COVID-19 VS ATT&CK

https://dribbble.com/shots/10495473-coronavirus/attachments/2330087?mode=media

Keeping with the trend

I’m one of the many infosec/techies currently sat working from home as a result of COVID-19… How fun!

I thought I’d ‘keep up with the trend’ and have my say on the Coronavirus. As a malware analyst, you come across some weird and wonderful “viruses” and “infections”.

It wasn’t until this week that it dawned on me that there are professionals (Reverse Engineers) currently trying to replicate this virus and perform tests (Dynamic analysis) to understand how we can develop a vaccine (IDS/IPS/AV/Firewall rules etc.)

I wanted to write an article about how similar Coronavirus as an attack on the human body is to a general everyday computer virus.

I’m going to do this with the help of the MITRE ATT&CK Framework!

TA0001

“The adversary is trying to get into your network.”

The Coronavirus is communicable, it spreads through:

1. Physical contact with an infected person
2. Contact with a contaminated surface
3. Bites from an insect or animal capable of transmitting the disease
4. Travel through the air

This sounds a lot like our initial access, for example:

1. Malicious JavaScript on an infected website.
2. Connecting to an infected network or other external remote services.

These two Initial Access vectors alone marry up with the 4 definitions of a communicable virus above.

TA0002

“The adversary is trying to run malicious code.”

“The virus then enters a cell and multiplies within the cell it infects, sometimes millions of times.”

Alright, so now we know how it gets in and “executes” its first stage payload, how does that look on a Computer, with reference to commonly seen attack techniques in the wild;

• Powershell
• VBScript
• User Execution via Phishing
• WMI

Interesting, and that’s just 4 ways to execute the virus!

TA0004

“All of those copies spill out into the victims airwaves”

“The adversary is trying to gain higher-level permissions.”

This attack is looking a lot to me like process injection. Process Injection is the method of executing arbitrary code in the address space of a seperate live process. Perhaps you see calls to:

• VirtualAllocEx — Memory allocation.
• WriteProcessMemory — Writing to the memory.
• CreateRemoteThread — Executing the code in that allocated space.

The good news for process injection, is that it’s typically good for evading detection from security… Are we feeling those symptoms 2 weeks later? Noticing it calling out to a C2 via a sore throat yet?

Spreading Onwards

“Infected victims then sneeze or touch handrails and other surfaces, spreading it to other potential victims.”

In terms of a virus attack inside an enterprise network, this is COVID-19’s detection pitfall. It seems to spray out most ‘ports’ of the victim. It’s noisy and messy, it simply doesn’t care and goes for max impact.

It’s effective and fast.

Breaking The Chain

“Handwashing and isolation!!1”

We’ve heard it since the beginning, we can battle this by upping our hygiene and isolating ourselves should we come into contact with someone showing symptoms, or show symptoms ourselves. We can also go for tests.

Almost like running an AV scan, threat hunting or disconnecting from the network.

TA0040

“The adversary is trying to manipulate, interrupt, or destroy your systems and data.”

The Coronavirus’ impact is just like it’s spreading, messy and noisy but a effective technique. It straight away goes for your lungs and throat, the thing that keeps things going inside your own network… A domain controller, perhaps?

Bone marrow and organs like the liver can become inflamed too, sounds all too like it tries to weaken your main network nodes so you lose sight of them or lose the data!

Recovery

So how do we recover from a malware attack like this?

• Mutexes — These are a great IOC to identify other infected machines, checking for a unique Mutex means we can identify other infected victims before they show harsher symptoms and harm others. Mutexes have been discussed in the past as a possible computer vaccine! See “Further Reading & References”.
• IDS/IPS rules — Rules are great if there’s a specific signature found during network forensics (Or surgery if you’re a doc ;) )
• Forensics — The more grim side to this story, sadly if something is destroyed by the virus, we have to hold a post mortem and understand the attack.

Further Reading & References

Thanks for reading, if you made it to the end of my *whatever you want to call this*.

• https://www.independent.co.uk/news/science/coronavirus-symptoms-fever-cough-flu-cold-difference-a9406256.html
• See how the coronavirus spreads so easily by Vox
• https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
• https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
• https://zeltser.com/malware-vaccination-infection-markers/