Compromise Host Software Binary

Compromising a host software binary means an attacker establishes persistent access by tampering with system or application executables, typically to plant a backdoor, hijack an authentication flow, or evade defenses. Traditional detection relies on digital-signature verification, file integrity monitoring (for example Tripwire), and analysis of anomalous process behavior. Defenders can counter it by validating signature metadata and by monitoring client software for unexpected module loads and network connections.
In response to increasingly strict file-integrity protections, attackers have developed a range of covert binary-tampering techniques. By disguising code structure, blending into the execution environment and abusing the trust chain, they slip past the boundaries of traditional static detection and establish a new persistence paradigm: binaries that are legitimate in form but malicious in substance.
The core of current trace-hiding techniques is deep adaptation of the payload to its host environment combined with inversion of the trust mechanisms themselves. Parasitic code injection keeps the binary's outer structure intact and executes malicious code without triggering a signature alert; dynamic-library hijacking exploits weaknesses in the system's dependency-loading mechanism to disguise attack behavior as a legitimate module call; abuse of legitimate certificates subverts the traditional trust-verification system and gives malicious files an officially attested identity; and memory-resident techniques bypass file-system monitoring entirely, producing a "fileless" attack. What the four have in common is that they break the two-dimensional file-versus-process detection model: through code-level blending, trust-chain parasitism and hijacking of the execution environment, malicious behavior is embedded into every legitimate stage of the software life cycle, so that defenses built on a single dimension (file hash, signature status) fail across the board.
This evolution forces defenses toward multi-dimensional, dynamic detection: runtime memory forensics, cross-process behavioral correlation and deep certificate-chain validation, combined into full-life-cycle protection that covers static file attributes, dynamic in-memory characteristics and the paths along which trust is transferred.

ID: T1554
Sub-techniques:  T1554.001, T1554.002, T1554.003, T1554.004
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: CrowdStrike Falcon OverWatch; Jamie Williams (U ω U), PANW Unit 42; Liran Ravich, CardinalOps
Version: 2.1
Created: 11 February 2020
Last Modified: 12 October 2024

Trace-Hiding Effects

Effect type    Present
Signature masquerading
Behavioral transparency
Data obscuring
Spatiotemporal trace erasure

Signature Masquerading

By disguising code structure and forging digital identity, the attacker makes a tampered binary present legitimate characteristics under static inspection: for example, signing the malicious file with a valid certificate, preserving the original PE/ELF file structure, or avoiding file-based detection entirely through memory residence. The malicious binary then passes digital-signature verification, hash checking and similar legitimacy checks, effectively "allow-listing" the payload.
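Preserving the outer PE/ELF structure is what lets a tampered binary pass a superficial check, so a defender's counter is to look at the structure itself rather than only at the hash or signature. The following is an added example (not part of the original page and not MITRE's or any vendor's code) that parses a little-endian ELF64 header and its program headers with nothing but the standard library and reports structural anomalies that parasitic injection and prepend/append-style infectors tend to leave behind. The `build_elf64` helper and the images it produces are constructed samples for demonstration, not real binaries; the heuristics are leads for a triage queue, not proof of compromise.

```python
import struct

# Magic values and ELF constants used by the heuristics below.
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # 32/64-bit big-endian Mach-O
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # 32/64-bit little-endian Mach-O
                b"\xca\xfe\xba\xbe")                        # universal (fat) binary
ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte little-endian ELF64 header
ELF64_PHDR = "<IIQQQQQQ"           # 56-byte program header entry
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def analyze_elf64(data: bytes) -> list:
    """Return a list of structural anomalies found in a little-endian ELF64 image.

    Heuristics (each one is a lead, not proof of tampering):
      * the entry point lies outside every executable PT_LOAD segment
        (typical of an entry hijack into an injected code cave)
      * a PT_LOAD segment is both writable and executable
      * a segment's file range runs past the end of the file
      * bytes are appended after the last segment and the section table
        (an overlay, as prepend/append-style infectors produce)
      * a second ELF or Mach-O header is embedded inside the file
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_entry, e_phoff, e_shoff = hdr[4], hdr[5], hdr[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = hdr[9], hdr[10], hdr[11], hdr[12]
    if e_phoff + e_phnum * e_phentsize > len(data):
        return ["program header table extends past end of file"]

    findings, loads = [], []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            ELF64_PHDR, data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        loads.append((p_flags, p_offset, p_vaddr, p_filesz, p_memsz))
        if p_flags & PF_W and p_flags & PF_X:
            findings.append(f"writable+executable segment at 0x{p_vaddr:x}")
        if p_offset + p_filesz > len(data):
            findings.append(f"segment at 0x{p_vaddr:x} extends past end of file")

    if not any(f & PF_X and v <= e_entry < v + m for f, _, v, _, m in loads):
        findings.append(f"entry point 0x{e_entry:x} not inside an executable segment")

    # Everything past the last segment and the section table is an overlay.
    known_end = max([o + s for _, o, _, s, _ in loads] + [e_shoff + e_shnum * e_shentsize, 64])
    if len(data) > known_end:
        findings.append(f"{len(data) - known_end} bytes appended past the last segment/section table")

    for magic in (ELF_MAGIC,) + MACHO_MAGICS:
        pos = data.find(magic, 1)
        if pos != -1:
            findings.append(f"embedded executable header {magic.hex()} at offset {pos}")
    return findings


def build_elf64(entry: int, segments: list, trailer: bytes = b"") -> bytes:
    """Construct a minimal ELF64 image for demonstration (constructed sample, not a real binary).

    segments: list of (vaddr, size, flags); each becomes one PT_LOAD filled with NOP bytes.
    """
    phoff, phentsize = 64, struct.calcsize(ELF64_PHDR)
    body_off = phoff + phentsize * len(segments)
    phdrs, body = b"", b""
    for vaddr, size, flags in segments:
        off = body_off + len(body)
        phdrs += struct.pack(ELF64_PHDR, PT_LOAD, flags, off, vaddr, vaddr, size, size, 0x1000)
        body += b"\x90" * size
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, version 1
    ehdr = struct.pack(ELF64_EHDR, ident, 2, 62, 1, entry, phoff, 0, 0,
                       64, phentsize, len(segments), 64, 0, 0)
    return ehdr + phdrs + body + trailer


def demo() -> tuple:
    """Analyze a clean constructed image and one with an injected-looking layout."""
    clean = build_elf64(0x401000, [(0x401000, 0x200, PF_R | PF_X), (0x402000, 0x100, PF_R | PF_W)])
    injected_image = build_elf64(0x401000, [(0x401000, 0x10, PF_R | PF_X)])
    tampered = build_elf64(0x405000,
                           [(0x401000, 0x200, PF_R | PF_X), (0x402000, 0x100, PF_R | PF_W | PF_X)],
                           trailer=injected_image)
    return analyze_elf64(clean), analyze_elf64(tampered)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result or "no findings")
```

Run over a directory of system binaries, the same function makes a useful second opinion next to the package manager's own hash check: a file whose hash still matches a vendor manifest is clean, but a file whose hash does not match and which also shows an overlay or an out-of-segment entry point deserves immediate attention. The embedded-header check is deliberately noisy (some legitimate installers and firmware blobs carry inner images), so treat it as a triage signal rather than an alert on its own.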

Behavioral Transparency

Some techniques (such as dynamic-library hijacking) exploit mechanisms built into the system to make the attack transparent. By hijacking the normal dependency-loading flow of legitimate software, the execution of the malicious code blends completely into the host program's behavior, and detection based on process-behavior baselines or API-call sequences struggles to identify the anomaly.

Data Obscuring

Memory-resident techniques physically obscure attack data by never writing to disk, while parasitic code injection may protect the malicious payload with encryption or obfuscation. Some advanced attacks decrypt at run time, unpacking executable code only in memory, so that static analysis tools cannot extract the complete attack logic.
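Both of the last two sections (library hijacking that blends into the host process, and payloads that exist only in memory) leave no useful trace on disk but do leave one in the process's memory map. As an added example (not part of the original page, and not code from MITRE or any vendor), the audit below parses `/proc/<pid>/maps` text and flags the mappings a defender would want to correlate across processes: executable regions that are also writable, anonymous or memfd-backed executable regions, executable regions backed by a file that has since been deleted (a binary replaced on disk while the old copy keeps running), executable code loaded from outside the trusted directories, and the same library name mapped from two different directories, which is the footprint of a hijacked dependency. The `SAMPLE_MAPS` text is a constructed sample and the trusted-prefix list is an assumption to adapt per distribution.

```python
import os

# Directories from which a process's executable mappings are normally expected
# to come; adjust per distribution (assumption, not a universal list).
TRUSTED_PREFIXES = ("/usr/", "/lib", "/bin/", "/sbin/", "/opt/")
SPECIAL_MAPPINGS = {"[vdso]", "[vsyscall]", "[vvar]", "[stack]", "[heap]"}


def parse_maps(text: str):
    """Yield (start, end, perms, path) for each line of /proc/<pid>/maps text."""
    for line in text.splitlines():
        parts = line.split(None, 5)          # address perms offset dev inode [pathname]
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) == 6 else ""
        yield start, end, parts[1], path


def audit_maps(text: str, trusted_prefixes=TRUSTED_PREFIXES) -> list:
    """Return findings for executable mappings that do not fit a normal process image."""
    findings = []
    exec_dirs_by_name = {}                   # library basename -> set of directories it was mapped from
    for start, end, perms, path in parse_maps(text):
        if "x" not in perms:
            continue
        rng = f"{start:x}-{end:x}"
        if path and not path.startswith(("/memfd:", "[")) and not path.endswith("(deleted)"):
            exec_dirs_by_name.setdefault(os.path.basename(path), set()).add(os.path.dirname(path))
        if "w" in perms:
            reason = "writable and executable mapping"
        elif path == "":
            reason = "anonymous executable mapping"
        elif path.startswith("/memfd:"):
            reason = "executable mapping backed by an anonymous memfd"
        elif path.endswith("(deleted)"):
            reason = "executable mapping backed by a deleted file"
        elif path in SPECIAL_MAPPINGS:
            continue
        elif not path.startswith(trusted_prefixes):
            reason = "executable mapping from untrusted location"
        else:
            continue
        findings.append({"range": rng, "path": path, "reason": reason})

    # A library name present in two directories is the classic hijack footprint.
    for name, dirs in exec_dirs_by_name.items():
        if len(dirs) > 1:
            findings.append({"range": "", "path": name,
                             "reason": f"same library name mapped from {len(dirs)} directories: {sorted(dirs)}"})
    return findings


def audit_pid(pid: int) -> list:
    """Audit a live process on Linux (requires permission to read its maps file)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return audit_maps(fh.read())


# Constructed sample for a notional sshd process: one hijacked libcrypto copy under
# /tmp, one anonymous RWX region and one memfd-backed executable region.
SAMPLE_MAPS = """\
5581b2c00000-5581b2d2a000 r-xp 00000000 08:01 917532 /usr/sbin/sshd
7f19a0400000-7f19a05b0000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libc.so.6
7f19a0600000-7f19a0640000 r--p 00000000 08:01 1322 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f19a0640000-7f19a07c0000 r-xp 00040000 08:01 1322 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f19a0800000-7f19a0803000 r-xp 00000000 08:01 40121 /tmp/.cache/libcrypto.so.3
7f19a0900000-7f19a0921000 rwxp 00000000 00:00 0
7f19a0a00000-7f19a0a05000 r-xp 00000000 00:05 22 /memfd:stage (deleted)
7ffd1c2e0000-7ffd1c2e2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for f in audit_maps(SAMPLE_MAPS):
        print(f"{f['range'] or '-':>26}  {f['reason']}  {f['path']}")
```

Running `audit_pid` across every process and diffing the result against a baseline taken on a known-good host turns this into the cross-process correlation the text calls for: a single JIT-enabled runtime with an anonymous executable region is normal, the same region appearing in a daemon that never generates code is not. The "deleted file" rule is also the cheapest way to catch a replaced OpenSSH or curl binary whose long-running process still maps the original image.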

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used a trojanized version of Windows Notepad to add a layer of persistence for Industroyer.[1]

G1023 APT5

APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs including the legitimate DSUpgrade.pm file to install the ATRIUM webshell for persistence.[2][3]

S1136 BFG Agonizer

BFG Agonizer uses DLL unhooking to remove user mode inline hooks that security solutions often implement. BFG Agonizer also uses IAT unhooking to remove user-mode IAT hooks that security solutions also use.[4]

S0486 Bonadan

Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[5]

S1118 BUSHWALK

BUSHWALK can embed into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs.[6][7]

C0029 Cutting Edge

During Cutting Edge, threat actors trojanized legitimate files in Ivanti Connect Secure appliances with malicious code.[8][9][6]

S0377 Ebury

Ebury modifies the keyutils library to add malicious behavior to the OpenSSH client and the curl library.[10][11]

S1120 FRAMESTING

FRAMESTING can embed itself in the CAV Python package of an Ivanti Connect Secure VPN located in /home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py.[6]

S0604 Industroyer

Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.[1]

S0487 Kessel

Kessel has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[5]

S0641 Kobalos

Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[12]

S1119 LIGHTWIRE

LIGHTWIRE can embed itself into the legitimate compcheckresult.cgi component of Ivanti Connect Secure VPNs to enable command execution.[8][6]

S1121 LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA can append malicious components to the tmp/tmpmnt/bin/samba_upgrade.tar archive inside the factory reset partition in an attempt to persist post reset.[7]

S1104 SLOWPULSE

SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files.[3]

S0595 ThiefQuest

ThiefQuest searches through the /Users/ folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior.[13][14]

S1116 WARPWIRE

WARPWIRE can embed itself into a legitimate file on compromised Ivanti Connect Secure VPNs.[8]

S1115 WIREFIRE

WIREFIRE can modify the visits.py component of Ivanti Connect Secure VPNs for file download and arbitrary command execution.[8][9]

S0658 XCSSET

XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.[15]

Mitigations

ID Mitigation Description
M1045 Code Signing

Ensure all application component binaries are signed by the correct application developers.

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files that may modify client software binaries to establish persistent access to systems.

File Deletion

Monitor for unexpected deletion of client software binaries to establish persistent access to systems.

File Metadata

Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment

File Modification

Monitor changes to client software that do not correlate with known software or patch cycles.
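The three file-based detections above (creation, deletion and modification of client software binaries, correlated against known patch cycles) are one procedure, so here is a single added example that implements it end to end; it is not part of the original page and not MITRE's or any FIM product's code. It takes a baseline snapshot of a directory tree (SHA-256, size and permission bits per regular file), compares a later snapshot against it, and suppresses only the paths a known package upgrade or deployment was expected to touch, so that an unscheduled change to an SSH daemon, a deleted client, or a new hidden helper next to it is reported. The directory tree and its file contents in `demo()` are constructed placeholders, not real binaries.

```python
import hashlib
import os
import tempfile


def snapshot(root: str) -> dict:
    """Record sha256, size and permission bits for every regular file under root.

    Keys are POSIX-style paths relative to root, so snapshots of the same image
    taken on different hosts are directly comparable.
    """
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and specials are out of scope here
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": digest.hexdigest(), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return manifest


def diff_snapshots(baseline: dict, current: dict, expected_changes=frozenset()) -> list:
    """Return (kind, path) for every change a known patch cycle does not explain.

    expected_changes: relative paths that a package upgrade or deployment was
    scheduled to touch; changes to those paths are suppressed, all others reported.
    """
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel in expected_changes:
            continue
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            findings.append(("created", rel))
        elif after is None:
            findings.append(("deleted", rel))
        elif before["sha256"] != after["sha256"]:
            findings.append(("modified", rel))
        elif before["mode"] != after["mode"]:
            findings.append(("permissions changed", rel))
    return findings


def demo() -> list:
    """Build a constructed tree, baseline it, simulate changes, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Baseline: placeholder "binaries" (constructed content, not real programs).
        write("bin/sshd", b"\x7fELF sshd placeholder")
        write("bin/curl", b"\x7fELF curl placeholder")
        write("lib/libkeyutils.so.1", b"\x7fELF keyutils placeholder")
        baseline = snapshot(root)

        # One approved library update, plus three changes nobody scheduled.
        write("lib/libkeyutils.so.1", b"\x7fELF keyutils placeholder v2")
        write("bin/sshd", b"\x7fELF sshd placeholder" + b"\x90" * 64)   # appended code
        os.remove(os.path.join(root, "bin/curl"))                        # client removed
        write("bin/.helper", b"\x7fELF unexpected new file")              # hidden newcomer

        return diff_snapshots(baseline, snapshot(root),
                              expected_changes={"lib/libkeyutils.so.1"})


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:>20}  {rel}")
```

Two operational points follow from the design. The baseline must be stored and compared off the monitored host (an attacker who can replace sshd can also edit a manifest kept next to it), and the expected-change set should be generated from the package manager's own transaction log or the deployment system's change ticket rather than typed by hand, otherwise the suppression list becomes the easiest thing for an intruder to extend.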

References