SOC, TI and IR posts

Server-side attacks, C&C in public clouds and other MDR cases we observed

Introduction

This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. The goal of the report is to inform our customers about techniques used by attackers. We hope that learning about the attacks that took place in the wild helps you to stay up to date on the modern threat landscape and to be better prepared for attacks.

Command and control via the public cloud

The use of public cloud services like Amazon, Azure or Google can make an attacker’s server difficult to spot. Kaspersky has reported several incidents where attackers used cloud services for C&C.

Case #1: Cloudflare Workers as redirectors

Case description

The incident started with Kaspersky MDR detecting the use of a comprehensive toolset for security assessment, presumably Cobalt Strike, by an antimalware (AM) engine memory scan (MEM:Trojan.Win64.Cobalt.gen). The memory space belongs to the process c:\windows\system32\[legitimate binary name][1].exe.

While investigating, we found that the process had initiated network connections to a potential C&C server:

The URL format indicates the use of Cloudflare Workers.

We then found that earlier, the binary had unsuccessfully[2] attempted to execute an lsass.exe memory dump via comsvcs.dll:

Several minutes later, a suspicious .bat script was run. This created a suspicious WMI consumer, later classified by MDR as an additional persistence mechanism.

The incident was detected in a timely manner, so the attacker did not have the time to follow through. The attacker’s final goals are thus unknown.

Case detection

The table below lists the signs of suspicious activity that were the starting point for the investigation by the SOC.

MITRE ATT&CK Technique MDR telemetry event type used Detection details Description
T1588.002: Tool
  1. AM engine detection on beacon
AM verdict: MEM:Trojan.Win64.Cobalt.gen, which can be used for Cobalt Strike or Meterpreter A malicious payload was executed in the victim’s system and started communicating with the C&C server
T1620: Reflective Code Loading
  1. AM detection in memory
AM verdict: MEM:Trojan.Win64.Cobalt.gen The malicious payload migrated to the victim’s memory
  1. Process injection
Detection of code injection from an unknown binary into a system binary
T1071.001: Web Protocols
  1. HTTP connection
  2. Process start
Suspicious HTTP connections to the malicious URL: blue-rice-1d8e[.]dropboxonline.workers.dev/… from a non-browser process with a system integrity level The attacker’s communications with the C&C server
T1584.006: Web Services
  1. HTTP connection
URL reputation, regular expression in URL The attacker’s communications with the C&C server
T1102.001: Dead Drop Resolver
  1. HTTP connection
URL reputation, regular expression in URL The attacker’s communications with the C&C server
T1003.001: LSASS Memory
  1. AM detection on suspicious activity
AM detection on lsass memory access The attacker’s unsuccessful attempt to dump the lsass.exe memory to a file
  1. Process start
Regex on command like: rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <PID> lsass.dmp full
T1546.003: Windows Management Instrumentation Event Subscription
  1. Windows event
  2. WMI activity
WMI active script event consumer created remotely The attacker gained persistence through active WMI

Payload hidden in long text

Case #1: A scheduled task that loads content from a long text file

Case description

This case started with a suspicious scheduled task. The listing below should give you a general idea of the task and the command it executes.
Scheduled task:

Command:

The scheduled task invokes a VBS script (file path: C:\Windows\System32\r4RYLepG5\9B2278BC-F6CB-46D1-A73D-5B5D8AF9AC7C, MD5 106BC66F5A6E62B604D87FA73D70A708), which decodes from the Base64-encoded content of the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys, and then executes the latter.

The VBS script mimics the content and behavior of the legitimate C:\Windows\System32\SyncAppvPublishingServer.vbs file, but the path and file name are different.

The customer approved our MDR SOC analyst’s request to analyze the file C:\Windows\System32\drivers\S2cZVnXzpZ\02F4F239-0922-49FE-A338-C7460CB37D95.sys. A quick analysis revealed a Base64-encoded payload inside long text content (see the picture below).

The decoded payload contained a link to a C&C server:

Further telemetry analysis showed that the infection was probably caused by the following process, likely a malicious activator (MD5 F0829E688209CA94305A256B25FEFAF0):

The activator was downloaded with the Tixati BitTorrent client and executed by a member of the local Administrators group.

Fortunately, the telemetry analysis did not reveal any evidence of malicious activity from the discovered C&C server (counter[.]wmail-service[.]com), which would have allowed downloading further stages of infection. In the meantime, a new AM engine signature was released, and the malicious samples were now detected as Trojan-Dropper.Win64.Agent.afp (F0829E688209CA94305A256B25FEFAF0) and Trojan.PowerShell.Starter.o (106BC66F5A6E62B604D87FA73D70A708). The C&C URL was correctly classified as malicious.

Case detection

The table below lists the attack techniques and how they were detected by Kaspersky MDR.

