diff --git a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md index 577a750..2c19eb4 100644 --- a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md +++ b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md @@ -46,8 +46,43 @@ ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "") ###### Once the protection removed, we can see the functions used by the dll. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "") -###### The run method get the payload string push by the second PE and execute it. +###### The run method get the payload string push by the second PE, decode it and execute it. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "") +#### Frombook +###### We can observe on the structure, the encoding for scale the data and add junk code on the PE for avoid the detection of the AV (here, in the "Currentversion" string. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/dec.png "") +###### This sample is programming in C++ (Frombook is available in many language : VB, C, C++, C#...) and check the PE structure. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/CheckPE.png "") + +###### This continue to detect and steal the data from the navigators. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/choicenav.png "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/chrome.png "") + +##### This parsed and steal the passwords. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/config.png "") +##### We can observe the useragent settings who send the data to the C2. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Frombook/useragent.png "") +##### This use a run key as persistence for the frombook module. +##### Some features of Frombook form the cyberbit analysis can be observed in this analysis and the execution on the anyrun sandbox : +* ###### Keystroke logging +* ###### Clipboard monitoring +* ###### HTTP/HTTPS/SPDY/HTTP2 form and network request grabbing +* ###### Browser and email client password grabbing +* ###### Capturing screenshots +* ###### Bot updating +* ###### Downloading and executing files +* ###### Bot removing +* ###### Launching commands via ShellExecute +* ###### Clear browser cookies +* ###### Reboot the system +* ###### Shutdown the system +* ###### Download and unpack ZIP archive +### Cyber kill chain +###### These process graphs represents the cyber kill chain of the initial vector and the Frombook module. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyber.PNG "") +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/cyberfrom.PNG "") +### Cyber Threat Intel + ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix @@ -72,7 +107,10 @@ ## Links * Original tweet: https://twitter.com/Rmy_Reserve/status/1164405054746460161 -* Anyrun Link: [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b) +* Anyrun Link: + + [IMG76329797.xls](https://app.any.run/tasks/3cff3642-1d54-4a66-8f0d-256f0065479b) + + [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e) * Docs : -+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) -+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html) + + [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/) + + [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html) + + [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)