Contributed by Edwin Doyle, Global Security Strategist, Check Point Software. 


As seen in the contrast between phishing and spear phishing, targeted cyber attacks are considerably more effective at compromising systems and data than more general attacks. Targeted attacks are starting to get much quite sophisticated.

Cyber criminals can discover a lot about your network from company websites, social media and, of course, by compromising individual systems on the network. Pervasive, dual-use tools, like PowerShell and WMI, allow attackers to learn more about the tools and services your company relies on without setting off the red flags. Armed with knowledge of these tools and the vulnerabilities present in each, they can construct payloads specifically designed to bring down not just any network, but your network.

How intruders use Payload Markers to execute an attack

 Payload Markers are placed using the § character, and function as follows:

  • Each pair of markers designates a single payload position.
  • A pair of markers may optionally enclose some text from the template request between them.
  • When a payload position is assigned a payload, both the markers and any enclosed text are replaced with the payload.
  • When a payload position does not have an assigned payload, the markers are removed but the enclosed text remains unchanged.
  • To make the configuration easier, the intruder automatically highlights each pair of payload markers and any enclosed text between them.

An intruder can place Payload Markers manually or automatically.

Known Payload Attacks in Real Systems

Cyber criminals are constantly looking for tricks that can be used to bypass antiviruses and protection mechanisms built into the OS. For example, since the beginning of last year, we have seen attempts to exploit the new vulnerability CVE-2020-0601 in Windows CryptoAPI for signing malware (the vulnerability allows to bypass the certificate verification mechanism).

Another example is malware for remote control of SysUpdate. This is a unique development of the Bronze Union APT group; which cyber criminals use to deliver other malware (payload) to devices under their control. As a rule, this payload is not detected by antiviruses, since the file has an undefined format and the antivirus cannot recognize it. Another example is the FakeChmMsi malware, with a complex Ghost trojan delivery chain, during which DLL hijacking is applied twice, hence complicating the analysis of malware by means of anti-virus protection. Sandboxes – solutions that allow you to run a file in an isolated virtual environment and analyze its behavior for malicious activity – help effectively counteract modern malware that can bypass antiviruses, firewalls, IPS, mail and web gateways.

In eight out of ten instances, malicious campaigns targeting organizations began with email attachments. For individuals, there is a high risk of infecting a computer not only through e-mail, but also as a result of visiting sites and downloading programs from questionable web resources. For example, in Q1, cybercriminals compromised a number of WordPress-based sites and redirected their visitors to phishing pages, where a backdoor was distributed under the guise of updating the Chrome browser. The payload has been downloaded over 2,000 times.

Dynamic Payloads

An attacker may hide a malicious payload as an executable apk/jar inside the APK resources. After installing the app, it opens the malware payload and loads DexClassLoader API (if the payload is a jar file) and executes dynamic code. The malware may persuade the user to install the embedded apk by pretending to be a significant update. BaseBridge and Anserverbot are two malware classes that use this technique. However, other classes of malware do not plant a malicious payload as a resource; instead, they download them from a remote server and bypass detection. DroidKungFuUpdate is a notorious example of dynamic payload malware. Usually, these techniques cannot be detected using static analysis methods. It is, therefore, advisable for the user to do a security check on the network logs to see what is going on in the background.

Fuzzing as a way of detecting payload attack vulnerabilities

Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application’s responses for error messages and other anomalies. Given the size and complexity of today’s applications, performing this testing manually is a time consuming and tedious process. You can automate web application fuzzing through penetration testing tools. The most effective way of ensuring that your company’s network is free from customized payload attacks is by frequently doing penetration testing using powerful tools to identify and confiscate any available vulnerabilities.

For more information about payload attacks, continue reading Cyber Talk.