], Cobalt Strike [12].

11
381

382

383

384

385

386

387

388

389 Figure 12: Calc.exe is configured as the debugger for Notepad.exe

390 Besides establishing IFEO through the registry, malware can perform this technique with
391 Global Flags via the Gflags tool (can be found in the Windows Support Tools package and the
392 Debugging Tools for Windows package) [65]. The primary function of GFlags is to enable and
393 disable advanced debugging, diagnostic, and troubleshooting features.

394 Although this advanced technique can overcome many systems and users, it requires
395 administrative privilege and SYSTEM permission. Fortunately, this fact sometimes limits the
396 ability to deploy malware on the system. In analyzing malware, we can use the Procmon and
397 AutoRuns tools to detect this technique.

398 Accessibility Features/Programs

399 Like Image File Execution Options Injection, Accessibility Features is a persistence technique
400 belonging to the Event-Triggered Execution group. Accessibility Features in Windows OS
401 include speech recognition, onscreen keyboard, narrator, magnifier…They are used to meet the
402 particular needs of users. These programs are usually placed under the path:
403 C:\Windows\System32 and can be launched with a key combination without logging into the
404 system. By changing these programs, malware can activate a desired legitimate program (e.g.,
405 command prompt) to execute another behavior or initiate the payload as soon as users use a
406 key combination. For example, the Hikit Rootkit malware [66] takes advantage of the feature
407 sticky keys sethc.exe to gain unauthenticated access via remote desktop login screen (RDP).
408 This malware replaces sethc.exe with cmd.exe:

409 copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

410 Malware can also configure cmd.exe as the debugger for sethc.exe as in the IFEO technique to
411 avoid replacing the original files. When the users launch the sticky keys by pressing the SHIFT
412 key five times, the attacker can access the command prompt with SYSTEM privileges (Figure
413 13). This technique is also found in Axiom [67], Deep Panda [68], Fox Kitten [69], APT3 [28],
414 APT29 [40], APT41 [70].

12
415

416

417

418

419

420

421

422 Figure 13: The attacker can access the command prompt with SYSTEM privileges via sethc.exe

423 Trojan Occamy malware combines IFEO and Accessibility Features techniques using sethc.exe
424 to access the system and establish persistence illegally. This malware sets the Task Manager
425 (taskmgr.exe) as the debugger for sethc.exe:

426 REG ADD HKML\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File

427 Execution Options\sethc.exe /v Debugger /t REG_SZ /d %windir%\system32\taskmgr.exe /f

428 The attackers enable Task Manager by enabling the Accessibility Feature at the login screen,
429 then they create a new task (cmd.exe) with administrative privileges (Figure 14) and execute
430 the subsequent commands.

431

432

433

434

435

436

437

438

439

440 Figure 14: The attackers enable command prompt with administrative privilege via Accessibility Feature

441 Another accessibility feature also used frequently by malware is utilman.exe, activated by the
442 key combination Windows + U. It is a file associated with the Utility Manager application of

13
443 Windows. Typically, utilman.exe is replaced by cmd.exe to activate right on the user login
444 interface.

445 Magnify.exe is also a preferred option for attackers when attacking the system with the
446 accessibility feature technique. Magnify.exe is a machine code file associated with
447 MAGNIFIER from Microsoft Corporation. If the software Microsoft® Windows® Operating
448 System on Windows is started, the commands or payload in magnify.exe will be executed on
449 the system. For this purpose, the malicious file is loaded into the main memory (RAM) and
450 runs as a MAGNIFIER process (also called a task). Framework Empire [24], used to perform
451 post-exploitation, may utilize WMI debugging to remotely change executables such as
452 sethc.exe, utilman.exe, and magnify.exe by cmd.exe or PowerShell.

453 Other accessibility features such as Display Switcher (DisplaySwitch.exe), OnScreen Keyboard
454 (osk.exe), App Switcher (AtBroker.exe), and Narrator (Narrator.exe) may also be employed in
455 the same way [71, 72].

456 This technique causes many threats because it can execute the malware before logging in to
457 the system. However, many tools, such as Windows Defender and AppLocker, can detect and
458 stop potentially harmful applications performed via accessibility features. In addition, through
459 the analysis of the above Hikit Rootkit, we can restrain this technique by limiting access to the
460 resource over the network. For example, in the RDP case, a Remote Desktop Gateway can be
461 used to manage connections in the network with a proper RDP configuration. Another way is
462 active network-level authentication to force the remote session to authenticate. Besides, the
463 users need to be alert and easily detect malicious files using the same name as Accessibility
464 Features when these files are not placed in C:\Windows\System32.

465 AppInit DLLs

466 AppInit DLLs is a mechanism that allows custom DLLs to be loaded into the address space of
467 every interactive application. Both legitimate softwares and malware use AppInit DLLs with
468 the same purpose: to hook system APIs and implement alternate functionality. However,
469 legitimate softwares are recommended not to use AppInit DLLs because it can cause system
470 deadlocks and performance issues. Attackers can use AppInit DLLs to perform the persistence
471 technique because arbitrary DLLs that execute code when the application processes are created
472 on the system can be loaded. This technique needs administrative rights to be implemented,
473 and it is applied almost with DLL malware types or with malware that needs to use some special
474 DLL libraries.

475 The configuration values specify AppInit DLLs' operation in the registry key below. The
476 malware only needs to use a batch script or through calls APIs like RegSetValueEx to set
477 “LoadAppInit_DLLs” to value “1” to enable this technique.

478 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

479 HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows
480 NT\CurrentVersion\Windows

481 The principle of this technique is as follows: malware will creep into the system and drop
482 malicious DLL files in the locations on the disk, which are challenging to detect. Then malware
483 will change the value in the AppInit DLLs registry key to contain the malicious DLL path.

14
484 Because all DLLs indicated in AppInit DLLs are loaded by the user32.dll (used by almost all
485 applications), malicious DLLs will also be loaded into every Windows application process.

486 Some typical examples of this persistence technique are APT39 (with Bootmgr.dll) [73],
487 Cherry Picker (with pserver32.dll) [74], Ramsay (with oci.dll) [75], T9000 (with ResN32.dll)
488 [76].

