Case study – CERT.SE's major fraud and hacking criminal case, B 8322-16

Refer to the case study at https://www.cert.se/2017/09/cert-se-tekniska-rad-med-anledning-av-det-aktuella-dataintrangsfallet-b-8322-16. The PCAP file can be downloaded from https://drive.google.com/open?id=0B7pTM0QU5apSdnF0Znp1Tko0ams. The case highlights the use of open source tools and notes that the infection took place after the targets received an email carrying a macro-enabled document. The attackers asked the victims to enable macros to view the content of the document and thereby gained a foothold on the target system. We will examine the PCAP from the network's point of view and highlight the information of interest.

Let's fire up NetworkMiner and get an overview of what happened:

If we sort the hosts by bytes, 37.28.155.22 is the top IP address. Let's view its details:

We can see that the system is Linux and, as mentioned, it has a TTL value of 64. The open ports on this system are 8081 and 445. Let's fire up Wireshark to investigate this IP:

We can see that 92% of the traffic belongs to 37.28.155.22 as highlighted in the preceding screenshot. Let's see some of the HTTP data:

Well! It looks as though the Empire framework has been used here. Let's confirm our suspicion by investigating one of the packets:

As we discussed earlier, and saw in NetworkMiner, the 37.28.155.22 IP is a Linux server with a TTL value of 64. The preceding request therefore does not make sense: the response claims the server is running Microsoft IIS 7.5, and the request carries the same signature as a Windows 7 client. The communication is from Empire. However, the attackers have modified some of the default pages, such as news.php and news.asp. We can also see encrypted data flowing:
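The three checks applied above (top talker by bytes, TTL-based OS guess against the Server header's claim, and Empire listener pages on a non-standard port) can be turned into reusable triage logic. This is an added example, not code from the book or from the CERT.SE report; the flow records, byte counts, the third IP address and the TTL-to-OS mapping are constructed assumptions that mirror the case.

```python
from collections import Counter

# Constructed sample flow records modelled on the case (not extracted from the PCAP):
# one record per HTTP exchange, TTL as observed on packets from the server.
FLOWS = [
    {"src": "195.200.72.148", "dst": "37.28.155.22", "dport": 8081, "ttl": 64,
     "uri": "/news.php", "server": "Microsoft-IIS/7.5", "bytes": 48210},
    {"src": "195.200.72.148", "dst": "37.28.155.22", "dport": 8081, "ttl": 64,
     "uri": "/news.asp", "server": "Microsoft-IIS/7.5", "bytes": 39977},
    {"src": "195.200.72.148", "dst": "198.51.100.10", "dport": 80, "ttl": 55,
     "uri": "/index.html", "server": "nginx", "bytes": 1800},
]

# Default initial TTLs used for the OS guess (assumption: Linux/Unix 64, Windows 128).
TTL_OS = {64: "Linux/Unix", 128: "Windows"}
# Pages seen in this case; extend with your own Empire listener fingerprints.
EMPIRE_PAGES = {"/news.php", "/news.asp"}


def guess_os(ttl):
    """Routers decrement TTL, so round up to the nearest default value."""
    for default in sorted(TTL_OS):
        if ttl <= default:
            return TTL_OS[default]
    return "unknown"


def top_talker(flows):
    """Return (destination IP, total bytes) for the busiest destination."""
    counts = Counter()
    for f in flows:
        counts[f["dst"]] += f["bytes"]
    return counts.most_common(1)[0]


def os_claim_mismatch(flow):
    """True when the Server header claims IIS but the TTL does not look like Windows."""
    return "IIS" in flow["server"] and guess_os(flow["ttl"]) != "Windows"


def suspicious(flow):
    """List the reasons a flow deserves analyst attention (empty list = clean)."""
    reasons = []
    if os_claim_mismatch(flow):
        reasons.append("Server header claims IIS but TTL %d suggests %s"
                       % (flow["ttl"], guess_os(flow["ttl"])))
    if flow["uri"] in EMPIRE_PAGES:
        reasons.append("URI %s matches a known Empire listener page" % flow["uri"])
    if flow["dport"] not in (80, 443):
        reasons.append("HTTP on non-standard port %d" % flow["dport"])
    return reasons


def triage(flows):
    """Return [(dst, dport, reasons)] for every flagged flow."""
    flagged = [(f["dst"], f["dport"], suspicious(f)) for f in flows]
    return [entry for entry in flagged if entry[2]]
```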

We just saw how tools such as Empire were used to commit a real-world crime, so it is always worth knowing the IOCs associated with them.

So to sum up this investigation, we have the following details:

  • C2 server IP: 37.28.155.22
  • C2 server Port: 8081
  • Infected system IP: 195.200.72.148
  • Infected system's port:
  • Actions performed by the attacker:
    • The attacker gained shell access to the system when the user executed a malicious document that contained macros (source: Case Study).
    • The attacker gained access via Empire on port 8081 of their C2 server (source: PCAP).
      • Time of the attack: Sep 14, 2017, 13:51:14.136226000 India Standard Time (packet arrival time)
      • Duration of the attack: 21 minutes+ (Capinfos/Statistics | Capture File Properties)