
Stories from the SOC - Sodinokibi Ransomware (REvil / BlueCrab)

August 10, 2021  |  Ken Ng

Guest contributors to this blog: Brian Kerns and Vedran Tomljanovic.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary:

There’s a saying that nothing can be certain, except death and taxes; in today’s cyber threat landscape, we can add ransomware to that short list. One of the AT&T Managed Threat Detection and Response customers almost had an incident at the crossroads of taxes and ransomware, but thanks to the SentinelOne advanced EDR platform, the attack was quickly detected and stopped automatically. Then, the combined efforts of the MTDR SOC, Threat Hunters, and the AT&T Alien Labs team led to a swift customer escalation, root cause discovery, and analysis of what turned out to be the surprisingly still effective and relevant activity of the Sodinokibi ransomware gang.

These attackers leverage search engine optimization (SEO) to ensure compromised sites hosting links to malicious files are pushed up to the first page of Google results for commonly asked questions. In this case, a user was taken to a compromised site and downloaded a file containing a malicious JavaScript file. While the JavaScript file was executed, there was little impact on the organization thanks to SentinelOne correlating and associating the activities that followed as malicious and autonomously stopping the attack. And, with the help of AT&T, the client was able to take further remediation steps, enable additional proactive prevention policies, and confirm no other malicious domains were observed across the network.  

Investigation:

Initial Alarm Review:

The MTDR SOC received two SentinelOne Malware Detected alarms related to a malicious file running from a user’s temp folder on the same host:
[Image: ransomware investigation]

Attackers often trick users into opening these malicious files by making them look legitimate. From the SentinelOne events, we can see that the file was likely inside a zip file, which the user opened before double-clicking the file. We can also see the Mitigation Status is “Mitigated” and the action of “Kill” was successful 4 times.

While there were no additional malware-related alerts and the potentially malicious process was killed successfully and autonomously, this was an important event to raise and investigate further. These two malware events were added to an Investigation and the client was notified per their incident response plan (IRP).

Expanded Investigation:

The client was able to pull Deep Visibility logs from the SentinelOne console for the host in question and provide the MTDR SOC with a way of obtaining the original JavaScript file safely. Looking at the JavaScript file, we can see that it has a good amount of junk code, so the quickest way to pull out the output of the script is to run it in a sandbox and pull the strings out from memory.

[Image: ransomware in sandbox]

[Image: ransomware 2nd screen in sandbox]

From a high level, we can see that a registry key gets created, a value gets written, and an array holds three possible locations that the stage 2 download could come from. Looking deeper into the strings in memory, we can see the built URL:

hxxps://www[.]longshotproductions[.]tv/search.php?slvidnlzvhrqm=4507983033157472z

We then turned to the AT&T Alien Labs Open Threat Exchange to see what else we could learn about these domains. We found similar observed uniform resource identifier (URI) patterns and determined that one of the possible download locations, www[.]leschiensdelabistade[.]fr, is a known bad domain for Sodinokibi Ransomware (also known as BlueCrab):

[Image: otx pulse on BlueCrab]

[Image: BlueCrab URLs]

When we provided the longshotproductions[.]tv domain to the client, they discovered it was one of the two URLs in the user’s browser history that occurred around the time of the alerts:

  • hxxps://www[.]longshotproductions[.]tv/about.php?rzdqkgu=lmvdzwjjo&id=6a2b7859665a49624e707161523138446f36336257563653742f753857754e5737414a3774414e43453063446576502b626b6d7831364e3138696b59325045305952334452413d3d&occtyth=tceknjson&izsxy=xjckrt
  • hxxps://www[.]ksrevenue[.]org/pdf/kw100.pdf

The first URL is from the same domain as our stage 2 download and matches URI patterns, so we were relatively certain that it was where the JavaScript file came from. While we were unable to pull down the stage 2 or see any indication that the stage 2 was pulled down on the host, open source intelligence (OSINT) research suggested that the resulting stage 2 would be written into registry keys, and then pulled out by PowerShell to inject into a legitimate process. 

Looking at the Deep Visibility logs from SentinelOne, a very clear picture was painted of what happened after the JavaScript was executed. We were able to confirm the zip file containing the JavaScript from a process run.

[Image: BlueCrab Zip file]
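The process-run evidence described above can be hunted for directly. This is an added example, not code from the original post or from SentinelOne: it flags command lines where a Windows Script Host binary runs a JavaScript file out of an archive extraction folder under a Temp directory. The script-host names, the folder-name conventions for Explorer, 7-Zip and WinRAR, and all sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
SCRIPT_EXTS = {".js", ".jse"}
# Folder names archive tools create under %TEMP% when a file is opened from
# inside an archive: Explorer (Temp1_<name>.zip), 7-Zip (7zO...), WinRAR (Rar$...).
ARCHIVE_DIR = re.compile(r"(Temp\d+_.+\.zip|7zO[0-9A-F]+|Rar\$.+)", re.I)

def split_cmdline(cmdline):
    """Split a command line into tokens, keeping quoted paths together."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def script_from_archive(cmdline):
    """Return script name and archive folder when a script host runs JS from a temp archive."""
    tokens = split_cmdline(cmdline)
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in SCRIPT_HOSTS:
        return None
    for token in tokens[1:]:
        path = PureWindowsPath(token)
        if path.suffix.lower() not in SCRIPT_EXTS:
            continue
        folders = path.parts[:-1]
        archive = next((f for f in folders if ARCHIVE_DIR.fullmatch(f)), None)
        if archive and any(f.lower() == "temp" for f in folders):
            return {"script": path.name, "archive_dir": archive}
    return None

# Constructed process events (user, paths and file names are made up).
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_sample_question.zip\sample_question.js"',
    r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.js"',
    r'C:\Windows\System32\notepad.exe C:\Users\jdoe\AppData\Local\Temp\Temp1_notes.zip\readme.txt',
    r'cscript.exe //nologo C:\Users\jdoe\AppData\Local\Temp\7zO4F2A91C\report.js',
]

def triage(events):
    """Return (event, details) pairs for the events worth an analyst's review."""
    return [(e, hit) for e in events if (hit := script_from_archive(e))]

if __name__ == "__main__":
    for event, hit in triage(SAMPLE_EVENTS):
        print(hit["archive_dir"], "->", hit["script"])
```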

Once we had an idea of what the JavaScript led to, we could attempt to find how the user potentially got the file. Leveraging the information from the file name, plus some context with the one PDF the user was able to get from a legitimate site, we were able to emulate the user’s actions without the proxy logs. Starting with a Google search for “missouri and kansas tax reciprocity”, you can see that one of the results is the ksrevenue site. Two results down from there, we see there’s a suspicious site:

[Image: ransomware google search]

This site stood out because it was HTTP, and therefore less secure, and because the domain name itself doesn’t suggest that it’s a useful resource for tax information. Clicking on the link shows this page:

[Image: ransomware suspicious page]

The page is extremely suspicious and sparse and contains a link for a download to answer what should be a straightforward question.

When you hover to see where that link goes:

  • hxxps://5cuerdas[.]com/about.php?mettcxtagiu=wokpczhj&id=6f477a38626f427a6e4e6c714346724d4d305233566c3737525a6a3174776a5565677443334c317479705a787378534b745275396666764a777772612b3935456765396f67624c785a666f71&rozcrxxk=lqmmmcw&rsrgkt=nootbjmn

Compare that to our assumed delivery link:

  • hxxps://www[.]longshotproductions[.]tv/about.php?rzdqkgu=lmvdzwjjo&id=6a2b7859665a49624e707161523138446f36336257563653742f753857754e5737414a3774414e43453063446576502b626b6d7831364e3138696b59325045305952334452413d3d&occtyth=tceknjson&izsxy=xjckrt

The file path of about.php and the parameters of [random string] = [string], &id= [string], &[randomstring] = [string] are identical. Without a doubt, this is how the user got the zip file with the JavaScript inside. With the question of “how” the user got the malicious file answered, we wanted to confirm our hunch that this was indeed Sodinokibi. Pivoting off the IOCs in OTX, performing OSINT searches for the TTPs observed, and following up with our brilliant Alien Labs team, we confirmed that this was indeed a close call with Sodinokibi.
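The URI pattern compared above can be turned into a hunt over browser-history or proxy exports. This is an added example, not code from the original post: it matches the about.php path with one long hex `id` value surrounded by random lowercase parameters, and also checks that the `id` hex-decodes to Base64 text, which holds for both `id` values quoted in this post. The length thresholds, function names and sample URLs are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

HEX_ID = re.compile(r"(?:[0-9a-f]{2}){20,}")   # long, even-length lowercase hex
RANDOM = re.compile(r"[a-z]{4,16}")            # random-looking lowercase token
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def refang(url):
    """Undo the hxxp / [.] defanging used when IOCs are shared."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def matches_delivery_pattern(url):
    """True when a URL has the about.php?<rand>=<rand>&id=<hex>&<rand>=<rand> shape."""
    parts = urlsplit(refang(url))
    if not parts.path.lower().endswith("/about.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    ids = [v for k, v in params if k == "id"]
    others = [(k, v) for k, v in params if k != "id"]
    if len(ids) != 1 or len(others) < 2 or not HEX_ID.fullmatch(ids[0]):
        return False
    # Both id values quoted in this post hex-decode to Base64 text.
    if not set(bytes.fromhex(ids[0]).decode("latin-1")) <= B64_ALPHABET:
        return False
    return all(RANDOM.fullmatch(k) and RANDOM.fullmatch(v) for k, v in others)

def hunt(urls):
    """Return the URLs from a browser-history or proxy export that match."""
    return [u for u in urls if matches_delivery_pattern(u)]

# Constructed sample data: example domains and a made-up id, not real IOCs.
SAMPLE_ID = b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=".hex()
SAMPLE_HISTORY = [
    f"hxxps://www[.]example[.]test/about.php?qhzrtwe=plmvbnq&id={SAMPLE_ID}&xcvbtyu=wertasdf&okmijn=uhbygv",
    "https://www.example.org/pdf/kw100.pdf",
    "https://shop.example.com/about.php?lang=en&id=1234&ref=home",
    f"https://www.example.net/about.php?id={SAMPLE_ID}",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_HISTORY):
        print("review:", hit)
```

A match is a lead for an analyst to review alongside the endpoint telemetry, not a verdict on its own.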

Response:

The client took remediation steps including isolating the affected host, blocking the IOCs related to the malware, and working alongside the MTDR SOC to confirm no other hosts were affected and no traffic to the malicious domains was observed across the network. SentinelOne was instrumental in the detection and mitigation of the malicious activity occurring after the JavaScript file was executed. With SentinelOne’s rollback functionality, even if the stage 2 had successfully downloaded and executed, the system’s files would likely have been restored at the click of a button.
