Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

Distributed execution designs challenge behavioral analyses of anti-malware solutions by spreading seemingly benign chunks a malicious payload to multiple processes. Researchers have explored methods chop payloads, spread victim applications through process injection techniques, and orchestrate the execution. However, these can hardly be practical as they exhibit conspicuous features make use primitives that operating system mitigations readily detect. In this paper we reason on fundamental requirements properties for stealth implementation distributed malware. We propose new covert design, Rope, minimizes its footprint making commodity techniques like transacted files return-oriented programming communication distribution. report how synthetic Rope samples eluded number state-of-the-art anti-virus endpoint security solutions, bypassed opt-in Windows 10 hardening applications. then discuss directions remediations mitigate such threats.