Abusing Microsoft Windows Utilities to Deliver Malware for Fun and Profit
Last year, Cofense Intelligence™ observed an increase in abuse of features built into platforms that are all but ubiquitous throughout the corporate world. An overview of these developments in 2017 was covered in our 2017 Malware Review, which highlighted the abuse of Microsoft features such as Object Linking and Embedding (OLE) and Dynamic Data Exchange (DDE) to deliver malware. Since last year, this trend has continued as threat actors are exploiting a greater variety of features as well as combining multiple techniques into one campaign.
Threat actors abuse Microsoft Windows utilities in phishing campaigns because this tactic is more difficult to identify and detect prior to compromise than attached or embedded malware. The reason for this difficulty is that in many cases, these utilities are functioning exactly as they were designed, even when used maliciously. Some utilities we see currently abused include Certutil, Schtasks, Bitsadmin, and MpCmdRun.
Certutil is a basic command line utility that was used as part of an extensive Dreambot campaign in March [i]. Certutil, which has been abused by threat actors since as early as 2015 [ii], can be used to easily install fake certificates for man-in-the-middle (MITM) attacks, and to download base64 or hexadecimal encoded files disguised as certificates before decoding them. This is particularly significant because firewall rules that are triggered by an executable or malicious binary are less likely to determine that what appears to be an encoded certificate is malware [iii].
Figure 1: Example Certutil Command Used to Download Encoded File
Figure 2: Example Disguised “Certificate” Downloaded by Certutil
Figure 3: Example Certutil Command Used to Decode a Certificate
Figure 4: Example Result of the Figure 3 Certutil Command Decoding the Figure 2 “Certificate”
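A defender-side check for the disguised "certificate" described above, as an added example that is not from the original article: it decodes the PEM body and tests whether the bytes form a DER structure or start with another file type's magic bytes. The function names and both sample inputs are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Leading bytes of common payload types that are not certificates.
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive",
         b"\x7fELF": "elf-executable"}

def der_sequence_ok(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose length field spans the blob."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify_pem(text: str) -> str:
    """Label what a file with certificate armour actually contains."""
    m = PEM_RE.search(text)
    if not m:
        return "not-pem"
    try:
        body = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return "bad-base64"
    for magic, label in MAGIC.items():
        if body.startswith(magic):
            return label
    # Structural check only: a real X.509 parser is still needed to trust it.
    return "der-sequence" if der_sequence_ok(body) else "unknown-payload"

def pem(payload: bytes) -> str:
    """Wrap bytes in certificate armour (used to build the samples below)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed samples: harmless bytes that only imitate the relevant headers.
FAKE = pem(b"MZ\x90\x00" + b"constructed sample, not an executable")
DER_LIKE = pem(b"\x30\x82\x01\x00" + bytes(256))

if __name__ == "__main__":
    for name, sample in (("FAKE", FAKE), ("DER_LIKE", DER_LIKE)):
        print(name, classify_pem(sample))
```
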
The way that certutil performs its HTTP requests lends itself to further abuse. It uses two sequential HTTP GET requests with different User-Agents (see Figure 5), which lets threat actors serve hosted files only when the correct User-Agents are used. By responding with a fake “Not Found” (see Figure 6) unless the correct User-Agents are supplied, the server can prevent researchers and defenders from accessing a payload. This fake “Not Found” response can also help the server avoid detection by some automated URL scanners, because they will interpret the “Not Found” response as indicating there is no malicious file.
Figure 5: Certutil Unique HTTP GET User-Agents
Figure 6: Fake “Not Found” Response
Another commonly abused legitimate Windows utility is schtasks. This program is used by threat actors as it was originally intended, simply to schedule tasks. Unfortunately, malicious actors understand how to schedule tasks and identify execution targets in order to maintain persistence on compromised systems.
Figure 7: Example Command Used to Schedule Running an Executable Every Two Days
Adversaries can schedule the execution of their script or binary to run at a specific time, such as when the user logs on or when certain conditions are met. There are a number of conditions that can be used to trigger a task to run, such as only when there is internet access and the system is idle; or in the case of a coin miner, only when the computer is plugged in so that if the computer is a laptop the battery drain will not be noticeable. (Additional conditions can be seen in Figure 8.) These conditions can be used as a simple detection evasion technique.
This tactic is more discreet than another popular way that threat actors attempt to ensure persistence—by leaving a script or executable in the Startup folder whose contents are automatically run when the user logs in. This is more easily identified because the Startup folder can be browsed to (Figure 9) and is one of the first locations checked by anti-malware programs.
Figure 8: Example Task Configuration File Created by Figure 7 Command
Figure 9: Startup Folder with Dropped Files
By using schtasks instead of relying on a file in the Startup folder, threat actors are able to better disguise their activities and to exert more control over the malware’s actions. An additional benefit is that the files used to save the task information are not required to have an extension, which is enough to make some antivirus solutions simply ignore the file.
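An added example (not from the original article) of triaging task definition files such as the one in Figure 8: it parses the Task Scheduler XML, lists the run conditions that are set, and flags actions that execute from user-writable paths. The path list and the sample task are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to (assumed triage list, extend as needed).
USER_WRITABLE = re.compile(
    r"(?:^|[\\%])(?:users\\public|appdata|localappdata|temp|programdata)[\\%]", re.I)
# <Settings> children that correspond to the run conditions discussed above.
CONDITIONS = ("RunOnlyIfIdle", "RunOnlyIfNetworkAvailable",
              "DisallowStartIfOnBatteries", "Hidden")

def analyze_task(xml_doc):
    """Summarise one task definition; pass file contents read from disk as bytes."""
    root = ET.fromstring(xml_doc)
    commands = []
    for e in root.findall("t:Actions/t:Exec", NS):
        parts = (e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))
        commands.append(" ".join(p.strip() for p in parts if p.strip()))
    conditions = [c for c in CONDITIONS
                  if root.findtext(f"t:Settings/t:{c}", "false", NS).strip().lower() == "true"]
    interval = root.findtext(".//t:ScheduleByDay/t:DaysInterval", None, NS)
    findings = [f"runs from user-writable path: {c}" for c in commands
                if USER_WRITABLE.search(c)]
    if findings and "Hidden" in conditions:
        findings.append("task is hidden from the default Task Scheduler view")
    return {"commands": commands, "conditions": conditions,
            "every_n_days": int(interval) if interval else None,
            "findings": findings}

# Constructed sample modelled on the article's description (not a real task file).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2018-04-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>2</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Settings>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <RunOnlyIfIdle>true</RunOnlyIfIdle>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Public\updater.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(analyze_task(SAMPLE_TASK))
```

Because task files carry no extension, the check keys on the XML content rather than the file name.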
The BITSAdmin (or Background Intelligent Transfer Service) tool is a Windows file transfer utility that has been around since Windows 2007, and is often used as part of the exploitation of a CVE or Office macro to download files in place of PowerShell. (See Figure 10.) PowerShell commands are often logged, and direct file downloads via PowerShell can trigger behavioral detection systems, whereas BITSAdmin uses a pre-existing svchost.exe process to perform its actions, making it appear as though svchost.exe is doing the file creation and download. It is common for svchost.exe to create files and connect to the internet, for example when downloading Windows updates. Because this is considered normal behavior, some local antivirus solutions will ignore it [iv].
Figure 10: Example bitsadmin Download Command
An additional benefit of BITSAdmin is that, similarly to certutil, BITSAdmin has a unique way of downloading files. BITSAdmin uses a specific User-Agent (Microsoft BITS/7.5) to request files, and rather than doing an HTTP GET request, it instead first does an HTTP HEAD request to check if a resource is available. If the resource is available, BITSAdmin then follows with an HTTP GET request. (See Figure 11.) This unique User-Agent can be used like certutil’s to allow downloading of hosted files only when the correct User-Agent is used, and an HTTP HEAD request is unusual enough that it can be used by the threat actor for the same purpose [v].
Figure 11: Example BITSAdmin Download Communication
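The request patterns described for certutil and for BITSAdmin can be hunted for in proxy logs; the following is an added example, not from the original article. The log format and sample lines are constructed, and certutil's two User-Agent strings are the publicly documented values rather than values taken from this page.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"')
WINDOW = timedelta(seconds=10)
# (tool, first request, follow-up request); each request is (method, UA prefix).
# A lone Microsoft-CryptoAPI request is routine CRL/OCSP traffic, so only the
# pair on the same URL from the same client is reported.
PAIRS = [
    ("certutil", ("GET", "Microsoft-CryptoAPI/"), ("GET", "CertUtil URL Agent")),
    ("bitsadmin", ("HEAD", "Microsoft BITS/"), ("GET", "Microsoft BITS/")),
]

def parse(line):
    """Split one log line into (timestamp, client, method, url, user_agent)."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    ts, client, method, url, _status, ua = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url, ua

def find_tool_downloads(lines):
    """Return sorted (tool, client, url) for each request pair seen in order."""
    pending, hits = {}, set()
    for ts, client, method, url, ua in filter(None, map(parse, lines)):
        for tool, (m1, ua1), (m2, ua2) in PAIRS:
            key = (tool, client, url)
            if (method == m2 and ua.startswith(ua2) and key in pending
                    and ts - pending[key] <= WINDOW):
                hits.add(key)
            elif method == m1 and ua.startswith(ua1):
                pending[key] = ts
    return sorted(hits)

# Constructed proxy log lines: time, client, method, URL, status, "User-Agent".
SAMPLE_LOG = [
    '2018-04-02T10:15:01Z 10.0.0.23 GET http://files.example.test/cert.crt 200 "Microsoft-CryptoAPI/10.0"',
    '2018-04-02T10:15:02Z 10.0.0.23 GET http://files.example.test/cert.crt 200 "CertUtil URL Agent"',
    '2018-04-02T10:16:40Z 10.0.0.41 GET http://crl.example.test/root.crl 200 "Microsoft-CryptoAPI/10.0"',
    '2018-04-02T10:20:00Z 10.0.0.57 HEAD http://files.example.test/update.bin 200 "Microsoft BITS/7.5"',
    '2018-04-02T10:20:01Z 10.0.0.57 GET http://files.example.test/update.bin 206 "Microsoft BITS/7.5"',
    '2018-04-02T10:21:00Z 10.0.0.60 GET http://files.example.test/cert.crt 404 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_tool_downloads(SAMPLE_LOG):
        print(hit)
```

BITS is also used for legitimate transfers such as Windows updates, so hits for it need filtering against known-good destinations before alerting.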
MpCmdRun is a Microsoft command line utility designed to allow users to interact with Windows Defender Antivirus. MpCmdRun can be very useful for some automated tasks—for example, a system administrator might use MpCmdRun to remotely update Windows Defender on a computer if the user is not able to. In particular, this function is often used to force Windows Defender to roll back and then update signature definitions when the automatic updates are not working. However, this functionality comes with some drawbacks.
Threat actors can use this tool to reset antivirus signatures and modify the behavior of Windows Defender. Recently, this tactic was used in an Office macro script to make changes to Windows Defender before closing all open Office programs (which is necessary to modify relevant registry keys) and disabling various security settings in Microsoft Office via registry entries [vi]. In the case of Figure 12 below, the command used with MpCmdRun removes dynamic signatures but does not remove all signatures. By using MpCmdRun, threat actors can avoid detection by Windows Defender without disabling it, and gain further control of the infected environment.
Figure 12: Example Office Macro Script Using MpCmdRun
You Heard it Here Before
This trend is not new, but the proliferation of feature abuse indicates that a preference for feature abuse over direct payload delivery via phishing will likely continue for the foreseeable future. To see other types of feature abuse prominent in phishing campaigns, please refer to our previous work:
- DDE – Nov 21, 2017: Microsoft Word DDE Abuse Tactics Spreads to Locky, Trickbot, and Pony Malware Campaigns
- Multiple CVEs – Mar 8, 2018: Triple threat: This phishing campaign used 3 separate vectors.
- OLE – Apr 10, 2017: Malware Delivery OLE Packages Carve Out Market Share in 2017 Threat Landscape
- Malware Review – Mar 22, 2018: Cofense™ Malware Review: 2018
- CVE-2017-11882 – Apr 6, 2018: Is .XLSX Phishing Making a Comeback?
By leveraging legitimate features that are integral for business operations against businesses, threat actors are able to circumvent antivirus and behavioral analysis in order to successfully deliver their malware. This trend is not going to go away and will likely only expand from here. Given the ease with which threat actors are able to bypass defenses by abusing features that often cannot be blocked for business purposes, it’s imperative that individuals be trained to recognize the initial threat and to report it. Combining this training with human verified intelligence helps to ensure a successful defensive strategy that does not rely solely on automated systems, which threat actors are learning to bypass.
For a look back and a look forward at major malware trends, view the 2018 Cofense Malware Review.
i. For more details, see TIDs 11170 and 11136, and the March 29, 2018 Strategic Analysis “Nefarious Use of Legitimate Platforms to Deliver Malware Extends to KeyCDN.”
vi. For more details, see TID 11979, and the February 15, 2018 Strategic Analysis “When Features and Exploits Collide.”