Blog
Inside the SOC
Phishing with QR Codes: How Darktrace Detected and Blocked the Bait
What is a QR Code?
Invented by a Japanese company in 1994 to label automobile parts, Quick Response codes, best known as QR codes, are rapidly becoming ubiquitous everywhere in the world. Their design, inspired by the board and black and white pieces of the game of Go, permits the storage of more information than regular barcodes and to access that information more quickly. The COVID-19 pandemic contributed to their increased popularity as it conveniently replaced physical media of all types for the purpose of content sharing. It is now common to see them in restaurant menus, plane tickets, advertisements and even in stickers containing minimal to no text pasted on lamp posts and other surfaces, enticing passers-by to scan its content.
QR Code Phishing Attacks (Quishing)
Recently, threat actors have been identified using QR codes too to embed malicious URLs leading the unsuspecting user to compromised websites containing malware or designed to harvest credentials. In the past month, Darktrace has observed an increase in the number of phishing emails leveraging malicious QR codes for malware distribution and/or credential harvesting, a new form of social engineering attack labelled “Quishing” (i.e., QR code phishing).
Between June 13 and June 22, 2023, Darktrace protected a tech company against one such Quishing attack when five of its senior employees were sent malicious emails impersonating the company’s IT department. The emails contained a QR code that led to a login page designed to harvest the credentials of these senior staff members. Fortunately for the customer, Darktrace/Email thwarted this phishing campaign in the first instance and the emails never reached the employee inboxes.
Trends in Quishing Attacks
The Darktrace/Email team have noticed a recent and rapid increase in QR code abuse, suggesting that it is a growing tactic used by threat actors to deliver malicious payload links. This trend has also been observed by other security solutions [1] [2] [3] [4]. The Darktrace/Email team has identified malicious emails abusing QR codes in multiple ways. Examples include embedded image links which load a QR code and QR code images being delivered as attachments, such as those explored in this case study. Darktrace/Email is continually refining its detection of malicious QR codes and QR code extraction capabilities so that it can detect and block them regardless of their size and location within the email.
Quishing Attack Overview
The attack consisted of five emails, each sent from different sender and envelope addresses, displayed common points between them. The emails all conveyed a sense of urgency, either via the use of words such as “urgent”, “now”, “required” or “important” in the subject field or by marking the email as high priority, thus making the recipient believe the message is pressing and requires immediate attention.
Additionally, the subject of three of the emails directly referred to two factor authentication (2FA) enabling or QR code activation. Another particularity of these emails was that three of them attempted to impersonate the internal IT team of the company by inserting the company domain alongside strings, such as “it-desk” and “IT”, into the personal field of the emails. Email header fields like this are often abused by attackers to trick users by pretending to be an internal department or senior employee, thus avoiding more thorough validation checks. Both instilling a sense of urgency and including a known domain or name in the personal field are techniques that help draw attention to the email and maximize the chances that it is opened and engaged by the recipient.
However, threat actors also need to make sure that the emails actually reach the intended inboxes, and this can be done in several ways. In this case, several tactics were employed. Two of the five emails were sent from legitimate sender addresses that successfully passed SPF validation, suggesting they were sent from compromised accounts. SPF is a standard email authentication method that tells the receiving email servers whether emails have been sent from authorized servers for a given domain. Without SPF validation, emails are more likely to be categorized as spam and be sent to the junk folder as they do not come from authorized sources.
Another of the malicious emails, which also passed SPF checks, used a health care facility company domain in the header-from address field but was actually sent from a different domain (i.e., envelope domain), which lowers the value of the SPF authentication. However, the envelope domain observed in this instance belonged to a company recently acquired by the tech company targeted by the campaign.
This shows a high level of targeting from the attackers, who likely hoped that this detail would make the email more familiar and less suspicious. In another case, the sender domain (i.e., banes-gn[.]com) had been created just 6 days prior, thus lowering the chances of there being open-source intelligence (OSINT) available on the domain. This reduces the chances of the email being detected by traditional email security solutions relying on signatures and known-bad lists.
