Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. An adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)[1] prior to the binary’s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.[2]

Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

ID: T1554
Sub-techniques:  No sub-techniques
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: CrowdStrike Falcon OverWatch
Version: 1.1
Created: 11 February 2020
Last Modified: 03 October 2023

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.[3]

S0486 Bonadan

Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[4]

S0377 Ebury

Ebury has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information.[5]

S0604 Industroyer

Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.[3]

S0487 Kessel

Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[4]

S0641 Kobalos

Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[6]

S0595 ThiefQuest

ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. [7][8]

S0658 XCSSET

XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[9]

Mitigations

ID Mitigation Description
M1045 Code Signing

Ensure all application component binaries are signed by the correct application developers.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.

File Deletion

Monitor for unexpected deletion of client software binaries to establish persistent access to systems.

File Metadata

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment

File Modification

Monitor changes to client software that do not correlate with known software or patch cycles.

References