New Blog Post: Hancitor + COM Objects

Recently, Hancitor incorporated the use of COM to spawn IE and download stage 2 payloads. While many may not have understood the true risk of what the Hancitor campaign stumbled into, it's very dangerous.

dodgethissecurity.com/2019/11/01/han…
Specifically, my research partners and I theorized around 1 year ago that COM objects, if used to spawn IE, could be used to get around/through proxy servers in environments. Proxy servers have provided a severely overestimated layer of protection.
Organizations' security teams have come to assume that "since the malware doesn't know the proxy details, auth mechanism or have user credentials, callouts will fail". However, this is a faulty assumption, as with COM objects + IE you can automatically get that information!
We proved through our own private testing around 6 months ago that if COM is used to call IE and COM is used to control the instance of IE, it will automatically use the current user's credentials, proxy information, etc. to automatically authenticate with proxy servers.
This is all pulled automatically by the browser, as Windows already has access to all of this information (cached credentials, system proxy server + port, etc.). When we tested the POC code my research partner wrote, it successfully called out through our test proxy.
EDR/EPP, OS and proxy vendors have been aware of COM abuse for years. Yet 10 years after this was first published online, NONE of them appear to have visibility, detections, preventions or mitigations for COM object abuse.
Now that Hancitor commodity malware is utilizing COM objects for the very scenario my research partners and I feared, with the lack of protections available we fear for companies, organizations, etc. everywhere.
As such we have decided to publish this information to let SOCs in companies everywhere know about this threat. We don't believe COM object abuse + auto pulling of cached creds will end with just C2 callouts and stage 2 downloads. We believe this is just a single avenue of abuse.
We theorize that there may be similar ways to do lateral movement via COM object calls to SMB, RDP, etc. to other systems. We also believe that since IE is as integrated into Windows as these other protocols are, they may be able to use cached credentials as well.
This being the case, without security companies and operating system vendors stepping up to mitigate the risk of COM object abuse, we believe this is only the beginning of how this could be utilized. There are 13,000+ COM objects in Windows 10; they can control nearly every OS function.
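The thread describes IE being spawned through COM rather than by a user. As an added example (not from the thread or its author), the following flags such launches in process-creation telemetry. It assumes that COM-activated IE is started by the DCOM launcher service (svchost.exe -k DcomLaunch) with the "-Embedding" switch, and the log lines are constructed in a simplified Sysmon Event ID 1 style, not real telemetry.

```python
# Added detection example: spot iexplore.exe instances activated as a COM
# server instead of launched interactively. Assumption: COM activation goes
# through the DCOM launcher (svchost.exe -k DcomLaunch) and passes -Embedding.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(
        image=fields["Image"].lower(),
        command_line=fields["CommandLine"],
        parent_image=fields["ParentImage"].lower(),
        parent_command_line=fields["ParentCommandLine"].lower(),
        user=fields["User"],
    )


def is_com_spawned_ie(ev: ProcessEvent) -> bool:
    """Either signal alone is enough: the -Embedding activation switch on the
    IE command line, or a DCOM launcher parent instead of explorer.exe."""
    if not ev.image.endswith("\\iexplore.exe"):
        return False
    embedded = "-embedding" in ev.command_line.lower()
    dcom_parent = (ev.parent_image.endswith("\\svchost.exe")
                   and "dcomlaunch" in ev.parent_command_line)
    return embedded or dcom_parent


def find_alerts(lines):
    """Return the events that look like COM-activated IE."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if is_com_spawned_ie(ev)]


# Constructed sample telemetry: one interactive launch, one COM activation.
SAMPLE_LINES = [
    "Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|CommandLine=\"C:\\Program Files\\Internet Explorer\\iexplore.exe\"|ParentImage=C:\\Windows\\explorer.exe|ParentCommandLine=C:\\Windows\\Explorer.EXE|User=CORP\\alice",
    "Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|CommandLine=\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -Embedding|ParentImage=C:\\Windows\\System32\\svchost.exe|ParentCommandLine=C:\\Windows\\System32\\svchost.exe -k DcomLaunch -p|User=CORP\\alice",
]
```

Legitimate automation tooling also drives IE through COM, so in practice the rule is tuned by allow-listing known automation hosts before alerting.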