COM Hijacking: Threat Analysis of Possible Vulnerability

Gökhan
11 min read · May 18, 2024


A silent, yet highly effective attack: COM Hijacking and potential vulnerability analysis report.

Attackers may not always use brute force. Sometimes, it’s better to wait for the right time.

Attackers use COM Hijacking to evade AV solutions and slip past the security controls built into the operating system.

This report walks through an example test application (ExplorerBlurMica), the registry and memory changes it makes, the COM Hijacking risk those changes create, and how far that risk extends.

What is COM?

COM (Component Object Model) is Microsoft's binary standard for reusable software components: a program asks for an object by its Class Identifier (CLSID), which is a GUID, and the system loads whatever server is registered for that CLSID. The registration lives in the registry under HKEY_CLASSES_ROOT\CLSID\{CLSID}. An in-process server is a DLL whose path is the (Default) value of the InprocServer32 subkey; an out-of-process server is an EXE named in LocalServer32. HKCR itself is not a real hive but a merged view of HKLM\Software\Classes (machine-wide) and HKCU\Software\Classes (per-user).

HKCU (HKEY_CURRENT_USER) holds registrations that apply only to the current user, while HKLM (HKEY_LOCAL_MACHINE) holds registrations valid for every account on the machine. Writing under HKLM needs administrative rights; writing under HKCU does not. Neither change needs a reboot: the new path is used the next time a process instantiates that CLSID. What matters for hijacking is the merge order: when a non-elevated process resolves a CLSID, the per-user HKCU entry is consulted before the machine-wide HKLM entry, so a per-user key can shadow a machine-wide registration.

What is COM Hijacking?

COM Hijacking is the abuse of the COM registration mechanism. It is not a single technique; the most common form is to change the registry value that names the server for a CLSID (the InprocServer32 path of a DLL, or the LocalServer32 path of an EXE) so that it points at the attacker's file. The technique is hard for AV solutions and other security products to catch because nothing in the attacker's own process does anything unusual: the malicious DLL is loaded later, by a trusted and often whitelisted process, as part of a normal COM activation.

The common code injection methods, by contrast, go through a well-known sequence of API calls against another process (open a handle, allocate and write memory, create a remote thread), which is exactly what many AV solutions and EDR agents monitor, so they are comparatively easy to detect.

A COM hijack involves none of that. The payload rides in on a trusted or ignored COM object and arrives in the target process through the ordinary loader path, so to an AV solution it looks like a system function rather than an injection.

Processes such as “explorer.exe” or “svchost.exe”, for example, are trusted by most AV solutions and security products, even though they run with a high level of authorisation. Products tend not to interfere with them unless they have to, because doing so risks breaking the system. These processes instantiate hundreds of COM objects (shell extensions, icon and property handlers, service hosts), and every one of them is resolved through a registry lookup.

At this point the registry entries under the relevant CLSID keys can be manipulated so that a lookup resolves to a DLL, service or executable of the attacker's choosing. Because the load is then performed by “svchost.exe” or “explorer.exe” itself, the payload inherits whatever trust the security product extends to that process; there is no new process to block on its own, so it is in effect whitelisted by default.

Vulnerability Report: ExplorerBlurMica

In my test, I chose a tool that registers a shell extension for “explorer.exe” on Windows 10 and 11 and modifies registry entries to do so. This tool is a perfect illustration of COM Hijacking: it is not harmful by itself, but the registrations it creates are exactly the ones an attacker would reuse to get a DLL loaded into “explorer.exe”.

  • Affected components: “explorer.exe”
  • Test subject: ExplorerBlurMica (no harmful activity, clean tool)
  • Affected build: Win32 Native Win10 1089–2004–22H2, Win11 22H2–23H2
  • Potential Risk: the tool contains no malicious activity, but the way it works (registering a DLL under a CLSID and a Browser Helper Object key that explorer.exe loads) exposes it to COM Hijacking.

The table below lists the techniques that, according to MITRE ATT&CK, the tool's behaviour maps to. Even a simple intervention in a system component can lead to sensitive functions such as VirtualAlloc being called in a process that is not isolated in any way. The full list of matching ATT&CK tactics and techniques:

MITRE ATT&CK mapping (tactic: techniques)

  • TA0002 Execution: T1129 Shared Modules
  • TA0003 Persistence: T1176 Browser Extensions; T1547.001 Registry Run Keys / Startup Folder; T1574.002 DLL Side-Loading
  • TA0004 Privilege Escalation: T1134 Access Token Manipulation; T1547.001 Registry Run Keys / Startup Folder; T1574.002 DLL Side-Loading
  • TA0005 Defense Evasion: T1112 Modify Registry; T1134 Access Token Manipulation; T1218.010 Regsvr32; T1218.011 Rundll32; T1497 Virtualization/Sandbox Evasion; T1497.001 System Checks; T1574.002 DLL Side-Loading
  • TA0006 Credential Access: T1056.001 Keylogging
  • TA0007 Discovery: T1012 Query Registry; T1057 Process Discovery; T1082 System Information Discovery; T1083 File and Directory Discovery; T1497 Virtualization/Sandbox Evasion; T1497.001 System Checks; T1518.001 Security Software Discovery
  • TA0009 Collection: T1056.001 Keylogging; T1185 Browser Session Hijacking

The event samples below carry the RuleName T1122. That is the ATT&CK ID under which COM Hijacking was originally catalogued; the technique now lives at T1546.015 (Event Triggered Execution: Component Object Model Hijacking).

Next, we review the relevant rules from the crowd-sourced Sigma ruleset. We will work through several sample event sets, all produced by ExplorerBlurMica, whose registrations are exactly what a COM Hijacking attack would reuse.

The first sample set shows three Sysmon registry events (Event ID 13, SetValue) in which processes living under “\system32” write the path of a DLL on the user's Desktop into the InProcServer32 default value of a CLSID under HKCR. Note the CLSID in these writes; it recurs throughout the analysis.

EventSample1: Potential Persistence Via COM Hijacking From Suspicious Locations

//EventSample1

EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
ProcessGuid:{C784477D-0DD1-64D8-1F06-000000004400}
UtcTime:1691880913
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
RuleName:T1122
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
RuleName:T1122
UtcTime:1691880919
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1122
UtcTime:1691880922
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

Three different process IDs, all producing a T1122 match (the legacy ATT&CK ID for COM Hijacking). The writing images are regsvr32.exe, rundll32.exe and loaddll64.exe, all under “\system32”. The first two are signed Microsoft binaries that commonly pass whitelists (ATT&CK T1218.010 and T1218.011); loaddll64.exe is not a stock Windows binary and is usually the helper an analysis sandbox uses to load and exercise a submitted DLL.

The three ProcessGuid values share their first segment, which Sysmon derives from the machine, and differ in the later segments, so these are three separate processes on the same host rather than one process tree. What they have in common is the EventType: each is a “SetValue”, i.e. a registry value being changed.

To load the DLL the loader needs its location, and that location comes from the registry: the (Default) value of the InprocServer32 (InProcServer32) subkey is the path of the in-process server. The event therefore records exactly where the DLL will later be loaded from.

The TargetObject parameter names the registry value being modified. Here it sits under “{B44BD3C8-E597-4E08-AE43-246CE24698E7}”. From this point on, whenever a process instantiates that CLSID, COM resolves it through the InProcServer32 value and loads the named .dll into the calling process.

This is where COM Hijacking comes into play. To exploit it, the attacker points the InprocServer32 value of a CLSID that a trusted process is known to instantiate at a DLL of their own, either by editing the machine-wide key or, without administrative rights, by creating the same CLSID path under HKCU\Software\Classes, which the merge consults first. Once the malicious .dll has been loaded into the target service or program (explorer.exe, for instance), the attacker can do anything that process can, from code execution to post-infection activity.

EventSample2: Potential Persistence Via COM Search Order Hijacking

//EventSample2

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
UtcTime:1691880919
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
RuleName:T1122
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1122
UtcTime:1691880922
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

According to the Sigma rule titled “Potential Persistence Via COM Search Order Hijacking”, a closely related attack is possible. Here the attacker does not overwrite the machine-wide CLSID entry; instead they exploit the order in which COM searches for a registration.

COM resolves a CLSID through HKCR, and HKCR is a merged view in which the per-user hive (HKCU\Software\Classes) is searched before the machine-wide one (HKLM\Software\Classes). An attacker who creates the same CLSID\...\InprocServer32 path under HKCU, pointing at a DLL of their own stored outside the system directories (in the program's own folder, for instance), wins that search without touching HKLM and without administrative rights.

The difference from the first rule is therefore not the absence of a registry write (the sample events above are registry writes) but where it happens: a per-user key that never required elevation, which is easy to miss for products that only watch HKLM.

During the attack, when the target process instantiates the COM object, the system takes the per-user registration ahead of the machine-wide one, so the .dll with malicious code is loaded in place of the safe/original file. This is distinct from DLL side-loading (T1574.002 in the table above), where a same-named DLL is dropped into the application's directory and picked up by the DLL search path without any registry change.
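To make the CLSID resolution and the search order concrete, here is an added example (my code, not the tool's and not part of the original post) that parses two `reg export` files, one for HKLM\Software\Classes\CLSID and one for HKCU\Software\Classes\CLSID, resolves a CLSID the way the HKCR merge does, and lists per-user InprocServer32 registrations that shadow a machine-wide one or point outside the Windows directory. The exports embedded in the block are constructed: the HKLM entry mirrors the values ExplorerBlurMica writes, the HKCU entry pointing at a Desktop copy is a hypothetical hijack, and the second CLSID is a placeholder.

```python
"""Resolve a CLSID the way the HKCR merged view does (per-user
HKCU\\Software\\Classes first, machine-wide HKLM\\Software\\Classes as the
fallback) and audit per-user registrations that shadow or extend the machine
view. Input is the text that `reg export` produces. Added example; not code
from the original post or from the ExplorerBlurMica project."""
import re

# Constructed exports. The HKLM entry mirrors what ExplorerBlurMica registers;
# the HKCU entry for the same CLSID is a hypothetical hijack and the second
# CLSID is a placeholder, not a real registration.
HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}]
@="ExplorerBlurMica BHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32]
@="C:\\ExplorerBlurMica.dll"
"ThreadingModel"="Apartment"
"""

HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32]
@="C:\\Users\\george\\Desktop\\ExplorerBlurMica.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Users\\george\\AppData\\Local\\Temp\\helper.dll"
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r"^software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
WINDOWS_DIRS = ("c:\\windows\\", "%systemroot%\\")


def unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path below the hive (lower-cased): {value name: data}}.
    String data is unescaped; dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape(data[1:-1])
        current[name] = data
    return keys


def resolve_inproc_server(clsid, hkcu, hklm):
    """Mimic the HKCR merge for a non-elevated process: the per-user key wins."""
    sub = "software\\classes\\clsid\\%s\\inprocserver32" % clsid.lower()
    for hive_name, hive in (("HKCU", hkcu), ("HKLM", hklm)):
        path = hive.get(sub, {}).get("(Default)")
        if path:
            return hive_name, path
    return None, None


def audit_user_clsids(hkcu, hklm):
    """Flag per-user in-process servers that shadow a machine-wide registration
    with a different DLL, or that exist only per-user and live outside Windows."""
    findings = []
    for path, values in hkcu.items():
        m = INPROC_RE.match(path)
        if not m or "(Default)" not in values:
            continue
        clsid, user_dll = m.group(1).upper(), values["(Default)"]
        machine_dll = hklm.get(path, {}).get("(Default)")
        if machine_dll and machine_dll.lower() != user_dll.lower():
            findings.append(("shadows-machine-registration", clsid, user_dll, machine_dll))
        elif not user_dll.lower().startswith(WINDOWS_DIRS):
            findings.append(("user-only-server-outside-windows", clsid, user_dll, None))
    return findings


if __name__ == "__main__":
    hkcu, hklm = parse_reg_export(HKCU_EXPORT), parse_reg_export(HKLM_EXPORT)
    print("resolves to:", resolve_inproc_server("{B44BD3C8-E597-4E08-AE43-246CE24698E7}", hkcu, hklm))
    for kind, clsid, user_dll, machine_dll in audit_user_clsids(hkcu, hklm):
        print(f"{kind}: {clsid} -> {user_dll}" + (f" (machine: {machine_dll})" if machine_dll else ""))
```

On a real host the inputs come from `reg export HKLM\Software\Classes\CLSID machine.reg` and `reg export HKCU\Software\Classes\CLSID user.reg` (reg export writes UTF-16, so open the files with encoding="utf-16" before passing the text to parse_reg_export). Two caveats: elevated (high-integrity) processes ignore per-user COM registrations, so an HKCU hijack only reaches processes running at medium integrity, explorer.exe included; and 32-bit servers on 64-bit Windows are registered under Classes\WOW6432Node\CLSID, which a complete audit has to cover as well.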

EventSample3: CurrentVersion Autorun Keys Modification

//EventSample3

EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
ProcessGuid:{C784477D-0DD1-64D8-1F06-000000004400}
UtcTime:1691880913
Details:DWORD (0x00000001)
RuleName:T1176
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
ProcessGuid:{C784477D-0DD7-64D8-2906-000000004400}
UtcTime:1691880919
Details:DWORD (0x00000001)
RuleName:T1176
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

EventID:13
ProcessId:8096
EventType:SetValue
Image:C:\Windows\system32\loaddll64.exe
RuleName:T1176
UtcTime:1691880922
Details:DWORD (0x00000001)
ProcessGuid:{C784477D-0DD1-64D8-1C06-000000004400}
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

The Sigma rule titled “CurrentVersion Autorun Keys Modification” covers something other than COM Hijacking. It fires on writes to the keys under CurrentVersion that Windows and Explorer consult at logon and start-up, among them the “Run”, “RunOnce” and “RunOnceEx” keys and, as in the events above, the “Browser Helper Objects” key (T1176, Browser Extensions). An attacker who controls these keys controls what starts automatically.

This is of course not malicious code execution in itself, but it shows how a harmless tool's registrations can be repurposed for offensive use.
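The following is an added example (not from the original post or from the ExplorerBlurMica project) that implements the logic of the two Sigma rules discussed in EventSample1 and EventSample3 as plain Python and runs it over Sysmon Event ID 13 records written in the same key:value layout as the sample sets. The events embedded in the block are constructed from those samples plus one benign write; the lists of suspicious directories and autorun keys are my own subset of what the published rules cover, not the rules' full contents.

```python
"""Run the logic of two Sigma rules over Sysmon Event ID 13 (RegistryEvent:
SetValue) records in the key:value layout used by the sample sets above.
Added example; not code from the original post or the ExplorerBlurMica
project. The directory and key lists are a subset chosen for illustration."""
import re

# Constructed sample: the Desktop-DLL writes and the BHO write from the sample
# sets, plus one benign write that points a CLSID at a DLL under System32.
SAMPLE_EVENTS = r"""EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:7360
EventType:SetValue
Image:C:\Windows\system32\rundll32.exe
Details:C:\Users\george\Desktop\ExplorerBlurMica.dll
TargetObject:HKCR\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32\(Default)

EventID:13
ProcessId:8156
EventType:SetValue
Image:C:\Windows\system32\regsvr32.exe
Details:DWORD (0x00000001)
TargetObject:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\NoInternetExplorer

EventID:13
ProcessId:4120
EventType:SetValue
Image:C:\Windows\System32\regsvr32.exe
Details:C:\Windows\System32\shell32.dll
TargetObject:HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32\(Default)
"""

# A CLSID's server registration: ...\CLSID\{guid}\InprocServer32\(Default) or LocalServer32.
COM_SERVER_RE = re.compile(
    r"\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)\\\(Default\)$", re.IGNORECASE)

# Assumption: user-writable locations a legitimate COM server rarely lives in.
SUSPICIOUS_LOCATIONS = ("\\users\\public\\", "\\desktop\\", "\\downloads\\",
                        "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\")

# Assumption: a subset of the start-up keys the autorun rule watches.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                "\\currentversion\\runonceex\\", "\\explorer\\browser helper objects\\",
                "\\explorer\\shellexecutehooks\\")


def parse_events(text):
    """Split blank-line separated records into dicts; the first ':' ends the key."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def com_hijack_from_suspicious_location(ev):
    """Registry value set on a CLSID server key, pointing into a user-writable directory."""
    if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
        return False
    if not COM_SERVER_RE.search(ev.get("TargetObject", "")):
        return False
    details = ev.get("Details", "").lower()
    return any(loc in details for loc in SUSPICIOUS_LOCATIONS)


def autorun_key_modification(ev):
    """Registry value set under one of the start-up / Explorer extension keys."""
    if ev.get("EventID") != "13":
        return False
    target = ev.get("TargetObject", "").lower()
    return any(key in target for key in AUTORUN_KEYS)


RULES = {
    "Potential Persistence Via COM Hijacking From Suspicious Locations": com_hijack_from_suspicious_location,
    "CurrentVersion Autorun Keys Modification": autorun_key_modification,
}


def run_rules(text):
    """Return (rule title, ProcessId, image basename, TargetObject) for every match."""
    hits = []
    for ev in parse_events(text):
        for title, rule in RULES.items():
            if rule(ev):
                hits.append((title, ev["ProcessId"], ev["Image"].rsplit("\\", 1)[-1], ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for title, pid, image, target in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] pid={pid} image={image}\n    {target}")
```

The benign fourth record is what keeps the first rule honest: a CLSID write by regsvr32.exe is routine during software installation, and it is the combination of the server key with a DLL in a user-writable directory that is worth an alert.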

Critical registry locations accessed by the tool in question (ExplorerBlurMica):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regsvr32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\FIDs\ByFID
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B44BD3C8-E597-4E08-AE43-246CE24698E7}

As the list shows, if the shell extension registrations of explorer.exe are manipulated, the door is open to malware that both evades AV software and runs inside a trusted system process.

"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "(DEFAULT)"; Value: "ExplorerBlurMica BHO")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "(DEFAULT)"; Value: "C:\ExplorerBlurMica.dll")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "THREADINGMODEL"; Value: "Apartment")
"regsvr32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "NOINTERNETEXPLORER"; Value: "01000000")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "(DEFAULT)"; Value: "ExplorerBlurMica BHO")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "(DEFAULT)"; Value: "C:\ExplorerBlurMica.dll")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\CLASSES\CLSID\{B44BD3C8-E597-4E08-AE43-246CE24698E7}\INPROCSERVER32"; Key: "THREADINGMODEL"; Value: "Apartment")
"rundll32.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{B44BD3C8-E597-4E08-AE43-246CE24698E7}"; Key: "NOINTERNETEXPLORER"; Value: "01000000")

The sample above is the registration sequence ExplorerBlurMica performs. Step by step:

  • SETVAL: the registry is opened and a series of values are written.
  • Values are written under both CLSID and CurrentVersion.
  • The CLSID “{B44BD3C8-E597–4E08-AE43–246CE24698E7}” is given a friendly name (“ExplorerBlurMica BHO”) and a ThreadingModel of Apartment.
  • Its InprocServer32 (Default) value is set to the DLL path, “C:\ExplorerBlurMica.dll” in this run.

The sequence registers a Browser Helper Object (BHO) under a key created specifically for ExplorerBlurMica, and the same writes are repeated by rundll32.exe. A change to nothing more than the explorer.exe interface thus already adds and modifies a whole series of registry values, each of which is a natural target for COM Hijacking.

Patches to memory addresses (writes into loaded modules, as recorded by the sandbox):

"rundll32.exe" wrote bytes "20d29856fc010000f05f9756fc01000070fbd1bbf87f000020179a56fc010000" to virtual address "0xF0C4E090" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "00889956fc010000" to virtual address "0xF0C4E058" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "20d49756fc010000" to virtual address "0xF0C4E0F8" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "605d9756fc010000e08e9756fc010000a0d19856fc01000050619956fc010000" to virtual address "0xF0C4E0B8" (part of module "RUNDLL32.EXE")
"rundll32.exe" wrote bytes "a09dfeb8f87f0000608efeb8f87f000090b7fcb8f87f0000a090feb8f87f0000508dfcb8f87f0000502efcb8f87f000020c4feb8f87f000070bbfeb8f87f000080bcfeb8f87f00004078ffb8f87f0000a0bafeb8f87f00000088feb8f87f0000" to virtual address "0xBA1D4030" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "6012fdb8f87f0000" to virtual address "0xBA1D4020" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "30c0ffb8f87f000020c0ffb8f87f000000b8ffb8f87f0000c09efeb8f87f0000d0a1feb8f87f000090bafeb8f87f000080ba04b9f87f000080a2ffb8f87f0000603dfcb8f87f0000402303b9f87f0000" to virtual address "0xBA1D52B0" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "f0c0feb8f87f000030ea01b9f87f0000303ffcb8f87f0000102402b9f87f00009080fcb8f87f0000c04bfcb8f87f0000802402b9f87f00006072ffb8f87f000030f2fcb8f87f00008005feb8f87f0000" to virtual address "0xBA1D4270" (part of module "GDI32.DLL")
"rundll32.exe" wrote bytes "e03b88b6f87f0000302a88b6f87f0000e02188b6f87f0000e01e88b6f87f0000c03588b6f87f0000b01588b6f87f0000c02689b6f87f0000c01488b6f87f0000" to virtual address "0xB66E10F0" (part of module "UXTHEME.DLL")
"regsvr32.exe" wrote bytes "e98102b2ff" to virtual address "0xBBD20710" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e9c108b2ff" to virtual address "0xBBD20010" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e981ffb1ff" to virtual address "0xBBD208D0" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e94106b2ff" to virtual address "0xBBD20190" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e94100b2ff" to virtual address "0xBBD20690" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e98103b2ff" to virtual address "0xBBD20290" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991f0b1ff" to virtual address "0xBBD21AC0" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911d5b1ff" to virtual address "0xBBD23680" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911edb1ff" to virtual address "0xBBD21D00" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911f3b1ff" to virtual address "0xBBD21200" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e9d1e6b1ff" to virtual address "0xBBD22300" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991dab1ff" to virtual address "0xBBD22E80" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e911dbb1ff" to virtual address "0xBBD22C80" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e991d2b1ff" to virtual address "0xBBD23480" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e951e4b1ff" to virtual address "0xBBD22240" (part of module "NTDLL.DLL")
"regsvr32.exe" wrote bytes "e951f8b1ff" to virtual address "0xBBD20D40" (part of module "NTDLL.DLL")
  • “rundll32.exe” writes pointer-sized (8-byte) values into data regions of its own image, GDI32.dll (the core graphics library) and UxTheme.dll. That is the pattern of function-pointer tables being repopulated, consistent with the tool hooking the drawing routines so that explorer.exe is redrawn with the desired transparent appearance.
  • “regsvr32.exe” writes 5-byte sequences of the form “e9XXXXXXXX”, i.e. JMP rel32 instructions, at sixteen locations inside NTDLL.dll (the core system library). These are inline hooks at function entry points: whoever installs them gets control before the original code, and therefore before the system call, runs. An attacker with the same foothold can use exactly this mechanism to execute malicious code in the path of native API calls.
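Reading the patch list by eye is error-prone, so here is an added example (mine, not from the original post or the tool) that decodes a selection of the records above: for the regsvr32.exe writes it treats the 5 bytes as an E9 rel32 near jump and resolves the target, for the rundll32.exe writes it splits the data into little-endian 64-bit values. Assumption: the report prints addresses truncated to their low 32 bits, so jump targets are computed modulo 2^32.

```python
"""Decode sandbox 'wrote bytes ... to virtual address ...' records: 5-byte
E9 rel32 jumps (inline hooks) get their target resolved, multi-qword writes
are split into little-endian 64-bit values. Added example, not code from the
original post. Assumption: the report shows addresses truncated to 32 bits,
so targets are reduced modulo 2**32."""
import struct

# Constructed from the report lines above: (process, hex bytes, address, module).
WRITES = [
    ("rundll32.exe", "20d29856fc010000f05f9756fc01000070fbd1bbf87f000020179a56fc010000", 0xF0C4E090, "RUNDLL32.EXE"),
    ("rundll32.exe", "00889956fc010000", 0xF0C4E058, "RUNDLL32.EXE"),
    ("regsvr32.exe", "e98102b2ff", 0xBBD20710, "NTDLL.DLL"),
    ("regsvr32.exe", "e9c108b2ff", 0xBBD20010, "NTDLL.DLL"),
    ("regsvr32.exe", "e981ffb1ff", 0xBBD208D0, "NTDLL.DLL"),
    ("regsvr32.exe", "e94106b2ff", 0xBBD20190, "NTDLL.DLL"),
]

MASK32 = 0xFFFFFFFF


def jmp_rel32_target(address, patch):
    """Target of an E9 rel32 written at `address`: the address of the next
    instruction (5 bytes on) plus the signed 32-bit displacement."""
    if len(patch) != 5 or patch[0] != 0xE9:
        return None
    rel = struct.unpack("<i", patch[1:5])[0]
    return (address + 5 + rel) & MASK32


def pointer_values(patch):
    """Split a write that is a whole number of qwords into little-endian 64-bit values."""
    if len(patch) % 8:
        return []
    return list(struct.unpack("<%dQ" % (len(patch) // 8), patch))


def classify(write):
    """Label a record as an inline hook (with its target) or a pointer-table update."""
    process, hexbytes, address, module = write
    patch = bytes.fromhex(hexbytes)
    target = jmp_rel32_target(address, patch)
    if target is not None:
        return {"process": process, "module": module, "kind": "inline-hook", "at": address, "target": target}
    return {"process": process, "module": module, "kind": "pointer-table", "at": address,
            "values": pointer_values(patch)}


def hook_target_span(records):
    """Lowest and highest hook target; hooks from one framework land in one trampoline region."""
    targets = [r["target"] for r in records if r["kind"] == "inline-hook"]
    return (min(targets), max(targets)) if targets else None


if __name__ == "__main__":
    records = [classify(w) for w in WRITES]
    for r in records:
        if r["kind"] == "inline-hook":
            print(f"{r['process']}: JMP at 0x{r['at']:08X} in {r['module']} -> 0x{r['target']:08X}")
        else:
            print(f"{r['process']}: {len(r['values'])} pointer(s) at 0x{r['at']:08X} in {r['module']}: "
                  + ", ".join(f"0x{v:016X}" for v in r["values"]))
    lo, hi = hook_target_span(records)
    print(f"all hook targets fall within 0x{lo:08X}-0x{hi:08X} ({hi - lo} bytes)")
```

The four decoded jumps all land between 0xBB8407D6 and 0xBB840996, a 448-byte window about 5 MB below the patched ntdll entry points, which is what a hook framework's trampoline table looks like; sixteen scattered patches that converge on one small region are the signature to look for. The third value of the first rundll32.exe write, 0x00007FF8BBD1FB70, has low bits a few hundred bytes below those same ntdll addresses, consistent with a pointer into a system DLL being stored in a table.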

Autogen YARA rule:

rule autogen_peexe_AntiVmControlDllhostExplorerGreywareLolbinSettingsynchost_9d6f5546
{
meta:
author = "FileScan.IO Engine v1.1.0-77bd2b4"
date = "2023-08-24"
sample = "9d6f554604111405e48f7fdf0eba972bdde5e0a275d2e7dd66240681ea595344"
score = 20
tags = "anti-vm,control,dllhost,explorer,greyware,lolbin,settingsynchost"
isWeakRule = false

strings:

//IOC patterns
$req0 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
$req1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
$req2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\\\"
$req3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize"
$req4 = "https://github.com/Maplespe/ExplorerBlurMica/"
$req5 = "{B44BD3C8-E597-4E08-AE43-246CE24698E7}"

//optional strings
$opt0 = "ADVAPI32.dll"
$opt1 = "AcquireSRWLockExclusive"
$opt2 = "AdjustTokenPrivileges"
$opt3 = "AreFileApisANSI"
$opt4 = "COMCTL32.dll"
$opt5 = "CloseThreadpoolTimer"
$opt6 = "CloseThreadpoolWait"
$opt7 = "CoCreateInstance"
$opt8 = "Control Panel\\Desktop\\WindowMetrics"
$opt9 = "CreateEventExW"
$opt10 = "CreateEventW"
$opt11 = "CreateFileW"
$opt12 = "CreateMutexW"
$opt13 = "CreateSemaphoreExW"
$opt14 = "CreateSemaphoreW"
$opt15 = "CreateSymbolicLinkW"
$opt16 = "CreateThread"
$opt17 = "CreateThreadpoolTimer"
$opt18 = "CreateThreadpoolWait"
$opt19 = "CreateThreadpoolWork"
$opt20 = "CreateToolhelp32Snapshot"
$opt21 = "CreateWindowExW"
$opt22 = "DeleteCriticalSection"
$opt23 = "DestroyWindow"
$opt24 = "DisableThreadLibraryCalls"
$opt25 = "DllCanUnloadNow"
$opt26 = "DllGetClassObject"
$opt27 = "DllRegisterServer"
$opt28 = "DllUnregisterServer"
$opt29 = "EncodePointer"
$opt30 = "EnterCriticalSection"
$opt31 = "EnumChildWindows"
$opt32 = "ExitProcess"
$opt33 = "FindFirstFileExW"
$opt34 = "FindFirstFileW"
$opt35 = "FindNextFileW"
$opt36 = "FlushFileBuffers"
$opt37 = "FlushInstructionCache"
$opt38 = "FlushProcessWriteBuffers"
$opt39 = "FreeEnvironmentStringsW"
$opt40 = "FreeLibrary"
$opt41 = "FreeLibraryAndExitThread"
$opt42 = "FreeLibraryWhenCallbackReturns"
$opt43 = "GetCommandLineA"
$opt44 = "GetCommandLineW"
$opt45 = "GetConsoleMode"
$opt46 = "GetConsoleOutputCP"
$opt47 = "GetCurrentPackageId"
$opt48 = "GetCurrentProcess"
$opt49 = "GetCurrentProcessId"
$opt50 = "GetCurrentProcessorNumber"
$opt51 = "GetCurrentThreadId"
$opt52 = "GetDesktopWindow"
$opt53 = "GetEnvironmentStringsW"
$opt54 = "GetFileInformationByHandleEx"
$opt55 = "GetFileSizeEx"
$opt56 = "GetFileType"
$opt57 = "GetKeyState"
$opt58 = "GetLastError"
$opt59 = "GetModuleFileNameW"
$opt60 = "GetModuleHandleExW"
$opt61 = "GetModuleHandleW"
$opt62 = "GetPrivateProfileStringW"
$opt63 = "GetProcAddress"
$opt64 = "GetProcessHeap"
$opt65 = "GetStartupInfoW"
$opt66 = "GetStdHandle"
$opt67 = "GetStringTypeW"
$opt68 = "GetSystemInfo"
$opt69 = "GetSystemTimeAsFileTime"
$opt70 = "GetSystemTimePreciseAsFileTime"
$opt71 = "GetThreadContext"
$opt72 = "GetThreadId"
$opt73 = "GetTickCount64"
$opt74 = "GetWindowLongW"
$opt75 = "HeapCreate"
$opt76 = "HeapDestroy"
$opt77 = "HeapReAlloc"
$opt78 = "InitOnceExecuteOnce"
$opt79 = "InitializeConditionVariable"
$opt80 = "InitializeCriticalSectionAndSpinCount"
$opt81 = "InitializeCriticalSectionEx"
$opt82 = "InitializeSListHead"
$opt83 = "InitializeSRWLock"
$opt84 = "InterlockedFlushSList"
$opt85 = "IsDebuggerPresent"
$opt86 = "IsProcessorFeaturePresent"
$opt87 = "KERNEL32.dll"
$opt88 = "LCMapStringW"
$opt89 = "LeaveCriticalSection"
$opt90 = "LoadLibraryExW"
$opt91 = "LoadLibraryW"
$opt92 = "LookupPrivilegeValueW"
$opt93 = "MonitorFromWindow"
$opt94 = "OpenProcessToken"
$opt95 = "OpenThread"
$opt96 = "QueryPerformanceCounter"
$opt97 = "RaiseException"
$opt98 = "RegCloseKey"
$opt99 = "RegCreateKeyExW"
$opt100 = "RegDeleteKeyW"
$opt101 = "RegGetValueW"
$opt102 = "RegOpenKeyExW"
$opt103 = "RegQueryValueExW"
$opt104 = "RegSetValueExW"
$opt105 = "ReleaseMutex"
$opt106 = "ReleaseSRWLockExclusive"
$opt107 = "ResetEvent"
$opt108 = "ResumeThread"
$opt109 = "RtlCaptureContext"
$opt110 = "RtlLookupFunctionEntry"
$opt111 = "RtlPcToFileHeader"
$opt112 = "RtlVirtualUnwind"
$opt113 = "SHCore.dll"
$opt114 = "SendMessageW"
$opt115 = "SetFileInformationByHandle"
$opt116 = "SetFilePointerEx"
$opt117 = "SetLastError"
$opt118 = "SetStdHandle"
$opt119 = "SetThreadContext"
$opt120 = "SetThreadpoolTimer"
$opt121 = "SetThreadpoolWait"
$opt122 = "SetUnhandledExceptionFilter"
$opt123 = "SetWindowCompositionAttribute"
$opt124 = "SetWindowLongW"
$opt125 = "SettingSyncHost.exe"
$opt126 = "SleepConditionVariableCS"
$opt127 = "SleepConditionVariableSRW"
$opt128 = "SubmitThreadpoolWork"
$opt129 = "SuspendThread"
$opt130 = "SystemParametersInfoW"
$opt131 = "TerminateProcess"
$opt132 = "TerminateThread"
$opt133 = "Thread32First"
$opt134 = "Thread32Next"
$opt135 = "TlsGetValue"
$opt136 = "TlsSetValue"
$opt137 = "TryAcquireSRWLockExclusive"
$opt138 = "TryEnterCriticalSection"
$opt139 = "USER32.dll"
$opt140 = "UnhandledExceptionFilter"
$opt141 = "UxTheme.dll"
$opt142 = "VirtualAlloc"
$opt143 = "VirtualFree"
$opt144 = "VirtualProtect"
$opt145 = "VirtualQuery"
$opt146 = "WaitForSingleObject"
$opt147 = "WaitForSingleObjectEx"
$opt148 = "WaitForThreadpoolTimerCallbacks"
$opt149 = "WakeAllConditionVariable"
$opt150 = "WakeConditionVariable"
$opt151 = "WriteConsoleW"
$opt152 = "dllhost.exe"
$opt153 = "dwmapi.dll"
$opt154 = "explorer.exe"
$opt155 = "gdiplus.dll"
$opt156 = "inappropriate io control operation"
$opt157 = "kernel32.dll"
$opt158 = "mscoree.dll"
$opt159 = "read only file system"
$opt160 = "user32.dll"
$opt161 = "uxtheme.dll"
$opt162 = "vmtoolsd.exe"

condition:
//require 50% of optional strings
uint16(0) == 0x5A4D and filesize > 197223 and filesize < 21913621913 and all of ($req*) and 81 of ($opt*)
}

Results

A tool designed solely to change the appearance of File Explorer, with no malicious code or activity of its own, still leaves a door open for attackers to reach critical system components and files.

Because the attacker's .dll and autorun entries are loaded by critical system components such as “explorer.exe” and “svchost.exe” rather than by a process of their own, they inherit that component's trust and can evade security solutions with little effort.

This scenario applies not only to ExplorerBlurMica but to any tool that hooks into system processes and has write access to the relevant registry locations.

AV solutions keep improving, but their willingness to interfere with critical system components is still limited. Attackers who know this can use these methods to gain a foothold in targeted systems.

-Gökhan


Gökhan

Information Security Specialist / Computer Engineer