AMSI Bypasses – Still a Lucrative Target for Attackers
As security improves across services and products, malware developers devise cleverer and more discreet ways to bypass security checks, whether by defeating the scanners or by avoiding being scanned entirely.
Researchers at Sophos have provided a list of tools and methods that help threat actors evade Microsoft’s Antimalware Scan Interface (AMSI).
AMSI was introduced in 2015 as an integration layer between software and security products, aimed at providing better protection to end users.
Third-party Windows developers also benefit from AMSI in their applications, which can submit content passed to them for scanning in case it could be employed for malicious purposes. This, along with a host of other reasons, makes AMSI a very lucrative target for malware developers.
Ever since the introduction of AMSI, attackers and researchers alike have been heavily involved in finding ways to evade detection or disable AMSI, even as Microsoft and security software providers take steps to render these efforts useless.
One of the earliest AMSI evasions appeared in 2016, when hacker Matt Graeber tweeted a one-line AMSI bypass written in PowerShell. As the report puts it, the “code flips the flag on an attribute for PowerShell’s AMSI integration—amsiInitFailed—to “true”, which then causes the current PowerShell process to stop requesting scans. With that achieved, a malicious PowerShell script can (in theory) execute whatever badness it is intended to without triggering a scan by antimalware software.”
Even though this exact bypass has since been blocked, variations of it persist: they account for 1 percent of detections in 90 days of telemetry data (February to May 2021).
Since most of the detections involve IP addresses delivering the packages from the local network, most of them appear to be post-exploitation activity and lateral movement. In one example, a PowerShell backdoor was retrieved from a secure web server in the network’s private IP address space.
The same bypass was recently used as part of a ProxyLogon-based attack, connecting to a remote server to obtain a malware downloader.
Another variant of the same attack makes use of a technique called reflection “to invoke the same commands through the .NET framework from PowerShell.” In one detected intrusion, the researchers observed an actor using an exploitation tool called Seatbelt, which assisted in bypassing AMSI. According to the researchers, over 98 percent of the bypass attempts seen in the telemetry data manipulate the code of the AMSI library. One popular practice is to make scan requests fail by locating the AmsiScanBuffer function in memory and overwriting the instructions at that address with new ones that make the call return an error instead of a scan result. Other methods include a memory-patch technique integrated into Cobalt Strike as an option called amsi_disable.
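The amsiInitFailed flag flip, the reflection variant and the AmsiScanBuffer memory patch described above all leave recognizable strings in PowerShell script block logs (Event ID 4104) when the tampering is done from a script. The detector below is an added example written for this article, not code from the Sophos report: the log entries are constructed fixtures, and the indicator list and the normalization step (stripping quotes and + concatenation so that a string-split variant of the same indicator is still matched) are this example’s own design choices.

```python
import re

# Constructed sample script block log entries (Event ID 4104 style text).
# These are made-up fixtures for the detector below, not real captured events.
SAMPLE_SCRIPT_BLOCKS = [
    # benign administrative script
    "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv",
    # direct reference to the PowerShell AMSI integration's init-failed attribute
    "$f = [Ref].Assembly.GetType('...AmsiUtils').GetField('amsiInitFailed', ...)",
    # same indicator, assembled from string fragments so a naive substring match misses it
    "$n = 'Ams' + 'iUt' + 'ils'; $g = 'amsiI' + 'nitFa' + 'iled'",
    # reference to the scan export that the memory-patch technique overwrites
    "$p = [Kernel32]::GetProcAddress($h, 'AmsiScanBuffer')",
    # harmless mention of AMSI that should not trip the indicator list
    "Write-Host 'Checking AMSI provider health'",
]

# Indicator substrings (lower-cased) mapped to a human-readable description.
INDICATORS = {
    "amsiinitfailed": "AmsiUtils.amsiInitFailed flag manipulation",
    "amsiutils": "reflection against PowerShell's AMSI integration class",
    "amsiscanbuffer": "reference to the AmsiScanBuffer export (memory patch)",
}


def normalize(script: str) -> str:
    """Undo the simplest string-splitting: drop quotes/backticks, join '+' pieces, lower-case."""
    s = re.sub(r"""['"`]""", "", script)
    s = re.sub(r"\s*\+\s*", "", s)
    return s.lower()


def scan_script_block(script: str) -> list[str]:
    """Return the descriptions of every indicator present in one script block."""
    text = normalize(script)
    return [desc for token, desc in INDICATORS.items() if token in text]


def scan_log(entries: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, hits) for every entry that matched at least one indicator."""
    return [(i, hits) for i, entry in enumerate(entries) if (hits := scan_script_block(entry))]


if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_SCRIPT_BLOCKS):
        print(f"entry {index}: {', '.join(hits)}")
```

Substring matching of this kind is a triage aid, not a complete detection: it catches the script-based variants that appear in script block logs, while the Cobalt Strike amsi_disable option patches memory from a compiled implant and never produces a 4104 event, so it has to be caught by endpoint telemetry on the process instead.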
The researchers also came across a cryptojacking worm called WannaMine on a customer’s systems; its execution was blocked immediately, preventing it from spreading to protected systems and installing its cryptominer. WannaMine’s attempts to spread “peaked at over 300 a day for each system that provided AMSI telemetry.”
In 2016, Cornelis de Plaa also discovered a method to bypass AMSI by loading a fake DLL that renders AMSI scan attempts useless. Though this tactic still exists, it is now far more difficult, since mitigations have been put in place against it.
Other approaches include downgrading the script engine to a version that predates AMSI, or loading an unsupported engine altogether.
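The engine-downgrade approach is visible in the Windows PowerShell event log rather than in script content: each engine start is recorded as an engine lifecycle event (Event ID 400) whose details carry both HostVersion and EngineVersion, and AMSI integration arrived with the version 5 engine, so a host that reports an Available engine with a lower major version is running scripts outside AMSI’s reach. The following check is an added example, not code from the Sophos report; the event strings are constructed fixtures that follow the real event’s field names, and the version threshold constant is this example’s assumption.

```python
import re

# Constructed sample entries modelled on Windows PowerShell log Event ID 400
# ("Engine state is changed from None to Available"). Fixture data, not real events.
SAMPLE_ENGINE_EVENTS = [
    # normal PowerShell 5.1 session: host and engine versions agree
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1",
    # downgrade: a 5.1 host has started the 2.0 engine, which has no AMSI integration
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=2.0",
    # remoting host with an unusual host version but a current engine: not a downgrade
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None HostName=ServerRemoteHost HostVersion=1.0.0.0 EngineVersion=5.1.19041.1",
]

# Assumption for this example: AMSI scanning requires the version 5 engine or later.
AMSI_MIN_ENGINE_MAJOR = 5

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_details(event: str) -> dict[str, str]:
    """Extract the Key=Value pairs from the event's Details section."""
    return dict(FIELD_RE.findall(event))


def major(version: str) -> int:
    """Major component of a dotted version string; -1 when the field is empty or malformed."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return -1


def is_engine_downgrade(event: str) -> bool:
    """True when an engine became Available with a major version below the AMSI threshold."""
    details = parse_details(event)
    if details.get("NewEngineState") != "Available":
        return False
    engine_major = major(details.get("EngineVersion", ""))
    return 0 <= engine_major < AMSI_MIN_ENGINE_MAJOR


def find_downgrades(events: list[str]) -> list[int]:
    """Indices of the events that indicate a pre-AMSI engine start."""
    return [i for i, event in enumerate(events) if is_engine_downgrade(event)]


if __name__ == "__main__":
    for index in find_downgrades(SAMPLE_ENGINE_EVENTS):
        d = parse_details(SAMPLE_ENGINE_EVENTS[index])
        print(f"event {index}: engine {d['EngineVersion']} under host {d['HostVersion']}")
```

The check keys on EngineVersion alone rather than on a mismatch with HostVersion, because custom and remoting hosts legitimately report host versions unrelated to the engine; a malformed or missing EngineVersion is deliberately not flagged so that parsing noise does not turn into alerts.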
“While AMSI will detect anything leveraging the .NET framework, some malicious actors have brought along their own scripting host (such as a NodeJS engine), or have used compiled executables built from other scripting languages (such as Python),” said the researchers.
AMSI plays a crucial role in protecting Windows 10 and Windows Server systems, and for this very reason attackers continuously look for ways to bypass its detections. Inconsistent patching and other weak defensive practices can leave systems vulnerable to standard, less advanced attacks.