Malware Families Adapting To COM Hijacking Technique For Persistence


COM (Component Object Model) hijacking is a technique in which threat actors abuse the core architecture of Windows by adding a new value under a registry key associated with a COM object, so that the system loads the attacker's component in place of the legitimate one.

This allows the threat actors to achieve both persistence and privilege escalation on target systems.

Several malware families have been found using this technique to abuse COM objects.

Researchers at VirusTotal have discovered many samples of this kind of malware since 2023.

According to the reports shared with Cyber Security News, threat actors also abused several COM objects for persistent access to the compromised systems.


Some of the malware families that abuse a CLSID (Class ID) for this technique are:

  • Berbew
  • RATs
  • RATs with vulnerabilities
  • Adware

Berbew

This is one of the main malware families that abused this COM technique for persistence. The family focuses on stealing credentials and exfiltrating them to C2 servers.

Several samples of this family used a second registry key for persistence by abusing the COM objects below:

  • {79ECA078-17FF-726B-E811-213280E5C831}
  • {79FEACFF-FFCE-815E-A900-316290B5B738}
  • {79FAA099-1BAE-816E-D711-115290CEE717}

RATs

Most of the Remote Access Trojans (RATs) that abused COM objects, such as RemcosRAT and AsyncRAT, used the CLSID {89565275-A714-4a43-912E-978B935EDCCC}.

Other RATs, such as BitRAT and SugarGh0st RAT, were also observed using the technique.

In the majority of cases, the DLL loaded by these malware families was dynwrapx.dll.

Some other malware types, such as the XiaoBa ransomware, used the same technique with the same DLL for ransomware deployment.

RATs w/ Vulnerabilities

While some RATs abused COM objects without any vulnerability, others combined the technique with an exploit: the DarkMe RAT, for example, used CVE-2024-21412 (an Internet Shortcut Files security feature bypass) to compromise systems.

Multiple CLSID Usage

In some cases, the malware families used more than one CLSID for this COM hijacking technique.

The samples of these malware families also turned off the Windows Firewall and UAC to perform additional actions during the infection stages.

One example is the Allaple worm family, which hijacked several COM objects and pointed them at a malicious DLL during execution.

Allaple worm (Source: VirusTotal)

Adware

Citrio, an adware developed by the Catalina group, uses the COM object hijacking technique for persistence in its recent version.

The adware drops several malicious DLLs disguised as Google Update; these DLLs are able to install services on the system.

All of these malware families use different execution and drop folders for their payloads. Some of the most common folders used by these malware are:

  • qmacro
  • mymacro
  • MacroCommerce
  • Plugin
  • Microsoft

Adware (Source: VirusTotal)

Indicators Of Compromise

CLSID – COM Objects


Common Paths Used During COM Object Persistence (the user profile name is shown as <user>)

  • C:\Users\<user>\AppData\Roaming
  • C:\Users\<user>\AppData\Roaming\qmacro
  • C:\Users\<user>\AppData\Roaming\mymacro
  • C:\Users\<user>\AppData\Roaming\MacroCommerce
  • C:\Users\<user>\AppData\Roaming\Plugin
  • C:\Users\<user>\AppData\Roaming\Microsoft
  • C:\Windows\SysWow64
  • C:\Program Files (x86)
  • C:\Program Files (x86)\Google
  • C:\Program Files (x86)\Mozilla Firefox
  • C:\Program Files (x86)\Microsoft
  • C:\Program Files (x86)\Common Files
  • C:\Program Files (x86)\Internet Download Manager
  • C:\Users\<user>\AppData\Local
  • C:\Users\<user>\AppData\Local\Temp
  • C:\Users\<user>\AppData\Local\Microsoft
  • C:\Users\<user>\AppData\Local\Google
  • C:\Windows\Temp
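The registry shape described at the top of the article (a per-user CLSID entry that redirects a COM object to a DLL in a user-writable folder) can be audited on a host. The following PowerShell is an added example, not code from the article or from VirusTotal; it assumes it runs in the context of the user being reviewed, and the folder names and the dynwrapx.dll file name are taken from the article's own indicators.

```powershell
# Added example: enumerate per-user COM registrations and flag hijack candidates.
# Assumption: the folder fragments and DLL name below come from the article's IoC lists.
$suspectDirs = @('\AppData\Roaming\qmacro', '\AppData\Roaming\mymacro',
                 '\AppData\Roaming\MacroCommerce', '\AppData\Roaming\Plugin',
                 '\AppData\Local\Temp', '\Windows\Temp')
$suspectDll  = 'dynwrapx.dll'

Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = Join-Path $_.PSPath 'InProcServer32'
    if (-not (Test-Path $server)) { return }

    # The (default) value of InProcServer32 is the DLL that COM will load for this CLSID.
    $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) { return }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)

    $reasons = @()
    # HKCU is consulted before HKLM, so a per-user entry that shadows a
    # machine-wide registration is the classic COM hijack shape.
    if (Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InProcServer32") {
        $reasons += 'shadows HKLM registration'
    }
    # Server DLL lives in one of the user-writable drop folders named in the article.
    foreach ($d in $suspectDirs) {
        if ($dll -like "*$d*") { $reasons += "path under $d" }
    }
    if ((Split-Path $dll -Leaf) -ieq $suspectDll) { $reasons += "loads $suspectDll" }
    # A dangling entry is worth a look too: the DLL may have been cleaned up or not yet dropped.
    if (-not (Test-Path $dll)) { $reasons += 'DLL missing on disk' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ CLSID = $clsid; Server = $dll; Reasons = ($reasons -join '; ') }
    }
} | Format-Table -AutoSize
```

Any hit that shadows an HKLM registration should be compared against the machine-wide InProcServer32 value before it is treated as malicious, since a few legitimate installers also register per-user COM servers.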
