File-less Malware in the Real World (GrandCrab)

In this video, we’re going to spend a few minutes talking about GrandCrab, and then we’re going to talk about some Living Off the Land projects that are open source for everybody. So let’s get into that. So what is GrandCrab 2018, GrandCrab made its debut and quickly became a well-known malware that was distributed on the dark web. What it did is it was just ransomware, and we’ve already talked about ransomware and what that does. And that is, once it infects a system, it encrypts the system’s files and then demands payment to unencrypt them. And the reason why this one was different? Well, there’s a few reasons. One, it was using Living Off the Land binaries.

It was using PowerShell mostly to do this. It was getting a hold. Once it had privileges, it would start encrypting with PowerShell major files, system files. And the other reason why it was kind of interesting and new is because this was the first time that we saw something using an affiliate program, or what we call ransomware as a service. And the idea here is this is like multilevel marketing. The designers and maintainers of the actual malware, they want the code name Crab or GrandCrab, they would sell a pre-canned kind of walk through with the commands and the malware itself on the dark web for lower sophistication level users.

And then what happened is those attackers would pay for the malware, or maybe they would have a percentage payout based off of how many things they infected and what the payout was from that. Then they would use it, and they could do the hard work of actually getting it onto systems. So this made GrandCrab, the creators of GrandCrab at least, they were able to make money without actually having to be the people that had to break into the systems and do the hard work of getting the malware in place. And this kind of ransomware as a service was a big problem, because it gives top level sophistication malware components and attacks to low level attackers.

And in over two months, 50,000 machines were infected with GrandCrab and over $600,000 US has been paid out in payments for decryption keys. What I want to do now is I want to show you what some of these projects are that support Living Off the Land attacks. So the first project here is called LOLBAS, or Living Off the Land Binaries and Scripts. This project is focused on Windows. And you can see here what it does is, on the left side it lists the binary. I’m going to zoom in on that for you. On the left side it lists the binary that we’re talking about, and these are all built into Windows by default.

And on the right side it lists what we can do with that binary. OK. So you can see that there’s Bitadmin and Bash.exe and all these things here. So if we go to Certutil, we see that Certutil can download files for us. It can do alternate data streams for us. It can encode and decode data. All right. So if we click on it and see what it gives us, and we get a little bit of a pop-up saying that this page is dangerous, but we know it’s not.

When we go here, it will show us some examples actually of how to use Certutil here to download a file from the internet and save it as a 7zip disc in the current folder. OK. And so this kind of stuff can be used. If you think about this from an attacker’s perspective, what this means is you go back to that email. You get an email, it’s got a Word document, that Word document has a macro.

That macro launches PowerShell, and that PowerShell will execute the Certutil command, the Certutil command will download a file from the internet. That file could be the next step in my malware chain, this could be the more advanced malware. So I’m using basically that file and the Certutil command as what we call a stager. And that stager then goes and grabs the second stage, which is the actual payload, which could be custom malware. It could be something like interpreter, something like, It could be anything. Pulls it down, and in this case it drops it in the current folder as a 7zip file. And that’s just one. So that’s just what Certutil does.

If we go back, we can see there’s a lot of different ones. There’s a lot of people contributing to this project. And this is very hard for defenders, because they have to worry about making rules for the way that each one of these binaries is used and how to separate that good use from malicious use. You can see the problem that this creates, and you can see that there are a lot of them. And then there’s another project that is focused on Linux, and that is GTFOBins. This is the same concept here.

This is just on the left it shows the binaries, on the right it shows what you can do with those binaries if you use them in a clever way. And if we click on one of them, we’ll click on awk, because it’s got a bunch of stuff that it can do. You’ll see again that it gives us examples. And it’s the same process here. If you’re targeting someone that’s on a Linux box, you’re going to drop something. You know it has awk in it, and it’s going to use one of these strings and it’s going to try and autorun that. Now Linux isn’t autorun enabled, but you would try and get that system to run this command for you.

So that’s what Living Off the Land Binaries are in file-less malware attacks, or non-malware attacks as some people like to call them, and a brief overview of GrandCrab. What made it interesting, it was again just kind of generic ransomware, but it used these file-less approaches in the way that it used PowerShell, RTP, and some other WMI mans. And then also its multilevel marketing approach, affiliate programs, and ransomware as a service. This is kind of what we talked about in this section. In the next section, which I think is kind of our last major talking point section, it’s going to be hybrid attacks. And I think this is going to be super obvious, if it hasn’t already become obvious.

And we’ll get into that in the next video.