-
Notifications
You must be signed in to change notification settings - Fork 8
1 ‐ Covert Malware Delivery and Ingress Tool Transfer
For phase one of the project, this is where we have focused the most attention, in large part because this is where we have seen adversaries using AutoIT and AHK the most in the wild. AutoIT in particular, seems to provide several key advantages for hiding malware, including the ability to hide an AutoIT script within another file type, the application having a valid certificate, and if a script is compiled to an executable the associated file is not very easy to analyze.
In our experience, payloads delivered that include AutoIT and AHK seem to be relatively evasive. The most convincing proof of this by far, is that adversaries are using this tactic in the wild. Far less important, is the testing that we have done, showing multiple tactics that can do bad things, apparently without the intervention of popular AV and EDR products. How many things and how bad?
That is really why this is a community project, because we are not quite sure - and, our coverage is far more likely to be exhaustive with a lot of participation. That is also why we have set up the project with the potential for almost end-to-end exploit/post-exploit functionality, even though our initial release is a little light in some categories. While the initial release is mostly intended to showcase covert payload delivery, we have found multiple useful post-exploit scenarios already and we were wondering if a complete end-to-end exploit/assessment framework could be built on this foundation.
Focusing back in on covert payload delivery and ingress tool transfer: We have examples demonstrating the ability to embed an AutoIT script within other file types (e.g., GIF), which could establish a reverse shell, download and execute a file, or even carry out a direct action (e.g., file encryption). The shell for phase one will be basic, but it should be more than enough to test execution of secondary payloads on a host or launching other scripts included within this (or other) project(s).
We have been both excited and alarmed by the results of our initial testing, although we hope the community will improve and expand upon it, making the project more useful and valuable to defenders/testers everywhere. Also, we hope the community discovers and contributes new detection logic and rules as we go, to strengthen our resiliency against this attack vector.