SANS

Subscribe to SANS hírcsatorna SANS
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Frissítve: 2 óra 21 másodperc
2 óra 55 perc

Decoding QR Codes with Python, (Sun, Mar 24th)

In diary entry "Sextortion Email Variant: With QR Code", I had to decode a QR code. I didn't mention it in my diary entry, but I used an online service to decode the QR Code (I didn't want to use my smartphone).

But what if you don't want to use any online service?

You can also use a Python module: python-qrtools. I installed it on Ubuntu 18 with the following command:

sudo apt-get install python-qrtools

And then I used a simple Python program like this one:

import sys
import qrtools

qr = qrtools.QR()
print(qr.decode(sys.argv[1]))
print(qr.data)

We received the sextortion email with QR code as a .msg file. These files can be analyzed with oledump.py:

Plugin plugin_msg can help with locating the streams that contain the attachments (images):

The beginning of the content of the attachment data streams indicates that these are .png files: \x89PNG.

Grepping for PNG reveals that stream 3, 11 and 19 contain the .png files:

Extracting the .png attachments to disk:

Decoding the QR code:

Images 1 and 2 don't contain a QR code (False), but image 3 does (True), and the Bitcoin address is displayed.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 23.

"VelvetSweatshop" Maldocs, (Sat, Mar 23rd)

Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".

There was a new wave of Excel maldocs encrypted with this password. MD5 3e55d5355bb56f5a5d91dd6961fa232a is one of them.

Looking a encrypted Office documents with oledump.py, you'll see the following streams:

If it's encrypted with a common password, you can use msoffcrypto-crack.py to recover the password:

And then you can save the decrypted Office document. Here I'm piping it again into oledump.py:

In a coming diary, I'll analyze the shellcode in this document.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 22.

Introduction to analysing Go binaries, (Fri, Mar 22nd)

Golang is gaining popularity by malware authors, and more golang based malware is being found in the wild. It is also one of my favourite programming languages, especially for all network related applications, for the reasons of:

  • the language syntax itself is simple, but you can do everything with it
  • binaries are being compiled statically, no need to install libraries
  • support for many operating systems and architectures
  • statically typed
  • goroutines (light weight threads)
  • channels (pipes using which goroutines communicate)

And my most important reason is that code I've created years ago, still compiles without the need to update or refactor the code to the newer compilers and language versions.  

Due the popularity of Golang by malware authors, we need more often to analyse these binaries and they are a bit different. Let me give you some primers.

Let's start first with a Hello World Golang application first, to give you an idea about the language and the structure.

package main

import "fmt"

func main() {
        fmt.Println("Hello World")
}

It starts with a package name, all files in the same folder will have the same package name. In this case main. Next we'll configure the imports, in this case the fmt library. Go is very struct and only allows imports that are being used. The main entry point is always called main. Now the code can be compiled for different architectures using the following command:

$ GOOS=linux GOARCH=amd64  go build -o hello ./hello.go 

 

Go compiled binaries are large, the Hello World example in this case is 1.9M. Now we know the basics, we can start analysing a real malware named sshd, which someone delivered kindly to our honeypots. Because of the large binaries, upx is being used often to suppress the file size. By default upx compress files can be decompressed using:

$ upx -d ./sshd 

 

When loading the binary into your favourite disassembler, you'll find many functions and strings. Most of those functions and strings are from default Go packages. If you have an address of a function start, the golang tool addr2line will come in handy. Addr2line uses the gopclntab section to retrieve data about the original function name, source file and locations. You'll probably encounter cases where the location of the source file contains the username in its path. 

$ echo "0x0062cd40" | go tool addr2line ./sshd
main.main
/root/go/src/sshcrack/sshcrack.go:184

 

There is also objdump which will output symbols and source locations together with assembly code if possible:

$ go tool objdump -s main ./vv 
...

  vv.go:321             0x6128e5                e8b6e9ffff              CALL main.post(SB)
  vv.go:321             0x6128ea                488b442418              MOVQ 0x18(SP), AX
  vv.go:321             0x6128ef                488b4c2420              MOVQ 0x20(SP), CX
  vv.go:322             0x6128f4                48890424                MOVQ AX, 0(SP)
  vv.go:322             0x6128f8                48894c2408              MOVQ CX, 0x8(SP)
  vv.go:322             0x6128fd                e86ee7ffff              CALL main.rsaDecrypt(SB)
  vv.go:322             0x612902                488b442410              MOVQ 0x10(SP), AX
  vv.go:322             0x612907                488b4c2418              MOVQ 0x18(SP), CX
  vv.go:323             0x61290c                48890424                MOVQ AX, 0(SP)
  vv.go:323             0x612910                48894c2408              MOVQ CX, 0x8(SP)
  vv.go:323             0x612915                e896feffff              CALL main.jsonload(SB)
  vv.go:323             0x61291a                488d742410              LEAQ 0x10(SP), SI
  vv.go:323             0x61291f                488d7c2440              LEAQ 0x40(SP), DI
...

 

Strings in the binary are not null terminated, but instead all concatenated to long strings. When strings are being referenced to, a following instruction will load the length. The instruction lea rax, ... loads the string reference, where the following instructions defines the length of the string to load, in this case 7 and makes it the string /bin/sh. In later Golang version this has been changed, as I believe, which I'll get back to in a later post.

 

Objects are being instantiated using runtime_newobject, taking a structure pointer as argument. The definition of the struct is being defined in the .typelink section of the binary. 

