Erbium Stealer

Created by: sharat87

Date created: 2022-12-19

Last edited: 2023-01-24

Description: Heatmap of instances of ATT&CK techniques for Erbium Stealer based on recent public CTI reporting (sources in notes for each technique).

Techniques (34)

• Account Discovery

  ID: T1087

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406)).Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.

  For examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Code Signing

  ID: T1553.002

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. ^{[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)]} The certificates used during an operation may be created, acquired, or stolen by the adversary. ^{[[Securelist Digital Certificates](https://app.tidalcyber.com/references/3568163b-24b8-42fd-b111-b9d83c34cc4f)] [[Symantec Digital Certificates](https://app.tidalcyber.com/references/4b4f0171-827d-45c3-8c89-66ea801e77e8)]} Unlike [Invalid Code Signature](https://app.tidalcyber.com/technique/aa5a31d0-1b78-481d-a317-5089c1e111bf), this activity will result in a valid signature.Code signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. ^{[[Wikipedia Code Signing](https://app.tidalcyber.com/references/363e860d-e14c-4fcd-985f-f76353018908)][[EclecticLightChecksonEXECodeSigning](https://app.tidalcyber.com/references/2885db46-4f8c-4c35-901c-7641c7701293)]}

  Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Credentials from Web Browsers

  ID: T1555.003

  Tactics: Credential Access

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer, https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

  SHOW MORE

  Adversaries may acquire credentials from web browsers by reading files specific to the target browser.^{[[Talos Olympic Destroyer 2018](https://app.tidalcyber.com/references/25a2e179-7abd-4091-8af4-e9d2bf24ef11)]} Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key.^{[[Microsoft CryptUnprotectData April 2018](https://app.tidalcyber.com/references/258088ae-96c2-4520-8eb5-1a7e540a9a24)]}

  Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.^{[[Proofpoint Vega Credential Stealer May 2018](https://app.tidalcyber.com/references/c52fe62f-4df4-43b0-a126-2df07dc61fc0)][[FireEye HawkEye Malware July 2017](https://app.tidalcyber.com/references/7ad228a8-5450-45ec-86fc-ea038f7c6ef7)]} Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://app.tidalcyber.com/technique/9503955c-fa53-452a-b717-7e23bfb4df83).

  Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.^{[[GitHub Mimikittenz July 2016](https://app.tidalcyber.com/references/2e0a95b2-3f9a-4638-9bc5-ff1f3ac2af4b)]}

  After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• Credentials In Files

  ID: T1552.001

  Tactics: Credential Access

  Description: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

  SHOW MORE

  Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). ^{[[CG 2014](https://app.tidalcyber.com/references/46836549-f7e9-45e1-8d89-4d25ba26dbd7)]} Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. ^{[[SRD GPP](https://app.tidalcyber.com/references/a15fff18-5d3f-4898-9e47-ec6ae7dda749)]}

  In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.^{[[Unit 42 Hildegard Malware](https://app.tidalcyber.com/references/0941cf0e-75d8-4c96-bc42-c99d809e75f9)]} They may also be found as parameters to deployment commands in container logs.^{[[Unit 42 Unsecured Docker Daemons](https://app.tidalcyber.com/references/efcbbbdd-9af1-46c2-8538-3fd22f2b67d2)]} In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.^{[[Specter Ops – Cloud Credential Storage](https://app.tidalcyber.com/references/95d6d1ce-ceba-48ee-88c4-0fb30058bd80)]}

  Source: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

• Data from Local System

  ID: T1005

  Tactics: Collection

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

  Erbium Stealer Malware Report

  SHOW MORE

  Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.Adversaries may do this using a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), such as [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) as well as a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907), which have functionality to interact with the file system to gather information.^{[[show_run_config_cmd_cisco](https://app.tidalcyber.com/references/5a68a45a-a53e-5d73-a82a-0cc951071aef)]} Adversaries may also use [Automated Collection](https://app.tidalcyber.com/technique/107ad6c5-79b1-468c-9519-1578bee2ac49) on the local system.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• Debugger Evasion

  ID: T1622

  Tactics: Defense Evasion, Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.^{[[ProcessHacker Github](https://app.tidalcyber.com/references/3fc82a92-cfba-405d-b30e-22eba69ab1ee)]}Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.

  Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).^{[[hasherezade debug](https://app.tidalcyber.com/references/53b0c71d-c577-40e8-8a04-9de083e276a2)][[AlKhaser Debug](https://app.tidalcyber.com/references/d9773aaf-e3ec-4ce3-b5c8-1ca3c4751622)][[vxunderground debug](https://app.tidalcyber.com/references/8c7fe2a2-64a1-4680-a4e6-f6eefe00407a)]}

  Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) function calls such as OutputDebugStringW().^{[[wardle evilquest partii](https://app.tidalcyber.com/references/4fee237c-c2ec-47f5-b382-ec6bd4779281)][[Checkpoint Dridex Jan 2021](https://app.tidalcyber.com/references/a988084f-1a58-4e5b-a616-ed31d311cccf)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Deobfuscate/Decode Files or Information

  ID: T1140

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may use [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.One such example is the use of [certutil](https://app.tidalcyber.com/software/2fe21578-ee31-4ee8-b6ab-b5f76f97d043) to decode a remote access tool portable executable file that has been hidden inside a certificate file.^{[[Malwarebytes Targeted Attack against Saudi Arabia](https://app.tidalcyber.com/references/735647f9-9cd4-4a20-8812-4671a3358e46)]} Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.^{[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]}

  Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. ^{[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Disable or Modify Tools

  ID: T1562.001

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.^{[[SCADAfence_ransomware](https://app.tidalcyber.com/references/24c80db5-37a7-46ee-b232-f3c3ffb10f0a)]}Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://app.tidalcyber.com/technique/154dccf2-21fa-4aee-99cc-d959d841f8b1), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.^{[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)][[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)]}

  Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.^{[[disable_win_evt_logging](https://app.tidalcyber.com/references/408c0c8c-5d8e-5ebe-bd31-81b405c615d8)]}

  In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

  Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.^{[[chasing_avaddon_ransomware](https://app.tidalcyber.com/references/c5aeed6b-2d5d-4d49-b05e-261d565808d9)][[dharma_ransomware](https://app.tidalcyber.com/references/dfd168c0-40da-4402-a123-963eb8e2125a)][[demystifying_ryuk](https://app.tidalcyber.com/references/3dc684c7-14de-4dc0-9f11-79160c4f5038)][[doppelpaymer_crowdstrike](https://app.tidalcyber.com/references/54b5d8af-21f0-4d1c-ada8-b87db85dd742)]} For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.^{[[demystifying_ryuk](https://app.tidalcyber.com/references/3dc684c7-14de-4dc0-9f11-79160c4f5038)]}

  Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c)), which may lead to bypassing anti-tampering features.^{[[avoslocker_ransomware](https://app.tidalcyber.com/references/ea2756ce-a183-4c80-af11-92374ad045b2)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Dynamic-link Library Injection

  ID: T1055.001

  Tactics: Privilege Escalation, Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). ^{[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]}

  Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).^{[[Elastic HuntingNMemory June 2017](https://app.tidalcyber.com/references/8cd58716-4ff1-4ba2-b980-32c52cf7dee8)][[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]}

  Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module’s AddressOfEntryPoint before starting a new thread in the target process.^{[[Module Stomping for Shellcode Injection](https://app.tidalcyber.com/references/0f9b58e2-2a81-4b79-aad6-b36a844cf1c6)]} This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.^{[[Hiding Malicious Code with Module Stomping](https://app.tidalcyber.com/references/88983d22-980d-4442-858a-3b70ec485b94)]}

  Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Encrypted Channel

  ID: T1573

  Tactics: Command and Control

  Description: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

  SHOW MORE

  Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

  Source: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

• Exfiltration Over C2 Channel

  ID: T1041

  Tactics: Exfiltration

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• File and Directory Discovery

