Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.
Adversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host.
An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[1] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[2]
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.[3] |
G1023 | APT5 |
APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.[4][5] |
S0486 | Bonadan |
Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[6] |
S1118 | BUSHWALK |
BUSHWALK can embed into the legitimate |
C0029 | Cutting Edge |
During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code.[9][10][7] |
S0377 | Ebury |
Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[11] |
S1120 | FRAMESTING |
FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in |
S0604 | Industroyer |
Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.[3] |
S0487 | Kessel |
Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[6] |
S0641 | Kobalos |
Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[12] |
S1119 | LIGHTWIRE |
LIGHTWIRE can imbed itself into the legitimate |
S1121 | LITTLELAMB.WOOLTEA |
LITTLELAMB.WOOLTEA can append malicious components to the |
S1104 | SLOWPULSE |
SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files.[5] |
S0595 | ThiefQuest |
ThiefQuest searches through the |
S1116 | WARPWIRE |
WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[9] |
S1115 | WIREFIRE |
WIREFIRE can modify the |
S0658 | XCSSET |
XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[15] |
ID | Mitigation | Description |
---|---|---|
M1045 | Code Signing |
Ensure all application component binaries are signed by the correct application developers. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation |
Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems. |
File Deletion |
Monitor for unexpected deletion of client software binaries to establish persistent access to systems. |
||
File Metadata |
Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment |
||
File Modification |
Monitor changes to client software that do not correlate with known software or patch cycles. |