Darktrace Detects Quishing Attack
Despite its novelty, the domain was detected and assessed as highly suspicious by Darktrace. Darktrace/Email was able to recognize all of the emails as spoofing and impersonation attempts and applied the relevant tags to them, namely “IT Impersonation” and “Fake Account Alert”, depending on the choice of personal field and subject. The senders of the five emails had no prior history or association with the recipient nor the company as no previous correspondence had been observed between the sender and recipient. The tags applied informed on the likely intent and nature of the suspicious indicators present in the email, as shown in Figure 1.
Quishing Attack Tactics
Minimal Plain Text
Another characteristic shared by these emails was that they had little to no text included in the body of the email and they did not contain a plain text portion, as shown in Figure 2. For most normal emails sent by email clients and most automated programs, an email will contain an HTML component and a text component, in addition to any potential attachments present. All the emails had one image attachment, suggesting the bulk of the message was displayed in the image rather than the email body. This hinders textual analysis and filtering of the email for suspicious keywords and language that could reveal its phishing intent. Additionally, the emails were well-formatted and used the logo of the well-known corporation Microsoft, suggesting some level of technical ability on the part of the attackers.
Attachment and link payloads
The threat actors employed some particularly innovative and novel techniques with regards to the attachments and link payloads within these emails. As previously stated, all emails contained an image attachment and one or two links. Figure 3 shows that Darktrace/Email detected that the malicious links present in these emails were located in the attachments, rather than the body of the email. This is a technique often employed by threat actors to bypass link analysis by security gateways. Darktrace/Email was also able to detect this link as a QR code link, as shown in Figure 4.
The majority of the text, as well as the malicious payload, was contained within the image attachment, which for one of the emails looked like this:
Convincing Appearance
As shown, the recipient is asked to setup 2FA authentication for their account within two days if they don’t want to be locked out. The visual formatting of the image, which includes a corporate logo and Privacy Statement and Acceptable Use Policy notices, is well balanced and convincing. The payload, in this case the QR code containing a malicious link, is positioned in the centre so as to draw attention and encourage the user to scan and click. This is a type of email employees are increasingly accustomed to receiving in order to log into corporate networks and applications. Therefore, recipients of such malicious emails might assume represents expected business activity and thus engage with the QR code without questioning it, especially if the email is claiming to be from the IT department.
Malicious Redirection
Two of the Quishing emails contained links to legitimate file storage and sharing solutions Amazon Web Services (AWS) and and InterPlanetary File System (IPFS), whose domains are less likely to be blocked by traditional security solutions. Additionally, the AWS domain link contained a redirect to a different domain that has been flagged as malicious by multiple security vendors [5]. Malicious redirection was observed in four of the five emails, initially from well-known and benign services’ domains such as bing[.]com and login[.]microsoftonline[.]com. This technique allows attackers to hide the real destination of the link from the user and increase the likelihood that the link is clicked. In two of the emails, the redirect domain had only recently been registered, and in one case, the redirect domain observed was hosted on the new .zip top level domain (i.e., docusafe[.]zip). The domain name suggests it is attempting to masquerade as a compressed file containing important documentation. As seen in Figure 6, a new Darktrace/Email feature allows customers to safely view the final destination of the link, which in this case was a seemingly fake Microsoft login page which could be used to harvest corporate credentials.
.png)
Gathering Account Credentials
Given the nature of the landing page, it is highly likely that this phishing campaign had the objective of stealing the recipients’ credentials, as further indicated by the presence of the recipients’ email addresses in the links. Additionally, these emails were sent to senior employees, likely in an attempt to gather high value credentials to use in future attacks against the company. Had they succeeded, this would have represented a serious security incident, especially considering that 61% of attacks in 2023 involved stolen or hacked credentials according to Verizon’s 2023 data breach investigations report [6]. However, these emails received the highest possible anomaly score (100%) and were held by Darktrace/Email, thus ensuring that their intended recipients were never exposed to them.
