
Why the newly discovered Microsoft Windows ‘fileless’ log exploit is a marvel of stealth

By: Synack

The exploit that Kaspersky researchers uncovered is unnamed, so we’re calling it “ThrowShell”

By Kim Crawley

One common way for attacks to evade antivirus software and intrusion detection systems is to abuse legitimate operating system processes rather than run as obviously separate programs. That's a defining feature of a fileless Windows attack recently uncovered by Kaspersky researchers.

Fileless malware runs without dropping its own executable files onto a computer's storage. A signature scan of the file system finds nothing to flag, because the malicious code lives in memory or, as in this case, inside data that already exists on the system and that scanners don't treat as executable content. It's a popular evasion technique among cyber threat actors.

Kaspersky hasn't given this campaign any particular name. Kaspersky's Denis Legezo explained that some of the DLLs (Windows Dynamic Link Libraries) involved resemble tools from commercial pentesting platforms:

“Regarding the commercial tools, traces of SilentBreak and Cobalt Strike toolset usage in this campaign are quite visible. Trojans named ThrowbackDLL.dll and SlingshotDLL.dll remind us of Throwback and Slingshot, which are both tools in SilentBreak’s framework, while the ‘sb’ associated with the dropper (sb.dll) could be an abbreviation of the vendor’s name.

Here we want to mention that several .pdb paths inside binaries contain the project’s directory C:\Users\admin\source\repos\drx\ and other modules not named after Throwback or Slingshot, such as drxDLL.dll. However, encryption functions are the same as in the publicly available Throwback code.”

The technique stores malicious shellcode inside Windows event logs. Vulnerabilities in widely used code libraries, such as "Log4Shell" and "Spring4Shell," have been recent concerns in the cybersecurity community. So, I'll call this attack "ThrowShell." Maybe it'll stick.

How “ThrowShell” works

The ThrowShell attack starts by persuading a user to download and open a file. Kaspersky researchers observed this initial stage as a RAR archive distributed through file.io, a file sharing site the researchers consider to be legitimate. Yes, "ThrowShell" starts as a Trojan. But interestingly, when I tried to visit file.io in Firefox, my Malwarebytes Browser Guard extension blocked the site as a suspected phishing domain. I've personally never visited file.io.

The Trojans are wrapped in anti-detection layers. The researchers saw wrappers built with three different compilers: MSVC, Go 1.17.2 and GCC under MinGW.

Once the archive has been extracted and its contents executed, the attacker has a foothold from which it is much easier to deliver additional malicious DLLs to the targeted device.

WerFault.exe, the Windows Error Reporting fault reporter in Windows 10 and Windows 11, is the first legitimate Windows executable that ThrowShell abuses. Rather than injecting into a running copy, the dropper plants its own DLL beside a copy of WerFault.exe so that the trusted process loads the malicious library (DLL search-order hijacking). Because WerFault.exe is a signed Microsoft binary with a core role in Windows, endpoint security products tend to trust it, which makes it a convenient host for malicious code; that trust is a default rather than a guarantee, and a copy of WerFault.exe running from outside its usual system directory is itself a useful detection signal. It's almost as sneaky as exploiting svchost.exe, in my opinion.

The dropper is signed with a certificate issued to an application called "Fast Invest," which the researchers didn't see any legitimate code signed with. Once the payload is extracted and decrypted in memory, ThrowShell's launcher injects the next stage into running Windows processes, using injection code the researchers link to the Cobalt Strike toolset. Explorer.exe, the Windows shell and file manager in all supported versions of Windows, is one of the processes ThrowShell targets for code injection. That's the way fileless malware typically works: inject malicious code into ordinary OS processes and execute it from there.

Along the way, the shellcode for the next stage is written into Windows event log records, where the launcher later reads it back and executes it in memory; the log file on disk changes, but no new executable file appears. The researchers also saw ThrowShell fingerprint its targets, collecting the MachineGUID, computer name, local IP addresses, OS version, CPU architecture, and whether the current process holds SeDebugPrivilege.
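A way to hunt for this storage trick, added here as an example and not part of the Synack post or Kaspersky's research: the script scores the binary payload of each event log record by size, entropy and printable-byte ratio, then reports clusters of suspicious records under one provider and event ID, since a payload larger than a single record has to be split across several records from the same source. The record layout, the thresholds, the provider names and the sample records are all constructed for the demo; in practice the records would come from Get-WinEvent or an EVTX parser.

```python
"""Hunt for shellcode-like blobs stored in Windows event log records."""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Thresholds are assumptions for the demo; tune them against a baseline of your own logs.
MIN_BLOB_LEN = 1024        # benign event payloads (SIDs, GUIDs, short strings) are far smaller
ENTROPY_THRESHOLD = 6.0    # bits per byte; encrypted or packed code usually scores above 6
MAX_PRINTABLE_RATIO = 0.7  # text payloads stay near 1.0, code and ciphertext well below


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input, 8.0 for a uniform distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify(record: dict) -> list[str]:
    """Reasons a record looks like a stored payload; an empty list means it looks benign."""
    data = record["data"]
    reasons: list[str] = []
    if len(data) < MIN_BLOB_LEN:
        return reasons                      # small binary fields are normal, skip them
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    ratio = printable_ratio(data)
    if ratio <= MAX_PRINTABLE_RATIO:
        reasons.append(f"only {ratio:.0%} printable")
    return reasons


def hunt(records: list[dict]) -> dict[tuple[str, int], list[int]]:
    """Group suspicious record IDs by (provider, event_id).

    A cluster of flagged records under one provider/event ID is the signal to
    chase; a lone large record is more often a legitimate crash dump or report.
    """
    hits: dict[tuple[str, int], list[int]] = defaultdict(list)
    for rec in records:
        if classify(rec):
            hits[(rec["provider"], rec["event_id"])].append(rec["record_id"])
    return dict(hits)


# Constructed sample records (not real log data). "data" stands in for the
# EventData/Binary field you would read with Get-WinEvent or an EVTX parser.
BENIGN_TEXT = b"The service completed its scheduled licensing status check without errors. " * 25
SMALL_BINARY = bytes(range(64))             # e.g. a SID or GUID blob: binary, but tiny
FAKE_SHELLCODE = bytes(range(256)) * 8      # 2048 bytes with every byte value equally likely

SAMPLE_RECORDS = [
    {"provider": "Constructed-App-Source", "event_id": 1000, "record_id": 101, "data": BENIGN_TEXT},
    {"provider": "Constructed-Security-Source", "event_id": 2000, "record_id": 102, "data": SMALL_BINARY},
    {"provider": "Constructed-App-Source", "event_id": 1000, "record_id": 103, "data": FAKE_SHELLCODE},
    {"provider": "Constructed-App-Source", "event_id": 1000, "record_id": 104, "data": FAKE_SHELLCODE[::-1]},
]

if __name__ == "__main__":
    for (provider, event_id), ids in hunt(SAMPLE_RECORDS).items():
        print(f"{provider} event {event_id}: {len(ids)} suspicious records {ids}")
```

Some providers legitimately write large binary blobs (crash and diagnostic data, for example), so run the scoring over a clean baseline first and whitelist those provider/event ID pairs before alerting on clusters.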

This is all a really stealthy way to infect Windows clients: get straight into memory, evade detection, establish persistence, and keep a backdoor into the Windows shell. An implant like this could sit on a Windows client for months or longer, giving the attacker an easy way to carry out all kinds of malicious activity with the privileges of the compromised user, and with administrative privileges if that user is an administrator. Defenders should look in the places file scanners ignore: event log records carrying unusually large binary payloads, and trusted Windows binaries running from unexpected directories.

The post Why the newly discovered Microsoft Windows ‘fileless’ log exploit is a marvel of stealth appeared first on Synack.

What’s the Spring4Shell Vulnerability and Why it Matters

By: Synack

By Kim Crawley

The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The vulnerability known as Spring4Shell (CVE-2022-22965) is a perfect example.

The vulnerability is found in the Spring Framework, which is used in too many Java-based applications to name. The framework contains modules covering everything from data access to web request handling and authentication, so there's potential for disaster if an attacker can exploit it.

Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability allows remote code execution in Spring Framework applications running on JDK 9 or later (JDK 9 through 18 at the time of writing), because those JDKs expose a path from a bound request parameter to the application's class loader. Frustratingly, Spring4Shell is a bypass of the fix for CVE-2010-1622, a remote code execution vulnerability in the same property-binding code that researchers disclosed in 2010. That alone emphasizes how critical Spring4Shell is, and how difficult such bugs are to mitigate without the vendor's patch.

Because Spring Framework's modules do so many things and are used in so many kinds of network applications, there is no single exploit path for Spring4Shell. The widely circulated proof of concept needed a specific deployment: a WAR deployed on Apache Tomcat, running on JDK 9 or later, with spring-webmvc or spring-webflux on the classpath. Spring's own advisory warned that the underlying flaw is more general and that other ways to exploit it may exist, so not matching that deployment is no reason to skip the patch.

One worrying example is its use to deploy the Mirai botnet malware and gain remote root access on exposed servers.

First surfacing in 2016, the Mirai botnet malware has been used by attackers to launch crippling distributed denial-of-service attacks, and now it's coming back with a vengeance. It works by infecting internet-exposed devices, traditionally consumer routers, cameras and other IoT equipment and now servers too, and enrolling them in huge botnets under the attacker's control. One of the most damaging Mirai attacks hit the DNS provider Dyn in October 2016 and knocked many major websites offline for hours.

Now, Spring4Shell is aiding the return of Mirai. The bug has been used to write a JSP web shell into a web server's document root with a single crafted request. Remote attackers then use the shell to execute commands with the privileges of the web server process, which in the reported cases meant root. Mirai is downloaded to the server's "/tmp" folder before execution, which is a reason to watch for new executables appearing there and for unexpected .jsp files appearing in web content directories.
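Detection logic for the exploitation stage, added here as an example and not code from the Synack post or the Spring project: the scanner decodes request parameter names and flags any that walk the class.module.classLoader property path, the publicly documented indicator of CVE-2022-22965 exploitation against Spring's data binding. The log lines, the application path and the parameter suffixes are constructed for the demo and are probes, not a working exploit chain.

```python
"""Flag web requests whose parameter names reach the class loader via Spring data binding."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Public Spring4Shell indicator: bound property paths that walk class.module.classLoader.
# Names are matched after URL decoding and case-insensitively, since attackers encode
# and re-case them to slip past naive string matches.
INDICATOR = re.compile(r"(?:^|\.)class\.module\.classLoader(?:\.|$)", re.IGNORECASE)

# Common Log Format prefix: client - - [timestamp] "METHOD target HTTP/x" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(form_or_query: str) -> list[str]:
    """Decoded parameter names in a query string or form body that match the indicator."""
    names = [name for name, _ in parse_qsl(form_or_query, keep_blank_values=True)]
    return [name for name in names if INDICATOR.search(name)]


def scan_access_log(lines: list[str]) -> list[dict]:
    """Return one hit per log line whose query string carries an indicator parameter.

    Access logs only show the query string; parameters sent in a POST body have to
    be checked with suspicious_params() at the application or WAF layer instead.
    """
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        params = suspicious_params(urlsplit(match["target"]).query)
        if params:
            hits.append({
                "client": match["client"],
                "time": match["time"],
                "method": match["method"],
                "status": int(match["status"]),
                "params": params,
            })
    return hits


# Constructed sample log lines (not from a real server). The third line hides the
# indicator behind percent-encoding and a capitalised "Class" segment.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2022:10:00:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512',
    '198.51.100.9 - - [31/Mar/2022:10:00:02 +0000] "GET /app/greet?class.module.classLoader.x=1&name=bob HTTP/1.1" 200 512',
    '198.51.100.9 - - [31/Mar/2022:10:00:03 +0000] "POST /app/greet?user.Class.module.class%4Coader.y=true HTTP/1.1" 400 0',
    '192.0.2.4 - - [31/Mar/2022:10:00:04 +0000] "GET /app/greet?classLoaderName=x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["method"]} -> {hit["status"]} {hit["params"]}')
```

A hit with a 200 response deserves the most attention, since a successful binding attempt is exactly what precedes the dropped web shell; a 400 may mean the request was rejected, but it still identifies a client that is probing for the bug. Matching parameter names is a detection aid, not a fix: the fix is upgrading the Spring Framework.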

Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4j is Apache's Java logging library, and since 2001 it has been built into an enormous range of Java applications and services. It's a small piece of widely reused code that runs inside a wide variety of internet servers and services. Exploiting Log4Shell lets an unauthenticated attacker run code on any vulnerable service that logs an attacker-controlled string, with whatever privileges that service has. Ars Technica's Dan Goodin called it "arguably the most severe vulnerability ever," and Apache started shipping patches on Dec. 6. It has not been an easy job, because there are multiple CVEs and they aren't simple to fix.

Spring4Shell and Log4Shell both live in widely used Java libraries. Java is one of the most commonly used application development technologies on internet servers and on a variety of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it's also a prime target for attackers. Inevitably, many more damaging Java library vulnerabilities will be discovered in the years to come.

Businesses should quickly patch Spring4Shell and Log4Shell across their entire networks. For Spring4Shell that means Spring Framework 5.3.18 or 5.2.20 and later (Spring Boot 2.6.6 or 2.5.12 and later); for Log4Shell it means a fixed Log4j 2 release. Both libraries often arrive as transitive dependencies inside other products, so the first step is an inventory of where they are actually embedded.

Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities. 

Reach out today to discover how Synack can help. 

The post What’s the Spring4Shell Vulnerability and Why it Matters appeared first on Synack.
