Remote File Copy

From ATT&CK
Technique: Remote File Copy
ID: T1105
Tactic: Command and Control, Lateral Movement
Platform: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Permissions Required: User
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Requires Network: Yes

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Tools may be brought into the victim network from an external, adversary-controlled system over the Command and Control channel, or through an alternate protocol such as FTP using a separate tool.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution, using the file-sharing protocols already present in the environment: copying over SMB to connected network shares, or through authenticated connections to Windows Admin Shares or Remote Desktop Protocol.

Examples

  • After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.[1] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.[2]
  • After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[3]
  • Several Lazarus Group malware families are capable of downloading and executing binaries from their C2 server.[4][5]
  • A Patchwork payload downloads additional malware from the C2 server.[6]
  • Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[7]
  • CHOPSTICK is capable of performing remote file transmission.[8]
  • LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[9]
  • JHUHUGIT retrieves and executes an additional payload from its C2 server.[10]
  • SeaDuke is capable of uploading and downloading files.[11]
  • CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[12]
  • RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[13]
  • DustySky searches for network drives and removable media and duplicates itself onto them.[14]
  • HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[3]
  • Sakula has the capability to download files.[15]
  • CallMe has the capability to download a file to the victim from the C2 server.[16]
  • Psylo has a command to download a file to the system from its C2 server.[16]
  • MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[16]
  • Mivast has the capability to download and execute .exe files.[17]
  • Emissary has the capability to download files from the C2 server.[18]
  • Misdat is capable of downloading files from the C2 server.[19]
  • ZLib has the ability to download files.[19]
  • Hi-Zor has the ability to upload and download files from its C2 server.[20]
  • Kasidet has the ability to download and execute additional files.[21]
  • Agent.btz attempts to download an encrypted binary from a specified domain.[22]
  • Trojan.Karagany can upload, download, and execute files on the victim.[23]
  • cmd can be used to copy files to a remotely connected system.[24]
  • Crimson contains a command to retrieve files from its C2 server.[25]
  • XTunnel is capable of downloading additional files.[26]
  • Nidiran can download and execute files.[27]
  • Pisloader has a command to upload a file to the victim machine.[28]
  • Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[29][30]
  • BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[31]
  • Unknown Logger is capable of downloading remote files.[31]
  • H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[32]
  • After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[33]
  • CORESHELL downloads another dropper from its C2 server.[34]
  • PowerDuke has a command to download a file.[35]
  • Shamoon can download an executable to run on the victim.[36]
  • ChChes is capable of downloading files, including additional modules.[37][38]
  • POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[39]
  • Pteranodon can download and execute additional files.[7]
  • RTM can download additional files.[40]

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[41]

Detection

Monitor for file creation and for files transferred within the network over SMB. An unusual process that holds external network connections and creates files on the system may be suspicious. Use of transfer utilities, such as FTP, that do not normally appear in the environment may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[41]
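The four heuristics in the two Detection paragraphs above, expressed as code and run over a handful of constructed process/flow observations. This is an added example, not ATT&CK's own tooling: the event rows, the process baseline, the internal address ranges, the list of uncommon transfer tools (only ftp.exe, which the page names) and the byte-ratio thresholds are all assumptions chosen to make the heuristics fire.

```python
"""Added example: T1105 detection heuristics run over constructed sample
telemetry. Not real logs and not ATT&CK's code; all values are assumptions."""
from ipaddress import ip_address, ip_network

# Constructed sample observations: one row per (host, process, destination)
# with byte counts and any files the process wrote while the connection was open.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "chrome.exe",   "dst": "93.184.216.34", "sent": 4_200,      "recv": 1_800_000, "files_written": []},
    {"host": "ws01", "process": "outlook.exe",  "dst": "10.0.0.25",     "sent": 120_000,    "recv": 3_400_000, "files_written": []},
    {"host": "ws01", "process": "svchost.exe",  "dst": "10.0.0.10",     "sent": 9_000,      "recv": 15_000,    "files_written": []},
    {"host": "ws02", "process": "ftp.exe",      "dst": "203.0.113.7",   "sent": 2_000,      "recv": 650_000,   "files_written": [r"C:\Users\Public\update.exe"]},
    {"host": "ws03", "process": "winword.exe",  "dst": "198.51.100.9",  "sent": 52_000_000, "recv": 30_000,    "files_written": []},
    {"host": "ws03", "process": "explorer.exe", "dst": "10.0.0.41",     "sent": 25_000_000, "recv": 40_000,    "files_written": []},
]

# Constructed baseline: processes seen using the network during a learning window.
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe", "explorer.exe"}

# Transfer utilities that do not normally appear in this environment (assumption;
# the page names FTP, so only ftp.exe is listed here).
UNCOMMON_TRANSFER_TOOLS = {"ftp.exe"}

# Assumed internal address space (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def unusual_network_processes(events, baseline=BASELINE_NETWORK_PROCESSES):
    """Processes using the network that were never seen doing so in the baseline."""
    return sorted({e["process"] for e in events if e["process"] not in baseline})


def external_writers(events):
    """Processes with an external connection that also created files on the host."""
    return [(e["host"], e["process"], list(e["files_written"]))
            for e in events if is_external(e["dst"]) and e["files_written"]]


def uncommon_transfer_tool_use(events, tools=UNCOMMON_TRANSFER_TOOLS):
    """Invocations of transfer utilities that do not normally occur."""
    return [(e["host"], e["process"], e["dst"])
            for e in events if e["process"].lower() in tools]


def outbound_heavy_flows(events, ratio=10.0, min_sent=1_000_000):
    """Flows where the client sends far more than it receives (assumed thresholds)."""
    hits = []
    for e in events:
        sent_recv_ratio = e["sent"] / max(e["recv"], 1)
        if e["sent"] >= min_sent and sent_recv_ratio >= ratio:
            hits.append((e["host"], e["process"], e["dst"], round(sent_recv_ratio, 1)))
    return hits


def run_detections(events=SAMPLE_EVENTS):
    """Apply every heuristic and return the findings keyed by heuristic name."""
    return {
        "unusual_network_process": unusual_network_processes(events),
        "external_connection_writes_file": external_writers(events),
        "uncommon_transfer_tool": uncommon_transfer_tool_use(events),
        "outbound_heavy_flow": outbound_heavy_flows(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

Each heuristic is deliberately weak on its own (winword.exe on the network is odd but not conclusive; a large internal upload from explorer.exe is usually a legitimate share copy), so the value is in the overlap: a process that is both new to the network and writing files, or both using an uncommon tool and talking to an external host, is what merits a look.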

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  4. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  6. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  7. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  8. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  9. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  10. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  11. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  12. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  13. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  14. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  15. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  16. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  17. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  18. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  19. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved February 25, 2016.
  20. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  21. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  22. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  23. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  24. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  25. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  26. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  27. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  28. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  29. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  30. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  31. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  32. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  33. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  34. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  35. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  36. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  37. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  38. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  39. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  40. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  41. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.