Patchwork
CASE STUDY, COURTESY OF GADI EVRON, CYMMETRIA
Background
• First observed December 2015
• At least 2,500 machines infected
• Targets: military and political personnel
― Especially those working on issues related to S.E. Asia and the South China Sea
• Attack vector: Powerpoint presentation
• Exploit: Sandworm (CVE-2014-4114)
― Only affects unpatched Microsoft Office Powerpoint 2003 and 2007
First Stage Payload: Compiled Script
• This script was written in AutoIT
• Bypassed UAC using a method called UACME, which had been posted to a hacker forum.
Next Stages
• Now having elevated privileges, it used PowerSploit to download and run Meterpreter
― the Remote Access Trojan component of the Metasploit penetration testing framework
• Meterpreter was used to locate and exfiltrate documents in order for the attacker to gauge the value of the target
― If considered valuable, the attacker then delivered a second payload, also built from snippets of code taken from various online forums and other resources
Next Stages (cont.) [figure-only slide]
Deception Campaign
• Goal: discover as much as possible about the threat actor, especially tools, techniques and procedures
― Allowing subsequent detection elsewhere
― Preventing future attacks against Cymmetria’s customer
• Honeynet environment
― Breadcrumbs: snippets of data which lead the attacker to a new machine: credentials, browser cookies, network shares, VPN connections, etc.
― Decoys: full operating systems running in VMs; they represent high-value targets for the attacker
• The lure: a fake profile for a person in whom the attacker was interested
The Deception Campaign [figure-only slide]
The Chain of Events
1. The Powerpoint PPS was opened on a target laptop and dropped the initial payload components
2. The Meterpreter reverse shell was pulled from the C2 server
3. Files from the target laptop were exfiltrated to the C2 server along with some encrypted traffic
4. The attacker decided to drop the second stage malware; this scanned the hard drive
5. It copied itself as C:\Windows\SysWoW64\netvmon.exe and added this to the startup programs
6. Three days later, alerts were received on the decoy running an SMB share
7. The malware accessed the shared drive and scanned it for files
8. Someone attempted to connect to a cloud decoy using RDP
9. They failed to log in (could have done it using Mimikatz)
10. The IP address suggests the same attacker
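Steps 6 to 10 above, as an added example that is not part of Cymmetria's report or these slides: a small Python correlation over constructed log lines that keeps only events touching a decoy from an assumed inventory and groups them by source IP, which is how one actor moving from the SMB-share decoy to the cloud RDP decoy shows up as a single cluster. Host names, timestamps, IP addresses and the log format are all assumptions.

```python
import re
from collections import defaultdict

# Assumed decoy inventory: (host, service) pairs that planted breadcrumbs point at.
DECOYS = {("fileserv-decoy", "smb"), ("cloud-decoy-01", "rdp")}

# Constructed log lines; hosts, timestamps and addresses are invented for this example.
SAMPLE_LOG = r"""
2016-05-02T09:14:03Z fileserv-decoy smb src=203.0.113.45 action=list path=\\fileserv-decoy\Docs
2016-05-02T09:14:09Z fileserv-decoy smb src=203.0.113.45 action=read path=\\fileserv-decoy\Docs\brief.pps
2016-05-02T10:02:51Z cloud-decoy-01 rdp src=203.0.113.45 action=logon_failed user=jsmith
2016-05-02T10:05:00Z prod-web-01 http src=198.51.100.7 action=read path=/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\S+) (?P<kv>.*)$")

def parse_line(line):
    """Parse one log line into a dict; key=value fields split on the first '='
    so Windows paths containing backslashes survive intact."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "service": m["service"]}
    for field in m["kv"].split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def decoy_alerts(log_text, decoys=DECOYS):
    """Keep only events that touch a decoy. No legitimate workflow references a
    decoy, so every hit is an alert; that is what keeps honeynet telemetry quiet."""
    recs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in recs if r and (r["host"], r["service"]) in decoys]

def cluster_by_source(alerts):
    """Group decoy alerts by source IP so one actor moving from the SMB decoy to
    the RDP decoy appears as a single cluster with a timeline."""
    clusters = defaultdict(lambda: {"decoys": set(), "actions": [], "first_seen": None, "last_seen": None})
    for r in sorted(alerts, key=lambda r: r["ts"]):
        c = clusters[r["src"]]
        c["decoys"].add(f"{r['host']}/{r['service']}")
        c["actions"].append(r["action"])
        c["first_seen"] = c["first_seen"] or r["ts"]
        c["last_seen"] = r["ts"]
    return dict(clusters)

if __name__ == "__main__":
    for ip, c in cluster_by_source(decoy_alerts(SAMPLE_LOG)).items():
        print(ip, sorted(c["decoys"]), c["actions"], c["first_seen"], "->", c["last_seen"])
```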
Honeynet Map [figure-only slide]
PPS Files on the C2 Server [figure-only slide]
Secondary Infection Stages [figure-only slide]
Attribution [figure-only slide]
Mapped to the Working Day [figure-only slide; darker grey indicates more edits]
Lessons
• Reconnaissance: collection of identity information on military and political workers with specific interests
• Weaponization: infected Powerpoint presentation
― Lots of military/government briefing packages are delivered by Powerpoint
• Delivery: spear-phishing campaign, reusing documents exfiltrated previously
• Exploit: a chain of Sandworm, then privilege escalation, then Meterpreter pulled from C2
• Action on objectives: exfiltration of documents
• Exploit 2: 7zip.exe -> netvmon.exe
• Installation: Added to startup programs
• Action on objectives: exfiltration
• C2: Various reused IP addresses
Also: PATCH!
• Full report available at https://cymmetria.com/research/patchwork-targeted-attack/