Analytics Story: Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

Date: 2020-01-22 ID: 988c59c5-0a1c-45b6-a555-0c62276e327e Author: iDefense Cyber Espionage Team, iDefense Product: Splunk Enterprise Security

Description

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

Why it matters

This story was created as a joint effort between iDefense and Splunk. iDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, "Orz," which is associated with the threat actors known as MUDCARP (as well as "temp.Periscope" and "Leviathan"). The file is executed using Wscript. The MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'. Though this technique is not exclusive to MUDCARP, it has been spotted in the group's arsenal of advanced techniques seen in the wild. This Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot. If behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:

  1. www.chemscalere[.]com
  2. chemscalere[.]com
  3. about.chemscalere[.]com
  4. autoconfig.chemscalere[.]com
  5. autodiscover.chemscalere[.]com
  6. catalog.chemscalere[.]com
  7. cpanel.chemscalere[.]com
  8. db.chemscalere[.]com
  9. ftp.chemscalere[.]com
  10. mail.chemscalere[.]com
  11. news.chemscalere[.]com
  12. update.chemscalere[.]com
  13. webmail.chemscalere[.]com
  14. www.candlelightparty[.]org
  15. candlelightparty[.]org
  16. newapp.freshasianews[.]com In addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:
  17. cd195ee448a3657b5c2c2d13e9c7a2e2
  18. b43ad826fe6928245d3c02b648296b43
  19. 889a9b52566448231f112a5ce9b5dfaf
  20. b8ec65dab97cdef3cd256cc4753f0c54
  21. 04d83cd3813698de28cfbba326d7647c

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
First time seen command line argument PowerShell, Windows Command Shell Hunting
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Unusually Long Command Line None Anomaly
Unusually Long Command Line - MLTK None Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1