MITRE ATT&CK Technique MDR telemetry event type used Detection details Description
T1547.001: Registry Run Keys / Startup Folder
  1. Autostart entry
Regex on autostart entry details Malicious persistence
  1. AM detection
Heuristic AM engine verdict: HEUR:Trojan.Multi.Agent.gen
T1059.001: PowerShell
  1. Autostart entry
Regex on autostart entry details Execution of PowerShell code via “ScriptBlock” instead of “Invoke-Expression”
T1216.001: System Script Proxy Execution
  1. Process start
Regex on command line Malicious payload execution via C:\Windows\System32\
SyncAppvPublishingSer
ver.vbs
T1204.002: Malicious File
  1. Process start
Execution sequence: svchost.exe
→ explorer.exe → patch.exe
From directory: C:\Users\<
removed>\Downloads\ExcelAnaly
zer 3.4.3\crack\
The user executed a file downloaded by the Tixati BitTorrent client
As a result, the file 02f4f239-0922-49fe-
a338-c7460cb37d95.sys was created
  1. Local file operation
Creation of
c:\users\<removed>\downloads\ex
celanalyzer
3.4.3\setup_excelanalyzer.exe
In this order: chrome.exe →
tixati.exe
  1. Local file operation
Creation of 02f4f239-0922-49fe-
a338-c7460cb37d95.sys
In this order: svchost.exe →
patch.exe
Process command line:
“C:\Users\<removed>\Downloads\
ExcelAnalyzer
3.4.3\crack\Patch.exe”
The contents of 02f4f239-0922-
49fe-a338-c7460cb37d95.sys do
not match the extension (text
instead of binary).
T1027: Obfuscated Files or Information
T1140: Deobfuscate/Decode Files or Information
The suspicious file 02f4f239-0922-49fe-a338-c7460cb37d95.sys was requested from the customer via an MDR response 02f4f239-0922-49fe-a338-
c7460cb37d95.sys contained text;
starting on line 4890, it contained
a Base-64-encoded payload.
Attacker hid payload
T1071.001: Web Protocols
  1. HTTP connection
  2. Network connection
The SOC checked for successful connections to the discovered C&C server. A search for the attacker’s possible attempts to execute further stages of the attack

Server-side attacks on the perimeter

Case #1: A ProxyShell vulnerability in Microsoft Exchange

Case description

During manual threat hunting, the Kaspersky SOC team detected suspicious activity on a Microsoft Exchange server: the process MSExchangeMailboxReplication.exe attempted to create several suspicious files:

The ASPX file format, which the service should not create, and the random file names led our SOC analyst to believe that those files were web shells.

Telemetry analysis of the suspicious file creation attempts showed that Kaspersky Endpoint Security (KES) had identified the process behavior as PDM:Exploit.Win32.Generic and blocked some of the activities.

Similar behavior was detected the next day, this time an attempt at creating one file:

KES had blocked the exploitation attempts. Nonetheless, the attempts themselves indicated that the Microsoft Exchange server was vulnerable and in need of patching as soon as possible.

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique MDR telemetry event type used Detection details Description
T1190: Exploit Public-Facing Application
  1. AM detection
Heuristic AM engine verdict: PDM:Exploit.Win32.Generic Exploitation attempt
T1505.003: Web Shell
  1. Local file operation
Attempts at creating ASPX files using the MSExchangeMailboxReplication.exe process Web shell file creation

Case #2: MS SQL Server exploitation

Case description

The incident was detected due to suspicious activity exhibited by sqlservr.exe, a legitimate Microsoft SQL Server process. At the time of detection, the account active on the host was S-1-5-21-<…>-<…>-<…>-181797 (Domain / username).

The SQL Server process attempted to create a suspicious file:

We observed that a suspicious assembly was loaded to the sqlserver process (c:\program files\microsoft sql server\mssql15.sqlexpress\mssql\binn\sqlservr.exe) db_0x2D09A3D6\65536_fscbd (MD5 383D20DE8F94D12A6DED1E03F53C1E16) with the original file name evilclr.dll.

The file was detected by the AM engine as HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b.

The SQL server host had previously been seen accessible from the Internet and in the process of being scanned by a TOR network.

After the suspicious assembly load, the AM engine detected execution of malicious SQL jobs. The SQL jobs contained obfuscated PowerShell commands. For example:

The created SQL jobs attempted to connect to URLs like those shown below:

Some of the IP addresses were already on the deny list, while others were added in response to this incident.

We were not able to observe any other host within the monitoring scope attempt to connect to these IP addresses, which confirmed that the attack was detected at an early stage.

The next day, the same activity, with the same verdicts (HEUR:Trojan.MSIL.Starter.gen, Trojan.Multi.GenAutorunSQL.b) was detected on another SQL Server host, which was also accessible from the Internet.

