SANS

Subscribe to SANS hírcsatorna SANS
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Frissítve: 34 perc 8 másodperc
2022. június 24.

Python (ab)using The Windows GUI, (Fri, Jun 24th)

A quick diary to wrap-up the week with a nice Python script that interacts with the victim. Most malicious scripts try to remain below the radar to perform their nasty tasks. I found a Python script that has some interesting features. The file has a VT score of 10/55 (SHA256:e21f6c09fb1658397d0996751f4c79114f50a0853668227c1c589fb716b31603)[1]. The core feature is this script is to implement a keylogger but it has interesting capabilities.

First, it retrieves its C2 server via a simple HTTP request and extract it from the returned HTML code:

The protocol implemented with the C2 servers is very simple and seems to be "homemade", just a TCP session waiting for commands based on single letters:

There are classic commands to start/stop the keylogger, to upload/download files but you can also interact with the Windows 10 GUI. There is an interesting Python module loaded: "win10toast_click"[2]. This module helps to display Windows Toast notifications[3] like this example:

Here is the code used by the malicious script:

The attacker will display a notification to the victim and, if clicked, a browser will be launched with a (probably malicious) webpage with the help of the web-browser module[4]. This is perfect to conduct social engineering attacks and, for example, ask the user to leave credentials on a rogue site.

[1] https://www.virustotal.com/gui/file/e21f6c09fb1658397d0996751f4c79114f50a0853668227c1c589fb716b31603/detection
[2] https://pypi.org/project/win10toast-click/
[3] https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/adaptive-interactive-toasts?tabs=builder-syntax
[4] https://docs.python.org/3/library/webbrowser.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 23.

FLOSS 2.0 Has Been Released, (Thu, Jun 23rd)

When you have to deal with malware in your day job, for research purposes, or just for fun, one of the key points is to have a lab ready to be launched. Your sandbox must be properly protected and isolated to detonate your samples in a safe way but it must also be fulfilled with tools, and scripts. This toolbox is yours and will be based on your preferred tools but starting from zero is hard, that's why there are specific Linux distributions built for this purpose. The one that I use in FOR610 and for my daily investigations is REMnux[1], created and maintained by Lenny Zeltser[2]. This environment offers tons of tools that help to perform all the malware analysis steps from static analysis up to code reversing and debugging.

Even if it does not reveal a lot of information about the malware capabilities (especially today with all the obfuscation techniques in place), static analysis remains an important first step because:

  • It's safe (you don't execute the malware)
  • It's fast and can be automated to perform the "triage" of your sample
  • It main still reveals interesting information that will help you to conduct the next steps.

The static analysis relies on information present in the file like... strings! But even strings can be challenging to find, we can indeed face:

  • ASCII strings
  • Unicode strings

But they are techniques used by attackers to hide strings. A common technique is called "stack strings".

The technique is pretty simple: some space is reserved on the stack then the string is rebuilt by moving all characters one by one. In the example above, the string will be:

0x50 ("P"), 0x72 ("r"), 0x6F ("o"), 0x67 ("g") ...

The results in memory will be:

Program Files\...

FLOSS is a tool that helps to extract strings from an executable (PE) file. FLOSS means "FLARE Obfuscated String Solver". It supports stack strings but also a new version has been released two days ago and it supports a new obfuscation technique: "tight strings". The principle is close to the stack strings but strings are also encoded!

FLOSS supports also simple ASCII & Unicode strings. This make is a perfect tool to extract useful strings from a PE file. Remember: it works only with executable files because it emulates the code to rebuild the strings!

FLOSS is a Python project[3] and is available as a standalone script but can be also "imported" and used in your own projects. It is available on REMnux and I'm sure that Lenny will push an update soon!

[1] https://remnux.org
[2] https://zeltser.com
[3] https://github.com/mandiant/flare-floss

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 23.

ISC Stormcast For Thursday, June 23rd, 2022 https://isc.sans.edu/podcastdetail.html?id=8062, (Thu, Jun 23rd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 22.

Malicious PowerShell Targeting Cryptocurrency Browser Extensions, (Wed, Jun 22nd)

While hunting, I found an interesting PowerShell script. After a quick check, my first conclusion was that it is again a simple info stealer. After reading the code more carefully, the conclusion was different: It targets crypto-currency browser apps or extensions. The script has a very low score on VT: 1/53[1].

It collects details about the infected computer:

The next function called is the most interesting one:

You can see that three browsers are targeted: Chrome, Brave, and Edge. The second foreach() loop tries to find interesting extensions installed in browsers:

The list is pretty long and I don't display all of them. Here are the ones related to Chrome:

Let's take the patch of "Coinbase-C": A simple Google search returns indeed references to the application ID:

https://chrome.google.com/webstore/detail/coinbase-wallet-extension/hnfanknocfeofbddgcijnmhnfnkdnaad

While analyzing the code, I found two commented lines:

The very long line contains another PowerShell script that is decoded and launched via Start-Job(). It's purpose is to monitor the clipboard of the infected computer. To do this, it implements a listener to intercept clipboard activity:

Here is the function that checks for an interesting content:

You can guess that, if a wallet address is found, it will be replaced by the imposter's one. Why this feature was disabled (commented)? I don't know, maybe the script is still being debugged and has been uploaded to VT as a first check? Note that there is no code obfuscation! Yet?

The C2 communications occur via a newly (2022-06-14) registered domain: wmail-endpoint[.]com

Finally, the script includes the capability to execute extra PowerShell code received from the C2 server:

Besides the clipboard monitoring function, the information about the installed browser extensions is exfiltrated to the attacker. For which purpose? Reconnaissance only? It's unclear...

[1] https://www.virustotal.com/gui/file/0bbce92b547f0e99a37636b090cb05d9633cc05e1ce876e0076ca32dc4c901c4/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 22.

ISC Stormcast For Wednesday, June 22nd, 2022 https://isc.sans.edu/podcastdetail.html?id=8060, (Wed, Jun 22nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 21.

Experimental New Domain / Domain Age API, (Tue, Jun 21st)

One of our goals is to provide data to "color your logs" (or "Augment" them, as vendors may say). I have been experimenting with various ways to get simplified access to "domain age" data for a while now. This means not just data about new domains but how old a particular domain is. It may be an interesting parameter to add to when investigating.

To make it easier to retrieve this data, we now have two new API functions, and I may finally document them properly at https://isc.sans.edu/api (where you will find all the other random data we make available). I have been playing with this for a while and may have posted about it, but now it is as ready as it will be for a while.

Lookups are simple:

curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/domainage/sans.org?json'

Just replace "sans.org" with the domain you are interested in.

For domains "first seen" on a particular date, try:

curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/recentdomains/2022-06-01?json'

if you omit the date, the last date ("today") is returned. This only works for dates one month back.

Quick FAQ:

  • Where does the data come from?
    Multiple sources. Some domains we discover by seeing them in our web/ssh/firewall log data. Some comes from registrars, some from certificate transparency logs. Some of the old domain data comes from "whois" lookups.
  • How "good" is the "firstseen" date?
    We call it "firstseen" for a reason. This is the first time we have seen the domain. It may be older. Sometimes this is based on whois data, but not always.
  • What is the rate limit / SLA for this API:
    Right now, we do not have a strict rate limit. But this is meant for occasional, not bulk, lookup. One lookup a second, maybe a thousand or so a day, should be good. We do not do API keys or authentication. But please add some information to the user agent that allows us to reach out in case of a problem. Some default user agents may get blocked, so customize your user agent (we want to get at least rid of requests that are too lazy to alter their user agent)
  • Are there any restrictions on usage?
    Do not resell. Other than that, you are OK to use it. Please attribute. Our standard "creative commons" license applies if you are interested in details. Please ask us if you have questions.
  • What is the data quality?
    That is what I want you to tell me? See errors/omissions? Let us know. The data is provided "as-is" (but you will get the money back that you didn't pay if something is wrong)
  • What is the "type" about?
    Treat it as a "comment," but it is still being developed.
  • What output formats do you support
    RTFM at isc.sans.edu/api 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 21.

ISC Stormcast For Tuesday, June 21st, 2022 https://isc.sans.edu/podcastdetail.html?id=8058, (Tue, Jun 21st)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 20.

Odd TCP Fast Open Packets. Anybody understands why?, (Mon, Jun 20th)

TCP Fast Open (TFO) is a relatively new TCP feature. The corresponding RFC7413 was published in 2014 and labeled "Experimental" [1]. The feature has been showing up in browsers and operating systems in the last couple of years. In particular, together with TLS 1.3, it can significantly decrease the time it takes to set up a connection.

The "textbook" TCP handshake starts with an "SYN" packet from the client to the server. The server responds with an "SYN-ACK," and finally, the client completes the handshake with an "ACK." The original RFC for TCP (RFC793) does allow the first "SYN" packet to hold data, but the server does not process the data until the handshake is complete. As a result, there is no point in sending data that early, and historically, data on SYN was hardly ever seen legitimately.

One of the reasons TCP servers do not respond immediately is the danger of spoofing. It is possible to spoof TCP SYN packets. A spoofed HTTP request over TCP could trick the server into flooding an unsuspecting victim with data, leading to amplification attacks as we usually see with UDP. By waiting until the handshake is completed, some spoofing danger is reduced by verifying the sequence numbers.

TFO is built for a particularly common use case where a client establishes multiple connections to a server in quick succession. The first time the client connects, it uses a specific TCP option to request a "TFO Cookie." The server will respond with a unique cookie. Future SYN packets by the same client will include this cookie, validating that the packet is not spoofed. Data is processed immediately if the cookie is valid. Any data will be buffered if the cookie is invalid until the handshake is complete, falling back to the pre-TFO behavior.

The cookie itself has to be at least four bytes long. The RFC suggests that the server encrypts the IP address with a secret only known to the server. Four bytes is as long as the TCP sequence number and should provide a similar level of security. As far as the client is concerned, the cookie is a "random" value that is saved for a particular server.

Now why the lengthy introduction?

