Compromise Client Software Binary
Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.
Procedure Examples |
|
| Name | Description |
|---|---|
| Industroyer |
Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.(Citation: ESET Industroyer) |
| Kobalos |
Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.(Citation: ESET Kobalos Jan 2021) |
| Kessel |
Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET ForSSHe December 2018) |
| ThiefQuest |
ThiefQuest searches through the |
| Ebury |
Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.(Citation: ESET Ebury Feb 2014) |
| Bonadan |
Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET ForSSHe December 2018) |
| XCSSET |
XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.(Citation: trendmicro xcsset xcode project 2020) |
Mitigations |
|
| Mitigation | Description |
|---|---|
| Code Signing |
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
Detection
Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. Consider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.
References
- Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
- M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
- Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
Связанные риски
| Риск | Связи | |
|---|---|---|
|
Закрепление злоумышленника в ОС из-за
возможности изменения исходного кода прикладного ПО в прикладном ПО
Повышение привилегий
НСД
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.