Threat Hunters Corner: VIP Keylogger
by Josh Shepard on 2025 | 03
Welcome
Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at Radical, and in this episode we’ll be diving into a recent VIP Keylogger campaign, highlighting two defense evasion techniques (steganography and remote template injection), and talking through how you can go about looking for them.
RADBot Generated Text Summary
Introduction
Hello, cybersecurity enthusiasts! Josh Shepard here, Principal Threat Hunter at Radical. Welcome to this edition of the Threat Hunters Corner. Today, we're diving into a recent campaign reported by HP: VIP Keylogger. This campaign employs some interesting defense evasion techniques, in particular remote template injection and steganography, and those two techniques are the focus of our discussion.
Overview of the VIP Keylogger Campaign
The VIP Keylogger campaign begins, as many do, with a phishing email. The email carries an attached Excel spreadsheet. When the recipient opens it, the spreadsheet uses a technique known as remote template injection.
Remote Template Injection
Remote template injection abuses a legitimate Microsoft Office feature: a document can reference a template stored at a remote location (a file server or a web server), and Office fetches that template when the document is opened. Businesses use this to serve corporate templates from a central share; threat actors use it to keep the malicious component out of the attachment altogether. Because the attachment itself contains only a reference and no malicious code, it passes through many spam and attachment filters; it becomes dangerous only once the document is opened and the remote content is loaded.
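To see what that reference looks like on disk and how to triage an attachment for it, here is an added example (not code from the page or from HP's report). An OOXML document is a zip archive, and external references live in its `*.rels` parts as relationships with `TargetMode="External"`. In Word the remote template is the `attachedTemplate` relationship in `word/_rels/settings.xml.rels`; the page gives no structural detail for the Excel attachment in this campaign, so the scanner below is written generally and flags any external relationship, reporting its type so a remote template stands out from an ordinary hyperlink. The document it scans is built in memory for illustration, and the template URL (a TEST-NET address) is a placeholder.

```python
"""Triage check for remote-template and other external references in an
OOXML document.  Added example, not the page's or HP's code; the sample
document is constructed in memory and the URL is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"

# Matches targets that leave the package: http(s), file: and UNC paths.
EXTERNAL_TARGET = re.compile(r"(?i)^(https?://|file://|\\\\)")


def find_external_rels(doc_bytes: bytes) -> list:
    """Return every relationship, in any *.rels part, whose TargetMode is
    External and whose Target is a URL or UNC path.  Hyperlinks are external
    too, so the relationship Type is included for the analyst to prioritise."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if EXTERNAL_TARGET.match(target):
                    hits.append({
                        "part": name,
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return hits


def is_remote_template(hit: dict) -> bool:
    """The relationship type Office uses for an attached template."""
    return hit["type"] == "attachedTemplate"


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal docx skeleton (constructed sample) whose
    settings.xml.rels points at template_url.  Only the parts the check
    needs are present; Word would want more to open it."""
    settings_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        f'</Relationships>'
    )
    document_rels = (
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
        f'Target="https://example.com/" TargetMode="External"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://203.0.113.10/template.dotm")  # placeholder
    for h in find_external_rels(sample):
        label = "REMOTE TEMPLATE" if is_remote_template(h) else "external"
        print(f"{label:15} {h['part']}: {h['target']}")
```

The internal `styles` relationship is ignored because it has no `TargetMode`; the hyperlink is reported but not as a template, which is the distinction you want when triaging a mailbox full of documents that legitimately contain links.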
In this campaign, the remote template injection loads a malicious RTF file that attempts to exploit an old Office Equation Editor vulnerability, CVE-2017-11882. Microsoft patched it in November 2017 and later removed the vulnerable Equation Editor component from Office entirely, so a patched system is not exploitable by this document; it is a useful reminder to keep systems updated.
Upon successful exploitation, the exploit drops a script, which in turn writes a PowerShell script. That PowerShell script downloads an image from archive[.]org, and this is where steganography comes into play.
Steganography
Steganography is the practice of hiding data inside other data. Typically we see text or binary data hidden within multimedia files, most often images. In this case, the threat actor hides the malicious payload inside an image uploaded to archive.org, so the download looks like an ordinary image fetch.
The common method here is least significant bit (LSB) steganography. Each pixel's colour channel value has its least significant bit overwritten with one bit of the hidden data; a change of at most one in a 0 to 255 channel value is imperceptible, so the image looks unchanged. The PowerShell script downloads the image, reads those bits back out, and reassembles the hidden payload, a .NET executable, which leads to the VIP Keylogger infection.
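The following is an added illustration of the LSB mechanism described above; it is not the actor's PowerShell and does not reproduce the campaign's image or payload. The "image" is modelled as a flat array of 8-bit channel values (constructed here from a seeded random generator), which is exactly what an LSB decoder sees once it has loaded a bitmap, and the payload is a constructed stand-in. The length header is an assumption of this example; real implementations use a variety of terminators.

```python
"""LSB steganography round trip on a synthetic image.  Added example for
illustration only: the cover and payload are constructed, and the 4-byte
length header is this example's own convention, not the campaign's."""
import random
import struct


def lsb_embed(channels: bytes, payload: bytes) -> bytearray:
    """Return a copy of `channels` with the payload written into the least
    significant bit of successive channel values.  A big-endian 4-byte length
    precedes the payload so the extractor knows where to stop."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(channels):
        raise ValueError("cover too small for payload")
    out = bytearray(channels)
    i = 0
    for byte in data:
        for bit in range(7, -1, -1):          # most significant bit first
            out[i] = (out[i] & 0xFE) | ((byte >> bit) & 1)
            i += 1
    return out


def lsb_extract(channels: bytes) -> bytes:
    """Inverse of lsb_embed: read the length header, then that many bytes."""
    def read_bytes(start: int, n: int) -> bytes:
        buf = bytearray()
        for k in range(n):
            v = 0
            for b in range(8):
                v = (v << 1) | (channels[start + k * 8 + b] & 1)
            buf.append(v)
        return bytes(buf)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)             # header occupies 32 channels


def max_channel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change the embedding introduced.  For LSB this is
    never more than 1, which is why the image looks untouched."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_channels: int, seed: int = 7) -> bytearray:
    """Constructed cover: n_channels random 8-bit values standing in for the
    RGB bytes of a decoded bitmap."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(n_channels))


if __name__ == "__main__":
    cover = make_cover(4096)
    payload = b"MZ\x90\x00" + b"constructed stand-in for a .NET executable"
    stego = lsb_embed(cover, payload)
    print("recovered:", lsb_extract(stego))
    print("max channel change:", max_channel_delta(cover, stego))
```

The decoder needs only the raw pixel bytes and a convention for where the data ends, which is why the actor's loader can be a short script rather than anything resembling an image library: read pixels, mask the low bit, pack eight bits into a byte, repeat.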
Detection and Threat Hunting Strategies
Detecting Remote Template Injection
From a detection perspective, remote template injection looks much like a malicious macro workflow: the payload ultimately runs under an Office process, so look for Office products executing scripts or script engines. For example, Excel spawning WScript, CScript, PowerShell, etc. warrants investigation. Depending on your environment and how heavily it relies on legitimate macros, this can be a robust, low-noise detection for this kind of abuse.
Detecting Steganography
Detecting steganography itself is harder, since the image is a valid image. For this campaign, one effective approach is to monitor for non-browser processes (such as PowerShell) reaching out to archive[.]org. Almost all archive[.]org traffic comes from browser processes, so a script engine or other non-browser process contacting it should be investigated; tune out any scripted archive[.]org access you already know about.
Additionally, if your EDR solution, such as CrowdStrike, collects script body contents, look for evidence of image manipulation in scripts: loading an image, reading its pixels out as raw bytes, and then performing encoding, decoding, or bit-manipulation operations on the result. This can be done with various scripting engines, including PowerShell, Python, and VBScript, so research how steganography is typically implemented in each of them to sharpen your detection content.
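To make those three hunts concrete, here is an added example that runs the detection logic from both sections above (Office spawning a script engine, non-browser access to archive.org, and script bodies that load an image and decode its pixels) over constructed telemetry. It is not CrowdStrike's query language or schema: the records and field names (`image`, `parent`, `dest_host`, `body`) are assumptions, and the sample script bodies are made-up fragments, not the actor's script.

```python
"""Hunting logic for the VIP Keylogger evasion techniques, run over
constructed telemetry.  Added example; records, field names and script
bodies are assumptions made for illustration, not real EDR data."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                  "mshta.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Script-body indicators.  All three must be present: an image being loaded,
# pixel-level access, and bit or base64 decoding of the result.
IMAGE_LOAD = re.compile(r"System\.Drawing|\bBitmap\b|Image\]::FromFile|FromStream", re.I)
PIXEL_ACCESS = re.compile(r"GetPixel|LockBits|\.Scan0", re.I)
DECODE = re.compile(r"-band\s*1\b|FromBase64String|\[Convert\]::|-shl\b|-shr\b", re.I)


def office_spawns_script(ev: dict) -> bool:
    """Process-creation event with an Office parent and a script-engine child."""
    return (ev.get("event") == "process"
            and ev.get("parent", "").lower() in OFFICE_PARENTS
            and ev.get("image", "").lower() in SCRIPT_ENGINES)


def nonbrowser_to_archive(ev: dict) -> bool:
    """Network event to archive.org (or a subdomain) from anything but a browser."""
    if ev.get("event") != "network":
        return False
    host = ev.get("dest_host", "").lower()
    on_archive = host == "archive.org" or host.endswith(".archive.org")
    return on_archive and ev.get("image", "").lower() not in BROWSERS


def script_looks_like_stego(body: str) -> bool:
    """Script body loads an image, touches pixels, and decodes bits or base64."""
    return bool(IMAGE_LOAD.search(body) and PIXEL_ACCESS.search(body)
                and DECODE.search(body))


def hunt(events: list) -> list:
    """Return (rule, event_id) pairs for every record that trips a rule."""
    findings = []
    for ev in events:
        if office_spawns_script(ev):
            findings.append(("office_spawns_script_engine", ev["id"]))
        if nonbrowser_to_archive(ev):
            findings.append(("nonbrowser_archive_org", ev["id"]))
        if ev.get("event") == "script" and script_looks_like_stego(ev.get("body", "")):
            findings.append(("script_image_decode", ev["id"]))
    return findings


# Constructed script bodies: a stego-like decoder fragment and a benign
# script that only decodes base64 (common in legitimate admin tooling).
STEGO_LIKE = r"""
Add-Type -AssemblyName System.Drawing
$img = [System.Drawing.Bitmap]::FromFile("$env:TEMP\pic.jpg")
$p = $img.GetPixel(0, 0); $bits += ($p.R -band 1)
"""
BENIGN = r"""
$cfg = [Convert]::FromBase64String($encodedConfig)
Write-Output ([System.Text.Encoding]::UTF8.GetString($cfg))
"""

# Constructed telemetry (not real EDR records).
SAMPLE_EVENTS = [
    {"id": "e1", "event": "process", "parent": "explorer.exe", "image": "EXCEL.EXE"},
    {"id": "e2", "event": "process", "parent": "EXCEL.EXE", "image": "wscript.exe"},
    {"id": "e3", "event": "network", "image": "powershell.exe", "dest_host": "archive.org"},
    {"id": "e4", "event": "network", "image": "chrome.exe", "dest_host": "archive.org"},
    {"id": "e5", "event": "script", "image": "powershell.exe", "body": STEGO_LIKE},
    {"id": "e6", "event": "script", "image": "powershell.exe", "body": BENIGN},
]

if __name__ == "__main__":
    for rule, event_id in hunt(SAMPLE_EVENTS):
        print(f"{rule:30} {event_id}")
```

Requiring all three script-body indicators together is what keeps the last rule quiet: base64 decoding alone is everywhere in legitimate PowerShell, and image loading alone is common in reporting scripts, but the combination with pixel access and bit masking is rare outside of a steganographic loader.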
Conclusion
In this edition of the Threat Hunters Corner, we explored the VIP Keylogger campaign, highlighting its use of remote template injection and steganography. We also walked through practical detection strategies for identifying these techniques in your own telemetry. As always, if you have any questions, feel free to reach out. Stay safe out there, and see you in the next edition of the Threat Hunters Corner!