Created on Wednesday 13 December 2023. Updated 7 months, 1 week ago.

FuncIn is a payload-staging strategy in which the full set of malicious functionality is not contained in the malware file itself, nor in any third-party file or network location (e.g., a web server). Instead, each functionality is transmitted over the network by the Command and Control (C2) server only when it is required.

This approach addresses three primary issues in malware development. Firstly, it reduces the size of the malware, since most functionality is not embedded in the binary. Functioning as a network loader, the malware can be very compact (often just a few kilobytes). Secondly, it complicates malware analysis and detection. Because most of the malicious functionality is physically absent from the malware and its immediate dependencies, reverse engineering and detection become harder. For instance, if the C2 expects specific conditions to be met before transmitting the rest of the payload (e.g., geographic location, system requirements, particular user or host behaviour and properties), analysis remains incomplete until the full payload has been downloaded. Lastly, it eases maintenance. With the majority of the code residing on the C2 side, malicious actors do not need to update the remote loader, only the shellcodes (functionalities) stored on the C2 and transmitted when needed.

One notable example of malware leveraging the FuncIn technique is PoisonIvy RAT, a well-known Remote Access Trojan. Despite its compact size, typically less than 8 kilobytes, PoisonIvy RAT offered the wide range of functions expected from a RAT, including webcam capture, screen capture, password enumeration, system management, and file management.

The author of PoisonIvy RAT employed an approach of using precompiled pieces of code (shellcodes). However, with the advent of more modern tools, it is now easily feasible to compile the shellcodes just in time (JIT) before sending them to the loader. This JIT compilation enhances the adaptability and sophistication of the malware, allowing it to dynamically adjust its functionalities based on specific criteria.

Unlike the classic position-independent code (PIC) shellcodes commonly used in binary exploitation, FuncIn shellcode does not rely on library-loading or API-hashing mechanisms within the shellcode itself (at least, it does not need to, except for additional evasion mechanisms). Instead, these tasks are delegated to the loader, which transmits the essential information to the Command and Control (C2) server so that the shellcode can be JIT-compiled or patched there.

An alternative to the FuncIn technique is loading malware functionality through extra DLL files that are reflectively loaded, so they are never written to disk and leave minimal physical evidence. This approach relies on DLLs rather than shellcode and offers several advantages: in addition to supporting any high-level programming language for coding extra features, using DLLs makes the malware's capabilities easier to maintain and extend.

However, it's important to note that while relying on DLLs provides advantages in terms of ease of maintenance, extensibility, and language support, it may be less optimised and stealthy compared to the approach of utilising small, fully controlled pieces of code that the malware author has mastered. The choice between these techniques often involves trade-offs, considering factors such as the specific goals of the malware, the targeted systems, and the overall strategy of the threat actor.

Attached to this description, you will find a complete project showcasing the FuncIn evasion technique, implemented with the help of the Keystone Engine. This project is intended to grow, incorporating additional examples in various programming languages. Since the majority of the functionality resides in the shellcode, the choice of programming language for the loader is not very restrictive. Note that the loader is typically compact and straightforward, tasked only with loading and executing pieces of code within its own process space.
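The defensive consequence of the description above is that a FuncIn loader carries almost nothing worth matching statically, but it must still exhibit a fixed runtime chain: receive bytes from its C2, place them in executable memory, and execute them inside its own process. The following correlation rule, an added example that is not part of the Unprotect page or of the attached Keystone project, flags small processes that show that ordered chain within a short window. The event schema (`net_recv`, `alloc_exec`, `thread_create`, `image_size`), the sample telemetry, and the size and time thresholds are all constructed assumptions for illustration, not fields or tuned values from any real EDR product.

```python
"""Correlate constructed process telemetry to spot in-process payload staging.

Example code added alongside the Unprotect FuncIn description; the event vocabulary
and the thresholds below are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since some epoch (assumed field)
    pid: int
    image_size: int    # on-disk size of the process image, bytes (assumed field)
    kind: str          # "net_recv" | "alloc_exec" | "thread_create" (assumed vocabulary)
    detail: str        # free-text context, not used by the rule


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS: List[Event] = [
    # pid 4242: a ~6 KB image reads from the network, maps executable memory and
    # starts a thread in itself -- the in-process staging a FuncIn loader needs.
    Event(100.0, 4242, 6_144, "net_recv", "203.0.113.10:443 -> 1,920 bytes"),
    Event(100.4, 4242, 6_144, "alloc_exec", "0x1f0000 RWX 4096 bytes"),
    Event(100.6, 4242, 6_144, "thread_create", "start=0x1f0000 (inside RWX region)"),
    # pid 1337: a large application that also downloads data and JIT-compiles;
    # the image-size bound excludes it from this rule.
    Event(101.0, 1337, 98_000_000, "net_recv", "198.51.100.7:443 -> 65,536 bytes"),
    Event(101.2, 1337, 98_000_000, "alloc_exec", "0x7ff000 RWX 1 MB"),
    Event(101.3, 1337, 98_000_000, "thread_create", "start=0x7ff000"),
    # pid 777: small image, but the executable allocation precedes any network
    # read, so the staged-payload ordering is not met.
    Event(102.0, 777, 20_480, "alloc_exec", "0x2a0000 RWX 4096 bytes"),
    Event(102.1, 777, 20_480, "thread_create", "start=0x2a0000"),
    Event(140.0, 777, 20_480, "net_recv", "192.0.2.5:80 -> 300 bytes"),
    # pid 4242 again, much later: a second stage arrives and is staged the same way.
    Event(600.0, 4242, 6_144, "net_recv", "203.0.113.10:443 -> 8,192 bytes"),
    Event(600.9, 4242, 6_144, "alloc_exec", "0x200000 RWX 8192 bytes"),
    Event(601.5, 4242, 6_144, "thread_create", "start=0x200000"),
]

# The ordered chain a network loader must perform to run a staged payload in-process.
SEQUENCE = ("net_recv", "alloc_exec", "thread_create")


def find_staged_loaders(events: List[Event], max_image_bytes: int = 64 * 1024,
                        window_s: float = 5.0) -> Dict[int, List[Tuple[float, ...]]]:
    """Return {pid: [(ts_recv, ts_alloc, ts_thread), ...]} for processes whose image
    is at most max_image_bytes and which complete the SEQUENCE chain within window_s.

    Both thresholds are illustrative assumptions, not tuned detection values.
    """
    by_pid: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    hits: Dict[int, List[Tuple[float, ...]]] = defaultdict(list)
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        if evs[0].image_size > max_image_bytes:
            continue  # large images are out of scope for this "tiny loader" rule
        # Small state machine: advance on the next expected kind, drop the partial
        # chain once the window has elapsed, and let a fresh network read restart it.
        stage, chain = 0, []
        for e in evs:
            if chain and e.ts - chain[0] > window_s:
                stage, chain = 0, []
            if e.kind == SEQUENCE[stage]:
                chain.append(e.ts)
                stage += 1
                if stage == len(SEQUENCE):
                    hits[pid].append(tuple(chain))
                    stage, chain = 0, []
            elif e.kind == SEQUENCE[0]:
                stage, chain = 1, [e.ts]
    return dict(hits)


if __name__ == "__main__":
    for pid, chains in find_staged_loaders(SAMPLE_EVENTS).items():
        for recv_ts, alloc_ts, thread_ts in chains:
            print(f"pid {pid}: net_recv@{recv_ts} -> alloc_exec@{alloc_ts} "
                  f"-> thread_create@{thread_ts}")
```

The rule deliberately keys on ordering and timing rather than on any byte pattern, which is the point the page makes about FuncIn: every stage is a separate network delivery, so each delivery repeats the same observable chain (pid 4242 is flagged twice), while a process that allocates executable memory before any network read (pid 777) does not match. Raising `max_image_bytes` widens the rule to ordinary JIT-using applications, so in practice the size bound, the window and the allocation-protection flags would all need tuning against local baseline telemetry.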

Technique Identifiers

U0132 U0221 U0308

Featured Windows APIs

Below, you will find a list of the Windows APIs most commonly used by malware authors for the current evasion technique. This list is meant to give an overview of the APIs commonly used for this purpose. If there are any APIs you feel should be included in this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.


Additional Resources

External Links

The resources provided below are associated links that give more detailed information and research on the current evasion technique. While these resources may be helpful, exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Sleeping Alien
