ch0ic3/CyberThreatIntel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Malware analysis 09-09-19.md

Browse Source
This commit is contained in:
StrangerealIntel 2019-09-13 00:58:35 +02:00 committed by GitHub
parent 7a5e948d0e
commit 1d043f7b55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md
View File

@ -1,7 +1,6 @@
# [Update] New samples, same TTPs and accounts # [Update] New samples, same TTPs and accounts
## Table of Contents ## Table of Contents
* [Malware analysis](#Malware-analysis) * [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Threat-Intel) * [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC) * [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
@ -11,10 +10,9 @@
+ [Documents](#Documents) + [Documents](#Documents)
## Malware analysis <a name="Malware-analysis"></a> ## Malware analysis <a name="Malware-analysis"></a>
### Initial vector <a name="Initial-vector"></a> ###### The initial vector is an VBA macro from a Maldoc. This use two functions for obfuscated the main command.
###### The initial vector is an VBA macro from an Maldoc, this use two functions for obfuscated the main command.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/macro1.png "")
###### Once this removed, we can see that use the only command is mshta for invoke the loader. ###### Once this removed, we can see that use the only command is mshta for invoke the loader.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Macro2.PNG "")
###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin. ###### This web page use unescape (4 times) for use again mshta and redirect on the first pastebin.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/site.PNG "")
@ -22,25 +20,37 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/redirect2.PNG "")
###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint). ###### The first pastebin use again the escape function (and like all at pastebin shares).The first command of the Visual Basic script is to kill the following process (Word, Excel, Publisher and Powerpoint).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1.PNG "")
###### The second command create a persistence using another mshta for initate to to close the hidden window. ###### The second command create a persistence using another mshta for initiate to close the hidden window.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/loader1close.PNG "")
###### The third command execute a loader with two new pastebins. ###### The third command execute a loader with two new pastebins.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P.png "")
###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers. ###### The first share is a script using an array and the getbytes function for obfuscate the payload on two layers.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "") ![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-1.png "")
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "") ![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2.png "")
###### This execute a dll for load the second PE. This dll is the same than the last analysis and is use as protector ConfuserEx. ###### This executes a dll for load the second PE. This dll is the same than the last analysis and is used as protector ConfuserEx.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "") ![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P1-2C.png "")
###### The second Pastebin content the data to split for the second PE. ###### The second Pastebin content the data to split for the second PE.
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "") ![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/LoaderL2P2-1.png "")
###### The second PE load the old Delphi Azorult Stealer. We can confirm it in seeing quickly some features, here read the ihformations about the keyboard : ###### The second PE load the old Delphi AZORult Stealer. We can confirm it in seeing quickly some features, here read the informations about the keyboard :
![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "") ![alt text](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/09-09-19/Images/Bin-Keyboard.PNG "")
###### We can observe too that malware can research the current wallets.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/bin_wallets.png "")
###### This uses an XOR operation with a 3-byte key for encrypting data to sent to the C&C server.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/bin_Data.png "")
###### This can get a screenshot of the computer too.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/bin-BMP.png "")
## Cyber kill chain <a name="Cyber-kill-chain"></a> ## Cyber kill chain <a name="Cyber-kill-chain"></a>
###### The process graph resume the cyber kill chain used by the attacker. ###### The process graph resume the cyber kill chain used by the attacker.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Cyberkillchain.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Cyberkillchain.png "")
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a> ## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
###### The TTPs are the same that the last analysis of the group, this time, this uses the old version of the AZORult (Delphi instead of C++).
###### The fact to have a pastebin at each step of the operation is interesting for see the rate of the success and see if the operation is probably discovered.
###### The two accounts used for the operation are the same that the last sample spotted and are linked as accounts of the APT group.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/Hagga_again.PNG "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/second%20account.PNG "")
###### The last interesting thing is that the sample is spotted the 10 September 2019, we can see that the pastebins are the last time edited on the 9 September and in going on the opendir of the panel, we can see multiple panels for theirs operations was implemented at the last moments and show that not prepared for a special event.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/09-09-19/Images/panel.png "")
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
###### List of all the references with MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix