Threat Hunting – Chthonic Banking Trojan

This is a lab conducted in a test bed. The resources were downloaded from malware-traffic-analysis.net. The samples provided come from a case study of an office workstation that was infected with malware.

We have been called into an office environment where possible banking malware was identified by the installed detection systems. We will examine the alert in depth for further analysis. Management would like to know what the purpose of the malware was and whether any external communication was involved in the attack. There is also a chance of the malware propagating to other systems connected to the same network.

Image credits: https://media.kasperskydaily.com/wp-content/uploads/sites/92/2014/12/06042006/Chtonic-a-new-version-of-banking-trojan-Zeus.png

Download URL: http://www.malware-traffic-analysis.net/2017/10/21/2017-10-21-traffic-analysis-exercise.pcap.zip

The zip file contains only one .pcap file. Treating the pcap as untampered, we begin the analysis with a manual approach. The task starts with determining the basic information given below and then moving on to the core details of the compromise:

  • IP address of the victim
  • Domain name and hostname
  • Operating system version
  • Suspicious external IP addresses involved

We begin our investigation where the basic communication starts: the DHCP handshake. The client-server exchange happens in four phases, “Discover, Offer, Request, Acknowledge.” They are pretty much self-explanatory. For further details you can refer to the reference link below:

https://www.netmanias.com/en/post/techdocs/5998/dhcp-network-protocol/understanding-the-basic-operations-of-dhcp
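As an added example (not part of the original post), the parser below reads a BOOTP/DHCP payload and pulls out the fields the checklist above asks for: message type, requested or assigned IP, client MAC, hostname (option 12), domain name (option 15) and vendor class (option 60, which Windows clients set to a string such as "MSFT 5.0"). The sample Request packet is constructed for the demo and is not taken from the exercise pcap; on a real capture you would feed it the UDP payload of each port 67/68 packet.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that precedes the options
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack", 6: "Nak"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload (Ethernet/IP/UDP headers already stripped)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    info = {
        "op": "request" if op == 1 else "reply",
        "xid": xid,
        "ciaddr": str(IPv4Address(payload[12:16])),   # client's current IP (if any)
        "yiaddr": str(IPv4Address(payload[16:20])),   # IP offered/assigned by the server
        "chaddr": payload[28:28 + hlen].hex(":"),     # client MAC address
    }
    i = 240
    while i < len(payload):                           # TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                                 # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            info["type"] = MSG_TYPES.get(data[0], str(data[0]))
        elif code == 12:
            info["hostname"] = data.decode(errors="replace")
        elif code == 15:
            info["domain"] = data.decode(errors="replace").rstrip("\x00")
        elif code == 50:
            info["requested_ip"] = str(IPv4Address(data))
        elif code == 60:                              # "MSFT 5.0" => Windows DHCP client
            info["vendor_class"] = data.decode(errors="replace")
    return info

def build_sample_request() -> bytes:
    """Constructed DHCP Request from a Windows client (demo data, not from the pcap)."""
    mac = bytes.fromhex("001122334455")
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0xDEADBEEF, 0, 0x8000)  # op=BOOTREQUEST
    hdr += b"\x00" * 16                               # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10 + b"\x00" * 192         # chaddr(16) + sname(64) + file(128)
    opts = (b"\x35\x01\x03" + b"\x32\x04" + bytes([10, 0, 0, 50])   # type=Request, req IP
            + b"\x0c\x06WS-LAB" + b"\x3c\x08MSFT 5.0" + b"\xff")  # hostname, vendor, END
    return hdr + MAGIC + opts
```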

A couple of DNS requests are observed to dns.msftncsi.com, indicating that this is a Windows system; update-fetching mechanisms are mainly responsible for such requests. However, it is advised to ensure you have these domains whitelisted and the IP addresses verified against them. Phishing or spamming URLs are hosted against such domains, and spoofed updates can also be sent over the network from malicious domains.

The request number 6-7 are (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Kapil Kulkarni. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/sJxWPPYkBps/