mirror of https://github.com/MISP/misp-training
new: [exercises] Added some exercises in case hdoc dies
parent
66d258d60c
commit
8346017d4b
@ -0,0 +1,159 @@
---
tags: MISP, misp-training, training, exercise, hands-on
---
# MISP Encoding Exercise: Flubot malware capture by honeypot
(Inspired by the [blogpost of telekom.com](https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368))

## Ressources
- [Cheatsheet: Concepts & Data model](https://www.misp-project.org/misp-training/cheatsheet.pdf)
- [Attributes Categories and Types](https://iglocska.eu/pages/display/doc/categories_and_types)
- [MISP Objects](https://www.misp-project.org/objects.html) and [searchable in MISP](https://iglocska.eu/taxonomies/index)
- [Galaxies](https://www.misp-project.org/galaxy.html) and [searchable in MISP](https://iglocska.eu/galaxies/index)
- [Taxonomies](https://www.misp-project.org/taxonomies.html) and [searchable in MISP](https://iglocska.eu/taxonomies/index)


## Context
Our honeypot detected a FluBot infection with the following details:

The honeypot received a SMS text message on `2022-03-12 13:27` from `+352131575` containing a text notifying that the recipient missed a call, and a suspicious link they should click on to listen to a voicemail. Upon multiple reception of these text messages, we observed that the link is personalized. Here is a sample of such text message:
```
Missed Call: You have a missed call.
Caller left you a message: https://evilprovider.com/r.php?e1525c0f
```

This link points to a payload to be downloaded (also attached as `sample.apk`, the link resolves to `8.231.77.176`)

We downloaded the malware hosted on that URL and ran it in our sandbox. It looks like the sample is trying to exploit `CVE-2022-27835` and fetches its configuration from an hardcoded C2 server at `https://another.evil.provider.com:42666/c.php?e1525c0f` (`226.140.183.77` and `2efe:65b4:7533:4f5f:1081:0995:ff87:348f`).

We generated a YARA rule that can be used for blocking similar payload:
```
rule android_flubot {
meta:
author = "Thomas Barabosch, Telekom Security"
version = "20210720"
description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
sample = "37be18494cd03ea70a1fdd6270cef6e3"

strings:
$dex = "dex"
$vdex = "vdex"
$s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
$s2 = "java/net/HttpURLConnection;"
$s3 = "java/security/spec/X509EncodedKeySpec;"
$s4 = "MANUFACTURER"

condition:
($dex at 0 or $vdex at 0)
and 3 of ($s*)
}
```

After a while, the installed malware exfiltrates the contact list to the C2 server.
Periodically, the bot queries the same C2 to receive a new target to try to infect and a SMS text.
Example:
```
Missed Call: You have a missed call.
Caller left you a message: https://evilprovider.com/r.php?a1f9f536
```

We strongly believe that the seemingly random sequence of character at the end of the URL is used as a form of token for validation.

This is how far we have gotten so far. Please be mindful that this is an ongoing investigation, we would like to avoid informing the attacker of the detection and kindly ask you to only use the contained information to protect your constituents.

- Sample: [sample.apk](https://iglocska.eu/malicious.exe)

## Type of data extracted from evidences
- Phishing SMS
- URL of the phishing website
- CVE
- URL of the C2 server
- Yara rule
- Another phishing SMS sent from infected device
- Malicous APK

## Data extracted from evidences


- Orignal phishing SMS collected from honeypot
```
Missed Call: You have a missed call.
Caller left you a message: https://evilprovider.com/r.php?e1525c0f
```

- `+352131575`
- Phoner number sender of original SMS
- `https://evilprovider.com/r.php?e1525c0f`
- Phishing URL contained in the original SMS
- `8.231.77.176`
- Resolved IP address for the above domain
- [sample.apk](https://iglocska.eu/malicious.exe)
- Malicious APK infecting the device
- `CVE-2022-27835`
- CVE exploited by the malware
- `https://another.evil.provider.com:42666/c.php?e1525c0f`
- URL of the C2 server
- `226.140.183.77` and `2efe:65b4:7533:4f5f:1081:0995:ff87:348f`
- IP addresses resolving to the C2
- Provided Yara rule for blocking similar payload
```yara
rule android_flubot {
meta:
author = "Thomas Barabosch, Telekom Security"
version = "20210720"
description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
sample = "37be18494cd03ea70a1fdd6270cef6e3"

strings:
$dex = "dex"
$vdex = "vdex"
$s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
$s2 = "java/net/HttpURLConnection;"
$s3 = "java/security/spec/X509EncodedKeySpec;"
$s4 = "MANUFACTURER"

condition:
($dex at 0 or $vdex at 0)
and 3 of ($s*)
}
```

- Phishing SMS sent from infected device
```
Missed Call: You have a missed call.
Caller left you a message: https://evilprovider.com/r.php?a1f9f536
```


## Encoding tasks
These are the steps you are asked to do. The order is provided as a suggestion.
1. Create an new *event*
2. Encode all data to be shared
- **Indicators**
- Supportive data / Observable
- Non technical indicators
3. Add relationships to recreate the events and story
4. Add the time component to recreate the chronology
5. Perform enrichments where applicable (e.g location if IP address)
6. Add contextualization
- **Incident type**
- `circl`, `enisa`, `europol-incident`
- **Releasability** and **Permissible Actions**
- `tlp`, `PAP`
- **Malware type / familly**
- `malware_classification`, `ransomware`, `malpedia` Galaxy
- Infection vector
- `ransomware`, `maec-delivery-vectors`, `europol-event`
- **Adversary infrastructure**
- `adversary`
- **Adversary tactics and techniques**
- `attack-pattern` Galaxy
- Malware-specific information
- `ransomware`, `maec-malware-capabilities`
- Mitigations and Detection
- `Course of Action` Galaxy
- Sector and Location
- `Sector` Galaxy, `Country` Galaxy
- Collaboration and sharing
- `workflow`, `collaborative-intelligence`
7. Create a small write-up as an *event report*
8. Review the distribution level and publish
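Review bot: the bullet `- Sample: [sample.apk](https://iglocska.eu/malicious.exe)` and the matching entry under "Data extracted from evidences" label the download `sample.apk` while the link points at `malicious.exe`, so trainees fetching the "APK" get a differently named file than the narrative describes; host the file under `sample.apk` or change the label. In the same hunk: the first copy of the YARA rule sits in an untagged fence while the second copy is tagged `yara`, so tag both the same way; `226.140.183.77` lies in the 224.0.0.0/4 multicast range and cannot be a C2 host address, and `8.231.77.176` is globally routable unicast space that belongs to a third party, so the invented IoCs would be safer in the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32); spelling to fix: "Ressources" (Resources), "Orignal" (Original), "Phoner number" (Phone number), "Malicous" (Malicious), "familly" (family), "an new" (a new), "an hardcoded" (a hardcoded).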
File diff suppressed because one or more lines are too long
@ -0,0 +1,98 @@
---
tags: MISP, misp-training, training, exercise, hands-on
---
# MISP Encoding Exercise : Infection via spear-phishing email

## Ressources
- [Cheatsheet: Concepts & Data model](https://www.misp-project.org/misp-training/cheatsheet.pdf)
- [Attributes Categories and Types](https://iglocska.eu/pages/display/doc/categories_and_types)
- [MISP Objects](https://www.misp-project.org/objects.html) and [searchable in MISP](https://iglocska.eu/taxonomies/index)
- [Galaxies](https://www.misp-project.org/galaxy.html) and [searchable in MISP](https://iglocska.eu/galaxies/index)
- [Taxonomies](https://www.misp-project.org/taxonomies.html) and [searchable in MISP](https://iglocska.eu/taxonomies/index)

## Chronology
- **11:42:43 UTC+0**: Email containing a malware sent from supposedly Andrew Ryan
- **11:47:27 UTC+0**: Email was read, its attachment opened and executed
- **11:47:28 UTC+0**: Malware added persistence
- **12:08:18 UTC+0**: Malware successfully contacted the C2 to get its configuration

## Type of data extracted from evidences
- Original **e-mail**
- The actual malware **binary**
- **Registry Keys** for persistence and configuration
- C&C server **ip address** used to generate the malware's configuration
- The **bitcoin address** on which the ransom should be paid
- The **person**, impersonated (or fake) that sent the email


## Data extracted from evidences
- Spear-phishing `email`
> Subject: Invoice 4829-2383
>From: "Andrew_Ryan" <Andrew_Ryan@rindustries.rp>
>To: "Brigid_Tenenbaum" <Brigid_Tenenbaum@rindustries.rp>
>
>Dear Brigid,
>
>Please see the attached Iolta report for 4829-2383.
>
>We received a check request in the amount of $1,637.28 for the above referenced file. Would you kindly take care of this request at your earliest convenience.
>
>Thanks.
>
>Andrew_Ryan
>CEO
>
>Ryan Industries
>42, Central Control Hephaestus - Rapture
>www.rindustries.rp
>
>*Not licensed to practise law.
>
>This communication contains information that is intended only for the recipient named and may be privileged, confidential, subject to the attorney-client privilege, and/or exempt from disclosure under applicable law. If you are not the intended recipient or agent responsible for delivering this communication to the intended recipient, you are hereby notified that you have received this communication in error, and that any review, disclosure, dissemination, distribution, use, or copying of this communication is STRICTLY PROHIBITED. If you have received this communication in error, please notify us immediately by telephone at 1-800-766-7751 or 1-972-643-6600 and destroy the material in its entirety, whether in electronic or hard copy format.
- `cryptolocker.exe`
- Malware attached to the mail
- [cryptolocker.exe (no auth)](https://iglocska.eu/malicious.exe)
- `81.177.170.166`
- `ip address` of a C2 server used to generate the configuration
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"`
- The registry key used for persistence
- `HKCU\SOFTWARE\CryptoLocker VersionInfo`
- The registry key containing the configuration received from the C2 server
- `0x819C33AE`
- XOR key used to encode the configuration data
- Person, e-mail, occupation and role
- `Andrew Ryan`, `Andrew_Ryan@rindustries.rp`
- `CEO`, `Victim`, `Originator`

## Encoding tasks
These are the steps you are asked to do. The order is provided as a suggestion.
1. Create an new *event*
2. Encode all data to be shared
- **Indicators**
- Supportive data / Observable
- Non technical indicators
3. Add relationships to recreate the events and story
4. Add the time component to recreate the chronology
5. Perform enrichments where applicable (e.g location if IP address)
6. Add contextualization
- **Incident type**
- `circl`, `enisa`, `europol-incident`
- **Releasability** and **Permissible Actions**
- `tlp`, `PAP`
- **Malware type / familly**
- `malware_classification`, `ransomware`
- Infection vector
- `ransomware`, `maec-delivery-vectors`, `europol-event`
- **Adversary infrastructure**
- `adversary`
- **Adversary tactics and techniques**
- `attack-pattern` Galaxy
- Malware-specific information
- `ransomware`, `maec-malware-capabilities`
- Mitigations and Detection
- `Course of Action`
- Collaboration and sharing
- `workflow`, `collaborative-intelligence`
7. Create a small write-up as an *event report*
8. Review the distribution level and publish
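Review bot: the roles `CEO`, `Victim`, `Originator` are listed under Andrew Ryan, yet the "Type of data" section describes him as "the person, impersonated (or fake) that sent the email" and the chronology has the recipient Brigid Tenenbaum opening the attachment; say explicitly whether Andrew Ryan is an impersonated legitimate employee or a fabricated persona, and give Brigid Tenenbaum her own person entry, otherwise trainees cannot choose the right relationship between sender, recipient and malware. Also in this hunk: the chronology gives times (`11:42:43 UTC+0`) but no date, so the event timestamps cannot be set from the text alone; the quoted e-mail uses `> Subject:` with a space but `>From:` and `>To:` without one, which should be made consistent; the "bitcoin address" announced under "Type of data" never appears under "Data extracted from evidences"; and the same typos as the sibling exercise remain ("Ressources", "familly", "an new").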
File diff suppressed because one or more lines are too long
@ -0,0 +1,16 @@
### Incident report email

> From csirt@telco.lu
>
> Dear xy,
>
> We have had a failed spearphishing attempt targeting our CEO recently with the following details:
>
> Our CEO received an E-mail on 03/02/2021 15:56 containing a personalised message about a report card for their child. The attacker pretended to be working for the school of the CEO’s daughter, sending the mail from a spoofed address (john.doe@luxembourg.edu). John Doe is a teacher of the student. The email was received from throwaway-email-provider.com (137.221.106.104).
>
> The e-mail contained a malicious file (find it attached) that would try to download a secondary payload from https://evilprovider.com/this-is-not-malicious.exe (also attached, resolves to 2607:5300:60:cd52:304b:760d:da7:d5). It looks like the sample is trying to exploit CVE-2015-5465. After a brief triage, the secondary payload has a hardcoded C2 at https://another.evil.provider.com:57666 (118.217.182.36) to which it tries to exfiltrate local credentials. This is how far we have gotten so far. Please be mindful that this is an ongoing investigation, we would like to avoid informing the attacker of the detection and kindly ask you to only use the contained information to protect your constituents.
>
> Best regards,

- Sample 1: [malicious.exe](https://iglocska.eu/malicious.exe)
- Sample 2: [this-is-not-malicious.exe](https://iglocska.eu/this-is-not-malicious.exe)
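Review bot: `03/02/2021 15:56` is ambiguous between 3 February and 2 March and carries no time zone, although this report is meant to feed a MISP chronology; write it in an unambiguous form such as `2021-02-03T15:56Z` (for whichever date is intended). Also here: the quoted mail stops at `> Best regards,` with no sender name, so either finish the signature or mark the cut as deliberate; the file starts at `###` while the sibling exercise files start at `#`, which breaks the heading hierarchy if this snippet is included in a larger document; and `137.221.106.104`, `118.217.182.36` and `2607:5300:60:cd52:304b:760d:da7:d5` are routable addresses, so the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) would be safer for invented IoCs.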
File diff suppressed because one or more lines are too long