Introduction
FortiSandbox seamlessly integrates with various Security Fabric platform products, offering a straightforward approach to safeguarding against breaches. Upon detecting malicious code, FortiSandbox promptly responds by assigning risk ratings and instantly sharing local intelligence with Fortinet Security Fabric, Fabric-Ready Partners, and other security solutions.
This article showcases FortiSandbox's ability to identify and document the behaviors of a .NET based malware sample. FortiSandbox detected a recent malware that leverages event handling methods to load and execute an additional executable. The loaded executable then performs tasks such as creating registry entries for persistence, bypassing the firewall via netsh, configuring auto-start mechanisms, and ultimately attempting to connect to its command and control (C2) server. All the information in this article was gathered from the Job Detail report generated by FortiSandbox. Reverse engineering of the malware was also conducted to explore its other capabilities.
Through this exploration, readers will gain insight into robust detection mechanisms of FortiSandbox and its vital role in protecting against sophisticated malware threats.
Analysis
FortiSandbox documented the behaviors of the analyzed malware and provided visual aids for analysis. A Tree View diagram (Figure 1) illustrates the sequence of execution, outlining the chronological order in which various actions and processes occur within the malware. The visual representation offers valuable insights into the malware’s behavior, allowing analysts to trace the flow of operations and understand how the malware operates. Additionally, suspicious indicators triggered during the analysis were recorded (Figure 2), providing further context and aiding in the identification of potentially malicious activities.
Figure 1. Chain of execution run inside FortiSandbox
Figure 2. FortiSandbox indicators with severity rating
In the original malware (MD5: 40255b9f53ebb191c916ebfe09bf717d), it becomes clear that it employs a technique within the Windows Forms application to load an additional executable. Specifically, it utilizes the Form_Load() method, which runs when the form is first opened, to initialize data loading into the form, as depicted in Figure 3. This action triggers the loading and execution of its associated executable (MD5: f3c5c34e86d9752a45ca9465843fd4d9), showcased in Figure 4.
Figure 3. Form_Load() method to initialize data
Figure 4. Loading of an additional executable
Figure 5 showcases an indicator depicting the malware’s action of modifying its file attributes by setting them hidden. This action is a common tactic used by threat actors to evade detection, as hiding the file makes it less conspicuous and harder for security tools to identify and mitigate the threat. By concealing its presence, the malware increases its chances of remaining undetected and prolonging its malicious activities.
Figure 5. Modifying its file attributes to set the file hidden
Additionally, the malware uses the netsh command to add itself to the Windows Firewall exception list. This allows both inbound (incoming) and outbound (outgoing) network traffic for the malware through the Windows Firewall, facilitating its communication with external servers and potentially the exfiltration of data. This behavior is illustrated in Figure 6.
Figure 6. Command to add itself to the Windows Firewall exception list
The malware achieves persistence by utilizing two methods: first, it adds an entry to the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92289967baef8de17fd8346c4764a1ed, ensuring automatic execution upon system startup or user login. Additionally, it drops a copy of itself into the Startup folder. These combined actions ensure consistent execution, giving the malware ongoing control over the system. These behaviors, illustrated in Figure 7 and Figure 8 respectively, were captured by FortiSandbox.
Figure 7. Creation of the Run Registry for Automatic Execution
Figure 8. Malware copying itself into the Startup folder for Automatic Execution
Following an in-depth analysis of this malware, we uncovered its keylogging functionality, as illustrated in Figure 9. This capability is triggered when the user presses a key, enabling the malware to record all keystrokes made by the user, compromising the user’s privacy and security. By intercepting keyboard input, the malware captures each keystroke in real-time, logging the information for malicious purposes.
Figure 9. Code snippets that monitor and record the specific keys pressed by the user
Furthermore, the malware searches for specific processes associated with security analysis and terminates them upon detection. The targeted processes, including “taskmgr”, “process viewer”, “processhacker”, and “process explorer”, are tools for monitoring system activity and analyzing running processes, as showcased in Figure 10. By terminating these processes, the malware aims to evade detection, thereby prolonging its presence on the compromised system and maintaining stealth.
Figure 10. Malware searches for monitoring processes and attempts to terminate them
Lastly, the malware attempts to establish a connection to its Command and Control (C2) server located at http://197[.]207[.]172[.]44:5552. Upon successful connection, it begins transmitting the captured data, or the results of queries run on the compromised system, to the server. This allows threat actors to remotely receive and potentially exploit the sensitive information gathered from the infected system. Figure 11 shows that this behavior of retrieving the server's IP address was also captured by FortiSandbox.
Figure 11. Command and Control server IP address
Threat Mitigation
FortiSandbox serves as a crucial component in fortifying organizations against cyber threats by swiftly identifying and mitigating potential breaches. Through its seamless integration with Security Fabric platform products, FortiSandbox protects via Inline Scan and enhances collaborative threat intelligence sharing, enabling rapid response to emerging threats.
MITRE ATT&CK
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
TA0002 – Execution

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1059.003 | Windows Command Shell | The use of the Interaction.Shell method in .NET, invoking the Windows command shell to execute the ‘netsh’ command |
TA0004 – Persistence

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1547.001 | Boot or Logon AutoStart Execution | The file dropped suspicious file(s) to the startup folder |
| T1547.001 | Boot or Logon AutoStart Execution | The file applied low suspicious AutoStart registry modifications to start itself automatically |
| T1547.001 | Boot or Logon AutoStart Execution | This file prevented the AutoStart registry entry from being deleted |
TA0005 – Defense Evasion

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1562.001 | Disable or Modify Tools | The files try to use netsh to bypass the firewall |
| T1564.001 | Hidden Files and Directories | Executable tried to hide itself |
TA0011 – Command and Control

| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1571 | Uncommonly Used Port | Executable attempted to connect to a remote server on a non-standard port |
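As an added example (not from the article or from FortiSandbox), the following Python maps constructed sandbox-style events, modelled on the behaviors described in the Analysis section, to the technique IDs in the tables above. The event field names, file paths and command line are assumptions, and the matching rules are illustrative detection logic, not FortiSandbox's indicator engine.

```python
import re

# Constructed sandbox-style events modelled on the behaviours the article describes.
# Field names, paths and the command line are assumptions, not FortiSandbox's report schema.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c netsh firewall add allowedprogram "C:\Users\u\AppData\Roaming\x.exe" x ENABLE'},
    {"kind": "file_attrib", "path": r"C:\Users\u\AppData\Roaming\x.exe",
     "attributes": ["HIDDEN", "ARCHIVE"]},
    {"kind": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\92289967baef8de17fd8346c4764a1ed"},
    {"kind": "file_write",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.exe"},
    {"kind": "net_connect", "dst": "197.207.172.44", "port": 5552},  # C2 from the IOC table
    {"kind": "net_connect", "dst": "10.0.0.5", "port": 443},  # ordinary HTTPS, must not fire
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# "netsh firewall ... add" or "netsh advfirewall ... add": something added to the exception list
NETSH_FW_ADD = re.compile(r"\bnetsh(?:\.exe)?\s+(?:adv)?firewall\b.*\badd\b", re.I)
COMMON_PORTS = {53, 80, 443, 8080, 8443}  # any other destination port counts as uncommon

def classify(event):
    """Return the set of ATT&CK technique IDs a single event maps to."""
    hits = set()
    kind = event["kind"]
    if kind == "process":
        if event["image"].lower().endswith("\\cmd.exe"):
            hits.add("T1059.003")  # Windows Command Shell
        if NETSH_FW_ADD.search(event.get("cmdline", "")):
            hits.add("T1562.001")  # Disable or Modify Tools (firewall exception)
    elif kind == "file_attrib" and "HIDDEN" in event["attributes"]:
        hits.add("T1564.001")  # Hidden Files and Directories
    elif kind == "registry_set" and RUN_KEY.search(event["key"]):
        hits.add("T1547.001")  # Boot or Logon Autostart Execution (Run key)
    elif kind == "file_write" and STARTUP_DIR.search(event["path"]):
        hits.add("T1547.001")  # Boot or Logon Autostart Execution (Startup folder)
    elif kind == "net_connect" and event["port"] not in COMMON_PORTS:
        hits.add("T1571")  # Uncommonly Used Port
    return hits

def summarize(events):
    """Map each technique ID to the indices of the events that triggered it."""
    report = {}
    for i, event in enumerate(events):
        for tid in classify(event):
            report.setdefault(tid, []).append(i)
    return report
```

Running summarize(EVENTS) yields every technique in the tables above, with the benign HTTPS connection correctly producing no hit.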
IOC
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes |
| --- | --- | --- | --- | --- |
| Original Executable | 40255b9f53ebb191c916ebfe09bf717d | MD5 Hash | Installation | Original executable used to load another PE file |
| | A7d82032029357cb64d343529cdc0472c36614e7232029623ed69346af57cef3 | SHA256 Hash | | |
| Loaded executable | f3c5c34e86d9752a45ca9465843fd4d9 | MD5 Hash | Installation | Executable aimed at keylogging and establishing a C2 connection |
| | c291fec445a6b9f1a812ff6edb8324a16374e4ce4258bba431d903a173109f67 | SHA256 Hash | | |
| C&C site | | IP Address | C2 Server | C2 server where the malware sends the stolen information |
Summary
The detailed analysis of the .NET sample reveals the intricacy of contemporary malware delivery techniques, underscoring the imperative for proactive defense strategies. FortiSandbox’s robust detection capabilities efficiently identify and document the sample’s malicious behaviors, illustrating its pivotal role in fortifying defenses against the ever-evolving landscape of cyber threats. This thorough analysis not only highlights the sophistication of modern malware but also emphasizes the crucial need for advanced security solutions like FortiSandbox to mitigate potential risks and protect organizations from cyberattacks.