🔒
There are new articles available, click to refresh the page.
Before yesterdayCrowdStrike

Nowhere to Hide: Detecting SILENT CHOLLIMA’s Custom Tooling

29 November 2021 at 09:25

CrowdStrike Falcon OverWatch™ recently released its annual threat hunting report, detailing the interactive intrusion activity observed by hunters over the course of the past year. The tactics, techniques and procedures (TTPs) an adversary uses serve as key indicators to threat hunters of who might be behind an intrusion. OverWatch threat hunters uncovered an intrusion against a pharmaceuticals organization that bore all of the hallmarks of one of the Democratic People’s Republic of Korea (DPRK) threat actor group: SILENT CHOLLIMA. For further detail, download the CrowdStrike 2021 Threat Hunting Report today.

Threat Hunters Uncover SILENT CHOLLIMA’s Custom Tooling

OverWatch threat hunters detected a burst of suspicious reconnaissance activity in which the threat actor used the Smbexec tool under a Windows service account. Originally designed as a penetration testing tool, Smbexec enables covert execution by creating a Windows service that is then used to redirect a command shell operation to a remote location over Server Message Block (SMB) protocol. This approach is valuable to threat actors, as they can perform command execution under a semi-interactive shell and run commands remotely, ultimately making the activity less likely to trigger automated detections.

As OverWatch continued to investigate the reconnaissance activity, the threat actor used Smbexec to remotely copy low-prevalence executables to disk and execute them. The threat hunters quickly called on CrowdStrike Intelligence, who together were able to quickly determine the files were an updated variant of Export Control — a malware dropper unique to SILENT CHOLLIMA.

SILENT CHOLLIMA then proceeded to load two further custom tools. The first was an information stealer, named GifStealer, which runs a variety of host and network reconnaissance commands and archives the output within individual compressed files. The second was Valefor, a remote access tool (RAT) that uses Windows API functions and utilities to enable file transfer and data collection capabilities.

OverWatch Contains Adversary Activity

Throughout the investigation, OverWatch threat hunters alerted the victim organization to the malicious activity occurring in the environment. As the situation developed, OverWatch continued to alert the organization, eventually informing them of the emerging attribution of this activity to SILENT CHOLLIMA. 

Because this activity originated from a host without the CrowdStrike Falcon® sensor, OverWatch next worked with the organization to expand the rollout of the Falcon sensor so the full scope of threat actor activity could be assessed. Increasing the organization’s coverage and visibility into the intrusion, threat hunters identified six additional compromised hosts. Through further collaboration with the organization, OverWatch was able to relay their findings in a timely manner, empowering the organization to contain and remove SILENT CHOLLIMA from their network. 

OverWatch discovered a service creation event that was configured to execute the Export Control loader every time the system reboots, allowing the threat actor to maintain persistence if they temporarily lose connection.

sc create [REDACTED] type= own type= interact start= auto error=ignore binpath= "cmd /K start C:\Windows\Resources\[REDACTED].exe"

The threat actor was also mindful to evade detection by storing their Export Control droppers and archived reconnaissance data within legitimate local directories. By doing this, threat actors attempt to masquerade the files as benign activity. The threat actor continued its evasion techniques, removing traces of the collected GifStealer archives by deleting them and overwriting the GifStealer binary itself using the string below. This technique is another hallmark of SILENT CHOLLIMA activity.

"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Windows\Temp\[REDACTED]"

Conclusions and Recommendations

The OverWatch team exposed multiple signs of malicious tradecraft in the early stages of this intrusion, which proved to be vital to the victim organization’s ability to successfully contain the campaign and remove the threat actor from its networks. In this instance, OverWatch worked with the organization to rapidly expand Falcon sensor coverage. Though the Falcon sensor can be deployed and operational in just seconds, OverWatch strongly recommends that defenders roll out endpoint protection consistently and comprehensively across their environment from the start to ensure maximum coverage and visibility for threat hunters. OverWatch routinely sees security blind spots become a safe haven from which adversaries can launch their intrusions.  The Falcon sensor was built with scalability in mind, allowing an organization to reach a strong security posture by protecting all enterprise endpoints in mere moments.

