Hunting Unpacked: Unleashing External Threat Intelligence in Network Hunting

May 19, 2016 • Levi Gundert

Key Takeaways

  • Internal hunting is an invaluable exercise for INFOSEC teams and, by extension, the business or agency.
  • Impactful methodologies rely on experienced professionals who are able to identify patterns and anomalies in large data sets comprised of network and/or host-based telemetry.
  • Using the external web to alert on new or existing adversary TTPs is a smart technique for identifying criteria for new or improved hunting plays.
  • New hunting methodologies need to be tested and refined. Plays vary by efficacy, and each play should be tracked for quality over time, and phased out when appropriate.

Do you hunt? Rather, do you frequently hunt in the internal network?

Operating under the premise that a previously undetected attacker is in the internal network is a savvy defense strategy that should comprise a large and evolving chapter in every business’s information security (INFOSEC) playbook.

Playbook plays should include well-documented hunting methodologies that can be performed by team veterans and rookies alike. The key is talented and motivated professionals who share two traits, curiosity and creativity, because hunting is an art. Sure, there’s room for machine-learning algorithms (science) to assist in the hunt, but the tools still require a human brain.

One of the best sources for hunting strategies is external analysis and intelligence. New hunting methodologies need to be tested and refined. Plays vary by efficacy, and each play should be tracked for quality over time, and phased out when appropriate. But like most daunting tasks, committing and starting is the primary hurdle.

Logical methodologies include pattern and anomaly recognition in single and combined data sets such as employee activity times across time zones, analyzing the long tail of workstation-generated user agent strings, new registry keys, or memory processes across network devices.

The following is an exposition of a basic internal hunting methodology that was originally derived from a lead identified on the external web. It’s one basic example of a hunting play that can be implemented based on external threat intelligence and adversary TTP identification.

Crafting a Methodology

What is the most common low-level adversary tactic, technique, or procedure (TTP) for surreptitiously installing malicious code on a victim system while evading antivirus detection? Packing or compressing the executable or script.

Packing or compression software is used by legitimate companies that need to make their portable binaries more efficient for transmission and storage. Unfortunately, threat actors also use packers to obfuscate their malware and evade antivirus software. So packers are a useful TTP category, but suboptimal for hunting in the enterprise due to a high noise-to-signal ratio in host and/or network telemetry (log and event metadata), unless the signature development list is constrained to a small subset of packers unlikely to be used by legitimate software manufacturers (see a sample crypter list below).

Packer defensive signatures may not be directly applicable for higher-level TTP hunting, but there may be derivative value in malware sample information identified by packer type and observed over time outside of the company network.

To that end, we created Recorded Future entities for a long list of known packers (or “crypters” as they are known in the Underground Economy).

Crypter List

On April 29, 2016, Recorded Future produced a new entity alert for “RLPack” (more information on Recorded Future’s natural language processing technology, which extracts these entities, is available separately).

Recorded Future Alert

The malware sample in question (Trojan-Banker.Win32.Banker.exe) creates three mutexes, one of which is fairly distinctive: “Wapp.” Team Cymru’s malware intelligence platform returns 940 malware samples using the same mutex. Metadata for one of those samples appears below; it is packed with RLPack V1.18 Basic Edition:

SHA1:     6eaf3557167b3915df2515056f0f2640962fc043
SHA256:   60b44c4dfbb7aa8d87a35b16c2ee108cb91993087aef26d844bf13fd678c0f5b
MD5:      439d092fff3565472f83e599e46f344b
Imp Hash: 09d0478591d4f788cb3e5ea416c25237 (26,772 related samples)
Type:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer:   RLPack V1.18 Basic Edition (aPLib or LZMA) -> ap0x

This sample is a Trojan (tagged by multiple antivirus engines as a “Banker Trojan”) that performs an HTTP POST to hxxp://xhoxts.byethost13[.]com/envia.php (hosted at 199.59.243.120:80, Bodis, LLC, in New York).

Metadata for additional related malware samples (related by mutex) appears below:

SHA1:     8d4b59d9a32f13597ee831e1568573222a10dafd
SHA256:   8e01ee76c5c36dd7096ded18438a0c16c71004b7a5291257e5592a187e8db34f
MD5:      7f262ad066091abbe6e74fe10e916ec4
Imp Hash: 7cf6e504541f027b8abd821c7af3147f (7 related samples)
Type:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer:   Borland Delphi v6.0 – v7.0
Traffic:  HTTP POST to hxxp://www.aera[.]gr/albums/duda/envia.php (hosted at 176.9.93.181:80, Hetzner GmbH, Germany)

SHA1:     b3478a03902bea7d75b6d3a9d175588aa4bfcbbc
SHA256:   0bb8b231db70fed08c7d47e8db9efa0359faf0d4b0ee1f03000cb1ec374e7195
MD5:      d5661296f94242b3512c6ac21f57f6d3
Imp Hash: 1c372311534116eeffdf56f3f6c69c5c (2,081 related samples)
Type:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer:   nPack v1.1.300.2006 Beta

SHA1:     08b4c0a3bbdc773eace696a89ddb87ed66a24bc9
SHA256:   37d7c21c0940689f4337ebc7de7bb8298846429875042abf0f9ad2e344a4fe1f
MD5:      552e9cca0f708afcb99cd531b4393aab
Imp Hash: 1b9197dbac1353fbc7bf82775978a0ae (28 related samples)
Type:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer:   Microsoft Visual Basic v5.0
Traffic:  HTTP POST to hxxp://utenti.lycos[.]it/ssegura/infect.php

A sample of additional packers used in related malware samples includes Thinstall Embedded 2.501 -> Jitit, PKLITE32 v1.1, Themida/WinLicense V1.8.0.2 + -> Oreans Technologies, eXPressor v1.5x -> CGSoftLabs (h), and UPX.

Creating the Play

The only runtime-analysis commonality across the four samples above is the mutex string “Wapp” and the .exe file type destined for Windows machines. Otherwise these Trojan samples differ in size, use different packers, and communicate with different controllers on the internet.

Yet there’s an opportunity to create a play specifically for hunting this crimeware in the enterprise, and it revolves around the HTTP POST path. While the domains and associated server addresses change across samples, the URI path structure is relatively uniform.

In this case envia.php and infect.php are ideal candidates for a hunting methodology. Enviar is a Spanish transitive verb meaning “to send,” and a Google search for inurl:"/envia.php" returns relatively few results. Thus it’s unlikely that enterprise employees would normally initiate HTTP traffic to web pages ending in envia.php. Similarly, there are few Google results for inurl:"infect.php", which also makes it a good candidate for inclusion in a hunting play for this Banking Trojan family.

To test the play, a SIEM (security information and event management system) is a useful facilitator, specifically Splunk or ELK (Elasticsearch, Logstash, and Kibana). The SIEM should be storing web proxy logs and be available for queries. A search for the PHP pages discussed above (for example, a generic Splunk query over BlueCoat web proxy logs: sourcetype="bluecoat:proxysg:access:syslog" uri_path=*infect.php*) may return no results. Positive results could indicate a previously undetected compromise.

Regardless of the initial search results, the SIEM query should be automated for regular review and evaluated for long-term value. The playbook should eventually contain internal hunting plays for specific malware families that are identified as high-value priorities to the business due to specific functionality or attribution.
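As an added example (not code from the article or from Recorded Future), this Python script applies the same play to constructed proxy log lines in a simplified Blue Coat access-log layout: it matches on the URI path field rather than the whole URL, anchors on the end of the path so a wildcard-style near miss such as envia.php.map does not fire, and optionally restricts to POST requests as observed in the samples. The log layout and hosts are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hunting play from the article: URI paths ending in envia.php or infect.php are rare in
# legitimate traffic but matched the Banker Trojan POST check-ins. The $ anchor excludes e.g. ".php.map".
SUSPECT_PATH = re.compile(r"/(envia|infect)\.php$", re.IGNORECASE)

# Constructed sample records (not captured traffic) in a simplified Blue Coat
# ProxySG access-log layout: date time c-ip method cs-host cs-uri-path cs-uri-query status
SAMPLE_LOG = """\
2016-05-18 09:12:01 10.1.4.22 GET www.example.com /index.html - 200
2016-05-18 09:12:07 10.1.4.22 POST intranet.example.test /forms/envia.php - 200
2016-05-18 09:13:44 10.1.7.90 POST www.example.org /albums/duda/envia.php id=7 200
2016-05-18 09:15:02 10.1.2.15 GET cdn.example.net /js/envia.php.map - 200
2016-05-18 09:16:30 10.1.9.40 POST utenti.example.it /ssegura/INFECT.PHP - 200
2016-05-18 09:17:11 10.1.4.22 GET www.example.com /search q=envia.php 200
2016-05-18 09:18:05 10.1.3.3 GET www.example.com /envia.php - 404
"""

@dataclass
class Hit:
    client_ip: str
    method: str
    host: str
    uri_path: str

def parse_line(line: str) -> Optional[dict]:
    """Split one access-log record into named fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    _date, _time, client_ip, method, host, uri_path, uri_query, status = parts
    return {"client_ip": client_ip, "method": method, "host": host,
            "uri_path": uri_path, "uri_query": uri_query, "status": status}

def hunt(log_text: str, post_only: bool = True) -> List[Hit]:
    """Return requests whose URI path (not the query string) ends in a suspect page."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if post_only and rec["method"] != "POST":
            continue
        if SUSPECT_PATH.search(rec["uri_path"]):
            hits.append(Hit(rec["client_ip"], rec["method"], rec["host"], rec["uri_path"]))
    return hits
```

Calling hunt(SAMPLE_LOG) returns the three POST hits for triage (the intranet one is the kind of internal false positive that play tuning should weed out), while the GET with envia.php only in the query string and the .php.map asset are left alone.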

Open source YARA rules for alerting on specific packers are provided by Endgame.

Conclusion

Hunting is an invaluable exercise for INFOSEC teams and, by extension, the business or agency.

Impactful methodologies rely on experienced professionals who are able to identify patterns and anomalies in large data sets comprised of network and/or host-based telemetry.

Using the web to alert on new or existing adversary TTPs is a smart technique for identifying criteria for new or improved hunting plays. In this case we identified a new malware sample via the web through a match on a packer/crypter entity, which led to additional samples via malware intelligence. The additional samples contain metadata that is useful for malicious traffic profiling.

The identified pattern is subsequently ported to a SIEM query for ongoing alerting and the play is documented and tracked for long-term efficacy and value communication to the business.