 

Version information in the binary can be found by searching for go1, which function runtime_schedinit references to. 

 

The call to sym.runtime.morestack_noctxt will resize the stack, as Go makes use of resizable stacks, then it will return to the start of the function, this pattern marks also the end and start of the function. 

 

This was just a quick overview of Golang binaries, more to follow. Please share your ideas, comments and/or insights, with me via social media, @remco_verhoef or email, remco.verhoef at dutchsec dot com. Have a great day!

Remco Verhoef (@remco_verhoef)
ISC Handler - Founder of DutchSec
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 21.

ISC Stormcast For Thursday, March 21st 2019 https://isc.sans.edu/podcastdetail.html?id=6422, (Thu, Mar 21st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 21.

New Wave of Extortion Emails: Central Intelligence Agency Case, (Thu, Mar 21st)

The extortion attempts haved moved to another step recently. After the “sextortion” emails that are propagating for a while, attackers started to flood people with a new type of fake emails and their imaginnation is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very strong offense punished by law. What if you received an email from a Central Intelligence Agency officer who reveals that you’re listed in an international investigation about a case of child pornography and that you’ll be arrested soon? Hopefully, the agent is a “nice guy” and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys?

Here is a copy of the received email:

From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn[.]ga> To: <redacted> Subject: Central Intelligence Agency Case 61587423 Case #61587423 Distribution and storage of pornographic electronic materials involving underage children. My name is Huey Ferguson and I am a technical collection officer working for Central Intelligence Agency. It has come to my attention that your personal details including your email address (<redacted>) are listed in case #61587423. The following details are listed in the document's attachment: - Your personal details, - Home address, - Work address, - List of relatives and their contact information. Case #61587423 is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries. The data which could be used to acquire your personal information: - Your ISP web browsing history, - DNS queries history and connection logs, - Deep web .onion browsing and/or connection sharing, - Online chat-room logs, - Social media activity log. The first arrests are scheduled for April 8, 2019. Why am I contacting you ? I read the documentation and I know you are a wealthy person who may be concerned about reputation. I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case. Here is my proposition. Transfer exactly $10,000 USD (ten thousand dollars - about 2.5 BTC) through Bitcoin network to this special bitcoin address: 3EcEvozxnYvDX9EX3QR4PEYpdKbUKphLpv You can transfer funds with online bitcoin exchanges such as Coinbase, Bitstamp or Coinmama. The deadline is March 27, 2019 (I need few days to access and edit the files). Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you. Please do not contact me. I will contact you and confirm only when I see the valid transfer. Regards, Huey Ferguson Technical Collection Officer Directorate of Science and Technology Central Intelligence Agency

The mail includes also several times the same logo in a very poor quality:

Note also that pedophilia is written as “paedophilia”[1] (which is an alternative spelling but not usual). The only relevant information found about Huey Ferguson is coming from ca.gov[2].

Here is a copy of the SMTP headers:

Return-Path: <hueyferguson@wysa.cia-us-govn.ga> X-Original-To: <redacted> Delivered-To: <redacted> Received: by <redacted> (Postfix, from userid 65534) id 1270B1A8008F; Mon, 18 Mar 2019 21:54:15 +0100 (CET) Received: from mx.wysa.cia-us-govn.ga (mx.wysa.cia-us-govn.ga [54.39.181.120]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by <redacted> (Postfix) with ESMTPS id 2AB631A80088 for <redacted>; Mon, 18 Mar 2019 21:54:14 +0100 (CET) Received: from [127.0.0.1] (mx.wysa.cia-us-govn.ga [127.0.0.1]) by mx.wysa.cia-us-govn.ga (Postfix) with ESMTP id 44NT1t4GJLz2nKD for <redacted>>; Mon, 18 Mar 2019 20:54:10 +0000 (UTC) Date: Mon, 18 Mar 2019 20:54:09 +0000 From: "Huey Ferguson" <hueyferguson@wysa.cia-us-govn.ga> To: <redacted> Subject: =?UTF-8?Q?Central=20Intelligence?==?UTF-8?Q?=20Agency=20-?= =?UTF-8?Q?=20Case=20#61587423?= List-Unsubscribe: <http://wysa.cia-us-govn.ga/unsubscribe/WFFUV2c0bUl2ZkV3TCt6aXdBQkY1cWNNZ3Y4Z0EzbytueUxWQ1hsY3M5ZjF3dktzdXRiRUpWZ2FMZ0xDMkphRUlQVzZkYjI2cVhVcHlrNHRRc2hxUDRwbEordHdtYnBOUGpvNVpRL0RNVkU9> Reply-To: <hueyferguson@wysa.cia-us-govn.ga> User-Agent: Postfix 3.3.11 X-Sender: hueyferguson@wysa.cia-us-govn.ga X-Mailer: Postfix 3.3.11 X-Priority: 3 (Normal) Message-ID: <5c900571eee4c@wysa.cia-us-govn.ga>

The email address uses a domain name with the .ga TLD (Gabon, Africa) but does not exist. The SMTP server is located at OVH, Canada (%%ip:54.39.181.120%%). 

As usual with this kind of emails, same conclusion: just delete them and do not pay! But feel free to report more Bitcoin addresses to us!