489 Using the ListDLLs tool in Sysinternals Suite can obtain information about the DLL files loaded
490 into processes on the system. The command is quite simple: Listdlls64.exe -
491 v process_name_to_check. Furthermore, we may search for suspicious elements in the AppInit
492 DLLs registry value that do not correspond to a legal application via AutoRuns tool. We can
493 also monitor the processes loaded by user32.dll and look for DLLs that are not recognized or
494 not normally loaded into a process. Although this technique allows attackers to launch malware
495 quickly on the system, from Windows 8 onwards, when secure boot is enabled, the AppInit
496 DLLs technique is disabled as part of a no-compromise approach to protecting customers
497 against malware and threats.

498 Figure 15 points out how the malware Backdoor T9000 (MD5:
499 2f9e44e0cef0b4a67b7be74bc11b8e7d) [21] performs persistence on the system. First, this
500 malware changes the LoadAppInit_DLLs value to "1" to activate and point the path to its
501 ResN32.dll file via AppInit DLLs. As a result, when any process uses user32.dll, it will
502 accidentally enable ResN32.dll. Figure 16 presents the processes loading the malicious
503 ResN32.dll after restarting the system. If there is a process that runs with high integrity levels
504 in these processes, malware easily captures administrator privilege.

505

506

507

508

509

510

511

512

513

514 Figure 15: Backdoor T9000 uses AppInit DLLs as a persistence technique

15
515

516

517

518

519

520 Figure 16: The processes load ResN32.dll after rebooting the system

521 Figure 17 shows the result of monitoring AppInit DLLs by AutoRuns tool.

522

523

524

525

526 Figure 17: Suspicious entry in AppInit DLLs registry

527 All behaviors and execution processes of the Backdoor T9000 are recorded and displayed in
528 Figure 18 using the procDOT tool.

529

530

531

532

533

534

535

536

537

538

539 Figure 18: The process of establishing persistence based on AppInit DLLs of Backdoor T9000

16
540 DLL Search Order Hijacking

541 DLL Search Order Hijacking is a persistence technique in the Hijack Execution Flow group.
542 The attackers execute malware or harmful payload by manipulating the way operating systems
543 run applications. When a program is launched on the system, it loads several DLLs libraries
544 into the memory space of its process. Windows searches these files in the predefined locations
545 in specific search sequences. By taking advantage of this principle, malware will hijack the
546 search order to maintain its activities on the system. If an application does not specify where
547 to load a DLL from, Windows will load a specific DLL in the following order:

548 • Windows verifies if the DLL has previously been loaded into memory. If yes, Windows
549 uses that DLL; if not, Windows will check if the DLL is listed in the KnownDLLs
550 registry key (Figure 19), which speeds up system DLLs loading. If the DLL is loaded
551 in the list of KnownDLLs, the system uses its copy of the KnowDLLs (and the
552 KnowDLL's dependent DLLs, if any) instead of searching for the DLL.

553 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
554 Manager\KnownDLLs
555

556 • The directory the calling process was loaded from

557 • The system directory (C:\Windows\System32)
558 • The 16-bit system directory (C:\Windows\System)
559 • The Windows directory (C:\Windows)
560 • The current directory
561 • The directories that are listed in the PATH environment variable

562

563

564

565

566

567

568

569 Figure 19: List of KnownDLLs

570 Attackers may put a malicious DLL in a directory, which will be searched before the location
571 of a legitimate library is utilized. It causes Windows to load the attacker’s malicious library
572 whenever the victim process requests it.

17
573 The following example with malware resume.exe
574 (MD5: 839dd0d8a603151e4e486f5958aa1140) explains how the malware applies DLL Search
575 Order Hijacking.

576 On a clean operating system, when program explorer.exe (placed in directory C:\Windows)
577 runs, it loads a DLL library called ntshrui.dll (placed in directory C:\Windows\System32), i.e.,
578 if explorer.exe is launched, Windows will search for ntshrui.dll in the order as mentioned above
579 and find it in C:\Windows (Figure 20).

580

581

582

583

584

585

586

587 Figure 20: The explorer.exe process loads clean ntshrui.dll from C:\Windows\System32

588 Assuming that resume.exe drops a malicious DLL with the same name ntshrui.dll into the same
589 directory C:\Windows as explorer.exe:

590 [CreateFile] malware_dll_searching.exe:4068 > %WinDir%\ntshrui.dll

591 When the explorer.exe is initiated, Windows firstly searches for ntshrui.dll in the directory
592 from where the program exeplorer.exe was executed, i.e., C:\Windows. At this time, malicious
593 ntshrui.dll in C:\Windows will be loaded before the clean ntshrui.dll, placed in
594 C:\Windows\System32 (Figure 21). It means that the malicious payload is activated, and the
595 DLL Search Order Hijacking was successfully implemented.

596

597

598

599

600

601 Figure 21: Malicious ntshrui.dll is loaded by explorer.exe process

18
602 This technique is an advanced persistence technique and is highly efficient. However, if
603 attackers design DLL files poorly, the processes that loaded the malicious DLL may not work
604 correctly because they do not have enough of the required library.

605 Several typical attacks using this persistence technique are APT41 [70], FinFisher [77],
606 menuPass [78], Hikit Rootkit [66], Ramsay [75], MirageFox [79], BOOSTWRITE [80].

607 To trace this persistence technique, we need to carry out process analysis and file system
608 analysis to monitor the creation, replacing, renaming, or deletion of DLLs on the system.
609 Besides, it is needed to monitor the DLLs loaded from abnormal directories.

610 If the user activates SafeDllSearchMode mode on Windows systems, in

611 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager, the
612 system will be forced to search the %Systemroot% for the DLL before searching for the DLL
613 file in the current directory or the rest of the path. Some auditing tools, such as the PowerSploit
614 framework, can be used to find DLL hijacking weaknesses in a system. Tanium’s Incident
615 Response Module [81] helps detect potentially hijacked processes using sensor functions. This
616 sensor returns the following information: process name and path, DLL path, DLL MD5 hash,
617 the reason why DLL is suspected of being malicious during the examination.

