Blog

No items found.

Entry via Sentry: Analyzing the Exploitation of a Critical Vulnerability in Ivanti Sentry

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Dec 2023
20
Dec 2023
In late August 2023, Darktrace observed malicious actors exploiting vulnerabilities on Ivanti Sentry servers within customer networks. Following these successful exploits, a variety of cryptomining and reconnaissance tools were delivered. In this blog, we will provide details of these chains of activity, along with details of Darktrace/Network’s coverage of the steps involved in them.

In an increasingly interconnected digital landscape, the prevalence of critical vulnerabilities in internet-facing systems stands as an open invitation to malicious actors. These vulnerabilities serve as a near limitless resource, granting attackers a continually array of entry points into targeted networks.

In the final week of August 2023, Darktrace observed malicious actors validating exploits for one such critical vulnerability, likely the critical RCE vulnerability, CVE-2023-38035, on Ivanti Sentry servers within multiple customer networks. Shortly after these successful tests were carried out, malicious actors were seen delivering crypto-mining and reconnaissance tools onto vulnerable Ivanti Sentry servers.

Fortunately, Darktrace DETECT™ was able to identify this post-exploitation activity on the compromised servers at the earliest possible stage, allowing the customer security teams to take action against affected devices. In environments where Darktrace RESPOND™ was enabled in autonomous response mode, Darktrace was further able inhibit the identified post-exploitation activity and stop malicious actors from progressing towards their end goals.

Exploitation of Vulnerabilities in Ivanti Products

The software provider, Ivanti, offers a variety of widely used endpoint management, service management, and security solutions. In July and August 2023, the Norwegian cybersecurity company, Mnemonic, disclosed three vulnerabilities in Ivanti products [1]/[2]/[3]; two in Ivanti's endpoint management solution, Ivanti Endpoint Manager Mobile (EPMM) (formerly called 'MobileIron Core'), and one in Ivanti’s security gateway solution, Ivanti Sentry (formerly called 'MobileIron Sentry'):

CVE-2023-35078

  • CVSS Score: 10.0
  • Affected Product: Ivanti EPMM
  • Details from Ivanti: [4]/[5]/[6]
  • Vulnerability type: Authentication bypass

CVE-2023-35081

  • CVSS Score: 7.2
  • Affected Product: Ivanti EPMM
  • Details from Ivanti: [7]/[8]/[9]
  • Vulnerability type: Directory traversal

CVE-2023-38035

  • CVSS Score:
  • Affected Product: Ivanti Sentry
  • Details from Ivanti: [10]/[11]/[12]
  • Vulnerability type: Authentication bypass

At the beginning of August 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) provided details of advanced persistent threat (APT) activity targeting EPMM systems within Norwegian private sector and government networks via exploitation of CVE-2023-35078 combined with suspected exploitation of CVE-2023-35081.

In an article published in August 2023 [12], Ivanti disclosed that a very limited number of their customers had been subjected to exploitation of the Ivanti Sentry vulnerability, CVE-2023-38035, and on the August 22, 2023, CISA added the Ivanti Sentry vulnerability, CVE-2023-38035 to its ‘Known Exploited Vulnerabilities Catalogue’.  CVE-2023-38035 is a critical authentication bypass vulnerability affecting the System Manager Portal of Ivanti Sentry systems. The System Manager Portal, which is accessible by default on port 8433, is used for administration of the Ivanti Sentry system. Through exploitation of CVE-2023-38035, an unauthenticated actor with access to the System Manager Portal can achieve Remote Code Execution (RCE) on the underlying Ivanti Sentry system.

Observed Exploitation of CVE-2023-38035

On August 24, Darktrace observed Ivanti Sentry servers within several customer networks receiving successful SSL connections over port 8433 from the external endpoint, 34.77.65[.]112. The usage of port 8433 indicates that the System Manager Portal was accessed over the connections. Immediately after receiving these successful connections, Ivanti Sentry servers made GET requests over port 4444 to 34.77.65[.]112. The unusual string ‘Wget/1.14 (linux-gnu)’ appeared in the User-Agent headers of these requests, indicating that the command-line utility, wget, was abused to initiate the requests.

Figure 1: Event Log data for an Ivanti Sentry system showing the device breaching a range of DETECT models after contacting 34.77.65[.]112.The suspicious behavior highlighted by DETECT was subsequently investigated by Darktrace’s Cyber AI Analyst™, which was able to weave together these separate behaviors into single incidents representing the whole attack chain.

