SOC250 — APT35 HyperScrape Data Exfiltration Tool Detected
EventID: 212
Event Time: Dec, 27, 2023, 11:22 AM
Rule: SOC250 — APT35 HyperScrape Data Exfiltration Tool Detected
Level: security analyst
Hostname: Arthur
IP Address: 172.16.17.72
Process Name: EmailDownloader.exe
Process Path: C:\Users\LetsDefend\Downloads\EmailDownloader.exe
Parent Process: C:\Windows\Explorer.EXE
Command Line: C:\Users\LetsDefend\Downloads\EmailDownloader.exe
File Hash: cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
Trigger Reason: Unusual or suspicious patterns of behavior linked to the hash have been identified, indicating potential malicious intent.
Device Action: Allowed
Log Management:
Starting in Log Management, we look for logs and traffic involving the Source IP reported in the alert. Filtering by Source IP 172.16.17.72 returns two raw logs.
The first is a 4624 event, a successful logon of user Arthur. The second is more important: a successful connection to Destination IP 136.243.108.14 on Destination port 80, with EmailDownloader.exe as the process that generated the traffic and a firewall action of success.
So, prima facie, the firewall allowed traffic from the workstation to an external IP.
Before going further, it is a good idea to check the Destination IP against the threat intelligence sources available to us.
The following snapshots show that the Destination IP 136.243.108.14 is flagged for malicious activity and is associated with APT35:
- VirusTotal,
- IBM X-Force,
- AbuseIPDB,
- Kaspersky Threat Intelligence Portal
We always note the time of each action; it helps us reconstruct exactly how the attack unfolded.
Next we set the Destination IP filter to 172.16.17.72 to see what traffic was directed at the workstation.
This returns three more logs. The successful login of user Arthur came from the external IP 173.209.51.54 over Remote Desktop (port 3389).
That IP is also classified as malicious by threat intelligence.
There is also a raw log from the internal IP 172.16.20.3 to 172.16.17.72 on destination port 5985. 172.16.20.3 appears to be the Exchange server.
So from Log Management alone we have, in chronological order:
- a successful RDP connection from 173.209.51.54 to 172.16.17.72;
- a successful logon of user Arthur (event ID 4624);
- a connection from the Exchange server 172.16.20.3 to 172.16.17.72 on port 5985 (WinRM, Microsoft Windows Remote Management);
- a successful connection from 172.16.17.72 to the malicious external IP 136.243.108.14 on destination port 80 (HTTP).
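The correlation done by hand above (inbound remote-admin session from an external IP, then an allowed outbound connection from the same host to an external IP) can be scripted. The following is an added example and is not LetsDefend's code or tooling; the records are constructed from the values quoted in this write-up, and the seconds within each minute are assumed because the write-up only gives minute resolution (11:17 for the RDP logon, 11:21 for EmailDownloader.exe).

```python
"""Rebuild the attack timeline from the Log Management records and flag the
inbound-admin-then-outbound pattern. Added example, not LetsDefend's code."""
from datetime import datetime
from ipaddress import ip_address

SERVICE = {22: "SSH", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 5985: "WinRM"}
REMOTE_ADMIN_PORTS = {22, 3389, 5985}   # inbound sessions worth correlating

# Constructed records mirroring the four raw logs described in the write-up
# (seconds are assumed; the write-up gives minute resolution only).
LOGS = [
    {"time": "2023-12-27 11:17:00", "type": "firewall", "src": "173.209.51.54",
     "dst": "172.16.17.72", "dport": 3389, "action": "allowed"},
    {"time": "2023-12-27 11:17:05", "type": "auth", "host": "172.16.17.72",
     "event_id": 4624, "user": "Arthur"},
    {"time": "2023-12-27 11:21:00", "type": "firewall", "src": "172.16.20.3",
     "dst": "172.16.17.72", "dport": 5985, "action": "allowed"},
    {"time": "2023-12-27 11:21:30", "type": "firewall", "src": "172.16.17.72",
     "dst": "136.243.108.14", "dport": 80, "action": "allowed",
     "process": "EmailDownloader.exe"},
]


def is_external(ip: str) -> bool:
    """True for publicly routable addresses (RFC 1918, loopback etc. are False)."""
    return ip_address(ip).is_global


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def involves(rec: dict, host: str) -> bool:
    return host in (rec.get("src"), rec.get("dst"), rec.get("host"))


def describe(rec: dict) -> str:
    """One human-readable timeline line per record."""
    if rec["type"] == "auth":
        return f"{rec['time']} logon event {rec['event_id']} user {rec['user']} on {rec['host']}"
    svc = SERVICE.get(rec["dport"], str(rec["dport"]))
    if is_external(rec["src"]):
        direction = "inbound"
    elif is_external(rec["dst"]):
        direction = "outbound"
    else:
        direction = "internal"
    proc = f" via {rec['process']}" if rec.get("process") else ""
    return (f"{rec['time']} {direction} {svc} {rec['src']} -> "
            f"{rec['dst']}:{rec['dport']} {rec['action']}{proc}")


def timeline(logs: list, host: str) -> list:
    """All records involving `host`, oldest first, as timeline lines."""
    hits = [r for r in logs if involves(r, host)]
    hits.sort(key=lambda r: parse_time(r["time"]))
    return [describe(r) for r in hits]


def find_exfil_chains(logs: list, window_minutes: float = 10) -> list:
    """Allowed inbound remote-admin session from an external IP followed, within
    `window_minutes`, by an allowed outbound connection from that same host to
    an external IP. One dict per matching pair."""
    fw = sorted((r for r in logs if r["type"] == "firewall"),
                key=lambda r: parse_time(r["time"]))
    chains = []
    for i, inb in enumerate(fw):
        if not (inb["action"] == "allowed" and is_external(inb["src"])
                and inb["dport"] in REMOTE_ADMIN_PORTS):
            continue
        for out in fw[i + 1:]:
            gap = (parse_time(out["time"]) - parse_time(inb["time"])).total_seconds() / 60
            if gap > window_minutes:
                break
            if (out["src"] == inb["dst"] and out["action"] == "allowed"
                    and is_external(out["dst"])):
                chains.append({
                    "host": inb["dst"],
                    "inbound_from": inb["src"],
                    "inbound_service": SERVICE.get(inb["dport"], str(inb["dport"])),
                    "outbound_to": out["dst"],
                    "outbound_service": SERVICE.get(out["dport"], str(out["dport"])),
                    "process": out.get("process"),
                    "minutes_apart": gap,
                })
    return chains


if __name__ == "__main__":
    for line in timeline(LOGS, "172.16.17.72"):
        print(line)
    for chain in find_exfil_chains(LOGS):
        print("possible exfil chain:", chain)
```

The Exchange-to-workstation WinRM record is deliberately not treated as the trigger: its source is internal, so it shows up in the timeline but only the external RDP logon opens a chain. Feed real SIEM exports in the same shape and the destination IPs in the resulting chains are the ones to look up in threat intelligence first.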
Let's go to the EDR, where we complete the puzzle; putting all the findings together, we can reach a conclusion.
Endpoint Security:
We search for the user's IP, 172.16.17.72, and go through the processes that ran step by step.
The first thing that stands out is a process executed at 11:17: smss.exe, the Session Manager Subsystem, which is responsible for starting and managing system sessions during Windows startup. A new smss.exe instance is also expected whenever a new logon session is created (an RDP logon, for example), so a single instance right after the RDP connection would be normal; what is unusual here is the frequency.
Continuing, we see that smss.exe runs repeatedly, roughly every second.
On the second tab we see explorer.exe and EmailDownloader.exe being executed again shortly before that. This could mean the attacker is trying to manage multiple sessions or to exploit the system further.
Opening the explorer.exe event, the Target Process Command Line is C:\Windows\System32\smartscreen.exe -Embedding. smartscreen.exe is Microsoft Defender SmartScreen, part of the Microsoft Defender suite, which checks the reputation of a web page or file; the -Embedding switch means it was started as a COM server, which is what happens when Explorer launches a downloaded file that carries the Mark of the Web.
The next process is EmailDownloader.exe, launched via explorer.exe.
We have one more machine that can give us information: the Exchange server, 172.16.20.3.
Here we see at first glance that the user is Administrator, so the account has elevated privileges and can run additional commands and processes.
It is also worth noting a running powershell.exe process.
After analyzing the internal machines we have access to, we find the following:
smss.exe running repeatedly before explorer.exe is a worrying indication of compromise. smartscreen.exe running from explorer.exe immediately before EmailDownloader.exe tells us the file was launched interactively from Explorer, inside the RDP session, and that SmartScreen let it run; on its own this is expected behaviour for a downloaded executable, but it ties the launch to the attacker's session. At the same time, powershell is running on the Exchange server.
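The three endpoint observations above (a burst of smss.exe launches, a binary run by explorer.exe from a user's Downloads folder after a SmartScreen check, and powershell.exe under the Administrator account on the Exchange server) can be turned into checks over EDR process telemetry. The following is an added example, not LetsDefend's code; the events are constructed from the process details quoted in this write-up, and the second-resolution timestamps, the Exchange hostname "EXCHANGE", the SYSTEM user on the smss.exe events, and the empty parent of the Exchange PowerShell process (the write-up does not give one) are assumptions.

```python
"""Checks over EDR process-creation telemetry. Added example, not LetsDefend's
code. EVENTS is constructed from the write-up; see the lead-in for the
assumed fields."""
import ntpath
from datetime import datetime


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


# Constructed telemetry. Timestamps, hostname "EXCHANGE", the SYSTEM user and
# the empty parent of the Exchange powershell.exe are assumptions.
EVENTS = [
    *[{"time": "2023-12-27 11:17:%02d" % s, "host": "Arthur", "user": "SYSTEM",
       "image": r"C:\Windows\System32\smss.exe",
       "parent": r"C:\Windows\System32\smss.exe", "cmdline": "smss.exe"}
      for s in range(6)],
    {"time": "2023-12-27 11:21:00", "host": "Arthur", "user": "Arthur",
     "image": r"C:\Windows\System32\smartscreen.exe",
     "parent": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\System32\smartscreen.exe -Embedding"},
    {"time": "2023-12-27 11:21:01", "host": "Arthur", "user": "Arthur",
     "image": r"C:\Users\LetsDefend\Downloads\EmailDownloader.exe",
     "parent": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Users\LetsDefend\Downloads\EmailDownloader.exe"},
    {"time": "2023-12-27 11:21:00", "host": "EXCHANGE", "user": "Administrator",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "", "cmdline": "powershell.exe"},
]

USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")


def bursts(events: list, image: str = "smss.exe",
           window_seconds: int = 10, min_count: int = 3) -> list:
    """Hosts where `image` started at least `min_count` times inside any
    `window_seconds` window (sliding window over sorted start times)."""
    per_host = {}
    for e in events:
        if base(e["image"]) == image:
            per_host.setdefault(e["host"], []).append(ts(e["time"]))
    found = []
    for host, times in per_host.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            found.append({"host": host, "image": image, "count": best})
    return found


def downloads_launches(events: list, lookback_seconds: int = 5) -> list:
    """Executables started by explorer.exe from a user-writable folder, with a
    flag telling whether a SmartScreen COM activation (smartscreen.exe
    -Embedding) on the same host preceded the launch, i.e. the file carried
    Mark of the Web and was run interactively."""
    out = []
    for e in events:
        path = e["image"].lower()
        if base(e["parent"]) != "explorer.exe" or not any(m in path for m in USER_WRITABLE):
            continue
        t = ts(e["time"])
        checked = any(
            s["host"] == e["host"] and base(s["image"]) == "smartscreen.exe"
            and "-embedding" in s["cmdline"].lower()
            and 0 <= (t - ts(s["time"])).total_seconds() <= lookback_seconds
            for s in events)
        out.append({"host": e["host"], "user": e["user"], "image": e["image"],
                    "smartscreen_checked": checked})
    return out


def admin_shells(events: list, shells=("powershell.exe", "pwsh.exe", "cmd.exe")) -> list:
    """Shells running under the built-in Administrator account."""
    return [{"host": e["host"], "user": e["user"], "image": base(e["image"])}
            for e in events
            if base(e["image"]) in shells and e["user"].lower() == "administrator"]


if __name__ == "__main__":
    print("bursts:", bursts(EVENTS))
    print("downloads launches:", downloads_launches(EVENTS))
    print("admin shells:", admin_shells(EVENTS))
```

The burst threshold is what separates the anomaly from the normal case: one smss.exe per new session passes, six in as many seconds does not. Likewise the smartscreen_checked flag is reported, not alerted on, because a SmartScreen activation before a Downloads launch is the expected path for a Mark-of-the-Web file; its value is that it ties the launch to an interactive Explorer session.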
To conclude, let's put all our data in chronological order.
Based on the above, this is a True Positive: a successful attack resulting in data exfiltration to a malicious IP.
The attack started at 11:17 from the external malicious IP 173.209.51.54, which made a successful Remote Desktop connection (port 3389) as user Arthur to the internal IP 172.16.17.72, generating event ID 4624 for the user's successful logon.
Also at 11:17, 172.16.17.72 started repeatedly launching smss.exe. At 11:21 the same machine ran EmailDownloader.exe via explorer.exe, and at the same time a connection from the Exchange server 172.16.20.3 to 172.16.17.72 on port 5985 (WinRM, Microsoft Windows Remote Management) is observed. Combined with powershell.exe running on the Exchange server, this suggests a malicious script or command was executed against 172.16.17.72. The related log file shows the email download from the Exchange server and the user's mailbox arthur@letsdefend.io.
Finally, there is a successful connection from the internal 172.16.17.72 to the malicious IP 136.243.108.14 on port 80 (HTTP). Based on the above, this is a successful data exfiltration. Since the Device Action was Allowed and the traffic went out over cleartext HTTP to a flagged IP, the host should be isolated and the destination blocked while the mailbox content that was pulled is assessed.
Further analysis:
The hash given at the start of the alert, cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa, belongs to EmailDownloader.exe according to threat intelligence:
- VirusTotal 51/73: https://www.virustotal.com/gui/file/cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
- IBM X-Force — High Risk (Type: Infostealer): https://exchange.xforce.ibmcloud.com/malware/cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
- Kaspersky Threat Intelligence Portal — Malware: https://opentip.kaspersky.com/cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa/results?tab=lookup