618 Component Object Model Hijacking

619 Component Object Model (COM) is a binary-interface standard working as a client-server

620 model to implement objects used by different technologies and frameworks such as DCOM,
621 OLE, OLE Automation, ActiveX, Browser Helper Object, COM+, Windows Shell, and
622 Windows Runtime. These objects can be within a single process, in other processes, or even on
623 remote computers. In other words, COM is a technique that allows the re-use of objects (or
624 rather components), independently of the languages used by the programmer who implemented
625 the component and the programmer who uses it, and independently of whether the component
626 was implemented in the client's program or elsewhere on the machine (or network). COM
627 allows the software components to communicate and interact, even if they do not know each
628 other’s code [82].

629 When operating with the client-server model, the COM client is the programs on Windows OS
630 using the services provided by the COM server (also called COM object). A COM object is
631 determined by a unique number named Class Identifier (CLSID) in:

632 HKEY_CURRENT_USER\Software\Classes\CLSID
633 HKEY_LOCAL_MACHINE\Software\Classes\CLSID

634 Figure 22 shows the CLSID of Network object in Windows: 208D2C60-3AEA-1069-A2D7-

635 08002B30309D.

636 For each CLSID key, we have the InProcServer32 subkey, which indicates the DLL file name
637 that implements the COM object. Figure 23 presents shell32.dll (COM server) associated with
638 the Network object.

639

19
640

641

642

643

644 Figure 22: Class Identifier CLSID of Network object in Windows

645 It should be noted that the COM server can be in the form of the in-process server (DLL file)
646 or out-of-process server (EXE file).

647

648

649

650

651 Figure 23: Shell32.dll (COM server) is associated with the Network object

652 The principle of COM is straightforward. Every time a program (COM client) runs on the
653 system and uses the service provided by COM Server (or COM Object), it will download the
654 associated DLL into the process. It creates the opportunity for the attackers to take advantage
655 of COM Object to perform persistence. By executing malicious stuff triggered by hijacked
656 references to COM objects, malware might establish persistence or increase its level of access.
657 Usually, COM object registry entries need to be replaced to complete this process. If the COM
658 client launches, it will accidentally use the hijacked object, and a malicious DLL will be loaded.

659 Some typical attacks using this persistence technique are APT28 [11], Mosquito [61],
660 JHUHUGIT [83], BBSRAT [15], KONNI [34].

661 In the following example, we will analyze COM Hijacking used by malware named
662 KB31545547.exe (MD5: 482a70b7f29361665c80089fbf49b41f). This malware drops two
663 payloads (32-bit and 64-bit) in the hidden directory of Windows: AppData
664 (%AppData%\Roaming\Microsoft\Installer\). The purpose is to hide the existence of payloads
665 on the system. The Procmon tool indicates this behavior of the malware (Figure 24).

666

667

668

669

670 Figure 24: Malware drops two payloads in %AppData%

20
671 After that, malware creates registry entries to prepare for COM Hijacking:

672 HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-
673 88bd00b4a5e7}\InprocServer32
674 HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-
675 C4579291692E }\InprocServer32

676 The default value for each entry is the path to the malicious payload in %AppData%. Figure
677 25 shows the InprocServer32 subkey of the 32-bit version, in which the payload lbqg has the
678 form api-ms-win-downlevel-lbqg-l1-1-0._dl. Meanwhile, Figure 26 shows the InprocServer32
679 subkey of the 64-bit version with the payload bqgv in the form api-ms-win-downlevel-bqgv-l1-
680 1-0._dl.

681

682

683

684

685 Figure 25: Malicious payload lbqg in {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 (32-bit

686 version)

687

688

689

690

691 Figure 26: Malicious payload bqgv in {BCDE0395-E52F-467C-8E3D-C4579291692E}\Inprocserver32 (64-bit

692 version)

693 These registry keys define the COM objects loaded into the legitimate process.

694 In fact, two above CLSID values were used to replace the following originals, which are
695 predefined by Microsoft:b5f8350b-0548-48b1-a6ee-88bd00b4a5e7 and BCDE0395-E52F-
696 467C-8E3D-C4579291692E. Many applications in Windows OS use them.

697 With the above CLSID loading technique, the malware quickly reaches the goal of setting up
698 persistence without administrative privilege. However, the efficiency of this technique depends
699 on some of the following issues:

700 • It will not cause programs to misbehave, such as crash when a program is invoked.
701 • It will not negatively affect the user’s experience. The user will not notice that a
702 machine or application is "behaving wrong".

21
703 That is why the attackers always find a proper way to carry out the CLSID loading. Another
704 technique often exploited to enable malicious payload via CLSID key is to use rundll32.exe in
705 command prompt: rundll32.exe -sta {CLSID of Malicious Payload}. The switch -sta stands for
706 Single-Threaded Apartment, which is a vector for potential abuse. In this way, attackers trigger
707 the malware directly without needing a COM client.

708 Another approach for CLSID loading is to combine with Task Scheduler. Attackers will create
709 a scheduled task with COM Handler action configured by malicious CLSID. Thus, the
710 malicious payload is executed each time the user logs on to the system.

711 Other ways, such as using Verclsid.exe (which is used to verify a COM object before Windows
712 Explorer instantiates it) or Xwizard.exe (which checks the system performance to eliminate
713 possible application conflicts and system failures), are also implemented by attackers for this
714 persistence technique [84].

715 In order to detect this technique, the registry changes should be monitored, especially when an
716 entry with a known good path and binary is altered or modified to an unusual value to refer to
717 an unknown binary at a new location. Even using tools like AutoRuns is challenging to detect
718 COM Hijacking because it is undoubtedly silent. It is necessary to look at the presence of
719 objects within HKEY_CURRENT_USER\Software\Classes\CLSID\ because they may be
720 anomalous and should be investigated since user objects will be loaded before machine objects
721 in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID.

722 Windows Service

723 Windows Service is a sub-technique in Create or Modify System Process group. The malware
724 will be executed repeatedly by creating or modifying system-level processes. These processes
725 are referred to as services and run in the background. It is the reason why this persistence
726 technique is called Windows Service.

