Hunting CryptoBot in the wild

Name:
Hunting CryptoBot in the wild

TTP:
T1566.002 Phishing: Spearphishing Link

Hypothesis:

Attackers are using spearphishing emails containing malicious links to deliver malware that uses Rundll32 and Mshta for defense evasion.

Suspected TTPs:

  • Initial Access: Spearphishing Link
  • Execution: Rundll32
  • Defense Evasion: Mshta

Campaign Type:
Hybrid

Data Sources:

  • Endpoint logs (e.g., Sysmon, Windows Event Logs)
  • Network traffic logs (e.g., Zeek/Bro, Suricata)
  • Email security gateway logs

Tools:

  1. An environment for the attack: This can be a virtual machine or a physical machine.
  2. The Windows Operating System: The testing will need to be done on a Windows system, as the technique itself is Windows-specific.
  3. A means to collect logs: Sysmon and WEC (Windows Event Collector) will be set up to collect the logs generated during testing.
  4. The right auditing: Ensure that the system is set up to collect the right level of logs, including enabling the correct audit policy and Sysmon configuration file.
  5. The attack vector: A script or an HTA file will be created for testing purposes.

Scenario:

  1. Initial Access: Attacker sends a spearphishing email containing a malicious link to a victim within the organization.
  2. Execution: The victim clicks on the malicious link, which executes a script or downloads a malicious file.
  3. Defense Evasion: The script or the file uses Rundll32 and/or Mshta to execute malicious code while evading defenses.
  4. Persistence: The malware establishes persistence on the victim’s machine.
  5. Privilege Escalation (Optional): The malware attempts to gain elevated privileges.
  6. Lateral Movement (Optional): The malware spreads to other systems within the network.
  7. Exfiltration (Optional): The malware exfiltrates sensitive data from the compromised systems.
  8. Impact: The attacker achieves their objective, which could be data theft, disruption of services, or financial gain.

Recommendations:

  • Implement strong email filtering rules to block or quarantine suspicious emails containing malicious links.
  • Educate users about phishing attacks and the risks of clicking on suspicious links or attachments.
  • Deploy endpoint detection and response (EDR) solutions to monitor and block malicious activity on endpoints.
  • Regularly review and update security controls to mitigate the latest threats and vulnerabilities.

Step-by-Step Threat Hunting Emulation:

Prepare the Environment:

  1. Set up a Windows virtual machine (VM) with the desired configuration.
  2. Install Sysmon and configure it with the desired ruleset.
  3. Enable the necessary audit policies for the operating system.
  4. Set up a centralized log management system (e.g., HELK, QRadar, Azure Sentinel) to collect and store security events.

Emulate the Attack Techniques:

  1. Create a malicious script or HTA file that uses Rundll32 and/or Mshta to execute a benign payload (e.g., calculator).
  2. Execute the script or HTA file on the Windows VM.

Emulate Post-Compromise Activities:

  1. (Optional) Simulate privilege escalation by executing a privilege escalation exploit or technique.
  2. (Optional) Simulate lateral movement by using tools like PsExec or WMI to connect to and execute commands on other systems.
  3. (Optional) Simulate exfiltration by transferring files or data from the compromised VM to an external system.

Collect and Analyze Logs:

  1. Collect the generated security event logs from your centralized log management system.
  2. Use analysis tools (e.g., Kibana, Splunk, QRadar) to search for events related to the emulated attack techniques.
  3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

Refine Detections:

  1. Analyze the collected logs to identify patterns and refine your detection rules.
  2. Consider using threat detection frameworks like YARA or SIGMA to create more robust detection rules.
  3. Document your analysis and findings to improve future threat hunting efforts.

Hunting Strategy:

  1. Analyze email security gateway logs for emails containing suspicious links or attachments.
  2. Correlate email logs with endpoint and network logs to identify users who clicked on suspicious links or downloaded the files.
  3. Search endpoint logs (Sysmon, Windows Event Logs) for the execution of Rundll32 and Mshta with unusual command-line parameters.
  4. Analyze network traffic logs for any unusual connections or data transfers initiated by the victim’s machine after clicking the link.
  5. Investigate any outliers or suspicious events identified in the previous steps.
  6. If a threat is validated, perform further analysis to determine the malware’s capabilities, persistence mechanisms, and any other related activity.
  7. Remediate the threat by isolating the compromised systems, removing the malware, and implementing necessary patches or security controls.
  8. Document the findings of the threat hunt, including indicators of compromise (IOCs), attack paths, and remediation actions taken.
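As an added example that is not part of the original playbook, here is the endpoint search from step 3 above, together with the filter-and-refine loop from "Collect and Analyze Logs" and "Refine Detections", written as Python over constructed Sysmon process-creation records. The indicator patterns, the parent-process set and the allowlist entry are assumptions to be tuned against your own telemetry.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) samples as
# (Image, CommandLine, ParentImage). Not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     r"C:\Windows\explorer.exe"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe https://example.invalid/invoice.hta",
     r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta",
     r"C:\Program Files\Vendor\installer.exe"),
    (r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
]

# "Unusual command-line parameters" this hunt scores; an illustrative subset, not a full list.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_PROTO_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)
# Parent processes consistent with a user clicking a spearphishing link (assumed set).
CLICK_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Known-benign invocations (the False Positive Consideration); tune per environment.
ALLOWLIST = [re.compile(r"rundll32\.exe\s+shell32\.dll,Control_RunDLL\b", re.IGNORECASE)]


def hunt(events):
    """Return (exe, command_line, reasons) for every rundll32/mshta process-creation
    event that matches at least one indicator and no allowlist entry."""
    findings = []
    for image, cmd, parent_image in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe not in ("rundll32.exe", "mshta.exe"):
            continue  # only the two binaries this hunt targets
        if any(p.search(cmd) for p in ALLOWLIST):
            continue  # documented legitimate use, skip to keep the result set small
        parent = parent_image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if URL_RE.search(cmd):
            reasons.append("remote URL in command line")
        if SCRIPT_PROTO_RE.search(cmd):
            reasons.append("script protocol handler in command line")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("payload loaded from user-writable path")
        if parent in CLICK_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append((exe, cmd, reasons))
    return findings
```

Run against the samples, the allowlisted Control Panel launch and the vendor installer's local HTA are dropped, while the browser-spawned remote HTA and the DLL loaded from a Temp directory surface for investigation in step 5.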

False Positive Consideration:

  • Legitimate use of Rundll32 and Mshta by system administrators or software installers.
  • Users accessing legitimate websites or web applications that may trigger the detection rules.

D3 Diagram:

T1055.001 - Process Injection: Dynamic-link Library Injection

Implementations:

* Process Hollowing
* Thread Execution Hijacking
* Asynchronous Procedure Call (APC) Injection
* Thread Local Storage (TLS) Injection

Observables:

* Process Name: svchost.exe (Analytic Robustness: 3 - Pre-Existing Tool, Event Robustness: U - User-Mode)
  * Rationale: Windows utility, can be renamed by an adversary.
* Process Name: rundll32.exe (Analytic Robustness: 3 - Pre-Existing Tool, Event Robustness: U - User-Mode)
  * Rationale: Windows utility, can be renamed by an adversary.
* Command Line: “CreateRemoteThread” (Analytic Robustness: 4 - Some Implementations, Event Robustness: K - Kernel-Mode)
  * Rationale: Specific to this technique, but other process injection techniques could be used.
* Loaded DLL: “KERNEL32.DLL” (Analytic Robustness: 4 - Some Implementations, Event Robustness: A - Application)
  * Rationale: Indicates the execution of process injection.

Notes:

* This D3 diagram is not exhaustive and may evolve with further research and analysis.
* The robustness levels assigned are based on a generalized assessment and may vary depending on the specific context.
* Defenders should consider combining multiple observables to improve the accuracy and robustness of their detections.