Small blog post where I detail a malicious update I got served, try to track what it was doing, who sent it, and my mistakes. Would love to hear your thoughts!
If not be so quick to jump on conclusions that the distributing sites and servers are aware that they are complicit, or "fake". Infected WordPress installations participating in botnets and spreading malware is a scourge.
It would be commendable to try to contact the site operators in cases like this.
I haven't looked at ad malware for many years, but when I did, it infected the MBR, so reinstalling Windows alone wouldn't remove it. I had to rebuild the MBR. I definitely recommend doing any live testing in a VM on a dedicated testing device. Who knows what sneakier persistence techniques are out there now?
Strictly speaking (disks), yes, but people often say "disk" and format partitions instead.
As the partition table and the MBR/"EFI system partition" exist outside of the realm of normal partitions, formatting normal partitions doesn't help in this case.
__utma means they were looking for Google Analytics cookies. If you weren't on the landing page after seeing the ad (and just opened the zip file) you wouldn't have these on your test page. Also:
cid= is common for campaign identifiers. Might also be "channel". This might not be a CNC system but ad fraud.
Using a coffee shop is a great idea, but perhaps one further away from Tyson's Corner since there are a lot of IP addresses there used by netsec people and servers, so they are on a lot of blocklists.
Sometimes the script is looking for special cookies when injecting onto sites like amazon, so I used to use gift cards to buy stuff on amazon on my testrig when examining some malware, and I would get much more interesting ads than without.
Also: Be careful when recording your SSL traffic (with something like MITMPROXY), since ad guys know about this: https://github.com/mitmproxy/mitmproxy/issues/4575 but a lot of netsec people forget about this.
Yeah, when I decoded the B64 params, I did see the `cid` keyword, and briefly thought that this might be just really good adware. However, the following stages were too sophisticated for some person to just serve me an ad.
And I'm not sure if a coffee shop farther outside of Tyson's (not going to ask why you specifically said that area) would've helped. I'm very confident that they tore down their C2 after seeing either a (in their eyes) successful callback, or me badger their server with follow on requests.
> the following stages were too sophisticated for some person to just serve me an ad.
You may not believe me, but this is much less sophisticated than some of the things I have seen; My opinion is that the people who participate in ad fraud are a lot more sophisticated than any of the ad-fraud detection/protection "vendors" working to try and stop it.
To give you an idea of what I mean, "these guys" might not have been trying to show you an ad at all, but to sell your traffic (or normal looking cookies) to someone else who has already sold an ad, but just want something to juice the click-rate or the conversion-rate of some other traffic, and so if you weren't in that market, they won't even serve you the content that performs these steps.
> I'm very confident that they tore down their C2 after seeing either a (in their eyes) successful callback, or me badger their server with follow on requests.
No doubt. Unusual traffic tends to spook them. They will shut everything down, then use google search to look for their domain name in blogs and stuff, and if that doesn't happen, and their "customer" doesn't complain about anything, they will resume the juicing.
Good article, I also would advise running in HyperV or its 3rd party equivalent, having to re-OS is lame, and using your main OS leaves you open to UEFI attacks.
I think most of the attacks are for Type 2 hypervisors, and even then, are fairly rare. I did find this [0] very interesting read on an AMD-specific KVM escape (albeit via nested virtualization, so I'm not sure if that quite counts as a Type 1).
This is not really my area of expertise so perhaps explains my confusion.
I'm not actually getting the domain was taken down reasoning, I mean I understand it was taken down but
"but after using an online NS lookup tool, I realized that the DNS records were deleted some time last night. This must have been in response to the next stage having been downloaded. It’s unclear whether deleting the DNS records was automatic or manual."
so is the assumption here that they were trying to get just one person, or actually this specific person CuckooExe?
Could it be that the deletion happened because
1. they know infection happened because data sent ?
2. Next stage of infection not happen (whatever that would be) therefore it follows infection detected.
Thanks for pointing that out! I'll try to update my phrasing to make it more clear. At the end of the day, I don't have definitive proof of anything, however, I'm fairly confident that it was taken down in response to one of two things: a) the payload was downloaded and executed (technically), or b) I was badgering their domain with requests to re-download it.
If it was a), then this might indicate a more advanced adversary who has the TTPs to support this. If it was b), which hints at something more reactionary, then I'm going to guess the adversary was slightly less advanced.
In theory they could register many hostnames on the DNS, and serve each individual victim a URL with a different hostname, and delete that host afterwards.
I think it's pretty typical for this type of attack to be put up, run for a few hours, and then be taken down. It will then be put up again on another domain with new code so automated scanners can't link the two.
