On August 1st, 2024, at 2:00 AM EST, OTM Cyber analysts detected unusual network activity on one of OTM Cyber's public safety customer's networks using the OTM CyberSystem. The CyberSystem is a proprietary advanced Network Intrusion Detection System ("NIDS"), Host Intrusion Detection System ("HIDS"), Security Orchestration, Automation and Response ("SOAR"), and Security Information and Event Management ("SIEM") solution powering OTM Cyber's Security Operations Center ("SOC") as a service offering. The system tripped alarms for suspicious activity on both the host and the network. Following an investigation, the analyst determined with high confidence that the activity was malicious in nature. The affected system communicated with 149 different destination IP addresses within an hour, including suspicious connections to countries like Iran and Russia.
Upon investigation, an executable named "MediaTransferServer.exe" installed in the program files was identified as the source of the Command and Control ("C2") network traffic. This file, while performing legitimate functions for the NVMS5000 software suite, was also establishing C2 communication with external servers. The executable hash, C26247D9F9C947599868E04A73560DDC61DBDFF2D71AC2A397877BB85608D5F3, was analyzed, and its decompilation identified it as part of the NVMS5000 software suite developed by Shenzhen TVT Digital Technology Co., Ltd., a chinese based company. The decompilation also revealed that it was originally written in C++.
OTM Cyber identified the threat, mitigated it, and stopped it before there was any data loss or damage. The unique method of operation for the malicious software was such that it evaded detection by the customer's Endpoint Detection and Response ("EDR") solution and network firewall. OTM Cyber has communicated the detection to CISA, who has opened an investigation.
Unveiling the Malicious Code
Detailed analysis using OTM Cyber's proprietary sandbox and Hex-Rays decompiler revealed the malicious nature of the executable. Wireshark and CyberChef were used to analyze the traffic in detail, identifying the C2 commands and traffic patterns. XML-like structured commands embedded within UDP packets from the victim device indicated C2 activities. The external IP addresses involved were from data centers in Iran, Russia, Singapore, Hong Kong, Romania, Thailand, Georgia, Taiwan, Mexico, and others.
Suspicious Behavior of the Software
The compromised executable displayed behaviors typical of advanced malware designed to evade detection:
Anti-Sandbox Techniques:
The executable was coded to detect if it was running in a sandboxed environment and if it had debug logging enabled. It performed specific checks to identify virtual environments and sandbox-specific processes, making it extremely difficult to analyze in a controlled setting.
Anti-Debugging Measures:
The software included anti-debugging techniques to avoid detection and analysis by security researchers. It could detect if it was being debugged and would alter its behavior or terminate itself to prevent analysis.
Dynamic Configuration:
The IP addresses and ports used for C2 communication were dynamic and determined via a requested XML configuration file disguised as part of the legitimate NVMS service. This allowed the malware to adjust its communication methods based on the configuration received from the C2 server.
Masquerading as Legitimate Traffic:
The nature of the communication was masqueraded in such a way that a casual observer could easily write it off as Network Video Management System ("NVMS")-affiliated services and functions. However, detailed analysis uncovered the cryptic C2 style of communication and the attempts to disguise it as NVMS communication. The logic within the program made it clear that the software was designed to perform its primary function while hiding its malicious functions if it suspected inspection or debugging.
Indicators of Compromise:
Specific abnormal port usage (TCP 7680, UDP 8989) associated with C2 communication reaching out in short UDP packets to foreign IP addresses.
Repeating patterns of commands and device information exchanges.
Obfuscated or partially encoded traffic containing non-printable characters (#, %, $, etc.), indicative of typical C2 communication designed to evade detection by security tools.
Novel Attack Techniques
This attack demonstrated several novel techniques that highlight the advanced nature of the threat:
Service and Process Manipulation:
The executable could manipulate services and processes within the operating system, creating and deleting services, altering process privileges, and even restarting itself if terminated. This made it particularly resilient against traditional methods of malware removal.
Network Traffic Handling:
The executable dynamically set and retrieved network parameters, including IP addresses and ports. Functions within the software, such as sub_401C70 and sub_418F00, directly correlated with the structured communication seen in the C2 traffic. This adaptability allowed it to maintain persistent communication channels with its C2 servers.
Persistent Mechanisms:
The malware employed persistent mechanisms that could reverse any changes made to its process auto-start scripts. This ensured that even if the executable was renamed or its service was disabled, it would quickly restore itself to continue its malicious activities.
Command and Control Indicators:
Using Sysmon and event viewer, analysts identified MediaTransferServer.exe as the source of the C2 traffic. Key functions and configuration files dynamically set and retrieved network parameters, confirming the executable's involvement in these malicious activities. The structured XML-like C2 traffic contained commands and device information, typical of an advanced C2 communication protocol.
Conclusion
The discovery of the zero-day vulnerability in MediaTransferServer.exe underscores the critical importance of vigilant network monitoring and advanced cybersecurity measures. The sophisticated techniques employed by the malware, from anti-sandbox and anti-debugging measures to dynamic network configuration and persistent mechanisms, highlight the evolving nature of cyber threats. Continuous vigilance and rapid response are essential to protect against such advanced attacks.
The compromised executable, originating from Shenzhen TVT Digital Technology Co., Ltd., a Chinese company, raises significant security concerns given the known vulnerabilities and bans on similar surveillance solutions manufacturers in federal government locations in the United States.
For detailed behavioral analysis, please refer to the sandboxed behavior observed for this file here.
For more insights on OTM Cyber's cybersecurity solutions and how OTM Cyber can help safeguard your network, reach out to us at solutions@otmcyber.com
OTM Cyber – Securing Tomorrow, Today.
#CyberSecurity #HackedVision #C2Traffic #NetworkSecurity #OTMCyber #CyberThreats #Infosec #MalwareAnalysis #DigitalSecurity #CyberDefense #NetworkMonitoring #ZeroDayExploit #CyberAwareness #TechSecurity #CyberProtection