Back

Malware Families Adapting To COM Hijacking Technique For Persistence

COM (Component Object Model) hijacking is a technique in which threat actors exploit the core architecture of Windows by adding a new value on a specific registry key related to the COM object.

This allows the threat actors to achieve both persistence and privilege escalation on target systems.

However, several malware families have been found to be utilizing this technique to abuse COM objects.

Several samples of these kinds of malware have been discovered by researchers at VirusTotal since 2023.

COM Hijacking Technique For Persistence

According to the reports shared with Cyber Security News, threat actors also abused several COM objects for persistent access to the compromised systems.

Some of the malware families that used CLSID (Class ID) for utilizing this technique which were,

  • Berbew
  • RATs
  • RATs w/ vulnerabilities and
  • Adware

Berbew

This is one of the most main malware families that abused this COM technique for persistence. This malware family focuses on stealing credentials and exfiltrating them to C2 servers.

However, several malware samples of this family used a second registry key for persistence by abusing the below COM objects:

  • {79ECA078-17FF-726B-E811-213280E5C831}
  • {79F CFF-OFFICE-815E-A900-316290B5B738
  • {79FAA099-1BAE-816E-D711-115290CEE717}

RATs

Most of the Remote Access Trojans (RATs) used COM abusing techniques such as the RemcosRAT and AsyncRAT using the CLSID {89565275-A714-4a43-912E-978B935EDCCC}.

Moreover, there were also other RATs such as BitRATs and  SugarGh0st RAT.

In the majority of the cases, the DLL used by these malware families was using the dynwrapx.dll.

However, some of the malware types such as the XiaoBa used the same techniques by utilizing the same DLL for ransomware deployment.

RATs w/ Vulnerabilities

While there were RATs that never utilized a vulnerability for abusing the COM objects, there were also RATs that utilized this technique, such as the Darkme RAT, which used the CVE-2024-21412 (Internet shortcut files security feature bypass) for compromising the systems.

Multiple CLSID Usage

In some cases, the malware families used more than one CLSIDs for abusing this COM hijacking technique.

The samples of these malware families also turned off the Windows Firewall and UAC for performing additional actions during the infection stages.

One example is the Allaple worm malware family, which used several COM objects and made them point to a malicious DLL during execution.
Allaple worm malware

Adware

Citrio was one of the adware that was designed by the Catalina group, which, in its recent version, uses the COM object hijacking technique for persistence.

The adware drops several malicious DLLs under the disguise of Google Update, which possesses the ability to establish services on the system.

All of these malware families have different execution and usage folders for dropping their payloads. Some of the most common folders used by these malware are

  • qmacro
  • mymacro
  • MacroCommerce
  • Plugin
  • Microsoft

malware folders

Indicators Of Compromise

CLSID – COM Objects

  • 79FAA099-1BAE-816E-D711-115290CEE717
  • EBEB87A6-E151-4054-AB45-A6E094C5334B
  • 241D7F03-9232-4024-8373-149860BE27C0
  • C07DB6A3-34FC-4084-BE2E-76BB9203B049
  • 79ECA078-17FF-726B-E811-213280E5C831
  • 22C6C651-F6EA-46BE-BC83-54E83314C67F
  • F4CBF20B-F634-4095-B64A-2EBCDD9E560E
  • 57477331-126E-4FC8-B430-1C6143484AA9
  • C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9
  • 89565275-A714-4a43-912E-978B935EDCCC
  • 26037A0E-7CBD-4FFF-9C63-56F2D0770214
  • 16426152-126E-4FC8-B430-1C6143484AA9
  • 33414471-126E-4FC8-B430-1C6143484AA9
  • 23716116-126E-4FC8-B430-1C6143484AA9
  • D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4
  • 79FEACFF-FFCE-815E-A900-316290B5B738
  • 74A94F46-4FC5-4426-857B-FCE9D9286279

Common Paths Used During COM Object Persistence

  • C:Users<user>AppDataRoaming
  • C:Users<user>AppDataRoamingqmacro
  • C:Users<user>AppDataRoamingmymacro
  • C:Users<user>AppDataRoamingMacroCommerce
  • C:Users<user>AppDataRoamingPlugin
  • C:Users<user>AppDataRoamingMicrosoft
  • C:WindowsSysWow64
  • C:Program Files (x86)
  • C:Program Files (x86)Google
  • C:Program Files (x86)Mozilla Firefox
  • C:Program Files (x86)Microsoft
  • C:Program Files (x86)Common Files
  • C:Program Files (x86)Internet Download Manager
  • C:Users<user>AppDataLocal
  • C:Users<user>AppDataLocalTemp
  • C:Users<user>AppDataLocalMicrosoft
  • C:Users<user>AppDataLocalGoogle
  • C:WindowsTemp

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Source: https://bit.ly/3uS5LZ2

Rajkumar B

You may also like

Beware-of-Windows-Tools-that-Deliver-Stealing-Malware
Beware of Weaponized Notezilla, RecentX, & Copywhiz Windows Tools that Deliver Stealing Malware
September 12, 2024
WordPress-6.5.5
WordPress Releases Urgent Security Update to Patch XSS and Path Traversal Flaws
September 12, 2024
HC3-Unveils-Qilin-Ransomware-Attacking-Global-Healthcare-Organizations
HC3 Unveils Qilin Ransomware Attacking Global Healthcare Organizations
September 12, 2024

Leave A Reply

Your email address will not be published. Required fields are marked *