
Security operations | 13 min read | May 26, 2020 | by Britton Manahan

Obfuscation, reflective injection and domain fronting; oh my!

We detect and respond to a lot of red team activity at Expel. Each engagement is a great opportunity for our SOC analysts to gain additional experience responding to an attacker (albeit a simulated one). Red team engagements help any security team stay ahead in a world with continuously evolving attacker tradecraft. When going head-to-head with a red team, we encounter a broad range of attacks. During a recent red team simulation we detected and responded to the execution of a suspicious VBScript file. Acquiring malicious files gives us the opportunity to extract deeper details that can be invaluable. In this post I'll walk you through our initial detection and then show you how we:

1. Determined the logic implemented by the VBScript and its payload
2. Extracted key details of the payload via base64dump.py and pecheck.py
3. Decompiled the payload with JetBrains DotPeek
4. Followed the chain of obfuscation to reach the red team PoshC2 implant
5. Analyzed the red team implant for attacker IOCs

Then I'll share the details of the capabilities the file contained as well as the insights we gathered coming out of this exercise.

expel.io

Spotting something suspicious: malware detection

Malware analysis is "like a box of chocolates," in that you never know what you're going to encounter as you inspect the details of malicious code. During this red team engagement with an Expel customer, the CrowdStrike EDR Platform alerted on the execution of a suspicious VBScript file.

Expel Workbench Alert Details 1

Expel Workbench Alert Details 2

So, we dove in to take a deeper look.

CrowdStrike Detection Details

For this CrowdStrike alert, a VBScript file named settings.vbs was launched with the command-line version of the Windows Script Host, cscript.exe. CrowdStrike Overwatch observed that the cscript.exe process reflectively injected a library named SharpDLL.dll.

Reflective injection loads an executable library into the address space of a process directly from memory rather than from a file on disk. Because of that, it doesn't rely on the LoadLibrary Windows API call, which only loads library files that exist on disk, so the library never has to touch the filesystem where file-based controls would see it.

The Expel Global Response team, which provides Expel with advanced IR capabilities during critical incidents, noticed two additional recorded activities for the cscript.exe process:

Several .NET Framework Libraries (examples below) were loaded

A DNS request for (this will be explored more later on)

CrowdStrike Detection Disk Operations

CrowdStrike Detection DNS Request

These recorded activities were extremely suspicious and signaled to us that it was time to conduct an investigation. That's when I began my analysis.
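The combination that made this alert stand out, a Windows Script Host process loading the .NET runtime and then resolving a name, can be turned into a hunt. The script below is an added example written for this post, not Expel's or CrowdStrike's code: it runs over constructed EDR-style events (not real CrowdStrike records), and the event schema and the list of CLR module names it keys on (mscoree.dll, clr.dll and friends) are my assumptions, not details taken from the alert.

```python
"""Flag cscript.exe / wscript.exe processes that load the .NET CLR, and attach
any DNS requests they make, from EDR-style telemetry.

Added example, not the original post's code. The event format and the CLR
module names are assumptions; adapt both to the telemetry you actually have."""

# Constructed sample events modelled loosely on EDR telemetry (not real
# CrowdStrike data). pid 4120 reproduces the pattern in the alert above;
# 5200 is a benign script; 6000 is a normal .NET application.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 4120,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\jdoe\settings.vbs"},
    {"ts": 2, "type": "image_load", "pid": 4120,
     "module": r"C:\Windows\System32\mscoree.dll"},
    {"ts": 3, "type": "image_load", "pid": 4120,
     "module": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"ts": 4, "type": "dns_request", "pid": 4120, "query": "cdn.example.invalid"},
    {"ts": 5, "type": "process_start", "pid": 5200,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"ts": 6, "type": "image_load", "pid": 5200,
     "module": r"C:\Windows\System32\scrrun.dll"},
    {"ts": 7, "type": "process_start", "pid": 6000,
     "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
    {"ts": 8, "type": "image_load", "pid": 6000,
     "module": r"C:\Windows\System32\mscoree.dll"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Assumption: CLR bootstrap/runtime modules a script host has no normal reason to load.
CLR_MODULES = {"mscoree.dll", "clr.dll", "mscorwks.dll", "clrjit.dll", "mscorlib.ni.dll"}


def basename(path):
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_hosts_loading_clr(events):
    """Return one record per script-host process that loaded a CLR module.

    Events are processed in timestamp order so image loads and DNS requests
    are attributed to a process only after its start event. Assumes PIDs are
    not reused inside the window being examined."""
    procs = {}  # pid -> tracked script-host process
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["type"] == "process_start":
            if basename(ev["image"]) in SCRIPT_HOSTS:
                procs[pid] = {"pid": pid, "cmdline": ev["cmdline"],
                              "clr_modules": [], "dns": []}
        elif pid in procs:
            if ev["type"] == "image_load" and basename(ev["module"]) in CLR_MODULES:
                procs[pid]["clr_modules"].append(basename(ev["module"]))
            elif ev["type"] == "dns_request":
                procs[pid]["dns"].append(ev["query"])
    # Only script hosts that actually pulled in the CLR are interesting.
    return [p for p in procs.values() if p["clr_modules"]]


if __name__ == "__main__":
    for hit in find_script_hosts_loading_clr(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['cmdline']} loaded {hit['clr_modules']}, DNS {hit['dns']}")
```

The DNS requests are collected as context rather than as a trigger: a script host loading the CLR is rare enough on its own to be worth a look, and the names it resolves afterwards are what you hand to the analyst.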

Analyzing the file in three phases

When I looked at the contents of the settings.vbs file, I noticed it began with the following comment block:

Beginning of settings.vbs

None of the script functionality contained in the rest of the settings.vbs file relates to this comment block; it exists only to give the script a surface appearance of performing printer and network administrative tasks. Looking at the first section of code the script executes, the first steps it takes decide which version of .NET the process running the script should configure itself to load.

settings.vbs .NET Version Selection

If present in a process when the .NET framework is loaded, the COMPLUS_Version environment variable will force a certain version of the .NET framework to be loaded. Based on the presence of a particular 4.0 version of the .NET framework, determined by checking for the existence of a Windows Registry key, the script will set this environment variable to either v4.0.30319 or v2.0.50727.

The next action taken by the script is the initialization of two large base64 encoded strings, wpad_1 and wpad_2.
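Pulling those strings out of the script and checking what they decode to is the job base64dump.py and pecheck.py do in step 2 above. The script below is an added example of the same triage (not the original post's code and not those tools): it scans a constructed VBScript-like text for long base64 runs, decodes each one, and checks for a DOS header whose e_lfanew points at a "PE\0\0" signature. The embedded sample payload is a constructed header stub, not the red team's file.

```python
"""Find base64 blobs in a script and tell which of them decode to a PE image.

Added example for triage of scripts like settings.vbs; not the original
post's code. The sample script text and the fake PE are constructed here."""
import base64
import re
import struct


def build_fake_pe():
    """Constructed stand-in for a PE payload: a 64-byte DOS header whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature. Not a real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


# Constructed VBScript-like text: one string hides a PE, the other plain text.
SAMPLE_VBS = (
    "' Printer configuration helper\n"
    'wpad_1 = "' + base64.b64encode(build_fake_pe()).decode() + '"\n'
    'wpad_2 = "' + base64.b64encode(b"hello from a plain text blob, not a PE file!!").decode() + '"\n'
    'Set sh = CreateObject("WScript.Shell")\n'
)

# Runs of base64 alphabet at least 40 chars long, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def is_pe(data):
    """True if data starts with an MZ header and e_lfanew reaches a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_base64_blobs(script_text):
    """Decode every candidate base64 run and report offset, size and PE-ness."""
    found = []
    for m in B64_RE.finditer(script_text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # not valid base64 (bad length/padding); skip it
        found.append({
            "offset": m.start(),
            "length": len(data),
            "is_pe": is_pe(data),
            "preview": data[:8],
        })
    return found


if __name__ == "__main__":
    for blob in extract_base64_blobs(SAMPLE_VBS):
        kind = "PE image" if blob["is_pe"] else "other data"
        print(f"offset {blob['offset']}: {blob['length']} bytes, {kind}, starts {blob['preview']!r}")
```

Once a blob is confirmed as a PE, the next question is whether it is a .NET assembly, which is what sends you to a decompiler such as DotPeek in step 3.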
