Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.

Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks - and their latest method ups the ante in abuses of the basic command prompt.

The FIN7, aka Carbanak, cybercrime gang known for attacking banks and most recently, the hospitality and restaurant industries, last year was spotted by FireEye  exploiting the cmd.exe Windows binary. The unique use of their technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind the legitimate Windows commands.

Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets' systems. 

"The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation," Bohannon says of FIN7's activity.

The command prompt obfuscation method is another twist in what researchers refer to as "living off the land," or fileless malware attacks, where attackers use native Windows tools on a victim's machine to hide their activity and malware from detection-based security tools and whitelisting. "Attackers don't need to drop custom malware on disk. They can use native tools and run everything in memory," Bohannon explains.

PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when the file is written to the disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the tools to move around and laterally to avoid getting caught in the act.

Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.

In Command

In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.

"I'm sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that's never seen [being] used in the wild, and I expect them to change" their tactics once the Invoke-DOSfuscation gets released, he says.

The caret (^) and quote-mark ("") symbols, for example, are placed in the command string to obfuscate their payloads. So if an attacker inserts quote marks around his malicious string, it evades detection because it "breaks rigid detection rules," Bohannon explains.

FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers tweaked the string to "Wor" + "d.Application" in stead of "Word.Application," for example, and other replacement characters in cmd.exe in order to fly under the radar.

Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.ex or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. "A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] 'did I detect all these commands?'"

If not, they can tune their detection rules, he says.

"[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against," basically automating the detecting testing process, he says. The goal is to get organizations "in front of" the command obfuscation method before it hits them.

Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. "Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command," he notes.

Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight, and to save on the labor and cost of writing custom malware. "It's fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don't have to spend R&D and build custom stuff" when they go open-source, Mandiant's Bohannon says.

 

 

See Mandiant's Daniel Bohannon demonstrate these advanced obfuscation methods at Black Hat Asia next month. Go here for more information on the conference and to register.

Related Content:

Read more about:

Black Hat News

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights