Section 1 - KQL 101

I decide to do a brief scoping of the organization's size.

Employees
| count

Employees
| summarize count() by role

Envolve Labs employs 1,000 people, with most employees being human resources and marketing associates, closely followed by lab technicians, medical researchers, finance associates and IT associates.

A single "person" in the Employees table (for a total of 1,001 employees) seems to be some sort of test user with placeholder values (their name is "name" and so on.)

Section 2 - Clustering and Attribution

Security researchers recently noted a domain used in phishing campaigns targeting the medical industry: disarm-remarkable.science. Better safe than sorry, I opt to check if we've received any emails with this domain:

Email
| where tostring( parse_url(link).Host) == "disarm-remarkable.science"

Unfortunately, there it is. IT Associate Terry Simpson received an email offering "research opportunties", with a link prompting to download a ResearchBibliographyGenerator.zip on 2022-01-07 at 13:21:39 in the afternoon. The sender is john-n-johnmoderno@yahoo.com with the reply-to being vaccinejournal@yahoo.com. The email passed our filters, being deemed safe. I first confirm if Terry Simpson clicked the link, downloaded the file and opened it:

Email
| where tostring( parse_url(link).Host) == "disarm-remarkable.science"
| distinct link
| lookup OutboundBrowsing on $left.link == $right.url

Unfortunately, Terry Simpson clicked the link just three seconds after receiving the email; the IP address and user agent corresponds to his device. Before pivoting to his device and what could've happened in it, I check for other signs of phishing attempts from the sender and reply-to with this query:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders

The malicious email addresses are:

• pfizar.fda@hotmail.com
• vaccinepandemic@aol.com
• john-n-johnmoderno@yahoo.com
• vaccinejournal@yahoo.com
• journal@protonmail.com

20 emails were sent from all known malicious email addresses, targeting 20 distinct recipients. The role breakdown is as follows:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| summarize count() by role

Picking up from the emails we discovered, there are many other previously-unseen domains:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_domains"] = tostring(parse_url(link).Host)
| where isnotempty(bad_domains)
| distinct bad_domains

I did a series of nested lookups until I managed to catch all the domains and IPs associated to the threat actor. The final queries and results are as follows:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_domains"] = tostring(parse_url(link).Host)
| where isnotempty(bad_domains)
| distinct bad_domains
| lookup PassiveDns on $left.bad_domains == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip

A total of 12 distinct IP addresses.

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_domains"] = tostring(parse_url(link).Host)
| where isnotempty(bad_domains)
| distinct bad_domains
| lookup PassiveDns on $left.bad_domains == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain

A total of 18 distinct domains. Checking against the Email table shows that not all domains were used in the phishing campaign i.e. there are only 20 emails containing any of these domains (see [5]).

Finally, I checked what files the targets were prompted to download. We already know Terry got the ResearchBibliographyGenerator.zip, but what about the others?

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_files"] = tostring(
    parse_path(
        tostring(
            parse_url(link).Path
        )
    ).Filename
)
| where isnotempty(bad_files)
| distinct bad_files

Despite the subject lines generally implying these would be links to (false) login pages (see [5]), all the links lead to file downloads. It goes without saying that these files are malicious and very likely dropped some sort of payload once executed by the target(s). I checked for this with:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
let bad_files_var =
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_files"] = tostring(
    parse_path(
        tostring(
            parse_url(link).Path
        )
    ).Filename
)
| where isnotempty(bad_files)
| distinct bad_files;
FileCreationEvents
| serialize
| extend payload = next(filename)
| where payload !in~ (bad_files_var)
and filename in~ (bad_files_var)

All files are immediately followed by a updater.dll file. Note that in the table above the timestamp, sha256 hash and size correspond to the malicious downloads (i.e. the .exe, .zip, .pptx, .docx and .xls files) and not the payload. There are 29 instances of this file across 29 distinct hostnames. The affected users are:

FileCreationEvents
| where filename =~ "updater.dll"
| distinct hostname
| lookup Employees on $left.hostname == $right.hostname
| distinct role, name
| sort by role asc

The breakdown per role is as follows:

• IT associate: 8
• Human Resources associate: 7
• Trial Administrator: 5
• Lab Technician: 4
• Medical Researcher: 2
• Finance associate: 2
• Marketing associate: 1

