Description
Adversaries may obfuscate and then dynamically resolve the API functions called by their malware in order to conceal malicious functionality and impair defensive analysis. Malware commonly relies on Native API functions provided by the OS to perform tasks involving processes, files, and other system artifacts.
API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)
To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.
Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)
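As an added illustration, not part of the ATT&CK page or any cited report, the following Python builds the analyst-side counterpart of the hashing described above: a precomputed hash table over known export names, so that hash constants recovered from a sample can be mapped back to API names during static analysis. DJB2 is assumed as the hash family, the seed is a parameter because the variants named on this page differ in their starting value, and the export names and hash constants are constructed for the example.

```python
# Added example (not MITRE ATT&CK code): reverse-lookup table for API-name hashes.
# Assumptions: classic DJB2 (hash * 33 + c, 32-bit), seed as a parameter;
# the export names and the "recovered" constants below are constructed.
from typing import Dict, Iterable, Optional, Sequence, Tuple


def djb2(name: str, seed: int = 5381) -> int:
    """Classic DJB2 over the ASCII bytes of an export name, truncated to 32 bits."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def build_lookup(api_names: Iterable[str], seed: int = 5381) -> Dict[int, str]:
    """Precompute hash -> name for every export an analyst expects to see."""
    return {djb2(n, seed): n for n in api_names}


def resolve_hashes(
    constants: Sequence[int], api_names: Sequence[str], seeds: Sequence[int] = (5381,)
) -> Dict[int, Optional[Tuple[str, int]]]:
    """Map each recovered constant to (name, seed) via the first seed that matches,
    or None when no known export hashes to it (candidate for a custom algorithm)."""
    tables = {s: build_lookup(api_names, s) for s in seeds}
    resolved: Dict[int, Optional[Tuple[str, int]]] = {}
    for c in constants:
        resolved[c] = None
        for s, table in tables.items():
            if c in table:
                resolved[c] = (table[c], s)
                break
    return resolved


if __name__ == "__main__":
    # Constructed export list; in practice this is pulled from the export tables
    # of the DLLs the sample is expected to load.
    known = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"]
    # Constructed "recovered" constants: two hashed with the default seed,
    # one with a custom seed, and one that matches nothing.
    recovered = [djb2("LoadLibraryA"), djb2("VirtualAlloc", 131313), 0xDEADBEEF]
    for const, hit in resolve_hashes(recovered, known, seeds=(5381, 131313)).items():
        print(f"0x{const:08x} -> {hit if hit else 'unresolved'}")
```

Unresolved constants are the useful signal: they point at a modified algorithm or an export list the table does not yet cover.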
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged obfuscated Windows API function calls that were concealed as unique names, or has... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has leveraged dynamic API resolution using custom hashing techniques.(Citation: Gen Digital Kimsuky H... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT Janua... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S1232 | SplatDropper | Malware | [SplatDropper](https://attack.mitre.org/software/S1232) has leveraged hashed Windows API calls using a seed value of "131313".(Citation: Zscaler PAKLO... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has utilized a modified DJB2 algorithm to resolve APIs.(Citation: Zscaler) |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can resolve Windows APIs dynamically by hash.(Citation: Latrodectus APR 2024) |
| S1237 | CANONSTAGER | Malware | [CANONSTAGER](https://attack.mitre.org/software/S1237) has utilized custom API hashing to obfuscate the Windows APIs being used.(Citation: Google Thre... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can hash then resolve API calls at runtime.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group... |
| S9036 | LP-Notes | Malware | [LP-Notes](https://attack.mitre.org/software/S9036) has dynamically resolved API functions during the C runtime startup.(Citation: ESET_MuddyWater_Dec... |
| S9007 | HTTPTroy | Malware | [HTTPTroy](https://attack.mitre.org/software/S9007) has utilized dynamic API resolution by reconstructing API calls during runtime using combinations ... |
| S9023 | HiddenFace | Malware | [HiddenFace](https://attack.mitre.org/software/S9023) can dynamically resolve Windows APIs.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Eart... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can use a hashing algorithm to dynamically resolve API function addresses.(Citation: Kaspersky LOD... |
| S1053 | AvosLocker | Malware | [AvosLocker](https://attack.mitre.org/software/S1053) has used obfuscated API calls that are retrieved by their checksums.(Citation: Malwarebytes Avos... |
| S1148 | Raccoon Stealer | Malware | [Raccoon Stealer](https://attack.mitre.org/software/S1148) dynamically links key WinApi functions during execution.(Citation: Sekoia Raccoon1 2022)(Ci... |
| S0147 | Pteranodon | Malware | [Pteranodon](https://attack.mitre.org/software/S0147) can use a dynamic Windows hashing algorithm to map API components.(Citation: Microsoft Actinium ... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) can call and dynamically resolve hashed APIs.(Citation: Palo Alto Brute Ratel July 2022) |
| S1099 | Samurai | Malware | [Samurai](https://attack.mitre.org/software/S1099) can encrypt API name strings with an XOR-based algorithm.(Citation: Kaspersky ToddyCat June 2022) |
| S1236 | CLAIMLOADER | Malware | [CLAIMLOADER](https://attack.mitre.org/software/S1236) has utilized XOR-encrypted API names and native APIs of `LdrLoadDll()` and `LderGetProcedureAdd... |
References
- Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
- Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
- drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.
- spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.
Frequently Asked Questions
What is T1027.007 (Dynamic API Resolution)?
T1027.007 is a MITRE ATT&CK technique named 'Dynamic API Resolution'. It belongs to the Stealth tactic(s). Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Nat...
How can T1027.007 be detected?
Detection of T1027.007 (Dynamic API Resolution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.007?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1027.007?
Known threat groups using T1027.007 include: Mustang Panda, Kimsuky, Lazarus Group.