Blog

Archive for January, 2020

Emotet epoch 1 infection with Trickbot gtag mor84, (Tue, Jan 28th)

Introduction

URLhaus is a great resource to check for malicious URLs associated with malware.  I use it frequently to get a URL for a Word doc related to Emotet so I can generate a full chain of events for an Emotet infection.  The flow chart for an Emotet infection looks like this:


Shown above:  Flow chart for Emotet activity covered in this diary.

I generated an Emotet infection on Monday 2020-01-27.  This diary reviews traffic and malware associated with the infection.

Of note, you might see the terms epoch 1, epoch 2, or epoch 3 associated with information about Emotet.  Each “epoch” identifies a botnet distributing Emotet.  Epochs 1, 2, and 3 each have their own infrastructure, so Windows executable files and Word documents associated with Emotet should fall under one of these three epochs.

You might also see the term gtag associated with Trickbot.  This is a tag used by Trickbot to identify the campaign distributing this family of malware.  Currently, gtags starting with mor identify Trickbot distributed through an Emotet infection.  On Monday 2020-01-27, we saw gtag mor84 for this Trickbot campaign.  On Tuesday 2020-01-28, we should see gtag mor85.

Infection traffic

I saw infection traffic typical of Emotet and Trickbot infections.  For anyone who keeps tabs on Emotet, this should no suprise.

Indicators of compromise (IOCs)

The following are indicators from the Emotet and Trickbot infection I generated on Monday 2020-01-27:

HTTP request for the initial Word doc:

  • 104.28.7[.]44 port 80 – ikosher.co[.]il – GET /discussiono/multifunctional-section/close-4hfy6o73iy-06x/383167265-j3LVOCu77d3B/

HTTPS traffic for Emotet binary after enabling Word macro:

  • 173.231.214[.]60 port 443 (HTTPS traffic) – delhisexclinic[.]com – GET /zds/jUzItNFoNN/

Emotet post-infection traffic:

  • 190.6.193[.]152 port 8080 – 190.6.193[.]152:8080 – POST /wbFcaqy5zdJxDV
  • 200.69.224[.]73 port 80 – 200.69.224[.]73 – POST /v4ZuR6CnU
  • 200.69.224[.]73 port 80 – 200.69.224[.]73 – POST /OwgR
  • 51.159.23[.]217 port 443 – 51.159.23[.]217:443 – POST /OwgR
  • 51.159.23[.]217 port 443 – 51.159.23[.]217:443 – POST /CnnW94MVhQGtJZSjR
  • 200.69.224[.]73 port 80 – 200.69.224[.]73 POST /Yuy3Hh3
  • 200.69.224[.]73 port 80 – 200.69.224[.]73 – POST /aLWChqlBNn8isE
  • 200.69.224[.]73 port 80 – 200.69.224[.]73 – POST /X2XDUN0TWIhtvxsrt

Trickbot post-infection traffic:

  • port 443 – ident[.]me – HTTPS traffic, IP address check caused by Trickbot (not inherently malicious)
  • 190.214.13[.]2 port 449 – HTTPS traffic caused by Trickbot
  • 194.99.21[.]137 port 447 – HTTPS traffic caused by Trickbot
  • 203.176.135[.]102 port 8082 – 203.176.135[.]102:8082 – POST /mor84/[string with host name and other info]/81/
  • 203.176.135[.]102 port 8082 – 203.176.135[.]102:8082 – POST /mor84/[string with host name and other info]/90

Malware info:

SHA256 hash: c963c83bc1fa7d5378c453463ce990d85858b7f96c08e9012a7ad72ea063f31e

  • File size: 155,379 bytes
  • File location: hxxp://ikosher.co[.]il/discussiono/multifunctional-section/close-4hfy6o73iy-06x/383167265-j3LVOCu77d3B/
  • File name: Dat 2020_01_27 48060.doc
  • File description: Word doc with macro for Emotet (epoch 1)

SHA256 hash: 006d5fda899149df4cc5d6d1b1ae52e9fcc4ade7541c1dd4391e0429d843b4d5

  • File size: 356,475 bytes
  • File location: hxxps://delhisexclinic[.]com/zds/jUzItNFoNN/
  • File location: C:Users[username]797.exe
  • File location: C:Users[username]AppDatalocal[2- or 3-word combo][same 2- or 3-word combo].exe
  • File description: Emotet malware binary (epoch 1)

SHA256 hash: dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740

  • File size: 495,693 bytes
  • File location: C:ProgramData[random alpha-numeric string].exe
  • File location: C:Users[username]AppDataRoamingwindirect[Armenian text].exe
  • File description: Trickbot gtag mor84

Final words

Overall no surprises here, but a reminder of this activity is useful for people who don’t normally investigate Emotet or Trickbot infections.  An up-to-date Windows host with the latest version of Microsoft Office should not succumb to these sorts of infections.  To infect a vulnerable computer, people would have to click through various warnings, and they would also need to bypass many of the default security settings in recent versions of Windows 10.

A pcap of the infection traffic and the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.

There are two cybersecurity-related aspects of an emergency like this:

  • Fraud and other ways of how criminals try to take advantage of situations like this.
  • Business continuity preparedness.

In past disasters, we have seen different ways of how criminals try to take advantage of a situation like this:

  1. Fake Donations

Various entitles have already started to register domain names around the name “coronavirus.” In past events, we have seen some of these domains being used for fake donation web sites. They may also be used for other less legitimate business purposes like selling overpriced supplies. At this point, all the domains I have seen are parked or not yet active with content, so it is hard to tell what will happen.

  1. Malware

Malware authors are always looking for new ruses to get people to open their attachment. In the past, we have seen malicious videos and other attachments being used to spread malware.