  ID: T1083

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://app.tidalcyber.com/technique/1492c4ba-c933-47b8-953d-6de3db8cfce8) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.^{[[Windows Commands JPCERT](https://app.tidalcyber.com/references/9d935f7f-bc2a-4d09-a51a-82074ffd7d77)]} Custom tools may also be used to gather file and directory information and interact with the [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560). Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).^{[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Indirect Command Execution

  ID: T1202

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8). For example, [Forfiles](https://app.tidalcyber.com/software/c6dc67a6-587d-4700-a7de-bee043a0031a), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), Run window, or via scripts. ^{[[VectorSec ForFiles Aug 2017](https://app.tidalcyber.com/references/8088d15d-9512-4d12-a99a-c76ad9dc3390)] [[Evi1cg Forfiles Nov 2017](https://app.tidalcyber.com/references/b292b85e-68eb-43c3-9b5b-222810e2f26a)]}Adversaries may abuse these features for [Defense Evasion](https://app.tidalcyber.com/tactics/8e29c6c9-0c10-4bb0-827d-ff0ab8922726), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or file extensions more commonly associated with malicious payloads.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Malicious File

  ID: T1204.002

  Tactics: Execution

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://app.tidalcyber.com/technique/ba553ad4-5699-4458-ae4e-76e1faa43291). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.Adversaries may employ various forms of [Masquerading](https://app.tidalcyber.com/technique/a0adacc1-8d2a-4e0b-92c1-3766264df4fd) and [Obfuscated Files or Information](https://app.tidalcyber.com/technique/046cc07e-8700-4536-9c5b-6ecb384f52b0) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.^{[[Password Protected Word Docs](https://app.tidalcyber.com/references/fe6f3ee6-b0a4-4092-947b-48e02a9255c1)]}

  While [Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://app.tidalcyber.com/technique/4f4ea659-7653-4bfd-a525-b2af32c5899b).

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Malicious Link

  ID: T1204.001

  Tactics: Execution

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://app.tidalcyber.com/technique/068df3d7-f788-44e4-9e6b-2ae443af1609). Links may also lead users to download files that require execution via [Malicious File](https://app.tidalcyber.com/technique/3412ca73-2f25-452a-8e6e-5c28fe72ef78).

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Modify Registry

  ID: T1112

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) may be used for local or remote Registry modification. ^{[[Microsoft Reg](https://app.tidalcyber.com/references/1e1b21bd-18b3-4c77-8eb8-911b028ab603)]} Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

  Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://app.tidalcyber.com/software/d796615c-fa3d-4afd-817a-1a3db8c73532) or other utilities using the Win32 API. ^{[[Microsoft Reghide NOV 2006](https://app.tidalcyber.com/references/42503ec7-f5da-4116-a3b3-a1b18a66eed3)]} Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. ^{[[TrendMicro POWELIKS AUG 2014](https://app.tidalcyber.com/references/4a42df15-4d09-4f4f-8333-2b41356fdb80)] [[SpectorOps Hiding Reg Jul 2017](https://app.tidalcyber.com/references/877a5ae4-ec5f-4f53-b69d-ba74ff9e1619)]}

  The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. ^{[[Microsoft Remote](https://app.tidalcyber.com/references/331d59e3-ce7f-483c-b77d-001c8a9ae1df)]} Often [Valid Accounts](https://app.tidalcyber.com/technique/a9b7eb2f-63e7-41bc-9d77-f7c4cede5406) are required, along with access to the remote system’s [SMB/Windows Admin Shares](https://app.tidalcyber.com/technique/bc2f2c6c-ffe7-4e78-bbac-369f6781bbdd) for RPC communication.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Native API

