Lets Defend — Phishing Mail Detected
SOC146 — Phishing Mail Detected — Excel 4.0 Macros
LetsDefend
LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.
SOC146 — Phishing Mail Detected — Excel 4.0 Macros
Today we will analyze a real phishing scenario. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. The recipient is tricked into clicking a malicious link, or downloading a malicious attachment, which can lead to the installation of malware.
Monitoring
Our investigation starts at the Monitoring page, which simulates a real SOC environment. The alert entry holds more details about the incident: looking at them, we can see the source address, the SMTP address and more. Our next step is to copy the sender address and search for it in our mailbox.
Mailbox
By searching for the source address in the mailbox, we find the copy of the email that generated the alert.
We can extract important information from the email that could be useful later in the investigation:
- Subject: RE: Meeting Notes
- Sender: trenton@tritowncomputers[.]com
- Recipient(s): lars@letsdefend[.]com
- Attachment(s): 11f44531fb088d31307d87b01e8eabff.zip
Next, we will download the attachment and unzip it in a safe environment. In our case, we are using REMnux (https://remnux.org/).
After unzipping the attachment, we found three files:
Generating MD5
Using md5sum, a tool built into REMnux, we calculate the hash of each file in the attachment. Hashes are useful for positively identifying malware: the file is run through a hashing algorithm that produces a unique digest identifying that sample (a sort of fingerprint).
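As an added example (not part of the original write-up), the following Python script does what md5sum does here, but for a whole unzipped attachment folder at once, records SHA-256 alongside MD5 (VirusTotal accepts either), and defangs indicators for the report. The sample files it hashes are constructed stand-ins, not the real attachment.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the MD5 and SHA-256 hex digests of one file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_directory(directory):
    """Hash every regular file under the directory the attachment was unzipped into."""
    results = {}
    for path in sorted(Path(directory).rglob("*")):
        if path.is_file():
            results[path.name] = hash_file(path)
    return results


def defang(indicator):
    """Render an IP, domain or URL so it cannot be clicked by accident in a report."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def demo():
    """Constructed sample files (not the malware from the case) hashed in a temp folder."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.txt").write_bytes(b"hello")
        Path(tmp, "sample.dll").write_bytes(b"MZ" + b"\x00" * 62)
        return hash_directory(tmp)


if __name__ == "__main__":
    for name, digests in demo().items():
        print(f"{name}: md5={digests['md5']} sha256={digests['sha256']}")
    print(defang("nws.visionconsulting.ro"))
```

Chunked reading keeps memory flat for large droppers, and collecting both digests in one pass avoids hashing the sample twice.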
Virus Total
Next, we perform a hash search on VirusTotal (VT). VT lets you search its dataset to identify files matching certain criteria; to look up a file by MD5, type the hash into the main search box.
According to VT, all three files are flagged as malicious. At the time of our scan, 30 antivirus engines reported the Excel file as malicious and 8 engines reported the DLL as malicious.
Anyrun Sandbox
Anyrun is an interactive malware analysis sandbox. The service detects, analyzes, and monitors threats in a given file, URL or executable. It shows all processes in real time, so an analyst can spot malicious operations before the final report is produced.
Below are the results of the analysis of our malicious Excel file.
The sandbox detected unusual executions: the malware abuses Regsvr32.exe to proxy the execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, including DLLs, on Windows systems.
Malicious use of Regsvr32.exe may avoid triggering security tools that do not monitor the execution of, or the modules loaded by, the regsvr32.exe process, because of allowlists or false positives from Windows using regsvr32.exe for normal operations.
The sandbox also detected malicious network traffic: the Excel file attempts to communicate with two IPs known to be malicious.
Adversaries commonly try to mimic normal, expected traffic to avoid detection. In our case, the communication uses an application layer protocol associated with web traffic (port 443). Commands to the remote system, and often the results of those commands, are embedded within the protocol traffic between the client (victim) and the server (attacker).
IoCs
- 188[.]213[.]19[.]81
- 192[.]232[.]219[.]67
- nws[.]visionconsulting[.]ro
- royalpalm[.]sparkblue[.]lk
- trenton@tritowncomputers[.]com
- b775cd8be83696ca37b2fe00bcb40574
- e03bde4862d4d93ac2ceed85abf50b18
- 8e6fbefcbac2a1967941fa692c82c3ca
Log Management
We will now use the Log Management page to check whether the C2 addresses were accessed. We have a result for the first IP, 188[.]213[.]19[.]81: it was accessed by the host 172[.]16[.]17[.]57.
Clicking on the magnifying glass shows further details from the raw data. The malicious domain was reached by the user and, according to the output, the action was allowed.
The same process was repeated for the second IP, 192[.]232[.]219[.]67, and again we find a log entry.
The raw data confirms that the second malicious domain was also reached by the user and that the action was allowed.
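The Log Management search above, done by hand in the platform, is the kind of check worth scripting. The example below is added here and is not part of the original write-up or of LetsDefend: it sweeps key=value proxy/firewall lines for the case's IoCs (IPs and domains from the IoC list) and returns which internal hosts reached them and whether the connection was allowed. The log lines and timestamps are constructed samples, not the platform's real data.

```python
import re

# Network IoCs from the investigation (defanged in the report, plain here for matching)
C2_IOCS = {
    "188.213.19.81",
    "192.232.219.67",
    "nws.visionconsulting.ro",
    "royalpalm.sparkblue.lk",
}

# Constructed sample proxy/firewall log lines (not the LetsDefend log data)
SAMPLE_LOGS = [
    "time=2021-06-13T14:25:03Z src=172.16.17.57 dst=188.213.19.81 dport=443 host=nws.visionconsulting.ro action=allow",
    "time=2021-06-13T14:25:09Z src=172.16.17.57 dst=192.232.219.67 dport=443 host=royalpalm.sparkblue.lk action=allow",
    "time=2021-06-13T14:26:41Z src=172.16.17.88 dst=142.250.74.78 dport=443 host=www.google.com action=allow",
    "time=2021-06-13T14:27:10Z src=172.16.17.57 dst=8.8.8.8 dport=53 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'key=value key=value' line into a dict (missing keys simply absent)."""
    return dict(KV_RE.findall(line))


def find_ioc_hits(lines, iocs):
    """Return every line whose destination IP or HTTP host is a known IoC."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        matched = {fields.get("dst"), fields.get("host")} & iocs
        if matched:
            hits.append({
                "time": fields.get("time"),
                "src": fields.get("src"),
                "matched": sorted(matched),
                "action": fields.get("action"),
            })
    return hits


def hosts_to_contain(hits):
    """Internal hosts that reached a C2 without being blocked: containment candidates."""
    return sorted({h["src"] for h in hits if h["action"] != "deny"})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS, C2_IOCS)
    for h in found:
        print(f"{h['time']} {h['src']} -> {', '.join(h['matched'])} ({h['action']})")
    print("contain:", hosts_to_contain(found))
```

Matching on both `dst` and `host` matters: a proxy log may show only the domain while a firewall log shows only the IP, and a C2 domain can move to a new IP between the sandbox run and the log search.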
Endpoint Management
Since the malicious IoCs (IPs and domains) were reached by the device 172[.]16[.]17[.]57, our next step is to contain the machine so that no further exploitation can occur.
Going to the Endpoint Security (EDR) page, we can contain the user machine.
Looking at more details given by the EDR, we have the option to dig deeper by looking at the command history, network connections and process list.
In the command history, we can see that the command “regsvr32.exe -s ../iroto.dll” was executed on the endpoint.
Network connections showcased once again that the malicious IPs were communicating with the endpoint.
And finally, the process history tree demonstrated that the process “regsvr32.exe” was run by the parent process “excel.exe” and had a command line of : “regsvr32.exe -s iroto.dll”.
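The process tree finding above (regsvr32.exe spawned by excel.exe with a DLL on the command line) is exactly what an EDR detection rule should catch without waiting for a sandbox verdict. The following example is added here and is not LetsDefend's or any EDR vendor's code: it runs a simple rule over process-creation events in a Sysmon-like shape and flags Office applications spawning proxy-execution binaries, plus regsvr32.exe loading a DLL from a relative or user-writable path. The events are constructed samples; the first mirrors the command line seen in this case.

```python
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}

# Constructed process-creation events (not the EDR's real telemetry)
SAMPLE_EVENTS = [
    {"host": "172.16.17.57", "pid": 4120, "ppid": 3984,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "regsvr32.exe -s iroto.dll"},
    {"host": "172.16.17.88", "pid": 5200, "ppid": 1100,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"host": "172.16.17.88", "pid": 6011, "ppid": 3984,
     "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "splwow64.exe"},
]

DLL_RE = re.compile(r'"[^"]*\.dll"|\S+\.dll', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def dll_argument(command_line):
    """First quoted or bare .dll token on the command line, or None."""
    m = DLL_RE.search(command_line)
    return m.group(0) if m else None


def is_untrusted_path(path):
    """Relative paths resolve against the process CWD (e.g. the unzip folder); user-writable
    folders are where dropped payloads usually live."""
    p = path.strip('"').lower()
    if not re.match(r"^[a-z]:\\", p) and not p.startswith("\\\\"):
        return True
    return any(seg in p for seg in ("\\users\\", "\\temp\\", "\\appdata\\"))


def analyze_events(events):
    """Apply both rules to each event and return findings with their reasons."""
    findings = []
    for ev in events:
        reasons = []
        img = basename(ev["image"])
        parent = basename(ev["parent_image"])
        if img in PROXY_BINARIES and parent in OFFICE_APPS:
            reasons.append(f"{parent} spawned {img} (Office document proxy execution)")
        if img == "regsvr32.exe":
            dll = dll_argument(ev["command_line"])
            if dll and is_untrusted_path(dll):
                reasons.append(f"regsvr32 loading DLL from untrusted path: {dll}")
        if reasons:
            findings.append({"host": ev["host"], "pid": ev["pid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']}")
        for r in f["reasons"]:
            print("  -", r)
```

The second event shows why the parent check is needed: an installer registering a vendor DLL from Program Files is routine, so regsvr32.exe alone is not a signal; the combination of an Office parent and a DLL outside trusted locations is.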
Case Management Detail
We now have enough information to conclude that the alert is a true positive and that an incident should be opened.
We can answer the questions of the playbook with the information we’ve collected during our analysis.
Playbook
A security playbook is a list of required steps and actions needed to successfully respond to any incident or threat. Playbooks provide a step-by-step approach to orchestration, helping security teams to establish standardized incident response processes and ensuring the steps are followed in compliance with regulatory frameworks.
- When was it sent? June 13, 2021 2:11 P.M.
- What is the email's SMTP address? 24.213.228.54
- What is the sender address? trenton@tritowncomputers[.]com
- What is the recipient address? lars@letsdefend.io
- Is the mail content suspicious? Yes.
- Are there any attachments? Yes.