Hardware Information Gathering
Hardware information gathering is a technique frequently employed by a variety of malware families, including Remote Access Trojans (RATs), information stealers and C2 frameworks. It typically forms part of the system reconnaissance phase during malware execution and provides attackers with detailed insight into the physical characteristics of an infected device.
The technique may extract data such as:
- Motherboard / Hard drive serial numbers
- MAC addresses of physical network interfaces
- CPU model and core count
- Installed RAM size and configuration
- Connected peripheral devices
One of the primary uses of this information is to construct a Hardware Unique Identifier (HWID), a fingerprint based on hardware attributes that is far more resilient to tampering than identifiers like usernames or computer names, which can easily be changed. HWIDs are used by attackers for various purposes:
- Victim tracking: Ensures each infected device is uniquely identified, even if system-level changes occur.
- Malware licensing: Some malware-as-a-service (MaaS) operations use HWIDs to enforce licensing restrictions, such as limiting the number of installations per customer or binding the malware to a specific machine.
- Evasion and anti-analysis: By analyzing hardware characteristics, malware can detect execution within virtual machines, sandboxes, or other artificial environments used for malware analysis. Upon such detection, the malware may alter its behavior, delay execution, or terminate entirely to avoid detection.
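The following is an added example, not code from this page or from the snippet listed below, showing from the analyst's side what the HWID described above looks like: a hash over the hardware attributes in the list, with mutable identifiers such as hostname and username left out, so renaming the machine does not change it while swapping a disk does. It also includes a sandbox-hardening check that reports which gathered attributes carry a virtualization vendor string, which is the property the evasion bullet relies on. All hardware values are constructed; the field names, the marker list and the 128-bit truncation are assumptions of this example rather than any particular family's scheme.

```python
import hashlib
import json

# Constructed sample values for the attributes listed above. Real malware reads
# them via WMI, the registry or raw device I/O; they are hard-coded here so the
# example runs offline on any platform.
SAMPLE_HOST = {
    "hostname": "DESKTOP-7H2K9Q",            # mutable, deliberately excluded
    "username": "alice",                     # mutable, deliberately excluded
    "baseboard_serial": "MB-2231-0007-XQ",   # constructed
    "disk_serial": "WD-WX41A19C7722",        # constructed
    "mac_addresses": ["00:1a:2b:3c:4d:5e"],  # constructed
    "cpu_model": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
    "cpu_cores": 8,
    "ram_bytes": 16 * 1024 ** 3,
}

# Attributes that feed the fingerprint: the hardware facts from the list above
# (assumed field names for this example).
HWID_FIELDS = ("baseboard_serial", "disk_serial", "mac_addresses",
               "cpu_model", "cpu_cores", "ram_bytes")

# Vendor strings that commonly surface in the hardware attributes of analysis VMs.
VIRTUALIZATION_MARKERS = ("VMWARE", "VIRTUALBOX", "VBOX", "QEMU",
                          "KVM", "XEN", "HYPER-V", "VIRTUAL")


def normalize(value):
    """Canonicalize a value so case or ordering differences do not change the hash."""
    if isinstance(value, list):
        return sorted(str(v).strip().upper() for v in value)
    if isinstance(value, str):
        return value.strip().upper()
    return value


def build_hwid(host, fields=HWID_FIELDS):
    """Derive a 128-bit hex HWID from the selected hardware attributes only."""
    canonical = {f: normalize(host.get(f)) for f in fields}
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()[:32]


def hwid_resilience_report(host):
    """Report which host changes alter the HWID, i.e. what an analyst should expect."""
    baseline = build_hwid(host)
    renamed = dict(host, hostname="WORKSTATION-01", username="bob")
    new_disk = dict(host, disk_serial="ST-NEW-DISK-0001")  # constructed replacement
    return {
        "hwid": baseline,
        "hostname_change_alters_hwid": build_hwid(renamed) != baseline,
        "disk_swap_alters_hwid": build_hwid(new_disk) != baseline,
    }


def attributes_with_virtualization_markers(host, fields=HWID_FIELDS):
    """Sandbox-hardening check: which gathered attributes betray a VM vendor?"""
    leaking = []
    for f in fields:
        value = normalize(host.get(f))
        text = " ".join(value) if isinstance(value, list) else str(value)
        if any(marker in text for marker in VIRTUALIZATION_MARKERS):
            leaking.append(f)
    return leaking


if __name__ == "__main__":
    print(hwid_resilience_report(SAMPLE_HOST))
    # Constructed profile of an analysis VM whose CPU string leaks the hypervisor.
    sandbox = dict(SAMPLE_HOST, cpu_model="QEMU Virtual CPU version 2.5+")
    print(attributes_with_virtualization_markers(sandbox))
```

The resilience report is the useful part when reviewing beacons: the same HWID will keep appearing in C2 traffic after a host is renamed or re-imaged onto the same hardware, so correlating victims by HWID rather than hostname is more reliable. The marker check is meant to be run against the hardware profile of an analysis VM before a sample is detonated, so that attributes which expose the hypervisor can be masked in advance.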
In more advanced use cases, Remote Access Trojans may include features to enumerate all installed physical devices, disable or remove drivers, or otherwise interfere with hardware components. These capabilities can be leveraged to sabotage the system, hinder recovery efforts or reduce system stability as a form of disruption.
Featured Windows API
Associated Code Snippets
Id | Name | Language | Author | Published Date
---|---|---|---|---
4 | Get Main Hard Drive Serial | | DarkCoderSc | 3 days, 1 hour ago