Threat Report: What is the Denis Malware and How Does it Work?

Denis is a Windows backdoor and Trojan used by the threat group APT32. Denis is believed to be associated with the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor. Denis affects the Windows operating system and has been known to evade detection by security tools.

Denis uses the `IsDebuggerPresent`, `OutputDebugString`, and `SetLastError` APIs to avoid debugging. Denis uses `GetProcAddress` and `LoadLibrary` to dynamically resolve APIs. Denis also uses the `Wow64SetThreadContext` API as part of process hollowing. Denis employs various techniques to obfuscate its code and encrypt its payload.

Denis also uses Base64 encoding to encode its data. Denis has several commands to search for files on the victim's machine. Denis also collects OS information and the computer name. Denis communicates via DNS for C2 purposes.

Denis Malware Capabilities:

Denis may interact with native OS APIs to execute behaviors, hide configuration information in the Windows Registry, compress or encrypt data, delete files, side-load DLLs, or make files difficult to discover or analyze. Denis may also gather network configuration information, encode data, or hijack the way operating systems run programs.

  • Denis may interact with the native OS application programming interface to execute behaviors. This may include hiding configuration information within Registry keys, removing information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Additionally, Denis may compress or encrypt collected data prior to exfiltration using third-party libraries.
  • Denis may delete files left behind by its intrusion activity in order to minimize its footprint. It may also execute its own malicious payloads by side-loading DLLs. Additionally, it may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents.
  • Denis may use various techniques to gather information about the systems it accesses, including network configuration and settings. It may also encode data with a standard data encoding system to make it more difficult to detect. Additionally, Denis may execute its own malicious payloads by hijacking the way operating systems run programs.
  • Denis may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. It may use this information to determine how best to infect the target and what specific actions to take. Denis may also interact with the Windows Registry to gather information about the system, configuration, and installed software. To hide its tracks, Denis may use obfuscated files or information that require special decoding or deobfuscation in order to be read.
  • Denis may attempt to transfer tools or files from an external system into a compromised environment in order to evade process-based defenses. Additionally, Denis may inject malicious code into suspended and hollowed processes in order to evade detection. Window listings collected by Denis could give context to information collected by a keylogger, providing valuable insights into how the system is used.
  • Denis may attempt to gain access to a system by abusing the Windows command shell or PowerShell. Additionally, Denis may enumerate files and directories or search for specific information within a file system in order to shape follow-on behaviors.
  • Denis may attempt to evade detection through virtualization and sandbox environment checks, as well as by identifying the primary user of a system. Additionally, Denis may communicate using the Domain Name System in order to blend in with existing traffic.

Ways to Mitigate Denis Malware Capabilities

  • Denis malware attacks can be mitigated in several ways. One is to monitor API calls and correlate them with other events to determine whether they are malicious. Another is to monitor for modifications to the Registry, including new entries or changes to existing ones. Finally, monitoring processes for access to archival libraries may also yield clues about potential malware activity.
  • The best way to mitigate Denis is to monitor process activity and track changes in DLL metadata. It may also be possible to detect the malicious activity that produced an obfuscated file.
  • Denis can be mitigated by analyzing network data for uncommon data flows, by monitoring file systems for moving, renaming, replacing, or modifying DLLs, and by monitoring for modifications to or creation of .manifest and .local redirection files.
  • Denis can be mitigated by system and network discovery techniques. Data and events should be viewed as part of a chain of behavior that could lead to other activities. Deobfuscating or decoding files or information may be difficult to detect. Process and command-line monitoring can help to detect malicious behavior.
  • The Denis malware attack can be mitigated by monitoring file creation and files transferred into the network, and by watching for unusual processes with external network connections that create files on-system. Additionally, Windows API calls indicative of code injection should be monitored. System and network discovery techniques can help identify potential malicious activity.
  • The Denis malware attack can be mitigated by restricting the usage of the Windows command shell, capturing scripts from the file system, and setting the proper execution policy. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. System and network discovery techniques should be used to identify potential malicious activity.
  • System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Analyzing network data for uncommon data flows and packet contents to detect application layer protocols that do not follow the expected protocol standards can help to detect these types of attacks.
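
As an added illustration of analyzing DNS data for uncommon data flows (this is not code from the report or from any vendor), the Python sketch below flags clients that send many distinct long, high-entropy, Base64-like labels under one parent domain. The log format, the sample lines, the thresholds and the two-label parent-domain rule are all assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log ("<time> <client> <qname> <qtype>"); not real telemetry.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com A
2024-05-01T10:00:02 10.0.0.5 static-static-static-static-cdn.example.com A
2024-05-01T10:00:03 10.0.0.9 a1b2c3d4e5f6a7b8c9d0e1f2a3b4.cdn.example.net A
2024-05-01T10:00:04 10.0.0.7 Q29tcHV0ZXJOYW1lPVdTMDE3O09TPVdpbjEw.t1.tunnel.invalid TXT
2024-05-01T10:00:05 10.0.0.7 dXNlcj1qZG9lO2RvbWFpbj1DT1JQO2FyY2g9eDY0.t1.tunnel.invalid TXT
2024-05-01T10:00:06 10.0.0.7 c2FtcGxlLWJlYWNvbi1wYXlsb2FkLTAwMDM.t1.tunnel.invalid TXT
"""

B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # standard and URL-safe Base64 alphabets
MIN_LABEL_LEN = 24   # assumed threshold: ordinary host labels are much shorter
MIN_ENTROPY = 3.5    # assumed threshold, in bits per character
MIN_UNIQUE = 3       # assumed: distinct encoded names per client and parent domain

def shannon_entropy(text):
    """Shannon entropy of the characters in text, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def looks_encoded(label):
    """True for a long, Base64-alphabet label whose characters are near-random."""
    return (len(label) >= MIN_LABEL_LEN
            and B64_LABEL.match(label) is not None
            and shannon_entropy(label) >= MIN_ENTROPY)

def find_dns_tunnel_candidates(log_text):
    """Map (client, parent domain) to its count of distinct encoded-looking names."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, _ = fields
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Simplification: treat the last two labels as the parent domain
        # (a production rule would consult the public suffix list).
        base = ".".join(labels[-2:]).lower()
        if any(looks_encoded(label) for label in labels[:-2]):
            seen[(client, base)].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= MIN_UNIQUE}

if __name__ == "__main__":
    print(find_dns_tunnel_candidates(SAMPLE_LOG))
```

The single hashed CDN hostname passes the per-label test but is not reported, because only repeated distinct encoded names from one client to one parent domain cross the reporting threshold.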

Reactionary Times News Desk
