008. How Stealthy is Installation of an Advanced Backdoor?

Hello everyone! Yesterday I checked a fresh report by Kaspersky on the EAGERBEE backdoor, which has potential connections with the CoughingDown threat group.

So, we already talked a bit about how noisy APT groups are in reality and how easy it is to detect malicious activity if you really want to, and this backdoor is another great example.

Let's look at the installation routine described in the report. First of all, to hamper forensic analysis, the adversary leverages the timestomping technique, abusing PowerShell (the variable names $d and $f in the one-liner are placeholders; the report's exact names are not preserved here):

powershell.exe -Command "$d='1/8/2019 9:57'; $f='C:\users\public\ntusers0.dat';(Get-Item $f).creationtime = $d;(Get-Item $f).lastaccesstime = $d;(Get-Item $f).lastwritetime = $d"

Remember, PowerShell can be used to solve hundreds of tasks during the attack lifecycle, so make sure you have detection analytics for timestomping, for example for assignments to CreationTime, LastAccessTime and LastWriteTime in PowerShell command lines. Note that all three timestamps are set to the same old value here, which is itself a signal: legitimately aged files rarely have identical creation, access and write times.

Another technique used during the installation routine is changing file attributes to hide the dropped files, abusing attrib.exe (+s +h marks them as system and hidden, so they disappear from default Explorer and dir views):

attrib.exe +s +h +a C:\users\public\ntusers0.dat

attrib.exe +s +h +a system32\tsvipsrv.dll

Also, note that the first malicious file (EAGERBEE itself) is located in the Public folder, which is very often used to store malware. And, of course, masquerading: the malicious file name resembles the NTUSER.DAT registry hive. The second file, the loader, is masqueraded to look like a legitimate DLL in System32.

To exploit the DLL hijacking and execute the loader, the adversary abuses net.exe to stop and restart the SessionEnv (Remote Desktop Configuration) service, which loads the planted tsvipsrv.dll, and uses sc.exe to configure the service to start automatically, making the malware persistent on the compromised system:

net.exe stop sessionenv

cmd.exe /c "sc config sessionenv Start= auto"

net.exe start sessionenv
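The three steps above (timestomping, attribute hiding, service bounce) are individually noisy, but the real value is in correlating them on the same target. Here is an added detection example written for this post, not code from Kaspersky or the EAGERBEE report: it runs simple command-line analytics over constructed Sysmon Event ID 1 style records that replay the installation routine plus two benign commands, resolves the PowerShell variable indirection so the timestomped path can be matched against the attrib target, and raises verdicts only when the techniques line up. The $d/$f variable names, the event fields and the verdict wording are my assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry. The
# command lines reproduce the EAGERBEE installation steps from the Kaspersky report;
# the $d/$f variable names in the PowerShell one-liner are an assumption (the report's
# names are not preserved in this post). Records 7-8 are benign noise that must not fire.
SAMPLE_EVENTS = [
    {"seq": 1, "image": "powershell.exe",
     "cmd": 'powershell.exe -Command "$d=\'1/8/2019 9:57\'; $f=\'C:\\users\\public\\ntusers0.dat\';'
            '(Get-Item $f).creationtime = $d;(Get-Item $f).lastaccesstime = $d;'
            '(Get-Item $f).lastwritetime = $d"'},
    {"seq": 2, "image": "attrib.exe", "cmd": "attrib.exe +s +h +a C:\\users\\public\\ntusers0.dat"},
    {"seq": 3, "image": "attrib.exe", "cmd": "attrib.exe +s +h +a system32\\tsvipsrv.dll"},
    {"seq": 4, "image": "net.exe", "cmd": "net.exe stop sessionenv"},
    {"seq": 5, "image": "cmd.exe", "cmd": 'cmd.exe /c "sc config sessionenv Start= auto"'},
    {"seq": 6, "image": "net.exe", "cmd": "net.exe start sessionenv"},
    {"seq": 7, "image": "powershell.exe",   # reads a timestamp, does not write it
     "cmd": 'powershell.exe -Command "(Get-Item C:\\temp\\report.txt).LastWriteTime"'},
    {"seq": 8, "image": "attrib.exe", "cmd": "attrib.exe -r C:\\temp\\report.txt"},  # no +h/+s
]

# $name='literal' assignments, used to resolve the variable indirection in the one-liner
PS_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
# assignment (not read) of a FileSystemInfo timestamp property: the timestomp signal
TIMESTOMP_RE = re.compile(
    r"\(\s*Get-Item\s+(?P<path>[^)]+)\)\.(?:creationtime|lastwritetime|lastaccesstime)\s*=", re.I)
ATTRIB_RE = re.compile(r"\battrib(?:\.exe)?\b(?P<flags>(?:\s+[+-][a-z])+)\s+(?P<path>\S+)", re.I)
SC_AUTO_RE = re.compile(r"\bsc(?:\.exe)?\s+config\s+(?P<svc>\S+)\s+start=\s*auto\b", re.I)
NET_SVC_RE = re.compile(r"\bnet(?:\.exe)?\s+(?P<verb>stop|start)\s+(?P<svc>\S+)", re.I)


def scan_event(ev):
    """Return sorted, de-duplicated (technique, target) hits for one process-creation event."""
    cmd, hits = ev["cmd"], set()
    ps_vars = dict(PS_ASSIGN_RE.findall(cmd))
    for m in TIMESTOMP_RE.finditer(cmd):
        raw = m.group("path").strip()
        # resolve "$f" to the literal path so it can be correlated with the attrib target
        target = ps_vars.get(raw[1:], raw) if raw.startswith("$") else raw.strip("'\"")
        hits.add(("timestomp", target.lower()))
    m = ATTRIB_RE.search(cmd)
    if m:
        flags = m.group("flags").lower()
        if "+h" in flags and "+s" in flags:  # hidden + system: invisible in default views
            hits.add(("hide_attrib", m.group("path").lower()))
    m = SC_AUTO_RE.search(cmd)
    if m:
        hits.add(("svc_autostart", m.group("svc").lower()))
    m = NET_SVC_RE.search(cmd)
    if m:
        hits.add(("svc_" + m.group("verb").lower(), m.group("svc").lower()))
    return sorted(hits)


def correlate(events):
    """Group hits by target across the stream and emit verdicts only when techniques line up."""
    by_target, per_event = defaultdict(set), {}
    for ev in events:
        per_event[ev["seq"]] = scan_event(ev)
        for tech, target in per_event[ev["seq"]]:
            by_target[target].add(tech)
    bounced = [t for t, techs in by_target.items() if {"svc_stop", "svc_start"} <= techs]
    verdicts = []
    for target, techs in by_target.items():
        if {"timestomp", "hide_attrib"} <= techs:
            verdicts.append(f"implant staged: {target} timestomped then hidden (+s +h)")
        if techs == {"hide_attrib"} and target.endswith(".dll"):
            for svc in bounced:  # hidden DLL plus a service bounce is the hijack-loader pattern
                verdicts.append(f"probable DLL hijack: hidden {target} loaded by restarting service {svc}")
        if "svc_autostart" in techs and target in bounced:
            verdicts.append(f"service {target} set to autostart and bounced (persistence)")
    return per_event, sorted(verdicts)


if __name__ == "__main__":
    per_event, verdicts = correlate(SAMPLE_EVENTS)
    for seq, hits in per_event.items():
        print(seq, hits or "-")
    print(*verdicts, sep="\n")
```

Records 7 and 8 show where the precision comes from: reading LastWriteTime and clearing the read-only bit are everyday admin noise, so the rules key on the assignment operator and on the +h/+s combination rather than on the tool names alone. In production you would feed real Sysmon or 4688 command lines into scan_event and keep the per-target grouping, since that is what turns three low-severity alerts into one high-confidence installation chain.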

As you can see, the installation routine is quite noisy even for an advanced backdoor. You just need to know where to look!

See you tomorrow!
