Researchers detonated a Snake Keylogger sample from MalwareBazaar, traced its external connections, and developed a Suricata rule that decodes Base64-encoded SMTP exfiltration to detect stolen data such as cookies and host identifiers. The investigation linked C2 IPs and demonstrated that existing ET rules missed the exfiltration until a signature targeting the Subject header and base64-decoded payload was created. #SnakeKeylogger #VIPKeylogger
Keypoints
- Snake Keylogger (.NET) observed stealing keystrokes, browser cookies, geolocation, and system info, exfiltrating via FTP, SMTP, or HTTP.
- Malware sample discovered on MalwareBazaar and further examined via VirusTotal, which listed some IOCs but lacked exfiltration-focused signatures.
- Dynamic analysis used FlareVM, Procmon, ProcDot, Tcpview, Wireshark, Zui/Brim, and Suricata to collect host and network IOCs.
- Detonation revealed four external connections (e.g., 158.101.44[.]242 and 104.21.48[.]1) on ports 80, 443, and 587; the port 587 (SMTP submission) session carried the exfiltration and became the focus of the analysis.
- The existing ET rule (sid:2060048 “ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)”) did not fire: its content matches look for literal strings in the message, and this sample Base64-encodes the exfiltrated body, so the markers never appear in plaintext on the wire.
- Decoded Base64 payloads contained markers like “Cookies” and “VIP Recovery” enabling reliable identification of exfiltrated content.
- The detection was rebuilt as a Suricata rule that (1) matches the Subject header for the “Pc Name” and “VIP Recovery” markers, (2) requires a Content-Transfer-Encoding: base64 header, (3) decodes a bounded number of bytes of the body (Suricata’s base64_decode keyword), and (4) searches the decoded buffer (base64_data) for the payload keywords, producing actionable alerts. Two practitioner caveats: the decode byte limit must be large enough to reach where the keywords sit in the decoded body, and the rule only works while the SMTP session stays in cleartext (a STARTTLS upgrade on port 587 would hide the body from inspection).
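The following is an added example, not code from the original analysis or a rule from the ET ruleset: a plain-Python model of the layered checks described above (header markers, base64 transfer encoding, bounded decode, keyword search on the decoded bytes), so the logic can be traced and tested offline. The SMTP message, addresses, hostname and cookie line are constructed to mimic the described shape and are not real indicators; the decode limit here counts encoded input bytes, so confirm your engine's semantics before copying a number into a real rule.

```python
"""Model of a decode-then-match SMTP exfiltration check (added example).

Everything below is constructed test data, not captured traffic.
"""
import base64

# Strings the write-up reports in the Subject header and in the decoded body.
HEADER_MARKERS = (b"Subject:", b"Pc Name", b"VIP Recovery")
PAYLOAD_MARKERS = (b"Cookies", b"VIP Recovery")

# Constructed "stolen data" blob: marker-first, cookie table after it.
STOLEN_BLOB = (
    b"VIP Recovery\r\n"
    b"Pc Name: VICTIM-PC\r\n"
    b"Cookies:\r\n"
    b".example.test\tTRUE\t/\tFALSE\t0\tsid\tdeadbeef\r\n"
)

# Constructed SMTP DATA section as it would appear on TCP/587 without STARTTLS.
SAMPLE_SMTP_DATA = (
    b"From: <sender@mail.example>\r\n"
    b"To: <dropbox@mail.example>\r\n"
    b"Subject: Pc Name: VICTIM-PC | VIP Recovery\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(STOLEN_BLOB) + b"\r\n"
)

# Constructed benign message: base64 body but none of the Subject markers.
BENIGN_SMTP_DATA = (
    b"From: <alice@mail.example>\r\n"
    b"To: <bob@mail.example>\r\n"
    b"Subject: Invoice\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"Please find the invoice attached.") + b"\r\n"
)


def split_message(data: bytes) -> tuple[bytes, bytes]:
    """Split an SMTP DATA section into (headers, body) at the first blank line."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in message")
    return head, body


def decode_prefix(body: bytes, max_b64_bytes: int) -> bytes:
    """Decode at most max_b64_bytes of Base64 input (whole quartets only).

    Line breaks are dropped first because MIME wraps Base64 bodies; a
    non-Base64 body decodes to nothing rather than raising.
    """
    compact = body.replace(b"\r", b"").replace(b"\n", b"")
    window = compact[: max_b64_bytes - (max_b64_bytes % 4)]
    try:
        return base64.b64decode(window, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def detect_snake_smtp_exfil(data: bytes, max_b64_bytes: int = 300) -> dict:
    """Apply the layered checks and report which stage matched.

    plaintext_hit shows what a signature that searches the raw body for the
    markers would see; decoded_hits is what the decode-then-match stage sees.
    """
    headers, body = split_message(data)
    result = {
        "subject_markers": all(m in headers for m in HEADER_MARKERS),
        "base64_cte": b"content-transfer-encoding: base64" in headers.lower(),
        "plaintext_hit": any(m in body for m in PAYLOAD_MARKERS),
        "decoded_hits": [],
    }
    # Only pay for the decode when the cheap header checks have matched.
    if result["subject_markers"] and result["base64_cte"]:
        decoded = decode_prefix(body, max_b64_bytes)
        result["decoded_hits"] = [m.decode() for m in PAYLOAD_MARKERS if m in decoded]
    result["alert"] = bool(result["decoded_hits"])
    return result


if __name__ == "__main__":
    print("full window :", detect_snake_smtp_exfil(SAMPLE_SMTP_DATA))
    print("32-byte win :", detect_snake_smtp_exfil(SAMPLE_SMTP_DATA, max_b64_bytes=32))
    print("benign      :", detect_snake_smtp_exfil(BENIGN_SMTP_DATA))
```

Running it shows the two points the write-up makes: the raw body never contains “Cookies” or “VIP Recovery” (so a plaintext match fails), while the decoded prefix does; and with a decode window of only 32 encoded bytes the “Cookies” marker, which sits past the first 24 decoded bytes of the constructed blob, is missed, which is why the byte limit in the real rule has to be sized to the payload layout.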
MITRE Techniques
- [T1056.001] Input Capture: Keylogging – SnakeKeylogger records keystrokes alongside its other collection (“…its capabilities include recording keystrokes, stealing browser cookies, capturing geolocation and system information…”).
- [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Stolen data is sent to attacker-controlled mailboxes or drop points over SMTP, FTP, or HTTP rather than over a dedicated C2 channel; where the destination is treated as a C2 server, [T1041] Exfiltration Over C2 Channel is the alternative mapping (“…exfiltrated via FTP, SMTP, or HTTP.”).
- [T1071.003] Application Layer Protocol: Mail Protocols – Exfiltration occurred over SMTP (port 587), with SMTP header fields carrying victim metadata (“…the analysis reveals four external connections using ports 80, 443, and 587… particularly interested in the activity on port 587.”).
- [T1132.001] Data Encoding: Standard Encoding – The malware Base64-encodes the stolen data before sending it, which is why signatures that match plaintext markers miss it; the defender-side decode is the detection response, not an adversary technique (“…the stream above immediately reveals why the signature didn’t trigger… the malware exfiltrates data using Base64 encoding.”).
- [T1082] System Information Discovery – The malware collects the infected host’s name and places it in the email Subject next to the “VIP Recovery” tag so the attacker can attribute incoming data to a victim (“…Subject line carries key metadata, such as the infected PC Name and a suspicious tag: VIP Recovery.”).
Indicators of Compromise
- [IP Address] C2/network connections – 158.101.44[.]242, 104.21.48[.]1
- [Port] Network service usage – SMTP on port 587, HTTP on port 80, HTTPS on port 443
- [Email Headers/Strings] SMTP subject and header markers – “VIP Recovery”, “Pc Name”, “Subject” (used for signature matching)
- [Payload Strings] Decoded content markers – “Cookies”, “VIP Recovery” (found in Base64-decoded payload)
- [File Source] Malware repository/sample context – SnakeKeylogger sample from MalwareBazaar (analyzed via VirusTotal and detonated locally)