
Sandbox gems for CTI rookies - Ertugrul Kara

BSides Bournemouth · 20:22 · 42 views · Published 2025-09
About this talk
🎤 Talk Title: Sandbox gems for CTI rookies

👤 Speaker: Ertugrul Kara

📝 Abstract: Malware sandboxes often feel like black boxes — they run a sample, dump indicators, and that’s it. But what if every sandbox report is actually a doorway into the attacker's toolkit, infrastructure, and tradecraft? In this talk, we follow the trail of a commodity stealer, VIPKeylogger, and show how a single sandbox report can lead to a much bigger picture, starting with simple SMTP exfil patterns, compromised webmails, links to GuLoader staging activity, and Telegram bots used for alternative data exfiltration. Along the way, we show how threat actors are weaponizing legitimate infrastructure to fly under the radar. This session is designed for junior analysts and aspiring threat hunters. It focuses on how to pivot from sandbox data using free tools — not just to find IOCs, but to build context, spot patterns, and develop your investigative instincts. If you’ve ever felt stuck staring at a sandbox report, this talk will help you see the story hiding inside it.

⚓ This talk was recorded live at BSides Bournemouth 2025 on 16th August 2025 — a community-driven cybersecurity conference bringing together researchers, practitioners, and enthusiasts to share knowledge, skills, and ideas.

🌐 Learn more: https://bsides-bournemouth.org/

💼 Connect with us: https://www.linkedin.com/company/bsid...
Transcript [en]

All right. Hello everyone. Again, it's great to be here. I think it has been a great event so far, and we are almost there, but actually it was really great, and I would want it to last longer. So I'm R2. I do product marketing at VMRay. VMRay is an advanced threat analysis and sandboxing company. So I am most of the time in between the business and the technical side of things. It's a good place to be in, and today my topic is around sandboxes and how to use sandbox outputs via a CTI mindset.

So a little bit about me. I have spent most of my career with startups and scale-ups in cyber security, for over 10 years. I got some entrepreneurship journey as well: I started my own company. It didn't go well, it failed, but I have some good learnings. And previously I worked for SOCRadar, a threat intel company, as well. I like speaking and sharing stuff that I learn, and I'm obviously a learner also in the CTI space. I like running, and I have two plus one kids, as you can see the plus one here, when we were on a ferry from Holland to the UK island. And if you ask this robot, it's kind of a clue how you can pronounce my name: R2. So yeah.

So today we will talk about sandboxes, and most of our focus will be on a commodity malware, which is VIPKeylogger. I had my time to take a look at hundreds of sandbox reports focusing on this specific malware. So I'm going to just share my kind of mind map, from where I started to where I have gone, again looking at the sandbox report outputs from a CTI mindset: how I can gather some insight. That was kind of the idea I wanted to share with you. So yeah, we will go through all the config extraction, we will also do some pivoting as the time allows, and at the end we're going to come up with some insight shares. Yeah, let's go.

So a quick disclaimer. These are my opinions, my slides. As you can see there is no company logo or something. And I have a GitHub repo where I am sharing all the links to the sandbox reports, so you can go check it out. Obviously the sandbox we used here was the VMRay one, the cloud instance, which is one of VMRay's offerings on top of on-prem. The samples were kind of from VirusTotal via YARA hunts, and from our own threat feed portal, which is accessible to the public, where we are continuously sharing the reports.

With regards to sandboxes, typically what we see from organizations is that they start this journey via incident response. They have some samples they would like to analyze; they would like to see the behavior of the sample. So it's most of the time manual, and most of the time specifically focusing on the analysis, mainly by reverse engineers and malware analysts. And there are other use cases like detection and automation as well: to integrate a sandbox with an EDR or with a SOAR so that it can analyze phishing emails and all the bad stuff in an automated way. There's also some use case around research; I'm also aware, for example, that Brightwell is doing a good job in this, so I'm a fan of their blog posts. There are also other companies, and we at VMRay as well have a labs team doing research with sandbox data. Today, as I said, it's focusing on CTI, but because CTI actually comes on top of this SOC foundation, most of the time the organizations start the CTI journey with the time they spare from other activities, or the time the analysts can probably spend on it. So it requires some kind of, let's say, maturity, but most of the time resources. So it is kind of still not there yet. That's why I wanted to highlight how you can use a sandbox for CTI people and that mindset.

And the thing is, here the case is actually assuming that you have an RFI, a targeted RFI, to gather some insights around a specific tradecraft, which will be VIPKeylogger. So this is the typical, just to show you what you can expect from a sandbox, for those of you who are not hands-on or not familiar. So kind of the high-level view. There are specific sections, and in each section actually there are some gems, some useful data that can be useful to satisfy this request, to reply to this request with some useful data.

And the first thing to look at when we look at the sandbox report is actually, as you can see in this red square, the verdict. Which is great, you know, to have that verdict in the report at your first look, and when it is malicious especially it is great. But for today actually I'm not happy with that, just looking at the verdict, because I would like to have insights. In the automation use case it would be great, for example, to take quick actions around the verdict; for example if there's an email, you've got to get back to the user as quickly as possible, not to disrupt any operations. You've got to analyze the email and you want to see if this is really a malicious email or not.

Another thing here: as I submit the sample, I get the report, and I see here actually, I was expecting VIPKeylogger, because on my YARA hunt it was a hit on the VIPKeylogger YARA rule, but here, interestingly, there's another malware, which is GuLoader, which is actually the downloader category. So that's a good input. And also the name of the sample that I find is already starting to give me some clues. For example, as you can see here, I'm not really familiar with Spanish, but it looks like Spanish, and also it looks like Turkish, my native language: "factura" probably means something like invoice, and probably it is a campaign theme in this case.

So where are the IOCs? So the juicy stuff, and this is by Will, our friend, so I find this meme relevant. Of course it would be good to have IOCs, and typically as a threat intel analyst probably the first thing you may want to check would be specifically the IOC section of the report. But as I look at it, I find it kind of disappointing, because there's not even an IP address, you know, there are not too many domains or stuff. So I just see some files and some hashes, and it's not kind of enough for me. Yeah, I see here a URL at Google, so I can understand that probably the malware is using this, I mean, alleged infrastructure for some reason. But still, at the same time I have in mind the pyramid of pain. I would like to go up through this pyramid.

So another section: actually the first thing that helps the sandbox to classify malware is the YARA matches, and here the idea behind this slide was, based on our previous analysis, somebody was able to create a YARA rule so that right now we are able to catch at first that this sample is VIPKeylogger. So this is, for example, showing partially the match. You can see there are some function strings, and one other thing is actually based on runtime memory, so memory dumps. So these similar strings have been identified. That's kind of good to have this data, because as part of replying to that RFI, probably in that report we would want to give some detection clues to the detection engineers. So this is kind of how it works. So good data.

And the process tree. As we can see, in the middle there's PowerShell, and there are some other executables as well, and at the end actually we know that VIPKeylogger got executed. I just had a quick visit to VT, kind of a partial pivot, and what I wanted to see was if there is any execution parent for this file, and the thing is, yes there was. So actually this is another clue that in the campaign they probably used an email, and attached to that email there was a RAR attachment. So you know the user just clicked all of the things and at the end managed to get infected.

So continuing on with the behavioral markers that I have seen on the sandbox. Here actually my question is: why is there GuLoader, right? It was a keylogger sample. Actually this explains why there is a loader, because GuLoader's only job, its only focus, is really to get past the security tools and sandboxes, and it can employ anti-analysis and evasion tricks. And here, what we can see, I'm not going into the details of this, but GuLoader is kind of making the space ready for VIPKeylogger, and here we can see obviously the keylogger's main activities, like reading sensitive mail data. So we understand that the keylogger is especially after stealing the mail credentials, as well as the sensitive browser data; that means autofill, passwords, everything saved in the browsers.

So, more into the gems: as part of the report we have malware config extraction data, and there are actually two configs, since there are two malwares, GuLoader and VIPKeylogger. For GuLoader, I mean, its only job, it's kind of a shellcode, highly obfuscated, and the point for GuLoader is to access this Google Drive link and download the payload that would ultimately end up with the VIPKeylogger infection. And with regards to sandboxes, actually there's one good thing: when you see such a link, it's not passive; it can go automatically to that link and download the payload, so you can have some details around it. Although it seems here that it looks clean, it's part of the whole attack chain. But still it's good that you don't have to submit it again, or you don't have to interact with it. So actually the sandbox already automated, you know, moving around, and managed to find that payload which was needed for the malware to run properly, so that we ended up with the VIPKeylogger execution and this malware config data.

And from here it's getting really interesting, because when I look at that, I see that there is an SMTP exfiltration going on, and actually there's username and password data, so credentials, and when I look at that it can easily be seen that this kind of looks like a legitimate domain here. So here, as you can see, there's a Gmail address, which is probably the attacker, using this mail server, forwarding this stolen data to his own brand new Gmail address. And from here actually the CTI mindset says, also based on the reports that I reviewed, I have seen that this is kind of a pattern for VIPKeylogger samples: there are a lot of legit domains that this malware is using. And that's kind of a question: how did the attacker manage to get all these credentials around legit mail servers? This was kind of the question, and I'm also noting down that there are some interesting mail addresses like logistics, info, expo. So this is not like a personal mail address. So they were not after one specific email. So it doesn't seem random. It triggers a thought like: maybe the mail servers all got compromised so that they were able to access these email accounts, or what? So this was the hypothesis, and actually I wanted to check out if this is the case, and I found out this vulnerability of Roundcube mail servers. I didn't find the vulnerability, but I found that it's published. And every year it seems that there's a pattern: there's a critical one and it's very easy to exploit, to understand what's going on. So I went ahead and checked out, for example, this domain on faux, and I managed to also do the same query for some other domains, and actually there are similar findings, but not really for all of them. So at the end actually my conclusion was it was an infostealer. And actually I used another pivot point, I used the free edition of SOCRadar, and the reference to this domain, again, it was included in stealers.

From there on actually I would like to get some insights around how I can make this more useful for detection engineers. And when you actually query a hash in VirusTotal you can get some Sigma rule matches, and that's available in the free edition, and one of the matches actually is a good one, a high severity one: script execution from the temp folder. And actually, as you can see from the sandbox data, you could see the command line, the PowerShell command, and here actually this got matched, so the executable ran from the temp folder. And this was kind of a good match for the existing Sigma rule. And again, it's from a learning perspective, you know, how to make use of sandbox data, the kind of approach I have.

And the second thing, I was just looking to see if there is something not found yet. So actually I found one, which is another network connection that I got from the report; there's an IP lookup, a free GeoIP service, and it wasn't available somehow in the crowdsourced Sigma rules. And what you can do is, when you have such a finding, you can always just go ahead and create your own Sigma rules. And actually, yeah, first I checked on VirusTotal if it is really malicious, and it seems like it's really malicious, and then by using some LLM Sigma rule generator I was able to generate the Sigma rule. Of course this is some basics, some easy thing, but still it can give you an idea on how to use it. And I share the TTPs also on the GitHub repo for VIPKeylogger. But it's also good to have this visibility: as you analyze more samples, you will probably have some patterns, and that would be a win.

So most of the insights here I was able to communicate during the presentation. But one other thing is the industry focus. I have seen that there is a focus around especially logistics, manufacturing, construction, and one thing to highlight is the supply chain risk. So this is very common out there, and small firms, you know, they are very exposed to this kind of risk, and they are doing business with bigger firms. So it's always good to keep in mind that this type of supply chain risk exists out there.

And the takeaways: again, this was kind of a roundup of insights from VIPKeylogger specifically. If you would like to go one step further to attribution, it's a good start, because when you look at a well-known model, the diamond model, actually you're kind of having clues around infrastructure and capability. So two corners of the diamond model, which would probably connect you to the adversary. So yeah, in my opinion, malware kind of tells the real best stories, of course with the help of different tools, and in this presentation I wanted to mention some of them, which are mostly free, not the sandbox unfortunately. And of course every pivot is kind of curiosity-driven, and the sandbox could be a good starting point. Hopefully you find it useful. And one last note, yeah, I found this meme very relevant, but commodity malware is still a thing that we need to take a look at. So it's not always the APTs and the sophisticated threats. This is very easy to access for cyber criminals. Yeah, that was it from me. Thank you so much.

I will be around if you have questions.

>> Thanks.
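As an added example that is not part of the talk or of VMRay's tooling, the script below runs the three pivots the speaker makes by hand (a binary or script launched from the Temp folder, SMTP exfiltration from a mailbox on a legitimate third-party domain to a fresh webmail address, and a connection to a GeoIP lookup service) over constructed sandbox-report artefacts. All paths, domains, URLs, the webmail list and the GeoIP regex are assumptions, not values from the report.

```python
import re

# Constructed stand-ins for the report sections the talk walks through:
# process-tree command lines, malware config extraction, network IOCs.
PROCESS_LOG = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden "
    r"-ep bypass -f C:\Users\u\AppData\Local\Temp\stage.ps1",
    r"C:\Users\u\AppData\Local\Temp\Factura_0001.exe",
    r"C:\Program Files\Viewer\viewer.exe C:\Users\u\Documents\doc.pdf",
]
MALWARE_CONFIG = {                                   # constructed values
    "exfil": "SMTP",
    "smtp_host": "mail.example-logistics.test",
    "smtp_user": "info@example-logistics.test",
    "recipient": "collector.example@gmail.com",
}
NETWORK = ["https://drive.google.com/uc?id=PLACEHOLDER",   # placeholder id
           "https://geoip.example/json/"]                  # constructed

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WEBMAIL = {"gmail.com", "outlook.com", "yandex.com"}      # assumed list
GEOIP_HINT = re.compile(r"geoip|ip-?api|ipinfo", re.IGNORECASE)  # assumed


def temp_executions(cmdlines):
    """Sigma-style check from the talk: a script or binary launched out of
    the user's Temp folder (the PowerShell command line matched this)."""
    return [c for c in cmdlines if TEMP_DIR.search(c)]


def exfil_findings(cfg):
    """The talk's SMTP pattern: the sending account lives on a legitimate
    third-party domain while the recipient is a webmail address."""
    if cfg.get("exfil") != "SMTP":
        return []
    sender_dom = cfg["smtp_user"].rsplit("@", 1)[-1].lower()
    rcpt_dom = cfg["recipient"].rsplit("@", 1)[-1].lower()
    findings = [f"pivot on compromised mailbox domain: {sender_dom}"]
    if rcpt_dom in WEBMAIL and rcpt_dom != sender_dom:
        findings.append(f"stolen data forwarded to webmail: {rcpt_dom}")
    return findings


def geoip_lookups(urls):
    """Network IOC the talk wrote a custom Sigma rule for: GeoIP lookups."""
    return [u for u in urls if GEOIP_HINT.search(u)]


def triage(cmdlines=PROCESS_LOG, cfg=MALWARE_CONFIG, urls=NETWORK):
    """Collect every pivot into one dict, keyed by report section."""
    return {"temp_exec": temp_executions(cmdlines),
            "exfil": exfil_findings(cfg),
            "geoip": geoip_lookups(urls)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section, hits)
```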