Exposing the Unseen: Malware Hunting from the Dark Corners of Memory

Monnappa K A, an independent researcher, delivered a Tech Talk on "Exposing the Unseen: Malware Hunting from the Dark Corners of Memory, at VULNCON 2025. As the author of Learning Malware Analysis, and a former incident responder and threat hunter for major corporations like Microsoft and Cisco, he shared a powerful investigation technique known as memory forensics. In his talk, he explored how memory forensics is essential for uncovering malicious threats that traditional disk forensics often misses. He stressed that, as adversaries employ complex tactics like cyber espionage and sabotage, security professionals must understand how to investigate and respond to these attacks

What is Memory Forensics and Why is it Critical?

Memory forensics is an investigative technique that analyzes a computer's RAM (Random Access Memory) for forensic artifacts.

Why is this approach necessary?

1. Runtime State: A computer's memory contains the system's entire runtime state, including which applications are running, active network connections, loaded kernel drivers and DLLs, and which files or registry keys are being accessed.
2. File-less Malware: Sometimes, attackers do not write the malicious component to the hard disk at all; it exists only in the memory. In such cases (often called "in-memory malware"), file system analysis and disk forensics will not reveal the malicious component.

The speaker focused on memory analysis, noting that memory acquisition (acquiring the memory image of a suspected system) is the first general step, followed by analysis.

Volatility: The Advanced Forensic Framework

To analyze memory images effectively, specialized tools are required. The primary tool demonstrated throughout the session was Volatility, an advanced, plug-in-based memory forensic framework. Volatility allows investigators to extract digital artifacts and analyze memory images from 32-bit and 64-bit Windows, Linux, and Mac operating systems.

Monappa KA is a recognized expert in this domain, having won the Volatility plug-in contest in 2016 for developing a plug-in that detects anti-memory forensic tricks used by attackers to bypass memory forensics.

Case Study 1: The Simple Execution Chain (Keybase Malware)

The first demonstration showed the investigation of a system suspected of infection after a user opened an email attachment.

1. Process Identification: Using the PS list plug-in, the investigator identified a suspicious process: doc6.exe.
2. Attack Chain Mapping: The crucial step was running the PS tree plug-in, which revealed the parent-child relationships between processes. The chain was identified as: explorer.exe > outlook.exe > Excel.exe > command.exe > doc6.exe. The connection of Excel.exe launching command.exe (which then launched the suspect file) was a strong indicator of compromise, likely due to an exploit or malicious macro within the Excel sheet.
3. Command Line Arguments: To understand how command.exe the malware was launched, the command line plug-in was used, revealing that command.exe it had invoked PowerShell. PowerShell downloaded the malicious executable (doc6.exe) from a command and control (C2) domain and dropped it onto the hard disk before terminating itself.
4. Actionable Artifact: The investigator used memory forensics to dump the malicious executable (doc6.exe) from the memory to the hard disk, enabling further analysis (e.g., debugging, disassembly, or VirusTotal scan). This malware, identified as Keybase, was used in targeted attacks against some Indian organizations.

Case Study 2: Hunting the Malicious DLL (Sednit Group)

The second demo addressed malware used by the Russian actor group known as Sednit (or Dondel).

1. Initial Alert: The investigation began with an alert about a callback connection to a C2 IP address on port 80.
2. Network and Process Tracing: The Netscan plug-in confirmed the closed connection. To link the network connection to a process, the investigator ran the Yarascan plug-in, scanning for the C2 IP address pattern across all process memory. This pinpointed the reference to the malicious IP address inside the memory of rundl32.exe.
3. DLL Investigation: Because rundl32.exe it is a legitimate Windows binary often used to load DLLs, the DLLS plug-in was used to examine what it had loaded. The analysis rundl32.exe was explicitly made to load a malicious DLL (often running from a non-standard directory).
4. Artifact Extraction: The malicious DLL was extracted from memory using the DL dump plug-in. Subsequent analysis confirmed it was malicious, with vendors detecting it as Sednit.

Case Study 3: Advanced Persistence, Mutexes, and Code Injection (Dark Comet RAT)

The final demonstration showed the investigation of a system infected with Dark Comet RAT.

1. Suspicious Activity: An active connection was found to a C2 domain on a non-standard port (1604) made by the process winlogon.exe (process ID 1516).
2. Process Path Verification: Since winlogon.exe it is a legitimate process, the investigator checked the path. While the legitimate instance (process ID 460) ran from the standard path (C:\Windows\system32), the malicious instance (process ID 1516) ran from the non-standard path (C:\system32), confirming it was a malicious binary.
3. Persistence Mechanism: The legitimate winlogon.exe was found to have started the malicious one. This is typically done via registry persistence. By dumping the registry hives from memory, the investigator found that the malicious binary had been added to the Userinit value under the Winlogon registry key. This technique is used to force the legitimate win log on.exe process to launch the malicious process upon user authentication.
4. Synchronization and Mutexes: The investigator also hunted for artifacts used by the malware for synchronization. By filtering the process handles for Mutant objects (Mutexes) using the handles plug-in, a suspicious Mutex named "dc" (standing for Dark Comet) was identified. This name acts as a strong, unique indicator for hunting other infections across the environment.
5. Code Injection: The Dark Comet malware was also observed opening a handle to the legitimate explorer.exe. Scanning the memory of explorer.exe revealed an executable loaded with the memory protection setting PAGE_EXECUTE_READWRITE. This is an abnormal state for a normally loaded binary, indicating that code was injected. The injected component was then dumped using the V dump plug-in and confirmed to be malicious.
6. The Threat of Code Injection and API Hooking: The core motivation behind code injection is to force a legitimate process to execute malicious activity.

The talk concluded by briefly covering API Hooking, demonstrated using the Zissbot malware. Attackers can inject code and then redirect legitimate API function calls (e.g., HTTP Send Request) to a malicious function within the injected code. This allows the malware to alter the legitimate process's functionality, such as stealing credentials before they are sent to a banking website.

In summary, memory forensics provides a vital lens into the execution process, enabling investigators to expose the techniques used by adversaries—whether they employ executables, DLLs, advanced persistence through the registry, or file-less in-memory code injection.