Lately, I am seeing a good number of Suricata alerts like:

[**] [1:2200036:2] SURICATA TCP option invalid length [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 

Investigating them, I found that these alerts point to connections with short 2-byte TCP cookies. I see these packets from about a dozen different sources, but one source, %%ip:135.181.78.222%% is by far the most "popular" one.

Here is a decoded sample packet:

The packets always use a 2-byte TFO cookie. No server provides a cookie, so the cookie is "spoofed." The source IP itself may be spoofed. TTLs appear to be "random," and other parameters like the MSS change from packet to packet.

So the real question: Why? Is this an attempt to detect how servers respond to these invalid cookies? Maybe someone found some form of application attack? The packets do not include payload, so a bit hard to tell. Or some cover channel using TFO cookies as a "key"?

I am attaching a copy of the traffic I saw recently from 135.181.78.222. The destination IP is obfuscated.

https://isc.sans.edu/diaryimages/oddtfo.pcap

 

[1] https://www.rfc-editor.org/rfc/rfc7413.html 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 20.

ISC Stormcast For Monday, June 20th, 2022 https://isc.sans.edu/podcastdetail.html?id=8056, (Mon, Jun 20th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 19.

Video: Decoding Obfuscated BASE64 Statistically, (Sun, Jun 19th)

I recorded a video for my diary entry "Decoding Obfuscated BASE64 Statistically ".

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 19.

Wireshark 3.6.6 Released, (Sun, Jun 19th)

Wireshark version 3.6.6 was released.

If you use Wireshark on Windows 11, you need to upgrade to this version, because of the bump to Npcap version 1.60. There's an issue with Npcap 1.55 on Windows 11, which is installed by Wireshark 3.6.5 installers on Windows.

Didier Stevens

Senior handler
Microsoft MVP
blog.DidierStevens.com

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 18.

Decoding Obfuscated BASE64 Statistically, (Sat, Jun 18th)

In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string.

I want to show here how this can be done through statistical analysis of the encoded payload.

First of all, Xavier mentions a great method to quickly find payloads inside scripts: look at the longests strings first.

Although the strings command is usually given binary files for processing, it works on text files too. My strings.py tool has an option to sort strings by their lenght: option -L.

This is the result of running that strings.py -L command on Xavier's sample:

Another method I like to find payloads inside files (binary or text) is to run my base64dump.py tool on the file, searching for all supported encodings (option -e all):

There's a very long string (78369 characters long) that looks like it is encoded with b85 (a variant of BASE85). But notice that only 63 unique characters are used to encode the payload, so this is probably not BASE85, but maybe a variant/obfuscation of BASE64.

This string does not decode to a payload I recognize.

So let's extract this encoded payload and do some statistical analysis to try to figure out what we are dealing with.

I select the longest string:

Then I use my tool re-search.py to extract the JavaScript string with single quotes. I use regular expression '[^']+' for this (a single quote followed by any characters that are not a single quote, and then another single quote):

My tool re-search extracts all strings that match the provided regular expression. If you use a capture group in your regular expression, then re-search reports the first capture group, and not the complete match. I use this to extract the encoded payload without surrounding single quotes, using regular expression '([^']+)'.  ([^']+) is the first capture group:

Now that I have isolated the payload, I pipe this into my tool byte-stats.py to produce statistical information for the bytes that make up that encoded payload:

There are 65 unique bytes in the encoded payload, most of them printable characters, except for 2 whitespace characters.

Next, I use option -r (range) to print out the ranges of bytes found inside this encoded payload:

I have almost all BASE64 characters: all the digits, all the lowercase letters, and all the uppercase letters except letter A. And I don't have BASE64 characters +/=.

But I do have 4 characters that are not part of the BASE64 character set: ! & and the whitespace characters newline and carriage-return. These last 2 are actually not part of the payload, but just the end-of-line printed by re-search.

That can be confirmed by using option -a to print out all the byte statistics:

From these stats, I do indeed see that the carriage-return (0x0d) and newline (0x0a) characters appear only once.

And that characters ! and & (which are not part of the standard BASE64 character set) both do appear exactly 53 times each. Which is a bit odd, I would expect different frequencies, if they encode different bits.

To find out a bit more of the use of these 2 characters, I will use my re-search tool to search for them and their surrounding characters.

First I start with the ! character: regular expression ..!.. looks for 5 characters where the third character is !. And I use option -u to produce a unique least of matches (e.g., no doubles):

From this output, it appears that each time character ! is found in the encoded payload, it is followed by character &.

I double-check by using a capture group to extract character ! and the next character:

That confirms it: each time ! appears, it is followed by &.

Let's now do the same analysis for the & character:

And from this I conclude: each time the & character appears, it is preceded by the ! character.

So it looks like the obfuscation (or part of it) consists of inserting string !& at different places in the encoded payload (53 times). I double check this by using sed to remove string !& and calculating new statistics:

This confirms it: characters ! and & no longer appear in the statistics, so they always appear as a pair in the original encoded payload.

