How to Eavesdrop on Winnti in a Live Environment Using Virtual Machine Introspection (VMI)
2023-04-23 | 16:55 – 17:35
This paper explains how we used VMI to detect an infection with the remote access trojan Winnti, specifically version 3.0, and how to extract and decrypt its communication data with its C&C servers. It should be seen as proof of concept work as we did not use an actual attacker-controlled machine for our experiments. Instead, we simulated real traffic, thus making the malware believe it was connected to a genuine C&C server. We used Virtual Machine Introspection accessed physical memory through the hypervisor. This allowed us to spy on the malware in a manner where even the operating system is unaware about the fact that it is being virtualized. Therefore an attacker would not know that an analyst is monitoring every step. The centerpiece of our approach is a method to extract and decrypt the communication data from in- and output parameters of systemcalls used by the malware, which is explained in detail along the way.