The Adventures of Elusive Malware, Part IV: DDE and Word Document Fields


This article is part of the Fileless Malware series. All other parts of the series:

In this article I intended to dive into a still more complex multi-stage fileless attack scenario with persistence on the system. But then I came across a surprisingly simple attack that needs no code at all - no Word or Excel macros required! And that confirms even more strongly my original thesis underlying this series of articles: breaching an organization's outer perimeter is not a hard task at all.

The first attack I'll describe exploits a Microsoft Word vulnerability based on the outdated Dynamic Data Exchange (DDE) protocol. It has already been patched. The second exploits a more general weakness in Microsoft COM and its object-passing facilities.

Back to the future with DDE

Does anyone remember DDE? Probably not many. It was one of the first inter-process communication protocols, and it let applications and devices exchange data.

I know a little about it myself because I used to test and evaluate telecom equipment. Back then, DDE allowed, for example, call-center operators to pass the caller's ID to a CRM application, which then opened the customer card. To make that work, you connected an RS-232 cable between your phone and your computer. Those were the days!

As it turns out, Microsoft Word still supports DDE.

What makes this attack codeless is that you can reach the DDE protocol directly from automatic fields in a Word document (hats off to SensePost for researching and publishing it).

Field codes are another ancient MS Word feature that lets you add dynamic text and a bit of programming to a document. The most obvious example is the page number field, which can be placed in the footer with the value { PAGE \* MERGEFORMAT }. It makes the page numbers generate automatically.

Note: you can find the Field menu under Insert.

I remember being amazed when I first discovered this in Word. And until the patch disabled it, Word still supported the DDE field option. The idea was that DDE would let Word communicate directly with an application so that it could pass that program's output into a document. It was very new technology at the time - support for data exchange with external applications. It later grew into COM technology, which we'll also look at below.

Eventually, hackers realized that this DDE application could be the command shell, which launches PowerShell, and from there they could do whatever they wanted.
The screenshot below shows how I used this stealth technique: a small PowerShell script (hereafter PS) in the DDE field loads another PS script, which kicks off the second phase of the attack.

Thanks to Windows for the pop-up warning that the built-in DDEAUTO field is covertly trying to launch a shell

The preferred way to exploit the vulnerability is a variant with the DDEAUTO field, which runs the script automatically when the Word document is opened.
Let's think about what we could do with this.
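The DDE and DDEAUTO field codes discussed above can be found by inspecting the document statically, without opening it in Word. The following scanner is an added example, not code from the article or from SensePost: it unzips a .docx, joins the field instruction runs in every part (body, headers, footers, notes), reports DDE/DDEAUTO fields, and tells whether the document forces all fields to refresh on open. The sample document is constructed inline; the application and topic names in its field are placeholders, not a working payload.

```python
"""Static scan of a .docx for DDE / DDEAUTO field codes.

Added example. A .docx is a zip of XML parts; Word field instructions live
either in <w:fldSimple w:instr="..."> or, for complex fields, in
<w:instrText> runs between <w:fldChar w:fldCharType="begin"/> and "end".
One instruction is frequently split over several instrText runs, so the
runs must be joined before matching. The sample package below is
constructed for this example and carries placeholder field values.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag: str) -> str:
    """Qualify a tag or attribute name with the WordprocessingML namespace."""
    return f"{{{W}}}{tag}"


# Word matches the keyword case-insensitively and tolerates leading blanks.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes) -> list[str]:
    """Return every field instruction in one XML part, in document order."""
    root = ET.fromstring(part_xml)
    codes = [f.get(w("instr"), "") for f in root.iter(w("fldSimple"))]
    depth, buf = 0, []
    for el in root.iter():                  # depth-first == document order
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:              # outermost field closed
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == w("instrText") and depth > 0:
            buf.append(el.text or "")       # result text uses w:t, not instrText
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[tuple[str, str]]:
    """(part name, normalised field code) for each DDE/DDEAUTO field.

    Headers, footers and notes are scanned too: a field in a footer fires
    exactly like one in the body.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml", name):
                continue
            for code in field_codes(zf.read(name)):
                if DDE_RE.match(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def updates_fields_on_open(docx_bytes: bytes) -> bool:
    """True when word/settings.xml contains <w:updateFields w:val="true"/>,
    which makes Word refresh every field, DDE included, as the file opens."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/settings.xml" not in zf.namelist():
            return False
        root = ET.fromstring(zf.read("word/settings.xml"))
    el = root.find(w("updateFields"))
    # Per OOXML, an on/off element with no w:val attribute means "on".
    return el is not None and el.get(w("val"), "true").lower() in ("true", "1", "on")


def build_sample_docx() -> bytes:
    """Constructed minimal package: a DDEAUTO field split over two instrText
    runs in the body, a harmless PAGE field in the footer, and settings that
    force field updates on open. sample-app / sample-topic are placeholders."""
    body = f'''<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DDEAUTO sample-app </w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">sample-topic </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>cached field result</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''
    footer = f'''<?xml version="1.0" encoding="UTF-8"?>
<w:ftr xmlns:w="{W}"><w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p></w:ftr>'''
    settings = f'''<?xml version="1.0" encoding="UTF-8"?>
<w:settings xmlns:w="{W}"><w:updateFields w:val="true"/></w:settings>'''
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/footer1.xml", footer)
        zf.writestr("word/settings.xml", settings)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for part, code in find_dde_fields(doc):
        print(f"{part}: {code}")
    print("updateFields on open:", updates_fields_on_open(doc))
```

To check a real file, pass its bytes to `find_dde_fields` in place of `build_sample_docx()`. The split-run case matters in practice: matching each `instrText` on its own would miss an instruction whose keyword and arguments sit in different runs.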

As a novice hacker, you could, for example, send a phishing email pretending to be from the Federal Tax Service and embed a DDEAUTO field with the PS script for the first stage (essentially a dropper). And you wouldn't have to do any real coding of macros and the like, as I did in the previous article.
The victim opens your document, the embedded script activates, and the hacker is inside the computer. In my case, the remote PS script merely prints a message, but it could just as easily launch the PS Empire client, which would provide remote shell access.
And before the victim has time to say a word, the hackers will be the richest teenagers in the village.

The shell is launched without a line of code. Even a child could do it!

DDE and fields

Microsoft later disabled DDE in Word, but not before the company stated that the feature was merely being misused. Their reluctance to change anything is understandable. In my own experience, I have seen a case where updating fields on document open was enabled while Word macros were disabled by IT (with a warning shown). By the way, you can find the corresponding settings in Word's options.

However, even when field updating is enabled, Microsoft Word additionally warns the user when a field requests access to remote data, as with DDE above. Microsoft does warn you.

But most likely users will still ignore this warning and enable field updates in Word. This is one of those rare occasions to thank Microsoft for disabling the dangerous DDE feature.

How hard is it to find an unpatched Windows today?

For this test, I used AWS Workspaces to get access to a virtual desktop. That way I got a virtual machine with an unpatched MS Office that let me insert the DDEAUTO field. I have no doubt that you could just as easily find other companies that still have not installed the necessary security patches.

The mystery of objects

Even if you have installed this patch, there are other security holes in MS Office that let hackers do something very similar to what we did with Word. In the next scenario we'll learn to use Excel as bait for a phishing attack without writing code.

To understand this scenario, let's recall the Microsoft Component Object Model, or COM for short.

COM has been around since the 1990s and is defined as a "language-neutral, object-oriented component model" based on RPC remote procedure calls. For a general grasp of COM terminology, read this post on StackOverflow.

Basically, you can think of a COM application as an Excel or Word executable, or some other binary that runs.

It turns out a COM application can also run scripts - JavaScript or VBScript. Technically this is called a scriptlet. You may have seen the .sct file extension on Windows - that is the official extension for scriptlets. Essentially, they are script code in an XML wrapper:

<?XML version="1.0"?>

<scriptlet>
<registration
description="test"
progid="test"
version="1.00"
classid="{BBBB4444-0000-0000-0000-0000FAADACDC}"
remotable="true">
</registration>
<script language="JScript">
<![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("cmd /k powershell -c Write-Host You have been scripted!");

]]>
</script>
</scriptlet>
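Because a scriptlet is plain XML, a wrapper like the one above can be triaged statically before anything executes it. The following analyser is an added example, not code from the article: it normalises the upper-case `<?XML` declaration that strict parsers reject, reads the registration attributes (progid, classid, remotable), lists the script engines the file invokes, and flags script bodies that reach for WScript.Shell or similar automation objects. The sample scriptlet is constructed inline; its progid, classid and command string are placeholders.

```python
"""Static triage of a Windows scriptlet (.sct) file.

Added example. Parses the XML wrapper described in the article and reports
what a defender wants to know before the file is ever run: how it
registers itself, which script engines it uses, and whether the embedded
code reaches for process-spawning automation objects. SAMPLE_SCT is
constructed for this example; its classid and command are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Substrings in a script body that indicate it wants to spawn processes or
# drive the host rather than merely compute something.
SUSPICIOUS = ("ActiveXObject", "WScript.Shell", "Shell.Application",
              ".Run(", "CreateObject", "powershell", "cmd ")


def normalise_declaration(text: str) -> str:
    """Scriptlets seen in the wild often open with <?XML version="1.0"?>.
    An upper-case target is not a legal XML declaration and strict parsers
    reject it, while the Windows scriptlet host accepts it; lower-case it
    (and drop any leading blanks) so the file can be parsed."""
    return re.sub(r"^\s*<\?XML\b", "<?xml", text, count=1)


def analyse_scriptlet(text: str) -> dict:
    """Return registration details, per-script findings and an overall verdict."""
    root = ET.fromstring(normalise_declaration(text))
    if root.tag.lower() != "scriptlet":
        raise ValueError(f"not a scriptlet: root element is <{root.tag}>")
    reg = root.find("registration")
    info = {
        "progid": reg.get("progid") if reg is not None else None,
        "classid": reg.get("classid") if reg is not None else None,
        # remotable="true" lets the object be created from another machine
        "remotable": reg is not None and reg.get("remotable", "false").lower() == "true",
        "scripts": [],
    }
    for script in root.findall("script"):
        body = script.text or ""            # CDATA content arrives as plain text
        lowered = body.lower()
        info["scripts"].append({
            "language": script.get("language", "(unspecified)"),
            "lines": len([ln for ln in body.splitlines() if ln.strip()]),
            "indicators": sorted({s for s in SUSPICIOUS if s.lower() in lowered}),
        })
    info["suspicious"] = any(s["indicators"] for s in info["scripts"])
    return info


# Constructed sample modelled on the article's listing; classid is all zeros
# and the command only echoes text.
SAMPLE_SCT = """<?XML version="1.0"?>
<scriptlet>
<registration
    description="constructed sample"
    progid="Sample.Scriptlet"
    version="1.00"
    classid="{00000000-0000-0000-0000-000000000000}"
    remotable="true">
</registration>
<script language="JScript">
<![CDATA[
  // constructed placeholder body
  var r = new ActiveXObject("WScript.Shell").Run("cmd /k echo constructed sample");
]]>
</script>
</scriptlet>
"""

# Constructed benign counterpart: no automation objects at all.
BENIGN_SCT = """<?xml version="1.0"?>
<scriptlet>
<registration progid="Sample.Benign" classid="{00000000-0000-0000-0000-000000000001}"/>
<script language="VBScript">
<![CDATA[
  x = 1 + 1
]]>
</script>
</scriptlet>
"""

if __name__ == "__main__":
    for name, sct in (("sample", SAMPLE_SCT), ("benign", BENIGN_SCT)):
        report = analyse_scriptlet(sct)
        print(name, "->", "SUSPICIOUS" if report["suspicious"] else "clean")
        for s in report["scripts"]:
            print("  ", s["language"], s["lines"], "lines, indicators:", s["indicators"])
```

The indicator list is a triage aid, not a verdict: a scriptlet that only computes values will report nothing, while one that instantiates `WScript.Shell`, as the article's example does, is flagged before any engine interprets it.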

Hackers and pentesters have found that there are individual utilities and applications in Windows that accept COM objects and, accordingly, scriptlets as well.

I can pass a scriptlet to a Windows utility written in VBS called pubprn. It lives deep in C:\Windows\System32\Printing_Admin_Scripts. By the way, there are other Windows utilities that accept objects as parameters. Let's look at this example first.

It's quite remarkable that a shell can be launched even from a printing script. Way to go, Microsoft!

As an experiment, I created a very simple scriptlet that launches a shell and prints the funny message "You have been scripted!". Essentially, pubprn instantiates a scriptlet object, which lets the VBScript code run the wrapper. This method gives a clear advantage to hackers who want to get in and hide in your system.

In the next article I'll describe how hackers can use COM scriptlets by means of Excel spreadsheets.

For homework, watch this video from Derbycon 2016, which explains exactly how hackers use scriptlets. And also read this article about scriptlets and some monikers.

Source: www.hab.com
