For this week’s TTP Tuesday, we wanted to focus on some techniques that often go under the radar. APT40 seems to use valid credentials for a lot of their attacks, whether they get these credentials from watering holes, data dumps, or files on a compromised box. This chain will find and exfiltrate files that possibly contain cleartext credentials. These types of files are prevalent in numerous organizations, these files are often created by users or administrators who do not remember all their passwords. Development teams can also leave passwords inside code files, documentation, or other configuration files.
Looking for these types of files can be a long-running process, so to keep the TTPs runtime to a minimum we are only identifying filenames that contain “user” or “pass” in the user’s home directory. Identifying files with suspicious names is only the first step, we then go through the identified files and ensure that the file isn’t in a binary format while also doing some rudimentary checks for special characters in the text of the file, since this aligns with “most” current password requirement policies. After identifying the files, we compress the files and serve them on a website.
The chain stands up a minimal website with a link to the compressed file. The website is designed to only receive two requests and then it shuts itself down. This allows the malicious actor to visit the website (first request), and download the file (second request). After the second request, the clean-up phase starts.
The clean-up TTP will execute after the two requests have taken place. This will remove the files that were created during the previous steps.
Next week we will be starting a brand new theme!
Watch a demonstration: APT40 Find and Exfiltrate
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg