Saturday, December 14, 2024
HomeInfosec- ResourcesHackers Increasing the use of "Command Line Evasion and Obfuscation" to...

Hackers Increasing the use of “Command Line Evasion and Obfuscation” to Spread Advance Level Threats

Published on

SIEM as a Service

Advance level threats are increasing day by day and attackers using more Sophisticated Techniques to bypass the Detection. Evasion and obfuscation technique give more pain to Researchers in 2017 Compare to previous years.

Command line evasion and obfuscation are the most used technique among many numbers of advance level attacks which are increased its use by attackers with their phishing and Malware attacks.

Malicious hackers use Fileless malware to achieve stealth, privilege escalation, to gather sensitive information and achieve persistence in the system, so the malware infection can continue to carry on its effect for a longer period of time.

- Advertisement - SIEM as a Service

More over sometime VB Script code aslo has highly obfuscated and it developed to evade the sandbox Detection and its make Difficult to understand

It used to create with Advanced level obfuscation to bypass both static and dynamic analysis method and attacker always on step ahead from  signature-based detection methods.

Also Read  Creating and Analyzing a Malicious PDF File with PDF-Parser Tool

Environment Variable Attack by Advance Level Threats

An earlier time of 2017 ,FIN8 malware received command using standard input to evade detection based on process command line arguments by using environment variables paired with Power Shell.

Powers hell command that ends with Dash “-“ ,that will Execute the command by using standard input (Stdin) and the only dash will appear in powershell.exe’s command line arguments.

FIN8 environment variable commands extracted (Source: FireEye)

According to FireEye , In the February 2017 phishing document “COMPLAINT Homer Glynn.doc” (MD5: cc89ddac1afe69069eb18bac58c6a9e4tt), the file contains a macro that sets the PowerShell command in one environment variable(_MICROSOFT_UPDATE_CATALOG) and then the string “powershell -” in another environment variable (MICROSOFT_UPDATE_SERVICE).

Evasion and obfuscation detection’s based parent-child process relationships. FIN8 crafted this macro to use WMI to spawn the “cmd.exe” execution.

Therefore, WinWord.exe never creates a child process, but the process tree looks like: wmiprvse.exe > cmd.exe > powershell.exe. 

Also Read  Most important considerations with Malware Analysis Cheats And Tools list

Application whitelisting Bypass

To stay away from many Detection techniques and Defenders, Attackers using extra layers of obfuscation by new application whitelisting bypass techniques.

According to FireEye , The regsvr32.exe  application whitelisting bypass exploit done by few Groups

  1. APT19 in their 2017 campaign against law firms
  2. The cyber espionage group APT32 heavily obfuscates their backdoors and scripts
  3. Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017
Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.

APT32 used cmd.exe obfuscation techniques to attempt to break signature-based detection of this argument ,Instead of using the argument /i:https for the regsvr32.exe bypass.

FireEye Identified New obfuscation Technique in both JavaScript and cmd.exe levels and perform the initial infection, it hiding shortcut files (LNK files) in their DOCX and RTF phishing documents. Read more here for complete Analyse.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...