enSilo Terminates DLL Search Order Hijacking

In June 2018, Cybereason posted a blog about a malicious Dynamic-Link Library (DLL) file exhibiting behavior associated with credential theft. Their analysis found that the malicious DLL, MSVCR100.dll, was leveraging the DLL search-order hijacking technique to get itself loaded during the execution of unpack200.exe, an Oracle-verified Portable Executable (PE) file. Once loaded by the unpack200.exe process, MSVCR100.dll executes an embedded Mimikatz command line tool, in an effort to avoid detection by a typical security control.

 

Mimikatz is a very popular tool that is typically used for credential theft. Mimikatz is capable of extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory and can also perform pass-the-hash, pass-the-ticket or craft golden tickets. Threat actors typically use modified, packed and obfuscated versions of Mimikatz to avoid signature-based detection.

 

In this blog post, we’ll provide additional technical details about the malicious execution, including both dynamic and static analysis of the search order hijacking technique used by the DLL. Finally, we will demonstrate how the enSilo Endpoint Security Platform, with its post-infection protection, blocks the malicious actions in real time.

Technical Analysis

DLL Hijacking Vulnerable File – unpack200.exe

As mentioned, unpack200.exe is a signed and trusted Oracle PE file. The following are this file's static characteristics:

File Name:    unpack200.exe
File Hash:    ee50f0851106c66f462bbb10101d1ace08d95349 
File Size:    197152
Compile Time: 2016-06-22 08:29:52

The functionality of unpack200.exe is to unpack Java GZIP compressed JAR files into a Java Archive (JAR). During its initialization, this executable statically imports APIs from two DLL libraries (as shown in Figure 1):

  • Kernel32.dll – This DLL contains core functionality, such as access to and manipulation of memory, files and hardware.
  • MSVCR100.dll – The Microsoft Visual C++ Redistributable runtime DLL, needed by projects built with Visual Studio 2010.


Figure 1: Loading DLL libraries

Windows operating systems (OS) use a common method to look for the DLLs a program requires and load them. Adversaries may abuse this to achieve privilege escalation or persistence. The technique is called DLL Search Order Hijacking, and more on it can be found in Microsoft’s well-written documentation.

As unpack200.exe is vulnerable to this attack vector, we can see that in an ordinary execution the program loads msvcr100.dll from the Windows\System32 folder:


Figure 2: Loading msvcr100.dll

However, using the DLL search order hijacking technique causes the DLL to be loaded from the directory from which the application was launched, so the malicious DLL executes in the context of the unpack200.exe process, which is a verified and trusted program, as shown in Figure 3.


Figure 3: Loading malicious msvcr100.dll 

Thus, the legitimate unpack200.exe file could be used to run Mimikatz with any argument to evade detection.
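The loading behaviour described above is what a defender can look for in image-load telemetry: a well-known Microsoft DLL that resolves from the directory of the executable instead of System32. The following is an added example, written for this post and not enSilo's or Cybereason's code, that classifies constructed image-load records (shaped like what a Sysmon Event ID 7 feed provides). The directory and signer names it treats as expected are assumptions for a default install; app-local copies of the Visual C++ redistributable are legitimate and common, so a path outside System32 alone is only flagged when the copy is not Microsoft-signed.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Optional

# Directories from which a Windows system/redistributable DLL is expected to
# resolve. Assumption: default %SystemRoot% of C:\Windows; a production
# detector would read the real value from the host.
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Signer subject that a genuine copy of these DLLs carries (assumed exact match).
EXPECTED_SIGNER = "microsoft corporation"

# DLL names worth watching. msvcr100.dll is the one hijacked in the post;
# the others are illustrative additions.
WATCHED_DLLS = {"msvcr100.dll", "msvcr120.dll", "version.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load record (the shape an image-load event feed provides)."""
    process_image: str            # full path of the executable doing the load
    loaded_image: str             # full path of the DLL that was mapped
    signer: Optional[str] = None  # Authenticode signer subject; None if unsigned/invalid


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host via ntpath)."""
    return ntpath.normpath(path).lower()


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a finding for a suspicious load, or None when the load looks normal."""
    dll_dir, dll_name = ntpath.split(_norm(ev.loaded_image))
    if dll_name not in WATCHED_DLLS or dll_dir in EXPECTED_SYSTEM_DIRS:
        return None
    # Outside System32. App-local copies of the VC++ redistributable are
    # legitimate, so only an unsigned / non-Microsoft copy is high signal.
    if (ev.signer or "").lower() == EXPECTED_SIGNER:
        return None
    where = ("the application's own directory"
             if dll_dir == ntpath.dirname(_norm(ev.process_image))
             else f"unexpected directory {dll_dir}")
    signer = ev.signer or "unsigned"
    return (f"{ntpath.basename(ev.process_image)} loaded {dll_name} "
            f"from {where} (signer: {signer})")


def scan(events) -> list[str]:
    """Run classify() over a batch of records and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Normal: the redistributable resolves from System32.
    ImageLoad(r"C:\Tools\unpack200.exe",
              r"C:\Windows\System32\msvcr100.dll", "Microsoft Corporation"),
    # Legitimate app-local copy: outside System32 but still Microsoft-signed.
    ImageLoad(r"C:\Program Files\Java\jre8\bin\unpack200.exe",
              r"C:\Program Files\Java\jre8\bin\msvcr100.dll", "Microsoft Corporation"),
    # The pattern from the post: an unsigned copy sitting beside the executable.
    ImageLoad(r"C:\Users\victim\Downloads\unpack200.exe",
              r"C:\Users\victim\Downloads\MSVCR100.dll", None),
    # Not a watched DLL at all.
    ImageLoad(r"C:\Users\victim\Downloads\unpack200.exe",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Corporation"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the third record produces a finding. The signer check is what keeps the rule usable: without it, every product that ships its own copy of msvcr100.dll would trip the path test.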

Malicious Payload – MSVCR100.dll

At the time of writing this blog post, this malicious DLL file had a very low detection rate on VirusTotal, as shown in Figure 4.



Figure 4: Low Detection Rate

The following is this file's static characteristics:

File Name:     MSVCR100.DLL
File Hash:     24767bc051703eae10f7e093b37d6c52de31a069 
File Size:     969216
Compile Time:  2016-11-29 13:16:19

At the start of its execution, MSVCR100.dll checks whether it was loaded by unpack200.exe and, if not, terminates itself. This is an effective way to avoid detection by sandboxes, since running the DLL in the wrong context will not trigger any malicious activity.

This is shown within the code in Figure 5.


Figure 5: unpack200.exe Loading Confirmation

Once the DLL confirms that it was loaded by unpack200.exe, it uses an RC4 routine to decrypt its malicious content. This is the key used by the decryption routine: kasdjf;lajsd;lfjasopfjuoiawfo45464562930579dhsfhlashfkahsfklashfalsdfhladf21q3432f2d22.

This decryption process is shown in Figure 6.


Figure 6: Decryption process

If the decryption process succeeds and the newly decrypted memory area passes all PE header comparisons, the DLL builds the embedded Mimikatz and dynamically loads its libraries. This process is shown in Figure 7 and Figure 8.
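For an analyst, the two steps just described (RC4 decryption with the recovered key, then PE header validation of the result) are also the recipe for extracting the embedded payload statically for analysis. The following is an added example, not code from the post or the sample, that implements RC4 and the header checks a loader performs before trusting decrypted output ('MZ' at offset 0, a sane e_lfanew, 'PE\0\0' at e_lfanew). Because the real encrypted blob is not reproduced here, the example encrypts a constructed PE-header stub with the key quoted above and recovers it; the stub is a stand-in, not a runnable image.

```python
import struct
from typing import Optional

# RC4 key recovered from the sample, as quoted in the post.
RC4_KEY = (b"kasdjf;lajsd;lfjasopfjuoiawfo45464562930579dhsfhlashfkahsfklas"
           b"hfalsdfhladf21q3432f2d22")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Header comparisons a loader makes before trusting decrypted output:
    DOS 'MZ' signature, e_lfanew inside the buffer, 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(encrypted: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    """Decrypt and hand back the blob only if it validates as a PE image;
    a wrong key yields pseudo-random bytes that fail the header checks."""
    plain = rc4(key, encrypted)
    return plain if looks_like_pe(plain) else None


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for the embedded payload: a 0x100-byte buffer with
    a DOS header whose e_lfanew points at a PE signature. Not a real image."""
    e_lfanew = 0x80
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    ciphertext = rc4(RC4_KEY, build_fake_pe_stub())   # constructed, not the real blob
    print("wrong key  ->", recover_payload(ciphertext, b"not-the-key"))
    print("right key  ->", recover_payload(ciphertext)[:2])
```

The header validation is the useful part when carving a real sample: without it a wrong key or wrong offset still "decrypts" to something, and the MZ/PE checks are the cheapest way to tell noise from an image worth loading into a disassembler.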


Figure 7: Dynamic load libraries procedure



Figure 8: Strings related to the load library procedure


The malware then changes the permissions of the region meant to be executed to Read/Write/Execute (RWX), updates the Image Base in the Process Environment Block (PEB) and jumps to the Original Entry Point (OEP), as shown in Figure 9 and Figure 10.


Figure 9: Permission change and jump to the OEP



Figure 10: Original Entry Point

 

The MSVCR100.dll file contains an embedded, slightly modified Mimikatz 2.1.1 command line tool. The malware authors decided to remove the Mimikatz banner and to change the command line output from “mimikatz (command line)” to “bing (command line)”. Figure 11 presents the output for the command line:

"unpack200.exe privilege::debug sekurlsa::logonPasswords"


Figure 11: Malicious MSVCR100.dll output

enSilo Platform Protection

Figure 12 illustrates how the enSilo Endpoint Security Platform visualizes the entire attack chain from detection to prevention. Within the diagram you can see how, in real time, enSilo automatically classifies the attack as malicious, prevents any damage by blocking the malware at the point when it attempts to steal credentials from the victim’s machine, and terminates the attempt to exfiltrate data.

 


Figure 12: enSilo detecting and blocking the attack

FINAL NOTE

This blog post demystified the process by which a legitimate application such as unpack200.exe can be leveraged to load a malicious DLL via an attack such as DLL search order hijacking. That said, the most important part of this blog post shows how enSilo post-infection protection is capable of detecting, blocking and preventing attacks of this nature from executing successfully on victims’ systems.

Indicators of Compromise:

File Name:     unpack200.exe
File Hash:     ee50f0851106c66f462bbb10101d1ace08d95349
File Size:     197152
Compile Time:  2016-06-22 08:29:52

File Name:     MSVCR100.DLL
File Hash:     24767bc051703eae10f7e093b37d6c52de31a069
File Size:     969216
Compile Time:  2016-11-29 13:16:19
