Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Reverse Deception: Organized Cyber Threat Counter-Exploitation (67 page)
cmd:
This information was quite useful for the examiners. They were able to validate that the attached files were malicious, and they were able to gain crucial intelligence on the actual infection technique and the initial sequence of events that transpired on the system while Mr. Smith had been sitting in his office waiting for the security team to arrive. Shortly after these commands were executed, the security team also saw that since the .p12 file for Mr. Smith was on the system, they could identify that it had in fact been sent out to a host that was resolving to
www.marinetimemac.com
at that time. It downloaded an XML file once the appropriate verification had been made by the Trojan that the server was up and that the system could reach the file that was needed from the server. This was an XML file that would be used as an instruction list of tools that support a Linux-based interface that allows remote connections and issuances of various Unix commands on a Windows host, without the host knowing of its presence.
The modules that were listed in the XML file that was downloaded from the
www.marinetimemac.com
host supported Xfce, which runs a number of core components for the minimum tasks you would expect from a desktop environment (such as window, desktop, session, file, and settings managers). Most important is that this tool also provides the ability for remote Secure Shell (SSH) connections. The following is a short list of the captured Xfce packages that were remotely installed by the attacker in this incident:
NOTE
Xfce is a great open source project and is in no way malicious in and of itself. It just so happened that the attackers favored this methodology for performing remote control of Mr. Smith’s system. Xfce was installed on the system by the attackers and was not originally a part of the system build.
The next step the examiners took was to contact their counterintelligence group and inform them of their findings. After a dialogue of the observed events, it was determined that active responses were needed for a threat of this motivation and skill. The modules that were loaded onto the honeypot system were analyzed. Since this system was a six-month-old image and the true image of Mr. Smith, the cyber counterintelligence (CCI) security team went to work. They opened a dialogue with Mr. Smith and provided him with a temporary operating account that had a moderate attribution layer while his account was being investigated. The CCI team began copying some of the more recent information off of Mr. Smith’s laptop after examining what the stage-two Trojan had been seen searching for, which were files of the following types: