EvilExtractor Network Forensics

I analyzed a PCAP file from a sandbox execution of the Evil Extractor stealer malware earlier today. This stealer collects credentials and files of interest from the victim’s computer and exfiltrates them to an FTP server. It is designed to autonomously collect and exfiltrate data rather than receiving commands from an operator through a command-and-control channel. The EvilExtractor creators market this feature as a “golden bullet”.

Real hackers don’t use reverse shells right? If you have only one bullet, would you waste with reverse shell? Try Evil Extractor to have golden bullet.

I downloaded the Evil Extractor capture file from Triage to a Windows Sandbox environment, to avoid accidentally infecting my computer when extracting artifacts from the PCAP. I then opened it up in the free version of NetworkMiner.

NetworkMiner shows that after checking its public IP on ipinfo.io EvilExtractor makes an unencrypted HTTP connection to a web server on 193.42.33.232 to download KK2023.zip. This zip archive contains a file called “Lst.exe” which is used to steal browser data, cookies and credentials according to Fortinet.

Twenty seconds later an FTP connection is established to 89.116.53.55 on TCP port 21. The username and password used to authenticate to the FTP server was “u999382941” and “Test1234”.

On the FTP server EvilExtractor creates a directory named after the country and hostname of the victim's PC, such as “(Sweden)DESKTOP-VV03LJ”, in which it creates the following three sub directories:

• 1-Password-Cookies
• 2-Credentials
• 3-Files

After uploading browser cookies, browser history and cached passwords from Chrome, Firefox and Edge to the “1-Password-Cookies” directory EvilExtractor sends a file called “Credentials.txt” to the “2-Credentials” directory. The contents of this text file looks something like this:

Public IP: [redacted]
Location: [lat],[long]
Computer Name: [redacted]
Username: Admin
RAM: 4 GB
OS Name: Microsoft Windows 10 Pro
OS Bit: 64-bit
Keyboard Language: en-US
GPU: [redacted]
CPU: Intel [redacted]
MAC Address: [redacted]
Extracted WIFI: [redacted]

The stealer also exfiltrates files with mpeg, docx, jpeg, pptx, zip, avi and rar extensions from the victim PC to the “3-Files” directory on the FTP server. The directory structure of the victim’s PC is maintained on the FTP server, so that files from the victim's desktop end up in a folder called “Desktop” on the FTP server.

The stealer later downloaded a keylogger module (Confirm.zip) and a webcam module (MnMs.zip), but no additional data was exfiltrated from this particular victim PC after that point.

IOC List

• Web server: 193.42.33.232:80
• FTP server: 89.116.53.55:21
• EvilExtractor: 9650ac3a9de8d51fddab092c7956bdae
• KK2023.zip: f07b919ff71fb33ee0f77e9e02c5445b
• Lst.exe: 163d4e2d75f8ce6c838bab888bf9629c
• Confirm.zip: 30532a6121cb33afc04eea2b8dcea461
• Confirm.exe: 0c18c4669e7ca7e4d21974ddcd24fdca
• MnMs.zip: bda0bda512d3e2a81fc9e4cf393091eb
• MnMs.exe: fb970c4367609860c2e5b17737a9f460

Users with an account on Triage can download the analyzed PCAP file from here: https://tria.ge/230424-vv9wvsfb2v/behavioral2

Update 2023-04-27

Jane tweeted a link to an execution of this same sample on ANY.RUN. This execution showed very similar results as the one on Triage, but with an interesting twist. Not only did the ANY.RUN execution exfiltrate images and documents from the Desktop and Downloads folders, it also exfiltrated “vv9wvsfb2v_pw_infected.zip”, which contained the EvilExtractor EXE file that was being run!

The PCAP from the ANY.RUN execution can be downloaded from here: https://app.any.run/tasks/43a11a79-4d1f-406c-86d7-158efb5ede01/

Posted by Erik Hjelmvik on Wednesday, 26 April 2023 08:50:00 (UTC/GMT)

Tags: #FTP​ #NetworkMiner​ #Sandbox​ #ANY.RUN​

QakBot C2 Traffic

In this video I analyze network traffic from a QakBot (QBot) infection in order to identify the Command-and-Control (C2) traffic. The analyzed PCAP file is from malware-traffic-analysis.net.