Figure 2: AI Analyst Incident representing a chain of suspicious activities from an Ivanti Sentry server.

In cases where Darktrace RESPOND was enabled in autonomous response mode, RESPOND was able to automatically enforce the Ivanti Sentry server’s normal pattern of life, thus blocking further exploit testing.

Figure 3: Event Log for an Ivanti Sentry server showing the device receiving a RESPOND action immediately after trying to 34.77.65[.]112.

The GET requests to 34.77.65[.]112 were responded to with the following HTML document:

Figure 4: Snapshot of the HTML document returned by 34.77.65[.]112.

None of the links within this HTML document were functional. Furthermore, the devices’ downloads of these HTML documents do not appear to have elicited further malicious activities. These facts suggest that the observed 34.77.65[.]112 activities were representative of a malicious actor validating exploits (likely for CVE-2023-38035) on Ivanti Sentry systems.

Over the next 24 hours, these Ivanti Sentry systems received successful SSL connections over port 8433 from a variety of suspicious external endpoints, such as 122.161.66[.]161. These connections resulted in Ivanti Sentry systems making HTTP GET requests to subdomains of ‘oast[.]site’ and ‘oast[.]live’. Strings containing ‘curl’ appeared in the User-Agent headers of these requests, indicating that the command-line utility, cURL, was abused to initiate the requests.

These ‘oast[.]site’ and ‘oast[.]live’ domains are used by the out-of-band application security testing (OAST) service, Interactsh. Malicious actors are known to abuse this service to carry out out-of-band (OOB) exploit testing. It, therefore, seems likely that these activities were also representative of a malicious actor validating exploits for CVE-2023-38035 on Ivanti Sentry systems.

Figure 5: Event Log for Ivanti Sentry system showing the device contacting an 'oast[.]site' endpoint after receiving connections from the suspicious, external endpoint 122.161.66[.]161.

The actors seen validating exploits for CVE-2023-38035 may have been conducting such activities in preparation for their own subsequent malicious activities. However, given the variety of attack chains which ensued from these exploit validation activities, it is also possible that they were carried out by Initial Access Brokers (IABs) The activities which ensued from exploit validation activities identified by Darktrace fell into two categories: internal network reconnaissance and cryptocurrency mining.

Reconnaissance Activities

In one of the reconnaissance cases, immediately after receiving successful SSL connections over port 8443 from the external endpoints 190.2.131[.]204 and 45.159.248[.]179, an Ivanti Sentry system was seen making a long SSL connection over port 443 to 23.92.29[.]148, and making wget GET requests over port 4444 with the Target URIs '/ncat' and ‘/TxPortMap’ to the external endpoints, 45.86.162[.]147 and 195.123.240[.]183.  

Figure 6: Event Log data for an Ivanti Sentry system showing the device making connections to the external endpoints, 45.86.162[.]147, 23.92.29[.]148, and 195.123.240[.]183, immediately after receiving connections from rare external endpoints.

The Ivanti Sentry system then went on to scan for open SMB ports on systems within the internal network. This activity likely resulted from an attacker dropping a port scanning utility on the vulnerable Ivanti Sentry system.

Figure 7: Event Log data for an Ivanti Sentry server showing the device breaching several DETECT models after downloading a port scanning tool from 195.123.240[.]183.

In another reconnaissance case, Darktrace observed multiple wget HTTP requests with Target URIs such as ‘/awp.tar.gz’ and ‘/resp.tar.gz’ to a suspicious, external server (78.128.113[.]130).  Shortly after making these requests, the Ivanti Sentry system started to scan for open SMB ports and to respond to LLMNR queries from other internal devices. These behaviors indicate that the server may have installed an LLMNR poisoning tool, such as Responder. The Ivanti Sentry server also went on to conduct further information-gathering activities, such as LDAP reconnaissance, HTTP-based vulnerability scanning, HTTP-based password searching, and RDP port scanning.

Figure 8: Event Log data for an Ivanti Sentry system showing the device making connections to 78.128.113[.]130, scanning for an open SMB port on internal endpoints, and responding to LLMNR queries from internal endpoints.

In cases where Darktrace RESPOND was active, reconnaissance activities resulted in RESPOND enforcing the Ivanti Sentry server’s pattern of life.

