
DownLOLoloaders

February 19, 2021 in Anti-Forensics, Compromise Detection, Living off the land, Reusigned Binaries

The previous posts about hosts files build a foundation for the trick I wanted to cover in this post.

Most of the native LOLBIN-ish downloaders are already known (certutil, BITS, etc.).

I thought it could be an interesting idea to explore the large world of signed binaries that are not native to the OS, with the intention of using them to communicate with the external world.

Being signed makes them attractive. Being marked as ‘green’ by VirusTotal makes them super-attractive because they are legitimate. For the trick to work they only need to fulfill one (or two?) requirement(s) – they need to download stuff without interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.

Immediately after start they kick off a GET request:

… and once the bin file is downloaded, it’s executed.

There are lots of signed samples like this available.

The last bit needed to make it work is the ‘instrumentation’ of the DNS lookups. This is where the hosts file modification can come in handy. And of course, a more complex and clandestine approach would be to reverse engineer the RPC calls to directly modify entries inside the DNS cache (the entries ipconfig.exe retrieves via the DnsGetCacheDataTableEx API).

Once the DNS lookups are in place, the downloader will reach out to an attacker-controlled IP from which it can download stuff (this may require some additional setup to handle the paths passed to the server, and maybe HTTPS, if necessary).
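From the defender's side, the ‘instrumentation’ step above leaves a concrete artifact: a hosts entry that maps a download host to something other than loopback or a 0.0.0.0/:: sink. The following is an added example, not code from the original post; it parses hosts-file text and returns exactly those entries. The sample hosts content, including the vendor hostnames and the 198.51.100.23 address, is constructed for illustration.

```python
"""Audit a Windows hosts file for entries that redirect name lookups to
non-loopback addresses. Added example; not code from the original post.
The SAMPLE_HOSTS text below is constructed."""
import ipaddress
from pathlib import Path

# Default location of the Windows hosts file.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def _is_benign_target(ip_text: str) -> bool:
    """Loopback (127.x / ::1) and the unspecified sinks (0.0.0.0 / ::) are the
    only targets a normal hosts file maps names to; everything else is a
    redirect worth reviewing. A token that is not an IP at all is also flagged."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (lineno, ip, hostname) for every name mapping in hosts-file text.
    A single line may map several names to one address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname
        ip, *names = parts
        for name in names:
            yield lineno, ip, name.lower()


def suspicious_entries(text: str):
    """Return the mappings that send a hostname somewhere other than
    loopback or a sink address."""
    return [(ln, ip, name) for ln, ip, name in parse_hosts(text)
            if not _is_benign_target(ip)]


def audit_hosts_file(path: str = WINDOWS_HOSTS):
    """Read a hosts file from disk and return its suspicious entries."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_entries(text)


# Constructed sample: two benign lines, one ad-block style sink, and two
# lines that redirect a vendor's download hosts to a routable address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example        # sink, benign
198.51.100.23   updates.vendor.example     # redirect of a download host
198.51.100.23   cdn.vendor.example dl.vendor.example
"""

if __name__ == "__main__":
    for ln, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {ln}: {name} -> {ip}")
```

Run against the live file with `audit_hosts_file()` on a Windows host; the function returns a list, so it drops into a scheduled baseline comparison as easily as into an ad-hoc check.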

Sitting on the Lolbins, 12

September 6, 2019 in Anti-Forensics, Living off the land, LOLBins, Reusigned Binaries

What is a LOLBIN? Does it need to be signed?

These questions are not really important. If you can find a clean executable and make it run another program then it is already a… lolwin.

The unsigned SetupProxy.exe program does exactly that. All you have to do is provide the setup.ini file that the setup program expects to see. Inside this .ini file you specify which programs to run on 32- and 64-bit systems, e.g.:

[SETUP]
InstallPath=..\..\windows\system32\notepad.exe
InstallPath64=..\..\windows\system32\notepad.exe

You need to use a directory traversal trick because the program expects paths relative to the directory it is run from.

That’s it really.

Okay, one more thing… the program stores verbose information about the setup progress in %TEMP%\LxProxy.log:

/-----------------------------------------------------------------------\
| Friday, September 06, 2019 14:31:42
| Setup.exe
| Version:
|
| SetupProxy: to Launch Install GUI.
-----------------------------------------------------------------------/
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy::read registry for the language: Software\inkjet\install
SetupProxy::language from the regstry:
OSInfo::initialize: invalid NT version (major: 6, minor 1)
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar….\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44
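The post leaves two artifacts a reviewer can check: the InstallPath values in setup.ini and the “Launch InstallGUI:” line in LxProxy.log. The following added example (not the post's own code) resolves each path against the setup directory with Windows path semantics and flags any that land outside it, which is what the traversal trick above depends on. The setup.ini and LxProxy.log text below are constructed after the post's samples; the setup directory C:\foo\bar is the one visible in the logged launch path.

```python
"""Check setup.ini InstallPath values and LxProxy.log launch lines for a
target that escapes the setup directory. Added example, not from the
original post; SAMPLE_INI and SAMPLE_LOG are constructed after its samples."""
import configparser
import ntpath
import re

# Matches the logged launch line and captures the path that follows it.
LAUNCH_RE = re.compile(r"Launch InstallGUI:\s*(?P<path>\S.*?)\s*$")


def install_paths(ini_text: str) -> dict:
    """Return {key: value} for every InstallPath* key in the [SETUP] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("SETUP"):
        return {}
    return {k: v for k, v in cp.items("SETUP")
            if k.lower().startswith("installpath")}


def escapes_directory(setup_dir: str, path: str) -> bool:
    """True when `path`, resolved against `setup_dir` with Windows rules
    (ntpath works on any platform), resolves outside `setup_dir`."""
    base = ntpath.normpath(setup_dir).lower()
    target = ntpath.normpath(ntpath.join(setup_dir, path)).lower()
    return not (target == base or target.startswith(base.rstrip("\\") + "\\"))


def traversal_findings(setup_dir: str, ini_text: str):
    """InstallPath entries whose resolved target lies outside setup_dir."""
    return [(k, v) for k, v in install_paths(ini_text).items()
            if escapes_directory(setup_dir, v)]


def launched_paths(log_text: str):
    """Paths recorded on 'Launch InstallGUI:' lines of LxProxy.log."""
    return [m.group("path") for line in log_text.splitlines()
            if (m := LAUNCH_RE.search(line))]


def review(setup_dir: str, ini_text: str, log_text: str) -> dict:
    """Combine both checks: ini entries that traverse out of setup_dir and
    logged launches that resolved outside it."""
    return {
        "ini_traversal": traversal_findings(setup_dir, ini_text),
        "log_escapes": [p for p in launched_paths(log_text)
                        if escapes_directory(setup_dir, p)],
    }


# Constructed after the post's setup.ini: one traversing entry, one benign.
SAMPLE_INI = r"""
[SETUP]
InstallPath=..\..\windows\system32\notepad.exe
InstallPath64=bin\install64.exe
"""

# Constructed after the post's LxProxy.log excerpt.
SAMPLE_LOG = r"""/-----------------------------------\
| Friday, September 06, 2019 14:31:42
| Setup.exe
| SetupProxy: to Launch Install GUI.
-----------------------------------/
SetupProxy:: the setup.ini exists; Launch InstallGUI: C:\foo\bar\..\..\windows\system32\notepad.exe
Finished SetupProxy : Friday, September 06, 2019 14:31:44
"""

if __name__ == "__main__":
    for kind, items in review(r"C:\foo\bar", SAMPLE_INI, SAMPLE_LOG).items():
        print(kind, items)
```

Because the log line records the path before normalisation, the `..` segments survive in it; resolving the logged path the same way as the ini value lets the two artifacts corroborate each other after the fact.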

Sample:

1DFFF3F5934AB61C861620CF2C6BC81FF8AF9A1E5F6A3D31B3315F8BE8BC3360