IOC List

• C2 IP and port: 80.47.61.240:2222
• C2 IP and port: 185.80.53.210:443
• QakBot proxy IP and port: 23.111.114.52:65400
• JA3: 72a589da586844d7f0818ce684948eea
• JA3S: ec74a5c51106f0419184d0dd08fb05bc
• JA3S: fd4bc6cea4877646ccd62f0792ec0b62
• meieou.info X.509 cert hash: 9de2a1c39fbe1952221c4b78b8d21dc3afe53a3e
• meieou.info X.509 cert Subject OU: Hoahud Duhcuv Dampvafrog
• meieou.info X.509 cert Issuer O: Qdf Wah Uotvzke LLC.
• gifts.com X.509 cert hash: 0c7a37f55a0b0961c96412562dd0cf0b0b867d37
• HTML Body Hash: 22e5446e82b3e46da34b5ebce6de5751664fb867
• HTML Title: Welcome to CentOS

Links

• QakBot PCAP download (malware-traffic-analysis.net)
• 80.47.61.240 (VirusTotal)
• 80.47.61.240:2222 (ThreatFox)
• 80.47.61.240 (Feodo Tracker)
• 80.47.61.240 (Censys)
• 185.80.53.210 (Censys)

For more analysis of QakBot network traffic, check out my Hunting for C2 Traffic video.

Posted by Erik Hjelmvik on Thursday, 02 March 2023 12:43:00 (UTC/GMT)

Tags: #QakBot​ #QBot​ #C2​ #Video​ #malware-traffic-analysis.net​ #ThreatFox​ #ec74a5c51106f0419184d0dd08fb05bc​ #fd4bc6cea4877646ccd62f0792ec0b62​ #CapLoader​ #NetworkMiner​

TLS Redirection and Dynamic Decryption Bypass in PolarProxy

PolarProxy is constantly being updated with new features, enhanced performance and bug fixes, but these updates are not always communicated other than as a short mention in the ChangeLog. I would therefore like to highlight a few recent additions to PolarProxy in this blog post.

Custom TLS Redirection

One new feature in PolarProxy is the --redirect argument, which can be used to redirect TLS traffic destined for a specific domain name to a different domain. This feature can be used to redirect TLS-encrypted malware traffic going to a known C2 domain to a local HTTPS sandbox instead, for example INetSim.

This --redirect argument will cause PolarProxy to terminate outgoing TLS traffic to malware-c2.com and redirect the decrypted traffic into a new TLS session going to inetsim.local instead. The “--leafcert noclone” argument forces PolarProxy to generate a fake X.509 certificate for “malware-c2.com” rather than sending a clone of the certificate received from the INetSim server to the malware implant.

Note: You also need to specify a proxy mode, such as -p for transparent proxy or --socks for SOCKS proxy, to make the command above work.

The --redirect argument can also be used to perform domain fronting, which is a clever method for hiding the true destination of HTTPS based communication, in order to circumvent censorship or for other reasons conceal who you’re communicating with. The following command can be used to set up a local socks proxy that redirects traffic destined for YouTube to google.com instead:

A browser configured to use PolarProxy as a SOCKS proxy will send HTTPS requests for youtube.com to PolarProxy, which then decrypts the TLS layer and re-encrypts the HTTP communication in a new TLS session directed at google.com instead. Someone who monitors the outgoing traffic from PolarProxy will assume that this is normal Google traffic, since the SNI as well as certificate will be for google.com. On the server side however, after having decrypted the TLS layer, Google will kindly forward the client’s original HTTP request for youtube.com to an endpoint that serves the content for YouTube.

