ISC StormCast for Thursday, July 17th 2014

Keeping the RATs out: an exercise in building IOCs - Part 1

Published: 2014-07-16
Last Updated: 2014-07-16 07:35:17 UTC
by Russ McRee (Version: 1)
2 comment(s)

Reader Jake sent us an awesome bundle of RAT-related mayhem collected during performance of his duties while investigating the unfortunate and prolonged compromise of a company we'll fictitiously call Hazrat Supply.
Guess what?  The RAT that was plaguing the Hazrat Supply environment was proxying traffic back to a Chinese hosting company.
This is my shocked face.

Shocked face

Really, I'm shocked, can you tell?

With the plethora of malicious files shared with us in this package it represents a huge opportunity to create some related IOCs with Mandiant's IOCe as well as run some of this evil through my preferred toolkit with which to identify then build said IOCs. We'll do this in three parts as I'm handler on duty for the next three days (lucky you); there's lots here to play with (lucky me).

Let me give you a quick manifest first:

bybtt.cc3    MD5 c2f0ba16a767d839782a36f8f5bbfcbc

mylcx.exe    MD5 4984fd547065ddcd781b068c4493ead6

PwDump7.exe    MD5 d1337b9e8bac0ee285492b89f895cadb

svchost.exe    MD5 20a6310b50d31b3da823ed00276e8a50

Ironically the RDP server the attackers used, RemoteMany3389.exe, is not flagged as malicious by AV detection. Apparently it's a legitimate China. :-)
Seemingly so too is the file locker they used, xlkfs.sys, courtesy of XOSLAB.COM (signed by Yang Ping). Hey, thanks for signing it, I trust it more.
I'm going to go out on a limb here (not really) and say treat these files as flagrantly hostile.
Hit the big red button if they happen to be on your systems along with their malicious compatriots cited above.
Here are their hashes regardless:
RemoteMany3389.exe    MD5 c9913698afc7288b850f3af602f50819
xlkfs.sys        MD5 4aa2d2975d649d2e18440da0f3f67105

Building IOCs with Mandiant IOCe is in many ways straight forward for simple logic, you'll need to understand AND and OR substructures to build more complex logic branches.
Read the user guide that's installed with the editor.
I took just a few attributes (MD5, SHA1, file size) to start my IOC file for HackTool:Win32/Zeloxat.A as seen in Figure 1.


Figure 1

I'll be populating this further and sharing the full IOC file set for each of these samples upon request after Friday's shift.
Tweet me for them @holisticinfosec or email me via russ at holisticinfosec dot org.

Tomorrow, I'll run Jake's dump file for svchost.exe through Volatility to see what we can further learn and use to create additional IOCs.
Stay tuned.

Russ McRee | @holisticinfosec

2 comment(s)


Diary Archives