Distributed malware concepts challenge the behavioral detection of AV and EDR solutions by diluting the temporal and spatial features of a malicious execution across multiple processes. Several notable families already adopt a modular design, with distinct features delegated to cooperating individual components. Recent research has pushed this idea further by splitting the code of a single component into chunks to be run by emulators injected into multiple processes. The shortcoming of these approaches, however, is the conspicuous features and primitives they rely on, which make them easy prey for state-of-the-art AV or EDR systems and may also conflict with OS mitigations for process hardening.
In this talk, we will present Rope, a new covert distributed execution technique. Rope builds on transactional NTFS as a non-inspectable covert channel for payload distribution and execution coordination, and on return-oriented programming to encode the desired actions. Our technique seeks to minimize IoCs on the machine: for instance, it does not need any RWX memory region. Return-oriented programming is central to achieving the desired properties of our design and brings advantages against code-based detections. For its implementation, we designed a stealthy, practical injection primitive that temporarily hijacks threads from possibly hardened processes and kicks off the distributed execution.
Every technique we use in Rope either complies with the mitigations currently available in Windows 10 or bypasses them in original ways that the talk will detail. Our Rope malware samples successfully evaded popular AV and EDR solutions.