I will now remove string !& from the encoded payload, and then try to decode it with base64dump:

That fails. Throwing away !& does not yield a valid BASE64 string. I will now force decoding, by truncanting the payload to a multiple of 4 characters (valid BASE64 strings have a length that is a multiple of 4):

And now I do see something that I recognize, the start of a try statement:

So this is JavaScript that contains another encoded payload (looks like BASE64).

But, when I scroll down, the decoded payload suddenly starts to include binary data:

So my hypothesis that string !& was just inserted into a valid BASE64 string, to hinder decoding, is wrong.

Next hypothesis: string !& represents a valid BASE64 character, and I need to do a search and replace of string !& (e.g., not remove it, but replace it).

Replace it by which character? Looking at the statistics of the encoded payload, I noticed that BASE64 characters A + / = are missing. So it could be that string !& represents one of these 4 characters (actually, = is not possible, because that character can only appear at the end to a valid BASE64 string).

So let's try. I replace !& with A and try to decode:

And that works.

78316 characters were decoded, and that is the complete payload (78317 includes the EOL newline character):

And the decoded payload looks like another JavaScript script:

And it was properly decoded, because it doesn't contain binary data:

Only printable and whitespace bytes.

Thus, by performing statistical analysis of the encoded payload, I figured out it is BASE64 but obfuscated by replacing character A by string !&.

Of course, this is something Xavier found much faster by looking at the code of the decoder: replace !& with A.

But this was a good opportunity to illustrate how you can try to decode an obfuscated payload, if you don't have the decoder. That is something I have to do occasionaly. This is also a good sample to illustrate this method, because most encoding characters are left untouched. It is more difficult if many characters have to be substituted. And I do have an example of that too, but that is for another blog post.

Now that this payload is decoded, I will just spend some extra time looking at the encoded payloads inside the decoded payload:

So it looks like the decoded payload contains 2 long BASE64 strings:

Let's take a look at the first one:

That looks like JavaScript, similar to the original sample.

Here is the second payload:

That is the Houdini VBS script. Since it was not present on VirusTotal, I did submit it (also to MalwareBazaar).

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 17.

Critical vulnerability in Splunk Enterprise?s deployment server functionality, (Fri, Jun 17th)

Splunk published an advisory about a critical security vulnerability in deployment server, which is a component that comes installed (but not fully used) with every Splunk Enterprise installation. However, due to it being very useful, almost every organization I’ve seen (and I’m a Splunk person really) uses it – which makes this even more dangerous.

So what is the vulnerability about?

When you use deployment server, it allows you to create configuration bundles that can be automatically downloaded by Splunk Universal Forwarder (SUF) agents (or other Splunk Enterprise instances such as heavy forwarders). These configuration bundles can, among plain text configuration files also contain binary packages (most commonly used for specific connectors).

The administrator of a deployment server controls which SUF can download what – this can be done by IP addresses, DNS names or architecture. And since those bundles can contain binary files, once fetched by a SUF, as you can probably guess, the SUF will happily execute it. And by default, most SUF agents will run as SYSTEM on Windows …

The published vulnerability (the exploit has not been published yet, and we have not seen any information about exploitation at the time of posting this diary) allows an attacker, that has compromised a single SUF in an organization to abuse the vulnerability and presumably push a new configuration bundle to every other SUF in the organization. As I wrote above, since SUF can download and execute binaries, and as it quite often runs as SYSTEM, this can be translated to pwning a whole organization. Eeek!

What can we do?

Splunk’s answer currently is to update to 9.0, which fixes the vulnerability. However, v9.0 is literally 2 days old so if you decide to go this way be careful!
There are no fixes for any of the older versions! Which means that you are almost certainly affected.

The only solution I am aware of at the moment (and thanks to Boris Kresoja and Alan Osmanagic for testing – Splunk guys working with me) is to disable deployment server so it is down, and bring it up only if you need to push configuration updates. Any bundle that has been already downloaded to a SUF will continue working.

An easy way to do this is to run the following command:

$ /opt/splunk/bin/splunk disable deploy-server

Keep in mind that you need to restart Splunk after the command above – if you don’t, all active connections to deployment server will continue to work.
Beside this we recommend that you install deployment server on a standalone Splunk Enterprise instance, where you can upgrade it to v9.0 (with less risk). It looks as the rest can stay as it is in that case; I’ll update the diary if we get new information.

--
Bojan
@bojanz
NFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 17.

Malspam pushes Matanbuchus malware, leads to Cobalt Strike, (Fri, Jun 17th)

Introduction

On Thursday 2022-06-16, threat researchers discovered a wave of malicious spam (malspam) pushing Matanbuchus malware:

Today's diary reviews the activity, which led to Cobalt Strike in my lab environment.


Shown above:  Flow chart for Matanbuchus activity on Thursday 2022-06-16.

Email and Attachment


Shown above:  Screenshot from one of the emails pushing Matanbuchus on 2022-06-16.


Shown above:  The email attachment is a zip archive that contains an HTML file.


Shown above:  The HTML file pretends to be a OneDrive page, however, the HTML file actually contains base64 text that is converted to a file for download.


Shown above:  Zip archive downloaded from the HTML file contains an MSI package.


Shown above:  MSI extracted from the second zip archive is signed using a certificate, apparently from Digicert.