727 This technique requires administrative privilege to establish persistence. After gaining the
728 administrative rights using privileged escalation techniques, the attackers can install other .exe
729 malware (using Win32ownProcess Service Type), .dll malware (using Win32ShareProcess
730 Service Type), or kernel drivers malware (using kernel Driver Service Type) as Windows
731 services. They even change the existing services to serve their purposes. Windows Service
732 technique is frequently used for persistence because the system services can start automatically
733 with the system, and most of them will work with administrative privilege. If they crash, they
734 resume the service, which is an extra advantage. Some services may also be launched before
735 the user logs in, as these services are responsible for system configuration. On Windows, the
736 installed services and their configuration are stored in the following registry key:

737 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

738 The attackers have many methods to create services on Windows:

739 • Using sc utility: in this method, malware will use cmd.exe to execute commands such
740 as sc create (creating a service), sc start (starting a service). For example, to create a
741 service with the name: malwar3 for malware.exe file in C:\Temp\ and launch this
742 service automatically by sc, we can use the command: sc create malwar3
743 binpath=C:\Temp\malware.exe start = auto && sc start malwar3. The parameter

22
744 “binpath” is used to execute the arbitrary payload and the “auto” to initiate the rogue
745 service automatically.
746 • Using regsvr32.exe: to register services with command: regsvr32.exe
747 <path_to_service_dll>.
748 • Using batch script: in this method, the malware will execute a specific .bat file
749 downloaded from a Command & Control Server. The mission of the .bat file is to
750 execute the sc command to create and start the malicious service.
751 • Using Windows API functions: malware can use Windows API functions to create the
752 service like CreateService(), to start the service like StartService(). Many modern
753 malware uses these API functions, which are usually included in the Import DLL library
754 of the malware.
755 • Using Powershell: to create a service in Powershell, malware can use cmdlet New-
756 Service: New-Service -Name "malware" -BinaryPathName "C:\Temp\malware.exe" -
757 Description "DemoWinService" -StartupType Automatic and then sc start malware.
758 • Using Windows Management Instrumentation (WMI): WMI enables system
759 administrators to manage devices and applications in a Windows environment locally
760 and remotely. WMI scripts can be used to automate administrative tasks. WMI utility
761 wmic beneficial to attackers to create services or event establish persistence.

762 In addition to creating new services, attackers can modify or hijack the existing services, which
763 are unused or disabled. In this way, the possibility of malware detection will be reduced
764 because the users often tend to ignore or not focus on standard or recognized Services.

765 Malware usually carries its payload or loads another malicious file from the remote server to
766 the system and then registers secondary payload/malware as a service. Some modern malware
767 also combines this technique with the Masquerading technique [4] to manipulate the
768 characteristics of their payloads to make them appear legitimate or benign to security tools and
769 users. Masquerading techniques happen when the name or location of an object, malicious or
770 legitimate, is manipulated or abused to evade observation and defences.

771 After registering as a service, the malware will be run by the services.exe process. It runs each
772 registered service directly, if it is an executable file or through the svchost.exe process. A listing
773 of the services that are launched under svchost.exe can be found here:

774 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

775 Typical malwares applying this technique are Anchor [85], APT19 [13], AuditCred [86],
776 BitPaymer [17], Cobalt Strike [12], Elise [87], Empire [24], Emotet [48], gh0st RAT [88],
777 Kazuar [89], Kimsuky [90], TinyZBot [91], TrickBot [92].

778 We can use AutoRuns or Procmon tools to detect the Windows Service technique. We also
779 need to monitor the changes to the service registry key related to illegitimate programs and
780 check if the malware registers itself as a service using any commands like regsvr32.exe and
781 sc.exe. If it does, we must trace the exe or DLL paths to the file registered as a service.

782 Because many malware use cmd.exe as an essential tool to implement malicious services, we
783 should look for instances of the cmd.exe spawning from the services.exe, which attackers
784 employ to execute commands as the local SYSTEM account.

23
785 We can analyze how malware (MD5: 14f60998a77261a97c719b05e246716b) establishes the
786 persistence to understand the Windows Service technique.

787 After being executed, this malware drops a DLL file (netdwhcw.dll) in %SystemRoot% and
788 registers a new registry key (Figure 27):

789 [RegSetValue] services_malware_sample.exe:4788 >

790 HKLM\System\CurrentControlSet\Services\netTcpSvc\Parameters\ServiceDll=%SystemRoo
791 t%\netdwhcw.dll

792

793

794

795

796 Figure 27: The malware registers netdwhcw.dll as a service on the system

797 We can see that the malware registered malicious DLL as a service netTcpSvc (Figure 28) with
798 the path pointing to the DLL file (%SystemRoot%).

799

800

801

802

803

804

805

806

807

808 Figure 28: AutoRuns tool detects the change in Services

809 A brief comparison of the abovementioned persistence techniques is presented in Table 1.

810

811

812

24
813 Table 1: A brief comparison of the popular persistence techniques.
Name Group Sub- Permissions Description Detection
technique Required
Registry Boot or Yes Administrator, Adding an entry Monitoring
Run/RunOnce Logon User to the "run keys" Registry for
Key Autostart in the Registry. changes to run
Execution It will execute keys using
the specified AutoRuns
application
whenever a user
signs in.
Startup Boot or Yes Administrator, Adding an Tracking
Folder Logon User application to a startup folders
Autostart Startup Folder for changes
Execution will force the using
application to AutoRuns or
run whenever a Task Manager
user logs in.
Winlogon Boot or Yes Administrator, Abusing Monitoring for
Helper DLL Logon SYSTEM features of changes to
Autostart Winlogon to Registry
Execution execute DLLs entries
and/or associated
executables with
when a user logs Winlogon that
in. do not
correlate with
known
software.
Scheduled Scheduled No Administrator, Abusing task Monitoring
Task/Job Task/Job SYSTEM, scheduling scheduled task
User functionality to creation from
facilitate initial standard
or recurring utilities using
execution of the command-
malware line invocation
Image File Event- Yes Administrator, Forging a Monitoring
Execution Triggered SYSTEM malicious registry values
Options Execution executable file associated
Injection as a debugger of with IFEOs, as
(IFEO) a specific well as silent
process process exit
monitoring,
for
modifications
that do not
correlate with
known
software