  ID: T1106

  Tactics: Execution

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

  Erbium Stealer Malware Report

  SHOW MORE

  Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.^{[[NT API Windows](https://app.tidalcyber.com/references/306f7da7-caa2-40bf-a3db-e579c541eeb4)][[Linux Kernel API](https://app.tidalcyber.com/references/0a30d54e-187a-43e0-9725-3c80aa1c7619)]} These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.^{[[OutFlank System Calls](https://app.tidalcyber.com/references/c4c3370a-2d6b-4ebd-961e-58d584066377)][[CyberBit System Calls](https://app.tidalcyber.com/references/c13cf528-2a7d-4a32-aee2-db5db2f30298)][[MDSec System Calls](https://app.tidalcyber.com/references/b461e226-1317-4ce4-a195-ba4c4957db99)]} For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.^{[[Microsoft CreateProcess](https://app.tidalcyber.com/references/aa336e3a-464d-48ce-bebb-760b73764610)][[GNU Fork](https://app.tidalcyber.com/references/c46331cb-328a-46e3-89c4-e43fa345d6e8)]} This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.^{[[Microsoft Win32](https://app.tidalcyber.com/references/585b9975-3cfb-4485-a9eb-5eea337ebd3c)][[LIBC](https://app.tidalcyber.com/references/a3fe6ea5-c443-473a-bb13-b4fd8f4923fd)][[GLIBC](https://app.tidalcyber.com/references/75a6a1bf-a5a7-419d-b290-6662aeddb7eb)]}

  Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.^{[[Microsoft NET](https://app.tidalcyber.com/references/b4727044-51bb-43b3-afdb-515bb4bb0f7e)][[Apple Core Services](https://app.tidalcyber.com/references/0ef05e47-1305-4715-a677-67f1b55b24a3)][[MACOS Cocoa](https://app.tidalcyber.com/references/6ada4c6a-23dc-4469-a3a1-1d3b4935db97)][[macOS Foundation](https://app.tidalcyber.com/references/ea194268-0a8f-4494-be09-ef5f679f68fe)]}

  Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6)).

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• Network Service Discovery

  ID: T1046

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.^{[[CISA AR21-126A FIVEHANDS May 2021](https://app.tidalcyber.com/references/f98604dd-2881-4024-8e43-6f5f48c6c9fa)]}Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

  Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.^{[[apple doco bonjour description](https://app.tidalcyber.com/references/b8538d67-ab91-41c2-9cc3-a7b00c6b372a)][[macOS APT Activity Bradley](https://app.tidalcyber.com/references/7ccda957-b38d-4c3f-a8f5-6cecdcb3f584)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Obfuscated Files or Information

  ID: T1027

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

  Erbium Stealer Malware Report

  SHOW MORE

  Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and [Deobfuscate/Decode Files or Information](https://app.tidalcyber.com/technique/88c2fb46-877a-4005-8425-7639d0da1920) for [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. ^{[[Volexity PowerDuke November 2016](https://app.tidalcyber.com/references/4026c055-6020-41bb-a4c8-54b308867023)]} Adversaries may also use compressed or archived scripts, such as JavaScript.

  Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. ^{[[Linux/Cdorked.A We Live Security Analysis](https://app.tidalcyber.com/references/f76fce2e-2884-4b50-a7d7-55f08b84099c)]} Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. ^{[[Carbon Black Obfuscation Sept 2016](https://app.tidalcyber.com/references/bed8ae68-9738-46fb-abc9-0004fa35636a)]}

  Adversaries may also abuse [Command Obfuscation](https://app.tidalcyber.com/technique/d8406198-626c-5659-945e-2b5105fcd0c9) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://app.tidalcyber.com/technique/a2184d53-63b1-4c40-81ed-da799080c36c). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. ^{[[FireEye Obfuscation June 2017](https://app.tidalcyber.com/references/6d1089b7-0efe-4961-8abc-22a882895377)] [[FireEye Revoke-Obfuscation July 2017](https://app.tidalcyber.com/references/e03e9d19-18bb-4d28-8c96-8c1cef89a20b)][[PaloAlto EncodedCommand March 2017](https://app.tidalcyber.com/references/069ef9af-3402-4b13-8c60-b397b0b0bfd7)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• OS Credential Dumping

