Security vendor Huntress got more than just a trial customer when an active cybercriminal clicked on an Internet ad for its endpoint protection agent and installed the software.
As the agent monitored the threat actor’s computer, Huntress’ security operations centre (SOC) was able to learn a great deal of unique information about the person, their tools and general workflow, in less than an hour and a half, the security vendor explained to iTnews.
Why exactly the threat actor installed the Huntress agent isn’t clear, but the security firm was able to “shoulder surf” as the person reconnoitred with the help of artificial intelligence, used search engines to research techniques and resources, and availed themselves of Google Translate while probing sites in languages the person didn’t master.
Huntress has shared its findings of the telemetry it received on a blog post.
Much of the information came from the threat actor’s browser history, but there were other data sources as well.
“A good bit of what was shared in the blog focuses on the browser history, as this provided us with a lot of insight into their operations,” director of adversary tactics Jill Levy told iTnews.
“However, there was other telemetry used during the investigation to determine this was a threat actor, like process executions, basic machine information (current time, time zone, IP address etc), Windows event logs, and malware files; all of which were pulled from the machine via our EDR agent.”
Several malicious toolkits, such as the man-in-the-middle attack framework Evilginx and others for reconnaissance, exfiltration and social engineering, were also discovered by Huntress on the threat actor’s computer.
The threat actor also attempted to use residential proxy services, to hide malicious activity from detection, and registered an account at the Styx “dark web” forum to check out info-stealer logs, stolen credentials and other information.

Source: Huntress
Although there are ethical considerations around releasing information gathered through telemetry, Huntress said it was responding to malware executing on the computer on which the trial version of its managed agent had been installed.
“We wanted to serve the broader community by sharing what we learned about the tradecraft that the threat actor was using in this incident,” Levy and Huntress staffers Lindsey O’Donnell-Welch and Michael Tigges wrote.
“In deciding what information to publish about this investigation, we carefully considered several factors, like strictly upholding our privacy obligations, as well as disseminating EDR telemetry that specifically reflected threats and behaviour that could help defenders.”
Levy said the threat actor installed the trial version of the EDR agent on July 9 UTC.
She added that the SOC analysts had determined 84 minutes after activation of the agent that the user was malicious and forcibly uninstalled the software when they had sufficient evidence that the endpoint was being used by a threat actor.
Little was learnt about the background of the threat actor, which targeted banks and other organisations in several places around the world.