When it comes to finding ways to leverage Artificial Intelligence and Machine Learning (AI/ML), analysts are frequently overwhelmed by choice. Often, finding the right ways to leverage AI/ML requires in-depth technical knowledge that is hard to come by. A significant challenge that faces the community and AI/ML practitioners is how to move these tools from development to the real world. The biggest hang-up is that AI/ML models are inherently a “black box”. The black box makes it hard for users and practitioners alike to explain what happens between input and output. We understand that AI/ML models are capable of superhuman computing, yet we are unable to clearly understand the logic behind an AI agent’s decision making. A team of researchers at AIS is beginning to chip away at this problem by leading cutting-edge research in Explainable AI.

With October being Cybersecurity Awareness Month, I wanted to share the critical importance of staying safe in the ever-evolving digital landscape. Not only will we delve into the significance of this annual event, but we’ll review some unique and practical cyber hygiene tips to keep you safe as we head into 2024.

Government agencies play a pivotal role in maintaining national security, delivering public services and safeguarding sensitive information. The same digital landscape that enables efficiency and innovation, however, also presents unprecedented cybersecurity challenges. With Cybersecurity Awareness Month around the corner, I wanted to reiterate the importance of cybersecurity for government agencies, the unique threats they face and the role AIS plays in developing technologies and executing strategies to protect our nation.

Key Takeaways

• Assured Information Security (AIS) has discovered a campaign targeting users of AIS’s security products, particularly Metasponse, AIS’s incident response framework.
• The campaign utilizes Search Engine Optimization (SEO) poisoning to manipulate search results to point to pages containing malicious document/binary downloads.
• The payload contains numerous similarities to the SolarMarker group and shows a high level of sophistication.

Overview

AIS regularly monitors the public web for leaks of AIS products and possible threats to AIS customers. This has paid off in the discovery of targeted SEO poisoning attacks against users of AIS products, mainly the Metasponse incident response framework. This article shows AIS’s analysis of this threat.

SEO Poisoning and Google Groups

Searching for “metasponse” or “metasponse download” returns several legitimate pages, such as AIS’s own page on Metasponse and academic papers referring to it. However, there are some that do not appear so legitimate:

Many times, these are in the first page of results mixed in with legitimate search results. One of the discovered fake search results pointed to a Google Groups conversations containing SEO manipulative content. By utilizing a known good service (Google Groups) to push their content, adversaries hope to bypass web content filtering on enterprise and government networks. Thankfully, by the time of writing this article, at least one of these has been banned:

However, at least one group remains. The group appears to have failed to gain sufficient traffic and has remained, at the time of writing, under the radar. This allows us to see how the content in these groups is organized:

These pages contain very large and noticeable images, prompting the user to click them to download the file they want.

These links put the user through numerous redirects until they are provided a document or executable file.

Malicious Downloads

When a user clicks on the presented link, they are redirected multiple times, and if the user’s system matches what the attacker is trying to target, the user will be provided a document to download. Files observed downloaded include executables, PDFs, and Microsoft Office documents (docx).

.NET Dropper

One file that the AIS team was able to download was an executable called Improving-Er-Patient-Satisfaction.exe. A quick analysis showed the file to be a heavily obfuscated .NET executable. Automated dynamic analysis did not initially show many results. The binary was analyzed statically by decompiling it to view the obfuscated code. Features of the obfuscated code included all numbers being converted to randomly named functions that returned the number:

Another feature was the functions being stuffed with useless code that just increments a number without doing anything else of interest:

Certain functions returned obfuscated strings with each character subtracted with a number passed to the decoding function. The code for the decode function was copied out and run with Dotnet Core, which allows not only execution on Linux, but quick script-like execution with the “dotnet run” command. Using this manual method, the AIS team was able to decode the following strings:

• System.Management.Automation.PowerShell
• Create
• Invoke
• CyFwve.exe
• /s
• AddScript

The CyFwve.exe referenced is an installer for PDF Merge, which is stored encoded in the binary itself. This is dropped as a “smokescreen” to hide the other malicious activity and distract the user. Also, as can be guessed from these strings, the binary calls PowerShell by using the System.Management.Automation.dll method. .NET code can load this DLL and execute PowerShell directly in its own process. This allows the attacker to execute PowerShell without calling the actual PowerShell binary directly, allowing the attacker to bypass any protections that defenders put on the PowerShell binary. The PowerShell script called is also stored encrypted in the binary itself using a XOR with a key also present in the binary. The key in this sample was:

