Malware of the Day – Malware Techniques: Discovery and Information Gathering

What is Malware of the Day?

 

Lab Setup

“Malware”: Various Payloads Delivered via CALDERA

MITRE Tactics: TA0011 Command and Control, TA0007 Discovery, TA0009 Collection

Traffic Type: Generic

Connection Type: HTTP, TCP

C2 Platform: CALDERA

Origin of Sample: https://github.com/mitre/caldera

Host Payload Delivery Method: Powershell

Target Host/Victim: 10.0.0.60 – Windows 10 x64

C2 Server: 157.230.93.100

Beacon Timing: N/A

Jitter: N/A

 

Brief

Today our focus is on identifying the anomalous network behavior that results from an adversary snooping around our network. We are using AC-Hunter/RITA and BeaKer as our intrusion detection tools to examine traffic generated by the CALDERA software. CALDERA is an open-source C2 framework that makes it incredibly easy to automate and/or manually run a variety of exploits on a remote system.

In the early stages of a cyber attack it is essential for the adversary to get to know the layout of the digital landscape they have infiltrated. This includes discovering accounts and domain controllers, learning the details of the target’s network configuration, finding injectable processes, etc. Armed with this information, an adversary can make more educated decisions about how to act during the remainder of the engagement.

This phase of an attack and the techniques therein fall under the MITRE ATT&CK category of Discovery. The adversary will often use native operating-system tools (i.e. Powershell) to collect information and explore what they can control and exploit on the compromised host or within the surrounding network.

Here are several examples (among many) of what one can learn from some simple Powershell commands.

Discovering what antivirus software is running on the system:

This information helps the adversary with defense evasion and deciding which further exploits are most likely to be successful.

Discovering network and ISP information: (Collecting ARP details and reverse nslookup)

Permissions group discovery:

Gpresult displays information about the group policy objects to the machine and user. It displays details such as last time group policy was applied, which domain controller it ran from, and which security groups the user and computer is a member of. This information is valuable to an attacker since they can make better informed decisions about how to move around the network.

How can we tell if an adversary is engaging in this type of behavior?

Fortunately for us, in order for the adversary to obtain and make use of any information, they have to get that data from a compromised system over to their servers, which leaves a digital footprint. This most often happens over the internet although sending in a spy with a bag full of USB drives is also possible.

 

The screenshot above is taken from AC-Hunter’s long connections screen. The top result shows a connection to an external IP that was open for just under 24 hours. There are several obvious factors that make this connection suspicious:

• The persistence of the connection does not resemble human activity. Most user-created connections will not last more than a few hours.
• The connection goes directly to an IP address that does not appear to have an associated domain name. Human made HTTP requests will almost always be to a domain rather than IP (there will also typically be a DNS request present for that domain).

Switching to the second view in the AC-Hunter Long Connections tab shows us the total time two hosts were connected (all connections combined). It also shows the total bytes transferred between the hosts:

The amount of data transferred between the hosts (140Mb) is another indicator that this connection should be further investigated. At this point we have identified a potential threat and we can perform further forensic analysis to determine what the adversary might have been doing.

Our open-source tool RITA can also be used for a similar analysis. The screenshot above shows the results from running the command:

rita show-long-connections database-name -H

 

If BeaKer (pictured above) is installed on the local system we can use it to see which processes on the host machines are responsible for the connection in question. There appears to be a single executable file which, in this case, must be the stager for the command and control channel. We also see several instances of Powershell on our machine connecting to the machine in question. While Powershell itself is a legitimate program, it is both easy and common for attackers to abuse it. Powershell exploits are especially convenient because it is often trusted and not deeply monitored by most antivirus programs.

So how do we bridge the gap between finding a malicious network connection to determining it was on a discovery mission and collecting system information?

This can be a bit tricky, or sometimes impossible, depending on the network protocol and encryption method of the data. Previously we saw that this connection used the HTTP protocol. Since HTTP is a plain text protocol and we have the packet capture, we might be able to figure out what exactly was being sent over the wire depending on if the payloads were encrypted prior to transport.

 

In the screenshot above, we opened the PCAP in Wireshark and then filtered for the IP in question and the HTTP protocol. In the highlighted request we see a file named “181475_credstuffuserpass.txt” was posted to the server. Taking a look at the other requests may give us a clearer picture of what the adversary was doing, but this task we leave to you, the threat hunter to complete.

We encourage you to download and use the PCAP files included in the next section to analyze these files independently using your preferred threat hunt platform to test your detection capabilities.

 

Capture Files

Because… PCAPs, or it didn’t happen. 😊

The following PCAP files are packet captures taken from the same lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.

CALDERA Discovery 1 Hour Capture
caldera_discovery_1hr.pcap
Size: 119.48 MB
SHA256 Checksum: 793622CCFCF2FA4788C93B327C874A8A80A5C02576F7BEE9F8FF574103B22A03

CALDERA Discovery 24 Hour Capture
caldera_discovery_24hr.pcap
Size: 240.92 MB
SHA256 Checksum: E81FD13ECDCA3E01235E683806115A5E3189EEDE4739709BFBF7A40B2AE190F0

 

Discussion

Want to talk about this or anything else concerning threat hunting? Want to share how good (or not so good) other detection tools were able to detect this sample?

You are welcome to join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.