Covert Channel Chronicles: Astaroth’s ADS Forking Techniques

*Note: This article was originally published by the author on April 6, 2020.*

Microsoft graphic of Astaroth malware

“A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. A covert channel can be used to extract information from or implant information into an organization. An Internet covert channel is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility.” ~Piscitello, 2016 (ICANN)

Covert channels are, at face value, as simple as they sound: a means of communicating secretly. There are many different types of covert channels, relying on a range of technologies. Covert channels have been a research interest of mine for several years. I credit them with luring me into computer hacking and eventually my deeply personal decision to become an information security professional, a profession I’ve been tinkering at for the last two and a half decades. Understanding how these fringe uses of technology can be abused to perform malicious functions is incredibly fascinating to me. When most people look at a USB stick, they see only what it is marketed as: a file storage device. I look at the same USB stick and see a potentially destructive weapon capable of wreaking havoc on an entire network.

Some quick examples: a custom-crafted series of data packets sent to a particular application port at specific time intervals, each too small and too widely dispersed to be detected by a firewall or Intrusion Detection System (IDS), yet reassembled on the target system. Or a malware beaconing system used to communicate with a Command and Control (C2) server for further instructions. Or a system administrator who left the Internet Control Message Protocol (ICMP) enabled so that other network devices could be pinged using ICMP ECHO requests and replies, traffic the firewall likely would not catch if abused. The Domain Name System (DNS) protocol can also be abused for covert channel communication. As you can see, covert channels take many forms and techniques. The more sophisticated they are, however, the harder they are to discover, and the more those who developed the hidden technique stand to lose if it is exposed, which is why they want it to remain secret for as long as possible.

Covert channels, also called side-channel attacks, are not a new concept. They have actually been around for thousands of years. The ancient Greeks used a primitive form of steganography: a message was tattooed on a messenger’s scalp and concealed beneath his regrown hair, where it was not visible to the naked eye (Warkentin, Schmidt, & Bekkering, 2008, p. 17). Imagine having a message tattooed on your scalp for the rest of your life! Now, with digital communication technology, there are many more methods of communicating secretly using computers and Internet protocols, including digital steganography. In this article, however, I am going to focus on Alternate Data Streams (ADS), or forking.

Understanding and recognizing covert channels is something you should be at least somewhat familiar with, because covert channels can affect you and the organization you work for very negatively. A malicious insider could bypass security controls such as a firewall or Data Loss Prevention (DLP) software by using a covert channel such as ADS to exfiltrate sensitive documents out of the organization. It helps to think of ADS as a sort of dual-purpose utility built into the Windows NT File System (NTFS) code. ADS is a well-known covert channel; it has been written about extensively since it was first created in 1993. Therefore, I will not spend time explaining exactly how it works here beyond a broad overview. I merely want to bring awareness to some of the different types of covert channels and how they are being exploited in the wild.

Malicious ADS Within the Windows NTFS

Example of how an ADS file would not be visible without the proper command

The Windows NT File System, known as NTFS and sometimes expanded as the New Technology File System, is found in all modern Windows operating systems (OS), including Windows 10 and Windows Server 2019. It is the primary file system type within the Windows OS environment. NTFS allows for increased security controls such as Access Control Lists (ACL) and BitLocker drive encryption, and allegedly supports volume sizes up to 256 TB (Microsoft, 2019). NTFS is able to support files stored in other formats, and that is one of the reasons it came to be developed: NTFS was designed to be compatible with Apple’s Macintosh HFS file system, which was capable of forking data into files. Malicious abuse of ADS has changed a lot over time, so if we look at present-day applications of sophisticated malware such as Astaroth, we get a clearer picture of how this covert channel attack vector can be very problematic for security defenders.

Latest Astaroth living-off-the-land attacks are even more invisible but not less observable; credit: H. Suri

If we look at a recent malware sample such as Astaroth, the malware has been found to use ADS in a desktop.ini file without changing the file size (Suri, 2020). The targeted system needs to be running Windows and using NTFS for the ADS technique to work. Information forked out using ADS is hidden even though it is stored in plain text, though it could easily be encrypted before transmission to further obfuscate it. Interestingly, if you were thinking that auditing should pick up this type of activity, you might be disappointed to learn that Windows Event logging’s object tracking (Event ID 560) does not show hidden streams, only the host file being accessed, not the hidden stream. There are now various third-party software utilities and security products capable of identifying hidden streams, but it wasn’t always this way, and malware payloads often use ADS for concealment.
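As an added example (not code from this article, nor from the Microsoft write-up it cites), the PowerShell script below is the check a defender would run against the behaviour just described: it walks a directory tree, lists every NTFS stream on each file other than the default `:$DATA` stream, reports the host file’s visible size beside the hidden stream’s size, and flags desktop.ini hosts. The self-check at the bottom builds a constructed sample in a temporary folder to show that the visible file length does not change when a named stream is added. The function name `Find-AlternateDataStreams` and the stream name `sample` are my own choices, not anything from the page.

```powershell
# Added example (not from the original article): scan a directory tree for NTFS
# alternate data streams and report anything beyond the default ':$DATA' stream.
# Requires Windows, an NTFS volume, and PowerShell 3.0+ (for -Stream and -File).

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path   # directory to scan recursively
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hostFile = $_
            # 'Get-Item -Stream *' enumerates every stream on the file. The
            # unnamed default data stream is reported as ':$DATA'; everything
            # else is an alternate stream that Explorer and 'dir' do not show.
            Get-Item -LiteralPath $hostFile.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $hostFile.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        # Size as Explorer reports it: the default stream only,
                        # so a hidden stream never changes this number.
                        VisibleBytes = $hostFile.Length
                        # Zone.Identifier is the Mark-of-the-Web stream that
                        # browsers add to downloads; expected on most machines.
                        KnownBenign  = ($_.Stream -eq 'Zone.Identifier')
                        # desktop.ini is the host file Astaroth was reported to
                        # use, so call it out explicitly for triage.
                        DesktopIni   = ($hostFile.Name -ieq 'desktop.ini')
                    }
                }
        }
}

# --- Self-check on a constructed sample (temporary folder, removed afterwards) ---
$lab = Join-Path $env:TEMP ('ads-lab-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $lab | Out-Null
try {
    $sample = Join-Path $lab 'desktop.ini'
    Set-Content -LiteralPath $sample -Value '[.ShellClassInfo]'     # ordinary content
    $before = (Get-Item -LiteralPath $sample).Length
    # Constructed test data written to a named stream; this is what the scanner
    # must surface even though the file's visible size stays the same.
    Set-Content -LiteralPath $sample -Stream 'sample' -Value 'constructed test payload'
    $after = (Get-Item -LiteralPath $sample).Length
    "Visible size before: $before bytes, after adding a stream: $after bytes"
    Find-AlternateDataStreams -Path $lab | Format-Table -AutoSize
}
finally {
    Remove-Item -LiteralPath $lab -Recurse -Force
}
```

Run it over a real location as `Find-AlternateDataStreams -Path 'C:\Users' | Where-Object { -not $_.KnownBenign }` to drop the Mark-of-the-Web streams that every download carries; the same enumeration is available from cmd.exe as `dir /r`. This is an after-the-fact scan, which is a different thing from the Event ID 560 gap described above: for creation-time visibility, Sysmon’s Event ID 15 (FileCreateStreamHash) records the creation of named streams along with a hash of their content.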

Astaroth is listed in the MITRE ATT&CK malware database as a Trojan and information stealer that has typically targeted companies in Brazil and Europe (MITRE, 2020). Astaroth uses multiple techniques to compromise systems, many of which obfuscate its true intentions, much like the malware’s namesake (see the historical explanation below). Astaroth uses ADS to sneak malicious payloads onto your system while bypassing the browser altogether, and without the system even recognizing that it is downloading a file: it copies downloaded payloads into a hidden ADS on a file titled desktop.ini and then deletes the original content. Astaroth, in its brilliant sophistication, then uses several Living-off-the-Land (LOTL) persistence techniques, relying on native Windows tools such as BITSAdmin, NirSoft MailPassView, ExtExport.exe, WMIC, and PowerShell. You can expect to see Astaroth exploit the present COVID-19 pandemic via malicious emails, the malware’s primary method of initial compromise.

MITRE ATT&CK malware database Indicators of Compromise (IOC) for the Astaroth malware; credit

Why was this malware named after a demon? An interesting aside regarding the namesake “Astaroth”: if you’re a deeply religious Christian or a superstitious person in general, then you might have heard the name before. You’re familiar with the premise of fallen angels who became demons. Astaroth is the name of a demon also known as the ‘Great Duke of Hell’ in both Christianity and Islam. A cunning deceiver with a penchant for trying to appear righteous, it is said to have breath so foul it can be lethal to humans. Astaroth is nonetheless considered a very powerful demon, purported to be part of the evil trinity of Beelzebub, Lucifer, and Astaroth (“Astaroth”, 2018). But I digress; enough of angels and demons. I just found it interesting that this Advanced Persistent Threat (APT) malware group was named after an actual chronicled demon. The BitPaymer ransomware is also known to have abused ADS (Leibovich, 2018).


Hopefully, I have given you some information to chew on regarding covert or “side” channels to spur further interest. The information presented here only begins to scratch the surface of covert channels; there is so much more to this topic of study that I hope to write about more in the future. For those interested in learning more, check out the references to go deeper down the rabbit hole. I should also note that Microsoft has taken steps within Windows 10 to eliminate the malicious ADS threat vector. However, these controls are easily bypassed by skilled attackers because the flaw is actually inherent to the way NTFS works.

References:

“Astaroth”. (2018, August 5). Retrieved from https://mythology.net/demons/astaroth/

Leibovich, T. (2018, June 12). The Abuse of Alternate Data Stream Hasn’t Disappeared. Retrieved from https://www.deepinstinct.com/2018/06/12/the-abuse-of-alternate-data-stream-hasnt-disappeared/

MITRE. (2020). Astaroth. Retrieved from https://attack.mitre.org/software/S0373/

Microsoft. (2019, June 17). NTFS overview. Retrieved from https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview

Piscitello, D. (2016, August 29). What Is an Internet Covert Channel? The Internet Corporation for Assigned Names and Numbers. Retrieved from https://www.icann.org/news/blog/what-is-an-internet-covert-channel

Suri, H. (2020, March 23). Latest Astaroth living-off-the-land attacks are even more invisible but not less observable. Microsoft Defender ATP Research Team. Retrieved from https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/

Warkentin, M., Schmidt, M., & Bekkering, E. (2008). Steganography: Forensic, security, and legal issues. Journal of Digital Forensics, Security and Law, 3(2), 17–34.

Ian Barwise

experienced privacy & security engineer **stepping away from blogging for an undetermined amount of time to focus elsewhere**