Researcher to Release Free Attack Obfuscation Tool

Published: 22/11/2024   Category: security




Cybercrime gang FIN7, aka Carbanak, spotted hiding behind another Windows function, according to research to be presented at Black Hat Asia next month.



Advanced nation-state and cybercrime groups increasingly are hiding behind legitimate Microsoft Windows functions to mask their hacks - and their latest method ups the ante in abuses of the basic command prompt.
The FIN7, aka Carbanak, cybercrime gang, known for attacking banks and, most recently, the hospitality and restaurant industries, last year was spotted by FireEye exploiting the cmd.exe Windows binary. The unique use of their technique inspired Daniel Bohannon, senior applied security researcher for Mandiant, a FireEye company, to create a tool that helps organizations better defend against attackers who hide their payloads behind the legitimate Windows commands.
Bohannon will release his new Invoke-DOSfuscation framework tool next month at Black Hat Asia in Singapore, where he will present his research on how attackers like FIN7 use the relatively basic cmd.exe to slip malware into their targets' systems.
"The way they used the [command process] blew my mind, so from that point forward, I started looking at command-execution obfuscation," Bohannon says of FIN7's activity.
The command prompt obfuscation method is another twist in what researchers refer to as "living off the land," or fileless malware attacks, where attackers use native Windows tools on a victim's machine to hide their activity and malware from detection-based security tools and whitelisting. "Attackers don't need to drop custom malware on disk. They can use native tools and run everything in memory," Bohannon explains.
PowerShell and Windows Management Instrumentation (WMI) tools were used in more than half of all attacks last year, according to a recent report from Carbon Black. Many organizations can only detect attacks when the file is written to the disk, so in-memory attacks using legitimate Windows tools mostly go unnoticed. Attackers also use the tools to move around laterally to avoid getting caught in the act.
Living off the land attacks can span the initial intrusion to the full compromise of a system, Bohannon notes. An attacker can send a malicious Word file via email that spawns commands and PowerShell execution, he says.
In Command
In his Black Hat presentation next month, Bohannon will detail the entire process he pieced together on how attackers such as FIN7 are using the basic command-line function to hide their activity. FIN7 employs a string removal/replacement method as well as some unique encoding methods in system memory, using cmd.exe.
"I'm sharing the whole process because defenders need to be informed about why these [techniques] work. They [attackers] do a lot that's never seen [being] used in the wild, and I expect them to change their tactics once the Invoke-DOSfuscation gets released," he says.
The caret (^) and quote-mark (") symbols, for example, are placed in the command string to obfuscate their payloads. So if an attacker inserts quote marks around his malicious string, it evades detection because it breaks rigid detection rules, Bohannon explains.
FIN7 traditionally had been known for hiding LNK shortcut files in DOCX and RTF documents, which allowed their phishing attacks to slip by most traditional security measures. Bohannon and his team last June discovered the group also hiding behind JavaScript and cmd.exe. The attackers tweaked the string to "Wor" + "d.Application" instead of "Word.Application", for example, and used other replacement characters in cmd.exe in order to fly under the radar.
Bohannon says his homegrown Invoke-DOSfuscation tool lets intrusion detection investigators and red teams perform the steps attackers are taking to hide their payloads behind cmd.exe. It allows them to input any cmd.exe or PowerShell command and then create different levels of obfuscated output commands. That in turn helps them improve their detection methods, he says. "A defender can take any command and obfuscate it. They are able to plug in detection rules, and [check] 'did I detect all these commands?' If not, they can tune their detection rules," he says.
"[It] allows defenders to generate hundreds and even thousands of unique obfuscated commands to test their defenses against, basically automating the detecting testing process," he says. The goal is to get organizations in front of the command obfuscation method before it hits them.
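The caret and quote-mark evasion and the "did I detect all these commands?" check described above can be illustrated with a short detection-coverage test. This is an added example, not code from the article or from Invoke-DOSfuscation; the rule, the sample command lines and the `normalize` and `coverage` helpers are constructed for illustration, and the normalizer only approximates how cmd.exe treats these two characters.

```python
import re

# Hypothetical rigid rule: expects the literal tokens to appear contiguously.
RULE = re.compile(r"\bpowershell(\.exe)?\b.*\s-enc\b", re.IGNORECASE)

# Constructed samples: one plain command and three caret/quote variants.
SAMPLES = [
    'cmd.exe /c powershell.exe -nop -enc PLACEHOLDER',
    'cmd.exe /c p^ow^er^she^ll.exe -n^op -e^nc PLACEHOLDER',
    'cmd.exe /c pow""ershell.exe -nop -e""nc PLACEHOLDER',
    'cmd.exe /c "power"shell.exe -nop "-enc" PLACEHOLDER',
]
BENIGN = [r'cmd.exe /c dir "C:\Program Files" ^& echo done']


def normalize(cmdline: str) -> str:
    """Approximate cmd.exe handling of ^ and " before rule matching.

    Outside double quotes a caret escapes the next character; inside
    double quotes it is literal. Quote marks are dropped, whitespace is
    collapsed and case is folded. This is not a full cmd.exe parser.
    """
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes       # drop the quote, track state
        elif ch == "^" and not in_quotes:
            i += 1                          # caret escapes the next char
            if i < len(cmdline):
                out.append(cmdline[i])
        else:
            out.append(ch)
        i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip().lower()


def coverage(rule, samples, preprocess=lambda s: s):
    """Return (hits, missed) for a rule over a list of command lines."""
    hits = [s for s in samples if rule.search(preprocess(s))]
    missed = [s for s in samples if s not in hits]
    return hits, missed


if __name__ == "__main__":
    for label, pre in (("raw", lambda s: s), ("normalized", normalize)):
        hits, missed = coverage(RULE, SAMPLES, pre)
        print(f"{label}: {len(hits)}/{len(SAMPLES)} detected, missed={missed}")
```

The same `coverage` call can be pointed at any larger set of obfuscated variants to show which ones a rule still misses after normalization.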
Bohannon also previously released other PowerShell obfuscation frameworks, including Invoke-Obfuscation and Invoke-CradleCrafter, and a detection tool, Revoke-Obfuscation. The new Invoke-DOSfuscation tool represents his first cmd.exe obfuscation tool. Invoke-DOSfuscation automates the application of numerous kinds and levels of obfuscation to any arbitrary input cmd.exe command, he notes.
Meanwhile, advanced hacking teams are using more open-source tools both to hide in plain sight, and to save on the labor and cost of writing custom malware. "It's fascinating seeing nation-state actors using off-the-shelf open-source tooling because … they don't have to spend R&D and build custom stuff when they go open-source," Mandiant's Bohannon says.
 
 