Looking at the indicators of compromise (IoCs) identified in this campaign, it appears that several of the IPs associated with the link payloads have been involved in previous phishing campaigns. Exploring the relations tab for these IPs in Virus Total, some of the communicating files appear to be .eml files and others have generic filenames including strings such as “invoice” “remittance details” “statement” “voice memo”, suggesting they have been involved in other phishing campaigns seemingly related to payment solicitation and other fraud attempts.
結論
Even though the authors of this Quishing campaign used all the tricks in the book to ensure that their emails would arrive unactioned by security tools to the targeted high value recipients’ inboxes, Darktrace/Email was able to immediately recognize the phishing attempts for what they were and block the emails from reaching their destination.
This campaign used both classic and novel tactics, techniques, and procedures, but ultimately were detected and thwarted by Darktrace/Email. It is yet another example of the increasing attack sophistication mentioned in a previous Darktrace blog [7], wherein the attack landscape is moving from low-sophistication, low-impact, and generic phishing tactics to more targeted, sophisticated and higher impact attacks. Darktrace/Email does not rely on historical data nor known-bad lists and is best positioned to protect organizations from these highly targeted and sophisticated attacks.
参考文献
[1] https://www.infosecurity-magazine.com/opinions/qr-codes-vulnerability-cybercrimes/
[2] https://www.helpnetsecurity.com/2023/03/21/qr-scan-scams/
[4] https://businessplus.ie/tech/qr-code-phishing-hp/
[5] https://www.virustotal.com/gui/domain/fistulacure.com
[6] https://www.verizon.com/business/en-gb/resources/reports/dbir/ ; https://www.verizon.com/business/en-gb/resources/reports/dbir/
[7] https://darktrace.com/blog/shifting-email-conversation
Darktraceによるモデル検知
Association models
No Sender or Content Association
New Sender
不明な送信元
Low Sender Association
Link models
Focused Link to File Storage
Focused Rare Classified Links
New Unknown Hidden Redirect
High Risk Link + Low Sender Association
Watched Link Type
High Classified Link
File Storage From New
Hidden Link To File Storage
New Correspondent Classified Link
New Unknown Redirect
Rare Hidden Classified Link
Rare Hidden Link
Link To File Storage
Link To File Storage and Unknown Sender
Open Redirect
Unknown Sender Isolated Rare Link
Visually Prominent Link
Visually Prominent Link Unexpected For Sender
Low Link Association
Low Link Association and Unknown Sender
Spoof models
Fake Support Style
External Domain Similarities
Basic Known Entity Similarities
Unusual models
Urgent Request Banner
Urgent Request Banner + Basic Suspicious Sender
Very Young Header Domain
Young Header Domain
Unknown User Tracking
Unrelated Personal Name Address
Unrelated Personal Name Address + Freemail
Unusual Header TLD
Unusual Connection From Unknown
Unbroken Personal
Proximity models
Spam + Unknown Sender
スパム
Spam models
Unlikely Freemail Correspondence
Unlikely Freemail Personalization
General Indicators models
Incoming Mail Security Warning Message
Darktrace Model Tags
クレデンシャルハーベスティング
Internal IT Impersonation
Multistage payload
Lookalike Domain
フィッシングリンク
Eメールアカウント乗っ取り
偽アカウントの警告
メール履歴の少なさ
関連性なし
Spoofing Indicators
Unknown Correspondent
VIP
フリーメール
IoC - Type - Description & Confidence
fistulacure[.]com
domain
C2 Infrastructure
docusafe[.]zip
domain
Possible C2 Infrastructure
mwmailtec[.]com
domain
Possible C2 Infrastructure
czeromedia[.]com
domain
Possible C2 Infrastructure
192.40.165[.]109
IP address
Probable C2 Infrastructure
209.94.90[.]1
IP address
C2 Infrastructure
52.61.107[.]58
IP address
Possible C2 Infrastructure
40.126.32[.]133
IP address
Possible C2 Infrastructure
211.63.158[.]157
IP address
Possible C2 Infrastructure
119.9.27[.]129
IP address
Possible C2 Infrastructure
184.25.204[.]33
IP address
Possible C2 Infrastructure
40.107.8[.]107
IP address
Probable C2 Infrastructure
40.107.212[.]111
IP address
Possible Infrastructure
27.86.113[.]2
IP address
Possible C2 Infrastructure
192.40.191[.]19
IP address
Possible C2 Infrastructure
157.205.202[.]217
IP address
Possible C2 Infrastructure
a31f1f6063409ecebe8893e36d0048557142cbf13dbaf81af42bf14c43b12a48
SHA256 hash
Possible Malicious File
