<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tinycc - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/tinycc/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/tinycc/feed.xml" rel="self" type="application/rss+xml"/><item><title>TinyCC Masquerading as Svchost for Shellcode Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/</guid><description>Attackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.</description><content:encoded><![CDATA[<p>The Lotus Blossom threat actor has been observed using a technique involving the Tiny C Compiler (TinyCC) to execute shellcode on compromised systems.  This technique involves renaming the legitimate <code>tcc.exe</code> binary to <code>svchost.exe</code> to masquerade as a legitimate Windows process. The renamed compiler is then used to compile and execute C source files containing malicious shellcode. A key aspect of this attack is the use of the <code>-nostdlib</code> and <code>-run</code> flags when invoking the renamed <code>tcc.exe</code>.  This behavior was specifically observed in the Chrysalis backdoor campaign, where the attackers executed <code>conf.c</code> containing Metasploit block_api shellcode.  This technique allows attackers to bypass traditional security measures by leveraging a legitimate tool in an unexpected way and from unusual locations. The ability of TinyCC to compile and execute code on-the-fly makes it an attractive tool for attackers seeking to evade detection.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (details not specified in source).</li>
<li>The attacker drops the Tiny C Compiler (tcc.exe) onto the compromised system, typically in a user-writable directory like AppData or Temp.</li>
<li>The attacker renames <code>tcc.exe</code> to <code>svchost.exe</code> to masquerade as a legitimate Windows process. This helps evade detection based on process names.</li>
<li>The attacker drops a C source file (e.g., <code>conf.c</code>) containing malicious shellcode onto the system.</li>
<li>The attacker executes the renamed <code>svchost.exe</code> (originally tcc.exe) to compile and execute the C source file containing the shellcode. The command line includes the flags <code>-nostdlib</code> and <code>-run</code>.</li>
<li>The shellcode executes, performing malicious actions such as establishing a reverse shell, downloading additional payloads, or injecting into other processes.</li>
<li>The attacker uses the established foothold to move laterally within the network.</li>
<li>The attacker achieves their final objective, which could include data exfiltration, deploying ransomware, or establishing persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary code on the compromised system. This can lead to data theft, system compromise, and further propagation within the network.  The Lotus Blossom group has used this technique to install the Chrysalis backdoor. The number of victims and the sectors targeted by this specific campaign are not detailed in the provided source, but the technique is a significant threat to organizations due to its potential for stealth and impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process-creation logging (Event ID 1) and ensure command-line arguments are captured, to enable the rules above.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Monitor for processes named <code>svchost.exe</code> that are not located in the standard Windows system directories (<code>C:\\Windows\\System32\\</code> or <code>C:\\Windows\\SysWOW64\\</code>), as these are indicative of the renamed TinyCC binary based on the provided data and the detection logic.</li>
<li>Investigate any <code>svchost.exe</code> or <code>tcc.exe</code> processes executing with the <code>-nostdlib</code> and <code>-run</code> flags, especially when compiling <code>.c</code> files, using the detection logic in the Sigma rule.</li>
<li>Implement application control policies to restrict the execution of binaries from user-writable directories, mitigating the initial execution of the renamed compiler.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>tinycc</category><category>shellcode</category><category>svchost</category><category>lotus-blossom</category><category>chrysalis</category><category>t1059.003</category><category>t1027</category></item></channel></rss>