25
Accessibility Event- Yes Administrator Changing the Monitoring
Features/Prog Triggered accessibility the changes to
rams Execution programs by accessibility
malware then utility binaries
executing or binary paths
malicious that do not
content correlate with
triggered by key known
combinations at software
the login screen.
AppInit DLLs Event- Yes Administrator Changing the Monitoring
Triggered value in AppInit DLL loads by
Execution DLLs registry processes that
key to contain load user32.dll
the malicious and looking
DLL path, then for DLLs that
taking are not
advantage of recognized or
user32.dll to not generally
load that loaded into a
malicious DLL process
Component Event- Yes User Malware Searching for
Object Model Triggered replaces COM registry
Hijacking Execution object registry references that
entries to refer have been
to a malicious replaced and
payload. If the through
COM client registry
launches, it will operations
load the replacing
malicious known binary
payload paths with
unknown
paths or
otherwise
malicious
content
DLL Search Hijack Yes Administrator, Hijacking the Monitoring
Order Execution User search order file systems
Hijacking Flow used to load for moving,
DLLs by renaming,
dropping a replacing, or
malicious DLL modifying
in a directory, DLLs.
which will be
searched before
the location of a
legitimate
library is used

26
 Windows Create or Yes Administrator Installing the Monitoring
Service Modify malware as a processes and
System service and then command-line
Process creating registry arguments for
key value for actions that
that service to could create or
start it with the modify
system services.

814 Conclusions

815 This paper reviews the ten popular persistence techniques implemented by almost all modern
816 malware. These techniques allow the malware to survive system reboots and shutdowns. The
817 techniques that have been mentioned are:

818 • Registry Run/RunOnce Key

819 • Startup Folder
820 • Scheduled Task/Job
821 • Winlogon Helper DLL
822 • Image File Execution Options Injection (IFEO)
823 • Accessibility Features/Programs
824 • AppInit DLLs
825 • DLL Search Order Hijacking
826 • Component Object Model Hijacking
827 • Windows Service

828 It can be seen that most of the above techniques are related to the registry keys (creating a new
829 one or modifying the existing one). Therefore, monitoring changes in the registry key is a
830 mandatory task during malware analysis. Tools such as Autoruns, Procmon, Regshot,
831 procDOT, and Noriben are handy for this analysis process.

832 In the above techniques, Registry Run Key, Startup Folder, Scheduled Task, Component Object
833 Model Hijacking, and DLL Search Order Hijacking are easily exploited by malware because
834 they can be implemented with a regular user. They do not require administrative privilege,
835 although, with administrative privilege, the efficiency of these techniques will be greater.

836 Additionally, many malware will need the administrative privilege to perform persistence on
837 the system. That is why we need to be careful when granting executable rights to applications
838 or files running on the system. Also, note that many malware combine different techniques to
839 increase the effectiveness of their persistence.

840 Finally, although these techniques have appeared for a long time, there are still a few
841 countermeasures against persistence. In this paper, we have reviewed some mitigation methods
842 for these techniques. However, there is no optimal solution for all the above persistence
843 techniques. Some applications of deep learning techniques can also be considered in further
844 research for quick and automatic detection of these persistence techniques.

27
845 Conflicts of Interest

846 The authors declare that there is no conflict of interest regarding the publication of this paper.
847
848 Acknowledgments

849 This work was supported by the EIAS Data Science Lab, College of Computer and Information
850 Sciences, Prince Sultan University, Riyadh, Saudi Arabia.

851 References
852 [1] A. K. Pandey, A. K. Tripathi, G. Kapil et al., “Trends in Malware Attacks: Identification and Mitigation
853 Strategies,” In Critical Concepts, Standards, and Techniques in Cyber Forensics. IGI Global, pp 47-60,
854 2020.

855 [2] I.A. Saeed, A. Selamat, A. M. Abuagoub, “A survey on malware and malware detection systems,”
856 International Journal of Computer Applications, 67(16), 2013.

857 [3] D. Rendell, “Understanding the evolution of malware,” Computer Fraud & Security, 2019(1), pp. 17-
858 19, 2019.

859 [4] A. Afianian, S. Niksefat, B. Sadeghiyan et al., “Malware dynamic analysis evasion techniques: A
860 survey,” ACM Computing Surveys (CSUR), 52(6), pp. 1-28, 2019.

861 [5] K. Oosthoek, C. Doerr, “Sok: Att&ck techniques and trends in windows malware,” In International
862 Conference on Security and Privacy in Communication Systems, Springer, pp. 406-425, 2019.

863 [6] Z. Gittins, M. Soltys, “Malware Persistence Mechanisms,” Procedia Computer Science, 176, pp. 88-97,
864 2020

865 [7] J. Mankin, “Classification of malware persistence mechanisms using low-artifact disk instrumentation,”
866 Doctoral dissertation, Northeastern University, 2013.

867 [8] M. S. Webb, “Evaluating tool based automated malware analysis through persistence mechanism
868 detection,” Doctoral dissertation, Kansas State University, 2018.

869 [9] P. Wardle, “Methods of malware persistence on Mac OS X,” In Proceedings of the virus bulletin
870 conference, pp. 1–11, 2014.

871 [10] C. Brierley, J. Pont, B. Arief, et al., “Persistence in linux-based IoT malware,” In Nordic Conference on
872 Secure IT Systems, Springer, pp. 3-19, 2020.

873 [11] A. M. Benchea Răzvan, C. Vatamanu, V. Luncasu, “Apt28 under the scope, a journey into exfiltrating
874 intelligence and government information,”
875 https://businessresources.bitdefender.com/apt28_research_whitepaper, 2015. Accessed January, 2022.

876 [12] I. Ahl, “Privileges and credentials: Phished at the request of counsel,”
877 https://www.fireeye.com/blog/threat-research/2017/06/phished-atthe-request-of-counsel.html, 2017.
878 Accessed June, 2022.

879 [13] J. Grunzweig, B. Lee, “New attacks linked to c0d0so0 group,”

880 https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group, 2016. Accessed June, 2022.

881 [14] G. Hoglund, J. Butler, “Rootkits: subverting the Windows kernel,” Addison-Wesley Professional, 2006.

28
882 [15] B. Lee, J. Grunzweig, “Bbsrat attacks targeting russian organizations linked to roaming tiger,”
883 http://researchcenter.paloaltonetworks.com/2015/12/bbsratattacks-targeting-russian-organizations-
884 linked-to-roaming-tiger, 2015. Accessed June, 2022.

