Sunday, June 5, 2016

RIG EK Traffic Analysis and Indicators

This blog post walks through the lab exercise from "malware-traffic-analysis.net" posted in June 2016. The focus is mainly on using Splunk as a SIEM tool to detect the pattern. This post assumes some basic working knowledge of Splunk, Suricata and Wireshark.

ASSOCIATED FILES:

ZIP archive with a PCAP of the traffic:  2016-06-03-traffic-analysis-exercise.pcap.zip   6.1 MB (6,111,571 bytes)
ZIP archive with malware or artifacts retrieved from Granny's infected computer:  2016-06-03-artifacts-from-infected-host.zip   753.8 kB (753,805 bytes)
ZIP archive with some suspicious emails Granny received:  2016-06-03-traffic-analysis-exercise-suspicious-emails.zip   30.2 kB (30,215 bytes)


Lab-Setup

My set-up runs tools like Suricata (IDS), Wireshark and Fiddler inside a separate instance for analysis and uses a Splunk universal forwarder to transport the logs to the Splunk core instance. Follow the post below to install Suricata and configure it to transport the logs to Splunk.


Navigate to the Suricata folder and run the following command.

suricata -c suricata.yaml -r input_pcap_file_location -l output_location_to_store_the_logs

Example,

root@brainfold-blackbox:/opt# suricata -c /opt/suricata-3.1.1/suricata.yaml -r /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-06-03-RIG_EK/2016-06-03-traffic-analysis-exercise.pcap -l /mnt/hgfs/Shared/network_traffic_analysis/CRIME/2016-06-03-RIG_EK/
<Notice> - This is Suricata version 3.1.1 RELEASE
 <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
<Notice> - Signal Received.  Stopping engine.
<Notice> - Pcap-file module read 12223 packets, 7567437 bytes

Suricata's eve.json output file contains several event_types, separating the activity into alert, dns, fileinfo, flow, http, stats and tls. This is very useful for identifying malicious events.

Once the traffic is loaded in Splunk, run Search-1 to find rare/uncommon http.hostname values, then Search-2 to understand the flow of events by unique host. In this instance, I have removed known good traffic such as google, facebook and twitter. It is better to keep a lookup file of known good http.hostname values to remove the noise. The highlighted traffic requires further triage.

Search-1 : index="suricata" sourcetype="pcap" source="*2016-06-03-traffic-analysis-exercise*" event_type=* | rare http.hostname



Search-2 : index="suricata" sourcetype="pcap" source="*2016-06-03-traffic-analysis-exercise*" event_type=* NOT (http.hostname="*google.com" OR http.hostname="*facebook.net" OR http.hostname="*bing.com" OR http.hostname="*facebook.com" OR http.hostname="*twitter.com") | table timestamp src_ip dest_ip http.status http.hostname http.url | dedup http.hostname | sort timestamp
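The same two-step triage can be run offline straight against eve.json. The script below is an added example, not part of the original post: the allowlist set stands in for the lookup file, the sample events are constructed, and the helper names are hypothetical. It matches allowlisted domains on a label boundary, which a leading-wildcard pattern such as "*google.com" does not do.

```python
import json
from collections import Counter

# Assumed allowlist standing in for the lookup file; domains are those excluded in Search-2.
KNOWN_GOOD = {"google.com", "facebook.net", "bing.com", "facebook.com", "twitter.com"}

# Constructed eve.json lines (hypothetical hosts and IPs, not from the exercise PCAP).
SAMPLE_EVE = """\
{"timestamp":"2016-06-03T14:00:01.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"www.google.com","url":"/","status":200}}
{"timestamp":"2016-06-03T14:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"rrname":"site.example"}}
{"timestamp":"2016-06-03T14:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.20","http":{"hostname":"site.example","url":"/js/menu.js","status":200}}
{"timestamp":"2016-06-03T14:00:04.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.30","http":{"hostname":"gate.example","url":"/var","status":200}}
{"timestamp":"2016-06-03T14:00:05.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.40","http":{"hostname":"notgoogle.com","url":"/","status":200}}
{"timestamp":"2016-06-03T14:00:06.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","http":{"hostname":"www.google.com","url":"/search","status":200}}
{"timestamp":"2016-06-03T14:00:07.0000
"""

def is_known_good(hostname, allow=KNOWN_GOOD):
    """Match on a label boundary, so 'notgoogle.com' is not treated as google.com."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow)

def load_http_events(text):
    """Yield http events from newline-delimited eve.json, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partial line, as in the last sample row
        if isinstance(ev, dict) and ev.get("event_type") == "http" and ev.get("http", {}).get("hostname"):
            yield ev

def rare_hostnames(events, limit=10):
    """Search-1 analogue (`| rare http.hostname`): least frequent hostnames first."""
    counts = Counter(ev["http"]["hostname"] for ev in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]

def first_seen_unknown(events):
    """Search-2 analogue: drop allowlisted hosts, keep the earliest event per hostname, in time order."""
    first = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not is_known_good(ev["http"]["hostname"]):
            first.setdefault(ev["http"]["hostname"], ev)
    return [(e["timestamp"], e["src_ip"], e["dest_ip"], e["http"].get("status"), h, e["http"].get("url"))
            for h, e in first.items()]

if __name__ == "__main__":
    events = list(load_http_events(SAMPLE_EVE))
    print(rare_hostnames(events))
    print(*first_seen_unknown(events), sep="\n")
```

Sorting on the raw timestamp string assumes every event carries the same UTC offset, as Suricata writes them for a single PCAP run.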



At this point, I know there is some odd-looking traffic that requires further investigation.
Below are some of the evidence screenshots taken during the triage:

ET Signatures

Http Traffic

Files Downloaded

DNS Traffic

At this point, I need to review the actual pcap file in Wireshark to determine the IP address, the infected host and the payload information, which would typically not be available in Splunk.



As noted in the SANS diary, the sequence of typical RIG EK events is:
  1. User visits a website compromised by this actor.
  2. An HTTP GET request for a .js file from the compromised site returns text with malicious script appended to it.
  3. An HTTP GET request to the gate returns a variable used by the malicious script.
  4. The variable sent by the gate is decrypted, and an HTTP GET request for the EK landing page is sent.


Next, export the HTTP objects from Wireshark to decrypt and analyse the downloaded files.