Introduction
You have probably seen one of those news reports about drug smugglers who come up with anything from stupid to really clever ways to smuggle drugs past police detection. They mostly hide the drugs inside legitimate items: pineapples or any kind of innocent fruit or vegetable, shoes, magazine covers, soaps, canned food, you name it. Some go as far as wrapping the drugs in multiple layers to hide the smell and make the final package look like a normal, unsuspicious object that will pass through police checks.
[Image: Analogy of malware delivery with drugs smuggled in canned food]
Hackers often employ similar tactics to conceal their delivery of malware. They package it within innocent-looking emails or ads on websites you might visit. They aim to gain initial access into victims’ machines while disguising their activity. The goal is to evade detection by protection programs and cyber security analysts.
[Image: Malware delivered in innocent looking packages]
So what is this blog post about
In this blog post, we will go through some of the techniques that threat actors are using in 2024 to deliver malware, mostly used to harvest credentials and sensitive information or targeting banking applications to eventually steal money from victims.
I have tried to make the explanation simple, clear and then a bit technical. This way, even if you are not very technical, you can grasp enough information to avoid falling victim to such evasive attacks. If you are more technical, I will give extra details that can be helpful for both blue teamers to be able to point out such malicious behaviour, and for red teamers to have an insight on initial access techniques to test during a red team exercise.
What do I mean by Malware Delivery
It is basically the set of techniques that cyber criminals use to infect your device with a malicious program. Here we will not talk about the malicious program itself, but rather about how it gets onto your device without being detected or stopped by security solutions. We also will not talk about credential and cookie theft through a man-in-the-middle reverse proxy.
A long time ago, this delivery process was simple. You received an email with a file attached to it, downloaded something from the internet, or plugged in a USB stick, and bang! You were infected.
Luckily with the enhancement of security solutions such as Anti-Virus, Endpoint Detection and Response (EDR), anti-spam, anti-malware and email filtering, this process is no longer a walk in the park for attackers.
However, as defenses against infection attempts advance, cyber criminals and their techniques grow more sophisticated. Attackers study the latest defense tactics and devise ways to bypass them, turning this malware delivery thing into a cat-and-mouse game. Security teams enhance defenses based on attackers’ tactics, while attackers develop new bypass techniques against implemented defenses.
[Image: Hackers (red team) vs Blue team]
So, in short, modern malware delivery is finding a way to gain initial access to a device by delivering and executing a malicious program without being detected or prevented by any security solution installed on the target device or its connected network.
Why do cyber criminals want to deliver malware?
There are different kinds of cyber criminals with different objectives, varying from infecting your device with an infostealer, which basically tries to steal juicy information from your device such as login information, emails, files, cryptocurrency wallets… to infecting your corporate device to use it in more sophisticated attacks that compromise sensitive applications or devices in your internal corporate network.
There are different vectors through which attackers achieve initial access. In this blog post we will speak in more detail about vectors coming from phishing attacks.
Use cases of real scenarios of initial access
In the past few months, I have researched initial access techniques for red teaming exercises. During this time, I reviewed many articles on the methods threat actors currently use to bypass advanced detection solutions. In the following sections, I tried to map and explain the most interesting techniques used in recent attacks since the beginning of this year (2024) until the date of writing this post. So, let’s dive into the art of malware delivery and initial access techniques 😊
The final trigger underneath the multi-layer of deception
Before diving into more detailed attacks, I want to mention first that many of those attacks have some common characteristics. More specifically, I want to talk about how different threat actors are mostly using multi-phase infection processes. The first phases have legitimate-looking files and seemingly benign behaviour. The malicious step is only triggered in a later or even the final step of a chain of actions, or as a combination of multiple steps. Attackers use this tactic to evade detection and trick EDRs into considering the activity as legitimate behaviour. Once the defense is convinced that nothing harmful is happening, the malicious step goes unnoticed. In those different phases the attackers use different “building blocks” (if I may call them that) that lead to the final payload.
Many of those attacks share some common building blocks, but different threat actors may put them together differently to create a payload that does not look like the others. Eventually, they lead to the same result. Those building blocks are legitimate file types that we use in everyday work. Examples include: archive files, HTML, SVG, WSF, JavaScript, shortcuts (.LNK), PDFs, Office documents, cloud-hosted content, batch files and the infamous PowerShell scripts. Let’s see some more concrete examples.
[Image: Initial access building blocks]
Archiving the power of evil
Archived files are a very common starting point for an initial access scenario. You receive an email with a .zip file, where the sender urges you to unzip the file and open the invoice of a purchase that you may have made. Why would you receive an archived file? Because it is more likely to reach your inbox than other types of files. Whatever email client you are using, there should be some kind of email filtering that tries to protect you from malicious attachments. For example, email filters may block extensions such as .exe (an executable file) or .js (a JavaScript file) and not forward them, because they can cause immediate damage when executed.
Archived files have legitimate uses. You normally archive/compress some files and send them to your colleagues or clients, nothing bad, right? So, they are less likely to be considered blacklisted files. That is one reason why attackers use them. Another reason is that they can include hidden files in addition to the file that the victim will open. Such a hidden file plays its part in one of the chain phases that lead to the final malware execution.
Archived files used in initial access scenarios come in different flavours. There is the most famous ZIP file. However, attackers may also use RAR, tar.gz, or 7z formats, or disk image files (such as ISO, IMG and VHD).
Encrypted archived files
Here is the twist: if an attacker sends a normal ZIP file containing a suspicious file, the anti-malware protection will mostly block it, because it is able to read the data inside the ZIP and detect the malicious content. What some threat actors do instead is send an encrypted ZIP file (protected by a password). In that case, the email anti-malware protection cannot read the encrypted content to determine whether it is malicious or not. So encrypted archive files (such as password-protected ZIP, RAR or 7z files) will pass.
[Image: Same ZIP with malware, one with password, one without]
Bypassing the Mark-of-the-Web (MOTW)
Mark-of-the-Web (MOTW) is a security feature that indicates that a file originated from the Internet. This allows Microsoft Defender SmartScreen to perform additional inspection of the content of the marked file. For example, downloading a Word document from the internet results in it carrying the mark of the web, which disables macros by default. Even if the Word document is inside a ZIP archive downloaded from the internet, it should still carry this mark.
However, if the victim uses a utility such as 7-Zip to extract the archive, the mark of the web can be bypassed. For example, a Word document that is sent inside a 7z file will not have the mark of the web when extracted using 7-Zip, and thus macros will not be disabled by default.
[Image: Standard extraction of ZIP, mark of the web is there]
[Image: Extracting with 7-Zip, no mark of the web]
Thus, the archived file can serve as the first link in the initial access chain, a pattern observed in many large-scale attacks. For example, the Iranian cyber espionage group called Mint Sandstorm sends emails with links to download a password-protected RAR file as the starting point for deploying malware that harvests sensitive information from the victims.
[Image: Initial access chain 1 - using archived files]
Another threat actor also used a ZIP file sent directly in emails. The file contained a JScript that drops a batch file and a base64-encoded file. The attackers decode the file using certutil into a Portable Executable (PE) DLL that is then executed using rundll32.
[Image: Initial access chain 2 - using archived files]
Other examples of how threat actors are using archives as a starting point: Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme, Keylogger Disguised as Bank Payment Notice, New JinxLoader Targeting Users with Formbook and XLoader Malware, Banking Trojans Target Latin America and Europe.
The Legend of Shortcut: A Link to The Bypass
[Image: The Legend of Shortcut: A Link to The Bypass]
You know that you can create a shortcut for a program and put it wherever you want to access that program from, let’s say the Desktop, while the program itself is in a different location, right? But did you know that you can actually execute other commands through that shortcut? Why? Because this is what the shortcut looks like:
[Image: Shortcut properties including the target (command to execute)]
When opening the shortcut, the command in this target field will be executed (in this case executing the calculator application). But what if we put some other commands there?
As you can see in the following example, what looks like a PDF shortcut can actually execute a command like this:
[Image: Creating a shortcut file with custom command]
Opening the shortcut executes the command in the Target field, creating the file Link.txt:
[Image: Opening the shortcut file that will trigger executing the command]
For a more concrete example, a threat actor used shortcuts (.LNK files) that execute a PowerShell command to run an HTA file. The JavaScript within the HTA decodes a PowerShell decrypter, which decrypts a PowerShell loader. This loader executes in memory, initiating the download and execution of payloads such as Cryptbot, LummaC2, or Rhadamanthys information stealers.
[Image: Initial access chain 3 - using shortcut files]
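To show how a defender can pull the hidden Target command out of a shortcut like the one above, here is an added example (not code from the original post) that parses the .lnk format directly: it reads the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo structures, returns the StringData fields, and then applies a few triage heuristics. The sample shortcut, the cmd.exe and Acrobat paths, and the interpreter list are constructed for the demonstration.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader; StringData blocks follow in this order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target's window minimized
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# Interpreters and LOLBins the post mentions being launched from shortcuts
INTERPRETERS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "rundll32", "certutil", "bitsadmin")

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (the Target command line is in 'arguments')."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return info

def suspicious_indicators(info: dict) -> list:
    """Triage heuristics over the parsed fields; an empty list means nothing stood out."""
    reasons = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [name for name in INTERPRETERS if name in target]
    if hits:
        reasons.append("launches interpreter/LOLBin: " + ", ".join(hits))
    icon = info.get("icon_location", "").lower()
    if hits and icon and not any(name in icon for name in INTERPRETERS):
        reasons.append("icon borrowed from a different program: " + info["icon_location"])
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (ShowCommand=7)")
    return reasons

def _string_block(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

def build_lnk(relative_path="", arguments="", icon_location="", show_command=1) -> bytes:
    """Construct a minimal Unicode .lnk in memory (sample input, not a shortcut from the post)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | IS_UNICODE
    flags |= (HAS_RELATIVE_PATH if relative_path else 0) | (HAS_ARGUMENTS if arguments else 0)
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)  # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 32             # three FILETIMEs, FileSize, IconIndex
              + struct.pack("<I", show_command) + b"\x00" * 12)  # HotKey + Reserved
    id_list = struct.pack("<H", 2) + b"\x00\x00"    # empty IDList: just the TerminalID
    link_info = struct.pack("<I", 8) + b"\x00" * 4  # stub LinkInfo, skipped by the parser
    strings = b"".join(_string_block(s) for s in (relative_path, arguments, icon_location) if s)
    return header + id_list + link_info + strings

# Constructed sample: carries a PDF reader's icon but runs cmd.exe, like the Link.txt demo above
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    arguments="/c echo opened > Link.txt",
    icon_location="%ProgramFiles%\\Adobe\\Acrobat\\Acrobat.exe",  # constructed icon path
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    for reason in suspicious_indicators(parsed):
        print("  !", reason)
```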
It is just a PDF! It is just a PDF?!
[Image: PDF can contain malicious stuff]
PDFs are something you might receive every day in your email or download from the internet. That is why they are a very tempting vehicle for attackers. But how can they use that innocent report, invoice or new-policy PDF maliciously? Here are a few real initial access scenarios used by threat actors, where the starting point was a PDF attachment:
This attack starts with a PDF attachment in an invoice-themed email, like the one below. (This is a demonstration example, not the real thing):
[Image: Demonstration of PDF file with malicious link]
Clicking the link downloads a ZIP file containing either an MSI or an HTA file. This file drops a VB script that downloads another VB script for execution. Consequently, a Mispadu (a known trojan) DLL is injected and executed in memory. This grants attackers control over the victim machine.
[Image: Initial access chain 4 - using pdf files]
Other threat actors used a PDF that downloads a ZIP file containing a .LNK file. The final goal is to inject a DarkGate payload. Attackers then gain access to the victim device to steal information.
[Image: Initial access chain 5 - using pdf files]
Other examples of recent attacks using PDF attachments as an initial point: From PDFs to Payload, Venom RAT Targeting Multiple Sectors, Banking Trojan CHAVECLOAK
(Don’t) Mark My Words
In Microsoft Office documents (like Word or Excel), you can create something called a macro to automate some tasks in the document. A macro is actually a piece of code (Visual Basic for Applications, or VBA). Attackers have been using macros to inject malicious code into documents for a long time. That is why it became a well-known attack vector, and Microsoft and security solutions took steps to reduce the risk coming from macros. However, attackers can get really creative in bypassing whatever obstacles are in the way.
Remote Template Injection
Here is a real example of a threat actor who used a malicious Microsoft Word document as their initial access point. The attackers used a technique called Remote Template Injection. In this attack, instead of including a malicious macro in the sent document, the attackers retrieve the macro from a remote template hosted on the adversary’s infrastructure every time the victim opens the lure Word document that references the template.
How do you create a Word document with a remote template that contains a malicious macro? Piece of cake! Create a Word document with the malicious macro -> save it as a Word 97-2003 Template (*.dot) -> host it -> create a new document from the blank template located in C:\Users\Attacker\Documents\Custom Office Templates -> put some convincing content there -> save it as .docx -> right-click it and open it as an archive -> navigate to word > _rels, right-click settings.xml.rels and select Edit -> in this XML file change the “Target” to the remote location where you hosted your template -> send the document to the victim. You can also use remoteInjector to automate this.
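As a defender-side check for the settings.xml.rels edit described above, here is an added example (not from the original post or from any tool it names) that opens a .docx as a ZIP, reads every relationships file under word/_rels, and reports attachedTemplate targets that point to an http(s), ftp or UNC location rather than a local template. The two sample documents and the hostnames ending in .example.invalid are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> list:
    """List (rels file, Target) pairs where the attached template is fetched over the network."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # the post edits word/_rels/settings.xml.rels; check every .rels under word/ to be safe
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                # http(s)/ftp URLs and UNC paths make Word fetch the template from elsewhere
                if scheme in ("http", "https", "ftp") or target.startswith("\\\\"):
                    findings.append((name, target))
    return findings


# Minimal OOXML parts for a constructed .docx (just enough for the check to run against)
CONTENT_TYPES = ('<?xml version="1.0" encoding="UTF-8"?>'
  '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
  '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
  '<Default Extension="xml" ContentType="application/xml"/>'
  '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
  '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
  '</Types>')
DOCUMENT = ('<?xml version="1.0" encoding="UTF-8"?>'
  '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
  '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
SETTINGS = ('<?xml version="1.0" encoding="UTF-8"?>'
  '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
  'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
  '<w:attachedTemplate r:id="rId1"/></w:settings>')
SETTINGS_RELS = ('<?xml version="1.0" encoding="UTF-8"?>'
  '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
  '<Relationship Id="rId1" Type="{type}" Target="{target}" TargetMode="External"/></Relationships>')


def build_docx(template_target: str) -> bytes:
    """Constructed minimal .docx whose settings.xml.rels points at the given template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT)
        zf.writestr("word/settings.xml", SETTINGS)
        zf.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS.format(
            type=ATTACHED_TEMPLATE, target=escape(template_target, {'"': "&quot;"})))
    return buf.getvalue()


# Constructed samples: a local Normal.dotm (benign) and a template hosted on an .invalid host
LOCAL_DOCX = build_docx("file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm")
REMOTE_DOCX = build_docx("http://templates.example.invalid/report.dot")

if __name__ == "__main__":
    for label, doc in (("local", LOCAL_DOCX), ("remote", REMOTE_DOCX)):
        print(label, find_remote_templates(doc) or "no remote template")
```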
OLE Template Manipulation
Macros are not the only thing that attackers abuse in Office documents. Here is another real example of threat actors leveraging OLE (Object Linking and Embedding) template manipulation to exploit Microsoft Office document templates and execute malicious code while evading detection. Long story short, the attackers send a password-protected (encrypted) Word document to evade detection. The document comes with instructions to download the report, enter the password, and enable editing, and then instructs the victim to click a printer icon to view their “salary graph”. The icon is actually an OLE package, a feature in Microsoft Windows that allows embedding and linking to documents and other objects. When the victim clicks the icon, a ZIP archive that contains (again) a LNK file is opened. This LNK file drops a PowerShell loader. Some steps later, a registry key is created to run the Trojan as a persistence mechanism.
[Image: Initial access chain 6 - using Word documents]
Smugglers wearing HTML/SVG suits
Attackers always try to abuse legitimate features to perform bad stuff. HTML smuggling is a nice example of that. End goal: opening an HTML or SVG file (which could be sent as an email attachment) triggers the download of a file to your device without further notice. This file, which could be an ISO, IMG, VHD… may include whatever chain of files and payloads eventually leads to the infection. In this attack, the file intended for download is encoded as a blob of data within JavaScript code in the HTML/SVG file. Upon opening in a web browser, this data blob gets decoded into a file. Here is a simple demonstration: you open an HTML/SVG file, and you get this:
[Image: HTML Smuggling template example]
But attackers are even going one step further. In this example, rather than directly downloading the file, the attackers’ website hosted on Google Sites triggers a reCAPTCHA page. The payload is only downloaded after successfully checking “I am not a robot.” Moreover, unlike typical HTML smuggling scenarios where attackers include the malicious file in the JavaScript within the HTML, in this case, the attackers embed the malicious file in a separate JSON file. A GET request fetches the file from a different domain when the victim accesses the page. So, with these extra steps, the attackers add a sense of legitimacy for the victim to trust what they are clicking (the reCAPTCHA check), and they hide the malicious file further from public scanners such as VirusTotal.
[Image: Initial access chain 7 - using html smuggling]
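To show what an analyst can look for in a suspected smuggling page, here is an added example (not from the original post) that scans HTML/SVG text for the JavaScript download primitives described above, decodes any long base64 literal and identifies the smuggled file type by its magic bytes; it also flags the fetch-based variant where the blob lives in a separate file. The sample page and the embedded ZIP are constructed for the demonstration.

```python
import base64
import binascii
import io
import re
import zipfile

# A quoted base64 run of at least 64 chars: the "blob of data" carrying the smuggled file
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=\s]{64,})['"]""")
# Browser primitives that turn decoded bytes into a download, plus the remote-fetch variant
PRIMITIVES = {
    "atob": r"\batob\s*\(",
    "blob_object": r"\bnew\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "anchor_download": r"\.download\s*=",
    "ms_save_blob": r"msSaveOrOpenBlob",
    "remote_fetch": r"\bfetch\s*\(|\bXMLHttpRequest\b",
}
DOWNLOADERS = {"blob_object", "object_url", "anchor_download", "ms_save_blob"}
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"%PDF", "pdf"), (b"\x1f\x8b", "gzip"),
         (b"Rar!\x1a\x07", "rar"), (b"7z\xbc\xaf\x27\x1c", "7z"), (b"conectix", "vhd")]


def sniff(blob: bytes) -> str:
    """Identify the decoded payload by its magic bytes (ISO 9660 keeps its signature at sector 16)."""
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    if blob[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def scan_html(text: str) -> dict:
    """Flag HTML/SVG that decodes an embedded blob and hands it to the browser as a download."""
    primitives = [name for name, pat in PRIMITIVES.items() if re.search(pat, text)]
    payloads = []
    for m in B64_LITERAL.finditer(text):
        literal = re.sub(r"\s+", "", m.group(1))
        try:
            raw = base64.b64decode(literal, validate=True)
        except (ValueError, binascii.Error):
            continue  # long quoted string that is not valid base64
        payloads.append({"offset": m.start(1), "size": len(raw), "type": sniff(raw)})
    if payloads and DOWNLOADERS & set(primitives):
        verdict = "html_smuggling"
    elif "remote_fetch" in primitives and DOWNLOADERS & set(primitives):
        verdict = "possible_remote_smuggling"  # blob fetched from another domain, as in the JSON variant
    elif payloads or primitives:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "primitives": primitives, "payloads": payloads}


def _constructed_zip() -> bytes:
    """Constructed ZIP standing in for the smuggled archive (its content is a placeholder, not a shortcut)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", "placeholder bytes, not a real .lnk")
    return buf.getvalue()


# Constructed sample of the kind of page described above (not taken from a real campaign)
SAMPLE_HTML = """<html><body><p>Loading your invoice...</p><script>
var b64 = '__B64__';
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(_constructed_zip()).decode())

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```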
WTF is WSF?!
Wikipedia says that “A Windows Script File (WSF) is a file type used by the Microsoft Windows Script Host. It allows mixing the scripting languages JScript and VBScript within a single file, or other scripting languages such as Perl, Object REXX, Python, or Kixtart if installed by the user.” Executing JScript and VBScript sounds very delicious to an attacker.
Attackers typically abuse WSF and HTA (HTML Application) files. Due to their frequent use in attacks, however, they have become more detectable by security solutions. That does not stop attackers from finding ways to keep using these vectors.
A new wave of Raspberry Robin worm infections is using .wsf files to infect victims. Attackers may deliver the file to the victim through spam or malvertising campaigns. What is interesting about this campaign is that the attackers heavily obfuscated the .wsf file: it had a 0% detection rate on VirusTotal.
[Image: WSF no detection with VirusTotal]
Adding obfuscation
For obfuscation, the attackers used multiple techniques, including adding large amounts of useless junk characters to hide the malicious content. The attackers use decoding functions and obfuscate the script’s flow. They include unused code, but in other parts of the code they check whether this unused code has been removed (possibly by a blue team analyst attempting to analyze the script). If the unused code is found to be missing, the script terminates, significantly complicating analysis. Additionally, they employ anti-debugging techniques and add a Microsoft Defender exclusion that excludes the entire main drive from antivirus scanning. If the script detects that the victim machine is running another antivirus solution, it terminates.
[Image: Obfuscating WSF files]
When executed, and after this series of anti-analysis and anti-virtual-machine checks to ensure the payload is not running in a virtualized environment, the main DLL payload of the worm is retrieved from a remote server and executed.
Batches here PowerShells there
In many of the previously mentioned attack scenarios, attackers used either Windows Batch files (.bat) or PowerShell scripts at some point in the initial access chain before gaining final control.
Attackers can save PowerShell commands that trigger the final infection step in script files (.ps1) or batch files (.bat). They can execute the batch file directly or by creating a scheduled task that runs the batch file based on a pre-defined trigger. These PowerShell scripts and batch files are often highly obfuscated to conceal the attackers and evade detection.
Attackers use PowerShell scripts to bypass the Anti-malware Scan Interface (AMSI) as an evasion step before executing any malicious payloads. They also use PowerShell to load and execute malicious payloads in memory without writing them to disk.
Batch files are used to execute malicious commands, including fetching files, running PowerShell scripts, and deleting files to hide traces. These batch files are also obfuscated. Tools such as BatCloak have been identified in use by some threat actors to bypass traditional detection mechanisms.
[Image: BatCloak detection counts]
Oh you really thought I wouldn’t mention AI here :p
It should not come as a surprise that threat actors are already using AI to enhance their payloads. ChatGPT, Copilot and other LLMs, including ones developed specifically to bypass the limitations that some models enforce to prevent malicious use, are already being used to aid in developing malware. However, these models can also be used earlier, in the first stages of initial access. AI can facilitate crafting phishing emails, making them, in some cases, more convincing than those written by humans.
One example of threat actors recently using AI in early initial access payloads is the hacking group TA547. The group is suspected of using a Large Language Model (LLM) to generate a PowerShell script used in a new wave of phishing attacks that hit German firms with malware called Rhadamanthys early this April.
The deobfuscated PowerShell script revealed some characteristics that are unlikely to come from human programmers, such as grammatically correct and hyper-specific comments for each line in the code.
[Image: Suspected PowerShell script that was written using an LLM]
Putting the chain rings together
Have you noticed the pattern in those real attack scenarios given above? That chain of what I earlier called building blocks… You see PDF -> ZIP -> MSI -> DLL -> infection, or ZIP -> LNK -> Batch -> PowerShell -> DLL -> InfoStealer, or other combinations in a different order. This trend of chaining multiple stages of different file formats and spreading the malicious behavior across multiple components is being adopted by many threat actors to form a complex infection chain. The main reason is to help them fly under the radar of blue teamers and make it harder for security solutions to detect.
[Image: The Chains to Initial Access]
0 Alerts: The Art of Evasion
As mentioned before, threat actors are becoming more sophisticated with their attacks so that they can evade the evolving detection mechanisms.
The use of a complex, multi-staged initial access chain seems like a good strategy. But in each stage, attackers also use different evasion techniques. For example, they use public and private cloud services to host pieces that they will use in the different stages of the chain. This masquerades the malicious calls as legitimate traffic.
Moreover, as we saw earlier, attackers are using different obfuscation techniques in the different stages of the initial access chain. Whether it is the HTML file, the Jscript code included, the PowerShell script, VBScript, batch files or the final DLL or any kind of payload, attackers use different encoding, encryption, and obfuscation techniques to hide the real malicious intention of the payloads.
Threat actors are still using Living Off The Land Binaries (LOLBAS). Bitsadmin and certutil, for example, are frequently seen being used to encode/decode and transfer components that will be used in the initial access chain.
Attackers do not only aim to evade anti-virus, but also to go unnoticed by security solutions such as EDRs. Sophisticated hacker groups are well educated about what kind of behavior will trigger alerts on those EDRs and take extra steps to avoid raising any kind of trigger. EDRs can be really annoying from the perspective of an attacker (or a red teamer). But having a full initial access scenario, from receiving the initial trigger to the execution of the final payload, without raising any alerts, is doable. When you attempt to bypass that EDR 99 times and fail, understanding all the triggers that led to those 99 alerts will surely let the 100th attempt pass the EDR freely and happily without raising any suspicion.
[Image: Red team bypass EDRs]
Conclusion & Recommendations
In this blog post I tried to take you on a tour of this Malware Masquerade, hoping to give you an insight into how real threat actors are masquerading their payloads to invade people and organizations without being detected. Like they say, “to know your enemy, you must become the enemy”; understanding those techniques and tactics used by hackers is the first step to protecting against them.
Here are some recommendations for you, whether you’re a non-technical person using the internet or a technical person trying to make the internet a better place for others:
For the people receiving emails with links or attachments or opening advertisement in websites…
Just don’t. Unless you really trust the sender of the email, or the origin of that website, just don’t click on stuff that you are not sure if they are safe or not. Don’t download updates or programs or whatever from untrusted sources. User awareness is crucial when it comes to phishing attempts to gain initial access. Humans are indeed the main target here; therefore, everyone should educate themselves enough to avoid falling for such deceptive attacks.
[Image: Recommendation to avoid phishing]
For the blue teamer…
It is crucial to be aware of the most recent tactics that threat actors are using to gain initial access and to evade detection. With such knowledge you can identify malicious behavior when you see one, rather than considering it as a false positive just because you were not aware of that attack vector. You can also enhance the rules and configuration of your detection solutions to make it more useful in catching those sneaky hackers.
For the red teamer…
“Yes, you can!” Hackers are trying their best to find ways to fly under the radar of whatever detection mechanism is in use. You had better understand them, find your own ways to do the same, and more importantly share your knowledge with the defenders. Yeah, it is cool to bypass EDRs with 0 alerts, but for ethical hackers that is not the goal, right! Right? So, after a red team engagement, go ahead and explain what you used to evade detection, your TTPs, and what the IOCs would be that help identify the attack. Contribute to patching that hole in the wall of cyber defense. Make it harder for the real attackers, secure the cyberspace and save the world 😉
[Image: Standing at the end of, the final masquerade, the final masquerade]