
Looking for Trouble: Windows Troubleshooting Platform Leveraged to Deliver Malware


Batu69


Overview

Proofpoint researchers have uncovered a new technique of attachment-based delivery. In the observed campaign, the attackers abuse a feature in Windows called the Windows Troubleshooting Platform (WTP), intended for troubleshooting problems, to socially engineer the recipients into executing malware.

 

This attack is particularly effective since execution of WTP is not accompanied by a security warning and users have been conditioned to run the troubleshooter when it appears in Windows. In this case, though, running the troubleshooter leads to the installation of LatentBot [4], a well-documented modular bot used for surveillance, information stealing, and remote access.

 


Figure 1: Diagram of the Windows Troubleshooting Platform [5]

 

Analysis

The lure document in this case was delivered as an email attachment, although the technique could be combined with any delivery method used for malicious documents. When the user opens the file, they are presented with a document containing a lure that asks them to "double-click to auto detect charset". If the recipient complies, they are in fact opening an embedded OLE object.

 

This object is a digitally signed DIAGCAB file, the Windows extension for a Troubleshooting pack [1][2][3]. When the crafted pack is opened, the user is presented with another convincingly realistic window (Figure 2). If the user clicks "Next" in this dialog, the application launches the scripts associated with the troubleshooting package. In this case, a PowerShell command is executed to download and launch the payload.

 


Figure 2: The document lure; note the social engineering convincing the user to double-click and inadvertently launch the OLE object

 


Figure 3: The code-signed troubleshooting pack; note that the publisher named in the certificate was not involved; rather, a valid certificate was compromised and used to deliver this attack

 


Figure 4: The Troubleshooting Pack downloads the malware payload in the background using a PowerShell script without user awareness

 

As can be seen in Figures 3 and 4, the troubleshooting package allows customization of the dialog's appearance, the actions it performs, and the scripts it runs, all via XML. For example, the XML sets the dialog title "Encoding detection" and specifies the "Troubleshooter" to be a PowerShell script "TS_1.ps1" with the following directives:

 


Figure 5: Diagnostic pack referencing a malicious PowerShell file as a script

 

The PowerShell script responsible for downloading the payload in this campaign is shown in Figure 6:

 


Figure 6: PowerShell command used to download payload

 

This method of malware execution bypasses observation by many existing sandbox products because the malicious activity is carried out outside the msdt.exe process that loads the .diagcab file. This continues the trend of malware authors seeking new sandbox evasion methods via COM-based, non-standard execution flows; previous examples of these methods are WMI, Office Interoperability, the Background Intelligent Transfer Service, and the Task Scheduler. In this instance, when msdt.exe creates an IScriptedDiagnosticHost COM object, the DcomLaunch service starts the Scripted Diagnostics Host (sdiagnhost.exe), which in turn launches the command shell and the PowerShell commands shown above.
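The execution chain described above breaks a naive msdt.exe-to-powershell.exe parent/child rule, because the script host is spawned by sdiagnhost.exe under DcomLaunch. The following detection logic is an added example, not code from Proofpoint or from the original post; it runs over constructed Sysmon-style process-creation records (the PIDs, paths and command lines are made up) and flags script hosts anywhere beneath sdiagnhost.exe, plus msdt.exe loading a .diagcab from a user-writable path.

```python
import ntpath

# Constructed process-creation events (not real telemetry). Note that the
# parent of sdiagnhost.exe is the DcomLaunch svchost, not msdt.exe.
SAMPLE_EVENTS = [
    {"pid": 740, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k DcomLaunch"},
    {"pid": 4120, "ppid": 3008, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'msdt.exe /cab "C:\Users\a\AppData\Local\Temp\Encoding detection.diagcab"'},
    {"pid": 4188, "ppid": 740, "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmdline": "sdiagnhost.exe -Embedding"},
    {"pid": 4210, "ppid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -NoProfile -WindowStyle Hidden -File TS_1.ps1"},
    {"pid": 4230, "ppid": 4210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -WindowStyle Hidden -File TS_1.ps1"},
    {"pid": 5100, "ppid": 3008, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign sibling, must not be flagged
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return ntpath.basename(path).lower()

def descendants(events, root_pid):
    """Yield every event whose process descends from root_pid, at any depth."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    stack = list(by_parent.get(root_pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(by_parent.get(e["pid"], []))

def find_wtp_abuse(events):
    """(sdiagnhost pid, child image, cmdline) for every script host spawned
    under sdiagnhost.exe, the process that actually runs a pack's scripts."""
    hits = []
    for host in events:
        if basename(host["image"]) != "sdiagnhost.exe":
            continue
        for child in descendants(events, host["pid"]):
            if basename(child["image"]) in SCRIPT_HOSTS:
                hits.append((host["pid"], basename(child["image"]), child["cmdline"]))
    return hits

def find_user_path_diagcab(events):
    """msdt.exe command lines that load a .diagcab from a user-writable path."""
    markers = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\content.outlook\\")
    return [e["cmdline"] for e in events
            if basename(e["image"]) == "msdt.exe"
            and ".diagcab" in e["cmdline"].lower()
            and any(m in e["cmdline"].lower() for m in markers)]
```

Both findings together (a .diagcab opened from an attachment or download location, followed by a script host under sdiagnhost.exe) describe this campaign's chain far more tightly than either signal alone.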

 

The payload in this case is a modular backdoor known as LatentBot [4], analyzed in detail by FireEye in late 2015. During our analysis of this case, we observed the following bot plugins being loaded for exfiltration and remote access:

  • Bot_Engine
  • remote_desktop_service
  • send_report
  • security
  • vnc_hide_desktop

Conclusion

Attackers continue to find new ways to take advantage of built-in Microsoft Windows features in order to provide a seamless and low-resistance process for their victims to execute the intended payloads. In this case the attackers provide a very natural “Windows” experience that could fool even experienced users. In addition, this technique provides an unusual execution chain which bypasses observation by many sandbox products, making detection considerably more difficult.

 

Article source


New Windows, same old Microsoft.  The 'best' version of Windows is actually the worst version, saying it is the best doesn't make it so.  Saw a website today that is offering Microsoft Lumia phones for $10 and still can't sell them.  People are learning that if you want a substandard product then buy Microsoft.  Phones, Windows, and laptops, you are guaranteed the worst product on the market if it says Microsoft.
