Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware

btarunr · Sep 1, 2021

Cybercriminals have innovated a way to store malware code inside GPU dedicated memory (video memory), and execute code directly from there. Execution from video memory may not be new, but they've mostly been confined to the academic space, and unrefined. This would be the first time a proof-of-concept of a working tool that injects executables to video memory, surfaced on a hacker forum.

The tool relies on OpenCL 2.0, and its developers claim to have successfully tested it on Intel Gen9, AMD RDNA, NVIDIA Kepler, and NVIDIA Turing graphics architectures (i.e. UHD 620, UHD 630, Radeon RX 5700, GeForce GTX 740M, and GTX 1650). What makes this ingenious is that the malware binary is stored entirely in GPU memory address-space and is executed by the GPU, rather than the CPUs. Conventional anti-malware software are only known to scan the system memory, disks, and network traffic for malware; but not video memory. Hopefully this will change.

View at TechPowerUp Main Site

Deleted member 24505 · Sep 1, 2021

The hackers might be twots, but no denying they are clever.

ZoneDymo · Sep 1, 2021

henceforth nothing made to this day will meet the requirements of windows 11, cannot be too careful !!

Metroid · Sep 1, 2021

Directstorage is coming and that will make easier for this hack to work.

Kelutrel · Sep 1, 2021

Any microchip can be a malware if you are brave enough...

freeagent · Sep 1, 2021

How do windows 11 users fare?

P4-630 · Sep 1, 2021

freeagent said:
How do windows 11 users fare?

I was reading somewhere they could store and execute malware from TPM....

lexluthermiester · Sep 1, 2021

btarunr said:
Cybercriminals have innovated a way to store malware code inside GPU dedicated memory (video memory), and execute code directly from there.

I've wondered if that would work for decades, guess we have an answer now. THIS will piss a few people off!

Gruffalo.Soldier said:
The hackers might be twots, but no denying they are clever.

True!

P4-630 said:
I was reading somewhere they could store and execute malware from TPM....

Yuppers. It takes some doing but can be done. This is also why TPM is useless outside of a certain usage context and why microsoft requiring it for Windows 11 is as pointless as it is transparent.

zlobby · Sep 1, 2021

I'm pretty sure some guys in some govt agencies are now swearing profoundly because someone was lame enough to reveal this lucrative hax.

MentalAcetylide · Sep 1, 2021

Proof-of-concept has been known for years, but there really wasn't much need for it given the simpler alternatives available.

lexluthermiester said:
I've wondered if that would work for decades, guess we have an answer now. THIS will piss a few people off!

Eventually we're all going to be using AV programs running mirrors of our system on virtual machines because sometimes the only way to detect this stuff is by identification through its behavior(dynamic analysis).

Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.

R-T-B · Sep 1, 2021

P4-630 said:
I was reading somewhere they could store and execute malware from TPM....

First I've heard of it. Malware can use the TPM to store keys away from the user, but it can't run from it.

zlobby · Sep 1, 2021

Even NIC's have some sort of firmware and write-enabled memory.

Usually all firmware have some interface for writing things in its memory. Also, usually vendors rely on non-documented interfaces or ones that are under NDA with the OEM/ODM, i.e. bad for us.

There are so many places to hide malware or exploit freely writeable memory that I get the hibbidyjibbies just thinking about it.

MentalAcetylide said:
Proof-of-concept has been known for years, but there really wasn't much need for it given the simpler alternatives available.

Eventually we're all going to be using AV programs running mirrors of our system on virtual machines because sometimes the only way to detect this stuff is by identification through its behavior(dynamic analysis).

Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.

Complete virtualization and isolation, in combination with dynamic root of trust can solve 99% (or maybe around 95%?) of all problems.

It's not yet implemented because it is expensive and has a significant performance hit. Also, very few SOHO users demand it. Enterprises already run almost everything on some form of (somewhat) secure virtualization platform.

Tartaros · Sep 1, 2021

MentalAcetylide said:
Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.