Figure 9: Event Log data for an Ivanti Sentry system receiving a RESPOND action as a result of its SMB port scanning activity.
Figure 10: Event Log data for an Ivanti Sentry system receiving a RESPOND action as a result of its LDAP reconnaissance activity.

Crypto-Mining Activities

In one of the cryptomining cases, Darktrace detected an Ivanti Sentry server making SSL connections to aelix[.]xyz and mining pool endpoints after receiving successful SSL connections over port 8443 from the external endpoint, 140.228.24[.]160.

Figure 11: Event Log data for an Ivanti Sentry system showing the device contacting aelix[.]xyz and mining pool endpoints immediately after receiving connections from the external endpoint, 140.228.24[.]160.

In a cryptomining case on another customer’s network, an Ivanti Sentry server was seen making GET requests indicative of Kinsing malware infection. These requests included wget GET requests to 185.122.204[.]197 with the Target URIs ‘/unk.sh’ and ‘/se.sh’ and a combination of GET and POST requests to 185.221.154[.]208 with the User-Agent header ‘Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36’ and the Target URIs, ‘/mg’, ‘/ki’, ‘/get’, ‘/h2’, ‘/ms’, and ‘/mu’. These network-based artefacts have been observed in previous Kinsing infections [13].

Figure 12: Event Log data for an Ivanti Sentry system showing the device displaying likely Kinsing C2 activity.

On customer environments where RESPOND was active, Darktrace was able to take swift autonomous action by blocking cryptomining connection attempts to malicious command-and-control (C2) infrastructure, in this case Kinsing servers.

Figure 13: Event Log data for an Ivanti Sentry server showing the device receiving a RESPOND action after attempting to contact Kinsing C2 infrastructure.

Fortunately, due to Darktrace DETECT+RESPOND prompt identification and targeted actions against these emerging threats, coupled with remediating steps taken by affected customers’ security teams, neither the cryptocurrency mining activities nor the network reconnaissance activities led to significant disruption.  

Figure 14: Timeline of observed malicious activities.

Conclusion The inevitable presence of critical vulnerabilities in internet-facing systems underscores the perpetual challenge of defending against malicious intrusions. The near inexhaustible supply of entry routes into organizations’ networks available to malicious actors necessitates a more proactive and vigilant approach to network security.

While it is, of course, essential for organizations to secure their digital environments through the regular patching of software and keeping abreast of developing vulnerabilities that could impact their network, it is equally important to have a safeguard in place to mitigate against attackers who do manage to exploit newly discovered vulnerabilities.

In the case of Ivanti Sentry, Darktrace observed malicious actors validating exploits against affected servers on customer networks just a few days after the public disclosure of the critical vulnerability.  This activity was followed up by a variety of malicious and disruptive, activities including cryptocurrency mining and internal network reconnaissance.

Darktrace DETECT immediately detected post-exploitation activities on compromised Ivanti Sentry servers, enabling security teams to intervene at the earliest possible stage. Darktrace RESPOND, when active, autonomously inhibited detected post-exploitation activities. These DETECT detections, along with their accompanying RESPOND interventions, prevented malicious actors from being able to progress further towards their likely harmful objectives.

Credit to Sam Lister, Senior Cyber Analyst, and Trent Kessler, SOC Analyst  

Appendices

MITRE ATT&CK Mapping

Initial Access techniques:

  • Exploit Public-Facing Application (T1190)

Credential Access techniques:

  • Unsecured Credentials: Credentials In Files (T1552.001)
  • Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)

Discovery

  • Network Service Discovery (T1046)
  • Remote System Discovery (T1018)
  • Account Discovery: Domain Account (T1087.002)

Command and Control techniques:

  • Application Layer Protocol: Web Protocols (T1071.001)
  • Ingress Tool Transfer (T1105)
  • Non-Standard Port (T1571)
  • Encrypted Channel: Asymmetric Cryptography (T1573.002)

Impact techniques

  • Resource Hijacking (T1496)
List of IoCs

Exploit testing IoCs:

·      34.77.65[.]112

·      Wget/1.14 (linux-gnu)

·      cjjovo7mhpt7geo8aqlgxp7ypod6dqaiz.oast[.]site • 178.128.16[.]97

·      curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

·      cjk45q1chpqflh938kughtrfzgwiofns3.oast[.]site • 178.128.16[.]97

·      curl/7.29.0

Kinsing-related IoCs:

