Today’s screenshot demo is going to give you a quick glimpse into some of the visibility you get with Carbon Black on Mac OS X. This post touches on some key points to how quickly you can “rewind the tape” to detect Ventir.
In this example, the starting point is a typical one—take a strange IP address, 220.127.116.11, from my firewall logs and see what process actually made that connection.
I start by entering the IP address:
I got one hit, a process named “update” running from /Users/test/Library/.local/update—a strange location to me.
Next I open the process analysis view to see the tree, the other metadata and the event activity. The process is unsigned, and several instances of the “update” process are being spawned by something called “updated.”
I’ll scroll down to the events section and show you that this instance only has two events: a network connection (which matches what we searched for—18.104.22.168) and a file modification.
OK, so this is interesting but let me keep going. With just two clicks I go to “updated” and then its parent, “reweb,” to build out my tree instantly:
Again, we’re seeing unsigned binaries running out of what appears to be a strange location (/Users/test/Library/.local/). But I want to see who wrote this, so I search for “filemod:reweb” (I could also be more specific or search for md5sums of binaries that were written out, or more).
Interesting. I can see “ventir_dropper” wrote this out. A quick search for this results in a lot of hits. But what about “ventir_dropper?”
Let me look at the process tree:
We can see that “ventir_dropper” was executed by bash (because I ran it as an example), and then it executed a lot of built-in utility commands such as “rm,” “chmod,” and “mkdir.” And, of course, we get the full command lines too. We can see what filemods “ventir_dropper” made by looking below at the event activity:
So we see “reweb,” and we also see our friends “update” and “updated.”
But what wrote out “ventir_dropper?”
Let’s have a look by searching for “filemod:ventir_dropper,” which brings us to the archive utility process. If I look at the process’s file modifications, sure enough, I see “ventir_dropper”:
This makes sense because, for this example, I copied “ventir_dropper.zip” over to my VM to extract it for this analysis.
While this post isn’t necessarily exhaustive in its analysis of the Ventir malware, I hope you got a good glimpse into how quickly you can investigate, analyze and pivot within Carbon Black. Because Carbon Black is always recording, you can quickly get back to root-cause analysis while following the activity to figure out everything that has been changed and is in scope for remediation.
Furthermore, this is where response can drive detection. Take some of the behavior above, like anything running out of .local or writing to .local, and alert your team the next time it happens.
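To make the pivots above and that detection rule concrete, here is an added example (not code from the post or from Carbon Black) that replays the walk-through over constructed process records: IP → process → up the tree → “filemod:reweb” → “filemod:ventir_dropper,” and then flags anything unsigned running out of, or anything writing into, .local. The record layout, the Archive Utility path and the benign curl process are all assumptions.

```python
import os
from collections import namedtuple

# Constructed, simplified process records; not Carbon Black's real schema or API.
Proc = namedtuple("Proc", "pid parent path signed netconns filemods cmdline")
LOCAL = "/Users/test/Library/.local/"   # the odd location from the post
ARCHIVE = "/System/Library/CoreServices/Archive Utility.app/Contents/MacOS/Archive Utility"  # assumed path

# Sample sensor data mirroring the post's walk-through (constructed); pid 6 is benign noise.
PROCS = {p.pid: p for p in [
    Proc(0, None, ARCHIVE, True, [], ["/Users/test/ventir_dropper"], "Archive Utility"),
    Proc(1, None, "/bin/bash", True, [], [], "bash"),
    Proc(2, 1, "/Users/test/ventir_dropper", False, [],
         [LOCAL + "reweb", LOCAL + "updated", LOCAL + "update"], "./ventir_dropper"),
    Proc(3, 2, LOCAL + "reweb", False, [], [], "reweb"),
    Proc(4, 3, LOCAL + "updated", False, [], [], "updated"),
    Proc(5, 4, LOCAL + "update", False, ["220.127.116.11"], [LOCAL + ".cfg"], "update"),
    Proc(6, None, "/usr/bin/curl", True, ["203.0.113.5"], [], "curl https://example.invalid/"),
]}

def name(p):
    return os.path.basename(p.path)

def by_netconn(ip):
    """Starting point of the post: which processes connected to this IP?"""
    return [p for p in PROCS.values() if ip in p.netconns]

def ancestry(pid):
    """Click up the tree: the process and its parents, leaf first."""
    chain = []
    while pid is not None:
        chain.append(PROCS[pid])
        pid = PROCS[pid].parent
    return chain

def writers_of(basename):
    """The 'filemod:<name>' pivot: processes that wrote a file with this basename."""
    return [p for p in PROCS.values() if any(os.path.basename(f) == basename for f in p.filemods)]

def suspicious_local(p):
    """Detection rule from the post: unsigned binary running out of .local, or any process writing into it."""
    return (p.path.startswith(LOCAL) and not p.signed) or any(f.startswith(LOCAL) for f in p.filemods)

def investigate(ip):
    """IP -> process -> up the tree -> who wrote the top .local binary -> who wrote that."""
    hit = by_netconn(ip)[0]
    chain = ancestry(hit.pid)
    top = [p for p in chain if p.path.startswith(LOCAL)][-1]   # 'reweb'
    dropper = writers_of(name(top))[0]                           # filemod:reweb -> ventir_dropper
    origin = writers_of(name(dropper))[0]                        # filemod:ventir_dropper -> Archive Utility
    flagged = sorted(name(p) for p in PROCS.values() if suspicious_local(p))
    return [name(p) for p in chain], name(dropper), name(origin), flagged
```

Calling `investigate("220.127.116.11")` returns the tree from “update” up to bash, the dropper, the archive utility that wrote it, and the four processes the .local rule would alert on; the signed curl process is left alone.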
And, of course, it’s easy to be notified when any of those indicators of compromise, like the typical IP addresses and hashes, show up anywhere within your environment. Because Carbon Black records and stores data, you can go back even further in time than this example to see if Ventir (or anything similar) was in your environment, as far back as your retained data goes.