Forget about that, that's were everyone get their security operators/advisors/hackers for their own interests. It's the same as demilitarizing, should be the common goal, no ones does because of what others might do.

zlobby · Sep 1, 2021

MentalAcetylide said:
Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.

And what if it's the countries themselves?

MentalAcetylide · Sep 1, 2021

zlobby said:
And what if it's the countries themselves?

We set them adrift with fierce rebukes and nukes.

zlobby · Sep 1, 2021

MentalAcetylide said:
We set them adrift with fierce rebukes and nukes.

Ah, if only... Sorry, I ran out of nukes.

MentalAcetylide · Sep 2, 2021

zlobby said:
Ah, if only... Sorry, I ran out of nukes.

Sheesh, nobody here lives in Sherwood Forrest? :mad:

You can at least buy some uranium glassware. Just be sure to aim for the brain bucket!

InhaleOblivion · Sep 2, 2021

Takes buying an open box or used GPU to a whole different level. :laugh:

System Name	RBMK-1000
Processor	AMD Ryzen 7 5700G
Motherboard	Gigabyte B550 AORUS Elite V2
Cooling	DeepCool Gammax L240 V2
Memory	2x 16GB DDR4-3200
Video Card(s)	Galax RTX 4070 Ti EX
Storage	Samsung 990 1TB
Display(s)	BenQ 1440p 60 Hz 27-inch
Case	Corsair Carbide 100R
Audio Device(s)	ASUS SupremeFX S1220A
Power Supply	Cooler Master MWE Gold 650W
Mouse	ASUS ROG Strix Impact
Keyboard	Gamdias Hermes E2
Software	Windows 11 Pro

System Name	Cyberline
Processor	Intel Core i7 2600k -> 12600k
Motherboard	Asus P8P67 LE Rev 3.0 -> Gigabyte Z690 Auros Elite DDR4
Cooling	Tuniq Tower 120 -> Custom Watercoolingloop
Memory	Corsair (4x2) 8gb 1600mhz -> Crucial (8x2) 16gb 3600mhz
Video Card(s)	AMD RX480 -> RX7800XT
Storage	Samsung 750 Evo 250gb SSD + WD 1tb x 2 + WD 2tb -> 2tb MVMe SSD
Display(s)	Philips 32inch LPF5605H (television) -> Dell S3220DGF
Case	antec 600 -> Thermaltake Tenor HTCP case
Audio Device(s)	Focusrite 2i4 (USB)
Power Supply	Seasonic 620watt 80+ Platinum
Mouse	Elecom EX-G
Keyboard	Rapoo V700
Software	Windows 10 Pro 64bit

System Name	KAAN
Processor	AMD 5950X B2
Motherboard	Asus Crosshair VIII Formula
Cooling	ARCTIC Liquid Freezer II 280
Memory	G.SKILL 4000C16 @3666C14 - 4x16GB - Samsung B-Die
Video Card(s)	MSI GeForce RTX 3080 SUPRIM X 10G
Storage	Kingston KC3000 2TB
Display(s)	ASUS ROG Swift PG279Q 27"
Case	Phanteks ECLIPSE P600s
Audio Device(s)	Audeze Mobius
Power Supply	Corsair HX750i
Mouse	Logitech G604 LIGHTSPEED
Keyboard	Logitech G815
Software	Windows 11 (VBS)

Processor	AMD R9 9900X @ booost
Motherboard	Asus Strix X670E-F
Cooling	Thermalright Phantom Spirit 120 EVO, 2x T30
Memory	2x 16GB Lexar Ares @ 6400 28-36-36-68 1.55v
Video Card(s)	Zotac 4070 Ti Trinity OC @ 3045/1500
Storage	WD SN850 1TB, SN850X 2TB, 2x SN770 1TB
Display(s)	LG 50UP7100
Case	Asus ProArt PA602
Audio Device(s)	JBL Bar 700
Power Supply	Seasonic Vertex GX-1000, Monster HDP1800
Mouse	Logitech G502 Hero
Keyboard	Logitech G213
VR HMD	Oculus 3
Software	Yes
Benchmark Scores	Yes