·      185.122.204[.]197

·      /unk.sh

·      /se.sh

·      185.221.154[.]208

·      185.221.154[.]208

·      45.15.158[.]124

·      Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36

·      /mg

·      /ki

·      /get

·      /h2

·      /ms

·      /mu

·      vocaltube[.]ru • 185.154.53[.]140

·      92.255.110[.]4

·      194.87.254[.]160

Responder-related IoCs:

·      78.128.113[.]130

·      78.128.113[.]34

·      /awp.tar.gz

·      /ivanty

·      /resp.tar.gz

Crypto-miner related IoCs:

·      140.228.24[.]160

·      aelix[.]xyz • 104.21.60[.]147 / 172.67.197[.]200

·      c8446f59cca2149cb5f56ced4b448c8d (JA3 client fingerprint)

·      b5eefe582e146aed29a21747a572e11c (JA3 client fingerprint)

·      pool.supportxmr[.]com

·      xmr.2miners[.]com

·      xmr.2miners[.]com

·      monerooceans[.]stream

·      xmr-eu2.nanopool[.]org

Port scanner-related IoCs:

·      122.161.66[.]161

·      192.241.235[.]32

·      45.86.162[.]147

·      /ncat

·      Wget/1.14 (linux-gnu)

·      45.159.248[.]179

·      142.93.115[.]146

·      23.92.29[.]148

·      /TxPortMap

·      195.123.240.183

·      6935a8d379e086ea1aed159b8abcb0bc8acf220bd1cbc0a84fd806f14014bca7 (SHA256 hash of downloaded file)

Darktrace DETECT Model Breaches

·      Anomalous Server Activity / New User Agent from Internet Facing System

·      Device / New User Agent

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Device / New User Agent and New IP

·      Anomalous Connection / Application Protocol on Uncommon Port

·      Anomalous Connection / Callback on Web Facing Device

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Large Number of Suspicious Failed Connections

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Beacon for 4 Days

·      Compromise / Agent Beacon (Short Period)

·      Device / Large Number of Model Breaches

·      Anomalous Server Activity / Rare External from Server

·      Compromise / Large Number of Suspicious Successful Connections

·      Compromise / Monero Mining

·      Compromise / High Priority Crypto Currency Mining

·      Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

·      Device / Internet Facing Device with High Priority Alert

·      Device / Suspicious SMB Scanning Activity

·      Device / Internet Facing Device with High Priority Alert

·      Device / Network Scan

·      Device / Unusual LDAP Bind and Search Activity

·      Compliance / Vulnerable Name Resolution

·      Device / Anomalous SMB Followed By Multiple Model Breaches

·      Device / New User Agent To Internal Server

·      Anomalous Connection / Suspicious HTTP Activity

·      Anomalous Connection / Unusual Internal Connections

·      Anomalous Connection / Suspicious HTTP Activity

·      Device / RDP Scan

·      Device / Large Number of Model Breaches

·      Compromise / Beaconing Activity To External Rare

·      Compromise / Beacon to Young Endpoint

·      Anomalous Connection / Suspicious HTTP Activity

·      Compromise / Suspicious Internal Use Of Web Protocol

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Internet Facing System File Download

·      Device / Suspicious SMB Scanning Activity

·      Device / Internet Facing Device with High Priority Alert

·      Device / Network Scan

·      Device / Initial Breach Chain Compromise

References

[1] https://www.mnemonic.io/resources/blog/ivanti-endpoint-manager-mobile-epmm-authentication-bypass-vulnerability/
[2] https://www.mnemonic.io/resources/blog/threat-advisory-remote-file-write-vulnerability-in-ivanti-epmm/
[3] https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
[4] https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
[5] https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
[6] https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078?language=en_US
[7] https://www.ivanti.com/blog/cve-2023-35081-new-ivanti-epmm-vulnerability
[8] https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
[9] https://forums.ivanti.com/s/article/KB-Arbitrary-File-Write-CVE-2023-35081?language=en_US
[10] https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry
[11] https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
[12] https://forums.ivanti.com/s/article/KB-API-Authentication-Bypass-on-Sentry-Administrator-Interface-CVE-2023-38035?language=en_US
[13] https://isc.sans.edu/diary/Your+Business+Data+and+Machine+Learning+at+Risk+Attacks+Against+Apache+NiFi/29900

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Sam Lister
SOC Analyst
Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Blog

No items found.

