The security gap continues to evolve as attackers adjust their tactics to evade the latest defensive techniques. Using a recent case study, Adam Burt; Senior Systems Engineer at Fidelis Cybersecurity, will share his experience “From the Front Lines” on an example of the issues faced during investigations and Incident Response work.

1. Hiding in plain sight
Adam Burt

2. Example based on a previous case
• Customer called us in to investigate suspect machines
• Systems were infected with malicious software
• Customer already attempted discovery / analysis
• 64-bit malware
• Had to re-create the malware manually
• Attempted to evade detection / collection

4. Example based on a previous case
• Customer called us in to investigate suspect machines
• Systems were infected with malicious software
• Customer already attempted discovery / analysis
• 64-bit malware
• Had to re-create the malware manually
• Attempted to evade detection / collection
• Didn’t make use of any Jedi mind tricks
• Does show Fidelis Technologies (a bit)
• I feel a little bad labelling Obi-wan as malware

5. Scenario
• We deployed to site
• We were briefed
• We were given access to their on-site tooling (which was handy)
• Here is what we found…

6. Scenario
Suspect process
mftf.exe
80/TCP
C2 (internal intel)
C:Windowssystem32mftf.exe
MD5 7a02b873bfb5ec3957eef4d9983443be

7. Initial communications
These are the Fidelis bits - Specifically, Fidelis Endpoint

8. Initial communications
These are the Fidelis bits - Specifically, Fidelis Network

9. Let’s go get that file!
• Using customers already deployed tools
• Agent was capable of forensic capture (file / memory)
• We went to collect “C:WindowsSystem32mftf.exe”
• Sure, we can disassemble and pick through the code, easy, no problem

10. What did the file look like?
Static analysis

11. What did the file look like?
Virus Total Info

12. What did the file look like?
Virus Total Info

13. Something didn’t look right
Errrrr, what???
7a02b873bfb5ec3957eef4d9983443be != f2c7bb8acc97f92e987a2d4087d021b1
= No match!

14. How does this feel?
• The customer is always watching
• You feel compelled to find and fix everything humanly possible
• When something doesn’t go right, panic can set in..

16. How does this feel?
• The customer is always watching
• You feel compelled to find and fix everything humanly possible
• When something doesn’t go right, panic can set in..
• Even when it’s nothing to panic about

17. What was this malware doing?
• Rootkit?
• Custom file system filter?
• Automated suspension / termination on recognised process execution?
• Fileless / injected?

18. Microsoft, I’m sure you’re trying to be helpful…
File System Redirector

19. File System Redirector
“Most DLL file names were not changed when 64-bit versions of the DLLs were
created, so 32-bit versions of the DLLs are stored in a different directory. WOW64
hides this difference by using a file system redirector.” *
“In most cases, whenever a 32-bit application attempts to access
%windir%System32, the access is redirected to %windir%SysWOW64.” *
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

20. File System Redirector
On 64-bit Windows
System32 = 64-bit
SysWOW64 = 32-bit
That makes sense 
Why was this done?
Perhaps to help us avoid that complication of re-writing in 64-bit code? oh, wait….

21. One reason
DLL search order
(in no particular order, due to DLL safe search, SetDllDirectory, LOAD_WITH_ALTERED_SEARCH_PATH etc..)
• The directory from which the application loaded.
• The system directory
• The 16-bit system directory
• The Windows directory
• The current directory.
• The directories that are listed in the PATH environment variable
This is the one relevant to our situation

22. File System Redirector
Process
File System Redirector
C:Windowssystem32 C:WindowsSysWOW64
Customer’s acquisition tools
were here
The malware
was here

23. Lessons learned
• Their tools didn’t accommodate the File System Redirector
• File System Redirector can be “disabled” for a process
• The malware authors didn’t have to work hard (or perhaps they didn’t know
about FSR) to hide their malware
• Other than the file collection issue, the malware was pretty obvious
• Microsoft always surprise us
“Applications can control the WOW64 file system redirector using
the Wow64DisableWow64FsRedirection, Wow64EnableWow64FsRedirection, and Wow64RevertWow64FsRedirection functions.
Disabling file system redirection affects all file operations performed by the calling thread, so it should be disabled only when
necessary for a single CreateFile call and re-enabled again immediately after the function returns.”

24. Hiding in plain sight
• There are many aspects that can hinder an investigation
• Investigations can take unexpected turns
• They can be stressful and emotional
• It’s easy to make an assumption, but without evidence, this is dangerous
• We are always assessing our evidence and tool sets

25. Questions and Contact
Adam Burt
adam.burt@fidelissecurity.com
Peter Wieschollek
peter.wieschollek@fidelissecurity.com
Lukasz Przybylski
lukasz.przybylski@eversys.pl