Beyond good ol’ Run key, Part 132

February 24, 2021 in Anti-Forensics, Autostart (Persistence)

This is a very unpromising persistence mechanism relying on environment variables (again).

Combing through the OpenSSL source code I came across two environment variables that it relies on; they are described here:

  • OPENSSL_MODULES – Specifies the directory from which cryptographic providers are loaded.
  • OPENSSL_ENGINES – Specifies the directory from which dynamic engines are loaded.

An example of a code excerpt from a signed DLL that is compiled with support for OPENSSL_MODULES is shown below:

The good news is that most Windows-based executables and DLLs compiled from OpenSSL sources do not have these variables built in. I have checked my repo and online repositories as well, and it looks like there really are not too many of them available (barely a few). The second piece of good news is that even if a binary is compiled with support for these variables, they won’t be used unless specific OpenSSL functions are called. Despite some moderate efforts to produce a POC I couldn’t find any good candidate. As such, using them as a persistence mechanism is a poor choice indeed. Still, worth documenting, as usual.

DownLOLoloaders

February 19, 2021 in Anti-Forensics, Compromise Detection, Living off the land, Reusigned Binaries

The previous posts about hosts files build the foundation for the trick I wanted to cover in this post.

Most native LOLBIN-style downloaders are already known (certutil, BITS, etc.).

I thought it could be an interesting idea to explore the large world of signed binaries that are not native to the OS, with the intention of using them to communicate with the external world.

Being signed makes them attractive. Being marked as ‘green’ by VirusTotal makes them super-attractive, because they are legitimate. For the trick to work they only need to fulfill one (or two?) requirement(s) – they need to download stuff without interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.

Immediately after starting, they kick off a GET request:

… and once the bin file is downloaded, it’s executed.

There are lots of signed samples like this available.

The last bit needed to make it work is ‘instrumentation’ of the DNS lookups. This is where the hosts file modification can come in handy. And of course, a more complex and clandestine approach would be to reverse engineer the RPC calls in order to directly modify entries inside the DNS cache (the ones ipconfig.exe retrieves via the DnsGetCacheDataTableEx API).

Once the DNS lookups are in place, the downloader will reach out to an attacker-controlled IP where it can download stuff from (this may require some additional setup to handle the paths passed to the server, and maybe HTTPS, if necessary).
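From the detection side, the footprint this leaves is a hosts file entry pointing a vendor hostname at a routable address. The following is an added Python audit, not code from the post: it parses a hosts file the way the resolver reads it and flags every name mapped to anything other than a loopback or unspecified (block-list) address; the hosts content is constructed.

```python
"""Audit a hosts file for entries that redirect name lookups away from
loopback, the pattern a redirected signed downloader relies on.
Added example with constructed input; not code from the original post."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample hosts file content (not taken from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
# constructed entry: vendor update host pointed at a routable address
203.0.113.10    updates.example-vendor.test   cdn.example-vendor.test
10.0.0.5        intranet.corp.test
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each active entry.
    Comments (# ...) and blank lines are skipped, as the resolver does;
    several hostnames may share one line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue  # an address with no name maps nothing
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str]]:
    """Flag (line_number, hostname, address) for every name mapped to an
    address that is neither loopback nor unspecified (0.0.0.0 / :: style
    block-listing). Private ranges are reported too: the redirect target
    in the post could just as well sit on the LAN. Malformed addresses
    are flagged rather than ignored."""
    flagged = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            flagged.extend((lineno, n, addr_text) for n in names)
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.extend((lineno, n, addr_text) for n in names)
    return flagged
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts) and compare the flagged set with a known-good baseline; on most endpoints the expected result is an empty list.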