Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Pg. 07

Boot Persistence
This approach works because the full path of a specific component is stored in the registry. By changing that path (it can point anywhere except system32), the service loads the target code, and the target code then loads the original DLL using its full path in system32. Our dnsext.dll module can be dynamically unloaded at startup because nothing references it. The only potential problem is a timing issue on the dnsext service if it has dependencies on the host.
As of Windows 8.1, the instance of SVCHost that hosts the DnsCache service also contains the following services: CryptSvc, Dnscache, LanmanWorkstation, NlaSvc and TermService. These services listen on ports 3389 (RDP) and 5355 (LLMNR). When the host DLL is loaded into the process and communicates with the C&C server, port 443 (SSL) shows up in the ESTABLISHED state. It has been observed and confirmed that this anomaly is not flagged by PSPs.
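As an added defender-side check (not part of the original document), the following Python audits the two indicators described above on constructed sample data: a service DLL path that resolves outside System32 while reusing a System32 file name, and a svchost process that listens on 3389/5355 yet holds an ESTABLISHED session to port 443. It assumes the path is read from the ServiceDll value under each service's Parameters key (the document does not name the key) and that %SystemRoot% expands to C:\Windows; the DLL list and netstat rows are constructed.

```python
import ntpath
import re

# Constructed sample of (service, path) pairs as read from the ServiceDll value under
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters (assumed location of the path).
SAMPLE_SERVICE_DLLS = [
    ("Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    ("CryptSvc", r"%SystemRoot%\system32\cryptsvc.dll"),
    ("NlaSvc", r"C:\ProgramData\Cache\dnsext.dll"),   # constructed: relocated copy
    ("TermService", r"C:\Windows\System32\termsrv.dll"),
]
# Constructed baseline of DLL names that legitimately live in System32; a real audit
# would build this from a known-good image of the same Windows build.
SYSTEM32_BASELINE = {"dnsrslvr.dll", "cryptsvc.dll", "termsrv.dll", "dnsext.dll"}
ENV = {"SystemRoot": r"C:\Windows"}  # assumed expansion on the sample host

def normalize(path):
    """Expand %VAR% references, normalise separators and fold case."""
    expanded = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)
    return ntpath.normpath(expanded).lower()

def audit_service_dlls(records):
    """Return (service, path, reason) for every service DLL loaded from outside System32."""
    system32 = normalize(r"%SystemRoot%\System32")
    findings = []
    for svc, raw in records:
        full = normalize(raw)
        directory, name = ntpath.split(full)
        if directory != system32:
            reason = "outside System32"
            if name in SYSTEM32_BASELINE:   # same name as a system DLL: the relocation pattern above
                reason += "; same name as a System32 DLL"
            findings.append((svc, full, reason))
    return findings

# Constructed netstat-style rows: (pid, local_port, remote_port, state).
SAMPLE_CONNECTIONS = [
    (1204, 3389, 0, "LISTENING"),
    (1204, 5355, 0, "LISTENING"),
    (1204, 49712, 443, "ESTABLISHED"),   # TLS session from the Dnscache host process
    (880, 49800, 443, "ESTABLISHED"),    # another svchost; not the one of interest
]

def flag_dnscache_host_tls(conns, hosted_ports=(3389, 5355)):
    """PIDs listening on the RDP/LLMNR ports should not also hold outbound 443 sessions."""
    hosts = {pid for pid, lport, _, state in conns if state == "LISTENING" and lport in hosted_ports}
    return [(pid, rport) for pid, _, rport, state in conns
            if pid in hosts and state == "ESTABLISHED" and rport == 443]

if __name__ == "__main__":
    print(audit_service_dlls(SAMPLE_SERVICE_DLLS))
    print(flag_dnscache_host_tls(SAMPLE_CONNECTIONS))
```

On a live host the same functions can be fed the registry values and a parsed netstat listing instead of the constructed samples.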
The date and time stamp on the host DLL should be set to a date earlier than the day the DLL is actually built. The date and time stamps must take into account the release date of the version of the Visual Studio compiler used to generate the host DLL.
The size of the host DLL binary must be less than 280KB, which includes the DLL shell, execution dispatcher, loader, engine, C&C client, beacon, command processor and uninstaller.
The host DLL is allowed to make any calls it requires to Win32 APIs and NTDLL native functions without restriction.
The host DLL contains the custom loader that loads the Engine AXE. Once the Engine AXE is up and running, the host DLL can be unloaded without affecting the operation of the engine.
