Phishing documents use the Windows Installer object to deploy a hidden Lua-based backdoor

Intelligence Background

As the conflict between Russia and Ukraine continues to escalate, Proofpoint observed a threat actor using compromised email accounts belonging to members of the Ukrainian armed forces to distribute macro-enabled XLS documents in phishing attacks against European government personnel. The macro code in this campaign uses the Windows Installer COM object to download an MSI package, which in turn installs a backdoor written in Lua in a very unusual way.

| Organization Name | UNC1151 |
|---|---|
| Associated organizations | Ghostwriter |
| Tactics Tag | Phishing |
| Technical Tags | VBA, MSI, Lua |
| Intelligence Sources | https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails |

**01** Attack technical analysis

Overall attack process:

1. Compromised personal email accounts distribute XLS documents containing macro code.

2. When the document is opened and macros are enabled, the macro connects to an attacker-controlled address.

3. The malicious MSI installation package is downloaded from that address.

4. The MSI package first drops the dependency files needed to execute Lua scripts, creating a Lua runtime environment, and drops an LNK file into the user's Startup folder for persistence.

5. At the next user logon (the Startup folder is processed at logon), the LNK launches the Lua interpreter to run the Lua script that contains the malicious code.

6. The malicious Lua script obtains the serial number of the C: drive, contacts the attacker's C2 address every two seconds, and executes whatever follow-on requests the attacker issues.


1.1 Unique macro code: the Windows Installer object

In step 2 of the attack process, when the victim opens the malicious document and enables macro execution, a short but unusual macro runs. The macro creates a Windows Installer COM object (WindowsInstaller.Installer, implemented by msi.dll; the installation itself is carried out by the Windows Installer service, msiexec.exe). Through this object it asks Windows Installer to fetch and install the malicious MSI package from an attacker-controlled IP address.

By setting the object's UILevel property to 2 (msiUILevelNone), the installation runs completely silently: no installation prompt and no progress interface is shown to the user.

The InstallProduct method of the Installer object accepts a URL as the package path. Windows Installer downloads the MSI into its local cache and then installs it exactly as it would a locally sourced package. Since the attacker uses an MSI package as the installer for the subsequent Lua-based malware, a macro document delivered by phishing is a perfect fit.

Phishing with macro documents is very common, but this time the attacker used a rarely seen legitimate object, Windows Installer, to deploy the backdoor. Judging by its effect the method is very convenient: it needs very little macro code or observable behaviour to hand the attack chain from Office over to the MSI, and because the install is performed by the Windows Installer service rather than by a process spawned directly from Excel, detections keyed on Office spawning child processes do not fire. As long as endpoint security software does not restrict Windows Installer activity initiated from macro code, this legitimate object can be used to move into the next stage of the attack. It is both more effective and more covert.
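The telemetry this chain leaves behind is what a defender wants to key on: Excel loading msi.dll (the COM object is instantiated in-process), the Windows Installer service rather than Excel opening the outbound connection, and the Application log's MsiInstaller event 1040, which records the package path and therefore the URL. The following is an added example (not code from the original page or from Proofpoint) that runs those three checks over constructed event records in Sysmon and MsiInstaller shape; the field names, the 203.0.113.10 placeholder address and the package name are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Event:
    source: str          # "Sysmon" or "MsiInstaller" (Application log provider)
    event_id: int
    fields: dict = field(default_factory=dict)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: Event):
    """Return (rule, detail) if one event matches a stage of the chain, else None."""
    f = ev.fields
    if ev.source == "Sysmon" and ev.event_id == 7:
        # Stage 1: an Office process loads msi.dll, which is what happens when a macro
        # calls CreateObject("WindowsInstaller.Installer"). No child process is spawned.
        if basename(f.get("Image", "")) in OFFICE_IMAGES and basename(f.get("ImageLoaded", "")) == "msi.dll":
            return ("office_loads_msi_dll", f["Image"])
    elif ev.source == "Sysmon" and ev.event_id == 3:
        # Stage 2: the Windows Installer service itself opens the outbound connection.
        if basename(f.get("Image", "")) == "msiexec.exe" and f.get("Initiated") == "true":
            return ("msiexec_outbound", f"{f.get('DestinationIp')}:{f.get('DestinationPort')}")
    elif ev.source == "MsiInstaller" and ev.event_id == 1040:
        # Stage 3: 1040 is "Beginning a Windows Installer transaction: <package>. Client
        # Process Id: <pid>." A URL as the package path means a remote install.
        m = URL_RE.search(f.get("Message", ""))
        if m:
            return ("msi_package_from_url", m.group(0).rstrip("."))
    return None


def detect(events):
    """Apply the per-event rules and add a chain verdict when the stages line up."""
    findings = [hit for hit in map(match_event, events) if hit]
    rules = {rule for rule, _ in findings}
    if {"office_loads_msi_dll", "msi_package_from_url"} <= rules:
        findings.append(("office_to_remote_msi_chain", "macro-driven Windows Installer download"))
    return findings


# Constructed sample telemetry, not a real capture; 203.0.113.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    Event("Sysmon", 1, {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                        "ParentImage": r"C:\Windows\explorer.exe"}),
    Event("Sysmon", 7, {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                        "ImageLoaded": r"C:\Windows\System32\msi.dll"}),
    Event("Sysmon", 3, {"Image": r"C:\Windows\System32\msiexec.exe", "Initiated": "true",
                        "DestinationIp": "203.0.113.10", "DestinationPort": "80"}),
    Event("MsiInstaller", 1040, {"Message": "Beginning a Windows Installer transaction: "
                                            "http://203.0.113.10/setup.msi. Client Process Id: 5120."}),
    Event("Sysmon", 7, {"Image": r"C:\Windows\System32\msiexec.exe",
                        "ImageLoaded": r"C:\Windows\System32\msi.dll"}),
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

On its own, an outbound connection from msiexec.exe is noisy on hosts that legitimately install from HTTP or UNC sources; the 1040 message carrying a URL is the strongest single signal, and the combination with an Office process loading msi.dll is what distinguishes this macro technique from an administrator's deployment tooling.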


1.2 Deploying Lua-based malware using MSI

Having moved the phishing chain from the macro document into a malicious MSI package, the attacker does not install a malicious binary backdoor directly. Instead, the MSI first installs a set of legitimate files that Lua depends on, and the malicious logic is carried in a Lua script placed among them. This lets the attacker avoid a direct confrontation with the binary file scanning of security software and achieve backdoor execution through a script instead. An MSI package is also well suited to installing the series of dependency files that make up the script execution environment. Persistence is then obtained by dropping an LNK file into the Windows Startup folder.

Legitimate Lua files dropped:

- luacom.dll (LuaCOM library)
- ltn12.lua (LuaSocket script)
- mime.lua
- http.lua
- url.lua
- tp.lua
- socket.lua
- core.dll
- mime.dll
- lua51.dll
- sppsvc.exe (Lua interpreter modified by the attacker so that it does not show a console window to the user; the name imitates the legitimate Software Protection service binary, which lives in System32)
- <6 characters>.rbs (a Windows Installer rollback script generated during installation)

Malicious Lua file dropped:

- print.lua

Location of the malicious LNK dropped:

- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Software Protection Service.lnk

The LNK is configured to launch the sppsvc.exe dropped in C:\ProgramData\.security-soft\ with print.lua as its argument. The script then attempts to fetch additional malicious Lua code from the attacker's C2. Note how every name in this chain is chosen to blend in: a shortcut named after a real Windows service, an interpreter renamed to a real service binary, and a hidden-looking dot-prefixed directory under ProgramData.
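Auditing the Startup folder for this pattern is straightforward once shortcut targets have been resolved. The following is an added example (not code from the original page or from Proofpoint) that scores each Startup shortcut on the traits seen here: a target outside the standard install directories, a dot-prefixed directory component, a System32 binary name living elsewhere, a script file passed as the argument, and a shortcut name that imitates a Windows service. It works on already-resolved shortcut data (name, target, arguments), such as an EDR inventory or shortcut parser export; the sample entries and the directory, binary-name and service-name lists are constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Roots under which a Startup-folder target is unremarkable (assumption for illustration).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Real Windows service binaries that belong only in System32; the same name anywhere
# else is masquerading (sppsvc.exe is the genuine Software Protection service).
SYSTEM32_BINARIES = {"sppsvc.exe", "svchost.exe", "lsass.exe", "services.exe", "wininit.exe"}
# Windows service display names a shortcut might imitate (assumed, non-exhaustive list).
SERVICE_DISPLAY_NAMES = {"software protection service", "windows update service", "security service"}
SCRIPT_EXTS = (".lua", ".js", ".vbs", ".ps1", ".py", ".bat")
# Being outside Program Files alone is common for per-user apps, so it never flags on its own.
LOW_SEVERITY = {"outside_standard_dirs"}


def audit_entry(lnk_name: str, target: str, args: str = "") -> list:
    """Return the reasons one Startup shortcut looks like script-interpreter persistence."""
    p = PureWindowsPath(target)
    target_l = str(p).lower()
    reasons = []
    if not target_l.startswith(STANDARD_ROOTS):
        reasons.append("outside_standard_dirs")
    # parts[0] is the drive anchor and parts[-1] the file name; check the directories between.
    if any(part.startswith(".") for part in p.parts[1:-1]):
        reasons.append("dot_directory")
    if p.name.lower() in SYSTEM32_BINARIES and str(p.parent).lower() != "c:\\windows\\system32":
        reasons.append("system_binary_masquerade")
    if any(tok.lower().endswith(SCRIPT_EXTS) for tok in args.split()):
        reasons.append("script_argument")
    if lnk_name.lower().removesuffix(".lnk") in SERVICE_DISPLAY_NAMES:
        reasons.append("service_name_impersonation")
    return reasons


def is_suspicious(reasons) -> bool:
    """A shortcut is reported only if it carries at least one non-low-severity reason."""
    return bool(set(reasons) - LOW_SEVERITY)


def audit_startup(entries) -> dict:
    """entries: iterable of (lnk_name, target, args). Returns {lnk_name: reasons} for suspicious ones."""
    report = {}
    for name, target, args in entries:
        reasons = audit_entry(name, target, args)
        if is_suspicious(reasons):
            report[name] = reasons
    return report


# Constructed sample Startup-folder inventory (not a real host); the first entry mirrors
# the LNK, directory and interpreter names described above.
SAMPLE_STARTUP = [
    ("Software Protection Service.lnk", r"C:\ProgramData\.security-soft\sppsvc.exe", "print.lua"),
    ("Vendor Sync.lnk", r"C:\Program Files\VendorSync\sync.exe", "--tray"),
    ("Notes.lnk", r"C:\Users\alice\AppData\Local\Notes\notes.exe", ""),
]

if __name__ == "__main__":
    for name, reasons in audit_startup(SAMPLE_STARTUP).items():
        print(f"{name}: {', '.join(reasons)}")
```

Resolving the shortcut target is the one platform-specific step; on a live host it can come from the Shell's IWshRuntimeLibrary.WshShortcut object or any LNK parser, after which the scoring above is pure string and path logic and can run on exported data from many hosts at once.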

**02** Summary

In phishing attacks, attackers often choose unusual ways to avoid a direct confrontation with security software. In this campaign we see a macro document driving the Windows Installer object to install a malicious MSI package, and the MSI package in turn installing a backdoor built on a scripting language. Both are interesting choices. If security software does not have complete protection for these two points, attackers can take advantage of them.
