SOC Goulash: Weekend Wrap-Up

Opalsec
13 min read · Oct 10, 2022

Infosec News for 03/10/2022 — 09/10/2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

Headline Items

  1. Insights into the evolution of BumbleBee Loader’s capabilities, used by the FIN12 ransomware threat group for initial access;
  2. IcedID & Qakbot toy with renamed system binaries and maldocs, but largely continue to rely on zip > iso > lnk detonation to sneak past email filtering;
  3. Zimbra and PHP’s Composer fall victim to serious supply chain vulnerabilities.

BumbleBee continues to evolve its C2 & capabilities

Reference: ESET | Checkpoint

Significant research has emerged from ESET and Checkpoint this week which highlights the latest upgrades being made to BumbleBee’s tasking and communications framework.

I’ll expand on it a little more below, but if you like pretty pictures like I do, here’s a visual summary of the key points you’ll need to know:

Figure 1: Key findings from recent analysis by ESET & Checkpoint

Potential modularisation — PLG Command

First up, ESET have identified a new command option available to BumbleBee operators, which can be invoked with the “plg” option. All commands are represented by a three-letter truncation of their purpose, e.g. “dij” which corresponds to “Download & Inject”, or “dex” which downloads and executes an arbitrary payload.

This has led ESET to speculate that “plg” might enable execution of a particular plugin — a potential indication that the developers are looking to make BumbleBee a modular malware with multiple plugins that can be loaded and run as required.

For now, the command simply performs the same function as the “dij” command, and appears to have been left in there as a testing placeholder.

Use of Session IDs, shift to WebSocket for C2

The other developments ESET notes are:

  1. The use of a hardcoded “client_ping” value of “FORTHEEMPEROR” being added to the initial C2 setup request, which prompts a session_id value being provided in the response that’s then used in further requests;
  2. The switch to WebSocket to replace HTTPS as their C2 medium of choice. WebSocket retains the ability to wrap comms in TLS while also being full-duplex, as opposed to HTTPS which is half-duplex. This could allow the devs to configure BumbleBee to be instructed to run tasks as needed, instead of the malware having to repeatedly check in with the C2 at fixed intervals to request new tasking.

Decryption of the malware config

BumbleBee payloads operate using a config that is encrypted with an RC4 key. The key lives in an 80-byte slot of the .data section, but has so far always been much shorter than the allocated 80 bytes.

This key is used to decrypt the remaining sections, including the list of C2 infrastructure, which is stored in an encrypted 1024-byte block, many entries of which are actually decoys.

Two more 80-byte sections trail the RC4 key, though the first appears to be junk, unused code, and the second contains a “group_name” value. I know, it sounds exciting! Unfortunately, it’s been proven to be a dud for grouping samples — see the section on clustering below for an explanation <insert_sad_pepe_meme>.

InfoStealers for individuals, 2nd-stage malware for the enterprise

Checkpoint researchers have noticed that BumbleBee payloads dropped on systems that aren’t domain-joined will typically receive the “dex” command, instructing it to download and execute a secondary payload that is often either a banking trojan or InfoStealer, such as Vidar Stealer.

Conversely, victims that are a member of a domain will receive the “dij” command that downloads and injects a secondary payload into the memory of a target process. This payload is typically either a Cobalt Strike, Sliver, or Meterpreter implant to enable further exploration of the network and post-exploitation activities.

BumbleBee is distributed by EXOTICLILY, the Initial Access Broker (IAB) for the now-fractured, but still very-much operational Conti (FIN12) ransomware syndicate. This selective delivery of trojans and post-exploit implants is consistent with the group’s objective of enabling ransomware operations, while still monetising the accesses that don’t.

It’s also worth noting that in both cases the secondary payload will be packaged using the same custom Bumblebee packer — a YARA rule for this is included at the end of Checkpoint’s report.

Correlating Campaigns based on RC4 Key

Checkpoint have found multiple unique “group_name” values used by samples that share the same RC4 encryption key and deliver the same 2nd-stage payload. As dropper malware such as this tends to be built and distributed from the same config — and therefore often shares the same encryption key and performs the same on-target actions — Checkpoint have dismissed group_name values as a reliable means of clustering activity.

Rather, the encryption keys themselves appear to be better indicators of related activity, and — at least for now — can be used to cluster infections.
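To make the config layout and the key-based clustering above concrete, here is an added example (not code from ESET or Checkpoint) that parses a BumbleBee-style config region and then clusters parsed samples on their RC4 key rather than group_name. The 80-byte slot offsets, the NUL padding and the comma-separated C2 list are assumptions made for this example; the sample blobs are constructed by the code itself.

```python
"""Added example (not from ESET/Checkpoint): parse a BumbleBee-style config.
Layout assumed from the write-up: an 80-byte slot holding a short, NUL-padded
RC4 key; two more 80-byte slots (junk, then group_name); then a 1024-byte
RC4-encrypted C2 block. Offsets and the comma delimiter are assumptions."""
from collections import defaultdict

SLOT = 80        # each config field sits in an 80-byte slot
C2_BLOCK = 1024  # encrypted C2 list, real entries mixed with decoys


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(blob: bytes) -> dict:
    """Recover key, group_name and the decrypted C2 list from the config region."""
    key = blob[:SLOT].rstrip(b"\x00")  # key is far shorter than its slot
    group_name = blob[2 * SLOT:3 * SLOT].rstrip(b"\x00").decode(errors="replace")
    c2_plain = rc4(key, blob[3 * SLOT:3 * SLOT + C2_BLOCK]).rstrip(b"\x00")
    return {"key": key, "group_name": group_name, "c2": c2_plain.decode().split(",")}


def build_config(key: bytes, group_name: str, c2: list) -> bytes:
    """Constructed sample only: lay a blob out the way parse_config expects."""
    c2_plain = ",".join(c2).encode().ljust(C2_BLOCK, b"\x00")
    return (key.ljust(SLOT, b"\x00") + b"\x00" * SLOT
            + group_name.encode().ljust(SLOT, b"\x00") + rc4(key, c2_plain))


def cluster_by_key(configs: list) -> dict:
    """Group samples by RC4 key, not group_name, as Checkpoint recommend;
    one key carrying several group_names is exactly the case they observed."""
    clusters = defaultdict(set)
    for cfg in configs:
        clusters[cfg["key"]].add(cfg["group_name"])
    return dict(clusters)
```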

Patterns in IcedID Infrastructure

References: Team Cymru | @Max_Mal

Team Cymru have published their findings from a comprehensive analysis of recently observed Tier 1 and Tier 2 IcedID infrastructure, which highlights a number of key patterns. Of these, the most noteworthy are:

  1. Up to September 21, Tier 1 domains were registered via 1337 Services LLC Hosting and parked for ~31 days before being linked to an IP and used operationally — presumably to mitigate firewalls that sinkhole traffic to newly registered domains;
  2. Domains and IPs are mostly used for only one campaign before being retired. They’re deployed in batches of four or five C2 IPs per campaign, with an average operational lifespan of six days.

During September Team Cymru also reported observing four main distribution methods:

  1. Password Protected ZIP -> ISO -> LNK -> JS -> [CMD or BAT] -> DLL;
  2. Password Protected ZIP -> ISO -> CHM -> DLL;
  3. Macro-enabled Word/Excel attachments;
  4. Secondary distribution via the Pay-per-Install PrivateLoader service (the distributor for which was recently reported to have shut down). This was the most effective method of the four observed.

IcedID TTP Summary

Three main delivery mechanisms were observed this week:

  1. Campaign #1 (WSF proxy-invocation): @Max_Mal_
  2. Campaign #2 (HTML Smuggling): malware-traffic-analysis
  3. Campaign #3 (xlsm maldoc): @JAMESWT_MHT

Figure 2: IcedID TTPs

Several inflated maldoc samples were observed being delivered, with a 120MB sample observed by @James_inthe_box and several others found on various online sandboxes.

Unit 42 also highlighted the use of PowerShell to download a 2nd-stage Cobalt Strike payload over TCP/8080 — something worth keeping an eye out for in network and PowerShell logs.

Qakbot TTP Summary

Both Qakbot distributors began experimenting with copied and renamed system binaries to execute DLL payloads, with some slight variance to the lnk > * > cmd > dll execution chain, a continued reliance on malicious URLs and HTML files, and ISO containers with LNK files for initial execution.

BB Botnet

Like IcedID, TA577 also played around with copying and renaming system binaries before using them to execute the payload, swapping .vbs files for .js files as the intermediary in their iso > lnk execution chain, and reverting to delivering malicious Excel docs in some instances:

03/10 : url > .zip > .iso > .lnk > wscript.exe (.vbs) > cmd.exe (.cmd) > rundll32.exe (.dll)

05/10: url > .zip > excel.exe (.xlsb) > regsvr32.exe (.dll)

06/10 : html > .zip > .iso > .lnk > cmd.exe (.cmd) > copies rundll32.exe to %PUBLIC%/my.exe > my.exe (.dll)

Figure 3: Qakbot BB Botnet TTPs

Obama Botnet

Two distinct distribution methods were observed from the Obama botnet (TA570) this week, though both relied on html smuggling as the first stage. The first method was simply a repeat of the same execution chain as last week, while the second followed TA577 and IcedID by executing renamed system binaries to run the payload:

05/10 (Obama209): html > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

06/10 (Obama210): html > .zip > .iso > cmd.exe (.lnk) > cmd.exe (.cmd) > copies regsvr32.exe to %PUBLIC%/re.exe > re.exe (.dll)

Figure 4: Qakbot Obama Botnet TTPs
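The common thread in the 06/10 chains from both botnets is a system binary (rundll32.exe or regsvr32.exe) copied to %PUBLIC% and run under a new name. As an added example, not taken from any of the reports above, here is a small hunt over Sysmon Event ID 1-style process-creation events that catches both the staging copy and the renamed execution; the field names follow Sysmon, and the sample events are constructed to mirror the chains above rather than captured from a real intrusion.

```python
"""Added example (not from the reports above): flag the copied-and-renamed
system binary step in the Qakbot and IcedID chains using Sysmon Event ID 1
style fields (Image, OriginalFileName, CommandLine). The sample events are
constructed to mirror the 06/10 chains; nothing here is a captured log."""
import ntpath
from typing import Optional

# Binaries the write-up reports being copied out of System32 and renamed.
WATCHED = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def renamed_system_binary(event: dict) -> Optional[str]:
    """OriginalFileName comes from the PE version resource, so it survives a
    rename; compare it with the on-disk name and the location it ran from."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED:
        return None
    if ntpath.basename(image) != original:
        return f"{original} running under a different name: {image}"
    if not image.startswith(SYSTEM_DIRS):
        return f"{original} executed outside the system directory: {image}"
    return None


def copies_watched_binary(event: dict) -> bool:
    """Spot the preceding cmd.exe step that copies a watched binary elsewhere."""
    cmdline = event.get("CommandLine", "").lower()
    if ntpath.basename(event.get("Image", "").lower()) != "cmd.exe":
        return False
    return "copy" in cmdline and any(b in cmdline for b in WATCHED)


def hunt(events: list) -> list:
    """Run both checks over process-creation events and return the reasons."""
    hits = []
    for ev in events:
        reason = renamed_system_binary(ev)
        if reason:
            hits.append(reason)
        elif copies_watched_binary(ev):
            hits.append(f"staging copy of a system binary: {ev['CommandLine']}")
    return hits


SAMPLE_EVENTS = [  # constructed, modelled on the 06/10 BB and Obama chains
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\rundll32.exe %PUBLIC%\my.exe"},
    {"Image": r"C:\Users\Public\my.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"C:\Users\Public\my.exe D:\stage.dll,Entry"},
    {"Image": r"C:\Users\Public\re.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"C:\Users\Public\re.exe D:\stage.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign
]
```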

Zimbra RCE Vulnerability actively exploited since at least September

Reference: AttackerKB | Rapid7 | Bleeping Computer

A CVSS 9.8 RCE vulnerability impacting Zimbra Collaboration Suite (CVE-2022-41352) has been actively exploited by attackers since at least September this year, allowing them to potentially overwrite the Zimbra webroot, implant shellcode, and access other users’ accounts.

The vulnerability stems from a bug in the file archiving utility cpio — CVE-2015-1194 — which was originally patched, but appears to have remained exploitable. This utility is used by Amavis — a security tool integrated into Zimbra Collaboration Suite — to extract archives and scan their contents.

The official fix is to install the pax package, which Amavis will use instead of cpio to extract archives.

Additional Vulnerabilities

Auth Bypass in FortiGate, FortiProxy products

Attackers can bypass authentication requirements on the management interface of Fortinet FortiGate and FortiProxy appliances due to a critical vulnerability designated CVE-2022-40684.

Patches are available, with the interim mitigation being to lock down access to the portal. Better yet — don’t expose the management plane to the internet, maybe?

Kubernetes management tool Rancher exposed plaintext credentials & tokens

CVE-2021-36782 is a CVSS 9.9 vulnerability assigned to flaws in versions 2.5.15–2.6.6 of the Kubernetes management tool Rancher, which saw sensitive fields, like passwords, API keys and Rancher’s service account token (used to provision clusters), being stored in plaintext directly on Kubernetes objects.

These objects can be read by anyone with sufficient permissions via the Kubernetes API. The exposure of Rancher’s service account token would allow any standard user to escalate their privileges to cluster administrator in Rancher.

Command Injection vulnerability discovered in PHP’s Packagist

Packagist, which is used by PHP package manager Composer to determine and download project software dependencies, was found to be vulnerable to command execution through processing of maliciously crafted branch names (CVE-2022-24828).

The downstream impact of this is significant, with Composer downloading ~2 billion software dependencies via Packagist every month.

Upgrade to the patched versions of Composer — 2.3.5, 2.2.12, or 1.10.26 — to mitigate this vulnerability.

Offensive

  1. Trickest — A set of wordlists composed with strings most suitable for CMS and Robots.txt enumeration;
  2. SysWhispers — generate header/ASM files to allow your implants to make direct system calls and avoid triggering user-land security product hooks;
  3. Freeze — a tool for creating payloads that bypass EDR hooking using methods like creating processes in a suspended state and resolving function addresses directly from ntdll’s .text section;
  4. ntlm_theft — a tool to help generate files that can be abused to steal NTLMv2 hashes;
  5. HardwareAllTheThings — a guide for hardware/IoT hacks and techniques;
  6. Meterpreter fans rejoice — it now supports BOF Loaders!
  7. @snovvcrash has this neat thread summarising why Diamond and Sapphire Tickets make useful alternatives to the traditional Golden Ticket Kerberos attack;
  8. Worried about triggering Microsoft Defender for Identity while Kerberoasting your way to victory? Check out this talk from BruCON on how to tiptoe around those controls on your next engagement;
  9. This is a really good summary of the multiple challenges faced by organisations in their quest to secure user identities and the authentication and authorisation processes that underpin it. It’s more than just “roll out FIDO and you’ll be fine” — while it’s proven to be effective, there are more controls and challenges that inhibit organisations’ ability to make meaningful ground in this space.

Defensive

  1. Dissect — a Python-based IR framework that enables access to artefacts such as Runkeys, Prefetch Files, Event Logs, and more;
  2. GitFive — an OSINT tool to investigate Github profiles;
  3. EternalLiberty — Getting your wires crossed on overlaps in threat actor aliases used by different vendors? This repo provides links to decipher their relationships;
  4. Anydesk is a common Remote Management Tool abused by threat actors such as the former Conti group. Forensicxlab have created a Volatility3 plugin to help extract AnyDesk configs from memory dumps!
  5. ICYMI — Defender sucks at finding web shells because it “by default excludes scanning from IIS process and folders on Windows Server 2016 or above.”
  6. In lieu of being able to depend on Defender, this timely post will guide you through hunting in IIS, Exchange Setup, Exchange PowerShell cmdlet History logs and more;
  7. Naturally, Florian has a Sigma rule that can help plug this gap by looking at file creation events by the IIS server process on Exchange servers;
  8. Microsoft have shared this article on detecting and preventing LSASS credential dumping attacks;
  9. Common misconfigurations in Azure Conditional Access and how to bypass them — worth doing a sanity check of your internal controls to make sure these holes are plugged!
  10. Splunk’s Threat Research Team have built on last week’s leak of a cracked version of the Brute Ratel C4 framework by providing analysis and detection options to help defenders;
  11. Check out this post by RedCanary, that walks you through how to detect manipulation and theft from Exchange mailboxes;
  12. @CyberRaiju has shared several references for malware/RAT analysis resources, including RedLine and STRRAT;
  13. SpecterOps’ post on Prioritisation of the Detection Engineering Backlog is a great resource for anyone working in or managing that area of Blue Team ops;
  14. If you’re looking for a simple way to mitigate the now-commonplace iso > lnk > * execution chain, you can disable the double-click-to-mount for iso files with this reg key.

Threat Actor Activity & Reporting

  1. The NSA, CISA and FBI have released a joint advisory regarding the compromise of an organisation in the Defence sector by an as-yet unidentified APT group. The intrusion was enabled through compromise of an Exchange server in January 2021, and Impacket was used to enable internal lateral movement in addition to a custom exfil tool dubbed CovalentStealer;
  2. Another joint advisory released by the trio of agencies has highlighted the CVEs most exploited by Chinese state-sponsored actors since 2020. The spread is unsurprising, but given popping CVEs are a favourite of Chinese actors, this makes for a good shopping list of things to make sure you’re patched/mitigated/monitoring for;
  3. Researchers have linked the Cheerscrypt ransomware to the China-affiliated DEV-0401/Emperor Dragonfly threat group, positing that the ransomware operations are a potential cover for cyber espionage campaigns;
  4. Trend Micro have looked at evolutions in the tooling used by the APT group they track as Earth Aughisky, known for targeting organisations in Taiwan and Japan.

Cyber Crime & Ransomware

  1. Blackberry researchers have this report looking into DJVU ransomware. Active since 2018, it exclusively targets Windows hosts. The operators also appear to have partnered with other cyber criminal groups as an apparent secondary monetisation method, distributing InfoStealers during intrusions to exfil data;
  2. Sophos have shed light on BlackByte ransomware’s EDR bypass technique that relies on abusing the legit-but-vulnerable driver RTCore64.sys used by Micro-Star’s MSI AfterBurner 4.6.2.15658 graphics-card overclocking utility. Spoilers — it looks like the technique was largely based on the open-source EDRSandblast tool, and also the developer could really use a hug right now (check out the choice of Service names — yikes);
  3. Trellix summarise the evolution of BazaCall Call-back Phishing campaigns — potentially something to work into your user training regime;
  4. Meet Maggie — a RAT targeting SQL servers that has already infected hundreds of assets throughout the world, and is capable of executing commands on-target and bridging attacker comms into the compromised environment;
  5. Elastic have produced this in-depth analysis of the PARALLAX loader — a highly-capable and evasive loader malware that was first seen in 2020 — and campaigns where it has delivered the Netwire trojan;
  6. zScaler researchers have taken the scalpel to LilithBot, a versatile offering sold by the Eternity group on the Dark Web that comes with stealer, clipper, and miner capabilities;
  7. A brief overview of the ELITETEAM Bulletproof hosting service, which is being actively leveraged to enable multiple distinct clusters of cyber crime operations ranging from infostealing to ransomware deployment.

Misc

  1. Secureworks 2022 State of the Threat Report has been released, with a noteworthy finding being that compromise of unpatched internet-facing infrastructure has overtaken credentials-based attacks as the primary initial attack vector, and enabled 52% of ransomware incidents over the past year;
  2. Research by Cequence Security has highlighted the risk posed by “Shadow APIs”, noting 30% of “all malicious attacks” target such APIs;
  3. Researchers from Avanan have flagged the continuing importance of Email security controls, and while Microsoft’s defences have been largely effective, approximately 20% of phishing emails bypassed Exchange Online Protection & Defender, with Defender missing 74% more phishes since 2020;
  4. 64 percent of enumerated internet-connected PostgreSQL servers don’t use SSL; 41% don’t require a password. Seems we’ve been so busy sweating S3 buckets that we forgot about the original blob storage;
  5. Talks from BSides Augusta are now available on Youtube.

Thanks for reading! A reminder — this is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!
