Case Study: Post-Breach Detection (Process Injection & Espionage Campaign)

One of the leading public transport companies in Turkey decided to deploy and evaluate TRAPMINE even though it already had a well-known AV/EDR solution in place. After deploying TRAPMINE and running some hunting queries, the customer called us to take a look at the results. TRAPMINE has an interface that allows real-time threat hunting on endpoints. Looking at the customer's hunting results, we see that a query was started on 14.02.2019.

Process injection is a very common persistence and evasion technique used by attackers. TRAPMINE Hunter is able to scan the entire memory of the operating system to find suspicious memory regions and injected threads.
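The memory heuristic behind such a scan, as an added example (not TRAPMINE's own code): loaded EXEs and DLLs live in MEM_IMAGE regions, so a committed region that is both private and executable was written at runtime and deserves a closer look. The classifier is plain Python; the walker assumes the documented Win32 VirtualQueryEx API and therefore only runs on Windows.

```python
"""Find private executable memory, the classic artefact of code injection.
Added example (not TRAPMINE code). Constants and struct layout follow the
documented Win32 VirtualQueryEx API; only the scan itself needs Windows."""
import ctypes
import sys

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_GUARD, EXECUTE_MASK = 0x100, 0xF0        # PAGE_EXECUTE* flags live in 0xF0
PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40


class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]


def is_suspicious_region(state, mem_type, protect):
    """Committed, private (not image/file backed) and executable. Such code was
    written at runtime: injected shellcode, a manually mapped PE, or a benign
    JIT engine (the usual false positive), so hits are leads, not verdicts."""
    if state != MEM_COMMIT or mem_type != MEM_PRIVATE or protect & PAGE_GUARD:
        return False
    return bool(protect & EXECUTE_MASK)


def find_suspicious(regions):
    """regions: iterable of (base, size, state, type, protect); returns the hits."""
    return [(b, s, p) for b, s, st, t, p in regions if is_suspicious_region(st, t, p)]


def walk_regions(pid):
    """Yield (base, size, state, type, protect) for every region of `pid` (Windows
    only). Scanning SYSTEM processes such as svchost.exe needs an elevated shell."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(0x0400, False, pid)     # PROCESS_QUERY_INFORMATION
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    addr, mbi = 0, MBI()
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            yield (addr, mbi.RegionSize, mbi.State, mbi.Type, mbi.Protect)
            addr += mbi.RegionSize              # returns 0 past the end of user space
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__" and sys.platform == "win32":
    for base, size, prot in find_suspicious(walk_regions(int(sys.argv[1]))):
        print(f"{base:#018x} {size:#10x} protect={prot:#04x}")
```

Run it as `python scan.py <pid>` from an elevated prompt; a hit in a process like svchost.exe is the point at which you would pull a process dump for analysis, as the case study does.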

When we look at the details of the query results, TRAPMINE finds suspicious code blocks in legitimate processes on a few of the customer's devices. Here we see that “svchost.exe” is affected by a potential code injection. TRAPMINE Hunter allows you to kill injected threads and to retrieve the file or a memory dump of the corresponding process remotely. In this case we wanted to analyze further, so we took the process memory dump remotely with a single click on the “Get process dump” button.

After getting the memory dump, we can open it in WinDbg and extract the injected code block:

After this step, we use common reverse engineering tools (IDA) to analyze the extracted file. Our analysis shows that the injected code belongs to a RAT called REMCOS.

Remcos is a RAT (Remote Administration Tool) that was first discovered being sold on hacking forums in the second half of 2016. It is widely used in many malware campaigns, especially those targeting Turkish defense contractors, Iceland and some other EU countries. Remcos is capable of monitoring keystrokes, taking remote screen captures, managing files, executing commands, capturing the microphone on infected systems, and more.

We believe the breach TRAPMINE detected at our customer is related to the cyber espionage campaign that targeted Turkish defense companies with the following spear-phishing documents in Q4-2018.

Solution/Suggestion

It needs to be pointed out that the well-known EPP/EDR solutions were not able to detect this breach at the customer. This is why enterprises should also invest in live response and threat hunting solutions to detect post-breach activity. TRAPMINE Defense and Hunter PRO customers can run the “Scan memory for injected threads” query across all their endpoints to discover potential process injection attacks in their organization.

TRAPMINE Hunter Free Edition can also help you detect this breach with the available queries. There is an important detail about the Remcos sample used in this campaign: as you can see in the screenshot below, the malware creates a mutex object on infected devices:

If your organization has received this kind of spear-phishing document before, download TRAPMINE Hunter Free Edition and search for this mutex object across your organization to find out whether you are infected.

Yavuz Han / TRAPMINE

References:

RiskIQ: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/

Cyberscoop: https://www.cyberscoop.com/remcos-rat-surveillance-tool-talos-craig-williams/