[1] https://www.urbandictionary.com/define.php?term=paedophilia
[2] https://appellatecases.courtinfo.ca.gov/search/case/dockets.cfm?dist=0&doc_id=2266518&doc_no=S251894&request_token=NiIwLSIkXkg%2FWyBVSCNdUEJIQDw0UDxTJiJOJzNSMCAgCg%3D%3D

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 20.

ISC Stormcast For Wednesday, March 20th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6420, (Wed, Mar 20th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 20.

Using AD to find hosts that aren't in AD - fun with the &#x5b;IPAddress&#x5d; construct&#x21;, (Wed, Mar 20th)

In many internal assessments or "recon mission" style engagements, you'll need to figure out what all the internal subnets are before you can start assessing that address space for issues, targets or whatever you are looking for in that project.  Or, as I had this week, the request was for enumeration of all the hosts that AREN'T in AD.

In many environments, the DHCP server is quick to find, and you can dump the scopes out Easy as Pi (or pie if you prefer) - we covered this a while back: https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/

But say the DHCP servers are dispersed throughout the environment, it's still pretty common to see DHCP servers in each remote location for instance.  Or if you have subnets that don't have a DHCP scope.  How can you enumerate those remote subnets?

Well, you could certainly hijack the routing protocol and dump the routing table, but that's often a tough thing to get permission for.  

How about from the individual host entries in AD?  The IP address is listed there, and in a lot of shops you can assume a /24 for all subnets.  Or if not, larger subnets will just show up as contiguous /24's in your list if you make that assumption.  How does this look like in Powershell?

Let's start by collecting all the IPv4 addresses in play.  This is a "quick and dirty" collection, and will only collect the "first" adapter if  you have any multi-homed windows windows hosts.  We'll start with our old pal "get-ADComputer"

$addrs = get-adcomputer -filter * -property IPV4Address

Now, there are a ton of ways to get the /24's from this list, but since I'm lazy I'll use the "[IPAddress]" construct in PowerShell.  Let's take one element in the list above, and cast it into the "IPv4Address" type, then look at what's there:

[IPAddress] $addrs[6].IPv4Address


Address            : 873890058
AddressFamily      : InterNetwork
ScopeId            :
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 10.129.22.52

Perfect, that "Address" member is a straight numeric representation of the IP, and we can do a binary mask of it with the "-band" operator:
 

[ipaddress] ((([Ipaddress] $pcs.ipv4address[6]).address -band ([Ipaddress] "255.255.255.0").address))


Address            : 1474826
AddressFamily      : InterNetwork
ScopeId            :
IsIPv6Multicast    : False
IsIPv6LinkLocal    : False
IsIPv6SiteLocal    : False
IsIPv6Teredo       : False
IsIPv4MappedToIPv6 : False
IPAddressToString  : 10.129.22.0

That final member, IPAddressToString is the final value we want top use going forward!  Let's add "/24" to that, and dump it to a file.  Cleaned up, with a bit of error checking, our final code looks like:

$pcs = get-adcomputer -filter * -property IPV4Address
$subnets = @()
foreach ($addr in $pcs.ipv4address) {
    if ($addr.length -ne 0) {          # because lots of $pcs will have a null address
        $sub = [ipaddress] ((([ipaddress] $addr).address -band ([Ipaddress] "255.255.255.0").address))
        $subnets += $sub.IPAddressToString + "/24"
        }
    }
$subnets | sort | get-unique > subnets.csv

But what if we wanted just the AD members?  That's easy:

$pcs.ipv4address | sort > AD-hosts.csv


Or just the IP Addresses that are *NOT* AD?  This one is particularly useful in finding things on the network that may have been "flying under the radar" - computers that don't belong to the company for instance, or gear that was purchased by other departments.  Or even gear that was purchased by IT, but never properly inventoried so is now "lost".  Or (perish the thought) malicious hosts!

$targetnets = $subnets | sort  | get-unique
$domainips = $pcs.ipv4address | sort | get-unique
$NonADIPs = @()

foreach ($t in $targetnets) {
    $netbits = $t.Substring(0,($t.length-4))
    for ($hostbits = 1; $hostbits -le 254; $hostbits++) {
        if ( -not $domainips.contains($netbits+$hostbits)) {
            $NonADIPs += ($netbits+$hostbits)
            }
        }
    }
$NonADIPs > non-adips.csv

Next step?  Now that we have these lists, take the file of choice and dump it into nmap.  For instance, using the "nonad-ips.csv" file will scan any hosts that are not AD members.
for a simple ping scan:

nmap --open -sn -iL non-adips.csv -oA non-adips.pingscan

or for a simple tcp port scan (note that this not a scan of all ports):

nmap --open -Pn -iL non-adips.out -oA non-adips.scanned

or, if you are looking for non-firewalled windows hosts that aren't AD members (this is one of the concerns that had me writing this in the first place)

nmap -p445,139 --open -Pn -iL nonadips.out -oA nofw-win-non-ad.scanned

Pretty this up as needed - maybe add "--top-ports n" for the top "n" ports, or "-p0-65535" for all ports, but the defaults give you decent coverage to "see what's out there" fairly quickly.  Or if you're looking for something more specific, maybe non-ad hosts with SMBv1 enabled, run

nmap -p445,139 --open -Pn -iL nonadips.out --script smb-protocols.nse -oA nofw-win-non-ad-smb1.out

Then filter the output for just the problem children with:

type smb1.out.nmap | grep "scan report\|SMBv1"

Of course, you can use the subnets file for a more complete scan (which will include AD members), or you could also use the ad-hosts file to scan only AD members for whatever today's target of interest might be.

