Forgotten ‘Heaven’s Gate’ technique abused by malwares

Malwares are still successfully using ‘Heaven’s Gate’ technique to bypass antivirus detection these days, although it was first detailed in hacker e-zine(online magazine) more than ten years before.

Cisco’s cybersecurity division Talos recently discovered recent malwares using ‘Heaven’s Gate’ technique to play the antivirus detection methodologies, and published a detailed report yesterday.

Researchers at Talos identified at least three malware campaigns which successfully infect user’s systems successfully evading antivirus detection using the ‘Heaven’s Gate’ technique, which consisted of various cryptocurrency mining trojans including HawkEye Reborn keylogger and the Remcos remote access trojan.

All of these malware campaigns included the malware loaded which at first infected the user’s systems, and then later downloaded the other main malwares to do the work. According to the Talos researchers, the malware loader which was infected first used the Heaven’s Gate technique to infect the system with other malwares without triggering antivirus’s attention.

Heaven’s Gate Technique? How it works

This technique was first detailed years back in the 2000s by an anonymous hacker and a member of the website run by the 29A coding group which was then abused frequently through the malware loaders.

The technique basically tricks the 64-bit systems. It was discovered by them that running a 32-bit application could trick 64-bit systems to execute 64-bit code while starting as a 32-bit process.

The technique majorly relies on running the code on native 64-bit system by jumping out of the WOW64 environment (a sub system on 64-it operating systems running 32-bit code). At that time, the antivirus and the operating systems both were incapable of detecting and blocking such jumps within a program.

Heaven’s Gate was put aside when Microsoft rolled out a security feature in Windows 10 named ‘Control Flow Guard’ which blocked such jumps from the WOW64 environment to the native 64-bit system.

The malware campaigns using this technique are undoubtedly targeting the older systems. Previously such malware campaigns also made Florida city pay a huge ransom which is why you shouldn’t be thinking twice before having an updated OS already installed.

Leave a Reply

Your email address will not be published. Required fields are marked *