Tuesday, March 12, 2024

Know your enemies: An approach for CTI teams

VirusTotal’s Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture accordingly. In this post, we will play the role of a CTI analyst working for a Singaporean financial institution.

As a first step, we search for threat actors that traditionally both targeted the financial industry and Singaporean companies.


TA505 and APT41 both match these requirements. For the moment let’s focus on TA505, which seems more active at the moment.

Understanding (TA505):

The Threat Actor card provides details on the actor, which seems to target organizations in the financial, healthcare, retail, and hospitality sectors across Europe, Asia Pacific region, Canada, India and the United States.


According to the description TA505 seems related to Dridex banking trojan and Locky ransomware activity.

In VirusTotal we can find two categories for TTPs:
- The First are TTPs directly ingested from MISP and MITRE.
- The second (called Toolkit TTPs) shows TTPs obtained from sandbox analysis of the IOCs related to a particular actor.

In this case, for TA505 we can find the following Toolkit TTPs:


The T1486 tactic (‘Data Encrypted technique for Impact') seems potentially related to the use of ransomware, such as Locky, by this actor. This seems like a good point for us to retrieve some fresh data and understand this actor’s recent activity. For instance, the following query provide fresh samples from the actor (samples submitted after January 1st, 2024) that use data encryption, and tagged as ransom by AVs:



Multiple of the returned samples belong to the “locky” Collection tagged as ‘locky’, which contains 510 files at the moment.


The Telemetry tab provides information about submissions and lookups, which helps us understand malware family’s distribution and timeframes of operations.


Tailoring defenses:

In addition, the Collection’s Rules panel provides details on crowdsourced Yara, sigma and IDS rules that match different indicators files in this collection.


In this case, the “win_locky_auto” yara rule matches almost all the files in this collection (505/510). This could help to enhance detection capabilities for this threat.

Collection’s commonalities refer to characteristics, behaviors, or technical attributes shared by a set of indicators, which helps to identify patterns. Let’s use this to create a new “Livehunt rule” to track this activity in the future. We will use only recent samples, we can filter them in the IOCS tab (“fs:180d+”):


Based on commonalities results, some useful information to create the livehunt rule may include:

Metadata:
  • File type: EXE and DLL formats.
    (vt.metadata.file_type == vt.FileType.PE_DLL or vt.metadata.file_type == vt.FileType.PE_EXE)
  • File size: Less than 1Mb.
    (vt.metadata.file_size < 1000000)
  • Main icon: Custom and specific icon.
    (vt.metadata.main_icon.dhash == "52c244c9a7a3998b")
  • Imphash: Hash value calculated from PE's import table, that could be matching some locky samples.
    (vt.metadata.imphash == "31553623c43827d554ad9e1b7dfa6a5a")

Behavior:
  • Sandbox attack techniques: Detect T1486 Encryption Data technique.
    (for any tec in vt.behaviour.mitre_attack_techniques: (tec.id == "T1486"))
  • Command execution: Identification of possible rescue note and background set.
    (for any ce in vt.behaviour.command_executions: (ce icontains "\\Desktop\\*.txt" or ce icontains "\\Desktop\\*.bmp"))
  • Memory patterns: Specific patterns observed in locky samples that could be reused.
    (for any mem in vt.behaviour.memory_pattern_urls: (mem icontains "checkupdate" or mem icontains "userinfo.php"))

Remember you can always follow Threat Actor and/or collections and receive fresh new IOCs through the IoC Stream.

Wrapping up:

Threat Landscape empowers CTI teams with insights for prioritizing threats, understanding threat actors and tracking their operations pivoting between Threat Actors <=> Collections <=> IOCs. This provides actionable details based on the technical capabilities of the malware used in these campaigns, including a set of TTPs based on sandbox detonation that we can use both for hunting and monitoring. Collections also provide “Commonalities” on different indicators, including which crowdsourced rules better detect them. This helps us to quickly create effective monitoring and hunting strategies for malware families and threats actors, as well as effective protections adjusted to recent campaigns and malicious activity.

If you have any suggestions or want to share feedback please feel free to reach out here.

Happy Hunting!

Thursday, March 07, 2024

, , , , ,

COM Objects Hijacking

The COM Hijacking technique is often utilized by threat actors and various malware families to achieve both persistence and privilege escalation in target systems. It relies on manipulating Component Object Model (COM), exploiting the core architecture of Windows that enables communication between software components, by adding a new value on a specific registry key related to the COM object itself.
We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.

