Spyware Hunters Are Expanding Their Tool Set

This invasive malware isn’t just for phones—it can target your PC too. But a new batch of algorithms aims to weed out this threat.
[Photo: MacBooks. Photograph: Justin Sullivan/Getty Images]

The surveillance-for-hire industry's powerful mobile spyware tools have gotten increasing attention lately as tech companies and governments grapple with the scale of the threat. But spyware that targets laptops and desktop PCs is extremely common in an array of cyberattacks, from state-backed espionage to financially motivated scams. In response to this growing threat, researchers from the incident response firm Volexity and Louisiana State University presented new and refined tools at the Black Hat security conference in Las Vegas last week that practitioners can use to catch more PC spyware on Windows 10, macOS 12, and Linux computers.

Widely used PC spyware—the type that often keylogs targets, tracks the movement of their mouse and clicks, listens in through a computer's microphone, and pulls still photos or video from the camera—can be difficult to detect because attackers intentionally design it to leave a minimal footprint. Rather than installing itself on a target's hard drive like a regular application, the malware (or its most important components) exists and runs only in the target computer's memory or RAM. This means that it doesn't generate certain classic red flags, doesn't show up in regular logs, and gets wiped away when a device is restarted. 

Enter the field of “memory forensics,” which is geared precisely toward developing techniques to assess what's going on in this liminal space. At Black Hat, the researchers specifically announced new detection algorithms based on their findings for the open source memory forensics framework Volatility.

“Memory forensics was very different five or six years ago as far as how it was being used in the field both for incident response and by law enforcement,” Volexity director Andrew Case tells WIRED. (Case is also a lead developer of Volatility.) “It’s gotten to the point where even outside really intense malware investigations, memory forensics is needed. But for evidence or artifacts from a memory sample to be used in court or some type of legal proceeding, we need to know that the tools are working as expected and that the algorithms are validated. This latest stuff for Black Hat is really some hardcore new techniques as part of our effort to build out verified frameworks."

Case emphasizes that expanded spyware detection tools are needed because Volexity and other security firms regularly see real examples of hackers deploying memory-only spyware in their attacks. At the end of July, for example, Microsoft and the security firm RiskIQ published detailed findings and mitigations to counter the Subzero malware from an Austrian commercial spyware company, DSIRF.

“Observed victims [targeted with Subzero] to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama,” Microsoft and RiskIQ wrote. Subzero’s main payload, they added, “resides exclusively in memory to evade detection. It contains a variety of capabilities including keylogging, capturing screenshots, exfiltrating files, running a remote shell, and running arbitrary plugins.”

The researchers particularly focused on honing their detections for how the different operating systems talk to “hardware devices” or sensors and components like the keyboard and camera. By monitoring how the different parts of the system run and communicate with each other and looking for new behaviors or connections, memory forensic algorithms can catch and analyze more potentially malicious activity. One potential tell, for example, is to monitor an operating system process that’s always running, say the feature that lets users log in to a system, and to flag it if additional code gets injected into that process after it starts running. If code was introduced later it could be a sign of malicious manipulation.
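As an added illustration of the heuristic just described (example code written for this edit, not part of the article or of Volatility): diff the executable memory regions of a long-running login process between a clean baseline snapshot and a later one, and flag anything that appeared afterwards, has no file backing it on disk, or is writable and executable at once. The process name, pid, addresses and paths are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Region:
    """One mapped memory region as a forensic tool would list it from a RAM dump."""
    pid: int
    process: str
    start: int
    size: int
    perms: str              # "r-x", "rw-", "rwx"
    backing: Optional[str]  # path of the mapped file, or None for anonymous memory

def _key(r: Region) -> Tuple[int, int, int, Optional[str]]:
    return (r.pid, r.start, r.size, r.backing)

def find_injected(baseline: List[Region], later: List[Region]) -> List[Tuple[Region, List[str]]]:
    """Compare a later snapshot against a clean baseline of the same process.
    Flags executable regions that were not there at baseline, that are not
    backed by a file on disk, or that are writable and executable at once."""
    known = {_key(r) for r in baseline if "x" in r.perms}
    findings = []
    for r in later:
        if "x" not in r.perms:
            continue
        reasons = []
        if _key(r) not in known:
            reasons.append("executable region not present at baseline")
        if r.backing is None:
            reasons.append("executable memory not backed by any file")
        if "w" in r.perms:
            reasons.append("region is writable and executable")
        if reasons:
            findings.append((r, reasons))
    return findings

# Constructed sample snapshots of one long-running login process. The pid,
# addresses and sizes are made up for this example, not taken from a real dump.
BASELINE = [
    Region(612, "winlogon.exe", 0x7FF6A0000000, 0x90000, "r-x", r"C:\Windows\System32\winlogon.exe"),
    Region(612, "winlogon.exe", 0x7FFC10000000, 0x1F0000, "r-x", r"C:\Windows\System32\ntdll.dll"),
    Region(612, "winlogon.exe", 0xA0000, 0x20000, "rw-", None),   # stack
    Region(612, "winlogon.exe", 0x1C0000, 0x60000, "rw-", None),  # heap
]
# Same process later: one extra anonymous rwx region, the classic injection shape.
LATER = BASELINE + [Region(612, "winlogon.exe", 0x2F0000, 0x20000, "rwx", None)]

if __name__ == "__main__":
    for region, why in find_injected(BASELINE, LATER):
        print(f"pid {region.pid} {region.process} @ {region.start:#x}: {', '.join(why)}")
```

A real tool would build the baseline from the on-disk image and loaded module list rather than an earlier snapshot, but the comparison logic is the same.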

“If you work in the incident response field, you likely see this malware all the time,” Case said during his Black Hat talk last week. “We see this targeted at our clients on a daily basis. And if you read the reports from other security vendors, it’s pretty much universal that when you have a motivated threat group targeting an organization—whether that’s a research group inside the organization, whether it’s executives, whether it’s down to just an individual person—the malware that gets deployed on those machines is going to leverage access to hardware devices for truly sensitive information.”

To do forensic analysis of what's happening in a device's memory at a given time, researchers dump the memory into a sort of snapshot file of everything that was in there at that moment. If your laptop has 16 GB of RAM and the memory is full, you'll pull out a 16-GB file from it. But to detect attacks in real time, organizations need to set up forensic monitoring on their devices in advance. And not all operating systems make it easy to conduct such monitoring.

Apple, in particular, is known for locking down access to macOS and iOS to minimize system visibility. The company says it takes this approach as a security measure because, in its estimation, users shouldn't need that level of access to operate within the tightly controlled Apple ecosystem. But the stance has been controversial for a number of reasons and has created tension with some security advocates, who say that when exploitable vulnerabilities do inevitably crop up in Apple's software, particularly iOS, the approach gives the hackers an advantage because defenders have more limited insight and control. 

“It can make exploitation harder, and it can make gaining malware persistence on a system harder,” Case says. “But it also makes forensics harder, so the argument goes both ways.” 

The team was able to make progress on developing detection tools for all three major desktop operating systems, though. And Case emphasizes that the goal is simply to detect as much spyware as possible wherever it can be done as the malware proliferates more and more.

“We work with a ton of very targeted organizations around the world and in the US, and it's organizations themselves being targeted. But also, many times, it’s individuals within the organization or within a political movement—these are the people who get targeted with this type of malware,” he says. “So the further we get on this research and the better our forensic tools are, the more we can find this behavior and make it harder for attackers to get into an environment, stay there, and get to data they want.”