Security Alert Summary
Earlier this week, Carbon Black, in conjunction with the Cb User Exchange Community, discovered anomalies related to well-known Adware variants, including OpenCandy and Dealply, and trojanized Chromium, using highly sophisticated evasion techniques (previously observed by Carbon Black associated with nation-state attacks — specifically Operation Aurora, which targeted major companies including Google, Adobe, etc). These obfuscation techniques easily evade sandboxing and other intrusion detection techniques due to Binary Fragmentation. Once these Adware variants are installed on a machine, the actor has the ability to bypass existing security controls and successfully install the secondary payloads, giving the adversary full control of a user’s machine.
These Adware variants started to appear across the Carbon Black customer base early this week, spanning industry and size, which suggests this is a recently launched, pervasive campaign.
We believe this attack vector is being used as a delivery mechanism for ransomware and other malware classes. The Carbon Black Threat Research team is currently performing a technical deep-dive pertaining to this finding, stay tuned for more information.
For Carbon Black customers who would like to add detection of these Adware variants, please add the following Watchlists**:
PRIMARY BEHAVIOR: cmdline:copy AND cmdline:/b
SECONDARY BEHAVIOR: process_name:wscript.exe AND netconn_count:[1 TO *]
**If you see a lot of hits on these Watchlists — that’s expected as there might be legitimate activity performing those actions. Filter by what appears to be legitimate activity until their query only shows the strange activity. As we see more examples, we’ll be sure to post them in the Carbon Black Detection eXchange.
For those that are not Carbon Black customers (and who do not have the ability to inspect command-line arguments), we suggest looking in the “Scheduled Tasks” for suspicious, newly created tasks as these variants establish persistence in the Windows Task Scheduler. A significant takeaway from this alert should be to take Adware and other “PUPs” seriously, as these seemingly innocuous applications are growing progressively more malicious in their impact to an environment. As we learn more, we’ll be sure to update this blog.
It started out like any other Thursday: team meetings, coffee, more meetings, and of course more coffee. At 11:00 AM, I began my first customer call of the day. As it turns out, it was a threat hunting and Kill Chain analysis call. 35 minutes into the call, we found some generic trojans, but at the time they didn’t seem particularly interesting. It was at this point that I just happened to remember an attack vector I had once triaged while doing some work during Operation Aurora. (See #FlashbackToOperationAurora at the end of this article for the whole story).
Just for fun, I asked my customer to the run the query:
cmdline:copy AND cmdline:/b. Cb Response showed they had three hits. I bolted upright in my chair. Three years ago, I stumbled upon this this attack vector and I’d never seen it since… until last week.
As we began to triage the event, we began to see .dat files being joined to form all sorts of unusual file types including .txt, .png, .log, .ico, & .dll files. It was highly irregular. Obviously, I couldn’t think of a legitimate reason for someone to conjoin “random” .dat files to create an image or even a .dll file (As shown in the screenshots below). As we began to follow the process execution, these “icons” and “log files” were then being launched by wscript where they beaconed to multiple “unusual” domains/IPs and established persistence as a scheduled task on the compromised system.
And another example:
So, now for the “stranger” part. As we began to walk backward up the process tree, we began noticing that the parent processes launching these rather advanced obfuscation techniques were “routine” adware (Flagged multiple times by Virus Total). I was stunned. I kept asking myself why in the world “regular” Adware would need such advanced obfuscation?
Resulting from this meeting, we found several other systems, all demonstrating similar symptoms of compromise. In my next two calls that day, BOTH of my customers (different industries) also had systems compromised in the same manner. I felt at this point it was my duty to spread the word and post my findings to Carbon Black’s User Exchange (UX). Within minutes, reports began to pour in regarding similar findings across our customer base. (Direct link to the original thread in the Carbon Black User eXchange: https://community.carbonblack.com/docs/DOC-5307).
The Cb Collective Defense model came through on this attack like a grand slam as all of our customers have access the Detection Exchange to share indicators and comment on detection and analysis methods Just yesterday (09/22/2016), a user in the Community who goes by the alias of “dumonal” made a wild discovery: the “Adware” may be a delivery vector for the Enigma Ransomware. To-date we’ve not been able to replicate this behavior, but will keep you updated as we learn more.