  ID: T1003

  Tactics: Credential Access

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://app.tidalcyber.com/tactics/50ba4930-7c8e-4ef9-bc36-70e7dae661eb) and access restricted information.Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Process Discovery

  ID: T1057

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

  Erbium Stealer Malware Report

  SHOW MORE

  Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://app.tidalcyber.com/technique/710ae610-0556-44e5-9de9-8be6159a23dd) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://app.tidalcyber.com/software/abae8f19-9497-4a71-82b6-ae6edd26ad98) utility via [cmd](https://app.tidalcyber.com/software/98d89476-63ec-4baf-b2b3-86c52170f5d8) or Get-Process via [PowerShell](https://app.tidalcyber.com/technique/6ca7838a-e8ad-43e8-9da6-15b640d1cbde). Information about processes can also be extracted from the output of [Native API](https://app.tidalcyber.com/technique/1120f5ec-ef1b-4596-8d8b-a3979a766560) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.

  On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show processes` can be used to display current running processes.^{[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)][[show_processes_cisco_cmd](https://app.tidalcyber.com/references/944e529b-5e8a-54a1-b205-71dcb7dd304f)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• Process Hollowing

  ID: T1055.012

  Tactics: Privilege Escalation, Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.^{[[Leitch Hollowing](https://app.tidalcyber.com/references/8feb180a-bfad-42cb-b8ee-792c5088567a)][[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]}

  This is very similar to [Thread Local Storage](https://app.tidalcyber.com/technique/24e0b530-cca7-4c5c-83b2-97b83c716e42) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Reflective Code Loading

  ID: T1620

  Tactics: Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).^{[[Introducing Donut](https://app.tidalcyber.com/references/8fd099c6-e002-44d0-8b7f-65f290a42c07)][[S1 Custom Shellcode Tool](https://app.tidalcyber.com/references/f49bfd00-48d5-4d84-a7b7-cb23fcdf861b)][[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Mandiant BYOL](https://app.tidalcyber.com/references/445efe8b-659a-4023-afc7-aa7cd21ee5a1)]}Reflective code injection is very similar to [Process Injection](https://app.tidalcyber.com/technique/7a6208ac-c75e-4e73-8969-0aaf6085cb6e) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.^{[[Stuart ELF Memory](https://app.tidalcyber.com/references/402745e1-a65a-4fa1-a86d-99b37221095c)][[00sec Droppers](https://app.tidalcyber.com/references/7569e79b-5a80-4f42-b467-8548cc9fc319)][[Intezer ACBackdoor](https://app.tidalcyber.com/references/e6cb833f-cf18-498b-a233-848853423412)][[S1 Old Rat New Tricks](https://app.tidalcyber.com/references/20ef3645-fb92-4e13-a5a8-99367869bcba)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Screen Capture

  ID: T1113

  Tactics: Collection

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.^{[[CopyFromScreen .NET](https://app.tidalcyber.com/references/b9733af4-ffb4-416e-884e-d51649aecbce)][[Antiquated Mac Malware](https://app.tidalcyber.com/references/165edb01-2681-45a3-b76b-4eb7dee5dab9)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Software Discovery

  ID: T1518

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://app.tidalcyber.com/technique/e9bff6ff-3142-4910-8f67-19b868912602) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://app.tidalcyber.com/technique/9cc715d7-9969-485f-87a2-c9f7ed3cc44c).

