Full Report
On red team engagements, I often use social engineering to get one of my client’s employees to run my malicious code on their machines, allowing me to get access to their system. A typical approach I’ve used is to call them up, tell them I’m from IT support, and then get them to go to an official looking web page that contains some PowerShell code they need to run, to fix some made-up problem.
Analysis Summary
# Tool/Technique: Browser Cache Smuggling (DLL Payload Caching and Retrieval)
## Overview
This describes a stealthy delivery technique used during red team engagements where an attacker tricks a target user into visiting a specially crafted website. This website forces the victim's browser (tested on Firefox and Chrome) to cache a malicious DLL payload while disguising it as a benign static resource (like an image) by manipulating HTTP response headers. Subsequently, the user is socially engineered into executing a seemingly innocent PowerShell one-liner that locates, extracts, and executes this cached DLL.
## Technical Details
- Type: Technique (Delivery Mechanism)
- Platform: Windows (Implied by use of PowerShell, rundll32, and standard Windows paths like `AppData\Local`). Target browsers are Firefox and Chrome.
- Capabilities: Stealthy malware delivery by leveraging legitimate, frequently used browser functions (caching). Circumvents standard defenses against direct malicious file downloads by having the execution environment pull the payload from a trusted local component (the cache).
- First Seen: Content published July 10, 2023.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.002 - Spearphishing Link (Implied via redirection to an "official looking web page")
- **TA0010 - Exfiltration** (Not directly, but used for persistence/execution which leads to this)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Hiding the true nature of the cached file)
## Functionality
### Core Capabilities
1. **Force Caching via HTTP Header Manipulation:** The server hosting the payload is configured (e.g., Nginx) to serve the DLL with an HTTP `Content-Type` header of `image/jpeg` (or similar static media type), overriding default mappings for DLL/EXE files. This convinces the browser to cache the binary as a static resource.
2. **Payload Delivery via Social Engineering:** The user visits a page designed to trigger the caching. The user is then convinced to run a PowerShell command to "fix" a problem.
3. **Payload Extraction (Chrome Specific):** For Chrome, the DLL is modified in-memory (or prior to serving) to include unique delimiters (e.g., `INDLL` and `OUTDLL`) so that a subsequent PowerShell script can reliably search the complex browser cache database files (`Cache_Data`) to locate and extract the raw binary data.
4. **Execution:**
   - **Firefox:** The extracted DLL is placed in a location for automatic execution or executed directly (method implied but less detailed than Chrome).
   - **Chrome:** The extracted DLL is executed using `rundll32.exe`.
### Advanced Features
- **Stealth:** Avoids the alerts normally raised by direct downloads of executables, or by scripts that download payloads themselves, because the file arrives through the browser's legitimate caching mechanism disguised as an image or other static resource.
- **DB Manipulation Insight:** Leverages deep knowledge of browser cache database structures (specifically Chrome's `Cache_Data`) to programmatically extract content without requiring file system modification prior to extraction.
## Indicators of Compromise
*Note: Specific hashes/C2 are not provided, but the method implies the following behavioral indicators.*
- File Hashes: N/A (Hash would depend on the specific payload generated via MSFVenom)
- File Names: `calc.dll` (Example payload), `hello.dll` (Extracted file name example for Chrome)
- Registry Keys: N/A
- Network Indicators: Access to the attacker-controlled web server URI hosting the HTML/payload resource.
- Behavioral Indicators:
  - Execution of PowerShell commands performing file system reads/writes within user profile directories, specifically targeting browser cache directories (`$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\`).
  - Use of `rundll32.exe` to load an extracted DLL from a non-standard, temporary, or user-writable location.
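The two behavioral indicators above can be correlated into a single detection. The following Python is an added example, not code from the original article or from this report: it walks constructed process-creation records (the shape of an EDR or Sysmon Event ID 1 feed, with the records themselves made up for the demonstration) and raises an alert when a PowerShell command line references a browser cache directory and, within a short window, the same user's `rundll32.exe` loads a DLL from a user-writable path. The Chrome cache path is the one named in this report; the Firefox `cache2\entries` layout, the 120-second window and the user-writable path list are assumptions.

```python
"""Correlate process-creation events for the PowerShell -> rundll32 pattern.

Constructed example: the event format (timestamp, user, image, command line)
mirrors what an EDR or Sysmon Event ID 1 feed provides, but the records below
are made up for the demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Browser cache locations. The Chrome path is the one named in the report;
# the Firefox cache2 path is an assumption about the default profile layout.
CACHE_DIR_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Cache\\Cache_Data", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cache2\\entries", re.I),
]

# DLL load locations that are user-writable and therefore unexpected for rundll32 (assumed list).
USER_WRITABLE_PATTERNS = [
    re.compile(r"\\AppData\\Local\\", re.I),
    re.compile(r"\\AppData\\Roaming\\", re.I),
    re.compile(r"\\Users\\Public\\", re.I),
    re.compile(r"\\Downloads\\", re.I),
]

# First Windows path ending in .dll on the rundll32 command line.
DLL_ARG = re.compile(r'(?P<path>[A-Za-z]:\\[^",]+?\.dll)', re.I)


@dataclass
class ProcEvent:
    ts: datetime
    user: str
    image: str      # full path of the created process
    cmdline: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def touches_browser_cache(cmdline: str) -> bool:
    """True when the command line names a known browser cache directory."""
    return any(p.search(cmdline) for p in CACHE_DIR_PATTERNS)


def suspicious_dll_path(cmdline: str) -> Optional[str]:
    """Return the DLL path if rundll32 is loading from a user-writable location, else None."""
    m = DLL_ARG.search(cmdline)
    if not m:
        return None
    path = m.group("path")
    return path if any(p.search(path) for p in USER_WRITABLE_PATTERNS) else None


def correlate(events: List[ProcEvent], window_seconds: int = 120) -> List[Dict]:
    """Alert on cache-touching PowerShell followed by a suspicious rundll32 for the same user."""
    window = timedelta(seconds=window_seconds)
    last_cache_ps: Dict[str, datetime] = {}   # user -> time of last cache-touching PowerShell
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = basename(ev.image)
        if name in ("powershell.exe", "pwsh.exe") and touches_browser_cache(ev.cmdline):
            last_cache_ps[ev.user] = ev.ts
        elif name == "rundll32.exe":
            dll = suspicious_dll_path(ev.cmdline)
            seen = last_cache_ps.get(ev.user)
            if dll and seen is not None and ev.ts - seen <= window:
                alerts.append({"user": ev.user, "powershell_at": seen,
                               "rundll32_at": ev.ts, "dll": dll})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
T = datetime(2023, 7, 10, 10, 0, 0)

# Constructed events: alice shows the full pattern; bob runs a legitimate rundll32
# with no preceding cache access; carol's PowerShell never touches a cache.
SAMPLE_EVENTS = [
    ProcEvent(T, "alice", PS,
              r"powershell -ep bypass -c Get-ChildItem $env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache\Cache_Data\ -File"),
    ProcEvent(T + timedelta(seconds=25), "alice", RUNDLL,
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\hello.dll,#1"),
    ProcEvent(T + timedelta(minutes=5), "bob", RUNDLL,
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(T + timedelta(minutes=9), "carol", PS, r"powershell -c Get-Date"),
    ProcEvent(T + timedelta(minutes=9, seconds=10), "carol", RUNDLL,
              r"rundll32.exe C:\Users\carol\Downloads\setup.dll,#1"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the `alice` pair fires: `bob` loads a system DLL, and `carol`'s rundll32 from `Downloads` has no preceding cache access, so the rule stays specific to the sequence described in this report rather than alerting on every rundll32 invocation.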
## Associated Threat Actors
- Red Team Operators (As mentioned explicitly in the article).
- Not explicitly mapped to known APT groups, but the technique is applicable to any actor that wants a stealthy, near-fileless initial execution path.
## Detection Methods
- Signature-based detection: Detection of the specific PowerShell regex intended to parse the Chrome cache file.
- Behavioral detection: Monitoring for processes (`powershell.exe`) accessing and parsing large database or binary files within the Chrome/Firefox cache directories, followed immediately by process injection or execution of known library loading functions (`rundll32`).
- YARA rules: Could be written to identify files in the browser cache that contain the specific delimiters like `INDLL` and `OUTDLL`.
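The YARA bullet describes a content check rather than a process check. The following Python is an added example, not code from the original article or from this report: it implements that check over raw cache files by looking for the `INDLL`/`OUTDLL` delimiters the article describes for Chrome, and additionally for an embedded PE header (an `MZ` whose `e_lfanew` points at a `PE\0\0` signature), which generalizes the idea to payloads that use different or no delimiters. The two cache entries it scans are constructed inline; the `scan_dir` helper and its size limit are assumptions about how one would point it at a real cache directory.

```python
"""Scan browser cache files for smuggled DLL payloads.

Constructed example. Two checks: the INDLL/OUTDLL delimiters the article
describes for Chrome, and a generic search for an embedded PE header, which
also catches payloads that use different or no delimiters.
"""
import os
import re
import struct
from typing import Dict, List

DELIM_START = b"INDLL"   # delimiters named in the article
DELIM_END = b"OUTDLL"


def find_pe_headers(data: bytes) -> List[int]:
    """Return offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    offsets = []
    for m in re.finditer(b"MZ", data):
        i = m.start()
        if i + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
        j = i + e_lfanew
        # The DOS header is 0x40 bytes, so e_lfanew below that (or absurdly
        # large) means this "MZ" is coincidental text, not a PE image.
        if 0x40 <= e_lfanew <= 0x1000 and data[j:j + 4] == b"PE\x00\x00":
            offsets.append(i)
    return offsets


def scan_bytes(data: bytes) -> Dict:
    """Apply both checks to one cache entry and summarise what was found."""
    start = data.find(DELIM_START)
    end = data.find(DELIM_END, start + len(DELIM_START)) if start >= 0 else -1
    delimited = start >= 0 and end > start
    pe_offsets = find_pe_headers(data)
    pe_in_blob = delimited and any(start < off < end for off in pe_offsets)
    return {
        "delimited_blob": delimited,
        "blob_length": (end - start - len(DELIM_START)) if delimited else 0,
        "pe_offsets": pe_offsets,
        "pe_inside_delimiters": pe_in_blob,
        "suspicious": delimited or bool(pe_offsets),
    }


def scan_dir(root: str, max_size: int = 64 * 1024 * 1024) -> List[Dict]:
    """Walk a cache directory (assumed helper) and return the suspicious entries."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
            except OSError:
                continue
            if result["suspicious"]:
                result["path"] = path
                findings.append(result)
    return findings


def fake_pe() -> bytes:
    """Minimal DOS stub + PE signature, enough to trip find_pe_headers (not a real DLL)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\x00\x00" + b"\x00" * 20


# Constructed cache entries: one JPEG-looking blob, one "image" carrying a delimited payload.
BENIGN_ENTRY = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 200
SMUGGLED_ENTRY = (b"\xff\xd8\xff\xe0" + b"\x00" * 32
                  + DELIM_START + fake_pe() + DELIM_END + b"\x00" * 16)

if __name__ == "__main__":
    import sys
    for label, entry in (("benign", BENIGN_ENTRY), ("smuggled", SMUGGLED_ENTRY)):
        print(label, scan_bytes(entry))
    if len(sys.argv) > 1:                      # optional: scan a real cache directory
        for finding in scan_dir(sys.argv[1]):
            print(finding["path"], finding)
```

The same two conditions translate directly into a YARA rule (a string pair for the delimiters and the `MZ`/`PE` check via `uint16(0) == 0x5A4D`-style offsets, or simply `pe` module matching), so the Python above doubles as a reference for what such a rule should assert.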
## Mitigation Strategies
- Prevention measures: Implement strict application control policies that prevent PowerShell scripts and `rundll32.exe` from loading code that resides in user temporary or browser cache directories.
- Hardening recommendations: Educate users about unsolicited requests for running code or visiting suspicious links, regardless of how "official" the page appears (Social Engineering awareness). Organizations should restrict or monitor the configuration of web servers they host to prevent Content-Type header manipulation on sensitive directories.
## Related Tools/Techniques
- Malicious content delivered via browser cache entries (general concept).
- Standard PowerShell execution used for initial payload staging (T1059.001).
- Fileless execution techniques (T1055 series, though this uses a file on disk – the cache – as the temporary staging medium).