Advent of Cyber 2024 — Day 1
McSkidy began investigating a suspicious website claiming to offer YouTube to MP3 conversion. The trail hinted at a hacker known as “Glitch,” but deeper exploration unveiled the involvement of another mysterious figure, “M.M.,” pointing to poor OPSEC practices.
Learning Objectives
- Investigating malicious link files.
- Understanding Operational Security (OPSEC) and common mistakes.
- Tracking and attributing digital identities in cyber investigations.
Procedures Followed
1. Initial Investigation
- Accessed the suspicious website (a YouTube to MP3/MP4 conversion site) hosted on the AttackBox.
- Observed site features and noted references to “The Glitch” on the About Page.
2. Download Analysis
- Used the test YouTube link shared in the description (https://www.youtube.com/watch?v=dQw4w9WgXcQ) to generate a ZIP file (download.zip).
- Extracted the archive to reveal two files: song.mp3 and somg.mp3.
- Analyzed file types using the file command:
  - song.mp3: A regular MP3 audio file.
  - somg.mp3: A disguised Windows shortcut (.lnk), pointing to a malicious PowerShell script.
3. Inspecting the Malicious Shortcut
- Examined somg.mp3 using exiftool.
- Revealed a PowerShell command designed to:
  - Download a script (IS.ps1) from a remote server.
  - Execute the script to exfiltrate sensitive information (cryptocurrency wallets).
4. PowerShell Script Analysis
- Investigated the downloaded script. It targeted sensitive data and included a distinctive signature:
Created by the one and only M.M.
5. Attribution through GitHub
- Searched for the unique string from the script on GitHub.
- Discovered a repository with discussions revealing the identity of “M.M.” as Mayor Malware.
- Poor OPSEC practices included:
  - Reusing handles across platforms.
  - Publicly responding to queries about the malicious code.
  - Metadata in the script pointing to the same individual.
Answers to questions
1. Author of song.mp3: Tyler Ramsbey.
2. Command and Control (C2) URL: http://papash3ll.thm/data
3. Identity of M.M.: Mayor Malware.
4. Number of Commits on Repo: 1.
Lessons Learned
1. OPSEC Mistakes:
- Reusing identities and metadata makes it easier to track and attribute cyber activities.
- Public discussions on open platforms like GitHub can expose attackers.
2. Malware Analysis:
- .lnk files can act as vectors for executing malicious scripts.
- PowerShell commands are powerful, and easily abused when not properly secured.
3. Investigation Tools:
- ExifTool: Crucial for inspecting file metadata.
- GitHub Search: Effective for tracing code origins and attribution.
Reflection
This task underscored the importance of attention to detail when investigating cybersecurity incidents. Understanding attacker behaviors, tools, and mistakes provides critical insights into their operations. The exercise highlighted how small oversights in OPSEC can lead to significant attribution successes for investigators.
Looking forward to the challenges and lessons Day 2 will bring!