- November 13, 2024
- Beazley Security Labs
Hunting Mice In Tunnels
Threat Actor abusing free Cloudflare Argo Tunnels for C2 contained by Beazley Security MDR.
Executive Summary
Earlier this week, Beazley Security Managed Extended Detection and Response (MXDR) identified and thwarted a threat actor within a client's environment. As part of our investigation, we identified tactics, techniques, and procedures (TTPs) and recently compiled executables that are not commonly encountered in our regular investigations. The threat actor employed an unusual method in an attempt to hide malware command and control (C2) traffic, along with freshly compiled payloads that exhibited low initial detection rates on VirusTotal. This case presented several interesting techniques that prompted our MDR team to engage Beazley Security Labs for further investigation. We are sharing aspects of our analysis of this activity to assist other organizations in detecting and defending against the TTPs we observed.
Note: This blog post covers some of the initial activity that Beazley Security MDR observed; we'll be publishing a follow-up blog post with additional analysis of other binaries dropped during the campaign.
Beazley Security Labs would like to thank Ralph Bailey, Kelsey O'Connell, and Troy Walters from Beazley Security MDR for their investigative efforts used to describe the timeline of events in this blog post, along with their support in pulling suspicious binaries dropped as part of this attack. Beazley Security Labs would also like to thank Tom Hegel at Sentinel One for his guidance and assistance in the initial phases of this investigation.
Incident Details
This investigation began when our MXDR solution generated the following alerts by leveraging raw Endpoint Detection and Response (EDR) telemetry:
- Outbound network connection via command line PowerShell
- Domain account discovery via `net.exe`
- Execution of `nltest`
This activity occurred within a short amount of time on the same endpoint at a specific client site, so our MXDR solution correlated the alerts and escalated them as a group. Our SOC team identified that the activity originated with a malicious executable being downloaded and executed via obfuscated PowerShell. We have taken to calling the malicious DLL it drops 'Dormouse' for reasons we will explain below. The threat actor then followed up by installing CrossTec Remote Control, a remote administration tool created by a legitimate software company.
The threat actor quickly moved to reconnaissance of the internal environment: enumerating possible Active Directory domain controllers and domain admins, extracting the Security Account Manager (SAM) registry hive for user passwords, and checking user permissions. Some of the threat actor's tools also began establishing persistence through Windows Autorun registry keys and the Windows task scheduler. Given all of the activity observed, Beazley Security MDR immediately reacted to contain the activity by isolating the endpoint from the network.
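The correlation step described above, as an added example that is not Beazley Security's own detection content: a small Python rule set run over constructed process-creation events. The rules match the command lines this post reports (the PowerShell identity check, `net`/`net1` domain enumeration, `nltest`, the SAM export), and a host is escalated only when several distinct rules fire within a time window, so a lone `nltest` on an administrator's workstation does not page anyone. The event tuple layout, host names, timestamps and the 30-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events; NOT the incident's real telemetry.
# Tuple fields: ISO timestamp, hostname, parent image, command line.
EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-11-11T09:00:05", "WS-0142", "rundll32.exe",
     'powershell.exe -c "[Security.Principal.WindowsIdentity]::GetCurrent().Name"'),
    ("2024-11-11T09:02:10", "WS-0142", "cmd.exe", 'net.exe group "Domain Admins" /domain'),
    ("2024-11-11T09:02:41", "WS-0142", "cmd.exe", "nltest /dclist"),
    ("2024-11-11T09:03:02", "WS-0142", "cmd.exe", "nltest /domain_trusts"),
    ("2024-11-11T09:15:30", "WS-0142", "cmd.exe", "reg save HKLM\\sam sam"),
    # A lone nltest on an admin workstation: one rule, must not escalate by itself.
    ("2024-11-11T10:30:00", "ADMIN-07", "cmd.exe", "nltest /dclist"),
]

# Command-line patterns taken from the activity described in this post. The random
# rundll32 path and DLL name are deliberately NOT a rule: the post notes they are
# generated per infection.
RULES: Dict[str, re.Pattern] = {
    "ps_identity_check": re.compile(r"WindowsIdentity\]::GetCurrent\(\)\.Name", re.I),
    "domain_admin_enum": re.compile(r'\bnet1?(\.exe)?\s+group\s+"Domain Admins"\s+/domain', re.I),
    "user_enum": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/domain", re.I),
    "dc_enum": re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts)\b", re.I),
    "sam_export": re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\sam\b", re.I),
}


def match_rules(cmdline: str) -> Set[str]:
    """Return the names of every rule that fires on one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def correlate(events, window: timedelta = timedelta(minutes=30),
              min_distinct: int = 2) -> Dict[str, List[str]]:
    """Escalate a host when at least `min_distinct` different rules fire within
    `window` of each other. Returns {host: sorted rule names} for escalated hosts."""
    hits = defaultdict(list)
    for ts, host, _parent, cmd in events:
        names = match_rules(cmd)
        if names:
            hits[host].append((datetime.fromisoformat(ts), names))

    escalated: Dict[str, List[str]] = {}
    for host, seq in hits.items():
        seq.sort(key=lambda item: item[0])
        for i, (t0, _) in enumerate(seq):
            fired: Set[str] = set()
            for t, names in seq[i:]:
                if t - t0 > window:
                    break
                fired |= names
            if len(fired) >= min_distinct:
                escalated[host] = sorted(fired)
                break
    return escalated


if __name__ == "__main__":
    for host, rules in correlate(EVENTS).items():
        print(f"{host}: escalate ({', '.join(rules)})")
```

The sliding window starts at each hit in turn, so a burst that begins late in a long session is still caught; lowering `min_distinct` to 1 turns the same rules into plain single-event alerts.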
A condensed kill chain is presented below, and a more detailed timeline can be found in the appendix.
Figure 1: Threat Campaign Kill Chain
The Downloader (Dormouse)
Beazley Security Labs chose to focus analysis on the binary that performs the initial C2 callback to the Cloudflare tunnels. On the surface, this file (asdin2oe.exe) looks like a PyInstaller package. PyInstaller is a legitimate packaging system for delivering Python scripts as standalone Windows executables. As such, the file drops a lot of Python-related libraries but does not appear to drop an actual packaged Python script. What it does drop is a small DLL file that it executes via `rundll32`:
rundll32.exe C:\Users\<USER>\AppData\Roaming\qWDwLtxA\3bXh3hAE.ywe start
Note: the path and executable names above were dynamically generated by the downloader and should not be used for detection rules.
This small DLL has an encoded configuration that it decodes during runtime using a large XOR key:
Figure 2: Downloader Decoding C2 Configuration
There are a few things in the decoded configuration block, but these three are most interesting:
- PowerShell that checks privileges before executing `systeminfo`
- Hard-coded HTTP POST headers used when connecting back to C2
- Six hard-coded Cloudflare tunnel domains; Dormouse randomly selects one to connect to
Before connecting back to its randomly selected C2, this downloader will:
- Take the output from the `systeminfo` command execution mentioned above
- Prepend a hardcoded value (in our case, `01075\n`)
- XOR this data with a hardcoded key (in our case, `0x78`)
This XOR'd data is the payload sent back to C2 upon callback.
Figure 3: XOR'd `systeminfo` output prior to C2
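The encoding described above, worked through as an added example that is not Beazley Security's own tooling: a decoder for a captured callback body. Because the prefix and the single-byte key are reported here for one sample only, the example goes slightly beyond the text and also recovers the key by trying all 256 single-byte values and checking which one yields `systeminfo`-looking text. The sample `systeminfo` output and the marker strings used to recognise it are constructed assumptions.

```python
from typing import Optional, Tuple

# Values the post reports for this sample; other samples may differ, which is
# why recover_key() below does not depend on them.
PREFIX = b"01075\n"
KEY = 0x78

# Marker lines used to recognise decoded systeminfo output (constructed choice;
# they appear in an English-locale systeminfo dump).
SYSTEMINFO_MARKERS = (b"Host Name:", b"OS Name:", b"System Boot Time:")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_systeminfo(text: bytes) -> bool:
    """True when at least two of the marker lines are present."""
    return sum(marker in text for marker in SYSTEMINFO_MARKERS) >= 2


def recover_key(body: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the first one whose
    output reads as systeminfo output; None if none works (a different
    encoding than the one described here)."""
    for key in range(256):
        if looks_like_systeminfo(xor_bytes(body, key)):
            return key
    return None


def decode_callback(body: bytes, key: int = KEY,
                    prefix: bytes = PREFIX) -> Tuple[bool, bytes]:
    """Decode a captured POST body. Returns (prefix_matched, payload): when the
    expected hardcoded prefix is present it is stripped, otherwise the raw
    decoded bytes are returned so an analyst can inspect a variant."""
    plain = xor_bytes(body, key)
    if plain.startswith(prefix):
        return True, plain[len(prefix):]
    return False, plain


# Constructed stand-in for a victim's systeminfo output (not real host data),
# encoded exactly as described above so there is a body to decode.
SAMPLE_SYSTEMINFO = (
    b"Host Name:                 WS-0142\r\n"
    b"OS Name:                   Microsoft Windows 11 Pro\r\n"
    b"System Boot Time:          11/11/2024, 8:41:02 AM\r\n"
)
CAPTURED_BODY = xor_bytes(PREFIX + SAMPLE_SYSTEMINFO, KEY)

if __name__ == "__main__":
    key = recover_key(CAPTURED_BODY)
    if key is None:
        key = KEY
    ok, payload = decode_callback(CAPTURED_BODY, key=key)
    print(f"key=0x{key:02x} prefix_ok={ok}")
    print(payload.decode("ascii", errors="replace"))
```

When `decode_callback` returns `False`, the decoded bytes are still worth reading: a different numeric prefix with the same structure points at another build of the same downloader.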
Once we knew a little about this small downloader DLL, we used its static attributes and dynamic behaviors to search for more samples of it in VirusTotal. A few of the behaviors we pivoted searches on included:
- Consistent C2 URL pattern: `<x>-<x>-<x>-<x>.trycloudflare[.]com/init1234`
- Runs `systeminfo` (the output is part of the C2 callback)
- A DLL with just two exports: `DllEntryPoint` and `start`
- PowerShell calling `[Security.Principal.WindowsIdentity]::GetCurrent().Name`
Through these searches, we found eight additional samples of this downloader. All eight appeared to have been originally packaged in PyInstaller packages. The two earliest submitted samples had the lowest detection rates, showing how benign software package systems can be used to deliver malware.
Each sample of this downloader has a random word set as its internal product name (we saw ‘shiniest’, ‘vacuuming’, ‘misspellings’, etc.), and the one that found its way into our client environment was named ‘dormouse’.
Figure 4: Internal filename for downloader
A dormouse is a very small type of rodent, which is coincidentally fitting, as this is a relatively small binary. There is quite a bit of junk code, but the functional parts appear to just check in to C2, download payloads, and execute them. There does not appear to be any kind of remote-control functionality or command processing. Hence, we started referring to this downloader internally as 'dormouse' and integrated the name into the theme of this blog post.
Abusing Cloudflare Tunnels
The domains used for dormouse's C2 were also interesting. At first glance, the six hardcoded C2 domains used by the downloader appeared to be attacker-controlled domains masquerading as a legitimate service. The general pattern was four random words, hyphen-separated, prepended to `trycloudflare.com`:
<x>-<x>-<x>-<x>.trycloudflare[.]com
The `trycloudflare.com` domain is a legitimate Cloudflare service that lets users create "Cloudflare Argo Tunnels" with a single command, even without an account, as seen in the image below:
Figure 5: Overview of try.cloudflare.com
The service creates a random temporary domain using the scheme described above and tunnels traffic for that domain to a server defined by the user. The service is free and fully automated. You can read Cloudflare's service documentation here.
While it is great for potential Cloudflare customers, it is not as great for network defenders, as threat actors gain yet another way to generate quick throwaway domains that tunnel traffic through a trusted service. Threat actors realized this quickly and have been abusing it since at least January 2023, as reported by Phylum. There was also a report of various commodity RATs and worms using this technique earlier this year, as reported by Proofpoint. As organizations move more and more to the cloud, we expect more service providers to offer similar services, such as the Microsoft Dev Tunnels described here.
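The URL pattern from the VirusTotal pivot list and the quick-tunnel naming scheme described in this section, turned into proxy-log detection logic as an added example (not Beazley Security's own rules). It ranks each request: a hit on one of the six tunnel domains from this post's IOC table, then the `/init1234` path on any quick-tunnel host, then any quick-tunnel host at all, since the domains are throwaway by design and rarely have a business reason to appear in an enterprise proxy log. The log line layout and all client addresses and hostnames other than the first are constructed; the `[a-z0-9]` label class is deliberately looser than the word-only names the service issues.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Quick-tunnel hostnames: four hyphen-separated labels under trycloudflare.com.
# Kept loose ([a-z0-9]) on purpose; the real service issues word-based labels.
QUICK_TUNNEL_HOST = re.compile(r"^(?:[a-z0-9]+-){3}[a-z0-9]+\.trycloudflare\.com$", re.I)
DORMOUSE_PATH = "/init1234"

# The six tunnel domains listed in this post's IOC table.
KNOWN_C2 = {
    "drum-drilling-gale-hourly.trycloudflare.com",
    "kingdom-skirt-rail-michael.trycloudflare.com",
    "efforts-fur-wiley-cells.trycloudflare.com",
    "milan-perfectly-narrow-lunch.trycloudflare.com",
    "person-satellite-excessive-labor.trycloudflare.com",
    "valued-tooth-appearance-wrist.trycloudflare.com",
}

# Constructed proxy log excerpt: "<timestamp> <client> <method> <url> <status>".
# Only the first hostname comes from the post; the rest is made up, none is real traffic.
PROXY_LOG = """\
2024-11-11T09:05:12Z 10.20.30.42 POST https://drum-drilling-gale-hourly.trycloudflare.com/init1234 200
2024-11-11T09:05:40Z 10.20.30.42 POST https://brave-lamp-quiet-river.trycloudflare.com/init1234 200
2024-11-11T09:06:01Z 10.20.30.77 GET https://shiny-tree-calm-house.trycloudflare.com/ 200
2024-11-11T09:06:30Z 10.20.30.99 GET https://www.cloudflare.com/ 200
"""


def classify(url: str) -> str:
    """Rank a URL: known IOC > Dormouse path on a quick tunnel > any quick tunnel > benign."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_C2:
        return "known_dormouse_c2"
    if QUICK_TUNNEL_HOST.match(host):
        # The path is only visible with TLS inspection; without it, every
        # quick-tunnel host is still worth a review.
        return "dormouse_pattern" if parts.path == DORMOUSE_PATH else "quick_tunnel"
    return "benign"


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, verdict) for every non-benign log line."""
    findings = []
    for line in log_text.strip().splitlines():
        _ts, client, _method, url, _status = line.split()
        verdict = classify(url)
        if verdict != "benign":
            findings.append((client, urlsplit(url).hostname, verdict))
    return findings


if __name__ == "__main__":
    for client, host, verdict in scan(PROXY_LOG):
        print(f"{verdict:18} {client:12} {host}")
```

Where the proxy only sees TLS SNI, drop the path test and treat `quick_tunnel` as the actionable verdict; a hard block on `*.trycloudflare.com` is reasonable in most enterprises, but confirm no developer workflow depends on the service first.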
Indicators of Compromise (IOCs)
Indicator | Description |
---|---|
d8c57b8eae713dc3c711b5a0aee91e7a | MD5 of the PyInstaller dropper for dormouse (active.exe, asdin2oe.exe) |
e8b664c677d031f1a35d08980a5c55a4 | MD5 of the dormouse downloader DLL (XdkZ46ju.tgG) |
%APPDATA%\Roaming\0neNote\client32.exe (MD5 9497aece91e1ccc495ca26ae284600b9) | Target download location for CrossTec Remote Control |
bersandarpijar[.]com/active.exe | Download URL for the PyInstaller dropper active.exe |
drum-drilling-gale-hourly.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
kingdom-skirt-rail-michael.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
efforts-fur-wiley-cells.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
milan-perfectly-narrow-lunch.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
person-satellite-excessive-labor.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
valued-tooth-appearance-wrist.trycloudflare[.]com | Cloudflare Tunnel domain abused in this campaign |
Conclusion
The cybersecurity industry has always been a cat-and-mouse game. To avoid detection, threat actors leverage a variety of techniques, legitimate software, and legitimate services to try to "blend in" with the huge volume of legitimate activity in an average organization's IT environment.
In this case, we saw PyInstaller, Cloudflare Argo Tunnels, and the CrossTec Remote Control application used in an attempt to blend in. Defenders must stay aware of the continually evolving, novel ways threat actors hide malicious activity amongst the noise.
Stay tuned for a future blog post with additional details into other binaries dropped as part of this attack campaign.
Appendix
Observed Activity
Step | Event |
---|---|
1 | Command line PowerShell downloads hxxp://bersandarpijar[.]com/active.exe as |
2 | asdin2oe.exe drops and executes DLL XdkZ46ju.tgG (Dormouse) via rundll32.exe |
3 | PowerShell AD enumeration via: `([adsiSearcher]'(ObjectClass=computer)').FindAll().count` |
4 | Domain admin enumeration via: `net group "Domain Admins" /domain` |
5 | Domain enumeration via: `nltest /dclist` and `nltest /domain_trusts` |
6 | Domain enumeration via: net1 user $user_account /domain |
7 | Persistence via Windows Registry runkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
8 | Command line PowerShell downloads and installs CrossTec Remote Control, as %APPDATA%\Roaming\0neNote\client32.exe |
9 | Persistence via schtasks.exe |
10 | Credential theft by exporting the Security Account Manager (SAM) database registry entries: reg save HKLM\sam sam |