In the dynamic landscape of cybersecurity, attackers are continually refining their strategies to outmaneuver defenses. A stark example of this progression is the shift from the use of
pythonw.exe for DLL side-loading to the sophisticated implementation of encrypted scheduled tasks. This blog post delves into the technical details of this evolution, providing a clearer understanding of the threats and the mechanisms behind them.
Understanding DLL Side-Loading
DLL side-loading is a technique where attackers exploit the way Windows searches for dynamic link libraries (DLLs) to load their malicious code. For instance, when an application like
pythonw.exe—a legitimate Python executable that runs scripts silently without a command window—starts, it looks for specific DLLs to use. If an attacker places a malicious DLL with the correct name in the expected directory,
pythonw.exe will load and execute the malicious code, often without triggering security alerts.
Example of DLL Side-Loading:
pythonw.exestarts and searches for a DLL named
- An attacker has placed a malicious
example.dllin the search path.
pythonw.exeloads the malicious
example.dll, thinking it is legitimate.
- The attacker’s code is now running on the target machine.
The Shift to Encrypted Scheduled Tasks
The latest cyber attack campaigns have moved beyond this method. Instead of directly targeting
pythonw.exe, they create scheduled tasks with encrypted commands. These tasks are named to appear benign, such as
OneDrive Security Task-S-1-5-21-[...]-2003, which mimics a legitimate task name to avoid raising suspicion.
The Deception of Renamed Executables
In this new strategy, a file named
update.exe (which is actually the
msiexec.exe Windows Installer renamed) is used. This renaming serves to disguise the true nature of the executable. When the task runs, it initiates processes under
spoolsv.exe (the Print Spooler service) and
dllhost.exe (the COM Surrogate), both of which are legitimate Windows processes that are less likely to be scrutinized by users and security software.
Example of Encrypted Task Execution:
- A scheduled task named
OneDrive Security Tasktriggers
update.exe, which is really
msiexec.exe, starts and appears to be a legitimate update process.
- The task executes encrypted commands that spawn
dllhost.exeprocesses in specific user directories, hiding the malicious activity within normal system behavior.
The Technique of Transacted Hollowing
The campaign employs a complex technique known as transacted hollowing. This method combines elements of Process Hollowing and Process Doppelgänging. It uses Windows Native API functions to create a transactional space where file operations are prepared but not finalized. This allows the attacker to execute their code in a suspended state, avoiding immediate detection.
Transacted hollowing is an advanced and stealthy technique used by cyber attackers to inject malicious code into legitimate processes on Windows systems. This method is a sophisticated blend of two well-known tactics: Process Hollowing and Process Doppelgänging. It leverages the Windows Transactional NTFS (TxF) to execute malicious code in the guise of a legitimate process, making detection significantly more challenging for traditional security measures.
Understanding Transacted Hollowing
Transacted hollowing takes advantage of the transactional capabilities of NTFS, which were originally designed to ensure data integrity. By using these features, attackers can create a state where file operations are initiated within a transaction, which can be committed or rolled back, leaving no trace if required.
- Transaction Creation: The attack begins with the creation of a new transaction using the
NtCreateTransactionAPI. This transaction acts as an isolated environment where file operations can be safely conducted without affecting the actual file system.
- Process Creation: Next, the
CreateProcessInternalWAPI is called to create a new process in a suspended state. This process is typically a legitimate Windows process like
- Memory Unmapping: Once the process is created, its memory is unmapped from the address space using functions like
NtUnmapViewOfSection. This effectively hollows out the process, leaving a space for the malicious code.
- Malicious Code Injection: The attacker then writes the malicious code into the address space of the hollowed process. This can be done using
WriteProcessMemoryor similar APIs.
- Transaction Completion: Finally, the transaction can be committed using
NtCommitTransaction, which finalizes the changes, or it can be rolled back to erase evidence if the attack is detected.
Simulated Example of Transacted Hollowing
Let’s walk through a simulated example to illustrate how transacted hollowing might be executed:
- Setting the Stage: An attacker has gained a foothold on a target Windows machine and wishes to execute a payload without being detected by antivirus software.
- Initiating the Transaction: The attacker uses
NtCreateTransactionto start a new transaction. This transaction is associated with file operations that are yet to be determined.
- Creating a Legitimate Process: With
CreateProcessInternalW, the attacker creates a new instance of
notepad.exein a suspended state. This process will serve as the host for the malicious payload.
- Hollowing the Process: The memory of the suspended
notepad.exeis unmapped using
NtUnmapViewOfSection. The process is now an empty shell.
- Injecting the Malicious Code: The attacker writes the malicious code into the hollowed space of
- Completing the Attack: The attacker commits the transaction with
NtCommitTransaction, which makes the changes permanent. The
notepad.exeprocess now runs the malicious code instead of its original content.
- Execution and Cleanup: The process is resumed with
ResumeThread, and the malicious code is executed. If necessary, the attacker can roll back the transaction using
NtRollbackTransactionto undo the changes, helping to avoid detection.
Detection and Mitigation
Detecting transacted hollowing requires monitoring for suspicious use of the Windows Transactional APIs and unusual process behavior. Security solutions must be capable of inspecting the integrity of process memory and identifying anomalies.
Mitigation strategies include:
- Behavioral Analysis: Employing security tools that perform behavioral analysis rather than relying solely on signature-based detection.
- Privilege Reduction: Ensuring that user accounts operate with the least privileges necessary, reducing the attack surface.
- Patch Management: Keeping systems up-to-date with the latest security patches to mitigate known vulnerabilities that could be exploited in the initial stages of the attack.
- Endpoint Detection and Response (EDR): Implementing EDR solutions that can provide detailed telemetry about process behavior and transactions on the file system.
The transition from DLL side-loading to encrypted scheduled tasks demonstrates a significant advancement in attack methodology. By leveraging complex techniques like transacted hollowing, attackers can effectively conceal their presence and maintain control over compromised systems. This evolution not only highlights the ingenuity of threat actors but also emphasizes the need for robust and adaptive security measures. As defenders, it is imperative to understand these techniques, remain vigilant, and develop proactive defenses to protect against these and future threats.