4c4fb35ab6445bf3749b9d0ab1b04f492f2bc651acb1bbf7af5f0a47502674c9
SHA256 hash
Possible Malicious File
f9c51d270091c34792b17391017a09724d9a7890737e00700dc36babeb97e252
SHA256 hash
Possible Malicious File
9f8ccfd616a8f73c69d25fd348b874d11a036b4d2b3fc7dbb99c1d6fa7413d9a
SHA256 hash
Possible Malicious File
b748894348c32d1dc5702085d70d846c6dd573296e79754df4857921e707c439
SHA256 hash
Possible Malicious File
Like this and want more?
More in this series
Blog
Inside the SOC
ViperSoftX: How Darktrace Uncovered A Venomous Intrusion
Fighting Info-Stealing Malware
The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.
What is ViperSoftX?
ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.
ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].
Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.
ViperSoftX Attack & Darktrace Coverage
In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.
Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files. This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.
The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.
For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:
- Compromise / Agent Beacon (Short Period)
- Compromise / Agent Beacon (Medium Period)
- Compromise / Agent Beacon (Long Period)
- Compromise / Quick and Regular Windows HTTP Beaconing
- Compromise / SSL or HTTP Beacon
Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.
URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.
Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.
Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.
The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.
Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].
Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.
攻撃は他のセキュリティスタックをどのようにすり抜けたか?
As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]
ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).
Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.
Insights/Conclusion
Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.
ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.
However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.
Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.
付録
参考文献
[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat
[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/
Darktrace DETECT Model Detections
· Anomalous File / Anomalous Octet Stream (No User Agent)
· Anomalous Connection / PowerShell to Rare External
· Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
· Anomalous Connection / Lots of New Connections
· Anomalous Connection / Multiple Failed Connections to Rare Endpoint
· Anomalous Server Activity / Outgoing from Server
· Compromise / Large DNS Volume for Suspicious Domain
· Compromise / Quick and Regular Windows HTTP Beaconing
· Compromise / Beacon for 4 Days
· Compromise / Suspicious Beaconing Behaviour
· Compromise / Large Number of Suspicious Failed Connections
· Compromise / Large Number of Suspicious Successful Connections
· Compromise / POST and Beacon to Rare External
· Compromise / DGA Beacon
· Compromise / Agent Beacon (Long Period)
· Compromise / Agent Beacon (Medium Period)
· Compromise / Agent Beacon (Short Period)
· Compromise / Fast Beaconing to DGA
· Compromise / SSL or HTTP Beacon
· Compromise / Slow Beaconing Activity To External Rare
· Compromise / Beaconing Activity To External Rare
· Compromise / Excessive Posts to Root
· Compromise / Connections with Suspicious DNS
· Compromise / HTTP Beaconing to Rare Destination
· Compromise / High Volume of Connections with Beacon Score
· Compromise / Sustained SSL or HTTP Increase
· Device / New PowerShell User Agent
· Device / New User Agent and New IP
Darktrace RESPOND Model Detections
· Antigena / Network / External Threat / Antigena Suspicious File Block
· Antigena / Network / External Threat / Antigena File then New Outbound Block
· Antigena / Network / External Threat / Antigena Watched Domain Block
· Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
· Antigena / Network / External Threat / Antigena Suspicious Activity Block
· Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
· Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block
· Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block
· Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
IoC一覧
Indicator - Type - Description
ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
