There has been a lot of coverage about the malware known as Destover.
Several hashes have been released by US-CERT, the FBI and other organizations. This blog post examines how you can look for this malware and its indicators of compromise (IOCs) using Carbon Black.
This write-up starts with ways to find known pieces of this malware within your organization using Carbon Black and then transitions to some more advanced search techniques.
In the Beginning…
First, a search can be constructed to see if any of the MD5 hashes have been seen in your environment.
From the US-CERT alert, we have the following hashes to look for:
The best and easiest way to look for these hash values is to use the “Respond -> Binary Search” dashboard. Entering the list above in the query box, as shown below, searches to see whether any of the hash values in the US-CERT bulletin are present in your organization. Here’s the result from one of our research systems.
You can see there were a few hits, so let’s keep digging.
Since we know the hash D1C27EE7CE18675974EDF42D4EEA25C6 is the dropper, we can start digging there to attempt to understand as much of the story as possible. Clicking through the hash, and then onto the specific instance, produces a graph like the one below.
So far we know that we’ve seen several interesting hashes; one of them appears to be a dropper (dropper.exe), and it has created a few other processes, one of them named “igfxtrayex.exe.”
It’s possible to search for this executable name in Carbon Black: simply use the “Respond -> Process Search” dashboard and type the executable name in the search box.
What else does the dropper do in addition to creating and starting the process above? It also writes a .dat file.
Looking for this exact path would do you no good (unless all of your users are named ‘user’). Instead, in the Process Search dashboard, you can look for:
This will tell you if this file has been written to any users’ directory.
Protip: You can use several wildcards and even search across multiple drives with “*:\users\*\appdata\local\virtualstore\windows\syswow64\net_ver.dat”; however, this will be slower due to the use of multiple wildcards.
This binary also created some network connections:
The IPs that are contacted are all in the 22.214.171.124/24 class-C network. While not every IP in that network was contacted, a fair number were. Rather than look for each IP individually, as we did above, we can leverage some advanced search syntax to look for anything in that class-C network. This may lead to a couple of false positives, but hunting is never easy. By leveraging the Process Search dashboard and a query of…
“ipaddr:[729976064 TO 729976319]”
…we can look for all network connections into that class-C.
Note that the IP addresses were converted to their decimal equivalents for the search: Carbon Black stores IPs as integers for easy and quick searching (especially across ranges). It’s also possible to look for the identified C2 IPs (126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199) with the following: “ipaddr:188.8.131.52 or ipaddr:184.108.40.206 or ipaddr:220.127.116.11 or ipaddr:18.104.22.168 or ipaddr:22.214.171.124 or ipaddr:126.96.36.199 or ipaddr:188.8.131.52”.
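The decimal conversion and the OR-list above are easy to get wrong by hand, so here is a small helper that builds them (and the Binary Search hash list from earlier in the post) programmatically. This is an added example, not code from the original post or from Carbon Black: it assumes the Solr-style syntax the post shows (`ipaddr:[lo TO hi]` with `or` between terms), assumes the Binary Search field is named `md5:` (the page does not name the field), and uses the documentation range 192.0.2.0/24 as a constructed stand-in for the real C2 block. Whether your server stores `ipaddr` as a signed or unsigned 32-bit integer, and whether `md5:` matches case-insensitively, should be checked against your Carbon Black version.

```python
"""Build Carbon Black hunting queries from lists of IOCs.

Added example, not code from the original post. Assumptions: the query syntax
shown in the post (ipaddr:[lo TO hi], 'or' between terms), a field named md5:
for Binary Search, and unsigned 32-bit storage of ipaddr (check your server).
"""
import ipaddress
import re
from typing import Iterable, List

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 -> unsigned 32-bit integer, the form the post searches on."""
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(value: int) -> str:
    """Reverse of ip_to_int; useful for decoding a range found in someone else's query."""
    return str(ipaddress.IPv4Address(value))


def ipaddr_range_query(cidr: str) -> str:
    """Turn a CIDR block into the inclusive ipaddr:[lo TO hi] range the post uses for a /24.

    strict=False lets a host address such as 192.0.2.7/24 stand in for its network,
    and a /32 collapses to a single-value range.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    lo = int(net.network_address)
    hi = int(net.broadcast_address)
    return f"ipaddr:[{lo} TO {hi}]"


def _dedupe(items: Iterable[str]) -> List[str]:
    """Drop repeats while keeping first-seen order, so the query stays readable."""
    seen = set()
    out: List[str] = []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def ipaddr_or_query(ips: Iterable[str]) -> str:
    """Exact-match query for a list of C2 addresses, like the post's 'ipaddr:A or ipaddr:B'.

    Each value is parsed as an IPv4 address so a typo fails here rather than as a silent miss.
    """
    clean = _dedupe(str(ipaddress.IPv4Address(ip)) for ip in ips)
    return " or ".join(f"ipaddr:{ip}" for ip in clean)


def md5_or_query(hashes: Iterable[str]) -> str:
    """Binary Search query for a list of MD5s (assumes the md5: field).

    Hex case is normalised to lower case; assumption: the field matches case-insensitively.
    """
    clean: List[str] = []
    for h in _dedupe(h.strip() for h in hashes):
        if not _MD5_RE.match(h):
            raise ValueError(f"not a 32-hex-digit MD5: {h!r}")
        clean.append(h.lower())
    return " or ".join(f"md5:{h}" for h in clean)


if __name__ == "__main__":
    # Constructed values: 192.0.2.0/24 stands in for the real C2 block; the
    # dropper hash is the one named in the post.
    print(ipaddr_range_query("192.0.2.0/24"))
    print(ipaddr_or_query(["192.0.2.10", "192.0.2.11", "192.0.2.10"]))
    print(md5_or_query(["D1C27EE7CE18675974EDF42D4EEA25C6"]))
```

Paste the returned strings straight into the Process Search or Binary Search query box. The de-duplication matters for hand-assembled IOC lists, which often repeat an address, and the validation step catches a mistyped hash or address before it turns into a query that silently matches nothing.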