System Name	AlderLake
Processor	Intel i7 12700K P-Cores @ 5Ghz
Motherboard	Gigabyte Z690 Aorus Master
Cooling	Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory	32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s)	MSI RTX 2070 Super Gaming X Trio
Storage	Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s)	23.8" Dell S2417DG 165Hz G-Sync 1440p
Case	Be quiet! Silent Base 600 - Window
Audio Device(s)	Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply	Seasonic Focus Plus Gold 750W
Mouse	Logitech MX Anywhere 2 Laser wireless
Keyboard	RAPOO E9270P Black 5GHz wireless
Software	Windows 11
Benchmark Scores	Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock

Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware

btarunr

Editor & Senior Moderator

Deleted member 24505

Guest

ZoneDymo

Metroid

Kelutrel

freeagent

Moderator

P4-630

lexluthermiester

zlobby

MentalAcetylide

R-T-B

zlobby

Tartaros

zlobby

MentalAcetylide

zlobby

MentalAcetylide

InhaleOblivion

System Name	Pioneer
Processor	Ryzen 9 9950X
Motherboard	MSI MAG X670E Tomahawk Wifi
Cooling	Noctua NH-D15 + A whole lotta Sunon, Phanteks and Corsair Maglev blower fans...
Memory	128GB (4x 32GB) G.Skill Flare X5 @ DDR5-4200(Running 1:1:1 w/FCLK)
Video Card(s)	XFX RX 7900 XTX Speedster Merc 310
Storage	Intel 5800X Optane 800GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs, 1x 2TB Seagate Exos 3.5"
Display(s)	55" LG 55" B9 OLED 4K Display
Case	Thermaltake Core X31
Audio Device(s)	TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply	FSP Hydro Ti Pro 850W
Mouse	Logitech G305 Lightspeed Wireless
Keyboard	WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software	Gentoo Linux x64, other office machines run Windows 11 Enterprise

System Name	Rectangulote 2
Processor	Ryzen 7 9800X3D
Motherboard	Asus TUF Gaming B650-PLUS
Cooling	Alphacool Eisbaer Pro Aurora 360 + 240 ST30
Memory	64 GB DDR5 6000mhz Corsair Vengeance
Video Card(s)	Asus TUF Gaming RTX 4090 OC
Storage	3 x WD Black SN-850X 1TB
Display(s)	2 x Asus ROG Swift PG278QR / LG C4
Case	Corsair 5000D Airflow
Audio Device(s)	Evga Nu Audio + Beyerdynamic DT 150 + Trust GTX 258
Power Supply	Corsair RMX1000
Mouse	Razer Naga Wireless Pro
Keyboard	Keychron K4
Software	Windows 11 Pro

System Name	Mass Effect/Lost Ark
Processor	AMD Ryzen 5 5600X/AMD Ryzen 7 2700X
Motherboard	Asus ROG Strix X470-F Gaming/Asus ROG Strix B450-F Gaming II
Cooling	Noctua NH-D15S/AMD Wraith Max
Memory	G.Skill Ripjaws V Series 16GB (2x8GB) DDR4-3200/Corsair Vengeance RGB Pro 16GB (2x8GB) DDR4-3200
Video Card(s)	MSI AMD Radeon RX 6750 XT Mech 2x/MSI AMD Radeon RX 5700 XT Mech OC
Storage	Samsung 860 Evo 500GB 2.5" SSDs x2, WD Black 4TB 3.5" 7200RPM, Samsung 970 EVO 500GB 1TB NVME M.2
Display(s)	Acer XF270H 1920x1080p @ 144Hz
Case	Thermaltake Core P3 TG ATX Mid Tower/CoolerMaster MasterCase Pro 5
Audio Device(s)	SteelSeries Actis Nova 3 RGB
Power Supply	Cooler Master V850 80+ Gold/Corsair CX650M 80+ Bronze
Mouse	Thermaltake Level 10 M/Logitech G502
Keyboard	Corsair K70 RGB MK.2 Wired Gaming Edition/Steelseries Apex 3 RGB
Software	Windows 10 Pro OEM 64bit/Ubuntu 22.04.1 64bit