NDR POW (12/16) Trickbot/RYUK Variant throw-down

Really REALLY nasty Trickbot variant observed last week. A few things to share. Yes, I’ve posted about this before, but I recently saw some of this in the wild again.

First, special thanks to abuse.ch for maintaining the Feodo Botnet list; also, tip-o-the-hat to John Althouse, Josh Atkins and Jeff Atkinson, as the JA3 matches added great context.

We noticed that we had a myriad of SSL connections with the following characteristics:
1.) The Host (SNI), Cert Issuer and Cert Subject were all null
2.) The certificate is Self-Signed
3.) Host was non-RFC1918 (external)
4.) The Cert was less than a week old (sometimes a few hours old)

If you look at line 29 of the trigger, you will see the criteria we are using to create the custom detection. We evaluate these criteria in-flight within milliseconds — no logs, no endpoints.

In a few cases, we had a little less than a dozen hosts that were NOT YET on any blacklists or CTI. The key here is that the behavior was shady, so we flagged it; we then cross-checked the JA3s, only to see PowerShell_dropper, sodinokibi and OSTP-Backswap matches.

If you have external connections matching these criteria, it is, AT A BARE MINIMUM, worthy of investigation and, in all likelihood, shady as “#$&@!”

For a self-signed certificate to be accepted without an error, the host has to trust the rogue CA. That implies your adversary has already evaded or disabled EDR, and the SIEM forwarders have likely suffered the same fate.

We have been called in a few times to respond to these types of events, and have learned a few key things:
1.) Your EDR will tell you about infected systems ONLY for THOSE systems that it is running on.
2.) In today’s enterprise, it is almost impossible to guarantee that EDR clients are installed even on the systems that can support them, much less on IoT systems where you cannot install an EDR agent or SIEM forwarder at all.
3.) There is NO SCENARIO where you would have a legit SSL session with a server matching these criteria!
4.) You NEED NDR!!!

Events: SSL_OPEN

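// Type trigger code below
//
// Flags SSL_OPEN events to external servers that present a brand-new,
// self-signed certificate with no SNI, no issuer and no subject. Events that
// carry no certificate at all are cross-checked against threat intel instead.
// Relies on the trigger globals Flow, SSL, GeoIP, ThreatIntel, log(), and on
// detect() defined below.

// Internal (RFC1918) servers are out of scope for this trigger.
if (!Flow.server.ipaddr.isExternal) { return; }

const cip = Flow.client.ipaddr;
const sip = Flow.server.ipaddr;

//####################################################################################################################
//# After getting some null-check errors, I decided to check SSL_OPEN events that were missing Cert Info against CTI #
//####################################################################################################################
if (!SSL.certificate) {
    if (ThreatIntel.hasIP(sip)) {
        log(`Missing Cert CTI Match: ${sip}\n${JSON.stringify(SSL.record)}`);
    }
    return;
}

const cert = SSL.certificate;

// Certificates issued within this many days are treated as suspiciously new.
const MAX_CERT_AGE_DAYS = 7;

// notBefore is scaled by 1000 here, so it is assumed to be seconds since the
// epoch -- confirm against the trigger API reference.
const issueDate = new Date(cert.notBefore * 1000);

// Cutoff kept as a real Date; the bare setDate() call returned only a timestamp.
const newCertCutoff = new Date();
newCertCutoff.setDate(newCertCutoff.getDate() - MAX_CERT_AGE_DAYS);

// Look the country up once; a missing entry must not throw.
const country = GeoIP.getCountry(sip);
const geoLoc = country == null ? "Not In Maxmind" : country.countryName;

// All three identity fields must be absent. `== null` also covers undefined, so
// a field the platform omits entirely does not silently disable the check.
// Subject is included because it is part of the stated criteria; on a
// self-signed cert issuer and subject are the same name, so it is expected to
// be null whenever issuer is.
const missingIdentity = SSL.host == null && cert.issuer == null && cert.subject == null;

if (issueDate > newCertCutoff && missingIdentity && cert.isSelfSigned) {
    detect();
    log(`SSL Detection Fired: ${issueDate.toLocaleDateString('en-US')} ${cip}:${sip} ` +
        `${cert.isSelfSigned} ${SSL.clientCertificateRequested} ${SSL.host} ${cert.issuer} ` +
        `${geoLoc} ${SSL.ja3sHash} ${SSL.clientSessionId} ${SSL.serverSessionId}`);
}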

function detect() {
var cip = Flow.client.ipaddr;
var sip = Flow.server.ipaddr;
if(SSL.host === null) { sslhost = "Unknown"; } else { var sslhost = SSL.host; }

commitDetection('SuspectSSL', {
    categories: ['sec.caution'],
    title: cip + ' observed connecting to ' + sip + ' located in ' + geoLoc + ' JA3: ' + SSL.ja3sHash,
    participants: [
    { role: 'offender', object: Flow.server.device },
    { role: 'victim', object: Flow.client.device }
],
description: '- **Reason: ** Suspect SSL Peer'  + "\n\n " +
             ' The SSL peer is missing the following fields:' + "\n " +
             ' Host(SNI), Issuer, Subject and is Self-Signed' + "\n\n " +
             ' this type of communication is consistent with BOTNET/C2 and Exfiltration' ,
//"**For PCAP Click Here:* [click this link]("+pcapUrl+") \n\n Download the PCAP to investigate." + "\n\n" ,
identityKey: [
    Flow.server.ipaddr,
    Flow.client.ipaddr,
    SSL.ja3sHash
].join('!!'),
riskScore: 90
})