Exploits & Vulnerabilities
SettingContent-ms Used for DeepLink Payload
In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy. That campaign was mostly targeting banks in different countries across Asia and Europe.
Save to Folio
Microsoft’s SettingContent-ms has become a recent topic of interest. In July, we saw one spam campaign use malicious SettingContent-ms files embedded in a PDF to drop the remote access Trojan FlawedAmmyy, a RAT also used by the Necurs botnet. That campaign was mostly targeting banks in different countries across Asia and Europe.
SettingContent-ms is a recent addition to Microsoft software, first introduced in Windows 10. The contents written on it are in XML format/language and normally these files contain setting content for Windows functions, such as update processes and default applications used to open particular file types. The most common use of this file is to act as a shortcut to open the old Windows Control Panel.
Figure 1. SettingContent-ms file extension and icon
Figure 2. Normal usage of SettingContent’s DeepLink tag
As well as the spam campaign, there was also Proof of Concept (PoC) research involving Microsoft’s SettingContent-ms file published in July by Specter Ops. Both the research and campaign show that abuse can typically be done by replacing the commandline under the DeepLink tag with something malicious. At first, when Microsoft heard about this issue from the researchers, they did not consider it an operating system vulnerability. But on August 2018, they released a patch to address this issue: CVE-2018-8414.
Figure 3. Malicious Commandline via DeepLink tag
As an example of how SettingContent-ms can be abused, see image above (Figure 3). The malicious commandline written under the DeepLink tag is capable of executing a PowerShell script to download and execute the payload from a malicious website.
On further investigation of these abuse methods, we begin to see the limitations of the technique. Using DeepLink alone seems to have a few disadvantages:
| Advantages | Disadvantages |
· Easy to deploy |
· Only accepts a maximum of 517 characters |
· Smaller file size – not suspicious at first glance
|
· Limited to some Command Execution techniques, such as:
|
Based on this insight, further research was done to discover what other techniques could be deployed using SettingContent-ms. Previously, researchers already looked into the idea of using the Icon tag for malicious purposes. To verify whether this technique will work, we created a SettingContent PoC which uses both DeepLink and Icon tag for installing the payload.
DeepLink + Icon-based Payload—How Does it Work?
In this malicious scenario, the DeepLink tag must only contain a commandline capable of invoking what is written under the Icon tag (Main Payload). For our PoC research, we put a heavily obfuscated script under the Icon tag as seen below (in Figure 4).
Figure 4. DeepLink invoking the Icon tag
Figure 5. Continuation of the malicious PowerShell script written under the Icon tag (deobfuscated)
We did this test to see if the Icon-based payload would work even with a long, complicated or obfuscated script—it did. The PowerShell script written under the Icon tag of this PoC came from previous malware, TROJ_PSINJECT.A, capable of downloading ANDROM/GAMARUE.
Even with this manipulation, the file icon appears innocuously blank (as shown in Figure 1), and we saw that it will appear this way regardless of what is written under the Icon tag.
Assuming that this latest technique could become a potential threat in the future, it has advantages and disadvantages as well:
| Advantages | Disadvantages |
· Still easy to deploy |
· Larger file size – easy to be flagged as suspicious at first glance |
· The Icon tag accepts UNLIMITED characters |
|
· Not limited to simple command execution; it could deploy different scripting techniques such as ReflectivePEInjection, backdoors, etc. |
Solutions and Mitigation
This technique shows that cybercriminals have many tools at their disposal to help them deploy an effective and complicated payload. The scenario outlined above started out from a simple malicious commandline on SettingContent-ms via DeepLink tag until we discovered that a more complex and longer payload could be deployed via the Icon tag. There are still many normal files with the same potential for abuse as SettingContent-ms, so we must continue doing research on different applications to stay ahead of malicious actors and new threats.
To protect against these and similar threats abusing SettingContent-ms, employ solutions that have behavioral monitoring capabilities. They identify and block malicious commandlines in these files before they can run on a victim’s machine. Trend Micro™ Endpoint Security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware. We also stay alert for the techniques outlined above by monitoring the SettingContent-ms files coming in and checking for the creation of new process commandlines.