Or if you (or your client) is in a hurry, use MASSCAN (don't forget to use that bandwidth limiter!!!).  Play with the rate value a bit so that you end up with decent scan results without saturating any WAN or VPN links.  

Using a faster scanner means that you can maybe also scan the complete tcp port range, depending on your time budget and requirements:

masscan -p0-65535 --rate=1000 -iL non-adips.out -oX scan.out.xml

Note that you can still use --top-ports in masscan, so if you only want to hit the top 1000 ports, use "--top-ports 1000" in your final command.  

Finally, no matter what scanner you use, if you have enough information and enough bandwidth you can usually run multiple scans at different rates, depending on the architecture of the network.

If you're digging a bit deeper, of course you can take those same lists and use them as input to Nessus, OpenVAS or any other tool that you have in your arsenal, or whatever tool, script or playbook you may need to write that day.

Note that in any consulting engagement, time matters!  While your scanner is running, you should be off doing other things, not drinking coffee waiting for that scan to finish.  If this is an internal penetration test, you should be off getting domain admin and will likely have obtained all of your engagement targets by the time the scan finishes.  If this is an assessment, the subnet list will be useful, but most likely your final report will be mostly done by the time the scan wraps up - - or 90%-ish done if you needed those scan results for something specific, or if the scans find something surprising.

Keep in mind that this method will only find subnets that AD knows about directly.  So if you've got subnets that are dedicated to non-AD members - things like IP Phones, scales, shipping printers, scanners and the like (stuff that we call "IoT" these days), those subnets are "ships in the night" to AD.  You might find them using DNS or DHCP recon ( https://isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995 ), or you may need to look at actual routing tables for that (stay tuned for that).

Back to the PowerShell bits, the final scripts above are the ones I've been using for a while, mostly because they took all of 20 minutes to bust out, and they work well and "fast enough" for me, so I never did optimize them further.  I'm sure that there's a one-liner here or there that you could use to make it more efficient - please, use our comment form if you've got some suggestions there!  Or if you've found something spectacular with a portscan that didn't show up in the get-adcomputer list (we all have I'm sure), we're all kinds of interested in that too!!

===============
Rob VandenBrink
Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 19.

ISC Stormcast For Wednesday, March 20th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6418, (Tue, Mar 19th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 18.

Wireshark 3.0.0 and Npcap: Some Remarks, (Mon, Mar 18th)

I received a couple of questions regarding Wireshark and Npcap.

First of all, it's not a requirement to install Npcap if you want to upgrade to Wireshark 3.

You can just deselect the toggle to install Npcap:

And then Wireshark 3 will use WinPcap (installed with prior versions of Wireshark).

If you go to Help / About Wireshark, you can see what capture library is currently used by Wireshark on Windows:

Actually, you don't even have to install a packet capture library on the Windows machine you install Wireshark on, as long as you don't have to capture packets with Wireshark on that machine.

WinPcap is no longer maintained, and that is reflected in the version that comes bundled with Wireshark 2:

It dates from 2013.

Johannes also remarked that the Npcap license allows free use of Npcap on up to 5 Windows machines. If you have more in your organisation, you need to obtain a commercial license:

The standard version is also limited to installation on five systems.

However, there is an exception for Wireshark (and Nmap)

Copies of Npcap do not count toward the five copy, five computer, or five user limitations imposed by this section if they are installed and used solely in conjunction with any of the following software:

o The Nmap Security Scanner, as distributed from https://nmap.org

o The Wireshark network protocol analyzer, as distributed from https://www.wireshark.org/

If you install Wireshark with Npcap, and you use Npcap exclusively with Wireshark and/or Nmap, then the standard license still applies even with more than 5 machines.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 18.

ISC Stormcast For Monday, March 18th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6416, (Mon, Mar 18th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 17.

ISC Stormcast For Sunday, March 17th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6414, (Sun, Mar 17th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 17.

Video: Maldoc Analysis: Excel 4.0 Macro, (Sun, Mar 17th)

In this video, I provide more context to diary entry "Maldoc: Excel 4.0 Macros" by showing how to distinguish VBA and Excel 4.0 macros.

Then I proceed with the analysis of the Excel 4.0 macro sample.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 16.

Maldoc: Excel 4.0 Macros, (Sat, Mar 16th)

I've received several samples of malicious spreadsheets with Excel 4.0 macros over the last weeks, like this one: 7df15be35bd8fd1a98adc24e6be7bfcd.

Excel 4.0 macros predate VBA. When you take a look with oledump.py, you will notice that these spreadsheets do not contain streams with VBA code:

To check if a spreadsheet contains Excel 4.0 macros, you can use plugin plugin_biff with option -x (xlm, e.g. Excel 4.0 macros):

When a spreadsheet contains Excel 4.0 macros, you will get output like in the screenshot above:

  • There's a hidden Excel 4.0 macro sheet
  • There's a cell with label Auto_Open to achieve automatic execution upon opening of the spreadsheet (and clicking away the warnings)
  • There's a formula with a call to the EXEC function
  • In this sample the command executed by the EXEC function is concatenated from string fragments: msiexec is started to download and execute a msi file

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 15.

Binary Analysis with Jupyter and Radare2, (Fri, Mar 15th)

Jupyter has become very popular within the data science community, as it is an easy way of working interactively with Python, R and other languages. Within Jupyter you'll create a notebook, which contains (live) code, visualisations and markdown. It is being used for data processing, numerical simulations, modelling, data visualisation, machine-learning and let's reverse engineering to this. 