Running the MSI Package


Shown above:  MSI package pretends to install an Adobe font pack.


Shown above:  Installation process presents a fake error message.


Shown above:  VBS file that generated the fake error message, and the Matanbuchus DLL saved to the infected host in two different locations.

NOTE: In the above image, the Matanbuchus file main.dll was dropped by the .msi package, while 2100.nls was retrieved through HTTPS traffic after main.dll was run.  Both have the same SHA256 hash.


Shown above:  Scheduled task to keep the Matanbuchus malware persistent.

Traffic From an Infected Windows Host


Shown above:  Traffic from an infected Windows host filtered in Wireshark (part 1 of 2).


Shown above:  Traffic from an infected Windows host filtered in Wireshark (part 2 of 2).

Indicators of Compromise (IOCs)

SHA256 hashes for 7 unique attachments from 14 email examples on 2022-06-16:

  • 72426e6b8ea42012675c07bf9a2895bcd7eae15c82343b4b71aece29d96a7b22  SCAN-016063.zip
  • 6b2428fcf9e3a555a3a29fc5582baa1eda15e555c1c85d7bef7ac981d76b6068  SCAN-026764.zip
  • af534b21a0a0b0c09047e1f3d4f0cdd73fb37f03b745dbb42ffd2340a379dc42  SCAN-068589.zip
  • b9720e833fa96fec76f492295d7a46b6f524b958278d322c4ccecdc313811f11  SCAN-231112.zip
  • 23fe3af756e900b5878ec685b2c80acd6f821453c03d10d23871069b23a02926  SCAN-287004.zip
  • 53af0319d68b0dcbf7cb37559ddfd70cce8c526614c218b5765babdc54500a49  SCAN-446993.zip
  • 4242064d3f62b0ded528d89032517747998d2fe9888d5feaa2a3684de2370912  SCAN-511007.zip

SHA256 hashes for HTML files extracted from the above 7 zip archives:

  • d0e2e92ec9d3921dc73b962354c7708f06a1a34cce67e8b67af4581adfc7aaad  SCAN-016063.html
  • 56ec91b8e594824a678508b694a7107d55cf9cd77a1e01a6a44993836b40ec7a  SCAN-026764.html
  • cc08642ddbbb8f735a3263180164cda6cf3b73a490fc742d5c3e31130504e97c  SCAN-068589.html
  • e3b98dac9c4c57a046c50ce530c79855c9fe4025a9902d0f45b0fb0394409730  SCAN-231112.html
  • c117b17bf187a3d52278eb229a1f2ac8a73967d162ad0cfc55089d304b1cc8a7  SCAN-287004.html
  • 82add858e5a64789b26c77e5ec4608e1f162aacbc9163920a0d4aa53eb3e9713  SCAN-446993.html
  • 5708dced57f30ff79e789401360300fe3d5bdcf8f988ede6539b9608dfeb58fd  SCAN-511007.html

SHA256 hashes for zip archives generated by the above 7 HTML files:

  • 63242d49d842cdf699b0ec04ad7bba8867080f8337d3e0ec7e768d10573142b3  SCAN-016063.zip
  • 6c5eb5d9a66200f0ab69ee49ba6411abf29840bce00ed0681ec8b48e24fd83da  SCAN-026764.zip
  • ef4ea3976bad1cd68a2da2d926677c0cb04f4fc6e0b629b9a29a1c61ae984c46  SCAN-068589.zip
  • 19bbebd1e8ec335262e846149a893f4ce803f201e4dee7f3770d95287f9245f3  SCAN-231112.zip
  • de26167160e7df91bbd992a3523ea6a82049932b947452bb58e9eed3011c769a  SCAN-287004.zip
  • 7f0bf9496f21050fbc1a3ce5ad35dc300f595c71ad9e73ff5fc5c06b2e35a435  SCAN-446993.zip
  • 1bc74dfb2142e4929244c6c7e10415664d4e71a5301eaf8e03cb426fab0876f8  SCAN-511007.zip

SHA256 hashes for .msi packages extracted from the above 7 zip archives:

  • face46e6593206867da39e47001f134a00385898a36b8142a21ad54954682666  SCAN-016063.pdf.msi
  • e22ec74cd833a85882d5a8e76fa3b35daff0b7390bfbcd6b1ab270fd3741ceea  SCAN-026764.pdf.msi
  • 2d8740ea16e9457a358ebea73ad377ff75f7aa9bdf748f0d801f5a261977eda4  SCAN-068589.pdf.msi
  • 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da  SCAN-231112.pdf.msi
  • c6e9477fd41ac9822269486c77d0f5d560ee2f558148ca95cf1de39dea034186  SCAN-287004.pdf.msi
  • 4fd90cf681ad260f13d3eb9e38b0f05365d3984e38cfba28f160b0f810ffd4d3  SCAN-446993.pdf.msi
  • 7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9  SCAN-511007.pdf.msi

32-bit DLL for Matanbuchus:

SHA256 hash: f8cc2cf36e193774f13c9c5f23ab777496dcd7ca588f4f73b45a7a5ffa96145e

  • File size: 410,624 bytes
  • File location: hxxps://telemetrysystemcollection[.]com/m8YYdu/mCQ2U9/auth.aspx
  • File location: C:\Users\[username]\AppData\Local\AdobeFontPack\main.dll
  • File location: C:\Users\[username]\AppData\Local\x86\[4 ASCII characters for hex].nls
  • File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • Run method: regsvr32.exe [filename]

Note: The above DLL was dropped by the .msi package, then it was also retrieved over HTTPS from telemetrysystemcollection[.]com. The HTTPS traffic is probably a way to update the DLL, but in this case, the new file had the same file hash as the original.

