HP Threat Research Blog

June 21, 2020 | Category: Threat Research | By: Alex Holland

Investigating Threats in HP Sure Controller 4.2: TVRAT

HP Sure Click Enterprise captures a wealth of information about threats at the time of execution. HP Sure Controller is a management interface that is designed to help security analysts to quickly understand the nature of threats isolated by HP Sure Click Enterprise. In this blog post, we describe a typical investigation workflow, highlighting some of the useful features and views built into HP Sure Controller that enable security teams to investigate threats efficiently.

Background

The attack was an attempted intrusion against a financial organisation in January 2020 that was stopped by HP Sure Click Enterprise. The delivery method of the downloader, a malicious Microsoft Word document, was notable because the attacker disguised it as a resume and then uploaded it to a legitimate job portal website. It was subsequently downloaded and opened by a member of the target organisation’s human resources department, bypassing email gateway and web proxy security controls. Ultimately, the downloader delivered TVRAT (also known as Spy-Agent), a remote access Trojan that is capable of remotely controlling an infected PC, transferring files and accessing the victim’s microphone and webcam.

Threat Table

The threat table view lists alerts generated by HP Sure Click Enterprise. To prioritise which activity to investigate, you can apply filters to the table by clicking on the ‘Add Filter’ button. You can also create and apply labels to alerts to organise them. Figure 1 shows a filter applied for alerts containing high severity events that HP Sure Click Enterprise has classified as malicious (true positive) or unknown. Two alerts for malicious Microsoft Word documents match these filter criteria.

Figure 1 – The threat table view of alerts in HP Sure Controller.

Threat View – Summary Tab

Clicking on one of the alerts opens the threat view ‘Summary’ tab, which gives an overview of information about the alert to enable an investigator to understand the threat quickly. The information about the alert shown on the ‘Summary’ tab includes:

  • the hostname of the endpoint
  • the user of the endpoint at the time of the activity
  • the names and hash values of resources that triggered the alert, e.g. filenames and URLs
  • the classification given by HP Sure Click Enterprise, i.e. True Positive, False Positive, Unknown
  • the time and duration of the activity, including whether the alert was uploaded to Threat Cloud for additional analysis
  • MITRE ATT&CK techniques observed during the lifetime of the trace
  • files written to the filesystem during the lifetime of the micro-VM
  • DNS events
  • a process interaction graph showing parent-child relationships between processes
  • geolocation and a summary of network activity
  • a log of recent activity that allows HP Sure Controller users to comment on the threat

The Summary tab also allows users to download the files that triggered the alert (.VMM file) and the micro-VM trace (.XEVTS and .DEVTS files) at the time of the activity, in case there is a need to analyse the threat using other tools.

Figure 2 – The threat view of an alert in HP Sure Controller.

The severity of this alert is ‘High’, which indicates that suspicious behaviour commonly associated with malware occurred during the lifetime of the micro-VM.

In the ‘Resources’ section (Figure 2) a URL and a file called ResumeGabriellaGrey.doc are listed. The URL indicates that the user visited the website then downloaded and opened the file. To the left of the filename is a grey-coloured cloud icon which indicates that the file’s hash value is not currently recognised by Threat Cloud. However, a file called wpvnetwks.exe listed in the ‘Blacklistable Files’ section (Figure 2) is known by Threat Cloud. It was marked as clean, as indicated by the green cloud icon. An unknown dynamic link library (DLL) was also written to the filesystem three times during the trace:

  • msi.dll
  • KBuGDorsqg.dll
  • X6IPAYFwa2HOpeVE3gLRKCMb[1].dll

Looking up the hash value of wpvnetwks.exe in a malware repository such as VirusTotal reveals that the file is a legitimate, digitally signed executable used by TeamViewer, a remote access tool. In the ‘DNS Events’ section (Figure 3) you can see that seven suspicious DNS queries were made, including to domains associated with TeamViewer infrastructure.

Figure 3 – Continued threat view of an alert in HP Sure Controller.

The process interaction graph shows the parent-child relationships between processes created in the micro-VM and is designed to enable investigators to identify suspicious process relationships visually. You can see that a Microsoft Word process, winword.exe, created two child processes, wpvnetwks.exe and regsvr32.exe. Given our suspicion that wpvnetwks.exe is a file related to TeamViewer, it is unlikely that Microsoft Word would run this program legitimately. The other process created by Microsoft Word is also highly suspicious because regsvr32.exe is a tool that can be used to run malicious DLLs (T1117). At this stage, it seems a reasonable hypothesis that regsvr32.exe was used to run the DLL listed in the ‘Blacklistable Files’ section.

Despite TeamViewer being a legitimate tool, the summary of the activity in this alert suggests that it was likely used for a malicious purpose. We can inspect the micro-VM’s activity in granular detail using the other tab views to confirm this assessment.
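The reasoning above (an Office process spawning a DLL loader such as regsvr32.exe, or an executable it has no business launching, and the regsvr32 command line pointing at a DLL that was written during the trace) can be expressed as a detection rule over process-creation events. The following is an added example written for this post; it is not HP Sure Controller code and does not read HP's trace formats. The event layout, the process IDs, the file paths and the baseline of expected Word child processes are all constructed assumptions; only the image and DLL names come from the alert described above.

```python
"""Flag suspicious parent-child process relationships in a process-creation trace.

Added example for this post, not HP Sure Controller or HP Sure Click code.
The event schema and SAMPLE_EVENTS are constructed to mirror the alert
discussed in the text (winword.exe -> wpvnetwks.exe / regsvr32.exe).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Office applications whose child processes deserve scrutiny (assumption: a
# short list chosen for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Child images an Office application launches in normal use (assumption: a real
# deployment would derive this baseline from its own endpoint telemetry).
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}

# Signed Windows binaries that load and execute arbitrary DLLs. The post cites
# regsvr32 as MITRE ATT&CK T1117; rundll32 is added here as a comparable loader.
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# DLLs listed in the alert's 'Blacklistable Files' section (names from the post).
WRITTEN_FILES = {"msi.dll", "KBuGDorsqg.dll", "X6IPAYFwa2HOpeVE3gLRKCMb[1].dll"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable file name
    cmdline: str


@dataclass
class Finding:
    severity: str
    parent: str
    child: str
    reason: str
    chain: List[str]  # ancestry from the root process down to the child


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(pid: int, index: Dict[int, ProcEvent]) -> List[str]:
    """Walk ppid links towards the root; 'seen' guards against pid reuse loops."""
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid].image)
        pid = index[pid].ppid
    return list(reversed(chain))


def analyse(events: List[ProcEvent]) -> List[Finding]:
    """Return findings for every child an Office process should not have spawned."""
    index = build_index(events)
    findings: List[Finding] = []
    for e in events:
        parent = index.get(e.ppid)
        if parent is None or parent.image not in OFFICE_PARENTS:
            continue
        chain = ancestry(e.pid, index)
        if e.image in DLL_LOADERS:
            findings.append(Finding("high", parent.image, e.image,
                                    "Office application launched a signed DLL loader (T1117)", chain))
        elif e.image not in EXPECTED_OFFICE_CHILDREN:
            findings.append(Finding("medium", parent.image, e.image,
                                    "Office application launched an executable outside its baseline", chain))
    return findings


def dll_from_cmdline(cmdline: str) -> Optional[str]:
    """Extract the base name of the first .dll path on a command line, if any."""
    m = re.search(r"(\S+\.dll)\b", cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1]


def regsvr32_dlls_written_in_trace(events: List[ProcEvent], written: Set[str]) -> Set[str]:
    """DLLs passed to regsvr32 that were also written to disk during the trace.

    This is the check behind the hypothesis in the text that regsvr32.exe was
    used to run the DLL from the 'Blacklistable Files' section.
    """
    hits = set()
    for e in events:
        if e.image == "regsvr32.exe":
            dll = dll_from_cmdline(e.cmdline)
            if dll and dll in written:
                hits.add(dll)
    return hits


# Constructed sample trace: PIDs and paths are invented for this example.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1200, 400, "winword.exe", r'"WINWORD.EXE" /n C:\Users\hr\Downloads\ResumeGabriellaGrey.doc'),
    ProcEvent(1300, 1200, "splwow64.exe", "splwow64.exe 8192"),
    ProcEvent(1350, 1200, "wpvnetwks.exe", r"C:\Users\hr\AppData\Roaming\wpvnetwks.exe"),
    ProcEvent(1400, 1200, "regsvr32.exe", r"regsvr32.exe /s C:\Users\hr\AppData\Local\Temp\KBuGDorsqg.dll"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] {' -> '.join(f.chain)}: {f.reason}")
    print("regsvr32 DLLs also written during trace:",
          regsvr32_dlls_written_in_trace(SAMPLE_EVENTS, WRITTEN_FILES))
```

Run against the constructed trace, the rule reports two findings under winword.exe (wpvnetwks.exe as an out-of-baseline child, regsvr32.exe as a DLL loader) and confirms that the DLL named on the regsvr32 command line is one of the files written during the trace, while the printing helper splwow64.exe is left alone. In production the same logic would be fed from EDR or micro-VM trace events rather than a hard-coded list.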

Threat View – Graph Tab

The Graph tab displays a timeline view of the events that occurred in the micro-VM, which enables investigators to trace through activity event by event to understand it in more detail. Clicking on an event in the left-hand column highlights it on the timeline. High severity events are indicated by their pink-coloured background. The Graph view is often useful to understand the context of events