Hancitor: fileless attack with a kernel trick
Overview

The attack involves making a copy of the kernel32.dll library, which exposes some of the most important Windows APIs, and using this innocuous-looking copy to create a new malicious process.

Technical analysis

The Word macro decodes the first stage of the payload and then calls the NtAllocateVirtualMemory API to copy the decoded code into a newly allocated memory area. The payload then resolves the address of the ntdll!LdrLoadDll API and calls it to obtain handles to the kernel32.dll and psapi.dll libraries, the latter being used to obtain information on the status of processes and drivers. After resolving those API functions, it calls the kernel32!ExpandEnvironmentStringsW API to expand the string %temp%\krnl32.dll into a full path. The payload then calls CreateProcessW from the copy krnl32.dll instead of from kernel32.dll, as one would have expected. Finally, it calls the WriteProcessMemory API to overwrite other areas of the suspended svchost process and eventually resumes the process (process hollowing trick).
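The behaviour described above leaves two telemetry artifacts a defender can key on: a DLL whose PE OriginalFileName is kernel32.dll being loaded from a path outside the Windows system directories (the %temp%\krnl32.dll copy), and an Office process creating svchost.exe (the hollowing target). The following detection logic is an added example, not code from the original article or from any vendor tool; it assumes Sysmon-style image-load and process-create events flattened into key=value lines, and the sample events it runs over are constructed for illustration.

```python
import re

# Locations where a genuine kernel32.dll is expected to live (assumed, lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Office host processes that should not be spawning service hosts (assumed list).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events, not real telemetry. Fields mirror Sysmon's
# ImageLoaded/OriginalFileName (event 7) and Image/ParentImage (event 1).
SAMPLE_EVENTS = [
    "type=ImageLoad image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE "
    "loaded=C:\\Windows\\System32\\kernel32.dll original=kernel32.dll",
    "type=ImageLoad image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE "
    "loaded=C:\\Users\\victim\\AppData\\Local\\Temp\\krnl32.dll original=kernel32.dll",
    "type=ProcessCreate image=C:\\Windows\\System32\\svchost.exe "
    "parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "type=ProcessCreate image=C:\\Windows\\System32\\svchost.exe "
    "parent=C:\\Windows\\System32\\services.exe",
]

# Lazy match up to the next " key=" token so paths containing spaces survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict of field -> value."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_relocated_kernel32(ev: dict) -> bool:
    """A copy of kernel32.dll keeps its OriginalFileName; flag it when the
    module is loaded from anywhere but the system directories."""
    if ev.get("type") != "ImageLoad":
        return False
    if ev.get("original", "").lower() != "kernel32.dll":
        return False
    return not ev.get("loaded", "").lower().startswith(SYSTEM_DIRS)


def is_office_spawning_svchost(ev: dict) -> bool:
    """svchost.exe is normally started by services.exe, not by an Office host."""
    if ev.get("type") != "ProcessCreate":
        return False
    return (basename(ev.get("parent", "")) in OFFICE_PROCS
            and basename(ev.get("image", "")) == "svchost.exe")


def detect(lines) -> list:
    """Return (rule_name, raw_line) for every line that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_relocated_kernel32(ev):
            hits.append(("kernel32_copy_outside_system_dir", line))
        if is_office_spawning_svchost(ev):
            hits.append(("office_spawned_svchost", line))
    return hits


if __name__ == "__main__":
    for rule, line in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

Matching on OriginalFileName rather than the on-disk name is what catches the rename to krnl32.dll; a rule that only looked for "kernel32.dll" in the path would miss it. The two rules are independent on purpose: either one alone is a useful alert, and seeing both from the same Office process is a strong indicator of the sequence the article describes.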