Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/20/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Researcher to Release Free Attack Obfuscation Tool

Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.

Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks - and their latest method ups the ante in abuses of the basic command prompt.

The FIN7, aka Carbanak, cybercrime gang known for attacking banks and most recently, the hospitality and restaurant industries, last year was spotted by FireEye  exploiting the cmd.exe Windows binary. The unique use of their technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind the legitimate Windows commands.

Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets' systems. 

"The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation," Bohannon says of FIN7's activity.

The command prompt obfuscation method is another twist in what researchers refer to as "living off the land," or fileless malware attacks, where attackers use native Windows tools on a victim's machine to hide their activity and malware from detection-based security tools and whitelisting. "Attackers don't need to drop custom malware on disk. They can use native tools and run everything in memory," Bohannon explains.

PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when the file is written to the disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the tools to move around and laterally to avoid getting caught in the act.

Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.

In Command

In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.

"I'm sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that's never seen [being] used in the wild, and I expect them to change" their tactics once the Invoke-DOSfuscation gets released, he says.

The caret (^) and quote-mark ("") symbols, for example, are placed in the command string to obfuscate their payloads. So if an attacker inserts quote marks around his malicious string, it evades detection because it "breaks rigid detection rules," Bohannon explains.

FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers tweaked the string to "Wor" + "d.Application" in stead of "Word.Application," for example, and other replacement characters in cmd.exe in order to fly under the radar.

Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.ex or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. "A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] 'did I detect all these commands?'"

If not, they can tune their detection rules, he says.

"[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against," basically automating the detecting testing process, he says. The goal is to get organizations "in front of" the command obfuscation method before it hits them.

Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. "Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command," he notes.

Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight, and to save on the labor and cost of writing custom malware. "It's fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don't have to spend R&D and build custom stuff" when they go open-source, Mandiant's Bohannon says.

 

 

See Mandiant's Daniel Bohannon demonstrate these advanced obfuscation methods at Black Hat Asia next month. Go here for more information on the conference and to register.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .