This post is a continuation of Bypassing Perimeter Security and Malware Evasion (1)
As discussed before, the best way to understand how the drive-by download technique bypasses modern cyber defences is with a network traffic analysis exercise.
To get a full understanding of the technique we will have to answer the following questions:
- What is the IP address, host name and MAC of the infected machine?
- What is the IP address and domain of the compromised web site?
- What is the IP and domain of the web site that delivered the exploit kit?
- What is the redirect URL that points to the EK landing page?
- What exploits are sent by the EK?
- What alerts are triggered by the IDS sensors?
The first thing to do, as usual, is to open the network capture (pcap) file in a tool such as Wireshark and start the analysis.
The other two steps I take before trying to understand the packet flow are aimed at getting a high-level overview of the communication. To do this I go to Statistics -> Protocol Hierarchy and Statistics -> Conversations; these give me a high-level overview of the endpoints involved in the communication as well as the protocols they used.
From these two screenshots we can summarise that:
- The main protocols used in the communication are TCP and HTTP
- The endpoint that communicates with the internet has the IP address 172.16.165.165
Let's crack on and start answering the questions with the initial information we have above.
What is the IP address, host name and MAC of the infected machine? The IP address is 172.16.165.165, the MAC address is f0:19:af:02:9b:f1 and the host name is k34EN6W3N-PC. To obtain the host name we filter by the DHCP protocol (filter dhcp, or bootp in older Wireshark releases) and read the Host Name option (option 12) that the client sends in its DHCP Request; the MAC comes from the client hardware address field of the same packet, which is more reliable than the Ethernet source address when the capture was taken behind a relay.
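For anyone who wants to pull the same fields out of a capture without the GUI, here is a small parser for the DHCP payload (the UDP data, after the IP and UDP headers) that I have added for this post; it is not code from the original exercise. It walks the fixed BOOTP header for the client hardware address and then the TLV option list for the message type, requested IP and Host Name (option 12). The MAC and host name below are the ones found in the capture; the rest of the packet (transaction ID, flags, requested IP option) is constructed to make the example self-contained.

```python
"""Parse a raw DHCP (BOOTP) payload to recover the client MAC and host name.

Added example for this post, not code from the original article. The MAC and host
name come from the capture; everything else in the packet is constructed.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker that precedes the options
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Return MAC, host name (option 12), message type and requested IP from the UDP payload."""
    if len(payload) < 240:
        raise ValueError("too short to be a DHCP message")
    # Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, then four 4-byte addresses.
    _op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + min(hlen, 16)]   # client hardware address, hlen=6 for Ethernet
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    info = {"xid": xid, "mac": ":".join(f"{b:02x}" for b in chaddr),
            "hostname": None, "msg_type": None, "requested_ip": None}
    i = 240
    while i < len(payload):                   # TLV option walk
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:              # option claims more bytes than the packet has
            raise ValueError("truncated option value")
        if code == OPT_MSG_TYPE and length == 1:
            info["msg_type"] = MSG_TYPES.get(value[0], f"type {value[0]}")
        elif code == OPT_HOSTNAME:
            info["hostname"] = value.decode("ascii", errors="replace")
        elif code == OPT_REQUESTED_IP and length == 4:
            info["requested_ip"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info


def build_dhcp_request(mac: str, hostname: str, requested_ip: str, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP REQUEST payload (constructed test input, not captured traffic)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4)
    header += chaddr + b"\x00" * 64 + b"\x00" * 128 + MAGIC_COOKIE   # chaddr, sname, file, cookie
    options = bytes([OPT_MSG_TYPE, 1, 3])
    options += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
    options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
    return header + options + bytes([OPT_END])


# MAC and host name from the capture; the rest of the packet is made up for the example.
SAMPLE_REQUEST = build_dhcp_request("f0:19:af:02:9b:f1", "k34EN6W3N-PC", "172.16.165.165")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_REQUEST))
```

The length checks matter: a malformed or deliberately truncated option list is exactly the kind of input that crashes naive dissectors, so the parser refuses it instead of reading past the end of the packet.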
What is the IP address and domain of the compromised web site?
22.214.171.124 and the domain www.ciniholland.nl. To get to this answer we need to know what we are looking for: this is a drive-by download, so at some point in the communication an executable, or a set of executables, was dropped onto the endpoint. To see the sequence of events we use the Wireshark feature that exports the HTTP objects of the communication: File -> Export Objects -> HTTP.
In the image above we can see the sequence of events and the hosts visited by our endpoint. The first thing to do now is to look for executable files: we search the Content Type column for application/x-msdownload. Keep in mind that the Content-Type is whatever the server chose to send, so an executable can also arrive as application/octet-stream or even text/html; the MZ magic at the start of the exported object is the reliable tell.
To understand how these files were dropped on the victim we need to follow the TCP stream (right-click the request -> Follow -> TCP Stream) and read the Host and Referer headers of each request.
Now we can reconstruct the sequence of events: the user did a search on bing.com, visited ciniholland.nl, and somehow the victim's browser then visited 24-corp-shop.com and stand.trustandprobaterealty.com, which served the malware. Based on these facts we can answer the next questions. What is the IP address and domain of the compromised web site? ciniholland.nl, IP 126.96.36.199. What is the IP and domain of the web site that delivered the exploit kit? stand.trustandprobaterealty.com, IP 188.8.131.52.
To answer the next question, what is the redirect URL that points to the EK landing page?, it is important to understand how redirects and iframes work in drive-by downloads: the compromised site does not host the exploit kit itself, it carries an injected iframe or script that silently sends the browser to an intermediate "gate", and the gate in turn redirects to the EK landing page. The answer here is 24-corp-shop.com: the page that served the EK was stand.trustandprobaterealty.com, and the Referer of that request was 24-corp-shop.com, so 24-corp-shop.com is the redirect URL that pointed to the EK landing page.
What exploits are sent by the EK? The EK pushes four exploits: two Java and two Shockwave Flash.
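The steps above (export the HTTP objects, look for executables, follow the streams and chain the Referer headers back to the first site) are mechanical enough to script, and doing so is useful when the capture has hundreds of objects instead of a dozen. The script below is an added example for this post, not code from the original exercise. It parses raw request/response pairs of the kind Follow TCP Stream shows, flags exploit and payload objects by Content-Type (or by the MZ magic when the declared type lies), and walks the Referer headers backwards from the EK host to rebuild the bing.com -> ciniholland.nl -> 24-corp-shop.com -> EK chain. The host names are the ones from the capture; the URIs, headers and response bodies are constructed and do not reproduce the real RIG traffic.

```python
"""Rebuild a drive-by download chain from HTTP request/response pairs.

Added example for this post, not code from the original article. The host names are
the ones found in the capture; URIs, headers and bodies are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

SUSPICIOUS_TYPES = {
    "application/x-msdownload": "executable (dropped payload)",
    "application/x-shockwave-flash": "Flash exploit",
    "application/x-java-archive": "Java exploit",
    "application/java-archive": "Java exploit",
}


@dataclass
class HttpObject:
    host: str
    uri: str
    referer: Optional[str]
    content_type: str
    body: bytes


def _split(raw: bytes) -> tuple[str, dict, bytes]:
    """Split a raw HTTP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_exchange(request: bytes, response: bytes) -> HttpObject:
    """Turn one request/response pair (what Follow TCP Stream shows) into an HttpObject."""
    request_line, req_headers, _ = _split(request)
    _method, uri, _version = request_line.split(" ", 2)
    _status_line, resp_headers, body = _split(response)
    content_type = resp_headers.get("content-type", "").split(";")[0].strip().lower()
    return HttpObject(req_headers.get("host", ""), uri, req_headers.get("referer"), content_type, body)


def classify(obj: HttpObject) -> Optional[str]:
    """Flag exploit and payload objects. A body starting with 'MZ' is a PE file no matter
    what Content-Type the server declares, so the magic is checked before the header."""
    if obj.body.startswith(b"MZ"):
        return f"executable (PE magic, declared {obj.content_type or 'no type'})"
    return SUSPICIOUS_TYPES.get(obj.content_type)


def redirect_chain(objects: list[HttpObject], final_host: str) -> list[str]:
    """Walk Referer headers backwards from the EK host to the first page with no referer."""
    first_seen = {}
    for obj in objects:
        first_seen.setdefault(obj.host, obj)  # the first request to a host carries the referer that led there
    chain, seen = [final_host], {final_host}
    current = first_seen.get(final_host)
    while current is not None and current.referer:
        previous = urlparse(current.referer).hostname or ""
        if not previous or previous in seen:  # self-referer or loop: stop
            break
        chain.append(previous)
        seen.add(previous)
        current = first_seen.get(previous)
    return list(reversed(chain))


# --- constructed sample traffic: host names from the capture, everything else made up ---
def _req(host: str, uri: str, referer: Optional[str] = None) -> bytes:
    head = f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n"
    if referer:
        head += f"Referer: {referer}\r\n"
    return (head + "\r\n").encode()


def _resp(content_type: str, body: bytes) -> bytes:
    return f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\nContent-Length: {len(body)}\r\n\r\n".encode() + body


EK = "stand.trustandprobaterealty.com"
SAMPLE_EXCHANGES = [
    (_req("www.bing.com", "/search?q=cini+holland"), _resp("text/html; charset=utf-8", b"<html>results</html>")),
    (_req("www.ciniholland.nl", "/", "http://www.bing.com/search?q=cini+holland"),
     _resp("text/html", b'<html><iframe src="http://24-corp-shop.com/"></iframe></html>')),
    (_req("24-corp-shop.com", "/", "http://www.ciniholland.nl/"),
     _resp("text/html", b'<html><iframe src="http://' + EK.encode() + b'/landing.html"></iframe></html>')),
    (_req(EK, "/landing.html", "http://24-corp-shop.com/"), _resp("text/html", b"<html>landing</html>")),
    (_req(EK, "/exploit.swf", f"http://{EK}/landing.html"), _resp("application/x-shockwave-flash", b"CWS\x0b\x00\x00")),
    (_req(EK, "/exploit.jar", f"http://{EK}/landing.html"), _resp("application/x-java-archive", b"PK\x03\x04\x00\x00")),
    # payload served as octet-stream: the declared type lies, the PE magic does not
    (_req(EK, "/payload.bin", f"http://{EK}/landing.html"), _resp("application/octet-stream", b"MZ\x90\x00\x03")),
]


def analyze(exchanges=SAMPLE_EXCHANGES, ek_host: str = EK) -> dict:
    """Return the redirect chain ending at ek_host and the list of flagged objects."""
    objects = [parse_exchange(req, resp) for req, resp in exchanges]
    flagged = [(o.host, o.uri, classify(o)) for o in objects if classify(o)]
    return {"chain": redirect_chain(objects, ek_host), "flagged": flagged}


if __name__ == "__main__":
    result = analyze()
    print(" -> ".join(result["chain"]))
    for host, uri, label in result["flagged"]:
        print(f"{host}{uri}: {label}")
```

Two design points worth noting. The chain is built from the first request to each host, because that is the request whose Referer tells you who sent the browser there; later requests to the EK host refer to its own landing page and would only produce a self-loop, which the seen set stops. And the classifier checks the MZ magic before the declared Content-Type, since exploit kits routinely label the dropped executable as octet-stream, an image or plain text to slip past simple filters.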
The last question is: what alerts are triggered by the IDS sensors? I am currently installing an IDS at home with Security Onion and I do not have the local tools yet; however, uploading the pcap file to VirusTotal will show the alerts raised by its Suricata and Snort IDS sensors. If you were dealing with a real incident, it is not advisable to do so, as you would be handing the victim's traffic to a third party and could be alerting the attacker. Please also notice how low the detection rate is: only 2 of 56 AV engines detected some sort of malicious activity in the pcap file.
The EK detected is RIG EK. For additional information check,
With this example it is clear how easy it is to bypass the security perimeter and compromise the endpoint to set up command and control (C2) or exfiltrate information. In the continuation we will see how to report this incident to management, and I will go through the process of antivirus evasion with a different EK.