Hackers Exploit COM Objects for Fileless Malware and Lateral Movement

Security researchers Dylan Tran and Jimmy Bayne have unveiled a new fileless lateral movement technique that exploits trapped Component Object Model (COM) objects in Windows systems.

This method, based on research by James Forshaw of Google Project Zero, allows attackers to execute .NET managed code in the context of a server-side Distributed COM (DCOM) process.

The technique involves manipulating the Windows Registry to hijack the StdFont object and redirect it to instantiate System.Object from the .NET Framework.

By leveraging the IDispatch interface and performing .NET reflection over DCOM, attackers can load arbitrary .NET assemblies into the COM server without leaving any files on disk.

Implications for Cybersecurity

This new attack vector presents significant challenges for defenders.

The fileless nature of the technique makes it difficult to detect using traditional file-based security measures.

Additionally, the abuse of legitimate Windows components like COM and DCOM may allow attackers to bypass certain security controls.

The researchers demonstrated the technique’s effectiveness by creating a proof-of-concept tool called ForsHops.exe.

According to the Report, this tool can establish a remote connection to a target machine, manipulate the necessary registry keys, and execute malicious code within a Protected Process Light (PPL) svchost.exe process.

One limitation of the current implementation is that the malicious payload’s lifetime is tied to the COM client process.

When ForsHops.exe exits or cleans up its COM references, the remote payload also terminates.

The researchers attempted various solutions to this issue but noted that further improvements could be made.

Defensive Recommendations

To mitigate this threat, security professionals should implement several defensive measures.

These include monitoring for CLR load events within the WaaSMedicSvc svchost.exe process, detecting registry manipulations related to the StandardFont CLSID, and hunting for enabled OnlyUseLatestCLR and AllowDCOMReflection values in the .NETFramework registry key.

Additionally, organizations should consider restricting DCOM ephemeral port access where possible using host-based firewalls.

The researchers also provided a YARA rule to detect the standard ForsHops.exe executable, which can be integrated into existing security tools.

As this technique demonstrates, attackers continue to find innovative ways to exploit Windows components for malicious purposes.

Security teams must stay vigilant and adapt their defenses to address these evolving threats.

By implementing the recommended controls and maintaining awareness of such advanced techniques, organizations can better protect themselves against fileless malware and lateral movement attacks.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.