Thursday, June 11, 2015

Miscreant Impersonated Century Link Technician - What did they do?

Recently a friend came to me and asked if I would be interested in looking at one of their friends computer.  The reason behind it was a miscreant, who impersonated Century Link, called and gained remote access to the computer.  With this access they proceeded to state they were fixing the computer.  After cloning the hard drive, these are the steps I took to analyze it.

First, to clone the drive I used a duplicator.  One of these can be found on Amazon for less than a $100 depending on the model and the features you get.  One such model can be found at this link and I have also included a picture below:


After the drive is cloned, I use an external enclosure to mount the drive.  Similar to the one at this link or below:


When you mount the drive verify that you mount it read only.  I am utilizing a Debian linux distro called Kali to conduct the analysis.  Initially when I plugged the drive in I saw the following:


The hard drive after plugging it in showed up as /dev/sdb and it auto-mounted it's 2 partitions in the /media folder.  These were also mounted as you can see rw which stands for read-write.  However, to preserve the information we want to re-mount this hard drive as read-only so nothing can change.  To do this the following commands were issued:

umount /dev/sdb1 - Command to unmount the first partition
umount /dev/sdb2 - Command to unmount the second partition
mkdir /mnt/analysis - Create a directory under the /mnt partition to mount to
mount -t ntfs /dev/sdb2 /mnt/analysis -o ro - mount the 2nd partition to the /mnt/analysis directory read-only

After mounting the drive read-only I like to scan it with an anti-virus (AV).  The anti-virus that I have installed on Kali is ClamAV.  With up-to-date signatures I initiated a scan on the partition that I mounted.  Most of the time when an AV detects malware it will remove it, however I do not want it removed.  I want to use the results of the AV scan to assist in the analysis.  Let this run in the background as you conduct other tasks.  Below are the commands executed to run a scan on the second partition.

clamscan -i -r /mnt/analysis  
# The above command will run the ClamAV scan, -i will only display the infected files, -r does a recursive scan and then what directory or mount point do I want it to scan.

To create a timeline based on the files on the physical drive we will use a utility that is part of the sleuth kit called fls.  The description of fls as contained in the man page is fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode.

I used the following command to create the timeline:

fls -l -p -r /dev/sdb2 > fls-timeline-output.txt

After this command completes you will have a timeline of the filesystem.  To explain the output of this file.  It contains 9 columns that are tab delimited.
1st column at a high level is if it is a directory, file, a deleted file, file unique identifier, and parent identifier
2nd column is the filepath and filename
3rd column is the date/time of when the file was last modified
4th column is the date/time of when the file was last accessed
5th column is the date/time of when the master file table (MFT) was last modified
6th column is the date/time of when the file was created

Another method to get a timeline is with the following 2 commands:

fls -r -m "/mnt/analysis" /dev/sdb2 > fls-bodyfile.txt
mactime -b fls-bodyfile.txt -d > fls-bodyfile.csv

The above commands will create a comma-delimited file which will allow you to view it in Microsoft Excel or Libre / Open Office.

Glancing back at the anti-virus (AV) scan that is running it had come back flagging 3 files:

/Users/<>/AppData/Local/LogMeIn Rescue Applet/LMIR0001.tmp/lmi_rescue.exe: Win.Worm.Agent-9246 
/Users/<>/AppData/Local/LogMeIn Rescue Applet/LMIR0001.tmp/LMI_Rescue_srv.exe: Win.Worm.Agent-9246
/Users/<>/AppData/Local/LogMeIn Rescue Applet/LMIR0001.tmp/ra64app.exe: Win.Worm.Chir-1896

With these results I am more interested in that the miscreant may have used "LogMeIn" to remotely control the computer.So what probably occurred was they called up impersonating Century Link technical support and then convinced the user to install the LogMeIn software.  Going back to the first time line that we gathered let's grep for the keyword of "LogMeIn".

cat fls-timeline-output.txt | grep -i "LogMeIn" > fls-timeline-w-LogMeIn.txt

Results:
r/r 60435-128-4: Users/<>/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/H1057PY5/Support-LogMeInRescue.exe 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 1528128 0 0

r/r 60435-128-5: Users/<>/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/H1057PY5/Support-LogMeInRescue.exe:Zone.Identifier 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 2015-06-09 18:33:03 (MDT) 26 0 0

We can see that the timeframe of the creation of this file matches the approximate time frame of when the miscreant was communicating with the user.  The phone call was probably minutes before this file was downloaded and installed.  With this timestamp we can begin to identify the activity that occurred on the computer while the miscreant was social engineering the user.  June 9, 2015 @ 6:33:03 PM if this is correct. 

The LogMeIn installed itself inside of the following directory Users/<>/AppData/Local/LogMeIn Rescue Applet/LMIR0001.tmp/.  Located in this directory is a session log which tells us the technician ID that was used by the miscreant and when the remote control / view of the session began.  Some of the information has been removed.

2015-06-10 12:33:05 AM|00000fc4||Starts=Rescue Applet
2015-06-10 12:33:05 AM|00000fc4||AppletRole=Standalone
2015-06-10 12:33:05 AM|00000fc4||AppletVersion=7.6.403.1728
2015-06-10 12:33:05 AM|00000fc4||OperatingSystem=Windows N 6.1.7601
2015-06-10 12:33:05 AM|00000fc4||Folder=C:\Users\<>\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\
...
2015-06-10 12:33:35 AM|00001160||Gateway=control.app02-04.logmeinrescue.com
2015-06-10 12:33:47 AM|00001160|360164719|TechnicianID=14565682
...
2015-06-10 12:34:02 AM|00001178|360164719|AppletRole=Remote Control/View
2015-06-10 12:34:02 AM|00001178|360164719|AppletVersion=7.6.403.1728
...
2015-06-10 12:52:25 AM|00001178|360164719|Stops=Rescue Applet
2015-06-10 12:54:29 AM|00000fc4||Stops=Rescue Applet
2015-06-10 12:54:30 AM|00001160|360164719|Stops=Rescue Applet

From this we can observe that they began the remote control session according to this log on June 10, 2015 at 12:34:02 and ended on June 10, 2015 at 12:54:30.  This is approximately 20 minutes that they were controlling the computer.

The time zone discrepency could be that the time displayed in the session.log is in UTC time.  I called LogMeIn technical support to ask what information they would need to look into such an occurrence.  They were not very helpful and stated that the above Technician ID does not help them identify such an instance.  They did say if the 6 digit alpha-numeric code that was used to connect the remote session could be found it would be helpful.

Looking through the temporary internet files to identify additional sites visited and files downloaded.  I found the following site being accessed: http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/   
This site was accessed at Jun 09 2015 18:41:53.  It was probably used to explain to the user that rundll32.exe was a malicious process running on the computer as shown on the site and in the picture below:


It also appears that they convinced them to go into or were guided to view the disk defrag screen, process manager, and other programs where typical errors are located to help convince the user that the PC was infected.  Then the session ended.  I could not find additional files that were downloaded.  I did find that from the command line the miscreant tried to use ping, probably to convince the user the computer could not connect to something.  This was done by looking at the internet history, pre-fetch files and other executables that were run.

Even though it appears this miscreant did not get anything, they are after any information they can get.  This ranges from bank account information, credit card information and more.  I have seen it where they will create the victim an email account to use so the victim will be able to transfer documents back and forth to them.

When this sort of intrusion occurs the hard drive should be wiped and reinstalled regardless of the situation.

No comments:

Post a Comment

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...