Legacy software that uses web traffic can be used to blend in with other incoming and outgoing traffic.
There are a variety of ways to gain the access needed to remotely execute commands on a compromised machine. One way that HALOCK Security Team has been able to gain access during an Assumed Breach Penetration Test is by utilizing legacy software that uses web traffic to evade detection.
HALOCK Security Labs’ Assumed Breach service begins at the point that a machine has already been compromised. In other words, the breach is “assumed.” During a recent client engagement, HALOCK created an HTML Application (HTA), let’s call it “Print Manager.hta”, and ran it on a computer within the client’s network to gain command and control (C2) access. All HALOCK Security Labs penetration tests are performed with consent in controlled environments.
How did this exploit work?
In the real world, the victim would likely have clicked on a malicious email attachment, a link on a malicious website, or they would have seen it on an already compromised file share. A variety of social engineering tactics can be used to persuade a user to click on malicious content.
Legacy software often relies on older program code, much of it written at a time when security was not a priority. It is usually kept around for aging dependent systems and services that have not been migrated to newer technology. By leveraging this software, an attacker can frequently evade endpoint protections on computers that support backwards compatibility with these older systems. When this HTA file was double-clicked, Microsoft Windows opened “Print Manager.hta” with “MSHTA.EXE,” a legacy program that commonly comes pre-installed on Windows operating systems. The “MSHTA.EXE” program opens and runs the file within the legacy Internet Explorer browser engine and gives it the additional ability to use the Windows Script Host (WSH) engine, allowing more capable languages, including VBScript and JavaScript, to interact with the computer and its network.
Once running, the HTA presents an application window with seemingly innocuous content on the Windows Desktop, but in the background the HTA checks whether it is running in the target client’s environment. This restricts HALOCK’s simulated malware to the target environment and adds complexity for Incident Response personnel who choose to detonate it in a sandbox environment for deeper analysis.
Up until this point, the HTA is benign. However, when the right conditions are met, the HTA makes an additional web request to a HALOCK-controlled website to download obfuscated (hard to read) weaponized JavaScript code and load it. Malicious activity using legacy software communicating over widely used protocols, such as secure web traffic (HTTPS), can get lost in the noise if security teams aren’t prioritizing inspection of what appears to be benign traffic. This allows the attacker to take advantage of blind spots in detection controls.
The weaponized JavaScript code provides HALOCK with a remote-control interface, referred to as command and control (C2). C2 is a key component in the structure of malware, botnets, and advanced persistent threats (APTs). This is the point from which attackers can communicate with compromised systems, issue commands, exfiltrate sensitive data, and maintain control over infected machines, even after detection or attempts to remove malware. During a penetration test, this is simulated to mimic a real-world scenario, in which an actual attacker would use such methods.
At this point, HALOCK has a web console through which to submit commands, and the weaponized HTA receives those commands and sends the results back to HALOCK. With C2 established, HALOCK was able to download and install a covert proxy, perform password spray attacks, move within the client’s network, and ultimately gain privileges equivalent to (or higher than) those of the company’s computer administrator.
A covert proxy is a server that operates in an undetectable manner to relay or intercept traffic. Password spray attacks are brute force attacks meant to try to exploit weak passwords by targeting multiple accounts and staying below the lockout thresholds. It’s a popular method because it’s effective on large-scale systems and uncomplicated, particularly if employees in a business do not practice good password hygiene.
What did we learn, and how can this type of exploitation be prevented?
The weaknesses that allowed HALOCK to gain initial remote-control access to the company computer can exist for multiple reasons:
- The computer had legacy programs installed and allowed their execution.
  - If possible, uninstall legacy programs.
  - Update Windows configurations to prevent the execution of legacy programs, for example by using Microsoft Application Control to block “MSHTA.EXE” altogether.
- The computer and/or its perimeter lacked the controls necessary to prevent malicious domains, activity, and script code.
  - Use DNS protection services to block known malicious domains.
  - Use network protection devices, such as an SSL inspection-capable web gateway, to block known malicious domains, perform antivirus scanning, and filter HTTP traffic.
- The computer allowed anomalous behavior from untrusted Windows executables.
  - Use advanced Endpoint Detection and Response (EDR) to detect and prevent Windows processes from performing activities different from what they were originally designed to do, such as spawning new short-lived processes.
- Audit logging of events on the computer was inadequate.
  - Near real-time audit logging to a centralized correlation engine allows for manual and/or automated detection of activities.
- Security Operations Center (SOC) response times were inadequate.
  - Perform Security Awareness Evaluation/Social Engineering penetration tests to find gaps and improve detective and preventative controls, and to give personnel practice that improves response times when invoking the Incident Response process.
- Security awareness weaknesses.
  - Train users not to open any file, regardless of file type, unless they know it can be trusted. Furthermore, train users how to determine whether they can trust something.
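As an added example (not HALOCK’s code or tooling), the following Python script shows the kind of detection logic the EDR and centralized-logging recommendations above imply: it runs three rules over constructed Sysmon-style process and network events and flags mshta.exe opening an .hta file, mshta.exe connecting out to the network, and mshta.exe spawning a child process. The key=value event layout, the file paths, and the hostname are assumptions made for this example.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-style key=value layout
# (EventID 1 = process creation, EventID 3 = network connection). These lines
# are made up for this example; they are not logs from the engagement.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="mshta.exe C:\Users\jdoe\Downloads\Print Manager.hta"',
    r'EventID=3 Image="C:\Windows\System32\mshta.exe" DestinationHostname="c2.example.invalid" DestinationPort=443',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\System32\mshta.exe" '
    r'CommandLine="cmd.exe /c whoami"',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="notepad.exe"',
]

# Matches key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict (quoted values keep their spaces)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def is_mshta(image_path):
    """True when the process image is mshta.exe, regardless of directory or case."""
    return image_path.lower().endswith(r"\mshta.exe")


def detect_mshta_abuse(lines):
    """Return (rule, detail) findings for the three mshta.exe behaviours the
    engagement relied on: opening an .hta, reaching out over the network, and
    spawning child processes. Benign events produce no finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid, image = ev.get("EventID"), ev.get("Image", "")
        parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
        if eid == "1" and is_mshta(image) and ".hta" in cmd.lower():
            findings.append(("hta_launch", f"{parent} started mshta.exe with: {cmd}"))
        elif eid == "1" and is_mshta(parent):
            findings.append(("mshta_child_process", f"mshta.exe spawned {image}: {cmd}"))
        elif eid == "3" and is_mshta(image):
            dest = f'{ev.get("DestinationHostname", "?")}:{ev.get("DestinationPort", "?")}'
            findings.append(("mshta_network", f"mshta.exe connected to {dest}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_mshta_abuse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In a real deployment the same rules would run in the SIEM or EDR over forwarded Sysmon or Windows Security (4688) events rather than over a list in memory.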
Preventing remote-control access originating from a legacy application requires a multi-pronged effort that incorporates security awareness training, regular penetration testing, and the right controls. The more diverse the set of controls, the more complex the environment is for the attacker. If an attacker is forced to adapt to a complex environment, the chances increase that they will be detected early enough to invoke the Incident Response process and minimize the impact to the company and to its clients.
Adam – Social Engineering / Assumed Breach