The more advanced the threat actors, the better they know how to sneak into and move undetected in your network. Clever adversaries count on the fact that a network administrator using only basic administration tools might not become suspicious from a first glance at network traffic. As Gartner noted in their December 2019 Market Guide for Endpoint Detection and Response Solutions (Gartner subscription required):
Since the complexity of attacks and threats have both continued to develop at a pace that exceeds the ability of the tools and defenders to protect against them, security solution providers have developed more flexible tools with an “assume breach” mindset. EDR tools focus on the post-infection stage of the kill chain, providing the ability to detect and respond to advanced threats in a timely and effective manner.
In other words, we believe that getting beyond basic tools and adopting an endpoint detection and response (EDR) tool will significantly enhance a business’s level of visibility into advanced threats possibly already present in the network that might have otherwise gone undetected. The behavior of advanced threats is not always easy to distinguish from what is normal.
For example, consider what typical traffic in a network could look like: GIF, JPG or PNG image downloads and uploads; connections to popular social media sites like Twitter, Imgur or Reddit; or HTTP GET requests to legitimate domains. Perhaps there is even traffic from an HTTP proxy handling endpoints outside your LAN.
Everything in the network may seem to be running along smoothly and quietly, but it is paramount for security operations center (SOC) teams to see when all that is just a facade. Using an EDR tool like ESET Enterprise Inspector (EEI), SOCs are able to quickly unearth a lot of detailed information, helping to identify and investigate suspicious activity.
EEI works by matching event data from endpoints against a set of rules designed to flag malware-like or suspicious behavior, as well as low-reputation and/or malicious executables. Matched events fire off alarms, and complete process trees are available for manual inspection in EEI:
Figure 1: Alarm details view in EEI with process tree
Getting deeper into the network with PolyglotDuke
As an example of the level of visibility that EEI provides, we can consider how the tool interacts with the presence of malware like PolyglotDuke, a downloader used by the Dukes threat group (APT29) in Operation Ghost.
PolyglotDuke comes as an encrypted DLL appended to a GIF89 image header. A separate .exe process – PolyglotDuke’s dropper – decrypts the DLL appended to the image header and drops it to a machine’s current working directory. The fact that a DLL with low popularity is loaded into a trusted process causes an alarm in EEI.
This PolyglotDuke DLL is then executed by a rundll32.exe process and starts contacting Twitter, Reddit, Imgur and other image-sharing sites to download Japanese, Chinese or Cherokee strings that encode the malware’s command and control server. Take a look at this Twitter post:
Figure 2: PolyglotDuke grabs its C&C URL – encoded in Cherokee – from a Twitter post
Normally, these actions would go unnoticed at the network level, since it is business as usual for employees to browse Twitter, download images, etc. Further, there is nothing obviously suspicious about running DLL files with rundll32.exe – your operating system does it all the time. Because this process sets off other suspicious processes, however, a few alarms are raised in EEI.
Having decoded the addresses of its command and control servers, PolyglotDuke starts making HTTP GET requests to domains like rulourialuminiu.co[.]uk and powerpolymerindustry[.]com. The result of these requests is to download a JPG or PNG image file that has additional binary data appended to it. If you visit these URLs, they redirect to similar-looking but legitimate counterparts: rulourialuminiu.ro and powerpolymer.net – a seemingly orchestrated ruse to hide its communications.
Finally, EEI sees PolyglotDuke extracting the appended binary data from the modified JPG or PNG images and performing some suspicious “write” activities. It may write a new executable to disk to be launched by CreateProcess. It may write a DLL to disk either for launch from another rundll32.exe process or for loading by LoadLibraryW. Last, but not least, it may write a JSON config file to the registry. These actions trigger the following alarms in EEI: “Trusted process loaded suspicious DLL” or “Rundll32 loaded DLL from suspicious location”:
Figure 3: Alarms view in EEI with MITRE ATT&CK references
Looking at the alarms aggregated in EEI’s dashboard, administrators are able to correlate the data to the MITRE ATT&CK knowledge base via a direct reference to ATT&CK techniques. For example, Rundll32 (T1085) is documented in the ATT&CK Enterprise Matrix as a technique used by threat actors both for execution of malware components and defense evasion. In this way, network defenders gain a broader picture of the threat actors known to have utilized the identified techniques, as well as key prevention and remediation strategies.
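To make the two alarms named above and their ATT&CK reference concrete, here is an added example (not EEI's rule engine or ESET's code) that runs two comparable DLL-load rules over constructed endpoint events and attaches the process tree to each hit. The event format, the user-writable directory list, the trusted-process set and the popularity threshold are all assumptions.

```python
import re

# Constructed endpoint events (not EEI telemetry): a downloaded .exe drops a DLL next to
# itself and launches it through rundll32.exe; a normal rundll32.exe run is included too.
EVENTS = [
    {"type": "start", "pid": 4012, "ppid": 3900, "image": r"C:\Users\jdoe\Downloads\report.exe"},
    {"type": "start", "pid": 4120, "ppid": 4012, "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "load", "pid": 4120, "dll": r"C:\Users\jdoe\Downloads\dec.dll", "popularity": 1},
    {"type": "start", "pid": 5001, "ppid": 3900, "image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "load", "pid": 5001, "dll": r"C:\Windows\System32\shell32.dll", "popularity": 98000},
]

# Assumed rule parameters: directories an ordinary user can write to, processes treated as
# trusted, and the endpoint count below which a module counts as "low popularity".
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
TRUSTED = {"rundll32.exe", "svchost.exe", "explorer.exe"}
LOW_POPULARITY = 10
ATTACK_REF = {"Rundll32 loaded DLL from suspicious location": "T1085"}   # reference from the article

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def process_tree(pid, image, parent):
    """Ancestor chain of image names down to pid, the context an analyst reads in the alarm."""
    chain = []
    while pid in image:
        chain.append(basename(image[pid]))
        pid = parent.get(pid)
    return " -> ".join(reversed(chain))

def evaluate(events):
    """Run the two DLL-load rules over the events; each alarm carries its process tree."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "start"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "start"}
    alarms = []
    for e in events:
        if e["type"] != "load":
            continue
        exe = basename(image.get(e["pid"], ""))
        names = []
        if exe == "rundll32.exe" and USER_WRITABLE.match(e["dll"]):
            names.append("Rundll32 loaded DLL from suspicious location")
        if exe in TRUSTED and e["popularity"] < LOW_POPULARITY:
            names.append("Trusted process loaded suspicious DLL")
        for name in names:
            alarms.append({"rule": name, "technique": ATTACK_REF.get(name), "pid": e["pid"],
                           "dll": e["dll"], "tree": process_tree(e["pid"], image, parent)})
    return alarms

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f'{a["rule"]} [{a["technique"] or "-"}] {a["tree"]} loaded {a["dll"]}')
```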
Advanced reconnaissance and exfiltration with MiniDuke
The goal of PolyglotDuke is to download a backdoor called MiniDuke – a much more threatening prospect for affected organizations. EEI can reveal the processes that MiniDuke spawns, including the upload and download of files or the retrieval of system information like hostname or names of local drives. In total, MiniDuke packs 38 functions to enable cyberespionage.
One interesting trick that MiniDuke uses to blend into network traffic is to send POST requests to ecolesndmessines[.]org or salesappliances[.]com that appear as JPG file uploads. Upon inspecting these requests, however, administrators discover that the file merely has a JPG header masquerading the data as an image:
Figure 4: MiniDuke sends a POST request to its C&C server that looks like a JPG file upload
The malware writers obviously hope to hide their backdoor activities within the mass of images that are usually sent across a typical network.
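Both the PolyglotDuke images with appended binary data and the MiniDuke upload that is only a JPEG header come down to the same check: does the byte stream end where the image format says it should? The following added example (not ESET's code) walks the GIF and JPEG container structures to answer that for constructed samples; it handles baseline files only and treats FF D9 after the first SOS segment as the end of a JPEG, which is a simplification.

```python
import struct
color_table = lambda flags: (3 << ((flags & 7) + 1)) if flags & 0x80 else 0  # GIF color table size, 0 if absent

def gif_end(b):
    """Offset just past the GIF trailer byte (0x3B), or None if the image never completes."""
    if b[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos = 13 + color_table(b[10])                      # header + logical screen descriptor
    while pos < len(b):
        tag, pos = b[pos], pos + 1
        if tag == 0x3B:                                # trailer: the image is complete here
            return pos
        if tag == 0x2C:                                # image descriptor, local table, LZW size
            pos += 10 + color_table(b[pos + 8])
        elif tag == 0x21:                              # extension: label byte, then sub-blocks
            pos += 1
        else:
            return None
        while b[pos]:                                  # data sub-blocks end with a zero byte
            pos += 1 + b[pos]
        pos += 1
    return None

def jpeg_end(b):
    """Offset just past the EOI marker (FF D9), or None if no complete scan is present."""
    pos = 2 if b[:2] == b"\xff\xd8" else len(b)
    while pos + 4 <= len(b) and b[pos] == 0xFF:        # walk the marker segments
        if b[pos + 1] == 0xDA:                         # SOS: inside entropy data FF D9 is only EOI
            eoi = b.find(b"\xff\xd9", pos)
            return eoi + 2 if eoi >= 0 else None
        pos += 2 + struct.unpack(">H", b[pos + 2:pos + 4])[0]
    return None

PARSERS = {b"GIF8": gif_end, b"\xff\xd8": jpeg_end}
def inspect(b):
    """'ok', 'trailer:<n>' (n bytes after the image), 'malformed' or 'not-an-image'."""
    parser = next((p for magic, p in PARSERS.items() if b.startswith(magic)), None)
    if parser is None:
        return "not-an-image"
    try:
        end = parser(b)
    except (IndexError, struct.error):                 # structure runs off the end of the data
        end = None
    if end is None:
        return "malformed"                             # e.g. a bare header in front of other data
    return "ok" if end == len(b) else f"trailer:{len(b) - end}"

# Constructed 1x1 samples, not malware: a valid GIF, a valid JPEG, and a bare JPEG header followed by non-image bytes
GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xda\x00\x02\x12\x34\xff\x00\xff\xd9"
FAKE_UPLOAD = b"\xff\xd8\xff\xe0" + b"beacon data, not pixels"
```

Run over files pulled from the proxy or from EEI, a `trailer:` result flags a candidate polyglot and `malformed` flags an "image" that was never one.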
One of the great benefits of EEI is that it allows administrators to download suspicious files for further analysis. In the MiniDuke version used in Operation Ghost, for example, the .exe file carries an invalid Microsoft Corporation signature. Some security products could be fooled, even by an invalid signature, into thinking that the file is benign.
Malware analysts on a SOC team can also download the files from EEI for reverse engineering in tools like IDA. There they can disassemble MiniDuke to find the pure x86 code, albeit hidden behind some deep obfuscation.
Having identified the offending processes and files, IT admins can use EEI to kill processes and, in the upcoming version 1.4 of EEI, to isolate compromised endpoints from the network in a one-click action. In addition, IT administrators are able to read the full set of over 300 rules packaged with EEI, create their own exclusions from rules and write their own custom detections. Providing even greater transparency and control over the alarm rule set greatly enhances the capabilities of SOC teams to defend their networks.
ESET will be presenting at the RSA Conference in San Francisco on February 24 - 27, 2020, where attendees can find a demonstration simulating the malicious mechanism of PolyglotDuke and MiniDuke – the favorite tools of the Dukes at play during Operation Ghost. Find us at Booth #753 in the South Hall.
Have macOS on the network? Version 1.4 of EEI has you covered. Learn more here.