Incident Activity Report | Malware | JavaScript

My attempt at writing an incident activity report for the malware activity observed in the pcap file at http://www.malware-traffic-analysis.net/2014/12/08/index.html
Incident Activity Report
Date: 2017-06-01
Analyst: 0x776b7364

EXECUTIVE SUMMARY

On 8 December 2014 at 23:18 GMT, a user on the host 38NTRGDFQKR-PC (192.168.204.137) accessed www.excelforum.com via a Google search. This previously compromised website contained a malicious script tag which redirected the user's browser to other websites serving malicious active content (Flash, PDF, Silverlight and Java files). Unpatched vulnerabilities in the browser plugins present on the host allowed those websites to download and execute programs on the computer. The whole intrusion and infection sequence took about two minutes to complete. Based on the provided network traffic file, private or company information could potentially have been exfiltrated.

The organisation should:
• Consider encouraging or requiring users to use alternative browsers
• Encourage users to install browser add-ons/extensions such as NoScript to prevent potentially malicious scripts from loading automatically
• Ensure that endpoint protection software (such as antivirus) is installed and up to date
• Ensure that browser plugins (Flash, Adobe Reader, Silverlight, Java) are kept patched or are removed where not required
• Implement application whitelisting on Windows workstations
• Consider implementing a filtering web proxy / secure web gateway (such as F5 or Blue Coat) for outbound browsing.

TECHNICAL ANALYSIS

NetworkMiner was first used to get an overall picture of the contents of the included pcap file. From NetworkMiner, I obtained the following information:
• The large majority of the sessions originated from the host 192.168.204.137. This Windows host had the hostname '38NTRGDFQKR-PC' and the MAC address 00:0C:29:9D:B8:6D (a VMware OUI, consistent with the capture having been taken from a lab virtual machine).
• Later analysis would demonstrate that this is the host affected by the malicious JavaScript files.
• The 'Parameters' tab indicated that the User-Agent values for the host 192.168.204.137 were largely "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; ...". This indicates that the user was browsing with Internet Explorer 8 on Windows 7.
• A further User-Agent was observed: "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25". Later analysis would show that this User-Agent belonged to the Java plugin, driven by the malware, reaching out to malicious servers to download binary payloads.

Wireshark was then used to open the pcap file for analysis. The following display filter was used to isolate HTTP traffic to and from the affected host (equivalently, ip.addr == 192.168.204.137 && http):

(ip.src == 192.168.204.137 || ip.dst == 192.168.204.137) && http

From the display filter results, I concluded that the affected user first entered the search term "http://www.excelforum.com" into Google [frame 8], and then clicked on the result, which took him to http://www.excelforum.com (69.167.155.134:80) [frame 22]. Based on the 'Date' header in the HTTP response [frame 309], this event occurred on 8 December 2014 at 23:18:42 GMT.

The page included a <script> tag on line 127 with the following URL:
• http://magggitia.com/! 2#$=p4%p'dha&*3=96+,-9_1d8&9+to=_8*6t8o4#_ar&gi+a=85-r8cgd0s-%&t6+r=62

This causes the affected user's browser to perform an HTTP GET request to http://magggnitia.com (94.242.216.69:80) [frame 94]. The HTTP response was a JavaScript file which caused a redirect to the domain digiwebname.in (205.234.186.111:80). Although obfuscated, this JavaScript file had the 'gNUmtrTcEF' parameter value 'http://digi*am.i/6tpio/$o5#,*r;<3$'. The pcap file supported the hypothesis that the user was redirected to that URL [frame 1300]. This event occurred on 8 December 2014 at 23:20:09 GMT.

The response to the HTTP request to the digiwebname.in domain was an HTML file containing another set of obfuscated JavaScript code [frame 1340]. The obfuscated JavaScript code was isolated and copied to a REMnux installation for further analysis.
After patching the JavaScript code, and using the Rhino debugger and Google Chrome's V8 engine for debugging and analysis, I determined that this JavaScript code profiled the browser and its plugins, and then used the results to make HTTP GET requests to download further payloads. The relevant subsequent HTTP GET requests are listed below; the exploit files they returned were extracted to the examining system using Wireshark's Export Objects (HTTP) feature. Each entry maps the URL to the frames in which it was requested and served, the exported filename, and the SHA1 hash of the file:

• http://digiwebname.in/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94
  frames 1347 and 1360 > hyepksam259.swf > SHA1 4e8bdc5611f8ef8e6473bd38cc625341832b7d3
• http://digiwebname.in/6ktpi5xo/7d0d7c94be7afa7a5b0d525f0558080d0557035f0301090f0250085204510b0d;910
  frames 1414 and 1435 > buvyoem41.pdf > SHA1 15add2fdcd6f4ee6a16ae2c8557aaba8bf2943d3
• http://digiwebname.in/6ktpi5xo/39e112e34c7d1c884055130a0309540a010a560a05505508060d5d070200570a;4060531
  frames 1418 and 1444 > dszohrfb90.xap > SHA1 90208b3c149a01de487a64f469042326050da3d0
• http://digiwebname.in/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b
  frames 1977 and 1986 > syvwkahx581.jar > SHA1 59c07162d0c10658eec2298f19febfcb8275b25d

The SHA1 hashes were used as search terms in VirusTotal to confirm that all of the payloads are malicious and are recognized by most antivirus vendors.
The VirusTotal analysis further identifies that the SWF and JAR payloads exploit CVE-2014-0569 (Adobe Flash Player) and CVE-2012-0507 (Oracle Java) respectively. A search for these two exploits reveals that both are used by the RIG and Fiesta exploit kits (EKs). A blog post by Context Information Security [1] confirms that the pcap file captured a Fiesta EK incident, based on the unique way in which the malicious URLs were generated and the JavaScript code was obfuscated.

The files referenced above exploited vulnerabilities in browser plugins: Adobe Flash Player, Adobe Reader, Microsoft Silverlight and Java. Some or all of the plugins were exploited to download further encrypted payloads in frames 1596, 1757, 1961, 2139 and 2291 (these are shown with the MIME type 'application/octet-stream').

I used a script provided by Context Information Security [2] to decode the second set of obfuscated JavaScript code, and obtained the following URLs which were not present in the pcap file:
• http://digi*am.i/6tpio/22879d200ad460a060c0c07020000100c014090706000106060 (incompatible Flash version)
• http://digi*am.i/6tpio/69266c742d-809030-00d048060d040a010d0201070-030d0a000100d (incompatible Flash version)
• http://digi*am.i/6tpio/19a9c34c4c040ca04a0310aa0d0780460170a77a (missing or incompatible JavaFX)

Presumably, the JavaScript determined that these exploits did not match the installed browser plugins (missing or incompatible versions), and hence the downloads for these files were not triggered.
In future incidents, such URLs should be accessed from a sacrificial virtual machine (VM) over a dedicated connection in order to accurately assess the impact of such malware on the organisation's environment.

Each of the file format exploits (swf/pdf/xap/jar) dropped an encrypted binary onto the local filesystem. A script by user 0x3a [3] was used to decrypt the encrypted binaries, and all of the decrypted binaries resulted in the same SHA1 hash, dc54148d7b01c4ef6fe0bb9f74cce09a4ff83809. The VirusTotal and Malwr analyses of this binary confirmed that it is a malicious PE executable. In addition, the Malwr page [4] indicated that an outgoing connection to the host 209.239.112.229:80 was observed. This corresponds to frames 1792 and 1799 in the pcap file, and it is likely that the malware had executed and was "phoning home" or exfiltrating information. I was unsuccessful in determining the plaintext of the base64-encoded POST request; further analysis of the binary using a debugger or disassembler such as IDA Pro is recommended.
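The indicators collected in the analysis above (the redirector and EK hosts, the shape of the Fiesta URLs, the Java/1.6.0_25 User-Agent fetching payloads, octet-stream responses from the EK host, and the POST to 209.239.112.229) can be turned into a first-pass triage of HTTP request records. The following Python script is an added example and is not part of the original report; it runs over a constructed, tab-separated request log modelled on the frames described above. The log layout, the Fiesta path regex (derived from the four URLs listed earlier rather than from a published signature), and the made-up paths for the magggnitia.com script and the octet-stream payload are assumptions made for this example.

```python
"""Triage HTTP request records for the Fiesta EK indicators documented above.

Added example, not part of the original report. Input is a constructed,
tab-separated request log (ts, src, dst, method, host, path, user-agent,
response content-type); that layout and the regexes are assumptions made for
this example, not published signatures.
"""
import re
from collections import defaultdict

# Indicators from the report: redirector, EK host, and the host the binary POSTs to.
KNOWN_BAD_HOSTS = {"magggnitia.com", "digiwebname.in"}
KNOWN_C2_IPS = {"209.239.112.229"}

# Fiesta-style exploit URL: short alphanumeric directory, a long hex blob and
# optional ';<digits>' suffixes. Modelled on the four URLs in the report (assumption).
FIESTA_PATH_RE = re.compile(r"^/[a-z0-9]{4,16}/[0-9a-f]{24,}(?:;\d+)*$")

# The Java runtime fetching web content itself rather than the browser
# (User-Agent 'Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25' in the capture).
JAVA_UA_RE = re.compile(r"\bJava/\d+\.\d+\.\d+(?:_\d+)?\b")

FIELDS = ("ts", "src", "dst", "method", "host", "path", "ua", "ctype")


def parse_line(line):
    """Split one tab-separated record into a dict; reject malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the list of indicator names a record matches (empty if clean)."""
    hits = []
    if rec["host"] in KNOWN_BAD_HOSTS or rec["dst"] in KNOWN_C2_IPS:
        hits.append("known-bad-host")
    if FIESTA_PATH_RE.match(rec["path"]):
        hits.append("fiesta-url-pattern")
    if JAVA_UA_RE.search(rec["ua"]):
        hits.append("java-plugin-download")
    if rec["ctype"] == "application/octet-stream" and rec["host"] in KNOWN_BAD_HOSTS:
        hits.append("encrypted-payload")
    if rec["method"] == "POST" and rec["dst"] in KNOWN_C2_IPS:
        hits.append("c2-beacon")
    return hits


def triage(lines):
    """Group flagged records by source host: {src: [(ts, host, [indicators]), ...]}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            by_src[rec["src"]].append((rec["ts"], rec["host"], hits))
    return dict(by_src)


def infection_window(flagged):
    """First and last timestamp of flagged activity for one source host."""
    stamps = sorted(ts for ts, _, _ in flagged)
    return stamps[0], stamps[-1]


MSIE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_25"
VICTIM = "192.168.204.137"

# Constructed sample log mirroring the report's sequence. The Google address, the
# magggnitia.com path and the octet-stream path are made up for this example.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("2014-12-08T23:18:30Z", VICTIM, "203.0.113.10", "GET", "www.google.com",
     "/search?q=http%3A%2F%2Fwww.excelforum.com", MSIE8, "text/html"),
    ("2014-12-08T23:18:42Z", VICTIM, "69.167.155.134", "GET", "www.excelforum.com",
     "/", MSIE8, "text/html"),
    ("2014-12-08T23:18:45Z", VICTIM, "94.242.216.69", "GET", "magggnitia.com",
     "/redirect.js", MSIE8, "application/javascript"),
    ("2014-12-08T23:20:09Z", VICTIM, "205.234.186.111", "GET", "digiwebname.in",
     "/6ktpi5xo/3830948c194842760701040b0b0f095a010b000b0d560858060c0b060a060a5a;118800;94",
     MSIE8, "application/x-shockwave-flash"),
    ("2014-12-08T23:20:31Z", VICTIM, "205.234.186.111", "GET", "digiwebname.in",
     "/6ktpi5xo/55fdd7ebca026cab5447075f560c545b0706555f5055555900015e525705575b",
     JAVA_UA, "application/java-archive"),
    ("2014-12-08T23:20:33Z", VICTIM, "205.234.186.111", "GET", "digiwebname.in",
     "/6ktpi5xo/0123456789abcdef0123456789abcdef", JAVA_UA, "application/octet-stream"),
    ("2014-12-08T23:20:40Z", VICTIM, "209.239.112.229", "POST", "209.239.112.229",
     "/", MSIE8, "text/html"),
]]

if __name__ == "__main__":
    for src, flagged in triage(SAMPLE_LOG).items():
        start, end = infection_window(flagged)
        print("%s: %d suspicious requests between %s and %s" % (src, len(flagged), start, end))
        for ts, host, hits in flagged:
            print("  %s %-18s %s" % (ts, host, ", ".join(hits)))
```

Note that the compromised but legitimate site (www.excelforum.com) is not flagged by any of these checks: host and IP blocklists only catch the EK infrastructure that follows it, which is why the URL-shape and User-Agent heuristics matter, and why the web filtering recommended below has to check content and reputation rather than rely on a static blacklist alone.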
RECOMMENDED CLEAN-UP AND MITIGATION STRATEGIES

The following steps should be undertaken immediately:
• The affected system should be removed from the network, and a comprehensive forensic examination and data recovery exercise (if required) should be performed
• The operating system should be wiped and rebuilt; if the malware infection is severe, the system should be decommissioned
• The malicious binaries should be blacklisted in the centralized antivirus console, and quick scans using the updated signatures should be performed against sensitive systems
• Network and web filters should be set to block access to the affected websites and IP addresses.

The following steps should be considered and undertaken in the short term:
• Deploy alternative browsers such as Mozilla Firefox and Google Chrome to users
• Use browser add-ons/extensions which disable automatic loading of scripts and plugins
• Review the Standard Operating Environment (SOE) and remove unnecessary software (such as Flash or Java) unless it is required for operations
• Patch the browser plugins that remain: the observed exploits target CVE-2014-0569 (Flash Player) and CVE-2012-0507 (Java), both of which had vendor fixes available before this incident.

The following steps should be considered and undertaken in the long term:
• Enable application whitelisting on Windows workstations (for example via AppLocker)
• Implement a filtering web proxy / secure web gateway which checks the target website's reputation and the presence of malware through content analysis or blacklists.

REFERENCES

The following tools were used in the generation of this report:
• Wireshark, NetworkMiner, Unix 'file', REMnux, Google Chrome (V8), Rhino debugger

The following links were referenced and/or used in the generation of this report:
• [1] https://www.contextis.com/resources/blog/fiesta-exploit-kit-analysis/
• [2] https://www.contextis.com/documents/34/Fiesta_Decoder.zip
• [3] https://raw.githubusercontent.com/0x3a/tools/master/fiesta-payload-decrypter.py
• [4] https://malwr.com/analysis/MmNiMTdhZTFhMGRmNDAwZjg2ZDhhMDZjODFjMGY3NjI/