If you combine Radare2 together with Jupyter, you'll have an interactive way of working with your binaries. You'll be able to execute individual steps, change them and re-execute, helping you with your analyses flow. What I really like about working with radare2 from within a notebook, is that all steps are being documented, registered and could be changed and re-run easily. Combining Radare2 possibilities with all that come with Jupyter is powerful beyond imagination. 

There's a docker image that can be used, surprisingly nl5887/radare2-notebook which contains jupyter-notebook with radare2 build on top. Cutter, the gui frontend of radare2 has also Jupyter support built-in, which can be used also.

To start the image run the following, which wil start jupyter while exposing ports 8888 (jupyter) and 6006 (tensorboard).

docker run -p 8888:8888 -p 6006:6006 -v $(pwd)/notebooks/:/home/jovyan/ nl5887/radare2-notebook

The output will show the url that needs to be used to connect to the notebook. This url contains a token that is being used to authenticate to Jupyter. 

Let's start with a simple notebook, that will extract (potentially) interesting IOCs out of a linux malware binary. Notebooks consists of different cell types, which could be markdown or code. We'll use a Python kernel with Jupyter, though many other languages are supported. Every code block is created as a separate cell.

try: # if using jupyter within cutter, use the following. This will use the current active binary. import cutter # we'll assign cutter to variable r2 to be consistent with r2pipe r2 = cutter except ModuleNotFoundError as exc: # using r2pipe to open a binary import r2pipe r2 = r2pipe.open("/home/jovyan/radare2/malware/vv")

Now we've created a r2pipe session with binary, we'll start basic analyses. We can use Jupyter magic commands, like  %time to get information about timings etc.

%time r2.cmd('aaa')

The binary has been analysed, now we can output information about the binary.

print(r2.cmd('i'))

If you append the character to the command, radare2 will output as json. The code below will parse the json information, pretty print it and extract the arch out of the structure.

from pprint import pprint r = json.loads(r2.cmd('ij')) pprint(r) print(r.get('bin').get('arch'))

This is all we need to know to build a simple IOC extractor, this cell will walk through all found string references and check it against some matchers. If it identifies ip addresses, urls, ansi output or email addresses, they'll be outputted. 

import r2pipe import json import struct import re import base64 from pprint import pprint, pformat IP_MATCHER = re.compile("(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:[:]\d+)?)") URL_MATCHER = re.compile('(?:(?:https?|ftp|file)://|www\.|ftp\.)[-A-Z0-9+&@#/%=~_|$?!:,.]*[A-Z0-9+&@#/%=~_|$]', re.IGNORECASE) EMAIL_MATCHER = re.compile('([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4})', re.IGNORECASE) def regex_matcher(matcher): return lambda st: matcher.findall(st) def contains_matcher(s): return lambda st: [st] if s in st else [] matchers = [regex_matcher(IP_MATCHER), regex_matcher(URL_MATCHER), regex_matcher(EMAIL_MATCHER), contains_matcher('\\e['), contains_matcher('HTTP')] def print_s(s, r): print('0x{:08x} 0x{:08x} {:10} {:4} {:10} {}'.format(s.get('paddr'), s.get('vaddr'), s.get('type'), s.get('length'), s.get('section'), r)) strings = json.loads(r2.cmd('izj')) for s in strings: try: st = base64.b64decode(s.get('string')).decode(s.get('type')) for matcher in matchers: matches = matcher(st) for match in matches: print_s (s, match) except ValueError as e: # print(e) continue except LookupError as e: # print(e) continue

Giving this output:

