diff --git a/Unknown/Unknown phishing group/Analysis_29-09-2019.md b/Unknown/Unknown phishing group/Analysis_29-09-2019.md index 2311f0e..127752f 100644 --- a/Unknown/Unknown phishing group/Analysis_29-09-2019.md +++ b/Unknown/Unknown phishing group/Analysis_29-09-2019.md @@ -1,8 +1,6 @@ # Analysis about campaign of unknown phishing group (29-09-2019) ## Table of Contents * [Malware analysis](#Malware-analysis) - + [Initial vector](#Initial-vector) -* [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) 
@@ -11,18 +9,19 @@ + [Documents](#Documents) ## Malware analysis -### Initial vector ###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "") -###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call. +###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfuscation and execute the JS backdoor by an eval call. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "") ###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "") +###### We can see the global configuration of the backdoor, the IP of the C2, the paths for installers, logs.. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/config.png "") +###### We can list all the commands that the attacker can perform on the compromised system. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/switch.png "") - - -###### Liste des commands : +###### List of commands (v2.0) : |Command|Description| |:-------------:| :------------- | |disconnect|Disconnect reverse shell| 
@@ -54,8 +53,18 @@ |kill-process|Kill a specific process (by taskkill)| |Sleep|Hibernate process via a duration chosen by the attacker| +###### On the function which crawl the system informations, we observe an number of version (2.0). +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/infos.png "") -###### Liste des commands : +###### This matching with another sample spotted on the cofense analysis. This report that new variant in Javascript (latest VBS) of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. However, the version number is not indicated, we need to analysis it. +###### On the first layer on the payload, we observe that this uses a switch case structure for less the detection of the AV. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/LAY11.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/LAY12.png "") +###### We can confirm that the version 1.2 of the js version of Hworm and compare the improvements between the two versions. The main improvement is the fact that the payload have multiple PE in the script and this avoid to have additionnal online storage for distribute the tool if needed. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/config.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/infos.png "") + +###### List of commands (v1.2) : |Command|Description| |:-------------:| :------------- | 
@@ -83,19 +92,21 @@ |kill-process|Kill a specific process (by taskkill)| |Sleep|Hibernate process via a duration chosen by the attacker| +###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions. The group seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals. ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. -![alt text]() -## Cyber Threat Intel +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/Cyber.PNG "") + ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | -|||| -|||| -|||| +|Execution|Scripting
Execution through API|https://attack.mitre.org/techniques/T1064/
https://attack.mitre.org/techniques/T1106/| +|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/| +|Defense Evasion|Scripting|https://attack.mitre.org/techniques/T1064/| +|Discovery|Query Registry
System Information Discovery|https://attack.mitre.org/techniques/T1012/
https://attack.mitre.org/techniques/T1082/| ## Indicators Of Compromise (IOC) 
@@ -103,13 +114,33 @@ | Indicator | Description| | ------------- |:-------------:| -||| -||Domain requested| -||IP requested| -||HTTP/HTTPS requests|| -||IP C2| -||Domain C2| -###### This can be exported as JSON format [Export in JSON]() +|TNT Collection Request BH7 297745.js|5e3ddf08616d4d0e7ba2a42af8e51e30e184eccb931ce36515cf5b24f3eb538d| +|BANK DETAILS CONFIRMATION_PDF.js|2f3541dd71b6c3f2cc4ef9f3a6dd36df1749ac4c062dfca7d955ac93bad8f53f| +|vvvv.js|09e9c9b722e63fa6f2d5b3e2949fb0a4d0cc42183b8e1c3030ecd46691a866b4| +|kl-plugin.exe|272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a| +|bpvpl.tar.gz|27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e| +|mapv.tar.gz|bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28| +|rd-plugin.exe|d65a3033e440575a7d32f4399176e0cdb1b7e4efa108452fcdde658e90722653| +|2813.noip.me|Domain C2| +|tcoolsoul.com|Domain C2| +|ip-api.com|Domain requested| +|brothersjoy.nl|Domain requested| +|doughnut-snack.live|Domain requested| +|hxxp[:]//pluginsrv1.duckdns.org:7757/is-ready|HTTP/HTTPS requests| +|hxxp[:]//ip-api.com/json/|HTTP/HTTPS requests| +|hxxp[:]//tcoolsoul.com:1765/is-ready|HTTP/HTTPS requests| +|hxxp[:]//doughnut-snack.live/mapv.tar.gz|HTTP/HTTPS requests| +|hxxp[:]//doughnut-snack.live/klplu.tar.gz|HTTP/HTTPS requests| +|hxxp[:]//doughnut-snack.live/bpvpl.tar.gz|HTTP/HTTPS requests| +|hxxp[:]//doughnut-snack.live/rdplu1.tar.gz|HTTP/HTTPS requests| +|hxxp[:]//185.247.228.159:1765/open-rdp|1280x720|HTTP/HTTPS requests| +|79.134.225.100|IP requested| +|192.169.69.25|IP requested| +|172.245.14.10|IP requested| +|185.194.141.58|IP C2| +|185.247.228.159|IP C2| + +###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/IOC/IOC_01-10-19.json) ## Links ###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) 
@@ -119,3 +150,4 @@ * [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc) ###### Documents: * [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/) +* [Houdini’s Magic Reappearance - October 2016](https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/)
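Review bot: In the `@@ -1,8 +1,6 @@` hunk the table of contents drops `[Cyber Threat Intel](#Cyber-Threat-Intel)` to match the heading removed later in the patch, but the `## Cyber kill chain` section that remains in the body still has no entry, so the TOC is out of step with the document on the other side; add `* [Cyber kill chain](#Cyber-kill-chain)` between the malware-analysis and IOC entries. Dropping the `Initial vector` sub-entry is consistent with the `### Initial vector` heading removal in the next hunk.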
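Review bot: In the `@@ -11,18 +9,19 @@` hunk the added heading `###### List of commands (v2.0) :` labels the command table with a version number that the text only establishes in the following hunk (`we observe an number of version (2.0)`), so the reader meets the label before the evidence; either move the version observation up beside the config screenshot or say here that the version is justified below. The touched lines also keep grammar that could be fixed in the same change: `a replace characters of the first layer of obfuscation and execute the JS backdoor by an eval call` reads better as `a character-replacement pass over the first obfuscation layer, after which the JS backdoor is executed through an eval call`, and `the paths for installers, logs..` should end with a single period or `etc.`.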
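Review bot: In the `@@ -54,8 +53,18 @@` hunk the sentence `We can confirm that the version 1.2 of the js version of Hworm` has no main verb and does not say what in the `infos.png` screenshot carries the version string, which matters because the preceding line says the Cofense report gives no version and `we need to analysis it`; rewrite along the lines of `The system-information function of the Cofense sample reports version 1.2, which confirms it is the earlier JS variant of Hworm` (naming the field that actually carries it). The statement that the `switch case structure` exists `for less the detection of the AV` is presented as fact without support; phrase it as the author's interpretation, e.g. `likely chosen to reduce AV detection`. Also `new variant in Javascript (latest VBS)` should read `(previously VBS)`, and `This matching with another sample` should be `This matches another sample`.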
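Review bot: In the `@@ -83,19 +92,21 @@` hunk the MITRE table rows for Execution and Discovery each pack two techniques and two URLs into one cell, and the diff shows them wrapping onto separate lines (`|Execution|Scripting` / `Execution through API|https://attack.mitre.org/techniques/T1064/` / `https://attack.mitre.org/techniques/T1106/|`); a Markdown table cell cannot contain a line break, so either join the parts with `<br>` or give each technique its own row so the table stays valid. The table also omits tactics the analysis itself describes: the body calls the initial vector a spear phishing mail that gets the victim to `download and execute the payload` (Initial Access: Spearphishing Attachment T1193 or Spearphishing Link T1192 depending on how the .js was delivered, plus Execution: User Execution T1204), and the IOC section lists `/is-ready` beacons to `tcoolsoul.com:1765` and `185.247.228.159:1765` (Command and Control: Uncommonly Used Port T1065), so those rows are missing. Finally, `this gives a period of 2 months between the two versions` does not match the dates the page gives (the Cofense analysis is dated June 2019 and the new sample 17 September), so state both dates explicitly and correct the interval; `The group seems focus the phishing campaign` also needs `seems to focus`.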
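Review bot: In the `@@ -103,13 +114,33 @@` hunk the row `|hxxp[:]//185.247.228.159:1765/open-rdp|1280x720|HTTP/HTTPS requests|` contains an unescaped `|` inside the URL, which Markdown reads as a column separator and turns the row into four cells; escape it as `open-rdp\|1280x720` or wrap the URL in backticks. The first seven rows also put a hash in the `Description` column (`|TNT Collection Request BH7 297745.js|5e3ddf08616d4d0e7ba2a42af8e51e30e184eccb931ce36515cf5b24f3eb538d|`), so the header no longer describes the content; either add a dedicated hash column or make the hash the indicator and the filename the description, and name the algorithm (the values are 64 hex characters, i.e. SHA-256 length). Two consistency points: `pluginsrv1.duckdns.org` appears only inside a request URL and not as a `Domain C2` row although it serves the same `/is-ready` path as `tcoolsoul.com`, and `klplu.tar.gz` / `rdplu1.tar.gz` are requested but have no hash rows while `kl-plugin.exe` / `rd-plugin.exe` do, so state whether those archives are the containers for the listed executables.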
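Review bot: In the `@@ -119,3 +150,4 @@` hunk the Unit42 2016 write-up is added under `Documents` but nothing in the body cites it; if it is the baseline for the original VBS Hworm against which the two JS versions are compared, say so in the version-comparison paragraph so the reader knows why it is listed.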