Archive for the ‘Windows 10 in S mode’ Category

Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV

September 27th, 2018 No comments

Consider this scenario: Two never-before-seen, heavily obfuscated scripts manage to slip past file-based detection and dynamically load an info-stealing payload into memory. The scripts are part of a social engineering campaign that tricks potential victims into running the scripts, which use the file names install_flash_player.js and BME040429CB0_1446_FAC_20130812.XML.PDF.js, to distribute and run the payload.

The payload is sophisticated and particularly elusive, given that it:

  • Doesnt touch the disk, and does not trigger antivirus file scanning
  • Is loaded in the context of the legitimate process that executed the scripts (i.e., wscript.exe)
  • Leaves no traces on the disk, such that forensic analysis finds limited evidence

These are markers of a fileless threat. Still, Windows Defender Advanced Threat Protection (Windows Defender ATP) antivirus capabilities detect the payload, stopping the attack in its tracks. How is this possible?

In this scenario, Antimalware Scan Interface (AMSI) facilitates detection. AMSI is an open interface that allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.

AMSI is part of the range of dynamic next-gen features that enable antivirus capabilities in Windows Defender ATP to go beyond file scanning. These features, which also include behavior monitoring, memory scanning, and boot sector protection, catch a wide spectrum of threats, including new and unknown (like the two scripts described above), fileless threats (like the payload), and other sophisticated malware.

Generically detecting fileless techniques

The two aforementioned obfuscated scripts are actual malware detected and blocked in the wild by antivirus capabilities in Windows Defender ATP. Removing the first layer of obfuscation reveals a code that, while still partially obfuscated, showed some functions related to a fileless malware technique called Sharpshooter. We found the two scripts, which were variants of the same malware, not long after the Sharpshooter technique was documented and published by MDSec in 2017.

The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk. This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script. As demonstrated by the example of the two scripts, files that use the Sharpshooter technique can then be used in social engineering attacks to lure users into running the script to deliver a fileless payload.

Screenshot of obfuscated scriptFigure 1. Obfuscated code from install_flash_player.js script

Screenshot of the script which contains functions typically used in the Sharpshooter technique

Figure 2. After de-obfuscation, the script contains functions typically used in the Sharpshooter technique

When the Sharpshooter technique became public, we knew it was only a matter time before it would be used it in attacks. To protect customers from such attacks, we implemented a detection algorithm based on runtime activity rather than on the static script. In other words, the detection is effective against the Sharpshooter technique itself, thus against new and unknown threats that implement the technique. This is how Windows Defender ATP blocked the two malicious scripts at first sight, preventing the fileless payload from being loaded.

The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior (a fingerprint of the malicious fileless technique). Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked.

This is the dynamic log generated by the scripts and detected by Windows Defender ATP at runtime via AMSI:

Screenshot of the dynamic AMSI log generated during the execution of the Sharpshooter techniqueFigure 3. Dynamic AMSI log generated during the execution of the Sharpshooter technique in the two malicious scripts

Using this AMSI-aided detection, Windows Defender ATP disrupted two distinct malware campaigns in June, as well as the steady hum of daily activities.

Windows Defender ATP telemetry shows two Sharpshooter campaigns in JuneFigure 4. Windows Defender ATP telemetry shows two Sharpshooter campaigns in June

Furthermore, generically detecting the Sharpshooter technique allowed us to discover a particularly sophisticated and interesting attack. Windows Defender ATPs endpoint and detection response capabilities caught a VBScript file that used the Sharpshooter technique.

Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security CenterFigure 5. Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security Center

We analyzed the script and extracted the fileless payload, a very stealthy .NET executable. The malware payload downloads data from its command-and-control (C&C) server via the TXT records of DNS queries. In particular, it downloads the initialization vector and decryption key necessary to decode the core of the malware. The said core is also fileless because its executed directly in memory without being written on the disk. Thus, this attack leveraged two fileless stages.

Screenshot showing that the core component of the malware is decrypted and executed from memoryFigure 6. The core component of the malware is decrypted and executed from memory

Our investigation into the incident turned up enough indicators for us to conclude that this was likely a penetration testing exercise or a test involving running actual malware, and not a real targeted attack.

Nonetheless, the use of fileless techniques and the covert network communication hidden in DNS queries make this malware similar in nature to sophisticated, real-world attacks. It also proved the effectiveness of the dynamic protection capabilities of Windows Defender ATP. In a previous blog post, we documented how such capabilities allow Windows Defender ATP to catch KRYPTON attacks and other high-profile malware.

