Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

The Malware Hiding in Your Windows System32 Folder: Certutil and Alternate Data Streams

We don’t like to think that the core Window binaries on our servers are disguised malware, but it’s not such a strange idea. OS tools such as regsrv32 and mshta...
Michael Buckbee
3 min read
Published June 14, 2018
Last updated August 19, 2022

We don’t like to think that the core Window binaries on our servers are disguised malware, but it’s not such a strange idea. OS tools such as regsrv32 and mshta (LoL-ware) are the equivalent in the non-virtual world of garden tools and stepladders left near the kitchen window. Sure these tools are useful for work around the yard, but unfortunately they can also be exploited by the bad guys.

For example HTML Application or HTA, which I wrote about last time.  At one point, it was a useful development tool that allowed IT people to leverage HTML and JavaScript or VBScript to create webby apps (without all the browser chrome). That was back in the early ‘aughts.

Get the Free Pentesting Active
Directory Environments E-Book

Microsoft no longer supports HTA, but they left the underlying executable, mshta.exe, lying around on Windows’ virtual lawn – the Windows\System32 folder.

And hackers have only been too eager to take advantage of it. To make the matters worse, on far too many Windows installations, the .hta file extension is still associated with mshta. A phishmail victim who receives an .hta file attachments,  will automatically launch the app if she clicks on it.

Of course, you’ll have to do more than just disassociate the .hta extension to stop all attacks — see, for example, the Windows Firewall mitigation in the previous post. For kicks, I tried directly executing an .hta file using mshta, and you can see the results below:

mshta direct

Still crazy after all these years: mshta .and .hta

It worked fine.

In a hacking scenario where the attacker is already on the victim’s computer, she could download the next phase using say curl, wget, or PowerShell’s DownloadString, and then run the embedded JavaScript with mshta.

But hackers are far too smart to reveal what they’re doing through obvious file transfer commands! The whole point of living off the land using existing Windows binaries is to hide activities.

Certutil and Curl-free Remote Downloading

This leads to certutil, which is yet another Windows binary that serves dual purposes. Its function is to dump, display, and configure certification authority (CA) information. You can read more about it here.

In 2017, Casey Smith, the same infosec researcher who told us about the risks in regsrv32, found a dual use for certutil. Smith noticed that certutil can be used to download a remote file.

certutil

It’s a certification tool. No, it’s a stealthy way to download malware. Certutil is both!

This is not completely surprising since certutil has remote capabilities, but it’s clearly not checking the format of the file — effectively turning certutil into LoL-ware version of curl.

As it turns out, hackers were way ahead of the researchers. It was reported that Brazilians have been using certutil for some time.

So if hackers obtain shell access through, say, an SQL injection attack, they can use certutil to download, say, a remote PowerShell script to continue the attack — without triggering any virus or malware scanners searching for obvious hacking tools.

Hiding Executables With Alternate Data Streams (ADS)

Can the attackers get even stealthier? Unfortunately, yes!

The amazingly clever Oddvar Moe has a great post on Alternate Data Streams, and how it can be used to hide malware scripts and executables in a file.

ADS was Microsoft’s answer to supporting compatibility with Apple McIntosh’s file system. In the Mac word, files have a lot of metadata in addition to regular data associated with them. To make it possible to store this metadata in Windows, Microsoft created ADS.

For example, I can do something like this:

ADS

Omg , I directed text into a file and the file size didn’t change! Where did it go? It’s in ADS. #stealthy

On a first review, it might look like I’m directing the text of my .hta file into “stuff.txt”.

Take a closer look at the above screenshot, and notice the “:evil.ps1” that’s tacked on. And then shift your focus to the size of “stuff.txt”: it remains at 0 bytes!

What happened to the text I directed into the file? It’s hidden in the ADS part of the Windows file system. It turns out that I can directly run scripts and binaries that are secretly held in the ADS part of the file system.

And One More Thing

We’ll take a deeper dive into ADS next time. The larger point is the high-level of stealthiness one can achieve with the LoL approach to hacking. There are other binaries that serve dual masters, and you can find a complete list of them on github.

For example, there is a class of Windows binaries — for example, esentutil, extrac32, and others — that acts as a file copy tool. In other words, the attackers don’t have to necessarily reveal themselves by using the obvious Windows “copy” command.

So security detection software that’s based on scanning the Windows Event log looking for the usual Windows file commands will miss sneaky LoL-based hacker file activity.

The lesson is that you need, ahem, a security platform that can analyze the raw file system activity to determine what’s really going on. And then notify your security team when it detects unusual access to the underlying files and directories.

Does the Lol-ware approach to hacking scare you, just a little? Our Varonis Data Security Platform can spot what the hackers don’t want you to see. Lean more!

 

 

 

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

the-malware-hiding-in-your-windows-system32-folder:-more-alternate-data-streams-and-rundll32
The Malware Hiding in Your Windows System32 Folder: More Alternate Data Streams and Rundll32
Last time, we saw how sneaky hackers can copy malware into the Alternate Data Stream (ADS) associated with a Windows file. I showed how this can be done with the...
the-malware-hiding-in-your-windows-system32-folder:-mshta,-hta,-and-ransomware
The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
The LoL approach to hacking is a lot like the “travel light” philosophy for tourists. Don’t bring anything to your destination that you can’t find or inexpensively purchase once you’re…
the-malware-hiding-in-your-windows-system32-folder:-more-rundll32-and-lol-security-defense-tips
The Malware Hiding in Your Windows System32 Folder: More Rundll32 and LoL Security Defense Tips
When we left off last, I showed how it’s possible to run VBScript directly from mshta. I can play a similar trick with another LoL-ware binary, our old friend rundll32....
the-malware-hiding-in-your-windows-system32-folder:-intro-to-regsvr32
The Malware Hiding in Your Windows System32 Folder: Intro to Regsvr32
In our epic series on Malware-Free Hacking, I wrote about techniques that let you use well-known Microsoft apps and tools to run evil custom scripts. This file-less hack-craft usually involves sneaking...