Abused COM Objects

We identified the most abused COM objects by samples using MITRE’s T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.
The chart below shows the distribution of how many samples abused different COM objects for persistence:
You can find the most used COM / CLSIDs listed in the Appendix.

Berbew

One of the main malware families we have observed abusing COM for persistence is Padodor/Berbew. This Trojan primarily focuses on stealing credentials and exfiltrating them to remote hosts controlled by attackers. The main COM objects abused by this family are as follows:
  • {79ECA078-17FF-726B-E811-213280E5C831}

  • {79FEACFF-FFCE-815E-A900-316290B5B738}

  • {79FAA099-1BAE-816E-D711-115290CEE717}

The corresponding registry entries point to the malicious DLL. However, multiple samples of this family use a second registry key for persistence, which points to this previous CLSID we described, as in the following example :
In this case, the registry key …CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\(Default) points to the malicious DLL C:\Windows\SysWow64\Iimgdcia.dll. A second registry entry …Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger points to the previous CLSID {79ECA078-17FF-726B-E811-213280E5C831} which loads the malicious DLL.
The ShellServiceObjectDelayLoad registry entry (part of ShellServiceObjectDelayLoad), combined with the Web Event Logger subkey used here by Berbew, has frequently been utilized to initiate the loading of the genuine webcheck.dll. This DLL was tasked with monitoring websites within the Internet Explorer application.
The previously utilized CLSID by WebCheck registry key was {E6FB5E20-DE35-11CF-9C87-00AA005127ED} However, in certain instances today the CLSID {08165EA0-E946-11CF-9C87-00AA005127ED} is used. Both are responsible for loading the webcheck.dll DLL and are abused by malware samples.

RATs

The CLSID {89565275-A714-4a43-912E-978B935EDCCC} seems to be extensively used by various RATs . This CLSID has primarily been associated with families like RemcosRAT and AsyncRAT in our observations. However, we've also encountered instances where BitRAT samples have used it. Researchers at Cisco Talos found this CLSID activity associated with the SugarGh0st RAT malware.
In the majority of cases, the DLL used for persistence with this CLSID is dynwrapx.dll. This DLL was found in the wild in a GitHub repository, currently unavailable, however the DLL originates from a project named DynamicWrapperX (first seen in VirusTotal in 2010). It executes shellcode to inject the RAT into a process.
A similar case is CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}. The associated DLL for persistence is dbggame.dll. First uploaded to VirusTotal in 2012, this DLL is deployed by various types of malware, including ransomware such as XiaoBa.

RATs w/ vulnerabilities

To finish with RATs that use this technique, from late December 2023 to February 2024, there were various incidents linked to the CVE-2024-21412 vulnerability uncovered by the Trend Micro Zero Day Initiative team (ZDI). During these events, active campaigns were distributing the Darkme RAT. Throughout the infection process, a primary goal was to evade Microsoft Defender SmartScreen and introduce victims to the DarkMe malware.
The TrendMicro analysis highlights that the Darkme RAT sample utilizes the CLSID {74A94F46-4FC5-4426-857B-FCE9D9286279} to carry out the final load of the RAT. Yet, we've noted the utilization of other CLSIDs for persistence, including {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} in this sample.
Furthermore, to guarantee the DLL's execution, they generate a registry key employing Autorun keys. This key's objective is to initiate the CLSID using rundll32.exe and /sta parameter, which is used to load a COM object, in this case, the previous malicious COM object created.
EventID:13 
EventType:SetValue
Details:%windir%\SysWOW64\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
TargetObject:HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunDllModule

Why use one when you can use many?

Some samples (like this Sality one) use multiple CLSIDs:
  • {EBEB87A6-E151-4054-AB45-A6E094C5334B}

  • {57477331-126E-4FC8-B430-1C6143484AA9}

  • {241D7F03-9232-4024-8373-149860BE27C0}

  • {C07DB6A3-34FC-4084-BE2E-76BB9203B049}

The sample drops two different DLLs during execution, three of the registry keys point to one of them, the remaining one to the other. The sample also turns off the Windows firewall and UAC to carry out additional actions while infecting the system.
The Allaple worm family deploys multiple COM objects pointing to the malicious DLL during execution, like in this example:

Adware

Citrio, an adware web browser designed by Catalina Group, uses in its more recent versions a COM object for persistence with CLSID {F4CBF20B-F634-4095-B64A-2EBCDD9E560E}. It drops several harmful DLLs, one masquerades as Google Update (goopdate.dll), also observed as psuser.dll, that possesses the capability to establish services on the system along using a COM object for persistence.

