By Lenart Bermejo (Threat Engineer), Gilbert Sison (Cyber Threat Hunting Technical Lead), and Buddy Tancio (Incident Response Analyst)
Security teams and researchers depend on publicly documented analyses of tools, routines, and behaviors to update themselves on the latest findings in the cybersecurity landscape. Published information serves as a reference for the known tactics, techniques, and procedures (TTPs) to install defenses against advance persistent threats (APTs) and prevent attacks that are likely to occur in their respective industries.
However, having theoretical knowledge of defending against an attack immensely differs from experiencing it firsthand. The published routines, tools, and behaviors could differ from the execution of criminal groups per targeted company or industry. Moreover, the difference is largely based on the researched environment of the companies under compromise. Given the amount of effort and resources that goes into research and means for entry, these threat actors will ensure that they find different methods every time, remain hidden while observing, covertly send commands and receive information, mask their traffic, and infect more devices for as long as possible. This is where researchers, analysts, and technological solutions come in.
After detecting a suspicious command-and-control (C&C) traffic exchange from one of their servers, a company’s security team called us to investigate and analyze the traffic. We were given access to a limited number of machines and data to study feedback and event logs, including disk and memory images. However, there were no means to collect all the samples and tools that were likely running undiscovered in the environment of the inaccessible system without either an endpoint detection and response (EDR) or a cross-layered detection and response (XDR) solution. This limited the investigating and security teams from making a complete map and attack attribution.
Scope and Preliminary AnalysisBased on an initial analysis of the logs, a total of 62 machines were infected: 10 of these were servers, 13 were machines with binaries capable of file scraping and data exfiltration, 22 were machines with backdoor shells, while the rest hosted other tools and normal applications that were abused for loading malicious binaries abused for the attack.
Figure 1. Initial assessment of the routine based on preliminary data gathered and analyzed
The backdoor allows the attacker to execute commands using cmd.exe. Tools such as Mimikatz were also used to acquire user accounts. Network scanning tools were used to find other machines to infect and were included in a malicious network that further allowed the backdoor to drop other tools remotely. To run the remotely dropped executable, either a scheduled task was created or a wmic process create command was used. In several instances, copies of the backdoor were dropped, while the tools that were dropped and executed also varied.
The attackers were mostly after document files such as PDFs and Microsoft Office files. Additionally, it is likely that these attacks have been happening for a number of years now based on the timestamps of the binaries and how widespread the infection was. We compared the routines and the tools that we found with MITRE ATT&CK and noted that the observed techniques match both APT32 and APT3, except for a few varying techniques that could not be associated.
Analyses and AttributionConsidering the techniques’ variations, we analyzed the tools and relationship clusters that the routines used and connected to using the five endpoint targets with the most number of installations. We found six types of data exfiltration tools, six backdoors, and five miscellaneous tools that were used for varied purposes. Many of these tools exploited the company’s in-house systems and software, such as their document management system, with a MySQL back-end database, among others. We also found six relationship clusters connecting the tools to the malicious routines, and four intrusion sets that could be matched with previously documented campaigns of APT groups and subgroups. We discuss these tools and relationships in detail in our paper “Finding APTX: Attributing Attacks via MITRE TTPs.”
Figure 2. Relationship A, one of the tool relationship clusters found based on the processes that dropped, launched, or enabled persistence
The groups that we attributed the attack to use diverse toolsets and have strong links to other groups that have already been published by other researchers. The writing styles are also wide-ranging, as evidenced by the contrasts among how packed or “revealing” the tools are. To add, the redundancies in the data exfiltration processes from each of the intrusion sets come as no surprise considering that the goal is continuous information-stealing, data updates, and prolonged presence while remaining hidden in the system.
While unfortunate, victim organizations are in a unique position to note the indicators of compromise (IOCs) that they can use as references. Considering the technological solutions that are available today (such as EDR and XDR), undefined logs might be able to prove and identify the missing links that are necessary to create a full map of the intrusion.
These solutions could reduce the required time in identifying and recreating the events of how the attack occurred. Still, cooperating security and investigating teams play a crucial role in identifying, preventing, and mitigating threats, especially with regard to attributing to the groups responsible. While the process might not be straightforward, identifying the techniques and tools that were used can lead security teams in defending the entire company structure once the correlation of events and tools are made.
To read the full technical details and analyses of our investigation, download our research “Finding APTX: Attributing Attacks via Mitre TTPs.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.