Gardeners know that worms are good. Cybersecurity professionals know that worms are unhealthy. Very unhealthy. The truth is, worms are actually probably the most devasting pressure for evil identified to the computing world. The MyDoom worm holds the doubtful place of costliest laptop malware ever – accountable for some $52 billion in injury. In second place… Sobig, one other worm.
It seems, nonetheless, that there are exceptions to each rule. Some organic worms are literally not welcome in most gardens. And a few cyber worms, it appears, can use their powers for good …
Meet Hopper, The Good Worm
Detection instruments aren’t good at catching non-exploit-based propagation, which is what worms do greatest. Most cybersecurity options are much less resilient to worm assault strategies like token impersonation and others that make the most of poor inside configurations – PAM, segmentation, insecure credential storage, and extra.
So, what higher approach to beat a stealthy worm than with … one other stealthy worm?
And thus was born Hopper! Hopper is an actual worm, with command and management, built-in privilege escalation, and plenty of extra of wormkind’s most devious capabilities. However opposite to most worms, Hopper was constructed to do good. As an alternative of inflicting hurt, Hopper tells its White Hat operators the place and the way it succeeded in infiltrating a community. It experiences how far it obtained in, what it discovered alongside the way in which, and how one can enhance defenses.
Up Shut and Private with Hopper
The event group at Cymulate primarily based Hopper on a typical malware stager – a small executable that serves as an preliminary payload, with its major goal being to arrange a bigger payload. Our stager additionally serves as a PE packer, a program that hundreds and executes packages not directly, normally from a package deal.
Hopper’s stager was written in such a approach that the preliminary payload would not need to be modified if we make an replace to Hopper. Because of this excluding hashes on each replace become historical past, and Hopper customers solely have to exclude the stager’s hash as soon as. Writing the stager on this approach additionally opened up the trail for executing different instruments that Hopper wants.
To maximise Hopper’s flexibility, our group added completely different preliminary execution strategies, further communication strategies, varied methods to fetch the primary stage payload, completely different injection strategies, and extra. And, to create a really stealthy worm, we have to enable for optimum customization of stealthy options, so we made configurations virtually solely operator-controlled:
- Preliminary payload configuration – absolutely configurable execution strategies together with executables, libraries, python scripts, shellcodes, PowerShell scripts, and extra
- First stage payload configuration – customizable package deal fetching strategies and package deal injection strategies (for instance, reflective injection)
- Second stage beacon configuration – tailor-made communication channels, hold alive timing and timeout, and jitter
- API – over the air addition of latest capabilities to permit simpler future enlargement of capabilities, together with communication strategies, unfold strategies, and exploits
Execution, Credential Administration, and Spreading
Hopper’s preliminary execution is in-mem and in phases. The primary stage is a small stub with restricted functionality. This stub is aware of how one can run a extra important piece of code as a substitute of containing the code inside itself – making it more durable to flag this as a malicious file. For privilege escalation, we selected completely different UAC bypass strategies, exploiting weak providers resembling Spooler and utilizing misconfigured providers or autoruns to achieve privilege elevation or persistency. The thought right here is for Hopper to make use of the minimal privileges wanted to attain its objectives. For instance, if a machine gives consumer entry to our goal machine, Hopper may not have to elevate privileges to unfold to that concentrate on machine.
Hopper options centralized credentials administration, which allows it to distribute credentials between Hopper cases by necessity – that means that each one Hoppers have entry to credentials collected, eliminating the necessity to duplicate the delicate credentials database throughout different machines.
To unfold, Hopper prefers misconfigurations over exploits. The rationale? Exploits can doubtlessly crash techniques, they stand out extra and are simply recognized by IPS/community monitoring merchandise and EDR merchandise. Misconfigurations, alternatively, aren’t simply detected as malicious exercise. For instance, Lively Listing misconfigurations could lead a consumer to achieve entry to a useful resource that she or he shouldn’t have had entry to, and due to this fact result in spreading. Equally, software program misconfigurations could enable a consumer to execute code remotely and due to this fact result in spreading.
Stealth and C&C Communications
The Cymulate group selected in-memory execution for Hopper, since encrypting malware code in-memory as soon as now not in use can disrupt EDR merchandise’ skill to fingerprint in-memory content material. Furthermore, in-memory execution makes use of direct system calls as a substitute of API calls, which can be monitored by EDR merchandise. If Hopper does want to make use of API features, it detects and unloads EDR hooks earlier than doing so.
To keep up stealth, Hopper communicates with Command and Management throughout working hours by masking the exercise with regular working hour exercise in random timing patterns. It additionally communicates solely with allow-listed servers or servers that are not thought of malicious, like Slack channels, Google Sheets, or different public providers.
The Backside Line
To preempt worm assaults, a White Hat worm-like Hopper is a perfect resolution. By seeing the community from a worm’s perspective, so to talk, Hopper turns the worm’s best benefit to the defender’s best benefit.
Word: This text is written and contributed by Yoni Oren, Workforce Chief, Senior Safety Researcher and Developer at Cymulate.
