Beyond good ol’ Run key, Part 107

June 7, 2019 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins

This is a persistence and code injection trick in one. It only affects environments where the NVIDIA CUDA Toolkit is present. If that is the case, the system will have these two environment variables set:

  • CUDA_INJECTION32_PATH
  • CUDA_INJECTION64_PATH

They typically point to legitimate NVIDIA DLLs, but one could replace them with anything. The DLLs are loaded via LoadLibrary.
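A quick way to audit a host for this is to read both variables and check where they point. The script below is an added example (not code from the original post); it treats the CUDA Toolkit install directory as the only trusted prefix, which is an assumption about the deployment, and flags values that name a file in a user-writable location or outside that prefix. The sample environment in `main()` is constructed for illustration.

```python
"""Audit CUDA_INJECTION32_PATH / CUDA_INJECTION64_PATH for unexpected values.

Added example, not code from the original post. The trusted prefixes are an
assumption about where a legitimate CUDA Toolkit install keeps its DLLs;
adjust them to match the environment being audited.
"""
import os
from typing import Dict, List

INJECTION_VARS = ("CUDA_INJECTION32_PATH", "CUDA_INJECTION64_PATH")

# Assumption: legitimate values live under the CUDA Toolkit install tree.
TRUSTED_PREFIXES = (
    r"c:\program files\nvidia gpu computing toolkit\cuda",
)

# Directories an unprivileged user can normally write to on Windows.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _normalize(value: str) -> str:
    """Lower-case, strip quotes and use backslashes so prefix checks are uniform."""
    return value.strip().strip('"').replace("/", "\\").lower()


def classify_value(value: str) -> str:
    """Return a verdict for one variable value."""
    path = _normalize(value)
    if not path.endswith(".dll"):
        return "suspicious: does not name a DLL"
    if any(path.startswith(prefix) for prefix in TRUSTED_PREFIXES):
        return "expected location"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "suspicious: user-writable location"
    return "review: outside trusted prefixes"


def audit_cuda_injection_vars(env: Dict[str, str]) -> List[dict]:
    """Inspect only the two CUDA injection variables and report a verdict for each that is set."""
    findings = []
    for name in INJECTION_VARS:
        if name not in env:
            continue  # absent variable: nothing is injected via this path
        findings.append(
            {"variable": name, "value": env[name], "verdict": classify_value(env[name])}
        )
    return findings


def main() -> None:
    # Constructed sample environment; on a live host pass os.environ instead.
    sample_env = {
        "CUDA_INJECTION64_PATH": r"C:\Program Files\NVIDIA GPU Computing Toolkit\CUDA\v10.1\bin\example.dll",
        "CUDA_INJECTION32_PATH": r"C:\Users\Public\update.dll",
        "PATH": r"C:\Windows\System32",
    }
    for finding in audit_cuda_injection_vars(sample_env):
        print(f"{finding['variable']}: {finding['verdict']} ({finding['value']})")


if __name__ == "__main__":
    main()
```

Run it against `os.environ` on a host with the toolkit installed; a value under a user profile, `Temp`, or `ProgramData` is worth pulling and checking the DLL's signature and hash, and the same check applies to the machine-scope copies of these variables in the registry, which is where the persistence would actually live.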

This is not a backdoor of any sort – just a legitimate profiler interface.
