POC Malware - Part 2
by ogmini
I’ll be releasing my POC Malware called GaslitPad sometime next week. Please see my previous post for some background. I’ll lead off with a video demonstration - https://www.youtube.com/watch?v=z-5MxRxgBxI. GaslitPad makes no attempts at obfuscation as it is purely a proof of concept.
It is relatively easy to edit the state files for Windows Notepad, and by altering the “Content” sections we can change what is shown in Windows Notepad. Annoyingly, some changes that Microsoft has made over time to the behaviour of the state files have removed some avenues for attack. I hope to detail these changes more in a later post. We cannot alter the Unsaved Buffer Chunks because they are flushed upon closing Windows Notepad, so any manual changes to them won’t be reflected.
GaslitPad monitors the contents of the TabState folder for Windows Notepad, the presence of the notepad.exe process, and keeps track of the system idle time. When Windows Notepad is active and the system idle time is greater than the configured time, the program will close Windows Notepad. A scan will be performed for TabState files that match the conditions to attack. These conditions are:
- Target Filename Match
- TypeFlag of File Tab
- Has Content
- Unsaved State
If these conditions are met, the program will search for a Regex pattern match and replace that match with its own text. The changes will be saved to the original TabState file and Windows Notepad will be reopened.
This attack can also be inverted so that it only alters TabState files when Windows Notepad is NOT active and there is a TabState file with unsaved changes. The attack would be the same, but the program would not reopen Windows Notepad and would instead rely on the user reopening and saving at a later time.
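As an added defender-side example (not GaslitPad code or anything from the original post): detection logic run over a constructed, Sysmon-style event timeline that flags TabState writes by any process other than notepad.exe, and the close/modify/reopen sequence described above. The TabState folder path and the event schema are assumptions, and the tool name in the sample is hypothetical.

```python
from dataclasses import dataclass
# Path fragment of the Notepad TabState folder (assumed to be the usual
# %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState).
TABSTATE_DIR = "\\LocalState\\TabState\\"

@dataclass
class Event:               # minimal Sysmon-style event (constructed shape)
    t: float               # seconds since epoch
    kind: str              # "proc_start", "proc_end" or "file_write"
    image: str             # process image that generated the event
    path: str = ""         # target file for file_write events

def is_tabstate(path: str) -> bool:
    return TABSTATE_DIR.lower() in path.lower()

def find_tampering(events, reopen_window: float = 30.0):
    """Return (reason, time) alerts: (1) any image other than notepad.exe
    writes a TabState file; (2) notepad.exe exits, a foreign write follows,
    and notepad.exe starts again within reopen_window seconds."""
    alerts = []
    notepad_running = False
    last_end = None        # time notepad.exe last exited
    pending_write = None   # foreign TabState write seen after that exit
    for e in sorted(events, key=lambda e: e.t):
        if e.image.lower() == "notepad.exe":
            if e.kind == "proc_start":
                notepad_running = True
                if pending_write is not None and e.t - pending_write <= reopen_window:
                    alerts.append(("tabstate_write_between_notepad_close_and_reopen", pending_write))
                pending_write = None
            elif e.kind == "proc_end":
                notepad_running, last_end = False, e.t
            continue  # Notepad's own TabState writes are expected
        if e.kind == "file_write" and is_tabstate(e.path):
            alerts.append((f"tabstate_write_by_{e.image.lower()}", e.t))
            if not notepad_running and last_end is not None and e.t - last_end <= reopen_window:
                pending_write = e.t
    return alerts

# Constructed sample timeline: a tab is edited, Notepad is closed while the
# user is idle, another process rewrites the TabState file, Notepad reopens.
TAB = (r"C:\Users\admin\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe"
       r"\LocalState\TabState\a1b2c3d4.bin")
SAMPLE = [
    Event(100.0, "proc_start", "notepad.exe"),
    Event(160.0, "file_write", "notepad.exe", TAB),   # benign autosave
    Event(700.0, "proc_end", "notepad.exe"),
    Event(701.0, "file_write", "updater.exe", TAB),   # hypothetical tool name
    Event(703.0, "proc_start", "notepad.exe"),
]
```

The inverted variant (a write while Notepad is not running and no reopen follows) still trips the first alert, since the only process expected to write TabState files is Notepad itself.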
Attack Vector or What use is this?!
An attacker has done their reconnaissance and knows that Windows Notepad is used by your system administrators to make updates to configuration files. They’ve observed regular changes to a configuration file located on a network mapped drive on a server they don’t have access to. By changing some information in this configuration file they would be able to gain access to more services. One of the system administrator’s computers has already been compromised and they are able to install GaslitPad. They configure the attack payload and wait for the next regular change to occur…
Future Plans
- More robust attack options.
- Multiple Regex patterns and replacements
- Multiple filenames
- Inverted version of this attack. The attack only occurs when Windows Notepad is closed.
- Steal data typed into Windows Notepad. Similar to a keylogger, but it would log what was typed into Windows Notepad.