About a month ago, I was involved in an investigation that revealed a targeted attacker using an interesting variation of a well-known persistence mechanism - a technique that is relevant both to incident responders hunting for evil and penetration testers looking to add post-exploitation methods to their toolkit. Today, I'm going to talk about this persistence mechanism and discuss some ways you might go about identifying it in your environment.
I think that the majority of folks reading this blog have encountered malware that maintains persistence via the startup folder. The startup folder is a directory that may contain binaries, scripts or shortcut files. A folder exists for each user on the system as well as for "all users." On Windows 7, for example, the Administrator startup folder resides at "C:UsersAdministratorAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup".
When a user successfully authenticates, Windows will attempt to execute any binary, run any script, or follow-up and execute any shortcut that is present within that user's startup folder. If scripts or applications are placed in the "all users" startup folder, these will be executed shortly after the system boots.
I often see the startup folder used legitimately to execute maintenance scripts written in Visual Basic or in Microsoft's batch scripting language. I also frequently see that applications install shortcut, or LNK, files within the startup folder that point to applications on disk. Malicious use of this directory, however, is most often associated with commodity malware - often accomplished by dropping an executable into the startup folder.
I've also seen a few variants of commodity malware that install a LNK file in the startup folder and deploy an EXE into a directory that the user can write to, like " C: users local settings emp ". LNK files contain several kinds of useful metadata, but for today's purposes we're interested in LNK files as pointers to other files.
In this recent case, we identified a novel technique that indirectly loads malicious scripts by means of LNK files in a user's start-up folder. The LNK file was designed to invoke the Windows scripting host (WSH). The WSH comes in both a GUI version, "wscript.exe", and a command-line version, "cscript.exe". The WSH can interpret Visual Basic scripts, commonly denoted by the file extension ".vbs", and Jscripts (Microsoft's implementation of JavaScript), commonly denoted by the file extension ".js". The malicious LNK file invoked "wscript.exe" to interpret a JScript file stored within a specific user's profile. Here's a cleaned-up excerpt parsed from the LNK file using lnk-parser, depicting the relative path to the WSH (in yellow) and an argument (in green) which points to a JScript file:
The JScript we found used an ActiveXObject object to create an instance of Internet Explorer and open a URL hosted by a code-sharing cloud service. Here's what that looks like:
This script connected to a remote system that provided command and control (C2) functionality , which included collecting system information from the infected machine and providing the attacker with the ability to execute commands via the command console, "cmd.exe". During analysis of the affected system, we found significant evidence in URL History for the Internet Explorer browser that depicted requests to the malicious URL. The requests for URLs looked like "http://hostname-4. legitcloudservice .com/?action=get&mt==". As depicted in the code snippet above, the base64-encoded string consisted of the Windows domain, username, and NetBIOS name values separated by the pipe (|) character.
Though somewhat convoluted and reliant on basic techniques, this persistence mechanism provides several advantages to an attacker. It avoids the need to create or execute a malicious binary on the targeted system, and similarly does not require any registry keys or settings to automatically load upon start-up or user login. This can help bypass application whitelisting and host-based intrusion prevention systems tuned to detect or block such activity. In this specific case, the attacker used network traffic generated by the malicious script to access legitimate, commonly-used web sites via HTTP. This traffic would blend into the normal "noise" of an enterprise network and evade detection.
One way to detect this form of persistence is to use an IOC that examines files within the Startup folder for references to the WSH. Investigators should examine each LNK file that this IOC identifies to determine whether the WSH is being used to launch a script; investigators should also analyze all scripts for malicious functions and network indicators. Here is an example IOC:
Network detection is a little trickier because an attacker could implement network communication in a multitude of ways, depending on the purpose of the script, the scripting language and the protocol. For the example we referenced, the URL parameters "?action=get&mt=" might make a good network indicator; here's an example SNORT signature to identify those parameters:
Click to Open Code Editor