During those hours, no client will be served twice. By doing it via an ad network, they can make the payload only run once per impression that they bidded on. That means even an advanced user will really struggle to get a copy of the payload.
The code will typically also check if it's running in a VM and will clean up after itself, all to make analysis more difficult.
Post install, the software usually reports to a C&C server and then sits idle till instructed to do something. So far, on installations I've done on test machines, I have never detected any activity beyond this - I guess they do a spray approach, and then only direct specific targets to upload files or anything else.
I went to visual studio (without the d) dot com and ended up in different places from different connections
I tried it again today and reached a Glassdoor listing for a paralegal wanted post. I made a Google malware report for this over a month ago but if they can simply show something different to Google bot, how will Google verify I was not lying in my report?
> Also, please don't execute payloads on your laptop. That seems really stupid.
I would never execute a payload that I didn't manually vet on my computer :) That's why I didn't actually execute the full stage-two, but just pieces of it so it would decode what it was reaching out to. I also replaced the `eval` in the next stage to an `echo` to see what it was doing!
Executing (parts of) payloads is often an effective part of malware analysis, revealing things quicker than static analysis.
You just need to do it in an isolated environment - it can be a virtual machine (while VM escapes exist, they are quite rare) or a separate laptop that doesn't have any personal data and will be wiped afterward.
I can easily believe that this is a grassroots group (we see many examples of that, in many areas, even in childhood), but this did prompt a few questions:
1. Is there any advantage to nation having cyber attack deniability via being able to at least semi-plausibly claim that, although an attack appeared in the interests of the nation, it was by an independent grassroots group, out of the nation's control? If so, would they establish identities for those supposed independent groups ahead of time?
2. Let's say you're a nation with cyber capabilities that are advanced but spread thin. If you're filling the human resource deficit with lower-skilled workers, and not giving them access to your advanced tools for their tasks, would you be concerned that that looks like cyber weakness? If so, would you distinguish the lower-skilled workers from your main brand, and if so, how?
3. Is there any worthwhile external-PR or internal-morale benefit, to appearing to have the active support of independent groups?
I'm sure there are plenty of reasons it can be advantageous to be able to attribute covert action to some independent group, but at least one comes from fairly recent US history: the Iran-Contra Affair. Different parts of a government don't always agree with each other, and one might want to be able to act without approval from another. Not all countries are one-party dictatorships where warfighting departments can just do whatever they want.
I meant no offense by those thoughts, I thought they were in the spirit of HN curiosity, and I apologize if I caused any offense.
Since I posted my parent comment, it seems that at least one party has been trying to hack my accounts (including phishing attempts, and trying to social-engineer my phone carrier).
As an individual, I'm not hardened against attacks, and can't afford them, so I hope they will stop.
(If the parties want, they can go look at my publicly-shared open source software projects and community support, and see that I'm not an adversary.)
Hacking an individual is threatening and harmful, and not what I think any of us wants this Hacker News facilitated global community to be about.
I've seen this. This is the same basic payload/TTP from the regional news sites that were compromised (via shared scripts hosted by McClatchy and MediaNews) a few years ago (2019). Op needs to hit the site with a new IP and with a 'referer' to get the second stage. There is also some JS fingerprinting, like checking GPU model, to ensure a plausible client visit. This was a fun piece of malware to dissect.
The last batch of SocGholish I encountered had virtualization checks on each stage and required user interaction to run/open the payload. Used iframes or modified google analytics on the compromised site and used webpress plugins vulns to get access.
The sandboxing checks were crazy good. I ended up getting an old laptop to do the analysis as it detected every other security sandbox tool. The only positive is that the payload (6 months back) itself is easily detected by most edr. Defender caught it on download.
+1 to the enjoyable dissection. Rooting out the underlying infra was also very fun.
36 comments
[ 0.23 ms ] story [ 84.5 ms ] threadIt would be commendable to try to contact the site operators in cases like this.
In this case, wouldn't the infection go away by formatting the disk?
As the partition table and the MBR/"EFI system partition" exist outside of the realm of normal partitions, formatting normal partitions doesn't help in this case.
Using a coffee shop is a great idea, but perhaps one further away from Tyson's Corner since there are a lot of IP addresses there used by netsec people and servers, so they are on a lot of blocklists.
Sometimes the script is looking for special cookies when injecting onto sites like amazon, so I used to use gift cards to buy stuff on amazon on my testrig when examining some malware, and I would get much more interesting ads than without.
