In 2022, Volexity collaborated with the University of Applied Sciences Leiden, Digital Forensics & E-Discovery to establish a minor in memory and malware forensics. Peter van der Wijden, head lecturer, proposed the minor as part of the BSc program, with the intention of also integrating these topics into the MSc program. The Minor Memory and Malware Forensics program consists of a 20-week period. First, students participate in the well-known Malware and Memory Forensics with Volatility course to establish a baseline of knowledge regarding memory and malware forensics. After successful completion of the course, the students propose a research topic they are interested in investigating. They focus on this research for the remainder of the time period.
Part 1: Volatility Training
Volexity has hosted a number of interns specializing in software engineering from universities in the US. As part of its international expansion, Volexity agreed to host two interns, based in the Netherlands, as part of Leiden’s Digital Forensics & E-Discover Minor Memory and Malware Forensics program. In February 2022, Lukas van Rijn and Anthony Branger were onboarded. Both students are specializing in digital forensics and electronic discovery. They were interested in augmenting their current curriculum with a deeper dive into the field of memory and malware forensics.
To begin their internship, Lukas and Anthony completed the Malware and Memory Forensics with Volatility course over a two-week period.
“The minor started off with the great Malware and Memory Forensics Training course. This course really kickstarted my understanding and boosted my interest even more. The training course is very nicely paced and structured with all the various subjects it covers. I felt that it also translated very well into online-only education with clear assignments and well-explained lesson videos. What I also very much appreciated was that we (Mr. Mora, the other student and I) together set the deadlines for the completion of the course.
“After completion of the training course we picked a subject I would be researching for the main part of the minor. Mr Sean Koessel came up with the great idea to examine a memory sample infected with Cobalt Strike. I knew that this malware is having a very big impact on a lot of businesses, so researching it would be thrilling and the results could be very helpful.”
Part 2: Research
Cobalt Strike Investigation
In collaboration with the Red Team of Shell Cyberdefense, Lukas investigated which traces of Cobalt Strike—an infamous adversary simulation framework often leveraged by (ransomware) threat actors—were left behind in memory after a successful compromise and how better detections could be made. In his research, three scenarios were investigated:
- Scenario 1 – Default Cobalt Strike configuration
- Scenario 2 – Mimicking threat actor ransomware group Conti with Cobalt Strike
- Scenario 3 – The blind Cobalt Strike session
Before starting this research, Lukas had a limited understanding of memory forensics and no prior knowledge of Cobalt Strike. Armed with the Volatility framework and Yara, Lukas was able to reconstruct many of the memory resident artifacts.
“Creating the memory samples were very fun, interesting, and educative moments. This happened in three parts, the first memory sample being an unmodified Cobalt Strike payload , the second one where a threat actor was emulated and the last one a heavily modified payload. Here I would like to give special thanks to Mariami Gonashvili and Roy Duisters, the red teamers from Shell CyberDefense. They facilitated the Cobalt Strike payload configuration and delivery and without them this research would not have been possible. Seeing them work was riveting and informative. ”
Kernel-level Backdoor in Memory
Anthony already had a reversing engineering background and had the novel idea to develop and manually map a kernel-level driver (backdoor) in memory. The concept of manually mapping a kernel-level driver originates from game hacking, where users try to bypass the anti-cheat system used in popular video games. The goal of his research was to make his driver as stealthy as possible, and even bypass detection capabilities in Volatility. Anthony’s research led to novel ways threat actors could use this technique to bypass EDR technology and even some Volatility detections. For example, Kaspersky reported in 2021 on a threat actor, GhostEmporer, who also used a popular cheat engine to bypass detection. Anthony’s kernel-level backdoor obtained the process list over the network, created files on the filesystem, and killed the process without crashing the compromised system. He also demonstrated techniques for bypassing popular plugins in the Volatility framework.
“Looking back on the experience, seeing how much has been accomplished in such a short period of time… I think it’s safe to say that this has been a great experience to learn and develop new skills. The constant stream of challenges, brought with perfect supervising and support, made it a blast to take them head on. Ranging from moments where we were all brainstorming in regards to certain obstacles, to finding new and interesting accomplishments… There was always a feeling of fulfillment; it was nothing short of a fun yet instructive experience. Even if I came in with some experience, there’s always more to be found. Which makes this digital scavenger hunt a perfect example. Having to constantly adapt to ‘trends’, finding solutions and all the analyses that came with it made it hard to lose motivation. Every day was filled with interesting new things. Thanks to everyone that made this possible.”
Anthony produced two memory sample scenarios with his own rootkit that other students can further investigate to enhance their memory forensics skills.
From left to right: Lukas van Rijn, Anthony Branger, and head lecturer/researcher Peter van der Wijden (University of Applied Sciences Leiden)
The Extra Credit
Both Lukas and Anthony were exposed to software regression testing during their minor and helped test Volexity’s new Volcano One beta release. They were able to submit several interesting enhancements and fixes. Volexity Threat team lead, Tom Lancaster, also taught both students how Volexity tracks nation-state threat actors.
“Speaking of threat actors, during the minor we were given a presentation by Tom Lancaster. I really learned a lot about how threat actors are identified. It was awesome to see how an entire industry works together to contribute to all of our security. ”
We would like to thank our interns for their perseverance, hard work, and wish them the best of luck in the upcoming school year!
If you are interested in future internship opportunities at Volexity, please contact us.