Second file sent over HTTPS traffic from telemetrysystemcollection[.]com:

SHA256 hash: 39ec827d24fe68d341cff2a85ef0a7375e9c313064903b92d4c32c7413d84661

  • File size: 832,128 bytes
  • File location: hxxps://telemetrysystemcollection[.]com/m8YYdu/mCQ2U9/home.aspx
  • File type: base64 text

SHA256 hash: a5b06297d86aee3c261df7415a4fa873f38bd5573523178000d89a8d5fd64b9a

  • File size: 605,184 bytes
  • File description: XOR-ed binary converted from the above base64 text
  • File type: data
  • Note: This binary XOR-ed with the ASCII string: FuHZu4rQgn3eqLZ6FB48Deybj49xEUCtDTAmF

SHA256 hash: bd68ecd681b844232f050c21c1ea914590351ef64e889d8ef37ea63bd9e2a2ec

  • File size: 605,184 bytes
  • File type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  • File description: DLL file converted from the above XOR-ed binary
  • Note: Unknown entry point for this DLL file

First Cobalt Strike file (ASCII text):

SHA256 hash: 4ee7350176014c7fcb8d33a79dcb1076794a2f86e9b2348f2715ca81f011e799

  • File size: 1,668 bytes
  • File location: hxxp://144.208.127[.]245/cob23_443.txt
  • File type: ASCII text, with very long lines, with no line terminators

SHA256 hash: 7643468adbc1fca4342b7458f0e1dc4ae11c0dde7c06e52fea02c1e057314def

  • File size: 834 bytes
  • File type: data
  • File description: above ASCII text entered into hex editor converted to data binary

Second Cobalt Strike file (32-bit DLL):

SHA256 hash: 6d3259011b9f2abd3b0c3dc5b609ac503392a7d8dea018b78ecd39ec097b3968

  • File size: 16,384 bytes
  • File location: hxxp://144.208.127[.]245/cob_220_443.dll
  • File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • Run method: regsvr32.exe [filename]

Infection traffic:

Traffic for Matanbuchus DLL:

  • 213.226.114[.]15 port 443 (HTTPS) - telemetrysystemcollection[.]com - GET /m8YYdu/mCQ2U9/auth.aspx

Additional traffic returning base64 text for XOR-encoded binary:

  • 213.226.114[.]15 port 443 (HTTPS) - telemetrysystemcollection[.]com - GET /m8YYdu/mCQ2U9/home.aspx

Matanbuchus C2 traffic:

  • 213.226.114[.]15 port 48195 (HTTP) - collectiontelemetrysystem[.]com - POST /cAUtfkUDaptk/ZRSeiy/requets/index.php

Traffic caused by Matanbuchus for Cobalt Strike:

  • 144.208.127[.]245 port 80 - 144.208[.]127.245 - GET /cob23_443.txt
  • 144.208.127[.]245 port 80 - 144.208[.]127.245 - GET /cob_220_443.dll

First Cobalt Strike C2 traffic:

  • 185.217.1[.]23 port 443 - hxxps://extic[.]icu/empower/type.tiff
  • 185.217.1[.]23 port 443 - hxxps://extic[.]icu/[unknown]

Second Cobalt Strike C2 traffic:

  • 190.123.44[.]220 port 443 - hxxps://reykh[.]icu/load/hunt.jpgv
  • 190.123.44[.]220 port 443 - hxxps://reykh[.]icu/thaw.txt

Note: The above Cobalt Strike activity did not generate any DNS traffic for the associated .icu domains.

Final Words

14 email examples, a packet capture (pcap) of traffic from an infected Windows host, and the associated malware/artifacts can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 17.

ISC Stormcast For Friday, June 17th, 2022 https://isc.sans.edu/podcastdetail.html?id=8054, (Fri, Jun 17th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 16.

Houdini is Back Delivered Through a JavaScript Dropper, (Thu, Jun 16th)

Houdini is a very old RAT that was discovered years ago. The first mention I found back is from 2013! Houdini is a simple remote access tool written in Visual Basic Script. The script is not very interesting because it is non-obfuscated and has just been adapted to use a new C2 server (%%ip:194.5.97.17%%:4040).

The RAT implements the following commands:

Nothing really fancy here. What’s more interesting is the way it is delivered to the victim. A classic technique is used: a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js”. The file has a VT score: 22/56 [1].