Also: Be careful when recording your SSL traffic (with something like MITMPROXY), since ad guys know about this: https://github.com/mitmproxy/mitmproxy/issues/4575 but a lot of netsec people forget about this.
And I'm not sure if a coffee shop farther outside of Tyson's (not going to ask why you specifically said that area) would've helped. I'm very confident that they tore down their C2 after seeing either a (in their eyes) successful callback, or me badger their server with follow on requests.
You may not believe me, but this is much less sophisticated than some of the things I have seen; My opinion is that the people who participate in ad fraud are a lot more sophisticated than any of the ad-fraud detection/protection "vendors" working to try and stop it.
To give you an idea of what I mean, "these guys" might not have been trying to show you an ad at all, but to sell your traffic (or normal looking cookies) to someone else who has already sold an ad, but just want something to juice the click-rate or the conversion-rate of some other traffic, and so if you weren't in that market, they won't even serve you the content that performs these steps.
> I'm very confident that they tore down their C2 after seeing either a (in their eyes) successful callback, or me badger their server with follow on requests.
No doubt. Unusual traffic tends to spook them. They will shut everything down, then use google search to look for their domain name in blogs and stuff, and if that doesn't happen, and their "customer" doesn't complain about anything, they will resume the juicing.
Hard pass.
[0]: https://googleprojectzero.blogspot.com/2021/06/an-epyc-escap...
I'm not actually getting the domain was taken down reasoning, I mean I understand it was taken down but
"but after using an online NS lookup tool, I realized that the DNS records were deleted some time last night. This must have been in response to the next stage having been downloaded. It’s unclear whether deleting the DNS records was automatic or manual."
so is the assumption here that they were trying to get just one person, or actually this specific person CuckooExe?
Could it be that the deletion happened because
1. they know infection happened because data sent ?
2. Next stage of infection not happen (whatever that would be) therefore it follows infection detected.
3. delete dns on infection detected?
or am I overthinking this?
If it was a), then this might indicate a more advanced adversary who has the TTPs to support this. If it was b), which hints at something more reactionary, then I'm going to guess the adversary was slightly less advanced.
Lmk if you have more questions!
During those hours, no client will be served twice. By doing it via an ad network, they can make the payload only run once per impression that they bidded on. That means even an advanced user will really struggle to get a copy of the payload.
The code will typically also check if it's running in a VM and will clean up after itself, all to make analysis more difficult.
Post install, the software usually reports to a C&C server and then sits idle till instructed to do something. So far, on installations I've done on test machines, I have never detected any activity beyond this - I guess they do a spray approach, and then only direct specific targets to upload files or anything else.
I went to visual studio (without the d) dot com and ended up in different places from different connections
I tried it again today and reached a Glassdoor listing for a paralegal wanted post. I made a Google malware report for this over a month ago but if they can simply show something different to Google bot, how will Google verify I was not lying in my report?
Also, please don't execute payloads on your laptop. That seems really stupid.
I would never execute a payload that I didn't manually vet on my computer :) That's why I didn't actually execute the full stage-two, but just pieces of it so it would decode what it was reaching out to. I also replaced the `eval` in the next stage to an `echo` to see what it was doing!
You just need to do it in an isolated environment - it can be a virtual machine (while VM escapes exist, they are quite rare) or a separate laptop that doesn't have any personal data and will be wiped afterward.
1. Is there any advantage to nation having cyber attack deniability via being able to at least semi-plausibly claim that, although an attack appeared in the interests of the nation, it was by an independent grassroots group, out of the nation's control? If so, would they establish identities for those supposed independent groups ahead of time?
2. Let's say you're a nation with cyber capabilities that are advanced but spread thin. If you're filling the human resource deficit with lower-skilled workers, and not giving them access to your advanced tools for their tasks, would you be concerned that that looks like cyber weakness? If so, would you distinguish the lower-skilled workers from your main brand, and if so, how?
3. Is there any worthwhile external-PR or internal-morale benefit, to appearing to have the active support of independent groups?
Since I posted my parent comment, it seems that at least one party has been trying to hack my accounts (including phishing attempts, and trying to social-engineer my phone carrier).
As an individual, I'm not hardened against attacks, and can't afford them, so I hope they will stop.
(If the parties want, they can go look at my publicly-shared open source software projects and community support, and see that I'm not an adversary.)
Hacking an individual is threatening and harmful, and not what I think any of us wants this Hacker News facilitated global community to be about.
I believe Symantec classified it as SocGholish.
Edited: clarity, details
+1 to the enjoyable dissection. Rooting out the underlying infra was also very fun.
Bonus if you do this all the time, you’ll snag the whole thing when saving all captures.