SOC Alert Analysis: Phishing Mail Detected – Excel 4.0 Macros

Introduction

Hello, and thank you for joining me in my latest blog entry! Today, we’re exploring an intriguing Security Operations Center (SOC) Alert from LetsDefend, a platform celebrated for its innovative approach to cybersecurity training. LetsDefend excels in providing a hands-on learning environment, offering simulated settings and authentic scenarios. This approach is essential for cybersecurity professionals to sharpen their abilities in detecting and managing a variety of cyber threats. The emphasis on practical, real-world applications makes LetsDefend a crucial resource for those eager to keep pace with the dynamic field of cyber defense. Let’s dive into this specific SOC Alert, examining its intricacies and learning how to effectively tackle such cybersecurity issues.

Our focus in this analysis is on a challenge related to a macro-enabled Excel file discovered in a phishing email.

In the email security segment, we have access to the original email that set off the alert, along with the option to download the questionable file for analysis to confirm whether it’s truly harmful. If you’re undertaking this lab as well, download and examine the file only in a secure, isolated environment that can be discarded once the investigation is complete. For my part, I’ll be conducting this lab within an isolated Linux virtual machine that I’ve prepared, running REMnux, a Linux distribution built specifically for malware analysis and reverse engineering that ships with a suite of tools tailored for these purposes.

Once I downloaded the zip file into my secure environment, I extracted it and obtained the following three files:

The Case Analysis

Now we’re all set to commence the analysis of this potentially malicious phishing email.

Parse Email

To initiate the investigation, we’ll begin by collecting detailed information about the incoming email.

From the email page, it’s evident that this email was received on June 13, 2021, at 02:11 PM.

The alert reveals that the SMTP address associated with the email is 24[.]213[.]228[.]54.

The alert also informs us that the sender’s email address is trenton@tritowncomputers[.]com, while the recipient’s email address is lars@letsdefend[.]io.

I suspect the email content is dubious because of its poorly written language and the fact that it solely refers to a document attachment.

The email includes a compressed file attachment.

The information we’ve collected in this phase of the investigation will be valuable in aiding our efforts in the later stages.

Are There Attachments or URLs in the Email?

Yes, there is a single attachment included in the email.

11f44531fb088d31307d87b01e8eabff.zip

Analyze URL/Attachment

There are a variety of services that we can use to validate the legitimacy of the Excel file that we extracted earlier.

  • AnyRun (https://any.run/report/1df68d55968bb9d2db4d0d18155188a03a442850ff543c8595166ac6987df820/45232809-6b44-4018-8f1a-57d4ed4ed4c4)
  • VirusTotal (https://www.virustotal.com/gui/file/1df68d55968bb9d2db4d0d18155188a03a442850ff543c8595166ac6987df820)
  • Hybrid Analysis (https://www.hybrid-analysis.com/sample/1df68d55968bb9d2db4d0d18155188a03a442850ff543c8595166ac6987df820)

Based on the analysis from these services, it’s determined that the file is malicious, equipped with macros designed to download files from external websites onto the local machine.

Additionally, I’ve gathered valuable information regarding Indicators of Compromise (IoC) that might prove useful in later stages of the investigation.

  • 188[.]209[.]214[.]83:443 – Contacted Host
  • 188[.]213[.]19[.]81 – Contacted Host
  • https://royalpalm[.]sparkblue[.]lk/vCNhYrq3Yg8/dot.html – Contacted URL
  • https://nws[.]visionconsulting[.]ro/N1G1KCXA/dot.html – Contacted URL
  • 192[.]232[.]219[.]67 – DNS Request

Check If Mail Delivered to User

The alert indicates that the email was permitted to be delivered to the user.

Delete Email From Recipient

It’s crucial to remove the email from the inbox so the user cannot execute the attachment, which could introduce further malicious files onto their computer. Deleting it now, however, does not rule out the possibility that the user has already opened the file, so that must be checked next.

Check If Someone Opened the Malicious File/URL

During the attachment analysis stage, I searched the logs for each of the Indicators of Compromise (IoC) host IP addresses and found that 188[.]213[.]19[.]81 had been contacted. This evidence confirms that the user did indeed read the email and opened the malicious Excel file on their machine. The source IP address of the request is 172[.]16[.]17[.]57, which corresponds to the LarsPRD system.
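To show how the IoC check in this step can be scripted rather than done by hand, here is an added Python example (not part of the lab or of LetsDefend’s tooling) that refangs the alert’s indicators and scans proxy log lines for hosts that contacted them. The log format `<timestamp> src=<ip> dst=<ip> [url=<url>]` and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators from the alert, kept in the defanged form used in the report.
IOC_HOSTS = {"188[.]209[.]214[.]83", "188[.]213[.]19[.]81", "192[.]232[.]219[.]67"}
IOC_URLS = {
    "https://royalpalm[.]sparkblue[.]lk/vCNhYrq3Yg8/dot.html",
    "https://nws[.]visionconsulting[.]ro/N1G1KCXA/dot.html",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into the form seen in logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

# Assumed (constructed) proxy/firewall log format: "<ts> src=<ip> dst=<ip> [url=<url>]"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: url=(?P<url>\S+))?$")

def find_ioc_hits(log_lines):
    """Return {source_ip: sorted list of matched indicators (defanged)}."""
    hosts = {refang(h): h for h in IOC_HOSTS}   # live value -> defanged report value
    urls = {refang(u): u for u in IOC_URLS}
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if m["dst"] in hosts:
            hits[m["src"]].add(hosts[m["dst"]])
        if m["url"] and m["url"] in urls:
            hits[m["src"]].add(urls[m["url"]])
    return {src: sorted(v) for src, v in hits.items()}

# Constructed sample log lines (not from the lab); only the second and
# fourth lines touch an indicator from the alert.
SAMPLE_LOGS = [
    "2021-06-13T14:12:01 src=172.16.17.12 dst=203.0.113.10 url=https://www.example.com/",
    "2021-06-13T14:15:44 src=172.16.17.57 dst=188.213.19.81",
    "2021-06-13T14:15:45 src=172.16.17.57 dst=10.0.0.5",
    "2021-06-13T14:15:50 src=172.16.17.57 dst=203.0.113.9 url=https://nws.visionconsulting.ro/N1G1KCXA/dot.html",
]

if __name__ == "__main__":
    for src, indicators in find_ioc_hits(SAMPLE_LOGS).items():
        print(f"{src} contacted: {', '.join(indicators)}")
```

Any source IP reported by `find_ioc_hits` is a candidate for containment; on the constructed input only 172.16.17.57 is flagged.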

Containment

It’s imperative to isolate this user’s machine, identified as the LarsPRD system with the IP address 172[.]16[.]17[.]57, from the rest of the network immediately. This precautionary measure is necessary to halt any potential spread of the malware to other systems within the network. By doing so, we can contain the threat and prevent it from escalating into a wider network compromise, which could lead to more severe data breaches or system failures. Quick and decisive isolation is a key step in effective incident response to limit the impact and scope of a cybersecurity incident.

Investigation Artifacts

  • trenton@tritowncomputers[.]com – Source Email Address
  • lars@letsdefend[.]io – Destination Email Address
  • 24[.]213[.]228[.]54 – SMTP Address
  • 172[.]16[.]17[.]57 – LarsPRD Machine
  • b775cd8be83696ca37b2fe00bcb40574 – MD5 Hash of the Excel File
  • 188[.]209[.]214[.]83 – Contacted Host
  • 188[.]213[.]19[.]81 – Identified C2 IP Address
  • https://royalpalm[.]sparkblue[.]lk/vCNhYrq3Yg8/dot.html – Contacted URL
  • https://nws[.]visionconsulting[.]ro/N1G1KCXA/dot.html – Contacted URL
  • 192[.]232[.]219[.]67 – DNS Request

Analyst Note

Initial Email Analysis

  • Date/Time Received: June 13, 2021, at 02:11 PM.
  • SMTP Address: 24[.]213[.]228[.]54.
  • Sender: trenton@tritowncomputers[.]com.
  • Recipient: lars@letsdefend[.]io.
  • Email Characteristics: Poor language, focuses on a document attachment.
  • Attachment: 11f44531fb088d31307d87b01e8eabff.zip (compressed file).

Attachment Analysis

  • File: Extracted Excel file from the zip.
  • Services Used:
    • AnyRun, VirusTotal, and Hybrid Analysis.
  • Findings: File confirmed malicious with harmful macros intended to download external files.

Indicators of Compromise (IoC) Identified

  • Contacted Hosts: 188[.]209[.]214[.]83, 188[.]213[.]19[.]81.
  • Contacted URLs: https://royalpalm[.]sparkblue[.]lk/vCNhYrq3Yg8/dot.html, https://nws[.]visionconsulting[.]ro/N1G1KCXA/dot.html.
  • DNS Request: 192[.]232[.]219[.]67.

Containment Response

  • Isolation: LarsPRD system (IP: 172[.]16[.]17[.]57) isolated from the network to prevent malware spread.
  • Email Removal: Deleted the malicious email from the recipient’s inbox.
  • User Activity Check: Confirmed the user opened the malicious file (IP: 188[.]213[.]19[.]81 contacted).

Close Alert

Upon thorough analysis, we have confirmed the alert as a True Positive. The incident involved a phishing email with a malicious macro-enabled Excel file attachment intended to download harmful payloads. The identified IoCs and the user’s interaction with the malicious file corroborate the legitimacy of the threat.

The alert has been successfully resolved, with appropriate measures taken to mitigate the threat and prevent similar incidents. The incident will be documented for future reference and learning. Continued vigilance and improvement of our cybersecurity posture are imperative.

Conclusion

In wrapping up this blog post, we’ve navigated through the complex terrain of a sophisticated phishing attack, showcasing the critical importance of readiness and informed response in the realm of cybersecurity. Our journey from the initial discovery of the macro-enabled Excel file in a deceptive email to the strategic containment and analysis highlights the indispensable value of platforms like LetsDefend. These platforms not only illuminate the dark corners of cyber threats but also empower professionals with the hands-on experience necessary to counteract these threats effectively.

Our analysis underlines a pivotal message: cybersecurity is not just about the tools and technologies but about the keen eye for details, understanding of the threat landscape, and the swift, decisive actions of those at the cybersecurity frontlines. As we close this alert as a true positive, we acknowledge the continuous battle against cyber threats. Still, we also celebrate the resilience and adaptability of cybersecurity defenders. The insights gained today enrich our knowledge and sharpen our skills, fortifying our defenses for the challenges ahead. Stay vigilant, stay informed, and let’s continue to defend the digital frontier together.
