{"id":16925,"date":"2023-06-03T11:37:23","date_gmt":"2023-06-03T09:37:23","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=16925"},"modified":"2024-04-12T16:33:25","modified_gmt":"2024-04-12T14:33:25","slug":"scanning-for-indications-of-moveit-transfer-exploitation-with-thor-lite","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2023\/06\/03\/scanning-for-indications-of-moveit-transfer-exploitation-with-thor-lite\/","title":{"rendered":"Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.19.4″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” theme_builder_area=”post_content” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

<\/blockquote>\n

On June 1st, the vendor of MOVEit Transfer, previously known as Ipswitch but now called Progress, announced the discovery of a critical security vulnerability that has been exploited. MOVEit is an enterprise software utilized by numerous organizations globally for secure managed file transfer. According to Shodan, an internet search engine, there are currently over 2,500 servers publicly accessible on the open Internet running MOVEit.<\/span>
<\/span><\/p>\n

You can find more information on the threat in the vendor’s advisory and the following articles by TrustedSec, Huntress Labs and Mandiant:<\/span><\/p>\n

<\/blockquote>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_blurb title=”Vendor Advisory” url=”https:\/\/community.progress.com\/s\/article\/MOVEit-Transfer-Critical-Vulnerability-31May2023″ image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-10.07.18.png” _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

The advisory by the vendor Progress was published on 01.06. and gets constantly updated<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_blurb title=”TrustedSec Article” url=”https:\/\/www.trustedsec.com\/blog\/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations\/” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-10.04.50.png” _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

This article by TrustedSec lists a lot of indicators and contains information on the dropped web shell<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_blurb title=”Huntress Labs Article” url=”https:\/\/www.huntress.com\/blog\/moveit-transfer-critical-vulnerability-rapid-response” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-09.59.14.png” _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Huntress Labs reports on the activity including log file entries, IOCs and a YARA rule<\/p>\n

[\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_3″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_blurb title=”Mandiant Report” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-10.44.35.png” _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Mandiant’s report attributes the activity to UNC4857<\/span><\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Upon initial awareness of the compromise, we initiated our own investigation and promptly released a series of detection rules to our public repositories. These Indicators of Compromise (IOCs) and YARA rules were immediately accessible to users of THOR Lite.<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_2″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-10.12.50.png” title_text=”Screenshot 2023-06-03 at 10.12.50″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-03-at-10.12.59.png” title_text=”Screenshot 2023-06-03 at 10.12.59″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

While having detection mechanisms in place is a positive step, assessing the situation and ensuring that no system in the network has been impacted by the threat is often a challenging task.<\/p>\n

To facilitate this process and perform a rapid scan of your own environment at no cost, one option is to utilize the THOR Lite scanner. By employing this tool, you can leverage the rules mentioned earlier and swiftly evaluate your network for potential threats.<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Enter THOR Lite<\/span><\/h1>\n

THOR Lite is the streamlined version of our compromise assessment scanner, THOR. It utilizes YARA rules and Indicators of Compromise (IOCs), such as hash values and file names, to effectively identify malicious activity.<\/p>\n

In this technical blog article, we will delve into the utilization of THOR Lite for scanning end systems to detect any signs of malicious activity associated with the MOVEit exploitation.<\/p>\n

Furthermore, we will explore the diverse range of indicators that THOR Lite can detect, guide you through the process of tool setup and configuration, and offer tips for comprehending the scan results.<\/p>\n

By the end of this article, you will have a comprehensive understanding of how to utilize THOR Lite to conduct compromise assessments within your network.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-14.51.18.png” title_text=”Screenshot 2023-03-31 at 14.51.18″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Download THOR Lite<\/h1>\n

Visit the product page,<\/a> subscribe to the newsletter to get the program package and a license file.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-15.15.03.png” title_text=”Screenshot 2023-03-31 at 15.15.03″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Email content:<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-15.18.55.png” title_text=”Screenshot 2023-03-31 at 15.18.55″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Getting Started<\/h1>\n

Once you have downloaded the program package in the form of a ZIP archive, extract its contents and locate the license file (.lic). Move the license file to the program folder.<\/p>\n

To initiate the program, simply double-click on the “thor64-lite.exe” file without any additional flags. Alternatively, you can open a Windows command line with administrator privileges and navigate to the directory where you extracted the program package.<\/p>\n

Upon running the program, a scan window will appear, automatically closing upon completion of the scan. Typically, scans require approximately 1-4 hours to complete, although there are techniques to expedite the scanning process.<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-16.17.04.png” title_text=”Screenshot 2023-03-31 at 16.17.04″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-16.21.11.png” title_text=”Screenshot 2023-03-31 at 16.21.11″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Flags to Consider<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

--nosoft --nolowprio<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
If you are scanning virtual machines or systems that experience constant high load from other processes, it can be beneficial to utilize the “–nosoft” and “–nolowprio” flags. These flags allow THOR to run with the same process priority as any regular process, helping to ensure that the scan operates smoothly alongside other ongoing processes.<\/span><\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
--lookback 150 --global-lookback<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
If you are interested in scanning recently created files and log entries, these flags direct THOR to exclusively scan elements that have been created or modified within the past 150 days. Any file or event log entry older than that timeframe will be ignored, resulting in a significantly smaller set of elements being scanned.<\/span><\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”3_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
--cpulimit 30<\/pre>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
To minimize the impact on end users working on a system during the scanning process, you have the option to reduce the CPU usage of the scanner to, for example, 30%. By doing so, you can prevent them from noticing the scan by decreasing the overall system load and fan noise.<\/span><\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” min_height=”222.2px” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Recommended CommandLine Flags for this Use Case<\/h1>\n
If a regular scan takes an excessive amount of time, we recommend utilizing the following command line flags to expedite the scan process by limiting it to the changes that have occurred within the last 150 days:<\/p>\n
thor64-lite.exe --nolowprio --lookback 150 --global-lookback<\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
To minimize CPU usage and make it as inconspicuous as possible for end users working on the scanned systems, employ the following command:<\/span><\/p>\n
thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35<\/pre>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Update the Signatures<\/h1>\n
To ensure that THOR always operates with the latest set of signatures related to the MOVEit exploitation, we are continuously working on enhancing and updating them. To incorporate the newest signatures, utilize the following command:<\/p>\n
thor-lite-util.exe upgrade<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
Interpreting the Scan Results<\/h1>\n
During the scan you’ll see several messages in green and blue colours. Warning and alert messages use a yellow or red color. But don’t worry when you notice a message of that color. Remember that THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst. Not everything shown as a “warning” message has to be a real threat.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” custom_padding=”0px|||||” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
After the scan finishes, users can find an HTML report in the program folder that lists all findings.\u00a0<\/p>\n
[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-31-at-17.27.02.png” title_text=”Screenshot 2023-03-31 at 17.27.02″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
We recommend searching the HTML report for the “MOVEit” keyword and only review matches with the specific IOCs and YARA rules related to this activity.<\/p>\n
[\/et_pb_text][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n
THOR Lite is able to detect various forensic artefacts:<\/p>\n