Persistence

To secure the access to a compromised system, attackers use persistence in order to make sure their backdoor remains installed and running across system reboots. This allows intruders to control the infected system in the future and proceed with further exploitation of the target or its infrastructure. The sophistication of the persistence method used by the attackers usually depends on the system access rights they have gained and their tactics. The higher the access level, the more sophisticated and stealthy persistence can be applied.

In most cases persistence is a result of the system’s configuration change which makes sure that a payload, deployed by the attacker, is executed every time system is started and keeps running after that providing the possibility of remote access to the attacker. In such a case, attackers alter the configuration of a target computer’s file system, modifying registry, etc. [1] However, techniques which do not alter the configuration of the target system exist and are usually more difficult to detect. An example of such a technique is the compromise of a Domain controller in a Windows OS environment. In such a case an attacker has control over the whole inventory of the Windows domain and therefore may instruct to execute malware on all or selected systems remotely [2]. In this case the malware on the infected system runs completely in memory and is difficult to detect its origin. Additionally, the attacker can compromise the way authentication works on the network and therefore access systems without knowing the actual password of a user (known as skeleton key technique) having administrative access to a specified computer.

Persistence Techniques

One of the most basic approaches for deploying persistence is the usage of startup folders. These folders are looked up by the Operating System during the startup and files, residing in such locations, are executed. Windows Operating system maintains two types of startup folder: user wide and system wide. While files located in the user’s startup folder is executed only for that particular user, files residing in the system wide startup folder is executed for every single user that logs onto the system.

A simple example of the persistence via startup folders for a specific user requires no administrative privileges and therefore is a common technique used across various attackers. In order to deploy persistence for all users via this technique administrative privileges are required as the system wide startup folder is protected by the operating system. This technique can be easily demonstrated by copying a file or a shortcut to one of the following folders.

Current User
Windows XP
C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup
Windows Vista and later
C:\Users\%USERNAME%\Start Menu\Programs\Startup

All Users
Windows XP
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows Vista and later
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Another common technique used for persistence can be reproduced by creating registry keys under certain locations. Similar to the previous example, there are user wide and system wide registry location for program startup. Here again administrative privileges are required while deploying persistence for all users. The following list provides only the most common locations used for persistence via registry keys.

Current User
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

All Users
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

In order to implement a registry based persistence it is sufficient to execute one of the following commands.

Current User
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v calc /t REG_SZ /d C:\Windows\System32\calc.exe

All users
REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v calc /t REG_SZ /d C:\Windows\System32\calc.exe

As a result of the above commands, the calculator application gets executed for the current user or for all users logging into the system.

While the provided examples are not advanced and can be easily discovered by an experienced computer user or system administrator it is often the case that attackers use more sophisticated approaches to deploy persistence. A few examples of such are service installation, DLL hijacking, rootkits, bootkits, etc. As an example of a more sophisticated way to maintain persistence is to upload a DLL to the victim’s computer and create a special registry key as shown below.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d C:\Users\<username>\evil.dll

This registry key results in the malicious DLL being loaded every time when a Microsoft Office program, such as Word or Excel, is started [3]. It’s an uncommon technique, but yet quite effective as the user interaction triggers the malicious payload making it trickier for the Anti-Virus solutions to detect similar approaches.

Real World Example: APT28 / Sofacy

This section covers two persistence mechanisms used by APT28: a common approach via Auto-Start Extensibility Point (ASEP) artefacts and a DLL hijacking persistence mechanism recently adopted by APT28. ASEP approach targets operating system’s configuration points that allow programs to register as an auto-start extension. The DLL hijacking approach exploits the way certain applications load dynamic libraries upon startup. The later technique is more difficult to detect and therefore can be considered as more sophisticated compared to ASEP.

Persistence via ASEP artefacts

The most common persistence tactic used by APT28 relies on creating registry entries and shortcuts to ensure persistence of their backdoor. However, the registry entries and shortcuts differ depending on which backdoor variant is used. The following table provides some of the registry and file system locations used by APT28 for deploying persistence [4].

Table 1: ASEP points used by APT28
Registry entries
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjectDelayLoad\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
File system locations
%ALLUSERSPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\
%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\

DLL hijacking persistence mechanism

In June 2016, researchers observed a new persistence method which APT28 used during its campaign against the DNC. The technique itself has been known since 2014 [5], but has not been observed in any attack campaigns orchestrated by this group. The technique relies on a special registry key being created once the initial Trojan, delivered via the malicious attachment, is executed. The following registry key is created by the Trojan [3].

Registry path: HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf\
Value: C:\Users\[username]\AppData\Roaming\btecache.dll

This entry contains a path to a DLL which gets loaded each time a user opens any of the Microsoft Office applications. In order to load and execute the malicious payload, user interaction is required which makes automated analysis more challenging and can be seen as a clever mechanism for sandbox evasion.