Dynamic TLS Decryption Bypass

PolarProxy is designed to block TLS connections that it can’t decrypt, except for when the server’s domain name is explicitly marked for decryption bypass with the “--bypass” command line argument. However, as of recently PolarProxy also supports dynamic TLS decryption bypass using a form of fail-open mode. When this fail-open mode is enabled, PolarProxy attempts to intercept and decrypt proxied TLS traffic, but allows connections to bypass decryption if the same client-server pair has previously rejected PolarProxy’s certificate. This method is convenient when monitoring network traffic from applications that enforce certificate pinning or for some other reason can’t be configured to trust PolarProxy’s root CA – provided that it’s acceptable to let traffic that can’t be decrypted to pass through untouched rather than blocking it, of course.

The following command line option configures PolarProxy to allow new TLS connections to bypass decryption for one hour (3600 seconds) after previously having failed to decrypt traffic between the same client and server.

A simple way to verify this fail-open feature is to do a simple test with curl. It doesn’t matter if the client you’re testing on is Windows, Linux or macOS, since PolarProxy as well as curl is available for all three platforms.

Web browsers that don’t trust PolarProxy’s root CA will display a certificate warning the first time they visit a website that PolarProxy tries to decrypt traffic for.

But once the dynamic bypass has kicked in the user will no longer see a certificate warning when visiting the same website again, since traffic between that client and server is now end-to-end encrypted.

Handling of non-TLS traffic and Better Logging

Other new features in PolarProxy is the “--nontls” argument, which can be used to specify how to handle connections that doesn’t use TLS. The default action is to block non-TLS connections, but they can also be allowed to pass through (if the target host is known) or to forward the connection to a specific host and port. There is even a “--nontls encrypt” argument, which can be used to encrypt traffic that isn’t already TLS-encrypted before forwarding it to a specific host. This feature can be used as an alternative to stunnel to wrap traffic from applications that lack TLS support inside a TLS tunnel.

PolarProxy now also produces less output to stdout, unless -v is used, and error messages have been improved to be more specific and easier to understand.

Posted by Erik Hjelmvik on Tuesday, 28 February 2023 13:42:00 (UTC/GMT)

Tags: #PolarProxy​ #TLS​ #redirect​ #bypass​ #SNI​ #ASCII-art​

How to Identify IcedID Network Traffic

Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post.

Note: This video was recorded in a Windows Sandbox to minimize the risk of infecting the host PC in case of accidental execution of a malicious payload from the network traffic.

As I have previously pointed out, IcedID sends beacons to the C2 server with a 5 minute interval. According to Kai Lu’s blog post A Deep Dive Into IcedID Malware: Part 2, this 5 minute interval is caused by a call to WaitForSingleObject with a millisecond timeout parameter of 0x493e0 (300,000), which is exactly 5 minutes.

The IcedID trojan uses a custom BackConnect protocol in order to interact with victim computers through VNC, a file manager or by establishing a reverse shell. There was no IcedID BackConnect traffic in this particular PCAP file though, but several other IcedID capture files published on malware-traffic-analysis.net do contain IcedID BackConnect traffic. For more information on this proprietary protocol, please see our blog post IcedID BackConnect Protocol.

IOC List

Fake Microsoft Teams download page

• URL: hxxp://microsofteamsus[.]top/en-us/teams/download-app/
• MD5: 5dae65273bf39f866a97684e8b4b1cd3
• SHA256: e365acb47c98a7761ad3012e793b6bcdea83317e9baabf225d51894cc8d9e800
• More info: urlscan.io

IcedID GzipLoader

• Filename: Setup_Win_13-02-2023_16-33-14.exe
• MD5: 7327fb493431fa390203c6003bd0512f
• SHA256: 68fcd0ef08f5710071023f45dfcbbd2f03fe02295156b4cbe711e26b38e21c00
• More info: Triage

IcedID payload disguised as fake gzip file

• URL: hxxp://alishabrindeader[.]com/
• MD5: 8e1e70f15a76c15cc9a5a7f37c283d11
• SHA256: 7eb6e8fdd19fc6b852713c19a879fe5d17e01dc0fec62fa9dec54a6bed1060e7
• More info: IcedID GZIPLOADER Analysis by Binary Defense

