A researcher has shown how a type of vulnerability affecting many ransomware families can be exploited to control the malware and terminate it before it can encrypt files on compromised systems.
Researcher John Page (aka hyp3rlinx) has been running a project called Malvuln, which catalogs vulnerabilities found in various pieces of malware.
The Malvuln project was launched in early 2021. SecurityWeek wrote about it in January 2021, when it only had two dozen entries, and again in June 2021, when it had reached 260 entries. As of May 4, 2022, Malvuln has cataloged nearly 600 malware vulnerabilities.
In the first days of May, Page added 10 new entries describing vulnerabilities found in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families.
The researcher found that these and likely other ransomware families are affected by DLL hijacking vulnerabilities. These types of flaws can typically be exploited for arbitrary code execution and privilege escalation by placing a specially crafted DLL in a location that the loader searches before it reaches the legitimate DLL.
In the case of ransomware, an “attacker” can create a DLL file with the same name as a DLL that is searched for and ultimately loaded by the ransomware. If the new DLL is placed next to the ransomware executable, the malware loads it instead of the legitimate DLL. This can be used to intercept the malware and terminate it before it can encrypt any files.
The researcher noted that the DLLs can be hidden — he does this in his PoC videos by using the Windows “attrib +s +h” command.
“Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting,” Page explained. “From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.”
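The deployment side of the approach described above, as an added example that is not part of the article or the Malvuln project: a PowerShell script that copies one prepared decoy DLL into a protected folder under each file name a given ransomware sample is known to look up, hides the copies with the same `attrib +s +h` command the researcher uses, and reports whether each decoy is in place. The decoy DLL itself (`$DecoySource`) and the DLL names in `$DllNames` are assumptions and placeholders; the article does not name the DLLs involved, so substitute the names documented for the family you are defending against.

```powershell
# Deploy-DecoyDlls.ps1  (added example; not the researcher's own tooling)
# Copies a pre-built decoy DLL into $TargetFolder under each name in $DllNames,
# hides the copies with "attrib +s +h", then verifies each one.
# $DecoySource and the default $DllNames are placeholders you must replace.
param(
    [Parameter(Mandatory)] [string]   $TargetFolder,
    [Parameter(Mandatory)] [string]   $DecoySource,
    [string[]] $DllNames = @('PLACEHOLDER_ONE.dll', 'PLACEHOLDER_TWO.dll')
)

function Install-DecoyDll {
    param([string] $Folder, [string] $Source, [string] $Name)
    $dest = Join-Path $Folder $Name
    if (Test-Path -LiteralPath $dest) {
        # Never overwrite a file that already lives here; it may be a real DLL.
        Write-Warning "$dest already exists; skipping"
        return $false
    }
    Copy-Item -LiteralPath $Source -Destination $dest
    # Same hiding step shown in the PoC videos.
    attrib +s +h $dest
    return $true
}

function Test-DecoyDll {
    param([string] $Folder, [string] $Name)
    $path = Join-Path $Folder $Name
    # -Force is required so Get-Item returns hidden/system files.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return 'missing' }
    $hidden = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
    $system = $item.Attributes.HasFlag([IO.FileAttributes]::System)
    if ($hidden -and $system) { return 'ok' }
    return 'present-but-visible'
}

if (-not (Test-Path -LiteralPath $DecoySource)) {
    throw "decoy DLL not found: $DecoySource"
}
if (-not (Test-Path -LiteralPath $TargetFolder -PathType Container)) {
    throw "target folder not found: $TargetFolder"
}

# Install every decoy, then print a one-line status per name.
foreach ($name in $DllNames) {
    Install-DecoyDll -Folder $TargetFolder -Source $DecoySource -Name $name | Out-Null
    '{0,-32} {1}' -f $name, (Test-DecoyDll -Folder $TargetFolder -Name $name)
}
```

Run it as `.\Deploy-DecoyDlls.ps1 -TargetFolder '\\fileserver\finance' -DecoySource 'C:\decoys\decoy.dll' -DllNames 'PLACEHOLDER_ONE.dll'`. Two points matter in practice: the script refuses to overwrite an existing file, because a folder may legitimately contain a DLL of the same name, and a decoy should only be placed where no legitimate program loads that name from the same directory, since any such program would load the decoy too. The status output is also a cheap periodic check that the layer is still present, which is the advantage Page describes over endpoint agents that can be killed.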
Page told SecurityWeek that some of the ransomware samples he tested are very recent, but noted that the method works against nearly every ransomware, comparing it to a “Pandora’s box of vulnerabilities.”
The researcher has also published videos showing exploitation of the vulnerabilities for each ransomware. The videos show how the malware is prevented from encrypting files if a specially crafted DLL file is placed in the same folder as the ransomware executable.
The Malvuln database stores information on authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related and other types of vulnerabilities found in malware.
Page recently also unveiled Adversary3, an open source tool described as a “malware vulnerability intel tool for third-party attackers.” The tool is written in Python and it’s designed to make it easier to access data from the Malvuln database, allowing users to find vulnerabilities based on the exploit category.
The researcher says the tool could be useful in red teaming engagements. For example, the tester could look for devices hosting malware and leverage vulnerabilities in that malware to escalate privileges.
When the project was launched, some members of the cybersecurity community raised concerns that the information could be useful to malware developers, helping them fix vulnerabilities, some of which may have silently been exploited for threat intelligence purposes.
However, the ransomware vulnerabilities and the Adversary3 tool show that the project can also be useful to the cybersecurity community.