Welcome
Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode, we’ll be exploring how the VIP Keylogger makes use of two interesting defense evasion techniques – remote template injection and steganography.
RADBot Generated Text Summary
Introduction
Hello everyone, Josh Shepherd here. Welcome to this edition of the Threat Hunters Corner. Today, we're diving into a recent and sophisticated piece of malware known as VIP Key Logger. This malware is a key logger and information stealer that employs some unique and less commonly seen defense evasion techniques, namely steganography and remote template injection. Let's break down how it operates and how you can protect your systems against it.
Understanding VIP Key Logger
Initial Access and Execution
VIP Key Logger typically gains initial access through phishing emails. These emails may contain either an archive file (such as a .zip or .gzip) or an Excel spreadsheet. Here’s how each method works:
- Archive Files: The user is required to download and execute the binary contained within the archive.
- Excel Spreadsheets: This method leverages a technique called Remote Template Injection. Microsoft Office allows a document to load its template from a remote location to aid in document creation. Threat actors abuse this feature by pointing the document at a malicious template. In this case, an Excel document loads a malicious RTF file, which exploits older vulnerabilities to start the malware's execution chain.
Execution Flow
Once the initial payload is executed, the malware proceeds as follows:
- PowerShell Script Execution: The malware executes a PowerShell script.
- Contacting Archive[.]org: The PowerShell script reaches out to archive[.]org, a legitimate website known for its Wayback Machine, which archives snapshots of websites over time.
- Steganography: The threat actor downloads an image file from archive[.]org. This image contains base64-encoded malicious code. The PowerShell script downloads the image, decodes the base64 content, and assembles it into a .NET executable. This executable is the actual payload responsible for the key logging and information stealing activities.
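To give the steganography step a concrete defensive counterpart, here is an added Python example (not code from the episode or from Radical) that scans an image file for long base64 runs and reports any that decode to a PE file, recognised by its MZ signature. The sample image, the fake payload and the 64-character minimum run length are all constructed for this illustration; ordinary images almost never contain a base64 run that decodes to MZ, so that signature check is what keeps false positives down.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample data (not real malware): a tiny JPEG-like header with a
# base64-encoded fake PE appended after the end-of-image marker. The "PE" is
# only an MZ signature plus padding, so it can never execute.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
STEGO_IMAGE = JPEG_HEADER + b"\x00" * 64 + b"\xff\xd9" + base64.b64encode(FAKE_PE)
CLEAN_IMAGE = JPEG_HEADER + bytes(range(256)) * 4 + b"\xff\xd9"

# A run of base64 alphabet characters at least 64 long, with optional padding.
# The threshold is an assumption; raise it if small metadata blobs cause noise.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _decode_prefix(blob):
    """Decode a base64 run. If it carries no padding, trim it to a multiple of
    four so a run that bleeds into neighbouring text still yields its leading
    bytes; anything that is not valid base64 decodes to nothing."""
    if not blob.endswith(b"="):
        blob = blob[: len(blob) - len(blob) % 4]
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return b""


def find_embedded_executables(data):
    """Return one record per base64 run inside `data` that decodes to a PE file
    (DOS 'MZ' signature). Records carry offsets and a SHA-256 of the decoded
    payload so the finding can go straight into the case notes."""
    hits = []
    for m in _B64_RUN.finditer(data):
        decoded = _decode_prefix(m.group(0))
        if decoded.startswith(b"MZ"):
            hits.append({
                "offset": m.start(),
                "encoded_len": m.end() - m.start(),
                "decoded_len": len(decoded),
                "sha256": hashlib.sha256(decoded).hexdigest(),
            })
    return hits


if __name__ == "__main__":
    for name, image in (("stego", STEGO_IMAGE), ("clean", CLEAN_IMAGE)):
        print(name, find_embedded_executables(image))
```

Run it over images written to disk by non-browser processes, or over files whose Mark of the Web names archive[.]org, and keep the reported hash for the decoded payload rather than the image, since the image hash changes with every re-encode.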
Threat Hunting and Detection Strategies
To effectively hunt for and detect VIP Key Logger, consider the following strategies:
Hunting For/Detecting Remote Template Injection
- Network Activity Monitoring
  - Baseline Network Activity: Establish a baseline of network activity for Office products. Monitor DNS queries and IP connections originating from these applications.
  - Identify Outliers: Look for unusual network activity, such as Excel making unexpected DNS queries or connections to suspicious domains. These anomalies could indicate a remote template injection attempt.
- Process Monitoring
  - Unusual Process Spawning: Monitor for unusual processes spawned by Office applications. For example, if Excel spawns PowerShell or a script host (e.g., WScript or CScript), it could indicate malicious activity.
  - Legitimate Use Cases: While there may be legitimate use cases for these activities, they should be relatively easy to tune out and differentiate from malicious behavior.
Hunting For Malicious Archive[.]org Image Downloads (Steganography)
- Archive.org Activity
  - Monitor Archive.org Access: Unusual access to archive.org by end-user systems can be a red flag. Pay special attention to non-browser processes.
  - Mark of the Web Data: Look for unusual file downloads from archive[.]org using Mark of the Web data (the Zone.Identifier stream Windows attaches to downloaded files, which records the source URL). This can help identify potentially malicious downloads.
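As an added example covering both hunting sections above (not tooling from the episode or from Radical), the following Python turns the strategies into rules over constructed, Sysmon-style process-create, DNS-query and network-connect records, plus a parser for the Zone.Identifier stream that carries Mark of the Web data. The process-name sets, the Office network baseline and every sample record are assumptions made for this illustration; the baseline in particular has to come from your own telemetry.

```python
import configparser
from urllib.parse import urlparse

# Process-name sets used by the rules. The Office baseline is an assumption for
# this example; in practice build it from weeks of your own Office telemetry.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
OFFICE_BASELINE = {"office.com", "officeapps.live.com", "office.net", "microsoft.com"}
ARCHIVE_ORG = {"archive.org"}

# Constructed Sysmon-style telemetry (process create, DNS query, network connect).
EVENTS = [
    {"type": "process_create", "parent": "EXCEL.EXE", "image": "powershell.exe"},
    {"type": "process_create", "parent": "explorer.exe", "image": "powershell.exe"},
    {"type": "dns_query", "image": "EXCEL.EXE", "query": "officeapps.live.com"},
    {"type": "dns_query", "image": "EXCEL.EXE", "query": "templates.example.invalid"},
    {"type": "network_connect", "image": "powershell.exe", "dest_host": "archive.org"},
    {"type": "network_connect", "image": "msedge.exe", "dest_host": "web.archive.org"},
]

# Constructed Zone.Identifier streams in the INI layout Windows writes them in.
MOTW_FROM_ARCHIVE = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://archive.org/download/item/photo.jpg\n"
MOTW_FROM_VENDOR = ("[ZoneTransfer]\nZoneId=3\nReferrerUrl=https://www.microsoft.com/\n"
                    "HostUrl=https://download.microsoft.com/tool.exe\n")


def _in_domain(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def office_script_spawns(events):
    """Rule 1: an Office app spawning a script host (the Excel -> PowerShell step)."""
    return [e for e in events if e["type"] == "process_create"
            and e["parent"].lower() in OFFICE_APPS and e["image"].lower() in SCRIPT_HOSTS]


def office_dns_outliers(events, baseline=OFFICE_BASELINE):
    """Rule 2: an Office app resolving a name outside its baseline (template fetch)."""
    return [e for e in events if e["type"] == "dns_query"
            and e["image"].lower() in OFFICE_APPS and not _in_domain(e["query"], baseline)]


def nonbrowser_archive_access(events):
    """Rule 3: a non-browser process resolving or connecting to archive.org."""
    return [e for e in events if e["type"] in ("dns_query", "network_connect")
            and e["image"].lower() not in BROWSERS
            and _in_domain(e.get("query") or e.get("dest_host"), ARCHIVE_ORG)]


def motw_points_to_archive(zone_identifier_text):
    """Rule 4: Mark of the Web records archive.org as the download source.
    Interpolation is disabled so '%' in URLs does not trip the INI parser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(zone_identifier_text)
    if "ZoneTransfer" not in cp:
        return False
    for key in ("HostUrl", "ReferrerUrl"):
        url = cp["ZoneTransfer"].get(key, "")
        if url and _in_domain(urlparse(url).hostname, ARCHIVE_ORG):
            return True
    return False


def hunt(events):
    """Run the telemetry rules and return findings keyed by rule name."""
    return {
        "office_spawns_script_host": office_script_spawns(events),
        "office_dns_outlier": office_dns_outliers(events),
        "nonbrowser_archive_org": nonbrowser_archive_access(events),
    }


if __name__ == "__main__":
    for rule, findings in hunt(EVENTS).items():
        print(rule, len(findings), findings)
    print("MOTW from archive.org:", motw_points_to_archive(MOTW_FROM_ARCHIVE),
          motw_points_to_archive(MOTW_FROM_VENDOR))
```

Each rule returns the raw events it matched rather than a boolean, so the same output can feed a SIEM alert, a hunting notebook, or a tuning pass where you add the legitimate spawns and domains your environment produces to the allow sets.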
Conclusion
VIP Key Logger is a sophisticated malware that leverages advanced techniques to evade detection. By understanding its methods and implementing robust monitoring and detection strategies, you can better protect your environment from such threats.
If you have any questions or suggestions for future topics, feel free to reach out. Stay safe out there, and we'll see you in the next session of the Threat Hunters Corner.