All of a sudden, the level of advanced obfuscation for this “Adware” makes sense. This Adware appears be the stager being used to covertly distribute the binaries (believed to be) attributed to ransomware and other classes of malware.
There are several methods being discussed in our UX to detect and contain these sort of attacks that leverage Binary Fragmentation. Given the widespread nature of this compromise, I strongly recommend scanning your systems for use of the copy command being leveraged with the binary append “/b” parameter. Another user in our UX who goes by the name “myersjos” has suggested that “Process searching Wscript.exe with Netcons out to the internet may reveal interesting results to you.”
For those that are not Carbon Black customers (and who do not have the ability to inspect command-line arguments), we suggest looking in the “Scheduled Tasks” for suspicious newly created tasks as these variants establish persistence in the Windows Task Scheduler. A significant takeaway from this alert should be to take Adware and other “PUPs” seriously as these seemingly innocuous applications are growing progressively more malicious in their impact to an environment. As we learn more, we’ll be sure to update this blog.
At the time I was managing the SOC for a large financial client and our Division Chief had been targeted by a very skillfully crafted phishing email. (Fortunately for the client, the spam filter blocked the payload as it contained a .rar file). However, given the tailored information contained in the phishing email, I decided to “play around” and see what the presumed malicious payload did. As I opened the rar file, I saw a Word document and a shortcut file, along with a sub directory. I (wrongly) assumed that there was a malicious macro embedded in the word doc. However, when I fired up MS Word in a VM, much to my surprise nothing malicious happened. I double and triple analyzed the doc and still nothing. From there, I began to explore the subdirectory. I was interested by what appeared to be two temp files as they were named ~$1.tmp & ~$2.tmp. I hashed the files, however an open source query came back null. When I ran strings on them I was a bit perplexed as when I opened up ~$1.tmp in Winhex it had an MZ header (thus signaling to me that it had executable content), however it was only a 16 character file. Weird, but obviously way too small to actually be a Portable Executable. ~$2.tmp was pure gibberish, nothing really interesting and not many readable characters. I tried a number of different methods to launch these files, however nothing worked.
At this point, I was greatly perplexed. The actor went through a decent bit of work to craft a VERY good spearphish, however, nothing malicious would execute. Just for due diligence sake, I went back and clicked on the shortcut, my jaw nearly hit the floor when all the sudden the system began beaconing and *something* established persistence. I couldn’t believe what I was seeing and I immediately viewed the properties of that little innocuous shortcut. No, it didn’t send me to a web link, instead it did one of the coolest things I’ve ever seen to date:
The target field of the shortcut ran a Copy command in the using the Binary Append parameter and conjoined the two “temp files” into a single binary. (This is a legitimate function of the standard Windows copy command: https://support.microsoft.com/en-us/kb/71161)
The command executed by the shortcut was something like this to build & launch the payload and then remove the malware fragments:
copy /b “temp/~$1.tmp”+“temp/~$2.tmp” “temp/svcmgr.exe” & start “temp/svcmgr.exe” & del “temp/~$1.tmp” & del “temp/~$2.tmp”
I remember just sitting back in my chair with my jaw still hanging open and shaking my head at what I just found. I was thoroughly impressed. This was one of those times you see an attack vector that you know is really bad, but was so clever you wanted to almost shake the attacker’s hand congratulate him on his brilliance.
What makes this attack so interesting is how effective it is at evading perimeter and network based IDS/IPS tools. Obviously, hash-based detection mechanisms would fail to catch these fragments as they would be hashed individually. Sandboxing & Detonation based tools would also give a false negative rating & allow these fragments to pass as they would be executed individually as well.
Benjamin Tedesco is a Senior Technical Services Consultant working at Carbon Black as a digital forensics and incident response SME. He currently leads the Advanced Consulting Team and assists Carbon Black customers to leverage the Carbon Black tool suite in their existing incident response and detection capabilities. Before coming to Carbon Black, Benjamin was responsible for leading a number of high-profile APT hunt-and-detection engagements. Currently, he is pursuing a master’s degree in information security and forensics at Penn State University.
Recently, while in Europe, Ben discovered an ATM skimmer, click here to see a video of his discovery.
Click here to view other articles Ben has written: https://www.carbonblack.com/author/ben-tedesco/
To connect with Ben, drop him a line on LinkedIn: https://linkedin.com/in/bentedesco