Daniel Stepanic

Dancing the night away with named pipes -  PIPEDANCE client release

In this publication, we will walk through this client application’s functionality and how to get started with the tool.

Dancing the night away with named pipes - PIPEDANCE client release

Introduction

This year at VB2023, a globally renowned malware conference, Daniel Stepanic of the Elastic Security Labs team presented new insights into PIPEDANCE – a malware we disclosed earlier this year. In addition to the talk, we released a client application that enables threat research, offering learning opportunities for both offensive and defensive teams. In this publication, we will walk through this client application’s functionality and how to get started with the tool. Our goal with this research is to help defenders improve their understanding of PIPEDANCE by emulating techniques from this malware, used by a formidable threat group. This includes different behaviors such as:

  • Command and control communication through named pipes
  • Different styles of process injection
  • Performing network connectivity checks
  • System/network discovery and enumeration

Recap

PIPEDANCE is a custom malware family used by a state-sponsored group to perform post-compromise activities. It's purpose-built to enable lateral movement, deploy additional implants, and perform reconnaissance functions. PIPEDANCE uses named pipes as its main channel for command and control communication. With a variety of unique features, we believe it’s a useful example to share for research purposes and can help defenders validate security tooling.

For a detailed analysis of the PIPEDANCE malware, check out our previous research.

Development

To get a better understanding of different features within malware, our team at Elastic Security Labs sometimes writes custom applications and controllers to interact with the malware or malware infrastructure. This process helps cultivate knowledge of a sample’s core features, assists in understanding the control flow better, and further validates different areas such as inputs and outputs to functions and data structures. Another key benefit is to uncover functionality that was not directly observed during an intrusion but is still contained in the malware. This allows our team to collect more intelligence, build additional detections, and understand more of the adversary’s objectives behind the malware.

While we don't cover these exact scenarios in this publication, here are some things that you can do with the client (but you may think of others):

  • Understand how malware abuses named pipes
  • Verify data sources for security tooling around network activity using named pipes
  • Build a network decoder using PCAP data from PIPEDANCE’s communication requests

With the release of the client, we're hoping that the community can write additional PIPEDANCE clients in your favorite language and compare notes.

Getting Started

Note: Please review the requirements before setting up the lab environment. For this example, we will use two different endpoints in the same local network where named pipes, inter-process communication, and SMB settings are configured properly.

The first step is to download the PIPEDANCE sample (free registration required) and start the program without any arguments on one endpoint. This machine is the targeted endpoint where the adversary is interested in running additional implants and performing reconnaissance. After execution, a named pipe will be created and await an incoming connection from our client.

.\e5ae20ac5bc2f02a136c3cc3c0b457476d39f809f28a1c578cda994a83213887

Now that PIPEDANCE is running on our targeted machine, download and compile the client files within the repository. The PIPEDANCE malware uses a hard-coded string, u0hxc1q44vhhbj5oo4ohjieo8uh7ufxe, that serves as the named pipe name and RC4 key.

Take the newly compiled client program and execute it on a separate endpoint with one argument using either the target IP address or hostname of the machine running PIPEDANCE (machine from the previous step). An example of this would be:

pipedance_client.exe 192.168.47.130

After execution, the client will check in with the PIPEDANCE victim to retrieve the PID of the malicious process, working directory, and user running the process. A menu of commands should be listed allowing the operator to perform various post-compromise activities.

The appendix below contains the functions and their supported arguments.

Conclusion

As part of our research investigating PIPEDANCE, we are releasing a client application that interacts with the malware. This tool can be used to evaluate existing security prevention/detection technologies as well as used for threat research purposes. Please check out our repository, there is also a detection section with behavioral/YARA/hunting rules.

Appendix

Handler Commands

Command IDDescriptionArguments
0StopPIPEDANCE client
1Terminate process by PIDPID (ex. 9867)
2Run shell command and print outputCommand (ex. ipconfig)
4List files in current working directory
6Write file to diskFilename (full path), file content
7Get current working directory
8Change current working directoryFolder path
9List running processes
23Create random process with hijacked token from provided PID and inject shellcode (32bits)PID (token hijack), shellcode
24Create random process with hijacked token from provided PID and inject shellcode (64bits)PID (token hijack), shellcode
25Open process from provided PID and inject shellcode (32bits)PID (thread hijack), shellcode
26Open process from provided PID and inject shellcode (64bits)PID (thread hijack), shellcode
71HTTP connectivity checkDomain (ex. google.com)
72DNS connectivity check with provided DNS server IPDNS server IP
73ICMP connectivity checkICMP server IP
74TCP connectivity checkIP, port
75DNS connectivity check without DNS server
99Disconnect pipe / exit thread
100Terminate PIPEDANCE process / disconnect Pipe / exit thread