
Post-Breach Detection (Process Injection & Espionage Campaign)


One of the leading public transport companies in Turkey decided to deploy and trial
TRAPMINE even though they already had a well-known AV/EDR solution in place. After deploying
TRAPMINE and running some hunting queries, the customer asked us to look at the results.
TRAPMINE provides an interface for real-time threat hunting across systems.
Looking at the customer's hunting results, we saw that a query had been started on
14.02.2019.

Process injection is a very common technique used by attackers to evade detection: the
malicious code runs inside the address space of a legitimate process and so inherits that
process's name and reputation. TRAPMINE Hunter scans the entire memory of the operating
system to find suspicious memory regions and injected threads.
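The two heuristics such a memory scan relies on can be shown in a few dozen lines. The following is an added example written for this article, not TRAPMINE's own code: it walks a process's address space with `VirtualQueryEx` and flags committed, executable regions that are `MEM_PRIVATE` rather than `MEM_IMAGE` (legitimate code is mapped from an image file on disk; shellcode and manually mapped PEs live in private allocations), and it flags threads whose start address falls outside every loaded module. The struct layout and the `walk_process` helper assume 64-bit Windows; the classification functions are pure Python and run anywhere on constructed input. The script name, the `Region` dataclass and the sample values are assumptions made for the example.

```python
"""Hunt for injected code in a Windows process by walking its memory map.

Added example, not TRAPMINE's code.  Heuristics run anywhere; the live
enumeration (walk_process) assumes 64-bit Windows and an elevated shell.
"""
import ctypes
import sys
from dataclasses import dataclass

# Constants from <winnt.h> / <memoryapi.h>
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    mem_type: int


def is_suspicious_region(r: Region) -> bool:
    """Committed + executable + MEM_PRIVATE: the shape of VirtualAllocEx'd
    shellcode or a reflectively loaded PE.  Legitimate code is MEM_IMAGE."""
    return (r.state == MEM_COMMIT
            and bool(r.protect & EXEC_MASK)
            and r.mem_type == MEM_PRIVATE)


def find_injected_regions(regions):
    return [r for r in regions if is_suspicious_region(r)]


def is_orphan_thread(start_addr: int, modules) -> bool:
    """True if a thread's start address is inside no loaded module, the classic
    sign of CreateRemoteThread-style injection.  `modules` is [(base, size)].
    Start addresses come from NtQueryInformationThread(ThreadQuerySetWin32StartAddress)."""
    return not any(base <= start_addr < base + size for base, size in modules)


def looks_like_pe(first_bytes: bytes) -> bool:
    """An 'MZ' header at the start of a private executable region usually means a
    whole DLL/EXE was mapped by hand rather than raw shellcode."""
    return first_bytes[:2] == b"MZ"


# --- live enumeration: 64-bit Windows layout of MEMORY_BASIC_INFORMATION ----
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_uint32),
        ("PartitionId", ctypes.c_uint16),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_uint32),
        ("Protect", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
    ]


def walk_process(pid: int):
    """Enumerate every region of `pid` with VirtualQueryEx (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State,
                                  mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize   # VirtualQueryEx returns 0 past user space
    finally:
        k32.CloseHandle(h)
    return regions


if __name__ == "__main__":
    # Usage on 64-bit Windows (elevated): python hunt_injection.py <pid>
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit("usage (64-bit Windows): hunt_injection.py <pid>")
    for r in find_injected_regions(walk_process(int(sys.argv[1]))):
        print(f"suspicious: base=0x{r.base:x} size=0x{r.size:x} protect=0x{r.protect:x}")
```

Treat hits as leads, not verdicts: JIT engines (.NET, browsers, some packers) legitimately create private executable regions, so the next step is exactly what the article does, dumping the region and looking at the code, rather than killing the thread on sight.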

When we look at the details of the query results, TRAPMINE finds suspicious code
blocks inside legitimate processes on a few of the customer's devices. Here we see that
"svchost.exe" is affected by a potential code injection. TRAPMINE Hunter allows you to kill
injected threads and to retrieve the file or a memory dump of the affected process
remotely. In this case we wanted to analyze further, so we took the process memory dump
remotely with a single click on the Get process dump button.

After getting the memory dump, we open it in WinDbg and extract the injected
code block:

We then use common reverse engineering tools (IDA) to analyze the extracted
code. Our analysis shows that the injected code belongs to the RAT malware
called Remcos.

Remcos is a RAT (Remote Administration Tool) that was first seen being sold on hacking
forums in the second half of 2016. It is widely used in many malware campaigns, especially
those targeting Turkish defense contractors, Iceland and some other EU countries. The Remcos
RAT can log keystrokes, take remote screen captures, manage files, execute commands,
capture the microphone on infected systems, and more.

We believe the breach TRAPMINE detected at this customer is related to the cyber
espionage campaign that targeted Turkish defense companies with the following spear-phishing
documents in Q4 2018.

Solution & Suggestion


It should be noted that the well-known EPP/EDR solutions already in place were not able to
detect this breach at the customer. This is why enterprises should also invest in live
response and threat hunting solutions to detect post-breach activity. TRAPMINE Defense and
TRAPMINE Hunter Pro customers can run the “Scan memory for injected threads” query across all
their endpoints to discover potential process injection attacks in their organization.

TRAPMINE Hunter Free Edition can also help you detect this breach with the available
queries. There is an important detail about the Remcos sample used in this campaign: as you
can see in the screenshot below, the malware creates a mutex object on infected devices:

If your organization has received this kind of spear-phishing document before, download
TRAPMINE Hunter Free Edition and search for this mutex object across your organization to
find out whether you are infected. Keep in mind that a mutex name is tied to the particular
build of the malware; other builds may use a different name, so a clean result for this
mutex does not rule out an infection, whereas the memory scan for injected threads does not
depend on such a build-specific indicator.