  1. Fake News

Fake news is not only used to influence elections. Sometimes it is done to attract more eyeballs to a YouTube channel. Be careful who you trust, and don’t let sensational news cause you to panic. Panic is not the right state to make sensible decisions.

Please let us know if you see any of this.

From a business continuity perspective, I like the CDC checklist (https://www.cdc.gov/flu/pandemic-resources/pdf/businesschecklist.pdf ). I only highlight some items from it. Another excellent resource is the response plan published by Public Health England: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/344695/PI_Response_Plan_13_Aug.pdf

I only highlight some items from it.

First of all: Unless your business is supporting critical infrastructure or healthcare, employee safety has to come before business continuity. Sometimes it is just best to shut down and go home until the crisis is over.

  1. Remote Access

Even during a relatively mild outbreak, people may not be willing or able to come to work. Even for the common flu, it is much preferred for someone to stay at home and maybe do a little bit of work vs. coming to work and infecting others (remember the flu is estimated to kill 8,200-20,000 people this season in the US alone). You must have functional and secure remote access set up. There are several different VPN and similar solutions. Voice and video conferencing solutions should be part of this. It should be easy for people to stay at home for a few days. You may also want to consider loaner laptops. It is much simpler and more secure to have employees working from home use corporate computers with a known secure configuration vs. using a random home computer. Test remote access while you still have people in the office to fix issues. This is in particular important if you need remote access for administrative purposes like rebooting systems. Many organizations have migrated systems to the cloud and should be used to manage them remotely (but if you did it right, you may have whitelisted specific IPs for remote management access)

In a pandemic situation, the remote access solution may be the resource that is constrained. Considerations should be put into investigating shorter timeout value and determine who are the critical users to be put in a special group for more extended and continuous access. Regular users can have a different profile to consume less load on the VPN equipment.

  1. Biometric Identification

Many biometric identification systems are problematic. Fingerprint scanners often do not work with gloves or can be a conduit for infection. Facial recognition does not work while someone is wearing a mask. Devise some alternative means to authenticate for emergency access. At the very least, have some sanitizer ready to clean surfaces people need to touch to authenticate.

  1. When and How to Shut Down

In some cases, it may be best to just shut down for a while If your business is not part of the health care or critical infrastructure. Business continuity plans should not endanger anybody’s life. Have a plan for when and how to shut down. Which systems are shut down first? How can we reduce the load on system administrators and security analysts, so fewer of them have to come to work? If you decide to shut down all the way: How do you ensure some physical security of your space (boarding up, a company monitoring the space?).

  1. Supply Chain Continuity

It appears to be already apparent that the Chinese economy will, at least in the short term, be significantly affected. Some of the effects are delayed due to scheduled shutdowns during the lunar new year. Of course, similar travel restrictions could also affect other countries. How many critical supplies do you have on-site? Most modern businesses try very hard to minimize the amount of inventory, which in turn makes them very vulnerable to supply disruptions. The availability of supplies could also affect your decision to shut down. Do not overlook your “internal supply chain”. Which locations/individuals are critical to your operations?

  1. Emergency communication plan

Now is an excellent time to make sure your phone lists are up to date. Make sure critical people can be reached. If possible, there should be diverse methods to reach each other (really hard to do with “everything over IP”). Another part of this is how the organization will communicate its plan to employees, suppliers, and customers. There should be multiple means, and they need to be communicated ahead of time. (Website, Twitter, phone number to call). Miscreants may exploit any weakness in your communication plan to spread rumors about your organization or to impersonate your company. Your escalation plan should be included in the review of your communication plan.

  1. How can you help others?

During a crisis, first responders will likely soon get worn out and need support. There may also be assets (space, materials…) that your company does not need right now that you can use to help. Typically, this can only happen if you made necessary connections ahead of time.

And of course: Please let me know what else should be noted (or point out any mistakes I made above)


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.

I have taken a simplistic approach to Threat Hunting and for me it is: Proactively searching for threats missed by every defenses in the enterprise. We are Threat Hunting for the unknown! Assume something is already compromised.

That is a tall order, where do we start? There first step is to know the network I’m defending. In order to do this well, it means to have a pretty good knowledge what the network looks like (i.e. network diagrams, traffic flows, client → server relationship, etc) and the type of activity considered normal. Anything deviating from that “normal” need to be investigated.

The next step is to collect the logs that will help with the hunt; such as host and network logs to fuse traffic flow in a way that can help identify unusual pattern of activity.

Some of the logs that might be important to collect (not exhaustive) might be: proxy, web & application servers, DNS, host-based, antivirus, EndPoint Detection Response (EDR), firewall, etc. In the end, each organization is unique. Using the Mitre ATT&CK framework can help the hunt by identifying the tactics and techniques that will help capture the most promising logs to detect and identify unusual behavior happening in the network.

Over the years, several handlers have published various articles on Threat Hunting whether it be process, methods or tools like rita [1][2] or HELK [3] to help with the hunt.

If you are interested in learning how to conduct Threat Hunting in your network and missed Active Countermeasures’ last course, they are conducting another free, one-day, Cyber Threat Hunting Training online course on the 4 April where you can see the course content and register here.

[1] https://isc.sans.edu/forums/diary/DeepBlueCLI+Powershell+Threat+Hunting/25730
[2] https://isc.sans.edu/forums/diary/Using+RITA+for+Threat+Analysis/23926
[3] https://isc.sans.edu/forums/diary/Threat+Hunting+Adversary+Emulation+The+HELK+vs+APTSimulator+Part+1/23525
[4] https://www.activecountermeasures.com/free-tools/rita/
[5] https://register.gotowebinar.com/register/6883873380989840395
[6] https://attack.mitre.org/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →
Page 1 of 7 12345...»