Since the attack was detected in time, and its further progress was blocked by the AM engine, the attacker was not able to proceed, while the customer corrected the network configuration errors to block access to the server from the Internet.

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique MDR telemetry event type used Detection details Description
T1090.003: Multi-hop Proxy
T1595.002: Vulnerability Scanning
  1. Network connection
  2. AM detection
Reputation analysis showed the use of TOR network for scanning. The scanning activity was detected through network connection analysis and by the AM engine. The attacker scanned the SQL Server host
T1190: Exploit Public-Facing Application
  1. Process start
The server application sqlservr.exe launched powershell.exe, in the following order: services.exe → sqlservr.exe → powershell.exe The attacker successfully exploited the SQL server
  1. Autostart entry
Execution of the object previously detected as an autostart entry with a bad reputation: sql:\SQLEXPRESS\db_0x2D09A3D6\65537_fscbd; original file name: evilclr.dll
T1059.001: PowerShell
  1. Autostart entry
  2. Process start
Command line analysis showed the use of PowerShell. Malicious persistence via an SQL Server job
T1027: Obfuscated Files or Information
  1. Autostart entry
Regex- and ML-based analysis of the SQL Server Agent job command line The attacker attempted to evade detection
  1. Process start
Regex- and ML-based analysis of the services.exe → sqlservr.exe → powershell.exe execution sequence command line
T1505.001: SQL Stored Procedures
  1. Autostart entry
SQL Server Agent job analysis Malicious persistence via an SQL Server job
  1. AM detection
  2. AM detection on suspicious activity
Heuristic detects on PowerShell SQL Server Agent; verdict: HEUR:Trojan.Multi.Powecod.a
T1071.001: Web Protocols
  1. HTTP connection
  2. AM detection
The URL reputation as well as an AM generic heuristic verdict similar to HEUR:Trojan.Multi.GenBadur.genw pointed to the use of a malicious C&C server. The attacker’s C&C server

What does exfiltration in a real-life APT look like?

Case #1: Collecting and stealing documents

Case description

Kaspersky MDR detected suspicious activity on one particular host in customer infrastructure, as the following process was started remotely by psexec:

“cmd.exe” /c “c:\perflogs\1.bat”, which started:

After that, the following inventory commands were executed by the binary C:\ProgramData\USOPrivate\ UpdateStore\windnphd.exe:

Suspicious commands triggering actions in the Active Directory Database were executed:

After these commands were executed, the windnphd.exe process started an HTTP connection:
Then a suspicious file, c:\users\public\nd.exe (MD5 AAE3A094D1B019097C7DFACEA714AB1B), created by the windnphd.exe process, executed the following commands:
Later, the SOC observed that a suspicious scheduled task had been created on the same host:
The task executed a suspicious file: c:\users\public\s.exe (MD5 6C62BEED54DE668234316FC05A5B2320)

This executable used the archive c:\users\public\0816-s.rar and the suspicious IP address 38[.]54[.]14[.]183, located in Vietnam, as parameters.

The 0816-s.rar archive was created via remote execution of the following command through psexec:

After that, we detected a suspicious network connection to the IP address 38[.]54[.]14[.]183 from the s.exe executable. The activity looked like an attempt to transfer the data collected during the attack to the attacker’s C&C server.

Similar suspicious behavior was detected on another host, <hostname>.

First, a suspicious file was created over the SMB protocol: c:\users\public\winpdasd.exe (MD5: B83C9905F57045110C75A950A4EE56E4).

Next, a task was created remotely via psexec.exe:

During task execution, an external network communication was detected, and certain discovery commands were executed:

This was followed by a connection to a network share on the host 10.<…cut…> as username3:

More reconnaissance command executions were detected:

Then winpdasd.exe created the file windpchsvc.exe (MD5: AE03B4C183EAA7A4289D8E3069582930) and set it up as a task:

After that, C&C communications were detected:

This incident, a fragment of a long-running APT campaign, demonstrates a data collection scenario. It shows that the attacker’s final goal was to spy on and monitor the victim’s IT infrastructure. Another feature of targeted attacks that can be clearly seen from this incident is the use of custom tools. An analysis of these is given later in this report as an example.

Case detection

The table below lists the attack techniques and how these were detected by Kaspersky MDR.

