Network Forensic Analysis to Detect Advanced Attacks

This case study describes an advanced investigation conducted for a client, where malicious network activity was detected and analyzed. The case demonstrates how packet capture (PCAP) analysis was utilized to identify a multi-stage attack, pinpoint suspicious network traffic, and mitigate ongoing threats. 

Incident Overview

Background

The client, a mid-sized financial institution, reported unusual DNS activity and intermittent service slowdowns. Suspicions were raised when some endpoints showed unauthorized data uploads to unrecognized external locations. Although an IDS and a next-generation firewall were in place, the anomalous network activity went undetected.

Challenges

  1. Large Scale of Data
    The network captured over 500 GB of PCAP traffic daily, necessitating efficient filtering and segmentation of relevant packets.
  2. Encrypted Traffic
    Approximately 85% of traffic was encrypted, complicating content-specific analysis.
  3. Evasive Techniques
    Attackers leveraged domain fronting, tunneling, and randomly generated subdomains to evade detection.
  4. Time Sensitivity
    The client’s sensitive financial data was potentially at risk, requiring quick identification of suspicious activity within a short timeframe.

Investigation Methodology

Phase 1: Initial Evidence Collection

  • Data Acquisition:
    1. Captured full packet traffic using tcpdump and exported relevant PCAP files from the client’s core network switches and mirrored ports.
    2. Focused initially on data transmitted to external destinations during unusual traffic volumes.

Phase 2: PCAP Analysis for Malicious Activity Detection

1. Preliminary Packet Filtering

Tools Used:

  1. Wireshark for initial packet inspection and filtering.
  2. Tshark for command-line-based, efficient parsing of massive PCAP files.

Key Findings:

Filter 1: DNS and HTTP Traffic:

Filtered packets matching unusual DNS queries like:

dns.qry.name matches "\.xyz$"

Detected a large number of requests to dynamically generated subdomains ending in .xyz—an indicator of Domain Generation Algorithm (DGA)-powered malware communication.
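As an added illustration of the DGA indicator above (this is not code from the original case study), the following script applies the same ".xyz" scope as the Wireshark filter to Zeek dns.log-style records, then adds an entropy check on the leftmost label and counts distinct generated names per source host so that ordinary .xyz sites are not flagged. The records, host addresses and thresholds are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed Zeek dns.log-style records (ts, id.orig_h, query); not client data.
SAMPLE_DNS = [
    (1.0, "10.0.10.25", "x7k2q9ab3.root.xyz"),
    (2.0, "10.0.10.25", "p0zj4mvt8w.root.xyz"),
    (3.0, "10.0.10.25", "l9q3kf2zx1.root.xyz"),
    (4.0, "10.0.10.25", "v2bn8ty5qs.root.xyz"),
    (5.0, "10.0.10.25", "mail.example.com"),
    (6.0, "10.0.10.40", "www.example.xyz"),
    (7.0, "10.0.10.40", "cdn.example.xyz"),
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(qname: str, tld: str = "xyz", min_entropy: float = 3.0) -> bool:
    """Same scope as the display filter dns.qry.name matches "\\.xyz$", plus an
    entropy threshold on the leftmost label so ordinary .xyz sites are not flagged."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != tld:
        return False
    return shannon_entropy(labels[0]) >= min_entropy


def suspect_hosts(records, min_unique: int = 3):
    """Map (orig_h, parent domain) -> sorted DGA-like names for hosts that
    resolved at least min_unique distinct such names under one parent domain."""
    seen = defaultdict(set)
    for _ts, orig_h, qname in records:
        if is_dga_like(qname):
            parent = ".".join(qname.lower().rstrip(".").split(".")[-2:])
            seen[(orig_h, parent)].add(qname.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (host, parent), names in suspect_hosts(SAMPLE_DNS).items():
        print(f"{host} -> {len(names)} DGA-like names under {parent}: {names}")
```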

Filter 2: Data Exfiltration:

  • Analyzed HTTP POST requests to external IPs outside typical geographic zones of operation.
  • Logs highlighted base64-encoded payloads sent to an unidentified server in the form of:

    POST /data HTTP/1.1
    Host: sub.root.xyz
    Content-Length: 1024

A repeated pattern emerged across endpoints, suggesting command-and-control (C2) traffic.

2. Suspicious Activity in Encrypted Traffic

Tools Used:

  1. Zeek for network monitoring and automated detection of malicious traffic patterns.
  2. JA3 Fingerprinting to identify anomalous SSL/TLS traffic.

Key Findings:

Session Metadata:
Detected unusual TLS handshakes initiated by internal devices, deviating from standard JA3 hashes for legitimate services.

From Zeek logs:

id.orig_h: ***.***.10.25
id.resp_h: ***.**.113.45
ja3_hash: e7d7055djgv801fdabc185d0a11****

The hash was associated with malware families using encrypted communications.

Certificate Patterns:
Observed self-signed certificates with domains not matching official WHOIS registries, signaling potential malware-generated TLS sessions.
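To show how the JA3 comparison in this section works, here is an added example (not the case study's own tooling) that builds the JA3 string from ClientHello fields, strips GREASE values so they do not perturb the fingerprint, hashes it, and classifies a handshake against a baseline of known-good fingerprints. The baseline ClientHello parameters are constructed; in practice the set is populated from observed ssl.log ja3 values of legitimate software.

```python
import hashlib


def _is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are randomized per connection
    and are excluded from JA3 so they do not change the fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 string: version,ciphers,extensions,curves,pointformats, each list
    joined with '-' in ClientHello order, GREASE removed."""
    fields = [[version], ciphers, extensions, curves, point_formats]
    return ",".join(
        "-".join(str(v) for v in field if not _is_grease(v)) for field in fields
    )


def ja3_hash(*fields) -> str:
    """JA3 hash is the MD5 of the JA3 string (a fingerprint, not a security primitive)."""
    return hashlib.md5(ja3_string(*fields).encode("ascii")).hexdigest()


# Constructed ClientHello parameters standing in for the baseline of legitimate
# client software seen on the network (assumption for this example).
BASELINE_HELLOS = [
    (771, [0x2A2A, 4865, 4866, 4867, 49195, 49199],
     [0x0A0A, 0, 23, 65281, 10, 11, 35, 16], [0x1A1A, 29, 23, 24], [0]),
    (771, [4865, 4866, 49196, 49200], [0, 23, 10, 11, 16], [29, 23], [0]),
]
KNOWN_GOOD_JA3 = {ja3_hash(*h) for h in BASELINE_HELLOS}


def classify(version, ciphers, extensions, curves, point_formats) -> str:
    """'known' if the handshake's JA3 matches the baseline, 'anomalous' otherwise."""
    h = ja3_hash(version, ciphers, extensions, curves, point_formats)
    return "known" if h in KNOWN_GOOD_JA3 else "anomalous"


if __name__ == "__main__":
    # A legacy-looking ClientHello with an unusual cipher list stands out from the baseline.
    print(classify(771, [47, 53], [0, 11], [23], [0]))
```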

3. Behavior Analysis of Malicious Traffic

Tools Used:

  1. NetworkMiner for inspecting files and metadata extracted from PCAPs.
  2. Wireshark for manual verification.

Key Findings:

File Extraction:

  1. Extracted two suspicious executables from HTTP responses (modular.exe and update.bin) using NetworkMiner.
  2. Submitted hashes to VirusTotal:
    • modular.exe: Associated with a known RAT.
    • update.bin: Confirmed to be a configuration file containing the malware’s C2 infrastructure.

Anomaly in Beacon Patterns:
Detected a consistent interval of traffic repetition every 60 seconds to sub.root.xyz, revealing beacon-like behavior indicative of C2 communications.
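The fixed 60-second interval described above is what a beacon detector looks for. As an added example (not the case study's own Zeek configuration), this script groups Zeek conn.log-style flows by source and destination, computes inter-arrival gaps, and flags pairs whose gaps are nearly constant, using the median absolute deviation relative to the median so that small timing jitter does not hide the beacon. The flow records and addresses are constructed.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log-style tuples (ts, id.orig_h, id.resp_h); not client data.
# The first pair connects every ~60 s with sub-second jitter; the second is irregular.
SAMPLE_CONN = (
    [(1000.0 + 60 * i + (i % 3) * 0.4, "10.0.10.25", "203.0.113.45") for i in range(12)]
    + [(1000.0 + t, "10.0.10.40", "198.51.100.7") for t in (3, 9, 40, 41, 130, 400, 405, 900)]
)


def beacon_candidates(records, min_events: int = 8, max_jitter_ratio: float = 0.05):
    """Group flows by (orig, resp) and flag pairs whose inter-arrival gaps are
    nearly constant: median absolute deviation small relative to the median gap."""
    times = defaultdict(list)
    for ts, orig, resp in records:
        times[(orig, resp)].append(ts)
    flagged = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue  # too few flows to judge periodicity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = statistics.median(gaps)
        mad = statistics.median([abs(g - med) for g in gaps])
        if med > 0 and mad / med <= max_jitter_ratio:
            flagged[pair] = {
                "interval_s": round(med, 1),
                "jitter_ratio": round(mad / med, 3),
                "events": len(ts_list),
            }
    return flagged


if __name__ == "__main__":
    for (orig, resp), info in beacon_candidates(SAMPLE_CONN).items():
        print(f"{orig} -> {resp}: every {info['interval_s']} s over {info['events']} flows")
```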

4. Data Exfiltration Confirmation

Tools Used:

  1. Arkime for session reconstruction.
  2. Bulk Extractor for carving sensitive data within packets.

Key Findings:

Session Reconstruction:
Reassembled streams containing sensitive databases exfiltrated via HTTP POST requests to external IPs.

Keyword Searching:
Using Bulk Extractor, identified keywords like customer_id within large packet sets, confirming theft of sensitive client data.

Phase 3: Correlation and Identification

  1. Cross-Referencing with OSINT:
    • Shared malicious domains and IPs with threat intelligence feeds like AbuseIPDB and AlienVault OTX.
    • Correlation pointed to an advanced malware family connected to an APT group.
  2. MITRE ATT&CK Mapping:
    • Tactic: Exfiltration Over C2 Channel.
    • Technique: Dynamic DNS and JA3 fingerprinting evasion methods.

Attribution Challenges:

The attackers used rented botnets and fast-flux DNS, making precise attribution difficult but aligning their infrastructure with a previously cataloged APT group.

Mitigation and Remediation Efforts

  1. Immediate Containment:
    • Blocked the detected IP addresses and domains associated with malicious communications.
    • Isolated impacted endpoints and endpoints showing abnormal connection patterns.
  2. Enhanced Network Monitoring:
    • Configured Zeek to monitor for beaconing traffic and unusual JA3 hashes.
    • Deployed IDS with custom rules for DNS anomalies and suspicious HTTP POST traffic.
  3. Post-Incident Hardening:
    • Implemented stricter egress filtering policies to prevent unauthorized external communication.
    • Recommended full-packet capture solutions during peak business hours for improved future incident response.

Lessons Learned

  1. Encrypted Traffic Awareness:
    The use of JA3 Fingerprinting proved invaluable for detecting malicious TLS communications where payload decryption was not possible.
  2. Scaling Challenges:
    The sheer volume of network traffic necessitated meticulous filtering and automation, emphasizing the importance of powerful packet parsing tools like Tshark and Arkime.

Outcome

The investigation led to the successful identification and mitigation of malicious network activity linked to an advanced threat actor, under operational constraints, highlighting the value of skilled incident response and forensic expertise.