Common folders used to store the payloads

Most malicious DLLs we saw so far are typically stored in the C:\Users\<user>\AppData\Roaming\ directory. It's also common to create subfolders within this directory, the most frequently found include:
  • \qmacro

  • \mymacro

  • \MacroCommerce

  • \Plugin

  • \Microsoft

In addition to these, we also found the following folders being frequently used to hide malicious DLLs:
  • The C:\Windows\SysWow64 is a folder found in 64-bit versions of Windows, containing legitimate 32-bit system files and libraries, and is oftenly used to conceal malicious DLLs. Its prevalence makes it an attractive hiding place, complicating detection efforts. However, permissions are required to create files in it.

  • The C:\Program Files (x86) folder is another legitimate directory used to store malicious COM hijacking payloads. Similar to \AppData\Roaming, in this case we have observed that the malicious DLLs are stored under specific subfolders, such as “\Google”, “\Mozilla Firefox”, “\Microsoft”, “\Common Files” or “\Internet Download Manager”.

  • C:\Users\<user>\AppData\Local is another folder used for storing these payloads, including the “\Temp”, “\Microsoft” and “\Google” subfolders.

Detection

In order to detect unusual modifications to registry COM objects, there are a couple of crowdsourced Sigma rules to identify this behavior.

These rules will detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve samples triggered by the previous rules, respectively: VTI query for sigma1 and VTI query for sigma2.
You can also identify this behavior using Livehunt rules that target the creation of registry keys utilized for this purpose, for instance with the vt.behaviour.registry_keys_set modifier.
import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )  
}
The rule above might generate some noise, so we suggest considering polishing it by excluding certain common families like Berbew, which as mentioned, heavily relies on this technique:
and not 
    (
        for any engine, signature in vt.metadata.signatures : (  
        signature icontains "berbew"  
        )  
    )
You can also use the paths listed in Appendix to identify suspicious samples using them.
A final idea is including interesting existing Sigma rules into our Livehunt. Given that these rules already cover the targeted registry keys, we don’t need to use vt.behaviour.registry_keys_set in our condition.
import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}

Wrapping up

The T1546.015 - Event Triggered Execution: Component Object Model Hijacking is just one of several techniques employed for persistence. Leveraging COM objects for this task is frequently straightforward for threat actors. The analysis of how malware abuses this technique helps us get a better understanding in how to identify different families and develop protection methods. Although the technique is not the most popular for persistence (that would be T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.
Identifying some of the most abused CLSIDs can help us generate detection rules that identify possible malware abuses in our infrastructure. It can also serve as a good guide for prevalence in order to detect any anomalies for new suspicious activity.
The use of VirusTotal sandbox reports provides a very powerful tool to translate TTPs into actionable queries and monitoring. In this example we used it to better understand how attackers use COM objects, but could be used for any techniques employed by different threat actors.
We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.

APPENDIX

Abused CLSIDs

Next, you'll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.

CLSID - COM Objects

79FAA099-1BAE-816E-D711-115290CEE717

EBEB87A6-E151-4054-AB45-A6E094C5334B

241D7F03-9232-4024-8373-149860BE27C0

C07DB6A3-34FC-4084-BE2E-76BB9203B049

79ECA078-17FF-726B-E811-213280E5C831

22C6C651-F6EA-46BE-BC83-54E83314C67F

F4CBF20B-F634-4095-B64A-2EBCDD9E560E

57477331-126E-4FC8-B430-1C6143484AA9

C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9

89565275-A714-4a43-912E-978B935EDCCC

26037A0E-7CBD-4FFF-9C63-56F2D0770214

16426152-126E-4FC8-B430-1C6143484AA9

33414471-126E-4FC8-B430-1C6143484AA9

23716116-126E-4FC8-B430-1C6143484AA9

D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4

79FEACFF-FFCE-815E-A900-316290B5B738

74A94F46-4FC5-4426-857B-FCE9D9286279

Common paths

Below you will find a list with some of the most common paths used during the creation of the COM objects for persistence. The table contains the 'parent' paths as well, while the chart includes only the 'subpaths'.