Upward trend in fileless attacks and living off the land

Removing the need for files is the next progression of attacker techniques. Antivirus solutions have become very efficient in detecting malicious executables. Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis. That’s why we are seeing an increase in attacks that use of malware with fileless techniques.

At a high level, a fileless malware runs its main payload directly in memory without having to drop the executable file on the disk first. This differs from traditional malware, where the payload always requires some initial executable or DLL to carry out its tasks. A common example is the Kovter malware, which stores its executable payload entirely in registry keys. Going fileless allows the attackers to avoid having to rely on physical files and improve stealth and persistence.

For attackers, building fileless attacks poses some challenges; in primis: how do you execute code if you don’t have a file? Attackers found an answer in the way they infect other components to achieve execution within these components environment. Such components are usually standard, legitimate tools that are present by default on a machine and whose functionality can be abused to accomplish malicious operations.

This technique is usually referred to as “living off the land”, as malware only uses resources already available in the operating system. An example is the Trojan:Win32/Holiks.A malware abusing the mshta.exe tool:

Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-lineFigure 7. Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-line

The malicious script resides only in the command line; it loads and executes further code from a registry key. The whole execution happens within the context of the mshta.exe process, which is a clean executable and tends to be trusted as a legitimate component of the operating system. Other similar tools, such as cmstp.exe, regsvr32.exe, powershell.exe, odbcconf.exe, rundll3.exe, just to name a few, have been abused by attackers. Of course, the execution is not limited to scripts; the tools may allow the execution of DLLs and executables, even from remote locations in some cases.

By living off the land, fileless malware can cover its tracks: no files are available to the antivirus for scanning and only legitimate processes are executed. Windows Defender ATP overcomes this challenge by monitoring the behavior of the system for anomalies or known patterns of malicious usage of legitimate tools. For example, Trojan:Win32/Powemet.A!attk is a generic behavior-based detection designed to prevent attacks that leverage the regsvr32.exe tool to run malicious scripts.

Antivirus capabilities Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote scriptFigure 8. Antivirus capabilities in Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote script

What exactly is fileless?

The term fileless suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, theres no generally accepted definition. The term is used broadly; its also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the targets machine and executed. This, too, is considered a fileless attack.

Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.

To shed light on this loaded term, we grouped fileless threats into different categories.

Taxonomy of fileless threats

Figure 9. Taxonomy of fileless threats

We can classify fileless threats by their entry point (i.e., execution/injection, exploit, hardware), then the form of entry point (e.g., file, script, etc.), and finally by the host of the infection (e.g., Flash, Java, documents).

From this classification, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.

  • Type I: No file activity performed. A completely fileless malware can be considered one that never requires writing a file on the disk.
  • Type II: No files written on disk, but some files are used indirectly. There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type do not directly write files on the file system, but they can end up using files indirectly.
  • Type III: Files required to achieve fileless persistence. Some malware can have some sort of fileless persistence but not without using files in order to operate.

Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.

Exploits Hardware Execution or injection

  • File-based (Type III: executable, Flash, Java, documents)
  • Network-based (Type I)

  • Device-based (Type I: network card, hard disk)
  • CPU-based (Type I)
  • USB-based (Type I)
  • BIOS-based (Type I)
  • Hypervisor-based (Type I)

  • File-based (Type III: executables, DLLs, LNK files, scheduled tasks)
  • Macro-based (Type III: Office documents)
  • Script-based (Type II: file, service, registry, WMI repo, shell)
  • Disk-based (Type II: Boot Record)

For a detailed description and examples of these categories, visit this comprehensive page on fileless threats.

Defeating fileless malware with next-gen protection

File-based inspection is ineffective against fileless malware. Antivirus capabilities in Windows Defender ATP use defensive layers based on dynamic behavior and integrate with other Windows technologies to detect and terminate threat activity at runtime.

Windows Defender ATPs next-gen dynamic defenses have become of paramount importance in protecting customers from the increasingly sophisticated attacks that fileless malware exemplifies. In a previous blog post we described some of the offensive and defensive technologies related to fileless attacks and how these solutions help protect our customers. Evolving from the file-centric scanning model, Windows Defender ATP uses a generic and more powerful behavior-centric detection model to neutralize generic malicious behaviors and thus take out entire classes of attack.


Antimalware Scan Interface (AMSI) is an open framework that applications can use to request antivirus scans of any data. Windows leverages AMSI extensively in JavaScript, VBScript, and PowerShell. In addition, Office 365 client applications integrates with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. In the example above, we have shown how AMSI can be a powerful weapon to fight fileless malware.

