Fancy NTLM Relay
In today’s episode of #RabbitHoleWednesday, I stumbled upon this tweet about APT28’s activities. While several points were intriguing, two items particularly caught my eye:
- The use of a headless browser (which isn’t exactly groundbreaking, but perhaps not widely recognized?).
- The mention of mockbin sites.
I decided to delve deeper into the Mockbin aspect. Notably, none of the samples referenced in the tweet were available on VT.
However, my exploration on VT led me to a collection, pointing me to another intriguing APT28 PowerShell script: https://www.virustotal.com/gui/file/52951f2d92e3d547bad86e33c1b0a8622ac391c614efa3c5d167d8a825937179/detection.
If you examine the bottom of the CERT UA blog (https://cert.gov.ua/article/5702579), you’ll spot a screenshot of a script bearing a striking resemblance.
This particular PowerShell script establishes a local HTTP server leveraging .NET’s HttpListener. It’s designed to set up a byte array for NTLM Type 2 authentication, initiate a hidden process to map a network drive, and continuously listen for HTTP requests. It’s equipped to manage NTLM authentication, either by challenging clients or by routing messages to mockbin[.]org.
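As an added example (not the APT28 script and not Inveigh code), here is a small Python decoder for the NTLMSSP messages that pass through such an HTTP listener. It is the kind of helper an analyst uses when triaging proxy logs or a capture: it tells a Type 2 challenge (server challenge, flags) from a Type 3 response (domain, user). The sample messages and header line are constructed for the example, not captured traffic.

```python
"""Decode NTLMSSP messages carried in HTTP auth headers so a responder can tell
a Type 2 challenge from a Type 3 response. Added example, not the APT28 script."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE


def _secbuf(blob, off):
    """Read an NTLM security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", blob, off)
    return blob[start:start + length]


def decode_ntlm(blob):
    """Describe an NTLMSSP message as a dict; None if the bytes are not one."""
    if len(blob) < 12 or not blob.startswith(NTLMSSP):
        return None
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == 2 and len(blob) >= 32:
        # CHALLENGE: NegotiateFlags at offset 20, 8-byte ServerChallenge at 24
        info["flags"] = struct.unpack_from("<I", blob, 20)[0]
        info["challenge"] = blob[24:32].hex()
    elif msg_type == 3 and len(blob) >= 64:
        # AUTHENTICATE: DomainName buffer at 28, UserName at 36, flags at 60
        flags = struct.unpack_from("<I", blob, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _secbuf(blob, 28).decode(enc)
        info["user"] = _secbuf(blob, 36).decode(enc)
    return info


def ntlm_from_header(line):
    """Parse 'WWW-Authenticate: NTLM <b64>' or 'Authorization: NTLM <b64>'."""
    _name, _, value = line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    return decode_ntlm(base64.b64decode(token))


# Constructed samples (not captured traffic): a minimal Type 2 with challenge
# 0x0102030405060708, and a Type 3 for CORP\alice with empty response fields.
SAMPLE_TYPE2 = (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 32)
                + struct.pack("<I", 0x00008201) + bytes(range(1, 9)) + b"\x00" * 8)
SAMPLE_TYPE3 = (NTLMSSP + struct.pack("<I", 3) + struct.pack("<HHI", 0, 0, 64) * 2
                + struct.pack("<HHI", 8, 8, 64) + struct.pack("<HHI", 10, 10, 72)
                + struct.pack("<HHI", 0, 0, 82) * 2 + struct.pack("<I", NEGOTIATE_UNICODE)
                + "CORP".encode("utf-16-le") + "alice".encode("utf-16-le"))
SAMPLE_CHALLENGE_HEADER = "WWW-Authenticate: NTLM " + base64.b64encode(SAMPLE_TYPE2).decode()
```

A Type 2 challenge served by an unexpected host on the local network, or a Type 3 carrying a privileged account toward one, is exactly what to look for when hunting for a listener like the one above.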
Upon closer inspection, I realized the script had been defanged. I fixed it, and you can review my modified version here: https://github.com/MHaggis/notes/blob/master/utilities/FancyNTLMRelay/readme.md.
I modified it to write to disk and provided the original. Both work.
I noticed a lot of this appears to resemble Inveigh (https://github.com/Kevin-Robertson/Inveigh).
I suspect they incorporated enough to make an MVP (minimal viable product) to evade common signatures.
Why low/no scores on VT?
- Most likely caused by scripts being defanged and not running.
- No static signatures
- Not sure 🤷
Additional finds on VT:
- https://www.virustotal.com/gui/file/5c08c1c1b7e089b172e30b9ad452bab7ce64ee48201f603fc96fd9c6e24db1dc
This seems pretty limited out there. Pivoting on some of the bytes, I found a bunch of Inveigh on VT.
Happy hunting!