IcedID C2 communication

• IP and port: 192.3.76.227:443
• DNS: treylercompandium[.]com
• DNS: qonavlecher[.]com
• X.509 certificate SHA1: b523e3d33e7795de49268ce7744d7414aa37d1db
• X.509 certificate SHA256: f0416cff86ae1ecc1570cccb212f3eb0ac8068bcf9c0e3054883cbf71e0ab2fb
• JA3: a0e9f5d64349fb13191bc781f81f42e1
• JA3S: ec74a5c51106f0419184d0dd08fb05bc
• Beacon interval: 5 minutes
• More info: ThreatFox

Network Forensics Training

Check out our upcoming live network forensics classes for more hands-on network forensic analysis. Our current class material doesn’t include any IcedID traffic though, instead you’ll get to investigate C2 traffic from Cobalt Strike, TrickBot, njRAT, Meterpreter and a few others.

Posted by Erik Hjelmvik on Wednesday, 15 February 2023 10:52:00 (UTC/GMT)

Tags: #IcedID​ #CapLoader​ #Video​ #Periodicity​ #a0e9f5d64349fb13191bc781f81f42e1​ #ec74a5c51106f0419184d0dd08fb05bc​

CapLoader 1.9.5 Alerts on Malicious Traffic

CapLoader 1.9.5 was released today!

The most important addition in the 1.9.5 release is the new Alerts tab, in which CapLoader warns about malicious network traffic such as command-and-control protocols. The alerts tab also shows information about network anomalies that often are related to malicious traffic, such as periodic connections to a particular service or long running sessions.

Other additions in this new version are:

• BPF support for “vlan” keyword, for example “vlan”, “not vlan” or “vlan 121”
• Support for nanosecond PCAP files (magic 0xa1b23c4d)
• Support for FRITZ!Box PCAP files (magic 0xa1b2cd34)
• Decapsulation of CAPWAP protocol, so that flows inside CAPWAP can be viewed and filtered on
• Domain names extracted from TLS SNI extensions

Alerts for Malicious Network Traffic

As you can see in the video at the end of this blog post, the Alert tab is a fantastic addition for everyone who wants to detect malicious activity in network traffic. Not only can it alert on over 30 different malicious command-and-control (C2) protocols — including Cerber, Gozi ISFB, IcedID, RedLine Stealer, njRAT and QakBot — it also alerts on generic behavior that is typically seen in malware traffic. Examples of such generic behavior are periodic connections to a C2 server or long running TCP connections. This type of behavioral analysis can be used to detect C2 and backdoor traffic even when the protocol is unknown. There are also signatures that detect “normal” protocols, such as HTTP, TLS or SSH running on non-standard ports as well as the reverse, where a standard port like TCP 443 is carrying a protocol that isn’t TLS.

Many of CapLoader’s alert signatures are modeled after threat hunting techniques, which can be used to detect malicious activities that traditional alerting mechanisms like antivirus, EDR’s and IDS’s might have missed. By converting the logic involved in such threat hunting tasks into signatures a great deal of the analysts’ time can be saved. In this sense part of CapLoader’s alerting mechanism is a form of automated threat hunting, which saves several steps in the process of finding malicious network traffic in a packet haystack.

Watch my Hunting for C2 Traffic video for a demonstration on the steps required to perform manual network based threat hunting without CapLoader's alerts tab. In that video I identify TLS traffic to a non-TLS port (TCP 2222) as well as non-TLS traffic to TCP port 443. As of version 1.9.5 CapLoader automatically generates alerts for that type of traffic. More specifically, the alert types will be Protocol-port mismatch (TLS on TCP 2222) and Port-protocol mismatch (non-TLS on TCP 443). Below is a screenshot of CapLoader’s new Alerts tab after having loaded the capture files analyzed in the Hunting for C2 Traffic video.

Image: Alerts for malicious traffic in CapLoader 1.9.5.

Video Demonstration of CapLoader's Alerts Tab

The best way to explain the power of CapLoader’s Alerts tab is probably by showing it in action. I have therefore recorded the following video demonstration.

The PCAP file analyzed in the video can be downloaded from here:
https://www.netresec.com/files/McDB_150724-18-22_FpF90.pcap

This capture file is a small snippet of the network traffic analyzed in one of my old network forensics classes. It contains malicious traffic from njRAT and Kovter mixed with a great deal of legitimate web traffic.

