Chinese and Russian Attackers Hide In Plain Sight: The Windows MOF File

David Lavinder

Morphick’s Threat Intelligence Team identified a novel technique for maintaining persistence on a remote machine through the use of Windows MOF files. This is not well known – and more importantly – not detected.

If you want to read the full technical write-up, head over here.

A little history

The technique of using a MOF file for persistence dates back to roughly 2003, but it was not until 2012 that it began to pick up momentum in Chinese and Russian malware. It is yet another technique that abuses ordinary files and system processes to quietly give attackers a persistent foothold on your network.

What is it?

Web shells are common programs that act as a client (like a web browser) to request files from web servers. MOF (Managed Object Format) is a language used to interface with CIM (the Common Information Model). MOF files can be used by legitimate services as a method of running persistently on a host.

MOF files are a mechanism to run a script, execute a file, or interface with the host. When used as intended, they are a helpful tool for updates and maintenance.

How does it escape everyone else’s detection?

At their core, MOF files are simply text files that contain instructions. Generally, AV engines do not scan text files. This specific instance was found on a web server. Since most web servers sit outside the corporate network in a DMZ and also, increasingly, in the cloud, security teams do not tend to focus on them. The volume of traffic on a web server is also comparatively high, which makes in-depth investigation more difficult.

The attackers take advantage of this and hide in the noise. MOF and WMI are common, even recommended, on a typical web server. The file is generated by a PHP script which, again, depending on the configuration of the server, may not generate any alerts.

So really, it’s not just a needle in a haystack. It’s a needle that looks like a piece of hay.

What can it do?

Cyber attacks rely on being able to make that first entry into your network. The attacker has to find a way to sneak in.

Combining a web shell with the execution of a MOF file gives the attacker a poor man’s command prompt. This persistent foothold on your network is difficult to detect. They set themselves up as an administrator, which lets them move deeper into your network using a variety of protocols (such as RDP).
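The sections above describe what a MOF file does (it compiles into WMI and can run a script or execute a file), why AV does not flag it (it is plain text, usually sitting on a web server nobody is watching), and what the result looks like once compiled (a persistent command channel). The following PowerShell script is an added example written for this post; it is not code from Morphick or from its Defense Platform. It checks all three layers from the defender's side: the live permanent event subscriptions a compiled MOF leaves in `root\subscription`, any `.mof` files under the web root that declare an executing consumer, and the WMI autorecover list that would re-apply such a MOF after a repository rebuild. It assumes PowerShell 3.0 or later for the CIM cmdlets, an elevated session, and a placeholder document root in `$WebRoot` that you adjust for your own server.

```powershell
<#
Added example, not code from the Morphick post or its products.
Defender-side triage for MOF-based WMI persistence on a Windows web server.
Assumptions: PowerShell 3.0+ (CIM cmdlets), run elevated; $WebRoot is a
placeholder document root, adjust it for your server.
#>
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'   # assumption: your PHP/IIS document root
)

# Consumer classes that execute something when their filter fires. A MOF that
# declares one of these (plus a filter and a binding) is the persistence itself.
$ExecutingConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# 1. Live state: compiling a MOF with mofcomp leaves permanent subscriptions in
#    root\subscription even after the .mof file itself has been deleted.
$ns        = 'root\subscription'
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

foreach ($c in $consumers) {
    $cls = $c.CimClass.CimClassName
    if ($ExecutingConsumers -contains $cls) {
        [pscustomobject]@{
            Kind    = 'WmiConsumer'
            Name    = $c.Name
            Class   = $cls
            Payload = $(if ($cls -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate } else { $c.ScriptText })
        }
    }
}

# Each binding ties a filter (the trigger, e.g. a timer or process-start event)
# to a consumer; the two reference strings tell you which pair to look at.
foreach ($b in $bindings) {
    [pscustomobject]@{
        Kind     = 'WmiBinding'
        Filter   = [string]$b.Filter
        Consumer = [string]$b.Consumer
    }
}

# 2. On disk: a .mof under the web root that declares an executing consumer
#    has no business there. MOF is plain text, so a regex is enough to surface it.
$markers = 'CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding|#pragma\s+autorecover'
Get-ChildItem -Path $WebRoot -Recurse -Filter '*.mof' -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $markers -List |
    ForEach-Object {
        [pscustomobject]@{
            Kind  = 'MofFile'
            Path  = $_.Path
            Line  = $_.LineNumber
            Match = $_.Line.Trim()
        }
    }

# 3. Autorecover list: MOFs registered here are recompiled whenever the WMI
#    repository is rebuilt, so the subscription survives a repository reset.
#    Legitimate entries live under the Windows directory; anything else is odd.
$cimom = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Wbem\CIMOM' -ErrorAction SilentlyContinue
foreach ($mof in @($cimom.'Autorecover MOFs')) {
    if ($mof -and $mof -notmatch '^[A-Za-z]:\\Windows\\') {
        [pscustomobject]@{ Kind = 'AutorecoverMof'; Path = $mof }
    }
}
```

Run it as `.\Find-MofPersistence.ps1 -WebRoot 'D:\sites\www'` (script name and path are placeholders) and pipe the output to `Export-Csv` so the findings can be compared across servers. A clean web server normally returns no `WmiConsumer` or `MofFile` rows at all; legitimate management tooling that does use permanent subscriptions is easy to allow-list by consumer name once you have seen it once.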

Morphick goes above and beyond

Here at Morphick, we excel at discovering backdoors that are not detected by anti-virus and other security products. We watch and track malicious techniques (like MOF files) and the actors associated with them. While catching phishing emails and well-known malware will always be an important part of your defense, it’s not enough. Dedicated teams with experience dealing with advanced attacks are needed to catch the attacks and techniques the ‘off-the-shelf’ solutions are still missing.

Morphick’s expert team of analysts, empowered by our Morphick Defense Platform, protects our clients from attacks like the malicious MOF webshell.