Real World Example: APT30

In order to establish persistence on the compromised computer, the malware components of APT30 use two different methods. The first method is a common Autostart technique, where the malware places a Shortcut file into a Startup folder pointing to the malware’s component on the disk and therefore enables its automatic execution at every system startup [6]. The second method relies on a technique of modifying Run/RunOnce registry keys in order to achieve the same effect. The main Startup folders are generally identified as CSIDL_STARTUP and CSIDL_COMMON_STARTUP by Microsoft Windows. The first directory corresponds to a Startup program group associated with the current user. When the user logs on, programs in this directory are started by the system. A typical path for this directory is C:\Documents and Settings\<username>\Start Menu\Programs\Startup. The second Startup folder is associated with all users. The common path for this directory is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. The BACKSPACE backdoor uses these Startup directories in order to deploy persistence by creating shortcuts under names of legitimate software, such as Messenger or Microsoft Word. These shortcuts point to backdoor’s binaries which are located under the paths that are intended to impersonate legitimate software [7]. The registry technique is reported to be used by two malware components – NETEAGLE and FLASHFLOOD. These components create a registry value under the following path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Interestingly, the modification of a registry key in HKEY_LOCAL_MACHINE requires admin/system level privilege. In other words, the malware component needs to be able to obtain the admin/system level privileges in order to modify a system level registry key.

The following tables outline files and registry keys created by each component of the APT30 malware kit.

Table 2: SPACESHIP persistence artefacts
Procedure	Tactic	Technique
1	Creates a shortcut in the Startup folder for persistence.	Shortcut in Startup folder
1	Name: Visual Studio.lnk Comment: “Visual Studio 2005” Target path: %HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\IDE\MSDEV.EXE
2	Creates registry key with the encoded name of the Shortcut file.
2	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\ShipUp Value: lnk Data: Wjtvbm!Tuvejp/mol (encoded text Visual Studio.lnk)

Table 3: SHIPSHAPE persistence artefacts
Procedure	Tactic	Technique
1	Creates a shortcut in the Startup folder for persistence.	Shortcut in Startup folder
1	Name: VFP6.lnk Comment: “Visual FoxPro” Target path: %HOMEPATH%\My Documents\Visual Studio 2005\MSDEV\FoxPro\VFP6.EXE
2	Creates registry key with the encoded name of the Shortcut file.
2	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\ShipTr Value: lnk Data: WGQ7/mol (encoded text VFP6.lnk)

Table 4: BACKSPACE persistence artefacts
Procedure	Tactic	Technique
1	Creates a shortcut in the Startup folder for persistence.	Shortcut in Startup folder
1	Name: WINWORD.lnk In: <CSIDL_STARTUP> or <CSIDL_COMMON_STARTUP> pointing to <CSIDL_PROFILE>\Microsoft Office\BIN\WINWORD.EXE Description: Microsoft Office Word
2	Creates registry key with the encoded name of the Shortcut file.
2	Key: HKEY_CURRENT_USER\Software\Microsoft\CurrentPnpSetup Value: lnk Data: XJOXPSE/mol (encoded text WINWORD.lnk)

Table 5: BACKSPACE persistence artefacts. Another variant
Procedure	Tactic	Technique
1	Creates a shortcut in the Startup folder for persistence.	Shortcut in Startup folder
1	Name: MSN.lnk In: <CSIDL_STARTUP> pointing to <CSIDL_PROGRAMS>\Messenger\BIN\msmsgs.exe Description: Windows Messanger
2	Creates registry key with the encoded name of the Shortcut file.
2	Key: HKEY_CURRENT_USER\Software\Microsoft\CurrentHalInf Value: lnk (type REG_SZ), hosted(REG_DWORD) Data: NTO/mol (encoded text MSN.lnk)

Table 6: FLASHFLOOD persistence artefacts
Procedure	Tactic	Technique
1	Creates a registry entry for persistence.	Registry Key
1	Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Value: msinm.exe Data: [Path to install]	Registry Key

Table 7: FLASHFLOOD persistence artefacts
Procedure	Tactic	Technique
1	Creates a registry entry for persistence.	Registry Key
1	Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run\msmsgr.exe Data: C:\Program Files\Messenger\msmsgr.exe	Registry Key

References

1. Infosec Institute. (2016).
http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/

2. Kaspersky Lab. (2015). The Duqu 2.0 Technical Details.
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

3. Falcone, R. (2016, July 20).
http://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/

4. Microsoft Corporation. (2015). Microsoft Security Intelligence Report Volume 19.
https://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf

5. Hexacorn Ltd. (2014, April 16).
http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/

6. msdn.microsoft.com. (n.d.).
https://msdn.microsoft.com/en-us/library/windows/desktop/bb762494(v=vs.85).aspx

7. Fireeye Labs. (2015). APT30 and the mechanics of a long-running cyber espionage operation.
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Intro

Stages of APT