.webp)
[[{“value”:”
COM (Component Object Model) hijacking is a technique in which threat actors exploit the core architecture of Windows by adding a new value on a specific registry key related to the COM object.
This allows the threat actors to achieve both persistence and privilege escalation on target systems.
However, several malware families have been found to be utilizing this technique to abuse COM objects.
Several samples of these kinds of malware have been discovered by researchers at VirusTotal since 2023.
COM Hijacking Technique For Persistence
According to the reports shared with Cyber Security News, threat actors also abused several COM objects for persistent access to the compromised systems.
Document
Integrate ANY.RUN in your company for Effective Malware Analysis
Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox:
Some of the malware families that used CLSID (Class ID) for utilizing this technique which were,
Berbew
RATs
RATs w/ vulnerabilities and
Adware
Berbew
This is one of the most main malware families that abused this COM technique for persistence. This malware family focuses on stealing credentials and exfiltrating them to C2 servers.
However, several malware samples of this family used a second registry key for persistence by abusing the below COM objects:
{79ECA078-17FF-726B-E811-213280E5C831}
{79F CFF-OFFICE-815E-A900-316290B5B738}
{79FAA099-1BAE-816E-D711-115290CEE717}
RATs
Most of the Remote Access Trojans (RATs) used COM abusing techniques such as the RemcosRAT and AsyncRAT using the CLSID {89565275-A714-4a43-912E-978B935EDCCC}.
Moreover, there were also other RATs such as BitRATs and SugarGh0st RAT.
In the majority of the cases, the DLL used by these malware families was using the dynwrapx.dll.
However, some of the malware types such as the XiaoBa used the same techniques by utilizing the same DLL for ransomware deployment.
RATs w/ Vulnerabilities
While there were RATs that never utilized a vulnerability for abusing the COM objects, there were also RATs that utilized this technique, such as the Darkme RAT, which used the CVE-2024-21412 (Internet shortcut files security feature bypass) for compromising the systems.
Multiple CLSID Usage
In some cases, the malware families used more than one CLSIDs for abusing this COM hijacking technique.
The samples of these malware families also turned off the Windows Firewall and UAC for performing additional actions during the infection stages.
One example is the Allaple worm malware family, which used several COM objects and made them point to a malicious DLL during execution.
Adware
Citrio was one of the adware that was designed by the Catalina group, which, in its recent version, uses the COM object hijacking technique for persistence.
The adware drops several malicious DLLs under the disguise of Google Update, which possesses the ability to establish services on the system.
All of these malware families have different execution and usage folders for dropping their payloads. Some of the most common folders used by these malware are
qmacro
mymacro
MacroCommerce
Plugin
Microsoft
Indicators Of Compromise
CLSID – COM Objects
79FAA099-1BAE-816E-D711-115290CEE717
EBEB87A6-E151-4054-AB45-A6E094C5334B
241D7F03-9232-4024-8373-149860BE27C0
C07DB6A3-34FC-4084-BE2E-76BB9203B049
79ECA078-17FF-726B-E811-213280E5C831
22C6C651-F6EA-46BE-BC83-54E83314C67F
F4CBF20B-F634-4095-B64A-2EBCDD9E560E
57477331-126E-4FC8-B430-1C6143484AA9
C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9
89565275-A714-4a43-912E-978B935EDCCC
26037A0E-7CBD-4FFF-9C63-56F2D0770214
16426152-126E-4FC8-B430-1C6143484AA9
33414471-126E-4FC8-B430-1C6143484AA9
23716116-126E-4FC8-B430-1C6143484AA9
D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4
79FEACFF-FFCE-815E-A900-316290B5B738
74A94F46-4FC5-4426-857B-FCE9D9286279
Common Paths Used During COM Object Persistence
C:Users<user>AppDataRoaming
C:Users<user>AppDataRoamingqmacro
C:Users<user>AppDataRoamingmymacro
C:Users<user>AppDataRoamingMacroCommerce
C:Users<user>AppDataRoamingPlugin
C:Users<user>AppDataRoamingMicrosoft
C:WindowsSysWow64
C:Program Files (x86)
C:Program Files (x86)Google
C:Program Files (x86)Mozilla Firefox
C:Program Files (x86)Microsoft
C:Program Files (x86)Common Files
C:Program Files (x86)Internet Download Manager
C:Users<user>AppDataLocal
C:Users<user>AppDataLocalTemp
C:Users<user>AppDataLocalMicrosoft
C:Users<user>AppDataLocalGoogle
C:WindowsTemp
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The post Malware Families Adapting To COM Hijacking Technique For Persistence appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