0x0010c3be 0x0050c3be ascii 15 .rodata \e[01;32mresumed 0x0010c3f0 0x0050c3f0 ascii 49 .rodata \e[01;33mpaused\e[0m, press \e[01;35mr\e[0m to resume 0x0010c4e0 0x0050c4e0 ascii 71 .rodata \e[1;32m * \e[0m\e[1;37mPOOL #%-7zu\e[0m\e[1;%dm%s\e[0m variant \e[1;37m%s\e[0m 0x0010c528 0x0050c528 ascii 60 .rodata \e[1;32m * \e[0m\e[1;37m%-13s\e[0m\e[1;36m%s/%s\e[0m\e[1;37m %s\e[0m 0x0010c568 0x0050c568 ascii 41 .rodata \e[1;32m * \e[0m\e[1;37m%-13slibuv/%s %s\e[0m 0x0010f8b0 0x0050f8b0 ascii 5 .rodata \e[0m\n 0x0010f8b6 0x0050f8b6 ascii 7 .rodata \e[0;31m 0x0010f8be 0x0050f8be ascii 7 .rodata \e[0;33m 0x0010f8c6 0x0050f8c6 ascii 7 .rodata \e[1;37m 0x0010f8ce 0x0050f8ce ascii 5 .rodata \e[90m 0x0011031d 0x0051031d ascii 7 .rodata \e[1;30m 0x00110388 0x00510388 ascii 61 .rodata \e[1;37muse pool \e[0m\e[1;36m%s:%d \e[0m\e[1;32m%s\e[0m \e[1;30m%s 0x001103c8 0x005103c8 ascii 81 .rodata \e[01;31mrejected\e[0m (%ld/%ld) diff \e[01;37m%u\e[0m \e[31m"%s"\e[0m \e[01;30m(%lu ms) 0x00110450 0x00510450 ascii 67 .rodata \e[01;32maccepted\e[0m (%ld/%ld) diff \e[01;37m%u\e[0m \e[01;30m(%lu ms) 0x001104c0 0x005104c0 ascii 78 .rodata \e[1;35mnew job\e[0m from \e[1;37m%s:%d\e[0m diff \e[1;37m%d\e[0m algo \e[1;37m%s\e[0m 0x001106c4 0x005106c4 ascii 8 .rodata \e[1;31m- 0x001106cd 0x005106cd ascii 7 .rodata \e[1;31m 0x0011076e 0x0051076e ascii 15 .rodata \e[1;31mnone\e[0m 0x0011077e 0x0051077e ascii 16 .rodata \e[1;32mintel\e[0m 0x0011078f 0x0051078f ascii 16 .rodata \e[1;32mryzen\e[0m 0x001107a0 0x005107a0 ascii 93 .rodata \e[1;32m * \e[0m\e[1;37m%-13s\e[0m\e[1;36m%d\e[0m\e[1;37m, %s, av=%d, %sdonate=%d%%\e[0m\e[1;37m%s\e[0m 0x00110828 0x00510828 ascii 73 .rodata \e[1;32m * \e[0m\e[1;37m%-13s\e[0m\e[1;36m%d\e[0m\e[1;37m, %s, %sdonate=%d%%\e[0m 0x00110878 0x00510878 ascii 37 .rodata \e[1;32m * \e[0m\e[1;37m%-13sauto:%s\e[0m 0x001108a0 0x005108a0 ascii 32 .rodata \e[1;32m * \e[0m\e[1;37m%-13s%s\e[0m 0x001108c8 0x005108c8 ascii 49 .rodata \e[1;32m * \e[0m\e[1;37m%-13s%s (%d)\e[0m %sx64 %sAES 0x00110900 0x00510900 ascii 45 .rodata \e[1;32m * \e[0m\e[1;37m%-13s%.1f MB/%.1f MB\e[0m 0x00110930 0x00510930 ascii 127 .rodata \e[1;32m * \e[0m\e[1;37mCOMMANDS \e[0m\e[1;35mh\e[0m\e[1;37mashrate, \e[0m\e[1;35mp\e[0m\e[1;37mause, \e[0m\e[1;35mr\e[0m\e[1;37mesume\e[0m 0x001124d0 0x005124d0 ascii 96 .rodata \e[1;37mspeed\e[0m 10s/60s/15m \e[1;36m%s\e[0m\e[0;36m %s %s \e[0m\e[1;36mH/s\e[0m max \e[1;36m%s H/s\e[0m 0x001131c8 0x005131c8 ascii 7 .rodata \e[1;33m 0x00113230 0x00513230 ascii 110 .rodata \e[1;32mREADY (CPU)\e[0m threads \e[1;36m%zu(%zu)\e[0m huge pages %s%zu/%zu %1.0f%%\e[0m memory \e[1;36m%zu.0 MB\e[0m

This is just a basic example of what you can do with radare2 together with Jupyter. You can find the complete notebook here, Github supports notebooks also, giving a nice view of it. Please share your ideas, comments and/or insights, with me via social media, @remco_verhoef or email, remco.verhoef at dutchsec dot com.

Remco Verhoef (@remco_verhoef)
ISC Handler - Founder of DutchSec
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 15.

ISC Stormcast For Friday, March 15th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6412, (Fri, Mar 15th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 14.

Tip: Ghidra &#x26; ZIP Files, (Thu, Mar 14th)

I don't know where I got the idea, but I erroneously assumed that Ghidra could help with the analysis of document files. Ghidra is a software reverse engineering framework developed by the NSA and released at RSA 2019.

My test revealed the following.

.doc files (e.g. Compound File Binary Format files) are not recognized at all:

But with .docx files (Office Open XML files, e.g. ZIP files), something else happened:

Ghidra recognizes the ZIP file format, and can look inside ZIP files. Here I'm opening a ZIP file containing an EXE:

I can select "File system" and browse the content of the ZIP file:

And then import the EXEs I want:

I like this feature, as my malware samples are often stored in a ZIP file. I can also select Batch and have all contained files (or a selection) imported.

Unfortunately, password protected ZIP files are not supported:

I don't think it would be difficult to add support for password protected ZIP file to Ghidra. When the NSA officially releases the source code, I'll take a look.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 13.

ISC Stormcast For Wednesday, March 13th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6410, (Wed, Mar 13th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 13.

Malspam pushes Emotet with Qakbot as the follow-up malware, (Wed, Mar 13th)

Introduction

I've posted several diaries about malicious spam (malspam) pushing Emotet malware.  In recent years, I've made sure to include information on the follow-up malware, since Emotet is also a distributor for other malware families.  Not much has changed since my previous diary about Emotet malspam in November 2018.  In the past two or three weeks, I've consistently seen Trickbot as the follow-up malware; however, this past Monday I also saw Qakbot as the follow-up malware.  Today's diary examines an Emotet infection from Monday 2019-03-11 that had Qakbot as the follow-up malware.


Shown above:  Flow chart for recent Emotet malspam infections I've seen during the past month or so.

Email example

Shown below is an example of Emotet malspam with a link for the XML document.  Clicking on the link downloaded an XML document with a .doc file extension that opens in Microsoft Word by default, if Word is installed on the victim's host.


