The popular penetration testing and hacking framework Metasploit may be getting long in the tooth, but it hasn’t lost its bite in the hands of bad actors. According to researchers, hackers are still using the tool and a highly effective technique called Shikata Ga Nai (Japanese for “nothing can be done”) to slip past modern day endpoint protections.
Stopping attacks that use this technique still remain a challenge, according to a fresh analysis by FireEye researchers Steve Miller, Evan Reese and Nick Carr posted Monday.
“Despite Metasploit’s over 15 year existence, there are still core techniques that go undetected, allowing malicious actors to evade detection,” researchers wrote.
Metasploit was created in 2003 by network security expert (and hacker) H D Moore. In 2009, Rapid7 hired Moore and acquired Metasploit. Moore designed the tool as a way to make the job of penetration testers easier. And, like many similar tools, it was coopted by black hat hackers who have used it, as recently as last week, to attack computer systems.
Today, Metasploit is on its fifth version and billed by Rapid7 as “penetration testing software to help you act like the attacker.”
Metasploit, and especially Shikata Ga Nai, has also found a home with a cadre of bad guys.
FireEye said Shikata Ga Nai has been used by suspected Chinese nation-state sponsored threat group APT20, along with recent attacks involving cybercrime groups identified by FireEye as UNC902, TA505 and APT41. In 2018, ESET Research identified the Turla APT group using the Shikata Ga Nai encoder in a campaign called Mosquito.
“The encoding utility that Shikata Ga Nai provides is typically found in first stage backdoors,” Reese told Threatpost. This type of malware would be used to gain an initial foothold within an environment during an attack, he said.
“One of [Metasploits] core techniques is the Shikata Ga Nai (SGN) payload-encoding scheme,” FireEye wrote. “Modern detection systems have improved dramatically over the last several years and will often catch plain vanilla versions of known malicious methods. In many cases though, if a threat actor knows what they are doing they can slightly modify existing code to bypass detection.”
According to researchers, skilled code tweaks, via the Metasploit SGN technique, are still highly lethal. They credit the SGN encoder’s unique “polymorphic XOR additive feedback encoder” for its success. Researchers break down that jargon as such:
“It is polymorphic in that each creation of encoded shellcode is going to be different from the next,” researchers wrote. SGN will make the payload appear benign via encoding the malware with “dynamic instruction substitution, dynamic block ordering, randomly interchanging registers, randomizing instruction ordering, inserting junk code, using a random key, and randomization of instruction spacing between other instructions.”
A XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.
In the context of Metasploit and SGN, “The XOR additive feedback piece in this case refers to the fact the algorithm is XORing future instructions via a random key and then adding that instruction to the key to be used again to encode the next instruction. Decoding the shellcode is a process of following the steps in reverse.”
Researchers said SGN has managed to elude endpoint protection that relies too heavily on static and dynamic detection. The decoding of the payload in memory necessary to determine the code’s malicious intent is too taxing on system, making it impractical. Detection via behavioral indicators and sandboxes can also be imprecise, Reese explains.
“Different engines will fall into the static or dynamic detection categories, including machine learning, but it is important to spread detections across engines within these categories. Relying on a single detection or engine is a single point of failure,” he said. “It is entirely possible to detect SGN without machine learning, and we even included a YARA rule in the blog, but the addition of a machine learning engine… is a great approach for adding detection depth.”
Researchers said, SGN encoded payloads vary. “Looking forward, we expect to see continued usage of SGN encoded payloads,” they said.
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
