(except some ransomware)
• WHY? To start the application after each reboot
• HOW? Windows offers various legitimate persistence ways – let's recall them...
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The most commonly used technique (also by malware)...
https://support.microsoft.com/pl-pl/help/179365/info-run,-runonce,-runservices,-runservicesonce-and-startup
measures to cover/protect
2. Abuse of other mechanisms of the system for automated injection, e.g.:
• AppInit_DLL, COM hijacking, shims, MS Application Verifier Provider ("DoubleAgent" technique), etc.
3. User-triggered persistence – hide in other elements that are likely to be clicked/deployed by a user
v. 3)
• Make the sample inaccessible: ADS, special folders (e.g. Diamond Fox)
• Hide in plain sight:
  • behind legitimate applications: Korplug
  • hide the executable in the Windows registry – "fileless" malware
  • use scripts to load malicious modules – often PowerShell
malicious PE on the disk
2. Set callbacks on the messages WM_QUERYENDSESSION and WM_ENDSESSION to detect when the system is going to shut down
3. On shutdown event detected: write yourself to the disk and add the Run key for persistence
4. On system startup: delete the Run key, go to 1.
https://www.cyberbit.net/wp-content/uploads/2016/09/Analysis-of-Dridex-AnD-for-IT.pdf
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Administrative Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}
All Tasks.{ED7BA470-8E54-465E-825C-99712043E01C}
History.{ff393560-c2a7-11cf-bff4-444553540000}
Clicking on the folder triggers a different action -> no access to the content
folders:
• The user cannot access the content – the special CLSID triggers an event other than opening the folder
• Cannot be removed/renamed in a typical way – the restricted name prevents operating on the folder
http://www.thewindowsclub.com/the-secret-behind-the-windows-7-godmode
• A feature of the NTFS file system
• Implemented, but practically not used by Windows...
• Only the main stream of the file is listed/accessible in a typical way
• Format: <filename.extension>:<alternate_stream_name>
https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
2. Copy the DLL into the ADS of some file, e.g.:
   type demo.dll > test.txt:demo
3. Deploy the DLL from the alternate stream (DllMain):
   regsvr32.exe /s test.txt:demo
4. Deploy a specific function (e.g. Test1) from the DLL:
   rundll32.exe test.txt:demo,Test1
the key
• Example: Kovter https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
\0c:\\users\\tester\\appdata\\local\\bcd7\\62d2.lnk
Malformed key: Regedit cannot display it
Still can be viewed by Autoruns...
keys leading to Microsoft apps
• Example: Moker trojan https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\test.exe\""
Autoruns shows only two keys... But there are more...
Malware is deployed by a Microsoft application: Rundll32
- Uses a vulnerable, digitally signed, legitimate application (old AV products)
- Exploits DLL side-loading (the DLL is a decoder)
- The real malware is decrypted in memory -> no malicious PE file on the disk -> hard to detect!
https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
- Uses a legitimate application (PHP)
- PHP is used to deploy an obfuscated script
- The script decrypts and loads the malware
- The real malware is revealed in memory -> no malicious PE file on the disk -> hard to detect!
https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
malware
- Persistence is achieved by a basic Run key – but the flow leading to the malicious executable is obfuscated
- The malicious PE is stored in the registry in encrypted form
- Multiple layers till the real payload is loaded...
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
that uses user32.dll: https://support.microsoft.com/pl-pl/help/197571/working-with-the-appinit-dlls-registry-value
UAC bypass required
Disabled in Windows 8 and above when Secure Boot is enabled
a patch into a selected application
• Can be used to automatically load malicious modules when the target application is deployed (DLL, shellcode, etc.)
UAC bypass required
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
application using the defined COM object is loaded, the malware is executed
• Keys:
  32-bit OS + 32-bit DLL, or 64-bit OS + 64-bit DLL:
  HKCU\Software\Classes\CLSID\[hijacked CLSID]\InprocServer32
  64-bit OS + 32-bit DLL:
  HKCU\Software\Classes\Wow6432Node\CLSID\[hijacked CLSID]\InprocServer32
https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
type "81d59edde88fc4969d.exe" > "%temp%\81d59edde88fc4969d.exe" && "%temp%\81d59edde88fc4969d.exe"
Hidden folders, and shortcuts made to replace them...
Clicking the shortcut deploys the command...
- Delete: HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\IsShortcut
- Hide folders and substitute them with links
- Clicking the link causes opening the original program + deploying the dropped malware
https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/
APT (distribution)
• Similarly: existing shortcuts can be overwritten by shortcuts deploying malware
https://www.uperesia.com/booby-trapped-shortcut-generator
C:\ProgramData\ProxyApp.exe
C:\totalcmd\TOTALCMD.exe
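As an added example (not from the slides or the referenced analyses), the heuristics a triage script can apply to autostart command lines collected from Run keys or shortcut targets: the NUL-prefixed value name of the Kovter slide, the Moker-style ShellExec_RunDLL proxy, a DLL loaded from an ADS as in the regsvr32/rundll32 slide, and the Spora-style shortcut that stages a file into %temp%. The entries are constructed sample data and the patterns are my own heuristics, not anything from the referenced tools.

```python
import re

# Constructed autostart entries (value name -> command line) modelled on the slides'
# cases: Kovter-style NUL-prefixed name, Moker-style ShellExec_RunDLL proxy, a DLL in
# an ADS, and a Spora-style booby-trapped shortcut. Names and paths are made up.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\tester\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "\0c:\\users\\tester\\appdata\\local\\bcd7\\62d2.lnk": "powershell.exe -w hidden -enc QUJD",
    "@": r'Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\ProgramData\test.exe"',
    "Updater": r"regsvr32.exe /s C:\Users\tester\test.txt:demo",
    "Total Commander.lnk": r'cmd.exe /c type "x.exe" > "%temp%\x.exe" && "%temp%\x.exe"',
}

PROXY_HOSTS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(?:\.exe)?\b", re.I)
SHELLEXEC_RUNDLL = re.compile(r"shell32(?:\.dll)?\s*,\s*ShellExec_RunDLL", re.I)
# "<file>.<ext>:<stream>": a colon after the extension addresses an alternate data stream
ADS_PATH = re.compile(r"(?:[A-Za-z]:\\)?[^\s:\"']+\.[A-Za-z0-9]{1,5}:[A-Za-z0-9_.]+")
STAGED_RUN = re.compile(r"%temp%.*&&", re.I)


def classify(value_name, command):
    """Return the reasons an autostart entry deserves a closer look ([] if none)."""
    reasons = []
    if "\0" in value_name:
        reasons.append("value name contains a NUL byte (regedit cannot display it)")
    if SHELLEXEC_RUNDLL.search(command):
        reasons.append("real target hidden behind SHELL32!ShellExec_RunDLL")
    if ADS_PATH.search(command):
        reasons.append("module loaded from an alternate data stream")
    host = PROXY_HOSTS.search(command)
    if host:
        reasons.append("payload executed through %s" % host.group(1).lower())
    if STAGED_RUN.search(command):
        reasons.append("chained command stages a file into %temp% and runs it")
    return reasons


def scan(entries):
    """Map each flagged value name to its reasons; clean entries are left out."""
    hits = {name: classify(name, cmd) for name, cmd in entries.items()}
    return {name: reasons for name, reasons in hits.items() if reasons}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(repr(name), "->", "; ".join(reasons))
```

On a live system the entries would come from a registry export or from Autoruns output; the script only reasons about the value names and command lines.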
in the registry
• Globally defined extensions and handlers: in HKEY_CLASSES_ROOT
• They can also be defined per user: HKEY_USERS -> <user SID>_Classes
• Redefine a handler: no Administrator rights required
https://github.com/hasherezade/persistence_demos/tree/master/extension_hijack
with the hijacked extension, the malware is deployed
• DEMO: https://goo.gl/RGPiuY
https://github.com/hasherezade/persistence_demos/tree/master/extension_hijack
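An added example, not part of the slides or the persistence_demos repository: reviewing a user's Classes hive (HKCU\Software\Classes, i.e. HKEY_USERS\<SID>_Classes) for per-user COM InprocServer32 entries and extension handlers that shadow or redirect the machine-wide ones, covering both the COM hijacking keys and the extension hijacking slides. The registry content is constructed and passed in as dictionaries; on a live system it would come from a registry export or winreg.

```python
import re

# Constructed Classes content: machine-wide (HKLM\Software\Classes) versus one user's
# hive (HKCU\Software\Classes, i.e. HKEY_USERS\<SID>_Classes), as {subkey: default value}.
# GUIDs and paths are placeholders made up for this example, not real indicators.
MACHINE_CLASSES = {
    r"CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32": r"C:\Windows\System32\example.dll",
    ".txt": "txtfile",
    r"txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}
USER_CLASSES = {  # COM hijack, 32-bit server on 64-bit OS, extension hijack, benign entry
    r"CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32": r"C:\Users\tester\AppData\Roaming\shadow.dll",
    r"Wow6432Node\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32": r"C:\ProgramData\loader32.dll",
    ".txt": "hijacked_txt",
    r"hijacked_txt\shell\open\command": r'"C:\Users\tester\AppData\Local\opener.exe" "%1"',
    r"CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\InprocServer32": r"C:\Program Files\Vendor\vendor.dll",
}

KEY_KINDS = [
    (re.compile(r"^(?:Wow6432Node\\)?CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32$", re.I), "COM server"),
    (re.compile(r"^[^\\]+\\shell\\open\\command$", re.I), "open handler"),
    (re.compile(r"^\.[A-Za-z0-9]+$"), "extension"),
]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|%temp%|%appdata%|\\Temp\\", re.I)


def review_user_classes(machine, user):
    """Return {per-user key: [reasons]} for keys able to redirect COM loading or file opening."""
    findings = {}
    for key, value in user.items():
        kind = next((k for rx, k in KEY_KINDS if rx.match(key)), None)
        if kind is None:
            continue
        reasons = []
        # HKCU\Software\Classes takes precedence over HKLM in the merged HKCR view
        if key in machine and machine[key].lower() != value.lower():
            reasons.append("per-user %s shadows machine-wide value %r" % (kind, machine[key]))
        if kind != "extension" and USER_WRITABLE.search(value):
            reasons.append("%s path points into a user-writable location" % kind)
        if kind == "extension" and (value + r"\shell\open\command") not in machine:
            reasons.append("extension mapped to ProgID %r that exists only per user" % value)
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in review_user_classes(MACHINE_CLASSES, USER_CLASSES).items():
        print(key, "->", "; ".join(reasons))
```

Only the ProgID\shell\open\command form of a handler is modelled; handlers placed directly under the extension key or expressed through other verbs would need additional patterns.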
new ways of hiding persistence
• The easiest way to detect the persistence method is by observing the installation – post-infection analysis is much harder
• "Fileless" malware also creates artifacts that can be found in a typical way