MITRE ATT&CK Technique MDR telemetry event type used Detection details Description
T1569.002: Service Execution
  1. Process start
Command line analysis The attacker performed reconnaissance and search in local logs
The attacker persisted in the victim’s system through service creation
  1. Windows event
Windows events on service installation and service start
  1. AM detection on suspicious activity
AM behavior analysis The attacker executed windnphd.exe through psexec
T1592: Gather Victim Host Information
T1590: Gather Victim Network Information
  1. Process start
Command line analysis The attacker performed internal reconnaissance
T1021.002: SMB/Windows Admin Shares
  1. Share access
Inbound and outbound share access The attacker tried to access:
\\10.<…cut…>.65\ipc$
\\10.<…cut…>.52\c$
T1003.003: NTDS
  1. Process start
Command line analysis The attacker accessed NTDS.dit with ntdsutil
T1071.001: Web Protocols
  1. HTTP connection
  2. Network connection
The SOC checked if the data transfer was successful The attacker communicated with the C&C server at hxxp[:]//31.192.234[
.]60:53/useintget
  1. AM detection on suspicious activity
The connection was initiated by the suspicious process windnphd.exe
T1571: Non-Standard Port
  1. HTTP connection
  2. Network connection
The SOC detected the use of the HTTP protocol on the non-standard 53/TCP port Attacker used the C&C server hxxp[:]//31.192.234[
.]60:53/useintget
T1587.001: Malware
  1. Local file operation
  2. Process start
  3. AM detection on suspicious activity
Use of various suspicious binaries prepared by the attacker specifically for this attack The attacker used custom tools:
s.exe
winpdasd.exe
windpchsvc.exe
(see detailed report below)
T1497: Virtualization/Sandbox Evasion
  1. Malware analysis
Detected the HookSleep function (see below) The attacker attempted to detect sandboxing. The emulation detection was found in the custom tools: winpdasd.exe and windpchsvc.exe
T1036.005: Match Legitimate Name or Location
  1. Local file operation
  2. Malware analysis
Operations with the file c:\users\Default\ntusers.dat The attacker attempted to hide a shellcode inside a file with a name similar to the legitimate ntuser.dat
T1140: Deobfuscate/Decode Files or Information
  1. Local file operation
  2. Malware analysis
The file ntusers.dat contained an encoded shellcode, which was later executed by winpdasd.exe and windpchsvc.exe The attacker executed arbitrary code
T1560.001: Archive via Utility
  1. Process start
Use of the RAR archiver for data collection The attacker archived the stolen credentials and documents
T1048.003: Exfiltration Over Unencrypted Non-C2 Protocol
  1. Process start
Command line analysis The attacker used a custom tool to exfiltrate data
  1. Network connection
Analysis of the process that initiated the connection

An analysis of the custom tools used by the attacker

windpchsvc.exe and winpdasd.exe

Both malware samples are designed to extract a payload from a file, decode it, and directly execute it via a function call. The payload is encoded shellcode.

Both files read in from a file intended to deceive investigators and users by applying naming conventions that are similar to system files:

Payload file for windpchsvc.exe

Payload file for windpchsvc.exe

The malware, windpchsvc.exe, reads from the file c:\users\Default\ntusers.dat. A legitimate file, named ntuser.dat, exists in this location. Note that the bona fide registry file does not contain an ‘s’.

A similar file name was used for the winpdasd.exe malware:

Payload file for winpdasd.exe

Payload file for winpdasd.exe

The malware reads from this file and decodes the bytes for direct execution via a function call as seen below (call [ebp+payload_alloc] and call esi ):

windpchsvc.exe: decode, allocate memory, copy to mem, execute

windpchsvc.exe: decode, allocate memory, copy to mem, execute

winpdasd.exe: decode, allocate memory, copy to mem, execute via function call

winpdasd.exe: decode, allocate memory, copy to mem, execute via function call

The payload files (ntusers.dat) contain the main logic, while the samples we analyzed are just the loaders.

Some of the images show a function that I labeled “HookSleep” and which might be used for sandbox evasion in other forms of this malware. The function has no direct effect on the execution of the payload.

The decompiled function can be seen below:

The "HookSleep" function found in both files, decompiled

The “HookSleep” function found in both files, decompiled

When debugging, this worked as expected. The Win32 Sleep function is directed to the defined function in the malware:

The Sleep function redirected back to the malware code

The Sleep function redirected back to the malware code

s.exe

This file can be classified as a simple network transfer tool capable of uploading or downloading. The basic parameters are as follows:

This is basically netcat without all the features. The benefit of this is that it does not draw as much attention as netcat. In fact, while testing, we found that netcat, when set to listen, was able to receive a file from this sample and output to a file (albeit with some added junk characters in the results). We also found that the sample was incapable of executing anything after a download or upload.

The algorithm is pretty simple: network startup, parse arguments, create socket, send file or wait for file based on arguments. The decompiled main function can be seen below:

Decompiled network transfer tool

Decompiled network transfer tool

[1] The actual name of the binary is unimportant; hence it was skipped.
[2] Kaspersky Endpoint Security efficiently protects LSASS memory.

Server-side attacks, C&C in public clouds and other MDR cases we observed

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox