Mortar Loader: New tool for Process Hollowing written in Pascal

Description

Mortar Loader is a new process hollowing tool, released as open source for red teamers and written in the Pascal programming language, that can just as easily be leveraged by threat actors. Process hollowing is a well-known evasion technique used by adversaries to defeat detection and prevention by security products.


A loader is a malicious program whose job is to deliver and run the actual payload on the infected machine.


What is Process Hollowing?

Process Hollowing is a method of executing arbitrary code in the address space of a separate live process. It is commonly performed by creating a process in a suspended state then unmapping its memory, which can then be replaced with malicious code.


Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.


How does Mortar Loader work?

Mortar has two components, the payload encryptor and the loader itself.


The encryptor runs on the attacker's machine to prepare the selected PE payload. It encrypts the payload with the Blowfish symmetric cipher and base64-encodes the ciphertext so that the result can be embedded in the loader.


The loader reverses these operations in memory streams, base64-decoding and then Blowfish-decrypting the payload with a hardcoded key. It can be compiled as a standalone executable or as a DLL. The decrypted payload is executed using the vanilla process hollowing technique and is never written to a file on disk. Note that the encoding and encryption layers only defeat naive string and signature scans of the loader: because the key is hardcoded in the binary, an analyst who has the sample can recover the plaintext payload statically.


What is the Status of Coverage?

FortiEDR detects and blocks payloads executed by Mortar Loader out of the box, because it detects process hollowing from the operating system's perspective, that is, on the hollowing operations themselves rather than on the encrypted and encoded payload carried by the loader.

Depending on the enabled set of policies, FortiEDR can block the creation of the hollowed process (pre-execution) or the malicious operations performed later by the payload (post-infection).
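To make concrete what detecting hollowing "from the operating system's perspective" means, the following is an added example (not FortiEDR's detection logic and not code from the Mortar Loader project) that walks a stream of process telemetry and flags the sequence described above: a child created suspended, its original image unmapped or overwritten at the image base, the thread context redirected, and the thread resumed. It also shows the pre-execution versus post-infection distinction: a child whose image replacement was fully observed is reported at ResumeThread, before the injected payload runs, while a child whose overwrite was missed is only reported when it later reads lsass.exe (the credential-access behaviour of a payload such as Mimikatz). The event schema, PIDs, paths and addresses are constructed sample data.

```python
"""Flag the process hollowing sequence in a stream of process telemetry.

Added example for this write-up: it is not FortiEDR's detection logic and not
code from the Mortar Loader project. The event schema (field names, PIDs,
paths, addresses) is a constructed stand-in for what an EDR sensor collects
from kernel callbacks and user-mode hooks.
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess

# Constructed sample telemetry. Three children are started suspended:
#  - 4242 (cmd.exe) is fully hollowed and resumed: every step is observed.
#  - 7777 (svchost.exe) is resumed without an observed image overwrite (for
#    instance a telemetry gap), then reads lsass.exe: caught by behaviour.
#  - 5555 (notepad.exe) is a benign suspended launch that is simply resumed.
SAMPLE_EVENTS = [
    {"pid": 100, "op": "CreateProcess", "child": 4242, "flags": 0x4,
     "image": r"C:\Windows\System32\cmd.exe", "image_base": 0x7FF6A0000000},
    {"pid": 100, "op": "NtUnmapViewOfSection", "target": 4242, "base": 0x7FF6A0000000},
    {"pid": 100, "op": "VirtualAllocEx", "target": 4242, "base": 0x7FF6A0000000,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 100, "op": "WriteProcessMemory", "target": 4242, "base": 0x7FF6A0000000,
     "data": b"MZ\x90\x00" + b"\x00" * 60},
    {"pid": 100, "op": "SetThreadContext", "target": 4242},
    {"pid": 100, "op": "ResumeThread", "target": 4242},
    {"pid": 200, "op": "CreateProcess", "child": 5555, "flags": 0x4,
     "image": r"C:\Windows\System32\notepad.exe", "image_base": 0x7FF7B0000000},
    {"pid": 200, "op": "ResumeThread", "target": 5555},
    {"pid": 300, "op": "CreateProcess", "child": 7777, "flags": 0x4,
     "image": r"C:\Windows\System32\svchost.exe", "image_base": 0x7FF7C0000000},
    {"pid": 300, "op": "ResumeThread", "target": 7777},
    {"pid": 7777, "op": "OpenProcess", "target": 624, "access": 0x0010,  # PROCESS_VM_READ
     "target_image": r"C:\Windows\System32\lsass.exe"},
]


def _finding(child, rec, verdict, reason):
    return {"child": child, "parent": rec["parent"], "image": rec["image"],
            "verdict": verdict, "reason": reason, "stages": sorted(rec["stages"])}


def analyze(events):
    """Return one finding per hollowed child, in the order they were detected.

    ``verdict`` is "pre-execution" when the full hollowing sequence was seen on
    the suspended child, so it can be blocked at ResumeThread before the
    injected payload runs, and "post-infection" when only the payload's later
    behaviour (here: opening lsass.exe) gave it away.
    """
    tracked = {}   # child pid -> progress record for children created suspended
    findings = []
    for ev in events:
        op = ev["op"]
        if op == "CreateProcess":
            if ev["flags"] & CREATE_SUSPENDED:
                tracked[ev["child"]] = {"parent": ev["pid"], "image": ev["image"],
                                        "image_base": ev["image_base"],
                                        "stages": {"suspended_create"}}
            continue
        if op == "OpenProcess":
            # Behaviour of an already-running child: credential access on lsass.
            rec = tracked.get(ev["pid"])
            if (rec is not None and "thread_resumed" in rec["stages"]
                    and ev["target_image"].lower().endswith("lsass.exe")):
                findings.append(_finding(ev["pid"], rec, "post-infection",
                                         "resumed suspended child opened lsass.exe"))
            continue
        rec = tracked.get(ev.get("target"))
        if rec is None:
            continue   # cross-process operation on a child we are not tracking
        if op == "NtUnmapViewOfSection" and ev["base"] == rec["image_base"]:
            rec["stages"].add("image_unmapped")
        elif op == "WriteProcessMemory" and ev["base"] == rec["image_base"]:
            # A new PE header landing on the original image base is the core of
            # the technique: the file on disk no longer matches what will run.
            if ev["data"][:2] == b"MZ":
                rec["stages"].add("image_written")
        elif op == "SetThreadContext":
            rec["stages"].add("entrypoint_redirected")
        elif op == "ResumeThread":
            rec["stages"].add("thread_resumed")
            if "image_written" in rec["stages"]:
                findings.append(_finding(ev["target"], rec, "pre-execution",
                                         "image of suspended child replaced before resume"))
                del tracked[ev["target"]]   # already reported, do not report twice
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['verdict']}: pid {f['child']} ({f['image']}) spawned by "
              f"{f['parent']}: {f['reason']}")
```

The point of keying on the suspended child, the write at its image base and the resume, rather than on the bytes of the loader, is that none of it changes when the payload is re-encrypted or re-encoded; the VirtualAllocEx event is deliberately ignored here because allocation alone is common in benign parents as well.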



Figure 1 - Detection of Mimikatz running disguised as cmd.exe via Mortar Loader.