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Spearphishing Attachment

  ID: T1566.001

  Tactics: Initial Access

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://app.tidalcyber.com/technique/b84435ab-2ff4-4b6f-ba71-b4b815474872) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Steal Application Access Token

  ID: T1528

  Tactics: Credential Access

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).^{[[Auth0 – Why You Should Always Use Access Tokens to Secure APIs Sept 2019](https://app.tidalcyber.com/references/8ec52402-7e54-463d-8906-f373e5855018)]} OAuth is one commonly implemented framework that issues tokens to users for access to systems. Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

  In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.^{[[Kubernetes Service Accounts](https://app.tidalcyber.com/references/a74ffa28-8a2e-4bfd-bc66-969b463bebd9)]}

  Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.^{[[Microsoft Identity Platform Protocols May 2019](https://app.tidalcyber.com/references/a99d2292-be39-4e55-a952-30c9d6a3d0a3)][[Microsoft – OAuth Code Authorization flow – June 2019](https://app.tidalcyber.com/references/a41c2123-8b8d-4f98-a535-e58e3e746b69)]} An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

  Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token.^{[[Amnesty OAuth Phishing Attacks, August 2019](https://app.tidalcyber.com/references/0b0f9cf6-f0af-4f86-9699-a63ff36c49e2)][[Trend Micro Pawn Storm OAuth 2017](https://app.tidalcyber.com/references/7d12c764-facd-4086-acd0-5c0287344520)]} The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.^{[[Microsoft – Azure AD App Registration – May 2019](https://app.tidalcyber.com/references/36a06c99-55ca-4163-9450-c3b84ae10039)]} Then, they can send a [Spearphishing Link](https://app.tidalcyber.com/technique/d08a9977-9fc2-46bb-84f9-dbb5187c426d) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://app.tidalcyber.com/technique/8592f37d-850a-43d1-86f2-cc981ad7d7dc).^{[[Microsoft – Azure AD Identity Tokens – Aug 2019](https://app.tidalcyber.com/references/44767d53-8cd7-44dd-a69d-8a7bebc1d87d)]}

  Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens^{[[Auth0 Understanding Refresh Tokens](https://app.tidalcyber.com/references/84eb3d8a-f6b1-4bb5-9411-2c8da29b5946)]}, allowing them to obtain new access tokens without prompting the user.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Steal Web Session Cookie

  ID: T1539

  Tactics: Credential Access

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

  Erbium Stealer Malware Report

  SHOW MORE

  An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.^{[[Pass The Cookie](https://app.tidalcyber.com/references/dc67930f-5c7b-41be-97e9-d8f4a55e6019)]}

  There are several examples of malware targeting cookies from web browsers on the local system.^{[[Kaspersky TajMahal April 2019](https://app.tidalcyber.com/references/1ed20522-52ae-4d0c-b42e-c680490958ac)][[Unit 42 Mac Crypto Cookies January 2019](https://app.tidalcyber.com/references/0a88e730-8ed2-4983-8f11-2cb2e4abfe3e)]} There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://app.tidalcyber.com/technique/d98dbf30-c454-42ff-a9f3-2cd3319cc0d9)) that can be set up by an adversary and used in phishing campaigns.^{[[Github evilginx2](https://app.tidalcyber.com/references/322e5d90-5095-47ea-b0e2-e7e5fb45fcca)][[GitHub Mauraena](https://app.tidalcyber.com/references/578ecf62-b546-4f52-9d50-92557edf2dd4)]}

  After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://app.tidalcyber.com/technique/d36a5323-e249-44e8-9c8b-5cc9c023a5e1) technique to login to the corresponding web application.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer,

• System Information Discovery

  ID: T1082

  Tactics: Discovery

  Description: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

  SHOW MORE

  An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Tools such as [Systeminfo](https://app.tidalcyber.com/software/cecea681-a753-47b5-9d77-c10a5b4403ab) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) on network devices to gather detailed system information (e.g. show version).^{[[US-CERT-TA18-106A](https://app.tidalcyber.com/references/1fe55557-94af-4697-a675-884701f70f2a)]} [System Information Discovery](https://app.tidalcyber.com/technique/a2961a00-450e-45a5-b293-f699d9f3b4ea) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.^{[[OSX.FairyTale](https://app.tidalcyber.com/references/27f8ad45-53d2-48ba-b549-f7674cf9c2e7)][[20 macOS Common Tools and Techniques](https://app.tidalcyber.com/references/3ee99ff4-daf4-4776-9d94-f7cf193c2b0c)]}

  Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.^{[[Amazon Describe Instance](https://app.tidalcyber.com/references/c0b6a8a4-0d94-414d-b5ab-cf5485240dee)][[Google Instances Resource](https://app.tidalcyber.com/references/9733447c-072f-4da8-9cc7-0a0ce6a3b820)][[Microsoft Virutal Machine API](https://app.tidalcyber.com/references/f565c237-07c5-4e9e-9879-513627517109)]}

  Source: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

• System Owner/User Discovery

  ID: T1033

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://app.tidalcyber.com/technique/368f85f9-2b15-4732-80fe-087694eaf34d). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://app.tidalcyber.com/technique/86e6f1f0-290b-4971-b50e-80e98a0a768b) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.

  On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.^{[[show_ssh_users_cmd_cisco](https://app.tidalcyber.com/references/11d34884-4559-57ad-8910-54e517c6493e)][[US-CERT TA18-106A Network Infrastructure Devices 2018](https://app.tidalcyber.com/references/8fdf280d-680f-4b8f-8fb9-6b3118ec3983)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• System Time Discovery

  ID: T1124

  Tactics: Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. ^{[[MSDN System Time](https://app.tidalcyber.com/references/5e15e03b-be8b-4f3d-a3ae-0df7a4ecfbec)][[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]}System time information may be gathered in a number of ways, such as with [Net](https://app.tidalcyber.com/software/c9b8522f-126d-40ff-b44e-1f46098bd8cc) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using w32tm /tz.^{[[Technet Windows Time Service](https://app.tidalcyber.com/references/0d908e07-abc1-40fc-b147-9b9fd483b262)]}

  On network devices, [Network Device CLI](https://app.tidalcyber.com/technique/284bfbb3-99f0-4c3d-bc1f-ab74065b7907) commands such as `show clock detail` can be used to see the current time configuration.^{[[show_clock_detail_cisco_cmd](https://app.tidalcyber.com/references/a2215813-31b0-5624-92d8-479e7bd1a30b)]}

  This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://app.tidalcyber.com/technique/0baf02af-ffaa-403f-9f0d-da51f463a1d8)^{[[RSA EU12 They’re Inside](https://app.tidalcyber.com/references/8330ab88-9c73-4332-97d6-c1fb95b1a155)]}, or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://app.tidalcyber.com/technique/90e6a093-3e87-4d74-8b68-38c7d7e5e93c)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.^{[[AnyRun TimeBomb](https://app.tidalcyber.com/references/cd369bf9-80a8-426f-a0aa-c9745b40696c)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Thread Execution Hijacking

  ID: T1055.003

  Tactics: Privilege Escalation, Defense Evasion

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.^{[[Elastic Process Injection July 2017](https://app.tidalcyber.com/references/02c9100d-27eb-4f2f-b302-adf890055546)]}

  This is very similar to [Process Hollowing](https://app.tidalcyber.com/technique/77100337-67a1-4520-b25a-3ddd72b0d5ac) but targets an existing process rather than creating a process in a suspended state.

  Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Virtualization/Sandbox Evasion

  ID: T1497

  Tactics: Defense Evasion, Discovery

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) during automated discovery to shape follow-on behaviors.^{[[Deloitte Environment Awareness](https://app.tidalcyber.com/references/af842a1f-8f39-4b4f-b4d2-0bbb810e6c31)]}Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://app.tidalcyber.com/technique/63baf71d-f46f-4ac8-a3a6-8345ddd2f7a8) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.^{[[Unit 42 Pirpi July 2015](https://app.tidalcyber.com/references/42d35b93-2866-46d8-b8ff-675df05db9db)]}

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

• Web Protocols

  ID: T1071.001

  Tactics: Command and Control

  Description: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer

  SHOW MORE

  Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.Protocols such as HTTP/S^{[[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]} and WebSocket^{[[Brazking-Websockets](https://app.tidalcyber.com/references/fa813afd-b8f0-535b-9108-6d3d3989b6b9)]} that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

  Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer