Malware of the Day – Orangeworm

What is Malware of the Day?

Lab Setup

Malware: Orangeworm

AKA: Using the Kwampirs Trojan family (Trojan.Kwampirs)

Traffic Type: Crimeware

Connection Type: Reverse HTTPS

C2 Platform: SCYTHE

Origin of Sample: https://github.com/scythe-io/community-threats/blob/master/Orangeworm/Orangeworm_scythe_threat.json

Host Payload Delivery Method: Executable (EXE)

Target Host/Victim: 192.168.99.52 – Windows 10 x64

C2 Server: 35.221.46.24

Beacon Timing: 45s

Jitter: 40%

Brief

Our focus is on identifying and detecting network beaconing behavior. We are using AI-Hunter/RITA as our network threat and C2/beacon detection platform to visualize the network traffic generated from running the Orangeworm malware replication. We encourage you to download and use the PCAP files included in the next section to analyze these files independently using your preferred threat hunt platform to test your detection capabilities.

This week we are stepping up the difficulty of detection a bit, thanks to the fine folks at SCYTHE.

[Screenshot: AI-Hunter Beacons module, 24-hour capture]

The above screenshot is taken from the AI-Hunter Beacons module over a 24-hour traffic capture. The Orangeworm traffic has been detected as a strong beacon signal, scoring 91.50%.

In the green highlighted box is the beacon timing, showing the number of connections at each interval of time in seconds. Here we can see a broad cluster of connection timings from 27-second intervals up to 46-second intervals. Viewing the traffic in a graph like this, we can clearly see the jitter that has been introduced into the timing: a deviation of 40% from the 45-second base interval. This considerable amount of jitter will most likely evade beacon detection tools that look for very rigid timing patterns. These consistent clusters of connection timings, even with this aggressive jitter, are evidence of programmed machine communications.

In the red highlighted box is the number of connections per hour (each blue block is a one-hour time frame). The consistency of the number of connections per hour is a tell-tale indicator of non-human behavior. Notice the flatness and uniformity of the hourly histogram. Even with an aggressive 40% jitter on our Orangeworm beacon timing, note how the jitter normalizes out when viewing hourly chunks over an extended period of time. Normal users’ traffic is much more random in nature and displays greater peaks and valleys in the graph over time.

[Screenshot: AI-Hunter Beacons module, connections Data Size view]

Switching to the connections Data Size view (shown in the green highlighted box above), we can immediately see that the majority of communications are the same data size. For this sample, we have 6105 connections with 1449-byte payloads. These are clearly uniform, structured communications, such as a C2 channel “heartbeat” checking in for marching orders or maintaining persistence. Normal users’ network communications vary greatly in data size. This data size analysis confirms that these are programmed communications that should be investigated.

[Screenshot: RITA beacon analysis of the malware lab network]

A similar beacon analysis can be performed using our open-source framework RITA (see the RITA information and download page; RITA is free). RITA detected the Orangeworm sample traffic as a strong threat, giving it a score of 0.915 (91.5% beacon probability). The network RITA is analyzing is our malware lab, and the Orangeworm sample is currently listed as the #1 threat.
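As an added example (not code from this post, AI-Hunter or RITA), here are the three tells walked through above, the interval clustering, the flat hourly counts and the uniform data sizes, scored over constructed connection records; the constructed beacon uses the lab's 45-second period, 40% jitter and 1449-byte size, and the equal-weight scoring is a simplified assumption, not RITA's algorithm.

```python
import random
import statistics
from collections import Counter

# Constructed connection records, not the PCAPs from this post: (timestamp in seconds,
# bytes per connection), as a Zeek conn.log or Wireshark conversation list would give.
def constructed_beacon(period=45.0, jitter=0.40, hours=24, size=1449, seed=1):
    rng, t, conns = random.Random(seed), 0.0, []
    while t < hours * 3600:
        conns.append((t, size))
        t += period * (1.0 + rng.uniform(-jitter, jitter))   # 45s +/- 40% -> 27..63s
    return conns

def constructed_human(hours=24, seed=2):
    rng, t, conns = random.Random(seed), 0.0, []
    while t < hours * 3600:
        conns.append((t, rng.randint(200, 60000)))            # sizes all over the place
        t += rng.expovariate(1 / 45.0)                        # bursty, Poisson-like gaps
    return conns

def interval_histogram(conns):
    """The green box: how many connections occurred at each whole-second interval."""
    ts = [t for t, _ in conns]
    return Counter(round(b - a) for a, b in zip(ts, ts[1:]))

def interval_score(conns):
    """Timing regularity: low Bowley skewness and a small MAD relative to the
    median interval both push the score towards 1 (simplified, RITA-inspired)."""
    iv = sorted(b - a for (a, _), (b, _) in zip(conns, conns[1:]))
    q1, q2, q3 = (iv[len(iv) * k // 4] for k in (1, 2, 3))
    skew = 0.0 if q3 == q1 else abs((q3 + q1 - 2 * q2) / (q3 - q1))
    mad = statistics.median(abs(x - q2) for x in iv)
    return ((1 - skew) + (1 - min(mad / q2, 1.0))) / 2

def hourly_score(conns):
    """The red box: flat per-hour counts (low coefficient of variation) score high."""
    counts = list(Counter(int(t // 3600) for t, _ in conns).values())
    return max(0.0, 1 - statistics.pstdev(counts) / statistics.mean(counts))

def size_score(conns):
    """Data Size view: share of connections carrying the most common byte count."""
    sizes = Counter(s for _, s in conns)
    return sizes.most_common(1)[0][1] / len(conns)

def beacon_score(conns):
    """Equal-weight blend of the three tells (an assumption, not RITA's formula)."""
    return (interval_score(conns) + hourly_score(conns) + size_score(conns)) / 3
```

Compare beacon_score(constructed_beacon()) with beacon_score(constructed_human()): the jittered beacon still scores well above the Poisson-style human traffic, for the same reason the hourly histogram above stays flat.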


Capture Files

Because… PCAPs, or it didn’t happen. 😊

The following PCAP files are packet captures taken from our lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.

Orangeworm 1 Hour Capture
orangeworm_1hr.pcap (served by Dropbox)
Size: 1.83 MB
MD5 Checksum: 06ca27218618783213740bdad9ee23f0

Orangeworm 24 Hour Capture
orangeworm_24hr.pcap (served by Dropbox)
Size: 255 MB
MD5 Checksum: ad23fb7ca96e0967999405edee370704

Discussion

Want to talk about this or anything else concerning threat hunting? Want to share how good (or bad) other detection tools were able to detect this Orangeworm sample?

Join our Discord server titled “Threat Hunter Community” to discuss topics surrounding threat hunting. We invite you to join our server here.

Thanks

A special thank you to Jorge Orchilles, as well as Sean Sun, Adam Mashinchi and all the people behind the awesome SCYTHE platform for providing this Orangeworm malware sample and hosting the C2 server for this Malware of the Day.

Additional Resources

https://www.scythe.io/library/threatthursday-orangeworm

https://attack.mitre.org/groups/G0071/

https://malpedia.caad.fkie.fraunhofer.de/actor/orangeworm

Until the next!
Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
