TryHackMe – Warzone 1 writeup

This is another Blue Team practice room on TryHackMe. I’ve been collecting defense- and forensics-focused rooms to gain more hands-on experience.
The available tools were Wireshark, Brim and NetworkMiner.
This was a nice and short room; enjoy the writeup.

Scenario

You work as a Tier 1 Security Analyst L1 for a Managed Security Service Provider (MSSP). Today you’re tasked with monitoring network alerts.

A few minutes into your shift, you get your first network case: Potentially Bad Traffic and Malware Command and Control Activity detected. Your race against the clock starts. Inspect the PCAP and retrieve the artifacts to confirm this alert is a true positive.

Investigation

  • What was the alert signature for Malware Command and Control Activity Detected?
    ET Malware MirrorBlast CnC Activity M3
  • What is the source IP address? Enter your answer in a defanged format.
  • What IP address was the destination IP in the alert? Enter your answer in a defanged format.

    The answers to these questions are also in the above screenshot.
  • Inspect the IP address in VirusTotal. Under Relations > Passive DNS Replication, which domain has the most detections? Enter your answer in a defanged format. 

  • Still in VirusTotal, under Community, what threat group is attributed to this IP address?
    TA505


  • What is the malware family?
    MirrorBlast

  • Do a search in VirusTotal for the domain from question 4. What was the majority file type listed under Communicating Files?


  • Inspect the web traffic for the flagged IP address; what is the user-agent in the traffic?
    REBOL View 2.7.8.3.1
  • Retrace the attack; there were multiple IP addresses associated with this attack. What were two other IP addresses? Enter the IP addresses defanged and in numerical order. (format: IPADDR,IPADDR)
    185[.]10[.]68[.]235,192[.]36[.]27[.]92

  • What were the file names of the downloaded files? Enter the answer in the same order as the IP addresses from the previous question. (format: file.xyz,file.xyz)
    filter.msi,10opd3r_load.msi

  • Inspect the traffic for the first downloaded file from the previous question. Two files will be saved to the same directory. What is the full file path of the directory and the name of the two files? (format: C:\path\file.xyz,C:\path\file.xyz)
    C:\ProgramData\001\arab.bin,C:\ProgramData\001\arab.exe
    I found this answer by inspecting the sniffed packets. It was possible to see it directly in Wireshark, but an alternative would have been to export the actual file from the HTTP stream and use a program like strings to gather the information.

  • Now do the same and inspect the traffic from the second downloaded file. Two files will be saved to the same directory. What is the full file path of the directory and the name of the two files? (format: C:\path\file.xyz,C:\path\file.xyz)
    C:\ProgramData\Local\Google\rebol-view-278-3-1.exe,C:\ProgramData\Local\Google\exemple.rb
    Same procedure as explained above.
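The two things the last few questions come down to are (1) pulling the user-agent and the download chain out of the HTTP traffic in the right order and defanged, and (2) finding the drop paths inside an exported payload without reading it packet by packet. The script below is an added example, not code from the room or from Morphisec: it parses a constructed, Zeek/Brim-style http.log excerpt and scans a constructed stand-in for an exported MSI for Windows paths, in both plain ASCII and UTF-16LE (the encoding a plain `strings` run misses unless you pass `-e l`). The IPs, host names and blob contents are made up for the example; the function names (`download_chain`, `extract_windows_paths`, and so on) are my own, not any tool's API.

```python
"""Triage helpers for retracing a download chain like the one in this room.

Added example, not code from the TryHackMe room or from Morphisec.  The
http.log lines and the exported-file blob below are constructed to look
like Brim/Zeek output and an HTTP object exported from Wireshark; the
hosts, IPs and file names in them are illustrative, not the room's data.
"""
import re
from ipaddress import ip_address

# Constructed, Zeek-style http.log excerpt (tab-separated, reduced columns).
SAMPLE_HTTP_LOG = """\
#fields\tts\torig_h\tresp_h\tmethod\thost\turi\tuser_agent
1634000001.10\t10.0.0.5\t203.0.113.10\tGET\tstage.example\t/filter.msi\tMozilla/4.0
1634000002.20\t10.0.0.5\t198.51.100.7\tGET\tstage2.example\t/10opd3r_load.msi\tMozilla/4.0
1634000003.30\t10.0.0.5\t192.0.2.44\tGET\tc2.example\t/checkin\tREBOL View 2.7.8.3.1
1634000004.40\t10.0.0.5\t192.0.2.44\tPOST\tc2.example\t/beacon\tREBOL View 2.7.8.3.1
"""
FIELDS = ("ts", "orig_h", "resp_h", "method", "host", "uri", "user_agent")


def parse_http_log(text):
    """Parse the reduced http.log format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip Zeek header/comment lines
        records.append(dict(zip(FIELDS, line.split("\t"))))
    return records


def defang(indicator):
    """Defang an IP, domain or URL the way the room expects answers."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def user_agents_for(records, server_ip):
    """Distinct User-Agent strings seen in requests to one server IP."""
    return sorted({r["user_agent"] for r in records if r["resp_h"] == server_ip})


def download_chain(records, suffixes=(".msi", ".exe", ".dll")):
    """Servers that delivered a payload, with the first file each served.

    Returns (defanged IPs in numerical order, file names in that same order),
    which is the answer format the room asks for.
    """
    first_file = {}
    for r in records:
        name = r["uri"].rsplit("/", 1)[-1]
        if name.lower().endswith(suffixes):
            first_file.setdefault(r["resp_h"], name)
    ordered = sorted(first_file, key=ip_address)  # numeric, not string, order
    return (",".join(defang(ip) for ip in ordered),
            ",".join(first_file[ip] for ip in ordered))


# A Windows path as it appears in a plain-ASCII string...
ASCII_PATH_RE = re.compile(rb"[A-Za-z]:\\[\w.\-\\]+")
# ...and the same thing in UTF-16LE, where every character is followed by NUL.
UTF16_PATH_RE = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\w.\-\\]\x00)+")


def extract_windows_paths(blob):
    """Return the distinct Windows paths embedded in a binary, in file order."""
    found = []
    for m in ASCII_PATH_RE.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_PATH_RE.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    paths = []
    for _, p in sorted(found):
        p = p.rstrip("\\")
        if p not in paths:
            paths.append(p)
    return paths


# Constructed stand-in for an MSI exported from the HTTP stream: the OLE
# compound-file magic, some padding, an ASCII custom-action command line and
# one UTF-16LE property value.  Not a real sample.
SAMPLE_EXPORT = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 12
    + b"cmd /c copy C:\\ProgramData\\001\\arab.bin C:\\ProgramData\\001\\arab.exe\x00"
    + "C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    print("UA on C2 host:", user_agents_for(recs, "192.0.2.44"))
    print("Download chain:", download_chain(recs))
    print("Paths in export:", extract_windows_paths(SAMPLE_EXPORT))
```

For a real capture, `zeek -r capture.pcap` produces an http.log whose `#fields` header tells you which columns to put in FIELDS, and the exported object from Wireshark (File > Export Objects > HTTP) can be read with `open(path, "rb").read()` and handed to `extract_windows_paths`. Sorting the IPs with `ipaddress.ip_address` rather than as strings matters for the room's "numerical order" requirement: as plain strings "198.51.100.7" and "203.0.113.10" happen to sort the same way, but "9.x" would sort after "185.x".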

MirrorBlast

MirrorBlast is a malware campaign that primarily targets financial services organizations through phishing emails. The emails carry malicious links that download a weaponized Excel document.

The MirrorBlast campaign was found to have begun in 2021. Its tactics, techniques, and procedures resemble those of the threat group TA505, which is the attribution that came up during the investigation (VirusTotal Community). The similarities extend to the attack chain, the functionality, the final payload, and the domain name patterns.

The weaponized document uses macros, scripts for automating tasks, to carry out its malicious activity. While macros are disabled in Excel by default, the attackers rely on social engineering to trick victims into enabling them. In this capture the two .msi downloads are the stage that follows the macro: the second installer drops the REBOL interpreter (rebol-view-278-3-1.exe) together with a script (exemple.rb), which is why the traffic to the flagged IP carries the REBOL View user-agent.

Morphisec found two variants of the MSI installer, built around the legitimate scripting tools KiXtart and REBOL; as seen during the investigation, the REBOL variant was used in this case.

Conclusion

Nice room. It was easy, but it let me practice some foundational techniques of the SOC analyst role, and I also got to learn more about the MirrorBlast malware.