apibilng[.]com - Hostname - ViperSoftX C2 endpoint
arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint
bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint
bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint
bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint
counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint
fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint
fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint
wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint
wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint
wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint
wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent
MITRE ATT&CK マッピング
Tactic - Technique - Notes
Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms
Command and Control - T1321 Data Encoding
Credential Access - T1555.005 Credentials from Password Stores: Password Managers
Defense Evasion - T1027 Obfuscated Files or Information
Execution - T1059.001 Command and Scripting Interpreter: PowerShell
Execution - T1204 User Execution T1204.002 Malicious File
Persistence - T1176 Browser Extensions - VenomSoftX specific
Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading
Blog
Inside the SOC
Protecting Prospects: How Darktrace Detected an Account Hijack Within Days of Deployment
Cloud Migration Expanding the Attack Surface
Cloud migration is here to stay – accelerated by pandemic lockdowns, there has been an ongoing increase in the use of public cloud services, and Gartner has forecasted worldwide public cloud spending to grow around 20%, or by almost USD 600 billion [1], in 2023. With more and more organizations utilizing cloud services and moving their operations to the cloud, there has also been a corresponding shift in malicious activity targeting cloud-based software and services, including Microsoft 365, a prominent and oft-used Software-as-a-Service (SaaS).
With the adoption and implementation of more SaaS products, the overall attack surface of an organization increases – this gives malicious actors additional opportunities to exploit and compromise a network, necessitating proper controls to be in place. This increased attack surface can leave organization’s open to cyber risks like cloud misconfigurations, supply chain attacks and zero-day vulnerabilities [2]. In order to achieve full visibility over cloud activity and prevent SaaS compromise, it is paramount for security teams to deploy sophisticated security measures that are able to learn an organization’s SaaS environment and detect suspicious activity at the earliest stage.
Darktrace Immediately Detects Hijacked Account
In May 2023, Darktrace observed a chain of suspicious SaaS activity on the network of a customer who was about to begin their trial of Darktrace/Cloud™ and Darktrace/Email™. Despite being deployed on the network for less than a week, Darktrace DETECT™ recognized that the legitimate SaaS account, belonging to an executive at the organization, had been hijacked. Darktrace/Email was able to provide full visibility over inbound and outbound mail and identified that the compromised account was subsequently used to launch an internal spear-phishing campaign.
If Darktrace RESPOND™ were enabled in autonomous response mode at the time of this compromise, it would have been able to take swift preventative action to disrupt the account compromise and prevent the ensuing phishing attack.
Account Hijack Attack Overview
Unusual External Sources for SaaS Credentials
On May 9, 2023, Darktrace DETECT/Cloud detected the first in a series of anomalous activities performed by a Microsoft 365 user account that was indicative of compromise, namely a failed login from an external IP address located in Virginia.
Just a few minutes later, Darktrace observed the same user credential being used to successfully login from the same unusual IP address, with multi-factor authentication (MFA) requirements satisfied.
A few hours after this, the user credential was once again used to login from a different city in the state of Virginia, with MFA requirements successfully met again. Around the time of this activity, the SaaS user account was also observed previewing various business-related files hosted on Microsoft SharePoint, behavior that, taken in isolation, did not appear to be out of the ordinary and could have represented legitimate activity.
