SUMMARY
- The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.
- Attack exploits the IMsiServer interface for remote code execution and persistence.
- Malicious DLLs are remotely written, loaded, and executed to compromise systems.
- It requires the attacker and victim to be within the same domain, limiting the scope.
- Consistent DCOM hardening patches can mitigate attack effectiveness.
Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.
The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.
The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.
For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.
On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.
The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.
The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.
The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.
Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.
Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.
This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.
