RunPE technique

The RunPE technique, also known as RunPortableExecutable, is a Windows-based technique used to replace the functionality of a legitimate Windows binary with malicious code. It is widely used by malicious actors to evade detection and keep their malicious activities under the radar.

The RunPE technique works by loading the malicious program into memory and then using the PEB (Process Environment Block, a memory data structure used by Windows) to modify the original program. It is usually used to inject malicious code that replaces the original program's content and to execute the payload included in the malicious code. To further evade detection, the malicious code is usually disguised as a legitimate Windows binary, such as an executable or dynamic library.

The RunPE technique’s combination of speed and stealth makes it a common technique employed by malicious actors. It has been employed in many malicious campaigns such as Zeus and ransomware. It is also used to propagate malicious executable bundles, malicious emails and other malicious objects. Furthermore, it is used in many other forms of malicious software such as keyloggers, downloaders, and information stealers.

As a result of its effectiveness and utility, the RunPE technique is often seen as a security challenge for conventional antivirus solutions, and even despite corrective measures, including some signatures as well as exploit prevention, some malicious actors have been able to remain undetected.
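Because the technique replaces the original program's content in memory, a defender can compare the header of the image mapped in a process with the header of the file that process claims to run. The following is an added example, not code from the original page: the function names are hypothetical, the header bytes are constructed samples, and it assumes the memory bytes were already read from the image base recorded in the process's PEB (for instance out of a memory dump).

```python
import struct

# Header fields the Windows loader does not rewrite when it maps an image.
FIELDS = ("machine", "sections", "timestamp", "entry_point", "size_of_image")

def parse_pe_header(buf: bytes) -> dict:
    """Extract identifying fields from the first page of a PE image."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    opt = e_lfanew + 24  # optional header: after 4-byte signature + 20-byte COFF header
    if opt + 60 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, sections, timestamp = struct.unpack_from("<HHI", buf, e_lfanew + 4)
    (entry_point,) = struct.unpack_from("<I", buf, opt + 16)    # AddressOfEntryPoint
    (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)  # SizeOfImage
    return dict(zip(FIELDS, (machine, sections, timestamp, entry_point, size_of_image)))

def header_mismatches(disk: bytes, memory: bytes) -> list:
    """Names of fields that differ between the file and the mapped image."""
    on_disk = parse_pe_header(disk)
    try:
        in_memory = parse_pe_header(memory)
    except ValueError:
        # A main image whose header no longer parses is reported, not skipped.
        return ["header_unreadable"]
    return [f for f in FIELDS if on_disk[f] != in_memory[f]]

def build_header(timestamp, entry_point, size_of_image, sections=3) -> bytes:
    """Constructed sample: minimal x64 PE header with only the parsed fields set."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x8664, sections, timestamp)
    struct.pack_into("<H", buf, 0x98, 0x20B)          # PE32+ magic
    struct.pack_into("<I", buf, 0x98 + 16, entry_point)
    struct.pack_into("<I", buf, 0x98 + 56, size_of_image)
    return bytes(buf)

DISK = build_header(0x5F000000, 0x1500, 0x20000)      # file on disk (constructed)
MEM_CLEAN = DISK                                      # unmodified process image
MEM_REPLACED = build_header(0x61000000, 0x4A10, 0x9000, sections=5)

if __name__ == "__main__":
    for name, mem in (("clean", MEM_CLEAN), ("replaced", MEM_REPLACED)):
        print(name, header_mismatches(DISK, mem) or "match")
```

Any mismatch is a lead for further analysis of that process, not a verdict on its own.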
