Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads

tl;dr

Previously we explored the use of Windows Process Canaries to detect and disrupt ransomware. In this post we build on the concept of targeting tradecraft. Specifically, we focus on the tradecraft used by the cryptomining actor known as LemonDuck, which exploited the Microsoft Exchange vulnerabilities in 2021.

As part of their first stage .NET cradle, this threat actor uninstalled specific security-related products before deploying their second stage. We target this TTP by generating a Microsoft Windows Installer package (.msi) that fires a Canary token when it is uninstalled.

Background – LemonDuck TTPs

The first stage of the LemonDuck cryptomining payload executes the following commands to detect and uninstall a number of security products. This was captured by NCC Group's Research & Intelligence Fusion Team Exchange honeypots on March 16th, 2021.

cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive

cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive

cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart

Thesis

Given that a number of packages are uninstalled prior to the second stage, there exists the opportunity for detection with a very high signal. That is, any uninstallation of these security packages will be of interest to the defensive function.

The thesis is that we can deploy a number of Canary Windows Installer packages whose names are ones we know to be targeted, or close enough to match given the actor's loose wildcard matching. If any of these packages is uninstalled, we can use a custom action to fire a Canary token and provide the alert.

Prototype

The implementation follows the thesis above. The package is installed under the name of a commonly targeted application. If this package is uninstalled, we then fire the DNS Canary token.
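As an added illustration of the thesis and prototype above, and not code from the linked repository, the following WiX Toolset v3 source defines such a package. The product name, marker file (readme.txt) and the TOKEN hostname are constructed placeholders; the uninstall-only condition is the detail that matters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <!-- Constructed product name: chosen so that it matches the loose
       wildcards seen above, e.g. '%Security%' and '%AntiVirus%'. -->
  <Product Id="*" Name="AntiVirus Security Suite" Language="1033" Version="1.0.0.0"
           Manufacturer="Example Defender"
           UpgradeCode="11111111-2222-3333-4444-555555555555"> <!-- placeholder GUID -->
    <Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
    <MediaTemplate />

    <!-- One marker file so the package is registered like any real
         install and therefore appears in Win32_Product, the class that
         'wmic.exe product' queries. -->
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="SystemFolder" />
      <Directory Id="ProgramFilesFolder">
        <Directory Id="INSTALLFOLDER" Name="AntiVirus Security Suite" />
      </Directory>
    </Directory>
    <Component Id="MarkerFile" Directory="INSTALLFOLDER" Guid="*">
      <!-- readme.txt is assumed to exist next to this .wxs at build time -->
      <File Id="ReadmeFile" Source="readme.txt" KeyPath="yes" />
    </Component>
    <Feature Id="Main" Level="1">
      <ComponentRef Id="MarkerFile" />
    </Feature>

    <!-- Fire the DNS Canary by resolving its hostname with nslookup from
         System32, so nothing shipped in the package is needed at uninstall
         time. Return="ignore" keeps the uninstall from failing if the
         lookup errors. -->
    <CustomAction Id="FireCanary" Directory="SystemFolder"
                  ExeCommand="&quot;[SystemFolder]nslookup.exe&quot; TOKEN.canarytokens.com"
                  Execute="deferred" Impersonate="no" Return="ignore" />

    <InstallExecuteSequence>
      <!-- REMOVE="ALL" is only true for a full uninstall, and excluding
           UPGRADINGPRODUCTCODE stops the token firing during a major upgrade,
           so install and repair never produce a false alert. -->
      <Custom Action="FireCanary" After="InstallInitialize">
        REMOVE="ALL" AND NOT UPGRADINGPRODUCTCODE
      </Custom>
    </InstallExecuteSequence>
  </Product>
</Wix>
```

Build with candle.exe and light.exe; because the action is deferred, the hostname is resolved under the SYSTEM account, which is the context the wmic.exe uninstall above would run in.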

The Code

Code is here

https://github.com/nccgroup/UninstalledAppCanary

We’ve also suggested to the Thinkst team they could/should automate the package generation as part of canarytokens.org. We believe they are exploring this.

Feedback etc.

Feedback welcome via pull requests, e-mail (ollie dot whitehouse at nccgroup dot com) or @ollieatnccgroup on Twitter.