Try in Splunk Security Cloud

Description

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-01-22
  • Author: iDefense Cyber Espionage Team, iDefense
  • ID: 988C59C5-0A1C-45B6-A555-0C62276E327E

Narrative

This story was created as a joint effort between iDefense and Splunk.
iDefense analysts have recently discovered a Windows executable file that, upon execution, spoofs a decryption tool and then drops a file that appears to be the custom-built javascript backdoor, “Orz,” which is associated with the threat actors known as MUDCARP (as well as “temp.Periscope” and “Leviathan”). The file is executed using Wscript.
The MUDCARP techniques include the use of the compressed-folders module from Microsoft, zipfldr.dll, with RouteTheCall export to run the malicious process or command. After a successful reboot, the malware is made persistent by a manipulating [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'help'='c:\\windows\\system32\\rundll32.exe c:\\windows\\system32\\zipfldr.dll,RouteTheCall c:\\programdata\\winapp.exe'. Though this technique is not exclusive to MUDCARP, it has been spotted in the group’s arsenal of advanced techniques seen in the wild.
This Analytic Story searches for evidence of tactics, techniques, and procedures (TTPs) that allow for the use of a endpoint detection-and-response (EDR) bypass technique to mask the true parent of a malicious process. It can also be set as a registry key for further sandbox evasion and to allow the malware to launch only after reboot.
If behavioral searches included in this story yield positive hits, iDefense recommends conducting IOC searches for the following:
\

  1. www.chemscalere[.]com\
  2. chemscalere[.]com\
  3. about.chemscalere[.]com\
  4. autoconfig.chemscalere[.]com\
  5. autodiscover.chemscalere[.]com\
  6. catalog.chemscalere[.]com\
  7. cpanel.chemscalere[.]com\
  8. db.chemscalere[.]com\
  9. ftp.chemscalere[.]com\
  10. mail.chemscalere[.]com\
  11. news.chemscalere[.]com\
  12. update.chemscalere[.]com\
  13. webmail.chemscalere[.]com\
  14. www.candlelightparty[.]org\
  15. candlelightparty[.]org\
  16. newapp.freshasianews[.]comIn addition, iDefense also recommends that organizations review their environments for activity related to the following hashes:
    \
  17. cd195ee448a3657b5c2c2d13e9c7a2e2\
  18. b43ad826fe6928245d3c02b648296b43\
  19. 889a9b52566448231f112a5ce9b5dfaf\
  20. b8ec65dab97cdef3cd256cc4753f0c54\
  21. 04d83cd3813698de28cfbba326d7647c

Detections

Name Technique Type
First time seen command line argument PowerShell, Windows Command Shell Hunting
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Unusually Long Command Line   Anomaly
Unusually Long Command Line - MLTK   Anomaly
Windows Powershell Connect to Internet With Hidden Window Automated Exfiltration Anomaly

Reference

source | version: 1