<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://aycagl.com/feed.xml" rel="self" type="application/atom+xml" /><link href="https://aycagl.com/" rel="alternate" type="text/html" /><updated>2026-04-21T19:36:24+00:00</updated><id>https://aycagl.com/feed.xml</id><title type="html">aycagl</title><subtitle>Cyber Security Researcher</subtitle><author><name>Ayça GÜL</name></author><entry><title type="html">HTB — Agile Writeup</title><link href="https://aycagl.com/ctf%20writeups/HTB-Agile-Writeup-d269f798b8cc/" rel="alternate" type="text/html" title="HTB — Agile Writeup" /><published>2026-01-12T18:40:22+00:00</published><updated>2026-01-12T18:40:22+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Agile-Writeup-d269f798b8cc</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Agile-Writeup-d269f798b8cc/"><![CDATA[<p>Hello everyone! In this post, I will explain the walkthrough of the HackTheBox Agile machine (Medium level, Linux).<br />
I hope you enjoy reading.</p>

<p>First, we start by running an Nmap scan. According to the scan results, two ports are open: <strong>22 (SSH)</strong> and <strong>80 (HTTP)</strong>. Since there is no anonymous access on the SSH service, let’s continue with the web application on port 80.</p>

<p><img src="/assets/images/CTF-Writeups/1__GjEdF33ao9yGb__7427znJw.jpeg" alt="" /></p>

<p>To access the website, we add the IP address to our <strong>/etc/hosts</strong> file. When we open the website, we reach a Password Manager web page.</p>

<p><img src="/assets/images/CTF-Writeups/1__N8WZqdI853HjcOAzcm97XQ.jpeg" alt="" /></p>

<p>After investigating the page a bit, we encounter an error screen.</p>

<p><img src="/assets/images/CTF-Writeups/1__b2LNHaKpHPv9MmBtDiATRw.jpeg" alt="" /></p>

<p>At the bottom of the error page, we can see that this is a <strong>Flask Werkzeug debugging page</strong>. With this debugging page, it is possible to access a console directly from the page. However, as is the case in newer versions of Werkzeug, a PIN is required to access the console.</p>

<p><img src="/assets/images/CTF-Writeups/1__QPFv223KAHtZXA346AEvtQ.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__TUd8YCOd11JY__XbpJuj8Jg.jpeg" alt="" /></p>

<p>Let’s keep this debugging page in mind and continue.</p>

<p>By registering with a random username, we can access the vault page and see that we can generate passwords for any site.</p>

<p><img src="/assets/images/CTF-Writeups/1__iraQmeEYH4uTSB42eylbvQ.jpeg" alt="" /></p>

<p>On the vault screen, when we click the “Export” button, we can see that it downloads a file with a filename generated specifically for us. When we inspect the requests in Burp, we notice that the download is performed via a GET request.</p>

<p><img src="/assets/images/CTF-Writeups/1__AdmEQuDXSjApm7L3Xt__cWw.jpeg" alt="" /></p>

<p>Fetching the file directly by name via a GET request suggests a potential <strong>Arbitrary File Read</strong> vulnerability. When we try to traverse to parent directories and read /etc/passwd, we confirm that the file read vulnerability is indeed present.</p>

<p><img src="/assets/images/CTF-Writeups/1__XZykhlEcF1P7UrLJ06pN3Q.jpeg" alt="" /></p>

<p>At this point, after doing some research online based on our findings, we can find a payload that generates the Werkzeug debug PIN using the debugging page we discovered earlier (the relevant payload can be found on <a href="https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/werkzeug.html"><strong>HackTricks</strong></a>). For the payload to work, we need values for the public bits and private bits, which we can retrieve from the target by abusing the file read vulnerability.</p>

<p><img src="/assets/images/CTF-Writeups/1__3__vUwSVEQgipYFzNC0AnvQ.jpeg" alt="" /></p>

<p>Let’s start with probably_public_bits. To obtain the username from the system, it is enough to check /proc/self/environ.</p>

<p><img src="/assets/images/CTF-Writeups/1__wPFw0qW4v__TJw46J4V__eiQ.jpeg" alt="" /></p>

<p>We can obtain the modname and attribute name fields from the debugging page.</p>

<p><img src="/assets/images/CTF-Writeups/1__rVzbPBOJjQel2ZkGqn7Nvw.jpeg" alt="" /></p>

<p>For private_bits, first we need the machine’s MAC address. From /proc/net/arp, we learn the network interface name. Then we can retrieve the MAC address from /sys/class/net/&lt;device&gt;/address.</p>

<p><img src="/assets/images/CTF-Writeups/1__Fv8JTynyl3mCevWGrCBfjA.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__OHrtK3XQCaTaqmd2NJo3Ew.jpeg" alt="" /></p>

<p>We convert this MAC address to decimal using Python’s “print” and obtain the first part of the private_bits section.</p>

<p>For the second part, we take the machine-id from /etc/machine-id and append to it the value we read from /proc/self/cgroup.</p>

<p><img src="/assets/images/CTF-Writeups/1__O0g7WcEP1GExfJrhacXvyQ.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__pvA3YAXf63pvOOo6yYvLJA.jpeg" alt="" /></p>

<p>After placing the discovered values into the script and running it, we obtain the PIN. When we enter this PIN by clicking on any console element in the debugging page, we can see that the console opens.</p>

<p>Then, we start a netcat listener on our own machine and enter a bash reverse shell payload into the opened console area.</p>

<p><img src="/assets/images/CTF-Writeups/1__Pifpytuy1pTfX7POB4ybgg.jpeg" alt="" /></p>

<p>We can see that a shell lands on our netcat listener.</p>

<p><img src="/assets/images/CTF-Writeups/1__apb__ZSJTpwogJiZV3RYEsw.jpeg" alt="" /></p>

<p>When we explore the system, we notice that there are three users under /home, but we do not have permission to read any of their home directories. Similarly, we do not have sudo privileges at this stage.</p>

<p><img src="/assets/images/CTF-Writeups/1__H9__M__7nVToQGkg56rUrY2A.jpeg" alt="" /></p>

<p>After digging a bit more, we find a file named config_prod.json under the /app directory. This file contains MySQL database connection details. Using these details, we connect to the MySQL database.</p>

<p><img src="/assets/images/CTF-Writeups/1__M5cr0hVPkBHFpeGkiBDlGg.jpeg" alt="" /></p>

<p>Inside MySQL, when we list the databases, we can connect to the database named superpass and view its tables. From the Passwords table, we retrieve the password for the user “corum”.</p>

<p><img src="/assets/images/CTF-Writeups/1__TPNCeg__TztQBr9rLJevtIA.jpeg" alt="" /></p>

<p>We SSH into the machine as corum. We can find the <strong>user flag</strong> under corum’s home directory.</p>

<p><img src="/assets/images/CTF-Writeups/1__J__zvf9MyPdakKRjaW__QXLw.jpeg" alt="" /></p>

<p>As the corum user, when we continue exploring the system, we notice a file named <strong>test_site_interactively.py</strong> under /app/app-testing/tests/functional. By reading the file, we see that it is used for testing the password manager website. The script reads credential information from creds.txt (which we cannot read directly), loads a Selenium web driver, and logs into the test version of the site.</p>

<p><img src="/assets/images/CTF-Writeups/1__yQQyeCBG__MllHSOGIFXG__w.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__Tkny50CqvcrBqqMAcYS__Iw.jpeg" alt="" /></p>

<p>In Selenium setups, when Chrome runs for testing, it typically exposes a debugging port. From the code, we learn that <strong>41829</strong> is used as the debugging port.</p>

<p><img src="/assets/images/CTF-Writeups/1__S6PqILImSl8qeA70GAnTwQ.jpeg" alt="" /></p>

<p>By using <strong>SSH port forwarding</strong>, we can access this port from our own machine and reach the test page locally.</p>

<p><img src="/assets/images/CTF-Writeups/1__s__Kxk__Jgp3eeXfs0TE6xPQ.jpeg" alt="" /></p>

<p>In Chrome, we go to <code class="language-plaintext highlighter-rouge">chrome://inspect</code> and add <code class="language-plaintext highlighter-rouge">127.0.0.1:41829</code> under Target discovery. When we click Inspect, we can see that it takes us to the test page.</p>

<p><img src="/assets/images/CTF-Writeups/1__UOr7Rx8hJq9R0KA60DL__LQ.jpeg" alt="" /></p>

<p>On the test page, we obtain the password for the user edwards.</p>

<p><img src="/assets/images/CTF-Writeups/1__ogsHeUzokACwsVKQYm5VAA.jpeg" alt="" /></p>

<p>Using this password, we switch to the edwards user.</p>

<p><img src="/assets/images/CTF-Writeups/1__dJ__n1dNROTj1g0D5tEDZ__g.jpeg" alt="" /></p>

<p>By running <code class="language-plaintext highlighter-rouge">sudo -l</code>, we can see what edwards is allowed to do with sudo. According to the output, edwards can run sudoedit as the user dev_admin to edit two different files.</p>

<p><img src="/assets/images/CTF-Writeups/1__R__ytZYmtJqIPFyJPcekBNA.jpeg" alt="" /></p>

<p>When we check the sudoedit version, we see that it is vulnerable to <a href="https://security-tracker.debian.org/tracker/CVE-2023-22809"><strong>CVE-2023-22809</strong></a>. With this vulnerability, an attacker can inject extra arguments (using <code class="language-plaintext highlighter-rouge">--</code>) via user-provided environment variables; this allows edwards, as dev_admin, to write to files beyond the two permitted ones.</p>

<p><img src="/assets/images/CTF-Writeups/1__qWIYowyjY2e4MYZMVGR3Dg.jpeg" alt="" /></p>

<p>Now let’s find a path from dev_admin to root. When we check what files dev_admin can execute, we see that /app/venv/bin/activate can be executed.</p>

<p><img src="/assets/images/CTF-Writeups/1__4GVwnHdn1G53pJFOzv7NZw.jpeg" alt="" /></p>

<p>This is interesting because we can access a file named test_and_update.sh on the system. This file runs every minute with root privileges and executes the activate binary (/app/venv/bin/activate).</p>

<p><img src="/assets/images/CTF-Writeups/1____zwgTzIy8e2C__AE6qjz6lA.jpeg" alt="" /></p>

<p>By abusing the vulnerability, we can supply this binary as an extra argument using <code class="language-plaintext highlighter-rouge">--</code>, allowing us to edit it and ultimately gain root privileges.</p>

<p><img src="/assets/images/CTF-Writeups/1__N4sup7mN6l__503LFhrSDRA.jpeg" alt="" /></p>

<p>We write /bin/bash at the top of the file and copy it under /tmp. Then we set the SUID bit on the copied file with chmod 4777.</p>

<p><img src="/assets/images/CTF-Writeups/1__sXUeODbO57TJRto9OFNudA.jpeg" alt="" /></p>

<p>After a few minutes, we can see the file appear under /tmp. When we run it with the -p flag, we successfully escalate to the root user. Finally, we can retrieve the <strong>root flag</strong> from /root/root.txt.</p>

<p><img src="/assets/images/CTF-Writeups/1__VOiaIJg5k__g__GcX__Qv9zbA.jpeg" alt="" /></p>

<p>Thanks for reading!</p>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[Hello everyone! In this post, I will explain the walkthrough of the HackTheBox Agile machine (Medium level, Linux). I hope you enjoy reading.]]></summary></entry><entry><title type="html">HTB — Writeup Walkthrough</title><link href="https://aycagl.com/ctf%20writeups/HTB-Writeup-Walkthrough-1021fa5c1f2a/" rel="alternate" type="text/html" title="HTB — Writeup Walkthrough" /><published>2025-10-22T19:46:30+00:00</published><updated>2025-10-22T19:46:30+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Writeup-Walkthrough-1021fa5c1f2a</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Writeup-Walkthrough-1021fa5c1f2a/"><![CDATA[<p>Hi everyone! In this article, I will present the solution of the HackTheBox machine named Writeup.</p>

<p>Enjoy reading!</p>

<p>We start with an Nmap scan. According to the Nmap results, ports <strong>22</strong> and <strong>80</strong> are open. We cannot access SSH on port 22 at this time because we do not possess any credentials. Port 80 hosts an HTTP service. The banner indicates an Apache web server is running on port 80 and the scan shows a <code class="language-plaintext highlighter-rouge">robots.txt</code> entry listing a disallowed directory called <code class="language-plaintext highlighter-rouge">/writeup/</code>.<br />
 <em>(<code class="language-plaintext highlighter-rouge">robots.txt</code> is a plain-text file that web servers expose to tell well-behaved web crawlers which paths they should not index. It is not an access-control mechanism; rather, it is a hint that often contains developer-hidden or low-visibility endpoints such as admin pages, backups or staging directories. In a security assessment, <code class="language-plaintext highlighter-rouge">robots.txt</code> is useful because it frequently points to high-priority locations to investigate.)</em></p>

<p><img src="/assets/images/CTF-Writeups/1__sYYEaslT6H__UsMxVQVI4wQ.jpeg" alt="" /></p>

<p>When we examine the site itself, we observe it is protected by a DDoS/anti-abuse mechanism that bans IPs producing many 40x responses. Because repeated 40x responses trigger the ban, noisy directory discovery tools such as <code class="language-plaintext highlighter-rouge">gobuster</code> produce many 404s and quickly get our IP banned, so aggressive brute-force scanning is not an effective option here.</p>

<p><img src="/assets/images/CTF-Writeups/1__6oB5eaZEnmJOnhztFoaFgQ.jpeg" alt="" /></p>

<p>We fetched <code class="language-plaintext highlighter-rouge">robots.txt</code> with <code class="language-plaintext highlighter-rouge">curl</code> from the terminal and confirmed it contains a <code class="language-plaintext highlighter-rouge">Disallow: /writeup/</code> entry.</p>

<p><img src="/assets/images/CTF-Writeups/1__vC24ztADCRyvQ2RbH7__zTg.jpeg" alt="" /></p>

<p>When we browse the <code class="language-plaintext highlighter-rouge">/writeup/</code> directory we see a draft-style page; the page layout and visible content do not immediately reveal anything useful.</p>

<p><img src="/assets/images/CTF-Writeups/1__CrK8ZTn9UjhoL1OGVqdkEA.jpeg" alt="" /></p>

<p>By proxying requests through Burp Suite and inspecting requests and responses, we find that the site is running a CMS. The CMS appears to be the 2019 release of that product, a version known to have SQL injection issues.</p>

<p><img src="/assets/images/CTF-Writeups/1__5__LsbkaihgVelT7Z__4LU3A.jpeg" alt="" /></p>

<p>After a little research, we confirmed the 2019 version is vulnerable to an unauthenticated SQL injection and found an exploit published on <a href="https://www.exploit-db.com/exploits/46635">Exploit-DB</a> that targets that vulnerability.</p>

<p><img src="/assets/images/CTF-Writeups/1__rk3m3pYlo7FTRL9gY2RoWw.jpeg" alt="" /></p>

<p>The exploit is written for Python 2, so we install Python 2 on our attacking machine (or adapt the exploit to Python 3), provide the target URL and run the exploit.</p>

<p><img src="/assets/images/CTF-Writeups/1__3yiC32SHw5hd1Vi2MFth0A.jpeg" alt="" /></p>

<p>The exploit returns database fields including <strong>username</strong>, <strong>email</strong>, the <strong>password hash</strong> and the <strong>salt</strong> used for the password. Because the password is stored as a hash we must crack it before we can log in; for that we use Hashcat.</p>

<p><img src="/assets/images/CTF-Writeups/1__nOB8aIQm4VssJ4oK__uwpKQ.jpeg" alt="" /></p>

<p>Examining the exploit code shows it constructs the hash as <code class="language-plaintext highlighter-rouge">salt + password</code> before hashing.</p>

<p><img src="/assets/images/CTF-Writeups/1__cf3gC8bD7TDMExF5LGakyA.jpeg" alt="" /></p>

<p>According to <a href="https://hashcat.net/wiki/doku.php?id=example_hashes">Hashcat’s documentation</a>, hash mode <strong>20</strong> corresponds to <code class="language-plaintext highlighter-rouge">md5($salt.$pass)</code>. Since the exploit performs <code class="language-plaintext highlighter-rouge">salt + password</code>, we use Hashcat mode 20.</p>

<p><img src="/assets/images/CTF-Writeups/1__nFOPBD5FhZswg6JRoQGQ4A.jpeg" alt="" /></p>

<p>We run Hashcat with <code class="language-plaintext highlighter-rouge">rockyou.txt</code> as a wordlist to recover the plaintext password.</p>

<p><img src="/assets/images/CTF-Writeups/1__USJYEolcp6k6PG0dGDTIRw.jpeg" alt="" /></p>

<p>Hashcat successfully recovers the password.</p>

<p><img src="/assets/images/CTF-Writeups/1__iEXAsfUq87bPaUHa7JQIEw.jpeg" alt="" /></p>

<p>Using the recovered username and password we SSH into the box. After logging in as <code class="language-plaintext highlighter-rouge">jkr</code> we find the user flag in the <code class="language-plaintext highlighter-rouge">jkr</code> user’s home directory.</p>

<p><img src="/assets/images/CTF-Writeups/1__12oKYEn9Hazt5z8DCHn9eQ.jpeg" alt="" /></p>

<p><strong>Privilege Escalation</strong></p>

<p>To escalate privileges we first check for <code class="language-plaintext highlighter-rouge">sudo</code> but discover that <code class="language-plaintext highlighter-rouge">sudo</code> is not available on the system. Inspecting the output of <code class="language-plaintext highlighter-rouge">id</code> for the current user shows membership in an interesting group: <strong>staff</strong>.</p>

<p><img src="/assets/images/CTF-Writeups/1__5d6CiPTpSHPKTWLHd__s70A.jpeg" alt="" /></p>

<p>On <a href="https://wiki.debian.org/SystemGroups">Debian</a>-like systems, the <code class="language-plaintext highlighter-rouge">staff</code> group commonly allows members to add files under <code class="language-plaintext highlighter-rouge">/usr/local</code> — for example <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> and <code class="language-plaintext highlighter-rouge">/usr/local/sbin</code> — without needing root privileges. Those two directories are typically placed near the front of the root user’s <code class="language-plaintext highlighter-rouge">PATH</code>. That means if root executes a command that resolves to a binary name that we can place in <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> or <code class="language-plaintext highlighter-rouge">/usr/local/sbin</code>, we can overwrite or shadow the expected system binary with a malicious program and have that malicious code executed with root privileges.</p>

<p><img src="/assets/images/CTF-Writeups/1__l9XEy83YwM3S50__IZvuxug.jpeg" alt="" /></p>

<p>To observe what the system (including root) runs during user logins, we download <code class="language-plaintext highlighter-rouge">pspy32</code> from <a href="https://github.com/DominicBreuker/pspy">GitHub</a> and copy it to the target via <code class="language-plaintext highlighter-rouge">scp</code>, then make it executable.</p>

<p><img src="/assets/images/CTF-Writeups/1__206HYtd__J__1CxWAS4g__4nA.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__CBy8UD99UghuHngovXezyg.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__HPUoY9AqUXAdHq9QJURkoQ.jpeg" alt="" /></p>

<p><code class="language-plaintext highlighter-rouge">pspy</code> is a lightweight monitoring binary that prints executed commands and process events in real time without requiring root; it is ideal for detecting cron jobs, system timers and other commands that run as root. Running <code class="language-plaintext highlighter-rouge">pspy</code> while initiating a new SSH session, we observe that during SSH login root invokes:</p>

<p><code class="language-plaintext highlighter-rouge">/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:… run-parts --lsbsysinit /etc/update-motd.d &gt; /run/motd.dynamic.new</code></p>

<p><img src="/assets/images/CTF-Writeups/1__GNE1YTjU__NGjOBs0Rg__vFw.jpeg" alt="" /></p>

<p>In other words, a clean environment is created (<code class="language-plaintext highlighter-rouge">env -i</code>) and the <code class="language-plaintext highlighter-rouge">PATH</code> is explicitly set with <code class="language-plaintext highlighter-rouge">/usr/local/sbin</code> and <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> at the front and then <code class="language-plaintext highlighter-rouge">run-parts</code> executes the scripts in <code class="language-plaintext highlighter-rouge">/etc/update-motd.d</code> as root. Because <code class="language-plaintext highlighter-rouge">/usr/local/sbin</code> and <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> are both writable by members of <code class="language-plaintext highlighter-rouge">staff</code> and because those directories appear at the beginning of the <code class="language-plaintext highlighter-rouge">PATH</code> that root uses when running <code class="language-plaintext highlighter-rouge">run-parts</code>, any binary name resolved by the MOTD scripts (for example <code class="language-plaintext highlighter-rouge">uname</code> or other common utilities invoked by those scripts) will resolve <strong>first</strong> to our writable <code class="language-plaintext highlighter-rouge">/usr/local/bin</code> if we place a program with the same name there. That precedence—root searching writable directories we control before secure system directories—creates a path-hijacking vector that allows us to run our own code with root privileges when <code class="language-plaintext highlighter-rouge">run-parts</code> runs.</p>

<p>By creating a malicious <code class="language-plaintext highlighter-rouge">run-parts</code>-invoked binary (for example a script named the same as a utility the MOTD script calls) inside <code class="language-plaintext highlighter-rouge">/usr/local/bin</code>, we can have that malicious program executed by root whenever <code class="language-plaintext highlighter-rouge">run-parts</code> runs during a new SSH login.</p>

<p><img src="/assets/images/CTF-Writeups/1__ebn11bpz41q9qUADcdbO7g.jpeg" alt="" /></p>

<p>Our payload creates a setuid shell binary (or otherwise produces a persistent root shell). After placing the payload, we open a new SSH session. When <code class="language-plaintext highlighter-rouge">/etc/update-motd.d</code> is executed via <code class="language-plaintext highlighter-rouge">run-parts</code> during login, our malicious binary runs with root privileges and sets the SUID bit on a shell copy or directly spawns a privileged shell.</p>

<p><img src="/assets/images/CTF-Writeups/1__2aNIQ232mJOgWBJCt78f1Q.jpeg" alt="" /></p>

<p>From a new terminal we then run the shell with the <code class="language-plaintext highlighter-rouge">-p</code> flag to preserve privileges and we obtain a root shell. From there we can read the root flag (<code class="language-plaintext highlighter-rouge">/root/root.txt</code>).</p>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[Hi everyone! In this article, I will present the solution of the HackTheBox machine named Writeup.]]></summary></entry><entry><title type="html">HTB — Eureka Writeup</title><link href="https://aycagl.com/ctf%20writeups/HTB-Eureka-Writeup-600c3b7e7500/" rel="alternate" type="text/html" title="HTB — Eureka Writeup" /><published>2025-10-04T21:55:20+00:00</published><updated>2025-10-04T21:55:20+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Eureka-Writeup-600c3b7e7500</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Eureka-Writeup-600c3b7e7500/"><![CDATA[<p>Hello everyone, in this writeup, I am presenting the solution for the Eureka machine in HackTheBox. Eureka is a hard-level Linux machine.</p>

<p>Enjoy reading!</p>

<p>An Nmap scan was performed against the machine. The scan showed ports 22 (SSH) and 80 (HTTP) open. Because anonymous SSH login was not available, we decided to proceed via port 80.</p>

<p><img src="/assets/images/CTF-Writeups/1____b1LRp3YHp__oR8bxEj6n5w.jpeg" alt="" /></p>

<p>For DNS resolution the IP and domain were added to the <em>/etc/hosts</em> file.</p>

<p><img src="/assets/images/CTF-Writeups/1__u5iVGKrD3SlBhrNyyJ__9Kg.jpeg" alt="" /></p>

<p>When the web page was visited, many input fields were observed. Examples include email subscription, registration and comment forms.</p>

<p><img src="/assets/images/CTF-Writeups/1__6l18m38DBbXyTTw3NOxrng.jpeg" alt="" /></p>

<p>A directory scan was performed using Gobuster.</p>

<p><img src="/assets/images/CTF-Writeups/1__JpjwFYJCcSV8YrbZM6HLpg.jpeg" alt="" /></p>

<p>The discovered directories were inspected. None of the inspected directories revealed a way to log into the system. The user input fields on the site were tested with SQL injection and XSS payloads but no vulnerabilities were found.</p>

<p><img src="/assets/images/CTF-Writeups/1__QlZ0s__Ck49us4tJcNk3mrA.jpeg" alt="" /></p>

<p>A full-port Nmap scan was then run for more detail. In addition to the previously seen results, port 8761 was observed to be open.</p>

<p><img src="/assets/images/CTF-Writeups/1__w00bpBlY8UbfwZcwMtF3JQ.jpeg" alt="" /></p>

<p>A web search for services on port 8761 showed that Spring Cloud Eureka commonly runs on that port. Eureka is a service-discovery tool used in microservice architectures. Through its interface it is possible to view registered services, connection details, and management functions [1].</p>

<p>A deeper directory scan for Spring Boot endpoints was done using Feroxbuster with the SecLists wordlist file <em>spring-boot.txt</em>.</p>

<p><img src="/assets/images/CTF-Writeups/1__mLpcI1QUk0jA8CRZuNQ1Uw.jpeg" alt="" /></p>

<p>The scan showed the common <em>/actuator/</em> endpoint for Eureka Server. In particular, the <em>/actuator/heapdump</em> file stood out. That file contains a memory dump of the running application. Sensitive information can sometimes be obtained from such dumps.</p>

<p><img src="/assets/images/CTF-Writeups/1__03oQiWxEBJX9XV3tEybt2Q.jpeg" alt="" /></p>

<p>When the heapdump file was analyzed and host information was extracted, a Base64-encoded password was found.</p>

<p><img src="/assets/images/CTF-Writeups/1__1stlzSsKzLtxqiZcvJ1X7Q.jpeg" alt="" /></p>

<p>After decoding that password, likely username and password information for an internal user were obtained.</p>

<p><img src="/assets/images/CTF-Writeups/1__hStO7pTfHrEQFrUJwpSKtg.jpeg" alt="" /></p>

<p>Further searches were performed on the heapdump to find more credentials. Searching for the discovered username revealed a localhost entry.</p>

<p><img src="/assets/images/CTF-Writeups/1__nTk3i5ZBbvlGyaEe3nEMVw.jpeg" alt="" /></p>

<p>Separately, searching directly for the string <em>password=</em> revealed username and password data for another user named Oscar.</p>

<p><img src="/assets/images/CTF-Writeups/1__pv__SrQeWnH__K5n7uiqDutw.jpeg" alt="" /></p>

<p>Using the username and password recovered for Oscar, an SSH connection was made.</p>

<p><img src="/assets/images/CTF-Writeups/1__KggV2__xr9B0NNrXAE0aQKg.jpeg" alt="" /></p>

<p>The user flag is probably located under a different account on the system. Therefore, attempts were made to switch users. From the Spring scans, the <em>/actuator/env</em> path was examined and an interesting location was found.</p>

<p><img src="/assets/images/CTF-Writeups/1__C0ZN5I3VRjevhBYdQXXCOw.jpeg" alt="" /></p>

<p>When the file at that location was read via the SSH connection, application configuration details were discovered. Those details showed the application was using a MySQL database.</p>

<p><img src="/assets/images/CTF-Writeups/1__GgrzmdRdjrz36THmhYe1gw.jpeg" alt="" /></p>

<p>By connecting to the database, email addresses and hashed passwords for several users were obtained.</p>

<p><img src="/assets/images/CTF-Writeups/1__QiHBzcJ5BHV6uQsRcw7bGQ.jpeg" alt="" /></p>

<p>The collected email-and-hash pairs did not yield usable credentials: attempts to crack the hashes with Hashcat and John were unsuccessful.</p>

<p>At this point we revisited the earlier localhost information. Because the Eureka interface was only accessible from localhost, SSH port forwarding was used with the access we already had to bypass this restriction: the target machine’s port 8761 was forwarded to our local machine so it could be accessed as if it were local.</p>

<p><img src="/assets/images/CTF-Writeups/1__UJynE__A1VSkyh6MmDs6__8w.jpeg" alt="" /></p>

<p>This allowed access to the Spring Boot admin panel at <em>localhost:8761</em> from our machine. The credentials found earlier were used to log in.</p>

<p><img src="/assets/images/CTF-Writeups/1__xhOWRlWj__ggyV2hHVgoI__w.jpeg" alt="" /></p>

<p>Research into Eureka’s endpoint structure showed the <em>/eureka/apps</em> path [3].</p>

<p><img src="/assets/images/CTF-Writeups/1__W4WBhyV9AV6sop5d2H3vMg.jpeg" alt="" /></p>

<p>At that endpoint, information about the user-management service was available.</p>

<p><img src="/assets/images/CTF-Writeups/1__ugkKyG55y9Rjic12KJyIAg.jpeg" alt="" /></p>

<p>Further research revealed a way to perform service spoofing [4]. Eureka’s registration mechanism was targeted: microservices normally register themselves with Eureka by reporting “I run at this IP and port.” By abusing this mechanism, a fake service called <em>USER-MANAGEMENT-SERVICE</em> was registered. As a result, other components in the system connected to this fake service and credentials were sent to a netcat listener opened on the host.</p>

<p><img src="/assets/images/CTF-Writeups/1__I0ONz6CeFVBmO2NHRMBfXw.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__q0M5CQS1DrX__66G4XysqMw.jpeg" alt="" /></p>

<p>Using this method, SSH credentials for the <em>miranda-wise</em> user were captured. When decoded with Burp Suite’s URL decoder the password was recovered exactly.</p>

<p>Using those credentials, an SSH connection was made as <em>miranda-wise</em>.</p>

<p><img src="/assets/images/CTF-Writeups/1__Shv6f8r0cNvlm__zNKig8Ew.png" alt="" /></p>

<h3 id="privilege-escalation">Privilege Escalation</h3>

<p>To escalate privileges, the system was checked for sudo rights; the user did not have sudo access.</p>

<p>Similarly, there were no usable SUID binaries available to the user.</p>

<p>Crontabs on the system were examined. Logs kept by the cloud-gateway web component were observed to be updated every minute.</p>

<p><img src="/assets/images/CTF-Writeups/1__ZW61ruxupNjhSYaMfeo0MA.png" alt="" /></p>

<p>The log-analysis script contained a vulnerability in its code:</p>

<p><img src="/assets/images/CTF-Writeups/1__DhaHrgkSLgVExZzmtvKX8w.png" alt="" /></p>

<p>When comparing the <em>Status:</em> values, the script uses <code class="language-plaintext highlighter-rouge">[[ "$existing_code" -eq "$code" ]]</code>. However, the log contents are passed into the script in a way that allows <code class="language-plaintext highlighter-rouge">$(…)</code> expressions written in the log to be executed as Bash command substitution. Therefore, by inserting a line such as <code class="language-plaintext highlighter-rouge">HTTP Status: x[$(cp /bin/bash /tmp/bash; chmod u+s /tmp/bash)]</code> into the log, the script will execute that command with the privileges of the process running the script.</p>

<p><img src="/assets/images/CTF-Writeups/1__VqIbo__oEnpY33xjw8McXrA.png" alt="" /></p>

<p>A copy of <em>/bin/bash</em> was written to <em>/tmp/bash</em> and its SUID bit was set. Because the copied bash had the SUID bit, it could be executed to obtain a root shell.</p>

<p>Within one minute, the copied <em>bash</em> appeared under <em>/tmp</em>. As a result, a root shell was obtained and the root flag was recovered.</p>

<p><img src="/assets/images/CTF-Writeups/1__l2BMS7ftiWGS66O1YdhMpA.png" alt="" /></p>

<h3 id="resources">Resources</h3>

<ol>
  <li>Spring. (n.d.). <em>Spring Cloud Netflix documentation</em>. Spring.io. <a href="https://docs.spring.io/spring-cloud-netflix/docs/current/reference/html">https://docs.spring.io/spring-cloud-netflix/docs/current/reference/html</a></li>
  <li>Wiz. (2023, April 24). <em>Spring Boot actuator misconfigurations</em>. Wiz.io. <a href="https://www.wiz.io/blog/spring-boot-actuator-misconfigurations">https://www.wiz.io/blog/spring-boot-actuator-misconfigurations</a></li>
  <li>Netflix. (n.d.). <em>Eureka REST operations</em>. GitHub. <a href="https://github.com/netflix/eureka/wiki/eureka-rest-operations">https://github.com/netflix/eureka/wiki/eureka-rest-operations</a></li>
  <li>Backbase Engineering. (2023, May 16). <em>Hacking Netflix Eureka</em>. Backbase Engineering Blog. <a href="https://engineering.backbase.com/2023/05/16/hacking-netflix-eureka">https://engineering.backbase.com/2023/05/16/hacking-netflix-eureka</a></li>
</ol>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[Hello everyone, in this writeup, I am presenting the solution for the Eureka machine in HackTheBox. Eureka is a hard-level Linux machine.]]></summary></entry><entry><title type="html">HTB — Puppy Writeup</title><link href="https://aycagl.com/ctf%20writeups/HTB-Puppy-Writeup-dc00ca10bdbc/" rel="alternate" type="text/html" title="HTB — Puppy Writeup" /><published>2025-10-03T12:54:32+00:00</published><updated>2025-10-03T12:54:32+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Puppy-Writeup-dc00ca10bdbc</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Puppy-Writeup-dc00ca10bdbc/"><![CDATA[<p>Hello everyone, in this writeup I will explain the solution for the HackTheBox machine Puppy. Puppy is a medium-level Windows machine.</p>

<p>Enjoy reading!</p>

<p>We start by scanning all ports with Nmap. According to the results, many services are open such as DNS, Kerberos, LDAP, SMB, etc. This indicates that the machine is a Domain Controller in an Active Directory environment.</p>

<p><img src="/assets/images/CTF-Writeups/1__VBOSoGfuruFyj0asXlnT1g.jpeg" alt="" /></p>

<p>Connecting over SMB with the given default credentials, we notice that the SYSVOL share stands out.</p>

<p><img src="/assets/images/CTF-Writeups/1__JCatw4ALt6Jjo3BQaPjENg.jpeg" alt="" /></p>

<p>We copy all files under the SYSVOL directory to our own machine.</p>

<p><img src="/assets/images/CTF-Writeups/1__aiUVQQ____8M9c76SK2nu2dw.jpeg" alt="" /></p>

<p>Before analyzing the files taken from SYSVOL, we use Impacket’s GetADUsers over LDAP to extract the user inventory. The goal here is to connect to the domain controller and return user objects and important attributes from Active Directory. The output shows multiple users on the system, including an admin.</p>

<p><img src="/assets/images/CTF-Writeups/1__QSBNkrJ8SuhDq__lwHqP0bw.jpeg" alt="" /></p>

<p>When we try to log in over WinRM with the user Levi, we see that they are not authorized.</p>

<p><img src="/assets/images/CTF-Writeups/1__GuojP3homsTy3JhzSjjkrw.jpeg" alt="" /></p>

<p>Since we cannot log in to WinRM with the user we have, we continue through SMB. When examining the files taken from SMB, we see that the user Levi is a member of the HR group.</p>

<p><img src="/assets/images/CTF-Writeups/1__QX6k0sgdTHQJOdFFbpmjgA.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__oZrHU__4ejzB3g1031P1O1g.jpeg" alt="" /></p>

<p>We also see that the HR group has write permissions over the Developers group.</p>

<p><img src="/assets/images/CTF-Writeups/1__j6VkJqbHxmnuQlN__DPgGdg.jpeg" alt="" /></p>

<p>These relationships are seen more clearly using BloodHound. Levi is a member of HR, and the HR group has GenericWrite privileges over Developers. In this case, users in the HR group can modify the membership of the Developers group.</p>

<p><img src="/assets/images/CTF-Writeups/1__UgKxp5Yy5kXX__aN__bp__WEA.png" alt="" />
<img src="/assets/images/CTF-Writeups/1__iCQmsKMUY2ElTLtB8mUhMA.png" alt="" /></p>

<p>With this information, we add the user Levi to the Developers group.</p>

<p><img src="/assets/images/CTF-Writeups/1__SQo1QUXJl5eG083RnTvhNw.jpeg" alt="" /></p>

<p>When we log back into SMB with Levi, we access important files under the /DEV directory.</p>

<p><img src="/assets/images/CTF-Writeups/1__ET6kWSqKi2ZnvNk2xYElPA.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__W9UWtRPBMNUqrRJKZJxNfw.jpeg" alt="" /></p>

<p>Among the files obtained, recovery.kdbx is a KeePass 2.x database file. Its password hash is extracted with keepass2john and cracked.</p>

<p><img src="/assets/images/CTF-Writeups/1__Sa0FRmPwaR4FOgKO__yBseA.jpeg" alt="" /></p>

<p>With the cracked password for “recovery.kdbx”, we open the database. Inside, we see users and their passwords.</p>

<p><img src="/assets/images/CTF-Writeups/1__VjXiYk__JQewWY__RNeqZ5lw.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__DJumx3n__bvnojvRTeNA6__w.jpeg" alt="" /></p>

<p>Using the recovered password belonging to Antony Edwards, we can log in over SMB.</p>

<p><img src="/assets/images/CTF-Writeups/1__VSac3TH00PBZdYQ1OcoBuQ.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__IkhoN87uMLN6Q70gTggsbQ.jpeg" alt="" /></p>

<p>Using that user’s credentials, we run the BloodHound collector to map the domain. When a Kerberos TGT cannot be obtained, the tool automatically falls back to NTLM and collects the information into a single zip file.</p>

<p><img src="/assets/images/CTF-Writeups/1__rA8nH__YhLB5AqYwx4T3oCw.jpeg" alt="" /></p>

<p>When the zip file is analyzed in the BloodHound interface, we find that the user Edwards is a member of the Senior Devs group and that this group has privileges over the user Adam Silver.</p>

<p><img src="/assets/images/CTF-Writeups/1__ShOR0OAHBBPKpkCQu6X5wQ.jpeg" alt="" /></p>

<p>With this privilege the password of the user Adam Silver is changed.</p>

<p><img src="/assets/images/CTF-Writeups/1__Xqn__ld4LL8xRRRyqQ6__G0g.jpeg" alt="" /></p>

<p>Using ldapsearch to examine the Adam Silver account, we see that the account is disabled: its userAccountControl value is 66050 (66048 + 2, where the 2 bit is the ACCOUNTDISABLE flag). The disable bit is cleared by setting the value to 66048, and the account becomes active.</p>

<p><img src="/assets/images/CTF-Writeups/1__8dMsn2Y6DAb__k3W58kRkGQ.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__dT6TawyNBTOus__OeJVBgxQ.jpeg" alt="" /></p>

<p>Using Evil-WinRM, we gain access to the system as the user Adam Silver.</p>

<p><img src="/assets/images/CTF-Writeups/1__6rDOHEib1b1h00dkAbIUBg.jpeg" alt="" /></p>

<p>As a result, we obtain user.txt on the user’s Desktop.</p>

<p><img src="/assets/images/CTF-Writeups/1__DvzGgIET5R7TKhKO__u1Bsg.jpeg" alt="" /></p>

<h3 id="privilege-escalation">Privilege Escalation</h3>

<p>When exploring the system, we see a zip file under C:\Backups.</p>

<p><img src="/assets/images/CTF-Writeups/1__rciSfOEnIZPIhnwfx2oSaA.jpeg" alt="" /></p>

<p>When we download and examine the file on our own system, we access the username–password information belonging to the user steph.cooper.</p>

<p><img src="/assets/images/CTF-Writeups/1__2G7e7wzSelsgMWCaRVYhOg.jpeg" alt="" /></p>

<p>When we connect with the user steph.cooper over WinRM, we find two important files under the user’s Documents directory. Of these, masterkey.b64 is the base64-encoded master key file and cred.b64 is the base64-encoded credential file. Inside the credential file is the DPAPI blob, the part that holds the actual data encrypted with the master key.</p>

<p><img src="/assets/images/CTF-Writeups/1__Tvp9C6ojaZosXkIcs8A3fA.jpeg" alt="" /></p>

<p>We obtain the user’s SID.</p>

<p><img src="/assets/images/CTF-Writeups/1__ysBe5__o24xd4Bjujm5C7xw.jpeg" alt="" /></p>

<p>The user’s master key is protected with a key derived from the password, and the user’s SID is also involved in the derivation. Therefore, both the password and the SID are given to the dpapi.py masterkey command, which decrypts the encrypted key in the master key file and returns the raw master key (hex).</p>

<p><img src="/assets/images/CTF-Writeups/1__bHd__dpL1UqIB5G4MiKOTmg.jpeg" alt="" /></p>

<p>With the recovered master key, we decrypt the credential file and find the username steph.cooper_adm and its password, which is the information we were after.</p>

<p><img src="/assets/images/CTF-Writeups/1__gVqh0vRCaDVIzMBcztDq9w.jpeg" alt="" /></p>

<p>When we log in over WinRM with steph.cooper_adm, we obtain the root flag.</p>

<p><img src="/assets/images/CTF-Writeups/1__UFUzWITKtWk7hxMDjUsQhw.jpeg" alt="" /></p>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[Hello everyone, in this writeup I will explain the solution for the HackTheBox machine Puppy. Puppy is a medium-level Windows machine.]]></summary></entry><entry><title type="html">HTB — Environment Writeup</title><link href="https://aycagl.com/ctf%20writeups/HTB-Environment-Writeup-fb13a49cb24a/" rel="alternate" type="text/html" title="HTB — Environment Writeup" /><published>2025-10-03T12:52:49+00:00</published><updated>2025-10-03T12:52:49+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Environment-Writeup-fb13a49cb24a</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Environment-Writeup-fb13a49cb24a/"><![CDATA[<p>Hello everyone, in this writeup I am presenting the solution for the HackTheBox machine Environment. Environment is a medium-level Linux machine.</p>

<p>Enjoy reading!</p>

<p>First, nmap scan was run for the given IP address.</p>

<p><img src="/assets/images/CTF-Writeups/1__zdUCFqRu0KzUHzriaMck9g.jpeg" alt="" /></p>

<p>According to the nmap results, 2 ports were open: 22 (SSH) and 80 (HTTP). Since anonymous login was not allowed on SSH, the decision was to proceed over port 80. When visiting the website on port 80, the page could not be reached. First, it was necessary to add the related IP and domain to the /etc/hosts file.</p>

<p><img src="/assets/images/CTF-Writeups/1__tfgGKxVOBBzTQSEH4It__3A.jpeg" alt="" /></p>

<p>After that, the website was accessed. No useful information was found on the site.</p>

<p><img src="/assets/images/CTF-Writeups/1__sClzPgzxq7eE0kq__jaNlig.jpeg" alt="" /></p>

<p>A directory scan was performed for the website using the gobuster tool.</p>

<p><img src="/assets/images/CTF-Writeups/1__HSkr47ezAod4w0461AzVmQ.jpeg" alt="" /></p>

<p>To find different results for subdirectories, a scan was also performed with the ffuf tool. From the results, the login and up directories were identified as not accessible externally.</p>

<p><img src="/assets/images/CTF-Writeups/1__Y5KHif7E7ii8p7t2tS28Zw.jpeg" alt="" /></p>

<p>On the login page, a login portal was found.</p>

<p><img src="/assets/images/CTF-Writeups/1__g7nM6EZkpC__rzpRtriFy9g.jpeg" alt="" /></p>

<p>Using Burp Suite, the part where the credentials are entered was tested for manipulation. As a result, it was discovered that the area with the “Remember Me?” button could be manipulated. When an input different from what the Laravel framework expects (a single quote) was sent, the application returned a different response. In this test, which focused on Laravel’s input validation and session management, it was observed that some invalid inputs caused different HTTP responses from the application. This suggested a potential weakness in input validation or error handling.</p>

<p><img src="/assets/images/CTF-Writeups/1__ON1iUTZ0egZNKJWL__C56Aw.jpeg" alt="" /></p>

<p>In the response from Burp Suite, the phrase “Login directly as me in /dev/local/preprod envs” appeared. In this case, if the system is in the preprod environment (APP_ENV=preprod), login checks are bypassed and it logs directly in as the related user.</p>

<p>To exploit this issue, a POST request was sent to the /login page. The POST request was intercepted with Burp Suite. Cookie values (XSRF-TOKEN and laravel_session) taken from the page’s DevTools were added to the POST request. The goal was to log in using the correct cookies.</p>

<p><img src="/assets/images/CTF-Writeups/1__53SDWAhLUrxQ__7cQI3uvig.jpeg" alt="" />
<img src="/assets/images/CTF-Writeups/1__uAynjDOUUwGQWpcgaIJv6w.jpeg" alt="" /></p>

<p>The string “?--env=preprod” was added to the POST request and the request was sent. According to the response, access to the “/management/dashboard” page was obtained.</p>

<p><img src="/assets/images/CTF-Writeups/1__vEJQkkv6LaKe6jFPg5fH8Q.jpeg" alt="" /></p>

<p>The page was accessed as user “Hish.” In the “Profile” section, it was seen that the user picture could be changed. It was thought that a malicious file could be uploaded here to get a shell.</p>

<p><img src="/assets/images/CTF-Writeups/1__SmksVuuEXT__3f99ER4yepA.jpeg" alt="" /></p>

<p>After testing, a file with the extension “shell.php.” (a trailing dot after .php) was accepted by the system. The system does not allow files with a plain .php extension, but it allows names ending in “.php.”. A reverse shell was placed inside the uploaded file, and the cookie and token values were replaced with the current ones.</p>

<p><img src="/assets/images/CTF-Writeups/1__07pVUFCdzjBv68W4xhYQuQ.jpeg" alt="" /></p>

<p>A netcat listener was opened on the attacker machine. When the request was sent, a shell was received.</p>

<p><img src="/assets/images/CTF-Writeups/1__EitxL__LO5sHycLMsx0KbTg.jpeg" alt="" /></p>

<p>The user flag was obtained at “/home/hish/user.txt”.</p>

<p><img src="/assets/images/CTF-Writeups/1__ZqV__bd__PIUpG1AWJ4QefGQ.jpeg" alt="" /></p>

<h3 id="root-flag">Root Flag</h3>

<p>To use a proper terminal inside the system, the following command was run:</p>

<p><em>python3 -c 'import pty; pty.spawn("/bin/bash")'</em></p>

<p>While exploring the system, a zipped file under /tmp caught attention. After unzipping, the files included keys that could be used to decrypt GPG-protected data.</p>

<p><img src="/assets/images/CTF-Writeups/1__3porAEd3hrRKDqtDtJffig.jpeg" alt="" /></p>

<p>The GNUPGHOME environment variable was set to /tmp/.gnupg, so that gpg uses the keyring under /tmp instead of the user’s own, and the discovered file /home/hish/backup/keyvault.gpg was decrypted.</p>

<p>As a result, sensitive passwords for the user were obtained.</p>

<p><img src="/assets/images/CTF-Writeups/1__dWb____c7e60TB4PyogNoe5Q.jpeg" alt="" /></p>

<p>With the obtained password, a switch to user Hish was made. Using the “sudo -l” command, it was discovered which commands the user could run without a password or with elevated privileges. According to the output, the user could run the script “/usr/bin/systeminfo” with sudo privileges.</p>

<p><img src="/assets/images/CTF-Writeups/1__S__JUMLofdnol7__Ri__O0l2g.jpeg" alt="" /></p>

<p>Inside /usr/bin/systeminfo, various commands were found.</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/usr/bin/systeminfo: Bourne-Again shell script, ASCII text executable
hish@environment:/tmp$ cat /usr/bin/systeminfo
#!/bin/bash
echo -e "\n### Displaying kernel ring buffer logs (dmesg) ###"
dmesg | tail -n 10
echo -e "\n### Checking system-wide open ports ###"
ss -antlp
echo -e "\n### Displaying information about all mounted filesystems ###"
mount | column -t
echo -e "\n### Checking system resource limits ###"
ulimit -a
echo -e "\n### Displaying loaded kernel modules ###"
lsmod | head -n 10
echo -e "\n### Checking disk usage for all filesystems ###"
df -h
</code></pre></div></div>

<p>Privilege escalation was achieved by abusing this bash script that Hish could run with sudo. An “exploit.sh” file that spawns a bash shell was created inside /tmp, the BASH_ENV variable was set to point to this file, and then the sudo-allowed script was executed. Because bash reads the file named by BASH_ENV whenever it starts non-interactively to run a script, the script run by sudo sourced exploit.sh as root and a root shell was obtained.</p>

<p><img src="/assets/images/CTF-Writeups/1__XQOvwbR7rLWQ__tRheG0MQg.jpeg" alt="" /></p>
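<p>Added example, not the box’s systeminfo script or the exploit.sh used above: it shows that a non-interactive bash run sources the file named by BASH_ENV, and that the scrubbed environment sudo’s default env_reset gives a command stops it; every path is a constructed temporary file and the startup file only drops a marker.</p>

```shell
#!/bin/sh
# Added example, not the box's /usr/bin/systeminfo or the author's exploit.sh.
# All files live in a throwaway directory that is removed on exit.

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Stand-in for the sudo-allowed script: an ordinary non-interactive bash script.
cat >"$work/systeminfo" <<'EOF'
#!/bin/bash
echo -e "\n### Checking system resource limits ###"
ulimit -a >/dev/null
EOF

# Stand-in for exploit.sh: instead of spawning a shell it records the uid it
# ran as in a marker next to itself, so whether it was sourced is observable.
cat >"$work/startup.sh" <<'EOF'
id -u >"$(dirname "$BASH_ENV")/sourced-by-uid"
EOF

# Runs the script with BASH_ENV present in its environment, the situation the
# escalation above relies on. Prints "sourced" or "clean".
run_with_bash_env_preserved() {
    rm -f "$work/sourced-by-uid"
    BASH_ENV="$work/startup.sh" bash "$work/systeminfo" >/dev/null
    if [ -e "$work/sourced-by-uid" ]; then echo sourced; else echo clean; fi
}

# Same script, launched with an environment that carries only PATH, which is
# what a sudoers rule under the default env_reset hands to the command.
run_with_env_reset() {
    rm -f "$work/sourced-by-uid"
    BASH_ENV="$work/startup.sh" env -i PATH="$PATH" bash "$work/systeminfo" >/dev/null
    if [ -e "$work/sourced-by-uid" ]; then echo sourced; else echo clean; fi
}
```

The escalation therefore depends on the sudo configuration letting BASH_ENV through (for example via env_keep); the env_reset and env_keep settings in effect are printed by `sudo -l`, which is the first thing to check when a sudo rule allows a bash script.
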

<p>The root flag was obtained at “/root/root.txt”.</p>

<p><img src="/assets/images/CTF-Writeups/1__PGQ__RhYf4ob46sX3GtNxjg.jpeg" alt="" /></p>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[Hello everyone, in this writeup I am presenting the solution for the HackTheBox machine Environment. Environment is a medium level Linux machine.]]></summary></entry><entry><title type="html">HTB — Paper Writeup</title><link href="https://aycagl.com/ctf%20writeups/HTB-Paper-Writeup-ae1ea61c2da8/" rel="alternate" type="text/html" title="HTB — Paper Writeup" /><published>2025-10-03T12:50:28+00:00</published><updated>2025-10-03T12:50:28+00:00</updated><id>https://aycagl.com/ctf%20writeups/HTB---Paper-Writeup-ae1ea61c2da8</id><content type="html" xml:base="https://aycagl.com/ctf%20writeups/HTB-Paper-Writeup-ae1ea61c2da8/"><![CDATA[<p>In this article, I am writing the solution for the Paper machine in HackTheBox.</p>

<p>Enjoy reading!</p>

<p>We start with an Nmap scan. The results show three open ports: 22, 80 and 443.</p>

<p><img src="/assets/images/CTF-Writeups/1__YJ4Oj__ewgvO__gEDWZPly1Q.jpeg" alt="" /></p>

<p>Since we don’t have any credentials, we skip SSH for now. Visiting the website, we see the default HTTP server test page. The same page is served on both 80 and 443.</p>

<p><img src="/assets/images/CTF-Writeups/1__SFST__qhULc9HSL0s99bq4A.jpeg" alt="" /></p>

<p>Checking whether Apache 2.4.37 has anything exploitable doesn’t yield anything useful. Inspecting requests in BurpSuite, we notice an unusual header: <code class="language-plaintext highlighter-rouge">X-Backend-Server</code>. This indicates information leakage about the system.</p>

<p><img src="/assets/images/CTF-Writeups/1__g7uRq__ZA3EXdda4RcRVSAg.jpeg" alt="" /></p>

<p>We add the value “office.paper” from that header to <code class="language-plaintext highlighter-rouge">/etc/hosts</code>. After revisiting the site, we land on a paper company’s page.</p>

<p><img src="/assets/images/CTF-Writeups/1__JtAJOdTr8jjIiNYrBBjVEg.jpeg" alt="" /></p>

<p>Reviewing the site, under the “Feeling Alone!” post we find a comment by user “nick” mentioning there is secret content in drafts. This tells us we should look for some kind of draft.</p>

<p><img src="/assets/images/CTF-Writeups/1__VGLQzsSJjMvLJWzidJdCGw.jpeg" alt="" /></p>

<p>Running Gobuster for directory enumeration, we discover a useful path: <code class="language-plaintext highlighter-rouge">wp-admin</code>.</p>

<p><img src="/assets/images/CTF-Writeups/1__p____MPrZxYNkf7SCHAj0fZA.jpeg" alt="" /></p>

<p>This confirms the target is running WordPress.</p>

<p><img src="/assets/images/CTF-Writeups/1__sZ4SQqBo1L0r1RMzLvAAzg.jpeg" alt="" /></p>

<p>Because WordPress often exposes vulnerabilities, we first run WPScan to fingerprint it. The result shows WordPress version 5.2.3.</p>

<p><img src="/assets/images/CTF-Writeups/1__4HXfiOkSjJIurjMUaARVbg.jpeg" alt="" /></p>

<p>Researching online, we find an Exploit-DB entry affecting this version (CVE-2019-17671). Appending <code class="language-plaintext highlighter-rouge">?static=1</code> to a WordPress URL reveals hidden content on the page, exactly what the earlier comment suggested about draft “secret content.”</p>

<p><img src="/assets/images/CTF-Writeups/1__wJI3EhCVSLKMrmGs1sltZQ.jpeg" alt="" /></p>

<p>From the hidden content, we obtain a secret registration URL.</p>

<p><img src="/assets/images/CTF-Writeups/1__IbvzZRNxdhkgztraQ__SyFA.jpeg" alt="" /></p>

<p>Before visiting the URL, we also add “chat.office.paper” to <code class="language-plaintext highlighter-rouge">/etc/hosts</code>. When we browse to the URL, we’re presented with RocketChat. We register using random information.</p>

<p><img src="/assets/images/CTF-Writeups/1__TjOh0iFrZeusjJZ98GqQUA.jpeg" alt="" /></p>

<p>Once inside, after poking around the chat a bit, we find conversations under <code class="language-plaintext highlighter-rouge">#general</code>. There we see a bot named “recyclops” in service.</p>

<p><img src="/assets/images/CTF-Writeups/1__zfiU9o09Z6DUKc4ruV__xxQ.jpeg" alt="" /></p>

<p>The recyclops bot works by listing and reading content. While exploring user <code class="language-plaintext highlighter-rouge">dwight</code>’s directories, a folder named <code class="language-plaintext highlighter-rouge">hubot</code> catches our attention.</p>

<p><img src="/assets/images/CTF-Writeups/1__mH0PPXjKNGIHTnKc__1__MlQ.jpeg" alt="" /></p>

<p>Browsing that directory, <code class="language-plaintext highlighter-rouge">.env</code> stands out as a potential source of environment secrets.</p>

<p><img src="/assets/images/CTF-Writeups/1__EAtmYZagbrFVaX0M__B3QKw.jpeg" alt="" /></p>

<p>Inside <code class="language-plaintext highlighter-rouge">/dwight/hubot/.env</code> we find a password. We try password reuse over SSH.</p>

<p><img src="/assets/images/CTF-Writeups/1__ShTwMy1FVeYXarlt9or3eg.jpeg" alt="" /></p>

<p>Logging in via SSH as user <code class="language-plaintext highlighter-rouge">dwight</code> succeeds. From there, we obtain <code class="language-plaintext highlighter-rouge">user.txt</code>.</p>

<p><img src="/assets/images/CTF-Writeups/1__qRRiNnOKuBcrorCP9Rtmgg.jpeg" alt="" /></p>

<p><strong>PRIVILEGE ESCALATION</strong></p>

<p>To escalate privileges, we first check for binaries we can run with sudo. Since user <code class="language-plaintext highlighter-rouge">dwight</code> has no sudo rights, we get nowhere with that. At this stage, we pivot to LinPEAS to hunt for local privilege escalation opportunities.</p>

<p>We spin up a simple Python HTTP server on our machine and have the target download <code class="language-plaintext highlighter-rouge">linpeas.sh</code>. We then run <code class="language-plaintext highlighter-rouge">./linpeas.sh</code>. The most striking finding is a direct hit: the system appears vulnerable to CVE-2021-3560.</p>

<p><img src="/assets/images/CTF-Writeups/1__idArs6T7NJF4PPZXqGgPvA.jpeg" alt="" /></p>

<p>Looking into it, the issue is due to a vulnerable Polkit version. In short, Polkit is an authorization framework on Linux that decides whether unprivileged users may perform certain administrative actions. It’s similar in purpose to sudo but operates differently.</p>

<p><img src="/assets/images/CTF-Writeups/1__oIOQWitHBsaQJvGgEq1bWg.jpeg" alt="" /></p>

<p>Consulting the exploit on Exploit-DB, we see that the script abuses the timing bug in CVE-2021-3560 to create an administrator account over DBus without proper authentication, sets its password and effectively gives the attacker root privileges. After running the exploit on the system, we observe a new user “hacked” (username: <code class="language-plaintext highlighter-rouge">hacked</code>, password: <code class="language-plaintext highlighter-rouge">password</code>).</p>

<p><img src="/assets/images/CTF-Writeups/1__lAxPUymfF7wEVHlJzHZTtw.jpeg" alt="" /></p>

<p>From user <code class="language-plaintext highlighter-rouge">hacked</code>, we run <code class="language-plaintext highlighter-rouge">sudo su</code> to switch to root and capture the root flag.</p>

<p><img src="/assets/images/CTF-Writeups/1__CH1BsFWqES1tochKoYLnAw.jpeg" alt="" /></p>]]></content><author><name>Ayça GÜL</name></author><category term="CTF Writeups" /><category term="CTF Writeups" /><category term="HackTheBox" /><summary type="html"><![CDATA[In this article, I am writing the solution for the Paper machine in HackTheBox.]]></summary></entry><entry><title type="html">XWorm Malware Technical Analysis Report</title><link href="https://aycagl.com/malware%20analysis/XWorm-Malware-Teknik-Analiz-Raporu-97204262733c/" rel="alternate" type="text/html" title="XWorm Malware Technical Analysis Report" /><published>2024-09-23T14:23:06+00:00</published><updated>2024-09-23T14:23:06+00:00</updated><id>https://aycagl.com/malware%20analysis/XWorm-Malware-Teknik-Analiz-Raporu-97204262733c</id><content type="html" xml:base="https://aycagl.com/malware%20analysis/XWorm-Malware-Teknik-Analiz-Raporu-97204262733c/"><![CDATA[<p>XWorm is a Remote Access Trojan (RAT) distributed as malware-as-a-service (MaaS). It was first seen in July 2022. Its functions include collecting hardware information such as GPU, CPU and RAM from the infected system, sending the collected information to the command and control address, turning the system into a bot for use in Distributed Denial of Service (DDoS) attacks, and monitoring user activity.</p>

<p>The origin and targets of the XWorm malware vary with the purpose of the attack and the motivations of the actors behind it. Banking and finance sectors are targeted for financial gain, while government institutions are attacked for espionage. Attacks may be country-specific or independent of country, and are carried out through servers or botnet networks in different countries. Attacks are mostly carried out from Russia, China and North Korea.</p>

<p>XWorm stands out as a multi-stage threat that usually infiltrates systems through phishing attacks. After settling into the system, it uses various methods to hide itself and keep running. It uses PowerShell commands to bypass defense mechanisms, and collects system information and user data. This data is exfiltrated, and infected devices are turned into remotely controlled bots used for DDoS attacks and other malicious activities.</p>

<p>The findings obtained from the XWorm sample examined in the malware analysis lab are given below.</p>

<h4 id="yürütme">Execution</h4>

<p>The XWorm sample creates a payload file named “Microsoft Edge.exe” on the infected system and adds malicious code into it. The file has no other function; it is a copy of the malware created under that name to avoid detection.</p>

<h4 id="kalıcılık">Persistence</h4>

<p>To gain persistence on the infected system, XWorm creates a scheduled task. If it has administrator rights, it creates a task that runs every minute (/sc minute /mo 1) with the highest privileges (/RL HIGHEST).</p>

<p><img src="/assets/images/CTF-Writeups/1__PSR6EoKIowiTwUOZibT__oA.png" alt="" /></p>

<p>When the malware is executed, the results are examined with Sysmon and the scheduled task created on the system is observed dynamically.</p>

<p><img src="/assets/images/CTF-Writeups/1__nYd8YEy77dmOsRyExMlfLg.png" alt="" /></p>

<p>The malware adds itself to the “Run” key in the Windows registry, so that it is started automatically every time the system boots. With the .lnk shortcut file it creates in the Startup folder, the software is started automatically every time the user logs on, which provides persistence.</p>

<p><img src="/assets/images/CTF-Writeups/1__F2wLtvzj6nC0nT__EG6m91Q.png" alt="" /></p>

<p>PowerShell is started in a way that hides it from the user. With ExecutionPolicy Bypass, the restriction on running scripts is removed and the malicious commands are executed. The malware is excluded from Windows Defender scans. The aim here is for the malware to hide itself and avoid detection.</p>

<p><img src="/assets/images/CTF-Writeups/1__gnUnOnSAJ0p__u7wUro1gkw.png" alt="" /></p>
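<p>Added example, not part of the original report: a triage filter over constructed process-creation records (Sysmon Event ID 1 exported one event per line) keyed on the scheduled-task and PowerShell behaviour described above. The task name, the paths and the Add-MpPreference exclusion command are assumptions standing in for the sample’s command lines, which the report does not reproduce.</p>

```shell
#!/bin/sh
# Added example, not from the report: flags process-creation records that
# show the persistence and evasion behaviour described above.

# Constructed sample records (one Sysmon process-creation event per line).
# Task name, paths, script names and the Defender exclusion command are made up.
SAMPLE_EVENTS='CommandLine: schtasks /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
CommandLine: powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\user\AppData\Local\Temp\stage.ps1
CommandLine: powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"
CommandLine: schtasks /query /fo LIST /v
CommandLine: powershell -File C:\Scripts\backup.ps1'

# Prints the behaviour tags that match one record (empty when none match).
# Each pattern is one behaviour from the report; a /query or a signed
# deployment script matches none of them.
classify_event() {                 # $1 = one record
    tags=""
    printf '%s' "$1" | grep -Eiq 'schtasks(\.exe)? .*/create.*/sc +minute +/mo +1' \
        && tags="$tags minute-task"
    printf '%s' "$1" | grep -Eiq 'schtasks(\.exe)? .*/create.*/RL +HIGHEST' \
        && tags="$tags highest-runlevel"
    printf '%s' "$1" | grep -Eiq 'powershell(\.exe)? .*-ExecutionPolicy +Bypass' \
        && tags="$tags exec-policy-bypass"
    printf '%s' "$1" | grep -Eiq 'Add-MpPreference .*-Exclusion' \
        && tags="$tags defender-exclusion"
    printf '%s\n' "${tags# }"
}

# Prints "<tags>: <record>" for every record that matched at least one tag.
triage_events() {                  # $1 = newline-separated records
    printf '%s\n' "$1" | while IFS= read -r line; do
        t=$(classify_event "$line")
        if [ -n "$t" ]; then
            printf '%s: %s\n' "$t" "$line"
        fi
    done
}

# Number of flagged records, useful as a threshold for an alert.
count_flagged() {                  # $1 = newline-separated records
    triage_events "$1" | grep -c . || true
}
```
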

<h4 id="keşif">Discovery</h4>

<p>XWorm obtains detailed information about the system by collecting the processor count, username, machine name and hardware details. It obtains information such as the user’s last activity and how long the user has been active, and runs its anti-sleep function so that it can carry out its malicious activities without interruption.</p>

<p><img src="/assets/images/CTF-Writeups/1__ph8q__qTYRrISZoq31UsnOw.png" alt="" /></p>

<p>Using the “avicap32.dll” library, a video capture window is created and driver information is obtained. The malware checks whether a camera is connected to the computer and captures images through the camera.</p>

<p><img src="/assets/images/CTF-Writeups/1__kwda__4W34Kt__BqozsbfCWg.png" alt="" /></p>

<h4 id="komuta-kontrol">Command and Control</h4>

<p>XWorm reaches the C2 address and downloads malicious commands. The malware’s command and control address was determined to be in Russia.</p>

<p><img src="/assets/images/CTF-Writeups/1__vMgofg8bBPBarqRX2aBQEg.png" alt="" />
<img src="/assets/images/CTF-Writeups/1__dPKNkaKyvOYVCIjJNTQDUg.png" alt="" /></p>

<p>The malware collects the username, OS, USB, CPU, GPU and RAM information from the infected computer. It sends the collected information to a Telegram channel through a Telegram bot. The Telegram channel was determined to be in the United Kingdom. Using the information sent, the targets are turned into bots and used for DDoS attacks.</p>

<p><img src="/assets/images/CTF-Writeups/1__js9bmxJDshnQ__JZ9rIZEOA.png" alt="" /></p>

<p>The part where the malware carries out its main functions is where the machine is turned into a bot for DDoS attacks. A backdoor function is seen that carries out instructions received from a central command server to perform malicious activities. The computer is turned into a bot and made to perform functions such as DDoS attacks, file download, command execution and system control.</p>

<p><img src="/assets/images/CTF-Writeups/1__XakeUvv5Jj0qglt4jOt8__g.png" alt="" /></p>

<h4 id="sonuç">CONCLUSION</h4>

<p>XWorm’s main attack vector is malicious documents sent to users via phishing e-mails and the macros loaded through these documents. These macros run PowerShell scripts that install the malware on the system and make it persistent there.</p>

<p>XWorm V5.6 stands out as a dangerous piece of malware that uses advanced persistence and evasion methods to continue its malicious activities on the systems it infects. Bypassing defense mechanisms with PowerShell commands and disabling security software such as Windows Defender, XWorm forwards the system information and user data it obtains to C2 servers, turns infected systems into bots and uses them in DDoS attacks. Detecting and eliminating this type of malware has become an important priority for security operations centers.</p>

<h4 id="mitre-attckmatrix">MITRE ATT&amp;CK Matrix</h4>

<p><img src="/assets/images/CTF-Writeups/1__jDjBbvqqLFu0i51W07kczg.png" alt="" /></p>

<h4 id="ioc">IoC</h4>

<p><em>SHA 256</em> -&gt; XClient.exe : 8ca7c43f383d3214f469a18fcc30436f472f9bd3d9b6134aea5d61a523665659</p>

<h4 id="domain-bilgileri">Domain Information</h4>

<ul>
  <li>pastebin.com</li>
  <li>pastebin.com/raw/zs3YKzJ3</li>
  <li>qsjksd-22439.portmap.host</li>
  <li>api.telegram.org/bot</li>
  <li>MyApplication.org</li>
</ul>

<h4 id="ip-adresleri">IP Addresses</h4>

<ul>
  <li>192.161.193.99</li>
  <li>149.154.167.220</li>
</ul>

<h4 id="dropper-dosyaları">Dropper Files</h4>

<ul>
  <li>C:\Users\admin\Downloads\buidl.exe</li>
  <li>C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk</li>
</ul>

<h4 id="deobfuscator"><a href="https://github.com/aycagl/Deobfuscator">Deobfuscator</a></h4>

<div class="language-csharp highlighter-rouge"><div class="highlight"><pre class="highlight"><code>using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

namespace ConsoleApp1
{
    internal class Deobfuscator
    {
        // Decrypts the given obfuscated string with the sample's key schedule and Rijndael (AES) in ECB mode
        public static string DecryptString(string encryptedString, string key)
        {
            using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
            using (MD5CryptoServiceProvider md5CryptoServiceProvider = new MD5CryptoServiceProvider())
            {
                // Hash the static key with MD5 to derive the 32-byte decryption key
                byte[] keyArray = new byte[32];
                byte[] hashArray = md5CryptoServiceProvider.ComputeHash(Encoding.UTF8.GetBytes(key));

                // Copy the 16-byte digest into the first half of the key array
                Array.Copy(hashArray, 0, keyArray, 0, 16);
                // Copy it again starting at offset 15 (overlapping by one byte; the last key byte stays 0).
                // This mirrors the key derivation used by the sample and must not be "corrected".
                Array.Copy(hashArray, 0, keyArray, 15, 16);

                // Set the Rijndael key and mode to ECB
                rijndaelManaged.Key = keyArray;
                rijndaelManaged.Mode = CipherMode.ECB;

                // Create a decryptor with the derived key
                ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor();

                // Convert the Base64 encrypted string into bytes and decrypt it
                byte[] encryptedBytes = Convert.FromBase64String(encryptedString);
                byte[] decryptedBytes = decryptor.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);

                return Encoding.UTF8.GetString(decryptedBytes);
            }
        }

        // Extracts the value assigned to a specific static field anywhere in the module
        static string GetFieldValue(ModuleDefMD module, string fieldName)
        {
            foreach (TypeDef type in module.Types)
            {
                foreach (MethodDef method in type.Methods)
                {
                    if (!method.HasBody) continue; // Skip methods without a body
                    // Start at 1 because the assigned value is loaded by the instruction before the store
                    for (int i = 1; i &lt; method.Body.Instructions.Count; i++)
                    {
                        // Find the Stsfld opcode (stores a static field) and check the field name
                        if (method.Body.Instructions[i].OpCode == OpCodes.Stsfld &amp;&amp;
                            method.Body.Instructions[i].Operand.ToString() == fieldName)
                        {
                            // The previous instruction holds the value being assigned to the field
                            return method.Body.Instructions[i - 1].Operand.ToString();
                        }
                    }
                }
            }
            return string.Empty;
        }

        // Decrypts every obfuscated string and patches the plaintext literal into the IL
        static void ReplaceEncryptedStrings(ModuleDefMD module, string key)
        {
            // Loop through all types in the module
            foreach (TypeDef type in module.Types)
            {
                if (!type.HasMethods) continue; // Skip types without methods

                // Loop through all methods of the type
                foreach (MethodDef method in type.Methods)
                {
                    if (!method.HasBody) continue;
                    // Start at 1 because the encrypted field is loaded by the instruction before the call
                    for (int i = 1; i &lt; method.Body.Instructions.Count; i++)
                    {
                        if (method.Body.Instructions[i].OpCode == OpCodes.Call)
                        {
                            string functionName = method.Body.Instructions[i].Operand.ToString();

                            // Look for the obfuscated decryption function (names taken from this sample)
                            if (functionName.Contains("Sf3ygLwXizFpQcdEafah6RmRmvi94yTN3n3UpcJF") ||
                                functionName.Contains("rcGLP28muXxfBxK3uFwoeAtSCKBUh59TpsFfzA1jtrEEczzNWbt7mki"))
                            {
                                // The previous instruction loads the static field holding the encrypted string
                                string fieldValue = method.Body.Instructions[i - 1].Operand.ToString();
                                Console.WriteLine(fieldValue);

                                // Resolve the field's Base64 value and decrypt it
                                string decryptedString = DecryptString(GetFieldValue(module, fieldValue), key);

                                // Patch the IL: the field load becomes a nop and the call becomes an ldstr of the plaintext
                                method.Body.Instructions[i - 1].OpCode = OpCodes.Nop;
                                method.Body.Instructions[i].OpCode = OpCodes.Ldstr;
                                method.Body.Instructions[i].Operand = decryptedString;
                            }
                        }
                    }
                }
            }
        }

        static void Main(string[] args)
        {
            string filePath = @"C:\Users\aycagl\Desktop\buidl.exe";
            string key = "N0BNPIHTRtK9oiyP";

            ModuleDefMD module = ModuleDefMD.Load(filePath);

            ReplaceEncryptedStrings(module, key);

            // Write the deobfuscated assembly to a new file
            module.Write(@"C:\Users\aycagl\Desktop\clean.exe");

            Console.WriteLine("Deobfuscation completed.");
            Console.ReadKey();
        }
    }
}
</code></pre></div></div>

<h4 id="yara-kuralları"><a href="https://github.com/aycagl/YARA-Rules/blob/main/Xworm/xworm.yar">YARA Rules</a></h4>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rule Suspicious_Persistence_Indicators
{
    meta:
        description = "Detects suspicious persistence mechanisms via registry, shortcuts, and scripts"
        author = "aycagl - Ayca Gul"
        date = "2024-08-15"
        reference = "XWorm V5.6"

    strings:
        $scheduled = "schtasks.exe" fullword wide
        $task_highest = "/create /f /RL HIGHEST /sc minute /mo 1 /tn \"" fullword wide
        $task_basic = "/create /f /sc minute /mo 1 /tn \"" fullword wide
        $registry_run = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
        $wscript_shell = "WScript.Shell" fullword wide
        $create_shortcut = "CreateShortcut" fullword wide
        $target_path = "TargetPath" fullword wide
        $working_directory = "WorkingDirectory" fullword wide

    condition:
        6 of them
}
</code></pre></div></div>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rule XWorm_Indicators
{
    meta:
        description = "Detects the XWorm malware's send_infos method that sends system information via a Telegram bot"
        author = "aycagl - Ayca Gul"
        date = "2024-08-15"
        reference = "XWorm V5.6"

    strings:
        $xworm_version = "XWorm V" fullword wide
        $new_client = "New Clinet :" fullword wide
        $username = "UserName :" fullword wide
        $os_fullname = "OSFullName :" fullword wide
        $usb = "USB :" fullword wide
        $cpu = "CPU :" fullword wide
        $gpu = "GPU :" fullword wide
        $ram = "RAM :" fullword wide
        $group = "Groub :" fullword wide
        $telegram_api = "https://api.telegram.org/bot" fullword wide
        $send_message = "/sendMessage?chat_id=" fullword wide
        $webclient_function = {00735600000A0C08026F5700000A0ADE2D}

    condition:
        6 of them
}
</code></pre></div></div>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rule Malware_Information_Queries
{
    meta:
        description = "Detects malware performing system information queries and persistence setup."
        author = "aycagl - Ayca Gul"
        date = "2024-08-15"
        reference = "XWorm V5.6"

    strings:
        $query_antivirus = "\\root\\SecurityCenter2" fullword wide
        $query_antivirus_product = "Select * from AntivirusProduct" fullword wide
        $query_display_name = "displayName" fullword wide
        $query_video_controller = "SELECT * FROM Win32_VideoController" fullword wide
        $query_processor = "Win32_Processor.deviceid" fullword wide

    condition:
        4 of them
}
</code></pre></div></div>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>rule Malware_Command_Detection
{
    meta:
        description = "Detects specific malware command and function strings"
        author = "aycagl - Ayca Gul"
        date = "2024-08-15"
        reference = "XWorm V5.6"

    strings:
        $s1 = "pong" fullword wide
        $s2 = "CLOSE" fullword wide
        $s3 = "uninstall" fullword wide
        $s4 = "update" fullword wide
        $s5 = "Urlopen" fullword wide
        $s6 = "Urlhide" fullword wide
        $s7 = "PCShutdown" fullword wide
        $s8 = "shutdown.exe /f /s /t 0" fullword wide
        $s9 = "PCRestart" fullword wide
        $s10 = "shutdown.exe /f /r /t 0" fullword wide
        $s11 = "PCLogoff" fullword wide
        $s12 = "shutdown.exe -L" fullword wide
        $s13 = "RunShell" fullword wide
        $s14 = "StartDDos" fullword wide
        $s15 = "StopDDos" fullword wide
        $s16 = "StartReport" fullword wide
        $s17 = "StopReport" fullword wide
        $s18 = "Xchat" fullword wide
        $s19 = "Hosts" fullword wide
        $s20 = "\\drivers\\etc\\hosts" fullword wide
        $s21 = "Shosts" fullword wide
        $s22 = "HostsMSG" fullword wide
        $s23 = "Modified successfully!" fullword wide
        $s24 = "HostsErr" fullword wide
        $s25 = "DDos" fullword wide
        $s26 = "plugin" fullword wide
        $s27 = "sendPlugin" fullword wide
        $s28 = "savePlugin" fullword wide
        $s29 = "RemovePlugins" fullword wide
        $s30 = "Plugins Removed!" fullword wide
        $s31 = "OfflineGet" fullword wide
        $s32 = "OfflineKeylogger Not Enabled" fullword wide
        $s33 = "Plugin" fullword wide
        $s34 = "Invoke" fullword wide
        $s35 = "RunRecovery" fullword wide
        $s36 = "Recovery" fullword wide

    condition:
        15 of ($s*)
}
</code></pre></div></div>]]></content><author><name>Ayça GÜL</name></author><category term="Malware Analysis" /><category term="Malware Analysis" /><summary type="html"><![CDATA[XWorm is a Remote Access Trojan (RAT) distributed as malware-as-a-service (MaaS). It was first seen in July 2022. It has various functions, such as collecting hardware information (GPU, CPU, RAM, etc.) from the infected system, forwarding the collected information to the command-and-control address, turning the system into a bot for use in Distributed Denial of Service (DDoS) attacks, and monitoring user activity.]]></summary></entry><entry><title type="html">Industrial Control Systems Attack and Security Measures</title><link href="https://aycagl.com/cyber%20security/Industrial-Control-Systems-Attack-and-Security-Measures-4275796c300d/" rel="alternate" type="text/html" title="Industrial Control Systems Attack and Security Measures" /><published>2024-06-23T16:06:25+00:00</published><updated>2024-06-23T16:06:25+00:00</updated><id>https://aycagl.com/cyber%20security/Industrial-Control-Systems-Attack-and-Security-Measures-4275796c300d</id><content type="html" xml:base="https://aycagl.com/cyber%20security/Industrial-Control-Systems-Attack-and-Security-Measures-4275796c300d/"><![CDATA[<h3 id="1-what-are-industrial-controlsystems">1. What Are Industrial Control Systems?</h3>

<p>Industrial control systems (ICS) are systems that provide control over critical infrastructures and industrial systems. The management and control of water, energy, transportation, transmission, and other critical services are provided by ICS systems <em>[1]</em>.</p>

<p>ICS systems mainly consist of Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC) components. SCADA performs the functions of automatic monitoring, control, and data collection of industrial systems. DCS includes systems used for the control of large industrial processes and consists of devices controlled from a central control room. PLCs are specialized computers used in industrial manufacturing and machinery control <em>[2]</em>.</p>

<p>ICS systems have widespread usage areas. Examples of major usage areas include power plants and energy distribution networks, oil and gas pipelines, water treatment facilities, and manufacturing plants.</p>

<h3 id="2-security-of-icssystems">2. Security of ICS Systems</h3>

<p>Since ICS systems include critical infrastructures, any problems within the systems can lead to serious dangers. For example, intentional or unintentional damage to dam or gas pipeline systems can endanger human health. Therefore, it is important to ensure the security of ICS systems both physically and in terms of software.</p>

<p>The first known large-scale attack on ICS systems is exemplified by Stuxnet. The Stuxnet malware, which targeted Iranian nuclear systems, disrupted the operations of nuclear facilities, resulting in serious consequences for Iran <em>[3]</em>.</p>

<p>External threats are the primary threats to ICS systems. Because industrial systems directly affect human life and health, they become targets for hacktivists and terrorists <em>[1]</em>. Such external threats can infiltrate ICS networks using ransomware, worms, and other malicious software, leading to data leaks or even rendering the systems inoperable.</p>

<p>Internal threats to industrial systems arise from employees or unauthorized persons within the ICS. If system access is not properly configured, a user with access to the system can reach unauthorized areas, steal data, or damage the system. Other threats to ICS systems include improperly configured system elements, errors by inexperienced employees, natural disasters, or accidents.</p>

<p>According to a report published by SANS <em>[4]</em>, the primary threat vectors to industrial systems are devices connected to the common network. With the proliferation of Internet of Things (IoT) systems in the industry, the security of these devices has also become important. The use of IoT devices in ICS systems often requires remote access. If patch management programs are not well-configured, IoT devices, which typically use commercial operating systems, leave ICS systems vulnerable to various exploits.</p>

<p>Other threat vectors include internal and external threats, malware families, industrial espionage, and similar elements. The potential threat elements to ICS systems in the industry are shown in <em>Figure 1</em>.</p>

<p><img src="/assets/images/CTF-Writeups/1__BprUDtVlb__KO3DqH__LRwPw.png" alt="" /></p>

<h3 id="3-ics-systems-threat-actors-aptgroups">3. ICS Systems Threat Actors: APT Groups</h3>

<p>Threats to ICS systems are mostly composed of state-sponsored APT groups. Based on the report prepared by MANDIANT <em>[5]</em>, information about some of these groups is provided below.</p>

<h4 id="apt39">APT39</h4>

<p>Also known as ITG07, Chafer, Remix Kitten. This Iran-supported APT group primarily operates in the Middle East, targeting the telecommunications, travel, and technology sectors. Their operations mostly involve monitoring, surveillance, and data theft.</p>

<p>In their attacks, they use a special variant of the POWBAT backdoor along with SEAWEED and CACHEMONEY backdoors. Initially, attackers infiltrate systems using spear-phishing techniques with malicious attachments or links resulting in POWBAT infections. They exploit web servers of the target organizations using web shell tools like ANTAK and ASPXSPY.</p>

<h4 id="apt35">APT35</h4>

<p>Also known as COBALT MIRAGE, Charming Kitten, G0059, Magic Hound, Mint SandStorm, Newscaster Team, Phosphorus, TunnelVision <em>[6]</em>. This Iran-supported cyber intelligence group targets regions including America, Europe, and the Middle East, focusing on telecommunications, media, energy, and government sectors.</p>

<p>Their initial activity to infiltrate target organizations involves sending spear-phishing emails. They are associated with malware such as ASPXSHELLSV, BROKEYOLK, PUPYRAT, DRUBOT, TUNNA, MANGOPUNCH, and HOUSEBLEND.</p>

<h4 id="apt34">APT34</h4>

<p>Also known as OilRig, Helix Kitten, IRN2. This Iran-supported group usually targets the Middle East, focusing on sectors like finance, energy, and telecommunications.</p>

<p>Their attacks involve malware such as TONEDEAF, VALUEVAULT, LONGWATCH, and PICKPOCKET. TONEDEAF is a backdoor that communicates with CnC addresses over HTTP or DNS and performs activities such as collecting system information, uploading files, and executing shell commands; “System.doc” and “ERFT-Details.xls” are the related endpoint indicators. VALUEVAULT is a Go-compiled version of the “Windows Vault Password Dumper” tool, which steals browser credentials, and is identified by the indicator “b.exe”. LONGWATCH is a keylogger that records its output in “log.txt” in the Windows temp directory and is associated with the indicator “WindowsNTProgram.exe”. PICKPOCKET targets browser credentials, with the indicators “PE86.dll” and “PE64.dll” <em>[7]</em>.</p>

<h4 id="apt33">APT33</h4>

<p>Also known as HOLMIUM, Elfin, Peach Sandstorm. This Iran-supported APT group targets the aerospace and energy sectors, being active in regions like Saudi Arabia, America, and South Korea, particularly focusing on petrochemical manufacturing organizations.</p>

<p>They use malware such as SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, and ALFA Shell. DROPSHOT, a dropper, connects to the wiper malware SHAPESHIFT. SHAPESHIFT can wipe disks, delete files, and perform other malicious activities on the system. Additionally, TURNEDUP backdoor can be dropped using DROPSHOT <em>[8]</em>.</p>

<p>The group uses spear-phishing emails containing malicious HTML application files (.hta) to infiltrate target organizations’ systems.</p>

<h4 id="apt31">APT31</h4>

<p>Also known as BRONZE VINEWOOD, JUDGMENT PANDA, Red Keres, TA412, Violet Typhoon, ZIRCONIUM, Zirconium <em>[6]</em>. This Chinese group targets various sectors, including government, international finance, aerospace, engineering, and communications. They focus on obtaining information that provides political, economic, and military advantages.</p>

<p>They use malware such as SOGU, LUCKYBIRD, SLOWGYRO, and DUCKFAT. They exploit vulnerabilities in applications like Java and Adobe Flash to infiltrate target organizations.</p>

<h4 id="apt10">APT10</h4>

<p>Also known as ATK41, BRONZE RIVERSIDE, CVNX, Cloud Hopper, G0045, Granite Taurus, HOGFISH, Menupass Team, POTASSIUM, Red Apollo, STONE PANDA, TA429, happyyongzi <em>[6]</em>. This Chinese APT group targets sectors including engineering, communications, and aerospace, as well as the governments of America, Europe, and Japan. They aim to obtain confidential company data to support Chinese organizations and military information to support the Chinese government.</p>

<p>They use malware such as HAYMAKER, SNUGRIDE, BUGJUICE, and QUASARRAT. They perform spear-phishing and network access attacks through various service providers. Spear-phishing emails include attachments with .lnk extensions, double file extensions (xxx_doc_.exe), and archive files containing malicious droppers.</p>

<h4 id="apt6">APT6</h4>

<p>This Chinese APT group targets sectors such as transportation, automotive, telecommunications, and electronics, focusing on the United Kingdom and America. They operate by stealing data.</p>

<p>They use malware such as BELUGA, EXCHAIN, and PUPTENT, and conduct attacks using various backdoor software also used by other APT groups.</p>

<h4 id="apt5">APT5</h4>

<p>Also known as Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630 <em>[8]</em>. This Chinese APT group targets sectors such as telecommunications, technology, manufacturing, and military technology applications, with a particular focus on telecommunications and technology companies.</p>

<p>They use numerous malware including BRIGHTCREST, SWEETCOLA, SPIRITBOX, Poison Ivy, and HAZELNUT.</p>

<h4 id="apt3">APT3</h4>

<p>Also known as Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 <em>[8]</em>. This Chinese APT group targets sectors such as transportation, communications, engineering, and defense. They are known for using zero-day browser-based exploits. Upon infiltrating the target system, they dump credential information, spread to other hosts related to the system, and load backdoors. Their CnC addresses are difficult to trace.</p>

<p>They use malware such as SHOTPUT, COOKIECUTTER, and SOGU. They conduct attacks using phishing emails, exploiting patched vulnerabilities in Adobe Flash Player’s Flash Video files. This exploit uses common heap spray techniques to bypass Address Space Layout Randomization (ASLR). The exploit also uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). The Adobe Flash Player exploit file contains shellcode along with the key used for decryption. The mentioned payload is xor encoded and stored within an image.</p>

<h4 id="apt32">APT32</h4>

<p>Also known as SeaLotus, OceanLotus, APT-C-00, Canvas Cyclone, BISMUTH <em>[8]</em>. This Vietnam-based APT group targets the private sector and various foreign governments and companies.</p>

<p>They use malware such as SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, and KOMPROGO. They aim to deceive the target using social engineering methods, employing ActiveMime files containing macros that download malicious payloads from remote servers when executed.</p>

<h3 id="4-recent-ics-attackcases">4. Recent ICS Attack Cases</h3>

<p>In the first half of 2024, incidents targeting industrial systems occurred in the fields of manufacturing, energy, transportation, and engineering. According to a report published by Kaspersky <em>[9]</em>, the countries most affected by the attacks were the United States, Germany, France, Belgium, and the Netherlands, in that order. The most common methods used to infiltrate target systems were social engineering attacks and vulnerable internet access tools. Some recent industrial attack cases, utilizing information from Kaspersky’s report, are described below <em>[10]</em>.</p>

<h4 id="sidewinder-attack">SideWinder Attack</h4>

<p>The APT group known as SideWinder has carried out numerous attacks. Most of these attacks targeted new industries, primarily maritime transportation. The majority of attacks were executed through phishing emails containing Microsoft Word documents with .lnk file extensions. The attachment in the email triggers a chain of malicious software written in JavaScript and .NET. At the end of this chain, a .NET malware, which operates only in memory and can be loaded by packers, takes control of the system.</p>

<h4 id="voltzite-attack">VOLTZITE Attack</h4>

<p>The threat actor known as Voltzite targets US-based electric companies, communication, satellite services, and emergency management services. The attackers employ living-off-the-land (LOTL) techniques. LOTL, known as a fileless malware cyber attack technique, does not require any code or script to be loaded for the malware to operate. Instead, it uses tools already present on the infected system. Examples include PowerShell, Windows Management Instrumentation (WMI), and Mimikatz tools <em>[11]</em>. Alongside LOTL techniques, attackers also use web shells. Voltzite has obtained various data, including geographic information system data and SCADA system configurations. Some of the compromised systems include Fortinet FortiGuard, Cisco ASA, and Ivanti Connect Secure VPN.</p>

<h4 id="scaly-wolfattacks">Scaly Wolf Attacks</h4>

<p>This group targets logistics and industrial facilities in Russia. Attackers use phishing emails to prompt the target user to download malicious files, leading to the infection of the system with the White Snake stealer malware. This malware is often found within protected ZIP archives.</p>

<p>White Snake, used by Scaly Wolf, first appeared on the darknet in February 2023. The stealer can operate across platforms using a Python-written downloader and can perform remote access trojan functions, including keylogging on Windows. It supports customization based on XML configuration. The attacker can execute commands on the infected machine via SSH access, utilizing the Serveo.net service to access the SSH service. The stealer can also send notifications via Telegram <em>[11]</em>.</p>

<h3 id="5-threat-detection-mechanisms-for-icssystems">5. Threat Detection Mechanisms for ICS Systems</h3>

<p>Various methods and tools are used to detect threats targeting ICS systems. Detection mechanisms can be examined under three main categories: monitoring and control tools, anomaly detection, and threat intelligence.</p>

<p>Monitoring and control tools include SCADA systems and SIEM (Security Information and Event Management) tools. SCADA systems are used to monitor and control industrial processes, while SIEM systems help detect abnormal behaviors by monitoring network traffic and events in real-time.</p>

<p>Anomaly detection involves analyzing system and user behaviors through behavior analysis. Additionally, integrating artificial intelligence and machine learning algorithms can identify behaviors deviating from the norm.</p>

<p>For threat intelligence, threat intelligence platforms are utilized. Threats targeting ICS systems are segregated from collected and analyzed threats, ensuring necessary actions are taken. Cyber threat intelligence, which can be used before, during, and after attacks, can be sourced internally within the organization or obtained from third-party companies.</p>

<h3 id="6-security-measures-for-icssystems">6. Security Measures for ICS Systems</h3>

<p>With the evolution of threats, new security solutions are needed. To ensure the security of ICS systems, solutions such as real-time monitoring, network anomaly detection, and intrusion detection systems are provided <em>[4]</em>.</p>

<p>The use of firewalls that monitor network traffic is crucial for ICS system security. Alongside firewalls, using Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) is a significant security measure against threats. IDS systems detect potential threats, while IPS systems automatically take action against detected threats.</p>

<p>Regular updates of software and hardware systems and consistent patch management are vital for ICS system security. Each update repairs known vulnerabilities in the system, making it more secure. If updates are not performed, attackers can exploit the disclosed vulnerabilities to infiltrate and jeopardize the system.</p>

<p>By separating critical systems from less critical ones, attackers’ access to the entire system can be restricted. Network segmentation between systems ensures that access to critical systems is more challenging in case of an attack.</p>

<p>Providing awareness training to personnel is essential for the security of ICS systems. Along with trained personnel, the presence of third-party teams regularly analyzing the system can offer additional benefits in analyzing the system externally and identifying potential threats.</p>

<p><em>Figure 2</em> illustrates the technologies used and planned to be used for the security of ICS systems based on the results of a study conducted by SANS <em>[4]</em>.</p>

<p><img src="/assets/images/CTF-Writeups/1__Yae9NZNmdgh0P3vHn8mgfQ.png" alt="" /></p>

<p>Additional methods can be used to enhance the security of ICS systems. Multi-factor authentication is one example. Multi-factor authentication helps prevent unauthorized access. Periodic penetration tests and security audits can identify potential vulnerabilities and ensure measures are taken. Regularly backing up system data and preparing recovery plans for potential threats are also crucial for ICS security.</p>

<h3 id="references">REFERENCES</h3>

<p><strong>1.</strong> Fortinet. (n.d.). What is ICS (Industrial Control System) security?. Retrieved from <a href="https://www.fortinet.com/resources/cyberglossary/ics-security">https://www.fortinet.com/resources/cyberglossary/ics-security</a><br />
<strong>2.</strong> Wikimedia Foundation. (2023, October 31). PLC. Wikipedia. Retrieved from <a href="https://tr.wikipedia.org/wiki/PLC">https://tr.wikipedia.org/wiki/PLC</a><br />
<strong>3.</strong> İnan, Ö. (2023, August 29). Industrial Control Systems. SwordSec. Retrieved from <a href="https://swordsec.com/tr/endustriyel-kontrol-sistemleri/#:~:text=ICS%20%28End%C3%BCstriyel%20Kontrol%20Sistemleri%29%2C,prosesleri%20y%C3%B6netmek%20ve%20kontrol%20etmektir">https://swordsec.com/tr/endustriyel-kontrol-sistemleri/#:~:text=ICS%20(End%C3%BCstriyel%20Kontrol%20Sistemleri)%2C,prosesleri%20y%C3%B6netmek%20ve%20kontrol%20etmektir.</a><br />
<strong>4.</strong> Gregory-Brown, B. (2017). Securing industrial control systems-2017. SANS Institute InfoSec Reading Room. Retrieved from <a href="https://paper.vulsee.com/icsmaster/doc/%E5%9B%BD%E5%A4%96/20170711_Survey_ICS_Tripwire.pdf">https://paper.vulsee.com/icsmaster/doc/%E5%9B%BD%E5%A4%96/20170711_Survey_ICS_Tripwire.pdf</a><br />
<strong>5.</strong> Mandiant. (n.d.-b). Advanced persistent threat (APT) Groups &amp; Threat Actors. Retrieved from <a href="https://www.mandiant.com/resources/insights/apt-groups">https://www.mandiant.com/resources/insights/apt-groups</a><br />
<strong>6.</strong> FKIE, F. (n.d.). Malpedia (Fraunhofer FKIE). Retrieved from <a href="https://malpedia.caad.fkie.fraunhofer.de/">https://malpedia.caad.fkie.fraunhofer.de/</a><br />
<strong>7.</strong> Google. (n.d.). Hard pass: Declining apt34’s invite to join their professional network | Mandiant | Google Cloud Blog. Retrieved from <a href="https://cloud.google.com/blog/topics/threat-intelligence/hard-pass-declining-apt34-invite-to-join-their-professional-network/">https://cloud.google.com/blog/topics/threat-intelligence/hard-pass-declining-apt34-invite-to-join-their-professional-network/</a><br />
<strong>8.</strong> MITRE ATT&amp;CK®. (n.d.). Groups. Retrieved from <a href="https://attack.mitre.org/groups/">https://attack.mitre.org/groups/</a><br />
<strong>9.</strong> Kaspersky ICS CERT. (2024, May 31). Q1 2024 — A brief overview of the main incidents in industrial cybersecurity: Kaspersky ICS CERT. Kaspersky Industrial Control Systems Cyber Emergency Response Team. Retrieved from <a href="https://ics-cert.kaspersky.com/publications/reports/2024/06/03/q1-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/">https://ics-cert.kaspersky.com/publications/reports/2024/06/03/q1-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/</a><br />
<strong>10.</strong> Kaspersky ICS CERT. (2024a, June 5). APT and financial attacks on industrial organizations in Q1 2024: Kaspersky ICS CERT. Kaspersky Industrial Control Systems Cyber Emergency Response Team. Retrieved from <a href="https://ics-cert.kaspersky.com/publications/reports/2024/06/10/apt-and-financial-attacks-on-industrial-organizations-in-q1-2024/">https://ics-cert.kaspersky.com/publications/reports/2024/06/10/apt-and-financial-attacks-on-industrial-organizations-in-q1-2024/</a><br />
<strong>11.</strong> CrowdStrike. (2024, March 27). What are living off the land (LOTL) attacks? Retrieved from <a href="https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/">https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/</a></p>]]></content><author><name>Ayça GÜL</name></author><category term="Cyber Security" /><category term="Cyber Security" /><summary type="html"><![CDATA[1. What Are Industrial Control Systems?]]></summary></entry><entry><title type="html">LOKI MALWARE ANALYSIS USING VOLATILITY</title><link href="https://aycagl.com/malware%20analysis/LOKI-MALWARE-ANALYSIS-USING-VOLATILITY-a60005b92c96/" rel="alternate" type="text/html" title="LOKI MALWARE ANALYSIS USING VOLATILITY" /><published>2024-05-06T18:42:38+00:00</published><updated>2024-05-06T18:42:38+00:00</updated><id>https://aycagl.com/malware%20analysis/LOKI-MALWARE-ANALYSIS-USING-VOLATILITY-a60005b92c96</id><content type="html" xml:base="https://aycagl.com/malware%20analysis/LOKI-MALWARE-ANALYSIS-USING-VOLATILITY-a60005b92c96/"><![CDATA[<p>SHA256 hash:<br />
0a9a1a3c031e0eb6c938510830144f26f88effe94230b1467e09123393b99650</p>

<p><strong>1. Summary:</strong></p>

<p>This report contains a detailed analysis of a malicious software belonging to the “Loki” malware family.<br />
A Windows 10 virtual machine was used for analysis. After running the malware on the virtual machine, the machine’s snapshot information was obtained, and the .vmem file was analyzed using the Volatility 3 tool. The obtained Indicators of Compromise (IoC) information is discussed in the report.</p>

<p><strong>2. Overview of the Loki Malware Family:</strong></p>

<p>Loki is a malware family focused on stealing information such as credentials from the infected system. It was first detected in February 2016. It targets corporate environments, especially through phishing emails: the file attached to the phishing email installs a Trojan, which then steals passwords from browsers, email clients, and cryptocurrency wallets [1].<br />
The Loki sample analyzed in this report is a stealer that enters the system as an email attachment and exfiltrates information.</p>

<p><strong>3. Malware Analysis:</strong></p>

<p>First, the process tree of the .vmem file obtained from the snapshot was examined in Volatility with the pstree plugin, which lists the running processes in tree form.</p>

<p><img src="/assets/images/CTF-Writeups/1__oInCwGBWyLOiJpYzmc3vnA.png" alt="" /></p>

<p>In the pstree output, the executable named “0a9a1a3c031e0eb6c938510830144f26f88effe94230b1467e09123393b99650.exe” with PID 8076 stands out: a bare hash is not a legitimate process name.</p>

<p><img src="/assets/images/CTF-Writeups/1__amguHYlzZZN7va2VKPaHhA.png" alt="" /></p>

<p>For more detail, the cmdline plugin was run to see the command lines with which the processes on the system were started.</p>

<p><img src="/assets/images/CTF-Writeups/1__B6EN18WMy41thLpVpAmH8w.png" alt="" /></p>

<p>The cmdline output shows the illegitimate process seen in pstree together with the processes started after it: PowerShell was executed after the suspected process.</p>

<p><img src="/assets/images/CTF-Writeups/1__0fQVc0m7FvJvdpEdgMM42w.png" alt="" /></p>

<p>The netscan plugin was used to list the network connections made on the system.</p>

<p><img src="/assets/images/CTF-Writeups/1__Cxnqpu__Yz9JNAb0ENNPaYg.png" alt="" />
<img src="/assets/images/CTF-Writeups/1__0n9f6irkVrxxYplJ0gBJFg.png" alt="" /></p>

<p>The netscan results show a connection still in the SYN-sent stage of the TCP three-way handshake. The destination of that connection may be the suspect’s C2 (Command and Control) address, and VirusTotal can be used to check whether any vendor has labeled it as malicious.</p>
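<p>The pstree/cmdline review and the netscan check above can be scripted once the plugin output has been saved to text. The following is an added example for this write-up, not code from the report or from the Volatility project: it parses constructed, abbreviated pstree and netscan output (only PID 8076 and the hash-named image come from the report; every other PID, address and timestamp is made up, with 203.0.113.0/24 standing in for an external host), flags processes whose image name is a bare hash, flags script hosts such as PowerShell spawned by them, and lists outbound connections from flagged PIDs to non-internal addresses as C2 candidates worth checking on VirusTotal.</p>

```python
"""Triage of saved Volatility 3 plugin output.

Added example, not code from the report or from Volatility. It assumes the
plugin output was saved as plain text, e.g.
    vol.py -f memory.vmem windows.pstree  > pstree.txt
    vol.py -f memory.vmem windows.netscan > netscan.txt
The samples below are CONSTRUCTED with a reduced column set; only PID 8076 and
the hash-named executable are taken from the analysis.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed pstree sample: Volatility marks tree depth with leading '*'.
PSTREE_SAMPLE = """\
Volatility 3 Framework 2.x
PID\tPPID\tImageFileName\tCreateTime
4\t0\tSystem\t2024-05-06 10:00:01.000000
* 540\t4\tsmss.exe\t2024-05-06 10:00:05.000000
3220\t3100\texplorer.exe\t2024-05-06 10:01:10.000000
* 4412\t3220\tnotepad.exe\t2024-05-06 10:02:00.000000
* 8076\t3220\t0a9a1a3c031e0eb6c938510830144f26f88effe94230b1467e09123393b99650.exe\t2024-05-06 10:05:30.000000
** 8144\t8076\tpowershell.exe\t2024-05-06 10:05:33.000000
"""

# Constructed netscan sample (203.0.113.45 is a documentation address used as a stand-in).
NETSCAN_SAMPLE = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner
0xe58e2c1a0010\tTCPv4\t192.168.56.101\t49712\t203.0.113.45\t80\tSYN_SENT\t8144\tpowershell.exe
0xe58e2c1a0020\tTCPv4\t192.168.56.101\t49700\t192.168.56.1\t445\tESTABLISHED\t4\tSystem
0xe58e2c1a0030\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t880\tsvchost.exe
0xe58e2c1a0040\tTCPv6\t::\t445\t::\t0\tLISTENING\t4\tSystem
"""

# An image name that is just an MD5/SHA-1/SHA-256 digest is never a product binary.
HASH_NAME = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\.exe$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    children: list = field(default_factory=list)


def _data_rows(text):
    """Yield tab-split data rows, skipping the banner and header lines."""
    for line in text.splitlines():
        cols = line.split("\t")
        if cols[0].lstrip("* ")[:1].isdigit():  # PIDs and 0x offsets both start with a digit
            yield cols


def parse_pstree(text):
    """Build a PID -> Proc map and link children to parents."""
    procs = {}
    for cols in _data_rows(text):
        pid = int(cols[0].lstrip("* "))
        procs[pid] = Proc(pid, int(cols[1]), cols[2])
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def flag_processes(procs):
    """Return {pid: reason}: hash-named images, then script hosts spawned by them."""
    flags = {}
    for p in procs.values():
        if HASH_NAME.match(p.name):
            flags[p.pid] = "image name is a bare hash"
    for p in procs.values():
        if p.name.lower() in SCRIPT_HOSTS and p.ppid in flags:
            flags[p.pid] = f"{p.name} spawned by flagged PID {p.ppid}"
    return flags


def parse_netscan(text):
    conns = []
    for cols in _data_rows(text):
        conns.append({"proto": cols[1], "faddr": cols[4], "fport": int(cols[5]),
                      "state": cols[6], "pid": int(cols[7]), "owner": cols[8]})
    return conns


def is_internal(addr):
    """True for unspecified, loopback and RFC 1918/link-local addresses (or unparsable ones)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_unspecified or ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def c2_candidates(conns, flags):
    """Outbound (SYN_SENT/ESTABLISHED) connections from flagged PIDs to external hosts."""
    return [(c["pid"], c["faddr"], c["fport"], c["state"]) for c in conns
            if c["pid"] in flags and c["state"] in {"SYN_SENT", "ESTABLISHED"}
            and not is_internal(c["faddr"])]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    flags = flag_processes(procs)
    for pid, why in flags.items():
        print(f"PID {pid} ({procs[pid].name}): {why}")
    for pid, addr, port, state in c2_candidates(parse_netscan(NETSCAN_SAMPLE), flags):
        print(f"check on VirusTotal: {addr}:{port} ({state}) from PID {pid}")
```

<p>The flagged addresses are only candidates: the next step, as in the analysis, is to look them up in VirusTotal or another reputation source rather than treating every external connection as C2.</p>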

<p><img src="/assets/images/CTF-Writeups/1__xa1yXRdKf50kmgbRIxRA9w.png" alt="" /></p>

<p>According to the VirusTotal results, the address has been labeled as “malicious” by 6 vendors, so the suspect’s C2 address has been obtained.</p>

<p>The malfind plugin, which looks for hidden or injected code and DLLs in process memory, was also run. Its results again point to the suspected process.</p>

<p><img src="/assets/images/CTF-Writeups/1__eYl0EwNH2S5zph0X5YpNWA.png" alt="" /></p>

<p>The dumpfiles plugin was used to extract the files belonging to the suspicious process. Among the results is the file “file.0x9e…exe.img”.</p>

<p><img src="/assets/images/CTF-Writeups/1__mOhWQpwbyIaid7UxpyCj5Q.png" alt="" /></p>

<p>When the file is examined on VirusTotal, it is seen that it has been labeled as malicious by 3 vendors.</p>

<p><img src="/assets/images/CTF-Writeups/1__Fsc__XiKqYUNo4Z0vgtmLsQ.png" alt="" /></p>

<p>When the malicious file is run in the <a href="https://threat.zone/">ThreatZone</a> sandbox, it is seen to start the processes “WMIADAP.EXE” and “wmiprvse.exe”. wmiprvse.exe is the WMI Provider Host, which lets applications on the computer query information about the system; from this it can be inferred that the malware is trying to collect information about the system.</p>

<p><img src="/assets/images/CTF-Writeups/1__VJNd92UH8JazqhZGiCuOYQ.png" alt="" /></p>

<p><strong>4. Conclusion:</strong></p>

<p>The Volatility examination shows an illegitimate process running on the system. That process then executes PowerShell, most likely to establish communication with the C2 address. The file carried by the process has been classified as malicious by multiple vendors and attempts to collect information about the system; it operates as a stealer aimed at personal data. These conclusions are confirmed by the sandbox results, which corroborate both the C2 address obtained during the analysis and the classification of the malware as a stealer.</p>

<p><img src="/assets/images/CTF-Writeups/1__LZ4hsn__V1CWs__IVG3bRGhg.png" alt="" /></p>

<ul>
  <li><em>You can check AnyRun sandbox results from here:</em> <a href="https://app.any.run/tasks/4ba470df-e682-49de-be48-8168075626e9/">https://app.any.run/tasks/4ba470df-e682-49de-be48-8168075626e9/</a></li>
</ul>

<p><strong>5. References:</strong></p>

<ul>
  <li>Trend Micro (DCX). (n.d.). Loki malware information. <a href="https://success.trendmicro.com/dcx/s/solution/1117830-loki-malware-information?language=en_US">https://success.trendmicro.com/dcx/s/solution/1117830-loki-malware-information?language=en_US</a></li>
</ul>]]></content><author><name>Ayça GÜL</name></author><category term="Malware Analysis" /><category term="Malware Analysis" /><summary type="html"><![CDATA[SHA256 hash: 0a9a1a3c031e0eb6c938510830144f26f88effe94230b1467e09123393b99650]]></summary></entry><entry><title type="html">CYBER THREAT INTELLIGENCE</title><link href="https://aycagl.com/cyber%20security/S-BER-TEHD-T-ST-HBARATI-f783ab3dfbf5/" rel="alternate" type="text/html" title="CYBER THREAT INTELLIGENCE" /><published>2024-04-08T14:21:51+00:00</published><updated>2024-04-08T14:21:51+00:00</updated><id>https://aycagl.com/cyber%20security/S-BER-TEHD-T--ST-HBARATI-f783ab3dfbf5</id><content type="html" xml:base="https://aycagl.com/cyber%20security/S-BER-TEHD-T-ST-HBARATI-f783ab3dfbf5/"><![CDATA[<p><strong>What Is Cyber Threat Intelligence?</strong></p>

<p>Cyber Threat Intelligence (<em>CTI</em>) is the set of activities carried out to detect, analyze and understand potential threats by interpreting information obtained from various sources, with the aim of securing digital systems.</p>

<p>Cyber threat intelligence covers information such as attackers, malware, and Indicators of Compromise (<em>IoC</em>), the signs that a system has been breached. Analyzing the collected information allows the organizations concerned to take countermeasures and develop security strategies.</p>

<p>Cyber threat intelligence is divided into 3 main types.</p>

<ol>
  <li>Strategic Cyber Threat Intelligence: The type of intelligence generally used by governments, large-scale enterprises and international organizations to make strategic decisions. It provides information about the overall cyber threat landscape and the decisions to be taken for the organization.</li>
  <li>Operational Cyber Threat Intelligence: Covers technical topics such as understanding attacks and vulnerability management. It is a type of intelligence that is especially useful for SOC teams.</li>
  <li>Tactical Cyber Threat Intelligence: Focuses on data such as malware and IoC information. It generally provides short-term intelligence.</li>
</ol>

<p><strong>Cyber Threat Intelligence Collection and Analysis Processes</strong></p>

<p>Cyber threat intelligence is not merely the collection of information; it is a set of activities that analyze that information within a cycle. This cycle, called the Threat Intelligence Lifecycle, serves as a framework for its users and ensures that intelligence work is carried out effectively and continuously (Figure 1).</p>

<p><em>Figure 1: Threat Intelligence Lifecycle [1]</em></p>

<p><strong>1. Defining Requirements</strong></p>

<p>The first stage sets the direction. In this stage, where the roadmap for threat intelligence is drawn, the objectives, scope and methodology are determined according to the organization’s needs. The aim is to obtain information about attackers, their motivations and the attack surfaces. Priorities are set and the required resources are identified.</p>

<p><strong>2. Collection</strong></p>

<p>In this stage, information is gathered from various sources. Data is obtained from sources such as network devices, SIEM logs, blog pages, deep web and dark web forums, and even human intelligence.</p>

<p><strong>3. Processing</strong></p>

<p>This is the stage in which the raw data collected in the previous stage is processed and turned into information. The information is converted into a format suitable for the analysis stage. Unnecessary or incorrect information is weeded out during processing. AI tools can also be used in this stage.</p>

<p>One of the basic operations in this stage is data normalization: the data is normalized so that it can be analyzed more easily. Data enrichment can then be performed by adding further details and information; for example, affected systems and threat actors can be attached to IoC information. The processed data is subjected to correlation and aggregation to express the links between different indicators. Contextualization follows, in which threats are rated by taking into account factors such as the organization’s location and systems. Filtering, one of the most important steps of data processing, removes every kind of irrelevant or incorrect data that can be described as “noise”. The cleaned data is categorized and labeled according to the type of intelligence. In the final step the information is evaluated and prioritized in terms of timing and criticality [2].</p>

<p><strong>4. Analysis</strong></p>

<p>The processed data is analyzed. Answers are sought to the questions set out in the first stage. The data is examined for specific patterns and relationships in order to determine the nature and scope of the threats. Tactics, techniques and procedures are identified. At this stage the analyst may recommend a number of security measures.</p>

<p><strong>5. Dissemination</strong></p>

<p>The findings of the analysis are compiled into a report and delivered to the relevant organization. Appropriate action plans are drawn up by the organization.</p>

<p><strong>6. Feedback</strong></p>

<p>Feedback is collected from the organization and the necessary improvements are made.</p>
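<p>The processing stage described above (normalization, enrichment, correlation, contextualization, filtering, categorization and prioritization) is easiest to understand as a small pipeline. The following is an added example for this article, not code from the article or from any CTI vendor: three constructed feeds (a SIEM, an OSINT blog and a forum, with the actor name “TA-X” and the host list in SIEM_CONTACTS all invented, and 203.0.113.0/24 and .example used as reserved stand-ins for an external host and a malicious domain) are normalized, filtered for noise, merged per indicator, enriched with organizational context, categorized and scored.</p>

```python
"""A miniature IoC processing pipeline for the "Processing" stage.

Added example, not code from the article or any vendor. All feeds, hosts and
the actor name "TA-X" are CONSTRUCTED; 203.0.113.0/24 and .example are reserved
documentation ranges standing in for an external host and a malicious domain.
"""
import ipaddress
import re
from datetime import date

RAW_FEEDS = [
    {"source": "siem", "records": [
        {"indicator": "203.0.113.45", "kind": "ip", "seen": "2024-04-01"},
        {"indicator": "203.0.113.45", "kind": "ip", "seen": "2024-04-02"},
        {"indicator": "10.0.0.5", "kind": "ip", "seen": "2024-04-02"},          # internal host: noise
    ]},
    {"source": "osint_blog", "records": [
        {"indicator": "EVIL-UPDATE[.]EXAMPLE", "kind": "domain", "seen": "2024-03-30", "actor": "TA-X"},
        {"indicator": "203.0.113.45", "kind": "ip", "seen": "2024-03-29", "actor": "TA-X"},
    ]},
    {"source": "darkweb_forum", "records": [
        {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "kind": "hash", "seen": "2024-04-03"},  # MD5 of an empty file
        {"indicator": "not-an-address", "kind": "ip", "seen": "2024-04-03"},                    # malformed
    ]},
]
# Constructed organizational context: which of our hosts contacted an indicator (from the SIEM).
SIEM_CONTACTS = {"203.0.113.45": ["ws-0142", "ws-0199"]}
KNOWN_BENIGN_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def normalize(rec):
    """Normalization: one canonical form per indicator; None when the value does not match its kind."""
    value = rec["indicator"].strip().lower().replace("[.]", ".")  # refang defanged domains
    kind = rec["kind"]
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
    elif kind == "hash" and not HASH_RE.match(value):
        return None
    elif kind == "domain" and not DOMAIN_RE.match(value):
        return None
    return {**rec, "indicator": value, "seen": date.fromisoformat(rec["seen"])}


def is_noise(rec):
    """Filtering: internal addresses and well-known benign hashes are not intelligence."""
    if rec["kind"] == "ip":
        ip = ipaddress.ip_address(rec["indicator"])
        return ip.is_loopback or any(ip in net for net in RFC1918)
    return rec["kind"] == "hash" and rec["indicator"] in KNOWN_BENIGN_HASHES


def correlate(records):
    """Correlation and aggregation: merge sightings of the same indicator across feeds."""
    merged = {}
    for r in records:
        entry = merged.setdefault((r["kind"], r["indicator"]), {
            "kind": r["kind"], "indicator": r["indicator"], "sources": set(),
            "actors": set(), "first_seen": r["seen"], "last_seen": r["seen"]})
        entry["sources"].add(r["source"])
        if "actor" in r:
            entry["actors"].add(r["actor"])
        entry["first_seen"] = min(entry["first_seen"], r["seen"])
        entry["last_seen"] = max(entry["last_seen"], r["seen"])
    return list(merged.values())


def enrich_and_prioritize(entries, today):
    """Enrichment, contextualization, categorization and prioritization."""
    for e in entries:
        e["affected_hosts"] = SIEM_CONTACTS.get(e["indicator"], [])  # contextualization
        e["category"] = "tactical"  # atomic IoCs are short-lived, tactical intelligence
        stale = (today - e["last_seen"]).days > 30
        e["score"] = (2 * len(e["sources"]) + 3 * len(e["affected_hosts"])
                      + (2 if e["actors"] else 0) - (1 if stale else 0))
    return sorted(entries, key=lambda e: e["score"], reverse=True)


def process(feeds, today=date(2024, 4, 8)):
    """Run the whole processing stage over raw feeds and return prioritized entries."""
    records = []
    for feed in feeds:
        for raw in feed["records"]:
            rec = normalize({**raw, "source": feed["source"]})
            if rec is not None and not is_noise(rec):
                records.append(rec)
    return enrich_and_prioritize(correlate(records), today)


if __name__ == "__main__":
    for e in process(RAW_FEEDS):
        print(e["score"], e["kind"], e["indicator"], sorted(e["sources"]), e["affected_hosts"])
```

<p>Of the seven raw records, two are dropped as noise (the internal address and the empty-file hash), one is rejected as malformed, and the three sightings of the same address collapse into a single entry that outranks the domain because it was seen by two sources and touched two internal hosts. The scoring weights are illustrative; in practice they come from the requirements stage.</p>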

<p>Dedicated tools can also be used as a technological solution for cyber threat intelligence. With these tools, information is collected from various sources and analyzed, and measures are taken against threats. Anomali, Kaspersky, Bitdefender and IntSights are examples of such tools (Figure 2).</p>

<p><img src="/assets/images/CTF-Writeups/0__Yin3zAMSL9dk9for.jpg" alt="" /></p>

<p><em>Figure 2. The most widely used cyber threat intelligence tools for 2024 [3]</em></p>

<p>Cyber threat intelligence has an important place for institutions and organizations. Intelligence obtained in advance makes it possible to prevent potential data loss, remediate existing vulnerabilities, and make systems more secure.</p>

<p>The cyber threat intelligence lifecycle is not a linear process; it is a continuous, dynamic structure. Its cyclical nature ensures the continuity of security.</p>

<p><strong>REFERENCES</strong></p>

<ol>
  <li>Baker, K. (2023, March 23). What is Cyber Threat Intelligence? CrowdStrike. <a href="https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/">https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/</a></li>
  <li>The five phases of the threat intelligence lifecycle. (2023, August 9). ELVTR DE | Lerne von Expert:innen live &amp; online. <a href="https://de.elvtr.com/blog/the-five-phases-of-the-threat-intelligence-lifecycle">https://de.elvtr.com/blog/the-five-phases-of-the-threat-intelligence-lifecycle</a></li>
  <li>Wadhwa, P. (2024, February 20). Top 11 cyber threat intelligence tools in 2024. Sprinto. <a href="https://www.wallarm.com/what/threat-intelligence">https://www.wallarm.com/what/threat-intelligence</a></li>
</ol>]]></content><author><name>Ayça GÜL</name></author><category term="Cyber Security" /><category term="Cyber Security" /><summary type="html"><![CDATA[What Is Cyber Threat Intelligence?]]></summary></entry></feed>