Developers: | Cymulate |
Date of the premiere of the system: | 2022/07/05 |
Content |
The main articles are:
2022: Hopper White Hat announcement
On July 5, 2022, it became known that a worm had been created to protect against other worms. Hopper is a tool for white hackers to protect and analyze system vulnerabilities.
As reported, as of July 2022, worms are the most destructive force in the field of information security, bringing multi-million dollar damage to companies. Despite this, there are viruses that benefit. Such a virus is Hopper.
Detection tools poorly detect non-exploit-based spread, which worms do best. Most information security solutions are less resistant attacks to worm methods, such as the use of an impersonation token (token impersonation - allows you to perform any actions on behalf of another user), and others that take advantage of imperfect internal configurations - a set of libraries, PAM segmentation, insecure storage credentials data , etc.
Hopper is a worm with commands and control, built-in privilege elevation and many other of the most dangerous abilities of a self-multiplying virus. Hopper tells its White Hat operators where and how it managed to break into the network. He reports how far he's come, what he's found along the way and how to improve defenses.
The development team Cymulate created Hopper based on a stager - a small executable file as an initial payload that prepares a larger payload. Stager also serves as a PE packer (a program that indirectly loads and executes programs from a package). Stager was written in such a way that the initial payload does not need to be changed after the Hopper update.
To maximize Hopper flexibility, the Cymulate team added various initial execution methods, communication methods, ways to obtain the initial payload, various implementation methods, and more.
To create a hidden worm, the developers made the configurations almost completely operator-controlled:
- Initial payload configuration - fully configurable execution methods, including executable files, libraries, Python scripts, shellcodes, PowerShell scripts, etc.;
- Payload configuration of the first stage - configurable methods for receiving and embedding packages;
- The beacon configuration of the second stage is the configured communication channels and the waiting time for the confirmation of activity, as well as the jitter (delay fluctuations, meaning that packets are sent and received at different rates).
- API - wireless addition of capabilities, including communication methods, distribution methods and exploits.
Hopper's initial deployment is in memory and in stages. The first stage is a small plug with limited capabilities. The stub triggers a more important piece of code instead of containing code within itself, making it difficult to mark the file as malicious.
To elevate privileges, the authors chose different UAC traversal methods, using vulnerable (print spooler) and incorrectly configured services, as well as autorun to optimize privileges or save to the network. Hopper uses minimum privileges to achieve its goals. For example, if a machine grants a user access to a target device, Hopper may not raise privileges to distribute to the device.
Hopper has centralized management of credentials, which allows it to distribute data between instances. All Hopper variants have access to the collected credentials, so there is no need to duplicate the confidential database on other machines.
Hopper uses incorrect exploit configurations to distribute. Misconfiguration is difficult to detect as malicious activity. For example, incorrect Active Directory settings may open access to the resource. Also, incorrect software settings may allow the user to remotely execute the code.
The Cymulate command chose in-memory execution for Hopper because in-memory execution uses direct system calls instead of API calls that can be tracked by EDR products. If Hopper really needs to use API functions, he first detects and unloads EDR interceptors.
To maintain stealth, Hopper communicates with the C2 server during working hours, masking the activity with ordinary working activity. It also only interacts with servers from the allowed list (for example, Slack, Google Tables, or other public services).
Hopper White Hat is a suitable solution to prevent worm attacks. Hopper turns the power of the worm into a real protection tool[1].
See also
- Software and hardware vulnerabilities