# Analysis about campaign of unknown phishing group (29-09-2019) ## Table of Contents * [Malware analysis](#Malware-analysis) + [Initial vector](#Initial-vector) * [Cyber Threat Intel](#Cyber-Threat-Intel) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) + [Original Tweet](#Original-Tweet) + [Link Anyrun](#Links-Anyrun) + [Documents](#Documents) ## Malware analysis <a name="Malware-analysis"></a> ### Initial vector <a name="Initial-vector"></a> ###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "") ###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "") ###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "") ###### Liste des commands : |Command|Description| |:-------------:| :------------- | |disconnect|Disconnect reverse shell| |reboot|Reboot the computer| |shutdown|Shutdown the computer| |execute|Execute commands (cmd + PowerShell)| |install-sdk|Install sdk tool for grabbing password for browser| |get-pass|Grabbing the password of specific browser chosen by the attacker| |get-pass-offline|Grabbing the password off all current browser| |update|run update the version of the script| |uninstall|Remove persistence + close process| |up-n-exec|"Download and execute an executable file (Fixed URL ->""send-to-me"")"| |bring-log|upload the log of the js backdoor| |down-n-exec|Download and execute an executable file (Custom URL )| |filemanager|Kill the backdoor process + download an executable file (Custom URL)| |rdp|Start rdp module| |rev-proxy|Start reverse proxy module| |exit-proxy|kill reverse proxy process| |keylogger|Start keylogger module| |offline-keylogger|Launch keylogger module with mod| |browse-logs|Send the logs do by the backdoor| |cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]| |get-processes|Enumerates processes| |disable-uac|Disable security settings (UAC + Defender)| |check-eligible|Check existence of the file verified by the attacker| |force-eligible|Check existence of the file verified by the attacker + elevated rights| |elevate|Check elevated rights + runas for elevated the rights| |if-elevate|Check elevated rights| |kill-process|Kill a specific process (by taskkill)| |Sleep|Hibernate process via a duration chosen by the attacker| ###### Liste des commands : |Command|Description| |:-------------:| :------------- | |disconnect|Disconnect reverse shell| |reboot|Reboot the computer| |shutdown|Shutdown the computer| |execute|Execute commands (cmd + PowerShell)| |get-pass|Grabbing the password of specific browser chosen by the attacker| |get-pass-offline|Grabbing the password off all current browser| |update|run update the version of the script| |uninstall|Remove persistence + close process| |up-n-exec|Download and execute an executable file (Fixed URL ->"send-to-me")| |bring-log|upload the log of the js backdoor| |down-n-exec|Download and execute an executable file (Custom URL )| |filemanager|Kill the backdoor process + download an executable file (Custom URL)| |rdp|Start rdp module| |keylogger|Start keylogger module| |offline-keylogger|Launch keylogger module with mod| |browse-logs|Send the logs do by the backdoor| |cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]| |get-processes|Enumerates processes| |disable-uac|Disable security settings (UAC + Defender)| |elevate|Check elevated rights + runas for elevated the rights| |if-elevate|Check elevated rights| |kill-process|Kill a specific process (by taskkill)| |Sleep|Hibernate process via a duration chosen by the attacker| ## Cyber kill chain <a name="Cyber-kill-chain"></a> ###### The process graph resume the cyber kill chain used by the attacker. ![alt text]() ## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a> ## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a> ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | |||| |||| |||| ## Indicators Of Compromise (IOC) <a name="IOC"></a> ###### List of all the Indicators Of Compromise (IOC) | Indicator | Description| | ------------- |:-------------:| ||| ||Domain requested| ||IP requested| ||HTTP/HTTPS requests|| ||IP C2| ||Domain C2| ###### This can be exported as JSON format [Export in JSON]() ## Links <a name="Links"></a> ###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a> ###### Links Anyrun: <a name="Links-Anyrun"></a> * [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc) * [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423) * [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc) ###### Documents: <a name="Documents"></a> * [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)