Utilizing Image File Execution Options (IFEO) For Stealthy Persistence

Joshua Beaman 22/02/2024

Embark on a journey into the shadows of malware persistence where malicious software meets the art of invisibility, and how a legitimate Windows feature such as IFEO becomes a weapon in the hands of crafty threat actors.

Introduction

In this continuously expanding threat environment, the stealthiest threat actors can make their malware lurk in the most unsuspecting places. Picture this: a seemingly harmless Windows feature, Image File Execution Options (IFEO), standing as the perfect Trojan horse for malware persistence. This concealed strategy allows malicious actors to embed themselves deeply within a victim’s system, evading detection and maintaining a relentless grip.

In this blog post, we embark on a journey into the shadows of malware persistence, where malicious software meets the art of invisibility and how a legitimate Windows feature such as IFEO becomes a weapon in the hands of crafty threat actors. We’ll uncover how malware creators exploit this hidden avenue to ensure their continued presence, undetected and undisturbed.

We will illuminate the enigmatic world of IFEO and equip you with the knowledge to detect, confront, and fortify against this stealthy threat. Stay with us until the end of this blog as we unveil the hidden trails that malware leaves behind.

While this persistence technique may be considered dated, it aligns with the timeless wisdom that suggests:

‘Old tactics can be revisited, but the innovative adaptations maintain their relevance in the constantly shifting terrain of knowledge and innovation.’

Let’s start…

What exactly is Image File Execution Options (IFEO), and why do threat actors utilize it for achieving persistence?

IFEO is a feature in Windows designed for developers. It allows them to set specific execution options for an image file (executable) without modifying the actual binary code. Developers commonly use IFEO for debugging and compatibility purposes.

However, threat actors have also exploited IFEO for malicious purposes due to its powerful capabilities. They frequently choose IFEO as a preferred destination for achieving persistence because of:

  • Legitimacy: IFEO entries are legitimate and do not typically raise suspicion. They blend seamlessly into the Windows Registry, making them less likely to be detected by security software.
  • Silent Execution: Malware utilizing IFEO can execute silently alongside legitimate processes. This stealthy approach can help evade detection and maintain a low profile on the victim system.
  • Persistence: IFEO-based persistence ensures that the malicious code runs every time the specified executable is launched, maintaining the attacker’s control over the compromised system as long as the user continues to run the same application.

IFEO is located under the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Case Study: Persistence via IFEO

Now we’ll dive into the mechanics of IFEO, exploring how attackers make use of this Windows feature as a component of their malware’s discreet persistence technique.

Access IFEO via the GUI (REGEDIT.exe)

Before we continue, let’s explore where to find this in the registry.

First, open Windows search, type REGEDIT and run it as Administrator.

Next, navigate to the IFEO key, which can be found at:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Access IFEO via the CLI using the reg query command

Now, let’s explore accessing IFEO via the command-line interface (CLI).

First, open an Administrator Command Prompt.

Then execute the following command, replacing <Subkey> with the binary of interest:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<Subkey>"

This command will query the IFEO subkey, providing us with the full path and its corresponding subkey values.

  1. IFEO Registry Key and Subkeys
  2. IFEO Registry Full Path (iexplore.exe)
  3. IFEO’s sample iexplore.exe subkey with its values, data types and data

Persistence via IFEO Debugger using CLI reg command

In this section, we’ll delve into the mechanics of how malware can utilize IFEO as a means of achieving persistence.

Under the IFEO key in the Windows Registry you can create subkeys named after executable files, as seen in the above example. These subkeys contain various values and settings that control how the associated executable runs. Some common uses of IFEO include:

  1. Debugger Registration: Developers can use IFEO to specify a debugger that should be launched when a particular executable is started. This is useful for debugging and diagnosing issues with software.
  2. Compatibility Settings: IFEO can be used to specify compatibility settings for an executable, such as running it in a particular compatibility mode or with specific privileges.
  3. Silent Process Exit: IFEO can be configured to monitor processes and perform actions when a specified executable exits. This can be useful for diagnostic purposes.

In this demo, we will use the Debugger value and settings to mimic how malware uses IFEO for persistence.

  1. We execute the following ‘reg add’ command:

     reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /t REG_SZ /v Debugger /d "C:\Windows\System32\calc.exe" /f

  2. A notepad.exe subkey is created under the IFEO key.
  3. The full path of Calculator, “C:\Windows\System32\calc.exe”, is added as the data for our ‘Debugger’ value.

    (Note: refresh regedit or use reg query to confirm the changes.)

After the steps above, open notepad and observe what happens!

When we assign ‘calc.exe’ as the data for our Debugger value, we are essentially telling Windows that the debugger for notepad.exe is ‘calc.exe’.

In our case study, when the user launches “notepad.exe”, the program assigned to the Debugger value is executed instead; in our case it’s “calc.exe”, not Notepad.

This is how malware exploits this Windows feature: by using a legitimate application to execute malware in the system, ensuring that the malicious code runs every time the specified executable is launched.

(1, 2) notepad.exe value, data type and data; (3) Calculator (Win32calc.exe) was launched instead of Notepad.

Summary

The takeaway from this blog is that malware authors modify this registry key in order to use legitimate applications to launch their custom malware on the victim system. IFEO provides threat actors with an effective means of maintaining persistence on a compromised system while leveraging the cloak of legitimacy. This combination of stealth and versatility makes it an attractive choice for malicious actors seeking to maintain control over targeted systems.

As a result, IT administrators and security professionals often monitor and audit the IFEO entries in the Windows Registry to identify suspicious or unauthorized modifications that may indicate the presence of malware or other security threats in their systems.
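One way to carry out the audit described above, shown as an added example that is not part of the original post: it parses the text output of reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s and reports every subkey that carries a Debugger value. The sample output, the devtool.exe entry and the allowlist of approved debuggers are constructed assumptions.

```python
import re

MARKER = "\\image file execution options\\"
# `reg query` value lines look like: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
    DisableExceptionChainValidation    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Windows\System32\calc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe
    Debugger    REG_SZ    "C:\Program Files\Debugging Tools\windbg.exe" -g
"""

def debugger_image(command):
    """Best-effort executable path taken from a Debugger command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def find_ifeo_debuggers(reg_output, allowlist=()):
    """Return one finding per Debugger value found under an IFEO subkey."""
    allowed = {path.lower() for path in allowlist}
    findings, image = [], None
    for line in reg_output.splitlines():
        if line.strip() and not line[0].isspace():
            # Key header line: the component after the IFEO key is the target image.
            pos = line.lower().find(MARKER)
            image = line[pos + len(MARKER):].split("\\")[0].strip() if pos != -1 else None
            continue
        match = VALUE_RE.match(line)
        if not match or image is None or match["name"].lower() != "debugger":
            continue
        command = match["data"].strip()
        findings.append({
            "image": image,
            "debugger": command,
            "suspicious": debugger_image(command).lower() not in allowed,
        })
    return findings

if __name__ == "__main__":
    # Hypothetical allowlist: debuggers the organisation has approved.
    approved = [r"C:\Program Files\Debugging Tools\windbg.exe"]
    for f in find_ifeo_debuggers(SAMPLE, approved):
        print(("REVIEW" if f["suspicious"] else "ok    "), f["image"], "->", f["debugger"])
```

Run against the sample, only the notepad.exe entry from the demo is marked for review; with an empty allowlist every Debugger value is reported.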

For more information on this technique refer to MITRE ATT&CK sub-technique T1546.012.

About Security Blue Team

This article was written by Renmarc Andrada, a Defensive Content Engineer at Security Blue Team. SBT is a leading cybersecurity training company that has over 100,000 students across governments, law enforcement agencies, military units, financial institutions, and many more industries around the world. 

 
