Cybercriminals still use Metasploit to bypass modern defense mechanisms

Even after 15 years, the Metasploit penetration testing framework is still being used by cybercriminals to circumvent modern protection mechanisms.

According to researchers from FireEye, cybercriminals are still pairing the tool with a highly effective payload-encoding technique called Shikata Ga Nai (Japanese for “nothing can be done”) to slip past modern endpoint protection.

“Modern detection systems have improved dramatically over the last several years and will often catch plain vanilla versions of known malicious methods. In many cases though, if a threat actor knows what they are doing they can slightly modify existing code to bypass detection,” FireEye's researchers write.

Metasploit Framework is the best-known tool for developing, testing and launching exploits. It supports exploitation and post-exploitation of vulnerable targets and delivers “payloads” to the systems it attacks. Originally built to make the work of exploit developers and testers easier, it was quickly adopted by attackers, who turn the same framework against production systems.


The Shikata Ga Nai (SGN) encoder has appeared in recent attacks by a number of cybercriminal groups, in particular APT20, UNC902, TA505 and APT41 (the group that allegedly compromised the maker of the TeamViewer utility).

“Despite the fact that Metasploit has existed for more than 15 years, there are still key techniques that go unnoticed and allow attackers to avoid detection. One of Metasploit’s main techniques is the Shikata Ga Nai payload encoding scheme. Modern detection systems have improved significantly over the past few years and can often detect outdated malware. Nevertheless, in many cases, if the criminal is confident in his actions, he can slightly modify the existing code and bypass detection systems,” the researchers write.

Payloads encoded with SGN remain dangerous because the encoder is a polymorphic XOR additive feedback encoder: every run produces encoded shellcode that differs from the previous one, even for the same input. The decoder stub that SGN emits in front of the encoded bytes is varied as well, using “dynamic instruction substitution, dynamic block ordering, random register interchange, randomized instruction ordering, junk-code insertion, a random key, and randomized spacing between instructions,” so neither the encoded payload nor the stub that unpacks it presents a stable byte pattern for a signature to match.

XOR is not an encryption algorithm in itself but a reversible bitwise operation: XORing a value with a key and then XORing the result with the same key returns the original value, so one routine serves for both encoding and decoding. That simplicity is also its limit. An XOR-encoded payload is not cryptographically protected; its value to an attacker is only that the bytes on disk no longer match what detection signatures were written against.
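To make the scheme concrete, here is a small Python model of an XOR additive-feedback encoder of the kind described above. It is an added illustration written for this article, not Metasploit's shikata_ga_nai code: it keeps the core idea (XOR each 4-byte word with a running key, then fold the plaintext word into the key, with a fresh random key per run) and leaves out the polymorphic decoder stub, junk instructions and register shuffling that give the real encoder its variability. The sample payload bytes, the NOP padding and the /bin/sh marker are constructed for the demonstration, and the plaintext-feedback key update is an assumption about the simplest form of such a scheme, not a statement about Metasploit's exact implementation.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
NOP = b"\x90"  # x86 NOP, used to pad the tail to a whole number of dwords

# Constructed stand-in for a payload; not real shellcode. It carries a
# cleartext marker that a static byte signature would match.
SAMPLE_PAYLOAD = b"\x31\xc0\x50\x68" + b"/bin/sh\x00" + b"\xcd\x80" * 3
SIGNATURE = b"/bin/sh"


def _pad(data: bytes) -> bytes:
    """Pad with NOPs so the block loop always sees whole 32-bit words."""
    return data + NOP * ((-len(data)) % 4)


def encode(payload: bytes, key: int) -> bytes:
    """XOR each little-endian dword with the running key, then add the
    plaintext dword into the key (additive feedback, an assumption of this
    model). A decoder loop of the shape `xor [ptr], key ; add key, [ptr]`
    undoes this in place, word by word."""
    key &= MASK32
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", _pad(payload)):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK32
    return bytes(out)


def decode(blob: bytes, key: int) -> bytes:
    """Inverse of encode(). XOR is its own inverse, so replaying the same
    key schedule over the encoded words yields the plaintext words."""
    if len(blob) % 4:
        raise ValueError("encoded blob must be a multiple of 4 bytes")
    key &= MASK32
    out = bytearray()
    for (enc,) in struct.iter_unpack("<I", blob):
        word = enc ^ key
        out += struct.pack("<I", word)
        key = (key + word) & MASK32
    return bytes(out)


def random_key() -> int:
    """Fresh 32-bit key for every encoding run."""
    return int.from_bytes(os.urandom(4), "little")


def demo(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Encode the same payload twice with different random keys and report
    what a byte-signature scanner would and would not see."""
    k1, k2 = random_key(), random_key()
    while k2 == k1:
        k2 = random_key()
    e1, e2 = encode(payload, k1), encode(payload, k2)
    return {
        "signature_in_plain": SIGNATURE in payload,
        "signature_in_encoded": SIGNATURE in e1 or SIGNATURE in e2,
        "encodings_differ": e1 != e2,
        # Trim the NOP padding before comparing with the original bytes.
        "roundtrip_ok": decode(e1, k1)[: len(payload)] == payload
        and decode(e2, k2)[: len(payload)] == payload,
        "wrong_key_garbles": decode(e1, k2)[: len(payload)] != payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the effect the article describes: the /bin/sh marker that a byte signature would match is present in the plaintext and absent from both encodings, the two encodings share no visible structure, and the payload is recovered only by replaying the key schedule. Any self-decoding payload must carry its key somewhere in the stub, which is why decoding in memory works as a detection strategy when a defender is willing to pay for it.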

According to the researchers, SGN keeps defeating endpoint protection that leans too heavily on static signatures and emulation-based detection. Decoding every suspect payload in memory to inspect the real code is too expensive to do at scale, which makes that approach impractical as a first line of defense. Behavioral indicators and sandboxes can catch the decoded payload once it runs, but FireEye notes that they too are prone to misses.