The JavaScript is pretty well obfuscated but, once you check deeper, you quickly realize that most of the code is not used. The main function is kk():

The technique used is simple: A variable is defined and set to false (example: __p_0015805216). Then code blocks are executed if the variable is true (which of course will never happen).

JavaScript is a very beautiful/ugly language (select your best feeling) that is very permissive with the code. So, another technique is the creation of environment variables that become functions:

When I'm teaching FOR610, I like to say to students that they must find their way and go straight to the point to find what the script being analyzed tries to do. In the case of scripts like this one, usually, there is a payload encoded somewhere. I like to use this simple one-liner to get the longest file of the file:

$ awk '{print length, $0}' New-Order.js | sort -rn|head -1 78396 return 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gImZpZ2hRWEp5WVhrdWNISnZkRzkwZVhCbExtWnZja1ZoWTJnZ1B5QkJjbkpoZVM1d2NtOTBiM1I1Y0dVdVptOXlSV0ZqYUNBOUlHWjFibU4wYVc5dUlDaGpZV3hzWW1GamF5d2dkR2hwYzBGeVp5a2dldzBLSUNBZ0lIUm9hWE5CY21jZ1BTQjBhR2x6UVhKbk93MEtJQ0FnSUdadmNpQW9kbUZ5SUdrZ1BTQXdPeUJwSUR3Z2RHaHBjeTVzWlc1bmRHZzdJR2tyS3lrZ2V3MEtJQ0FnSUNBZ0lDQmpZV3hzWW1GamF5NWpZV3hzS0hSb2FYTkJjbWNzSUhSb2FYTmJhVjBzSUdrc0lIUm9hWE1wT3cwS0lDQWdJSDBOQ24wZ09pQXdMQ0FoUVhKeVlYa3VjSEp2ZEc5MGVYQmxMbTFoY0NBL0lFRnljbUY1TG5CeWIzUnZkSGx3WlM1dFlYQWdQU0JtZFc1amRHbHZiaUFvWTJGc2JHSmhZMnNzSUhSb2FYTkJjbWNwSUhzTkNpQWdJQ0IwYUdselFYSm5JRDBnZEdocGMwRnlaenNOQ2lBZ0lDQjJZWElnWVhKeVlYa2dQU0JiWFRzTkNpQWdJQ0JtYjNJZ0tIWmhjaUJwSUQwZ01Ec2dhU0E4SUhSb2FYTXViR1Z1WjNSb095QnBLeXNwSUhzTkNpQWdJQ0FnSUNBZ1lYSnlZWGt1Y0hWemFDaGpZV3hzWW1GamF5NWpZV3hzS0hSb2FYTkJjbWNzSUhSb2FYTmJhVjBzSUdrc0lIUm9hWE1wS1RzTkNpQWdJQ0I5RFF... (Remaining characters removed)

Now, you can search for this string and find that it is just returned, again, by a simple function:

This looks like a Base64-encoded string but it won't decode "as is". The attacker added some bad characters that must be replaced first:

The script drops two other samples on the file system:

C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\HUAqCSmCDP.js C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Local\Temp\hworm.vbs

An interesting point: Persistence is implemented via two techniques in parallel, via the registry (HKEY_CURRENT_USER\Software\Microsoft\Windoww\CurrentVersion\Run) and the Start menu (C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUAqCSmCDP.js)

[1] https://www.virustotal.com/gui/file/402a722d58368018ffb78eda78280a3f1e6346dd8996b4e4cd442f30e429a5cf/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 16.

ISC Stormcast For Thursday, June 16th, 2022 https://isc.sans.edu/podcastdetail.html?id=8052, (Thu, Jun 16th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 15.

Terraforming Honeypots. Installing DShield Sensors in the Cloud, (Wed, Jun 15th)

This is a bit different than our usual format. Instead of a blog post, we have a video presentation today: Dustin Lee, another SANS.edu undergraduate intern, put together a brief presentation about terraforming honeypots. In particular, Dustin explains how to install our honeypot with different cloud providers.

Enjoy. Clicking on the image will open the presentation video on YouTube.

Dustin's LinkedIn account: https://www.linkedin.com/in/dustin-lee-14367a7

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 15.

ISC Stormcast For Wednesday, June 15th, 2022 https://isc.sans.edu/podcastdetail.html?id=8050, (Wed, Jun 15th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2022. június 14.

Microsoft June 2022 Patch Tuesday, (Tue, Jun 14th)

This month we got patches for 60 vulnerabilities. Of these, 3 are critical, none previously disclosed, and none being exploited according to Microsoft.

The highest CVSS this month (9.8) is associated with a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (CVE-2022-30136). This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. According to the advisory, disabling NFSV4.1 mitigates the vulnerability. The exploitability for this vulnerability is ‘More Likely’. Interestingly, last month (May/2022) we had a similar CVE affecting NFS (CVE-2022-26937) which, on the contrary, affected versions NFSV2.0 and NFSV3.0 and not NFSV4.1.

A second critical vulnerability worth mentioning is an RCE on Windows Hyper-V (CVE-2022-30163). According to the advisory, “to exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code”. The attack complexity is high. The CVSS score for this vulnerability is 8.5.

