Oski

The accountant at the company received an email titled “Urgent New Order” from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

The PPT file’s MD5 hash was as follows: 12c1842c3ccafe7408c23ebf292ee3d9. Using the file hash, I went to VirusTotal to check if the file was malware.

Turns out this PPT file isn’t just a PPT file. Rather, it’s a known Trojan and was created in
2022-09-28 17:40:46 UTC. It is a Windows executable and has also been listed as a “stealer malware”.

Next, I looked through the Relations tab to find out the C2 server that this malware is communicating with. It was listed as: http://171.22.28.221/5c06c05b7b34e8e6.php. Knowing this can help with tracing incidents back to the attacker, as they will probably use this server for most of their attacks.

With this, I could also set up the firewall to block any incoming traffic from that address. So knowing this allows us to protect against further exploitation as well providing insights into the attacker’s methodology/infrastructure.

With the knowledge that this is indeed malware, and knowing where it is communicating with, my next action was to understand what the malware does post-infection.

Looking through the “files dropped” section of VirusTotal, I was able to see that the malware makes a request to the library, sqlite3.dll. It being a SQL library means it has to do with database management. This suggests to me that the malware is attempting to either manipulate data or collect sensitive material. Knowing what exactly this piece of malware may be targeting helps us tremendously in our investigative efforts as security analysts.

Here, AnyRun is telling me that this malware is part of the Stealc family.

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. - AnyRun

From the malware configuration, I can see that the malware is using an RC4 key: 5329514621441247975720749009. The malware uses this key to decrypt the encoded strings that the malware uses for things like connecting with its C2 server. Identifying the key used by malware is crucial in the incident response process. It allows us to better understand the scope of the attacker’s behavior.

Looking at the MITRE ATT&CK Matrix can help us better understand the processes.

Here we can see all of the tactics and techniques used by the attacker. Every technique is assigned a unique number, to help with identifying different methodologies.

Here we can clearly see that the malware used by the attacker i attempting to search for password storage locations on the victim system. It not only looks through the system, but also goes through any web browsers used by the victim, which greatly enhances the potential negative impact of this info stealer.

Lastly, I looked through more of the data to see that the malware deletes C:\ProgramData before it timeouts, so that it leaves zero trace of it stealing any information. This is common for malware. Attackers obviously do not want to be found/caught. Leaving any traces in a target system is the same as leaving a gun with fingerprints on it after a crime scene. To be a good criminal, you mustn’t get caught.