Hunting Unpacked: Unleashing External Threat Intelligence in Network Hunting
Key Takeaways
- Internal hunting is an invaluable exercise for INFOSEC teams and, by extension, the business or agency.
- Impactful methodologies rely on experienced professionals who are able to identify patterns and anomalies in large data sets comprised of network and/or host-based telemetry.
- Using the external web to alert on new or existing adversary TTPs is a smart technique for identifying criteria for new or improved hunting plays.
- New hunting methodologies need to be tested and refined. Plays vary by efficacy, and each play should be tracked for quality over time, and phased out when appropriate.
Do you hunt? Rather, do you frequently hunt in the internal network?
Operating under the premise that a previously undetected attacker is in the internal network is a savvy defense strategy that should comprise a large and evolving chapter in every business’s information security (INFOSEC) playbook.
Playbook plays should include well-documented hunting methodologies that can be performed by team veterans and rookies alike. The key is talented and motivated professionals who share two traits: curiosity and creativity; because hunting is an art. Sure, there’s room for machine-learning algorithms (science) to assist in the hunt, but the tools still require a human brain.
One of the best sources for hunting strategies is external analysis and intelligence. New hunting methodologies need to be tested and refined. Plays vary by efficacy, and each play should be tracked for quality over time, and phased out when appropriate. But like most daunting tasks, committing and starting is the primary hurdle.
Logical methodologies include pattern and anomaly recognition in single and combined data sets, such as employee activity times across time zones, the long tail of workstation-generated user agent strings, newly created registry keys, or in-memory processes across network devices.
The following is an exposition of a basic internal hunting methodology that was originally derived from a lead identified on the external web. It’s one basic example of a hunting play that can be implemented based on external threat intelligence and adversary TTP identification.
Crafting a Methodology
What is the most common low-level adversary tactic, technique, or procedure (TTP) for surreptitiously installing malicious code on a victim system while evading antivirus detection? Packing or compressing the executable or script.
Packing or compression software is used by legitimate companies who need to make their legitimate portable binaries more efficient for transmission and storage. Unfortunately, threat actors also use packers to obfuscate their malware and evade antivirus software. So packers are a useful TTP category, but suboptimal for hunting in the enterprise due to a high noise-to-signal ratio in host and/or network telemetry (log and event metadata), unless the signature development list is constrained to a small subset of packers unlikely to be used by legitimate software manufacturers (see a sample crypter list below).
Packer defensive signatures may not be directly applicable for higher-level TTP hunting, but there may be derivative value in malware sample information identified by packer type and observed over time outside of the company network.
To that end, we created Recorded Future entities for a long list of known packers (or “crypters” as they are known in the Underground Economy).
On April 29, 2016 Recorded Future produced a new entity (more information on Recorded Future’s natural language processing technology) alert for “RLPack.”
The malware sample in question — Trojan-Banker.Win32.Banker.exe — creates three mutexes, one of which is fairly unique: “Wapp.” Team Cymru’s malware intelligence platform returns 940 malware samples using the same mutex. Metadata for one of the samples appears below and is packed with RLPack V1.18 Basic Edition:
Field | Value
---|---
SHA1 | 6eaf3557167b3915df2515056f0f2640962fc043
SHA256 | 60b44c4dfbb7aa8d87a35b16c2ee108cb91993087aef26d844bf13fd678c0f5b
MD5 | 439d092fff3565472f83e599e46f344b
Imp Hash | 09d0478591d4f788cb3e5ea416c25237 (26,772 related samples)
Type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer | RLPack V1.18 Basic Edition (aPLib or LZMA) -> ap0x
Icon | ![internal-network-hunting-3.png](https://cms.recordedfuture.com/uploads/internal_network_hunting_3_0fced61d2f.png)
This sample is a Trojan (tagged by multiple antivirus engines as a “Banker Trojan”) that performs an HTTP POST to hxxp://xhoxts.byethost13[.]com/envia.php (located at 199.59.243.120:80 — Bodis, LLC in New York).
Metadata for additional related malware sample examples (by mutex) appear below:
Field | Value
---|---
SHA1 | 8d4b59d9a32f13597ee831e1568573222a10dafd
SHA256 | 8e01ee76c5c36dd7096ded18438a0c16c71004b7a5291257e5592a187e8db34f
MD5 | 7f262ad066091abbe6e74fe10e916ec4
Imp Hash | 7cf6e504541f027b8abd821c7af3147f (7 related samples)
Type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer | Borland Delphi v6.0 – v7.0
Traffic | HTTP POST to hxxp://www.aera[.]gr/albums/duda/envia.php (located at 176.9.93.181:80 – Hetzner GmbH, Germany)
Icon | ![internal-network-hunting-4.png](https://cms.recordedfuture.com/uploads/internal_network_hunting_4_54bf8a6037.png)

Field | Value
---|---
SHA1 | b3478a03902bea7d75b6d3a9d175588aa4bfcbbc
SHA256 | 0bb8b231db70fed08c7d47e8db9efa0359faf0d4b0ee1f03000cb1ec374e7195
MD5 | d5661296f94242b3512c6ac21f57f6d3
Imp Hash | 1c372311534116eeffdf56f3f6c69c5c (2,081 related samples)
Type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer | nPack v1.1.300.2006 Beta
Icon | ![internal-network-hunting-5.png](https://cms.recordedfuture.com/uploads/internal_network_hunting_5_60d7df25bd.png)

Field | Value
---|---
SHA1 | 08b4c0a3bbdc773eace696a89ddb87ed66a24bc9
SHA256 | 37d7c21c0940689f4337ebc7de7bb8298846429875042abf0f9ad2e344a4fe1f
MD5 | 552e9cca0f708afcb99cd531b4393aab
Imp Hash | 1b9197dbac1353fbc7bf82775978a0ae (28 related samples)
Type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Packer | Microsoft Visual Basic v5.0
Traffic | HTTP POST to hxxp://utenti.lycos[.]it/ssegura/infect.php
A sample of additional packers used in related malware samples includes Thinstall Embedded 2.501 -> Jitit, PKLITE32 v1.1, Themida/WinLicense V1.8.0.2 + -> Oreans Technologies, eXPressor v1.5x -> CGSoftLabs (h), and UPX.
Creating the Play
The only runtime analysis commonality across the above four samples is the mutex string “Wapp” and the file type (.exe, destined for Windows machines). Otherwise these Trojan samples are different sizes, use different packers, and communicate with different internet controllers.
Yet there’s an opportunity to create a play specifically for hunting this crimeware in the enterprise, and it revolves around the HTTP POST path. While the domains and associated server addresses change across samples, the URI structure is relatively uniform.
In this case envia.php and infect.php are ideal candidates for a hunting methodology. Enviar is a Spanish transitive verb meaning “to send” and a Google search for inurl:”/envia.php” returns relatively few results. Thus it’s unlikely that internal enterprise employees would normally be initiating HTTP traffic to web pages ending in envia.php. Similarly, there are few Google results for inurl:”infect.php” also making it a good candidate for inclusion in a hunting play for this Banking Trojan family.
In order to test the play, a SIEM (security incident and event management) is a useful facilitator, specifically Splunk or ELK (ElasticSearch, Logstash, and Kibana). The SIEM should be storing web proxy logs and available for queries. A regular expression search (a generic Splunk query involving BlueCoat web proxy logs: sourcetype=”bluecoat:proxysg:access:syslog” uri_path=infect.php) for the previously discussed PHP pages may reveal negative results. Positive results could indicate a previously undetected compromise.
Regardless of initial search results, the SIEM query should be automated for regular review and evaluated for long-term value. The playbook should eventually contain internal hunting plays for specific malware families that are identified as high-value priorities to the business due to specific functionality or attribution.
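The URI-path play described above, run offline over a handful of constructed proxy log lines, as an added example that is not part of the original post or of any SIEM product. It assumes a simplified space-separated log layout (not BlueCoat's exact ELFF field order) and placeholder hostnames; the watchlist, the POST-only default and the basename frequency count reflect the reasoning in the text about why envia.php and infect.php are low-noise candidates.

```python
import re
from collections import Counter

# Hunting play from the post: HTTP POSTs whose URI path ends in one of the PHP
# pages shared by the "Wapp" mutex samples. Extend as new samples are profiled.
WATCHLIST = {"envia.php", "infect.php"}

# Constructed proxy log lines in a simplified space-separated layout (an
# assumption for this example, not BlueCoat's exact ELFF field order); hosts
# are placeholders: date time c-ip cs-method cs-host cs-uri-path sc-status cs-bytes
SAMPLE_LOG = """\
2016-05-02 09:14:03 10.1.4.22 GET portal.corp.invalid /index.html 200 512
2016-05-02 09:14:07 10.1.4.22 POST c2-a.invalid /envia.php 200 1488
2016-05-02 09:15:11 10.1.7.9 GET cdn.corp.invalid /albums/duda/cover.jpg 200 40211
2016-05-02 09:16:45 10.1.7.9 POST c2-b.invalid /albums/duda/envia.php?id=7 200 1502
2016-05-02 09:17:02 10.1.2.30 GET c2-a.invalid /envia.php 404 0
2016-05-02 09:18:30 10.1.9.14 POST c2-c.invalid /ssegura/infect.php 200 1377
garbage line the parser must skip rather than crash on
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<c_ip>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<uri_path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def parse_log(log_text):
    """Yield one field dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def uri_basename(uri_path):
    """Last path component, query string stripped, case folded."""
    return uri_path.split("?", 1)[0].rsplit("/", 1)[-1].lower()

def hunt(log_text, watchlist=WATCHLIST, post_only=True):
    """Records whose URI basename is on the watchlist. POST only by default
    (the samples beacon with POST); post_only=False also returns GETs."""
    return [
        rec for rec in parse_log(log_text)
        if uri_basename(rec["uri_path"]) in watchlist
        and (not post_only or rec["method"] == "POST")
    ]

def basename_frequency(log_text):
    """Long-tail view of URI basenames, to judge how noisy the play is before
    it is automated in the SIEM."""
    return Counter(uri_basename(r["uri_path"]) for r in parse_log(log_text))
```

Each hit carries the internal client address and destination host, which is what the analyst needs to pivot into endpoint telemetry on the suspected machine.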
Open source Yara rules are provided by Endgame for alerting on specific packers.
Conclusion
Hunting is an invaluable exercise for INFOSEC teams and, by extension, the business or agency.
Impactful methodologies rely on experienced professionals who are able to identify patterns and anomalies in large data sets comprised of network and/or host-based telemetry.
Using the web to alert on new or existing adversary TTPs is a smart technique for identifying criteria for new or improved hunting plays. In this case we identified a new malware sample via the web through a match on a packer/crypter entity, which led to additional samples via malware intelligence. The additional samples contain metadata that is useful for malicious traffic profiling.
The identified pattern is subsequently ported to a SIEM query for ongoing alerting and the play is documented and tracked for long-term efficacy and value communication to the business.