Attack Trends: VIP Impersonation Across the Business Hierarchy

Default blog imageDefault blog image
22
Feb 2024

What is VIP impersonation?

VIP impersonation involves a threat actor impersonating a trusted, prominent figure at an organization in an attempt to solicit sensitive information from an employee.

VIP impersonation is a high-priority issue for security teams, but it can be difficult to assess the exact risks, and whether those are more critical than other types of compromise. Looking across a range of Darktrace/Email™ customer deployments, this blog explores the patterns of individuals targeted for impersonation and evaluates if these target priorities correspond with security teams' focus on protecting attack pathways to critical assets.

How do security teams stop VIP Impersonation?

Protecting VIP entities within an organization has long been a traditional focus for security teams. The assumption is that VIPs, due to their prominence, possess the greatest access to critical assets, making them prime targets for cyber threats.  

Email remains the predominant vector for attacks, with over 90% of breaches originating from malicious emails. However, the dynamics of email-based attacks are shifting, as the widespread use of generative AI is lowering the barrier to entry by allowing adversaries to create hyper-realistic emails with minimal errors.

Given these developments, it's worth asking the question – which entities (VIP/non-VIP) are most targeted by threat actors via email? And, more importantly – which entities (VIP/non-VIP) are more valuable if they are successfully compromised?

There are two types of VIPs:  

1. When referring to emails and phishing, VIPs are the users in an organization who are well known publicly.  

2. When referring to attack paths, VIPs are users in an organization that are known publicly and have access to highly privileged assets.  

Not every prominent user has access to critical assets, and not every user that has access to critical assets is prominent.  

Darktrace analysis of VIP impersonation

We analyzed patterns of attack pathways and phishing attempts across 20 customer deployments from a large, randomized pool encompassing a diverse range of organizations.  

Understanding Attack Pathways

Our observations revealed that 57% of low-difficulty attack paths originated from VIP entities, while 43% of observed low-difficulty attack paths towards critical assets or entities began through non-VIP users. This means that targeting VIPs is not the only way attackers can reach critical assets, and that non-VIP users must be considered as well.  

While the sample size prevents us from establishing statistical significance across all customers, the randomized selection lends credence to the generalizability of these findings to other environments.

Phishing Attempts  

On average, 1.35% of total emails sent to these customers exhibited significantly malicious properties associated with phishing or some form of impersonation. Strikingly, nearly half of these malicious emails (49.6%) were directed towards VIPs, while the rest were sent to non-VIPs. This near-equal split is worth noting, as attack paths show that non-VIPs also serve as potential entry points for targeting critical assets.  

Darktrace/Email UI
Figure 1: A phishing email actioned by Darktrace, sent to multiple VIP and non-VIP entities

For example, a recent phishing campaign targeted multiple customers across deployments, with five out of 13 emails specifically aimed at VIP users. Darktrace/Email actioned the malicious emails by double locking the links, holding the messages, and stripping the attachments.

Given that non-VIP users receive nearly half of the phishing or impersonation emails, it underscores the critical importance for security teams to recognize their blind spots in protecting critical assets. Overlooking the potential threat originating from non-VIP entities could lead to severe consequences. For instance, if a non-VIP user falls victim to a phishing attack or gets compromised, their credentials could be exploited to move laterally within the organization, potentially reaching critical assets.

This highlights the necessity for a sophisticated security tool that can identify targeted users, without the need for extensive customization and regardless of VIP status. By deploying a solution capable of promptly responding to email threats – including solicitation, phishing attempts, and impersonation – regardless of the status of the targeted user, security teams can significantly enhance their defense postures.

Darktrace vs Traditional Email Detection Methods

Traditional rules and signatures-based detection mechanisms fall short in identifying the evolving threats we’ve observed, due to their reliance on knowledge of past attacks to categorize emails.

Secure Email Gateway (SEG) or Integrated Cloud Email Security (ICES) tools categorize emails based on previous or known attacks, operating on a known-good or known-bad model. Even if tools use AI to automate this process, the approach is still fundamentally looking to the past and therefore vulnerable to unknown and zero-day threats.  

Darktrace uses AI to understand each unique organization and how its email environment interoperates with each user and device on the network. Consequently, it is able to identify the subtle deviations from normal behavior that qualify as suspicious. This approach goes beyond simplistic categorizations, considering factors such as the sender’s history and recipient’s exposure score.  

