#BHASIA BlackHatEvents

From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Speakers: Luigino Camastra, Igor Morgenstern
Contributor: Jan Vojtesek

Agenda
- Introduction to prior research
- Attack chain analysis
- Initial ISO image
- Loaders
- RAT
- 0-day and vulnerability analysis
- Rootkit analysis

Prior research

Attack chain analysis
- The attack is initiated by presenting a fabricated job offer
- Contact is made via LinkedIn, WhatsApp, email or other platforms

Attack chain analysis: RollFling Loader
- Shellcode executed in memory
- Discovered a new loader we called RollFling, together with an NLS file
- Malicious DLL established as a service
- Kickstarts the execution chain
- Loading the next stage:
  - obtaining the XOR key by calling the GetSystemFirmwareTable API
  - XOR decryption of the file with the .nls extension
  - the RollSling loader is encrypted in the NLS file
  - loading the decrypted RollSling into memory

Attack chain analysis: RollSling
- RollSling is a loader discussed in Microsoft research (Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability)
- Code similarities with the RollSling version discussed in the Microsoft research:
  - Gen Digital: e68ff1087c45a1711c3037dad427733ccb1211634d070b03cb3a3c7e836d210f
  - Microsoft: d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca

Attack chain analysis: RollSling Loader
- Locates a binary blob
  - holds various stages and configuration data: RollMid, 2x DLL binaries and the address of the C&C server
  - located without a file extension
- Extracts the next stage from the binary blob
- Searches for the export function StartAction
- Loads and executes the next stage, RollMid (by calling the StartAction export function)

Attack chain analysis: RollMid Loader
- Loads the network module binary and parses the address of the C&C server
- Obtains an HTML file from the first C&C server
- Gets a PNG image from the second C&C server
- Uses steganography to extract the address of the third C&C server
- Sends a POST request to get the Data Blob
- The Data Blob contains configuration data for the next stage
- Appends part of the Data Blob to the Kaolin RAT DLL on disk as an overlay
- Loads and executes the next stage, called Kaolin RAT

Attack chain analysis: Kaolin RAT
- Communication with the C&C server
- Network module DLL binary
- Encrypted with AES
- Custom RAT
- File compression capabilities
- Uploading files to the C&C
- Changing files' last-write timestamp
- Downloading a DLL file from the C&C server and loading it in memory
- Loading the exploit with the FudModule rootkit

Techniques: Living Off the Land: Vulnerable Drivers
- Techniques: data-only attacks, signed malicious drivers, vulnerable drivers
- Obstacles: DSE (Driver Signature Enforcement), HVCI, SMEP
- Benefits: disrupt security software, hide indicators of infection, disable kernel-mode telemetry

Living Off the Land: Vulnerable Drivers
- N-day BYOVD
  - Easy to pull off
  - Lazarus previously abused dbutil_2_3.sys (Dell) and ene.sys (ENE Technology Inc.)
  - Straightforward to detect
- Zero-day BYOVD
  - Attacker needs to discover a zero-day vulnerability
  - Stealthier than n-day
  - hw.sys exploited by Candiru
  - Generates a suspicious event
- Zero-day OS
  - Abuse built-in Windows drivers
  - Reduced attack surface
  - Highest level of stealth

CVE-2024-21338
- Vulnerable IOCTL dispatcher in appid.sys (AppLocker)
- Allows calling an arbitrary kernel function
- Partial control of the first argument
- SMEP prevents calling user-mode code
- kCFG requires a valid kCFG call target
- The IOCTL is exposed through \Device\AppId
- The user should be running as LOCAL SERVICE

CVE-2024-21338: exploitation
- Load the driver by writing an event to an AppLocker-related ETW provider
- Impersonate the LOCAL SERVICE account
- Write primitive to change the PreviousMode of the current thread
- Can then read and write arbitrary kernel memory with NtWriteVirtualMemory
- Fixed by introducing an ExGetPreviousMode check

FudModule 2.0
- Data-only rootkit (user space) DKOM techniques:
  - 0x1 Registry Callbacks
  - 0x2 Object Callbacks (no update)
  - 0x4 Process, Thread, and Image Kernel Callbacks
  - 0x8 File System MiniFilters
  - 0x10 Windows Filtering Platform
  - 0x40 Event Tracing for Windows: System Loggers
  - 0x80 Event Tracing for Windows: Provider GUIDs
  - 0x100 Image Verification Callbacks
  - 0x200 Direct Attacks on Security Software

FudModule 2.0, 0x01 Registry Callbacks
- Allow drivers to monitor and respond to changes in the registry
- Registered via CmRegisterCallbackEx
- DKOM:
  - Resolve CmUnRegisterCallback (export of ntoskrnl)
  - Scan the function for lea rcx, nt!CallbackListHead
  - Find the address of nt!CallbackListHead
  - New: skip callbacks from ntoskrnl.exe, applockerfltr.sys, bfs.sys
  - Replace the callback with ObIsKernelHandle and unlink the callback entry

FudModule 2.0, 0x02 Object Callbacks (no update)
- Monitor and respond to thread, process, and desktop handle operations
- Registered via ObRegisterCallbacks
- DKOM:
  - Resolve ObGetObjectType (export of ntoskrnl)
  - Find nt!ObTypeIndexTable
  - nt!ObTypeIndexTable is an array of pointers to _OBJECT_TYPE structures
  - Iterate over CallbackList
  - Make each entry point to itself

FudModule 2.0, 0x04 Process, Thread, and Image Kernel Callbacks
- Registered via PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine
- DKOM:
  - Resolve nt!PspNotifyEnableMask, nt!Psp(LoadImage|CreateThread|CreateProcess)NotifyRoutine
  - Clear nt!PspNotifyEnableMask
  - Create new arrays containing only callbacks from whitelisted modules
  - Revert nt!PspNotifyEnableMask
- Whitelisted modules: ntoskrnl.exe, ahcache.sys, mmcss.sys, cng.sys, ksecdd.sys, tcpip.sys, iorate.sys, ci.dll, dxgkrnl.sys, peauth.sys, wtd.sys

FudModule 2.0, 0x08 Minifilter Drivers
- Mechanism for drivers to intercept file system operations
- HVCI prevents patching the filter function
- Iterates over _FLT_VOLUME.Callbacks.OperationsLists
  - indexed by IRP major function codes
  - an array of linked lists of FLTMGR!_CALLBACK_NODE
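The ExGetPreviousMode check that the CVE-2024-21338 slides above name as the fix is the generic guard any IOCTL path that can reach internal kernel routines needs. The model below is an added example written for this page, not appid.sys or any Microsoft code; ExGetPreviousMode, the request layout, the status codes and kernel_routine are stand-ins so it compiles and runs outside the kernel.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for kernel types and status codes (the real ones live in ntddk.h / ntstatus.h). */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Hypothetical stand-in for the kernel's ExGetPreviousMode(): reports whether the current
 * request entered the kernel from user mode. Impersonating another account does not change it. */
static KPROCESSOR_MODE g_previous_mode = UserMode;
static KPROCESSOR_MODE ExGetPreviousMode(void) { return g_previous_mode; }
/* Hypothetical request shape mirroring the slides: a function to call plus its first argument. */
typedef struct {
    void (*callback)(uint64_t arg);
    uint64_t arg;
} ioctl_request_t;
/* Instrumented stand-in for "an arbitrary kernel function". */
static int      g_calls = 0;
static uint64_t g_last_arg = 0;
static void kernel_routine(uint64_t arg) { g_calls++; g_last_arg = arg; }

/* Pre-fix pattern: the dispatcher honours whatever pointer the request carries. */
NTSTATUS dispatch_unchecked(const ioctl_request_t *req) {
    req->callback(req->arg);
    return STATUS_SUCCESS;
}

/* Post-fix pattern: refuse the request before any pointer in it is used when the caller's previous
 * mode is UserMode. A token check alone ("is this LOCAL SERVICE?") would not do: the slides show
 * the exploit impersonating exactly that account. */
NTSTATUS dispatch_checked(const ioctl_request_t *req) {
    if (ExGetPreviousMode() == UserMode)
        return STATUS_ACCESS_DENIED;
    req->callback(req->arg);
    return STATUS_SUCCESS;
}

/* Simulate a user-mode caller hitting both dispatchers; returns how many times the routine
 * actually ran (1 means only the unchecked dispatcher let it through). */
int run_model(void) {
    ioctl_request_t req = { kernel_routine, 0x1337 };
    g_calls = 0;
    g_previous_mode = UserMode;
    dispatch_unchecked(&req);
    NTSTATUS st = dispatch_checked(&req);
    printf("unchecked: routine ran; checked: %s\n",
           st == STATUS_ACCESS_DENIED ? "STATUS_ACCESS_DENIED" : "routine ran");
    return g_calls;
}
```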
FudModule 2.0, 0x10 Windows Filtering Platform (WFP)
- Network traffic filtering, packet inspection
- Checks for Kaspersky drivers
- Locate netio!gWfpGlobal
- Iterate over the array of CALLOUT structs
- Set FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW: the callout function is then called only if there is a context associated with the data flow

FudModule 2.0, 0x40 Event Tracing for Windows: System Loggers
- High-performance mechanism for tracing and logging events
- Zeroing out EtwpActiveSystemLoggers

FudModule 2.0, 0x80 Event Tracing for Windows: Provider GUIDs
- Contains a hardcoded list of 95 GUIDs
- Zeroes out four masks, namely EnableMask, GroupEnableMask, HostEnableMask, and HostGroupEnableMask

FudModule 2.0, 0x100 Image Verification Callbacks
- Invoked whenever a new driver image is loaded into kernel memory
- Useful functionality for anti-malware software to block malicious or vulnerable drivers
- SeRegisterImageVerificationCallback (registering the callback)

FudModule 2.0, 0x200 Direct Attacks on Security Software
- Targeting security solutions: AhnLab V3 Endpoint Security
- Modifies the _EPROCESS of asdsvc.exe (AhnLab Smart Defense Service)
- This modification makes it just a regular, non-protected process
- It is opened up for further attacks from user mode
- Disrupts the link between user-mode and kernel-mode components

    struct _EPROCESS {
        struct _KPROCESS Pcb;
        struct _EX_PUSH_LOCK ProcessLock;
        VOID* UniqueProcessId;
        struct _LIST_ENTRY ActiveProcessLinks;
        struct _EX_RUNDOWN_REF RundownProtect;
        ...
        struct _EJOB* ServerSilo;
        UCHAR SignatureLevel;
        UCHAR SectionSignatureLevel;
        struct _PS_PROTECTION Protection;
        UCHAR HangCount:3;
        UCHAR GhostCount:3;
        UCHAR PrefilterException:1;
        ...
    };

FudModule 2.0, 0x200 Direct Attacks on Security Software
- This is used to increase stability
- Leaks its own _EPROCESS structure
- Zeroes out MitigationFlags
- Clears the "EnableHandleExceptions" flag from "_EPROCESS.ObjectTable.Flags"

FudModule 2.0, 0x200 Direct Attacks on Security Software
- What is the Handle Table used for? The kernel must be able to translate a handle to the corresponding object

FudModule 2.0, 0x200 Direct Attacks on Security Software
- Create a dummy thread with "THREAD_ALL_ACCESS" rights
- Modify ObjectPointerBits
- This makes the handle reference that arbitrary object and enables the rootkit to perform privileged operations on it
- Target: the _EPROCESS structure of one of the targeted processes: MsSense.exe (Windows Defender), MsMpEng.exe (Malware Protection Engine), CSFalconService.exe (CrowdStrike), Hmpalert.exe (HitmanPro)
- Suspends the process and all threads of the targeted processes

Conclusion
- The Lazarus group is investing significant resources
- Despite various mitigations, kernel-based security solutions remain vulnerable
- Lazarus, despite its sophisticated attacks, is still using phishing as an infection vector

Thank you
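The 0x200 slides show FudModule zeroing the _PS_PROTECTION field of a security product's _EPROCESS so that it becomes an ordinary, unprotected process. The following added example, written for this page rather than taken from the talk or from Microsoft, decodes that byte using the Type:3 / Audit:1 / Signer:4 layout published in winnt.h and flags carved process records whose level has dropped below the clean-host baseline; the record shape, the sample records and the asdsvc.exe baseline are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* _PS_PROTECTION.Level layout and enums as published in winnt.h: Type:3 | Audit:1 | Signer:4. */
enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 };
enum { PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode = 1, PsProtectedSignerCodeGen = 2,
       PsProtectedSignerAntimalware = 3, PsProtectedSignerLsa = 4, PsProtectedSignerWindows = 5,
       PsProtectedSignerWinTcb = 6, PsProtectedSignerWinSystem = 7, PsProtectedSignerApp = 8 };
static unsigned ps_type(uint8_t level)   { return level & 0x7; }
static unsigned ps_signer(uint8_t level) { return (level >> 4) & 0xF; }
static const char *signer_name(unsigned s) {
    static const char *n[] = { "None", "Authenticode", "CodeGen", "Antimalware", "Lsa",
                               "Windows", "WinTcb", "WinSystem", "App" };
    return s < 9 ? n[s] : "Invalid";
}

/* Carved record (hypothetical shape): image, Protection byte from _EPROCESS, clean-host baseline. */
typedef struct {
    const char *image;
    uint8_t     observed;   /* _EPROCESS.Protection.Level found in memory */
    uint8_t     expected;   /* level the service runs at on a clean host */
} proc_record_t;

/* Flag a record when the observed signer or type is weaker than the baseline;
 * the 0x200 technique on the slides drops both to zero. Returns 1 if flagged. */
int protection_tampered(const proc_record_t *r) {
    return ps_signer(r->observed) < ps_signer(r->expected)
        || ps_type(r->observed)   < ps_type(r->expected);
}

/* Walk the records, print a verdict per process, return how many were flagged. */
int triage(const proc_record_t *recs, size_t n) {
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int bad = protection_tampered(&recs[i]);
        flagged += bad;
        printf("%-12s level=0x%02x type=%u signer=%s %s\n", recs[i].image, (unsigned)recs[i].observed,
               ps_type(recs[i].observed), signer_name(ps_signer(recs[i].observed)),
               bad ? "<-- protection stripped" : "ok");
    }
    return flagged;
}

/* Constructed sample: PPL antimalware = Signer Antimalware(3), Type Light(1) = 0x31.
 * The baseline for asdsvc.exe is an assumption made for this example. */
static const proc_record_t SAMPLE[] = {
    { "MsMpEng.exe", 0x31, 0x31 },   /* intact */
    { "asdsvc.exe",  0x00, 0x31 },   /* zeroed, as on the 0x200 slides */
};
int triage_sample(void) { return triage(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]); }
```

Feed it levels taken from a memory image or a kernel-side source: a live query through process handles is exactly what the handle-table tampering on the same slides can subvert.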