Malware of the Day – Malware Techniques: Data Exfiltration or Forcing a Host to Play Thunderstruck As Loud As Possible
What is Malware of the Day?
Malware of the Day: Malware Techniques: Data Exfiltration or Forcing a Host to Play Thunderstruck As Loud As Possible
Malware: SILENTTRINITY Powershell Stageless Stager
Traffic Type: Generic
Connection Type: HTTPS/SSL
C2 Platform: SILENTTRINITY
Origin of Sample: https://github.com/byt3bl33d3r/SILENTTRINITY
Host Payload Delivery Method: Powershell Stageless Stager
Target Host/Victim: 10.0.0.62 – Windows 10 x64
C2 Server: 220.127.116.11
Beacon Timing: 30s
This week we are exploring the question “What can analysis of my network tell me about whether my data is being stolen?”
In this demonstration we are experimenting with SILENTTRINITY as our C2 channel. SILENTTRINITY is an open source project written in Boolang and Python, which has a lot to offer. On the quest to answer our question of utmost importance, we will first take a detour and investigate some of this C2 framework’s interesting features.
SILENTTRINITY has a team-server architecture similar to Cobalt Strike. Multiple clients can connect at once, making it useful for team operations. In addition, it comes with a comprehensive set of default modules including invoking mimikatz, credential theft, etc. One interesting little gem we found is the ability to force the victim machine to play any audio from an embedded YouTube URL.
How did we get to playing Thunderstruck at full volume?
The initial implant was delivered via a powershell stageless stager. “Stageless” means the entire payload is delivered all at once, in this case, a boolang interpreter was embedded directly into powershell. Once the client has connected back, the exploit process is as simple as running the Thunderstruck module with default parameters. (Warning: For those looking to evade detection as part of a red team exercise, I strongly advise against using this feature!). Running the module not only plays the song at full volume through the victims speakers but also prevents manual audio adjustment. Our preliminary tests show that if you test this module late at night your roommates may never forgive you. 🙂
Now… onto the important stuff…
The above screenshot is taken of the AC-Hunter Beacons module from a 24-hour traffic capture of SILENTTRINITY. The timing graph highlighted on the bottom shows the number of connections being made each hour. We can see it has extremely consistent connections and very little jitter has been introduced.
The highlighted graph on the right shows the number of connections per given time interval. Here we see that the host was consistently connecting outward at 30 second intervals. Another noteworthy thing here is the row of connections on the bottom spread out over a larger interval. This on its own does not give us a lot to work off of, but it could be a clue that the C2 channel is not just hanging out doing nothing.
Switching to the data size view things get more interesting once again. On the far left-hand side we see the heartbeat signal as expected. Beacon connections will typically be of a low data size (in this case 40 bytes) because the client is just checking in, asking for commands, not getting any, and then going back to sleep. (If only all our jobs were that easy…) Here we also see a cluster of connections with much larger payloads on the right. Hovering over the bar with your mouse shows there were several hundred connections made with approximately a 124Kb payload. This is our primary indicator of Data Exfiltration defined by MITRE.
We can utilize the overview on the Deep Dive screen to see more of the connection details. The total outbound bytes (going from the internal system to the suspicious server) is 36.72Mb. This is not “a lot” per se, but definitely a non-trivial amount.
For perspective, here are some example common file sizes:
- Average size of a webpage is ~< 2MB
- PDFs/text documents are typically under 1MB
- A 5 minute mp3 file of Thunderstruck is around 7MB
A similar analysis can also be done using an open-source tool such as RITA.
The screenshot above is generated using RITA’s html-report feature. We can see our C2 server at the top of the list with a beacon score of 89% along with the average and total bytes transferred between the two hosts. Total Bytes gives us the total number of bytes transferred bi-directionally, (Inbound and outbound). By looking at the Size Range we can determine that some packets contained much more data than others.
We can now conclude that files/data were exfiltrated from the host to the external server. It happens to be the case that the files were broken into smaller chunks before being sent outward. According to MITRE ATT&CK, once an adversary has collected data, they will often package it to avoid detection while removing it. This can include limits on data rate, compression and encryption, etc. What we see here, Exfiltration Over C2, is a common method and is recognized as MITRE sub-technique T1041. Since this C2 channel communicated over SSL, it is impossible to see exactly what was being transferred, only how much.
Lastly, one final note on data analysis – It’s always important to understand the data your tools are giving you. AC-Hunter and RITA are showing us activity in 24 hour chunks. Depending on how long an adversary has been in your network and/or how hard they’re trying to hide their tracks, the actual data exfiltrated could be much more (but not less) than what is shown here.
As always, we encourage you to download the PCAP files and analyze them in a program/tool of your choosing. The tool SILENTTRINITY also stands out to us for many reasons, including but not limited to its file downloader, which is much more stable than that of other tools we have run.
Because… PCAPs, or it didn’t happen. 😊
The following PCAP files are packet captures taken from the same lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host. The PCAPs are safe, standard PCAP files and do not include any actual malware.
SILENTTRINITY 1 Hour Capture
silenttrinity_1hr.pcap (served by Dropbox)
Size: 859 KB
MD5 Checksum: b680378c6006d3f2a2a048dbe844c54a
SILENTTRINITY 24 Hour Capture
silenttrinity_24hr.pcap (served by Dropbox)
Size: 56.68 MB
MD5 Checksum: 2666eed97472e1d42d37a8299d390ac2
Want to talk about this or anything else concerning threat hunting? Want to share how good (or not so good) other detection tools were able to detect this sample?
You are welcome to join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.
A special thanks to Marcello Salvati (@byt3bl33d3r) for creating SILENTTRINITY and for just being an awesome guy.
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Hannah joined Active Countermeasures as an intern in 2020. She is currently a graduate student at the University of Utah.