E1F6EB0F91338C4B3EBFA92D7754E08B836D25C3C36CF7E32FAE64088CE9BD09C56ACE3114F4E2F9D3B4C97B8558C82167D5BC0D2D13A875FF08E0E2CE83BE55019F680D86AF778E8A2CEF0FA27C5DD6E643A0B72CB0DBB2C158320B14FF2A4FF67479E5F0BB9BB85D2E82012499D283AB09FC8BE2062951C4B54B2D

PowerShell Script

The PowerShell script serves to install the final payload onto the system. It creates a shortcut (LNK) file in the user’s startup folder, enabling persistence whenever the user logs on to the infected system.

Interestingly, the DLL is not directly loaded by the shortcut, but by creating an encrypted payload with a randomized file extension. The PowerShell script then registers the file extension to run with another smaller PowerShell script that unencrypts and loads the payload.

Created encrypted DLL:

Extension handler in the registry:

The AIS team was able to manually extract and decode the final payload (thanks to CyberChef!) to continue the analysis.

It’s the Final Payload! (dadada, dadadadada)

This payload is another .NET binary, this time a DLL that is loaded into the PowerShell process through a decryptor/loader:

This loader is both used as the handler for the randomized extension as well as during the initial execution of the sample.

Dissecting the Code

Once again, this payload is a heavily obfuscated .NET binary. All strings are stored in functions that reconstruct the values from either two XOR-ed byte arrays or a series of integers subtracted together and appended together.

Like the previous .NET sample, the string functions were copied and could be safely executed using Dotnet Core to reveal what values they hold.

Not all of the functions appeared to hold valid strings, with some containing binary data in functions that are never called. These appear to be garbage functions made to confuse analysis and waste time. The code is also littered with execution-time consuming threads and sleeps to make analysis, both static and dynamic, more difficult.

Extracting Functionality

Once the strings were decoded, the team could get a better idea of how the payload operates. Like other samples of SolarMarker, command and control (C2) communications are done through passing encrypted data over HTTP (note not HTTPS, but HTTP containing encrypted data). RSA is used to encrypt a generated AES key to send the C2 server, which is used afterwards to both encrypt and decrypt communicated data.

AES key being generated (Note that function names and fields have been changed to make the code more readable):

Key being encrypted with RSA:

Indicators

TTP Indicators

• Randomly named LNK files in user startup folders.
• Long and randomly named file extension name handlers created on a system
• Monitor for the temporary files created when PowerShell dynamically loads C# code, such as the .cs and .dll files created in the user’s temporary directory.

Hashes

• Improving-Er-Patient-Satisfaction.exe SHA1: 4732d62c289ab07348da87a3c3f72c11cb5dd6d2
• CyFwve.exe SHA1: 2908846d8d17393e4ae9a620ff6e80d039b8c4ce
• PowerShell Script SHA1: ff2a4ed76310ae6c0b9964bd21a306eb14174440
• Final Payload SHA1: 5b5874d1bb711c6d34ab8b9f33aa1bd6625b2b6a

Network IOCs

• C2 Server: 86[.]106[.]20[.]155

C2 traffic is sent in a JSON format, with requests to the C2 server having the following structure:

{“action”:”ping”,”hwid”:”<HWID>”,”pc_name”:”<HOSTNAME>”,”os_name”:”Win<OS_NAME>”,”arch”:”<ARCH>”,”rights”:”<+|->”,”version”:”AP_3/B”,”workgroup”:”? | ?”,”dns”:0,”protocol_version”:2}

This data format indicates a few things:

• The payload is a newer version than of other samples seen before. Other articles have contained versions AP_2.
• Continuous development is clearly being done, given the placeholder values for workgroup and a protocol version field.
• Linux support doesn’t seem to be a priority, given the “Win” hardcoded into the os_name field.

AIS determined that the payload supports a couple of commands, which allow the implant to write files and execute binaries and PowerShell scripts:

• file: Supports writing executables to a randomized name in the temp directory or PowerShell scripts, then executing the file or script.
• command: Executes a command using PowerShell.

Given this limited set of functionalities, it can be assumed that this implant is mainly for establishing a presence on a network and to serve to execute further implants and reconnaissance commands.

Conclusion

In conclusion, this sample can be attributed to the SolarMarker APT group with a high degree of certainty, as its attack techniques and sample version string matching known SolarMarker activities. With the high levels of obfuscation and anti-forensics techniques, this sample clearly attempts to deter detection and shows the developer has significant resources behind them. This sample appears to be made to gain a foothold in a network but given this sample attempts to imitate government and military documents, this foothold would be all this advanced threat needs to perform grave damage against critical targets.

AIS customers should be vigilant for attacks of this type, and only access documentation and other product data from known AIS sources. For information on the proper channels of getting AIS products or to learn more about what services AIS provides, contact us here.

Eric Thayer, Chief Engineer, and Eric Sognefest, Reverse Engineer III, attended the 2022 CyberBoat Challenge at Michigan Tech in Houghton, Michigan in May.

This three-day event is designed to place college students into an accelerated environment in which they are provided the knowledge and resources to develop attacks against industry relevant target systems and jump start their careers in cybersecurity. Colorado State Universities Systems Engineering Department and other collaborators helped enable industry partners, other universities and students to come together to understand and conquer maritime cybersecurity challenges.

Industry driven cybersecurity exercises such as CyberBoat are an exciting opportunity to assist in the growth of the next generation of reverse engineers through training and mentorship. Students and mentors are placed in an environment that facilitates collaboration and creative thinking with a single end goal in mind, break the target system. The Hackathon style environment created by this challenge encourages students to identify an attack method or technique they are interested in experimenting with and then provide them with the guidance required to achieve their goal. Students investigated protocol attacks, RF message injection and jamming and even GPS spoofing to influence the behavior of the target systems. The practical experience, exposure to new targets and ability to experiment with new attack vectors made this exercise beneficial to all that attended.

While there, Sognefest presented a two-hour class to the students on the process taken to perform an assessment against an embedded target and he and Thayer served as mentors for the practicum portion, a six-hour hands on assessment on the final day of the challenge.

“This event is a great opportunity for young engineers to develop their public speaking skills, gain mentors and get on a solid path toward a successful career in cybersecurity.” said Thayer. “The challenge is in its first year but was modeled after other great challenges like CyberAuto and CyberTruck.”

The day one class agenda provided students with an understanding of the basics of ship systems and the sensors that they have aboard with classes presented by Fathom5 and Digital Silence like Maritime ICS Protocol Exploitation, Maritime Sensor Exploitation, SDR and GPS and Maritime Testbed Assessment & CTF.

Class structure for day two was focused on providing students with knowledge of the adversarial process, tools and protocols that they would need to perform their assessment on day three. Classes were led by GRIMM, Colorado State University, Fathom5, Libertas and AIS.

To prepare for their presentation on how to conduct an assessment, Thayer and Sognefest were provided access to a Sofar Spotter Buoy to perform a security assessment on. Their findings and process would then be reviewed in their presentation, ‘Hack to Hack’ the next day.

Sognefest led the ‘Hack to Hack’ presentation, detailing the process used to perform an assessment. Basic analysis approach and examples were provided using a vulnerable IoTGoat image and basic host level information gathering, recon and attack techniques. He then exposed the students to the Spotter Buoy and applied the same process to that piece of hardware, interactively walking them through the information gathering phase, searching the FCC database, browsing through the vendor’s website and basic device interaction.

With global tensions rising, the cybersecurity threat landscape continues to get progressively more dangerous. Staying ahead of threats requires expertise and guidance and knowing your vulnerabilities is key in preventing cyber attacks.

We’ve learned from recent attacks that Russia is actively targeting and exploiting infrastructure and public/private businesses to further their political objectives. Organizations who do business with or in Ukraine, are contractors with the Department of Defense or are a part of critical infrastructure as defined by Presidential Policy Directive 21 (PPD-21), are more likely to be a direct target of these attacks

It’s vital for organizations to adopt a heightened state of awareness and conduct proactive threat hunting to protect themselves against emerging threats. We have the expertise necessary to help strengthen your business’s cyber posture: