Debugwar Blog

A journal of ghost hunting in the network

2021-05-20 @ UTC+0
(All characters in this article are fictitious)

Alarms


“Two tigers love to dance…” (ring tone)

Wu Zhiming impatiently picked up his phone and pressed the answer key.

“Hello, Mr Wu,” came the voice of Xiao Li from the company’s OPS team over the phone. “I caught an abnormal alarm, can you take a look?”

“I know, just a moment.” Wu Zhiming reluctantly pulled his hero back to base in the game, then started logging into the VPN.

Soon, Wu Zhiming found the abnormal log that Xiao Li was talking about. It looked like the PowerShell log had been manually deleted. Since company policy forbids OPS staff from deleting logs, a log being cleared is exactly the kind of event the monitoring system is set up to alarm on.

Log Deletion Record
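The alarm that started the hunt is worth making concrete. The script below is an added example, not code from the original post: it runs the same check over a few constructed Windows event records. Security event 1102 and System event 104, both from the Microsoft-Windows-Eventlog provider, are the records Windows writes when a log is cleared (104 names the cleared channel in its message, which is how clearing Microsoft-Windows-PowerShell/Operational shows up), and under the policy above any such record is an alarm no matter which account produced it. The record layout is an assumed normalized form, not any product's schema.

```python
"""Flag Windows event-log clearing, the alarm described above.

Added example, not code from the original post. The event records below are
constructed for illustration; the field names are an assumed normalized form
(what a SIEM export might look like), not any particular product's schema.

Facts relied on:
  * Security event 1102 (provider Microsoft-Windows-Eventlog): "The audit log was cleared".
  * System event 104 (provider Microsoft-Windows-Eventlog): "The <channel> log file was
    cleared", written when any other channel, e.g. Microsoft-Windows-PowerShell/Operational,
    is cleared.
"""
import re
from dataclasses import dataclass

# (channel, event id) pairs that mean "a log was wiped".
LOG_CLEAR_EVENTS = {
    ("Security", 1102),
    ("System", 104),
}


@dataclass
class Event:
    channel: str
    event_id: int
    provider: str
    user: str
    message: str


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event("Microsoft-Windows-PowerShell/Operational", 4104, "Microsoft-Windows-PowerShell",
          "CORP\\svc-backup", "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\backup"),
    Event("System", 104, "Microsoft-Windows-Eventlog", "CORP\\ops01",
          "The Microsoft-Windows-PowerShell/Operational log file was cleared."),
    Event("Security", 4624, "Microsoft-Windows-Security-Auditing", "CORP\\ops01",
          "An account was successfully logged on."),
    Event("Security", 1102, "Microsoft-Windows-Eventlog", "CORP\\ops01",
          "The audit log was cleared."),
]

_CLEARED_RE = re.compile(r"^The (?P<channel>\S+) log file was cleared", re.I)


def cleared_channel(ev):
    """Return the channel wiped by a log-clear event, or None for anything else.
    For 1102 the wiped channel is always Security; for 104 it is named in the message."""
    if (ev.channel, ev.event_id) not in LOG_CLEAR_EVENTS:
        return None
    if ev.event_id == 1102:
        return "Security"
    m = _CLEARED_RE.match(ev.message)
    return m.group("channel") if m else "<unknown>"


def find_log_clears(events):
    """Policy from the post: operators may not delete logs, so every clear event
    is an alarm regardless of which account did it. Returns one dict per alarm."""
    alerts = []
    for ev in events:
        ch = cleared_channel(ev)
        if ch is not None:
            alerts.append({"cleared": ch, "by": ev.user, "event_id": ev.event_id})
    return alerts


if __name__ == "__main__":
    for a in find_log_clears(SAMPLE_EVENTS):
        print(f"ALERT: {a['cleared']} log cleared by {a['by']} (event {a['event_id']})")
```

On the host itself, `Get-WinEvent -FilterHashtable @{LogName='System'; Id=104}` and `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102}` pull the same records directly, which is the quickest way to confirm an alarm like this one before the SIEM copy is trusted.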

Looking for Clues


“Something’s not right,” Wu Zhiming muttered to himself. As the keyboard kept clattering, more things that were “not right” came into view, such as this strange item in the PowerShell log of a non-core machine:

Strange File

Wu Zhiming thought for a while and guessed that this was probably a dictionary file used to crack weak passwords. A well-known tool came to mind at this point: mimikatz. After searching the machine, he found the dumped password file, which had not been deleted yet:

Password File Not Yet Deleted

What gave Wu Zhiming some “relief” was that the administrator’s password was not on the weak-password list above.

The hum of the machines was getting on Wu Zhiming’s nerves, and a layer of fine sweat had already formed on his forehead. He impatiently picked up a cigarette, held it in the air for a moment, then put it back, took two pieces of chewing gum from the can next to him and started chewing.

Hide and Seek


After collecting his thoughts, Wu Zhiming decided to start with this machine and work out which path the ghost had come in through. But the machine’s IP address was unfamiliar, and he could not remember what it was used for. With no other option, he dialed Xiao Li’s number.

“What is the machine with IP address 1.2.3.4 used for? What business runs on it?” Wu Zhiming asked.

“Emmm ... this machine ... this machine runs no business, but it is often used to transfer files, because there is a machine on an isolated subnet, and only 1.2.3.4 has two network cards, so it can be configured to communicate between the two subnets,” Xiao Li answered.

Wu Zhiming clicked the network icon in the tray and indeed saw two network cards, and of course he also saw the flashing icon next to it: an antivirus product called Galaxy Anti-Virus Enterprise Edition. An idea flashed through his mind.

“Xiao Li, give me the address of the Galaxy Anti-Virus Control Center,” Wu Zhiming said.

“What do you want this for?”

“I have an idea, anyway, give me the login address of the control center first.”

“Ok, it is 1.2.3.200.”

Wu Zhiming opened the control center in his browser and tried the username and password he had just recovered with mimikatz, but unfortunately the login failed.


Control Center Login Failed

Wu Zhiming cursed inwardly, then tried a few more usernames, but Lady Luck was not on his side: every combination came back with “account or password error”. Helplessly, he had to dial Xiao Li’s number a second time.

“Hello, Xiao Li, send me the username and password of our Galaxy Anti-Virus Control Center, I need to log in and check something,” Wu Zhiming said.

Soon Wu Zhiming received the username and password from Xiao Li over IM: admin/1qaZ2wsX. He frowned and muttered to himself, “Why do this username and password look familiar?” After thinking for a moment he remembered the strange entry he had found in the PowerShell log earlier, the one carrying the weak-password dictionary: could that be what had cracked the control center account?

After logging into the Galaxy Anti-Virus Control Center backend, Wu Zhiming first checked the operation log, and what he saw made him draw a sharp breath: someone had used the console’s file distribution function to push a suspicious program to 1.2.3.4:

Control Center Distribution Record

Using the file name, Wu Zhiming located the distributed program on the endpoint:

Distributed Suspicious Program

Ghost Hunting


“Big trouble,” Wu Zhiming sighed to himself.

This active_desktop_launcher.exe looks normal; it belongs to a fairly well-known piece of software called Cool Fox:

active_desktop_launcher.exe

But active_desktop_render.dll is anything but normal. As a rule, if the main program is signed, the components it loads are signed by the same publisher as well, yet this file carries no signature at all. A signed executable loading an unsigned library from its own directory is the classic DLL side-loading setup and should be treated as such until the library is proven benign. Other signs also indicate that something is wrong with this file. To know what it actually does, it has to be analyzed in detail.
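One way to turn that observation into a repeatable check, as an added example that is not code from the post or from any AV product: read each PE's data directory and see whether the security directory, where an embedded Authenticode signature is stored, is populated, then flag DLLs without one that sit beside a signed executable. The sample "files" are header-only PE32+ images constructed inline (the names mirror the ones in the post); the check looks only for the presence of an embedded signature, so catalog-signed Windows components and forged signatures are out of its scope.

```python
"""Spot an unsigned DLL sitting next to a signed executable.

Added example, not code from the original post or from any product. It reads
the PE headers directly (no pefile dependency) and checks whether the
IMAGE_DIRECTORY_ENTRY_SECURITY data directory (index 4) is populated, which
is where an embedded Authenticode signature lives. Presence of that directory
is all it checks: it does not validate the signature chain, and it cannot see
catalog-signed files (components signed via .cat files have no embedded
signature), so treat hits as leads, not verdicts. The sample "files" are
constructed header-only PE images, not real binaries.
"""
import struct

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4


def pe_info(data):
    """Return (is_dll, has_embedded_signature) for a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: SizeOfOptionalHeader at +16, Characteristics at +18.
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if opt + size_opt > len(data):
        raise ValueError("truncated optional header")
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:          # NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:    # NumberOfRvaAndSizes at +108, directories at +112
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs, = struct.unpack_from("<I", data, nrva_off)
    signed = False
    if num_dirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
        # The security directory holds a raw file offset (not an RVA) and the size of
        # the WIN_CERTIFICATE blob; both are zero when nothing is embedded.
        signed = sec_off != 0 and sec_size != 0
    return bool(characteristics & IMAGE_FILE_DLL), signed


def unsigned_dlls_beside_signed_exe(files):
    """files: {name: bytes}. Return DLL names lacking an embedded signature when
    at least one signed EXE lives in the same directory (the side-loading tell)."""
    info = {name: pe_info(blob) for name, blob in files.items()}
    if not any(sig and not dll for dll, sig in info.values()):
        return []
    return sorted(name for name, (dll, sig) in info.items() if dll and not sig)


def make_pe(is_dll, signed):
    """Build a header-only PE32+ image (constructed test data, not a real file)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)              # EXECUTABLE_IMAGE [| DLL]
    size_opt = 112 + 16 * 8
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_opt, chars)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if signed:
        # Assumed offset/size of the certificate blob; only non-zero-ness matters here.
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, 0x4000, 0x1A00)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


# Constructed stand-in for the directory found on the endpoint.
SAMPLE_DIR = {
    "active_desktop_launcher.exe": make_pe(is_dll=False, signed=True),
    "active_desktop_render.dll": make_pe(is_dll=True, signed=False),
    "vendor_helper.dll": make_pe(is_dll=True, signed=True),
}

if __name__ == "__main__":
    print("suspicious:", unsigned_dlls_beside_signed_exe(SAMPLE_DIR))
```

Run against a real directory, feed the function `{p.name: p.read_bytes() for p in Path(d).glob("*.[de][lx][le]")}` and follow any hit with a proper signature verification (`Get-AuthenticodeSignature` on Windows) before concluding anything.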

After some analysis, Wu Zhiming found a very suspicious behavior: the library dynamically loaded a piece of code that seemed to have little to do with the logic of the rest of the program and looked more like something someone had patched in:

Strange Function

And this code is executed from DllMain as soon as active_desktop_render.dll is loaded:

Strange Function Call Path

“Using a program that everyone recognizes as harmless to load a harmful module, the idea is very clever,” Wu Zhiming couldn’t help admiring the hacker’s thinking.

To eliminate the impact of this attack, he needed to see exactly what the dynamically loaded code did. But static analysis could no longer meet his needs at this point, so he decided to first monitor the program’s behavior.

Wu Zhiming found that the program not only read the distributed file found earlier but also exchanged a large volume of traffic with a suspicious host. Judging by its behavior, it looked like spyware diligently sending collected data to the attacker-controlled server.


Suspicious Behavior of the Trojan

In the debugger, Wu Zhiming found a self-decryption routine: the length to decrypt is loaded into CX, then a loop walks the data pointed to by EDX and decrypts it in place, and this routine runs for many rounds.

Self-Decryption Behavior of the Trojan
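Once a loop like that is understood, the analyst's next move is usually to re-implement it and run it over the dropped file offline instead of dumping memory after every round. The script below is an added example, not the malware's code and not code from the original post: it mirrors the structure the post describes (length counter in CX, pointer in EDX, many rounds) with a constructed payload and a constructed key. The post does not show the per-byte operation, so the XOR-with-rolling-key step, the key bytes and the round count (ROUNDS = 7) are all assumptions standing in for whatever the real sample does.

```python
"""Re-implement a multi-round, in-place decryption loop to unpack a dropped
payload offline.

Added example, not the malware's code and not code from the original post. The
post only says that the length goes into CX, that a loop walks the bytes at EDX,
and that the routine runs for many rounds; the per-byte operation is not shown,
so the XOR-with-rolling-key below is an assumption. The key, the round count and
the payload are constructed test data.
"""
ROUNDS = 7                   # assumed: the post says "many rounds", the count is not given
KEY = b"\x5a\x9c\x31\xe7"    # assumed: constructed key, not recovered from the sample


def decrypt_round(buf, key, rnd):
    """One pass of the loop, as the debugger would show it: `cx` plays the CX
    length counter, `edx` the pointer into the buffer. The running byte `k`
    is chained on the ciphertext so the rounds do not collapse into one XOR."""
    cx = len(buf) & 0xFFFF          # CX is 16-bit, so one pass covers at most 64 KiB
    edx = 0
    k = rnd & 0xFF                  # assumed: each round seeds the rolling byte with its index
    while cx:
        c = buf[edx]
        buf[edx] = c ^ key[edx % len(key)] ^ k     # assumed per-byte operation
        k = (k + c) & 0xFF
        edx += 1
        cx -= 1
    return buf


def decrypt(data, key=KEY, rounds=ROUNDS):
    """Run the loop `rounds` times in place, mirroring the self-decryption stub."""
    buf = bytearray(data)
    for rnd in range(rounds):
        decrypt_round(buf, key, rnd)
    return bytes(buf)


def encrypt_round(buf, key, rnd):
    """Inverse of decrypt_round: same key stream, but the chain consumes the
    ciphertext byte it just produced. Used only to build the sample dropped file."""
    cx = len(buf) & 0xFFFF
    edx = 0
    k = rnd & 0xFF
    while cx:
        c = buf[edx] ^ key[edx % len(key)] ^ k
        buf[edx] = c
        k = (k + c) & 0xFF
        edx += 1
        cx -= 1
    return buf


def encrypt(data, key=KEY, rounds=ROUNDS):
    """Apply the inverse passes in reverse round order, so decrypt() undoes them."""
    buf = bytearray(data)
    for rnd in reversed(range(rounds)):
        encrypt_round(buf, key, rnd)
    return bytes(buf)


def looks_like_pe(blob):
    """Sanity check applied after the final round: a second-stage PE starts with MZ."""
    return blob[:2] == b"MZ"


# Constructed second stage: a fake PE prefix plus filler, packed like the dropped file.
SECOND_STAGE = b"MZ" + b"\x90" * 62 + b"PE\0\0" + bytes(range(256))
DROPPED_FILE = encrypt(SECOND_STAGE)

if __name__ == "__main__":
    recovered = decrypt(DROPPED_FILE)
    print("dropped file starts with MZ:", looks_like_pe(DROPPED_FILE))
    print("recovered starts with MZ:  ", looks_like_pe(recovered))
    print("round-trip ok:", recovered == SECOND_STAGE)
```

Two things carry over to a real sample: copy the register widths exactly (a 16-bit CX means a payload over 64 KiB needs a second length source, which is itself a clue), and stop the round loop on a recognizable header rather than trusting a hard-coded count, since the round count is often computed at runtime.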

He also caught the program reading the distributed file:

Trojan Loads Second Stage Payload

After reading the file and decrypting it, the trojan starts communicating with its C2 address:

Trojan Starts Communicating with C2

And this C2 address is already linked to a known APT campaign:

Domain Intelligence Showed This Domain Is Related to APT Organizations

Ghost Exorcism


“Damn it,” Wu Zhiming cursed inwardly.

But the work had to go on: block this C2 address at the network level, then check which machines on the network had connected to the domain.

Before long, several more machines that had connected to this address turned up in the network flow logs. Each of them was scanned for malware, and the malware on them was finally removed:

Trojan Removal Record
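The scoping step above, finding every host that talked to the C2, is the part of the cleanup that decides whether the incident is really over. The script below is an added example, not code from the original post: it runs over constructed key=value flow records and reports, per internal host, how often and how much it sent to the indicator. The C2 domain (`c2.example`) and its resolutions (203.0.113.7, 203.0.113.9) are placeholders, since the post does not name the real one. Matching covers the domain, true subdomains of it, and the resolved addresses, because a host that went straight to the IP after the first DNS lookup would otherwise be missed.

```python
"""Scope the incident from flow logs: which internal hosts talked to the C2.

Added example, not code from the original post. The log lines are constructed
(key=value flow records, as a simple SIEM export might produce); the C2 domain
"c2.example" and the IPs 203.0.113.7/203.0.113.9 are placeholders because the
post does not name the real indicator.
"""
from collections import defaultdict
from datetime import datetime, timezone

C2_DOMAIN = "c2.example"                        # placeholder indicator
C2_IPS = {"203.0.113.7", "203.0.113.9"}         # placeholder resolutions of that domain

# Constructed flow records: ts src dst dport bytes_out [host from DNS/SNI]
SAMPLE_FLOWS = """\
ts=2021-05-19T21:58:10Z src=1.2.3.4 dst=203.0.113.7 dport=443 bytes_out=184320 host=c2.example
ts=2021-05-19T22:03:41Z src=10.0.7.21 dst=93.184.216.34 dport=443 bytes_out=2210 host=www.example.com
ts=2021-05-19T22:05:02Z src=10.0.7.33 dst=203.0.113.9 dport=443 bytes_out=90112 host=cdn.c2.example
ts=2021-05-19T22:06:15Z src=10.0.7.33 dst=203.0.113.9 dport=443 bytes_out=131072
ts=2021-05-19T22:09:58Z src=10.0.7.50 dst=93.184.216.34 dport=80 bytes_out=512 host=notc2.example
ts=2021-05-19T22:40:00Z src=1.2.3.4 dst=203.0.113.7 dport=443 bytes_out=262144 host=c2.example
"""


def parse_flow(line):
    """Turn one key=value record into a dict with typed ts and bytes_out."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["bytes_out"] = int(fields["bytes_out"])
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def matches_c2(flow, domain=C2_DOMAIN, ips=C2_IPS):
    """True if the flow went to the C2 domain, a subdomain of it, or one of its IPs."""
    host = flow.get("host", "").lower().rstrip(".")
    # Exact domain or a true subdomain; a look-alike such as "notc2.example" must not match.
    if host == domain or host.endswith("." + domain):
        return True
    return flow["dst"] in ips


def hosts_that_contacted_c2(log_text, domain=C2_DOMAIN, ips=C2_IPS):
    """Return {src: {first, last, connections, bytes_out}}, heaviest sender first."""
    summary = defaultdict(lambda: {"first": None, "last": None, "connections": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not matches_c2(f, domain, ips):
            continue
        s = summary[f["src"]]
        s["first"] = f["ts"] if s["first"] is None else min(s["first"], f["ts"])
        s["last"] = f["ts"] if s["last"] is None else max(s["last"], f["ts"])
        s["connections"] += 1
        s["bytes_out"] += f["bytes_out"]
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True))


if __name__ == "__main__":
    for src, s in hosts_that_contacted_c2(SAMPLE_FLOWS).items():
        print(f"{src:<12} {s['connections']} conns  {s['bytes_out']:>8} B out  "
              f"{s['first']:%H:%M}-{s['last']:%H:%M}")
```

The first-seen timestamp per host is what orders the cleanup: the earliest sender is the most likely patient zero, and every host whose first contact predates the console compromise deserves a second look, since that host was reached by some other path.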

A few hours later, Wu Zhiming had more or less dealt with the incident. The lights on the machines in the room were flashing wildly. When he switched back to the minimized game, he found that he had been reported and sent to the penalty box again…

Wu Zhiming sighed and muttered to himself, “I’ll be back!”, then started a game and quit.