Newly discovered malware campaigns use ‘Heaven’s Gate’ technique for evading detection

• These campaigns distributed widely known malware such as HawkEye Reborn, Remcos, and various cryptocurrency mining trojans.
• ‘Heaven’s Gate’ is a decade-old technique which allows 32-bit malware to hide API calls on 64-bit machines.

Security researchers from Cisco Talos discovered a string of malware campaigns that leveraged a decade-old technique for evasion. The technique, known as ‘Heaven’s Gate’, allows malware developed in 32-bit to hide API calls in 64-bit machines. According to the researchers, one of the campaigns distributed the HawkEye Reborn keylogger. Other campaigns mainly spread Remcos, Agent Tesla or cryptocurrency mining trojans.

The big picture

• In a detailed blog post, Cisco Talos researchers highlight how the malware from these campaigns hid inside loaders for execution.
• The malware executed API calls and used ‘Heaven’s Gate’ technique to prevent getting detected by antivirus software.
• All the reported campaigns relied on emails to distribute malware. These emails came in the form of fake invoices, banking statements or other bogus finance-related material.
• The emails either contained malicious Excel spreadsheets or Word documents. These malicious attachments exploited a remote code execution (CVE-2017-11882) flaw present in unpatched Microsoft Office products.
• When opened, the attachments download malware and communicate with the web server on which it is hosted.
• The campaigns are still ongoing and are believed to be using new emails and binaries.

‘Heaven’s Gate’ for attack proliferation

Cisco Talos researchers suggest that the ten-year-old technique might be used extensively to make malware attacks more successful.

“This activity demonstrates how advanced techniques such as Heaven's Gate can be quickly integrated across large portions of the threat landscape. In many cases, the cybercriminals leveraging these kits lack the expertise to implement this type of functionality natively, but can instead leverage available loaders to achieve the same goal,” the researchers wrote.