Posted by Erik Hjelmvik on Thursday, 09 February 2023 14:30:00 (UTC/GMT)

Tags: #CapLoader​ #Video​ #Threat Hunting​

Online Network Forensics Class

I will be teaching two live online network forensics classes this spring, one in March and one in April. The March class is adapted to American time and the April one is adapted to European time. Both classes focus on doing network forensics in an incident response context.

The training is split into four interactive morning sessions, so that you have the afternoon free to either practice what you learned in class or do your “normal” day job. The number of attendees will be limited in order to enable attendees to ask questions or even cover short ad-hoc side tracks. We plan to accept 10 to 15 attendees per class. The class registration will be closed once we reach this attendee limit.

• 🇺🇸 March 20-23, 2023: PCAP in the Morning US
  ⏲️ Time: 9:30 AM to 1:30 PM EDT
  💸 Price: $1,000 USD per student
• 🇪🇺 April 17-20, 2023: PCAP in the Morning Europe
  ⏲️ Time: 8:30 AM to 12:30 PM CEST
  💸 Price: € 950 EUR per student

We will be analyzing a unique 30GB PCAP data set captured during June 2020 on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices. As you’ve probably guessed, the capture files contain traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!

See our training page for more info about the “PCAP in the Morning” classes.

To sign up for a class, simply send an email to sales@netresec.com with the class dates, your name and invoice address. We will then send you a PayPal payment link that you can use to complete your training registration.

Hope to see you there!

Cheers,
Erik Hjelmvik
Creator of NetworkMiner and founder of Netresec

Posted by Erik Hjelmvik on Tuesday, 17 January 2023 10:18:00 (UTC/GMT)

Tags: #Netresec​ #PCAP​ #Training​ #Network Forensics​ #Class​

IEC-104 File Transfer Extraction

Did you know that the SCADA protocol IEC 60870-5-104 (IEC-104) can be used to transfer files? This file transfer feature is primarily used for retrieving disturbance data from electric grid protection devices, such as protective relays, but can in practice be used to transfer any type of data.

In this video I demonstrate how IEC-104 file transfers can be extracted from network traffic with NetworkMiner.

The network traffic that was captured with NetworkMiner in this video can be downloaded here: NM_2022-12-13T14-16-00.pcap

The IEC-104 software used in the video was the IEC 104 RTU Server Simulator and IEC 104 Client Simulator from FreyrSCADA.

Posted by Erik Hjelmvik on Monday, 09 January 2023 09:00:00 (UTC/GMT)

Tags: #IEC-104​ #SCADA​ #NetworkMiner​ #ICS​ #PCAP​

NetworkMiner 2.8 Released

I am happy to announce the release of NetworkMiner 2.8 today! This new version comes with an improved user interface, better parsing of IEC-104 traffic and decapsulation of CAPWAP traffic. The professional edition of NetworkMiner additionally adds port-independent detection of SMTP and SOCKS traffic, which enables extraction of emails and tunneled traffic even when non-standard ports are used.

User Interface Improvements

The first thing you see when starting NetworkMiner is the Hosts tab, which now has been updated to include a filter text box. This text box can be used to filter the displayed hosts based on the property fields they contain. By entering “Android” into the filter box NetworkMiner will show only the hosts having a property containing the string “Android”, for example in the OS classification or User-Agent string. Other properties you might find useful to filter on are hostname, JA3 hash and MAC address. If you’re running NetworkMiner Professional then you’ll also be able to filter on Country thanks to the MaxMind GeoLite2 feature included in the Pro edition.

It’s now also possible to copy text from most tabs in NetworkMiner with Ctrl+C or by right-clicking and selecting “Copy selected rows”. A maximum of 10 rows can be copied at a time using the free version of NetworkMiner, while the Professional version allows all rows to be copied in one go.

The content based file type identification introduced in NetworkMiner 2.7 has been improved to also differentiate between EXE and DLL files as of version 2.8.

