CyberDefenders — PhishStrike Challenge Walkthrough

A Cyber Threat Intelligence Challenge using MXToolBox, URLhaus, VirusTotal, MITRE ATT&CK, & MalwareBazaar

Drew Arpino
13 min read · 6 days ago
Image Credit: https://cyberdefenders.org/blueteam-ctf-challenges/phishstrike/

Introduction:

Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive walkthrough of the PhishStrike challenge from CyberDefenders, you’re in the right place. Prepare to dive into the world of Cyber Threat Intelligence!

In this scenario, a phishing email is targeting members of our institution’s faculty which includes a suspicious link. Our goal is to analyze the phishing email artifact to discover more about the sender and the link to scope the potential impact on a victim. To unravel this mystery, we’ll leverage several tools as we follow the email thread, including:

MXToolBox: This tool helps us perform a detailed analysis of the email headers. It offers easy-to-read insights about the sender and any potential anomalies that we can explore.

URLhaus: After analyzing the headers, we may uncover some suspicious URLs. URLhaus is a service where we can gather intelligence about these URLs by checking them against a database of known malicious domains, giving us valuable context about potential malware hosted on them.

VirusTotal: After identifying the malware samples served from the URL, we can submit their file hashes to VirusTotal to get comprehensive scan results and sandbox behavior reports without handling the binaries ourselves.

MalwareBazaar: This is a repository used to share malware samples with the infosec community. Here, we can search for additional reports about the uploaded samples to understand the malware’s behavior.

The exciting part is that the deeper we go, the more details we’ll uncover about the email payload, discovering more insights about the malware’s infrastructure. Sounds like a fun mystery, right? Let’s get into it!

And hey, if you find this walkthrough helpful — whether it levels-up your skills, gets you through a stumbling block, or serves as a handy reference — please give it a clap!

Thanks for reading and going on this investigation with me!

Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/phishstrike/

Challenge Scenario:

As a cybersecurity analyst for an educational institution, you receive an alert about a phishing email targeting faculty members. The email, appearing from a trusted contact, claims a $625,000 purchase and provides a link to download an invoice.

Your task is to investigate the email using Threat Intel tools. Analyze the email headers and inspect the link for malicious content. Identify any Indicators of Compromise (IOCs) and document your findings to prevent potential fraud and educate faculty on phishing recognition.

Setup the REMnux Analysis Environment & Extract the challenge file:

Safety first! When working with lab/challenge files from CyberDefenders (or any educational lab/challenge/range), it’s important to be responsible and stay safe by interacting with potentially malicious files in a dedicated, isolated virtual machine environment. For this challenge I’m using REMnux, a specialized Linux distribution for malware analysis.

To keep this write-up focused, I’m going to skip step-by-step setup directions for REMnux, but if you’d like to set up your own environment, please follow the guide provided by REMnux directly. For reference, I used the virtual appliance method:

Once we have a safe virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start the investigation!

Question 1: Identifying the sender’s IP address with specific SPF and DKIM values helps trace the source of the phishing email. What is the sender’s IP address that has an SPF value of softfail and a DKIM value of fail?

Within the challenge file, there is a single email file — 194-PhishStrike.eml

We’ll need to start our investigation by analyzing the phishing email, starting with its headers. There are a few ways to approach header analysis of a message, including opening it in an email client, a plain text editor, or a header analysis tool. For this walkthrough, let’s start with an online header analysis tool — the MxToolBox Supertool Email Header Analyzer. This tool will allow us to copy and paste the headers and parse them in a more readable way.

But first, we need to obtain the headers. To do this, open the .eml file with any plain text editor within your analysis environment. The top section holds the message header information and the next section contains the body content which we’ll look at later.

Start of the message header.
Headers and Message Body Boundary

Once the header is pasted into MxToolBox, we can search the formatted fields easily. We need to look for the Received-SPF mail header. If you’re unfamiliar, according to Mailtrap, Sender Policy Framework (SPF) is:

An authentication method used by senders to specify hosts that are allowed to send an email on behalf of the domain.

In the case of this phishing email, the value is softfail, which tells us that the sending IP is not listed in the sending domain’s SPF record but that the domain’s policy ends in ~all, so the receiver is told to treat the message with suspicion rather than reject it outright. Most receivers accept a softfail (often tagging or scoring it), whereas a hard fail (-all) is commonly rejected or quarantined depending on receiver policy, which explains why this message still reached the faculty inboxes. The same Received-SPF header records the client-ip that produced the verdict, and the receiver’s Authentication-Results header typically carries the DKIM verdict (fail here) next to it, which is how we tie one IP address to both values the question asks for.

Question 2: Understanding the return path of the email helps in tracing its origin. What is the return path specified in this email?

Within the MxToolBox results, simply search for the Return-Path header to find the envelope sender (the SMTP MAIL FROM address). This is where any bounces would be sent, and it does not have to match the From: address the recipient sees, which is exactly the mismatch phishing relies on.

Question 3: Identifying the source of malware is critical for effective threat mitigation and response. What is the IP address hosting the malicious file associated with malware distribution?

To answer Question 3, we need to examine the email body content for any links or attachments sent to the victim. Since this information isn’t part of the mail headers, let’s return to the plain text editor where we opened the 194-PhishStrike.eml to view the email body.

Below the header section, we’ll see the content. Notice the text “VIEW INVOICE DOCUMENT HERE” holds a hyperlink to a bare IP address (no domain name) hosting an executable file rather than an invoice document. This is extremely suspicious and has all the hallmarks of a phishing link. It’s also the IP address we’re looking for to answer Question 3.
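The header and body checks behind Questions 1 to 3 can be scripted instead of pasted into MxToolBox, which matters when you have a mailbox full of samples rather than one .eml. The Python below is an added example (it is not from the challenge or the original post) and uses only the standard library. The message it parses is constructed for illustration: the addresses, domains and IPs (RFC 5737 documentation ranges) are invented and are not the values from 194-PhishStrike.eml.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed sample message: every address, IP (RFC 5737 ranges) and domain
# below is invented for this example and is NOT taken from 194-PhishStrike.eml.
SAMPLE_EML = b"""Return-Path: <billing@trusted-vendor.example>
Received: from mail.trusted-vendor.example (unknown [203.0.113.10])
\tby mx.university.example with ESMTP id 4abc123; Tue, 25 Oct 2022 10:00:00 +0000
Received-SPF: softfail (mx.university.example: domain of transitioning billing@trusted-vendor.example does not designate 203.0.113.10 as permitted sender) client-ip=203.0.113.10; envelope-from=billing@trusted-vendor.example;
Authentication-Results: mx.university.example; spf=softfail smtp.mailfrom=trusted-vendor.example; dkim=fail header.d=trusted-vendor.example; dmarc=fail
From: "Accounts Payable" <billing@trusted-vendor.example>
To: faculty@university.example
Subject: Invoice for your $625,000 purchase
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready.</p>
<p><a href="http://198.51.100.7/docs/invoice.exe">VIEW INVOICE DOCUMENT HERE</a></p>
<p><a href="https://trusted-vendor.example/contact">Contact us</a></p>
</body></html>
"""

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def load(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (EmailMessage) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def spf_result(msg: EmailMessage) -> Dict[str, str]:
    """Return the verdict and client-ip recorded in the Received-SPF header."""
    hdr = str(msg.get("Received-SPF", "") or "")
    result = hdr.split(None, 1)[0].lower() if hdr.strip() else ""
    m = re.search(r"client-ip=(" + _IPV4 + ")", hdr)
    return {"result": result, "client_ip": m.group(1) if m else ""}


def auth_results(msg: EmailMessage) -> Dict[str, str]:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def flagged_sender_ip(msg: EmailMessage) -> Optional[str]:
    """Question 1: the client IP whose SPF result is softfail and DKIM result is fail."""
    spf = spf_result(msg)
    if spf["result"] == "softfail" and auth_results(msg).get("dkim") == "fail":
        return spf["client_ip"]
    return None


def return_path(msg: EmailMessage) -> str:
    """Question 2: envelope sender (where bounces go), without angle brackets."""
    return str(msg.get("Return-Path", "") or "").strip().strip("<>")


def extract_urls(msg: EmailMessage) -> List[str]:
    """Question 3: every http(s) URL in the preferred body part (HTML first)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def ip_hosted_urls(urls: List[str]) -> List[str]:
    """Links whose host is a bare IP address: a common phishing tell."""
    return [u for u in urls if re.match(r"https?://" + _IPV4 + r"(?::\d+)?(?:/|$)", u)]


if __name__ == "__main__":
    msg = load(SAMPLE_EML)
    print("Q1 sender IP (SPF softfail + DKIM fail):", flagged_sender_ip(msg))
    print("Q2 Return-Path:", return_path(msg))
    print("Q3 IP-hosted links:", ip_hosted_urls(extract_urls(msg)))
```

Run it against a real .eml with `load(open("194-PhishStrike.eml", "rb").read())` inside the isolated VM. Note that Received-SPF and Authentication-Results are written by the receiving server, so only the copy added by your own MX is trustworthy; an attacker can pre-insert look-alike headers, which is why the function reads the first Authentication-Results header (the one your MX prepends) rather than any later one.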

Question 4: Identifying malware that exploits system resources for cryptocurrency mining is critical for prioritizing threat mitigation efforts. The malicious URL can deliver several malware types. Which malware family is responsible for cryptocurrency mining?

We’ve identified the malicious URL within the email body, now let’s collect some threat intelligence by checking it on URLhaus, a malware URL submission platform used to track cyber threats, searching the URL hosting the executable file:

URLhaus Results

From the tags, we’ll notice that this URL is associated with several different malware types. To answer Question 4, we are interested in the tag associated with cryptocurrency mining — CoinMiner.

Question 5: Identifying the specific URLs malware requests is key to disrupting its communication channels and reducing its impact. Based on the previous analysis of the cryptocurrency malware sample, what does this malware request the URL?

Now, let’s click into the report to browse the detailed database entry. The first thing we’ll want is the SHA256 hash of the CoinMiner payload. Having the specific malware’s file hash in our possession allows us to pivot and check other threat intelligence services for hits and build a stronger malware profile.

For example, let’s navigate to VirusTotal and search the CoinMiner hash. We’ll check the Relations tab under Contacted URLs to understand what URLs the malware communicated with during previous sandbox analysis on the service.

There are two URLs listed: One looks familiar to us from the phishing email, and the second one is new data — this is the one we’re looking for. With the additional information, we are starting to gain a better understanding of the malware’s infrastructure.

Question 6: Understanding the registry entries added to the auto-run key by malware is crucial for identifying its persistence mechanisms. Based on the BitRAT malware sample analysis, what is the executable’s name in the first value added to the registry auto-run key?

In the last question, we searched for information on the CoinMiner malware delivered by the phishing URL. This time, we’ll need to analyze the BitRAT sample downloaded from the same URL. We can accomplish this by heading back to URLhaus, copying the BitRAT payload hash this time, then submitting it to VirusTotal to view the report.

Back on VirusTotal, let’s check out the Behavior tab and scroll down to the Registry Actions > Registry Keys Set area:

While there is an overwhelming number of entries listed, we can narrow the search by specifically looking for registry keys related to the persistence technique of abusing auto-run keys in the Windows registry.

To learn more about this technique and get some clues on what to look for in the report, let’s turn to MITRE ATT&CK:

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account’s associated permissions level.

The following run keys are created by default on Windows systems:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Now that we have this background information, we can apply the intelligence gained from MITRE ATT&CK to search for the default run keys in the VirusTotal report, leading us to the executable.

Question 7: Identifying the SHA-256 hash of files downloaded from a malicious URL is essential for tracking and analyzing malware activity. Based on the BitRAT analysis, what is the SHA-256 hash of the file previously downloaded and added to the autorun keys?

Continuing our BitRAT analysis on VirusTotal, let’s find the SHA-256 file hash of the executable we found in the previous question. To do this, we just need to expand the Files Dropped section and search for the executable’s name. Expanding the entry will show us the hash of the file.

From: https://www.virustotal.com/gui/file/bf7628695c2df7a3020034a065397592a1f8850e59f9a448b555bc1c8c639539/behavior
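The manual search through Registry Keys Set and Files Dropped in Questions 6 and 7 is the kind of pivot worth automating once you export the behavior report. The Python below is an added example, not code from the challenge, VirusTotal or the original post. It assumes the report has been flattened into a dictionary with `registry_keys_set` (key plus value) and `files_dropped` (path plus sha256) lists; the sample entries, paths and the SHA-256 values are placeholders constructed for illustration and are not the BitRAT sample’s real artifacts. The run-key pattern goes slightly beyond the four keys quoted from ATT&CK above by also matching the Wow6432Node variants that 32-bit malware writes on 64-bit Windows.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the "Registry Keys Set" and "Files Dropped" sections
# of a sandbox report. Paths, value names and the SHA-256 values are placeholders
# invented for this example; they are NOT the BitRAT sample's real artifacts.
SAMPLE_REPORT = {
    "registry_keys_set": [
        {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
         "value": "0"},
        {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
         "value": r'"C:\Users\victim\AppData\Roaming\WinUpdate\wupdsvc.exe" /silent'},
        {"key": r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
         "value": r"C:\Users\victim\AppData\Local\Temp\cleanup.bat"},
    ],
    "files_dropped": [
        {"path": r"C:\Users\victim\AppData\Local\Temp\stage2.dll", "sha256": "ab" * 32},
        {"path": r"C:\Users\victim\AppData\Roaming\WinUpdate\wupdsvc.exe", "sha256": "0123456789abcdef" * 4},
    ],
}

# ATT&CK T1547.001 run keys under both the native and the Wow6432Node Software
# hives. The trailing group allows a value name after the key, which is how
# sandboxes usually print the entry (...\Run\<ValueName>).
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)(?:\\|$)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, tolerant of forward slashes and trailing separators."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def executable_name(value: str) -> str:
    """File name of the program a run-key value launches (quoted path or first token)."""
    value = value.strip()
    if value.startswith('"'):
        path = value[1:].split('"', 1)[0]
    else:
        path = value.split()[0] if value else ""
    return basename(path)


def autorun_entries(report: Dict) -> List[Dict[str, str]]:
    """Question 6: registry writes that land in a run key, in report order."""
    hits = []
    for entry in report.get("registry_keys_set", []):
        key = entry.get("key", "")
        if RUN_KEY_RE.search(key):
            hits.append({"key": key, "value": entry.get("value", ""),
                         "executable": executable_name(entry.get("value", ""))})
    return hits


def dropped_file_hash(report: Dict, exe_name: str) -> Optional[str]:
    """Question 7: SHA-256 of the dropped file whose name matches the run-key executable."""
    for f in report.get("files_dropped", []):
        if basename(f.get("path", "")).lower() == exe_name.lower():
            return f.get("sha256")
    return None


if __name__ == "__main__":
    entries = autorun_entries(SAMPLE_REPORT)
    for e in entries:
        print(f"{e['key']} -> {e['executable']}")
    first = entries[0]["executable"]
    print("SHA-256 of first autorun executable:", dropped_file_hash(SAMPLE_REPORT, first))
```

Matching on file name alone is deliberately loose: malware often drops several files with the same name in different directories, so in a real report compare the full path from the run-key value against the dropped path before trusting the hash.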

Question 8: Analyzing the HTTP requests made by malware helps in identifying its communication patterns. What is the HTTP request used by the loader to retrieve the BitRAT malware?

We’ll approach this question the same way we did the previous two. This time, navigate to the Network Communication section and focus on the HTTP Requests made by the malware.

Question 9: Introducing a delay in malware execution can help evade detection mechanisms. What is the delay (in seconds) caused by the PowerShell command according to the BitRAT analysis?

Moving right along, we’ll focus on analyzing any observed PowerShell commands executed by the BitRAT malware. We can find this information under the Process and service actions section under Shell Commands. After a quick analysis, we’ll locate the below PowerShell command:

There’s just one small obstacle: we can’t read the command directly yet because it has been passed to PowerShell with the -enc switch (short for -EncodedCommand), which takes the script as Base64. Fortunately, we can easily decode this by leveraging a tool like CyberChef.

After opening the tool, paste the encoded string into the input field and then apply the From Base64 operation to the Recipe. The output will look spaced out, with a null byte after every character, because -EncodedCommand expects the script to be UTF-16LE before it is Base64-encoded; adding a Decode text operation set to UTF-16LE (or the Remove null bytes operation) cleans it up. Even without that step, the decoded string already shows the delay in execution.

Decoding in CyberChef: https://gchq.github.io/CyberChef/
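The same decoding, done in code so it can be run over every command line a sandbox report lists rather than one at a time. This is an added example (not from the challenge, CyberChef or the original post): the command line is constructed for illustration and the Base64 blob is simply `Start-Sleep -s 30` encoded the way PowerShell expects (UTF-16LE, then Base64), not the BitRAT sample’s real command. The `-e`, `-ec` and `-enc` short forms are the ones powershell.exe accepts for -EncodedCommand and loaders commonly use.

```python
import base64
import re
from typing import Optional

# Constructed command line in the shape a sandbox lists under shell commands.
# The encoded blob is "Start-Sleep -s 30" encoded as PowerShell expects
# (UTF-16LE, then Base64); it is NOT the BitRAT sample's real command.
SAMPLE_ENCODED = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwAwAA=="
SAMPLE_CMDLINE = "powershell.exe -NoProfile -WindowStyle Hidden -enc " + SAMPLE_ENCODED

# -EncodedCommand and the short forms -e, -ec and the widely used -enc.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Start-Sleep (or its alias sleep) with a positional count or a unit switch.
SLEEP_RE = re.compile(
    r"(?:Start-Sleep|sleep)\s+(?:-(s|sec|seconds|ms|milliseconds)\s+)?(\d+(?:\.\d+)?)",
    re.IGNORECASE,
)


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Pull the Base64 argument that follows a -enc style switch, if any."""
    m = ENC_FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_powershell_encoded(b64: str) -> str:
    """Base64 -> bytes -> UTF-16LE text. Decoding the bytes as ASCII instead
    leaves a NUL after every character, which is the 'noise' CyberChef shows
    when From Base64 is used on its own."""
    return base64.b64decode(b64).decode("utf-16-le")


def encode_powershell(script: str) -> str:
    """Inverse of the above, useful for building test cases or recreating samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def sleep_seconds(script: str) -> Optional[float]:
    """Question 9: delay in seconds from Start-Sleep, whatever unit switch was used."""
    m = SLEEP_RE.search(script)
    if not m:
        return None
    unit, amount = (m.group(1) or "").lower(), float(m.group(2))
    return amount / 1000 if unit in ("ms", "milliseconds") else amount


def analyse(cmdline: str) -> Optional[float]:
    """Decode an encoded command line and report its Start-Sleep delay, if any."""
    payload = extract_encoded_payload(cmdline)
    return sleep_seconds(decode_powershell_encoded(payload)) if payload else None


if __name__ == "__main__":
    decoded = decode_powershell_encoded(extract_encoded_payload(SAMPLE_CMDLINE))
    print("decoded:", decoded)
    print("delay (s):", analyse(SAMPLE_CMDLINE))
```

A sleep of this kind is a sandbox-evasion tell in its own right (ATT&CK catalogues time-based evasion under Virtualization/Sandbox Evasion), so the delay value is worth recording as a behavioral indicator alongside the network IOCs.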

Question 10: Tracking the command and control (C2) domains used by malware is essential for detecting and blocking malicious activities. What is the C2 domain used by the BitRAT malware?

After reviewing the network connections on VirusTotal, we might think that we’ve already discovered the command and control (C2) URL, but none of the domains that we have uncovered so far fit the format that the question is looking for.

For our next steps, let’s check if we can find any additional information from the Community tab on the VirusTotal report. After reviewing a couple of the entries, we’ll stumble upon a solid lead from the extremely helpful comment below:

To double-confirm that this information is accurate, let’s head back over to URLhaus and click the BitRAT link to take us over to MalwareBazaar, a malware sample sharing platform for the infosec community, to see what additional threat intelligence may be available from other vendors.

On the MalwareBazaar page for the BitRAT sample, scroll down to the Vendor Threat Intelligence section and choose the Hatching Triage entry to see an overview of their findings. Notice anything interesting?

We found corroborating evidence confirming what we found on VirusTotal! Now that we’ve double-confirmed our findings, let’s submit the answer and move on to the final question of this challenge.

Question 11: Understanding the methods malware uses for exfiltrating data is crucial for detecting and preventing data breaches. According to the AsyncRAT analysis, what is the Telegram Bot ID used by the malware?

Back to URLhaus again to answer Question 11. Here we’ll apply the same process we did in the previous question, this time selecting the AsyncRAT link to view the sample on MalwareBazaar.

Since we acquired solid threat intelligence from Hatching Triage in the last question, let’s analyze their full report to extract anything that will help us get closer to the answer.

https://tria.ge/221025-mz5tpscdf8

Inside of the report, we’ll see that the data is collected by both static analysis and behavioral analysis. Let’s review the linked behavioral2 report to see the activities in detail, specifically focusing on the Network section.

Here we’ll discover the final details that we are looking for, the Telegram Bot ID the malware used for data exfiltration.
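Questions 8 and 11 both come down to reading a sandbox network section line by line: one request is the loader fetching the next stage, another is the implant talking to the Telegram Bot API. The Python below is an added example (not from the challenge, Triage, VirusTotal or the original post) that triages such a request list. It assumes the sandbox prints requests as `METHOD URL ...`; the hosts, paths and the bot token are constructed for illustration and are not the challenge samples’ real infrastructure. Telegram bot tokens have the form `<numeric bot id>:<secret>` and appear in the URL path as `/bot<token>/<method>`, so the "Bot ID" is the numeric part before the colon.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed request log in the "METHOD URL" shape sandboxes print in their
# network sections. Hosts, paths and the bot token are invented for this
# example; they are NOT the challenge samples' real infrastructure.
SAMPLE_REQUESTS = [
    "GET http://198.51.100.7/docs/invoice.exe HTTP/1.1",
    "GET http://198.51.100.7/files/bitrat.exe HTTP/1.1",
    "POST https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfak12/sendMessage HTTP/1.1",
    "GET http://geoip.example/json/ HTTP/1.1",
]

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".js", ".msi")
# /bot<id>:<secret>/<method> as used by the Telegram Bot API.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)(?:/(\w+))?")


def parse_request(line: str) -> Optional[Dict[str, str]]:
    """Split 'METHOD URL ...' into method, url, host, port and path; None if malformed."""
    parts = line.split()
    if len(parts) < 2 or not parts[1].startswith(("http://", "https://")):
        return None
    u = urlsplit(parts[1])
    return {
        "method": parts[0].upper(),
        "url": parts[1],
        "host": u.hostname or "",
        "port": str(u.port or (443 if u.scheme == "https" else 80)),
        "path": u.path,
    }


def payload_downloads(lines: List[str]) -> List[str]:
    """Question 8: requests whose path fetches an executable (a loader pulling the next stage)."""
    out = []
    for line in lines:
        req = parse_request(line)
        if req and req["path"].lower().endswith(EXECUTABLE_EXT):
            out.append(f'{req["method"]} {req["url"]}')
    return out


def telegram_bots(lines: List[str]) -> List[Dict[str, str]]:
    """Question 11: bot ID, full token and API method from api.telegram.org requests."""
    found = []
    for line in lines:
        req = parse_request(line)
        if not req or req["host"] != "api.telegram.org":
            continue
        m = TELEGRAM_BOT_RE.match(req["path"])
        if m:
            found.append({"bot_id": m.group(1),
                          "token": f"{m.group(1)}:{m.group(2)}",
                          "method": m.group(3) or ""})
    return found


def contacted_hosts(lines: List[str]) -> List[str]:
    """Unique host:port pairs in first-seen order: the minimal network IOC list for blocking."""
    seen: List[str] = []
    for line in lines:
        req = parse_request(line)
        if req:
            hp = f'{req["host"]}:{req["port"]}'
            if hp not in seen:
                seen.append(hp)
    return seen


if __name__ == "__main__":
    print("stage downloads:", payload_downloads(SAMPLE_REQUESTS))
    print("telegram bots:", telegram_bots(SAMPLE_REQUESTS))
    print("hosts to block:", contacted_hosts(SAMPLE_REQUESTS))
```

Two cautions when using this on real reports: the full token (id plus secret) is a live credential for the attacker’s bot, so store it as an IOC but do not paste it into shared tickets or public comments; and blocking api.telegram.org itself will break legitimate users, so the actionable indicator is the bot ID, not the host.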

Now that we have successfully leveraged threat intelligence to solve the mystery — let’s wrap up this investigation!

From Recorded Future Triage: https://tria.ge/221025-mz5tpscdf8/behavioral2

Conclusion:

Great job! Starting with a single email, we used MXToolBox to learn about the spoofed trusted contact and found a suspicious URL within the body of the email. Using URLhaus and VirusTotal, we collected threat intelligence about the three different malware samples delivered by the malicious server to understand their behaviors. Finally, we leveraged additional, external reports about the malware to uncover how data might have been exfiltrated. With the objectives completed, we have all the information we need to help keep the institution safe from this threat. Let’s close the book on the PhishStrike challenge!

A big thank you to CyberDefenders, for another engaging and realistic lab scenario. This one was exceptionally fun. I always enjoy a challenge that starts with a single artifact and leads through a sprawling investigation that requires deep dives into external research. In the real world, when time is of the essence, it’s important to be able to obtain insights for previously observed threats using platforms like VirusTotal and URLhaus to quickly identify, understand, and remediate a threat. Practicing in a lab environment is time well spent to prepare. I hope you found this walkthrough insightful too!

Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

REMnux: https://remnux.org/

MxToolBox Supertool Email Header Analyzer: https://mxtoolbox.com/EmailHeaders.aspx

Mailtrap Email Headers: https://mailtrap.io/blog/email-headers/

URLhaus: https://urlhaus.abuse.ch/

VirusTotal: https://www.virustotal.com/

MITRE ATT&CK — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): https://attack.mitre.org/techniques/T1547/001/

CyberChef: https://gchq.github.io/CyberChef/

MalwareBazaar: https://bazaar.abuse.ch/

Recorded Future Triage Report: https://tria.ge/221025-mz5tpscdf8