Windows Defender ATP has implemented AMSI provider and consumes all AMSI signals for protection, these signals are especially effective against obfuscation. It has led to the disruption of malware campaigns like Nemucod. During a recent investigation, we stumbled upon some malicious scripts that were heavily obfuscated. We collected three samples that were evading static signatures and are a mixture of barely recognizable script code and binary junk data.

Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JACFigure 10. Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JAC.

However, after manual de-obfuscation, it turned out that these samples decode and execute the same .js script payload, a known downloader:

A portion of the second stage downloader decrypted by Nemucod.JACFigure 11: A portion of the second stage downloader decrypted by Nemucod.JAC

The payload does not have any obfuscation and is very easy to detect, but it never touches the disk and so could evade file-based detection. However, the scripting engine is capable of intercepting the attempt to execute the decoded payload and ensuring that the payload is passed to the installed antivirus via AMSI for inspection. Windows Defender ATP has visibility on the real payload as its decoded at runtime and can easily recognize known patterns and block the attack before it deals any damage.

Instead of writing a generic detection algorithm based on the obfuscation patterns in the samples, we trained an ML model on this behavior log and wrote heuristic detection to catch the decrypted scripts inspected via AMSI. The results proved effective, catching new and unknown variants, protecting almost two thousand machines in a span of two months. Traditional detection would not have been as effective.

Nemucod.JAC attack campaigns caught via AMSIFigure 12. Nemucod.JAC attack campaigns caught via AMSI

Behavior monitoring

Windows Defender ATPs behavior monitoring engine provides an additional layer of antivirus protection against fileless malware. The behavior monitoring engine filters suspicious API calls. Detection algorithms can then match dynamic behaviors that use particular sequences of APIs with specific parameters and block processes that expose known malicious behaviors. Behavior monitoring is useful not only for fileless malware, but also for traditional malware where the same malicious code base gets continuously repacked, encrypted, or obfuscated. Behavior monitoring proved effective against WannaCry, which was distributed through the DoublePulsar backdoor and can be categorized as a very dangerous Type I fileless malware. While several variants of the WannaCry binaries were released in attack waves, the behavior of the ransomware remained the same, allowing antivirus capabilities in Windows Defender ATP to block new versions of the ransomware.

Behavior monitoring is particularly useful against fileless attacks that live off the land. The PowerShell reverse TCP payload from Meterpreter is an example: it can be run completely on a command line and can provide a PowerShell session to a remote attacker.

Example of a possible command line generated by MeterpreterFigure 13. Example of a possible command line generated by Meterpreter

Theres no file to scan in this attack, but through behavior monitoring in its antivirus capabilities, Windows Defender ATP can detect the creation of the PowerShell process with the particular command line required. Behavior monitoring detects and blocks numerous attacks like this on a daily basis.

Detections of the PowerShell reverse TCP payloadFigure 14. Detections of the PowerShell reverse TCP payload

Beyond looking at events by process, behavior monitoring in Windows Defender ATP can also aggregate events across multiple processes, even if they are sparsely connected via techniques like code injection from one process to another (i.e., not just parent-child processes). Moreover, it can persist and orchestrate sharing of security signals across Windows Defender ATP components (e.g., endpoint detection and response) and trigger protection through other parts of the layered defenses.

Behavior monitoring across multiple processes is not only an effective protection against fileless malware; its also a tool to catch attack techniques in generic ways. Here is another example where multi process behavior monitoring in action, Pyordono.A is a detection based on multi-process events and is aimed at blocking scripting engines (JavaScript, VBScript, Office macros) that try to execute cmd.exe or powershell.exe with suspicious parameters. Windows Defender ATP telemetry shows this detection algorithm protecting users from several campaigns.

Pyordono.A technique detected in the wildFigure 15. Pyordono.A technique detected in the wild

Recently, we saw a sudden increase in Pyordono.A encounters, reaching levels way above the average. We investigated this anomaly and uncovered a widespread campaign that used malicious Excel documents and targeted users in Italy from September 8 to 12.

Screenshot of malicious Excel document with instructions in Italian to click Enable contentFigure 16. Malicious Excel document with instructions in Italian to click Enable content

The document contains a malicious macro and uses social engineering to lure potential victims into running the malicious code. (Note: We have recently integrated Office 365 clients apps with AMSI, enabling antivirus solutions to scan macros at runtime to check for malicious content).

The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.Figure 17. The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.

The macro makes use of obfuscation to execute a cmd command, which is also obfuscated. The cmd command executes a PowerShell script that in turn downloads additional data and delivers the payload, infostealing Ursnif. We recently reported a small-scale Ursnif campaign that targeted small businesses in specific US cities. Through multi-process behavior monitoring, Windows Defender ATP detected and blocked the new campaign targeting users in Italy using a generic detection algorithm without prior knowledge of the malware.

