Monday, March 4, 2024

Using n1n3 to Simulate an Evasive Fileless Malware – Proof Of Concept

Fileless malware are types of malicious code used in cyber attacks that don’t use files to launch the attack and carry on the infection on the affected device or network.

The infection is run in the RAM memory of the device, so traditional antivirus and antimalware solutions can’t detect it at all.

Malicious hackers use fileless malware to achieve stealth, privilege escalation, to gather sensitive information and achieve persistence in the system, so the malware infection can continue to carry on its effect for a longer period of time.

Creating Obstacles To Forensics

Malware Researcher’s Published a Researcher paper Under Proof of Concepts(PoC) in EForensics Magazine, Infection attack is very simple: the request made by the victim’s machine goes through a channel in which there is an attacker’s proxy that will capture the requests made by the target machine. For example, assuming that the victim visits a website that contains n1n3 (here disguised as an image for the WhatsApp application).

                                                          The attack scenario

How does it work?

Once downloaded, the n1n3 will run on the target machine, releasing the doors of this machine for data capture.Once its role in the victim machine is completed, the n1n3 self-destructs. The attack is the drive-by-download type and the appeal is the availability of images to the messaging application.

Attacks of this nature are common and are made daily in search of an unsuspecting user. The victim views a website with an image that it downloads (one n1n3 container is the image). The n1n3 runs and connects to the proxy and the attacker exploits the victim machine.

In our scenario, the proxy server was set to be the intermediary between the victim and the

The proxy scenario simulating a server of the attacker already configured on the victim machine, starting this moment all shipping this victim will pass the attacker’s server, and this full facility to collect the most relevant information, the passwords banks, email, and social networks, but also can make connections and kidnap a victim using this machine to make more complex attacks.

The attacker’s proxy is configured with packet capture tools (like sniffers), causing all traffic to be diverted so it can be captured .

                                                  Proxy simulation

The structure of n1n3.exe is a small malicious artifact with size 182kb in a binary file. Once running on the victim machine its size becomes little more than being 184kb .

We can clearly see in the figure below that n1n3 is presented under a Whatsapp icon, forcing an attractive social engineering to the careless user.

                                            1.  Structure of n1n3.exe

Below image shows ,Your script has instructions for variants that directly affect the registry W10, disabling vital registry system functions, such as the firewall, changing the port connection and the Defender’s defense properties and changing important key features of the system

                                    2.  The structure of n1n3.exe

The features that the script n1n3 has shown below: access to important libraries like USER32.dll and LoadLibraryAGetProcAddress is evidence that malware needs these libraries to work.

“Another important function of n1n3 is to operate at the level of Kernel32, calling procedures in free memory (VirtualFree) and allocation (VirtualAlloc), respectively, at the addresses 0x00410F50 and 0x00410F4C, both at the operating level of the Kernel.”

                           3.  The library’s requisition of n1n3.exe

Up to this point of the research, we can identify the address where n1n3.exe begins the execution on the victim machine at the address 0x0040F390

                          4.  Start pointer address of n1n3.exe

The Sysinternals can detect the process n1n3.exe, in this case, the PID is 3320. But then the process disappears as if it had been finished. Initially, the PID 3320 appears in green, then marked in red.

Researcher’s said “This is the forensic challenge of our research. The processes marked in a green color are processes that starton the machine. When it is marked in a red color this means that the process (jobs and handles) has finished, but n1n3 is still in an operating state.”

                       5.   The “Narnia realm” of n1n3 malware

Evidence of malicious artifacts

As if we are archaeologists looking for evidence of malicious artifacts on the victim machine basically using Sysinternals as an ally in this quest, we chose a dynamic analysis and run the n1n3 the second time, now with PID 2688.

What did we find?

First of all, the distribution of the n1n3 memory requests shows that the area destined for the own memory heap 1488k with a stack of 3072K against a paging table with only 336k. This shows us that the n1n3 has an interesting fragmentation.

                                      6.    In the depths of HD

Despite the process being identified as finalized, it is observed that the file’s timeline shows that it is possible to identify the mapped the n1n3.exe files with a high fragmentation distributed in various ways of the W10 system.

                                      7.  Mapped file of n1n3.exe

The offsets of ntdll.dll libraries point to the addresses 0x5008d 0x72e50 (Figure 13). All other offsets point to the location of the file on the C drive in the “Users” folder where the careless user installed n1n3.

This feature of Sysinternals, called Call Tree, is extremely important when we are looking for evidence that the malicious artifact is still running in the background and was not finalized. An inattentive user could interpret this signal as if the file was inactive in the system.

                               8.  Offsets and ntdll.dll libraries

Some other evidence that n1n3 is still in the system and making requests even with low intensity of use of themachine memory may be observed in the figures below.

The malicious file is still requesting the rpcrt4.dll services at 0x4036a1 address with the clear intention of causing collateral fault system (known vulnerability and released for part of Windows systems [6]).

The implementation of n1n3 listed on Heap area is 0x405ef7 for addressing, but its location is 0x5ef7 and 0x4036a1 .

                             9. Heap Allocations for ntdll.dll

Researcher’s said , Finally, considering that we still have ongoing research, our next goal will be to explore the n1n3 by adding more code elements in the script becoming more evasive to the point of fragmentation and can apply “ Fileless Malware ” name.


Malicious code created in the laboratory solely for research purposes. The last stage of the research will be the defenses proposition, based on the Windows platform.

Original Author’s & Credits :

  •     PEREIRA, Paulo Henrique – Researcher at the University Nove de Julho
  •     BORBOLLA, Renato Basante Security and Computer Forensics consultant
  •     FERREIRA, Thiago Geronimo – Security and Computer Forensics consultant
  •     VIEIRA, Rubens Louro –  Researcher –information security


[4]. MUGGAH, R. and THOMPSON, N. Brazil’s Cybercrime Problem. Foreign Affairs. In:

Also Read :


Latest articles

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles