Threat Thursday - Evading Defenses with ISO files like NOBELIUM
June 17, 2021
Evading Defenses with ISO files like NOBELIUM
Microsoft released a blog post late on Thursday May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, where they compromised Constant Contact to send malicious emails with a weaponized ISO file. We had not considered nor documented using an ISO file as a defense evasion method so we started looking into it after this report was published. Matt Graber was quick in putting together a PowerShell script that highlights why attackers likely choose ISO/IMG as a delivery mechanism: it evades SmartScreen because Mark-of-the-Web (MOTW) cannot be applied to non NTFS volumes. For this post, we look at the recent attack from NOBELIUM and show how to emulate these techniques with SCYTHE. We also committed an atomic test to the Atomic Red Team project.
Cyber Threat Intelligence
Microsoft was quick to release an alert and then a number of follow up posts when it realized that NOBELIUM, the same threat actor behind the attacks against SolarWinds, SUNBURST, TEARDROP, and GoldMax, compromised Constant Contact:
Cyber Threat Intelligence reports can be dense and long, so here is a quick summary:
- NOBELIUM, the Russian threat actor behind SolarWinds, compromised the Constant Contact account of USAID: T1584.006
- Constant Contact is an email service to send newsletters and updates to anyone that subscribes. This is significant because most subscribers are accustomed to receiving emails from USAID via Constant Contact and are essentially a known, trusted email they are used to receiving: T1566.003
- NOBELIUM sends emails to USAID subscribers with a link that downloads an ISO file: T1566.002
- ISO files are images that can be mounted as “Disk Drives”. Opening an ISO file bypassed Mark-of-the-Web security control, evading defenses: T1553.005
- The ISO file contained a decoy PDF file, a DLL, and a shortcut file that executed Rundll32.exe: T1204.002 & T1218.011
After analyzing the provided CTI from Microsoft, we organize this into a plan:
Packaging a payload in an ISO image file is interesting because when downloaded from the internet, it will bypass the Mark-of-the-Web security controls. As we like to map to MITRE ATT&CK, this technique most closely resembles T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass. We went ahead and documented this in our Community Threats GitHub under the Compound Actions folder and also committed the test to the Atomic Red Team project as it did not have any tests for T1553.005.
While compromising a third-party web service and sending email through that service will be out of scope for most Red and Purple Team engagements, we can emulate the other adversary behaviors to test attack, detect, and respond.
- Set up Command and Control (C2) using HTTPS and generate a DLL payload. If you are a SCYTHE user, create a new SCYTHE campaign, download a 32-bit or 64-bit DLL with the entry-point function name of "PlatformClientMain".
- Copy the src folder from our GitHub to a working directory on your Windows system. Note we are using the Folder2Iso project to create the ISO.
- Copy and rename the DLL payload to DOCUMENTS.dll and put it in the Folder2Iso of the working directory
- In the Folder2Iso directory, create a shortcut called Reports and set the Target to: C:\Windows\System32\rundll32.exe "DOCUMENTS.DLL",PlatformClientMain
- Open a Windows command prompt and cd to the working directory. Run Folder2Iso.exe "Folder2Iso" "%USERPROFILE%\Downloads\T1553.005.iso" "DECLASS" 0 0 0 "None". This will take all the content of the Folder2Iso folder and create an ISO of it.
- Email the ISO file, host it on a web server and send a phishing link, double click it on your host, and/or execute from command line with powershell Mount-DiskImage -ImagePath "%USERPROFILE%\Downloads\NOBELIUM.iso"
- In the newly mounted drive, double clicking the Reports shortcut which will launch the DOCUMENTS.dll SCYTHE Campaign.
If you would like to test this from an automated perspective, you can download the ISO file from the VFS directory to your VFS:/shared/ISO directory and run the compound action from our Community Threats Compound Actions GitHub.
Detect and Respond
This technique and procedure brings many test cases to mind that you can easily test with the procedure we have documented in this post. For detection engineering, we have a number of hypothesis that come to mind:
- ISO file downloaded from Internet by non-IT user is suspicious
- ISO file sent via email is suspicious
- ISO mounted is suspicious on non-IT user systems
- Process execution from a mounted drive is suspicious
- Network connection from a process that runs from a mounted drive is suspicious
After emulating the attack, you now know where you stand. For each control, determine if the adversary behavior was:
- Log locally
- Log centrally
If not, the recommendations are:
- Detect downloading of ISO from the Internet and prevent the download by users that do not require that capability.
- Detect ISO being sent via email and prevent the file type for users that do not require that capability.
- Detect mounting of ISO on systems that do not require this functionality
- Monitor the execution and arguments of rundll32.exe.
Depending on your defensive stack, here are some great resources for detecting these behaviors:
- Defender by @Cyb3rMonk
- Sentinel/Sysmon by @Cyb3rMonk
- Yara by @cyb3rops
- Other detection ideas by @BlackMatter23
Understanding adversary behaviors and recent attacks provide numerous test cases that may have not been tested in your environment. As attackers show these new behaviors, it is important to attack, detect, and respond to them. This involves testing, measuring, and training your people, process, and technology on a cyclical basis.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.