885 [16] K. Hayashi, V. Ray, “Bisonal malware used in attacks against russia and south korea,”
886 https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonalmalware-used-attacks-russia-
887 south-korea, 2018. Accessed June, 2022.

888 [17] S. Frankoff, B. Hartley, “Big game hunting: The evolution of indrik spider from dridex wire fraud to
889 bitpaymer targeted ransomware,” https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-
890 of-indrikspider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware, 2018. Accessed June,
891 2022.

892 [18] PwC and Systems Bae, “Operation cloud hopper: Technical annex,” https://www.pwc.co.uk/cyber-
893 security/pdf/pwc-uk-operation-cloud-hopper-report-april-2017.pdf, 2017. Accessed June, 2022.

894 [19] F-security Labs, “Cozyduke: Malware analysis,” https://blog-assets.f-

895 secure.com/wpcontent/uploads/2019/10/15163418/CozyDuke.pdf, 2015. Accessed June, 2022.

896 [20] A. K. Yadav, A. Singh, D. Desai, “Cobian rat - a backdoored rat,”

897 https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat, 2017. Accessed June, 2022.

898 [21] A. Blaich, A. Kumar, J. Richards et al., “Dark caracal: Cyber-espionage at a global scale,”
899 https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf,
900 2018. Accessed June, 2022.

901 [22] ClearSky, “Operation dustysky,”

902 https://www.clearskysec.com/wpcontent/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf,
903 2016. Accessed June, 2022.

904 [23] M. Faou, M. Tartare, T. Dupuy, “Operation ghost: The dukes aren’t back - they never left,”
905 https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf,
906 2019. Accessed June, 2022.

907 [24] W. Schroeder, J. Warner, M. Nelson, “Github powershellempire,”

908 https://github.com/EmpireProject/Empire, 2018. Accessed June, 2022.

909 [25] Fidelis Cybersecurity Solutions, “Fidelis threat advisory 1009: njrat uncovered,”
910 https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf, 2013. Accessed June,
911 2022.

912 [26] M. Hoang, “Malicious activity report: Elements of lokibot infostealer,”

913 https://insights.infoblox.com/threatintelligence-reports/threat-intelligence–22, 2019. Accessed June,
914 2022.

915 [27] B. Jensen, V. B. Benjaminand, R. Maness, “Fancy bears and digital trolls: Cyber strategy with a Russian
916 twist,” Journal of Strategic Studies, 42(2), pp. 212–234, 2019.

917 [28] N. Moran, M. Scott, M. Oppenheim et al., “Operation double tap,” https://www.fireeye.com/blog/threat-
918 research/2014/11/operation_doubletap.html. 2014. Accessed June, 2022.

919 [29] A. Cherepanov, “Greyenergy a successor to blackenergy,”

920 https://www.welivesecurity.com/wpcontent/uploads/2018/10/ESET_GreyEnergy.pdf. 2018. Accessed
921 June, 2022.

29
922 [30] N. Carr, K. Goody, S. Miller et al., “On the hunt for fin7: Pursuing an enigmatic and evasive global
923 criminal operation,” https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuingan-enigmatic-
924 and-evasive-global-criminal-operation.html. 2018. Accessed June, 2022.

925 [31] R. Sherstobitoff and J. Saavedra-Morales, “Gold dragon widens Olympics malware attacks, gains
926 permanent presence on victims’ systems,” https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-
927 dragonwidens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems. 2018.
928 Accessed June, 2022.

929 [32] D. Abramov and L. Kessem, “Grandoreiro malware now targeting banks in Spain,”
930 https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/. 2020.
931 Accessed June, 2022.

932 [33] Z. Hromcova, A. Cherepanov, “Invisimole: The hidden part of the story,”
933 https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf. 2020. Accessed
934 June, 2022.

935 [34] P. Rascagneres, “Konni: A malware under the radar for years,”
936 https://blog.talosintelligence.com/2017/05/konnimalware-under-radar-for-years.html. 2017. Accessed
937 June, 2022.

938 [35] F. Axel, T. Pierre, “Leviathan: Espionage actor spearphishes maritime and defense targets,”
939 https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-
940 and-defense-targets. 2017. Accessed June, 2022.

941 [36] Kaspersky Global Research Analysis Team, “El machete,” https://securelist.com/el-machete/66108.
942 2014. Accessed June, 2022.

943 [37] C. Erlich, “The avast abuser: Metamorfo banking malware hides by abusing avast executable,”
944 https://medium.com/@chenerlich/the-avast-abuser-metamorfobanking-malware-hides-by-abusing-
945 avast-executable-ac9b8b392767. 2019. Accessed June, 2022.

946 [38] Cybereason Nocturnus Team, “Molerats in the cloud: New malware arsenal abuses cloud platforms in
947 middle east espionage campaign,”
948 https://www.cybereason.com/hubfs/dam/collateral/reports/Moleratsin-the-Cloud-New-Malware-
949 ArsenalAbuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf. 2020. Accessed June, 2022.

950 [39] M. Russinovich, A. Margosis, “A Troubleshooting with the Windows Sysinternals Tools,”
951 https://docs.microsoft.com/en-us/sysinternals/resources/troubleshooting-book. 2016. Accessed June,
952 2022.

953 [40] FireEye, “Highly evasive attacker leverages solarwinds supply chain to compromise multiple global
954 victims with sunburst backdoor,” https://www.fireeye.com/blog/threat-research/2020/12/evasive-
955 attacker-leveragessolarwinds-supply-chain-compromises-with-sunburst-backdoor.html. 2020.
956 Accessed June, 2022.

957 [41] Counter Threat Unit Research Team, “Bronze butler targets Japanese enterprises,”
958 https://www.secureworks.com/research/bronzebutler-targets-japanese-businesses. 2017. Accessed
959 June, 2022.

960 [42] F. Plan, N. Fraser, J. O’Leary et al., “Apt40: Examining a china-nexus espionage actor,”
961 https://www.fireeye.com/blog/threat-research/2019/03/apt40-examininga-china-nexus-espionage-
962 actor.html. 2019. Accessed June, 2022.

963 [43] McAfee Labs, “Global energy cyberattacks: Night dragon,” https://securingtomorrow.mcafee.com/wp-
964 content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf. 2011. Accessed June,
965 2022.