The following day, May 10, however, there were additional login attempts observed from two different states within the US, namely Texas and Florida. Darktrace understood that this activity was extremely suspicious, as it was highly improbable that the legitimate user would be able to travel over 2,500 miles in such a short period of time. Both login attempts were successful and passed MFA requirements, suggesting that the malicious actor was employing techniques to bypass MFA. Such MFA bypass techniques could include inserting malicious infrastructure between the user and the application and intercepting user credentials and tokens, or by compromising browser cookies to bypass authentication controls [3]. There have also been high-profile cases in the recent years of legitimate users mistakenly (and perhaps even instinctively) accepting MFA prompts on their token or mobile device, believing it to be a legitimate process despite not having performed the login themselves.
New Email Rule
On the evening of May 10, following the successful logins from multiple US states, Darktrace observed the Microsoft 365 user creating a new inbox rule, named “.’, in Microsoft Outlook from an IP located in Florida. Threat actors are often observed naming new email rules with single characters, likely to evade detection, but also for the sake of expediency so as to not expend any additional time creating meaningful labels.
In this case the newly created email rules included several suspicious properties, including ‘AlwaysDeleteOutlookRulesBlob’, ‘StopProcessingRules’ and “MoveToFolder”.
Firstly, ‘AlwaysDeleteOutlookRulesBlob’ suppresses or hides warning messages that typically appear if modifications to email rules are made [4]. In this case, it is likely the malicious actor was attempting to implement this property to obfuscate the creation of new email rules.
The ‘StopProcessingRules’ rule meant that any subsequent email rules created by the legitimate user would be overridden by the email rule created by the malicious actor [5]. Finally, the implementation of “MoveToFolder” would allow the malicious actor to automatically move all outgoing emails from the “Sent” folder to the “Deleted Items” folder, for example, further obfuscating their malicious activities [6]. The utilization of these email rule properties is frequently observed during account hijackings as it allows attackers to delete and/or forward key emails, delete evidence of exploitation and launch phishing campaigns [7].
In this incident, the new email rule would likely have enabled the malicious actor to evade the detection of traditional security measures and achieve greater persistence using the Microsoft 365 account.
Account Update
A few hours after the creation of the new email rule, Darktrace observed the threat actor successfully changing the Microsoft 365 user’s account password, this time from a new IP address in Texas. As a result of this action, the attacker would have locked out the legitimate user, effectively gaining full access over the SaaS account.
Phishing Emails
The compromised SaaS account was then observed sending a high volume of suspicious emails to both internal and external email addresses. Darktrace was able to identify that the emails attempting to impersonate the legitimate service DocuSign and contained a malicious link prompting users to click on the text “Review Document”. Upon clicking this link, users would be redirected to a site hosted on Adobe Express, namely hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/.
Adobe Express is a free service that allows users to create web pages which can be hosted and shared publicly; it is likely that the threat actor here leveraged the service to use in their phishing campaign. When clicked, such links could result in a device unwittingly downloading malware hosted on the site, or direct unsuspecting users to a spoofed login page attempting to harvest user credentials by imitating legitimate companies like Microsoft.
The malicious site hosted on Adobe Express was subsequently taken down by Adobe, possibly in response to user reports of maliciousness. Unfortunately though, platforms like this that offer free webhosting services can easily and repeatedly be abused by malicious actors. Simply by creating new pages hosted on different IP addresses, actors are able to continue to carry out such phishing attacks against unsuspecting users.
In addition to the suspicious SaaS and email activity that took place between May 9 and May 10, Darktrace/Email also detected the compromised account sending and receiving suspicious emails starting on May 4, just two days after Darktrace’s initial deployment on the customer’s environment. It is probable that the SaaS account was compromised around this time, or even prior to Darktrace’s deployment on May 2, likely via a phishing and credential harvesting campaign similar to the one detailed above.
Darktrace のカバレッジ
As the customer was soon to begin their trial period, Darktrace RESPOND was set in “human confirmation” mode, meaning that any preventative RESPOND actions required manual application by the customer’s security team.