To make sure I uncovered a payload, I check information on the updater.dll file itself:

FileCreationEvents
| where filename =~ "updater.dll"
| distinct sha256, path

A rundown of this information:

• The file has multiple versions with 13 distinct hashes.
  1. 42a337bcec26df0130a11baf9e60179993851b88f1cabec52973f88774e903fb: flagged as 8UWLNSE4.dat, rated malicious by VirusTotal.
  2. 1dc1dbfc1d636fed5cebe43787a7abf2df4fbb51e1beaec34ba72dd5152edc81: flagged as S4ZD8JVW.dat, rated malicious by VirusTotal.
  3. 370ce39ba328329ff16b5ede1079f6402e68abceb34e65cb31883a3b3730b530: flagged as JFDTBIEC.dat, rated malicious by VirusTotal.
  4. 09704c11681590ec76715c1a07f342d187c34965f122911037a18433409cdd99: flagged as F4CUA24P.exe, rated malicious by VirusTotal.
  5. 0e7e0e888f22b5cc83ce5f2560f9f331d89b8e02875e98ace822e074f2ee486b: flagged as WFTIN7YS.exe, rated malicious by VirusTotal.
  6. e3970346ff7fcc3665f027d7f221968087f3c42705f5799fbc1d2811ab1ca4ea: flagged as C2YOXQ7U.dat, rated malicious by VirusTotal.
  7. 3666cb55d0c4974bfee855ba43d596fc6d10baff5eb45ac8b6432a7d604cb8e9: flagged as ISDQKWGM.dll, rated malicious by VirusTotal.
  8. ebff4951be5e2481866fc61806b6bf8ebad297f09632a9c067bcdcec6d203521: flagged as 6EWO98LG.dat, rated malicious by VirusTotal.
  9. ea05ff75fef906a60545129a7c5bea2956bfde63b8e714eb42db3ae50b99dec3: flagged as 818Y827X.exe, rated malicious by VirusTotal.
  10. 94783f97b5a9312bdf1d9760f5ec1de2e36882989bc00aa218812684604b530f: flagged as YA8ZY0QV.dll, rated malicious by VirusTotal.
  11. 9bd3ea0950fdc75d21a8ee4926c0a14354db620f3a1f4895961e282022074c23: flagged as Q9QQ4IZO.dll, rated malicious by VirusTotal.
  12. ca1cc5c10de551849bb4d408b7db40e8d95b1ec5e5426860e4903131c754068c: flagged as VG6MTLXW.dll, rated malicious by VirusTotal.
  13. 12fe773f0937324b86821dab26d5b90f75c61adb24fc90a99d5c590304d1d8a0: flagged as CRKY4ZTN.dat, rated malicious by VirusTotal.
• The file is dropped at three possible locations in a target's system:
  1. C:\ProgramData\USOShared\updater.dll
  2. C:\Windows\system32\updater.dll
  3. C:\ProgramData\Microsoft\Applications\updater.dll

It's pretty clear there's nothing good about this. To check what (if anything) the threat actor did in our systems, I use this query:

let bad_addr_table =
Email
| where sender in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
or reply_to in ("john-n-johnmoderno@yahoo.com", "vaccinejournal@yahoo.com")
| distinct reply_to, sender; //generate a table with these two columns
let bad_files_var =
bad_addr_table
| project bad_addr = sender
| union (bad_addr_table | project bad_addr = reply_to) //merge the two columns into one
| distinct bad_addr
| lookup Email on $left.bad_addr == $right.sender //lookup all bad email addresses as senders
| project ["bad_files"] = tostring(
    parse_path(
        tostring(
            parse_url(link).Path
        )
    ).Filename
)
| where isnotempty(bad_files)
| distinct bad_files;
FileCreationEvents
| where filename in (bad_files_var)
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| sort by hostname, timestamp asc

All affected hostnames had malicious commands executed. In general, all of them:

