TeamWork

CHALLENGE DESCRIPTION

It is Friday afternoon and the SOC at Edny Consulting Ltd has received alerts from the workstation of Jason Longfield, a software engineer on the development team, regarding the execution of some discovery commands. Jason has just gone on holiday and is not available by phone. The workstation appears to have been switched off, so the only evidence we have at the moment is an export of his mailbox containing today’s messages. As the company was recently the victim of a supply chain attack, this case is being taken seriously and the Cyber Threat Intelligence team is being called in to determine the severity of the threat.

SOLUTION

Identify the sender of the suspicious email.

Open any email; the headers look like this:

From: TLDR InfoSec <dan@tldrnewsletter.com>
To: jasonlongfield@edny.net
Subject: 49K Building Systems Exposed =?utf-8?Q?=F0=9F=8F=A2=2C?= Cellebrite

Now list the sender addresses across all the emails:

grep -h "From: " * | cut -d '<' -f2 | cut -d '>' -f1 | sort -u

-h drops the file-name prefix that grep adds when it searches several files (without it every line is distinct and sort -u cannot merge duplicates), cut -d '<' -f2 | cut -d '>' -f1 keeps only the address between the angle brackets, and sort -u leaves one line per unique address. Now let's try all of them =))

Answer theodore.todtenhaupt@developingdreams.site

The suspicious email came from a custom domain, identify its creation date.

Hint

If the domain is expired or the WHOIS is somehow unavailable, you can find a WHOIS Lookup saved here

Answer 2025-01-31

The domain was registered shortly before the suspicious email was received, which likely corresponds to the time when the threat actor was planning this campaign. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?

Go to MITRE ATT&CK, search for Resource Development in the top-right search bar, and open the tactic page.

The previous question was about a domain, so read through the techniques listed under the tactic; the Domains sub-technique is the one that matches.

Answer T1583.001

The previously identified domain appears to belong to a company, what is the full URL of the company’s page on X (formerly Twitter)?

Look at the domain name and the hint in the question.

It took me lots of time to figure it out, f*ckkkk

Answer https://x.com/Develop_Dreams

Reading the suspicious email carefully, it appears that the threat actor first contacted the victim using the previously identified social media profile. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?

Search for social media.

Answer T1585.001

What is the name of the game the threat actor would like us to collaborate on?

Click on that link and search for the threat actor; we will see two links. Open those and search for the game.

Answer DeTankWar

What is the SHA-256 hash of the executable shared by the threat actor?

Search for SHA-256.

Answer 56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c
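Doing the same triage with a script instead of by hand covers the sender listing, the domain-age question and the hash check in one pass. The following is an added example, not part of the original writeup or the lab files: it parses a constructed mailbox export with Python's standard email module, lists unique senders (the equivalent of the grep pipeline above), decodes the RFC 2047 subject shown earlier, flags senders whose domain was registered shortly before the message arrived (the 2025-01-31 creation date from the WHOIS lookup, placed in a constructed table), and hashes attachments against the SHA-256 indicator above. The message dates, the third message and its attachment are made up.

```python
"""Mailbox triage helper (added example, not the writeup's or the lab's code).
Parses .eml text, lists unique senders, decodes encoded subjects, flags
recently registered sender domains and hashes attachments against an IoC list."""
import email
import hashlib
from datetime import date
from email import policy

# Known-bad SHA-256 from the writeup (the executable shared by the threat actor).
IOC_SHA256 = {"56554117d96d12bd3504ebef2a8f28e790dd1fe583c33ad58ccbf614313ead8c"}

# WHOIS creation dates. The single entry is the date found in the writeup; in a real
# run this table would be filled from a WHOIS client or a saved lookup (constructed).
WHOIS_CREATED = {"developingdreams.site": date(2025, 1, 31)}

# Constructed sample mailbox. The first message reuses the newsletter headers shown in
# the writeup; the dates, the third message and its attachment bytes are made up.
MAILBOX = {
    "0001.eml": (
        "From: TLDR InfoSec <dan@tldrnewsletter.com>\r\n"
        "To: jasonlongfield@edny.net\r\n"
        "Date: Fri, 14 Feb 2025 09:00:00 +0000\r\n"
        "Subject: 49K Building Systems Exposed =?utf-8?Q?=F0=9F=8F=A2=2C?= Cellebrite\r\n"
        "\r\nnewsletter body\r\n"
    ),
    "0002.eml": (
        "From: TLDR InfoSec <dan@tldrnewsletter.com>\r\n"
        "To: jasonlongfield@edny.net\r\n"
        "Date: Fri, 14 Feb 2025 10:00:00 +0000\r\n"
        "Subject: Second newsletter\r\n"
        "\r\nbody\r\n"
    ),
    "0003.eml": (
        "From: Theodore <theodore.todtenhaupt@developingdreams.site>\r\n"
        "To: jasonlongfield@edny.net\r\n"
        "Date: Fri, 14 Feb 2025 13:30:00 +0000\r\n"
        "Subject: Collaboration on our game\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\nhi\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="build.zip"\r\n'
        'Content-Disposition: attachment; filename="build.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        "Y29uc3RydWN0ZWQgc2FtcGxlIGF0dGFjaG1lbnQ=\r\n"  # base64 of a constructed string
        "--b1--\r\n"
    ),
}


def parse_mailbox(mailbox):
    """Parse raw .eml text into EmailMessage objects; policy.default decodes headers."""
    return {name: email.message_from_string(raw, policy=policy.default)
            for name, raw in mailbox.items()}


def sender_address(msg):
    """Bare address from the From header, lower-cased ('' if the header is unusable)."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ""
    return hdr.addresses[0].addr_spec.lower()


def unique_senders(msgs):
    """Same result as the grep | cut | sort -u pipeline in the writeup."""
    return sorted({sender_address(m) for m in msgs.values()} - {""})


def decoded_subject(msg):
    """RFC 2047 encoded words (as in the newsletter subject) come back decoded."""
    return str(msg["Subject"])


def domain_age_days(addr, received, whois=WHOIS_CREATED):
    """Days between registration of the sender's domain and the message date, or None."""
    created = whois.get(addr.rpartition("@")[2])
    return None if created is None else (received.date() - created).days


def flag_young_domains(msgs, max_age_days=30):
    """(file, sender, age) for senders whose domain is at most max_age_days old."""
    findings = []
    for name, m in msgs.items():
        date_hdr = m["Date"]
        if date_hdr is None or date_hdr.datetime is None:
            continue
        addr = sender_address(m)
        age = domain_age_days(addr, date_hdr.datetime)
        if age is not None and age <= max_age_days:
            findings.append((name, addr, age))
    return findings


def is_known_bad(sha256_hex):
    return sha256_hex.lower() in IOC_SHA256


def attachment_hashes(msgs):
    """(file, attachment name, sha256, known_bad) for every attachment in the mailbox."""
    rows = []
    for name, m in msgs.items():
        for part in m.iter_attachments():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            rows.append((name, part.get_filename(), digest, is_known_bad(digest)))
    return rows


if __name__ == "__main__":
    msgs = parse_mailbox(MAILBOX)
    print("senders:", unique_senders(msgs))
    print("decoded subject:", decoded_subject(msgs["0001.eml"]))
    print("young domains:", flag_young_domains(msgs))
    for row in attachment_hashes(msgs):
        print("attachment:", row)
```

With the constructed data the only sender whose domain is under 30 days old at receipt time is the developingdreams.site address (14 days), which is exactly the "registered shortly before the email" signal the next question asks about; the sample attachment hashes to something other than the indicator, so it is reported but not flagged.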

As part of the preparation of the tools for the attack, the threat actor hosted this file, presumably malware, on its infrastructure. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?

Search for infrastructure.

Answer T1608.001

Based on the information you have gathered so far, do some research to identify the name of the threat actor who may have carried out this attack.

Answer Moonstone Sleet

What nation is the threat actor believed to be associated with?

Answer North Korea

Another campaign from this threat actor used a trojanized version of a well-known software to infect victims. What is the name of this tool?

In the top-right search bar, look for Moonstone Sleet, open the group page, and search for trojan.

Answer PuTTY

Which MITRE ATT&CK technique corresponds to the activity of deploying trojanized/manipulated software?

Search for trojanized; the match appears in a description of trojanized software being distributed.

Answer T1195.002

Our company wants to protect itself from other supply chain attacks, so in documenting more about this threat actor, the CTI team found that other security researchers were also tracking a group whose techniques closely match Moonstone Sleet, and discovered a new supply chain campaign around the end of July 2024. What technology is this campaign targeting?

Ahhhhh, I wasted lots of time on this. After searching like crazy with the hint from the question, I got nothing.

I decided to ask ChatGPT, and well… We have the answer here.

Answer NPM

We now need some indicators to be able to rule out that other systems have been compromised. What is the name and version of the latest malicious package published? (Format: package-name vX.X.X)

Ask ChatGPT

Answer harthat-hash v1.3.3

The malicious packages downloaded an additional payload from a C2 server, what is its IP address?

Search for the name of the malicious package and we will find the IP.

Answer 142.111.77.196
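The point of these last questions is to turn the research into indicators that can be swept across other systems. The following is an added example, not part of the original writeup or the lab: it takes the package name and version and the C2 address from the answers above, checks an npm lockfile for the package (including nested node_modules entries and a same-name-different-version case that deserves review) and scans proxy log lines for connections to the C2 address. The lockfile, the registry URL in it and the log lines are all constructed, and the non-C2 addresses use documentation ranges.

```python
"""Indicator sweep for the npm campaign (added example, not the writeup's or the
lab's code). Checks a package-lock.json for a known-bad package and a proxy log
for contact with a known C2 address."""
import json
import re

# Indicators from the writeup: the malicious package/version and the C2 IP.
BAD_PACKAGES = {("harthat-hash", "1.3.3")}
C2_IPS = {"142.111.77.196"}

# Constructed package-lock.json (lockfileVersion 3 layout); the resolved URL is a placeholder.
PACKAGE_LOCK = json.dumps({
    "name": "internal-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"harthat-hash": "^1.3.0", "left-pad": "^1.3.0"}},
        "node_modules/harthat-hash": {
            "version": "1.3.3",
            "resolved": "https://registry.example/harthat-hash/-/harthat-hash-1.3.3.tgz",
        },
        "node_modules/left-pad": {"version": "1.3.0"},
        # nested copy pulled in by another dependency, older version
        "node_modules/left-pad/node_modules/harthat-hash": {"version": "1.2.0"},
    },
})

# Constructed proxy log lines in a squid-style layout:
# timestamp elapsed client status bytes method url user hierarchy/peer type
PROXY_LOG = [
    "1739536200.101 45 10.0.0.25 TCP_MISS/200 2048 GET http://142.111.77.196/update.bin "
    "- HIER_DIRECT/142.111.77.196 application/octet-stream",
    "1739536260.442 12 10.0.0.31 TCP_MISS/200 512 GET https://registry.npmjs.org/left-pad "
    "- HIER_DIRECT/203.0.113.10 application/json",
    "1739536301.007 30 10.0.0.25 TCP_MISS/200 128 GET http://198.51.100.7/ping "
    "- HIER_DIRECT/198.51.100.7 text/plain",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def installed_packages(lock_text):
    """Map package name -> set of installed versions. Covers the 'packages' map of
    lockfileVersion 2/3 (nested node_modules paths included, scoped names kept)
    and the top-level 'dependencies' map of lockfileVersion 1."""
    lock = json.loads(lock_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" in path:
            name = path.rsplit("node_modules/", 1)[1]
            found.setdefault(name, set()).add(meta.get("version"))
    for name, meta in lock.get("dependencies", {}).items():
        found.setdefault(name, set()).add(meta.get("version"))
    return found


def find_bad_packages(lock_text, iocs=BAD_PACKAGES):
    """Exact name+version hits are 'match'; the same name at another version is
    'review', since a package may have been malicious in more releases than the
    one currently known."""
    bad_names = {name for name, _ in iocs}
    hits = []
    for name, versions in sorted(installed_packages(lock_text).items()):
        for version in sorted(versions, key=str):
            if (name, version) in iocs:
                hits.append((name, version, "match"))
            elif name in bad_names:
                hits.append((name, version, "review"))
    return hits


def find_c2_contacts(log_lines, c2_ips=C2_IPS):
    """(line number, client IP, C2 IP) for every line that mentions a C2 address.
    The client is assumed to be the first IPv4 address on the line."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        ips = IPV4.findall(line)
        contacted = [ip for ip in ips if ip in c2_ips]
        if contacted:
            hits.append((n, ips[0], contacted[0]))
    return hits


if __name__ == "__main__":
    print("packages:", find_bad_packages(PACKAGE_LOCK))
    print("c2 contacts:", find_c2_contacts(PROXY_LOG))
```

Reading both results together, the lockfile tells you which hosts ever installed the package and the proxy log tells you which of them actually went on to fetch the second-stage payload; a host that appears in both lists is the one to isolate first.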

The payload, after being renamed, is finally executed by a legitimate Windows binary to evade defenses. Which MITRE ATT&CK technique corresponds to this activity?

Ask ChatGPT

Answer T1218.011