FortiSandbox Alert Details
Alert ID: FORTI-OBFUSCATION-1001-7842
Alert Time: 2024-03-01 09:30:15 EST
Severity: HIGH (88/100)
Source: Fortinet FortiSandbox
Rule: “XOR-Encrypted Data in Network Traffic”
MITRE ATT&CK: T1001.002 – Data Obfuscation: Steganography
Alert Details:
File Analysis Report:
File Name: invoice_7842.pdf.exe (submitted from email quarantine)
File Size: 1.8 MB
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Source: Email attachment to finance@company.com
Submission Time: 09:15 EST
Sandbox Behavior Analysis:
File executed in sandbox environment
Established network connection to 185.143.221[.]89:443
Traffic analysis revealed XOR-encrypted data stream
Network Traffic Analysis:
Raw Traffic:
47 6f 74 20 61 20 63 6f 66 66 65 65 20 66 72 6f 6d 20 74 68 65 20 73 74 6f 72 65 2e
XOR Key: 0x42 (detected)
Decrypted Data:
GET /beacon HTTP/1.1
Host: 185.143.221[.]89
User-Agent: Mozilla/5.0
Cookie: session=7a8b9c0d1e2f3a4b
Additional Findings:
File also contained steganographic image (PNG) with hidden payload
Payload extracted from image: Cobalt Strike beacon
XOR used to obfuscate C2 traffic
Detection Logic:
XOR encryption detected in network traffic (unusual)
Steganography in image file (hidden data)
Multiple obfuscation layers
Pattern matches advanced malware
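The detection logic above (single-byte XOR hiding an HTTP beacon) can be reproduced offline. The following is an added example, not FortiSandbox code or the rule's actual implementation: it brute-forces all 256 single-byte keys against a captured stream and flags the one that reveals HTTP known-plaintext. The sample stream is constructed by XORing the decrypted request shown above with the reported key 0x42; it is not the raw hex dump listed in the alert.

```python
"""Single-byte XOR detection for a captured C2 byte stream (constructed example)."""
from typing import Optional, Tuple

# Known-plaintext fragments an HTTP beacon almost always contains.
HTTP_CRIBS = (b"GET ", b"POST ", b"HTTP/1.", b"Host: ", b"User-Agent: ")

# Constructed sample: the "Decrypted Data" request from the alert.
PLAINTEXT = (
    b"GET /beacon HTTP/1.1\r\n"
    b"Host: 185.143.221.89\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: session=7a8b9c0d1e2f3a4b\r\n\r\n"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


# What the wire would carry after the malware applies key 0x42 (constructed).
SAMPLE_STREAM = xor_bytes(PLAINTEXT, 0x42)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data) if data else 0.0


def find_xor_key(stream: bytes) -> Optional[Tuple[int, bytes]]:
    """Try every non-zero single-byte key; return (key, plaintext) for the
    first candidate containing an HTTP crib and mostly printable text.
    Key 0x00 is skipped on purpose: unobfuscated HTTP is not this finding."""
    for key in range(1, 256):
        candidate = xor_bytes(stream, key)
        if any(crib in candidate for crib in HTTP_CRIBS) and printable_ratio(candidate) > 0.95:
            return key, candidate
    return None


def is_xor_obfuscated_http(stream: bytes) -> bool:
    """Detection predicate: alert only when a non-zero key reveals HTTP."""
    return find_xor_key(stream) is not None


if __name__ == "__main__":
    hit = find_xor_key(SAMPLE_STREAM)
    if hit:
        key, text = hit
        print(f"XOR key 0x{key:02x} recovered; decoded request:\n{text.decode()}")
```

Multi-byte or rolling keys defeat this single-byte scan, so in production the crib check is a cheap first pass alongside entropy and beacon-interval analytics.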
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify FortiSandbox analysis | FortiSandbox Console | Confirmed XOR obfuscation and steganography |
| 2. Email Investigation | Find source email | Proofpoint, Exchange | Email to finance@company.com from spoofed vendor |
| 3. Quarantine Email | Block and remove email | Proofpoint | Email quarantined from all mailboxes |
| 4. User Check | Verify if user executed file | CrowdStrike | User did not open attachment (alert before execution) |
| 5. IOC Distribution | Block URLs and IPs | Palo Alto, Cisco Umbrella | C2 IP and domain added to blocklists |
| 6. Threat Hunting | Check for similar files | FortiSandbox, Splunk | No other occurrences found |
Jira Incident Report
Ticket: SOC-2024-151
Summary: T1001 – XOR-Obfuscated C2 Traffic with Steganography
Status: RESOLVED
Resolution: MALICIOUS – Blocked Before Execution
Priority: P2 – MEDIUM
Labels: T1001, data-obfuscation, xor, steganography, fortisandbox, phishing
Components: Email-Security, Malware-Analysis
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Fortinet FortiSandbox.
Alert: “XOR-Encrypted Data in Network Traffic”.
File: invoice_7842.pdf.exe (email attachment).
Target: Finance Department.
Time: 2024-03-01 09:30 EST.
Technique: MITRE ATT&CK T1001.002 – Data Obfuscation: Steganography.
2. Technical Analysis:
Attack Chain:
09:10 – Email sent from “vendor@payment-update[.]net”
09:11 – Email delivered to finance@company.com
09:12 – FortiSandbox analyzes attachment (inline)
09:15 – Analysis begins
09:20 – XOR obfuscation detected
09:25 – Steganography identified
09:30 – Alert triggers
09:31 – Email quarantined
Obfuscation Techniques:
Layer 1: File masquerades as PDF (double extension)
Layer 2: Embedded image with steganography
Layer 3: XOR encryption (key 0x42) of C2 traffic
Layer 4: Base64 encoding within image metadata
Steganography Details:
Image: innocent-looking PNG of coffee cup
Hidden Data: Cobalt Strike beacon in image pixels
Extraction Method: LSB (Least Significant Bit) encoding
Payload Size: 256 KB hidden in image
C2 Communication:
Server: 185.143.221[.]89:443
Protocol: HTTPS with XOR-encrypted content
Beacon Interval: 60 seconds
3. Investigation Findings:
Timeline:
09:10 – Email sent
09:11 – Email delivered
09:12-09:30 – FortiSandbox analysis
09:30 – Alert triggers
09:31 – Email quarantined
09:32 – SOC investigates
09:35 – User confirmed (no execution)
Indicators of Compromise (IoCs):
File:
– invoice_7842.pdf.exe (SHA256: a1b2c3d4…)
Network:
– C2: 185.143.221[.]89:443
– XOR key: 0x42
Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842 – Overdue Payment”
4. Containment Actions:
Immediate Actions:
Quarantined email from all mailboxes.
Blocked C2 IP at firewall and proxy.
Added file hash to blocklists.
User Notification:
Finance team alerted to campaign.
No user action needed (email not opened).
Email Rule Update:
Created Proofpoint rule to block .exe attachments.
Enhanced filtering for invoice-themed emails.
5. Root Cause Analysis:
Primary Cause: External attacker sending sophisticated malware via email.
Contributing Factors:
.exe attachments allowed (now blocked).
No user execution (prevented by sandbox).
6. Business Impact:
Operational Impact: None.
Data Exposure: None (email not opened).
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
Email quarantined.
IOCs blocked.
Users notified.
Technical Controls Enhanced:
Blocked all .exe attachments via email gateway.
Enabled FortiSandbox inline analysis for all emails.
Created alert for XOR-encrypted traffic.
Enhanced steganography detection.
8. Conclusion:
A sophisticated malware sample used multiple obfuscation techniques, including XOR encryption and steganography, to hide its C2 traffic and payload. FortiSandbox detected the obfuscation and enabled blocking before any user could open the email.
Closure Rationale: Malware blocked; IOCs added; email policy updated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 10:30 EST