1. Ran any of these discovery commands:
   • whoami: Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name. [Microsoft Learn].
   • ipconfig /all: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. [Microsoft Learn]
   • ping: Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) echo Request messages. [It is] the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution. [Microsoft Learn]. They check against Google's 8.8.8.8
   • net user: [...] displays a list of all user accounts for the local computer. [Microsoft Learn]. They tried to check for Administator accounts, but mistyped the command.
2. Created a scheduled task that ran once a minute, executing a file named infector.exe as SYSTEM; this file is located in the system32 folder.
3. Used procdump64.exe, a legitimate SysInternals utility to create process dumps; in this case, of lsass.exe (Windows' Local Security Authority Subsystem Service).
4. Used CobaltStrike's /C getsystem to obtain SYSTEM privileges. The parent process is cmd.exe.
5. Used mimikatz.exe, a credential dumping utility [Official Github].
6. Copied all contents of the Public Documents, Downloads and Research folders to F:\exfil\Users\
7. Copied the data (after compressing to a .gz file) to Pastebin.com, a legitimate text storage site frequently used by threat actors; in our case, they've used it for data exfiltration.

In some specific devices, they ran these commands in addition to the previously-examined:

1. reg add HKLM\SYSTEM\CurrentCOntroLSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f: In the hostnames belonging to Marketing associate Michael Chambers (ANZL-LAPTOP), Lab Technician Mary Steele (4P7P-DESKTOP), and IT associate Tyler Sealock (PSB0-LAPTOP).
2. net user Administratr [sic]: In the hostnames belonging to Lab Technician James Garvey (8IMM-LAPTOP), Marketing associate Michael Chambers (ANZL-LAPTOP), IT associate Tyler Sealock (PSB0-LAPTOP), Finance associate Alice Hooser (HYV7-LAPTOP), IT associate Scott Cayo (M491-LAPTOP), Human Resources associate Diane Rhodes (WNUE-LAPTOP)
3. updater.dll -p <IPADDR:PORT>: In the hostnames belonging to IT associate Terry Simpson (DLY5-DESKTOP) (IP 199.57.49.250, port 8888), Finance associate Alice Hooser (HYV7-LAPTOP) (IP 210.97.157.245, port 8888), IT associate Scott Cayo (M491-LAPTOP) (IP 181.190.66.175, port 8888). These addresses are among the discovered IPs in [8].

The threat actor didn't seem to do anything else in the system according to the logs, seemingly content with exfiltrating proprietary information, company research, and whatever personal information might've been caught in the sweep.

However, there are reports of another, unrelated campaign that ocurred just three days later. This case will be explored in the next section.

Section 3 - Phishing and More

Two Envolve Labs employees received emails from a QQ.com account; this email provider is owned by the Chinese company Tencent, and it's also available in English. This is already quite suspicious. These emails contain a url to a clan.io webpage.

Email
| where * has "clan.io"

The attackers must've done research on these employees--Erica Wilson (Finance Associate) and Verna Fleeger (Medical Researcher)--as their subject matter is wholly unrelated to their jobs or the company itself, instead posing as a seller of Naruto merchandise (a popular manga and anime series). I confirmed if either of them clicked the link with:

Email
| where link has "clan.io"
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| distinct ip_addr
| lookup OutboundBrowsing on $left.ip_addr == $right.src_ip
| where url has "clan.io"
| lookup Employees on $left.ip_addr == $right.ip_addr
| distinct timestamp, url, role, name, ip_addr

Only Finance Associate Erica Wilson clicked it; since it's clearly a fake login page, it's likely her credentials were stolen and used to log into her corporate account. To check this, I edit the previous KQL query into this:

Email
| where link has "clan.io"
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| distinct ip_addr
| lookup OutboundBrowsing on $left.ip_addr == $right.src_ip
| where url has "clan.io"
| lookup Employees on $left.ip_addr == $right.ip_addr
| distinct username
| lookup AuthenticationEvents on $left.username == $right.username
| where src_ip != "192.168.1.219" //Erica's IP

There's indeed a successful login roughly a day after Erica clicked the link; the IP address and user agent aren't Erica's usual. It will do good to check for this IP address elsewhere; a query such as search "223.80.243.56" shows that the IP appears in three other tables: AuthenticationEvents (multiple times besides Erica's account), InboundBrowsing and PassiveDns. Let's check them in order:

AuthenticationEvents
| where src_ip == "223.80.243.56"
| where result has "successful"

There are 17 login attempts, 9 failed and 8 successful. The employees that had their accounts compromised are as follows:

AuthenticationEvents
| where src_ip == "223.80.243.56"
| where result has "successful"
| distinct username
| lookup Employees on $left.username == $right.username
| distinct role, name, username, email_addr, hostname

Most were Trial Administators (3), followed by Finance Associates (2) and Human Resources, IT and Marketing Associates (1 each). Other targeted roles include two Lab Technicians (unsuccesful login); otherwise the numbers and proportions remain similar.

