{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/tinycc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lotus Blossom"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tiny C Compiler"],"_cs_severities":["high"],"_cs_tags":["tinycc","shellcode","svchost","lotus-blossom","chrysalis","t1059.003","t1027"],"_cs_type":"threat","_cs_vendors":["TinyCC"],"content_html":"\u003cp\u003eThe Lotus Blossom threat actor has been observed using a technique involving the Tiny C Compiler (TinyCC) to execute shellcode on compromised systems.  This technique involves renaming the legitimate \u003ccode\u003etcc.exe\u003c/code\u003e binary to \u003ccode\u003esvchost.exe\u003c/code\u003e to masquerade as a legitimate Windows process. The renamed compiler is then used to compile and execute C source files containing malicious shellcode. A key aspect of this attack is the use of the \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e flags when invoking the renamed \u003ccode\u003etcc.exe\u003c/code\u003e.  This behavior was specifically observed in the Chrysalis backdoor campaign, where the attackers executed \u003ccode\u003econf.c\u003c/code\u003e containing Metasploit block_api shellcode.  This technique allows attackers to bypass traditional security measures by leveraging a legitimate tool in an unexpected way and from unusual locations. The ability of TinyCC to compile and execute code on-the-fly makes it an attractive tool for attackers seeking to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (details not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker drops the Tiny C Compiler (tcc.exe) onto the compromised system, typically in a user-writable directory like AppData or Temp.\u003c/li\u003e\n\u003cli\u003eThe attacker renames \u003ccode\u003etcc.exe\u003c/code\u003e to \u003ccode\u003esvchost.exe\u003c/code\u003e to masquerade as a legitimate Windows process. This helps evade detection based on process names.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a C source file (e.g., \u003ccode\u003econf.c\u003c/code\u003e) containing malicious shellcode onto the system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed \u003ccode\u003esvchost.exe\u003c/code\u003e (originally tcc.exe) to compile and execute the C source file containing the shellcode. The command line includes the flags \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shellcode executes, performing malicious actions such as establishing a reverse shell, downloading additional payloads, or injecting into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established foothold to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, deploying ransomware, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the compromised system. This can lead to data theft, system compromise, and further propagation within the network.  The Lotus Blossom group has used this technique to install the Chrysalis backdoor. The number of victims and the sectors targeted by this specific campaign are not detailed in the provided source, but the technique is a significant threat to organizations due to its potential for stealth and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) and ensure command-line arguments are captured, to enable the rules above.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for processes named \u003ccode\u003esvchost.exe\u003c/code\u003e that are not located in the standard Windows system directories (\u003ccode\u003eC:\\\\Windows\\\\System32\\\\\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\\\\\u003c/code\u003e), as these are indicative of the renamed TinyCC binary based on the provided data and the detection logic.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003esvchost.exe\u003c/code\u003e or \u003ccode\u003etcc.exe\u003c/code\u003e processes executing with the \u003ccode\u003e-nostdlib\u003c/code\u003e and \u003ccode\u003e-run\u003c/code\u003e flags, especially when compiling \u003ccode\u003e.c\u003c/code\u003e files, using the detection logic in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of binaries from user-writable directories, mitigating the initial execution of the renamed compiler.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/","summary":"Attackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.","title":"TinyCC Masquerading as Svchost for Shellcode Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-09-tinycc-shellcode/"}],"language":"en","title":"CraftedSignal Threat Feed - TinyCC","version":"https://jsonfeed.org/version/1.1"}