The expertise of OverWatch’s human threat hunters was pivotal in this instance, as it was the threat hunters ability to leverage their expertise that allowed them to discern the SMB activity was indeed malicious. 

For defenders concerned about this type of activity, OverWatch recommends monitoring: 

  • Service account activity, limiting access where possible
  • Service creation events within Windows event logs to hunt for malicious SMB commands
  • Remote users connecting to administrator shares, as well as other commands and tools that can be used to connect to network shares

Ultimately, threat hunting is a full time job. Defenders should also consider hiring a professional managed threat hunting service, like OverWatch, to secure their networks 24/7/365. 

Additional Resources

Shining a Light on DarkOxide

15 September 2021 at 16:30

Since September 2019, Falcon OverWatch™ has been tracking an as yet unattributed actor, conducting targeted operations against organizations within the Asia Pacific (APAC) semiconductor industry. CrowdStrike Intelligence tracks this activity cluster under the name DarkOxide.

CrowdStrike Intelligence has not yet determined the motivation of this activity cluster, but its tactics, techniques and procedures (TTPs) and target scope indicate it is more likely focused on the theft of sensitive information than on direct financial gain.

Telltale TTPs Reveal a Cluster of Activity

The DarkOxide cluster exhibits a very specific set of TTPs that have changed very little over the last two years.

Initially, the actor engages a target via a business-oriented social media platform under the guise of carrying out a recruitment drive (to read more about this technique, see https://attack.mitre.org/techniques/T1566/003/). The target is then encouraged to download a lure document purportedly relating to a job opening. In reality, this file is a malicious executable with a double file extension. The executables in these lures have used non-standard executable file extensions such as .PIF (program information file) and .SCR (screensaver). As Windows, by default, hides the extension of known file types, these files initially appear to be legitimate document files when viewed in Windows File Explorer. 

To date, the targets of the phishing attacks have included engineering staff with access to sensitive documents and source code, indicating that theft of intellectual property is the likely motivation for these operations.

The following screenshot shows the detection that appears in the CrowdStrike Falcon UI when a victim runs one of these malicious screensaver files. In this case, the customer had enabled preventions, allowing the pattern of activity to be recognized by the sensor and terminated before the actor could complete the installation of their remote access software.

(Click to enlarge)

When the payload is executed, it utilizes a number of scripting interfaces, including PowerShell and Visual Basic Script, to download a further malicious binary executable. This second executable, also with a .PIF or .SCR extension, in turn installs a copy of the legitimate remote access tool, Remote Utilities, with a preconfigured command-and-control (C2) address. In a small number of cases in addition to Remote Utilities, the actor also installed the Total Manager Pro file manager. It is likely that this was in order to conduct file system searches, or to package files for exfiltration.

Although the Remote Utilities binary, rutserv.exe, is a legitimate signed binary, its use is relatively rare across CrowdStrike’s customer set.

As of at least March 2020, this TTP has been slightly modified, removing the first stage downloader and moving directly from the initial phishing attack to the installation of the Remote Utilities software.

The following table shows how these TTPs have been shared across a number of intrusions and how they map to the MITRE ATT&CK® framework.

In June 2021, the cluster was observed deploying additional tooling to a host. Again these tools were commercial off-the-shelf software. The tooling observed included:

  • Total Spy: a commercial spyware suite with capabilities including keylogging, screen capture, messaging capture and social network capture
  • RDP Wrapper: an open source tool allowing RDP access to the host
  • DWServe: an open source tool allowing the host to be remotely controlled from a web browser

In almost all cases, the cluster’s activity has been frustrated, either by preventions enabled by the customer, or by early notifications from Falcon OverWatch, allowing the affected systems to be contained before the actor could take further actions on objectives. In the single case where follow-up activity was observed, it consisted of modifications to the registry in order to allow further access to the host via Remote Desktop Protocol. (To read more about these techniques see: https://attack.mitre.org/techniques/T1112/ and https://attack.mitre.org/techniques/T1133/.)

Since CrowdStrike began tracking DarkOxide, the activity cluster has continued to conduct operations against a number of semiconductor companies, almost exclusively located within the South Asia region. 

Your Best Defense Against DarkOxide

Over the past two years, Falcon OverWatch, alongside CrowdStrike Intelligence, has been tracking an activity cluster, DarkOxide, actively targeting the semiconductor industry. Although the actor’s TTPs have remained largely consistent, they have demonstrated the capacity to adapt and improve their processes, having recently streamlined their activity by removing the need for a first-stage downloader in their intrusion process. 

Defenders in the semiconductor industry should be particularly alert to this activity, which drives home the need to enlist end users as the first line of defense. The actor is actively targeting employees via social media to gain initial access. Well-trained staff can be an asset in combating the continued threat of phishing and related social engineering techniques.

As noted above, the Falcon platform can identify and prevent actors’ use of malicious files with double extensions, but it is crucial the sensor is rolled out across the environment with appropriate prevention settings turned on. Defenders can slow down malicious activity by employing strict user account management based on the principle of least privilege. 

Finally, but most crucially, this activity shows the lengths to which threat actors go in their attempt to evade automated detections. Whether by gaining access through phishing activities, or by using legitimate tooling to achieve actions on objectives, threat actors are always looking for new ways to pierce an organization’s defenses. A managed threat hunting service, like Falcon OverWatch, provides the continuous monitoring that is required to identify and disrupt  malicious activity before the damage is done.

Indicators of Compromise

First Stage Payload

SHA256 Hash Lure Filename
48c19ad7436f3d311e9e63327801d0a2d6d25c0d7c7bbc3d2c6a32afb95a0187 Final.exe
9d34f653edf948d9f46522081ff00dddf2f4b62b18d138c49e3b281ca953aeb1 Resume pdf.pif
1fcb6b54b17a6c3df0047a48280b4dcab8b2f2cad2ef4b8c802b05119cedce42 Talent Recruitment Web meeting system.pif
6d1480cd5b10739af130850f9d9bfa7ebe50024c5db68dd231bc7e4bd560ffa6 msi6.9.pif
9d68049510581ff4827fd72510c59d685ce54609b07733be17492bf2403442b4 Job description sr.scr
b414dca98e117d3755903ff27ffc07880f1fe2bfabfb49f6956cf82c06f4eab1 Job description sr.scr
8045f3e00e52c663ab942f39ec779ffc7ac90197ece8e574e5a70c422aa32b36 Job detail description.scr
49fbf9884299fbc6b09e640449fdc834f82a752908d381a68e2057a9861e3618 Job description.scr
186a7abdfcc2df113148650eb1673620a11bb8bfcf3c53f8a1c7429703cda715 Job detail description.scr
45e6653af40fb838eae0657a34905d5ba36052bd41819873d2afc240874b14b6 Qualcomm Job description India.scr
041398a0d34794df5b8d22683f5be7991647416f6243c7bc0441abd7c71c7c27 Qualcomm Job details.scr

Second Stage Payload

SHA256 Hash Filename
9d34f653edf948d9f46522081ff00dddf2f4b62b18d138c49e3b281ca953aeb1 one.pif

Legitimate Binaries Observed

SHA256 Hash Filename
5ada6d1fd62bb1740ea80a30788e55988758acc2b835e6835d6524af1e7afcbd rutserv.exe
C295bd2653d6d8752ff5805b4114eee8e4370a0f16e922d81aecc5f49fa8c9c9 rfusclient.exe
966ef76fe3476d530b1b97a6f40947ed14ada378f13e44ecfe774edc998cd0b0 srvinst.exe
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 rdpwrap.dll
07935229c213d1735655cc8453daa29718da2656546e05d5b3990cb49c248b98 RDPWInst.exe
43fbae4f6637c8eaa955db7e394eebd39cd261f91f36a5bc646303f123e68f13 tsmon.exe
39235102a3aeeb88678cad8d841292fc17ec3b0551cf57d755fdd523985567e8 tsmon4.exe
1ad4b06e282e3c3f22c6d194dabdc272215154f004c57b93b3882c161efc5279 tsmon5.exe
4515d7ee0d5e2e2e236499d35a154b427f07124e9edd379b6e9d62af2ae88c4d tsmon6.exe

Hard-Coded Command and Control for Remote Utilities

  • 54.149.69[.]226
  • 54.188.107[.]146
  • 60.254.95[.]183 
  • 34.221.96[.]116

Additional Resources

The post Shining a Light on DarkOxide appeared first on crowdstrike.com.