The next table I decide to check is PassiveDns, as it can uncover more domains and IP addresses the threat actors might be using. A query like...

PassiveDns
| where ip == "223.80.243.56"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain

...uncovers 10 distinct domains, and appending an extra lookup like this...

PassiveDns
| where ip == "223.80.243.56"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip

...uncovers 8 distinct IP addresses. Additional nested lookups fail to uncover any new domains or IPs. This information can be used to investigate this campaign further.

Checking AuthenticationEvents again to see if any of these newly-discovered IPs also attempted to log into corporate accounts reveals that only IP 223.80.243.56 was involved. Checking for malicious domains against the Email table, however, reveals this:

let bad_domain =
PassiveDns
| where ip == "223.80.243.56"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain in (bad_domain)
| distinct ip;
Email
| where tostring(parse_url(link).Host) in (bad_domain)

Days before Erica Wilson and Verna Fleeger were targeted, so were Trial Administrator David Martin, Finance Associate Jaime Stanfill, Medical Researcher Sue Jordan and Marketing Associate Bobby Painter. Of these, only David Martin was compromised (see [19]). There's a new threat actor email address: tenen_tenen@aol.com. Only one of the emails was blocked by our filter: the one intended for Sue Jordan.

Finally, we can check InboundBrowsing with the known malicious IPs to find hints of recon by the threat actor.

let bad_domain =
PassiveDns
| where ip == "223.80.243.56"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain in (bad_domain)
| distinct ip;
InboundBrowsing
| where src_ip in (bad_ips)

The threat actor's recon activities span between Dec. 28th 2021 to Jan. 2 2022; besides strangely nonsensical search terms, the threat actor looked at the "Careers" and "Internships" pages. Most worryingly, on Jan. 10 2022, there's evidence of exfiltration from various employee email accounts. I used this query to better isolate this information:

let bad_domain =
PassiveDns
| where ip == "223.80.243.56"
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain in (bad_domain)
| distinct ip;
InboundBrowsing
| where src_ip in (bad_ips)
| extend affected_user = tostring(parse_url(url_decode(url)).['Query Parameters'].["login_user"])
| extend affected_folder = tostring(parse_url(url_decode(url)).['Query Parameters'].["mailbox_folder"])
| extend exfil = tostring(parse_url(url_decode(url)).['Query Parameters'].["output"])
| where isnotempty(affected_folder) and isnotempty(affected_user) and isnotempty(exfil)

The employees are:

• Human Resources associate Margaret Ferris
• Marketing associate Joseph Talley
• Finance associate Erica Wilson
• Finance associate Mariana Patterson
• IT associate Blake Welsh
• Trial Administrator Catherine Dornier
• Trial Administrator Sarah Combs
• Trial Administrator David Martin

In light of this activity, perhaps it would be for the best to check AuthenticationEvents for any suspicious failed logins.

AuthenticationEvents
| where src_ip !startswith "192.168." //filter out internal corporate IPs
and result =~ "failed login"

This results in 1,331 failed login attempts from external IP addresses; a brief skim shows that the attackers tried a single password multiple times across multiple accounts and rotated through them. Since such a table is too unweildy to analyze properly, I decided to append summarize by count(), like this:

AuthenticationEvents
| where src_ip !startswith "192.168."
and result =~ "failed login"
| summarize count() by password_hash
| sort by count_

This is clearly a password spray attack. Running a similar query but for Succesful Logins shows that very few were actually successful (4 at most). The following is a list of all malicious IPs involved in the password spray attack and the domains they resolve to, if any:

AuthenticationEvents
| where src_ip !startswith "192.168."
and result =~ "failed login"
| distinct src_ip
| lookup PassiveDns on $left.src_ip == $right.ip