The Malware Hiding in Your Windows System32 Folder: Certutil and Alternate Data Streams

The Malware Hiding in Your Windows System32 Folder: Certutil and Alternate Data Streams

We don’t like to think that the core Window binaries on our servers are disguised malware, but it’s not such a strange idea. OS tools such as regsrv32 and mshta (LoL-ware) are the equivalent in the non-virtual world of garden tools and stepladders left near the kitchen window. Sure these tools are useful for work around the yard, but unfortunately they can also be exploited by the bad guys.

For example HTML Application or HTA, which I wrote about last time.  At one point, it was a useful development tool that allowed IT people to leverage HTML and JavaScript or VBScript to create webby apps (without all the browser chrome). That was back in the early ‘aughts.

Microsoft no longer supports HTA, but they left the underlying executable, mshta.exe, lying around on Windows’ virtual lawn – the Windows\System32 folder.

And hackers have only been too eager to take advantage of it. To make the matters worse, on far too many Windows installations, the .hta file extension is still associated with mshta. A phishmail victim who receives an .hta file attachments,  will automatically launch the app if she clicks on it.

Of course, you’ll have to do more than just disassociate the .hta extension to stop all attacks — see, for example, the Windows Firewall mitigation in the previous post. For kicks, I tried directly executing an .hta file using mshta, and you can see the results below:

Still crazy after all these years: mshta .and .hta

It worked fine.

In a hacking scenario where the attacker is already on the victim’s computer, she could download the next phase using say curl, wget, or PowerShell’s DownloadString, and then run the embedded JavaScript with mshta.

But hackers are far too smart to reveal what they’re doing through obvious file transfer commands! The whole point of living off the land using existing Windows binaries is to hide activities.

Certutil and Curl-free Remote Downloading

This leads to certutil, which is yet another Windows binary that serves dual purposes. Its function is to dump, display, and configure certification authority (CA) information. You can read more about it here.

In 2017, Casey Smith, the same infosec researcher who told us about the risks in regsrv32, found a dual use for certutil. Smith noticed that certutil can be used to download a remote file.

It’s a certification tool. No, it’s a stealthy way to download malware. Certutil is both!

This is not completely surprising since certutil has remote capabilities, but it’s clearly not checking the format of the file — effectively turning certutil into LoL-ware version of curl.

As it turns out, hackers were way ahead of the researchers. It was reported that Brazilians have been using certutil for some time.

So if hackers obtain shell access through, say, an SQL injection attack, they can use certutil to download, say, a remote PowerShell script to continue the attack — without triggering any virus or malware scanners searching for obvious hacking tools.

Hiding Executables With Alternate Data Streams (ADS)

Can the attackers get even stealthier? Unfortunately, yes!

The amazingly clever Oddvar Moe has a great post on Alternate Data Streams, and how it can be used to hide malware scripts and executables in a file.

ADS was Microsoft’s answer to supporting compatibility with Apple McIntosh’s file system. In the Mac word, files have a lot of metadata in addition to regular data associated with them. To make it possible to store this metadata in Windows, Microsoft created ADS.

For example, I can do something like this:

Omg , I directed text into a file and the file size didn’t change! Where did it go? It’s in ADS. #stealthy

On a first review, it might look like I’m directing the text of my .hta file into “stuff.txt”.

Take a closer look at the above screenshot, and notice the “:evil.ps1” that’s tacked on. And then shift your focus to the size of “stuff.txt”: it remains at 0 bytes!

What happened to the text I directed into the file? It’s hidden in the ADS part of the Windows file system. It turns out that I can directly run scripts and binaries that are secretly held in the ADS part of the file system.

And One More Thing

We’ll take a deeper dive into ADS next time. The larger point is the high-level of stealthiness one can achieve with the LoL approach to hacking. There are other binaries that serve dual masters, and you can find a complete list of them on github.

For example, there are  whole class of Windows binaries — for example, esentutil, extrac32, and others — that act as a file copy tool. In other words, the attackers don’t have to necessarily reveal themselves by using the obvious Windows “copy” command.

So security detection software that’s based on scanning the Windows Event log looking for the usual Windows file commands will miss sneaky LoL-based hacker file activity.

The lesson is that you need, ahem, a security platform that can analyze the raw file system activity to determine what’s really going on. And then notify your security team when it detects unusual access to the underlying files and directories.

Does the Lol-ware approach to hacking scare you, just a little? Our Varonis Data Security Platform can spot what the hackers don’t want you to see. Lean more!

 

 

 

Continue reading the next post in "Living off the Land With Microsoft"

Get the latest security news in your inbox.