Threat Intelligence

2/20/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Researcher to Release Free Attack Obfuscation Tool

Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.

Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks - and their latest method ups the ante in abuses of the basic command prompt.

The FIN7, aka Carbanak, cybercrime gang known for attacking banks and most recently, the hospitality and restaurant industries, last year was spotted by FireEye  exploiting the cmd.exe Windows binary. The unique use of their technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind the legitimate Windows commands.

Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets' systems. 

"The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation," Bohannon says of FIN7's activity.

The command prompt obfuscation method is another twist in what researchers refer to as "living off the land," or fileless malware attacks, where attackers use native Windows tools on a victim's machine to hide their activity and malware from detection-based security tools and whitelisting. "Attackers don't need to drop custom malware on disk. They can use native tools and run everything in memory," Bohannon explains.

PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when the file is written to the disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the tools to move around and laterally to avoid getting caught in the act.

Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.

In Command

In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.

"I'm sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that's never seen [being] used in the wild, and I expect them to change" their tactics once the Invoke-DOSfuscation gets released, he says.

The caret (^) and quote-mark ("") symbols, for example, are placed in the command string to obfuscate their payloads. So if an attacker inserts quote marks around his malicious string, it evades detection because it "breaks rigid detection rules," Bohannon explains.

FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers tweaked the string to "Wor" + "d.Application" in stead of "Word.Application," for example, and other replacement characters in cmd.exe in order to fly under the radar.

Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.ex or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. "A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] 'did I detect all these commands?'"

If not, they can tune their detection rules, he says.

"[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against," basically automating the detecting testing process, he says. The goal is to get organizations "in front of" the command obfuscation method before it hits them.

Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. "Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command," he notes.

Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight, and to save on the labor and cost of writing custom malware. "It's fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don't have to spend R&D and build custom stuff" when they go open-source, Mandiant's Bohannon says.

 

 

See Mandiant's Daniel Bohannon demonstrate these advanced obfuscation methods at Black Hat Asia next month. Go here for more information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He just showed up at my doorstep one day without a geotag."
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.