DownLOLoloaders

The previous posts about hosts files build a foundation for the trick I wanted to cover in this post.

Most of native LOLBINish downloaders are already known (certutil, BITS, etc.).

I thought it could be an interesting idea to explore a large world of signed binaries that are not native to OS with an intention of using them to communicate with a external world.

Being signed makes them attractive. Being marked as ‘green’ by VirusTotal makes them super-attractive because they are legitimate. For the purpose of the trick working they only need to fulfill one (or two?) requirement(s) – they need to download stuff w/o interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.

Immediately after start they kick off a GET request:

… and once the bin file is downloaded, it’s executed.

There are lots of signed samples like this available.

The last bit to make it work is ‘instrumentation’ of the DNS lookups. This is where the hosts files’ modification can come handy. And of course, a more complex and clandestine approach would be to reverse engineer RPC calls to directly modify entries inside the DNS Cache (these retrieved with ipconfig.exe via DnsGetCacheDataTableEx API).

Once the DNS lookups are in place, the downloader will reach out to an attacker controlled IP where it can download stuff from (this may require some additional set up to handle paths passed to the server, maybe HTTPS, if necessary).

Yet another secret of hosts file

In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine if the DLL is loaded on a XBOX system. And if it is, the path to hosts and host.ics files will not be resolved as relative to the path retrieved via GetSystemDirectory API, but by using a hard-coded XBOX path below:

s:\windows\system32

So, in theory, if you patch Util_IsRunningOnXboxOne function to return 1 (XBOX) you should be able to redirect local DNS requests via hosts(.ics) files to the following paths, respectively:

s:\windows\system32\drivers\etc\hosts
s:\windows\system32\drivers\etc\hosts.ics

Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, Unicode16-LE, and Unicode16-BE encoding (BOM is being checked).