Ten years later, malware authors are still abusing 'Heaven's Gate' technique

Mid-2000s antivirus evasion technique is still popular even today, more than a decade later.

Data-stealing malware returns upgraded with cryptominer and trojan Large parts of the Scranos operation were taken out in April - but it's already back and the criminals behind it seem more determined than ever, adding a trojan and a cryptojacker to their adware scheme.

More than ten years after it was first detailed in a hacker e-zine (online magazine), malware strains are still successfully using the "Heaven's Gate" technique to avoid antivirus detection, even today.

The most recent Heaven's Gate sighting was detailed in a report published yesterday by Cisco's cyber-security division Talos.

Talos researchers said they've spotted at least three malware distribution campaigns in which the malware which infected users' systems used the Heaven's Gate technique to run malicious code without triggering an antivirus detection.

The three campaigns were distributing the HawkEye Reborn keylogger, the Remcos remote access trojan (RAT), and various cryptocurrency mining trojans.

The piece in common in all three campaigns was a malware loader -- a malware strain that first infects systems, only to download a more dangerous and advanced malware strain at a later point. Talos said this new malware loader was abusing the Heaven's Gate technique to bypass antivirus engines and download and install the three more potent malware strains.

What is the Heaven's Gate technique?

The technique used by this malware loader is not new. It was first detailed in the mid-2000s on the website managed by the 29A virus coding group. The Heaven's Gate tutorial was written by an anonymous hacker going online as Roy G. Biv, a member of the 29A group. After the group disbanded and their e-zine's site went down, the Heaven's Gate technique was later reprinted in the 2009 edition of the Valhalla hacker e-zine.

The actual technique is a clever misdirection on Windows 64-bit systems. Biv discovered that 32-bit applications running on 64-bit systems could trick the operating system into executing 64-bit code, despite initially declaring themselves as 32-bit processes.

The trick -- as explained in write-ups by famous security researchers like Alex Ionescu and Marcus Hutchins [1, 2], but also others -- relies on jumping outside the WOW64 environment (a subsystem on 64-bit OSes for running 32-bit code) and running code on the native 64-bit system.

At the time, both antivirus software and OS security features were incapable of detecting a 32-bit process jumps from running 32-bit compatible code to 64-bit code.

While initially, the technique was somewhat advanced, it slowly made its way into a large number of commodity malware strains through the years. By the early 2010s, it was primarily being abused by a multitude of rootkits, but later spread to the Phenom trojan, the Pony infostealer, and the Vawtrack (NeverQuest), Scylex, Nymaim, Ursnif (Gozi), and TrickBot banking trojans.

The technique's popularity and usage in modern malware has somewhat subsided, mainly after Microsoft rolled out a security feature named Control Flow Guard in Windows 10, which effectively blocked the code jump from WOW64 32-bit execution to the native 64-bit code execution space.

Nevertheless, some malware authors are still using the technique, mainly to target legacy systems. Before Talos' report this week, the technique had been sighted last year, in 2018, by Malwarebytes, being abused by cryptocurrency miners, and by Sophos this year in the code of the highly dangerous Emotet trojan.

Any malware using the Heaven's Gate technique is effectively going after older systems, which shows once more why using a modern OS is always a good idea.

Related malware and cybercrime coverage: