This Malware-as-a-Service platform has been through a number of incarnations over the years; previously, it has been titled Adwind, Unrecom, AlienSpy, and JSocket, among others. An investigation in 2016 found that by the turn of the year it had over 1800 users, ranging from scammers and corporations (targeting competitors) to mercenaries and private individuals (using it against personal acquaintances). It has been used against more than 443,000 individuals, commercial, and non-commercial organizations, with specifically targeted industries including manufacturing, finance, engineering, telecoms, and energy. It has been identified in particular association with attacks against organizations in Germany, India, Italy, Russia, Vietnam, Hong Kong, Turkey, Taiwan, the US, and the UAE to conduct keylogging, memory scraping, screen display capture, and VPN certificate theft, among a variety of other uses.
China Chopper is a web shell, a program intended to manipulate compromised web servers into acting as network gateways. For this reason it has a huge variety of potential attacker applications, though it is primarily used by Chinese cyber criminals and APT groups. Most notoriously, it has been associated with an attack on a defense contractor in Australia during the summer of 2016, targeting information related to the F-35 and P-8 military aircraft.
Mimikatz is the most widely used memory scraping tool, for the simple reason that it is among the most effective. As a result it has a very wide user base, including script kiddies, criminal gangs (Carbanak), penetration testers, and APT groups, and was incorporated into SMB exploit-leveraging ransomware attacks NotPetya and BadRabbit. It has been used in a number of publicized attacks, such as against DigiNotar (a certificate-issuing authority), various intrusions into government bodies such as the German parliament, and a series of bank thefts.
Much like Mimikatz, Empire is a framework widely used by criminal and nation-state threat actors, penetration testers and red teams due to PowerShell’s presence on all Windows OSs from 7 forward. It has been identified in use by criminal group FIN10 and Iran-linked APT CopyKittens for establishing a network foothold, conducting internal reconnaissance, and achieving persistence. In line with its use by CopyKittens, it has been associated with attacks against government institutions, education bodies, defence contractors, large IT companies, and persons of political interest such as UN employees, especially in regions such as Saudi Arabia, Turkey, the US, Jordan, and Germany. The popularity of Empire is due to its versatility in fileless attacks; it allows for direct command execution through PowerShell and can be integrated into other tooling through modules for Mimikatz, key logging, lateral movement, and token manipulation.
Short for HUC Packet Transmit Tool, HTran was written by a founder of Chinese nationalist hacktivism group, ‘Lion’, for the Honker Union of China – hence, HUC. It is used to obfuscate command and control traffic, making it valuable to any attackers wishing to mask their activities. It has been observed in use against US and Japanese companies by hacktivist organizations like Moafree and DraonOK, additionally by APT1, and in the March 2011 attack against RSA. Use of HTran makes incident response and attribution more challenging as it intercepts and redirects TCP connections from a local to a remote host, obfuscating attacker communications with victim networks.
F-Secure Countercept – Detection and Response
So far we have looked at the use and targeting of the tools identified in the Five Eyes joint report. The nature of how they function can pose difficulties in detection, however there are several giveaways that can indicate their presence on a compromised host. Here are a number of techniques for picking up those indicators.
Most attackers want to maintain access to a network once they have gained a foothold. By collecting data on a vast range of persistence mechanisms across the network, stacking the data to identify anomalies, and enriching the data sets with digital signature verification, prevalence and threat intelligence information, it is possible for us to identify undetected implants residing on compromised endpoints.
Empire, JBiFrost and China Chopper all have aspects of persistence, which shows the importance of detection and response in this area.
Anomalous Process Execution
A common feature of malware implants and general malicious activity on compromised endpoints is either the execution of unknown binaries or the execution of common administrative tools in contexts that they would not usually occur. For example, an executable that has not been seen on the network before may be launched, such as may be the case for Htran or Mimikatz, or a compromised web server may be seen launching command interpreters, such as would be the case with China Chopper.
By monitoring process execution events and the context in which they occur, it is possible to identify anomalous execution events due to new unknown binaries being executed or process trees of execution that are abnormal.
Fileless attacks and Scripting Language Abuse
Many attacks and implants in more recent years have focused on leveraged existing legitimate tools for misuse, as opposed to using custom binaries. For example, powerful scripting frameworks like PowerShell or other execution engines, such as Java, can be used as a platform for executing custom malicious actions.
Empire is an entire exploitation framework based on PowerShell and uses many malicious PowerShell techniques that we‘ve observed in a range of implants used by a variety of threat actors. JBiFrost (formerly Adwind) is a remote access Trojan (RAT) written in Java and also makes malicious use of VBScript, which we have observed in the wild on compromised endpoints.
User and Entity Behavior Analytics
Sometimes activity can be identified as malicious purely because the particular activity is unusual for the particular endpoint or user account. For example, making use of a command prompt or making RDP connections to a server may both be perfectly acceptable when conducted by administrators from their own laptop. However, seeing a service account on a web server engaging in those activities would be highly unusual.
By tracking the context in which certain activity occurs, using anomaly detection techniques and learning what counts as normal behavior, it is possible to identify this type of malicious activity. It could easily be associated with China Chopper and HTran especially, where a web server and its associated service account begin executing commands it doesn’t normally perform or any compromised endpoint begins relaying a variety of network communications around the network that would not be common for that endpoint or the associated user.
Memory-resident implant techniques that avoid leaving forensic evidence on disk have been common for over a decade. Consequently, methods of identifying malicious code residing purely in-memory is essential to detecting more advanced compromises. By performing live memory analysis to pinpoint suspicious regions of memory or to identify malicious hooks of system APIs, it is possible to detect memory-resident malware.
Htran, Mimikatz and Empire all have aspects or common usage scenarios that involve injecting code directly into the memory space of legitimate processes and so are examples of tools that fall under the scope of memory analysis detection techniques.