A Digital Recon Gone Wild - Part 2

Continues from Part 1.

After E copied the weaponized Word documents and PDF files onto the servers that were breached, the piece of malware we discovered copied them into a temporary folder, zipped them and sent them via the HTTP POST request.
A little Wireshark by the company's CERT team showed that the IP address of the receiving server was somewhere in eastern Europe. We knew this IP already from the reverse engineering of the malware we found, but it was a good confirmation to see the IP still being alive. Our guys were trying to figure out the exact location of the two servers that we had so far discovered were getting the exfiltrated data.

Now we needed to wait and see whether any of the weaponized documents would download and extract the backdoor for us.

A little over two hours later we had one of our backdoors downloaded to a different computer by one of the exploits on a PDF.

E prepared one of the computers at the CERT lab to be the receiver for any backdoor. And, sure enough, a few minutes later we had a shell. Now, we stopped to analyse what we knew: unencrypted POST payloads, unmasked IP addresses inside a piece of attack code and a semi-simple exploit on a PDF that worked. On top of that, a UDP-based shell was working? We began to wonder about the expertise and experience of the attackers.

In any case, we had a shell to a system where one of our PDFs was open. We began exploring and, as we did with our customer, we installed other backdoors for redundancy.
The system we were in was a virtual machine (VM). However, since the network was bridged we moved laterally to other systems on the network. After a couple of hours digging, where surprisingly we were not discovered, we found out that we were on a server farm that belonged to a web hosting company in eastern Europe.

After presenting all the information we gathered to the CISO and after explaining to them that we had contacts at Interpol and other LE departments in Europe, we decided to talk to them.

The CERT decided to set up a honeypot, have the malware moved there, and maintain open channels so we could also keep an eye on the attackers if our backdoors were discovered.

A week later, the Team, together with the CISO and other members of the CERT, took a plane to Europe.

Standby for Part 3.