S4E01: KEGTAP-ing Out: Don't be a One Trickbot Pony
On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive and evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.
Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first-stage malware.
We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We also talk through how red team operators use this technique in their campaigns today, a discussion sparked by this great offensive security thread (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and one we expect to continue.
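As an added defender-side example (not code from the episode or from FireEye), the heuristic below scans an HTML email body for the shape both marketing trackers and pre-attack profiling beacons share: a remote image that is rendered invisibly and carries a per-recipient token. The sample message and the `.invalid` hostnames are constructed.

```python
"""Heuristic detector for email tracking pixels in an HTML message body.

Added example, not code from the podcast or from FireEye. Flags <img> elements
that point at a remote host and are rendered invisibly (1x1 / 0x0 dimensions,
or hidden via inline CSS), and extracts any query-string tokens that would tie
the image fetch back to a specific recipient.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Inline-CSS tricks commonly used to keep a beacon image out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|width\s*:\s*[01]px|height\s*:\s*[01]px",
    re.I,
)


class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attrs become ""
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images cannot beacon out when the mail is opened
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            # Per-recipient tokens in the query string turn an "open" into an identity.
            tokens = [v for vals in parse_qs(url.query).values() for v in vals]
            self.hits.append({"host": url.hostname, "src": src, "tokens": tokens, "hidden": hidden})


def find_tracking_pixels(html):
    """Return a list of suspected tracking-pixel images found in the HTML body."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.hits


# Constructed sample message (not a real email): a normal inline logo, a 1x1
# remote beacon with a recipient id, a visible remote banner, and a CSS-hidden beacon.
SAMPLE = """<html><body>
<p>Quarterly report attached.</p>
<img src="cid:logo" width="120" height="40">
<img src="https://track.example.invalid/o.gif?rid=a1b2c3&c=q1" width="1" height="1">
<img src="https://cdn.example.invalid/banner.png" width="600" height="200">
<img src="https://pix.example.invalid/p/7f9e" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE):
        print(hit)
```

Blocking or proxying remote image loads in the mail client defeats the beacon outright; the hit list is what a gateway could log or strip before delivery.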
Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile.
We also pivot into some potential use cases for fingerprinting Office versions. We discuss VBA macro stomping and the file format intricacies that require attackers to understand the version of Office a target may be using in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).
Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.
In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:
• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the title adored by Reddit's netsec sub (https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html)
• Matt and Glyer wrote about that time an exploit was actually bundled with ransomware & ETERNALBLUE (https://www.fireeye.com/blog/threat-research/2020/01/nice-try-501-ransomware-not-implemented.html)
• All of us worked with Mandiant consultants and Citrix to release the CVE-2019-19781 compromise host-based scanner (https://github.com/fireeye/ioc-scanner-CVE-2019-19781) and a detailed blog on how it was built and how it works (https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citrix-tool-scans-for-iocs-related-to-vulnerability.html)
We're hoping for defenders' sake that the pace of intrusion activity slows for the rest of 2020, but we've got you covered and will keep you up-to-date no matter which way this goes!