Update Analysis_29-09-2019.md
This commit is contained in:
parent
b19a2a5717
commit
83d1569c51
@ -1,8 +1,6 @@
|
|||||||
# Analysis about campaign of unknown phishing group (29-09-2019)
|
# Analysis about campaign of unknown phishing group (29-09-2019)
|
||||||
## Table of Contents
|
## Table of Contents
|
||||||
* [Malware analysis](#Malware-analysis)
|
* [Malware analysis](#Malware-analysis)
|
||||||
+ [Initial vector](#Initial-vector)
|
|
||||||
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
|
||||||
* [Indicators Of Compromise (IOC)](#IOC)
|
* [Indicators Of Compromise (IOC)](#IOC)
|
||||||
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
||||||
* [Links](#Links)
|
* [Links](#Links)
|
||||||
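Review bot: the table of contents now drops the `Initial vector` and `Cyber Threat Intel` entries, which matches the removal of those two headings later in this change, but the `## Cyber kill chain <a name="Cyber-kill-chain"></a>` section that remains in the body still has no entry; add `* [Cyber kill chain](#Cyber-kill-chain)` between the Malware analysis and IOC entries so that anchor is reachable from the top of the report.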
@ -11,18 +9,19 @@
|
|||||||
+ [Documents](#Documents)
|
+ [Documents](#Documents)
|
||||||
|
|
||||||
## Malware analysis <a name="Malware-analysis"></a>
|
## Malware analysis <a name="Malware-analysis"></a>
|
||||||
### Initial vector <a name="Initial-vector"></a>
|
|
||||||
###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
|
###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
|
||||||
###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call.
|
###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfuscation and execute the JS backdoor by an eval call.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
|
||||||
###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
|
###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
|
||||||
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
|
||||||
|
###### We can see the global configuration of the backdoor, the IP of the C2, the paths for installers, logs..
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/config.png "")
|
||||||
|
###### We can list all the commands that the attacker can perform on the compromised system.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/switch.png "")
|
||||||
|
|
||||||
|
###### List of commands (v2.0) :
|
||||||
|
|
||||||
###### Liste des commands :
|
|
||||||
|Command|Description|
|
|Command|Description|
|
||||||
|:-------------:| :------------- |
|
|:-------------:| :------------- |
|
||||||
|disconnect|Disconnect reverse shell|
|
|disconnect|Disconnect reverse shell|
|
||||||
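Review bot: the persistence paragraph `###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.` describes the copy into APPDATA but not the mechanism that relaunches it at logon, while the ATT&CK table in this same change maps Persistence to Registry Run Keys / Startup Folder; spell out which of the two the `persistence.png` screenshot shows and the key or folder path, since that is the artifact a responder will actually check. The new line `###### We can see the global configuration of the backdoor, the IP of the C2, the paths for installers, logs..` should end with a full stop, and it would help to name which of the C2 addresses from the IOC table this sample's config holds. On the unchanged context, `a spear phishing who usurp the brand TNT` reads better as `a spear-phishing e-mail that impersonates the TNT brand`, `The first action perform on the system` as `The first action performed on the system`, and `an array "tankew" is edited by a replace characters of the first layer of obfuscation and execute the JS backdoor by an eval call` as `the array "tankew" is decoded by a character-replace routine (the first obfuscation layer) and the resulting JS backdoor is executed through eval`; the `obfucation` to `obfuscation` fix in this hunk is good.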
@ -54,8 +53,18 @@
|
|||||||
|kill-process|Kill a specific process (by taskkill)|
|
|kill-process|Kill a specific process (by taskkill)|
|
||||||
|Sleep|Hibernate process via a duration chosen by the attacker|
|
|Sleep|Hibernate process via a duration chosen by the attacker|
|
||||||
|
|
||||||
|
###### On the function which crawl the system informations, we observe an number of version (2.0).
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/infos.png "")
|
||||||
|
|
||||||
###### Liste des commands :
|
###### This matching with another sample spotted on the cofense analysis. This report that new variant in Javascript (latest VBS) of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files. However, the version number is not indicated, we need to analysis it.
|
||||||
|
###### On the first layer on the payload, we observe that this uses a switch case structure for less the detection of the AV.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/LAY11.png "")
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/LAY12.png "")
|
||||||
|
###### We can confirm that the version 1.2 of the js version of Hworm and compare the improvements between the two versions. The main improvement is the fact that the payload have multiple PE in the script and this avoid to have additionnal online storage for distribute the tool if needed.
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/config.png "")
|
||||||
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/Bank/infos.png "")
|
||||||
|
|
||||||
|
###### List of commands (v1.2) :
|
||||||
|
|
||||||
|Command|Description|
|
|Command|Description|
|
||||||
|:-------------:| :------------- |
|
|:-------------:| :------------- |
|
||||||
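Review bot: the added paragraph `###### On the first layer on the payload, we observe that this uses a switch case structure for less the detection of the AV.` moves from the TNT sample to a second payload (the image paths change from `Images/TNT/` to `Images/Bank/`) without naming it; state that this is the `BANK DETAILS CONFIRMATION_PDF.js` sample from the IOC table before describing its layers, otherwise the reader cannot tell which file the version 1.2 finding applies to. Wording in the same hunk: `This matching with another sample spotted on the cofense analysis. This report that new variant in Javascript (latest VBS) of Houdini Worm` should read `This matches another sample described in the Cofense analysis, which reports a new JavaScript variant of the (historically VBS) Houdini worm`; `for less the detection of the AV` should be `to lower AV detection rates`; and `We can confirm that the version 1.2 of the js version of Hworm` is missing `this is` after `confirm that`.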
@ -83,19 +92,21 @@
|
|||||||
|kill-process|Kill a specific process (by taskkill)|
|
|kill-process|Kill a specific process (by taskkill)|
|
||||||
|Sleep|Hibernate process via a duration chosen by the attacker|
|
|Sleep|Hibernate process via a duration chosen by the attacker|
|
||||||
|
|
||||||
|
###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions. The group seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals.
|
||||||
|
|
||||||
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
||||||
###### The process graph resume the cyber kill chain used by the attacker.
|
###### The process graph resume the cyber kill chain used by the attacker.
|
||||||
![alt text]()
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/Cyber.PNG "")
|
||||||
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
|
|
||||||
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
||||||
###### List of all the references with MITRE ATT&CK Matrix
|
###### List of all the references with MITRE ATT&CK Matrix
|
||||||
|
|
||||||
|Enterprise tactics|Technics used|Ref URL|
|
|Enterprise tactics|Technics used|Ref URL|
|
||||||
| :---------------: |:-------------| :------------- |
|
| :---------------: |:-------------| :------------- |
|
||||||
||||
|
|Execution|Scripting<br>Execution through API|https://attack.mitre.org/techniques/T1064/<br>https://attack.mitre.org/techniques/T1106/|
|
||||||
||||
|
|Persistence|Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060/|
|
||||||
||||
|
|Defense Evasion|Scripting|https://attack.mitre.org/techniques/T1064/|
|
||||||
|
|Discovery|Query Registry<br>System Information Discovery|https://attack.mitre.org/techniques/T1012/<br>https://attack.mitre.org/techniques/T1082/|
|
||||||
|
|
||||||
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
||||||
|
|
||||||
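Review bot: the ATT&CK table gains a Discovery row and loses the empty `||||` rows, which fixes its rendering, but it still has no Command and Control tactic even though the IOC table in this same change lists beacons such as `hxxp[:]//tcoolsoul.com:1765/is-ready` and `hxxp[:]//pluginsrv1.duckdns.org:7757/is-ready`, i.e. HTTP C2 over non-standard ports; add a row for that (Standard Application Layer Protocol, T1071, and Uncommonly Used Port, T1065, in the 2019 matrix) so the mapping matches the traffic the report itself documents. Minor: the header `|Enterprise tactics|Technics used|Ref URL|` should read `Techniques used`, and `A new sample have been spotted (17 September)` should be `has been spotted`.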
@ -103,13 +114,33 @@
|
|||||||
|
|
||||||
| Indicator | Description|
|
| Indicator | Description|
|
||||||
| ------------- |:-------------:|
|
| ------------- |:-------------:|
|
||||||
|||
|
|TNT Collection Request BH7 297745.js|5e3ddf08616d4d0e7ba2a42af8e51e30e184eccb931ce36515cf5b24f3eb538d|
|
||||||
||Domain requested|
|
|BANK DETAILS CONFIRMATION_PDF.js|2f3541dd71b6c3f2cc4ef9f3a6dd36df1749ac4c062dfca7d955ac93bad8f53f|
|
||||||
||IP requested|
|
|vvvv.js|09e9c9b722e63fa6f2d5b3e2949fb0a4d0cc42183b8e1c3030ecd46691a866b4|
|
||||||
||HTTP/HTTPS requests||
|
|kl-plugin.exe|272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a|
|
||||||
||IP C2|
|
|bpvpl.tar.gz|27bd6db946dd85de546f6fb9b80658e46ecd327136773c949cd212ddfd52aa4e|
|
||||||
||Domain C2|
|
|mapv.tar.gz|bfcde7f66c042845af095b5600d1e7a383926e2836624f7eb1690b078e9cfe28|
|
||||||
###### This can be exported as JSON format [Export in JSON]()
|
|rd-plugin.exe|d65a3033e440575a7d32f4399176e0cdb1b7e4efa108452fcdde658e90722653|
|
||||||
|
|2813.noip.me|Domain C2|
|
||||||
|
|tcoolsoul.com|Domain C2|
|
||||||
|
|ip-api.com|Domain requested|
|
||||||
|
|brothersjoy.nl|Domain requested|
|
||||||
|
|doughnut-snack.live|Domain requested|
|
||||||
|
|hxxp[:]//pluginsrv1.duckdns.org:7757/is-ready|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//ip-api.com/json/|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//tcoolsoul.com:1765/is-ready|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//doughnut-snack.live/mapv.tar.gz|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//doughnut-snack.live/klplu.tar.gz|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//doughnut-snack.live/bpvpl.tar.gz|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//doughnut-snack.live/rdplu1.tar.gz|HTTP/HTTPS requests|
|
||||||
|
|hxxp[:]//185.247.228.159:1765/open-rdp|1280x720|HTTP/HTTPS requests|
|
||||||
|
|79.134.225.100|IP requested|
|
||||||
|
|192.169.69.25|IP requested|
|
||||||
|
|172.245.14.10|IP requested|
|
||||||
|
|185.194.141.58|IP C2|
|
||||||
|
|185.247.228.159|IP C2|
|
||||||
|
|
||||||
|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/IOC/IOC_01-10-19.json)
|
||||||
|
|
||||||
## Links <a name="Links"></a>
|
## Links <a name="Links"></a>
|
||||||
###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>
|
###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>
|
||||||
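Review bot: the row `|hxxp[:]//185.247.228.159:1765/open-rdp|1280x720|HTTP/HTTPS requests|` contains an unescaped `|` inside the URL, so Markdown renders it as three cells (`.../open-rdp`, `1280x720`, `HTTP/HTTPS requests`) in a two-column table; escape it as `open-rdp\|1280x720` so the whole request path, which appears to be the command and its argument separated by a pipe, stays in the Indicator cell. Also, the file rows place 64-hex-character digests (SHA-256 length) in the `Description` column without saying what they are; put the hash type in the header (for example `| Indicator | Description / SHA256 |`) or prefix the values with `SHA256:` so consumers of the table, and of the JSON export linked below it, know what to match on.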
@ -119,3 +150,4 @@
|
|||||||
* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)
|
* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)
|
||||||
###### Documents: <a name="Documents"></a>
|
###### Documents: <a name="Documents"></a>
|
||||||
* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)
|
* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)
|
||||||
|
* [Houdini’s Magic Reappearance - October 2016](https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/)
|
||||||
|