2025 Cyber Apocalypse: Stealth Invasion

Challenge Information

Attribute   Details
Event       2025 Cyber Apocalypse
Category    Forensics
Challenge   Stealth Invasion

Summary

Stealth Invasion presents a memory forensics challenge where a user’s Linux system has been compromised with a stealthy malicious Chrome extension. The extension masquerades as a productivity tool while secretly exfiltrating credentials. Investigators must analyze a memory dump to identify the malicious extension, extract its code, locate stored credentials, and answer six critical questions about the compromise.


Analysis

Challenge Questions

  1. What is the PID of the Original (First) Google Chrome process?
  2. What is the only Folder on the Desktop?
  3. What is the Extension’s ID (32-character string)?
  4. What is the log filename where the malicious extension stores data?
  5. What is the URL the user navigated to?
  6. What is the password of selene@rangers.eldoria.com?

Artifact: memdump.elf

A Linux memory dump in ELF format containing:

  • Running process information
  • Chrome process memory and data structures
  • Extension-related data
  • Browser history and credentials
  • File system metadata

Solution

Step 1: Setup Volatility Framework

Configure Volatility 3 for Linux analysis:

Terminal window
# Clone Volatility 3 and install its Python dependencies
git clone https://github.com/volatilityfoundation/volatility3.git
pip install -r volatility3/requirements.txt
sudo ln -s "$(pwd)/volatility3/vol.py" /usr/local/bin/vol3
# Check which layers Volatility resolves for the dump
vol3 -f memdump.elf configwriter.ConfigWriter
# Output shows:
# primary.class: volatility3.framework.layers.intel.WindowsIntel32e
# primary.memory_layer.class: volatility3.framework.layers.elf.Elf64Layer

Step 2: Extract Framework Information

Gather kernel details. The Linux plugins only work once Volatility has an ISF symbol table (JSON) that matches the dumped kernel: identify the kernel build with the banners.Banners plugin, obtain or generate (dwarf2json) the matching symbols, and place them under volatility3/symbols/linux/. A Windows layer class reported for a Linux image, as in the ConfigWriter output above, usually means the Linux symbol table has not been matched yet. With symbols in place, vmcoreinfo reads the kernel's VMCOREINFO note and confirms the version and memory layout:

Terminal window
vol3 -f memdump.elf linux.vmcoreinfo.VMCoreInfo

Step 3: Find Chrome Process PID

List all processes and identify the original Chrome instance:

Terminal window
vol3 -f memdump.elf linux.pslist | grep chrome

Look for:

  • Chrome is multi-process: the browser process forks a zygote, GPU, utility and renderer processes, and every one of them shows COMM chrome
  • The original (first) instance is the chrome process whose PPID is not itself a chrome process, usually the desktop session; linux.pstree shows this directly, which matters because linux.pslist prints no start time, so the lowest PID is only a hint
  • That parent's PID is the answer

Answer: PID of original Chrome process (hypothetical: 1325)
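
The parent-child rule above, applied to linux.pslist output. This is an added example, not code from the writeup; the process table it parses is a constructed sample with invented PIDs and offsets (it reuses the writeup's hypothetical 1325 as the browser process), laid out like Volatility 3's tab-separated pslist columns OFFSET (V), PID, TID, PPID, COMM.

```python
"""Find the original Chrome process from `linux.pslist` output.

Added example (not the writeup's code).  SAMPLE_PSLIST is a constructed table
with invented PIDs/offsets in the tab-separated column layout Volatility 3
prints: OFFSET (V), PID, TID, PPID, COMM, File output.
"""

SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 2.7.0",
    "OFFSET (V)\tPID\tTID\tPPID\tCOMM\tFile output",
    "0x9a2e8c1e4000\t1\t1\t0\tsystemd\tDisabled",
    "0x9a2e8c1e6000\t1160\t1160\t1\tgnome-shell\tDisabled",
    "0x9a2e8c1f0000\t1325\t1325\t1160\tchrome\tDisabled",  # browser process
    "0x9a2e8c1f4000\t1330\t1330\t1325\tchrome\tDisabled",  # zygote
    "0x9a2e8c1f8000\t1351\t1351\t1330\tchrome\tDisabled",  # renderer, child of zygote
    "0x9a2e8c2a0000\t1402\t1402\t1325\tchrome\tDisabled",  # GPU/utility process
    "0x9a2e8c2b0000\t1410\t1410\t1402\tchrome\tDisabled",
])


def parse_pslist(text):
    """Return {pid: (ppid, comm)}; skips the banner, header and blank lines."""
    procs = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        procs[int(fields[1])] = (int(fields[3]), fields[4])
    return procs


def root_processes(procs, comm):
    """PIDs named `comm` whose parent is not also named `comm`.

    Every Chrome process (browser, zygote, GPU, renderers) reports COMM
    "chrome", so the browser process is the one whose parent is something
    else.  More than one root means Chrome was launched more than once; pslist
    carries no start time, so decide between them with pstree context.
    """
    roots = []
    for pid, (ppid, name) in procs.items():
        if name != comm:
            continue
        parent = procs.get(ppid)
        if parent is None or parent[1] != comm:
            roots.append(pid)
    return sorted(roots)


def descendants(procs, pid):
    """All PIDs below `pid` in the tree, to confirm the root owns the rest."""
    found, stack = set(), [pid]
    while stack:
        cur = stack.pop()
        for child, (ppid, _) in procs.items():
            if ppid == cur and child not in found:
                found.add(child)
                stack.append(child)
    return found


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for root in root_processes(procs, "chrome"):
        print(f"original chrome PID {root}, {len(descendants(procs, root))} descendants")
```

Feed it the real output with `vol3 -f memdump.elf linux.pslist > pslist.txt` and `parse_pslist(open("pslist.txt").read())`; a single root with every other chrome PID among its descendants is the answer to question 1.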

Step 4: Examine Desktop Directory

Use filesystem analysis to find folders. The linux.ls invocation below is not a plugin shipped with stock Volatility 3; the stock routes to the same information are the page-cache listing linux.pagecache.Files (directory entries the kernel still has cached) or a string search for the path prefix /home/selene/Desktop/ over the dump:

Terminal window
vol3 -f memdump.elf linux.ls --path "/home/selene/Desktop"

Answer: Folder name on Desktop (hypothetical: “WorkFiles”)

Step 5: Extract Extension ID

Search memory for Chrome extension patterns. Volatility 3 ships windows.strings but no linux.strings plugin, so run plain strings over the raw image. Extension IDs are not hexadecimal: they are 32 lowercase letters from a to p (the first 128 bits of the SHA-256 of the extension's public key, each hex digit mapped to a letter), so [a-z0-9]{32} also matches every 32-character hash prefix in memory while [a-p]{32} does not. The ID also appears as a directory name under the profile's Extensions directory (~/.config/google-chrome/Default/Extensions/<id>/), which is the quickest confirmation:

Terminal window
# Candidate IDs, most frequent first
strings -a memdump.elf | grep -Eo '\b[a-p]{32}\b' | sort | uniq -c | sort -rn | head
# Tie each candidate to an installed extension directory
strings -a memdump.elf | grep -Eo '/Extensions/[a-p]{32}' | sort | uniq -c

Answer: 32-character extension ID (hypothetical: hlkenndednhfkekhgcdicdfddnkalmdm)
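
The ID rules above in code: a validator and scanner for strings output, plus the derivation of an ID from a manifest's base64 "key" field. This is an added example, not the writeup's code; the strings sample and the demo key are constructed (the key is a placeholder, not a real public key, so the ID it yields is meaningless except as a demonstration of the mapping).

```python
"""Extension-ID helpers: validate candidates and derive an ID from a key.

Added example (not the writeup's code).  A Chrome extension ID is the first
128 bits of SHA-256 over the extension's DER-encoded public key, written with
the hex digits 0-f mapped to the letters a-p, so the ID alphabet is a..p only.
The key and the strings-output sample below are constructed.
"""
import base64
import hashlib
import re

# 32 letters a..p not glued to other alphanumerics (path separators are fine).
EXT_ID_RE = re.compile(r"(?<![a-z0-9])[a-p]{32}(?![a-z0-9])")


def hex_to_extension_id(hexdigest):
    """Map the first 32 hex digits to a..p ('0' -> 'a', ..., 'f' -> 'p')."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hexdigest[:32].lower())


def extension_id_from_key(key_b64):
    """ID for the base64 "key" value of a manifest.json (DER SubjectPublicKeyInfo)."""
    return hex_to_extension_id(hashlib.sha256(base64.b64decode(key_b64)).hexdigest())


def is_extension_id(s):
    return len(s) == 32 and all("a" <= c <= "p" for c in s)


def find_extension_ids(text):
    """Candidates in strings output.  A 32-character hex hash cannot match,
    because the digits 0-9 fall outside a..p."""
    return sorted(set(EXT_ID_RE.findall(text)))


# Constructed strings-output sample: one plausible ID and one hex distractor.
SAMPLE_STRINGS = "\n".join([
    "/home/selene/.config/google-chrome/Default/Extensions/hlkenndednhfkekhgcdicdfddnkalmdm/1.0_0/manifest.json",
    "chrome-extension://hlkenndednhfkekhgcdicdfddnkalmdm/background.js",
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5-length hex, not an extension ID
])

# Constructed placeholder, not a real key; substitute the manifest's "key" value.
DEMO_KEY_B64 = base64.b64encode(b"constructed demo key, not a real SPKI").decode()

if __name__ == "__main__":
    print(find_extension_ids(SAMPLE_STRINGS))
    print(extension_id_from_key(DEMO_KEY_B64))
```

When the recovered manifest.json carries a "key" field, `extension_id_from_key` must reproduce the ID seen in the Extensions path, which ties the dumped code to the directory beyond doubt; an unpacked extension without a key gets its ID from a hash of its absolute directory path instead, so the check does not apply there.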

Step 6: Dump and Analyze Extension Code

Extract the malicious extension. Volatility 3 has windows.dumpfiles but no Linux dumpfiles plugin, so dump the memory of the Chrome processes instead: the renderer hosting the extension holds its JavaScript and manifest, and the browser process holds the extension registry. linux.proc.Maps with --dump writes every mapped region to the output directory given with -o (repeat the --pid argument for each chrome process found in Step 3):

Terminal window
vol3 -o ext_dump -f memdump.elf linux.proc.Maps --pid <chrome_pid> --dump

Search the dumped regions for log filenames; they are binary, so grep needs -a:

Terminal window
grep -Rao -E '[A-Za-z0-9_.-]+\.log\b' ext_dump/ | sort | uniq -c | sort -rn

Answer: Log filename (hypothetical: activity.log)

Step 7: Extract Browser History

Find URLs accessed by the user. Match both http and https, and count occurrences so the noise (CDNs, Google telemetry, ad and tracking domains) separates from the handful of pages that were actually navigated:

Terminal window
strings -a memdump.elf | grep -Eo 'https?://[^[:space:]"<>]+' | sort | uniq -c | sort -rn | less

Look for a URL that appears to be intentionally visited rather than loaded as a page resource (not ads or tracking). Chrome's History database (an SQLite file in the profile) records visited URLs with their page titles, and fragments of it are often still resident in memory; a candidate that also appears there is a strong match.

Answer: Suspicious URL accessed by user

Step 8: Recover Credentials

Search for the email address and the password captured alongside it. Chrome holds many strings as UTF-16LE, which a default strings run skips, so scan both encodings and print the file offset (-t x) so a hit can be re-examined in a hex viewer:

Terminal window
# ASCII strings, with context on either side of each hit
strings -a -t x memdump.elf | grep -i -B 5 -A 10 "selene@rangers.eldoria.com"
# UTF-16LE strings (Chrome's internal string type)
strings -a -t x -e l memdump.elf | grep -i -B 5 -A 10 "selene@rangers.eldoria.com"

The extension likely captured the credentials from:

  • Browser login forms (a content script reading the password field, or the submitted form body: username=...&password=...)
  • The saved passwords database (Chrome's Login Data SQLite file, encrypted on disk but decrypted in memory when used)
  • Form autofill data

The password is the value paired with the email in that surrounding context, typically in the extension's log buffer or the intercepted form submission.

Answer: Password for selene@rangers.eldoria.com
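
A carving pass over a raw image that does what the two strings commands above do together: it finds the e-mail in both ASCII and UTF-16LE, keeps a window of bytes around each hit, and pulls password-like fields out of that context. This is an added example, not the writeup's code; the "dump" it scans is a constructed byte buffer, and the password in it is a placeholder, not the challenge answer.

```python
"""Carve an e-mail address and nearby password fields from a raw memory image.

Added example (not the writeup's code).  Chrome stores many strings as UTF-16LE,
which `strings` skips unless run with `-e l`, so both encodings are searched.
SAMPLE_DUMP is a constructed byte buffer; "Example-Pass-123" is a placeholder.
"""
import re

# Matches password=VALUE, "password":"VALUE", password: VALUE, ...
PASSWORD_RE = re.compile(r'password["\']?\s*[:=]\s*["\']?([^"\'\s&,}]+)', re.IGNORECASE)

# Constructed sample: filler, an ASCII form submission, filler, a UTF-16LE JSON blob.
SAMPLE_DUMP = (
    b"\x00" * 37
    + b"POST /login HTTP/1.1\r\n\r\n"
    + b"username=selene@rangers.eldoria.com&password=Example-Pass-123&remember=1"
    + b"\x00\x11\x22" * 20
    + '{"user":"selene@rangers.eldoria.com","password":"Example-Pass-123"}'.encode("utf-16-le")
    + b"\xff" * 16
)


def _printable(text):
    return "".join(c if 32 <= ord(c) < 127 else "." for c in text)


def carve_context(buf, needle, window=64):
    """Every hit of `needle` (ASCII and UTF-16LE) with `window` bytes either side.

    Returns (offset, encoding, context) tuples sorted by offset.  The window is
    kept even and the start aligned to the hit so UTF-16 code units decode in
    step with the match.
    """
    window -= window % 2
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        off = buf.find(pat)
        while off != -1:
            lo = max(off - window, off % 2)
            hi = min(len(buf), off + len(pat) + window)
            ctx = buf[lo:hi].decode(enc, errors="replace")
            hits.append((off, enc, _printable(ctx)))
            off = buf.find(pat, off + 1)
    return sorted(hits)


def credential_candidates(buf, email, window=64):
    """Distinct password-like values found next to `email`, in either encoding."""
    found = set()
    for _, _, ctx in carve_context(buf, email, window):
        found.update(m.group(1) for m in PASSWORD_RE.finditer(ctx))
    return sorted(found)


if __name__ == "__main__":
    for off, enc, ctx in carve_context(SAMPLE_DUMP, "selene@rangers.eldoria.com"):
        print(f"0x{off:x} {enc:9s} {ctx}")
    print(credential_candidates(SAMPLE_DUMP, "selene@rangers.eldoria.com"))
```

Against the real artifact, read the file with `open("memdump.elf", "rb").read()` (or mmap it) and pass that in place of SAMPLE_DUMP; a value that turns up in both encodings, or next to the log filename from Step 6, is the one to submit. Widen `window` if the field sits further from the address than 64 bytes.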


Key Volatility Commands

Terminal window
# List all processes
vol3 -f memdump.elf linux.pslist
# Process tree view
vol3 -f memdump.elf linux.pstree
# List open files
vol3 -f memdump.elf linux.lsof
# Memory maps
vol3 -f memdump.elf linux.proc.Maps --pid <pid>
# Environment variables
vol3 -f memdump.elf linux.envars
# Network connections
vol3 -f memdump.elf linux.sockstat
# Extract strings from the raw image (Volatility 3 has no linux.strings plugin); -e l for UTF-16LE
strings -a memdump.elf
strings -a -e l memdump.elf

Attack Chain Analysis

Attack Timeline:

  1. User visits malicious website
  2. Malicious Chrome extension installed (disguised as productivity tool)
  3. Extension captures:
    • All typed passwords
    • Form submissions
    • Browser history
    • Clipboard data
  4. Extension stores data in log file
  5. Attacker exfiltrates credentials

Extension Characteristics:

  • Masquerades as productivity/utility tool
  • Uses content scripts to intercept form data
  • Stores sensitive data in predictable locations
  • May communicate with C2 server

Key Takeaways

  • Memory Forensics: Memory dumps preserve evidence of running processes and data
  • Chrome Extension Risks: Extensions granted broad permissions (all URLs, content scripts, storage) can read and modify every page the user visits, and can be weaponized
  • Credential Capture: Malware often targets credential storage and form data
  • Process Analysis: Parent-child relationships distinguish the original browser process from its zygote and renderer children
  • Timeline Reconstruction: File timestamps and process creation times establish attack sequence
  • String Searching: Raw strings in memory can reveal URLs, emails, and credentials
  • Volatility Framework: Essential tool for Linux memory analysis

Tools Used

  • Volatility 3: Linux memory forensics framework
  • grep/strings: Text searching in memory dumps
  • Linux utilities: Volatility plugins standing in for ps, ls and find on the live system
  • Python: Custom analysis scripts
