Case study: “Imminent RATs” (III)

Articles from the series “Case study: “Imminent RATs”: [1] [2] [3]

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format))

Additional analysis

The incident was practically solved in the previous article, but we still have some doubts in the pipeline:

  • What actions did the malware perform on the system?
  • What type of malware is it?

To get out of doubts we execute the document in a specially tuned virtual machine with anti-VM measures, which also has Noriben and Sysmon installed. In addition, we capture the outgoing traffic with WireShark to have as complete a view as possible of what the malware does.
[Read more…]

Case study: “Imminent RATs” (II)

Analysis (follow-up)

In the previous article, we had determined there was “something weird” in the computer, and we had downloaded both, a possibly malicious .doc and a user executable and mailbox. It’s time to get down to work to see what they may contain…

[Note: As a good security practice, malicious files should NEVER be shared without minimal protection. Therefore, you can download both files from here, but they are zipped with the password “infected”. Please, handle them with extreme care, you’ve been warned.]

To start with, we can open the user’s .pst to verify that the infection path is correct, something we can easily do from Windows with the Kernel Outlook PST Viewer:
[Read more…]

Case study: “Imminent RATs” (I)

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

[Read more…]

Exchange forensics: The mysterious case of ghost mail (I)

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

Clearing up the complexity: Security for non-technicians

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.... Leer Más