Wednesday, March 26, 2025

Hackers Exploit COM Objects for Fileless Malware and Lateral Movement


Security researchers Dylan Tran and Jimmy Bayne have unveiled a new fileless lateral movement technique that exploits trapped Component Object Model (COM) objects on Windows systems.

This technique, based on research by James Forshaw of Google Project Zero, allows attackers to execute .NET managed code in the context of a server-side Distributed COM (DCOM) process.

The technique involves manipulating the Windows Registry to hijack the StdFont object and redirect it to instantiate System.Object from the .NET Framework.

[Figure: System.Object class instantiation flow]

By leveraging the IDispatch interface and performing .NET reflection over DCOM, attackers can load arbitrary .NET assemblies into the COM server without leaving any files on disk.

Implications for Cybersecurity

This new attack vector presents significant challenges for defenders.

The fileless nature of the technique makes it difficult to detect using traditional file-based security measures.

Additionally, the abuse of legitimate Windows components like COM and DCOM may allow attackers to bypass certain security controls.

The researchers demonstrated the technique's effectiveness by creating a proof-of-concept tool called ForsHops.exe.

[Figure: ForsHops.exe execution]

According to the report, this tool can establish a remote connection to a target machine, manipulate the necessary registry keys, and execute malicious code inside a Protected Process Light (PPL) svchost.exe process.

One limitation of the current implementation is that the malicious payload's lifetime is tied to the COM client process.

When ForsHops.exe exits or cleans up its COM references, the remote payload also terminates.

The researchers tried various solutions to this issue but noted that further improvements could be made.

Defensive Recommendations

To mitigate this threat, security professionals should implement several defensive measures.

These include monitoring for CLR load events within the WaaSMedicSvc svchost.exe process, detecting registry manipulations related to the StandardFont CLSID, and hunting for enabled OnlyUseLatestCLR and AllowDCOMReflection values in the .NETFramework registry key.

Additionally, organizations should consider restricting DCOM ephemeral port access where possible using host-based firewalls.

The researchers also provided a YARA rule to detect the standard ForsHops.exe executable, which can be integrated into existing security tools.
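The following PowerShell script is an added example of how a defender might hunt for the three registry and CLR-load indicators listed above; it is not code from the report or from the researchers. It assumes it is run as an Administrator on the host under review, that Sysmon is installed with image-load (Event ID 7) logging enabled for the CLR check, and that the operator supplies the StdFont CLSID themselves (the value below is a placeholder). The mscoree.dll heuristic in the CLSID check is an assumption: a native COM class whose server is the .NET COM shim is unusual and worth review.

```powershell
# Added example (not from the original report): hunting checks for the
# ForsHops-style COM hijack described above.
# Assumptions: run as Administrator; Sysmon with Event ID 7 (image load)
# logging enabled; the StdFont CLSID supplied by the operator.

function Get-DotNetReflectionSettings {
    # The .NETFramework key exists in both the native and WOW64 views on x64.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $k = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        foreach ($name in 'OnlyUseLatestCLR', 'AllowDCOMReflection') {
            $value = $k.$name
            [pscustomobject]@{
                Path       = $p
                Name       = $name
                Value      = $value
                Suspicious = ($value -eq 1)   # neither value is normally enabled
            }
        }
    }
}

function Get-ClsidOverrides {
    param(
        # Placeholder: replace with the StdFont/StandardFont CLSID from your
        # own reference data before use.
        [string]$Clsid = '{PLACEHOLDER-STDFONT-CLSID}'
    )
    # A per-user Classes entry shadowing a machine-wide class, or a TreatAs
    # redirect, are the registry manipulations the report describes.
    $locations = @(
        "HKCU:\Software\Classes\CLSID\$Clsid",
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path $loc)) { continue }
        $treatAs = (Get-ItemProperty -Path "$loc\TreatAs" -ErrorAction SilentlyContinue).'(default)'
        $inproc  = (Get-ItemProperty -Path "$loc\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Location   = $loc
            TreatAs    = $treatAs
            Server     = $inproc
            # Heuristic (assumption): HKCU override, any TreatAs, or a .NET shim
            # (mscoree.dll) serving a native class all merit review.
            Suspicious = ($loc -like 'HKCU:*') -or ($null -ne $treatAs) -or ($inproc -match 'mscoree\.dll')
        }
    }
}

function Get-SvchostClrLoads {
    param([int]$Hours = 24)
    # Sysmon Event ID 7 = image loaded. Flag the CLR (clr.dll / mscoree.dll)
    # being mapped into any svchost.exe, then map the PID to its service so
    # WaaSMedicSvc hosts stand out. PID-to-service mapping is done at query
    # time, so it is only reliable for processes that are still running.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Image -match '\\svchost\.exe$' -and $d.ImageLoaded -match '\\(clr|mscoree)\.dll$') {
            $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $($d.ProcessId)" |
                    Select-Object -ExpandProperty Name) -join ','
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = $d.ProcessId
                Services    = $svc
                ImageLoaded = $d.ImageLoaded
            }
        }
    }
}

# Usage: run the three checks and show only what needs a human look.
Get-DotNetReflectionSettings | Where-Object Suspicious | Format-Table -AutoSize
Get-ClsidOverrides | Where-Object Suspicious | Format-List
Get-SvchostClrLoads | Format-Table -AutoSize
```

The first two checks are point-in-time and suit a scheduled compliance sweep; the Sysmon query is the one to turn into an alert, since a CLR appearing inside a service host is the observable the report singles out.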

As this technique demonstrates, attackers continue to find innovative ways to exploit Windows components for malicious purposes.

Security teams must remain vigilant and adapt their defenses to address these evolving threats.

By implementing the recommended controls and maintaining awareness of such advanced techniques, organizations can better protect themselves against fileless malware and lateral movement attacks.

