Hunting 4 PhantomCore RAT

Name:
Hunting 4 PhantomCore RAT

TTP:
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1106 Native API
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1082 System Information Discovery

Hypothesis:

The attacker is using spearphishing emails with malicious attachments to deliver malware, which then establishes command and control and collects system information.

Campaign Type:
Intel Driven

Data Sources:

  • Email logs
  • Endpoint security logs
  • Network traffic logs
  • Process execution logs

Tools:

  • QRadar
  • Azure Sentinel
  • ELK
  • Any SIEM/Log Management tool

Scenario:

  1. Initial Access: The attacker sends a spearphishing email with a malicious attachment, such as a ZIP archive containing a malicious LNK file and an executable disguised as an archive file.
  2. Execution: The LNK file carries cmd.exe and PowerShell commands that extract the disguised executable and run it; the executable is a Remote Access Trojan (RAT).
  3. Defense Evasion: The RAT sets the locale of the victim machine to “ru_RU.UTF-8” to blend in with the environment it expects. Note that a locale set through the C runtime (setlocale) applies only to the calling process and leaves no system-wide artifact; only a change to the user's or system's regional settings (registry, Set-Culture) is visible in endpoint logs, so treat this step as a weak hunting signal on its own.
  4. Command and Control: The RAT talks to its command-and-control (C&C) server over WebSocket using the Boost.Beast C++ library. A WebSocket session starts with an HTTP Upgrade handshake, which is why it maps to T1071.001 and appears in proxy and web logs as an ordinary HTTP request carrying an “Upgrade: websocket” header.
  5. System Information Discovery: The RAT collects victim information, including the public IP address, Windows version, and username.

Hunting Strategy:

  1. Analyze email logs for messages with archive attachments from senders the organization has not seen before.
  2. Correlate email logs with endpoint security logs to identify whether any recipient opened the attachment, i.e. explorer.exe launching a shortcut shortly after delivery.
  3. Analyze process execution logs for the cmd.exe and PowerShell commands used to extract the disguised executable and launch the RAT, and for executables started from user-writable directories such as %TEMP% or Downloads.
  4. Analyze network traffic logs for connections to the identified C&C server, and for WebSocket upgrade requests from processes that are not browsers or known applications.
  5. Investigate outliers related to locale or regional-settings changes and to PowerShell execution, for example hidden-window or encoded-command launches with explorer.exe as the parent.
  6. Validate potential threats by analyzing the behavior of the suspected processes and network connections.
  7. Remediate by isolating the infected machines, removing the malware, and blocking the C&C server.
  8. Report the findings and recommendations for improving email security, endpoint protection, and network security.
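Steps 1 to 4 of the strategy above are one correlation chain: mail, then process tree, then network. The script below, an added example that is not code from the original page or from any product, walks that chain over constructed log records. The flat field names (ts, user, host, pid, ppid, parent_image, image, cmdline, http_upgrade, user_agent) are an assumed normalised schema, not the schema of QRadar, Sentinel or ELK, and the check for a User-Agent starting with "Boost.Beast/" is an assumption about what the library's example WebSocket client sends by default, not an indicator the page states. The second recipient is an administrator who manually unpacks a vendor archive with the same launcher pattern; the chain drops that case because nothing is executed from a user-writable path and nothing upgrades to WebSocket, which is how the false-positive concerns listed further down are handled in practice.

```python
"""Cross-source correlation for the hunt above (hunting strategy steps 1 to 4).

Added example, not code from the original page or from any product. Log records
are constructed for illustration in an assumed, simplified normalised schema;
QRadar, Sentinel and ELK use other field names. The "Boost.Beast/" User-Agent
check is an assumption (the library's example WebSocket client sends it by
default), not an indicator the page states.
"""
from datetime import datetime, timedelta

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
EXTRACT_HINTS = ("expand-archive", "tar ", "7z ", "unzip")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\", "\\public\\")
DEFAULT_WINDOW = timedelta(hours=1)   # how long after delivery we still tie a launch to the mail
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\a.petrov\AppData\Local\Temp\bonus_2024.exe"

# --- constructed sample logs (not real telemetry) ---------------------------
EMAIL_LOGS = [
    {"ts": "2024-03-04T09:01:00", "recipient": "a.petrov@corp.example", "sender": "hr-bonus@promo-mail.example",
     "attachment": "bonus_2024.zip", "sender_known": False},
    {"ts": "2024-03-04T09:05:00", "recipient": "b.ivanov@corp.example", "sender": "tools@vendor.example",
     "attachment": "patch_notes.zip", "sender_known": False},
]
PROCESS_LOGS = [
    # victim: LNK -> cmd.exe -> powershell.exe unpacks the fake archive and runs it from %TEMP%
    {"ts": "2024-03-04T09:12:10", "host": "WS-017", "user": "a.petrov", "pid": 4110, "ppid": 1888,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -w hidden -c Expand-Archive bonus_2024.zip $env:TEMP; & $env:TEMP\bonus_2024.exe"},
    {"ts": "2024-03-04T09:12:11", "host": "WS-017", "user": "a.petrov", "pid": 4120, "ppid": 4110,
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": r"powershell -w hidden -c Expand-Archive bonus_2024.zip $env:TEMP; & $env:TEMP\bonus_2024.exe"},
    {"ts": "2024-03-04T09:12:13", "host": "WS-017", "user": "a.petrov", "pid": 4188, "ppid": 4120,
     "parent_image": PS, "image": PAYLOAD, "cmdline": PAYLOAD},
    # admin unpacking a vendor archive by hand: same launcher pattern, nothing dropped or executed
    {"ts": "2024-03-04T09:30:00", "host": "WS-022", "user": "b.ivanov", "pid": 5002, "ppid": 1744,
     "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell -c Expand-Archive patch_notes.zip C:\Users\b.ivanov\Downloads\notes"},
]
NETWORK_LOGS = [
    {"ts": "2024-03-04T09:12:15", "host": "WS-017", "pid": 4188, "dst": "203.0.113.7", "dport": 80,
     "http_upgrade": "websocket", "user_agent": "Boost.Beast/330 websocket-client-coro"},
    {"ts": "2024-03-04T09:31:00", "host": "WS-022", "pid": 5002, "dst": "198.51.100.20", "dport": 443,
     "http_upgrade": None, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1"},
]

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def suspicious_emails(email_logs):
    """Step 1: archive attachments from senders the organisation has not seen before."""
    return [e for e in email_logs
            if not e["sender_known"] and e["attachment"].lower().endswith(ARCHIVE_EXT)]

def lnk_launchers(process_logs, mail, window=DEFAULT_WINDOW):
    """Steps 2-3: explorer.exe (the LNK double-click) spawning a shell that extracts the
    attachment, within `window` of the mail being delivered to that user."""
    user, start = mail["recipient"].split("@")[0], datetime.fromisoformat(mail["ts"])
    hits = []
    for p in process_logs:
        cmd = p["cmdline"].lower()
        if (p["user"] == user and start <= datetime.fromisoformat(p["ts"]) <= start + window
                and _basename(p["parent_image"]) == "explorer.exe" and _basename(p["image"]) in SHELLS
                and (mail["attachment"].lower() in cmd or any(h in cmd for h in EXTRACT_HINTS))):
            hits.append(p)
    return hits

def dropped_descendants(process_logs, root):
    """Any descendant of the launcher (cmd -> powershell -> payload) running from a user-writable path."""
    frontier, seen, found = {root["pid"]}, set(), []
    while frontier:
        pid = frontier.pop()
        seen.add(pid)
        for p in process_logs:
            if p["host"] == root["host"] and p["ppid"] == pid and p["pid"] not in seen:
                frontier.add(p["pid"])
                if any(d in p["image"].lower() for d in USER_WRITABLE):
                    found.append(p)
    return found

def websocket_c2(network_logs, proc):
    """Step 4: an outbound WebSocket upgrade (or the assumed Boost.Beast UA) from the dropped binary."""
    return [n for n in network_logs
            if n["host"] == proc["host"] and n["pid"] == proc["pid"]
            and ((n.get("http_upgrade") or "").lower() == "websocket"
                 or "boost.beast/" in (n.get("user_agent") or "").lower())]

def hunt(email_logs, process_logs, network_logs, window=DEFAULT_WINDOW):
    """Chain the four checks; a finding needs evidence from all three data sources."""
    findings = []
    for mail in suspicious_emails(email_logs):
        for launcher in lnk_launchers(process_logs, mail, window):
            for child in dropped_descendants(process_logs, launcher):
                for conn in websocket_c2(network_logs, child):
                    findings.append({"user": launcher["user"], "host": child["host"],
                                     "attachment": mail["attachment"], "sender": mail["sender"],
                                     "launcher": launcher["cmdline"], "payload": child["image"],
                                     "c2": f'{conn["dst"]}:{conn["dport"]}'})
    return findings
```

Run `hunt(EMAIL_LOGS, PROCESS_LOGS, NETWORK_LOGS)` and only the a.petrov chain comes back, with the launcher command line, the dropped binary and the C&C endpoint in one record. In a SIEM the same chain is a join on user and time between the mail log and process creation, then on host and process id between process creation and network events; the descendant walk matters because the LNK typically goes through cmd.exe before PowerShell, so the payload is not a direct child of the launcher.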

False Positive Consideration:

  • Legitimate users may use PowerShell for administrative tasks or scripting.
  • Network connections to external servers may be legitimate for software updates or cloud services.
  • Locale settings may be changed by users for language preferences.

Recommendations:

  • Implement email security solutions to detect and block malicious attachments.
  • Deploy endpoint detection and response (EDR) tools to monitor suspicious activities.
  • Use intrusion detection/prevention systems (IDS/IPS) to block connections to known malicious C&C servers.
  • Regularly update software and operating systems with the latest security patches.
  • Educate users about phishing attacks and best practices for email security.

Threat Hunting Emulation Step-by-Step Process

Prepare the Environment:

  1. Set up a test environment with Windows machines and the necessary security monitoring tools, such as an EDR and a centralized log management system.
  2. Enable auditing policies for PowerShell execution, command shell execution, process creation, network connections, and registry changes.
  3. Configure the log management system to collect logs from all endpoints.

Emulate the Attack Techniques:

  1. Create a malicious LNK file with the PowerShell command to extract and execute the RAT.
  2. Package the LNK file and the RAT into a ZIP archive.
  3. Deliver the ZIP archive to a test user in the environment, for example, via a simulated phishing email.
  4. Execute the LNK file as the test user.
  5. Observe the PowerShell execution, cmd.exe execution, locale setting changes, and C&C communication.

Collect and Analyze Logs:

  1. Collect the generated security event logs from your centralized log management system.
  2. Use analysis tools to search for events related to the emulated attack techniques.
  3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

Refine Detections:

  1. Analyze the collected logs to identify patterns (parent-child process chains, command-line fragments, destination hosts) and refine your detection rules so that they match the emulated chain but not the benign PowerShell, network and locale activity listed under False Positive Consideration.
  2. Express the refined logic as Sigma rules for log-based detections (process creation, network connections) and as YARA rules for file-based matching of the dropped LNK and RAT binary; Sigma rules can then be converted to your SIEM's query language.
  3. Document your analysis and findings to improve future threat hunting efforts.
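One way to refine the process-creation detection into a Sigma-style rule and check it against emulation events, as an added example that is not part of the original page. The rule keeps Sigma's logsource/detection/condition layout and Sysmon field names (ParentImage, Image, CommandLine); in practice it is written as YAML and converted with sigma-cli (pySigma) to the SIEM's query language. The evaluator is a minimal stand-in that only supports the modifiers used here (endswith, contains, contains|all, re) and the condition form "selection and not filter", enough to verify the logic offline before converting it. The events are constructed samples, and the C:\Scripts\ directory in the filter is an assumed location for approved administrative scripts, not something the page names.

```python
"""Refined detection expressed as a Sigma-style rule and checked against sample events.

Added example, not code from the original page. The rule mirrors Sigma's
logsource/detection/condition layout; in practice write it as YAML and convert
it with sigma-cli (pySigma). The evaluator below is a minimal stand-in that
supports only the modifiers used here (endswith, contains, contains|all, re)
and the condition form "<selection> and not <filter>". Events are constructed
samples; C:\\Scripts\\ is an assumed location for approved admin scripts.
"""
import re

RULE = {
    "title": "Shell launched from a shortcut extracts an archive and runs an executable",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\explorer.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
            # extraction followed by a command separator and an .exe in the same command line;
            # a plain "contains .exe" would fire on "powershell.exe" itself
            "CommandLine|re": r"Expand-Archive.*[;&|].*\.exe",
        },
        "filter_admin_scripts": {"CommandLine|contains": "\\Scripts\\"},   # assumed approved path
        "condition": "selection and not filter_admin_scripts",
    },
    "falsepositives": ["Administrators unpacking tooling from the approved scripts directory"],
    "level": "high",
}

_OPS = {
    "equals":     lambda value, want: value == want,
    "contains":   lambda value, want: want in value,
    "startswith": lambda value, want: value.startswith(want),
    "endswith":   lambda value, want: value.endswith(want),
    "re":         lambda value, want: re.search(want, value, re.IGNORECASE) is not None,
}

def field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier' entry; list values are OR-ed unless |all is given."""
    field, *mods = key.split("|")
    op = mods[0] if mods else "equals"
    wanted = [wanted] if isinstance(wanted, str) else list(wanted)
    value = str(event.get(field, ""))
    if op != "re":                       # Sigma string matching is case-insensitive
        value, wanted = value.lower(), [w.lower() for w in wanted]
    results = [_OPS[op](value, w) for w in wanted]
    return all(results) if "all" in mods else any(results)

def block_matches(event, block):
    return all(field_matches(event, k, v) for k, v in block.items())

def evaluate(rule, event):
    """True when the event satisfies 'selection and not filter' for this rule."""
    det = rule["detection"]
    selection, _, flt = det["condition"].partition(" and not ")
    return block_matches(event, det[selection.strip()]) and not block_matches(event, det[flt.strip()])

def run_rule(rule, events):
    """Ids of the events the rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]

# --- constructed process_creation events (Sysmon-style field names) ---------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": "victim", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -c Expand-Archive bonus_2024.zip $env:TEMP; & $env:TEMP\bonus_2024.exe"},
    {"id": "admin", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -c Expand-Archive C:\Scripts\tools.zip C:\Tools; C:\Tools\setup.exe"},
    {"id": "user_unpack", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell -c Expand-Archive report.zip C:\Users\c.sidorov\Downloads\report"},
    {"id": "scheduled", "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -c Expand-Archive backup.zip D:\restore; D:\restore\verify.exe"},
]

if __name__ == "__main__":
    print(run_rule(RULE, EVENTS))   # only the 'victim' event survives the filter
```

Only the victim event fires: the admin event matches the selection but is removed by the filter, the plain unpack has no follow-on execution, and the scheduled job has the wrong parent. Keep the filter narrow and tied to something attackers cannot trivially copy; a path filter like this one is a convenience for the emulation run and should be replaced in production by whatever your environment can actually vouch for, such as signed scripts or a change-managed job.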
