Security Forem

Hitanshu Gedam

LetsDefend SOC250 - APT35 HyperScrape Data Exfiltration Tool Detected

[Screenshot: taking ownership of the alert]

We start by taking ownership of the alert.

Next, we create a case for the alert.

The next step is to start the playbook.

[Screenshot: playbook]

Before we move ahead, let's search for the file's hash on VirusTotal:

[Screenshot: VirusTotal results]

50 out of 70 vendors flag it as malicious, enough for us to conclude that it is.

[Screenshot: Endpoint Security]

Next we move on to Endpoint Security to find out whether the malware actually ran on the host, and the screenshot above shows that it did.

[Screenshot: log description]

Since the rule says this was a data exfiltration attempt, the next step is to move on to Log Management and filter the logs using the IP as the filter.
The firewall action SUCCESS means that the firewall allowed the connection.

[Screenshot: logon event]

This is the screenshot of a log stating a successful logon (EventID 4624) by the source IP 173.209.51[.]54.

I look up the IP address on the Threat Intel tab and find that it is associated with APT35 (Charming Kitten, https://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten).

[Screenshot: IP details]

This is the IP that was contacted by the host after the program ran.

[Screenshot: IP lookup]

This destination IP is the same malicious IP flagged in Threat Intel.

[Screenshot: raw log]

After searching for Arthur's email address (arthur@letsdefend[.]io) in Email Security, there is no related traffic.

[Screenshot: pop-up]

Checking further in Endpoint Security, we see that MpCmdRun.exe ran with SignaturesUpdateService and the -ScheduleJob and -UnmanagedUpdate parameters. MpCmdRun.exe is Microsoft Defender's command-line utility and this is a signature-update job; its timing, shortly after the malware ran, suggests the file may have interfered with Defender's signatures, but since the same command is also routine Defender activity, it should be corroborated (for example against Defender's own operational event log) before it is treated as tampering.

Let's start the playbook

[Screenshots of the playbook steps: verify, ID recon, log, check alert, answer 1, attacker IP, malicious, more than one, containment description, contained, artifacts added]

Analyst's notes:
On December 27, 2023, at 11:22 AM, I identified an alert for suspicious behavior linked to a malicious file (hash: cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa), which VirusTotal confirmed as malicious with a score of 51. Upon investigation, I found that the file executed EmailDownloader.exe, though no associated emails were found in the email security logs. Log analysis revealed a file download at 11:21:48 on the host Arthur, where explorer.exe launched EmailDownloader.exe at 11:21:37, followed by MpCmdRun.exe running SignaturesUpdateService -ScheduleJob -UnmanagedUpdate at 11:38:10. The host was immediately contained with no further compromise, and I recommend blocking the attacker’s IP address and resetting the host’s password.

[Screenshot: finish]

Now we finish the playbook and close the alert.