Shown above:  Screenshot of Emotet malspam with a link for an XML document.

Downloaded XML doc

The downloaded XML document has macros that, if enabled, will infected a vulnerable Windows host with Emotet.


Shown above:  An XML document downloaded from a link in Emotet malspam.

Infection traffic

Infection traffic was typical for what I've seen with Emotet, and the Qakbot traffic was similar to patterns seen the last time I documented an example of Emotet + Qakbot in December 2018.


Shown above:  Traffic from an infected Windows host.


Shown above:  Alerts from Security Onion using Sguil with Suricata and the EmergingThreats Pro ruleset.

Post-infection forensics

The infected Windows host had post-infection artifacts similar to the last time I saw Emotet + Qakbot.  Both Emotet and Qakbot were kept persistent through the Windows registry.  Emotet generally saves follow-up malware under the C:\ProgramData folder, and that was where the Qakbot EXE was originally saved.  However, when Qakbot executed, it copied itself to another directory and replaced the original file with a re-named calc.exe.


Shown above:  Emotet and Qakbot persistent on my infected lab host.


Shown above:  Qakbot replaces the file it was originally downloaded as with calc.exe, a non-malicious file.

The following is data from malware I retrieved from my infected Windows host:

SHA256 hash: cf59f0ff182405c068262b1879f559f4244d4e94cc813f900c96c3eb89a59b10

  • File size: 199,348 bytes
  • File description: Downloaded XML doc with macro for Emotet

SHA256 hash: e6308496a22d317cf7e5a5469351c5cf4dc11ef7e47b39e9a97ea85707cbec8a

  • File size: 229,640 bytes
  • File description: Emotet malware binary retrieved by XML doc macro

SHA256 hash: ebb4e12bcc3b95e4b8b16798b7c46d24f8b973a210424512d580112534c2012e

  • File size: 229,640 bytes
  • File description: Updated Emotet malware binary (1st update)

SHA256 hash: c6ff3a2fd9e623754056a39f379eba289105f0a935dc05249ca1957cf35e84ac

  • File size: 339,720 bytes
  • File description: Updated Emotet malware binary (2nd update)

SHA256 hash: 9978756e1daf844bd734c6282fec583d5f3089be4e21d7fbd43877d25598f8f6

  • File size: 551,936 bytes
  • File description: Qakbot retrieved by Emotet-infected host (1st run)

Final words

On Monday 2019-03-11, I also saw Emotet + Trickbot on another lab host within an hour after I infected my first lab host with Emotet + Qakbot.  Pcap and malware from these two infections can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 12.

Microsoft March 2019 Patch Tuesday, (Tue, Mar 12th)

This month we got patches for 64 vulnerabilities. Two of them have been exploited and four have been made public before today.

Both exploited vulnerabilities (CVE-2019-0808 and CVE-2019-0797) affects win32k component on multiple Windows versions, from Windows 7 to 2019, and may lead to privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Amongst 17 critical vulnerabilities this month, it's worth mentioning CVE-2019-0697 which affects DHCP Client and may lead to remote code execution (RCE). This is the second critical vulnerability in DHCP client this year both scoring 9.8 CVSS v3. The other one was patched in January (CVE-2019-0547).

