Investigating a malware attack using Binalyze AIR’s Investigation Hub
Tim Thorne : Tue, Nov 21, '23
Updated: 6th June 2024
Navigating through a common incident use case.
From the shadowed corners of cyberspace, a seemingly innocuous act such as the downloading of a zip file can set the stage for a personal or corporate cybersecurity catastrophe.
The background
This use case seeks to demonstrate and explore a malware attack that begins with just such an event, an act that triggers a chain of malevolent activities that may go unnoticed for a significant time and is never advantageous for the victims.
Such a problem could have been flagged by a detection system such as an EDR/XDR, or discovered as part of an automated and scheduled proactive health check carried out by Binalyze’s Automated Incident Response (AIR) platform.
AIR's integration with many common alert systems is a crucial feature, enabling the automation of evidence collection and analysis from your assets upon specific triggers. This functionality ensures that when you or your analysts begin the workday, the Investigation Hub is already populated, and ready to go with evidence collected and findings presented derived from our world-leading DRONE analyzers.
This evidence will have been gathered, will be forensically sound, thoroughly analyzed, and already prioritized for further investigation. This seamless and always ready-to-respond 24/7 operation enhances efficiency, speeding up mean times to resolution and ensuring that critical analysis is underway well before any manual intervention is needed.
Collection and automated analysis
AIR's lightning-fast and comprehensive evidence-acquisition capabilities mark the initial phase of the response, swiftly and automatically collecting digital evidence based on predefined profiles from assets.
AIR’s automated evidence analyzers (DRONE) assume a pivotal role. They meticulously scan the assets with the MITRE ATT&CK Analyzer and also evaluate the collected evidence with the other bespoke analyzers. In the example case discussed in this blog, we will see how our compromise assessment acquisition profile and DRONE analyzers immediately draw our focus to the root cause of this incident: 'invoice.zip' is identified in the Temp directory as the critical ‘detonation point’ for the attack.
This process provides robust decision support, ensuring a thorough and timely review of crucial evidence. This foundation enables the most effective forensic investigation possible.
In the Investigation Hub dashboard, within a matter of minutes, we see the overview of our case. We can clearly and immediately see that the Win10-002 asset has significant issues.
Of immediate concern are the 9 findings marked as High severity and revealed in the Findings page for the compromise assessment run on WIN10-002:
We can, without even navigating to any other view, see that malware protection was disabled and the Binalyze DFIR Lab analyzers have identified the presence of the Havoc Framework - but more on that later as we’ll now take a structured walk through one possible workflow for an analyst to follow.
Let's start by taking a look at those high findings in a bit more detail, and sure enough we can immediately see that ‘invoice.exe’ makes its first appearance:
When we hover the mouse above the ‘No Digital Signature’ entry, 4 reasons why this item has been highlighted as high are displayed:
- No digital signature was found.
- The Registry Key name (114) is all in numbers - this is unusual.
- The location is ‘rare’ - an executable running in the Temp folder is unusual.
- This happened at a time super-relevant to our investigation.
Clearly, we need to dig deeper and establish exactly what has occurred here and then remediate, perhaps with interACT, AIR’s remote shell capability, and then check all other assets using AIR’s triage capability and automated analyzers.
Unraveling the Attack in Investigation Hub with MITRE ATT&CK
Another investigation methodology is to allow yourself to be guided by AIR’s integration of MITRE ATT&CK framework mapping. In this case, we can delve into the digital debris highlighted in the Investigation Hub mapped by MITRE ATT&CK based on adversary tactics, techniques, and procedures from real-world observations allowing us to trace the malware's lifecycle from deployment to discovery.
MITRE ATT&CK Tactics - Initial Access
Four items are highlighted and mapped to the MITRE ATT&CK tactic: Initial Access. When inspected we can see that the four entries point to password-protected zip files currently residing in the recycle bin, as indicated by the file names $RKEZQSR.zip, $R9EYK9E.zip, and the file path.
These files have been allocated a Finding: Rule: Password_protected_ZIP (author: Binalyze DFIR Lab).
When you select a Finding in the Details window, hash values are available. These hashes can be entered into the global search box of the Investigation Hub to see if it is known anywhere else in this case. Searching the hashes here reveals matches in the Event Records Lists:
Inspection of the Event Records List quickly reveals that Microsoft Edge was used to download a file named ‘invoice.zip’ on 2023-10-21 at 08:59:39 into C:\Users\john\Downloads. This is the file we identified in the recycle bin, so we can put a name to it now:
So, within just a few minutes we have potentially identified the root cause of the attack and how initial access was achieved.
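A finding such as Password_protected_ZIP can be reproduced from ZIP metadata alone, because bit 0 of each entry's general-purpose flag marks the entry as encrypted. The sketch below is an added example, not Binalyze's rule or code from this post; the function names and the in-memory sample archive are constructed for illustration, and ZIP64 archives are assumed out of scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
FLAG_ENCRYPTED = 0x0001    # general-purpose flag bit 0: entry is encrypted


def encrypted_entries(data: bytes) -> list[str]:
    """Return names of entries whose central-directory flags mark them encrypted."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # At EOCD+10: total entries (2), central directory size (4) and offset (4).
    total, _cd_size, offset = struct.unpack_from("<HII", data, eocd + 10)
    hits = []
    for _ in range(total):
        if data[offset:offset + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, offset + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, offset + 28)
        name = data[offset + 46:offset + 46 + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            hits.append(name)
        offset += 46 + name_len + extra_len + comment_len  # next header
    return hits


def make_sample(mark_encrypted: bool) -> bytes:
    """Constructed sample: a tiny in-memory ZIP, optionally with bit 0 set on its entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "constructed sample content")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = raw.find(CDIR_SIG)
        flags = struct.unpack_from("<H", raw, cd + 8)[0]
        struct.pack_into("<H", raw, cd + 8, flags | FLAG_ENCRYPTED)
    return bytes(raw)
```

Because only headers are read, the check works on archives whose password is unknown, which is the usual situation when a file like this is recovered from a recycle bin.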
MITRE ATT&CK Tactics - Execution - Command and Scripting Interpreter - T1059:
Cyber adversaries will misuse script and command-line interfaces, such as the Unix shell in macOS and Linux, or the Windows Command Shell and PowerShell, to execute malicious operations on nearly any platform.
When we click on the Command and Scripting Interpreter MITRE ATT&CK technique, the Investigation Hub filters on T1059 and 3 medium severity Findings are presented which warrant further investigation.
‘Anti_defender.bat’ has been identified as an issue for us as it’s a ‘.bat’ file that is running from a suspicious location:
Within a few seconds, an AIR triage task can be sent hunting using the identified hash to search for matching files across all other assets. This action is taken after confirming with VirusTotal that the hash represents a potential threat:
MITRE ATT&CK Tactics - Persistence
Having found a way in, staying there will now be high on the attacker's objectives, and in our case, three methods of doing just that stand out:
- To protect its presence, the malware established an ‘autorun registry key’ (not too cunningly hidden in our example) named 'aaa', signaling its intention to establish a permanent foothold on this new host:
- To further achieve a permanent presence, attackers may establish or alter Windows services to persistently run the malicious code. These services, which are programs that execute background tasks, are launched automatically by Windows during startup. In our case, the service '114' was created to do exactly that by launching ‘invoice.exe’ after every restart.
- Another common tactic from attackers is to create their own permanent user account, truly embedding in the victim's environment, and in our case, DRONE has identified, and mapped to MITRE ATT&CK, such an account with the user name ‘abx’:
MITRE ATT&CK Tactics - Privilege Escalation - TA0004
Privilege Escalation involves attackers using methods to obtain higher access rights on a system or network. Typically, attackers start with basic access and seek greater privileges to achieve their goals, exploiting vulnerabilities or system misconfigurations.
Elevated privileges can range from SYSTEM/root access to a local administrator or user accounts with admin-level permissions or rights to specific systems or functions.
MITRE ATT&CK Tactics - Defense Evasion - TA0005
Defense Evasion involves strategies by attackers to evade detection, such as disabling security tools, cloaking data, and mimicking legitimate processes to conceal malware. Techniques that also undermine defenses are additionally cataloged under this category:
Our incident unfolds with the deceptive simplicity of a downloaded file named 'invoice.zip'. This was a password-protected file which, as a ‘digital Trojan horse,’ was concealing dual ‘agents of chaos’:
As identified here by a Binalyze DFIR Lab rule, the executable 'invoice.exe' was actually a potent command and control mechanism borne from the Havoc Framework, often used as a red-teaming tool.
The second element of our Trojan horse was 'anti-defender.bat' which in this case was a script engineered to stop Windows Defender's safeguards. These seemingly mundane files can lie in wait in unusual directories such as the C:\Windows\Temp directory, poised to orchestrate a symphony of destruction!
MITRE ATT&CK Tactics - Credential Access - OS Credential Dumping
Attackers target ‘lsass.exe’, a crucial Windows process, to extract NTLM hashes, the cryptographic format for storing Windows user passwords. These hashes are essential for Windows authentication and are used in various communication protocols.
Clicking on ‘OS Credential Dumping’ filters the listing in our case to show that this activity has indeed been used here:
The goal of credential dumping from ‘lsass.exe’ is to acquire NTLM hashes, which can be decrypted using tools like Mimikatz to reveal plaintext passwords. This poses a significant security risk as it allows attackers to bypass the need for actual passwords.
The details window for the entry above confirms that ‘invoice.exe’ is indeed launching ‘lsass.exe’:
NTLM hashes are stored in the Security Account Manager (SAM) on local machines. Access to them enables attackers to move laterally within a network, access sensitive information, and increase their access privileges.
MITRE ATT&CK Tactics - Discovery - TA0007
At this stage the attacker is probing your system and network to gather information, using discovery techniques that often leverage built-in OS tools. This intelligence-gathering step helps them map out the environment and plan their subsequent actions.
The attacker now has a foothold that allows them to deploy SharpHound and with the help of a beacon cloaked as 'Sp.exe', the malware now embarks on a cartographic mission, mapping the network's Active Directory landscape in search of new domains to compromise.
SharpHound is a data-collecting tool from the well-known BloodHound toolset, used by red teamers to simulate attacks, and for defenders to identify and mitigate potential paths of compromise within AD infrastructures.
They are particularly useful for understanding complex permission structures and uncovering attack routes that would otherwise be difficult to detect through manual analysis.
‘Sp.exe’ is also clearly associated with our bad actor and when searching on that filename in the Global Search you’ll find plenty of evidence of its activity throughout the system:
These search hits will take the investigator to any part of the system where there is further evidence of sp.exe’s activity. And below it was already marked with a High Finding when discovered by DRONE in the prefetch file:
- The file was only executed once.
- It happened at a super-relevant time.
- The entropy is suspiciously high.
- The location from where it ran is ‘rare’.
- And the file name is unusually short.
A Forensic Deep Dive
All of the above investigative activity demonstrated how we use AIR’s Investigation Hub to dissect the attacker's movements through an infected asset. This is just one way to progress your investigation; now we will look at another way in which you can exploit the Investigation Hub.
Each piece of evidence can then be methodically examined, utilizing reliable references like VirusTotal to ascertain the capability of the artifacts revealed by DRONE in the Investigation Hub.
In the secondary menu of the Investigation Hub, DRONE’s findings are also highlighted with a colored badge and count number, making it easy for investigators to focus on this additional investigative route.
Let's look at some such hits in this case remembering that it’s often impossible for attackers to remove their footprints from these system areas.
SRUM Application Resource Usage
As seen below the Investigation Hub provides the ability, with surgical precision, for investigators to navigate many forensically sound artifacts such as the SRUM (System Resource Usage Monitor) database. In this case, having identified ‘invoice.exe’ as important, some keyword matches have been identified by DRONE in SRUM.
This SRUM data helps us establish when ‘invoice.exe’ was run and which account it was run by.
Processes
In this case, we can see that there are 4 items highlighted as Findings by the Investigation Hub for us to investigate:
In the Details/TCP window for one of these flagged processes the remote IP address for this suspicious process is displayed - so now we may have identified how and from where the attacker is operating on our system:
Prefetch Parsed
The Prefetch file can be a great source of information to support investigations, used by the system to speed up performance by preloading commonly used applications; it can be used in DFIR to track when and from where any applications were launched.
In our case, this High finding gives us evidence that ‘SP.exe’ was launched, and DRONE is telling us that there is plenty to be suspicious about with this activity:
- No digital signature was found.
- The file was only executed once.
- It happened at a super-relevant time.
- The entropy is suspiciously high.
- The location from where it ran is ‘rare’.
- And the file name is unusually short.
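The reasons listed here, and the similar list shown earlier for ‘invoice.exe’, are each simple to compute once the execution artifact has been parsed. The following added example (not DRONE's logic, and not code from this post) evaluates them for one artifact; the thresholds, directory list, field names and both sample records are assumptions constructed for illustration, and the time-relevance check is left out.

```python
import math
from collections import Counter
from dataclasses import dataclass
from ntpath import basename, splitext  # Windows path rules on any OS

RARE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")  # assumed list
ENTROPY_LIMIT = 7.2  # bits per byte; assumed cut-off for packed or encrypted content
SHORT_STEM = 2       # assumed: a stem of 1-2 characters is "unusually short"


@dataclass
class ExecArtifact:
    path: str           # full path of the executed file
    run_count: int      # e.g. the run counter parsed from Prefetch
    signed: bool        # outcome of a signature check performed elsewhere
    content: bytes      # file bytes used for the entropy estimate
    key_name: str = ""  # autorun key or service name that launches it, if any


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_reasons(a: ExecArtifact) -> list[str]:
    """Return the reasons, in a fixed order, that make this artifact stand out."""
    stem = splitext(basename(a.path))[0]
    checks = [
        (not a.signed, "no digital signature"),
        (a.run_count == 1, "executed only once"),
        (shannon_entropy(a.content) > ENTROPY_LIMIT, "high entropy"),
        (any(d in a.path.lower() for d in RARE_DIRS), "rare location"),
        (len(stem) <= SHORT_STEM, "unusually short file name"),
        (a.key_name.isdigit(), "all-numeric key or service name"),
    ]
    return [label for hit, label in checks if hit]


# Constructed sample records (not evidence from the case in this post).
SUSPICIOUS = ExecArtifact(r"C:\Users\john\AppData\Local\Temp\sp.exe", 1, False,
                          bytes(range(256)) * 16)
BENIGN = ExecArtifact(r"C:\Windows\System32\notepad.exe", 37, True,
                      b"MZ" + b"\x00" * 4094)
```

No single reason is conclusive on its own; the value for triage comes from several of them firing on the same artifact.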
Registry - App Compat Cache
Also known as the Shim Cache, this contains details of program execution, and its backward-compatibility function gives it the name ‘App Compat’ (Application Compatibility). This cache is one of those areas where the attacker will struggle to hide their activities.
In our case, we can see that one of the entries for App Compat Cache is marked as relevant and shows how the attacker ran ‘whoami’ in the command line as part of their reconnaissance activities.
Amcache
For DFIR, Amcache entries are crucial as they log executed programs, providing timestamps, file paths, and hashes, all of which are key for tracing malicious activity and building event timelines, even when other traces may have been removed.
This means we can find evidence of ‘invoice.exe’ and its SHA-1 hash value. Tracking this SHA-1 on this system or others after using AIR to triage for the presence of the hash will help to identify and contain any compromise.
Collaborative endeavor
The Investigation Hub's collaborative framework enables a concerted effort among a group of analysts and responders. Findings are shared, strategies are formulated, and the collective intelligence of the team is harnessed to work the case and remediate the attack with speed and accuracy.
Toward remediation and future defense
Using Binalyze AIR's Investigation Hub, incident response teams can analyze intelligence to remove attackers from compromised assets. The Investigation Hub also helps teams move quickly from analysis to action, shortening investigation times and allowing them to eliminate threats, recover systems, and strengthen defenses, all powered by AIR's automated analysis features.
The convergence of technology and methodology
This use case highlights how Binalyze AIR’s Investigation Hub, paired with DRONE's automated analysis and tactical insights, simplifies the complex process of analyzing a sophisticated malware attack.
It showcases the power of the AIR platform's user-friendly design, which supports a systematic and collaborative investigative operation, accessible to a mixture of skill levels within any DFIR team.
To learn more about how AIR’s Investigation Hub could help with your reactive and proactive incident response use cases you can contact us today or try it for yourself.