Quick Heal researchers examine how malware bypasses User Account Control (UAC) to gain admin privileges, enabling ransomware to encrypt system files. The piece details three CMSTP-based UAC bypass methods (malicious INF files, CLSIDs, and runtime DLL loading) and names ransomware families and threat groups that use them, such as LockBit and BlackCat. #CMSTP #CMLUA #CMSTPLUA #LockBit #BlackCat #BlackMatter #Avaddon

Keypoints

  • Ransomware seeks admin privileges by bypassing UAC to encrypt the system root and other protected areas.
  • CMSTP (Microsoft Connection Manager Profile Installer) is abused as a legitimate, Microsoft-signed tool to achieve silent elevation.
  • Three CMSTP-based UAC bypass techniques are highlighted: malicious INF files, CLSIDs (CMLUA/CMSTPLUA), and runtime linking of CMLUA.dll.
  • Malicious INF files are used with cmstp.exe to install service profiles silently and elevate to Administrator.
  • COM interface/CLSIDs and IID combinations enable COM hijacking to bypass UAC (e.g., CMSTPLUA/CMLUAUTIL CLSIDs).
  • Runtime DLL loading (dynamic linking) of CMLUA.dll is another method to obtain admin privileges during UAC bypass.
  • Threat actors and ransomware families mentioned include LockBit 3.0, BlackCat, BlackMatter, and groups like Cobalt, Muddy Water, Evilnum, and Avaddon.

MITRE Techniques

  • [T1548.002] Bypass User Account Control – Used to obtain admin privileges without prompting the user; ‘As per our analysis, this is done by bypassing the UAC to get admin access.’
  • [T1112] Modify Registry – Registry key changes elevate programs; ‘Registry key: A small change in the registry key will elevate the program to the admin level. The most commonly changed key is shell/open/command.’
  • [T1574.001] DLL Search Order Hijacking – DLL Hijack occurs when a legitimate DLL load is intercepted by a malicious DLL; ‘When an auto-elevated program is running and requesting to load a legitimate DLL, a malicious DLL will be loaded that takes over the process when one of its functions is called.’
  • [T1574.002] COM Hijacking – COM interface exploitation to obtain admin-level execution; ‘COM Interface: This technique is used by some malware families… targets a genuine Windows application program COM interface which usually operates at the admin level.’
  • [T1218.005] Signed Binary Proxy Execution: CMSTP – CMSTP usage to install service profiles silently and elevate; ‘CMSTP stands for Microsoft Connection Manager Profile Installer… The service profile can be installed silently without prompting the user.’
  • [T1574.002] COM Hijacking – Using CLSIDs of CMSTPLUA and CMLUAUTIL to achieve elevation; ‘They can also use IID (the Interface ID) in combination with any of the two CLSIDs.’
  • [T1055.001] DLL Injection – Runtime linking of CMLUA.dll to gain privileges; ‘Linking CMLUA.dll at runtime… the malware loads DLL … to get administrative privileges.’

Indicators of Compromise

  • [Hash] MD5 – 097CC44444C6733BC6B32CB1C4C87DDD
  • [Hash] MD5 – 7E37F198C71A81AF5384C480520EE36E

Read more: https://blogs.quickheal.com/uac-bypass-using-cmstp/