12 May 2022

Why the newly discovered Microsoft Windows ‘fileless’ log exploit is a marvel of stealth

Synack

The exploit that Kaspersky researchers uncovered is unnamed, so we’re calling it “ThrowShell”

By Kim Crawley

Cyberattacks often evade antivirus software and intrusion detection systems by abusing legitimate operating system processes. That is a defining feature of a fileless Windows exploit recently uncovered by Kaspersky researchers.

Fileless malware attacks computer systems without writing new files to the computer's data storage. If antivirus software scans the hard drive for malware, it finds no files related to a fileless attack. It's a popular detection-evasion technique among cyber threat actors.

Kaspersky hasn't given this new exploit any particular name. Kaspersky's Denis Legezo explained that some of the DLLs (Windows Dynamic Link Libraries) involved in the exploit resemble tools from commercial pentesting frameworks:

“Regarding the commercial tools, traces of SilentBreak and Cobalt Strike toolset usage in this campaign are quite visible. Trojans named ThrowbackDLL.dll and SlingshotDLL.dll remind us of Throwback and Slingshot, which are both tools in SilentBreak’s framework, while the ‘sb’ associated with the dropper (sb.dll) could be an abbreviation of the vendor’s name.

Here we want to mention that several .pdb paths inside binaries contain the project’s directory C:\Users\admin\source\repos\drx\ and other modules not named after Throwback or Slingshot, such as drxDLL.dll. However, encryption functions are the same as in the publicly available Throwback code.”

The new exploit stores malicious shellcode inside Windows event logs. Exploits named after the fundamental code libraries they abuse, such as "Log4Shell" and "Spring4Shell," are recent concerns in the cybersecurity community. So, I'll call this attack "ThrowShell." Maybe it'll stick.

How “ThrowShell” works

The ThrowShell attack starts by persuading a user to download a file containing a Cobalt Strike module. Kaspersky researchers have observed this as a RAR archive carrying a Cobalt Strike certificate, distributed through file.io, a file-sharing site the researchers consider legitimate. Yes, "ThrowShell" starts as a Trojan. But interestingly, when I tried to visit file.io in Firefox, my Malwarebytes Browser Guard extension blocked the site as a suspected phishing domain. I've personally never visited file.io.

The Trojans are wrapped in anti-detection layers. Researchers have seen them built with MSVC, Go compiler 1.17.2 and GCC under MinGW.

Once the RAR file has been extracted and its contents executed, it becomes much easier for the attacker to deliver additional malicious DLLs to the targeted device.

Werfault.exe is the first Windows executable that ThrowShell targets for code injection. It is the Windows Error Reporting fault reporter in Windows 10 and Windows 11. The important role the process plays in Windows means it is routinely trusted (allow-listed) by endpoint security applications. It's almost as sneaky as exploiting svchost.exe, in my opinion.

The executed malicious code is signed with a certificate for an application called "Fast Invest," a certificate the researchers have not seen used to sign any legitimate code. Once extracted, decrypted and signed, ThrowShell's malicious code spreads within Windows through dropper injection using the Cobalt Strike pentesting software. Explorer.exe, the main file manager in all supported versions of Windows, is one of the processes ThrowShell targets for code injection. That is how fileless malware typically works: inject malicious code into ordinary OS processes and execute it from there.

As it spreads through a variety of ordinary Windows DLLs and processes, ThrowShell eventually writes shellcode into Windows event logs. Researchers have seen ThrowShell fingerprint Windows targets by collecting the MachineGUID, computer name, local IP addresses, OS version, CPU architecture, and the SeDebugPrivilege status of processes currently running in memory.
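The defensive counterpart to the technique described above is to look, in exported event-log records, for payloads that do not resemble ordinary event data: large, high-entropy blobs that are neither ASCII nor the UTF-16LE strings Windows providers normally write. The following is an added example for this article, not code from Kaspersky, Synack or the author. It assumes the log has already been exported (for instance with wevtutil or Get-WinEvent) into a list of dicts with `provider`, `event_id`, `record_id` and raw `data` bytes; the provider names, event IDs, thresholds and payload bytes are constructed sample values, not indicators from the campaign.

```python
"""Heuristic triage of exported Windows event-log records for embedded binary blobs.

Added example, not code from Kaspersky, Synack or the article's author.  Assumes
records were exported into dicts with 'provider', 'event_id', 'record_id' and
'data' (raw event bytes).  All sample providers, IDs and payloads are constructed.
"""
import math
from collections import Counter, defaultdict

# Tuning assumptions for this example, not values taken from the article.
MIN_SUSPECT_SIZE = 512       # bytes; shorter blobs are ignored as noise
ENTROPY_THRESHOLD = 6.0      # bits per byte; natural-language text sits well below
PRINTABLE_RATIO_MAX = 0.6    # share of printable ASCII bytes; text is near 1.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/carriage return."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def looks_like_utf16_text(data: bytes) -> bool:
    """Windows providers commonly write UTF-16LE strings, whose 0x00 high bytes would
    otherwise drag the printable ratio down; treat clean printable UTF-16 as benign."""
    if not data or len(data) % 2:
        return False
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def classify_record(record: dict) -> list:
    """Return the reasons a record looks like an opaque binary blob (empty list = benign)."""
    data = record["data"]
    entropy = shannon_entropy(data)
    reasons = []
    if len(data) >= MIN_SUSPECT_SIZE:
        reasons.append(f"payload of {len(data)} bytes")
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    if printable_ratio(data) <= PRINTABLE_RATIO_MAX and not looks_like_utf16_text(data):
        reasons.append("mostly non-printable and not UTF-16 text")
    # Require all three signals: size alone or entropy alone has too many benign hits
    # (zero-padded structures, compressed telemetry, short binary fields).
    return reasons if len(reasons) == 3 else []


def scan_records(records: list) -> dict:
    """Group flagged records by (provider, event_id).  A payload too big for one record
    may be written as a run of records under one provider, so the per-group count matters."""
    hits = defaultdict(list)
    for rec in records:
        reasons = classify_record(rec)
        if reasons:
            hits[(rec["provider"], rec["event_id"])].append(
                {"record_id": rec["record_id"], "reasons": reasons})
    return dict(hits)


def constructed_sample_log() -> list:
    """Constructed records standing in for an exported event log (not real data)."""
    def opaque_blob(size: int, seed: int) -> bytes:
        # Deterministic stand-in for an encrypted payload: 73 is coprime to 256, so the
        # sequence cycles through every byte value and has maximal entropy.
        return bytes((i * 73 + seed) % 256 for i in range(size))

    return [
        {"record_id": 1, "provider": "Service Control Manager", "event_id": 7036,
         "data": "The Print Spooler service entered the running state.".encode("utf-16-le")},
        {"record_id": 2, "provider": "Microsoft-Windows-Kernel-General", "event_id": 12,
         "data": b"The operating system started at system time 2022-05-12T09:00:00Z."},
        {"record_id": 3, "provider": "Example Vendor App", "event_id": 1001, "data": opaque_blob(1024, 11)},
        {"record_id": 4, "provider": "Example Vendor App", "event_id": 1001, "data": opaque_blob(1024, 29)},
        {"record_id": 5, "provider": "Example Vendor App", "event_id": 1001, "data": opaque_blob(640, 5)},
        {"record_id": 6, "provider": "Example Vendor App", "event_id": 1002, "data": b"\x00" * 700},  # big but zero-entropy
    ]


if __name__ == "__main__":
    for (provider, event_id), flagged in scan_records(constructed_sample_log()).items():
        print(f"{provider!r} event {event_id}: {len(flagged)} opaque record(s)")
        for hit in flagged:
            print(f"  record {hit['record_id']}: " + "; ".join(hit["reasons"]))
```

On the constructed log only the three blob records under one provider and event ID are reported, while the UTF-16 service message, the ASCII boot message and the zero-padded record pass. Requiring all three signals together, and grouping hits per provider, keeps the check useful as a triage filter over real exports: a single odd record is common, a run of large opaque records under one source is worth a closer look.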

This is all a really stealthy way to infect Windows clients: get straight into memory, evade detection, establish persistence, and maintain a backdoor into the Windows shell. The exploit could sit on a Windows client for months or longer, giving the attacker an easy way to carry out all kinds of malicious activity with administrative privileges.