DFIR News

July 2020
This month we will discuss…


TrickBot BazarLoader In-Depth
This publication covers TrickBot's new module, BazarLoader, detected in some recent campaigns; the article's main objective is to explain the internal functionality of the module. The code is highly obfuscated, using different encryption routines to hide system API calls; it also uses .bazar domains as C2 servers and, after connecting to one, injects the payload into the memory of another process using a technique known as process hollowing.

What can you get?

It is very interesting to understand the different techniques used by the malware, especially process hollowing. This technique injects the code directly into the memory space of another process, which makes detection harder for traditional signature-based systems because behavioural analysis is required to detect it. Even with the obfuscation and encryption of system API calls in the malware code, it can be detected in memory during execution with specific rules using technologies such as EDR (Endpoint Detection and Response). From the attacker's point of view, the use of .bazar domains makes C2 server takedown harder; from the defender's perspective, because those domains are not commonly used, blue team members can define alerts on communications to .bazar domains, or even block the entire TLD at the network boundary if there are no legitimate connections to it from their environment.
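A minimal implementation of the .bazar lookup alert described above, as an added example that is not part of the original article. It parses constructed DNS query log lines (the line format, client addresses and host names are assumptions for illustration, not real BazarLoader infrastructure), flags queries whose top-level domain is on a watch list, and builds the per-TLD baseline an analyst would want to review before blocking the TLD outright. Note that .bazar is not an ICANN top-level domain; it is resolved through the Emercoin blockchain (EmerDNS), which is why such lookups are rare in ordinary corporate telemetry and make a good hunting signal even when the resolver answers NXDOMAIN.

```python
"""Flag DNS lookups to watched top-level domains (here .bazar) in query logs.

Added example for this newsletter item; not code from the original article.
The log format and host names are constructed for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Set

# Constructed sample log: "<timestamp> <client_ip> <query_name> <record_type>".
# The domain names are placeholders, not real BazarLoader infrastructure.
SAMPLE_DNS_LOG = """\
2020-07-01T09:12:03Z 10.0.4.21 www.example.com A
2020-07-01T09:12:05Z 10.0.4.21 sample-c2.bazar A
2020-07-01T09:12:07Z 10.0.4.38 update.example.net A
2020-07-01T09:12:09Z 10.0.4.21 SAMPLE-C2.BAZAR. A
2020-07-01T09:12:11Z 10.0.7.12 mail.example.com MX
2020-07-01T09:12:13Z 10.0.4.38 bazar.example.org A
2020-07-01T09:12:15Z 10.0.9.5 other-c2.bazar A
"""

# One query per line, four whitespace-separated fields (assumed export format).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class DnsQuery:
    timestamp: str
    client: str
    name: str   # normalised: lower-case, trailing dot removed
    qtype: str


def normalise_name(name: str) -> str:
    """Make 'SAMPLE-C2.BAZAR.' and 'sample-c2.bazar' compare equal."""
    return name.rstrip(".").lower()


def parse_dns_log(text: str) -> List[DnsQuery]:
    """Parse query lines; malformed lines are skipped rather than crashing the hunt."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, name, qtype = m.groups()
        out.append(DnsQuery(ts, client, normalise_name(name), qtype.upper()))
    return out


def tld_of(name: str) -> str:
    """Right-most label only, so 'bazar.example.org' is 'org', not 'bazar'."""
    return name.rsplit(".", 1)[-1]


def find_watched_tld_queries(queries: List[DnsQuery],
                             watched: Set[str] = frozenset({"bazar"})) -> List[DnsQuery]:
    """Return the queries whose TLD is on the watch list (the alert condition)."""
    return [q for q in queries if tld_of(q.name) in watched]


def tld_histogram(queries: List[DnsQuery]) -> Counter:
    """Queries per TLD. Run over historical logs to confirm the watched TLD never
    appears in legitimate traffic before deciding to block it at the boundary."""
    return Counter(tld_of(q.name) for q in queries)


def hosts_to_triage(hits: List[DnsQuery]) -> Counter:
    """Internal clients that looked up watched domains, with lookup counts."""
    return Counter(q.client for q in hits)


if __name__ == "__main__":
    queries = parse_dns_log(SAMPLE_DNS_LOG)
    hits = find_watched_tld_queries(queries)
    for h in hits:
        print(f"ALERT {h.timestamp} {h.client} -> {h.name} ({h.qtype})")
    print("clients to triage:", dict(hosts_to_triage(hits)))
    print("tld baseline:", dict(tld_histogram(queries)))
```

The TLD is taken from the right-most label only, so a legitimate host that merely contains the string "bazar" (such as the constructed bazar.example.org) does not fire; the name normalisation handles the trailing dot and mixed case that appear in raw resolver and Sysmon DNS events.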

What do we recommend?

In our experience from previous investigations of incidents related to Ryuk ransomware, the key piece of those attacks is TrickBot. It is highly modular malware, and based on CTI and ONE's own experience it is clear that the attackers deploy modules on demand depending on their objective. Given this, and our experience with customers, defining intelligence-driven threat hunting hypotheses can be the key to detecting new campaigns from a known threat actor.

By JBA. Principal Forensic Analyst at ONE



The dark web is flooded with offers to purchase corporate network access
The term “Access for sale” refers to the sale of credentials, software or other tools that allow illegitimate access to corporate networks. The first quarter of this year has seen an increase in both supply and demand for this service on the Internet black market, with the industrial, professional services, financial, IT and health sectors being the most affected, including Fortune 500 companies.

What can you get?

Although it may not seem obvious, the Internet black market is dictated by the laws of supply and demand. Knowing these trends is important, as it gives us a broader view of the risk of cyber attacks to our company from three angles:

  1. The storm, which tells us which attacks are in high demand at any given time,
  2. The business, which tells us how much danger our company is in depending on its sector and size, and
  3. The product, which tells us what the attackers want from me or my company.

The increase in demand for access to corporate networks tells us:

  1. The real danger of intrusions will be greater for certain organizations.
  2. An actor who has gained access to a network can put that access up for sale or collaborate with other actors.
  3. An intrusion can occur proactively or on demand.

What do we recommend?

Knowing market trends (the black market, in this case) gives us an idea of the attacks that are coming, and we can incorporate this intelligence into our lines of prevention and detection, summarised in the maxim “know your enemy”. This does not only apply to the corporate environment: just as “Access for sale” is a trend, so is the sale of our personal data and accounts, medical and financial information, among others.

At the end of the day, what matters is to be aware that what belongs to us (even if it is “intangible”) has a price in the underworld.


By JCB. Senior Forensic Analyst at ONE