February 19, 2021 in Anti-Forensics, Compromise Detection, Living off the land, Reusigned Binaries
The previous posts about hosts files build a foundation for the trick I wanted to cover in this post.
Most native LOLBIN-ish downloaders are already well known (certutil, BITS, etc.).
I thought it could be an interesting idea to explore the large world of signed binaries that are not native to the OS, with the intention of using them to communicate with the external world.
Being signed makes them attractive. Being marked ‘green’ by VirusTotal makes them super-attractive, because they are legitimate. For the trick to work they only need to fulfill one (or two?) requirement(s) – they need to download stuff w/o interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.
Immediately after they start, they kick off a GET request:
… and once the bin file is downloaded, it’s executed.
There are lots of signed samples like this available.
The last bit needed to make it work is ‘instrumentation’ of the DNS lookups. This is where the hosts file modification can come in handy. And of course, a more complex and clandestine approach would be to reverse engineer the RPC calls to directly modify entries inside the DNS cache (the ones ipconfig.exe retrieves via the DnsGetCacheDataTableEx API).
Once the DNS lookups are in place, the downloader will reach out to an attacker-controlled IP from which it can download stuff (this may require some additional setup to handle the paths passed to the server, and maybe HTTPS, if necessary).
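From the defender's side, the hosts-file ‘instrumentation’ step is the easiest part of this chain to spot: any name pinned to an address other than loopback deserves a look. The following is an added example of such an audit, not code from the original post; the sample hosts content, the names and the addresses in it are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not taken from any real system); the
# 203.0.113.10 line stands in for the kind of override the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid             # blocking entry, benign
203.0.113.10    updates.example-vendor.invalid  # placeholder external address
192.168.1.20    build-server.corp.local
"""

# Address space the organisation is assumed to own (RFC 1918); overrides
# pointing here are still worth a second look, but are a weaker signal.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries

def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify every mapping that is not a loopback/unspecified sinkhole.
    Returns (address, name, verdict): 'external' for addresses outside the
    private ranges, 'private' for internal overrides, 'unparseable' otherwise."""
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.extend((addr, n, "unparseable") for n in names)
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 / ::1 blocking entries are routine
        verdict = "private" if any(ip in net for net in PRIVATE_NETS) else "external"
        findings.extend((addr, n, verdict) for n in names)
    return findings

if __name__ == "__main__":
    for addr, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:11} {name} -> {addr}")
```

On a Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a baseline copy from a known-good image makes the diff trivial.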