A Threat-Informed Approach to Malware Evasion Using DRM and TLS Callbacks

IF 3.6 3区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Access Pub Date : 2025-09-02 DOI:10.1109/ACCESS.2025.3605020

Swayam Tejas Padhy;P. B. Shanthi;Gururaj Bijur;S. Hemalatha

{"title":"A Threat-Informed Approach to Malware Evasion Using DRM and TLS Callbacks","authors":"Swayam Tejas Padhy;P. B. Shanthi;Gururaj Bijur;S. Hemalatha","doi":"10.1109/ACCESS.2025.3605020","DOIUrl":null,"url":null,"abstract":"As adversaries refine their techniques to avoid detection, Advanced Persistent Threats (APTs) are increasingly exploring unconventional mechanisms to maintain stealth. This paper introduces a novel approach that leverages Digital Rights Management (DRM) as an anti-analysis shield to prevent reverse engineering and forensic investigation. By binding malware execution to a specific machine through DRM fingerprinting, sandbox, and virtual-machine analysis are effectively thwarted. To harden this mechanism, anti-debugging via Thread Local Storage (TLS) callbacks is implemented to detect debuggers before the main execution begins, rendering any debugging attempt futile by nullifying the malware’s main function. The paper presents a proof-of-concept in the form of a DLL injector, showcasing a stealthy persistence mechanism and anti-analysis measures. To further complicate analysis, Import Address Table (IAT) camouflage introduces whitelisted API noise, misleading defenders and evading static detection. While the current implementation is a minimal loader and persistence mechanism, the techniques outlined here provide a blueprint for more sophisticated operations by advanced threat actors. This paper aims to highlight a unique attack chain that could be utilized to essentially nullify modern defensive mechanisms.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"155195-155202"},"PeriodicalIF":3.6000,"publicationDate":"2025-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11146733","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/11146733/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

As adversaries refine their techniques to avoid detection, Advanced Persistent Threats (APTs) are increasingly exploring unconventional mechanisms to maintain stealth. This paper introduces a novel approach that leverages Digital Rights Management (DRM) as an anti-analysis shield to prevent reverse engineering and forensic investigation. By binding malware execution to a specific machine through DRM fingerprinting, sandbox, and virtual-machine analysis are effectively thwarted. To harden this mechanism, anti-debugging via Thread Local Storage (TLS) callbacks is implemented to detect debuggers before the main execution begins, rendering any debugging attempt futile by nullifying the malware’s main function. The paper presents a proof-of-concept in the form of a DLL injector, showcasing a stealthy persistence mechanism and anti-analysis measures. To further complicate analysis, Import Address Table (IAT) camouflage introduces whitelisted API noise, misleading defenders and evading static detection. While the current implementation is a minimal loader and persistence mechanism, the techniques outlined here provide a blueprint for more sophisticated operations by advanced threat actors. This paper aims to highlight a unique attack chain that could be utilized to essentially nullify modern defensive mechanisms.

查看原文本刊更多论文

一种利用DRM和TLS回调来规避恶意软件的威胁知情方法

随着对手不断改进他们的技术以避免被发现，高级持续威胁（apt）越来越多地探索非常规机制来保持隐身。本文介绍了一种利用数字版权管理（DRM）作为反分析屏障来防止逆向工程和法医调查的新方法。通过DRM指纹识别将恶意软件的执行绑定到特定的机器上，可以有效地阻止沙箱和虚拟机分析。为了加强这种机制，通过线程本地存储（TLS）回调实现反调试，以便在主执行开始之前检测调试器，通过使恶意软件的主要功能无效，使任何调试尝试都无效。本文以DLL注入器的形式提出了一个概念验证，展示了一个隐形的持久机制和反分析措施。导入地址表（IAT）伪装引入了白名单API噪声，误导防御者并逃避静态检测，使分析更加复杂。虽然目前的实现是一个最小的加载程序和持久机制，但这里概述的技术为高级威胁参与者进行更复杂的操作提供了蓝图。本文旨在强调一个独特的攻击链，可以用来从根本上消除现代防御机制。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Access COMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC

CiteScore

9.80

自引率

7.70%

发文量

6673

审稿时长

6 weeks

期刊介绍： IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest. IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on: Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals. Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering. Development of new or improved fabrication or manufacturing techniques. Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.