Oilrig / Cleaver Malicious Scheduled Task Detection

2017-09-08T00:00:00
ID OPENVAS:1361412562310108232
Type openvas
Reporter Copyright (C) 2017 Greenbone Networks GmbH
Modified 2018-04-26T00:00:00

Description

This script tries to detect several indicators for malicious tools used by the Iranian APT group 'OILRIG / CLEAVER'.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_oilrig_malware_detection.nasl 9632 2018-04-26 13:47:37Z mmartin $
#
# Oilrig / Cleaver Malicious Scheduled Task Detection
#
# Authors:
# Christian Fischer <christian.fischer@greenbone.net>
# Jan Philipp Schulte <jan.schulte@greenbone.net>
# Adrian Steins <adrian.steins@greenbone.net>
#
# Copyright:
# Copyright (C) 2017 Greenbone Networks GmbH, https://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  # --- Identity -------------------------------------------------------------
  script_oid("1.3.6.1.4.1.25623.1.0.108232");
  script_name("Oilrig / Cleaver Malicious Scheduled Task Detection");
  script_version("$Revision: 9632 $");
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
  script_family("Malware");
  script_category(ACT_GATHER_INFO);

  # --- Scheduling: the check reads the target's registry over SMB, so it
  # --- only runs once smb_registry_access.nasl has confirmed that works.
  script_dependencies("smb_registry_access.nasl");
  script_require_ports(139, 445);
  script_mandatory_keys("SMB/registry_access");

  # --- Dates, scoring and quality-of-detection ------------------------------
  script_tag(name:"creation_date", value:"2017-09-08 10:20:33 +0200 (Fri, 08 Sep 2017)");
  script_tag(name:"last_modification", value:"$Date: 2018-04-26 15:47:37 +0200 (Thu, 26 Apr 2018) $");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # Evidence comes straight from registry keys on the host.
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"Workaround");

  # --- Human-readable description shown with the finding --------------------
  script_tag(name:"summary", value:"This script tries to detect several indicators for malicious tools used by Iranian APT group 'OILRIG / CLEAVER'.");
  script_tag(name:"vuldetect", value:"Enumerate the Windows registry and check for the existence of two scheduled tasks, namely 'GoogleUpdatesTaskMachineUI' and 'JavaUpdatesTasksHosts'.");
  script_tag(name:"insight", value:"The APT group uses social engineering attacks to deploy various scripts that also install tasks on the target machine.

      In order to keep a persistent control of the target system, tasks are being created and scheduled. The Windows registry holds a list of all created tasks.

      Therefore the infection can be validated by checking for the existence of the specific registry entries.");
  script_tag(name:"impact", value:"The affected system suffers from data exfiltration.");
  script_tag(name:"solution", value:"A whole cleanup of the infected system is recommended.");

  # Description pass ends here; the detection logic below runs only on a scan.
  exit(0);
}

include("smb_nt.inc");
include("secpod_smb_func.inc");

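# Header for the findings report; one line per matching task is appended below.
report = 'The following suspicious tasks have been found (Registry Key:Content):\n';

# One flag per indicator. Both must be set before anything is reported (see the
# final check), so start from an explicit FALSE instead of relying on the
# NULL-is-false behaviour of a never-assigned NASL variable.
match1 = FALSE;
match2 = FALSE;

# Task Scheduler's cache lives under these two HKLM subtrees. Each "Tasks"
# subkey is expected to carry a "Path" value naming the task; each "Tree"
# subkey is itself named after the task. NOTE(review): if "Tree" subkeys carry
# no "Path" value, a value-only comparison never matches there, so the subkey
# name is compared as well -- confirm the layout against a live host.
foreach item (make_list("Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks", "Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree"))
{
  itemList = registry_enum_keys(key:item);

  # Nothing to do when the subtree is missing or could not be read.
  if (isnull(itemList)) continue;

  foreach key (itemList)
  {
    # NASL double-quoted strings are raw, so "\" is a single backslash
    # (the '\n' in the report uses single quotes precisely to get an escape).
    fullKey = item + "\" + key;

    # "Path" value of this task entry; normalise a missing value to "" so the
    # substring tests below always operate on a string.
    found = registry_get_sz(key:fullKey, item:"Path");
    if (isnull(found)) found = "";

    # Text shown in the report: the "Path" value when present, otherwise the
    # subkey name (the only identifying text a "Tree" entry offers).
    content = found;
    if (content == "") content = key;

    # An indicator counts when it appears in either the value or the key name.
    if ("GoogleUpdatesTaskMachineUI" >< found || "GoogleUpdatesTaskMachineUI" >< key)
    {
      match1 = TRUE;
      report += "HKLM\" + fullKey + ":" + content + '\n';
    }

    if ("JavaUpdatesTasksHosts" >< found || "JavaUpdatesTasksHosts" >< key)
    {
      match2 = TRUE;
      report += "HKLM\" + fullKey + ":" + content + '\n';
    }
  }
}

# Report only when both tasks are present -- presumably to keep false positives
# down, at the cost of staying silent on a host that carries just one of them.
if (match1 && match2)
{
  security_message(port:0, data:report);
}

# Nothing found (99 is the customary OpenVAS "not detected" exit code).
exit(99);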