In my previous post about TI I hinted that malware sample sandboxing (f.ex. extracting configs, credentials, domains, emails, (S)FTP accounts) – identifying TTPs is a great TI data source…
I must admit that there is so much juice to absorb from automated sandboxing that I sat on the below post for a few years. Until I finally realized that these techniques are now so widespread that we can finally talk about them… openly.
Yes, intercepting these aforementioned signals in an automated fashion is indeed, a very powerful TI concept… Because there is, in fact, a number of Windows API functions and COM methods that – when hooked – can ‘see’ all these hardcoded, sensitive data being used by attackers, including credentials, api keys, tokens, used to access both local and remote entry points, C2s, emails, online storage facilities, etc…
And… this may come as a shock to you, but even in 2024 there are malware families that still manage to connect out to external (S)FTP, or SQL databases to upload their stolen data w/o being blocked! And there are of course, the more modern ones that leverage existing modern infra to flawlessly connect to Discord, Telegram, S3 and so on and so forth. BUT, while doing so they also have to use a set of these hardcoded credentials, keys, or tokens… and… yes… we can and should be catching these today…
So… the bottom line is that anyone who gets access to these secrets can access many resources the malware author can! And yes, this is exactly what some of the Threat Intel shops are doing today on regular basis. The access to cred-, account-, cookie- and bitcoin wallet- dumps collected & stored by malware instantiations gives these companies an edge when it comes to ‘early warnings’. They know your org is targeted, because the name, the domain name, the cookie, or any other information that unequivocally points to your org is automagically discovered in the intercepted malware-collected data files and logs…
I do hope that all these companies observe the local and global privacy laws…
Coming back to the technical realm, the below is a good list of APIs that, when intercepted/monitored, may give us lots of pointers that facilitate that early access:
- NetUserAdd
- IXMLHttpRequest::open
- IWbemLocator::ConnectServer
- ITask::SetAccountInformation
- IWinHttpRequest::SetCredentials
- RasDial (legacy, but always)
- CryptHashData
- InternetOpen
- InternetConnect
- WinHttpOpen
- MAPILogonEx
- ConnectionOpen
And of course, recognizing and hooking popular libraries and their functions that are statically linked by many malware families will help too…
This is probably the hardest to write post in this series. I am still sitting on the fence when it comes to legality of it all, but at the same time – if we can prevent, or at least send an early-warning type of messages to victims as a result of this shady operation, aren’t we the ones to be praised?
GIPHY App Key not set. Please check settings