Full Report
By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the client’s […] The post The Curious Case of the Comburglar appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Incident Report: Stealthy COM Handler Persistence (UKC-1230)
## Executive Summary
During a Breach Assessment engagement, BHIS uncovered a highly stealthy and persistent intrusion technique attributed to threat actor UKC-1230. The attacker maintained Command-and-Control (C2) persistence for at least seven months by modifying Windows Scheduled Tasks to leverage a malicious `ComHandler` executing custom surrogate DLLs via the `dllhost.exe` process. The investigation was triggered by a month-old SOC alert on a file hash.
## Incident Details
- Discovery Date: Approximately March 5, 2025 (Inferred from alert date relative to engagement)
- Incident Date: Activity dating as early as January 31, 2024 (First sighting of malicious DLL artifacts)
- Affected Organization: Client undergoing a Breach Assessment (Specific organization not disclosed)
- Sector: Undisclosed
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: At least January 31, 2024 (Earliest known artifact compilation date)
- Vector: Initial access mechanism unknown.
- Details: The primary persistence mechanism involved loading custom DLLs via COM objects.
### Lateral Movement
- Details: The environment scanning using a YARA rule uncovered several additional compromised hosts, indicating established lateral reach within the network utilizing this persistence method.
### Data Exfiltration/Impact
- Details: The nature or scope of data exfiltration is not explicitly detailed, but the persistence mechanism confirms sustained C2 access.
### Detection & Response
- Date/Time: Approximately February 2025 (Incident that generated the alert occurred one month prior to the BHIS engagement).
- Vector: Detection originated from a file hash alert firing in the customer’s Security Operations Center (SOC).
- Details: BHIS performed triage collection, pivoting on the GUID found in the malicious DLL filename to uncover the corresponding modified Scheduled Task (`User_Feed_Synchronization-{GUID}`).
## Attack Methodology
| Phase | Method/Technique |
| :--- | :--- |
| **Initial Access** | Unknown |
| **Persistence** | Modification of Scheduled Tasks, specifically targeting tasks named `User_Feed_Synchronization-{GUID}`, to use a malicious `ComHandler` pointing to a custom DLL. |
| **Privilege Escalation** | Not explicitly detailed, but persistence required the ability to modify system-level Scheduled Tasks. |
| **Defense Evasion** | Utilizing a legitimate, albeit rarely modified, Scheduled Task type (`User_Feed_Synchronization`) and leveraging the legitimate Windows process `dllhost.exe` (COM Surrogate) to execute malicious code. |
| **Credential Access** | Not detailed. |
| **Discovery** | BHIS used the GUID to query the Registry path `HKCR\CLSID\{GUID}\InprocServer32` to locate the associated DLL path. |
| **Lateral Movement** | Identified via scanning multiple hosts using a YARA rule, indicating successful propagation of this persistence method across the environment. |
| **Collection** | Not detailed. |
| **Exfiltration** | Not detailed. |
| **Impact** | Sustained, stealthy Command-and-Control (C2) maintained for at least seven months. |
## Impact Assessment
- Financial: Not available.
- Data Breach: Type and volume of data compromised are not disclosed in the summary.
- Operational: Sustained, long-term compromise (at least 7 months).
- Reputational: Related to the successful Breach Assessment engagement.
## Indicators of Compromise
- **Network Indicators:** None explicitly listed (defanged).
- **File Indicators:**
- SHA256 Hash (alert trigger): `407d179f920342312dd526abc8a194b2620d0b19a95032dd36eeb70ec3bf5d65`
- File Path: `C:\ProgramData\Microsoft\Windows\{0759c13d-5d0f-4513-8707-98a6cc3536d5}.dll`
- **Behavioral Indicators:**
- The Scheduled Task `User_Feed_Synchronization-{GUID}` using the `ComHandler` setting (usually referencing `msfeedsync.exe`).
- Execution of unregistered DLLs via the `COM Surrogate` process (`dllhost.exe`) initiated by a modified scheduled task.
## Response Actions
- **Containment measures:** BHIS conducted a Breach Assessment, implying activities focused on identification and scoping. Specific containment actions are not listed but likely involved isolating affected hosts identified via YARA scanning.
- **Eradication steps:** Not detailed, but would involve removing the modified scheduled tasks and malicious DLLs across all affected systems.
- **Recovery actions:** Not detailed.
## Lessons Learned
- **Key Takeaways:** Threat actors are leveraging legacy components like COM objects and fileless persistence techniques within standard Windows scheduled tasks (`User_Feed_Synchronization`) for extremely long-term persistence (at least seven months, possibly over a year).
- **What could have been done better:** The initial detection was based on a month-old hash alert, suggesting potential gaps in real-time monitoring or escalation procedures for historical alerts.
## Recommendations
- Implement stricter monitoring and alerting on modifications to registry keys related to COM object handlers (`HKCR\CLSID\{GUID}\InprocServer32`).
- Baseline established configurations for common, less frequently modified scheduled tasks (like `User_Feed_Synchronization`) to detect abnormal `ComHandler` usage that does not point to legitimate executables like `msfeedsync.exe`.
- Enhance threat hunting capabilities specifically targeting the invocation of DLLs by `dllhost.exe` outside of expected Windows service execution contexts.