Hunting “Volt Typhoon” State-Sponsored Actor in Memory With Magnet AXIOM Cyber
This is a post authored by Matt Suiche (Director, Memory, IR & R&D).
The Cybersecurity and Infrastructure Security Agency (CISA) and its partners recently released a joint cybersecurity advisory uncovering a new attack by a nation-state sponsored actor dubbed “Volt Typhoon” (also tracked as BRONZE SILHOUETTE), in which the threat actor relies on fileless, “Living-Off-The-Land” (LOTL) techniques.
Volt Typhoon targeted several critical infrastructure networks in the U.S. using multiple LOTL techniques, leveraging built-in network administration tools to achieve its objectives, such as:
- certutil
- dnscmd
- ldifde
- makecab
- net user/group/use
- nltest
- ntdsutil
- reg query/save
- systeminfo
- tasklist
- wevtutil
- wmic
- xcopy
Additionally, several PowerShell scripts and commands allow the attacker to evade detection very efficiently by blending in with legitimate system and network activity, so that endpoint detection and response (EDR) products do not flag it.
This is one of the reasons proactive threat hunting is important. It is also critical to have an adequate strategy for scenarios where your EDR or XDR fails to alert you to something abnormal. As attackers become more efficient at evading most EDRs and XDRs, that importance will only grow.
The advisory shares several indicators that were originally designed for on-disk files but can also be used for memory hunting through YARA rules. Those rules can be found at the end of this blog post and used within AXIOM Cyber to scan the memory space of all processes through our newly integrated memory capabilities.
YARA rules written for physical files sometimes include conditions specific to their “on-disk” attributes, such as “filesize”. If we simply remove those conditions when performing memory scanning, we open a new scope of search for those rules. That is the case for the “EncryptJSP” and “ShellJSP” rules, which detect the presence of an Awen-derived web shell dropped by the attacker after moving laterally across different web servers. The web shell allows the threat actors to execute a series of reconnaissance commands and also serves persistence and exfiltration [T1505.003].
This allows investigators and analysts to scan machines quickly, efficiently and simply. For more information on using YARA rules in AXIOM Cyber, check out: YARA Rule Processing in Magnet AXIOM Cyber
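To make that adaptation concrete, here is an added worked example (not code from AXIOM Cyber, from YARA or from the CISA advisory): a small Python evaluator that reproduces the “ascii”, “wide” and “nocase” string modifiers and the “N of them” condition used by the rules at the end of this post, runs them over constructed sample memory regions, and shows why a leftover “filesize” term keeps an on-disk rule from ever firing on a process. The MemRule helper, the sample buffers and the hypothetical “filesize < 100KB” term on the ShellJSP_OnDisk variant are assumptions made for the illustration (the advisory's exact on-disk condition is not reproduced), and for brevity the toy applies modifiers rule-wide where YARA attaches them per string. Real scanning should use YARA itself; this only makes the semantics visible.

```python
"""Evaluate YARA-style "N of them" string conditions over a memory buffer.

Added illustration, not code from Magnet AXIOM Cyber, YARA or the CISA advisory:
a toy evaluator for the `ascii`, `wide` and `nocase` modifiers and the `N of them`
condition, plus a demonstration of why a leftover on-disk `filesize` term makes a
rule miss when the scan target is a process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MemRule:
    name: str
    strings: Dict[str, str]             # identifier -> literal, e.g. {"$s1": "decrypt(fpath)"}
    required: int                       # the N in "N of them"
    nocase: bool = False                # YARA `nocase`: case-insensitive compare
    ascii: bool = True                  # YARA `ascii`: match the one-byte form
    wide: bool = False                  # YARA `wide`: also match the UTF-16LE form
    max_filesize: Optional[int] = None  # hypothetical leftover `filesize < N` term


def compile_strings(rule: MemRule) -> Dict[str, re.Pattern]:
    """One byte regex per identifier covering every enabled encoding.

    re.IGNORECASE on bytes folds only ASCII letters, which is what `nocase`
    means for both the one-byte and the UTF-16LE form of a Latin string.
    """
    flags = re.IGNORECASE if rule.nocase else 0
    compiled = {}
    for ident, text in rule.strings.items():
        forms = []
        if rule.ascii:
            forms.append(re.escape(text.encode("ascii")))
        if rule.wide:
            forms.append(re.escape(text.encode("utf-16-le")))
        compiled[ident] = re.compile(b"|".join(forms), flags)
    return compiled


def matched_strings(rule: MemRule, region: bytes) -> List[str]:
    """Identifiers whose string occurs at least once in the buffer."""
    return sorted(i for i, pat in compile_strings(rule).items() if pat.search(region))


def evaluate(rule: MemRule, region: bytes, target_is_process: bool = True) -> Tuple[bool, List[str]]:
    """Apply `N of them`, plus the filesize term if the rule still carries one.

    YARA defines `filesize` for file targets only; on a process target it is
    undefined and a comparison on it cannot hold, so the rule never fires no
    matter how many strings are present. That is the miss the post removes by
    dropping the condition for memory scanning.
    """
    hits = matched_strings(rule, region)
    if rule.max_filesize is not None:
        if target_is_process or len(region) >= rule.max_filesize:
            return False, hits
    return len(hits) >= rule.required, hits


# ShellJSP as given in this post: plain ascii strings, "4 of them".
SHELLJSP_STRINGS = {"$s1": "decrypt(fpath)", "$s2": "decrypt(fcontext)",
                    "$s3": "decrypt(commandEnc)", "$s4": "upload failed!",
                    "$s5": "aes.encrypt(allStr)", "$s6": "newid"}
SHELLJSP_MEMORY = MemRule("ShellJSP_Memory", SHELLJSP_STRINGS, required=4)
# Same strings with a constructed `filesize < 100KB` leftover, to show the failure mode.
SHELLJSP_ONDISK = MemRule("ShellJSP_OnDisk", SHELLJSP_STRINGS, required=4,
                          max_filesize=100 * 1024)
# HACKTOOL_FRPClient as given in this post: `nocase ascii wide`, "3 of them".
FRP_CLIENT = MemRule("HACKTOOL_FRPClient", {
    "$s1": "%!PS-Adobe-", "$s2": "github.com/fatedier/frp/cmd/frpc",
    "$s3": "github.com/fatedier/frp/cmd/frpc/sub.startService",
    "$s4": "HTTP_PROXYHost: %s"}, required=3, nocase=True, wide=True)

# Constructed sample regions (not real captures): JSP source fragments as they
# might sit in a JVM heap, and Go binary strings with one lower-case UTF-16LE copy.
JSP_REGION = (b"\x00" * 64
              + b"String p = decrypt(fpath); String c = decrypt(fcontext);"
              + "decrypt(commandEnc)".encode("utf-16-le")  # wide only: an ascii-only rule skips it
              + b'\x00\x00out.println("upload failed!"); String newid = uuid();'
              + b"\x90" * 128)
FRP_REGION = (b"%!PS-Adobe-3.0\n"
              + b"github.com/fatedier/frp/cmd/frpc/sub.startService\x00"
              + "http_proxyhost: %s".encode("utf-16-le")   # matched only via nocase + wide
              + b"\x00" * 32)


if __name__ == "__main__":
    for rule, region in ((SHELLJSP_MEMORY, JSP_REGION), (SHELLJSP_ONDISK, JSP_REGION),
                         (FRP_CLIENT, FRP_REGION)):
        fired, hits = evaluate(rule, region)
        print(f"{rule.name}: {'MATCH' if fired else 'no match'} {hits}")
```

Running it shows ShellJSP_Memory matching on four ascii hits while the UTF-16LE copy of decrypt(commandEnc) is invisible to an ascii-only string, ShellJSP_OnDisk finding the same four strings yet never firing on a process target, and HACKTOOL_FRPClient picking up the lower-case wide HTTP_PROXYHost string only because of its nocase and wide modifiers.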
Find Out More About Memory Analysis in AXIOM Cyber
To learn more about the recently updated memory analysis capabilities of AXIOM Cyber check out Comae Memory Analysis Capabilities Integrated Into Magnet AXIOM Cyber.
To try the memory analysis capabilities of Comae in AXIOM Cyber for yourself, update to the latest version over at the Customer Portal or request a free trial today!
YARA Rules for Hunting “Volt Typhoon”
YARA rules can be added to the AXIOM Cyber processing engine through the configuration menu. Check out the video in the blog “YARA Rule Processing in Magnet AXIOM Cyber” to learn how.
ShellJSP
rule ShellJSP_Memory {
    strings:
        $s1 = "decrypt(fpath)"
        $s2 = "decrypt(fcontext)"
        $s3 = "decrypt(commandEnc)"
        $s4 = "upload failed!"
        $s5 = "aes.encrypt(allStr)"
        $s6 = "newid"
    condition:
        4 of them
}
EncryptJSP
rule EncryptJSP_Memory {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        6 of them
}
CustomFRPClient
rule CustomFRPClient {
    meta:
        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "MAGA2024!!!" nocase ascii wide
        $s5 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        all of them
}
HACKTOOL_FRP_Client
rule HACKTOOL_FRPClient {
    meta:
        description = "Identify instances of FRP tool (Note: This tool is known to be used by multiple actors, so hits would not necessarily imply activity by the specific actor described in this report)"
    strings:
        $s1 = "%!PS-Adobe-" nocase ascii wide
        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
    condition:
        3 of them
}