Repeat after me: Installation after Exploitation

Time-traveling back to our previous blog post, we explored a stage deep into the attack lifecycle called Exploitation. Following the delivery of malicious code, successful exploitation opens up an opportunity. Namely, a foot in the door to your network for the unauthorized installation of malicious software, aka malware. Essentially, exploitation is a precursor for the next stage of an attack, Installation.

Think of the opening scene in Home Alone when Harry dressed as a policeman. He stands in the doorway of the McAllister home, unimpeded and unnoticed. Harry exploited some weakness or vulnerability to get to this point (hinthint) and now can complete other actions from within the house. So, he conducts some internal reconnaissance. Initially, he talks to a few kids attempting to figure out who has authority amongst the absolute chaos. Eventually, he ends up conversing with Kevin’s parents. They openly discuss their vacation plans and security measures in place during their absence, with them none-the-wiser thanks to his friendly-appearing disguise.

In the technical world, an attacker could use native applications and components or install custom malware to move and act on the network. Options at this point are vast and differ depending on the attacker’s intentions.

#Squadgoals? More like #HackerGoals

Strictly speaking, the goal of this phase of the Cyber Kill Chain is to install code that enables an attacker to return to the environment effortlessly. Why ‘return’? This way the attacker can take their time. In the event of a reboot or a network communication failure between the attacker and the victim, they still have their backdoor open. Malware needs a mechanism to gain and maintain persistence to survive. Remember, malware is an application, a set of code designed to accomplish a set of tasks. Per the attacker’s needs, it needs a means of executing itself whenever you turn on your system.

Imagine a typical glorious Monday morning in the office setting. Walk in the door. Grab some coffee. Approach your workstation. Press the power button. Sip some coffee. Wait for the login screen. Type in your username and a strong passphrase. Wait for the desktop to load. Click on some shortcuts to execute and open Chrome and Outlook and so on. Pause and reflect on the following: Malware does not have the luxury of users willingly and knowingly running their code. Thus, they need to use components of the operating system and make this happen in the background.

In Windows-land, there are many, very technical ways for malware to survive and remain undetected. Most common techniques include modification of registry keys, DLL hijacking, and creation of scheduled tasks. That last one sort of speaks for itself. This technique allows malware to persist by scheduling programs to execute at certain times, though it’s easily detected. But what is a registry entry and what is a DLL?

When a Registry becomes Key to Survival

The Windows registry is a massive repository for settings (entries) that control nearly every aspect of the operating system. Keys refer to settings, and one such key defines the applications that execute automatically during startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Legitimate applications listed here could include cloud storage applications that sync files between a workstation and Dropbox, OneDrive, etc. These applications would need to run at startup to provide their full functionality to the user. If malware is coded to enter itself as a value within this key during the Exploitation and Installation stages, then it could survive reboots.

The Down-Low on the DLL

Another survival technique, called DLL hijacking, is based on a core principle of Windows application development. In the Windows operating system, there is something called a Dynamic Link Library. Tiny bits of code fill this library, and each bit provides common functions across many different applications. This library is a reference point so that application developers don’t have to package them into each application. Each time an application needs to call a specific function, it looks for the applicable DLL by name in a particular location. This library works similarly to a phone book.

In the Yellow Pages, if you had a company, you would be listed under the relevant subjects of your business profile. Part of a typical business strategy was whether or not to pay for multiple ad listings under different headings. Having a phonebook was helpful in that all entries were easily found by anyone, sorted by category. Nobody had to memorize every limo service’s number. They could look for all the entries under ‘limousines,’ and find what they needed.

How can Malware use a Phonebook?

The Dynamic Link Library relates to malware persistence because genuine applications search for their DLLs in particular locations and a specific order. If an attacker can copy the name of a legitimate DLL and place the malicious DLL in a position that the application will search first, then the malicious DLL will load instead.

In Home Alone 2, there is a scene where Kevin uses the phonebook to find a limo. Say you have AAA Limo Service – their customer base is mainly those who want to get from a hotel to the airport and back. They decide to print their ad in the ‘Airport Transport Service’ section. Then they don’t have to pay for multiple listings. AAA Taxicab Services finds out & chooses to put their number as “AAA Limo Service” under the ‘Limousine’ Listings. Kevin looks for a limo, checks under ‘Limousine,’ finds AAA Limo Services and bam! The fake AAA Limo Services company gets a customer, and Kevin uses the service as though it were the real company. 

Since DLLs are merely tiny bits of code, the malicious DLL could be written to launch the malware, followed by loading the legitimate DLL to avoid suspicion.

What is the purpose of Malware?

At this point, an attacker found a point of entry. They exploited one or more weaknesses in the system or network and managed to execute a malicious program on some asset within the organization. What are the objectives? The likelihood that an attacker now has some control over a critical workstation is pretty small. However, the malware could now harvest additional information:

  • user accounts with remote access
  • clear text passwords
  • credentials to accounts with elevated privileges

All of these will help an attacker move with little resistance within your network. Then they can find and exploit critical assets: a database containing confidential information, a vital manufacturing system or a point of sale terminal.

What You Can Do About It

How can organizations deploy controls to prevent installation and persistence of malware? First and foremost, roll out some form of advanced anti-malware agents. The solution should use technology more advanced than signatures to detect threats. With the rapid evolution in malware and creation of new threats, waiting for vendors to develop signatures is unaffordable.

Instead, invest in a solution at least capable of observing and capably identifying malicious behavior. By carefully watching how applications behave versus what they look like, you’re essentially equipping Angie’s List with accurate business listings and reviews in real time. If the phone number lists the company AAA Limo Services, and the answering line you get is for AAA Taxicab Services(fake company), time for a full stop. Look on Yelp (anti-malware) for that company to make sure you’re not getting yourself into a 0-star rated situation.

What does Defense mean to you?

More advanced means of defense include user privilege management, application whitelisting and file integrity monitoring. User privilege management isn’t technically advanced but requires some changes to IT processes and functions within the organization. For example, user accounts that use and access the internet and email on a regular basis should not have administrative permissions. This principle is because if a user opens a malicious Word document with macros enabled, malicious script will attempt to run with the full permissions of the user account. If the “full permissions” add up to nothing, then installation and persistence will be harder to achieve. Conversely, if “full permissions” add up to a local system administrator, then installation and persistence will be relatively trivial for the hacker to complete.

Application Whitelisting and File Integrity Monitoring as means of defense are somewhat outside of the scope of this post, and they require extensive planning and engineering to implement In closing, give user management and advanced anti-malware serious consideration. Don’t allow the disguised attacker to keep a foot in the door and choose to be a hard target instead.

Stage V: Installation – Best Defense: User Management & Behavior-Based Anti-Malware