Cisco : Protecting against the latest variant of H1N1

Cisco Blog >Security

This is the third and final installment in our technical analysis of the H1N1 loader. In case you missed it, my colleague Josh Reynolds peeled apart the latest variant of H1N1 and analyzed its obfuscation tactics and techniques in the first blog, and in the second blog provides deep technical analysis of its execution.

While we are very lucky to spend time dissecting malware and doing all this analysis and research, ultimately we need to turn this into something tangible (other than this blog). We have broken down this malware and now will discuss how we are creating capabilities in Cisco's Advanced Malware Protection (AMP) technologies to mitigate these and other threats in the future.

AMP Threat Grid provides coverage and convictions of these variants with its current generic indicator sets as discussed in the first blog post of this series. These include: identification of the document dropping an executable, deletion of shadow copies, disabling recovery functionality, and the VBA macro obfuscation techniques:

These indicators provide insight into malicious behaviors performed by H1N1, and provide conviction capabilities even without directly identifying H1N1 families. This highlights the power of identifying behaviors themselves as opposed to making use of static signatures for conviction of malware samples.

AMP for Endpoints Coverage

When AMP Threat Grid analyzes a file, the subsequent results are sent to the AMP knowledgebase. Thanks to this, AMP for Endpoints can detect several techniques used by H1N1 throughout its execution lifecycle using Indicators of Compromise (IOC). These IOCs provide a means of detecting a wide variety of attack vectors. These are seen in the Device Trajectory screen, which provides a view of process activity on the monitored system and any accompanying events that have occurred. The indicators of Compromise that trigger in the case of H1N1 include:

Self-propagation/lateral movement through recycling bin executions (W32.Trojan.Recycle.RET):

Generic Botnet Communication when the command and control server is contacted:

Intelligence

AMP Threat Grid can be leveraged to gain a large amount of intelligence from a seemingly small amount of information. We will look into how a single SHA256 can be used to search for additional indicators of compromise and tell us more about the malware family in question. To demonstrate this, I have selected a SHA256 from our list of indicators:

SHA256: 35364eec4a1bced57f333e09b63fbbc0d6fc2b3b624c519cc011e0c551d1ef9b

We start by plugging this hash into Maltego leveraging transforms for AMP Threat Grid :

We immediately see a number of samples have been submitted to AMP Threat Grid with this SHA256. Next we will again leverage the AMP Threat Grid transforms to provide us with the domain's and IP addresses these samples are communicating with:

Now, in order to expand our data set we will use the tgDomain2SID and tgIP2SID transforms to relate associated domains and IPs back to any samples that may be using them. This gives us a plethora of new data to work with:

We observe the domain parothenda[dot]com is associated with the majority of the malicious samples we have discovered up to this point. To find more about this domain we can make use of OpenDNS Investigate:

OpenDNS is declaring that this domain is malicious which aligns with our current theory. The domain was created recently and saw activity approximately one week after its creation. This tells us that this campaign is recent, and ongoing. It also shows distinct activity periods, which can indicate the behavior of the actors behind the campaign, since there are periods of higher activity alternating with periods of little to no activity. The last point of interest is the registrant e-mail address. Since there are 178 domains registered to this single e-mail and 177 of them are malicious. This is a data point to explore.

Armed with this new information we will go back to Maltego. We will start by discovering the domain's and IP's associated with this registrant email address:

We can see from this view that a number of IPs are overlapping with domains used by this actor. This shows the actor's tendency to reuse existing infrastructure for separate or overlapping campaigns.

Expanding on this, we see a number of malicious samples known to AMP Threat Grid are associated with each of these domains:

We are also given an alias for this e-mail address which is an additional data point to explore. This view gets very interesting as we continue to zoom out:

Here we see the registrant e-mail address associated with domains. Each domain has a cluster of malicious samples surrounding them. This indicates that there is a large amount of domains associated with numerous samples over time. This demonstrates a level of sophistication we had not witnessed in our earlier discoveries. Having a large number of domains could indicate sophistication (although lacking in operational security through the use of a single e-mail address), and likely indicates the use of different domains between campaigns and/or targets.

Now let us take a step back and look again at the domains we discovered. We see below a number of domains AMP Threat Grid has seen which also resolves to the IP addresses associated with these domains:

Digging into these new indicators we find they are registered using a private registration service:

For many, this may be an ending point. We will stop our pivoting on the networking data and take a look in AMP Threat Grid to see if there are any samples associated with these domains:

At first glance we see there are a lot of samples associated with the domains as we expand out. Circular nodes are individual with square nodes being groups 25 or more. Now, the possibilities get a lot more interesting. Exploring the indicators for the H1N1 campaign we now have connections to thousands of other malware samples. Let's see what we can learn!

As we explore the groups of malware further, we see these behavioral indicators (generated by AMP Threat Grid) associated with the malware communicating with the infrastructure around H1N1:

There are two scenarios for this. First, it is possible the actors responsible for the development of H1N1 are also using their infrastructure as command and control routes for other malware based on the purposeful separation between malware, infrastructure, and the aliases used. The poor operational security mentioned before could also be a purposeful choice. However, at this time there is no definitive link between the H1N1 and the malware associated with the domains we discovered based on the network indicators.

The second possibility is the use of malicious infrastructure as a service. This is the more likely scenario given the overlapping network infrastructure, as well as the lack of overlapping indicators. If the first scenario was more likely, we would see other malware samples being distributed from the same command and control infrastructure.

H1N1 is a threat which has continued to evolve in the time since it first appeared. Combined with the research conducted by Malware Reversing (R136a1, 2016) we can see that H1N1 shares common attributes with other malware we have seen previously in the wild. H1N1 will continue to be a threat until it is no longer effective or the author decides to focus efforts on another project.

The nature of targeting in the campaigns stands in stark contrast to the operational security failures we discussed. Combined with the implementation of anti-forensics techniques we can see a sophistication of this actor over time.

Performing research in this manner allows us to provide contextual information around other threats. We see demonstrated above the ability to pivot off any information we may need to enable defenders to better understand the threat. Adding this context enables defenders to filter out the noise and reduce the false positives from their sensors. Access to dynamic analysis information allows incident responders to gain knowledge about a threat to aid remediation.

Conclusion

H1N1 is an example of the many dropper variants that continue to evolve over time, and become threats to your organization in and of themselves, as opposed to the sophisticated variants they are meant to drop. The amount of obfuscation within this binary demonstrates the length at which malware authors are prepared to protect their original code, and even with this amount of complexity there are still a large number of variants that present much larger challenges for analysts.

The intelligence research shows a broad range of malicious activity attributable to a single registrant email address that was found by using a single sample SHA256 to query intelligence within AMP Threat Grid and querying the resulting information within OpenDNS. We see a greater level of sophistication from the threat actor from their use of new domains to minimize detection or domain blacklisting, while also seeing infrastructure reuse based on a large number of domains associated with a single IP address.

In the case of H1N1 it is important to educate users to not open and enable macro content from questionable sources. This is especially true for documents that request users to do so outright, as these are typically social engineering attempts. Education can also assist in the case of file shortcut abuse by informing users that shortcuts can contain hidden malice even when they appear to be benign. User privilege restrictions could also prevent the UAC bypass in this case, since one of the requirements is for the user to reside within the local administrators group. Without the code residing within a high integrity process it may not be able to access all required areas for stealing information.

A layered security approach, such as that provided by the AMP ecosystem provides automated identification of unknown threats using behavioral indicators. This information is then fed back into AMP to protect all customers that may come into contact with these threats.