CFC REPORT SPHINX MOTH

Recommendations

Info

CFC REPORT: SPHINX MOTH TABLE OF CONTENTS OVERVIEW 3 INTRODUCTION 4 1. TOOLS, TACTICS AND PROCEDURES 4 1.1. Anatomy of attack 5 1.1.1. Initial foothold (steps 1+2) 5 1.1.2. Credentials harvesting, privileges escalation (step 3) 5 1.1.3. Lateral movement (steps 4+5) 6 1.1.4. Data exfiltration (step 6) 6 1.1.5. Regaining access (step 7) 6 2. TECHNICAL DETAILS ON MALWARE 7 2.1.1. “LiveUpdater.exe” (md5: 342887a7ec6b9f709adcb81fef0d30a3) 7 2.1.2. “iastor32.exe” (md5: fe2439ef0ace518e1c1a32585099dab8) 8 2.2. “nvcplex.dat” (md5: 894d47a8e23a64fc41a23484bcb50900) 9 2.2.1. “--install” 9 2.2.2. “--set” 10 2.2.3. “--show” 10 2.2.4. “--start” and “--stop” 10 2.2.5. “--clean” 10 2.2.6. Timestamp modification 10 2.3. “cudacrt.dll” (md5: d91ed1715de8eddd5244565926ed2899) 11 2.4. “kerberos32.dll” (md5 : fd4c881df95b67ee2f07adad0dca9c98) 11 3. CONCLUSION 12 APPENDICES 13 4.1. Indicators of Compromise 13 4.1.1. Binaries 13 4.1.2. IPs of Command and Control servers 13 4.1.3. Domains of Command and Control servers 14 4.2. IOC YARA rules 14 4.3. “Kerberos*.dll” list of commands 17 4.4. PowerShell script to interact with the named pipe 18 Cybersecurity unit of Kudelski Group www.kudelskisecurity.com request@kudelskisecurity.com
CFC REPORT: SPHINX MOTH OVERVIEW Sphinx Moth Since mid-2014, the Kudelski Security Cyber Fusion Center has been monitoring and investigating Sphinx Moth. This powerful corporate espionage threat is specifically designed to target large enterprises in the technology, pharma, commodities and legal sectors, penetrating their security and exfiltrating commercially sensitive information. Over the course of our investigations, we discovered new Indicators of Compromise (IOCs) and attack techniques, complementing those published recently by Symantec and Kaspersky 1 . Our report provides the following: • An analysis of 5 new binaries • 5 new Command and Control server IP addresses • 2 new Command and Control domains • 6 new YARA rules • 1 new tactic to regain access • A Powershell script to detect the named pipes IOC on an SCCM infrastructure We have detailed them here with the aim of furthering a collective understanding of the attack methods, tools and targets of this advanced persistent threat, and of improving general capabilities of detection and defense. 1 Sphinx Moth corresponds to the advanced persistent threat called “Wild Neutron” or “Butterfly/Morpho” by Kaspersky and Symantec respectively. Cybersecurity unit of Kudelski Group 3 www.kudelskisecurity.com request@kudelskisecurity.com
Page 1: CFC REPORT: SPHINX MOTH CFC REPORT:
Page 5 and 6: CFC REPORT: SPHINX MOTH 1.1. ANATOM
Page 7 and 8: CFC REPORT: SPHINX MOTH 2. TECHNICA
Page 9 and 10: CFC REPORT: SPHINX MOTH 2.2. “NVC
Page 11 and 12: CFC REPORT: SPHINX MOTH 2.3. “CUD
Page 13 and 14: CFC REPORT: SPHINX MOTH APPENDICES
Page 15 and 16: CFC REPORT: SPHINX MOTH rule iastor
Page 17 and 18: CFC REPORT: SPHINX MOTH 4.3. KERBER
Page 19: NAGRAVISION SA Route de Genève 22-

CFC REPORT SPHINX MOTH

Create successful ePaper yourself

Delete template?

Save as template?