Quick-and-dirty TI, or how to investigate a threat with nothing but a browser

Hi all! In this article we will not discuss what Threat Intelligence is or how it is consumed; we will get straight to the point.

TL;DR: This short article shows how you can do threat reconnaissance and attribute an attack to a group with only the email and a browser, without any technical analysis. Seasoned analysts may find it boring, but people just starting out in TI may find it useful to see the mindset behind such an investigation.

Introduction

One of our customers received an unremarkable email, purportedly from the administration of the city of Gorlovka, concerning Ministry of Defense property. Looking at such an email you start to think the villains have become thoroughly lazy =(.

Content of the letter

The attachment

In TI it is also good practice to look at the email headers, but in this case all the headers were valid: the attacker simply registered a legitimate mailbox on mail.ru and sent the email from it.

Step one. View attachment.

Never, I repeat, never analyze anything that smells of malware on your personal or work host. Use a virtual machine: it is safer and you can always roll back. In this case one might have expected a dirty trick along the lines of CVE-2023-38831 for WinRAR, but there was nothing of the sort; the attackers simply sent a malicious archive as the attachment. Inside it is an interesting executable file, which to an ordinary user looks like this:

What the contents of the archive look like with default Windows settings

Of course, Windows does hint in the Type column that this is an application, but who reads that…

So we looked at the attachment and see that it is clearly illegitimate; now we need to understand what the sample does. The first thing to remember when working as an analyst: do not reinvent the wheel. Do the simplest thing first: compute the hash (with standard OS commands or with 7-Zip) and look it up on VirusTotal.

md5: 30515ea717c237b124625707b66290ef
sha1: d3901874b08f3e1d1832232a54ea5be1978f368c
sha256: 36220391efa0de0d81bee5b8d8813b6f2c89e81c78091387d05946e184b967c8
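The hashing step above as a script, added here as an example and not part of the original article. It computes all three digests in one pass, checks the result against the hashes published above, and builds the VirusTotal report URL so you can look the file up by hash before uploading anything (an upload shares the sample with VirusTotal and its partners, which for a targeted email can tip off the attacker and leak the customer's identity). The command-line usage and the `KNOWN_BAD_SHA256` set are my additions; the hash in that set is the article's own. On Windows the same digests come from `certutil -hashfile <file> SHA256` or PowerShell's `Get-FileHash`.

```python
from __future__ import annotations

import hashlib
from pathlib import Path

# The sha256 of the attachment as published in the article above.
# Extend this set with your own IOC list; anything else here would be an assumption.
KNOWN_BAD_SHA256 = {
    "36220391efa0de0d81bee5b8d8813b6f2c89e81c78091387d05946e184b967c8",
}

ALGOS = ("md5", "sha1", "sha256")


def _digest_all(chunks) -> dict[str, str]:
    """Feed every chunk to md5, sha1 and sha256 in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict[str, str]:
    """Hashes of an in-memory blob (e.g. a file pulled out of an archive)."""
    return _digest_all([data])


def hash_file(path: str | Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Hashes of a file on disk, read in chunks so large archives don't need RAM."""
    with open(path, "rb") as f:
        return _digest_all(iter(lambda: f.read(chunk_size), b""))


def virustotal_url(sha256: str) -> str:
    """Public report page for a file; no API key needed, just open it in the browser."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"


def is_known_bad(hashes: dict[str, str], known: set[str] = KNOWN_BAD_SHA256) -> bool:
    """True if the sha256 is already on our list, so no lookup or upload is needed."""
    return hashes["sha256"].lower() in known


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <suspicious file>")
    result = hash_file(sys.argv[1])
    for name in ALGOS:
        print(f"{name}: {result[name]}")
    print("known bad:", is_known_bad(result))
    print("lookup:", virustotal_url(result["sha256"]))
```

Hash the file you actually care about (the extracted executable, not only the archive): VirusTotal stores results per file, and an archive with a renamed or re-packed payload will have a different hash than the payload itself.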
VirusTotal scan result

Bingo! One could close the case right here, announce loudly that the attack was prevented, and write a pretty report for management. However, in the work of both TI and SOC analysts it is important to follow this principle:

You can't be 100% sure of anything.

So we dig further with the following questions:

  • Maybe someone in the organization opened the letter after all?

  • What did the senders want, and who are they anyway? Maybe we can charge them under Article 273 of the Criminal Code of the Russian Federation?

  • Can we protect ourselves from such threats in the future?

Step two. Let's look at the functionality and connections.

With these questions in mind, let's dive into the web. The sample's tags on VirusTotal already show some of its functionality and the techniques it uses.

Trust but check. As has already been said, nothing can be trusted 100%.

So let's go and see what the malware does, starting with the Behavior section.

Here you see a huge amount of technical information: tactics and techniques, registry keys, and so on.

Here is my top list of things to look for:

  • Sigma, Suricata and similar rule matches. Remember that these are signatures and they can fire falsely;

  • created processes and executed commands;

  • open network connections.

In my view these are the more important heuristics. Do not rely entirely on the VT detection score. Sometimes indicators with a large number of detections turn out to be clean, most often because the indicator's history has not yet been updated. Conversely, fresh indicators, especially network ones, can stay "green" for a long time while hundreds of organizations are being compromised through them. Trust, but verify!

By examining behavior, we will find a lot of interesting things:

  • two persistence mechanisms;

  • commands executed via cmd;

  • open network connections (among them you can find the sample's current command-and-control server; put it on watch on the organization's firewall to see whether any host in our network is reaching out to the C2);

  • a bunch of dropped files, which can also be looked up;

  • and so on.
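The "put the C2 on watch and see who is talking to it" step, as an added example that is not part of the original article. It sweeps firewall log lines for destinations that match the network indicators taken from the sandbox report and produces the list of internal hosts to hand to incident response. Everything here is constructed: the indicators use RFC 5737 documentation addresses and an example.com name instead of the real C2, the `key=value` log format is made up (adapt `LINE_RE` to your firewall's export), and the internal hosts are fictitious. Two details a one-line `grep` would miss are kept on purpose: subdomains of a C2 domain count as hits, and denied connections count too, because a blocked beacon still means an infected host.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed indicators standing in for what the VT Behavior tab would give you.
# RFC 5737 documentation ranges and example.com are used so that nothing here is real.
C2_IPS = {"203.0.113.37"}
C2_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # a whole /24 known to host C2
C2_DOMAINS = {"update.example.com"}                   # matches the domain and its subdomains

# Constructed firewall log in a made-up key=value format.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z src=10.0.5.21 dst=203.0.113.37 dport=443 action=allow
2024-03-01T09:12:09Z src=10.0.5.21 dst=update.example.com dport=80 action=allow
2024-03-01T09:14:55Z src=10.0.7.2 dst=198.51.100.250 dport=8080 action=deny
2024-03-01T09:15:01Z src=10.0.9.9 dst=192.0.2.10 dport=443 action=allow
2024-03-01T09:16:42Z src=10.0.5.21 dst=sub.update.example.com dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def ioc_reason(dst: str) -> str | None:
    """Why dst matches an indicator, or None. Domains match on suffix so that
    subdomains are caught; IPs match exact values and whole networks."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        host = dst.lower().rstrip(".")
        for d in C2_DOMAINS:
            if host == d or host.endswith("." + d):
                return f"domain {d}"
        return None
    if dst in C2_IPS:
        return f"ip {dst}"
    for net in C2_NETS:
        if ip in net:
            return f"net {net}"
    return None


def sweep(log_text: str) -> list[dict[str, str]]:
    """Return every parsed line whose destination matches an indicator.
    Denied connections are kept: a blocked beacon still means an infected host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; in real life count these, don't silently drop them
        reason = ioc_reason(m["dst"])
        if reason:
            hits.append({**m.groupdict(), "reason": reason})
    return hits


def hosts_to_isolate(hits: list[dict[str, str]]) -> dict[str, set[str]]:
    """Internal source -> matched destinations; this is the hand-off list for IR."""
    out: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        out[h["src"]].add(h["dst"])
    return dict(out)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} ({h["action"]}, {h["reason"]})')
    print("hosts to isolate:", hosts_to_isolate(found))
```

Run this over the whole retention window, not just the day the email arrived: the sandbox gives you the C2 the sample uses now, while the question from the first step is whether anyone opened the email earlier.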

But for us, as TI analysts, it is important to focus on something characteristic and specific: a particular procedure, the name of an artifact, unique strings, and so on. So let's see which commands were executed.

Interesting procedure

As you can see in the screenshot, my attention was drawn to the search for specific strings (and not to the exe with a genital in its name). A quick Internet search shows that these strings are the names of antivirus products. But the question arose: why exactly these? From experience, samples of the same family often check for the same or similar security products. So let's try googling this command.

Search result for the command

In addition to links to sandboxes, where we could dig further into the details of the malware analysis, we find a link to research on the Sticky Werewolf group.

If we keep googling this group, we see that the techniques we observed on VirusTotal suspiciously coincide with those used by the attackers in our case. Moreover, if you read this article, you will find many more similarities.

The reader can practice reversing, or simply look at VirusTotal, find the sample's current C2 address, and be surprised to discover that previously known C2 servers of this group sit in the same /24 subnet.
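The /24 pivot above, as an added example that is not from the original article: it clusters previously known C2 addresses by shared prefix and reports which groups a newly found C2 lands next to. All addresses come from the RFC 5737 documentation ranges and the group labels are made up; they are not Sticky Werewolf indicators. The constructed table deliberately puts two groups in one /24 to show the caveat: a shared /24 is often just a hosting provider's range, so treat this as a lead to confirm with the whois/ASN owner and the rest of the TTP overlap, not as attribution on its own.

```python
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict

# Constructed known-C2 table (RFC 5737 addresses, made-up group labels).
# In practice this comes from the group write-ups and your own past cases.
KNOWN_C2: dict[str, str] = {
    "203.0.113.12": "group-A",
    "203.0.113.77": "group-A",
    "203.0.113.130": "group-B",   # same /24 as group-A: a shared hosting range
    "198.51.100.5": "group-B",
}


def prefix_of(ip: str, prefixlen: int = 24) -> ipaddress.IPv4Network:
    """The /prefixlen network an IPv4 address belongs to (strict=False ignores host bits)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def cluster_by_prefix(known: dict[str, str], prefixlen: int = 24) -> dict[ipaddress.IPv4Network, set[str]]:
    """Group known C2 addresses by shared prefix so reused ranges stand out."""
    clusters: dict[ipaddress.IPv4Network, set[str]] = defaultdict(set)
    for ip in known:
        clusters[prefix_of(ip, prefixlen)].add(ip)
    return dict(clusters)


def neighbours(candidate: str, known: dict[str, str], prefixlen: int = 24) -> Counter:
    """How many known C2s of each group share the candidate's /prefixlen.
    An empty Counter means the new address sits in a range we have never seen."""
    net = prefix_of(candidate, prefixlen)
    return Counter(group for ip, group in known.items() if ipaddress.ip_address(ip) in net)


if __name__ == "__main__":
    new_c2 = "203.0.113.200"   # constructed: the address you just pulled from the VT report
    for net, members in cluster_by_prefix(KNOWN_C2).items():
        print(f"{net}: {sorted(members)}")
    print(f"{new_c2} shares its /24 with: {dict(neighbours(new_c2, KNOWN_C2))}")
```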

Conclusions

Returning to the three questions we asked ourselves at the start of the analysis, we can summarize:

  1. Armed with a malicious email and Google, we found a large number of additional indicators that we can now monitor on the customer's network.

  2. During the research we identified the attackers and established that collecting a fine from them would not be so easy.

  3. We identified another threat cluster aimed at the customer, which will help them adjust their security policy and help us adjust protective measures and monitoring. Moreover, this threat is quite well documented, so there is a lot to learn from it.

Of course, if you have the resources and know how to reverse, such skills will only help in a more detailed study, and sometimes they are simply necessary to understand the situation. But there are times when, even without much time, effort or expertise to research an incident or a threat, modern services, even without paid subscriptions, let you find and understand a great deal.

Obviously there was more than one way to attribute the group from an indicator, and not only via VirusTotal; the only limit is your imagination. So build TI into your security processes; sometimes it makes life a lot easier =).
