State-Sponsored Cyberspies Use Sophisticated Server Firewall Bypass Technique

Discussion in 'malware problems & news' started by mood, Feb 25, 2020.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,671
    State-Sponsored Cyberspies Use Sophisticated Server Firewall Bypass Technique
    February 25, 2020
    https://www.securityweek.com/state-...ophisticated-server-firewall-bypass-technique
    Sophos: ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    Well, it sounds a bit complex to me, and I'm not exactly a firewall expert. But my question is, how does it install the Netfilter hook? Seems like Gh0stRAT needs to install a service or driver, so I assume that if you block this, it's neutralized.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    The two main components of this attack are a perimeter firewall bypass and a backdoor. Gh0stRAT is the backdoor.

    The firewall bypass involves:
    https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/

    The best example of this would be a network adapter mini-port filter driver. In this attack, this type of driver was deployed as a rootkit, making it "invisible" on the server. Note that mini-port drivers are kernel space extensions. You can see how they are mapped in kernel space using a tool such as Sysinternals' WinObj.

    You can read the Sophos article for details on how Gh0stRAT was deployed on both Linux and Windows.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    I also copied the Sophos pictorial representation of this attack which I thought was quite clever employing the truism "A picture is worth a thousand words:"

    [attachment: Sophos_Bypass.png]

     
    Last edited: Mar 1, 2020
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    Yes, but isn't it true that the attack can't succeed without the Gh0stRAT backdoor? Also, the Netfilter hook seems to be related to Linux, but on Windows you would probably need to install a driver like you already said. And Gh0stRAT needs to install a service, this should always be monitored by HIPS.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Easier said than done. Both regsvr32.exe and sc.exe are used by legit processes. Ditto for writing to the registry's service-related areas.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    Actually, it shouldn't be this hard to monitor service and driver registration. If HIPS fail to block, then EDR should step in.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Here's an example. I monitor sc.exe use with an Eset HIPS rule. Yesterday I reinstalled my NVIDIA graphics drivers. The installer uses sc.exe to create its service. I had no issue with allowing this activity. But what about the average user?
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    I was talking in general. Companies that employ HIPS+EDR should have no difficulty blocking or at least detecting this stuff. And to answer your question, average users don't use HIPS. But people like us know if it's normal or not if some app wants to register some service or driver. Let's say Gh0stRAT is disguised as some video downloader, why should it need to register/install a service?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,910
    Location:
    U.S.A.
    Gh0stRAT has been around for a very long time. There are multiple variants of the original malware. Let's talk about the plain vanilla one and how it installed its service component:
    https://resources.infosecinstitute.com/gh0st-rat-complete-malware-analysis-part-1/

    Note that Install.exe is actually a legit program: https://www.file.net/process/install.exe.html
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,582
    Location:
    The Netherlands
    That's the thing, it doesn't matter if a legitimate process like install.exe or server.exe is performing the service installation. AFAIK, SpyShelter will alert about it.
     
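Posts 3 and 7 through 11 above argue about whether service and driver registration (the step Gh0stRAT's installer and a kernel-mode filter driver both need) can realistically be monitored. The script below is an added example by the editor, not code from the thread, from Sophos' write-up, or from the Gh0stRAT analysis linked in post 10. It does two things a defender would do on a Windows server after reading this thread: list every service or driver registered in the last N days from System log Event ID 7045 ("A service was installed in the system") together with the image's Authenticode/catalog signature status, flagging kernel-mode drivers whose image is unsigned or missing; and list every component currently bound to a network adapter (NDIS lightweight filter drivers show up here), flagging any that is not a built-in `ms_` component. The `$Days` parameter, the function names and the `ms_` prefix heuristic are the editor's assumptions; legitimate third-party VPN or AV filters also fail that heuristic, so "Review" means look, not malicious. It assumes an elevated PowerShell 5.1 or later session.

```powershell
<#
  Added example (editor's code, not from the thread or Sophos).
  Check 1: new service/driver registrations (System log, Event ID 7045) with signature status.
  Check 2: components bound to network adapters, where NDIS filter drivers live.
  Assumptions: elevated session; $Days is a hypothetical parameter; the "ms_" prefix
  heuristic in Check 2 is the editor's, not a documented rule.
#>
param([int]$Days = 7)

function Resolve-ImagePath {
    param([string]$ImagePath)
    # 7045 ImagePath values come quoted with arguments, or as NT-style driver paths
    # such as \SystemRoot\System32\drivers\x.sys or system32\DRIVERS\x.sys. Normalise them.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] } else { $p = ($p -split ' ')[0] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RecentServiceInstalls {
    param([int]$Days)
    $since  = (Get-Date).AddDays(-$Days)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields (ServiceName, ImagePath, ServiceType, StartType, AccountName).
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $path = Resolve-ImagePath $data['ImagePath']
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $isKernel = $data['ServiceType'] -like '*kernel*'   # e.g. "kernel mode driver" vs "user mode service"
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $data['ServiceName']
            ServiceType = $data['ServiceType']
            StartType   = $data['StartType']
            Account     = $data['AccountName']
            ImagePath   = $path
            Signature   = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A kernel driver that is unsigned, invalidly signed, or whose file has vanished
            # is the case post 3 describes (a rootkit filter driver) and deserves a look.
            Suspicious  = ($isKernel -and ($null -eq $sig -or $sig.Status -ne 'Valid'))
        }
    }
}

function Get-AdapterFilterComponents {
    # -AllBindings / -IncludeHidden expose filter components (ms_pacer, ms_wfplwf_*, third-party LWFs)
    # that the default adapter view hides.
    Get-NetAdapterBinding -AllBindings -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object Enabled |
        Group-Object ComponentID |
        ForEach-Object {
            [pscustomobject]@{
                ComponentID = $_.Name
                DisplayName = $_.Group[0].DisplayName
                Adapters    = ($_.Group.Name | Sort-Object -Unique) -join ', '
                Review      = ($_.Name -notlike 'ms_*')   # editor's heuristic: non-Microsoft component, inspect it
            }
        }
}

$installs = Get-RecentServiceInstalls -Days $Days
"=== Services/drivers registered in the last $Days day(s) (Event ID 7045) ==="
$installs | Sort-Object Time -Descending |
    Format-Table Time, ServiceName, ServiceType, Signature, Suspicious, ImagePath -AutoSize
"=== Components bound to network adapters (Review = not an ms_ component) ==="
Get-AdapterFilterComponents | Format-Table ComponentID, DisplayName, Review, Adapters -AutoSize
```

Run it as `.\Check-ServiceInstalls.ps1 -Days 30` from an elevated prompt. The NVIDIA installer case in post 8 shows up in the first table as a user-mode service with a Valid signature and a recognisable signer, which is what makes it easy to wave through; an entry with `ServiceType` of kernel mode driver and `Signature` of NotSigned or FileMissing is the one to pull the image for. The second table is the quick answer to post 3's point that a filter driver sits in kernel space: anything bound to the adapters that is not a Microsoft component should be accounted for by something you installed on purpose.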