In a recent development, cybersecurity researchers have uncovered a novel technique used by hackers to spread malware in a fileless manner, leveraging Component Object Model (COM) objects.
This approach exploits the Distributed COM (DCOM) remoting technology, allowing attackers to execute .NET managed code on remote servers without leaving any files behind.
The method builds upon research by James Forshaw of Google Project Zero, who detailed how trapped COM objects can be manipulated for malicious purposes, including privilege escalation and bypassing Protected Process Light (PPL) protections.

Exploiting COM Vulnerabilities
COM has been a cornerstone of Windows development since the 1990s, providing a binary interface standard that enables modular components to interact across different programming languages.
DCOM extends this capability by allowing COM clients to communicate with COM servers remotely.
Hackers have identified vulnerabilities in this system, particularly in the WaaSRemediation COM class, which is part of the WaaSMedicSvc service running as a protected svchost.exe process under NT AUTHORITY\SYSTEM.

By manipulating the IDispatch interface and hijacking the StdFont object, attackers can redirect it to execute .NET code, exploiting features like .NET reflection over DCOM.
Researchers Dylan Tran and Jimmy Bayne have developed a proof-of-concept technique for fileless lateral movement using these trapped COM objects.
Their approach involves manipulating registry keys on the target machine to hijack the StdFont object and enable .NET reflection.
This allows them to load .NET assemblies into the COM server without transferring any files, making the attack stealthy and difficult to detect.
The technique relies on setting specific registry values, such as AllowDCOMReflection and OnlyUseLatestCLR, to facilitate the execution of arbitrary .NET methods.
Challenges and Defensive Measures
While this technique offers a sophisticated method for spreading malware, it also presents operational challenges.
According to the report, the lifetime of the spawned beacon is tied to the application lifetime of the weaponization binary, which limits its persistence.
To improve detection and defense, security teams can monitor for CLR load events within svchost.exe processes, registry manipulations related to COM objects, and DACL changes.
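The following script is an added example, not code from the article or from the researchers it describes. It applies two of the detections listed above to a batch of Sysmon-style telemetry: the CLR being loaded into svchost.exe (Event ID 7, ImageLoaded) and writes to the AllowDCOMReflection and OnlyUseLatestCLR values (Event ID 13, RegistryEvent SetValue), and then reports hosts on which both indicators co-occur. The event dictionaries, host names and file paths are constructed sample data, and the assumption that the two values sit under HKLM\SOFTWARE\Microsoft\.NETFramework is the script's, not the article's.

```python
"""
Added example: hunt over Sysmon-style events for the indicators the article
lists for trapped-COM / .NET-reflection-over-DCOM lateral movement.
All sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # Windows path handling regardless of host OS

# Registry values the article names as prerequisites for .NET reflection
# over DCOM. Assumption: they live under HKLM\SOFTWARE\Microsoft\.NETFramework.
SUSPICIOUS_REG_VALUES = {"allowdcomreflection", "onlyuselatestclr"}
NET_FRAMEWORK_KEY_RE = re.compile(r"\\software\\microsoft\\\.netframework\\", re.IGNORECASE)

# DLLs whose appearance inside a service host shows the CLR was loaded there.
CLR_IMAGES = {"clr.dll", "mscoree.dll", "mscoreei.dll"}


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str  # "clr_in_svchost" or "net_reflection_registry"
    detail: str


def check_image_load(ev: dict) -> Finding | None:
    """Sysmon Event ID 7: flag CLR DLLs loaded into svchost.exe."""
    if ev.get("EventID") != 7:
        return None
    proc = basename(ev.get("Image", "")).lower()
    dll = basename(ev.get("ImageLoaded", "")).lower()
    if proc == "svchost.exe" and dll in CLR_IMAGES:
        return Finding(ev.get("Computer", "?"), "clr_in_svchost", ev["ImageLoaded"])
    return None


def check_registry_set(ev: dict) -> Finding | None:
    """Sysmon Event ID 13: flag SetValue on the reflection-over-DCOM values."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    value_name = basename(target).lower()
    if NET_FRAMEWORK_KEY_RE.search(target) and value_name in SUSPICIOUS_REG_VALUES:
        return Finding(ev.get("Computer", "?"), "net_reflection_registry", target)
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Run every check over every event and collect the findings."""
    findings: list[Finding] = []
    for ev in events:
        for check in (check_image_load, check_registry_set):
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def high_confidence_hosts(findings: list[Finding]) -> set[str]:
    """Hosts where the registry change and the CLR load were both observed."""
    seen: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        seen[f.host].add(f.indicator)
    required = {"clr_in_svchost", "net_reflection_registry"}
    return {host for host, kinds in seen.items() if kinds >= required}


# Constructed sample telemetry: one benign image load, one CLR load into
# svchost.exe, two suspicious registry writes and one benign .NET registry write.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws01", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "Computer": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 13, "Computer": "ws01", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\AllowDCOMReflection",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "ws01", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "ws02", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\InstallRoot",
     "Details": r"C:\Windows\Microsoft.NET\Framework64"},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.indicator}] {f.host}: {f.detail}")
    print("hosts with both indicators:", sorted(high_confidence_hosts(results)))
```

A CLR load in svchost.exe on its own is worth baselining rather than alerting on, since some legitimate services are managed code; the combination with a write to the two reflection values on the same host is the stronger signal, which is why the script reports that co-occurrence separately. Sysmon image-load events do not carry the hosting service name, so tying the svchost.exe instance to WaaSMedicSvc needs the process ID correlated with service-control data from another source.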

Implementing host-based firewalls to restrict DCOM ephemeral port access can also help mitigate these threats.
Additionally, YARA rules can be used to detect specific executable patterns associated with this attack method.
Despite these challenges, the technique underscores the evolving landscape of fileless malware and the need for enhanced security measures to counter such sophisticated attacks.