2021 Threat Hunting Report: OverWatch Once Again Leaves Adversaries with Nowhere to Hide

8 September 2021 at 05:00

This time last year, the CrowdStrike Falcon OverWatch™ reported on mounting cyber threats facing organizations as they raced to adopt work-from-home practices and adapt to constraints imposed by the rapidly escalating COVID-19 crisis. Unfortunately, the 12 months that followed have offered little in the way of reprieve for defenders. The past year has been marked by some of the most significant and widespread cyberattacks the world has seen. 

The OverWatch team has seen attempted interactive intrusion activity continue at record levels. Both eCrime and targeted intrusion adversaries have continued to evolve and mature their tradecraft, finding new ways to evade technology-based defenses. 

In the newly released Falcon OverWatch annual report, 2021 Threat Hunting Report: Insights From the Falcon OverWatch Team, threat hunters share the trends in adversary tradecraft that have emerged over the past year. This report, now in its fourth year, documents OverWatch’s ongoing campaign to disrupt adversaries’ attempts at interactive intrusions.

In the battle defined by both stealth and speed, OverWatch is winning — leaving adversaries with nowhere to hide

Threat Hunting by the Numbers

The 2021 Threat Hunting Report reveals the scale and spread of potential interactive cyber intrusions uncovered and disrupted with the help of OverWatch. In the 12 months from July 1, 2020 to June 30, 2021, OverWatch tracked adversaries in the networks of organizations from every corner of the globe and nearly every industry vertical. No organization is outside the reach of today’s highly motivated adversaries. 

OverWatch has eyes-on-glass 24/7/365, looking for even the faintest signal of adversary activity. Adversaries do not sleep — they are not restricted by time zone or geography. Adversaries also move fast — they are capable of moving laterally to additional hosts within just minutes of achieving initial access. It is in this context that OverWatch’s around-the-clock vigilance proves so critical.

In this past year alone, OverWatch’s human threat hunters have directly identified more than 65,000 potential intrusions. That’s approximately 1 potential intrusion every 8 minutes ― every hour of the day and night. 

Human-triggered detections are only half of the OverWatch equation. In order to detect intrusion attempts at speed and on a global scale, OverWatch draws on its threat hunting findings to continuously advance the autonomous detection techniques in the CrowdStrike Falcon®platform. Over the last year, threat hunters have distilled their findings into the development of hundreds of new behavioral-based preventions for the Falcon platform, resulting in the direct prevention of malicious activity on approximately 248,000 unique endpoints.

With a powerful combination of human expertise and industry-leading technology, OverWatch can not only disrupt the most sophisticated intrusion attempts today, but also develop insights into detections that ensure swift identification and prevention of known threats into the future.

What You’ll Find in This Year’s Report

  • An overview of how OverWatch combines human ingenuity with patent protected workflows to find the threats technology alone cannot (the SEARCH methodology)
  • A 10,000-foot view of the interactive threat landscape as observed by OverWatch
  • Six detailed case-studies providing insights into how adversaries are carrying out their campaigns in the wild 
  • A new look not only at the most common tactics, techniques and procedures (TTPs) used by adversaries, but also those OverWatch believes defenders should have on their radar
  • An analysis of potential intrusions by vertical, including a special feature on the telecommunications vertical, which saw attempted intrusions double this past year 
  • Recommendations for defenders looking to better protect their organization from current and emerging threats

Whether you’re a seasoned defender looking to learn the latest or a cyber professional just starting out, the 2021 OverWatch Threat Hunting Report has something for you. Be sure to download your copy of the report today.  

Additional Resources

The post 2021 Threat Hunting Report: OverWatch Once Again Leaves Adversaries with Nowhere to Hide appeared first on crowdstrike.com.

  • There are no more articles
❌