Cylance vs Sality

Hello everyone. In anticipation of the start of the course "Reverse Engineering 2.0", another interesting translation has been prepared.




Sality has been terrorizing computer users since 2003, when personal digital assistants (PDAs) made headlines in technical publications and office PCs ran Windows XP. Over the years, users have traded their PDAs for smartphones, and desktop computers have moved to new operating systems and new workstation solutions. Sality, however, has survived the frantic pace of technological change and continues to threaten organizations to this day.

The Sality virus infects executables on local disks, removable media and network drives. It builds a peer-to-peer (P2P) botnet that is used to download and execute other malware. Sality injects malicious code into infected files and modifies their entry point so that the injected code is executed. The malware has stayed viable by adopting successful strategies from other threats, including rootkit/backdoor techniques, keylogging and worm-like propagation.

Attack chain analysis




Sality Analysis


Our analysis begins with a screenshot of a Windows Defender service file infected with malicious code. Note the malicious code embedded in the last section of this file (Figure 1) :


Figure 1: The last line shows a section that is readable, writable and executable
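As an added illustration (not part of the original post and not Cylance's tooling), the following Python checks a PE file for the layout described above: a final section that is readable, writable and executable, with the entry point pointing into it. The two-section PE header it inspects is constructed inline for the demo; a real file would be read from disk.

```python
import struct

# Section characteristic flags from the PE specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return (entry_point_rva, [(name, rva, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32/PE32+
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[9]))
    return entry_rva, sections


def appended_code_suspect(data):
    """True when the last section is RWX and the entry point lands inside it:
    the layout Figure 1 shows for an executable Sality has appended itself to."""
    entry_rva, sections = parse_sections(data)
    if not sections:
        return False
    _name, rva, vsize, chars = sections[-1]
    return (chars & RWX) == RWX and rva <= entry_rva < rva + vsize


def build_sample(entry_rva, last_chars):
    """Constructed header-only PE32 image (two sections) used only for this demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * (0xE0 - 20)
    text = struct.pack(SECTION_HDR, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    last = struct.pack(SECTION_HDR, b".data", 0x2000, 0x2000, 0x2000, 0x1400, 0, 0, 0, 0, last_chars)
    return dos + b"PE\0\0" + coff + opt + text + last
```

On a real file call `appended_code_suspect(open(path, "rb").read())`; a clean build has a non-executable data section last and an entry point in `.text`, while the infected layout returns True.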

Sality creates three copies of itself. The first copy is saved in the folder %AppData%\local\temp\ (Figure 2) and injected into the explorer process (Figure 3):


Figure 2: The first copy of Sality is saved in the %temp% folder under the name xelag.exe


Figure 3: The malicious process (xelag.exe) is injected into the explorer process

The second copy of the malware is saved in the folder %AppData%\local\temp\%random_folder_name%\ under the name WinDefender.exe (Figure 4):


Figure 4: The second copy of Sality, named WinDefender.exe

The third copy of Sality resides in the virtual memory of a remote process and is saved as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Download_Manager.exe (Figure 5):


Figure 5: The third copy of Sality, saved under the name Download_Manager.exe.

To ensure persistence, Sality modifies the registry (Figure 6):


Figure 6: Sality writes itself to the registry.

The virus then attempts to establish a P2P connection to download additional malware (Figure 7):


Figure 7: Sality contacts a suspicious IP address to obtain more malware.

When the victim restarts the computer, all three copies of the malware are injected into explorer.exe (Figure 8):


Figure 8: All three copies of Sality are injected into the explorer process.

Why does Sality matter, and why should I care?


Sality made its debut in the same year that Apple opened the iTunes Store and The Return of the King topped the box office. It remains a threat today. The longevity of Sality alone is evidence of its effectiveness and adaptability. Any malware that is still viable a decade and a half after its first detection should not be out of sight of users and security professionals.

Compared with Nemucod, Sality is a more complete and mature piece of malware. It has a long history of changes that point to a diverse set of use cases, with the ability to deploy Sality according to the objectives and complexity of the attack. Mapping Sality's capabilities to the MITRE ATT&CK tactic categories, this malware can play a role at every internal stage of the attack chain after execution, which means that Sality needs a delivery method into the environment before it can get to work.

If necessary, Sality can act as the main operational agent, giving the attacker a basic set of functions for performing various actions on the target aimed at maintaining and expanding access. It can also download additional modules as the attacker needs them. The flexibility offered by this basic feature set makes Sality suitable for a wide range of offensive campaigns.

The flexibility afforded by commodity malware such as Sality lets more sophisticated attackers hide the activity and intent of a targeted attack under the guise of a broad, indiscriminate campaign. An attacker can use Sality's capabilities in the first wave of a targeted attack to establish a foothold in the environment. With this access, the attacker can deploy more sophisticated or destructive malware once he has assessed the operational risk based on the target's defensive posture.

Cylance Stops Sality


CylancePROTECT users will be happy to know that we detect and prevent Sality before it launches. By preventing Sality from launching, we protect our customers from this pernicious malware and from the many other threats it seeks to deploy. Sality may be long-lived, but it will not survive on machines protected by CylancePROTECT.