30
 966 [44] Cybereason Nocturnus, “Operation soft cell: A worldwide campaign against telecommunications
967 providers,” https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-
968 against-telecommunications-providers. 2019. Accessed June, 2022.

969 [45] J. Walter, “Agent tesla: Old rat uses new tricks to stay on top,” https://labs.sentinelone.com/agent-tesla-
970 old-rat-uses-new-tricks-to-stay-on-top. 2020. Accessed June, 2022.

971 [46] M. Faou, “From agent.btz to comrat v4: A ten-year journey,” https://www.welivesecurity.com/wp-
972 content/uploads/2020/05/ESET_- Turla_ComRAT.pdf. 2020. Accessed June, 2022.

973 [47] A. Dahan, L. Rochberger, D. Frank et al., “Back to the future: Inside the kimsuky kgh spyware suite,”
974 https://www.cybereason.com/blog/back-to-thefuture-inside-the-kimsuky-kgh-spyware-suite. 2020.
975 Accessed June, 2022.

976 [48] US-CERT, “Alert (ta18-201a) Emotet Malware,” https://www.us-cert.gov/ncas/alerts/TA18-201A. 2018.

977 Accessed June, 2022.

978 [49] FireEye iSIGHT Intelligence, “Fin10: Anatomy of a cyber-extortion operation,”

979 https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf. 2017. Accessed June, 2022.

980 [50] D. Adamitis, D. Maynor, K. McKay, “It’s alive: Threat actors cobble together open-source pieces into
981 monstrous frankenstein campaign,” https://blog.talosintelligence.com/2019/06/frankenstein-
982 campaign.html. 2019. Accessed June, 2022.

983 [51] FireEye, “Poison ivy: Assessing damage and extracting intelligence,”
984 https://www.fireeye.com/content/dam/fireeye-www/global/en/currentthreats/pdfs/rpt-poison-ivy.pdf.
985 2014. Accessed June, 2022.

986 [52] Symantec Security Response, “W32.duqu: The precursor to the next stuxnet,”
987 https://docs.broadcom.com/docs/w32-duqu-11-en. 2019. Accessed June, 2022.

988 [53] A. Brandt, P. Mackenzie, “Maze attackers adopt Ragnar locker virtual machine technique,”
989 https://news.sophos.com/en-us/2020/09/17/maze-attackersadopt-ragnar-locker-virtual-machine-
990 technique. 2020. Accessed June, 2022.

991 [54] K. Wilhoit, R. Falcone, “Oilrig uses updated bondupdater to target middle eastern government,”
992 https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updatedbondupdater-target-middle-eastern-
993 government. 2018. Accessed June, 2022.

994 [55] Windows Defender Advanced Threat Hunting Team, “Platinum: Targeted attacks in South and Southeast
995 Asia,” https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE4F5B-A77B-
996 71200928D209/Platinum%20feature%20article%20-
997 %20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf. 2016.
998 Accessed June, 2022.

999 [56] M. Sadique, A. Singh, “Spear phishing campaign delivers buer and bazar malware,”
1000 https://www.zscaler.com/blogs/research/spear-phishing-campaigndelivers-buer-and-bazar-malware.
1001 2020. Accessed June, 2022.

1002 [57] K. Goody, J. Kennelly, J. Shilko et al., “Unhappy hour special: Kegtap and singlemalt with a ransomware
1003 chaser,” https://www.fireeye.com/blog/threat-research/2020/10/kegtap-andsinglemalt-with-a-
1004 ransomware-chaser.html. 2020. Accessed June, 2022.

1005 [58] D. Legezo, “Chafer used remexi malware to spy on iran-based foreign diplomatic entities,”
1006 https://securelist.com/chafer-used-remexi-malware/89538. 2019. Accessed June, 2022.

31
1007 [59] ESET, “Gazing at gazer: Turla’s new second stage backdoor,” https://www.welivesecurity.com/wp-
1008 content/uploads/2017/08/eset-gazer.pdf. 2017. Accessed June, 2022.

1009 [60] J. Chen, “Tropic trooper’s back: Usbferry attack targets air gapped environments,”
1010 https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Troopers-Back-USBferry-Attack-Targets-
1011 Air-gapped-Environments.pdf. 2020. Accessed June, 2022.

1012 [61] ESET, “Diplomats in eastern europe bitten by a turla mosquito,”

1013 https://www.welivesecurity.com/wpcontent/uploads/2018/01/ESET_Turla_Mosquito.pdf. 2018.
1014 Accessed June, 2022.

1015 [62] Proofpoint Threat Insight Team, “Ta505 distributes new sdbbot remote access Trojan with get2
1016 downloader,” https://www.proofpoint.com/us/threat-insight/post/ta505-distributesnew-sdbbot-remote-
1017 access-trojan-get2-downloader. 2019. Accessed June, 2022.

1018 [63] S. Miller, N. Brubaker, D. K. Zafra, “Triton actor ttp profile, custom attack tools, detections, and att&ck
1019 mapping,” https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttpprofile-custom-attack-
1020 tools-detections.html. 2019. Accessed June, 2022.

1021 [64] MSTIC and CDOC and 365 Defender Research Team, “Deep dive into the solorigate second-stage
1022 activation: From sunburst to teardrop and raindrop,”
1023 https://www.microsoft.com/security/blog/2021/01/20/deep-dive-intothe-solorigate-second-stage-
1024 activation-from-sunburst-to-teardrop-and-raindrop. 2021. Accessed June, 2022.

1025 [65] Microsoft, “Gflags overview,” https://docs.microsoft.com/en-

1026 us/windowshardware/drivers/debugger/gflags-overview. 2017. Accessed June, 2022.

1027 [66] R. Kazanciyan, “The “hikit” rootkit: Advanced and persistent attack techniques (part 1),”
1028 https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkitadvanced-persistent-attack-
1029 techniques-part-1.html. 2012. Accessed June, 2022.

1030 [67] Novetta, “Operation smn: Axiom threat actor group report,”
1031 http://www.novetta.com/wpcontent/uploads/2014/11/Executive_Summary-Final_1.pdf. 2014. Accessed
1032 June, 2022.

