Threat Intelligence

2/20/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Researcher to Release Free Attack Obfuscation Tool

Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.

Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks - and their latest method ups the ante in abuses of the basic command prompt.

The FIN7, aka Carbanak, cybercrime gang known for attacking banks and most recently, the hospitality and restaurant industries, last year was spotted by FireEye  exploiting the cmd.exe Windows binary. The unique use of their technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind the legitimate Windows commands.

Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets' systems. 

"The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation," Bohannon says of FIN7's activity.

The command prompt obfuscation method is another twist in what researchers refer to as "living off the land," or fileless malware attacks, where attackers use native Windows tools on a victim's machine to hide their activity and malware from detection-based security tools and whitelisting. "Attackers don't need to drop custom malware on disk. They can use native tools and run everything in memory," Bohannon explains.

PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when the file is written to the disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the tools to move around and laterally to avoid getting caught in the act.

Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.

In Command

In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.

"I'm sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that's never seen [being] used in the wild, and I expect them to change" their tactics once the Invoke-DOSfuscation gets released, he says.

The caret (^) and quote-mark ("") symbols, for example, are placed in the command string to obfuscate their payloads. So if an attacker inserts quote marks around his malicious string, it evades detection because it "breaks rigid detection rules," Bohannon explains.

FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers tweaked the string to "Wor" + "d.Application" in stead of "Word.Application," for example, and other replacement characters in cmd.exe in order to fly under the radar.

Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.ex or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. "A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] 'did I detect all these commands?'"

If not, they can tune their detection rules, he says.

"[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against," basically automating the detecting testing process, he says. The goal is to get organizations "in front of" the command obfuscation method before it hits them.

Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. "Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command," he notes.

Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight, and to save on the labor and cost of writing custom malware. "It's fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don't have to spend R&D and build custom stuff" when they go open-source, Mandiant's Bohannon says.

 

 

See Mandiant's Daniel Bohannon demonstrate these advanced obfuscation methods at Black Hat Asia next month. Go here for more information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.