COM Hijacking Report - ExplorerBlurMica

- Definition:
Suspected potential COM Hijacking weakness in ExplorerBlurMica, an open-source customization tool published on GitHub.
  • Affected Tools: ExplorerBlurMica (no malicious activity)
  • Affected Build: Win32 Native Win10 1089-2004-22H2
  • Potential Risk: Although the tool contains no malicious activity, the way it works can create an opening for COM Hijacking.

- The application is clean and takes no risky action. It patches Explorer and injects its own package by using various system services. However, the package and the method it uses are quite suitable for COM Hijacking. Because it is not run as a separate application it has no isolated memory of its own; it uses Explorer's isolated space.
Yet because of its own package, that isolated space can be tampered with. It is open to abuse, and anyone who is going to use it should keep this in mind. I examined it on request and prepared this report to show that Windows patching applications of this kind can never guarantee security. Details are below.

MITRE Tactic      Technique                           API Reference
Discovery         System Owner/User Discovery         [email protected]
Defense Evasion   Access Token Manipulation (T1134)   [email protected], [email protected]
Defense Evasion   Process Injection                   [email protected], [email protected], [email protected]
Collection        Screen Capture                      [email protected], [email protected]

Code:
MITRE ATT&CK DB
TA0002
    T1129
TA0003
    T1176
    T1547.001
    T1574.002
TA0004
    T1134
    T1547.001
    T1574.002
TA0005
    T1112
    T1134
    T1218.010
    T1218.011
    T1497
    T1497.001
    T1574.002
TA0006
    T1056.001
TA0007
    T1012
    T1057
    T1082
    T1083
    T1497
    T1497.001
    T1518.001
TA0009
    T1056.001
    T1185

Crowdsource Sigma Rule / Event Set
HIGH: Potential Persistence Via COM Hijacking From Suspicious Locations
Code:
EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
ProcessGuid:{C784477D-0DD1-64D8-1F06-000000004400}
UtcTime:1691880913
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
RuleName:T1122
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
RuleName:T1122
UtcTime:1691880919
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1122
UtcTime:1691880922
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)
MED: Potential Persistence Via COM Search Order Hijacking
Code:
EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
UtcTime:1691880919
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
RuleName:T1122
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1122
UtcTime:1691880922
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)
CurrentVersion Autorun Keys Modification
Code:
EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
ProcessGuid:{C784477D-0DD1-64D8-1F06-000000004400}
UtcTime:1691880913
Details:DWORD (0x00000001)
RuleName:T1176
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
UtcTime:1691880919
Details:DWORD (0x00000001)
RuleName:T1176
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1176
UtcTime:1691880922
Details:DWORD (0x00000001)
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer
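The detection logic behind the two Sigma hits above, written here as an added example (not part of the report or of the Sigma rules themselves): it parses Sysmon EventID 13 records in the key:value layout shown, rates an InProcServer32 default value that points into a user-writable path as HIGH, and a Browser Helper Objects registration as MEDIUM. The sample records are constructed from the ones above; the user-writable path list and the severities are my own assumptions, not the rules' exact conditions.

```python
"""Triage Sysmon EventID 13 (SetValue) records for the two patterns behind
the Sigma hits above: a COM InProcServer32 default value pointing at a DLL
in a user-writable location, and a Browser Helper Object registration."""
import re

# Constructed sample in the key:value layout of the records above.
SAMPLE_EVENTS = """\
EventID:13
EventType:SetValue
Image:C:\\Windows\\system32\\regsvr32.exe
Details:C:\\Users\\george\\Desktop\\ExplorerBlurMica.dll
TargetObject:HKCR\\CLSID\\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\\InProcServer32\\(Default)

EventID:13
EventType:SetValue
Image:C:\\Windows\\system32\\regsvr32.exe
Details:DWORD (0x00000001)
TargetObject:HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\\NoInternetExplorer
"""

# Paths a non-admin user can write to (assumed list): a COM server that
# explorer.exe loads from here is the hijack pattern behind the HIGH rule.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(?:Users\\(?!Public\\)[^\\]+\\|Users\\Public\\|ProgramData\\|Temp\\|Windows\\Temp\\)",
    re.IGNORECASE)
INPROC = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\\(Default\)$", re.I)
BHO = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-F-]{36}\})\\", re.I)


def parse_events(text):
    """Split blank-line separated key:value blocks into dicts."""
    return [dict(l.split(":", 1) for l in b.splitlines() if ":" in l)
            for b in text.strip().split("\n\n")]


def triage(events):
    """Return (severity, clsid, reason) tuples for matching SetValue events."""
    out = []
    for ev in events:
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        target, value = ev.get("TargetObject", ""), ev.get("Details", "")
        if m := INPROC.search(target):
            sev = "HIGH" if USER_WRITABLE.match(value) else "INFO"
            out.append((sev, m.group(1).upper(), f"InProcServer32 -> {value}"))
        elif m := BHO.search(target):
            out.append(("MEDIUM", m.group(1).upper(),
                        f"BHO registered by {ev.get('Image', '?')}"))
    return out


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```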



- Critical Registry Access
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regsvr32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\FIDs\ByFID
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}

- Overwrite Regs
Code:
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "(DEFAULT)"; Value: "ExplorerBlurMica BHO")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "(DEFAULT)"; Value: "C:\ExplorerBlurMica.dll")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "THREADINGMODEL"; Value: "Apartment")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "NOINTERNETEXPLORER"; Value: "01000000")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "(DEFAULT)"; Value: "ExplorerBlurMica BHO")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "(DEFAULT)"; Value: "C:\ExplorerBlurMica.dll")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "THREADINGMODEL"; Value: "Apartment")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "NOINTERNETEXPLORER"; Value: "01000000")

- Patches
Code:
"rundll32.exe" wrote bytes "20d29856fc010000f05f9756fc01000070fbd1bbf87f000020179a56fc010000" to virtual address "0xF0C4E090" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "00889956fc010000" to virtual address "0xF0C4E058" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "20d49756fc010000" to virtual address "0xF0C4E0F8" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "605d9756fc010000e08e9756fc010000a0d19856fc01000050619956fc010000" to virtual address "0xF0C4E0B8" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "a09dfeb8f87f0000608efeb8f87f000090b7fcb8f87f0000a090feb8f87f0000508dfcb8f87f0000502efcb8f87f000020c4feb8f87f000070bbfeb8f87f000080bcfeb8f87f00004078ffb8f87f0000a0bafeb8f87f00000088feb8f87f0000" to virtual address "0xBA1D4030" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "6012fdb8f87f0000" to virtual address "0xBA1D4020" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "30c0ffb8f87f000020c0ffb8f87f000000b8ffb8f87f0000c09efeb8f87f0000d0a1feb8f87f000090bafeb8f87f000080ba04b9f87f000080a2ffb8f87f0000603dfcb8f87f0000402303b9f87f0000" to virtual address "0xBA1D52B0" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "f0c0feb8f87f000030ea01b9f87f0000303ffcb8f87f0000102402b9f87f00009080fcb8f87f0000c04bfcb8f87f0000802402b9f87f00006072ffb8f87f000030f2fcb8f87f00008005feb8f87f0000" to virtual address "0xBA1D4270" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "e03b88b6f87f0000302a88b6f87f0000e02188b6f87f0000e01e88b6f87f0000c03588b6f87f0000b01588b6f87f0000c02689b6f87f0000c01488b6f87f0000" to virtual address "0xB66E10F0" (part of module "UXTHEME.DLL")
"regsvr32.exe" wrote bytes "e98102b2ff" to virtual address "0xBBD20710" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e9c108b2ff" to virtual address "0xBBD20010" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e981ffb1ff" to virtual address "0xBBD208D0" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e94106b2ff" to virtual address "0xBBD20190" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e94100b2ff" to virtual address "0xBBD20690" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e98103b2ff" to virtual address "0xBBD20290" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991f0b1ff" to virtual address "0xBBD21AC0" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911d5b1ff" to virtual address "0xBBD23680" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911edb1ff" to virtual address "0xBBD21D00" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911f3b1ff" to virtual address "0xBBD21200" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e9d1e6b1ff" to virtual address "0xBBD22300" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991dab1ff" to virtual address "0xBBD22E80" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911dbb1ff" to virtual address "0xBBD22C80" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991d2b1ff" to virtual address "0xBBD23480" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e951e4b1ff" to virtual address "0xBBD22240" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e951f8b1ff" to virtual address "0xBBD20D40" (part of module "NTDLL.DLL")
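An added example, not from the report or the sandbox vendor, that decodes the write log above for triage: a 5-byte write beginning with E9 is a relative JMP detour (an inline hook) whose destination is address + 5 + rel32, while writes that are a multiple of 8 bytes are pointer overwrites. It assumes the sandbox prints only the low 32 bits of each address, so targets are reduced mod 2^32; the sample lines are constructed copies of the log format.

```python
"""Decode the sandbox 'wrote bytes' log above: a 5-byte write starting with
E9 is a relative JMP detour (inline hook); writes that are a multiple of
8 bytes are pointer overwrites.  Addresses are treated as 32-bit because
the sandbox prints only the low 32 bits (assumption about that output)."""
import re
import struct

# Constructed sample lines copying the report's log format.
SAMPLE_LOG = [
    '"regsvr32.exe" wrote bytes "e98102b2ff" to virtual address "0xBBD20710" (part of module "NTDLL.DLL")',
    '"regsvr32.exe" wrote bytes "e9c108b2ff" to virtual address "0xBBD20010" (part of module "NTDLL.DLL")',
    '"rundll32.exe" wrote bytes "00889956fc010000" to virtual address "0xF0C4E058" (part of module "RUNDLL32.EXE")',
]
LINE = re.compile(r'"(?P<proc>[^"]+)" wrote bytes "(?P<hex>[0-9a-fA-F]+)" to virtual '
                  r'address "0x(?P<addr>[0-9a-fA-F]+)" \(part of module "(?P<mod>[^"]+)"\)')


def classify(line):
    """Describe one write; None if the line does not match the log format."""
    m = LINE.match(line)
    if not m:
        return None
    data, addr = bytes.fromhex(m["hex"]), int(m["addr"], 16)
    info = {"process": m["proc"], "module": m["mod"], "address": addr, "size": len(data)}
    if len(data) == 5 and data[0] == 0xE9:
        # JMP rel32: destination = address of the next instruction + signed displacement
        rel = struct.unpack("<i", data[1:])[0]
        info["kind"] = "inline_jmp_hook"
        info["target"] = (addr + 5 + rel) & 0xFFFFFFFF
    elif len(data) % 8 == 0:
        info["kind"] = "pointer_overwrite"
        info["pointers"] = list(struct.unpack(f"<{len(data) // 8}Q", data))
    else:
        info["kind"] = "other"
    return info


def hook_counts(lines):
    """Count JMP detours per (process, module); many into NTDLL = API-level hooking."""
    counts = {}
    for line in lines:
        info = classify(line)
        if info and info["kind"] == "inline_jmp_hook":
            key = (info["process"], info["module"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(hook_counts(SAMPLE_LOG))
```

Both NTDLL detours in the sample resolve to the same 0xBB84xxxx region, which is the kind of clustering that points at one trampoline module rather than scattered patches.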


- Auto YARA Rule

Code:
rule autogen_peexe_AntiVmControlDllhostExplorerGreywareLolbinSettingsynchost_9d6f5546
{
    meta:
        author = "FileScan.IO Engine v1.1.0-77bd2b4"
        date = "2023-08-24"
        sample = "9d6f554604111405e48f7fdf0eba972bdde5e0a275d2e7dd66240681ea595344"
        score = 20
        tags = "anti-vm,control,dllhost,explorer,greyware,lolbin,settingsynchost"
        isWeakRule = false

    strings:

        //IOC patterns
        $req0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
        $req1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
        $req2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\\\"
        $req3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
        $req4 = "https://github.com/Maplespe/ExplorerBlurMica/"
        $req5 = "{B44BD3C8-E597-4E08-AE43-246CE24698E7}"

        //optional strings
        $opt0 = "ADVAPI32.dll"
        $opt1 = "AcquireSRWLockExclusive"
        $opt2 = "AdjustTokenPrivileges"
        $opt3 = "AreFileApisANSI"
        $opt4 = "COMCTL32.dll"
        $opt5 = "CloseThreadpoolTimer"
        $opt6 = "CloseThreadpoolWait"
        $opt7 = "CoCreateInstance"
        $opt8 = "Control Panel\\Desktop\\WindowMetrics"
        $opt9 = "CreateEventExW"
        $opt10 = "CreateEventW"
        $opt11 = "CreateFileW"
        $opt12 = "CreateMutexW"
        $opt13 = "CreateSemaphoreExW"
        $opt14 = "CreateSemaphoreW"
        $opt15 = "CreateSymbolicLinkW"
        $opt16 = "CreateThread"
        $opt17 = "CreateThreadpoolTimer"
        $opt18 = "CreateThreadpoolWait"
        $opt19 = "CreateThreadpoolWork"
        $opt20 = "CreateToolhelp32Snapshot"
        $opt21 = "CreateWindowExW"
        $opt22 = "DeleteCriticalSection"
        $opt23 = "DestroyWindow"
        $opt24 = "DisableThreadLibraryCalls"
        $opt25 = "DllCanUnloadNow"
        $opt26 = "DllGetClassObject"
        $opt27 = "DllRegisterServer"
        $opt28 = "DllUnregisterServer"
        $opt29 = "EncodePointer"
        $opt30 = "EnterCriticalSection"
        $opt31 = "EnumChildWindows"
        $opt32 = "ExitProcess"
        $opt33 = "FindFirstFileExW"
        $opt34 = "FindFirstFileW"
        $opt35 = "FindNextFileW"
        $opt36 = "FlushFileBuffers"
        $opt37 = "FlushInstructionCache"
        $opt38 = "FlushProcessWriteBuffers"
        $opt39 = "FreeEnvironmentStringsW"
        $opt40 = "FreeLibrary"
        $opt41 = "FreeLibraryAndExitThread"
        $opt42 = "FreeLibraryWhenCallbackReturns"
        $opt43 = "GetCommandLineA"
        $opt44 = "GetCommandLineW"
        $opt45 = "GetConsoleMode"
        $opt46 = "GetConsoleOutputCP"
        $opt47 = "GetCurrentPackageId"
        $opt48 = "GetCurrentProcess"
        $opt49 = "GetCurrentProcessId"
        $opt50 = "GetCurrentProcessorNumber"
        $opt51 = "GetCurrentThreadId"
        $opt52 = "GetDesktopWindow"
        $opt53 = "GetEnvironmentStringsW"
        $opt54 = "GetFileInformationByHandleEx"
        $opt55 = "GetFileSizeEx"
        $opt56 = "GetFileType"
        $opt57 = "GetKeyState"
        $opt58 = "GetLastError"
        $opt59 = "GetModuleFileNameW"
        $opt60 = "GetModuleHandleExW"
        $opt61 = "GetModuleHandleW"
        $opt62 = "GetPrivateProfileStringW"
        $opt63 = "GetProcAddress"
        $opt64 = "GetProcessHeap"
        $opt65 = "GetStartupInfoW"
        $opt66 = "GetStdHandle"
        $opt67 = "GetStringTypeW"
        $opt68 = "GetSystemInfo"
        $opt69 = "GetSystemTimeAsFileTime"
        $opt70 = "GetSystemTimePreciseAsFileTime"
        $opt71 = "GetThreadContext"
        $opt72 = "GetThreadId"
        $opt73 = "GetTickCount64"
        $opt74 = "GetWindowLongW"
        $opt75 = "HeapCreate"
        $opt76 = "HeapDestroy"
        $opt77 = "HeapReAlloc"
        $opt78 = "InitOnceExecuteOnce"
        $opt79 = "InitializeConditionVariable"
        $opt80 = "InitializeCriticalSectionAndSpinCount"
        $opt81 = "InitializeCriticalSectionEx"
        $opt82 = "InitializeSListHead"
        $opt83 = "InitializeSRWLock"
        $opt84 = "InterlockedFlushSList"
        $opt85 = "IsDebuggerPresent"
        $opt86 = "IsProcessorFeaturePresent"
        $opt87 = "KERNEL32.dll"
        $opt88 = "LCMapStringW"
        $opt89 = "LeaveCriticalSection"
        $opt90 = "LoadLibraryExW"
        $opt91 = "LoadLibraryW"
        $opt92 = "LookupPrivilegeValueW"
        $opt93 = "MonitorFromWindow"
        $opt94 = "OpenProcessToken"
        $opt95 = "OpenThread"
        $opt96 = "QueryPerformanceCounter"
        $opt97 = "RaiseException"
        $opt98 = "RegCloseKey"
        $opt99 = "RegCreateKeyExW"
        $opt100 = "RegDeleteKeyW"
        $opt101 = "RegGetValueW"
        $opt102 = "RegOpenKeyExW"
        $opt103 = "RegQueryValueExW"
        $opt104 = "RegSetValueExW"
        $opt105 = "ReleaseMutex"
        $opt106 = "ReleaseSRWLockExclusive"
        $opt107 = "ResetEvent"
        $opt108 = "ResumeThread"
        $opt109 = "RtlCaptureContext"
        $opt110 = "RtlLookupFunctionEntry"
        $opt111 = "RtlPcToFileHeader"
        $opt112 = "RtlVirtualUnwind"
        $opt113 = "SHCore.dll"
        $opt114 = "SendMessageW"
        $opt115 = "SetFileInformationByHandle"
        $opt116 = "SetFilePointerEx"
        $opt117 = "SetLastError"
        $opt118 = "SetStdHandle"
        $opt119 = "SetThreadContext"
        $opt120 = "SetThreadpoolTimer"
        $opt121 = "SetThreadpoolWait"
        $opt122 = "SetUnhandledExceptionFilter"
        $opt123 = "SetWindowCompositionAttribute"
        $opt124 = "SetWindowLongW"
        $opt125 = "SettingSyncHost.exe"
        $opt126 = "SleepConditionVariableCS"
        $opt127 = "SleepConditionVariableSRW"
        $opt128 = "SubmitThreadpoolWork"
        $opt129 = "SuspendThread"
        $opt130 = "SystemParametersInfoW"
        $opt131 = "TerminateProcess"
        $opt132 = "TerminateThread"
        $opt133 = "Thread32First"
        $opt134 = "Thread32Next"
        $opt135 = "TlsGetValue"
        $opt136 = "TlsSetValue"
        $opt137 = "TryAcquireSRWLockExclusive"
        $opt138 = "TryEnterCriticalSection"
        $opt139 = "USER32.dll"
        $opt140 = "UnhandledExceptionFilter"
        $opt141 = "UxTheme.dll"
        $opt142 = "VirtualAlloc"
        $opt143 = "VirtualFree"
        $opt144 = "VirtualProtect"
        $opt145 = "VirtualQuery"
        $opt146 = "WaitForSingleObject"
        $opt147 = "WaitForSingleObjectEx"
        $opt148 = "WaitForThreadpoolTimerCallbacks"
        $opt149 = "WakeAllConditionVariable"
        $opt150 = "WakeConditionVariable"
        $opt151 = "WriteConsoleW"
        $opt152 = "dllhost.exe"
        $opt153 = "dwmapi.dll"
        $opt154 = "explorer.exe"
        $opt155 = "gdiplus.dll"
        $opt156 = "inappropriate io control operation"
        $opt157 = "kernel32.dll"
        $opt158 = "mscoree.dll"
        $opt159 = "read only file system"
        $opt160 = "user32.dll"
        $opt161 = "uxtheme.dll"
        $opt162 = "vmtoolsd.exe"

    condition:
        //require 50% of optional strings
        uint16(0) == 0x5A4D and filesize > 197223 and filesize < 21913621913 and all of ($req*) and 81 of ($opt*)
}
SHA256: 9d6f554604111405e48f7fdf0eba972bdde5e0a275d2e7dd66240681ea595344

The Hybrid Analysis, Filescan.IO and VirusTotal services were used.

- Dutchman
 
Nice analysis. We have said many times not to use programs that patch the system just to make the interface look nice, but to no avail.

Well done.
After making sure the application was clean I ran it on my personal system, specifically isolated from the network. What it does is quite simple: it only applies the Acrylic effect. There is no need to put the system at risk for that.
 

What I keep wondering is this: since Windows allows this for third-party software, if we wanted to use it this way ourselves, couldn't we do the transparency ourselves?
 
It does not allow it; the new builds of Windows 11 block software such as StartAllBack and MicaForEveryone.
 