Memory scanning

Antivirus capabilities in Windows Defender ATP also employ memory scanning to detect the presence of malicious code in the memory of a running process. Even if malware can run without the use of a physical file, it does need to reside in memory in order to operate and is therefore detectable by means of memory scanning. An example is the GandCrab ransomware, which was reported to have become fileless. The payload DLL is encoded in a string, then decoded and run dynamically via PowerShell. The DLL itself is never dropped on the disk. Using memory scanning, Windows Defender ATP can scan the memory of running processes and detect known patterns of the ransomware run from the stealthy DLL.

Memory scanning, in conjunction with behavior monitoring and other dynamic defenses, helped Windows Defender ATP to disrupt a massive Dofoil campaign. Dofoil, a known nasty downloader, uses some sophisticated techniques to evade detection, including process hollowing, which allows the malware to execute in the context of a legitimate process (e.g., explorer.exe). To this day, memory scanning detects Dofoil activities.

Detections of the memory-resident Dofoil payloadFigure 18. Detections of the memory-resident Dofoil payload

Memory scanning is a versatile tool: when suspicious APIs or behavior monitoring events are observed at runtime, antivirus capabilities in Windows Defender ATP trigger a memory scan in key points it is more likely to observe (and detect) a payload that has been decoded and may be about to run. This gives Windows Defender ATP granular control on which actions are more interesting and may require more attention. Every day, memory scanning allows Windows Defender ATP to protect thousands of machines against active high-profile threats like Mimikatz and WannaCry.

Boot Sector protection

With Controlled folder access on Windows 10, Windows Defender ATP does not allow write operations to the boot sector, thus closing a dangerous fileless attack vector used by Petya, BadRabbit, and bootkits in general. Boot infection techniques can be suitable for fileless threats because it can allow malware to reside outside of the file system and gain control of the machine before the operating system is loaded. The use of rootkit techniques, like in the defunct Alureon malware (also known as TDSS or TDL-4), can then render the malware invisible and extremely difficult to detect and remove. With Controlled folder access, which is part of Windows Defender ATPs attack surface reduction capabilities, this entire class of infection technique has become a thing of the past.

Control Folder Access preventing a boot sector infection attempted by PetyaFigure 19. Control Folder Access preventing a boot sector infection attempted by Petya

Windows 10 in S mode: Naturally resistant to fileless attacks

Windows 10 in S mode comes with a preconfigured set of restrictions and policies that make it naturally protected against a vast majority of the fileless techniques (and against malware in general). Among the available security features, the following ones are particularly effective against fileless threats:

For executables: Only Microsoft-verified applications from the Microsoft Store are allowed to run. Furthermore, Device Guard provides User Mode Code Integrity (UMCI) to prevent the loading of unsigned binaries.

For scripts: Scripting engines are not allowed to run (including JavaScript, VBScript, and PowerShell).

For macros: Office 365 does not allow the execution of macros in documents from the internet (for example, documents that are downloaded or received as attachment in emails from outside the organization).

For exploits: Exploit protection and Attack surface reduction rules are also available on Windows 10 in S mode as a consistent barrier against exploitation.

With these restrictions in place, Windows 10 in S mode devices are in a robust, locked down state, removing crucial attack vectors used by fileless malware.


As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too.

At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable generic detections that are effective against a wide range of threats. Through AMSI, behavior monitoring, memory scanning, and boot sector protection, we can inspect threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.

Security solutions on Windows 10 integrate into a unified endpoint security platform in Windows Defender Advanced Threat Protection. Windows Defender ATP includes attack surface reduction, next-generation protection, endpoint protection and response, auto investigation and remediation, security posture, and advanced hunting capabilities. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Protections against fileless and other threats are shared across Microsoft 365, which integrate technologies in Windows, Office 365, and Azure. Through the Microsoft Intelligent Security Graph, security signals are shared and remediation is orchestrated across Microsoft 365.



Andrea Lelli
Windows Defender Research







Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV appeared first on Microsoft Secure.

Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which undermine users choice and control of their devices. Windows Defender ATP’s next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. These are applications that dont keep customers in control of devices through informed choices and accessible controls are considered unwanted. Examples of unwanted behavior include modifying browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall or disable applications. Like malicious software, unwanted software threats are malware.

Using a model that leverages predictive technologies, machine learning, applied science, and artificial intelligence powers Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, and automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.



Michael Johnson

Windows Defender Research






Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

  1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and dont let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
  • Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.



Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team



Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.