Malware of the Day – Fiesta

What is Malware of the Day?

 

Lab Setup

Malware: Fiesta

AKA: Fiesta Exploit Kit, Fiesta EK.

Traffic Type: Crimeware

Connection Type: Reverse HTTP

C2 Platform: Cobalt Strike

Origin of Sample: https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/fiesta.profile

Host Payload Delivery Method: Powershell one-liner

Target Host/Victim: 192.168.99.51 – Windows 10 x64

C2 Server: 104.248.234.238 – Ubuntu 18.04.3 (LTS) x64

Beacon Timing: 30s

Jitter: 10%

 

Brief

Our focus is on identifying and detecting network beaconing behavior. We are using AI-Hunter/RITA as our network threat and C2/beacon detection platform to visualize the network traffic generated from running the Fiesta malware replication. We encourage you to download and use the PCAP files included in the next section to analyze these files independently using your preferred threat hunt platform to test your detection capabilities.

 

The above screenshot is taken of the AI-Hunter Beacons module from a 24-hour traffic capture. The Fiesta traffic has been detected as a very strong beacon signal of 99.30%.

In the green highlighted box is the beacon timing showing the number of connections of each interval of time in seconds. Here we can see the tight cluster of communications timing from 31 second intervals down to 27 second intervals. Viewing the traffic in a graph like this, we can clearly see the jitter that has been introduced into the timing of a deviation of 10%. This jitter could be just enough to spoof some detection tools that are looking for very rigid timing patterns. These consistent clusters of connection timings, even with some jitter, are evidence of programmed machine communications.

In the red highlighted box are the number of connections per hour (each blue block is a one-hour time frame). The consistency of the number of connections per hour is a tell-tale indicator of non-human behavior. Notice the flatness and uniformity of the hourly histogram. Normal users’ traffic will be much more random in nature and would display greater peaks and valleys in the graph over time.

 

Switching to the connections Data Size view (shown in the green highlighted box above), we can immediately see that the majority of communications are the same data size. For this sample, we have 8859 connections with 689 byte payloads. This is obviously very uniform communications, such as a C2 channel “heartbeat” of checking in for marching orders or to maintain persistence. Normal users’ network communications will vary greatly in data size. The data size analysis is confirming these are programmed communications to be investigated.

 

The same beacon analysis can be performed using our open-source framework, RITA ( RITA information and download page (free) ). RITA detected the Fiesta sample traffic as a strong threat, giving it a score of 0.993 (99.3% beacon probability). The network RITA is analyzing in the screenshot above is our malware lab and the Fiesta sample is currently listed as the #1 threat.

 

Capture Files

Because… PCAPs, or it didn’t happen. 😊

The following PCAP files are packet captures taken from our lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.

Fiesta 1 Hour Capture
fiesta_1hr.pcap (served by Dropbox)
Size: 1.44 MB
MD5 Checksum: e5b653a19d19c060ec0ad5ed5f5e23f6

Fiesta 24 Hour Capture
fiesta_24hr.pcap (served by Dropbox)
Size: 81.3 MB
MD5 Checksum: df85870ab2f93de105db66e9f03bd1f3

 

Discussion

Want to talk about this or anything else concerning threat hunting? Want to share how good (or bad) other detection tools were able to detect this Fiesta sample?

Join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.

 

Additional Resources

https://otx.alienvault.com/pulse/54d99f9811d4082833472e37

https://www.zscaler.com/blogs/research/fiesta-exploit-kit-live-infection

 

Until the next!

 

 

Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
What We’re up To
Archives