11/19/2017 admin
Intrusions Affecting Multiple Victims Across Multiple Sectors

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level: Yellow (Medium). A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers. To achieve operational efficiencies and effectiveness, many IT service providers leverage common core infrastructure that should be logically isolated to support multiple clients. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network.

Figure 1: Structure of a traditional business network and an IT service provider network.

Technical Analysis

The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs). The actors use malware implants to acquire legitimate credentials, then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open-source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Command and control (C2) primarily occurs using RC4 cipher communications over port 443 to IP addresses and domains. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document's associated STIX package. The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory, with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and REDLEAVES. Although the observed malware is based on existing malware code, the actors have modified it to improve effectiveness and avoid detection by existing signatures.

Both REDLEAVES and PLUGX have been observed being executed on systems via dynamic-link library (DLL) side-loading. The DLL side-loading technique utilized by these malware families typically involves three files: a non-malicious executable, a malicious DLL loader, and an encoded payload file. The malicious DLL is named as one of the DLLs that the executable would normally load and is responsible for decoding and executing the payload into memory.

REDLEAVES Malware

The most unique implant observed in this campaign is the REDLEAVES malware. The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.

Capabilities

System Enumeration. The implant is capable of enumerating the following information about the victim system and passing it back to the C2: system name, system architecture, IP address, and primary drive storage utilization.

Command Execution. The implant can execute a command directly inside a command shell using native Windows functionality by passing the command to run to cmd.exe.

Command Window Generation. The implant can also execute commands via a remote shell that is generated and passed through a named pipe. A command window is piped back to the C2 over the network as a remote shell, or alternatively to another process or thread that can communicate with that pipe. The implant uses the mutex RedLeavesCMDSimulatorMutex.

File System Enumeration. The implant has the ability to enumerate data within a specified directory, where it gathers filenames, last file write times, and file sizes.

Network Traffic Compression and Encryption. The implant uses a form of LZO compression to compress data that is sent to its C2. After compression, the data for this implant sample is then RC4-ciphered with the key 0x. A6. F6. 86. E3. 13.

Network Communications. REDLEAVES connects to the C2 over TCP port 443 using the API function InternetOpenUrlW. The data is not encrypted beyond the RC4 cipher, and there is no SSL handshake as would normally occur with port 443. Current REDLEAVES samples that have been examined have a hard-coded C2. Inside the implant's configuration block in memory were the strings in Table 1.

Table 1: REDLEAVES Sample Strings Found in C2
- QN4869MD: mutex used to determine if the implant is already running (varies from sample to sample)
- 2INCO: unknown
- windir
- RC4 key

While the name of the initial mutex (QN4869MD in this sample) varies among REDLEAVES samples, the RedLeavesCMDSimulatorMutex mutex name appears to be consistent. Table 2 contains a sample of the implant communications to the windowsupdates domain over TCP port 443.

Table 2: REDLEAVES Sample Beacon (hex dump between BEGIN SAMPLE BEACON and END SAMPLE BEACON)

REDLEAVES network traffic has two fixed-length headers in front of each RC4-encrypted, compressed payload; the first header occupies bytes 0x00 through 0x0B, since the second begins at 0x0C. The first header comes in its own packet, with the second header and the payload following in a separate packet within the same TCP stream. The last four bytes of the first header contain the number of the remaining bytes in little-endian format. The second header, starting at position 0x0C, is XOR'd with the first four bytes of the key that is used to encrypt the payload. In the case of this sample, those first four bytes are "john", or 0x6a6f686e in ASCII hex codes. After the XOR operation, the bytes in positions 0x0C through 0x0F contain the length of the decrypted and decompressed payload. The bytes that follow contain the length of the encrypted and compressed payload. To demonstrate with the sample beacon: the length of the decrypted and decompressed payload is the four bytes at 0x0C XOR 0x6a6f686e, and the length of the encrypted and compressed payload is the following four bytes XOR 0x6a6f686e. This is verified by referring back to the sample beacon, whose first header carried the matching number of remaining bytes.

Strings

Note: Use caution when searching based on strings, as common strings may cause a large number of false positives.

Table 3: Strings Appearing in the Analyzed Sample of REDLEAVES
Unique ASCII strings:
- redautumnalleavesdllmain.
- INCOjohn1234
- Feb 04 2015
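The two-header framing described above (a first header whose last four bytes give the little-endian count of remaining bytes, then a second header XOR'd with the first four key bytes that carries the decompressed and the encrypted/compressed lengths) can be decoded with a small parser. The following is an added example written for this page, not code from the advisory or from any REDLEAVES analysis tooling. It assumes, beyond what the text states, that the second header is also 12 bytes, that both length fields are little-endian like the first header's count, that the "remaining bytes" count covers the second header plus the payload, and that the XOR key bytes repeat across the header. The key is constructed: only its first four bytes, "john", come from the text; the suffix "0000" is a placeholder. RC4 is implemented inline so the block runs offline; the LZO decompression step is left out, so the result is the still-compressed payload.

```python
"""Decode the REDLEAVES-style two-packet beacon framing (added example, not advisory code)."""
import struct

FIRST_HEADER_LEN = 0x0C   # second header starts at 0x0C, so the first header is 12 bytes (from the text)
SECOND_HEADER_LEN = 0x0C  # ASSUMPTION: second header is also 12 bytes (byte count is garbled in the text)
KEY = b"john" + b"0000"   # constructed key: "john" (0x6a6f686e) is from the text, "0000" is a placeholder


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_with_key4(block: bytes, key: bytes) -> bytes:
    """XOR a block with the first four key bytes, repeated (ASSUMPTION: the key repeats across the header)."""
    k4 = key[:4]
    return bytes(b ^ k4[i % 4] for i, b in enumerate(block))


def build_beacon(key: bytes, compressed_payload: bytes, decompressed_len: int):
    """Construct a two-packet beacon for testing. Header bytes the text does not describe are zero placeholders."""
    encrypted = rc4(key, compressed_payload)
    # second header: decompressed length, encrypted/compressed length, four unused placeholder bytes
    header2 = xor_with_key4(struct.pack("<III", decompressed_len, len(encrypted), 0), key)
    second_packet = header2 + encrypted
    # first header: 8 placeholder bytes, then the little-endian count of bytes still to come
    first_packet = b"\x00" * 8 + struct.pack("<I", len(second_packet))  # ASSUMPTION: count = header2 + payload
    return first_packet, second_packet


def parse_beacon(first_packet: bytes, second_packet: bytes, key: bytes) -> dict:
    """Validate the framing, undo the header XOR, and RC4-decrypt the payload (still LZO-compressed)."""
    if len(first_packet) != FIRST_HEADER_LEN:
        raise ValueError("first header must be %d bytes" % FIRST_HEADER_LEN)
    remaining = struct.unpack("<I", first_packet[-4:])[0]
    if remaining != len(second_packet):
        raise ValueError("remaining-bytes count %d does not match %d bytes received" % (remaining, len(second_packet)))
    if len(second_packet) < SECOND_HEADER_LEN:
        raise ValueError("second packet too short for its header")
    header2 = xor_with_key4(second_packet[:SECOND_HEADER_LEN], key)
    decompressed_len, encrypted_len = struct.unpack("<II", header2[:8])  # positions 0x0C-0x0F and the next four
    payload = second_packet[SECOND_HEADER_LEN:]
    if encrypted_len != len(payload):
        raise ValueError("encrypted length %d does not match payload of %d bytes" % (encrypted_len, len(payload)))
    return {
        "remaining": remaining,
        "decompressed_len": decompressed_len,
        "encrypted_len": encrypted_len,
        "compressed": rc4(key, payload),  # LZO decompression would follow here
    }


if __name__ == "__main__":
    first, second = build_beacon(KEY, b"\xaa" * 20, 100)  # constructed 20-byte "compressed" payload
    print(parse_beacon(first, second, KEY))
```

The three length checks are the detection-relevant part: a beacon whose remaining-bytes count, header lengths and payload size do not agree with one another is either not this protocol or a corrupted capture, and a sensor watching port 443 can also flag any stream that, like this one, never begins with a TLS handshake.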