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

Description CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) Active Directory Elevation of Privilege Vulnerability %%cve:2019-0683%% Yes No - - Important 4.9 4.4 Azure SSH Keypairs Security Feature Bypass Vulnerability %%cve:2019-0816%% No No Less Likely Less Likely Moderate     Best Practices Regarding Sharing of a Single User Account Across Multiple Users ADV190010 No No - -       Chakra Scripting Engine Memory Corruption Vulnerability %%cve:2019-0611%% No No - - Important 4.3 3.9 %%cve:2019-0746%% No No Less Likely Less Likely Important 6.4 5.8 %%cve:2019-0592%% No No - - Critical 4.2 3.8 Comctl32 Remote Code Execution Vulnerability %%cve:2019-0765%% No No Less Likely Less Likely Important 6.4 5.8 Internet Explorer Memory Corruption Vulnerability %%cve:2019-0763%% No No More Likely More Likely Critical 6.4 5.8 Internet Explorer Security Feature Bypass Vulnerability %%cve:2019-0761%% No No Less Likely Less Likely Important     %%cve:2019-0768%% No No More Likely More Likely Important 4.3 3.9 Jet Database Engine Remote Code Execution Vulnerability %%cve:2019-0617%% No No Less Likely Less Likely Important 7.8 7.0 Latest Servicing Stack Updates ADV990001 No No - - Critical     MS XML Remote Code Execution Vulnerability %%cve:2019-0756%% No No Less Likely Less Likely Critical 7.5 6.7 March 2019 Adobe Flash Security Update ADV190008 No No More Likely More Likely Low     Microsoft Browser Memory Corruption Vulnerability %%cve:2019-0780%% No No - - Important 6.4 5.8 Microsoft Browsers Security Feature Bypass Vulnerability %%cve:2019-0762%% No No - - Important 2.4 2.2 Microsoft Edge Elevation of Privilege Vulnerability %%cve:2019-0678%% No No - - Important 4.2 3.8 Microsoft Edge Memory Corruption Vulnerability %%cve:2019-0779%% No No - - Important 4.2 3.8 Microsoft Edge Security Feature Bypass Vulnerability %%cve:2019-0612%% No No - - Important 4.3 3.9 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability %%cve:2019-0748%% No No - - Important     Microsoft Office SharePoint XSS Vulnerability %%cve:2019-0778%% No No - - Important     Microsoft Windows Elevation of Privilege Vulnerability %%cve:2019-0766%% No No Less Likely Less Likely Important 6.7 6.7 NuGet Package Manager Tampering Vulnerability %%cve:2019-0757%% Yes No Less Likely Less Likely Important     SHA-2 Code Sign Support Advisory ADV190009 No No - -       Scripting Engine Memory Corruption Vulnerability %%cve:2019-0609%% No No - - Critical 6.4 5.8 %%cve:2019-0639%% No No - - Critical 4.2 3.8 %%cve:2019-0769%% No No - - Critical 4.2 3.8 %%cve:2019-0770%% No No - - Critical 4.2 3.8 %%cve:2019-0771%% No No - - Critical 4.2 3.8 %%cve:2019-0773%% No No - - Critical 4.2 3.8 %%cve:2019-0783%% No No More Likely More Likely Important 6.4 5.8 %%cve:2019-0680%% No No - - Critical 6.4 5.8 Skype for Business and Lync Spoofing Vulnerability %%cve:2019-0798%% No No Less Likely Less Likely Important     Team Foundation Server Cross-site Scripting Vulnerability %%cve:2019-0777%% No No Less Likely Less Likely Low     Visual Studio Remote Code Execution Vulnerability %%cve:2019-0809%% Yes No Less Likely Less Likely Important     Win32k Elevation of Privilege Vulnerability %%cve:2019-0797%% No Yes Detected Unlikely Important 7.0 6.3 %%cve:2019-0808%% No Yes - - Important 7.0 6.3 Win32k Information Disclosure Vulnerability %%cve:2019-0776%% No No Less Likely Less Likely Important 4.7 4.2 Windows ActiveX Remote Code Execution Vulnerability %%cve:2019-0784%% No No Less Likely Less Likely Critical 4.2 3.8 Windows DHCP Client Remote Code Execution Vulnerability %%cve:2019-0697%% No No Less Likely Less Likely Critical 9.8 8.8 %%cve:2019-0698%% No No Less Likely Less Likely Critical 9.8 8.8 %%cve:2019-0726%% No No Less Likely Less Likely Critical 9.8 8.8 Windows Denial of Service Vulnerability %%cve:2019-0754%% Yes No Less Likely Less Likely Important 5.5 5.0 Windows Deployment Services TFTP Server Remote Code Execution Vulnerability %%cve:2019-0603%% No No Less Likely Less Likely Critical 7.5 6.7 Windows GDI Information Disclosure Vulnerability %%cve:2019-0774%% No No Less Likely Less Likely Important 4.7 4.2 %%cve:2019-0614%% No No Less Likely Less Likely Important 4.7 4.2 Windows Hyper-V Denial of Service Vulnerability %%cve:2019-0690%% No No Less Likely Less Likely Important 6.8 6.1 %%cve:2019-0695%% No No Less Likely Less Likely Important 6.8 6.1 %%cve:2019-0701%% No No Less Likely Less Likely Important 6.8 6.1 Windows Kernel Elevation of Privilege Vulnerability %%cve:2019-0696%% No No More Likely More Likely Important 7.0 6.3 Windows Kernel Information Disclosure Vulnerability %%cve:2019-0755%% No No More Likely More Likely Important 5.5 5.0 %%cve:2019-0767%% No No More Likely More Likely Important 4.7 4.2 %%cve:2019-0775%% No No More Likely More Likely Important 4.7 4.2 %%cve:2019-0782%% No No Less Likely Less Likely Important 4.7 4.2 %%cve:2019-0702%% No No Less Likely Less Likely Important 5.5 5.0 Windows Print Spooler Information Disclosure Vulnerability %%cve:2019-0759%% No No Less Likely Less Likely Important 4.7 4.2 Windows SMB Information Disclosure Vulnerability %%cve:2019-0703%% No No More Likely More Likely Important 6.5 5.9 %%cve:2019-0704%% No No More Likely More Likely Important 6.5 5.9 %%cve:2019-0821%% No No More Likely More Likely Important 6.5 5.9 Windows Subsystem for Linux Elevation of Privilege Vulnerability %%cve:2019-0682%% No No Less Likely Less Likely Important 7.0 6.3 %%cve:2019-0689%% No No Less Likely Less Likely Important 7.0 6.3 %%cve:2019-0692%% No No Less Likely Less Likely Important 7.0 6.3 %%cve:2019-0693%% No No Less Likely Less Likely Important 7.0 6.3 %%cve:2019-0694%% No No Less Likely Less Likely Important 7.0 6.3 Windows VBScript Engine Remote Code Execution Vulnerability %%cve:2019-0772%% No No Less Likely Less Likely Important 6.4 5.8 %%cve:2019-0665%% No No More Likely More Likely Important 7.5 6.7 %%cve:2019-0666%% No No More Likely More Likely Critical 7.5 6.7 %%cve:2019-0667%% No No More Likely More Likely Critical 7.5 6.7

 

--
Renato Marinho
Morphus Labs| LinkedIn|Twitt

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2019. március 12.

ISC Stormcast For Tuesday, March 12th 2019 https://isc.sans.edu/podcastdetail.html&#x3f;id=6408, (Tue, Mar 12th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.