Hello 1994: Abusing Windows Explorer via Component Object Model in 2023
06-09, 11:30–12:00 (America/New_York), Grand Salon

PlugX, a fully-featured remote access tool with a Chinese nexus, has been active in the wild for over a decade. However, a new variant was recently discovered to be using older, lesser-known Windows APIs via Component Object Model (COM) for staging and concealment - never-before-seen techniques. Leveraging an undesirable behavior in Windows Explorer, the malware uses COM to create folders that the Operating System cannot render or natively access, evading security scans that rely on the underlying Windows APIs. Additionally, this sucker is wormable, spreading across networks via USB air-gap jumping.

Despite rapidly changing and improving security practices, old technology is still an effective means for malicious cyber activity. This presentation will describe how the threat actors used COM to instantiate Windows APIs and abuse Windows Explorer to remain undetected on their victim's machines. It will explain how and why COM is so often overlooked by security researchers and suggest further areas of research on the topic.

See also:

Mr. Harbison has been a part of the security community for over 20 years. He has experience in both the public and private sectors, working in cyber threat intelligence and serving as a subject matter expert to multiple US federal agencies. He holds several technical certifications, is a certified forensic examiner, and has a Bachelor of Science degree in Computer Forensics.

Since age twelve, Mr. Harbison has been studying code and continues that today as a Distinguished Engineer for Palo Alto Networks' Unit 42. He strives to understand his work at the deepest level, and has a strong desire to bring awareness to the growing threats in cyberspace and to educate the public on ways to improve security practices.