Going Dark: Fact vs. Fiction on the Dark Web

What is the dark web really like? In this episode, we take a tour of the dark halls and back alleys of the dark web to separate fact from fiction.

The post Going Dark: Fact vs. Fiction on the Dark Web appeared first on Recorded Future.

Mention the dark web and many people summon imagery of a massive, mysterious online criminal underground, where all manner of products and information are bought, sold, and traded, hidden away from the prying eyes of the public and law enforcement.
But, is that really what it’s like, or is that just cyber security marketing hype?
In this episode, we take a tour of the dark halls and back alleys of the dark web with the aim of separating fact from fiction. We’ll learn the truth about the people and products on the dark web, and find out the part it plays in threat intelligence today.
Our tour guides are Andrei Barysevich, Director of Advanced Collection at Recorded Future, and Emily Wilson, Director of Analysis at Terbium Labs.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.
Author: Amanda McKeon

Chinese and Russian Cyber Communities Dig Into Malware From April Shadow Brokers Release

As of April 15, the Chinese cyber community had begun to investigate the most recent release of malware from the Shadow Brokers group. Here’s a closer look.

The post Chinese and Russian Cyber Communities Dig Into Malware From April Shadow Brokers Release appeared first on Recorded Future.

As of April 15, the Chinese cyber community had begun to investigate the most recent release of tools from the Shadow Brokers group. Security researchers and cyber actors reversed several of the tools and were particularly interested in the exploit framework (FUZZBUNCH) and the SMBv1 exploits ETERNALBLUE and ETERNALROMANCE.
Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses.

Mentions of one of the tools, ETERNALBLUE, on the Chinese language web over time.

Mentions of Shadow Brokers-released malware on the Chinese language web and from Recorded Future sources.
The surprise release has also stirred up great interest among Russian-speaking cyber criminals. Only three days after the data was leaked, a well-respected member of a top-tier dark web community posted a detailed setup tutorial on weaponizing the ETERNALBLUE exploit together with the DOUBLEPULSAR kernel payload.

Mentions of one of the tools, ETERNALBLUE and DOUBLEPULSAR, on the Russian language web over time.
In a separate thread, another member of the community asked for help choosing a working exploit for a vulnerable Server Message Block version 1 (SMBv1) service that had been identified while scanning a victim’s environment. Several members recommended the recently released ETERNALBLUE exploit and praised its usefulness.
Background
The Shadow Brokers is a group of unknown membership that first came to public attention in August 2016. It has both advertised for sale and publicly released hacking tools and exploits which it claims were written and used by the U.S. National Security Agency (NSA).
Impact
Discussions in the Chinese and Russian cyber communities indicate broad interest in the capabilities released by the Shadow Brokers. Chinese users are particularly interested in the unique malware triggers, and many believe the underlying vulnerabilities exploited by these toolsets have not been completely mitigated by the patches.
Further, Chinese APT groups have demonstrated an ability to quickly weaponize zero-day vulnerabilities, in one instance within three days of public release. These three factors combine to increase the risk that malicious Chinese actors will reuse or repurpose this malware.
Recorded Future customers should set up alerts on these tools and the corresponding vulnerabilities, patch critical systems immediately, and remain vigilant to unique variations on these exploitation techniques.
Author: Insikt Group

It’s Cheap, It’s Easy, It’s Dangerous: Karmen Ransomware Hits the Criminal Black Market

This episode focuses on a new ransomware variant called “Karmen” that’s cheap and easy to use for cyber criminals. Andrei Barysevich provides more detail.

The post It’s Cheap, It’s Easy, It’s Dangerous: Karmen Ransomware Hits the Criminal Black Market appeared first on Recorded Future.

Over the last two years, ransomware has become the hottest commodity in the criminal black market. And we do mean commodity — it’s getting cheaper and more accessible to crooks, even the unskilled ones.
On March 4 of this year, a leading cyber criminal, who goes by the name “Dereck1,” mentioned that there was a new ransomware variant out called “Karmen.” But Dereck1 wasn’t the one hawking this in the criminal market. Instead, it’s a Russian speaker who goes by the name of “DevBitox.”
The first infections seem to go back to December of 2016, with victims in Germany and the United States reporting infection. DevBitox is no cryptographic ace — by his own admission, he was involved only with web development and control panel design, the criminal customer’s user experience. But Karmen is interesting not only because it’s dangerous, but because it’s cheap, and because it affords some insight into the way criminal markets function. Joining us to talk about Karmen is Andrei Barysevich, Director of Advanced Collection at Recorded Future.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.
Author: Amanda McKeon

Writing a libemu/Unicorn Compatibility Layer

In this post we are going to take a quick look at what it takes to
write a libemu compatibility layer for the Unicorn engine. In the
course of this work, we will also import the libemu Win32 environment
to run under Unicorn.

For a bit of background, libemu is a lightweight x86 emulator
written in C by Paul Baecher and Markus Koetter. It was released in
2007 and includes a built-in Win32 environment that allows shellcodes
to resolve API at runtime. The library also provides end users with a
convenient way to receive callbacks when API functions are hit. The
original project supported five Windows DLLs, 51 hooks and 234 opcodes,
all in a package of about 1 MB. Unfortunately it is no longer
being updated.

In late 2015, we saw the Unicorn engine project released by Nguyen
Anh Quynh and Dang Hoang Vu. This project takes the processor
emulators from QEMU and wraps them into an easy to use library.
Unicorn, however, does not provide a Win32 layer.

As an experiment, we were curious to see what it would take to bring
the libemu Win32 environment into Unicorn. This task actually turned
out to be quite simple since it was nicely self contained. In the
process of exploring this it also made sense to write a basic shim
layer to support the libemu API and translate its inner workings over
to Unicorn.

Let's start with the common libemu API:

The API is actually very similar to Unicorn:

The major differences are that Unicorn does everything through an
opaque uc_engine* handle, while libemu uses a series of structs such
as emu, emu_cpu, and emu_memory:

In general, the emu and emu_memory structures are passed directly as
arguments to API wrappers such as emu_cpu_get, emu_memory_get and the
emu_memory_read/write functions. There is one common case of direct
member access to the emu_cpu structure that requires some special
attention. This structure gives the user direct read/write access to
the emulator’s virtual processor and is commonly utilized by user
code. Examples to support include:

The next task was to see if we could mimic the direct access to the
emu_cpu elements as if they were static struct fields. Here we enter
the world of C++ operator overloading.
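The following is an added example written for this edit; it is not code from the original post or from the libemu, Unicorn or scdbg projects. It shows the operator-overloading approach described above: a proxy type stands in for each emu_cpu register field so that legacy libemu-style code such as cpu->reg[esp] -= 4; compiles unchanged while every read and write goes through the emulator backend. The backend here is a stub (an array of registers behind reg_read/reg_write functions) standing in for uc_reg_read()/uc_reg_write() on a uc_engine*, so the program runs without Unicorn installed; the UC_* ids and the demo register values are this example's own, not Unicorn's UC_X86_REG_* constants.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Backend stand-in. Assumption: a real shim calls uc_reg_read()/uc_reg_write()
// on a uc_engine* here. The stub keeps the registers in an array so the example
// runs without Unicorn; the UC_* ids are the stub's own values.
enum UcReg { UC_EAX = 0, UC_ECX, UC_EDX, UC_EBX, UC_ESP, UC_EBP, UC_ESI, UC_EDI,
             UC_EIP, UC_EFLAGS, UC_REG_COUNT };

namespace stub {
    static uint32_t regs[UC_REG_COUNT];
    inline int reg_read(int id, void* value)        { std::memcpy(value, &regs[id], sizeof(uint32_t)); return 0; }
    inline int reg_write(int id, const void* value) { std::memcpy(&regs[id], value, sizeof(uint32_t)); return 0; }
}
uint32_t backend_reg(int id) { return stub::regs[id]; }   // inspect the emulator side

// libemu's register indices, as used by existing user code: cpu->reg[esp]
enum emu_reg32 { eax = 0, ecx, edx, ebx, esp, ebp, esi, edi };
static const int reg_map[8] = { UC_EAX, UC_ECX, UC_EDX, UC_EBX, UC_ESP, UC_EBP, UC_ESI, UC_EDI };

// The shim: a RegProxy sits where libemu's uint32_t field used to be. A read
// converts to uint32_t through the backend and a write goes to the backend, so
// legacy code such as `cpu->reg[esp] -= 4;` compiles and behaves as before.
class RegProxy {
    int id_;
public:
    explicit RegProxy(int id = 0) : id_(id) {}
    void bind(int id) { id_ = id; }
    operator uint32_t() const { uint32_t v = 0; stub::reg_read(id_, &v); return v; }
    RegProxy& operator=(uint32_t v) { stub::reg_write(id_, &v); return *this; }
    // Without this overload `cpu->reg[ebx] = cpu->reg[eax];` would use the
    // implicit copy-assignment and rebind ebx to eax's backend register.
    RegProxy& operator=(const RegProxy& o) { return *this = static_cast<uint32_t>(o); }
    RegProxy& operator+=(uint32_t v) { return *this = static_cast<uint32_t>(*this) + v; }
    RegProxy& operator-=(uint32_t v) { return *this = static_cast<uint32_t>(*this) - v; }
};

// Mirrors the libemu struct layout that user code touches directly.
struct emu_cpu {
    RegProxy reg[8];
    RegProxy eip;
    RegProxy eflags;
    emu_cpu() : eip(UC_EIP), eflags(UC_EFLAGS) {
        for (int i = 0; i < 8; ++i) reg[i].bind(reg_map[i]);
    }
};

// Legacy libemu-style user code, left exactly as it would be written for libemu.
uint32_t demo_legacy_code(emu_cpu* cpu) {
    cpu->reg[esp] = 0x0012fff0;
    cpu->reg[esp] -= 4;                 // reserve a stack slot, as a push would
    cpu->reg[eax] = 0x41414141;
    cpu->reg[ebx] = cpu->reg[eax];      // copies the value, not the binding
    cpu->eip = 0x00401000;
    return cpu->reg[ebx];
}

uint32_t run_demo()       { emu_cpu cpu; return demo_legacy_code(&cpu); }
uint32_t esp_after_demo() { emu_cpu cpu; demo_legacy_code(&cpu); return cpu.reg[esp]; }
// true if ebx still reads its own backend register after eax is changed
bool binding_preserved()  { emu_cpu cpu; demo_legacy_code(&cpu); cpu.reg[eax] = 1; return cpu.reg[ebx] == 0x41414141u; }

int main() {
    std::printf("ebx = %08x\n", run_demo());
    std::printf("esp = %08x after the emulated push\n", esp_after_demo());
    std::printf("eip on the backend = %08x\n", backend_reg(UC_EIP));
    std::printf("ebx keeps its own binding: %s\n", binding_preserved() ? "yes" : "no");
    return 0;
}
```

The trap worth noting is the second assignment operator. Without it, a register-to-register assignment such as cpu->reg[ebx] = cpu->reg[eax]; silently rebinds the ebx proxy to eax's backend register instead of copying the value, which is the kind of bug that only surfaces once a large hook library such as scdbg's is running on top of the shim.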

With these tasks complete, porting existing code from libemu over to
Unicorn should be a pretty straightforward task.

Figure 1 shows an initial test we put together that includes the
Win32 environment, the shim layer, several API hooks and a hard-coded payload.

Figure 1: Initial test of the libemu Win32
environment and hooks running under Unicorn

With this working, the next stage was to try it out against a larger
code base. Here we imported the userhooks.cpp from scdbg, an extension
of the libemu sctest that includes some 250 API hooks. As it turns
out, very few changes were required to get it working.

In Figure 2, we can see the results of testing it against a fairly
complex shellcode that:

  • allocates virtual memory
  • copies code to the new allocation
  • creates a new thread
  • downloads an executable
  • checks the registry for the presence of antivirus software

Note that while this shellcode would normally do process injection,
scdbg handles it all inline for simplified analysis.


Figure 2: Complex shellcode running with
hooks imported from scdbg

Another large feature to test was the scdbg debug shell. When
testing software in an emulated environment, having interactive debug
tools available is extremely handy.

Figure 3 shows an example of setting a breakpoint, single stepping,
and examining memory of code running in the emulator.


Figure 3: Imported scdbg debug shell
running with Unicorn Engine and libemu shim layer

Conclusion

In this article we took a quick look at the differences between the
libemu and Unicorn emulator APIs. This allowed us to create a shim
layer that lets legacy libemu code run on Unicorn largely unchanged.

Once the shim layer was in place, we next imported the libemu Win32
Environment so we could run it under Unicorn.

As a final test we ported several large portions of the scdbg
project, which was originally written to run under libemu. Here the
previous work allowed scdbg’s 250+ API hooks and debug shell to be
imported and run under Unicorn with only minimal changes.

Overall the entire process went quite smoothly and should provide
benefits for developers of libemu and/or Unicorn. If you would like to
experiment for yourself you can download a copy of our test project here.

Author: David Zimmer

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that
allows a malicious actor to download and execute a Visual Basic script
containing PowerShell commands when a user opens a Microsoft Office
RTF document containing an embedded exploit. We worked with Microsoft
and published the technical details of this vulnerability as soon as a
patch was made available.

In this follow-up post, we discuss some of the campaigns we observed
leveraging the CVE-2017-0199 zero-day in the days, weeks and months
leading up to the patch being released.

CVE-2017-0199 Used by Multiple Actors

FireEye assesses with moderate confidence that CVE-2017-0199 was
leveraged by financially motivated and nation-state actors prior to
its disclosure. Actors leveraging FINSPY and LATENTBOT used the
zero-day as early as January and March 2017, respectively, and
similarities between their implementations suggest they obtained
exploit code from a shared source. Recent DRIDEX activity began
following a disclosure on April 7, 2017.

FINSPY Malware Used to Target Russian-Speaking Victims

As early as Jan. 25, 2017, lure documents referencing a
Russian Ministry of Defense decree and a manual allegedly published in
the “Donetsk People’s Republic” exploited CVE-2017-0199 to
deliver FINSPY payloads. Though we have not identified the targets,
FINSPY is sold by Gamma Group to multiple nation-state clients, and we
assess with moderate confidence that it was being used along with the
zero-day to carry out cyber espionage.

The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5:
c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely
available military training manual (Figure 1). Notably, this version
purports to have been published in the “Donetsk People’s Republic,”
the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.

The initial malicious document downloaded further payloads,
including malware and a decoy document, from 95.141.38.110. This site
had open directory indexing, which allowed recovery of additional lure
content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9),
which claims to be a Russian Ministry of Defense decree approving a
forest management plan.

Per a 2015 report from CitizenLab, Gamma Group licenses their software to clients and
each client uses unique infrastructure, making it likely that the two
documents are being used by a single client.

FINSPY malware is sold by Gamma Group, an Anglo-German “lawful
intercept” company. Gamma Group works on behalf of numerous
nation-state clients, limiting insight into the ultimate sponsor of
the activity. The FINSPY malware was heavily obfuscated, preventing
the extraction of command and control (C2) information.

Figure 1: FINSPY Lure Purporting to be Russian
Military Manual

CVE-2017-0199 Used to Distribute LATENTBOT

As early as March 4, 2017, malicious documents exploiting
CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware,
which includes credential theft capability,
has thus far only been observed by FireEye iSIGHT Intelligence in
financially motivated threat activity. Additionally, generic lures
used in this most recent campaign are consistent with methods employed
by financially motivated actors.

LATENTBOT is a modular and highly obfuscated type of malware first
discovered by FireEye iSIGHT intelligence in December 2015. It is
capable of a variety of functions, including credential theft, hard
drive and data wiping, disabling security software, and remote desktop
functionality. Recently, we observed LATENTBOT campaigns using
Microsoft Word Intruder (MWI).

The lure documents distributing LATENTBOT used generic social
engineering. The documents are listed in Table 1; all of them used
217.12.203.90 as their C2 address.

File Name                   MD5 Hash
hire_form.doc               5ebfd13250dd0408e3de594e419f9e01
!!!!URGENT!!!!READ!!!.doc   1b17ccf5109a9342b59bded31e1ffb18
                            6e9483edacdc2b6f6ed45c526cf4cf7b
PDP.doc                     4a81b6ac8aa0f86719a574d7546d563f
document.doc                65a558e9fe907dc5790e8a592364f64e

Table 1: LATENTBOT Documents

On April 10, the actors altered their infrastructure to deliver
TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5:
e3b600a59eea9b2ea7a0d4e3c45074da) beacons to
http://185.77.129.103/SBz1efFx/gt45gh.php, then downloads a Tor client
and beacons to sudoofk3wgl2gmxm.onion.

FINSPY and LATENTBOT Samples Share Origin

Shared artifacts in the FINSPY and LATENTBOT samples suggest the
same builder was used to create both, indicating the zero-day exploit
was supplied to both criminal and cyber espionage operations from the
same source.

Malicious documents used in both campaigns share a last revision
time of: 2016-11-27 22:42:00 (Figure 2).

Figure 2: Revision Time Artifact Shared Between
FINSPY and LATENTBOT Samples

DRIDEX Spam Follows Recent Disclosure

Following a disclosure of specifics related to the zero-day on April
7, 2017, the vulnerability was used in DRIDEX spam campaigns, which
continue as of the publication of this blog. We cannot confirm the
mechanism through which the actors obtained the exploit. These actors
may have leveraged knowledge of the vulnerability gained through the
disclosure, or been given access to it when it became clear that
patching was imminent.

A spam wave was sent out on April 10, 2017, leveraging a “Scan Data”
lure. The attached document leveraged CVE-2017-0199 to install DRIDEX
on the victim’s computer.

Outlook and Implications

Though only one FINSPY user has been observed leveraging this
zero-day exploit, the historic scope of FINSPY, a capability used by
several nation states, suggests other customers had access to it.
Additionally, this incident exposes the global nature of cyber threats
and the value of worldwide perspective – a cyber espionage incident
targeting Russians can provide an opportunity to learn about and
interdict crime against English speakers elsewhere.

Author: Ben Read

What About the Plant Floor? Six Subversive Concerns for ICS Environments

Industrial enterprises such as electric utilities, petroleum
companies, and manufacturing organizations invest heavily in
industrial control systems (ICS) to efficiently, reliably, and safely
operate industrial processes. Without this technology operating the
plant floor, these businesses cannot exist.

Board members, executives, and security officers are often unaware
that the technology operating the economic engine of their enterprise
invites undetected subversion.

In this paper, FireEye iSIGHT Intelligence prepares risk executives
and security practitioners to knowledgeably discuss six core
weaknesses an adversary can use to undermine a plant’s operation:

  • Unauthenticated protocols
  • Outdated hardware
  • Weak user authentication
  • Weak file integrity checks
  • Vulnerable Windows operating systems
  • Undocumented third-party relationships

Download the report to learn more. To discuss these six subversive
vulnerabilities threatening today’s industrial environments, register
for our live webinar scheduled for Tuesday, April 25 at 11:00am
ET/8:00am PT. Explore the implications and how to address them
firsthand with our ICS intelligence experts.

Author: Sean McBride

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents
that leverage CVE-2017-0199, a previously undisclosed vulnerability.
This vulnerability allows a malicious actor to download and execute a
Visual Basic script containing PowerShell commands when a user opens a
document containing an embedded exploit. FireEye has observed Office
documents exploiting CVE-2017-0199 that download and execute malware
payloads from different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and
has been coordinating public disclosure timed with the release of a
patch by Microsoft to address the vulnerability, which can be found here.

The vulnerability bypassed most mitigations prior to patch
availability; however, FireEye email and network products detected the
malicious documents. FireEye recommends that Microsoft Office users
apply the patch from Microsoft.

Attack Scenario

The attack occurs in the following manner:

  1. A threat actor emails a Microsoft Word document containing an embedded OLE2 link object to a targeted user
  2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file
  3. The file returned by the server is a fake RTF file with an embedded malicious script
  4. Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script
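As an added example, not code from the FireEye post, the following C++ program turns the attack chain above into a document triage check: it pulls the hex-encoded \objdata payload of every embedded object out of an RTF file, decodes it, looks for a remote http(s) URL stored either as ASCII or as UTF-16LE, and records whether the document asks Word to auto-update a linked object (\objautlink, \objupdate). The sample built by build_sample_rtf() is constructed for this example and is not a real exploit document: its object bytes are filler rather than a valid OLE link structure, and the URL uses a TEST-NET address. The control-word heuristic and the is_suspicious() verdict are this example's own, not FireEye's detection logic.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

// Constructed sample, NOT a real exploit document: the object bytes are filler,
// not a valid OLE link structure. Only the \objautlink\objupdate control words
// and a hex-encoded \objdata carrying a UTF-16LE URL mirror the shape described
// above. 203.0.113.5 is a TEST-NET address (RFC 5737).
const std::string SAMPLE_URL = "http://203.0.113.5/template.doc";

static std::string utf16le(const std::string& s) {
    std::string out;
    for (char c : s) { out += c; out += '\0'; }
    return out;
}
std::string build_sample_rtf(const std::string& url) {
    const unsigned char hdr[8] = {1, 5, 0, 0, 2, 0, 0, 0};
    std::string blob(reinterpret_cast<const char*>(hdr), 8);
    blob += std::string(16, '\0') + utf16le(url) + std::string(2, '\0');
    static const char* digits = "0123456789abcdef";
    std::string hex;
    for (unsigned char c : blob) { hex += digits[c >> 4]; hex += digits[c & 15]; }
    std::string wrapped;                      // real samples wrap the hex with CRLF
    for (size_t i = 0; i < hex.size(); i += 32) wrapped += hex.substr(i, 32) + "\r\n";
    return "{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw100\\objh100"
           "{\\*\\objdata \r\n" + wrapped + "}}}";
}

struct RtfReport {
    std::vector<std::string> urls;
    size_t objdata_blobs = 0;
    bool objautlink = false, objupdate = false;
};
static bool printable(char c) { return c >= 0x21 && c <= 0x7e; }

// Decode every \objdata group: hex digits run until the group closes or another
// control word starts; whitespace between digits is ignored.
static std::vector<std::string> decode_objdata(const std::string& rtf) {
    std::vector<std::string> blobs;
    const std::string tag = "\\objdata";
    for (size_t pos = rtf.find(tag); pos != std::string::npos; pos = rtf.find(tag, pos)) {
        pos += tag.size();
        std::string hex, raw;
        for (; pos < rtf.size() && rtf[pos] != '}' && rtf[pos] != '\\'; ++pos)
            if (std::isxdigit(static_cast<unsigned char>(rtf[pos]))) hex += rtf[pos];
        for (size_t i = 0; i + 1 < hex.size(); i += 2)
            raw += static_cast<char>(std::strtoul(hex.substr(i, 2).c_str(), nullptr, 16));
        blobs.push_back(raw);
    }
    return blobs;
}

// URLs may be stored as ASCII or, as a URL moniker does, as UTF-16LE.
static std::vector<std::string> find_urls(const std::string& b) {
    std::vector<std::string> out;
    static const char* prefixes[] = {"http://", "https://"};
    for (size_t i = 0; i < b.size(); ++i) {
        for (const char* p : prefixes) {
            size_t n = std::strlen(p);
            if (b.compare(i, n, p) == 0) {                          // ASCII
                size_t j = i;
                while (j < b.size() && printable(b[j])) ++j;
                out.push_back(b.substr(i, j - i));
                i = j; break;
            }
            bool wide = i + 2 * n <= b.size();
            for (size_t k = 0; wide && k < n; ++k)
                wide = b[i + 2 * k] == p[k] && b[i + 2 * k + 1] == '\0';
            if (wide) {                                              // UTF-16LE
                std::string url;
                size_t j = i;
                while (j + 1 < b.size() && printable(b[j]) && b[j + 1] == '\0') { url += b[j]; j += 2; }
                out.push_back(url);
                i = j; break;
            }
        }
    }
    return out;
}

RtfReport analyze_rtf(const std::string& rtf) {
    RtfReport r;
    r.objautlink = rtf.find("\\objautlink") != std::string::npos;
    r.objupdate  = rtf.find("\\objupdate") != std::string::npos;
    for (const std::string& blob : decode_objdata(rtf)) {
        ++r.objdata_blobs;
        for (const std::string& u : find_urls(blob))
            if (std::find(r.urls.begin(), r.urls.end(), u) == r.urls.end()) r.urls.push_back(u);
    }
    return r;
}
// A linked object that auto-updates from a remote URL is the document shape
// described above. Treat it as a triage flag, not a verdict: legitimate linked
// objects exist, so the extracted URL still has to be checked.
bool is_suspicious(const RtfReport& r) { return !r.urls.empty() && (r.objupdate || r.objautlink); }
RtfReport sample_report() { return analyze_rtf(build_sample_rtf(SAMPLE_URL)); }

int main() {
    RtfReport r = sample_report();
    for (const std::string& u : r.urls) std::printf("remote object url: %s\n", u.c_str());
    std::printf("objdata blobs: %zu, suspicious: %s\n", r.objdata_blobs, is_suspicious(r) ? "yes" : "no");
    return 0;
}
```

Run against a real sample, the interesting output is the URL itself: that is the address winword.exe will fetch the HTA from, and it can be blocked or searched for in proxy logs before anyone opens the document.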

In the two documents that FireEye observed prior to the initial
blog acknowledging these attacks, malicious scripts terminated the
winword.exe processes, downloaded additional payloads, and loaded
decoy documents. The original winword.exe process was terminated to
conceal a user prompt generated by the OLE2link. Figure 1 shows this prompt.

Figure 1: User prompt hidden by the Visual Basic script

Document 1 – (MD5: 5ebfd13250dd0408e3de594e419f9e01)

The first malicious document identified by FireEye had three stages.
An embedded OLE2 link object causes winword.exe to reach out to the
following URL to download the stage one malicious HTA file:

http[:]//46.102.152[.]129/template.doc

Once downloaded, the malicious HTA file is processed by the
“application/hta” handler. The highlighted line in Figure 2 shows the
first download occurring, followed by the additional malicious payloads.

Figure 2: Live attack scenario

Once downloaded, the template file was stored in the user’s
temporary internet files with the name template[?].hta, where [?] is
determined at run time.

The Logic Bug

Mshta.exe is responsible for handling the Content-Type
“application/hta,” parsing the content, and executing the script.
Figure 3 shows winword.exe querying the registry for the CLSID of the
“application/hta” handler.

Figure 3: Winword query registry value

Winword.exe makes a request to the DCOMLaunch service, which in turn
causes the svchost.exe process hosting DCOMLaunch to execute
mshta.exe. Mshta.exe then executes the script embedded in the
malicious HTA document. Figure 4 shows the deobfuscated VBScript from
the first stage download.

Figure 4: First document, stage one VBScript

The script shown in Figure 4 performs the following malicious actions:

  1. Terminates the winword.exe process with taskkill.exe to hide
    the prompt shown in Figure 1.
  2. Downloads a VBScript file from
    http[:]//www.modani[.]com/media/wysiwyg/ww.vbs and saves it to
    %appdata%\Microsoft\Windows\maintenance.vbs
  3. Downloads a decoy document from
    http[:]//www.modani[.]com/media/wysiwyg/questions.doc and saves it
    to %temp%\document.doc
  4. Cleans up the Word Resiliency keys for Word versions 15.0 and
    16.0 so that Microsoft Word will restart normally
  5. Executes the malicious stage two VBScript:
    %appdata%\Microsoft\Windows\maintenance.vbs
  6. Opens the decoy document, %temp%\document.doc, to hide the
    malicious activity from the user

Once executed, the downloaded stage two VBScript
(ww.vbs/maintenance.vbs) performs the following actions:

  1. Writes an embedded obfuscated script to
    %TMP%/eoobvfwiglhiliqougukgm.js
  2. Executes the script

The obfuscated eoobvfwiglhiliqougukgm.js script performs the
following actions when executed:

  1. Attempts to delete itself from the system
  2. Attempts to download
    http[:]//www.modani[.]com/media/wysiwyg/wood.exe (at most 44
    times), and saves the file to %TMP%\dcihprianeeyirdeuceulx.exe
  3. Executes %TMP%\dcihprianeeyirdeuceulx.exe

Figure 5 shows the process execution chain of events.

Figure 5: Process creation events
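The chain in Figure 5 is what endpoint process-creation telemetry would show. The following Python, added here as an illustration and not part of the FireEye post, correlates constructed Sysmon-style events into the three behaviours the post describes: mshta.exe started by the svchost.exe hosting DCOMLaunch shortly after Word, the script killing winword.exe, and the stage-two VBScript run beneath mshta.exe. All PIDs, paths and command lines in the sample are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon EID 1 or Security 4688 event carries)."""
    ts: datetime
    pid: int
    ppid: int
    image: str      # executable file name only, lower-case, e.g. "mshta.exe"
    cmdline: str


def at(seconds: int) -> datetime:
    """Timestamp helper for the constructed sample: seconds after an arbitrary base time."""
    return datetime(2017, 4, 11, 9, 0, 0) + timedelta(seconds=seconds)


# Constructed sample telemetry (hypothetical PIDs, paths and command lines) that follows the
# chain described in the post: Word opens the lure, the DCOMLaunch svchost starts mshta.exe,
# the HTA script kills Word, runs the stage-two VBScript and reopens Word on the decoy.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(at(0), 720, 700, "svchost.exe", "C:\\Windows\\System32\\svchost.exe -k DcomLaunch"),
    ProcEvent(at(5), 900, 400, "winword.exe", '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\hire_form.doc"'),
    ProcEvent(at(9), 1200, 720, "mshta.exe", "C:\\Windows\\System32\\mshta.exe -Embedding"),
    ProcEvent(at(10), 1300, 1200, "taskkill.exe", "taskkill.exe /f /im winword.exe"),
    ProcEvent(at(12), 1400, 1200, "wscript.exe",
              'wscript.exe "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\maintenance.vbs"'),
    ProcEvent(at(13), 1500, 1400, "winword.exe", '"WINWORD.EXE" /n "C:\\Users\\u\\AppData\\Local\\Temp\\document.doc"'),
]


def ancestor_images(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Image names of ev's ancestors, nearest first; bounded so PID reuse can never loop forever."""
    chain: List[str] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_hta_handler_chain(events: List[ProcEvent],
                             window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for each event matching one of the behaviours in the post.

    Caveat: mshta.exe is launched by the svchost.exe hosting DCOMLaunch, not by winword.exe,
    so a plain parent==winword.exe rule misses it. The first rule therefore correlates the
    DCOMLaunch-spawned mshta.exe with a Word start inside a time window instead.
    """
    by_pid = {e.pid: e for e in events}
    word_starts = [e.ts for e in events if e.image == "winword.exe"]
    findings: List[Tuple[str, int]] = []
    for e in events:
        if e.image == "mshta.exe":
            parent = by_pid.get(e.ppid)
            via_dcomlaunch = (parent is not None and parent.image == "svchost.exe"
                              and "dcomlaunch" in parent.cmdline.lower())
            word_recently = any(timedelta(0) <= e.ts - t <= window for t in word_starts)
            if via_dcomlaunch and word_recently:
                findings.append(("mshta_via_dcomlaunch_after_word", e.pid))
        elif e.image == "taskkill.exe" and "winword" in e.cmdline.lower():
            # The stage-one script kills Word to hide the OLE2link prompt (Figure 1).
            if "mshta.exe" in ancestor_images(e, by_pid):
                findings.append(("hta_script_kills_word", e.pid))
        elif e.image in ("wscript.exe", "cscript.exe") and ".vbs" in e.cmdline.lower():
            # Stage two (maintenance.vbs) is started by the HTA script, i.e. beneath mshta.exe.
            if "mshta.exe" in ancestor_images(e, by_pid):
                findings.append(("hta_script_runs_vbs", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_hta_handler_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```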

The final payload utilized in this malware is a newer variant of the
LATENTBOT malware family. Additional details of the updates to this
malware follow the Document 2 walkthrough.

MD5                              | Size      | Name                                | Description
5ebfd13250dd0408e3de594e419f9e01 | 37,523    | hire_form.doc                       | Malicious document
fb475f0d8c8e9bf1bc360211179d8a28 | 27,429    | template.doc/template[?].hta        | Malicious HTA file
984658e34e634d56423797858a711846 | 5,704     | ww.vbs/maintenance.vbs              | Stage two VBScript
73bf8647920eacc7cc377b3602a7ee7a | 13,386    | questions.doc/document.doc          | Decoy document
11fb87888bbb4dcea4891ab856ac1c52 | 5,292     | eoobvfwiglhiliqougukgm.js           | Malicious script
a1faa23a3ef8cef372f5f74aed82d2de | 388,096   | wood.exe/dcihprianeeyirdeuceulx.exe | Final payload
15e51cdbd938545c9af47806984b1667 | 414,720   | wood.exe/dcihprianeeyirdeuceulx.exe | Updated final payload

Table 1: First document file metadata

The LATENTBOT Payload

The payload associated with the first document is an updated version
of the LATENTBOT malware family. LATENTBOT is a highly obfuscated bot
that has been in the wild since 2013.

The newer version of the LATENTBOT has different injection
mechanisms for Windows XP (x86) and Windows 7 operating systems:

  • Attrib.exe patching – The bot calls attrib.exe, patches the
    entry in memory, and inserts a JMP instruction to transfer control
    to the mapped section. To map the section into the address space of
    attrib.exe it uses ZwMapViewOfSection().
  • Svchost code injection – Attrib.exe starts the svchost.exe
    process in suspended mode, creates space, and allocates code by
    calling ZwMapViewOfSection().
  • Control transfer – It then uses SetThreadContext() to modify
    the OEP of the primary thread, which will be executed in the remote
    process to trigger code execution.
  • Browser injection – A similar process is used to inject the
    final payload into the default web browser with the help of
    NtMapViewOfSection().

In Windows 7 or later operating systems, the bot does not use
attrib.exe. Rather, it injects code into svchost.exe and then launches
the default browser with the malicious payload by leveraging NtMapViewOfSection().

This variant then connects to the following command and control (C2) server:

Upon successful communication with the C2 server, LATENTBOT
generates a beacon. One of the decrypted beacons is as follows, with
an updated version number of 5015:

At the time of analysis, the C2 server was offline. The bot comes
with a highly modular plugin architecture and has been associated with
the “Pony” campaigns as an infostealer.

As of April 10, 2017, the malware hosted at
www.modani[.]com/media/wysiwyg/wood.exe has been updated and the C2
server has been moved to: 217.12.203[.]100.

Document 2 – (MD5: C10DABB05A38EDD8A9A0DDDA1C9AF10E)

The second malicious document identified by FireEye consisted of two
malicious stages. The initial stage reached out to the following URL
to download the stage one malicious HTA file:

http[:]//95.141.38[.]110/mo/dnr/tmp/template.doc

This file is downloaded into the user’s temporary internet files
directory with the name template[?].hta, where [?] is determined at
runtime. Once downloaded, winword.exe utilizes mshta.exe to parse the
file. mshta.exe parses the file looking for <script></script> tags
and executes the contained script. Figure 6 shows the deobfuscated
script.

Figure 6: Second document, first stage VBScript

Figure 6 shows the following malicious actions:

  1. Terminate the winword.exe process with taskkill.exe to hide
    the prompt shown in Figure 1
  2. Download an executable from
    http[:]//95.141.38[.]110/mo/dnr/copy.jpg, saving it to
    '%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe'
  3. Download a document from
    http[:]//95.141.38[.]110/mo/dnr/docu.doc, saving it to
    %temp%\document.doc
  4. Clean up the Word Resiliency keys for Word versions 15.0 and
    16.0, so that Microsoft Word will restart normally
  5. Execute the malicious payload at
    '%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\winword.exe'
  6. Open the decoy document, %temp%\document.doc, to hide the
    malicious activity from the user

Examination of the malicious payload revealed that it is a variant
of the dropper for what Microsoft calls WingBird, which has similar
characteristics to FinFisher. The malware is heavily obfuscated with
several anti-analysis measures, including a custom VM to slow
analysis. A blog post by “Artem” covers a payload driver of WingBird.
The blog author briefly mentions the protection techniques of the
dropper, which match this sample.

MD5                              | Size      | Name                   | Description
c10dabb05a38edd8a9a0ddda1c9af10e | 70,269    | СПУТНИК РАЗВЕДЧИКА.doc | Malicious document
9dec125f006f787a3f8ad464d480eed1 | 27,500    | template.doc           | Malicious HTA file
acde6fb59ed431000107c8e8ca1b7266 | 1,312,768 | copy.jpg/winword.exe   | Final payload
e01982913fbc22188b83f5f9fadc1c17 | 6,220,783 | docu.doc/document.doc  | Decoy document

Table 2: Second document metadata

Conclusion

FireEye observed CVE-2017-0199, a vulnerability in Microsoft Word
that allows an attacker to execute a malicious Visual Basic script.
The CVE-2017-0199 vulnerability is a logic bug and bypasses most
mitigations. Upon execution, the malicious script downloads and
executes malicious payloads and displays decoy documents to the user.
The two documents achieve execution of their malicious payloads, one
containing LATENTBOT and the other containing WingBird/FinFisher. The
malicious document contained only a link to the attacker-controlled
server, showing the advantage of FireEye’s MVX engine in detecting
multi-stage attacks. Further campaigns leveraging this attack were
observed prior to patch availability, but are not covered in this blog.

We recommend that Microsoft Office users apply the patch
as soon as possible.

Acknowledgement

Thank you to Michael Matonis, Dhanesh Kizhakkinan, Yogesh Londhe,
Swapnil Patil, Joshua Triplett, and Tyler Dean from FLARE Team,
FireEye Labs Team, and FireEye iSIGHT Intelligence for their
contributions to this blog. Thank you as well to everyone who worked
with us at the Microsoft Security Response Center (MSRC).

Author: Genwei Jiang

Acknowledgement of Attacks Leveraging Microsoft Zero-Day

FireEye recently detected malicious Microsoft Office RTF documents
that leverage a previously undisclosed vulnerability. This
vulnerability allows a malicious actor to execute a Visual Basic
script when the user opens a document containing an embedded exploit.
FireEye has observed several Office documents exploiting the
vulnerability that download and execute malware payloads from
different well-known malware families.

FireEye shared the details of the vulnerability with Microsoft and
has for several weeks been coordinating public disclosure timed with
the release of a patch by Microsoft to address the vulnerability.
After recent public disclosure by another company, this blog serves to
acknowledge FireEye’s awareness and coverage of these attacks.

FireEye email and network products detect the malicious documents
as: Malware.Binary.Rtf.

Attack Scenario

The attack involves a threat actor emailing a Microsoft Word
document to a targeted user with an embedded OLE2link object. When the
user opens the document, winword.exe issues an HTTP request to a remote
server to retrieve a malicious .hta file, which appears as a fake RTF
file. The Microsoft HTA application loads and executes the malicious
script. In both observed documents the malicious script terminated the
winword.exe process, downloaded additional payload(s), and loaded a
decoy document for the user to see. The original winword.exe process
is terminated in order to hide a user prompt generated by the OLE2link.

The vulnerability bypasses most mitigations; however, as noted
above, FireEye email and network products detect the malicious
documents. Microsoft Office users are recommended to apply the patch
as soon as it is available.

Acknowledgements

FLARE Team, FireEye Labs Team, FireEye iSIGHT Intelligence, and
Microsoft Security Response Center (MSRC).

Author: Genwei Jiang

APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat

APT10 Background

APT10 (MenuPass Group) is a Chinese cyber espionage group that
FireEye has tracked since 2009. They have historically targeted
construction and engineering, aerospace, and telecom firms, and
governments in the United States, Europe, and Japan. We believe that
the targeting of these industries has been in support of Chinese
national security goals, including acquiring valuable military and
intelligence information as well as the theft of confidential business
data to support Chinese corporations. PwC and BAE recently issued a joint
blog detailing extensive APT10 activity.

APT10’s Resurgence

In June 2016, FireEye iSIGHT intelligence first reported that APT10
expanded their operations. The group was initially detected targeting
a Japanese university, and more widespread targeting in Japan was
subsequently uncovered. Further collaboration between FireEye as a
Service (FaaS), Mandiant and FireEye iSIGHT intelligence uncovered
additional victims worldwide, a new suite of tools and novel techniques.

Global Targeting Using New Tools

Leveraging its global footprint, FireEye has detected APT10 activity
across six continents in 2016 and 2017. APT10 has targeted or
compromised manufacturing companies in India, Japan and Northern
Europe; a mining company in South America; and multiple IT service
providers worldwide. We believe these companies are a mix of final
targets and organizations that could provide a foothold in a final target.

APT10 unveiled new tools in its 2016/2017 activity. In addition to
the continued use of SOGU, the current wave of intrusions has involved
new tools we believe are unique to APT10. HAYMAKER and SNUGRIDE have
been used as first stage backdoors, while BUGJUICE and a customized
version of the open source QUASARRAT have been used as second stage
backdoors. These new pieces of malware show that APT10 is devoting
resources to capability development and innovation.

  • HAYMAKER is a backdoor that can download and execute
    additional payloads in the form of modules. It also conducts basic
    victim profiling activity, collecting the computer name, running
    process IDs, %TEMP% directory path and version of Internet Explorer.
    It communicates encoded system information to a single hard coded
    command and control (C2) server, using the system’s default
    User-Agent string.
  • BUGJUICE is a backdoor that is executed by launching a benign
    file and then hijacking the search order to load a malicious DLL
    into it. That malicious DLL then loads encrypted shellcode from
    the binary, which is decrypted and runs the final BUGJUICE
    payload. BUGJUICE defaults to TCP using a custom binary protocol
    to communicate with the C2, but can also use HTTP and HTTPS if
    directed by the C2. It has the capability to find files, enumerate
    drives, exfiltrate data, take screenshots and provide a reverse
    shell.
  • SNUGRIDE is a
    backdoor that communicates with its C2 server through HTTP requests.
    Messages are encrypted using AES with a static key. The malware’s
    capabilities include taking a system survey, access to the
    filesystem, executing commands and a reverse shell. Persistence is
    maintained through a Run registry key.
  • QUASARRAT is an
    open-source RAT available here. The versions
    used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via
    the public GitHub page, indicating that APT10 has further customized
    the open source version. The 2.0 versions require a dropper to
    decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT
    is a fully functional .NET backdoor that has been used by multiple
    cyber espionage groups in the past.

Traditional and Novel Methods

This recent APT10 activity has included both traditional spear
phishing and access to victims’ networks through service providers.
(For more information on infection via service providers see M-Trends
2016.) APT10 spear phishes have been relatively unsophisticated,
leveraging .lnk files within archives, files with double extensions
(e.g. “[Redacted]_Group_Meeting_Document_20170222_doc_.exe”) and in
some cases simply identically named decoy documents and malicious
launchers within the same archive.

In addition to the spear phishes, FireEye iSIGHT Intelligence has
observed APT10 accessing victims through global service providers.
Service providers have significant access to customer networks,
enabling an attacker who had compromised a service provider to move
laterally into the network of the service provider’s customer. In
addition, web traffic between a service provider’s customer and a
service provider is likely to be viewed as benign by network defenders
at the customer, allowing the attacker to exfiltrate data stealthily.
A notable instance of this observed by FireEye involved a SOGU
backdoor that was set to communicate with its C2 through a server
belonging to the victim’s service provider.

APT10 actors issued the following commands to a SOGU implant at a victim:

  • sc create CorWrTool binPath=
    "\"C:\Windows\vss\vixDiskMountServer.exe\"" start= auto
    displayname= "Corel Writing Tools Utility" type= own
  • sc description CorWrTool "Corel Graphics Corporation Applications."
  • ping -a [Redacted]
  • psexec.exe <orghost> d.exe
  • net view /domain:[Redacted]
  • proxyconnect – "port": 3389, "server": "[IP Address Redacted]"

These commands included setting persistence on the victim’s system.
The actor then tested connectivity to an IP managed by the victim’s
service provider. Once connectivity to the service provider IP was
verified, the actor established the service provider IP as a proxy for
the victim’s SOGU backdoor. This effectively routes SOGU malware
traffic through the victim’s service provider, which likely indicates
a foothold on the service provider’s network. The tactic also serves
to mask malicious C2 and exfiltration traffic and make it appear innocuous.
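The service created by the first SOGU command above is the persistence step a defender can key on. The following Python, added here as an example and not part of the FireEye post, parses the quoted sc create command (with the backslashes dropped by the page extraction restored) and flags a service binary outside the standard system and program directories and a display name whose vendor does not appear in the binary path. The trusted-directory list, the vendor heuristic and the benign comparison command are constructed for this example.

```python
from typing import Dict, List, Optional

# The "sc create" command quoted in the post, with the backslashes the page extraction
# dropped restored; used here as the sample input.
SOGU_SC_CREATE = ('sc create CorWrTool binPath= "\\"C:\\Windows\\vss\\vixDiskMountServer.exe\\"" '
                  'start= auto displayname= "Corel Writing Tools Utility" type= own')

# Directories a legitimately installed service binary normally lives under (heuristic, lower-case).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def tokenize_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace outside double quotes. Quotes stay in the
    token; the \\" escape (how sc takes a quoted binPath) becomes a literal quote."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quote = False
    i = 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and i + 1 < len(cmd) and cmd[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
            cur.append(c)
        elif c.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def _unquote(tok: str) -> str:
    """Remove exactly one layer of surrounding double quotes."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_sc_create(cmd: str) -> Optional[Dict[str, str]]:
    """Parse 'sc create <name> key= value ...' into a dict; None if cmd is not an sc create."""
    toks = tokenize_cmdline(cmd)
    if len(toks) < 3 or toks[0].lower() not in ("sc", "sc.exe") or toks[1].lower() != "create":
        return None
    fields = {"name": _unquote(toks[2])}
    i = 3
    while i < len(toks):
        tok = toks[i]
        if tok.endswith("="):                  # sc's own syntax: "key= value"
            fields[tok[:-1].lower()] = _unquote(toks[i + 1]) if i + 1 < len(toks) else ""
            i += 2
        elif "=" in tok:                       # tolerate "key=value" without the space
            key, val = tok.split("=", 1)
            fields[key.lower()] = _unquote(val)
            i += 1
        else:
            i += 1
    return fields


def service_binary(binpath: str) -> str:
    """Extract the executable path from a binPath value, which may be quoted and carry arguments."""
    s = binpath.strip()
    if s.startswith('"'):                      # quoted path, possibly followed by arguments
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    cut = s.lower().find(".exe")               # unquoted: take everything up to the first .exe
    return s[:cut + 4] if cut >= 0 else (s.split()[0] if s else "")


def assess_sc_create(cmd: str) -> List[str]:
    """Reasons this service creation looks like persistence masquerading as a vendor tool."""
    fields = parse_sc_create(cmd)
    if fields is None:
        return []
    reasons: List[str] = []
    exe = service_binary(fields.get("binpath", "")).lower()
    if exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"service binary outside standard install directories: {exe}")
    display = fields.get("displayname", "")
    vendor = display.split()[0].lower() if display else ""
    if vendor and vendor not in exe:
        reasons.append(f"display name claims vendor '{vendor}' but the binary path does not mention it")
    if reasons and fields.get("start", "").lower() == "auto":
        reasons.append("auto-start service: survives reboot")
    return reasons


if __name__ == "__main__":
    print(parse_sc_create(SOGU_SC_CREATE))
    for reason in assess_sc_create(SOGU_SC_CREATE):
        print("-", reason)
```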

Implications

APT10 is a threat to organizations worldwide. Their abuse of access
to service provider networks demonstrates that peripheral
organizations continue to be of interest to a malicious actor –
especially those seeking alternative angles of attack. We believe the
pace of APT10 operations may slow following the public disclosure by
the PwC/BAE blog; however, we believe they will return to their
large-scale operations, potentially employing new tactics, techniques
and procedures.

Author: FireEye iSIGHT Intelligence

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call
POSHSPY. POSHSPY leverages two of the tools the group frequently uses:
PowerShell and Windows Management Instrumentation (WMI). In the
investigations Mandiant has conducted, it appeared that APT29 deployed
POSHSPY as a secondary backdoor for use if they lost access to their
primary backdoors.

POSHSPY makes the most of built-in Windows features, so-called
“living off the land”, to make an especially stealthy backdoor.
POSHSPY’s use of WMI to both store and persist the backdoor code makes
it nearly invisible to anyone not familiar with the intricacies of
WMI. Its use of a PowerShell payload means that only legitimate system
processes are utilized and that the malicious code execution can only
be identified through enhanced logging or in memory. The backdoor’s
infrequent beaconing, traffic obfuscation, extensive encryption and
use of geographically local, legitimate websites for command and
control (C2) make identification of its network traffic difficult.
Every aspect of POSHSPY is efficient and covert.

Mandiant initially identified an early variant of the POSHSPY
backdoor deployed as PowerShell scripts during an incident response
engagement in 2015. Later in that same engagement, the attacker
updated the deployment of the backdoor to use WMI for storage and
persistence. Mandiant has since identified POSHSPY in several other
environments compromised by APT29 over the past two years.

We first discussed APT29’s use of this backdoor as part of our “No
Easy Breach” talk. For additional details on how we first identified
this backdoor, and the epic investigation it was part of, see the slides
and presentation.

Windows Management Instrumentation

WMI is an administrative framework that is built into every version
of Windows since Windows 2000. WMI provides many administrative
capabilities on local and remote systems, including querying system
information, starting and stopping processes, and setting conditional
triggers. WMI can be accessed using a variety of tools, including the
Windows WMI Command-line (wmic.exe), or through APIs accessible to
programming and scripting languages such as PowerShell. Windows system
WMI data is stored in the WMI common information model (CIM)
repository, which consists of several files in the
System32\wbem\Repository directory.

WMI classes are the primary structure within WMI. WMI classes can
contain methods (code) and properties (data). Users with sufficient
system-level privileges can define custom classes or extend the
functionality of the many default classes.

WMI permanent event subscriptions can be used to trigger actions
when specified conditions are met. Attackers often use this
functionality to persist the execution of backdoors at system start
up. Subscriptions consist of three core WMI classes: a Filter, a
Consumer, and a FilterToConsumerBinding. WMI Consumers specify an
action to be performed, including executing a command, running a
script, adding an entry to a log, or sending an email. WMI Filters
define conditions that will trigger a Consumer, including system
startup, the execution of a program, the passing of a specified time
and many others. A FilterToConsumerBinding associates Consumers to
Filters. Creating a WMI permanent event subscription requires
administrative privileges on a system.

We have observed APT29 use WMI to persist a backdoor and also store
the PowerShell backdoor code. To store the code, APT29 created a new
WMI class and added a text property to it in order to store a string
value. APT29 wrote the encrypted and base64-encoded PowerShell
backdoor code into that property.

APT29 then created a WMI event subscription in order to execute the
backdoor. The subscription was configured to run a PowerShell command
that read, decrypted, and executed the backdoor code directly from the
new WMI property. This allowed them to install a persistent backdoor
without leaving any artifacts on the system’s hard drive, outside of
the WMI repository. This “fileless” backdoor methodology made the
identification of the backdoor much more difficult using standard host
analysis techniques.

POSHSPY WMI Component

The WMI component of the POSHSPY backdoor leverages a Filter to
execute the PowerShell component of the backdoor on a regular basis.
In one instance, APT29 created a Filter named BfeOnServiceStartTypeChange (Figure 1), which they
configured to execute every Monday, Tuesday, Thursday, Friday, and
Saturday at 11:33 am local time. 

Figure 1: “BfeOnServiceStartTypeChange” WMI
Query Language (WQL) filter condition

The BfeOnServiceStartTypeChange Filter was
bound to the CommandLineEventConsumer WindowsParentalControlsMigration. The WindowsParentalControlsMigration consumer was
configured to silently execute a base64-encoded PowerShell command.
Upon execution, this command extracted, decrypted, and executed the
PowerShell backdoor payload stored in the HiveUploadTask text property of the RacTask class. The PowerShell command contained
the payload storage location and encryption keys. Figure 2 displays
the command, called the “CommandLineTemplate”, executed by the WindowsParentalControlsMigration consumer.

Figure 2: WindowsParentalControlsMigration CommandLineTemplate

Figure 3 contains the decoded PowerShell command from the “CommandLineTemplate.”

Figure 3: Decoded CommandLineTemplate PowerShell code
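
The subscription structure described in the WMI section (Filter, Consumer, FilterToConsumerBinding) and the CommandLineTemplate shown in Figures 2 and 3 are exactly what a responder enumerates to find this backdoor. The PowerShell below is an added example, not code from the original post or from Mandiant: it walks the three subscription classes, decodes the base64 -EncodedCommand that a CommandLineEventConsumer such as WindowsParentalControlsMigration would launch, and lists non-system classes whose string properties are large enough to hold a payload the way RacTask.HiveUploadTask did. It assumes root\subscription is the namespace to inspect (the standard location for permanent subscriptions; the post does not state which namespace held RacTask) and that it runs from an elevated PowerShell session. The Win32_LocalTime and 256-byte thresholds are this example's heuristics.

```powershell
# Added example; not code from the original post or from Mandiant. Triage the
# WMI permanent event subscriptions on the local host and look for classes
# that could hold a payload the way RacTask.HiveUploadTask did.
# Assumptions: root\subscription is the namespace to inspect, and the script
# runs in an elevated PowerShell session (reading subscriptions requires it).

$Namespace      = 'root\subscription'
$KnownConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer',
                    'LogFileEventConsumer', 'NTEventLogEventConsumer', 'SMTPEventConsumer')

function Get-RefName {
    # Binding.Filter / Binding.Consumer are CIM references. The CIM cmdlets
    # surface them as CimInstance objects; the legacy WMI cmdlets return
    # strings such as __EventFilter.Name="X". Accept either form.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

function ConvertFrom-EncodedCommand {
    # Extract and decode the argument of -e / -enc / -EncodedCommand.
    # powershell.exe decodes it as UTF-16LE, so use the Unicode encoding.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $m = [regex]::Match($CommandLine, '(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { $null }
}

function Get-WmiSubscriptionTriage {
    $filters = @{}; $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object { $filters[$_.Name] = $_ }
    # Querying the abstract __EventConsumer returns every derived consumer instance.
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { $consumers[$_.Name] = $_ }

    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
      ForEach-Object {
        # String interpolation turns an unresolved reference into "" instead of a $null index.
        $f = $filters["$(Get-RefName $_.Filter)"]
        $c = $consumers["$(Get-RefName $_.Consumer)"]
        # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer runs ScriptText.
        $action  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        $decoded = ConvertFrom-EncodedCommand $action
        $flags   = @()
        if ($decoded) { $flags += 'encoded-command' }
        # The POSHSPY pattern: read a WMI property, decrypt it, hand it to IEX.
        if ("$action $decoded" -match '(?i)Get-WmiObject|Get-CimInstance|ManagementObject|Invoke-Expression|\biex\b') {
            $flags += 'reads-wmi-or-evals-code'
        }
        if ($f.Query -match '(?i)Win32_LocalTime') { $flags += 'time-triggered' }   # heuristic, not from the post
        [pscustomobject]@{
            Filter = $f.Name; Query = $f.Query
            ConsumerClass = $c.CimClass.CimClassName; Consumer = $c.Name
            Action = $action; Decoded = $decoded; Flags = ($flags -join ',')
        }
      }
}

function Get-PayloadStoreCandidate {
    # Classes that are neither WMI system classes (__*) nor the built-in consumer
    # types. A long string property on one of them is how APT29 parked the
    # encrypted, base64-encoded backdoor.
    param([int]$MinLength = 256)   # threshold is an assumption
    Get-CimClass -Namespace $Namespace -ErrorAction SilentlyContinue |
      Where-Object { $_.CimClassName -notlike '__*' -and $_.CimClassName -notin $KnownConsumers } |
      ForEach-Object {
        $className = $_.CimClassName
        Get-CimInstance -Namespace $Namespace -ClassName $className -ErrorAction SilentlyContinue |
          ForEach-Object {
            foreach ($p in $_.CimInstanceProperties) {
                if ($p.Value -is [string] -and $p.Value.Length -ge $MinLength) {
                    [pscustomobject]@{ Class = $className; Property = $p.Name
                                       Length = $p.Value.Length; Preview = $p.Value.Substring(0, 40) }
                }
            }
          }
      }
}

Get-WmiSubscriptionTriage | Format-List
Get-PayloadStoreCandidate | Format-Table -AutoSize
```

Run it across a fleet rather than on one host: because legitimate permanent subscriptions are rare, the useful signal is any binding at all, and the Flags column only helps rank what turns up. The Decoded column is what reveals the storage location and key material that Figure 3 shows, and it is the same string that enhanced PowerShell logging would record at execution time.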

POSHSPY PowerShell Component

The full code for a POSHSPY sample is available here.

The POSHSPY backdoor is designed to download and execute additional
PowerShell code and Windows binaries. The backdoor contains several
notable capabilities, including:

1. Downloading and executing PowerShell code as an EncodedCommand

2. Writing executables to a randomly-selected directory under Program Files, and naming the EXE to match the
chosen directory name, or, if that fails, writing the executable to a
system-generated temporary file name, using the EXE extension

3. Modifying the Standard Information timestamps (created, modified,
accessed) of every downloaded executable to match a randomly selected
file from the System32 directory that was created prior to 2013

4. Encrypting communications using AES and RSA public key cryptography

5. Deriving C2 URLs from a Domain Generation Algorithm (DGA) using
lists of domain names, subdomains, top-level domains (TLDs), Uniform
Resource Identifiers (URIs), file names, and file extensions

6. Using a custom User Agent string or the system’s User Agent
string derived from urlmon.dll

7. Using either custom cookie names and values or randomly-generated
cookie names and values for each network connection

8. Uploading data in 2048-byte chunks

9. Appending a file signature header to all encrypted data, prior to
upload or download, by randomly selecting from the file types:

  • ICO
  • GIF
  • JPG
  • PNG
  • MP3
  • BMP

The sample
in this example used 11 legitimate domains owned by an organization
located near the victim. When combined with the other options in the
DGA, 550 unique C2 URLs could be generated. Infrequent beaconing, use
of DGA and compromised infrastructure for C2, and appended file
headers used to bypass content inspection made this backdoor difficult
to identify using typical network monitoring techniques.
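
Item 9 and the paragraph above describe the content-inspection evasion: a genuine file signature in front of AES ciphertext. The PowerShell below is an added example, not from the post. It takes a captured HTTP body, identifies which of the six signatures it carries, and then applies the cheap structural check a real decoder would apply next (the IHDR chunk in a PNG, the file-size field in a BMP, and so on). Byte entropy is reported but deliberately not used as the verdict, because compressed image and audio data is itself nearly as random as ciphertext. The sample bodies are constructed for the example and the per-format checks are this example's choices.

```powershell
# Added example, not part of the original post. Distinguish a real image/audio
# body from a file signature glued onto ciphertext. Sample inputs are constructed.

$Signatures = [ordered]@{
    PNG = [byte[]](0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A)
    GIF = [byte[]](0x47,0x49,0x46,0x38)            # "GIF8"
    JPG = [byte[]](0xFF,0xD8,0xFF)
    BMP = [byte[]](0x42,0x4D)                      # "BM"
    ICO = [byte[]](0x00,0x00,0x01,0x00)
    MP3 = [byte[]](0x49,0x44,0x33)                 # "ID3" tag that commonly leads an MP3
}

function Get-DeclaredType {
    # Which signature, if any, prefixes the body.
    param([byte[]]$B)
    foreach ($name in $Signatures.Keys) {
        $magic = $Signatures[$name]
        if ($B.Length -lt $magic.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $magic.Length; $i++) { if ($B[$i] -ne $magic[$i]) { $match = $false; break } }
        if ($match) { return $name }
    }
    return $null
}

function Test-DeclaredStructure {
    # The first thing a decoder reads after the magic. Random ciphertext fails
    # these with overwhelming probability (JPG is the weakest: one marker byte).
    param([string]$Type, [byte[]]$B)
    $n = $B.Length
    switch ($Type) {
        'PNG' { return ($n -ge 16 -and $B[11] -eq 13 -and [Text.Encoding]::ASCII.GetString($B, 12, 4) -eq 'IHDR') }
        'GIF' { return ($n -ge 6 -and [Text.Encoding]::ASCII.GetString($B, 0, 6) -in @('GIF87a', 'GIF89a')) }
        'JPG' { return ($n -ge 4 -and $B[3] -ge 0xC0) }                         # FF D8 FF then a marker type
        'BMP' { return ($n -ge 6 -and [BitConverter]::ToUInt32($B, 2) -eq $n) }  # header carries total file size
        'ICO' { $count = if ($n -ge 6) { [BitConverter]::ToUInt16($B, 4) } else { 0 }
                return ($count -ge 1 -and $n -ge 6 + 16 * $count) }              # directory entries must fit
        'MP3' { return ($n -ge 10 -and $B[3] -le 4 -and $B[6] -lt 0x80 -and $B[7] -lt 0x80 -and
                        $B[8] -lt 0x80 -and $B[9] -lt 0x80) }                    # ID3v2 version + synchsafe size
    }
    return $false
}

function Get-ShannonEntropy {
    # Bits per byte; near 8.0 for both ciphertext and compressed media, which is
    # why entropy alone cannot separate the two.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) { if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) } }
    return $h
}

function Test-HttpBody {
    param([byte[]]$Body)
    $type = Get-DeclaredType $Body
    $ok   = if ($type) { Test-DeclaredStructure $type $Body } else { $false }
    [pscustomobject]@{
        Declared    = $type
        StructureOk = $ok
        Entropy     = [math]::Round((Get-ShannonEntropy $Body), 2)
        Verdict     = if (-not $type) { 'no-known-signature' }
                      elseif ($ok)   { 'plausible' }
                      else           { 'signature-only: treat as opaque data' }
    }
}

# Constructed samples. CSPRNG output stands in for the AES ciphertext.
$rng    = [Security.Cryptography.RandomNumberGenerator]::Create()
$cipher = New-Object byte[] 2048; $rng.GetBytes($cipher)
$spoofedPng  = [byte[]]($Signatures['PNG'] + $cipher)                                   # magic + ciphertext
$pngWithIhdr = [byte[]]($Signatures['PNG'] + @(0,0,0,13) + [Text.Encoding]::ASCII.GetBytes('IHDR') + $cipher[0..12])
$spoofedGif  = [byte[]]($Signatures['GIF'] + $cipher)
@($spoofedPng, $pngWithIhdr, $spoofedGif) | ForEach-Object { Test-HttpBody $_ } | Format-Table -AutoSize
```

The two PNG samples report almost identical entropy, yet only the one with an IHDR chunk header passes; that is the point of checking structure rather than randomness. In a proxy or IDS this check belongs on the first few dozen bytes of each response, which is cheap, and a body whose declared type fails its own header is worth logging with the full URL, since POSHSPY's DGA also randomizes the path, file name and extension.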

Conclusion

POSHSPY is an excellent example of the skill and craftiness of
APT29. By “living off the land” they were able to make an extremely
discreet backdoor that they can deploy alongside their more
conventional and noisier backdoor families, in order to help ensure
persistence even after remediation. As stealthy as POSHSPY can be, it
comes to light quickly if you know where to look. Enabling and
monitoring enhanced PowerShell logging can capture malicious code as
it executes, and legitimate WMI persistence is so rare that malicious
persistence quickly stands out when enumerating it across an
environment. This is one of several sneaky backdoor families that we
have identified, including an off-the-shelf domain fronting backdoor
and HAMMERTOSS. When responding to an APT29 breach, it is vital to
increase visibility, fully scope the incident before responding and
thoroughly analyze accessed systems that don’t contain known malware.

Additional Reading

This PowerShell logging blog post contains more information on
improving PowerShell visibility in your environment.

This excellent whitepaper by William Ballenthin, Matt Graeber and
Claudiu Teodorescu contains additional information on WMI offense,
defense and forensics.

This presentation by Christopher Glyer and Devon Kerr contains
additional information on attacker use of WMI in past Mandiant
investigations.

The FireEye FLARE team released a WMI repository-parsing tool that
allows investigators to extract embedded data from the WMI repository
and identify WMI persistence.

Author: Matthew Dunwoody