1033 [68] Response RI, “RSA incident response emerging threat profile: Shell crew,”
1034 https://www.rsa.com/content/dam/en/whitepaper/rsa-incident-response-emerging-threat-profile-shell-
1035 crew.pdf. 2014. Accessed June, 2022.

1036 [69] CISA, “Iran-based threat actor exploits VPN vulnerabilities,” https://uscert.cisa.gov/ncas/alerts/aa20-
1037 259a. 2020. Accessed June, 2022.

1038 [70] F. Nalani, P. Fred, O. Jacqueline et al., “Apt41: A dual espionage and cyber crime operation,”
1039 https://www.fireeye.com/blog/threat-research/2019/08/apt41-dualespionage-and-cyber-crime-
1040 operation.html. 2019. Accessed June, 2022.

1041 [71] D. Maldonado, T. McGuffin, “Sticky keys to the kingdom,”

1042 https://www.slideshare.net/DennisMaldonado5/stickykeys-to-the-kingdom. 2016. Accessed June, 2022.

1043 [72] G. Comi, “Abusing windows 10 narrator’s ’feedback-hub’ uri for fileless persistence,”
1044 https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narratorsfeedback.html. 2019. Accessed
1045 June, 2022.

1046 [73] FBI, “Indicators of compromise associated with rana intelligence computing, also known as advanced
1047 persistent threat 39, chafer, cadelspy, remexi, and itg07,”
1048 https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf. 2020. Accessed June, 2022.

32
1049 [74] E. Merritt, “Shining the spotlight on Cherry Picker POS malware,”
1050 https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-theSpotlight-on-Cherry-Picker-PoS-
1051 Malware. 2015. Accessed June, 2022.

1052 [75] I. Sanmillan, “Ramsay: A cyberespionage toolkit tailored for air-gapped networks,”
1053 https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkitairgapped-networks. 2020.
1054 Accessed June, 2022.

1055 [76] J. Grunzweig, J. MillerOsborn, “T9000: Advanced modular backdoor uses complex anti-analysis
1056 techniques,” https://unit42.paloaltonetworks.com/t9000-advanced-modular-backdoor-usescomplex-
1057 anti-analysis-techniques. 2016. Accessed June, 2022.

1058 [77] Kaspersky Team, “Blackoasis APT and new targeted attacks leveraging zero-day exploit,”
1059 https://securelist.com/blackoasis-apt-andnew-targeted-attacks-leveraging-zero-day-exploit/82732.
1060 2017. Accessed June, 2022.

1061 [78] FireEye iSIGHT Intelligence, “Apt10 (menupass group): New tools, global campaign latest
1062 manifestation of longstanding threat,”
1063 https://www.fireeye.com/blog/threatresearch/2017/04/apt10_menupass_grou.html. 2017. Accessed
1064 June, 2022.

1065 [79] J. Rosenberg, “Miragefox: Apt15 resurfaces with new tools based on old ones,”
1066 https://www.intezer.com/miragefox-apt15-resurfaces-with-newtools-based-on-old-ones. 2018.
1067 Accessed June, 2022.

1068 [80] N. Carr, J. Yoder, K. Goody et al., “Mahalo fin7: Responding to the criminal operators’ new tools and
1069 techniques,” https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-
1070 tools-and-techniques.html. 2019. Accessed June, 2022.

1071 [81] M. Hastings, “Don’t get hijacked! searching for DLL load order attacks with Tanium,”
1072 https://www.tanium.com/blog/dont-hijack-me-bro-searching-for-dllload-order-attacks-with-tanium.
1073 2016. Accessed June, 2022.

1074 [82] K. A. Monnappa, “Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze
1075 and investigate Windows malware,” Packt Publishing Ltd., 2018.

1076 [83] W. Mercer, P. Rascagneres, V. Ventura, “Cyber conflict: Decoy document used in real cyber conflict,”
1077 https://blog.talosintelligence.com/2017/10/cyber-conflictdecoy-document.html. 2017. Accessed June,
1078 2022.

1079 [84] Bohops, “Abusing the com registry structure (part 2): Hijacking & loading techniques,”
1080 https://bohops.com/2018/08/18/abusing-the-com-registry-structurepart-2-loading-techniques-for-
1081 evasion-and-persistence. 2018. Accessed June, 2022.

1082 [85] A. Dahan, L. Rochberger, E. Salem et al., “Dropping anchor: From a trickbot infection to the discovery
1083 of the anchor Malware,” https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-
1084 infectionto-the-discovery-of-the-anchor-malware. 2019. Accessed June, 2022.

1085 [86] L. Bermejo, J. Soares, “Lazarus continues heists, mounts attacks on financial organizations in Latin
1086 America,” https://blog.trendmicro.com/trendlabs-security- intelligence/lazarus-continuesheists-
1087 mounts-attacks-on-financial-organizations-in-latin-america. 2018. Accessed June, 2022.

1088 [87] R. Falcone, J. Grunzweig, J. Miller, “Operation lotus blossom,”

1089 https://www.paloaltonetworks.com/resources/research/unit42-operationlotus-blossom.html. 2018.
1090 Accessed June, 2022.

33
1091 [88] N. Pantazopoulos, “Decoding network data from a gh0st rat variant,”
1092 https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/. 2018.
1093 Accessed June, 2022.

1094 [89] B. Levene, R. Falcone, T. Halfpop, “Kazuar: Multiplatform espionage backdoor with API access,”
1095 https://unit42.paloaltonetworks.com/unit42-kazuarmultiplatform-espionage-backdoor-api-access.
1096 2017. Accessed June, 2022.

1097 [90] D. Tarakanov, “The “kimsuky” operation: A North Korean APT?,” https://securelist.com/the-kimsuky-
1098 operation-a-north-korean-apt/57915. 2013. Accessed June, 2022.

1099 [91] Cylance, “Operation cleaver,” https://www.cylance.com/content/dam/cylance/pages/operation-

1100 cleaver/Cylance_- Operation_Cleaver_Report.pdf. 2014. Accessed June, 2022.

1101 [92] N. A. Llimos, C. M. Pascual, “Trickbot shows off new trick: Password grabber module,”
1102 https://blog.trendmicro.com/trendlabs-security-intelligence/trickbotshows-off-new-trick-password-
1103 grabber-module. 2018. Accessed June, 2022.

34

View publication stats