This nuanced analysis enables Darktrace to differentiate between genuine communications and malicious impersonation attempts. It automatically understands who is a VIP, without the need for manual input, and will action more strongly on incoming malicious emails  based on a user’s status.

Email does determine who is a VIP, without a need of manual input, and will action more strongly on incoming malicious emails.

Darktrace/Email also feeds into Darktrace’s preventative security tools, giving the interconnected AI engines further context for assessing the high-value targets and pathways to vital internal systems and assets that start via the inbox.

Leveraging AI for Enhanced Protection Across the Enterprise  

The efficacy of AI-driven security solutions lies in their ability to make informed decisions and recommendations based on real-time business data. By leveraging this data, AI driven solutions can identify exploitable attack pathways and an organizations most critical assets. Darktrace uniquely uses several forms of AI to equip security teams with the insights needed to make informed decisions about which pathways to secure, reducing human bias around the importance of protecting VIPs.

With the emergence of tools like AutoGPT, identifying potential targets for phishing attacks has become increasingly simplified. However, the real challenge lies in gaining a comprehensive understanding of all possible and low-difficulty attack paths leading to critical assets and identities within the organization.

At the same time, organizations need email tools that can leverage the understanding of users to prevent email threats from succeeding in the first instance. For every email and user, Darktrace/Email takes into consideration changes in behavior from the sender, recipient, content, and language, and many other factors.

Integrating Darktrace/Email with Darktrace’s attack path modeling capabilities enables comprehensive threat contextualization and facilitates a deeper understanding of attack pathways. This holistic approach ensures that all potential vulnerabilities, irrespective of the user's status, are addressed, strengthening the overall security posture.  

Conclusion

Contrary to conventional wisdom, our analysis suggests that the distinction between VIPs and non-VIPs in terms of susceptibility to impersonation and low-difficulty attack paths is not as pronounced as presumed. Therefore, security teams must adopt a proactive stance in safeguarding all pathways, rather than solely focusing on VIPs.  

Attack path modeling enhances Darktrace/Email's capabilities by providing crucial metrics on potential impact, damage, exposure, and weakness, enabling more targeted and effective threat mitigation strategies. For example, stronger email actions can be enforced for users who are known to have a high potential impact in case of compromise. 

In an era where cyber threats continue to evolve in complexity, an adaptive and non-siloed approach to securing inboxes, high-priority individuals, and critical assets is indispensable.  

Continue reading
About the author
Kendra Gonzalez Duran
Director of Technology Innovation

Blog

Inside the SOC

Gootloader Malware: Detecting and Containing Multi-Functional Threats with Darktrace

Default blog imageDefault blog image
15
Feb 2024

What is multi-functional malware?

While traditional malware variants were designed with one specific objective in mind, the emergence of multi-functional malware, such as loader malware, means that organizations are likely to be confronted with multiple malicious tools and strains of malware at once. These threats often have non-linear attack patterns and kill chains that can quickly adapt and progress quicker than human security teams are able to react. Therefore, it is more important than ever for organizations to adopt an anomaly approach to combat increasingly versatile and fast-moving threats.

Example of Multi-functional malware

One example of a multi-functional malware recently observed by Darktrace can be seen in Gootloader, a multi-payload loader variant that has been observed in the wild since 2020. It is known to primarily target Windows-based systems across multiple industries in the US, Canada, France, Germany, and South Korea [1].  

How does Gootloader malware work?

Once installed on a target network, Gootloader can download additional malicious payloads that allow threat actors to carry out a range of harmful activities, such as stealing sensitive information or encrypting files for ransom.

The Gootloader malware is known to infect networks via search engine optimization (SEO) poisoning, directing users searching for legitimate documents to compromised websites hosting a malicious payload masquerading as the desired file.

If the malware remains undetected, it paves the way for a second stage payload known as Gootkit, which functions as a banking trojan and information-stealer, or other malware tools including Cobalt Strike and Osiris [2].

Darktrace detection of Gootloader malware

In late 2023, Darktrace observed one instance of Gootloader affecting a customer in the US. Thanks to its anomaly-focused approach, Darktrace DETECT™ quickly identified the anomalous activity surrounding this emerging attack and brought it to the immediate attention of the customer’s security team. All the while, Darktrace RESPOND™ was in place and able to autonomously intervene, containing the suspicious activity and ensuring the Gootloader compromise could not progress any further.

