What’s turning up in cloud honeypots. An update on Cl0p’s exploitation of a MOVEit vulnerability. Fraudsters abuse generative AI. Embedded URLs found in malware. Update on Barracuda ESG exploitation. Patch news. Crime and punishment. Courts and torts. Policies, procurements, and agency equities. Company news. Labor markets. Studies and reports. Investments and exits. Read More
Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus
Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus.
The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vaccine development, and the aviation sector, expanding beyond their initial focus of government Read More
Malware Families Adapting To COM Hijacking Technique For Persistence
[[{“value”:”
COM (Component Object Model) hijacking is a technique in which threat actors exploit the core architecture of Windows by adding a new value on a specific registry key related to the COM object.
This allows the threat actors to achieve both persistence and privilege escalation on target systems.
However, several malware families have been found to be utilizing this technique to abuse COM objects.
Several samples of these kinds of malware have been discovered by researchers at VirusTotal since 2023.
COM Hijacking Technique For Persistence
According to the reports shared with Cyber Security News, threat actors also abused several COM objects for persistent access to the compromised systems.
Document
Integrate ANY.RUN in your company for Effective Malware Analysis
Malware analysis can be fast and simple. Just let us show you the way to:
Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox:
Some of the malware families that used CLSID (Class ID) for utilizing this technique which were,
Berbew
RATs
RATs w/ vulnerabilities and
Adware
Berbew
This is one of the most main malware families that abused this COM technique for persistence. This malware family focuses on stealing credentials and exfiltrating them to C2 servers.
However, several malware samples of this family used a second registry key for persistence by abusing the below COM objects:
{79ECA078-17FF-726B-E811-213280E5C831}
{79F CFF-OFFICE-815E-A900-316290B5B738}
{79FAA099-1BAE-816E-D711-115290CEE717}
RATs
Most of the Remote Access Trojans (RATs) used COM abusing techniques such as the RemcosRAT and AsyncRAT using the CLSID {89565275-A714-4a43-912E-978B935EDCCC}.
Moreover, there were also other RATs such as BitRATs and SugarGh0st RAT.
In the majority of the cases, the DLL used by these malware families was using the dynwrapx.dll.
However, some of the malware types such as the XiaoBa used the same techniques by utilizing the same DLL for ransomware deployment.
RATs w/ Vulnerabilities
While there were RATs that never utilized a vulnerability for abusing the COM objects, there were also RATs that utilized this technique, such as the Darkme RAT, which used the CVE-2024-21412 (Internet shortcut files security feature bypass) for compromising the systems.
Multiple CLSID Usage
In some cases, the malware families used more than one CLSIDs for abusing this COM hijacking technique.
The samples of these malware families also turned off the Windows Firewall and UAC for performing additional actions during the infection stages.
One example is the Allaple worm malware family, which used several COM objects and made them point to a malicious DLL during execution.
Alliaple worm (Source: Virustotal)
Adware
Citrio was one of the adware that was designed by the Catalina group, which, in its recent version, uses the COM object hijacking technique for persistence.
The adware drops several malicious DLLs under the disguise of Google Update, which possesses the ability to establish services on the system.
All of these malware families have different execution and usage folders for dropping their payloads. Some of the most common folders used by these malware are
qmacro
mymacro
MacroCommerce
Plugin
Microsoft
Adware (Source:Virustotal)
Indicators Of Compromise
CLSID – COM Objects
79FAA099-1BAE-816E-D711-115290CEE717
EBEB87A6-E151-4054-AB45-A6E094C5334B
241D7F03-9232-4024-8373-149860BE27C0
C07DB6A3-34FC-4084-BE2E-76BB9203B049
79ECA078-17FF-726B-E811-213280E5C831
22C6C651-F6EA-46BE-BC83-54E83314C67F
F4CBF20B-F634-4095-B64A-2EBCDD9E560E
57477331-126E-4FC8-B430-1C6143484AA9
C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9
89565275-A714-4a43-912E-978B935EDCCC
26037A0E-7CBD-4FFF-9C63-56F2D0770214
16426152-126E-4FC8-B430-1C6143484AA9
33414471-126E-4FC8-B430-1C6143484AA9
23716116-126E-4FC8-B430-1C6143484AA9
D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4
79FEACFF-FFCE-815E-A900-316290B5B738
74A94F46-4FC5-4426-857B-FCE9D9286279
Common Paths Used During COM Object Persistence
C:Users<user>AppDataRoaming
C:Users<user>AppDataRoamingqmacro
C:Users<user>AppDataRoamingmymacro
C:Users<user>AppDataRoamingMacroCommerce
C:Users<user>AppDataRoamingPlugin
C:Users<user>AppDataRoamingMicrosoft
C:WindowsSysWow64
C:Program Files (x86)
C:Program Files (x86)Google
C:Program Files (x86)Mozilla Firefox
C:Program Files (x86)Microsoft
C:Program Files (x86)Common Files
C:Program Files (x86)Internet Download Manager
C:Users<user>AppDataLocal
C:Users<user>AppDataLocalTemp
C:Users<user>AppDataLocalMicrosoft
C:Users<user>AppDataLocalGoogle
C:WindowsTemp
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.