If Darktrace RESPOND had been enabled in autonomous response mode during this incident, it would have taken swift mitigative action by logging the suspicious user out of the SaaS account and disabling the account for a defined period of time, in doing so disrupting the attack at the earliest possible stage and giving the customer the necessary time to perform remediation steps. As it was, however, these RESPOND actions were suggested to the customer’s security team for them to manually apply.
Nevertheless, with Darktrace DETECT/Cloud in place, visibility over the anomalous cloud-based activities was significantly increased, enabling the swift identification of the chain of suspicious activities involved in this compromise.
In this case, the prospective customer reached out to Darktrace directly through the Ask the Expert (ATE) service. Darktrace’s expert analyst team then conducted a timely and comprehensive investigation into the suspicious activity surrounding this SaaS compromise, and shared these findings with the customer’s security team.
結論
Ultimately, this example of SaaS account compromise highlights Darktrace’s unique ability to learn an organization’s digital environment and recognize activity that is deemed to be unexpected, within a matter of days.
Due to the lack of obvious or known indicators of compromise (IoCs) associated with the malicious activity in this incident, this account hijack would likely have gone unnoticed by traditional security tools that rely on a rules and signatures-based approach to threat detection. However, Darktrace’s Self-Learning AI enables it to detect the subtle deviations in a device’s behavior that could be indicative of an ongoing compromise.
Despite being newly deployed on a prospective customer’s network, Darktrace DETECT was able to identify unusual login attempts from geographically improbable locations, suspicious email rule updates, password changes, as well as the subsequent mounting of a phishing campaign, all before the customer’s trial of Darktrace had even begun.
When enabled in autonomous response mode, Darktrace RESPOND would be able to take swift preventative action against such activity as soon as it is detected, effectively shutting down the compromise and mitigating any subsequent phishing attacks.
With the full deployment of Darktrace’s suite of products, including Darktrace/Cloud and Darktrace/Email, customers can rest assured their critical data and systems are protected, even in the case of hybrid and multi-cloud environments.
Credit: Samuel Wee, Senior Analyst Consultant & Model Developer
付録
参考文献
[2] https://www.upguard.com/blog/saas-security-risks
[4] https://learn.microsoft.com/en-us/powershell/module/exchange/disable-inboxrule?view=exchange-ps
[7] https://blog.knowbe4.com/check-your-email-rules-for-maliciousness
Darktraceによるモデル検知
Darktrace DETECT/Cloud and RESPOND Models Breached:
SaaS / Access / Unusual External Source for SaaS Credential Use
SaaS / Unusual Activity / Multiple Unusual External Sources for SaaS Credential
Antigena / SaaS / Antigena Unusual Activity Block (RESPOND Model)
SaaS / Compliance / New Email Rule
Antigena / SaaS / Antigena Significant Compliance Activity Block
SaaS / Compromise / Unusual Login and New Email Rule (Enhanced Monitoring Model)
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
SaaS / Compromise / SaaS Anomaly Following Anomalous Login (Enhanced Monitoring Model)
SaaS / Compromise / Unusual Login and Account Update
Antigena / SaaS / Antigena Suspicious SaaS Activity Block (RESPOND Model)
IoC – Type – Description & Confidence
hxxps://express.adobe[.]com/page/A9ZKVObdXhN4p/ - Domain – Probable Phishing Page (Now Defunct)
37.19.221[.]142 – IP Address – Unusual Login Source
35.174.4[.]92 – IP Address – Unusual Login Source
MITRE ATT&CK マッピング
Tactic - Techniques
INITIAL ACCESS, PRIVILEGE ESCALATION, DEFENSE EVASION, PERSISTENCE
T1078.004 – Cloud Accounts
探索
T1538 – Cloud Service Dashboards
CREDENTIAL ACCESS
T1539 – Steal Web Session Cookie
RESOURCE DEVELOPMENT
T1586 – Compromise Accounts
PERSISTENCE
T1137.005 – Outlook Rules