In September 2023, Darktrace identified an instance of the Gootloader malware attempting to propagate within the network of a customer in the US. Darktrace identified the first indications of the compromise when it detected a device beaconing to an unusual external location and performing network scanning. Following this, the device was observed making additional command-and-control (C2) connections, before finally downloading an executable (.exe) file which likely represented the download of a further malicious payload.

As this customer had subscribed to the Proactive Notification Service (PTN), the suspicious activity was escalated to the Darktrace Security Operations Center (SOC) for further investigation by Darktrace’s expert analysts. The SOC team were able to promptly triage the incident and advise urgent follow-up actions.

Gootloader Attack Overview

Figure 1: Timeline of Anomalous Activities seen on the breach device.

Initial Beaconing and Scanning Activity

On September 21, 2023, Darktrace observed the first indications of compromise on the network when a device began to make regular connections to an external endpoint that was considered extremely rare for the network, namely ‘analyzetest[.]ir’.

Although the endpoint did not overtly seem malicious in nature (it appeared to be related to laboratory testing), Darktrace recognized that it had never previously been seen on the customer’s network and therefore should be treated with caution.  This initial beaconing activity was just the beginning of the malicious C2 communications, with several additional instances of beaconing detected to numerous suspicious endpoints, including funadhoo.gov[.]mv, tdgroup[.]ru’ and ‘army.mil[.]ng.

Figure 2: Initial beaconing activity detected on the breach device.

Soon thereafter, Darktrace detected the device performing internal reconnaissance, with an unusually large number of connections to other internal locations observed. This scanning activity appeared to primarily be targeting the SMB protocol by scanning port 445.

Within seconds of DETECT’s detection of this suspicious SMB scanning activity, Darktrace RESPOND moved to contain the compromise by blocking the device from connecting to port 445 and enforcing its ‘pattern of life’. Darktrace’s Self-Learning AI enables it to learn a device’s normal behavior and recognize if it deviates from this; by enforcing a pattern of life on an affected device, malicious activity is inhibited but the device is allowed to continue its expected activity, minimizing disruption to business operations.

Figure 3: The breach device Model Breach Event Log showing Darktrace DETECT identifying suspicious SMB scanning activity and the corresponding RESPOND actions.

Following the initial detection of this anomalous activity, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the beaconing and scanning activity and was able to connect these seemingly separate events into one incident. AI Analyst analyzes thousands of connections to hundreds of different endpoints at machine speed and then summarizes its findings in a single pane of glass, giving customers the necessary information to assess the threat and begin remediation if necessary. This significantly lessens the burden for human security teams, saving them previous time and resources, while ensuring they maintain full visibility over any suspicious activity on their network.

Figure 4: Cyber AI Analyst incident log summarizing the technical details of the device’s beaconing and scanning behavior.

Beaconing Continues

Darktrace continued to observe the device carrying out beaconing activity over the next few days, likely representing threat actors attempting to establish communication with their malicious infrastructure and setting up a foothold within the customer’s environment. In one such example, the device was seen connecting to the suspicious endpoint ‘fysiotherapie-panken[.]nl’. Multiple open-source intelligence (OSINT) vendors reported this endpoint to be a known malware delivery host [3].

Once again, Darktrace RESPOND was in place to quickly intervene in response to these suspicious external connection attempts. Over the course of several days, RESPOND blocked the offending device from connecting to suspicious endpoints via port 443 and enforced its pattern of life. These autonomous actions by RESPOND effectively mitigated and contained the attack, preventing it from escalating further along the kill chain and providing the customer’s security team crucial time to take act and employ their own remediation.

Figure 5: A sample of the autonomous RESPOND actions that was applied on the affected device.

Possible Payload Retrieval

A few days later, on September 26, 2023, Darktrace observed the affected device attempting to download a Windows Portable Executable via file transfer protocol (FTP) from the external location ‘ftp2[.]sim-networks[.]com’, which had never previously been seen on the network. This download likely represented the next step in the Gootloader infection, wherein additional malicious tooling is downloaded to further cement the malicious actors’ control over the device. In response, Darktrace RESPOND immediately blocked the device from making any external connections, ensuring it could not download any suspicious files that may have rapidly escalated the attackers’ efforts.

Figure 6: DETECT’s identification of the offending device downloading a suspicious executable file via FTP.

The observed combination of beaconing activity and a suspicious file download triggered an Enhanced Monitoring breach, a high-fidelity DETECT model designed to detect activities that are more likely to be indicative of compromise. These models are monitored by the Darktrace SOC round the clock and investigated by Darktrace’s expert team of analysts as soon as suspicious activity emerges.

In this case, Darktrace’s SOC triaged the emerging activity and sent an additional notice directly to the customer’s security team, informing them of the compromise and advising on next steps. As this customer had subscribed to Darktrace’s Ask the Expert (ATE) service, they also had a team of expert analysts available to them at any time to aid their investigations.

Figure 7: Enhanced Monitoring Model investigated by the Darktrace SOC.

Conclusion

Loader malware variants such as Gootloader often lay the groundwork for further, potentially more severe threats to be deployed within compromised networks. As such, it is crucial for organizations and their security teams to identify these threats as soon as they emerge and ensure they are effectively contained before additional payloads, like information-stealing malware or ransomware, can be downloaded.

In this instance, Darktrace demonstrated its value when faced with a multi-payload threat by detecting Gootloader at the earliest stage and responding to it with swift targeted actions, halting any suspicious connections and preventing the download of any additional malicious tooling.

Darktrace DETECT recognized that the beaconing and scanning activity performed by the affected device represented a deviation from its expected behavior and was indicative of a potential network compromise. Meanwhile, Darktrace RESPOND ensured that any suspicious activity was promptly shut down, buying crucial time for the customer’s security team to work with Darktrace’s SOC to investigate the threat and quarantine the compromised device.

Credit to: Ashiq Shafee, Cyber Security Analyst, Qing Hong Kwa, Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore

Appendices

Darktrace DETECT Model Detections

Anomalous Connection / Rare External SSL Self-Signed

Device / Suspicious SMB Scanning Activity

Anomalous Connection / Young or Invalid Certificate SSL Connections to Rare

Compromise / High Volume of Connections with Beacon Score

Compromise / Beacon to Young Endpoint

Compromise / Beaconing Activity To External Rare

Compromise / Slow Beaconing Activity To External Rare

Compromise / Beacon for 4 Days

Anomalous Connection / Suspicious Expired SSL

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Compromise / Sustained SSL or HTTP Increase

Compromise / Large Number of Suspicious Successful Connections

Compromise / Large Number of Suspicious Failed Connections

Device / Large Number of Model Breaches

Anomalous File / FTP Executable from Rare External Location

Device / Initial Breach Chain Compromise

RESPOND Models

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network/Insider Threat/Antigena Network Scan Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

List of Indicators of Compromise (IoCs)

Type

Hostname

IoCs + Description

explorer[.]ee - C2 Endpoint

fysiotherapie-panken[.]nl- C2 Endpoint

devcxp2019.theclearingexperience[.]com- C2 Endpoint

campsite.bplaced[.]net- C2 Endpoint

coup2pompes[.]fr- C2 Endpoint

analyzetest[.]ir- Possible C2 Endpoint

tdgroup[.]ru- C2 Endpoint

ciedespuys[.]com- C2 Endpoint

fi.sexydate[.]world- C2 Endpoint

funadhoo.gov[.]mv- C2 Endpoint

geying.qiwufeng[.]com- C2 Endpoint

goodcomix[.]fun- C2 Endpoint

ftp2[.]sim-networks[.]com- Possible Payload Download Host

MITRE ATT&CK Mapping

Tactic – Technique

Reconnaissance - Scanning IP blocks (T1595.001, T1595)

Command and Control - Web Protocols , Application Layer Protocol, One-Way Communication, External Proxy, Non-Application Layer Protocol, Non-Standard Port (T1071.001/T1071, T1071, T1102.003/T1102, T1090.002/T1090, T1095, T1571)

Collection – Man in the Browser (T1185)

Resource Development - Web Services, Malware (T1583.006/T1583, T1588.001/T1588)

Persistence - Browser Extensions (T1176)

References

1.     https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/gootloader

2.     https://redcanary.com/threat-detection-report/threats/gootloader/

3.     https://www.virustotal.com/gui/domain/fysiotherapie-panken.nl

Continue reading
About the author
Ashiq Shafee
Cyber Security Analyst

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
Cloud-based deployment.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.