Picking up from the situation in "Use case 1 - Eternalblue attack": a spear-phishing email tricks a user of the company into clicking its link, which sets off a chain of actions that compromises her machine and the other vulnerable hosts on the EvilCorp network. With that, the attacker's exploitation phase is complete.
Once the machines have been compromised, we move on to the post-exploitation part of the attack, where a different kind of action is defined. In this type of situation the most common cases are holding the computer hostage (ransomware) or mining cryptocurrency with its CPU. For our laboratory the cryptocurrency-mining case has been chosen. It is carried out with an obfuscated binary, again to avoid detection by the endpoint AV, which runs in the background and is completely transparent to the user, even in terms of machine performance. Even so, analysis of the network traffic detects the communication between the miner executable and the mining pool.
Two obfuscated files have been generated: an executable for Windows platforms and a script for Linux. The Linux script looks like this:
Viewing in the redBorder platform
In the Intrusion section it is identified by the following signatures:
- obfuscated binary Windows
- PUA-OTHER XMRig Cryptocurrency mining pool connection attempt
- PUA-OTHER Cryptocurrency Miner outbound connection attempt
- ET POLICY Cryptocurrency Miner Checkin
- obfuscated binary Linux
- ET POLICY Crypto Coin Miner Login
- PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt
As in the previous case, we can see that the Snort rules have been triggered: switch to RAW mode, click the button on the right of each rule and then the information button that appears, to see the event and the captured traffic.
This capture corresponds to the obfuscated Linux script, and the communication can be observed in plain text.
This other capture corresponds to the obfuscated Windows binary, and the communication can also be seen in plain text.
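The plain-text traffic in both captures is the Stratum mining protocol (line-delimited JSON-RPC), which is what the PUA-OTHER and ET POLICY signatures above key on. The following added example, not part of the original lab or of redBorder, shows the same detection idea as a small Python scanner run over constructed sample payloads: the method names and miner user-agents are the real Stratum/XMRig/cpuminer markers, while the wallet, worker and version values are invented placeholders.

```python
import json
import re

# Constructed sample payloads imitating miner-to-pool traffic seen in a capture.
# Stratum messages are one JSON object per line; the last entry is ordinary HTTP
# included as a negative case. Wallet/worker/version strings are placeholders.
SAMPLE_PAYLOADS = [
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.0.0"}}\n',
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer-multi/1.3.1"]}\n',
    b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n',
    b'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n',
]

# Method names used by the Stratum mining protocol (XMRig-style "login" and
# cpuminer-style "mining.*"), plus user-agent strings of common CPU miners.
STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize",
                   "submit", "mining.submit", "keepalived"}
MINER_AGENTS = re.compile(r"(xmrig|cpuminer|minerd|cgminer|xmr-stak)", re.IGNORECASE)


def classify_payload(raw: bytes):
    """Return the reasons a payload looks like mining-pool traffic, or None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary data: not plain-text Stratum
    reasons = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        method = msg.get("method")
        if method in STRATUM_METHODS:
            reasons.append(f"stratum method: {method}")
        # XMRig puts the agent in params.agent; cpuminer passes it as params[0]
        params = msg.get("params")
        agent = None
        if isinstance(params, dict):
            agent = params.get("agent")
        elif isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]
        if agent and MINER_AGENTS.search(agent):
            reasons.append(f"miner user-agent: {agent}")
    return reasons or None


def scan_capture(payloads):
    """Run classify_payload over every payload; return (index, reasons) alerts."""
    return [(i, r) for i, raw in enumerate(payloads) if (r := classify_payload(raw))]


if __name__ == "__main__":
    for idx, reasons in scan_capture(SAMPLE_PAYLOADS):
        print(f"payload {idx}: " + "; ".join(reasons))
```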