The number of ways hacker groups attack companies seems endless, but in reality it is not. Almost all the tactics and techniques of cybercriminals have been analyzed and documented in the public MITRE ATT&CK knowledge base. In this post, we describe how the MITRE ATT&CK base helped us, during the investigation of a real incident, to work out which group had attacked the client company.
We were approached by a company whose network contained a server that was constantly exchanging data with a third-party server on the Internet. Initial examination showed that this traffic carried data and commands exchanged between malware and the attackers’ command and control (C&C) server.
Investigating the incident turned out to be a daunting task: the data available for examination consisted of event logs from the compromised endpoints and servers, and our team of experts had access to only five computers from which disk and memory images could be obtained. We also had no opportunity to collect samples of every program running on the company’s network.
We analyzed the event logs and found that 62 computers were infected on the company’s network. Among them were 10 servers and 13 computers containing utilities for collecting and sending files, as well as 22 computers with backdoor shells. The rest of the machines hosted other tools used in the attack or applications to download malicious libraries.
A backdoor loaded via a malicious DLL allowed the attackers to execute commands through cmd.exe. The ProcDump and Mimikatz utilities were used to obtain user credentials. The stolen accounts were then used to connect to other computers on the network over IPC and copy malicious components to them. These components were launched either by adding a task to the scheduler with Schtasks or by creating a process with wmic.
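The lateral-movement pattern just described (a stolen account creating tasks with Schtasks and processes with wmic on other hosts) leaves traces in process-creation logs. The script below is an added example, not code from the original report: it flags remote Schtasks and WMIC invocations in constructed sample command lines and then groups them by source host and account, which is the view that shows one set of credentials fanning out across the network. The "host | user | command line" shape is an assumption made for the example, not a real log format.

```python
"""Flag remote command execution via Schtasks and WMIC in process-creation
command lines.  Added example, not part of the original report; the events
below are constructed and the "host | user | command line" layout is an
assumption, not a real log format."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample events (not from the incident).
SAMPLE_EVENTS = [
    "srv-01 | CORP\\jdoe | C:\\Windows\\System32\\cmd.exe /c dir",
    "srv-01 | CORP\\svc_backup | schtasks /create /S wks-17 /U CORP\\svc_backup "
    "/P ******** /TN Update /TR C:\\Windows\\Temp\\u.exe /SC ONCE /ST 23:00",
    "srv-01 | CORP\\svc_backup | wmic /node:wks-22 process call create "
    "\"cmd.exe /c C:\\Windows\\Temp\\u.exe\"",
    "wks-17 | CORP\\jdoe | schtasks /query /fo LIST",
    "srv-03 | CORP\\svc_backup | C:\\Windows\\System32\\wbem\\wmic.exe "
    "/node:\"wks-23\" /user:CORP\\svc_backup process call create notepad.exe",
]

# schtasks ... /create ... /S <host>: a task created on a remote machine.
SCHTASKS_REMOTE = re.compile(
    r"\bschtasks(?:\.exe)?\b.*\s/create\b.*\s/s\s+(\S+)", re.I)
# wmic /node:<host> ... process call create: a process started on a remote machine.
WMIC_REMOTE = re.compile(
    r"\bwmic(?:\.exe)?\b.*?/node:\"?([^\s\"]+)\"?.*\bprocess\s+call\s+create\b", re.I)


def parse_event(line: str) -> Dict[str, str]:
    host, user, cmd = (part.strip() for part in line.split("|", 2))
    return {"host": host, "user": user, "cmd": cmd}


def detect_remote_execution(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per command line that targets another host."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        m = SCHTASKS_REMOTE.search(ev["cmd"])
        if m:
            findings.append({**ev, "technique": "remote scheduled task",
                             "target": m.group(1)})
            continue
        m = WMIC_REMOTE.search(ev["cmd"])
        if m:
            findings.append({**ev, "technique": "remote WMI process create",
                             "target": m.group(1)})
    return findings


def fan_out_by_account(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Group targets by (source host, account): one account reaching many hosts
    from one machine is the spreading pattern described in the report."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for f in findings:
        out.setdefault((f["host"], f["user"]), set()).add(f["target"])
    return out


def accounts_seen_on_multiple_sources(findings: List[Dict[str, str]]) -> Set[str]:
    """Accounts used for remote execution from more than one source host,
    a sign that the same stolen credentials are being reused as the intrusion spreads."""
    sources: Dict[str, Set[str]] = {}
    for f in findings:
        sources.setdefault(f["user"], set()).add(f["host"])
    return {user for user, hosts in sources.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = detect_remote_execution(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']} ({f['user']}) -> {f['target']}: {f['technique']}")
    print("fan-out:", fan_out_by_account(found))
    print("reused accounts:", accounts_seen_on_multiple_sources(found))
```

The two regular expressions only catch the command-line forms shown in the sample; on a real log, the same logic should also consider 4698 (task created) and WMI-Activity events, since attackers can reach both interfaces without these exact switches.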
The attackers were mainly interested in PDF files and MS Office documents, and it turned out that they had been present in the system for several years.
Identifying the attacker
Comparing the techniques used by the attackers against the MITRE ATT&CK base left us with two possible candidates: the APT3 and APT32 groups.
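The comparison just described can be made systematic: map each observed behaviour to an ATT&CK technique ID and score candidate intrusion sets by how much of their known technique list the observations cover, giving more weight to techniques that few candidates use. The script below is an added example, not part of the original report. The technique IDs are the real ATT&CK IDs for the behaviours the report describes; the three candidate profiles are constructed for illustration and are not the ATT&CK entries for APT3, APT32 or any other real group. It also shows how to list the observed techniques that separate two close candidates, which is exactly what needed deeper tool analysis in this case.

```python
"""Rank candidate intrusion sets by weighted technique overlap with an incident.
Added example, not part of the original report.  The technique IDs are real
ATT&CK IDs; the candidate profiles are constructed and do NOT describe any
real group."""
import math
from typing import Dict, List, Set, Tuple

# Techniques observed in the incident, mapped to ATT&CK IDs.
OBSERVED: Set[str] = {
    "T1574.002",  # DLL side-loading through a legitimate application
    "T1003.001",  # LSASS memory dump (ProcDump) processed with Mimikatz
    "T1021.002",  # Windows admin shares (IPC connections to other hosts)
    "T1053.005",  # Scheduled task created with schtasks
    "T1047",      # WMI (wmic process call create)
    "T1560.001",  # Archiving collected files with RAR / 7-Zip
    "T1505.003",  # Web shell embedded in the Apache site
    "T1059.003",  # Commands executed through cmd.exe
    "T1041",      # Exfiltration over the C2 channel
    "T1048",      # Exfiltration over FTP
    "T1046",      # Network scanning with NBTScan
}

# Hypothetical candidate profiles (constructed, not real group data).
CANDIDATES: Dict[str, Set[str]] = {
    "GROUP-A": {"T1574.002", "T1003.001", "T1021.002", "T1053.005", "T1047",
                "T1560.001", "T1059.003", "T1041", "T1046", "T1566.001"},
    "GROUP-B": {"T1003.001", "T1053.005", "T1059.003", "T1505.003",
                "T1560.001", "T1048", "T1041", "T1071.001"},
    "GROUP-C": {"T1003.001", "T1059.003", "T1041", "T1566.001",
                "T1071.001", "T1486"},
}


def technique_weights(profiles: Dict[str, Set[str]]) -> Dict[str, float]:
    """Inverse-frequency weight: a technique every candidate uses (cmd.exe,
    LSASS dumping) says little; one used by a single candidate says a lot."""
    n = len(profiles)
    df: Dict[str, int] = {}
    for techs in profiles.values():
        for t in techs:
            df[t] = df.get(t, 0) + 1
    return {t: 1.0 + math.log(n / count) for t, count in df.items()}


def weighted_jaccard(observed: Set[str], profile: Set[str],
                     weights: Dict[str, float]) -> float:
    """Weighted overlap / weighted union; techniques unknown to every
    candidate get a neutral weight of 1.0."""
    inter = sum(weights.get(t, 1.0) for t in observed & profile)
    union = sum(weights.get(t, 1.0) for t in observed | profile)
    return inter / union if union else 0.0


def rank_candidates(observed: Set[str],
                    profiles: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    weights = technique_weights(profiles)
    scored = [(name, weighted_jaccard(observed, techs, weights))
              for name, techs in profiles.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


def discriminators(observed: Set[str], profiles: Dict[str, Set[str]],
                   a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Observed techniques that separate two close candidates: those only
    profile a is known for, and those only profile b is known for.  These
    are the tools worth deeper analysis when scores alone do not settle it."""
    only_a = observed & (profiles[a] - profiles[b])
    only_b = observed & (profiles[b] - profiles[a])
    return only_a, only_b


if __name__ == "__main__":
    ranking = rank_candidates(OBSERVED, CANDIDATES)
    for name, score in ranking:
        print(f"{name}: {score:.3f}")
    top, second = ranking[0][0], ranking[1][0]
    print("separating techniques:", discriminators(OBSERVED, CANDIDATES, top, second))
```

The score is only as good as the mapping of tools to techniques, and a single tool (a backdoor that also archives files) may map to several IDs, which is why the report goes on to analyze the tools themselves rather than stopping at the ATT&CK comparison.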
To understand which of the two groups carried out the attack, it was necessary to study more deeply the tools used by the hackers. To do this, we analyzed the images of five computers at our disposal. As a result, many malicious tools were discovered, and we figured out how the criminals used them.
All the tools fell into one of three categories:
collection and transmission of data,
backdoors,
auxiliary utilities.
Let’s consider the composition of each of these categories.
Collection and transmission of data
Archiving utility
This is a file scraper whose task is to collect files with specified extensions into a separate folder, preserving the original directory structure, and then pack them into a password-protected RAR archive. The archive file name consists of the date and time. After the archive is created, the original files are deleted.
Data transfer utility
Takes as parameters the path to the folder created by the archiving utility, the IP address and port of the command and control server, and the number of worker threads; it can recursively send all files from the given folder and its subfolders. The program creates a separate thread for each file sent. If an additional parameter is specified, the file is deleted after sending. Together with each file, metadata containing the name of the infected computer and the name of the user on whose behalf the process was launched is sent to the command and control server. The transferred files are XOR-encrypted with a password.
File loader
This tool downloads a file from a URL and writes it to the local drive. Its main function was originally to download additional utilities to the infected machine. However, closer examination revealed that the attackers used it to download documents, in particular PDF files, from across the company’s network.
PowerShell script for interacting with MySQL
Used to get data from MySQL database. The script accepts a connection string that includes the server, UID, password, and database name, as well as the SQL query string to be executed. Running the script looks like this:
An examination of the command line parameters that the attackers passed to this tool showed that they had information about all database servers, administrative accounts, database names, as well as the structure of the data stored in them. In all observed cases, queries were used to retrieve document records by date or record ID. The query results were written to a CSV file. The information received from the database was transferred to the file loader, which loaded it into the save folder of the archiving utility.
This tool differs from the archiving utility in that instead of copying files to a temporary folder, it saves their full paths in a text file. After that, the archiver launches the built-in 7-Zip and creates an archive, which is then encrypted with a simple XOR key. The file is sent to the FTP server specified on the command line, and the uploaded file is deleted to conceal the theft.
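Both the data transfer utility and the FTP archiver above protect the stolen data with a simple XOR key. For an analyst holding a packet capture, that matters: repeating-key XOR is encoding, not encryption, and because the transfer metadata contains the infected computer’s name and the user name, that known plaintext is enough to recover the key and read what was taken. The script below is an added example, not the attackers’ code: the record layout (hostname|username|file body) and the key are constructed assumptions that stand in for the real tool’s format.

```python
"""Recover the contents of a captured XOR-"encrypted" transfer when part of the
plaintext (the metadata header) is known.  Added example, not part of the
original report; the record layout and key are constructed assumptions."""
from typing import Optional, Tuple


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_transfer_record(hostname: str, username: str, payload: bytes,
                          key: bytes) -> bytes:
    """Constructed stand-in for the exfiltration tool's record: a metadata
    header followed by the file body, XORed with the password."""
    header = f"{hostname}|{username}|".encode()
    return xor_with_key(header + payload, key)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    XORing ciphertext with the known plaintext yields the key stream; the key
    is the shortest period of that stream.  Returns None when the known prefix
    is too short to see the key repeat (fewer than two full periods), so the
    caller knows more known plaintext is needed rather than getting a wrong key.
    """
    if not known_prefix or len(known_prefix) > len(ciphertext):
        return None
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def decode_record(ciphertext: bytes, key: bytes) -> Tuple[str, str, bytes]:
    """Decode a captured record into (hostname, username, file body)."""
    plain = xor_with_key(ciphertext, key)
    host, user, payload = plain.split(b"|", 2)
    return host.decode(), user.decode(), payload


if __name__ == "__main__":
    key = b"s3cr3t"  # constructed; unknown to the analyst in the scenario
    record = build_transfer_record("FILESRV-07", "CORP\\jdoe",
                                   b"%PDF-1.4 quarterly report ...", key)
    # The analyst knows the infected host's name and the account the process ran as.
    recovered = recover_key(record, b"FILESRV-07|CORP\\jdoe|")
    print("recovered key:", recovered)
    if recovered:
        print(decode_record(record, recovered))
```

In practice the same recovery works on the archive files found on disk once the key is known from a single transfer, since the utilities reuse one password; the check for `None` is what tells the analyst that the hostname alone was too short and the user name (or another known field) has to be added.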
Backdoors
We found five variants of backdoor utilities that allowed the attackers to execute commands through cmd.exe. As a rule, traffic between the backdoors and the command and control server was encrypted. Some backdoors executed commands directly, while others registered the tasks received from the command and control server with the Task Scheduler service.
In addition to traditional backdoors, a web shell was found on the company’s network, embedded into a site running Apache. This web shell allowed the following commands to be executed:
Auxiliary utilities
In addition to backdoors and tools for collecting and stealing data, the criminals used various auxiliary utilities. The most common among them were:
the file dropper TROJ_CHINOXY.ZAGK, which placed a legitimate utility with a malicious DLL in the startup folder;
ProcDump – a utility for dumping the memory of the LSASS system process;
Mimikatz – a utility for extracting the passwords of logged-in user accounts;
NBTScan – a scanner for servers and computers with open network shares.
Interaction of tools
Beyond the set of tools the hackers used, it is also important how they used them during the incident. This reveals patterns of action typical of certain groups and improves the accuracy of attribution.
In total, we were able to identify four basic and two combined patterns of using malicious tools. For example, a script using a file dropper looked like this:
This script began by downloading a bundle consisting of a script, a legitimate application, and a malicious DLL. Once the download completed, the script launched the legitimate utility, which in turn loaded the malicious DLL. After gaining control, the DLL worked as a backdoor shell, adding ProcDump to startup and launching the utility that transferred the files collected on the system to the command server.
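The chain above hinges on a legitimate, signed application loading a malicious DLL from its own directory, and later in the report the authors note that identifying the side-loaded DLL was one of the hard parts of the case. The script below is an added example, not part of the original report: it triages constructed module-load records (process image, loaded module, signer) and flags the combinations that characterise side-loading, namely a DLL resolved from the application’s directory instead of the system directory, especially when it carries a well-known system DLL name or is unsigned, or when the application itself runs from a Startup folder. The list of system DLL names is an illustrative subset, not a complete reference.

```python
"""Triage module-load records for DLL side-loading candidates.  Added example,
not part of the original report; the records and the list of system DLL names
are constructed for illustration."""
import ntpath  # handles Windows paths on any host OS
from typing import Dict, List

# Directories from which system DLLs are legitimately loaded (lower-case).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Illustrative subset of DLL names applications normally resolve from the
# system directories; a same-named DLL next to the executable is suspicious.
COMMON_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "msimg32.dll",
                      "wtsapi32.dll", "userenv.dll", "cryptsp.dll"}

STARTUP_MARKER = r"\start menu\programs\startup"

# Constructed module-load records (not from the incident).
SAMPLE_LOADS: List[Dict] = [
    {"image": r"C:\Program Files\Vendor\tool.exe",
     "module": r"C:\Windows\System32\version.dll", "signer": "Microsoft Windows"},
    {"image": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe",
     "module": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\version.dll",
     "signer": None},
    {"image": r"C:\Program Files\Vendor\tool.exe",
     "module": r"C:\Program Files\Vendor\vendorlib.dll", "signer": "Vendor Inc."},
    {"image": r"C:\Temp\update.exe",
     "module": r"C:\Temp\dbghelp.dll", "signer": None},
    {"image": r"C:\Program Files\Vendor\tool.exe",
     "module": r"C:\Program Files\Vendor\plugin.dll", "signer": None},
]


def triage_load(rec: Dict) -> List[str]:
    """Return the reasons a module load looks like side-loading (empty = benign)."""
    mod_dir = ntpath.dirname(rec["module"]).lower()
    mod_name = ntpath.basename(rec["module"]).lower()
    img_dir = ntpath.dirname(rec["image"]).lower()
    reasons: List[str] = []
    if mod_dir.startswith(SYSTEM_DIRS):
        return reasons  # loaded from a system directory: not side-loading
    same_dir = mod_dir == img_dir
    if same_dir and mod_name in COMMON_SYSTEM_DLLS:
        reasons.append("system DLL name resolved from the application directory")
    if same_dir and rec["signer"] is None:
        reasons.append("unsigned DLL in the application directory")
    if STARTUP_MARKER in img_dir:
        reasons.append("executable runs from a Startup folder (persistence)")
    return reasons


def find_sideloading_candidates(records: List[Dict]) -> List[Dict]:
    """Return suspicious loads, strongest (most reasons) first."""
    out = []
    for rec in records:
        reasons = triage_load(rec)
        if reasons:
            out.append({**rec, "reasons": reasons})
    return sorted(out, key=lambda r: len(r["reasons"]), reverse=True)


if __name__ == "__main__":
    for cand in find_sideloading_candidates(SAMPLE_LOADS):
        print(cand["module"])
        for reason in cand["reasons"]:
            print("   -", reason)
```

An unsigned vendor plug-in next to a legitimate application produces a low-confidence hit by design; the point of ranking by the number of reasons is to surface the Startup-folder copy of a system-named, unsigned DLL first, which is the pattern the dropper in this incident created.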
After examining the tools and how they were used, we found that we still could not uniquely identify the group that had infiltrated the company’s network: the variety of tools and tactics was too great for the two candidate attackers we had identified.
For example, the functionality of the backdoors was about the same, but the languages in which they were written were different. There were also different ways of ensuring a permanent presence in the system. The tools for collecting and transmitting data also duplicated each other’s functions, and some even had built-in backdoors.
After analyzing all the inconsistencies, we identified four “penetration kits” used by the attackers.
Set No. 1
It included a dropper, a DLL with a backdoor, and a tool for collecting and transferring data via FTP. All the utilities used the Chinese language.
Set No. 2
We have already encountered the second set of tools in our other investigations. It was used by the Trip group, which was part of Lotus Blossom. The functionality of this set is richer than that of set No. 1:
Set No. 3
This is a new set that we had not seen before and have not observed in any of the documented APT groups. The kit includes an archiving utility that creates a RAR archive and a second utility that moves the created archive to a folder for sending to the command and control server. Almost all the utilities in the set consist of a malicious DLL that is loaded through a legitimate application. A distinctive feature of this set is the extremely rich range of tactics used by the attackers.
Set No. 4
This toolkit is most commonly used by the group of the same name, OceanLotus, also known as APT32. It contains the minimum set of tools required to carry out an attack, with various functions combined into a single utility. For example, a backdoor from this set, in addition to executing commands from the command and control server, can collect and archive files.
The presence of the OceanLotus kit among the attackers’ tools confirmed our theory that the APT32 group took part in the attack on the organization. In addition, this set differed from the others in that it required a hostname and username to decrypt the samples sent to the C&C server.
When investigating an incident, the research team must be able to see what is happening in the company’s network at the macro level. One of the attackers’ goals is to hide their actions by spreading them across multiple utilities and different machines, so looking for connections between the tools gives analysts a better understanding of the attack and its details.
Finding such connections is much easier with tools that provide visibility into what is happening on the network and into any suspicious processes. In the case described, for example, identifying the side-loaded DLL proved difficult.
To identify intrusion sets effectively using the MITRE methodology, the monitoring system deployed in the company must intercept and record as many events as possible. In our case, this allowed us to single out two groups as suspects and then narrow the field to the most likely organizer. It was enough to compare the tools we found with the known tools used by APT groups, and also to group the toolkits by how they related to one another. The two approaches complement each other, since some of the tools can appear in different intrusion sets.