{"id":11724,"date":"2018-03-13T15:47:05","date_gmt":"2018-03-13T23:47:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/13\/news-5494\/"},"modified":"2018-03-13T15:47:05","modified_gmt":"2018-03-13T23:47:05","slug":"news-5494","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/13\/news-5494\/","title":{"rendered":"Hancitor: fileless attack with a DLL copy trick"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Tue, 13 Mar 2018 16:00:00 +0000<\/strong><\/p>\n

This article was authored by David S\u00e1nchez, Micka\u00ebl Roger, and J\u00e9r\u00f4me Segura<\/em><\/p>\n

During the past few years, malicious spam campaigns have proven to be one of the most efficient infection vectors, in part due to a combination of social engineering and a regular number of Office vulnerabilities.<\/p>\n

The interesting aspect about social engineering is that it capitalizes on the user\u2019s poor decision to execute code that would have been much harder to inject, or that could have been caught by security solutions otherwise. In other words, letting victims do the work remains an effective means for attackers to compromise endpoints.<\/p>\n

We recently came across an interesting attack vector brought to us courtesy of a fresh Hancitor (a payload delivery piece of malware) spam run where users are tricked to download a fake Paypal invoice laced with malicious code.<\/p>\n

\"\"<\/a><\/p>\n

Hancitor has had a clever delivery mechanism that allows for fileless infections. A blog post from Morphisec<\/a> in 2016 already detailed a technique via process hollowing that allowed it to bypass security products.<\/p>\n

While this latest attack also shares the same process hollowing technique, it performs different actions to subvert hook protections, and ultimately results in infections that are harder to detect.<\/p>\n

Overview<\/h3>\n

The attack involves making a copy of the kernel32.dll library, which exposes some of the most important Windows APIs, in order to create a new malicious process via this innocuous copy. As we will see, this simple trick bypasses Ring 3 hook protections.<\/p>\n

\"\"<\/a><\/p>\n

Technical analysis<\/h3>\n

The Word macro decodes the first stage of the payload and then calls the NtAllocateVirtualMemory<\/strong> API to copy the decoded code to a newly allocated memory area. Then, the macro takes the pointer to that code and calls the CreateTimerQueueTimer<\/strong> API so that the malicious code will be executed directly in memory.<\/p>\n

By setting a breakpoint there, we can catch the payload before it executes:<\/p>\n

\"\"<\/a><\/p>\n

The payload then gets the address of the ntdll.ldrLoadDll<\/strong> API and calls it to get the handle of the kernel32.dll<\/strong> and psapi.dll<\/strong> libraries, the latter being used to obtain information on the status of processes and drivers.<\/p>\n

\"\"<\/a><\/p>\n

It then finds the addresses of the following APIs:<\/p>\n