Hunters' Team AXON has uncovered and is actively monitoring an ongoing threat campaign dubbed "VEILDrive". First discovered during an investigation of malicious activity on a customer's infrastructure, VEILDrive leverages Microsoft's SaaS suite, specifically Teams, SharePoint, Quick Assist and OneDrive, to carry out its tactics. Notably, the threat actor uses a OneDrive-based Command & Control (C&C) method embedded in custom malware deployed in the compromised environments. Our analysis indicates a possible Russian origin for this campaign, and Team AXON has already alerted both Microsoft and the affected organizations to limit further exploitation.
Our investigation began in September 2024, following an incident response engagement at a critical infrastructure entity in the United States. VEILDrive's attack techniques differ markedly from typical threat behavior. They rely heavily on Microsoft's SaaS infrastructure to deliver spear-phishing messages and to host malicious software. This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses.
The malware associated with VEILDrive is a Java-based .jar file that notably lacks obfuscation, making it unusually readable and well structured. Despite its simplicity, the malware evaded detection by a top-tier Endpoint Detection and Response (EDR) tool and by every security engine on VirusTotal. This underscores a critical risk: even non-obfuscated, straightforward code can evade modern detection methods, which suggests a broader need to revisit detection strategies in high-risk environments.
This report offers insight into VEILDrive's methods and into the limitations of current detection approaches, so as to better equip the cybersecurity community against emerging threats.
In September 2024, Team AXON responded to an incident targeting a critical infrastructure company in the United States. The investigation uncovered a unique threat campaign, "VEILDrive", which exhibited uncommon tactics, techniques and procedures (TTPs) that diverged significantly from what is typically seen in similar incidents.
Based on our findings, we estimate that the VEILDrive campaign began in early August 2024 and remains active as of this report. By leveraging Microsoft SaaS services, including Teams, SharePoint, Quick Assist and OneDrive, the attacker used the trusted infrastructure of previously compromised organizations to deliver spear-phishing messages and to host malware. This cloud-centric strategy allowed the threat actor to evade detection by conventional monitoring systems.
Notably, VEILDrive introduced a novel OneDrive-based Command & Control (C&C) method embedded in Java-based malware deployed on the compromised devices. The malware itself, a .jar file, exhibits two surprising characteristics:
1. It is not obfuscated at all; the decompiled code is readable and well structured.
2. It nevertheless went undetected by a top-tier EDR and by all of the security engines on VirusTotal.
These characteristics emphasize that even without sophisticated evasion techniques, carefully crafted, non-obfuscated malware can bypass modern defenses. This research highlights a gap in current detection strategies and underscores the need for vigilance against less conventional attack methods.
Team AXON has shared its findings with Microsoft and with the affected organizations, providing actionable intelligence to mitigate this ongoing threat.
In early September 2024, one of Hunters' customers, referred to below as "Org C", engaged Team AXON for support in handling an active incident. The case centered on a specific device inside Org C that had been compromised through social engineering.
A suspiciously created scheduled task on an Org C employee's device triggered an alert, prompting further investigation. By correlating logs and interviewing the affected user, the team clarified the initial access method.
Below is an attack diagram providing a high-level overview of the attack flow:
The sequence of events unfolded as follows:
The malicious actor used Microsoft Teams to message four selected employees at Org C who, apart from holding non-technical roles, had no other apparent connection to one another. The attacker impersonated a member of the IT team and asked each employee for access to their device through the Quick Assist remote assistance tool.
Instead of using a newly created account for the impersonation, the attacker used a compromised user account belonging to a likely earlier victim, referred to here as "Org A".
M365 audit logs were used to identify the Microsoft Teams spear-phishing.
Multiple "MessageSent" and "ChatCreated" events were identified, all originating from the previously compromised Org A user controlled by the threat actor.
Although four employees were targeted, only one "MemberAdded" event involving the compromised Org A user was identified.
This observation is both interesting and significant: it reflects the growing prevalence of phishing over Microsoft Teams and similar communication tools. Distinguishing successful from failed phishing attempts with the M365 audit logs, together with correlation against EDR logs, can be extremely valuable to an investigation.
The Microsoft Teams messages received by the targeted Org C users were made possible by the Microsoft Teams "External Access" feature, which by default allows one-on-one communication with any external organization.
The attacker successfully persuaded the Org C victim to run the Microsoft Quick Assist tool and to hand over the access code via Microsoft Teams. This gave the threat actor interactive access to the victim's computer.
The threat actor then shared a download link to the SharePoint of a separate organization (this tenant was different from the one used for the Microsoft Teams phishing; we will call it 'Org B'). The link pointed to a password-protected .zip file named Client_v8.16L.zip, which contained various files, among them an additional RMM tool.
The file was downloaded, apparently interactively, by the attacker, who already had remote access and was operating under the context of explorer.exe, which allowed them to click the link and download tools as needed.
It is worth noting that during the investigation we correlated the M365 audit logs, which give precise information about the URLs embedded in Microsoft Teams messages, with EDR telemetry from the victim's host in order to fully understand the attacker's TTPs.
Multiple attempts at malicious hands-on activity were made over the remote access. These mainly involved persistence, such as creating a scheduled task to repeatedly execute one of the files the attacker had downloaded, the RMM tool LiteManager ("ROMServer.exe"):
schtasks /Create /TN "Perfomance monitoring" /SC MINUTE /TR C:\ProgramData\500000003\ROMServer.exe
Following the activities above, the actor manually downloaded another .zip file, named Cliento.zip.
As before, the link was shared in the conversation between the victim user and the threat actor. This .zip file contained the main .JAR malware along with an entire Java Development Kit used to execute it. Because the JDK was shipped next to the JAR rather than relying on a runtime already installed on the host, the javaw.exe path under C:\ProgramData is itself an anomaly worth hunting for.
The threat actor executed the .JAR malware with the following command line:
C:\ProgramData\Cliento\jdk-22_windows-x64_bin\jdk-22.0.2\bin\javaw.exe -jar C:\ProgramData\Cliento\Cliento.jar
Multiple network activities and command executions were identified under the context of the malicious .JAR file, including:
Multiple outbound DNS requests / network activity to → safeshift390-my.sharepoint.com
Multiple outbound DNS requests / network activity to → graph.microsoft.com
Multiple outbound DNS requests / network activity to → login.microsoftonline.com
Execution of local enumeration commands:
Systeminfo
net time
Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
{$_.interfacetype -eq "USB"} (only this fragment of the command line was captured)
The following image shows the main parts of the process tree associated with the malicious activity:
The attacker also added the malicious JAR binary as a Run key in the registry, for persistent execution of the Java malware.
Command line:
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "current" -Value "C:\ProgramData\Cliento\jdk-22_windows-x64_bin\jdk-22.0.2\bin\javaw.exe -jar C:\ProgramData\Cliento\Cliento.jar" -ErrorAction Stop
Containment and eradication of this incident were fast and effective, and based on the forensic evidence available to us there was no indication that the attacker managed to cause any significant damage to the victim host or to the organization.
Another important insight from the attack flow detailed above is that the attacker used several well-known and commonly used Microsoft services as part of the attack, both to blend in behind a legitimate appearance and, possibly, simply for convenience.
Let's quickly summarize the Microsoft services used by the threat actor so far in the following table:
Service | Tenant | Purpose
---|---|---
Microsoft Teams | From Org A to Org C | Spear-phishing messages to lure the victim into downloading and executing a remote management tool
Quick Assist | Org C | The threat actor sends a Quick Assist code in a Microsoft Teams message to gain initial remote control
SharePoint sharing | From Org B to Org C | Malicious files "hosted" in Org B's SharePoint tenant. Download links shared with Org C in the Teams conversation and opened by the attacker through Quick Assist
Graph API | From Org C to N/A | We had indications of malicious access to Microsoft Graph (graph[.]microsoft[.]com) initiated by the malicious cliento.jar
At this point we had identified the four Microsoft services/applications listed above. While we understood the purpose of the first three, the activity directed at the Graph API remained unexplained. We had several hypotheses about its possible purpose, but in incident response, hypotheses alone are not enough, are they?
To gather more information and better understand what the .JAR malware 'Cliento.jar' was doing in OneDrive/SharePoint, both to examine the actions the attacker may have taken and to gain insight into their intent, we proceeded with a full analysis of the malware.
We used the Java decompiler JD-GUI to decompile the Cliento.jar malware (which we nicknamed "ODC2").
From an initial high-level look at the malware, we could immediately correlate it with the PowerShell execution we had observed during the incident investigation. The reason is the bundled "jPowerShell" Java package, a Java wrapper for PowerShell.
In addition, we could see further packages such as "commands", "connection", "launcher" and "connect". This gave us a high-level understanding of the malware's structure.
We started with Main.class under the "launcher" package and found a set of hardcoded credentials used by the malware. This was slightly surprising, and very interesting.
By analyzing the malware further (as detailed in the full analysis below), we found that it used these credentials to authenticate to Entra ID on behalf of a user. To do so, a hardcoded refresh token is used together with a Client ID and Client Secret to request an access token.
That authentication allowed the malware to access the OneDrive of specific Entra ID users, in tenants presumably owned by the actor, and to abuse that access for C2 purposes.
In the main function of Main.class we can see the entry point itself, which starts multiple threads. It includes the execution of the "odThread1" and "mainThread1" functions.
"odThread1" executes the controller function "odRun", which receives the initial set of hardcoded credentials (refresh token, etc.) for authentication.
It uses the IP address "40.90.196.221" for the "odRun" connection setup.
The IP address "40.90.196.228" used by "Run" opens an HTTPS socket to the attacker's C2. This IP is also an Azure IP, and it is very likely a virtual machine. This C2 channel, as detailed below, is very "classic" and leads to PowerShell command execution.
To learn more about these IP addresses we checked known sources such as ipinfo.io and the Azure IP address Service Tags published by Microsoft, as shown in the screenshot below:
It is also worth mentioning that an additional hardcoded IP address found in this malware (38.180.136.85) appears to belong to a different service provider and is associated with hosting services. Based on our observations, this IP address was not actively used by the malware. We assume it was left over for legacy reasons (previous C2 infrastructure).
Digging a little into "mainThread1()", which executes the "ctrl.run()" function, we can see that run() attempts to establish a connection and continuously checks whether the connection is alive. It then attempts to "parseCommand", trimming empty parts from the input.
This "run" function uses "connect()" to set up or reset the connection. It creates a socket to the remote IP address we saw above, 40.90.196.228.
The "run" function uses "CommandManager", which contains handlers for the different command types and capabilities the malware offers, including file transfer from client to server and from server to client, file compression, screenshots, closing network connections and, of course, command execution.
It checks whether the received command is empty or whether a real command was received from the C2 server.
When a command is received, it is parsed and executed. Execution effectively takes place under the context of PowerShell.
Execution of the incoming command as a PowerShell command is done through the jPowerShell wrapper mentioned earlier.
Before delving into the core of the OneDrive C2 functionality, it is important to note that key parts of the malware code rely heavily on three specific 'types' of OneDrive files: UUID, cf_UUID and rf_UUID. As noted in our investigation, the command Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
was executed, revealing the device's hardware UUID. This unique identifier is what distinguishes each victim of the VEILDrive campaign.
Each file type plays a different role in the malware's operation. The following image gives examples of these files and their initial content when the malware starts.
Let's dive into the OneDrive C2 workflow and how those UUID files are used in practice:
In addition to the classic remote execution capability over PowerShell, the "odRun" function is responsible for another thread that relies on "OneDrive" as its communication channel. This is the unique part of this malware.
"odRun", as we see it, is probably named after "OneDrive" (OneDriveRun), and its first step is to create the OneDrive connection through the "Odconnect" function:
As you can see, the "machineUUID" string is first initialized as an empty string. This is followed by execution of the "getMachineUUID()" function which, as its name suggests, retrieves the Machine UUID of the victim device:
Afterwards we can see that the OneDrive connection is established through the "OdConnect" function: a connection is made to "login[.]microsoftonline[.]com" to obtain or renew a fresh set of access and refresh tokens.
"checkFile": this function checks whether a file whose name equals machineUUID exists in the home folder of the current OneDrive user.
A OneDrive file named with the device's machineUUID (without any prefix).
The content of the cf_machineUUID file is executed.
This is followed by another write to OneDrive through "writeFileToOneDrive", this time of a file named "rf_" + machineUUID, with the output of the execution as its content.
A further call to "writeFileToOneDrive" writes an empty "cf_" file, which effectively prevents re-execution of the same command (since the malware runs in a loop).
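The OneDrive exchange described above, as an added simulation that is not code from the report or from the malware: the actor's OneDrive root is replaced by an in-memory dictionary so the protocol can be run offline, the function names checkFile/writeFileToOneDrive mirror the ones quoted above, and fake_powershell returns constructed canned output in place of the jPowerShell wrapper. The Graph calls named in the comments are the standard OneDrive item-content endpoints the real implant would need; the machine UUID, host name and command outputs are constructed for the example.

```python
"""Simulation of the VEILDrive OneDrive C2 file protocol (added illustration).

The real implant exchanges a hardcoded refresh token plus client id/secret for an
access token at login.microsoftonline.com and then talks to Microsoft Graph. Here
the actor's OneDrive root is a plain dict. File names follow the scheme described
in the report: <uuid> (victim marker), cf_<uuid> (command), rf_<uuid> (result).
"""
from typing import Callable, Dict, List, Optional

Drive = Dict[str, str]  # file name -> content; stands in for the OneDrive home folder

# Graph primitives the real implant would use for each helper (comments only):
#   read  : GET /me/drive/root:/<name>:/content
#   write : PUT /me/drive/root:/<name>:/content
#   list  : GET /me/drive/root/children


def check_file(drive: Drive, name: str) -> bool:
    """'checkFile': does a file with exactly this name exist in the drive root?"""
    return name in drive


def write_file_to_onedrive(drive: Drive, name: str, content: str) -> None:
    """'writeFileToOneDrive': create or overwrite a file (a PUT in Graph terms)."""
    drive[name] = content


def implant_poll(drive: Drive, machine_uuid: str, execute: Callable[[str], str]) -> Optional[str]:
    """One iteration of the implant's OneDrive loop.

    1. register the victim by creating an empty <uuid> file if it is missing
    2. read cf_<uuid>; an empty or missing command file means nothing to do
    3. run the command and write its output to rf_<uuid>
    4. blank cf_<uuid> so the same command is not run again on the next pass
    Returns the command that was executed, or None when idle.
    """
    if not check_file(drive, machine_uuid):
        write_file_to_onedrive(drive, machine_uuid, "")
    command = drive.get("cf_" + machine_uuid, "").strip()
    if not command:
        return None
    write_file_to_onedrive(drive, "rf_" + machine_uuid, execute(command))
    write_file_to_onedrive(drive, "cf_" + machine_uuid, "")
    return command


# ---- operator side: what the actor does against the same drive -------------
def operator_task(drive: Drive, machine_uuid: str, command: str) -> None:
    """Queue a command for one victim by writing its cf_ file."""
    write_file_to_onedrive(drive, "cf_" + machine_uuid, command)


def operator_result(drive: Drive, machine_uuid: str) -> Optional[str]:
    """Collect the victim's last output from its rf_ file."""
    return drive.get("rf_" + machine_uuid)


def list_victims(drive: Drive) -> List[str]:
    """Every file without a cf_/rf_ prefix is a registered victim UUID."""
    return sorted(n for n in drive if not n.startswith(("cf_", "rf_")))


def fake_powershell(command: str) -> str:
    """Stand-in for the jPowerShell wrapper: constructed canned outputs only."""
    canned = {"hostname": "WS-EXAMPLE-01", "net time": "Current time is 10/1/2024 9:00:00 AM"}
    return canned.get(command, f"<<no canned output for {command!r}>>")


MACHINE_UUID = "4C4C4544-0031-3510-8052-B2C04F4E5331"  # constructed, not a real victim


def demo() -> Drive:
    """Run one register / task / execute / collect cycle and return the drive state."""
    drive: Drive = {}
    implant_poll(drive, MACHINE_UUID, fake_powershell)   # first beacon: creates <uuid>
    operator_task(drive, MACHINE_UUID, "hostname")        # actor drops cf_<uuid>
    implant_poll(drive, MACHINE_UUID, fake_powershell)   # runs it, writes rf_, blanks cf_
    return drive


if __name__ == "__main__":
    for name, content in demo().items():
        print(f"{name:42s} -> {content!r}")
```

The detection angle follows from the protocol itself: every poll is a Graph read of a file named after the host's own SMBIOS UUID, and every tasking leaves a cf_/rf_ pair in an external tenant's OneDrive, so file names of that shape in Graph traffic, or a WMI query for Win32_ComputerSystemProduct right before Graph activity, are the observable seams.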
To summarize briefly, this malware has two distinct C2 channels it can operate over:
HTTPS socket C2: the very classic method, receiving commands from a remote Azure VM and executing them under the context of PowerShell.
OneDrive-based C2: quite unique, and the way it works is fairly elaborate and creative. It involves three different files, all named with the victim device's UUID, two of them with prefixes (rf_ and cf_). It lets the threat actor send commands and collect their output through Microsoft Graph.
Note: it is important to mention that this malware has capabilities beyond plain command execution, including file transfer. The detailed analysis above, however, focused on the command-execution side only.
At this point it is clear that this attack skillfully combined simple techniques with sophisticated, unique tactics. Another feature that stood out from our initial investigation was the extensive use of Microsoft infrastructure and services woven through the whole campaign.
After analyzing the malware and correlating the new information with our investigation findings, we gained a clear understanding of the attacker's use of the various services and of their purposes. It turned out that the use of Microsoft services and infrastructure was even more extensive than initially observed.
See the table below for a brief summary:
Service | Tenant | Purpose
---|---|---
Microsoft Teams | From Org A to Org C | Spear-phishing messages to lure the victim into downloading and executing a remote management tool
Quick Assist | Org C | The threat actor sends a Quick Assist code in a Microsoft Teams message to gain initial remote control
SharePoint sharing | From Org B to Org C | Malicious files "hosted" in Org B's SharePoint tenant. Download links shared with Org C in the Teams conversation and opened by the attacker through Quick Assist
Azure VM | Attacker's infrastructure | The malware communicated with an Azure Virtual Machine owned by the threat actor for HTTPS socket C2
OneDrive (Graph API) | Between the attacker's OneDrive and the Org C victim(s) | The threat actor used OneDrive as an additional C2 channel, gaining capabilities such as remote command execution, screenshots, file download/upload and more against the Org C victim(s)
Azure AD application registration | Between the attacker's OneDrive and the Org C victim(s) | The application was used to authenticate on behalf of an actor-owned Azure AD user account and to access that account's OneDrive home folder
GUIDs:
C5f077f6-5f7e-41a3-8354-8e31d50ee4d
893e5862-3e08-434b-9067-3289bec85f7d
B686e964-b479-4ff5-bef6-e360321a9b65
2c73cab1-a8ee-4073-96fd-38245d976882
Tenants:
SafeShift390[.]onmicrosoft[.]com
GreenGuard036[.]onmicrosoft[.]com
File hashes (SHA-256):
a515634efa79685970e0930332233aee74ec95aed94271e674445712549dd254
1040aede16d944be8831518c68edb14ccbf255feae3ea200c9401186f62d2cc4
7f61ff9dc6bea9dee11edfbc641550015270b2e8230b6196e3e9e354ff39da0e
d6af24a340fe1a0c6265399bfb2823ac01782e17fc0f966554e01b6a1110473f
7f33398b98e225f56cd287060beff6773abb92404afc21436b0a20124919fe05
IP addresses (the 40.90.196.x addresses are in Azure space, as discussed above, and cloud addresses can be reassigned):
40.90.196[.]221
40.90.196[.]228
38.180.136[.]85
213.87.86[.]192
In addition to the specific IOCs listed above, we wrote several threat-hunting queries that can be used to uncover attacks by the same actor, attacks carried out under the same campaign, or attacks sharing similar characteristics (TTPs).
Note: the recommended hunting timeframe for VEILDrive is from July 2024 onwards.
Query logic: during our analysis we noticed that the attacker's Remote Access Tool (RAT) used PowerShell to fetch the machine UUID as part of its execution flow. This query surfaces unusual PowerShell processes spawned from javaw.exe with the specific command-line flags used by the threat actor.
Query:
```sql
SELECT EVENT_TIME, AGENT_ID,
       PARENT_PROCESS_NAME, PARENT_PROCESS_COMMANDLINE,
       INITIATING_PROCESS_NAME, INITIATING_PROCESS_COMMANDLINE,
       TARGET_PROCESS_NAME, TARGET_PROCESS_COMMANDLINE, TARGET_PROCESS_OS_PID
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE 1=1
  AND PARENT_PROCESS_NAME ILIKE '%javaw%'
  AND INITIATING_PROCESS_NAME ILIKE '%cmd%'
  AND TARGET_PROCESS_NAME ILIKE '%powershell%'
  AND TARGET_PROCESS_COMMANDLINE ILIKE 'powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile %'
  AND EVENT_TIME > current_timestamp - interval '60d'
```
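The same chain as the query above, as an added Python illustration rather than Hunters' code or their query engine: it rebuilds the process tree from a few constructed EDR process-creation records and flags PowerShell launched through cmd.exe from a javaw.exe that was started with -jar, using the flag set the report observed. The record fields (pid, ppid, name, cmdline) and all sample events are assumptions made for the example.

```python
"""Process-tree check for the javaw.exe -> cmd.exe -> powershell.exe chain
(added example; constructed EDR records, not real telemetry)."""
from typing import Dict, List

# Constructed sample of EDR process-creation events.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "name": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "name": "javaw.exe",
     "cmdline": "C:\\ProgramData\\Cliento\\jdk-22_windows-x64_bin\\jdk-22.0.2\\bin\\javaw.exe "
                "-jar C:\\ProgramData\\Cliento\\Cliento.jar"},
    {"pid": 300, "ppid": 200, "name": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile"},
    {"pid": 400, "ppid": 300, "name": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile"},
    # benign noise: an IDE's own JVM running a build script directly
    {"pid": 500, "ppid": 1,   "name": "javaw.exe",      "cmdline": "javaw.exe -jar idea.jar"},
    {"pid": 600, "ppid": 500, "name": "powershell.exe", "cmdline": "powershell.exe -NoProfile -File build.ps1"},
]

# Flag set seen in VEILDrive; compared case-insensitively like the ILIKE in the query.
SUSPICIOUS_PREFIX = "powershell.exe -executionpolicy bypass -noexit -noprofile"


def find_jar_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Return each powershell.exe event whose parent is cmd.exe, whose grandparent is a
    javaw.exe started with -jar, and whose command line starts with SUSPICIOUS_PREFIX.
    TARGET = powershell, INITIATING = cmd, PARENT = javaw in the query's terms."""
    procs = {e["pid"]: e for e in events}
    hits: List[Dict] = []
    for ev in events:
        if ev["name"].lower() != "powershell.exe":
            continue
        if not ev["cmdline"].lower().startswith(SUSPICIOUS_PREFIX):
            continue
        parent = procs.get(ev["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if (parent and parent["name"].lower() == "cmd.exe"
                and grand and grand["name"].lower() == "javaw.exe"
                and " -jar " in grand["cmdline"].lower()):
            hits.append({"pid": ev["pid"], "jar": grand["cmdline"], "powershell": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_jar_powershell_chains(EVENTS):
        print(f"pid {hit['pid']}: {hit['powershell']}  <= {hit['jar']}")
```

Any Java application that embeds jPowerShell is likely to produce the same PowerShell launch line, so the discriminating part of the rule is the -jar grandparent (and, in this campaign, its location under C:\ProgramData), not the flags on their own.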
Query logic: this query surfaces scheduled-task registration events whose action executes the ROMServer tool the threat actor used for persistence.
Query:
```sql
SELECT EVENT_TIME AS EVENT_TIME,
       AID AS AGENT_ID,
       CID AS COMPUTER_ID,
       EVENT_SIMPLE_NAME AS EVENT_NAME,
       RAW:TaskName AS TASK_NAME,
       RAW:TaskExecCommand AS TASK_EXEC_COMMAND,
       RAW:TaskAuthor AS TASK_AUTHOR,
       RAW:UserName AS USER_NAME   -- Adjust according to your EDR of choice
FROM RAW.CROWDSTRIKE_RAW_EVENTS
WHERE EVENT_SIMPLE_NAME = 'ScheduledTaskRegistered'
  AND TASK_EXEC_COMMAND ILIKE '%romserver%'
  AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'
```
Query logic: this query surfaces Teams messages sent by external users that carry SharePoint links pointing at a tenant other than the sender's own organization (and other than yours), the pattern used here to deliver Client_v8.16L.zip from Org B's SharePoint through an Org A account.
Query:
```sql
SET YOUR_ORGANIZATION_NAME = 'hunters';

SELECT EVENT_TIME,
       ORGANIZATION_ID AS ORG_ID,
       OPERATION AS EVENT_TYPE,
       SPLIT_PART(LOWER(SPLIT_PART(USER_ID, '@', 2)), '.', 1) AS SENDER_ORG_DOMAIN,
       RECORD_SPECIFIC_DETAILS:message_ur_ls AS MESSAGE_URLS,
       WORKLOAD AS WORKLOAD,
       USER_ID AS USER_ID,
       RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
       RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
       RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME,
       RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN,
       RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS,
       RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
       RECORD_SPECIFIC_DETAILS
FROM RAW.O365_AUDIT_LOGS
WHERE NOT USER_ID ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
  AND (NOT (MESSAGE_URLS ILIKE '%' || SENDER_ORG_DOMAIN || '%') AND MESSAGE_URLS ILIKE '%sharepoint%')
  AND NOT MESSAGE_URLS ILIKE '%' || $YOUR_ORGANIZATION_NAME || '%'
  AND EVENT_TIME > CURRENT_TIMESTAMP - interval '60d'
```
Query logic: the following query surfaces one-on-one chat activity initiated by external users from uncommon domains. It filters out heavily used domains based on historical activity and then identifies external members added to chats who may be running phishing attempts.
Query:
```sql
SET YOUR_DOMAIN_NAME = 'hunters';

-- External Teams and OneDrive users of the last 3 months, used to exclude extensively used domains
WITH COMMONLY_USED_DOMAINS AS (
    SELECT LOWER(SPLIT_PART(USER_ID, '@', 2)) AS DOMAIN_COMMONLY_USED,
           MIN(EVENT_TIME) AS MIN_EVENT_TIME,
           MAX(EVENT_TIME) AS MAX_EVENT_TIME,
           ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
           COUNT(*) AS COUNTER
    FROM RAW.O365_AUDIT_LOGS
    WHERE WORKLOAD IN ('MicrosoftTeams', 'OneDrive')
      AND EVENT_TIME > CURRENT_TIMESTAMP - interval '90d'
      AND USER_ID ILIKE '%@%'
    GROUP BY DOMAIN_COMMONLY_USED
    HAVING COUNTER > 20
),
-- External users/domains that recently communicated with our organization over Microsoft Teams
LATEST_EXTERNAL_DOMAINS AS (
    SELECT USER_ID AS LATEST_EXT_USERS,
           LOWER(SPLIT_PART(USER_ID, '@', 2)) AS USER_DOMAIN,
           MIN(EVENT_TIME) AS MIN_EVENT_TIME,
           MAX(EVENT_TIME) AS MAX_EVENT_TIME,
           ARRAY_AGG(DISTINCT OPERATION) AS OPERATIONS,
           ARRAY_AGG(DISTINCT RECORD_SPECIFIC_DETAILS:communication_type) AS COMMUNICATION_TYPE,
           COUNT(*) AS COUNTER
    FROM RAW.O365_AUDIT_LOGS
    WHERE EVENT_TIME > CURRENT_TIMESTAMP - interval '50d'
      AND NOT USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
      AND NOT USER_ID IN ('app@sharepoint')
      AND USER_ID ILIKE '%@%'
      -- Clean-up of extensively used domains
      AND USER_DOMAIN NOT IN (SELECT DISTINCT DOMAIN_COMMONLY_USED FROM COMMONLY_USED_DOMAINS)
      AND OPERATION IN ('MemberAdded', 'ChatCreated')
      AND RECORD_SPECIFIC_DETAILS:communication_type = 'OneOnOne'
    GROUP BY USER_ID
    HAVING COUNT(*) > 5
)
SELECT EVENT_TIME,
       ORGANIZATION_ID AS ORG_ID,
       WORKLOAD AS WORKLOAD,
       OPERATION AS OPERATION,
       USER_ID AS USER_ID,
       LOWER(SPLIT_PART(USER_ID, '@', 2)) AS USER_DOMAIN,
       RECORD_SPECIFIC_DETAILS:chat_thread_id AS CHAT_THREAD_ID,
       RECORD_SPECIFIC_DETAILS:communication_type AS COMMUNICATION_TYPE,
       RECORD_SPECIFIC_DETAILS:members[0].DisplayName AS MEMBER_DISPLAY_NAME_0,
       RECORD_SPECIFIC_DETAILS:members[0].UPN AS MEMBER_UPN_0,
       RECORD_SPECIFIC_DETAILS:members[0] AS MEMBERS_0,
       RECORD_SPECIFIC_DETAILS:members[1].DisplayName AS MEMBER_DISPLAY_NAME_1,
       RECORD_SPECIFIC_DETAILS:members[1].UPN AS MEMBER_UPN_1,
       RECORD_SPECIFIC_DETAILS:members[1] AS MEMBERS_1,
       RECORD_SPECIFIC_DETAILS:resource_tenant_id AS RESOURCE_TENANT_ID,
       RECORD_SPECIFIC_DETAILS,
       RAW:ClientIP AS CLIENT_IP
FROM RAW.O365_AUDIT_LOGS
WHERE 1=1
  AND RECORD_SPECIFIC_DETAILS:communication_type = 'OneOnOne'
  AND (
        RECORD_SPECIFIC_DETAILS:members[0].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
     OR RECORD_SPECIFIC_DETAILS:members[1].UPN IN (SELECT LATEST_EXT_USERS FROM LATEST_EXTERNAL_DOMAINS)
  )
  AND USER_ID ILIKE '%' || $YOUR_DOMAIN_NAME || '%'
  AND OPERATION = 'MemberAdded'
  AND EVENT_TIME > CURRENT_TIMESTAMP - interval '50d';
```
Detailed query logic: since this query is a little complex, here is an explanation of its logic. First, we use Snowflake's CTE feature to build two views:
COMMONLY_USED_DOMAINS: every sender domain seen in Teams or OneDrive audit events over the last 90 days with more than 20 events, i.e. partners and vendors your users talk to routinely. These domains are excluded from the rest of the query to cut noise.
LATEST_EXTERNAL_DOMAINS: external users (not from a commonly used domain, and not the app@sharepoint service identity) who, over the last 50 days, created or were added to more than five one-on-one Teams chats, which is the one-to-many chat pattern a phishing spray produces.
Finally, we retrieve the full details of the user and their associated domain by selecting MemberAdded events performed by our own users whose chat members include one of the external users returned by LATEST_EXTERNAL_DOMAINS.
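The logic of the last two queries run over a handful of constructed O365 audit records, as an added Python example that is neither Hunters' code nor their Snowflake schema: foreign_sharepoint_links mirrors the SharePoint-link check, and rare_external_member_adds mirrors the two CTEs plus the final MemberAdded selection. The organization label, the reference time, all user principal names, domains and URLs are assumptions made up for the sample; the count thresholds match the queries above.

```python
"""Teams audit-log hunting logic over constructed records (added example)."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

OUR_ORG = "orgc"                            # assumption: plays the role of $YOUR_ORGANIZATION_NAME
NOW = datetime(2024, 10, 1)                 # constructed reference time instead of CURRENT_TIMESTAMP
ATTACKER = "it-helpdesk@orga.example"       # constructed external sender (an "Org A" style account)


def rec(op: str, user: str, days_ago: int, urls: str = "", ctype: str = "",
        members: Tuple[str, ...] = (), workload: str = "MicrosoftTeams") -> Dict:
    """Build one audit record carrying only the fields the queries read."""
    return {"Operation": op, "UserId": user, "EventTime": NOW - timedelta(days=days_ago),
            "MessageURLs": urls, "CommunicationType": ctype,
            "Members": list(members), "Workload": workload}


# Constructed sample: a chat spray plus a foreign SharePoint link from a quiet domain,
# next to a busy, legitimate partner domain that must not be flagged.
RECORDS: List[Dict] = (
    [rec("ChatCreated", ATTACKER, 10, ctype="OneOnOne") for _ in range(6)]
    + [rec("MemberAdded", "alice@orgc.example", 10, ctype="OneOnOne",
           members=(ATTACKER, "alice@orgc.example"))]
    + [rec("MessageSent", ATTACKER, 10,
           urls="https://orgb-example-my.sharepoint.com/:u:/g/personal/x/Client_v8.16L.zip")]
    + [rec("ChatCreated", "bob@partner.example", d, ctype="OneOnOne") for d in range(25)]
    + [rec("MessageSent", "bob@partner.example", 3, urls="https://partner.sharepoint.com/sites/roadmap")]
    + [rec("MemberAdded", "carol@orgc.example", 3, ctype="OneOnOne",
           members=("bob@partner.example", "carol@orgc.example"))]
)


def domain(upn: str) -> str:
    return upn.split("@", 1)[1].lower()


def org_label(upn: str) -> str:
    """First DNS label of the sender's domain, like SPLIT_PART(..., '.', 1)."""
    return domain(upn).split(".")[0]


def is_external(upn: str, our_org: str) -> bool:
    """Same test as NOT USER_ID ILIKE '%<org>%'."""
    return our_org not in upn.lower()


def foreign_sharepoint_links(records: List[Dict], our_org: str) -> List[Tuple[str, str]]:
    """SharePoint links sent by external users that name neither the sender's tenant nor ours."""
    hits = []
    for r in records:
        if r["Operation"] != "MessageSent" or not is_external(r["UserId"], our_org):
            continue
        url = r["MessageURLs"].lower()
        if "sharepoint" in url and org_label(r["UserId"]) not in url and our_org not in url:
            hits.append((r["UserId"], r["MessageURLs"]))
    return hits


def rare_external_member_adds(records: List[Dict], our_org: str,
                              common_min: int = 20, spray_min: int = 5) -> List[Dict]:
    """Two passes like the CTEs: drop domains with > common_min events in 90 days, keep external
    users with > spray_min one-on-one ChatCreated/MemberAdded events in 50 days, then return
    MemberAdded events by our own users whose chat includes one of those external users."""
    recent90 = [r for r in records if r["EventTime"] > NOW - timedelta(days=90)
                and r["Workload"] in ("MicrosoftTeams", "OneDrive")]
    common = {d for d, n in Counter(domain(r["UserId"]) for r in recent90).items() if n > common_min}
    recent50 = [r for r in records if r["EventTime"] > NOW - timedelta(days=50)]
    spray = Counter(r["UserId"] for r in recent50
                    if is_external(r["UserId"], our_org) and domain(r["UserId"]) not in common
                    and r["Operation"] in ("MemberAdded", "ChatCreated")
                    and r["CommunicationType"] == "OneOnOne")
    suspects = {u for u, n in spray.items() if n > spray_min}
    return [r for r in recent50
            if r["Operation"] == "MemberAdded" and not is_external(r["UserId"], our_org)
            and r["CommunicationType"] == "OneOnOne" and any(m in suspects for m in r["Members"])]


if __name__ == "__main__":
    print(foreign_sharepoint_links(RECORDS, OUR_ORG))
    print([(r["UserId"], r["Members"]) for r in rare_external_member_adds(RECORDS, OUR_ORG)])
```

The partner domain in the sample is dropped by the 90-day frequency filter even though it opens many one-on-one chats, which is the point of the first CTE; tune common_min and spray_min to your tenant's baseline before relying on the rule.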
We have covered hunting and investigation aspects for several of the attack techniques used by the actor. Some of these malicious methods and techniques are also known to be used across other campaigns.
Protecting your organization against them can significantly reduce the risk of successful attacks against the different parts of your organizational infrastructure.
A few Hygiene Nuggets that can be applied to improve your security posture are:
VEILDrive combines simplicity with complexity. It was interesting to see classic C2 characteristics side by side with C2 over OneDrive, and classic scheduled-task persistence combined with the execution of malware that a top-tier EDR did not detect.
The characteristics identified during the investigation and threat research were fascinating, and they allowed us to better understand how this threat actor operates, which well-known services it abuses, how it abuses them and for what purpose.
The way OneDrive was abused for C2 communication in VEILDrive had unique characteristics. The general idea of abusing OneDrive for C2, however, has been on the rise in recent months and is something to keep in mind.
Initial access through spear-phishing on communication platforms such as Microsoft Teams, Slack and similar services is becoming increasingly common.
We expect it to become even more common over time. Hygiene and hardening measures on this front (as listed in the Hygiene Nuggets above) are therefore very important.
Remote management tools are already very popular with threat actors. Several approaches can reduce the likelihood of unauthorized access through such tools; in our view the recommended approach here is allow-listing combined with strict monitoring.
We expect many more campaigns of this kind to emerge, using similar methods and characteristics. Continuous monitoring and proactive threat hunting for this type of threat are therefore highly recommended.
To stay up to date with threat-hunting research, activities and queries, follow Team Axon's X/Twitter account (@team__axon).