State-Sponsored Cyberspies Use Sophisticated Server Firewall Bypass Technique February 25, 2020 https://www.securityweek.com/state-...ophisticated-server-firewall-bypass-technique Sophos: ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures
Well, it sounds a bit complex to me, and I'm not exactly a firewall expert. But my question is, how does it install the Netfilter hook? Seems like Gh0stRAT needs to install a service or driver, so I assume that if you block this, it's neutralized.
The two main components of this attack are a perimeter firewall bypass and a backdoor. Gh0stRAT is the backdoor. The firewall bypass involves: https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/ The best example of this would be a network adapter mini-port filter driver. In this attack, this type of driver was deployed as a rootkit making it "invisible" on the server. Note that mini-port drivers are kernel space extensions. You can see how they are mapped in kernel space using a tool such as SysInternal's WinObj. You can read the Sophos article for details on how Gh0stRAT was deployed on both Linux and Windows.
I also copied the Sophos pictorial representation of this attack which I thought was quite clever employing the truism "A picture is worth a thousand words:"
Yes, but isn't it true that the attack can't succeed without the Gh0stRAT backdoor? Also, the Netfilter hook seems to be related to Linux, but on Windows you would probably need to install a driver like you already said. And Gh0stRAT needs to install a service, this should always be monitored by HIPS.
Easier said than done. Both regsvc32.exe and sc.exe are used by legit processes. Ditto for writing to the reg. service related areas.
Actually, it shouldn't be this hard to monitor service and driver registration. If HIPS fail to block, then EDR should step in.
Here's an example. I monitor sc.exe use with an Eset HIPS rule. Yesterday I reinstalled my nVidia graphics drivers. The installer uses sc.exe to create their service. I had no issue with allowing this activity. But what about the average user?
I was talking in general. Companies that employ HIPS+EDR should have no difficulty blocking or at least detecting this stuff. And to answer your question, average users don't use HIPS. But people like us know if it's normal or not if some app wants to register some service or driver. Let's say Gh0stRAT is disguised as some video downloader, why should it need to register/install a service?
Gh0stRat has been around for a very long time. The are multiple variants to the original malware. Lets talk about the plain vanilla one and how it installed it's service component: https://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/ Note that Install.exe is actually a legit program: https://www.file.net/process/install.exe.html
That's the thing, it doesn't matter if a legitimate process like install.exe or server.exe is performing the service installation. AFAIK, SpyShelter will alert about it.
