Cyber Threat Intelligence Pivoting: From a single alert to multiple IoCs

Efstratios Lontzetidis
10 min read · Nov 9, 2023


Security Operation Centers (SOCs) mainly deal with handling alerts from various security tools like Proxies, Antivirus software, Intrusion Detection Systems (IDS), Endpoint Detection and Response solutions (EDRs), etc. The ever-changing landscape of cyber threats requires a proactive approach to strengthen defenses; depending solely on the tools isn’t enough. Proactive Cyber Threat Intelligence (CTI) plays a crucial role by providing context in the early stages of an observed attack, helping analysts prioritize and respond quickly. This proactive approach improves detection capabilities by identifying potential incidents early in an attack. In this article, we explore how a single alert can reveal more Indicators of Compromise (IoCs) from the same attack campaign. By strategically pivoting, these IoCs can be incorporated into the Threat Intelligence arsenal, enhancing the ability to identify and stop future attacks.

Handling the alert

First things first, let’s say that the following Antivirus alert is triggered:

· File Path: C:\Users\%USERNAME%\Downloads\Skechers_Informations_Campaign_2023.gz->Skechers Informations Campaign 2023.exe

· Downloaded from: https[://]trello[.]com/1/cards/6541f976110a465adfc6ac7d/attachments/6544c205999ac5a9ad25bf0b/download/Skechers_Informations_Campaign_2023[.]gz

· Antivirus Signature: Trojan:Win32/Wacatac.B!ml

We can see that the user downloaded a .gz file (an archive compressed with gzip) from the above-mentioned Trello URL (Trello is a visual work management tool), and that the archive contains an executable file. The signature Trojan:Win32/Wacatac.B!ml is a generic label for malware that infects a computer while disguised as legitimate software. At this point we suspect we have a malicious file in our hands.

Extracting TTPs and IoCs from the file

The next step in our analysis is to understand the file’s capabilities (TTPs) and extract any IoCs (communicating domains/IPs, hashes, etc.) from it. Extensive malware analysis is out of scope for this discussion, but we will cover the basics so we can get some context about this file. For this purpose we will use Any.run, an interactive online malware analysis sandbox. We can give the Trello URL to an Any.run task so the file is downloaded safely into the sandbox, and then interactively execute the executable that sits inside the .gz file. So we create a new task (Any.run requires you to be logged in to run a task), give it the URL, start the public task and, once the .gz file is downloaded, extract it and double-click the executable.

Creating an Any.run task

The following TTPs and IoCs could be identified from this task:

TTPs

· T1059.001 — Command and Scripting Interpreter — PowerShell

· T1059.003 — Command and Scripting Interpreter — Windows Command Shell

· T1204.002 — User Execution — Malicious File

· T1552.001 — Unsecured Credentials — Credentials in Files

· T1012 — Query Registry

· T1082 — System Information Discovery

· T1518 — Software Discovery

The main executable performs the following actions:

  • C:\Users\admin\Downloads\Skechers_Informations_Campaign_2023\Skechers Informations Campaign 2023.exe -> opens multiple browser-related locations where information such as cookies and login data is stored (activity associated with stealing personal data). It also communicates with the domain IoCs described in the next section (for information harvesting and exfiltration).
  • C:\WINDOWS\system32\cmd.exe /d /s /c “type .\temp.ps1 | powershell.exe -noprofile - -> reads the contents of the “temp.ps1” PowerShell script and pipes it into PowerShell for execution, without loading any PowerShell profile scripts
  • csc.exe spawning cvtres.exe -> indicates the compilation of a C# (.NET) program
  • C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf & C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “Skechers Informations Campaign 2023” -> checks whether these registry Run keys (persistence) already exist, potentially so it can avoid infecting the machine a second time

Main executable’s behavior activities
Process tree part 1
Process tree part 2

IoCs

Files:

  • Skechers Informations Campaign 2023.exe
    MD5: 1574efdac390dac2e785d3c531f97565
    SHA-1: 3c92a0770f46ac37e632384a60a2a522be7b034e
    SHA-256: 2084df959e3015da91882d211512fb93beff6bd1a0248745f1870c517c356d78

Domains & IPs:

  • whoer[.]net (a service for checking a computer’s network and VPN details, commonly used by infostealers to obtain the victim’s IP information)
  • snapimage[.]top & 188.40.251[.]132 (suspicious domain; .top is among the top-level domains most frequently abused for malicious purposes)
  • api[.]telegram[.]org (Telegram bot, potentially used as the C2)
  • facebook[.]com (social media, probably to harvest login and session information)
Network Connections

Overall, this is an information-stealing malware, hosted on a Trello URL and exfiltrating the harvested information through a Telegram bot.

Now that we have extracted the IoCs, we can also look the file up in VirusTotal by searching for its hashes, to identify any other valuable information:

Only 7/70 AV vendors have detected the file as of now, with the most common label being trojan.fobo.

VirusTotal detections for the file

A quick Google search for this term returns multiple results about this threat label. One of them states: “Scammers are taking advantage of the immense popularity of ChatGPT, an advanced natural language processing AI, by impersonating it to spread a dangerous Trojan malware known as Fobo. The main aim of this scam is to steal sensitive login credentials of business accounts, which can be used for fraudulent purposes.” So we are already getting an idea that this kind of malicious software may be promoted on the surface web as the ChatGPT AI, probably through malicious ads.

In the Details tab we see some interesting information: among other things, the names and file information reference node.exe, node.js and Microsoft, and the file is not signed:

Details tab of the executable

The Relations tab includes the IoCs we have extracted from the Any.run task and the Community tab has no further information. The Behavior tab is extremely interesting:

Multiple nodejs strings are identified in the Memory Pattern Urls section:

Memory Pattern URLs of the executable

VirusTotal’s other sandboxes have also extracted further TTPs (a sample):

  • C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “REVA Company Information 2023” /t REG_SZ /d “\”C:\Users\user\REVA Company Information 2023.exe\”” /f -> Registry Run Key Persistence — T1547.001
  • Creates or modifies Windows services for persistence — T1543.003
  • C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c “taskkill /pid null /f” — Uses taskkill to terminate processes — T1562.001

Registry Keys Set of the executable
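As an added example (not from the article or from any vendor), the behaviours listed in the Any.run process tree and in the VirusTotal Behavior tab above turned into simple detection logic run over constructed process-creation events. The event records and field names are my own, and the T1027.004 mapping for the csc.exe/cvtres.exe compilation is my assumption; the other technique IDs are the ones the article gives.

```python
import re

# Constructed process-creation records modelled on the Any.run process tree and the
# VirusTotal Behavior tab described in the article; hypothetical telemetry, not real EDR data.
EVENTS = [
    {"parent": "Skechers Informations Campaign 2023.exe", "image": "cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"'},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'C:\WINDOWS\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pdf'},
    {"parent": "csc.exe", "image": "cvtres.exe", "cmdline": "cvtres.exe"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                r' /v "REVA Company Information 2023" /t REG_SZ /d "\"C:\Users\user\REVA Company Information 2023.exe\"" /f'},
    {"parent": "cmd.exe", "image": "cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /d /s /c "taskkill /pid null /f"'},
    # Two benign-looking records that the rules must not flag.
    {"parent": "explorer.exe", "image": "reg.exe",
     "cmdline": r'reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -File C:\scripts\backup.ps1'},
]

RUN_KEY = r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b"

def _cmd(pattern):
    """Build a case-insensitive command-line predicate from a regex."""
    rx = re.compile(pattern, re.I)
    return lambda e: rx.search(e["cmdline"]) is not None

# (rule name, ATT&CK technique, predicate). The first four technique IDs come from the
# article; the compile-after-delivery mapping for csc.exe -> cvtres.exe is my own assumption.
RULES = [
    ("ps1_piped_to_powershell_stdin", "T1059.001",
     _cmd(r'\btype\s+\S+\.ps1\s*\|\s*powershell(?:\.exe)?\b[^|]*\s-\s*"?$')),
    ("run_key_presence_check", "T1012", _cmd(r"\breg(?:\.exe)?\s+QUERY\s+" + RUN_KEY)),
    ("run_key_persistence_added", "T1547.001", _cmd(r"\breg(?:\.exe)?\s+ADD\s+" + RUN_KEY + r".*\s/f\b")),
    ("taskkill_null_pid", "T1562.001", _cmd(r"\btaskkill\s+/pid\s+null\b")),
    ("csharp_compiled_at_runtime", "T1027.004",
     lambda e: e["parent"].lower() == "csc.exe" and e["image"].lower() == "cvtres.exe"),
]

def match_event(event):
    """Return the (rule, technique) pairs one event triggers."""
    return [(name, tech) for name, tech, pred in RULES if pred(event)]

def triage(events):
    """Techniques seen per process image, in event order; unmatched events are dropped."""
    hits = {}
    for e in events:
        for _, tech in match_event(e):
            hits.setdefault(e["image"].lower(), []).append(tech)
    return hits

def campaign_score(events, threshold=3):
    """Count distinct techniques; escalate when the combination, not any single rule, crosses it."""
    techs = {tech for e in events for _, tech in match_event(e)}
    return len(techs), len(techs) >= threshold
```

No single rule here is conclusive on its own (a Run key query or a -NoProfile script is common admin activity); the escalation comes from several of the article's behaviours appearing together under one parent chain.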

Gaining insight into the campaign

VirusTotal is not limited to providing information about files; it also provides useful information about domains, URLs and IPs, so let’s search for the identified IoCs. Facebook and Telegram can be excluded: we know they are legitimate, and since many information-stealing malware families communicate with these domains, the results would mostly be irrelevant to our scenario. The domain and IP pair snapimage[.]top & 188.40.251[.]132 are better candidates for further information, but searching for them in VirusTotal only returns the same results already seen in the Relations tab, plus some generic malware detections for the .top domain. Another interesting domain is whoer[.]net, which we understand is not malicious by nature, but who knows, maybe we can find an interesting relationship.

Searching for this domain in the Community tab, we find an interesting comment written 2 months ago, stating that this indicator was mentioned in this report.

Comment in VirusTotal Community tab for the domain whoer[.]net

By reading this report we can identify multiple similarities with our malware: the infection vector of advertising trojanised AI tools, the use of Trello for payload hosting, the collection of browser cookies and data locations as well as Facebook-related data, the use of node.js and a .top domain, and a Telegram bot for exfiltration. The report gives us not only technical insight but also higher-level insight, such as the existence of an active campaign and the threat actor’s background.

Pivoting through the IoCs to identify further infrastructure

Now that we have not only the technical data but also the context behind this campaign, we can start pivoting through the extracted IoCs with the goal of revealing further infrastructure and malicious files.

So, what is pivoting? CTI pivoting is the systematic exploration of data gathered from different sources to identify relationships and connections between its elements. Such a process can reveal patterns and relationships in the data that expose further attacker infrastructure.

A great tool to facilitate pivoting is Censys. Censys serves as a powerful search tool for devices linked to the internet and the services they make available. It consistently explores the complete IPv4 address range, offering an essential tool for collecting information about diverse internet-connected resources. Security experts can leverage Censys to identify potential weaknesses, evaluate network setups, and uncover suspicious behaviors.

Let’s start by searching Censys for the IP address 188.40.251[.]132, which hosts the previously identified domain snapimage[.]top.

We can see that this IP also hosts other .top domains, which we can consider potentially part of the same campaign or threat actor. In addition, there are multiple open ports, SSH among them (suggesting a Linux OS), the SHA-256 fingerprint of the SSH host key is exposed, and the Autonomous System name is HETZNER-AS.

Censys results for 188.40.251[.]132

The host’s SSH key fingerprint serves as a unique identifier for the host and is used to verify the host’s authenticity during the SSH connection process. It is a cryptographic hash of the host’s public key.

An Autonomous System (AS) name refers to a network or a collection of IP (Internet Protocol) networks and routers under the control of a single organization that presents a common, clearly defined routing policy to the internet. Each autonomous system is assigned a unique number known as an ASN. The AS name is a human-readable label associated with an ASN and is used to identify and reference that specific autonomous system on the internet.

There are many possible pivot points: the same ports and services, the autonomous system name, the SSH host key fingerprint, .top domains in the forward DNS, etc. However, each of them individually may not indicate suspicious activity: not all .top domains are malicious, and not every IP in HETZNER-AS is malicious. By combining the terms we narrow the scope and have a better chance of identifying further suspicious activity and infrastructure.

For the sake of this article, we will use the SSH fingerprint: it is unique to the host key, and since we have already identified malicious activity from this host, it narrows the scope considerably. By clicking the fingerprint URL we add it to the filter, and the result count is 139.

Censys Search Filter:

services.ssh.server_host_key.fingerprint_sha256: 2a39d346693a9de88a21d9de7abc2ccaa8b0f29f503150064c923ca28c46916f

Searching Censys with the SSH host key fingerprint

However, we want to narrow the scope further, so we also add the ASN HETZNER-AS by clicking the option on the left.

Censys Search Filter:

(services.ssh.server_host_key.fingerprint_sha256: 2a39d346693a9de88a21d9de7abc2ccaa8b0f29f503150064c923ca28c46916f) and autonomous_system.name=`HETZNER-AS`

Searching Censys through the SSH fingerprint and ASN

With these filters we have 6 hosts that all share the same SSH fingerprint and ASN. Looking at the results, we can also see that every host exposes the same set of services.

Selecting one of these hosts (other than the one already identified), we observe that it also has .top domains registered to it. Checking each host, we can verify that the same applies to all of them.

Sample host of the query results
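The pivot just described (SSH host key fingerprint, then the ASN as a second constraint, then a check that the matched hosts share one service profile and carry .top forward-DNS names) as an added example, not the article’s or Censys’s code. Only the fingerprint and the two Hetzner IPs with their .top domains come from the article; the record layout, the service sets, the two decoy hosts and the function names are my assumptions.

```python
# Fingerprint taken from the article's Censys filter; everything else here is constructed.
SSH_FP = "2a39d346693a9de88a21d9de7abc2ccaa8b0f29f503150064c923ca28c46916f"

# Host records shaped after the Censys fields used above (SSH host key fingerprint,
# autonomous_system.name, forward DNS names, open services). The two Hetzner IPs and their
# .top domains are from the article; their service sets and the two decoy hosts are made up.
HOSTS = [
    {"ip": "188.40.251.132", "asn": "HETZNER-AS", "ssh_fp": SSH_FP,
     "services": {"22/SSH", "80/HTTP", "443/HTTP"},
     "dns": ["snapimage.top", "imgmax.top", "imgmax2.top", "imgmax3.top"]},
    {"ip": "188.40.174.78", "asn": "HETZNER-AS", "ssh_fp": SSH_FP,
     "services": {"22/SSH", "80/HTTP", "443/HTTP"},
     "dns": ["renderimage.top", "hohoimage.top", "makeimgs2.top", "makeimgs3.top"]},
    # Same host key but another AS: inside the fingerprint-only hits, outside the combined filter.
    {"ip": "203.0.113.10", "asn": "EXAMPLE-AS", "ssh_fp": SSH_FP,
     "services": {"22/SSH"}, "dns": ["vps.example.net"]},
    # Same AS, unrelated key: an ordinary Hetzner customer that must not be swept up.
    {"ip": "203.0.113.20", "asn": "HETZNER-AS", "ssh_fp": "00" * 32,
     "services": {"22/SSH", "443/HTTP"}, "dns": ["shop.example.org"]},
]

def pivot(hosts, fingerprint, asn=None):
    """Hosts sharing the SSH host key; with `asn` set, the combined (narrower) filter."""
    hits = [h for h in hosts if h["ssh_fp"].lower() == fingerprint.lower()]
    return [h for h in hits if h["asn"] == asn] if asn else hits

def shared_service_profile(hosts):
    """True when every host exposes exactly the same set of services (a corroborating signal)."""
    return len({frozenset(h["services"]) for h in hosts}) == 1

def domains_by_ip(hosts, tlds=(".top",)):
    """Forward-DNS names per IP, keeping only the TLDs treated as pivot-worthy."""
    return {h["ip"]: sorted(d for d in h["dns"] if d.endswith(tlds)) for h in hosts}

def defang(indicator):
    """Write an indicator the way the article does: the last dot becomes [.]."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator

def pivot_report(hosts, fingerprint, asn):
    """One defanged line per confirmed host: 'ip: domain, domain, ...'."""
    matches = pivot(hosts, fingerprint, asn)
    if not shared_service_profile(matches):
        raise ValueError("service profiles differ; review the hosts before adding them to blocklists")
    return [f"{defang(ip)}: {', '.join(defang(d) for d in doms)}"
            for ip, doms in domains_by_ip(matches).items()]
```

The `tlds` parameter is deliberately narrow; the article’s final list also contains .xyz, .info and .sbs names, so widen it when the forward DNS of a confirmed host shows them.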

Now that we have strong candidates for malicious infrastructure, let’s document all the domains and IPs we have discovered:

· IP 188.40.251[.]132, domains: imgmax2[.]top, imgmax[.]top, snapimage[.]top, imgmax3[.]top

· IP 188.40.174[.]78, domains: renderimage[.]top, hohoimage[.]top, makeimgs3[.]top, makeimgs2[.]top

· IP 188.40.241[.]91, domains: hahaimage[.]xyz, ddimage[.]top, goimage[.]top, hahaimage[.]info

· IP 188.40.248[.]143, domains: allimage.supportbussiness[.]sbs, ggimage[.]top

· IP 188.40.197[.]194, domains: imgultra[.]top, imgultra3[.]top, imgultra2[.]top

· IP 188.40.205[.]113, domain: dnsimg[.]top

Now that our pivot points are ready, we can dive into VirusTotal again to discover any malicious files communicating with the extracted domains and IPs. Let’s search for them one by one, focusing on the Relations tab, and take the domain dnsimg[.]top as an example.

We can see 2 files communicating with this domain, each with only 1 detection. The names of the files also match our alerted file (refer to the screenshot of the VirusTotal Details tab).

Relations tab of the dnsimg[.]top domain

If we click one of these 2 files and navigate to the Behavior tab, we can see that its TTPs are similar, indicating it may be part of the same campaign:

Process tree of the file communicating with the domain dnsimg[.]top

And Bingo! We can assess with confidence that these files, domains and IPs are part of the same campaign, and so we can add them to our Threat Intelligence lists and security tools to be alerted if any hit occurs.

The updated list of extracted IoCs covers the six IPs and their domains documented above, together with the SHA-256 hashes of the files found communicating with each of them:

