122 lines
5.8 KiB
Markdown
122 lines
5.8 KiB
Markdown
# Analysis about campaign of unknown phishing group (29-09-2019)
|
|
## Table of Contents
|
|
* [Malware analysis](#Malware-analysis)
|
|
+ [Initial vector](#Initial-vector)
|
|
* [Cyber Threat Intel](#Cyber-Threat-Intel)
|
|
* [Indicators Of Compromise (IOC)](#IOC)
|
|
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
|
|
* [Links](#Links)
|
|
+ [Original Tweet](#Original-Tweet)
|
|
+ [Link Anyrun](#Links-Anyrun)
|
|
+ [Documents](#Documents)
|
|
|
|
## Malware analysis <a name="Malware-analysis"></a>
|
|
### Initial vector <a name="Initial-vector"></a>
|
|
###### The initial vector is a spear phishing who usurp the brand TNT to incite the victim to download and execute the payload.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/mail.png "")
|
|
###### On the JS payload, an array "tankew" is edited by a replace characters of the first layer of obfucation and execute the JS backdoor by an eval call.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/TNT%20layer%201.png "")
|
|
###### The first action perform on the system is to self extract in APPDATA folder as js file and run as another instance.
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence_pay.png "")
|
|
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/Images/TNT/persistence.png "")
|
|
|
|
|
|
|
|
###### Liste des commands :
|
|
|Command|Description|
|
|
|:-------------:| :------------- |
|
|
|disconnect|Disconnect reverse shell|
|
|
|reboot|Reboot the computer|
|
|
|shutdown|Shutdown the computer|
|
|
|execute|Execute commands (cmd + PowerShell)|
|
|
|install-sdk|Install sdk tool for grabbing password for browser|
|
|
|get-pass|Grabbing the password of specific browser chosen by the attacker|
|
|
|get-pass-offline|Grabbing the password off all current browser|
|
|
|update|run update the version of the script|
|
|
|uninstall|Remove persistence + close process|
|
|
|up-n-exec|"Download and execute an executable file (Fixed URL ->""send-to-me"")"|
|
|
|bring-log|upload the log of the js backdoor|
|
|
|down-n-exec|Download and execute an executable file (Custom URL )|
|
|
|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
|
|
|rdp|Start rdp module|
|
|
|rev-proxy|Start reverse proxy module|
|
|
|exit-proxy|kill reverse proxy process|
|
|
|keylogger|Start keylogger module|
|
|
|offline-keylogger|Launch keylogger module with mod|
|
|
|browse-logs|Send the logs do by the backdoor|
|
|
|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
|
|
|get-processes|Enumerates processes|
|
|
|disable-uac|Disable security settings (UAC + Defender)|
|
|
|check-eligible|Check existence of the file verified by the attacker|
|
|
|force-eligible|Check existence of the file verified by the attacker + elevated rights|
|
|
|elevate|Check elevated rights + runas for elevated the rights|
|
|
|if-elevate|Check elevated rights|
|
|
|kill-process|Kill a specific process (by taskkill)|
|
|
|Sleep|Hibernate process via a duration chosen by the attacker|
|
|
|
|
|
|
###### Liste des commands :
|
|
|
|
|Command|Description|
|
|
|:-------------:| :------------- |
|
|
|disconnect|Disconnect reverse shell|
|
|
|reboot|Reboot the computer|
|
|
|shutdown|Shutdown the computer|
|
|
|execute|Execute commands (cmd + PowerShell)|
|
|
|get-pass|Grabbing the password of specific browser chosen by the attacker|
|
|
|get-pass-offline|Grabbing the password off all current browser|
|
|
|update|run update the version of the script|
|
|
|uninstall|Remove persistence + close process|
|
|
|up-n-exec|Download and execute an executable file (Fixed URL ->"send-to-me")|
|
|
|bring-log|upload the log of the js backdoor|
|
|
|down-n-exec|Download and execute an executable file (Custom URL )|
|
|
|filemanager|Kill the backdoor process + download an executable file (Custom URL)|
|
|
|rdp|Start rdp module|
|
|
|keylogger|Start keylogger module|
|
|
|offline-keylogger|Launch keylogger module with mod|
|
|
|browse-logs|Send the logs do by the backdoor|
|
|
|cmd-shell|Execute commands (cmd + PowerShell) [Write the output in a file, read it, delete it]|
|
|
|get-processes|Enumerates processes|
|
|
|disable-uac|Disable security settings (UAC + Defender)|
|
|
|elevate|Check elevated rights + runas for elevated the rights|
|
|
|if-elevate|Check elevated rights|
|
|
|kill-process|Kill a specific process (by taskkill)|
|
|
|Sleep|Hibernate process via a duration chosen by the attacker|
|
|
|
|
|
|
## Cyber kill chain <a name="Cyber-kill-chain"></a>
|
|
###### The process graph resume the cyber kill chain used by the attacker.
|
|
![alt text]()
|
|
## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
|
|
## References MITRE ATT&CK Matrix <a name="Ref-MITRE-ATTACK"></a>
|
|
###### List of all the references with MITRE ATT&CK Matrix
|
|
|
|
|Enterprise tactics|Technics used|Ref URL|
|
|
| :---------------: |:-------------| :------------- |
|
|
||||
|
|
||||
|
|
||||
|
|
|
|
## Indicators Of Compromise (IOC) <a name="IOC"></a>
|
|
|
|
###### List of all the Indicators Of Compromise (IOC)
|
|
|
|
| Indicator | Description|
|
|
| ------------- |:-------------:|
|
|
|||
|
|
||Domain requested|
|
|
||IP requested|
|
|
||HTTP/HTTPS requests||
|
|
||IP C2|
|
|
||Domain C2|
|
|
###### This can be exported as JSON format [Export in JSON]()
|
|
|
|
## Links <a name="Links"></a>
|
|
###### Original tweet: [https://twitter.com/dvk01uk/status/1176483058058440705](https://twitter.com/dvk01uk/status/1176483058058440705) <a name="Original-Tweet"></a>
|
|
###### Links Anyrun: <a name="Links-Anyrun"></a>
|
|
* [TNT Collection Request BH7 297745.js](https://app.any.run/tasks/62990e45-e920-48b0-a3b3-9ce2e83f99dc)
|
|
* [BANK DETAILS CONFIRMATION_PDF.js](https://app.any.run/tasks/ec7c360a-5cd0-4cfc-b123-2f43fda77423)
|
|
* [vvvv.js](https://app.any.run/tasks/26647b54-0c71-4461-adee-765e926ab5fc)
|
|
###### Documents: <a name="Documents"></a>
|
|
* [Houdini Worm Transformed in New Phishing Attack - June 2019](https://cofense.com/houdini-worm-transformed-new-phishing-attack/)
|