401 – Threat Analysis
Objectives
- Demonstrate skills related to analyzing a campaign.
Background: This challenge builds on 400. It is important to be able to recognize individual intrusions as linked when they are part of a larger campaign. The Cyber Kill Chain, developed by Lockheed Martin analysts, is useful for analyzing intrusions and identifying the links between them that define an adversary campaign. The ICS Cyber Kill Chain was developed by members of the SANS ICS team to analyze identified ICS-related campaigns.
Questions
- What was the campaign associated with the previously identified piece of malware?
- Using open source information about the campaign, map the campaign's stages to the ICS Cyber Kill Chain's steps and stages. Not all phases will be represented; as an example, the campaign had no observable Reconnaissance. Provide an original sentence or two about each step discussing the observed activity.
Answers
- The Havex malware is associated with more than one campaign name: Dragonfly, Energetic Bear and Crouching Yeti. Which name is used depends on which antivirus company was observing it. The one in our example appears to have been compiled in November of 2013, judging by the time stamp on VirusTotal. That doesn't mean that it was made in 2013: a compile time stamp dates the sample, not the campaign, and these campaigns typically reuse malware.
- There were actually three different known intrusion types for Havex. I think that it's the first one, based on the mutexes that I found. One mutex was associated with an exploited Flash Player vulnerability. I also found a mutex associated with an e-mail worm.
First Havex Intrusion:
Stage 1: Cyber Intrusion Preparation and Execution
Planning:
Reconnaissance: None observed. Just because reconnaissance wasn't observed doesn't mean that it didn't happen. Targets were sent spear-phishing e-mails, so the adversary had to identify those recipients beforehand.
Preparation
Weaponization: They attached a malicious file to a spear-phishing e-mail.
Targeting: The target was the ICS environment used by the people who received the spear-phishing e-mails.
Cyber Intrusion:
Delivery: The delivery mechanism was a malicious e-mail attachment.
Exploit: When the user opened the file, the exploit ran on the system. The file was a PDF with an embedded exploit for an Adobe Flash Player vulnerability.
Install: A Remote Access Trojan (RAT) is installed that allows the adversary to connect remotely to the device and issue commands.
Modify: The malware modifies existing DLLs by placing API hooks in them, modifies registry keys, and adds autorun entries so that the malicious process starts when the machine boots.
Management and Enablement:
C2: The malware gathers information about the ICS devices on the network and sends it to command-and-control (C2) servers. The C2 servers instruct the malware to download and execute further components. It uses existing COM interfaces to connect to specific services.
Sustainment, Entrenchment, Development and Execution:
Act: It scans the network for ICS-connected devices, gathers information about them, and exfiltrates that information to the command-and-control server.
Stage 2: ICS Attack
In this particular campaign, ICS Attacks have not been observed.
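The Act stage above is the one a defender is most likely to see on the wire. Public analyses of the Havex ICS-scanning component describe it enumerating OPC servers over DCOM, whose endpoint mapper listens on TCP 135, so one host suddenly connecting to many peers on that port is a usable detection. The following is an added example, not code from the original writeup or from any of the cited reports: a small flow-log detector that flags a source reaching an unusual number of distinct hosts on TCP 135 inside a sliding time window. The flow records, the five-host threshold and the five-minute window are all constructed for illustration and would need tuning to a real network.

```python
"""Flag hosts that fan out to many peers on the DCOM endpoint mapper port (TCP 135),
the traffic pattern an OPC/DCOM enumeration sweep such as Havex's ICS scan produces.
Added example: sample flows, threshold and window are constructed, not from a real capture."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "<iso-timestamp> <src> <dst> <dport>", one per line.
# 10.10.5.23 sweeps six hosts in four seconds (scanner),
# 10.10.5.40 touches six hosts but fifteen minutes apart (normal RPC use),
# 10.10.5.50 touches only two hosts.
SAMPLE_FLOWS = """\
2014-05-12T10:00:01 10.10.5.23 10.10.7.10 135
2014-05-12T10:00:02 10.10.5.23 10.10.7.11 135
2014-05-12T10:00:02 10.10.5.23 10.10.7.12 135
2014-05-12T10:00:03 10.10.5.23 10.10.7.13 135
2014-05-12T10:00:04 10.10.5.23 10.10.7.14 135
2014-05-12T10:00:05 10.10.5.23 10.10.7.15 135
2014-05-12T10:00:05 10.10.5.23 10.10.7.15 445
2014-05-12T10:01:00 10.10.5.40 10.10.7.10 135
2014-05-12T10:15:00 10.10.5.40 10.10.7.11 135
2014-05-12T10:30:00 10.10.5.40 10.10.7.12 135
2014-05-12T10:45:00 10.10.5.40 10.10.7.13 135
2014-05-12T11:00:00 10.10.5.40 10.10.7.14 135
2014-05-12T11:15:00 10.10.5.40 10.10.7.15 135
2014-05-12T10:02:00 10.10.5.50 10.10.7.10 135
2014-05-12T10:02:01 10.10.5.50 10.10.7.11 135
"""

DCOM_PORT = 135                      # RPC/DCOM endpoint mapper
MIN_DISTINCT_HOSTS = 5               # assumed threshold for this example
WINDOW = timedelta(minutes=5)        # assumed sliding window for this example


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_dcom_scanners(flows, port=DCOM_PORT, min_hosts=MIN_DISTINCT_HOSTS, window=WINDOW):
    """Return {src: peak_distinct_destinations} for every source whose number of distinct
    destinations on `port` within any `window`-long interval reaches `min_hosts`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        in_window = defaultdict(int)       # dst -> number of events inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window behind the current one.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, count in find_dcom_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible DCOM/OPC sweep from {src}: {count} distinct hosts on TCP {DCOM_PORT}")
```

The detector only counts distinct destinations, so a busy engineering workstation that legitimately talks to the same handful of OPC servers all day does not trip it, while a host walking the subnet does. In a real deployment the flow source would be NetFlow, Zeek `conn.log` or firewall logs, and the threshold should be set from a baseline of the plant network's normal RPC fan-out.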
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
http://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html
Walkthrough (Show How You Got Your Answers)
- I analyzed the memory image using Volatility and VirusTotal. I located evidence that appeared to support my conclusion. I looked for other evidence of compromise as well, to make certain that my conclusion was correct.
- I used the evidence gathered and my favorite search engine to search for the ICS kill chain's steps and stages, as well as a description of each step and stage. Then I simply added the appropriate information to each step and stage as I understood it.