Oski — Threat Intel Lab Writeup

Hacktivities
5 min read · Mar 8, 2025


Overview

This writeup documents my approach to the lab Oski, available on the CyberDefenders website, a blue team-focused cyber threat intelligence lab that requires you to examine an MD5 hash related to a malicious file.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the lab before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the lab more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Scenario

The accountant at the company received an email titled “Urgent New Order” from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

Lab Analysis

To effectively categorize and understand the behavior and intent of this potential malware, it is crucial to identify its family. What is the name of the malware family for the malicious executable found within the PPT?

In VirusTotal, I can see that the provided MD5 hash is related to a Win32 EXE. Under the Relations tab for the provided file hash, the Graph Summary links the file hash to Stealc malware.

VirusTotal Graph Summary.

According to an IOC report in VirusTotal, Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline.

Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

In VirusTotal under the Details tab, we can see information about the malware file hash, including relevant dates such as creation time.

VirusTotal Malware History.

Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

In VirusTotal under the Relations tab, I can see the malware file contacts two URLs. In an article published by Sekoia, the C2 URL structure is described as follows:

  • C2 base URL: http://<ip or domain> or https://<ip or domain>;
  • C2 URL resource, which is a random string ending with the .php extension;
  • C2 directory name where the DLLs are hosted (nss3.dll, sqlite3.dll, etc…).

Contacted URLs.

Based on crowdsourced context provided through VirusTotal, the URL with the “.php” file extension has been marked as being utilized as a botnet C2 for the Stealc malware and aligns with the aforementioned C2 structure.

VirusTotal C2 URL.
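The Sekoia C2 URL structure above can be turned into a simple triage rule for proxy logs. The following is an added example (not part of the original writeup or any vendor tooling) that classifies URLs as a Stealc-style C2 gate or DLL download; the log lines, IP address and hostnames are constructed, and the "random .php" check is a heuristic that should be combined with other signals rather than used alone.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# DLL names Stealc pulls from its C2-hosted directory (the two named in the text).
STEALC_DLLS = {"nss3.dll", "sqlite3.dll"}
# Heuristic for the "random string ending in .php" resource: a single path
# segment of 6+ alphanumerics followed by .php. Tune the length for your estate.
RANDOM_PHP = re.compile(r"^/[A-Za-z0-9]{6,}\.php$")

def classify_url(url: str) -> Optional[str]:
    """Return 'c2_gate', 'dll_download' or None for a single URL."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if RANDOM_PHP.match(parts.path):
        return "c2_gate"
    if parts.path.rsplit("/", 1)[-1].lower() in STEALC_DLLS:
        return "dll_download"
    return None

# Constructed proxy log sample (not from the lab): timestamp, host, method, URL.
SAMPLE_LOG = """\
2025-03-08T14:02:11Z ACCT-PC01 POST http://203.0.113.10/a1b2c3d4e5.php
2025-03-08T14:02:13Z ACCT-PC01 GET http://203.0.113.10/dlls/sqlite3.dll
2025-03-08T14:02:14Z ACCT-PC01 GET http://203.0.113.10/dlls/nss3.dll
2025-03-08T14:03:00Z ACCT-PC01 GET https://www.example.com/index.php
2025-03-08T14:03:05Z ACCT-PC01 GET https://cdn.example.com/static/app.js
"""

def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, url, verdict) for every line matching the Stealc C2 pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        _ts, host, _method, url = fields
        verdict = classify_url(url)
        if verdict:
            hits.append((host, url, verdict))
    return hits

if __name__ == "__main__":
    for host, url, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:13} {host} {url}")
```

Note that a short, common name such as index.php does not trip the heuristic, while the random-looking gate and the two DLL fetches from the same host do, which is the sequence a Stealc infection produces on the wire.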

Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

In the previous question, we noted two URLs were contacted, one of which pointed to a DLL file titled "sqlite3.dll". To access particular files or data, Stealc requires external DLLs that are not embedded in the PE but are instead downloaded from a specific URL hosted by the C2. The DLLs are all written to the "C:\ProgramData\" directory and are then loaded. In VirusTotal, I can see that the first file dropped is the DLL file "sqlite3.dll" observed in the URL.

DLL File Dropped.

Upon examining the malware, it appears to utilize the RC4 key for decrypting a base64 string. What specific RC4 key does this malware use?

In the article published by Sekoia, we can see that Stealc data is RC4-encrypted and base64-encoded. The RC4 key is hardcoded in the PE in cleartext, and the key used by Stealc is 20 bytes long. In the Community tab, a convenient link has been provided to an Any.Run report, which provides the RC4 key used in this malware file.

RC4 Key.
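To recover a Stealc string once the key is known, an analyst reverses the order described above: base64-decode first, then RC4-decrypt with the hardcoded key. The code below is an added example (not from the original writeup, Sekoia or Any.Run) that implements RC4 from scratch; EXAMPLE_KEY is a constructed 20-byte placeholder, not the sample's real key, which comes from the Any.Run report.

```python
import base64

# Constructed placeholder, 20 bytes long like the Stealc key; substitute the
# key recovered from the sample's report when decoding real strings.
EXAMPLE_KEY = b"example-rc4-key-0123"

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encrypting and decrypting are the same operation."""
    # Key-scheduling algorithm (KSA): permute S using the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR each byte with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_stealc_string(b64_blob: str, key: bytes = EXAMPLE_KEY) -> str:
    """Undo Stealc's encoding: base64-decode, then RC4-decrypt."""
    ciphertext = base64.b64decode(b64_blob)
    return rc4(key, ciphertext).decode("utf-8", errors="replace")

def make_test_blob(plaintext: str, key: bytes = EXAMPLE_KEY) -> str:
    """Build a fixture in the same format (RC4 then base64) to exercise the decoder."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")

if __name__ == "__main__":
    # Constructed sample string; the real strings are the C2 URL and config values.
    blob = make_test_blob("http://c2.example.invalid/abcdef123456.php")
    print("encoded:", blob)
    print("decoded:", decode_stealc_string(blob))
```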

Identifying an adversary’s techniques can aid in understanding their methods and devising countermeasures. Which MITRE ATT&CK technique are they employing to steal a user’s password?

In the report from Any.Run, we can also see the full analysis of the file, which includes the MITRE ATT&CK mappings. One of the techniques used for credential access is to steal credentials from Web Browsers (T1555).

MITRE ATT&CK T1555.

Malware may delete files left behind by the actions of their intrusion activity. Which directory or path does the malware target for deletion?

In the full analysis report from Any.Run, we can see that the malware attempts to cover its tracks by deleting the malware file itself and the DLL files downloaded from the C2 server.

Process Analysis.

Understanding the malware’s behavior post-data exfiltration can give insights into its evasion techniques. After successfully exfiltrating the user’s data, how many seconds does it take for the malware to self-delete?

In the image from the previous question, the malware executes a command that waits 5 seconds, then deletes a VPN-related executable and all DLL files in C:\ProgramData, and finally exits.

Conclusion

This was an interesting threat intel lab around the Stealc information stealer. I enjoyed reading more about this malware and interacting with Any.Run to answer some of the questions. Thank you for reading to the end, and I hope you enjoyed this writeup!