Common paths used during COM object persistence

C:\Users\<user>\AppData\Roaming

C:\Users\<user>\AppData\Roaming\qmacro

C:\Users\<user>\AppData\Roaming\mymacro

C:\Users\<user>\AppData\Roaming\MacroCommerce

C:\Users\<user>\AppData\Roaming\Plugin

C:\Users\<user>\AppData\Roaming\Microsoft

C:\Windows\SysWow64

C:\Program Files (x86)

C:\Program Files (x86)\Google

C:\Program Files (x86)\Mozilla Firefox

C:\Program Files (x86)\Microsoft

C:\Program Files (x86)\Common Files

C:\Program Files (x86)\Internet Download Manager

C:\Users\<user>\AppData\Local

C:\Users\<user>\AppData\Local\Temp

C:\Users\<user>\AppData\Local\Microsoft

C:\Users\<user>\AppData\Local\Google

C:\Windows\Temp

Wednesday, February 21, 2024

,

Following MITRE's footsteps in analyzing malware behavior

The MITRE framework helps all defenders speak the same language regarding attackers' modus operandi. VirusTotal provides multiple data points where MITRE's Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes. In particular, samples' MITRE mapping can be found under the BEHAVIOR tab of a file's report. This data is searchable in VirusTotal Intelligence (VTI) with the help of a set of specific file search modifiers.
In this article, we'll illustrate how security analysts can leverage MITRE for malware detection and behavior-based hunting for ransomware and keylogger samples.

Hunting for Ransomware

The security industry historically identified a set of commonly used techniques in Ransomware campaigns, including inhibiting the system recovery and discovering local files and network shares for later data encryption, usually combined with exfiltration and/or Command and Control techniques.

Common TTPs of modern ransomware groups by Kaspersky

In VT Intelligence we can use 2 search modifiers to query files behavior mapped to MITRE ATT&CK:
In addition to the "attack_tactic" and "attack_technique" modifiers, VirusTotal provides extra modifiers listed on the Appendix I - Behavior search modifiers for procedures-based queries at the end of this post.
Let's do an example. We want to find samples given a set of ransomware-related techniques combined with the "behavior:CryptEncrypt" operating system API call (check Appendix I for details). Additionally, we specify the entity we are interested in (files) and the first submission date (fs) to filter out files submitted before 2024-01-01.
The resulting query is as follows:

Let's analyze in more detail one of the query's resulting files (35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab). According to the community, the file belongs to a BlackHunt Ransomware campaign threat that compromised multiple companies in Paraguay.
Its BEHAVIOR report tab, provides details on the techniques detected during sample's detonation:
  • T1490 (Inhibit System Recovery), the sample deletes the shadow copies (as highlighted in the Capabilities section below) and it also modifies Windows boot settings via bcdedit.
  • T1083 and T1135: The sample runs discovery processes to get system local files and directories, and also network shares.
  • The encryption process is visible by the CryptEncrypt operating system API call, functionality provided by the Advapi32.dll, and visible under the file's DETAILS tab.

Hunting for Keyloggers

Keyloggers are a particular form of Spyware designed for stealing user data, that commonly share some MITRE Tactics, including collecting data and/or discovering data for later exfiltration and/or Command and Control communication.
For our VTI query we will specify the T1056.001: Input Capture: Keylogging sub-technique of the Collection tactic, which identifies keystrokes interception. Additionally, we use the first submitted time condition (fs) and both Command and Control or Exfiltration tactics (attack_tactic), since we are not really interested in restricting the way the data gets outside of the victim environment.

One of the retrieved files (975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5) with a 25 out of 71 AV detection ratio is cataloged as Remcos, a commercial Remote Access Tool with keylogger capabilities among many others, which has been used by several Threat Actors.
On its BEHAVIOR tab, we can see details on the keystrokes interception performed via polling method. The report also reveals additional functionality, including capturing screenshots, reading victims' clipboard and geographical location of the abused device.

Conclusions

In this post we have seen using a couple of examples how present the MITRE framework is on VirusTotal and how it can be used to search for files with a particular TTP-based behavior using VirusTotal Intelligence searches. MITRE-related data is based on behavior detected during samples' sandbox detonation.
We have additionally created an Appendix I (below) detailing some of the most interesting behavior-search modifiers you can use in your queries. This fits particularly well with other TTP-based modifiers, allowing you to refine results by adding particular technical characteristics specific for the malware under analysis.
We hope you found this post interesting and useful. For suggestions or feedback please feel free to reach out here, we will be happy to hear from you.
Happy hunting!

Appendix I - Behavior search modifiers

The following search modifiers provide a more granular way of searching files based on their behavior, allowing more restrictive queries while using Tactics/Techniques ("attack_tactic", "attack_technique") search modifiers.