Burrowing your way into VPNs, Proxies, and Tunnels | Mandiant
Tags
Common Information
Type | Value |
---|---|
UUID | 37c40d0b-392a-42d4-a4b3-7e26c6e3a154 |
Fingerprint | a450a87f2173e2f7 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | June 29, 2022, midnight |
Added to db | Nov. 6, 2023, 6:54 p.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | Burrowing your way into VPNs, Proxies, and Tunnels |
Title | Burrowing your way into VPNs, Proxies, and Tunnels | Mandiant |
Detected Hints/Tags/Attributes | 127/4/106 |
Source URLs
Redirection | Url |
---|---|
Source | https://www.mandiant.com/resources/blog/burrowing-your-way-into-vpns |
URL Provider
RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
330 | ✔ | Threat Intelligence | https://www.mandiant.com/resources/blog/rss.xml | 2024-08-30 22:08 |
Attributes
Type | #Events | Value |
---|---|---|
CVE | 397 | cve-2021-44228 |
Domain | 11 | hide.me |
Domain | 5 | localhost.run |
Domain | 36 | schemas.openxmlformats.org |
Domain | 1 | get-my-ip.ddns.softether-network.net |
Domain | 1 | keepalive.softether.org |
Domain | 1 | update-check.softether-network.net |
Domain | 5 | softether.net |
Domain | 2 | vpn.company.com |
Domain | 1 | proxy.company.com |
Domain | 1 | hideservers.net |
Domain | 1 | issuer.country |
Domain | 1 | localtunnel.net |
Domain | 4127 | github.com |
Domain | 1373 | twitter.com |
File | 263 | iexplore.exe |
File | 137 | conhost.exe |
File | 1 | appinstaller.exe |
File | 4 | bitsadmin.exe |
File | 1 | certoc.exe |
File | 2 | certreq.exe |
File | 11 | certutil.exe |
File | 1 | cmdl32.exe |
File | 1 | desktopimgdownldr.exe |
File | 1 | diantz.exe |
File | 2 | esentutl.exe |
File | 1 | expand.exe |
File | 1 | extrac32.exe |
File | 1 | findstr.exe |
File | 1 | finger.exe |
File | 1 | gfxdownloadwrapper.exe |
File | 2 | hh.exe |
File | 1 | ieexec.exe |
File | 1 | imewdbld.exe |
File | 1 | makecab.exe |
File | 2 | mpcmdrun.exe |
File | 1 | printbrm.exe |
File | 1 | replace.exe |
File | 2 | squirrel.exe |
File | 2 | wsl.exe |
File | 1 | xwizard.exe |
File | 27 | tls.cer |
File | 14 | response.html |
File | 3 | tags.raw |
File | 8 | pe.dat |
File | 2 | vpn_bridge.config |
md5 | 1 | befec87a9742ba8e8f6e61e1133f55fb |
md5 | 1 | 4c5f27d28f369da5d5ecce947bb22943 |
md5 | 1 | 6de8cc7217cb3e0c235fcdde83b1140b |
md5 | 1 | a2d34e8c543aef78766b37dcaa5f7686 |
md5 | 1 | 2586bb9e27a4b3da4ed0f5d15883f84e |
md5 | 1 | 5d1dbfdc47e820605fedabb98cf17dd5 |
md5 | 1 | 995f7d9ca805cce59acbeff82ed4adc6 |
md5 | 1 | 2e09a136e40143ed3317c9ce6ea027a6 |
md5 | 1 | 96842ad6cc00fab5776171c56812b9a5 |
md5 | 1 | 2bf422e19e721b461f9e98271fb28ad3 |
md5 | 1 | 35fcc4b19946d1bc9c21add1f42d2b63 |
md5 | 1 | f224e0c1ad6d27c76b1f87fdb8ada639 |
md5 | 1 | 61d59eb2799b1a77eedf34b145cf23e1 |
md5 | 1 | 2ce7a0ffa14134167945e8df84755f1c |
md5 | 2 | 9fb1191ba0064d317a883677ce568023 |
md5 | 2 | 00352d167c44272dba415c36867a8125 |
md5 | 1 | ce5d96252315e2c9d5fd9aeb98ae28ae |
IPv4 | 2 | 35.189.145.119 |
Mandiant Uncategorized Groups | 2 | UNC3500 |
Mandiant Uncategorized Groups | 4 | UNC2465 |
Mandiant Uncategorized Groups | 5 | UNC3661 |
Mandiant Uncategorized Groups | 1 | UNC270 |
Mandiant Uncategorized Groups | 10 | UNC530 |
Mandiant Uncategorized Groups | 2 | UNC875 |
Mandiant Uncategorized Groups | 10 | UNC961 |
Mandiant Uncategorized Groups | 1 | UNC1066 |
Mandiant Uncategorized Groups | 2 | UNC1575 |
Mandiant Uncategorized Groups | 1 | UNC1585 |
Mandiant Uncategorized Groups | 1 | UNC1615 |
Mandiant Uncategorized Groups | 1 | UNC1804 |
Mandiant Uncategorized Groups | 1 | UNC2984 |
Mandiant Uncategorized Groups | 1 | UNC3325 |
Mandiant Uncategorized Groups | 1 | UNC3804 |
Threat Actor Identifier - APT | 143 | APT40 |
Threat Actor Identifier - APT | 783 | APT28 |
Threat Actor Identifier - APT | 18 | APT12 |
Threat Actor Identifier - APT | 11 | APT22 |
Threat Actor Identifier - APT | 277 | APT37 |
Url | 22 | http://schemas.openxmlformats.org/package/2006/relationships |
Url | 1 | https://twitter.com/stvemillertime/status/1241027937970814976?s=20&t=t2esf89f6t8luibst8rv |
Url | 1 | http://35.189.145.119/hamcore.se2 |
Url | 1 | http://35.189.145.119/https |
Url | 1 | http://35.189.145.119/vpn_bridge.config |
Yara rule | 1 | M_Hunting_VPNEngine_RTF_Embedded_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_OOXML_Target_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_ArchiveEngine_ISOWithEmbeddedVPN_1 (full rule below) |
Yara rule | 1 | M_Hunting_MacOS_VPNEngine_MachO_FEBeta_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_NgrokConfig_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_NgrokConfig_2 (full rule below) |
Yara rule | 1 | M_Hunting_Linux_VPNEngine_GenericSoftEther_1 (full rule below) |
Yara rule | 1 | M_METHODOLOGY_VPNEngine_LoadVPNProxyChromeExtension_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_ChromeExtensions_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_ChromeExtensionInBinary_1 (full rule below) |
Yara rule | 1 | M_Hunting_VPNEngine_GenericProxyVPNDomain_1 (full rule below) |
Yara rule | 1 | M_Hunting_Win_VPNEngine_PDB_1 (full rule below) |
Yara rule | 1 | M_Hunting_AscensionEngine_gotunnelme_1 (full rule below) |
Yara rule | 1 | M_Hunting_AscensionEngine_golocaltunnel_1 (full rule below) |
Yara rule | 1 | M_Hunting_AscensionEngine_localtunnelnet_1 (full rule below) |
Yara rule | 1 | M_Hunting_AscensionEngine_zdtun_1 (full rule below) |
Yara rule | 1 | M_Hunting_AscensionEngine_GithubVPNProxy_1 (full rule below) |

Yara rules

```yara
rule M_Hunting_VPNEngine_RTF_Embedded_1
{
    meta:
        description = "Detects a suspicious string often used in PE files in a hex encoded object stream along with a VPN or proxy filename in the hex object."
        author = "Mandiant"
        md5 = "befec87a9742ba8e8f6e61e1133f55fb"
    strings:
        $pe = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465"
        $mz = /4d5a[a-zA-Z0-9]{19,21}ffff/
        $vpn1 = /56504e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
        $vpn2 = /76706e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
        $vpn3 = /70726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
        $vpn4 = /50726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
        $vpn5 = /50524f5859[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)/
    condition:
        filesize < 15MB and (uint16(0) == 0x5C7B) and ($pe or $mz) and (1 of ($vpn*))
}
```

```yara
rule M_Hunting_VPNEngine_OOXML_Target_1
{
    meta:
        description = "Detects an external relationship link in an OOXML with a VPN or proxy domain."
        author = "Mandiant"
    strings:
        $relationship_external = /TargetMode=[\"\']External[\"\']/ ascii wide nocase
        $anchor = "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">"
        $s1 = " Target=" ascii nocase
        $s2 = " TargetMode=" ascii nocase
        $s3 = " Type=" ascii nocase
        $s4 = " Id=" ascii nocase
        $re = /Target=[\"\'][^\"\']{0,100}(vpn|proxy).{0,100}/ ascii nocase
    condition:
        (filesize < 10KB) and $anchor and $relationship_external and (1 of ($s*)) and $re
}
```

```yara
rule M_Hunting_VPNEngine_ArchiveEngine_ISOWithEmbeddedVPN_1
{
    meta:
        author = "Mandiant"
        description = "Looking for ISO files with embedded payloads utilizing VPN strings."
        md5 = "4c5f27d28f369da5d5ecce947bb22943"
    strings:
        $s1 = /vpn[^\.]{0,50}\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword
        $s2 = /proxy[^\.]{0,50}\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword
        $s3 = /vpn[a-zA-Z0-9\.]{0,50}\.(com|io|ru|org|net)/ ascii nocase
        $s4 = /proxy[a-zA-Z0-9\.]{0,50}\.(com|io|ru|org|net)/ ascii nocase
        $s5 = "remote access" ascii wide nocase fullword
        $s6 = /localhost[^a-zA-Z0-9]{0,5}tunnel/ ascii nocase fullword
    condition:
        uint32(0x8000) == 0x30444301 and uint32(0x8004) == 0x00013130 and any of them
}
```

```yara
rule M_Hunting_MacOS_VPNEngine_MachO_FEBeta_1
{
    meta:
        author = "Mandiant"
        description = "This rule looks for Mach-O files with strings indicating relationship with a VPN client or domain."
        md5 = "6de8cc7217cb3e0c235fcdde83b1140b"
    strings:
        $s1 = /vpn[^\.]{0,50}\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword
        $s2 = /proxy[^\.]{0,50}\.(exe|dll|lnk|hta|rtf|ps1|vbs|vbe|pdf|doc)/ ascii nocase fullword
        $s3 = /vpn[a-zA-Z0-9\.]{0,50}\.(com|io|ru|org|net)/ ascii nocase
        $s4 = /proxy[a-zA-Z0-9\.]{0,50}\.(com|io|ru|org|net)/ ascii nocase
        $s6 = /localhost[^a-zA-Z0-9]{0,5}tunnel/ ascii nocase fullword
    condition:
        filesize < 15MB and (uint32(0) == 0xBEBAFECA or uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xCEFAEDFE) and (1 of them)
}
```

```yara
rule M_Hunting_VPNEngine_NgrokConfig_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for Ngrok YML config file."
        md5 = "5d1dbfdc47e820605fedabb98cf17dd5"
    strings:
        $header = "authtoken:"
        $tokenRE = /authtoken:\s+[a-zA-Z0-9]{24,30}_[a-zA-Z0-9]{16,22}/
        $tunnel = "tunnels:"
    condition:
        filesize < 1MB and $header in (0 .. 20) and $tokenRE and $tunnel
}
```

```yara
rule M_Hunting_VPNEngine_NgrokConfig_2
{
    meta:
        author = "Mandiant"
        description = "Rule looks for Ngrok YML config file."
        md5 = "5d1dbfdc47e820605fedabb98cf17dd5"
    strings:
        $header = "authtoken:"
        $tokenRE = /authtoken:\s[a-zA-Z0-9]{26,30}_[a-zA-Z0-9]{19,22}/
    condition:
        filesize < 1MB and $header at 0 and $tokenRE
}
```

```yara
rule M_Hunting_Linux_VPNEngine_GenericSoftEther_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for SoftEther generic terms in samples."
    strings:
        $domain = "update-check.softether-network.net" ascii fullword
        $keepalive = "keepalive.softether.org"
        $vpn = "SoftEther Corporation" ascii fullword
    condition:
        filesize < 10MB and uint32(0) == 0x464c457f and all of them
}
```

```yara
rule M_METHODOLOGY_VPNEngine_LoadVPNProxyChromeExtension_1
{
    meta:
        author = "Mandiant"
        description = "Hunting rule that looks for files containing strings pertaining to execution of Chrome to launch an extension with VPN or proxy equities."
    strings:
        $r1 = /chrome[^\r\n]*?--load-extension=/ ascii wide nocase
        $s1 = "chrome" ascii wide
        $s2 = "--load-extension=" ascii wide
        $p1 = "vpn" ascii wide nocase fullword
        $p2 = "proxy" ascii wide nocase fullword
    condition:
        filesize < 50KB and all of ($s*) and $r1 and ($p1 or $p2)
}
```

```yara
rule M_Hunting_VPNEngine_ChromeExtensions_1
{
    meta:
        author = "Mandiant"
        md5 = "995f7d9ca805cce59acbeff82ed4adc6"
    strings:
        $manifest1 = "\"manifest_version\":" ascii nocase
        $manifest2 = "\"name\":" ascii nocase
        $manifest3 = "\"version\":" ascii nocase
        $optional1 = "\"author\":" ascii nocase
        $optional2 = "\"browser_action\":" ascii nocase
        $optional3 = "\"content_security_policy\":" ascii nocase
        $optional4 = "\"default_icon\":" ascii nocase
        $optional5 = "\"default_locale\":" ascii nocase
        $optional6 = "\"default_title\":" ascii nocase
        $optional7 = "\"description\":" ascii nocase
        $optional8 = "\"differential_fingerprint\":" ascii nocase
        $optional9 = "\"icons\":" ascii nocase
        $optional10 = "\"permissions\":" ascii nocase
        $optional11 = "\"background\":" ascii nocase
        $anchorre1 = /\"default_title\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre2 = /\"description\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre3 = /\"name\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre4 = /\"short_name\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre5 = /\"default_title\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre6 = /\"description\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre7 = /\"name\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre8 = /\"short_name\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
    condition:
        filesize < 1MB and $manifest1 and $manifest2 and $manifest3 and (2 of ($optional*)) and (1 of ($anchorre*))
}
```

```yara
rule M_Hunting_VPNEngine_ChromeExtensionInBinary_1
{
    meta:
        author = "Mandiant"
        md5 = "2e09a136e40143ed3317c9ce6ea027a6"
    strings:
        $manifest1 = "\"manifest_version\":" ascii nocase
        $manifest2 = "\"name\":" ascii nocase
        $manifest3 = "\"version\":" ascii nocase
        $optional1 = "\"author\":" ascii nocase
        $optional2 = "\"browser_action\":" ascii nocase
        $optional3 = "\"content_security_policy\":" ascii nocase
        $optional4 = "\"default_icon\":" ascii nocase
        $optional5 = "\"default_locale\":" ascii nocase
        $optional6 = "\"default_title\":" ascii nocase
        $optional7 = "\"description\":" ascii nocase
        $optional8 = "\"differential_fingerprint\":" ascii nocase
        $optional9 = "\"icons\":" ascii nocase
        $optional10 = "\"permissions\":" ascii nocase
        $optional11 = "\"background\":" ascii nocase
        $anchorre1 = /\"default_title\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre2 = /\"description\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre3 = /\"name\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre4 = /\"short_name\": \"[^\"]{0,100}[pP]roxy[^\"]{0,100}\"/
        $anchorre5 = /\"default_title\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre6 = /\"description\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre7 = /\"name\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
        $anchorre8 = /\"short_name\": \"[^\"]{0,100}(VPN|\s+vpn|vpn\s+)[^\"]{0,100}\"/
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $manifest1 and $manifest2 and $manifest3 and (2 of ($optional*)) and (1 of ($anchorre*))
}
```

```yara
rule M_Hunting_VPNEngine_GenericProxyVPNDomain_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for generic proxy/vpn domains."
        md5 = "96842ad6cc00fab5776171c56812b9a5"
    strings:
        $UniqueProxyVPNDomain = /(proxy|vpn)\.[^\.]{1,100}\.(net|com|org)/ ascii nocase fullword
    condition:
        filesize < 5MB and ((uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and $UniqueProxyVPNDomain
}
```

```yara
rule M_Hunting_Win_VPNEngine_PDB_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for VPN or Proxy PDB."
        md5 = "2bf422e19e721b461f9e98271fb28ad3"
    strings:
        $pdb = /RSDS[\x00-\xFF]{20}[a-zA-Z]:\\[\x00-\xFF]{0,500}(vpn|proxy)[\x00-\xFF]{0,500}\.pdb\x00/ ascii wide nocase
    condition:
        filesize < 5MB and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $pdb
}
```

```yara
rule M_Hunting_AscensionEngine_gotunnelme_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for binaries that use gotunnelme."
        md5 = "35fcc4b19946d1bc9c21add1f42d2b63"
    strings:
        $anchor = "gotunnelme" ascii wide nocase
        $func1 = "NewTunnelConn" ascii wide nocase
        $func2 = "Tunnel" ascii wide nocase
        $func3 = "StopTunnel" ascii wide nocase
        $func4 = "ConnectRemote" ascii wide nocase
        $func5 = "NewTunnel" ascii wide nocase
        $func6 = "GetUrl" ascii wide nocase
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $anchor and (1 of ($func*))
}
```

```yara
rule M_Hunting_AscensionEngine_golocaltunnel_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for binaries that use golocaltunnel."
        md5 = "35fcc4b19946d1bc9c21add1f42d2b63"
    strings:
        $anchor1 = "localtunnel.go" ascii wide nocase
        $func1 = "readAtmost" ascii wide nocase
        $func2 = "Network" ascii wide nocase
        $func3 = "WaitFor" ascii wide nocase
        $func4 = "Accept" ascii wide nocase
        $func5 = "Addr" ascii wide nocase
        $func6 = "URL" ascii wide nocase
        $func7 = "ReachedEOF" ascii wide nocase
        $func8 = "setDefaults" ascii wide nocase
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $anchor1 and (3 of ($func*))
}
```

```yara
rule M_Hunting_AscensionEngine_localtunnelnet_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for binaries that use localtunnel.net."
        md5 = "35fcc4b19946d1bc9c21add1f42d2b63"
    strings:
        $s1 = "Localtunnel" ascii wide nocase
        $s2 = "LocaltunnelClient" ascii wide nocase
        $s3 = "ProxiedSslTunnelOptions" ascii wide nocase
        $s4 = "ProxiedSslTunnelConnection" ascii wide nocase
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and all of them
}
```

```yara
rule M_Hunting_AscensionEngine_zdtun_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for binaries that use zdtun."
        md5 = "f224e0c1ad6d27c76b1f87fdb8ada639"
    strings:
        $anchor = "zdtun" ascii wide nocase
        $s1 = "zdtun_conn_close" ascii wide nocase
        $s2 = "zdtun_conn_dnat" ascii wide nocase
        $s3 = "zdtun_conn_proxy" ascii wide nocase
        $s4 = "zdtun_conn_set_userdata" ascii wide nocase
        $s5 = "zdtun_fds" ascii wide nocase
        $s6 = "zdtun_finalize" ascii wide nocase
        $s7 = "zdtun_get_stats" ascii wide nocase
        $s8 = "zdtun_make_iphdr" ascii wide nocase
        $s9 = "zdtun_purge_expired" ascii wide nocase
        $s10 = "zdtun_set_dnat_info" ascii wide nocase
        $s11 = "zdtun_set_mtu" ascii wide nocase
        $s12 = "zdtun_set_socks5_proxy" ascii wide nocase
        $s13 = "zdtun_conn_get_userdata" ascii wide nocase
        $s14 = "zdtun_userdata" ascii wide nocase
        $s15 = "zdtun_init" ascii wide nocase
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $anchor and (5 of ($s*))
}
```

```yara
rule M_Hunting_AscensionEngine_GithubVPNProxy_1
{
    meta:
        author = "Mandiant"
        description = "Rule looks for binaries that include vpn/proxy/tunnel github links"
    strings:
        $r1 = /github.com\/[^\/]+\/[^\/]*(vpn|VPN|proxy|Proxy|tunnel|Tunnel)[^\/]*\//
        $vpn = "vpn" nocase fullword
        $proxy = "proxy" nocase fullword
        $tunnel = "tunnel" nocase fullword
    condition:
        ((uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) or (uint32(0) == 0x464c457f)) and filesize < 20MB and $r1 and ($vpn or $proxy or $tunnel)
}
```
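Added example, not from the Mandiant post or this index: a pure-Python re-implementation of the condition of M_Hunting_VPNEngine_RTF_Embedded_1, run over constructed RTF documents, to show what the rule's hex-encoded strings actually key on. The regexes and the `{\` header check are the rule's own; the RTF wrapper, the stand-in PE bytes and the filenames (netvpn.exe, calc.exe) are constructed here and are not real samples. The fourth sample shows a limitation of the rule as published: its hex patterns are lowercase-only, so an object stream emitted in uppercase hex is not matched even though it carries the same payload.

```python
import re

# Strings from Mandiant's M_Hunting_VPNEngine_RTF_Embedded_1, i.e. hex-encoded ASCII as it
# appears inside an RTF \objdata stream. $pe is "This program cannot be run in DOS mode".
PE_STUB_HEX = b"546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465"
MZ_RE = re.compile(rb"4d5a[a-zA-Z0-9]{19,21}ffff")       # "MZ" + DOS header fields + e_maxalloc 0xFFFF
VPN_RES = [re.compile(p) for p in (
    rb"56504e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)",      # "VPN"   ... ".exe" / ".dll"
    rb"76706e[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)",      # "vpn"
    rb"70726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)",  # "proxy"
    rb"50726f7879[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)",  # "Proxy"
    rb"50524f5859[a-zA-Z0-9]{0,20}(2e657865|2e646c6c)",  # "PROXY"
)]
MAX_SIZE = 15 * 1024 * 1024                                # YARA "filesize < 15MB"


def matches_rtf_embedded_vpn(data: bytes) -> bool:
    """Evaluate the rule's condition over a whole file buffer."""
    if len(data) >= MAX_SIZE:
        return False
    # uint16(0) == 0x5C7B is little-endian: byte 0 is '{' (0x7B), byte 1 is '\' (0x5C)
    if data[:2] != b"{\\":
        return False
    has_pe = PE_STUB_HEX in data or MZ_RE.search(data) is not None
    has_vpn_name = any(r.search(data) for r in VPN_RES)
    return has_pe and has_vpn_name


def fake_pe(embedded_name: bytes) -> bytes:
    """Constructed stand-in for an embedded PE: a realistic DOS header start (e_cblp 0x90,
    e_cp 3, e_crlc 0, e_cparhdr 4, e_maxalloc 0xFFFF), the DOS stub text, then a
    filename string such as a dropper would carry. Not a runnable executable."""
    dos_header = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    return dos_header + b"\x00" * 50 + b"This program cannot be run in DOS mode" + b"\x00" * 8 + embedded_name


def wrap_in_rtf(payload: bytes, upper_hex: bool = False) -> bytes:
    """Constructed minimal RTF carrying the payload hex-encoded in an \\objdata stream,
    the way OLE objects are embedded in RTF. bytes.hex() emits lowercase hex."""
    hexed = payload.hex().encode()
    if upper_hex:
        hexed = hexed.upper()
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + hexed + b"}}}"


# Constructed samples (none of these are real malware).
SAMPLE_VPN_DROPPER = wrap_in_rtf(fake_pe(b"netvpn.exe"))             # PE stub + "vpn...exe"
SAMPLE_BENIGN_PE = wrap_in_rtf(fake_pe(b"calc.exe"))                 # PE stub, no vpn/proxy name
SAMPLE_UPPER_HEX = wrap_in_rtf(fake_pe(b"netvpn.exe"), upper_hex=True)
SAMPLE_NOT_RTF = fake_pe(b"netvpn.exe").hex().encode()               # hex blob without RTF header


def scan_samples() -> dict:
    """Run the rule logic over every constructed sample; keys name the sample."""
    return {
        "vpn_dropper": matches_rtf_embedded_vpn(SAMPLE_VPN_DROPPER),
        "benign_pe": matches_rtf_embedded_vpn(SAMPLE_BENIGN_PE),
        "upper_hex": matches_rtf_embedded_vpn(SAMPLE_UPPER_HEX),
        "not_rtf": matches_rtf_embedded_vpn(SAMPLE_NOT_RTF),
    }


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:12s} {'MATCH' if hit else 'no match'}")
```

Only the first sample matches. The uppercase-hex sample is worth keeping in a regression set for this rule: RTF hex is case-insensitive to Word, so a hunting rule that should survive trivial re-encoding would need the `$pe`, `$mz` and `$vpn*` patterns made case-insensitive (for the literal string, YARA's `nocase` modifier).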