When it comes to generating and delivering malware on Linux, offensive operators have choices. Some objectives call for a dynamic payload bootstrapped off the wire; others require stageless implants.
Malware deployed with bundled payloads can often be detected and analyzed. However, we think there are opportunities to improve the process of embedding payloads in standalone implants that can raise their survivability.
This talk will address developments in static payload embedding and loading. We will revisit how ELF binaries are constructed and focus on how ELF sections can be used to host, retrieve and load a payload.
We will introduce the concept of ELF section docking, whereby a section containing the payload is attached independently to a payload-agnostic loader. We will further expand the concept to address in-field (re-)attachment of sections to loaders without the use of compilers, which may be very useful for long-haul offensive operations.
Furthermore, we will show how ELF docking can be used as an alternative to executable packing when addressing complex payloads, giving teams options and flexibility across multiple payload delivery scenarios.
We will touch on detection opportunities and the evasion features implemented in proof-of-concept loader and injector tooling, which will be released during the talk.
We feel that ELF section docking can help solve some of the payload bundling challenges for offensive operators, and also give hunters ideas for detecting and responding to this technique.
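As a starting point for the hunting side the abstract mentions, here is an added example (not the talk's tooling) that walks the section header table of an ELF64 file and reports sections whose names are not part of the usual toolchain output and whose contents look like a packed or encrypted blob. The expected-name list, size and entropy thresholds, and the constructed sample ELF with a `.payload` section are assumptions for illustration.

```python
"""Hunting check for payload-carrying ELF sections (added example, not the talk's tooling)."""
import math
import struct
from collections import Counter

# Section names the toolchain normally emits (assumed list); anything else is worth a look.
EXPECTED = {"", ".text", ".data", ".bss", ".rodata", ".shstrtab", ".symtab", ".strtab",
            ".interp", ".dynamic", ".dynsym", ".dynstr", ".comment", ".note.gnu.build-id",
            ".eh_frame", ".init", ".fini", ".plt", ".got", ".got.plt", ".rela.plt", ".rela.dyn",
            ".init_array", ".fini_array", ".gnu.hash", ".gnu.version", ".gnu.version_r", ".hash"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted blobs sit close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def suspicious_sections(elf: bytes, min_size: int = 64, min_entropy: float = 7.0):
    """Return (name, size, entropy) for sections with unexpected names and payload-like bytes."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    shoff, = struct.unpack_from("<Q", elf, 0x28)                 # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    headers = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off, strtab_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = elf[strtab_off:strtab_off + strtab_size]
    hits = []
    for name_off, sh_type, _flags, _addr, off, size, *_ in headers:
        name = strtab[name_off:strtab.index(b"\x00", name_off)].decode()
        body = elf[off:off + size] if sh_type != 8 else b""      # SHT_NOBITS has no file bytes
        ent = entropy(body)
        if name not in EXPECTED and size >= min_size and ent >= min_entropy:
            hits.append((name, size, round(ent, 2)))
    return hits

def build_sample_elf() -> bytes:
    """Constructed ELF64 with a benign .text and a docked high-entropy '.payload' section."""
    names = b"\x00.text\x00.payload\x00.shstrtab\x00"
    text = b"\x90" * 32                                          # low-entropy NOP sled
    blob = bytes(range(256)) * 4                                 # every byte value: max entropy
    # Layout: ELF header (64) | names | text | blob | section header table
    off_names, off_text = 64, 64 + len(names)
    off_blob = off_text + len(text)
    shoff = off_blob + len(blob)
    sh = lambda n, t, o, s: struct.pack("<IIQQQQIIQQ", n, t, 0, 0, o, s, 0, 0, 1, 0)
    shdrs = (sh(0, 0, 0, 0) + sh(1, 1, off_text, len(text))
             + sh(7, 1, off_blob, len(blob)) + sh(16, 3, off_names, len(names)))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 4, 3)
    return ehdr + names + text + blob + shdrs
```

Running `suspicious_sections(build_sample_elf())` flags only the docked `.payload` section; on real samples, tune `EXPECTED` to your build environment, since legitimate custom sections will also trip the name check.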