Story of a cyber attack ("HACK")
I will tell you the story of my friend "GBen", who was the victim of a cyber attacker.
INTRODUCTION / CONTEXT
We currently work abroad and are staying in a hotel.
As in most hotels, a free WiFi network (open, with no login/password) is available.
GBen has a laptop:
– OS: Windows XP, unofficial copy (note: the activity records quoted further down carry 6.1.7601 version numbers, which belong to Windows 7 SP1, and the user profile lives under C:\Users, so the machine was more likely running an unlicensed Windows 7)
– antivirus: Panda
– Spybot Search & Destroy, free edition
3:59 p.m. – A PayPal email arrives
Shortly before we left work, GBen received an email from PayPal about a transfer of 200 euros to someone he did not know. Since the mail mentioned paypal.fr, he took it for a scam and moved it to spam. Sure of himself, he did not voice the slightest concern.
4:17 p.m. – Doubt
Not so sure of himself after all, he wants to check his PayPal account. He can't log in, but doesn't know whether the error is on his side or whether he has simply forgotten his password. A little sweat, but we would be back soon, so he reassures himself that he'll know more from his own PC.
4:39 p.m. – Eyesore
GBen enters his room, in a hurry to find out more, opens his computer and is greeted by a particularly generous image (a wallpaper of dubious taste showing a woman close to a hundred kilos, in a skimpy outfit, on a motorcycle ...).
"Ah, what the hell, who did this? That's one of Eric's jokes!!!"
There you go! Right away I get lumped in as the culprit. Admittedly I take some interest in the digital world and I like a bad joke, but still ...
4:47 p.m. – Ring ring
My room's phone rings, I pick up:
"So you're the one who changed my wallpaper??? You've got nothing better to do, seriously???"
A few exchanges later, he tells me that Spybot has finished its scan and that it shows things in red ...
4:53 p.m. – Telltale signs
I arrive in his room and look for the folder in which the wallpaper was stored:
I slip him a quiet "this stinks, dude" ... And BAM: an "Anonymous" image (of the kind you find by the thousands on the net) jumps out at us in the Windows image viewer. I take a quick look at the current network connections and notice straight away that ports are open all over the place ... Right, disconnect everything and analyze.
I quickly brief GBen on the situation:
– Someone has access to your computer, either from outside or through the free WiFi
– You can assume the guy has potentially taken everything from you
– You feel violated ... you are, and maybe he still is, so don't hang around, we need to act!!!
4:58 p.m. – A conversation that brings us up to speed
– Uh ... Eric ... It's weird, I received this email from PayPal earlier ... I thought it was a fake so I moved it to spam, but I've just received a second one, and thanks to the PC I know it's not a hoax ...
– Whaaat??!!! Frankly, why didn't you check directly from your phone?
– I tried, but I couldn't remember my password, so I preferred to wait until I got back, because all my logins and passwords are saved in my browser.
– Dude, I'm no expert, but basically: a guy has just burgled your digital apartment, he may even have all your papers; well, he could certainly have done more damage, because he put up the wallpaper that warned us of his presence, but right now he's wandering the net with your identity!!!!
Channeling Sherlock Holmes, I embark on a cyber investigation while GBen contacts his bank and changes all his passwords.
Looking for evidence
Spybot Search & Destroy lets you search for spyware, adware or trojans present on your system.
I retrieve the scan GBen ran and take stock:
No fewer than 5 RAT (Remote Access Trojan) detections, all in the same folder, C:\Users\Gben\AppData\Roaming, as the images imported by the attacker. Note that the dclogs folder and its dated .dc files match the naming the DarkComet RAT uses for its keylogger output, so this particular entry is most likely a captured keystroke log rather than the RAT executable itself. Here is one of the detections:
rat.PinMon: [SBI $36F1A822] Data (File, nothing done) C:\Users\Gben\AppData\Roaming\dclogs\2018-10-21-1.dc
Category: Trojans
ThreatLevel: 10
Weblink: http://forums.spybot.info/showthread.php?74416
Properties.size: 4821
Properties.md5: F630059BDFC04917FDD1B51A8C6BFCF7
Properties.filedate: 1540159224
Properties.filedatetext: 2018-10-21 22:00:23
"Yeah, cool Eric, but what's a RAT??"
What is a RAT?
RAT – Remote Access Trojan
This trojan is installed by the victim themselves, because it is hidden inside a lure (often a fake update that the victim readily accepts). It then gives the attacker remote access with the privileges of the account that ran it, which on a home PC is usually an administrator account.
Once the link is in place, the attacker has access to your entire system, for example:
– all files (photos, personal files such as bank statements or scans of identity documents)
– the microphone
– the registry
– installing programs
"Oh man, you're speaking Chinese there ... What's a trojan?"
Time for Professor Eric's "Greek mythology" break:
For ten years an army had been breaking its teeth trying to take the city of Troy, without ever succeeding. Then a guy called Ulysses had an idea: "We're going to build a huge wooden horse, offer it to them, and hide inside it to get into the city at the same time" ...
OK, the idea is a bit much, but put it back in context: they had been struggling for ten years ... so why not?
Ulysses offers the horse to the Trojans. Two of them are wary, Laocoön and Cassandra, but Ulysses announces: "I offer you this as a truce; if you accept it we stop attacking you, and on top of that we give you food and women."
Tempting! So the Trojans accept the horse, and after watching the guys sail away they let their guard down and go wild: barbecue, women and alcohol galore!!!!
Once the Trojans are good and drunk, the few soldiers of Ulysses climb out of the horse and open the gates!!!! Ulysses and his mates storm in and slaughter all the drunken lot lying around!!!!
Here is what a Trojan horse is:
A malicious function hidden inside software or an update, which gets installed with the user's consent, of course.
The latter is not to be overlooked: I don't have the knowledge to say whether or not a hacker can recover the passwords stored in Chrome, given that they are encrypted before being stored on the system.
During our investigation we had to keep the time difference in mind, because where we are we are 6 hours behind France, and GBen had left his PC on French time.
3:56 p.m. local time – 9:56 p.m. FR
We make the link with the PayPal email confirming the transfer at 3:59 p.m.
3:59 p.m. local time – 9:59 p.m. FR
We conclude that the attacker may not have had the skills to recover the passwords, but simply used the browser and let autofill do the work. Either way, a RAT running as the logged-in user needs no particular skill for this: Chrome protects saved passwords with Windows DPAPI keyed to the user's own account, so any program running as that user can ask Windows to decrypt them. We listed all the logins and passwords in Chrome's database so that GBen could draw up the full list of password changes still to be done (some were left over from his first round).
1. Day of the attack
I reviewed the activity during his absence and found only this:
Action Time: 10/23/2018 22:09:53 (4:09 p.m. local time)
Description: Task Run
Filename: dimsjob.dll
Full Path: C:\Windows\system32\dimsjob.dll
More Information: SystemTask, 'Microsoft', 'CertificateServicesClient', SystemTask
File Extension: dll
==================================================
Action Time: 10/23/2018 17:37:53
Description: Run .EXE file
Filename: makecab.exe
Full Path: C:\Windows\SysWOW64\makecab.exe
More Information: Microsoft Corporation, Microsoft® Windows® Operating System, Microsoft® Cabinet Maker, 6.1.7600.16385 (win7-rtm.090713-1255)
File Extension: exe
After some research, it turns out that makecab.exe is a legitimate Windows component (Cabinet Maker) whose name malware sometimes borrows, so this entry proves nothing on its own; checking the file's digital signature and comparing its hash with a clean Windows 7 copy would settle it. The "dimsjob.dll" entry, on the other hand, shows a particular behaviour and arouses my curiosity (if anyone wants me to send it to them so they can unpack and analyze it, I'd love that). For the record, the task named in that entry, Microsoft\Windows\CertificateServicesClient\SystemTask, ships with Windows and runs dimsjob.dll, so this file too should be compared against a clean copy before concluding anything.
2. Day the RAT was installed
This let me go back to the first RAT infection, on 12 October 2018 (the dates below are DD/MM/YYYY, times are the PC's clock, i.e. French time):
Action Time: 12/10/2018 16:17:55
Description: System Shutdown
==================================================
Action Time: 12/10/2018 16:17:54
Description: User Logoff
More Information: Gben-PC\Gben
==================================================
Action Time: 12/10/2018 16:05:12
Description: Software Crash
Filename: Explorer.EXE
Full Path: C:\Windows\Explorer.EXE
More Information: Explorer.EXE, 6.1.7601.23537, 57c44efe, ntdll.dll, 6.1.7601.23915, 59b94e4, c015000f, 000000000000008b0ca, dcc, 01d462348fd05015, C:\Windows\Explorer.EXE, C:\Windows\SYSTEM32\ntdll.dll, d597027d-ce27-11e8-be8d-01ec
File Extension: EXE
==================================================
Action Time: 12/10/2018 16:05:09
Description: Software Crash
Filename: Explorer.EXE
Full Path: C:\Windows\Explorer.EXE
More Information: Explorer.EXE, 6.1.7601.23537, 57c44efe, SHELL32.dll, 6.1.7601.23893, 5993136a, c00000005, 0000000000000005000503a2, dcc, 01d462348fd05015, C:\Windows\Explorer.EXE, C:\Windows\system32, d3e2e37a-ce27-11e8-be8d-001eecd5ac3b
File Extension: EXE
==================================================
Action Time: 12/10/2018 16:04:53
Description: Software Crash
Filename: Explorer.EXE
Full Path: C:\Windows\Explorer.EXE
More Information: Explorer.EXE, 6.1.7601.23537, 57c44efe, ntdll.dll, 6.1.7601.23915, 59b94e4, c015000f, 00000000000008b0ca, a08, 01d4623084afac99, C:\Windows\Explorer.EXE, C:\Windows\SYSTEM32\ntdll.dll, ca3f3fa9-ce27-11e8-be8d-001edc
File Extension: EXE
==================================================
Action Time: 12/10/2018 16:04:48
Description: Software Crash
Filename: Explorer.EXE
Full Path: C:\Windows\Explorer.EXE
More Information: Explorer.EXE, 6.1.7601.23537, 57c44efe, SHELL32.dll, 6.1.7601.23893, 5993136a, c00000005, 000000000000000005000503a2, a08, 01d423084afac999, C:\Windows\Explorer.EXE, C:\Windows\system32, c733f00f-ce27-11e8-be8d-001eecd5ac3b
File Extension: EXE
==================================================
Action Time: 12/10/2018 15:46:20
Description: Software Installation
Filename: FlashUtil32_31_0_122_pepper.exe
Full Path: C:\Windows\SysWOW64\Macromed\FlashUtil32_31_0_122_pepper.exe
More Information: Adobe Flash Player 31 PPAPI
File Extension: exe
==================================================
Action Time: 12/10/2018 15:43:47
Description: Task Run
Filename: sc.exe
Full Path: C:\Windows\system32\sc.exe
More Information: SvcRestartTask, OfficeSoftwareProtectionPlatform
File Extension: exe
==================================================
Action Time: 12/10/2018 15:36:00
Description: User Logon
More Information: WORKGROUP\Gben
==================================================
Action Time: 12/10/2018 15:35:42
Description: System Started
==================================================
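Records like the ones above are hard to read once they have been flattened, and the time-zone shift the text mentions has to be applied to every entry. As an added example, not part of the original post, here is a Python script that parses records in this "Action Time / Description / Filename / Full Path / More Information / File Extension" layout (assumed here to be the text export of NirSoft LastActivityView, a tool the page does not name), converts the PC's French time to the local time 6 hours behind it, sorts the events, and lists everything within a few minutes of a pivot such as the Flash installation, flagging installations and executables run from the user's profile. The sample records are constructed for the example; the "updater.exe" entry under AppData\Roaming is invented purely to exercise the flagging rule and was not on GBen's machine.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in the "Action Time / Description / Filename / Full Path /
# More Information / File Extension" layout of the records quoted on this page
# (assumed to be NirSoft LastActivityView's text export). Times are the PC's
# clock, which the page says was left on French time; dates are DD/MM/YYYY.
# The "updater.exe" record is invented purely to exercise the flagging rule.
SAMPLE_RECORDS = r"""
==================================================
Action Time: 12/10/2018 16:04:48 Description: Software Crash Filename: Explorer.EXE Full Path: C:\Windows\Explorer.EXE More Information: Explorer.EXE, 6.1.7601.23537, SHELL32.dll File Extension: EXE
==================================================
Action Time: 12/10/2018 15:47:10 Description: Run .EXE file Filename: updater.exe Full Path: C:\Users\Gben\AppData\Roaming\updater.exe More Information: File Extension: exe
==================================================
Action Time: 12/10/2018 15:46:20 Description: Software Installation Filename: FlashUtil32_31_0_122_pepper.exe Full Path: C:\Windows\SysWOW64\Macromed\FlashUtil32_31_0_122_pepper.exe More Information: Adobe Flash Player 31 PPAPI File Extension: exe
==================================================
Action Time: 12/10/2018 15:43:47 Description: Task Run Filename: sc.exe Full Path: C:\Windows\system32\sc.exe More Information: SvcRestartTask, OfficeSoftwareProtectionPlatform File Extension: exe
==================================================
Action Time: 12/10/2018 15:36:00 Description: User Logon Filename: Full Path: More Information: WORKGROUP\Gben File Extension:
==================================================
Action Time: 12/10/2018 15:35:42 Description: System Started Filename: Full Path: More Information: File Extension:
==================================================
"""

# The field labels themselves are the only reliable delimiters inside a record.
FIELD_RE = re.compile(r"(Action Time|Description|Filename|Full Path|More Information|File Extension):\s*")
LOCAL_OFFSET = timedelta(hours=-6)   # where the author is: 6 hours behind France


def parse_time(value: str) -> datetime:
    """The page mixes DD/MM/YYYY and MM/DD/YYYY; try day-first, then month-first."""
    for fmt in ("%d/%m/%Y %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_records(text: str) -> List[dict]:
    """Split on the ===== separators, then split each record on its field labels."""
    records = []
    for chunk in re.split(r"={5,}", text):
        if "Action Time:" not in chunk:
            continue
        parts = FIELD_RE.split(chunk.strip())   # ['', label, value, label, value, ...]
        rec = {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}
        rec["time_fr"] = parse_time(rec["Action Time"])
        rec["time_local"] = rec["time_fr"] + LOCAL_OFFSET
        records.append(rec)
    return sorted(records, key=lambda r: r["time_fr"])


def flags(record: dict) -> List[str]:
    """Cheap heuristics for records that deserve a second look."""
    reasons = []
    path = str(record.get("Full Path", "")).lower()
    if record.get("Description") == "Software Installation":
        reasons.append("software installation")
    if "\\appdata\\roaming\\" in path or "\\appdata\\local\\temp\\" in path:
        reasons.append("executable under a user-writable profile directory")
    return reasons


def events_near(records: List[dict], pivot: datetime,
                window_minutes: int = 30) -> List[Tuple[int, str, str, List[str]]]:
    """Events within +/- window of the pivot: (seconds from pivot, description, filename, flags)."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for r in records:
        delta = r["time_fr"] - pivot
        if abs(delta) <= window:
            hits.append((int(delta.total_seconds()), r["Description"], r.get("Filename", ""), flags(r)))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    pivot = next(r for r in recs if r["Description"] == "Software Installation")
    for secs, desc, name, why in events_near(recs, pivot["time_fr"], window_minutes=5):
        print(f"{secs:+6d}s  {desc:<22} {name:<36} {', '.join(why)}")
```

On a real export the pivot would be the timestamp Spybot reported for the RAT files or the installation record, and anything in the window that is not a stock Windows component is what to look at next. The date-format fallback exists because the page itself mixes DD/MM/YYYY and MM/DD/YYYY, which is ambiguous for days 1 to 12; export with ISO dates when the tool allows it.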
Two programs were installed:
– An Adobe update
Let's not forget that the trojan hides in benign-looking software. One caveat: C:\Windows\SysWOW64\Macromed is also where the genuine Flash Player installer places this utility, so the record alone does not prove the update was fake (the file's digital signature would); what it does pin down is the moment to look at, and the burst of four Explorer.EXE crashes eighteen minutes later is the next thing to correlate with it.
To be sure about this connection, we ran a connection analyzer that let us examine the open ports on our Internet connection.
Thanks to whois lookups we identified the TCP connection belonging to the company Panda (the antivirus), but we could also see a socket in SYN_SENT state, i.e. GBen's PC trying to reach a remote address; here is what whois returned for that address:
inetnum: 22.214.171.124 – 126.96.36.199
descr: Bouygues Telecom Division Mobile
descr: Pool for APN 2G/3G/4G End users
status: ASSIGNED AP
We think we have found the culprit, because the accounts receiving the PayPal transfers had French-sounding names. Keep in mind, though, that an address from a mobile carrier's APN pool is shared by many subscribers over time, so on its own it identifies a network, not a person.
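The "ports open all over the place" check earlier and the SYN_SENT observation here are both things you can do with `netstat -ano` on Windows (the `-o` column gives the PID, which `tasklist /FI "PID eq <pid>"` maps to a process). As an added example, not part of the original post, here is a Python script that parses a constructed `netstat -ano` capture, ignores private, loopback and unspecified addresses, and reports TCP sockets that are in SYN_SENT towards, or established with, a public address that is not on an allowlist. The addresses and PIDs in the sample are invented (Python's ipaddress module classifies the RFC 5737 documentation ranges as non-public, so those could not be used), and the allowlisted address stands in for the Panda antivirus server the text mentions.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `netstat -ano` output in the Windows layout.
# Every address and PID below is invented for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:49731     84.12.34.56:443        ESTABLISHED     2516
  TCP    192.168.1.23:49812     62.20.30.40:1604       SYN_SENT        3320
  TCP    192.168.1.23:49813     192.168.1.1:53         TIME_WAIT       0
  TCP    [::1]:49700            [::1]:49701            ESTABLISHED     1456
  UDP    0.0.0.0:5353           *:*                                    1208
"""


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'192.168.1.23:49731' -> ('192.168.1.23', '49731'); also handles '[::1]:445' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn the netstat table into a list of dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            if len(parts) < 4:
                continue
            state, pid = "", parts[3]        # UDP rows have no State column
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        conns.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": state, "pid": pid})
    return conns


def is_public(host: str) -> bool:
    """True for a routable unicast address; '*', '', hostnames, RFC 1918, loopback etc. are False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)


def triage(conns: Iterable[Dict[str, str]],
           allowed_remote: Iterable[str] = ()) -> List[Tuple[str, str, str, str]]:
    """Return (pid, remote host, remote port, reason) for TCP sockets worth a closer look."""
    allowed = set(allowed_remote)
    findings = []
    for c in conns:
        if c["proto"] != "TCP" or not is_public(c["rhost"]) or c["rhost"] in allowed:
            continue
        if c["state"] == "SYN_SENT":
            reason = "outbound connection attempt (SYN_SENT) to a public address"
        elif c["state"] == "ESTABLISHED":
            reason = "established session with a public address not on the allowlist"
        else:
            continue
        findings.append((c["pid"], c["rhost"], c["rport"], reason))
    return findings


if __name__ == "__main__":
    # The allowlisted address stands in for the antivirus vendor's server.
    for pid, host, port, reason in triage(parse_netstat(SAMPLE_NETSTAT), {"84.12.34.56"}):
        print(f"PID {pid} -> {host}:{port}: {reason}")
```

Build the allowlist from connections you have positively identified (the antivirus vendor's range from whois, the hotel's gateway), not from what looks harmless; a RAT beaconing on a common port would otherwise blend in. Run it a few times over several minutes, since a SYN_SENT to a server that is offline will come and go.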
Well, it's almost midnight and we've come a long way tonight. But we don't have enough elements (and surely not enough skills in the field) to go further.
We tackle the repair of GBen's laptop:
– extracting and cleaning GBen's sensitive and personal data (scanned with Avast and Spybot)
– wiping the beast
– installing Ubuntu (it will do the job, and it will be safer than an unofficial copy of XP)
GBen and I are not cyber-attack experts, and yet this story will serve us well. Pay attention to your "digital life", because our environment (personal and professional) depends more and more on cyberspace (the Internet).
We have drawn up a technical memo, the points we have to hammer home:
– Source: Always check links and website addresses, and never plug in a USB key whose origin you don't know (e.g. a found key)
– Scans: I recommend a monthly scan with an antivirus, an anti-malware and an anti-spyware tool
– VPN: Protect your identity, especially when you use a free WiFi connection (I'll write an article about this risk)
– Official: Use only official programs and update them regularly
– Naive: The user always is!!! Human error is most often the root cause of an infection. Be aware of and interested in the digital world, and especially the risks that come with it!!!
Thanks to GBen for letting the site tell his story, and thanks to the hacker's blog, which has become a reference site for me.
Hoping that this misadventure can help you avoid living through the same thing!
Don't hesitate to let me know!!