ELF Section Docking: Revisiting Stageless Payload Delivery

The presentation discusses the use of static delivery for malware on Linux systems as an alternative to dynamic delivery.

• There has been a 35% year-over-year increase in Linux malware, with a shift towards stealthy attacks and fileless execution.
• Dynamic delivery has advantages in flexibility, but static delivery can offer benefits in terms of dormancy and detection avoidance.
• Current methods of embedding payloads include turning binaries into hex or specifying sections for data placement during compilation and linking.
• The presentation introduces the concept of LPAC (Linux Payloads As Crates) ELF docking, which allows for the bundling of payloads with loaders and the use of multiple payloads in different sections.
• LPAC ELF docking achieves ABI compatibility and overcomes packers in memory.
• Defenders can use tools to detect LPAC ELF docking, but attackers can use deeper packing and encryption to evade detection.
• LPAC ELF docking offers more flexibility for malware writers and can be used for long-term operations.
• Defenders can use Yara and other tools to detect LPAC ELF docking and analyze the sizes and types of sections in executables.

The presenter notes that while dynamic delivery is more popular, there may still be benefits to static delivery. LPAC ELF docking offers a way to bundle payloads with loaders and use multiple payloads in different sections, allowing for more flexibility and potentially longer-term operations. However, defenders can use tools like Yara to detect LPAC ELF docking and analyze the sizes and types of sections in executables.

When it comes to generating and delivering malware on Linux, offensive operators have choices. Some objectives call for a dynamic payload bootstrap off the wire, others require stageless implants. Often, malware deployed with bundled payloads can be successfully detected and analyzed. However, we think there are opportunities to improve on the process of embedding payloads in standalone implants that can elevate their survival levels.This talk will address developments in the static payload embedding and loading. In our discussion, we will revisit the mechanisms of construction of ELF binaries, and will focus on how ELF sections can be used to facilitate a successful payload hosting, retrieval and loading.We will introduce the concept of ELF section docking, whereby a section containing payload can be independently attached to the payload-agnostic loader. We will further expand the concept to address in-field (re-)attachment of sections to loaders without the use of compilers which may be very useful for long-haul offensive operations.Furthermore, we will show how ELF docking can be successfully used as an alternative to executable packing when addressing complex payloads and providing teams with options and flexibility in multiple payload delivery scenarios. We will touch on detection opportunities and the evasion features implemented in a proof-of-concept loader and injector tooling which will be released during the talk. We feel that ELF section docking can help solve some of the payload bundling challenges for the offensive operators, and also introduce ideas to hunters to detect and respond to this technique.