• Matanbuchus malware DLL disguised as PNG
• MD5: d733d96a25fd14f4494f6d76f9ff9892
• Source: 2022-06-17-Matanbuchus-with-Cobalt-Strike.pcap

• AutoIt EXE disguised as ZIP file
• MD5: c56b5f0201a3b3de53e561fe76912bfd
• Source: 2022-08-19-Astaroth-Guildma-infection-traffic.pcap

IEC 60870-5-104

NetworkMiner’s parser for the SCADA protocol IEC 60870-5-104 (IEC-104) has been significantly improved in version 2.8. NetworkMiner now supports more IEC-104 commands and the commands are presented on the Parameters tab in a clearer way than before.

Image: IEC-104 commands sent by the Industroyer2 malware

I’m also proud to announce that NetworkMiner 2.8 now extracts files transferred over the IEC-104 protocol. More details about that particular feature is available in our IEC-104 File Transfer Extraction blog post.

CAPWAP Decapsulation

NetworkMiner 2.8 can read IEEE 802.11 packets inside CAPWAP tunnels between WLAN Controllers and Access Points. This feature allows WiFi traffic to be analyzed without having to capture packets in the air.

Reading PCAP from a Named Pipe

NetworkMiner previously allowed packets to be read from PacketCache over a named pipe. This feature has been upgraded to allow a PCAP stream to be read from any named pipe, not just from PacketCache. Here’s an example showing how to capture packets from localhost for 10 seconds with RawCap and make those packets available via a named pipe called “RawCap”:

RawCap will start capturing packets once a PCAP reader connects to the “RawCap” named pipe, which now can be done with NetworkMiner by clicking “Read from Named Pipe” on the File menu.

Bug Fixes

NetworkMiner previously produced incorrect JA3S signatures for TLS servers if they sent Session ID values in Server Hello messages or listed only one supported TLS version using the Supported Versions extension. These bugs have now been fixed in NetworkMiner 2.8.

NetworkMiner’s live sniffing feature has been improved to better handle huge packets caused by Large Send Offload (LSO). NetworkMiner previously crashed with an error message saying that the received packet was “larger than the internal message buffer” when attempting to capture a too large packet.

TCP sessions occasionally didn’t show up in NetworkMiner’s Sessions tab previously if the application layer protocol was unknown. This bug has now been fixed in version 2.8.

New Features in NetworkMiner Professional

NetworkMiner Professional includes a feature for port independent protocol detection of protocols like FTP, HTTP, IRC, Meterpreter, SSH and TLS, which enables extraction of artifacts from those protocols even though the service is running on a non-standard port. This new release adds two additional protocols to the collection of identified protocols, namely SMTP and SOCKS. This allows analysts to extract emails from spam runs sent to ports other than 25 or 587, as well as to see what goes on inside covert SOCKS tunnels running on non-standard ports.

Image: SMTP credentials extracted from spam run to non-standard SMTP port

In addition to allowing hosts to be filtered using string and regex matching, NetworkMiner Professional also allows the discovered hosts to be filtered on IP address using CIDR notation, such as “192.168.1.0/24” or “10.0.0.0/8”.

Image: NetworkMiner Professional with CIDR filter 192.168.88.0/24

Here are some IPv4 and IPv6 CIDR filters that you might find useful:

• 224.0.0.0/4 = IPv4 multicast (224/4 is also supported)
• 127.0.0.0/8 = IPv4 loopback (127/8 is also supported)
• fe80::/10 = IPv6 link-local addresses
• ff00::/8 = IPv6 multicast
• 0.0.0.0/0 = IPv4 hosts (0/0 is also supported)
• 0::/0 = IPv6 hosts

Credits

We’d like to thank René Perraux, Matt Smith and Anand Kumar Singh for reporting bugs that have been fixed in this new release.

Upgrading to Version 2.8

Users who have purchased NetworkMiner Professional can download a free update to version 2.8 from our customer portal, or use the “Check for Updates” feature from NetworkMiner's Help menu. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Monday, 02 January 2023 08:00:00 (UTC/GMT)

Tags: #NetworkMiner​ #IEC-104​ #SMTP​ #SOCKS​ #PIPI​ #CIDR​