McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a “fileless” attack. Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network.
One fileless threat, CactusTorch, uses the DotNetToJScript technique, which loads and executes malicious .NET assemblies straight from memory. These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. As with other fileless attack techniques, DotNetToJScript does not write any part of the malicious .NET assembly on a computer’s hard drive; hence traditional file scanners fail to detect these attacks.
In 2018 we have seen rapid growth in the use of CactusTorch, which can execute custom shellcode on Windows systems. The following chart shows the rise of CactusTorch variants in the wild.
Source: McAfee Labs.
The DotNetToJScript tool kit
Figure 2: CactusTorch code.
Before we dive into this code, we need to understand .NET and its COM exposure. When we install the .NET framework on any system, several .NET libraries are exposed via Microsoft’s Component Object Model (COM).
Figure 3: COM exposing the .NET library System.Security.Cryptography.FromBase64Transform.
If we look at the exposed interfaces, we can see IDispatch, which allows the COM object to be accessed from the script host or a browser.
Figure 4: Exposed interfaces in a .NET library.
To execute malicious code using the DotNetToJScript vector, the attack uses the following COM objects:
Figure 5: The class definition of the embedded serialized object.
The .NET assembly embedded in the CactusTorch script runs the following steps to execute the malicious shellcode:
- Launches a new process in a suspended state using CreateProcessA() (to host the shellcode)
- Allocates memory in that target process with VirtualAllocEx(), requesting the EXECUTE_READWRITE memory protection (PAGE_EXECUTE_READWRITE)
- Writes the shellcode into the target process's memory with WriteProcessMemory()
- Creates a new thread in the target process to execute the shellcode using CreateRemoteThread()
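The four steps above are the classic remote-thread injection sequence, and none of them touches the disk, so the defender's handle is the behaviour rather than a file: a script host creating a remote thread inside a process it launched itself moments earlier. The following Python is an added detection example, not code from the McAfee post or from any McAfee product. It correlates Sysmon-style Process Create (Event ID 1) and CreateRemoteThread (Event ID 8) records; the field names follow Sysmon's schema, but every event in SAMPLE_EVENTS (paths, GUIDs, command lines) is constructed for this example, and listing mshta.exe alongside the Windows Script Host binaries is an assumption.

```python
"""Correlate Sysmon-style events to catch a script host injecting into its own child.

Added example (not part of the McAfee post). Field names follow Sysmon's
Event ID 1 (Process Create) and Event ID 8 (CreateRemoteThread); the records
in SAMPLE_EVENTS are constructed, not captured from a real infection.
"""
from dataclasses import dataclass

# Script hosts through which DotNetToJScript payloads are launched.
# wscript/cscript are Windows Script Host; mshta.exe is an added assumption.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Alert:
    script_host: str      # image of the script host that created the remote thread
    script_command: str   # its command line, which names the script that ran
    target_image: str     # process that received the thread (the shellcode host)
    unbacked_start: bool  # thread start address not inside any loaded module


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_script_host_injection(events):
    """Return one Alert per CreateRemoteThread whose source is a script host and
    whose target is a process that the very same script host spawned earlier."""
    # child ProcessGuid -> (parent guid, parent image, parent command line).
    # Process GUIDs are used instead of PIDs because Windows reuses PIDs.
    spawned = {}
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and _basename(ev["ParentImage"]) in SCRIPT_HOSTS:
            spawned[ev["ProcessGuid"]] = (
                ev["ParentProcessGuid"], ev["ParentImage"], ev["ParentCommandLine"])
        elif ev["EventID"] == 8:
            parent = spawned.get(ev["TargetProcessGuid"])
            if parent is None or ev["SourceProcessGuid"] != parent[0]:
                continue  # thread came from somewhere other than the spawning script host
            # Sysmon leaves StartModule empty (or "-") when the start address is not
            # backed by a loaded module, which is what injected shellcode looks like.
            alerts.append(Alert(
                script_host=parent[1],
                script_command=parent[2],
                target_image=ev["TargetImage"],
                unbacked_start=ev.get("StartModule", "") in ("", "-"),
            ))
    return alerts


# Constructed sample stream: one malicious chain, plus benign noise that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G-1}", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\user\\Downloads\\invoice.js",
     "ParentProcessGuid": "{G-0}", "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\explorer.exe"},
    # The script host launches a (suspended) host process for the shellcode.
    {"EventID": 1, "ProcessGuid": "{G-2}", "ProcessId": 5208,
     "Image": "C:\\Windows\\SysWOW64\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{G-1}", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "ParentCommandLine": "wscript.exe C:\\Users\\user\\Downloads\\invoice.js"},
    # Benign: explorer.exe launches a program; no script host involved.
    {"EventID": 1, "ProcessGuid": "{G-3}", "ProcessId": 6000,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{G-0}", "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\explorer.exe"},
    # Malicious: the script host creates a remote thread in the child it spawned.
    {"EventID": 8, "SourceProcessGuid": "{G-1}",
     "SourceImage": "C:\\Windows\\System32\\wscript.exe",
     "TargetProcessGuid": "{G-2}", "TargetImage": "C:\\Windows\\SysWOW64\\notepad.exe",
     "StartAddress": "0x02A40000", "StartModule": ""},
    # Benign: a non-script-host tool creates a remote thread in an unrelated process.
    {"EventID": 8, "SourceProcessGuid": "{G-9}",
     "SourceImage": "C:\\Program Files\\ExampleEDR\\agent.exe",
     "TargetProcessGuid": "{G-3}", "TargetImage": "C:\\Windows\\System32\\notepad.exe",
     "StartAddress": "0x7FFB1C2A1000", "StartModule": "C:\\Windows\\System32\\ntdll.dll"},
]


if __name__ == "__main__":
    for alert in detect_script_host_injection(SAMPLE_EVENTS):
        print(alert)
```

Requiring the remote thread's source GUID to equal the child's parent GUID is what keeps the rule quiet: a script host that merely launched a program, or an agent that injects into processes it did not spawn, produces no alert, while the CactusTorch chain (script host spawns child, then threads into it) produces exactly one. The `unbacked_start` flag adds confidence rather than being a precondition, since some loaders do point the new thread at a module export.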
Fileless malware takes advantage of the trust between security software and genuine, signed Windows applications. Because this type of attack is launched through reputable, trusted executables, it is hard to detect. McAfee Endpoint Security (ENS) and Host Intrusion Prevention System (HIPS) customers are protected from this class of fileless attack through Signature ID 6118.
The author thanks the following colleagues for their help with this analysis:
- Abhishek Karnik
- Deepak Setty
- Oliver Devane
- Shruti Suman
MITRE ATT&CK techniques
- Drive-by compromise
- Scripting using Windows Script Host
- Decode information
- Command-line interface
- Process injection