Although Follina's vulnerability CVE is not listed in June 2022 Patch Tuesday, the vulnerability advisory (CVE-2022-30190) recommends installing the June updates as soon as possible to fix the 0-day. Official Microsoft Guidance on CVE-2022-30190 is available at Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

Description CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) .NET and Visual Studio Information Disclosure Vulnerability %%cve:2022-30184%% No No Less Likely Less Likely Important 5.5 5.0 AV1 Video Extension Remote Code Execution Vulnerability %%cve:2022-30167%% No No Less Likely Less Likely Important 7.8 6.8 %%cve:2022-30193%% No No Less Likely Less Likely Important 7.8 6.8 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability %%cve:2022-29149%% No No Less Likely Less Likely Important 7.8 7.0 Azure RTOS GUIX Studio Information Disclosure Vulnerability %%cve:2022-30180%% No No Less Likely Less Likely Important 7.8 7.0 Azure RTOS GUIX Studio Remote Code Execution Vulnerability %%cve:2022-30177%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2022-30178%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2022-30179%% No No Less Likely Less Likely Important 7.8 7.0 Azure Service Fabric Container Elevation of Privilege Vulnerability %%cve:2022-30137%% No No Less Likely Less Likely Important 6.7 6.0 Chromium: CVE-2022-2007 Use after free in WebGPU %%cve:2022-2007%% No No - - -     Chromium: CVE-2022-2008 Out of bounds memory access in WebGL %%cve:2022-2008%% No No - - -     Chromium: CVE-2022-2010 Out of bounds read in compositing %%cve:2022-2010%% No No - - -     Chromium: CVE-2022-2011 Use after free in ANGLE %%cve:2022-2011%% No No - - -     HEVC Video Extensions Remote Code Execution Vulnerability %%cve:2022-29111%% No No Less Likely Less Likely Important 7.8 6.8 %%cve:2022-22018%% No No Less Likely Less Likely Important 7.8 6.8 %%cve:2022-30188%% No No Less Likely Less Likely Important 7.8 6.8 %%cve:2022-29119%% No No Less Likely Less Likely Important 7.8 6.8 Intel: CVE-2022-21123 Shared Buffers Data Read (SBDR) %%cve:2022-21123%% No No Less Likely Less Likely Important     Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS) %%cve:2022-21125%% No No Less Likely Less Likely Important     Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update) %%cve:2022-21127%% No No Less Likely Less Likely Important     Intel: CVE-2022-21166 Device Register Partial Write (DRPW) %%cve:2022-21166%% No No Less Likely Less Likely Important     Kerberos AppContainer Security Feature Bypass Vulnerability %%cve:2022-30164%% No No Less Likely Less Likely Important 8.4 7.3 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability %%cve:2022-30166%% No No Less Likely Less Likely Important 7.8 6.8 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability %%cve:2022-22021%% No No Less Likely Less Likely Moderate 8.3 7.2 Microsoft Excel Remote Code Execution Vulnerability %%cve:2022-30173%% No No Unlikely Unlikely Important 7.8 6.8 Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability %%cve:2022-30154%% No No Less Likely Less Likely Important 5.3 4.6 Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities ADV220002 No No Less Likely Less Likely       Microsoft Office Information Disclosure Vulnerability %%cve:2022-30159%% No No Less Likely Less Likely Important 5.5 4.8 %%cve:2022-30171%% No No Less Likely Less Likely Important 5.5 4.8 %%cve:2022-30172%% No No Less Likely Less Likely Important 5.5 4.8 Microsoft Office Remote Code Execution Vulnerability %%cve:2022-30174%% No No Less Likely Less Likely Important 7.4 6.4 Microsoft Photos App Remote Code Execution Vulnerability %%cve:2022-30168%% No No Less Likely Less Likely Important 7.8 6.8 Microsoft SQL Server Remote Code Execution Vulnerability %%cve:2022-29143%% No No Less Likely Less Likely Important 7.5 6.5 Microsoft SharePoint Server Remote Code Execution Vulnerability %%cve:2022-30157%% No No Less Likely Less Likely Important 8.8 7.7 %%cve:2022-30158%% No No Unlikely Unlikely Important 8.8 7.7 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability %%cve:2022-30160%% No No More Likely More Likely Important 7.8 6.8 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability %%cve:2022-30151%% No No Less Likely Less Likely Important 7.0 6.1 Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability %%cve:2022-30189%% No No Less Likely Less Likely Important 6.5 5.9 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability %%cve:2022-30131%% No No Less Likely Less Likely Important 7.8 6.8 Windows Container Manager Service Elevation of Privilege Vulnerability %%cve:2022-30132%% No No Less Likely Less Likely Important 7.8 6.8 Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability %%cve:2022-30150%% No No Less Likely Less Likely Important 7.5 6.5 Windows Desired State Configuration (DSC) Information Disclosure Vulnerability %%cve:2022-30148%% No No Less Likely Less Likely Important 5.5 4.8 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability %%cve:2022-30145%% No No Less Likely Less Likely Important 7.5 6.5 Windows File History Remote Code Execution Vulnerability %%cve:2022-30142%% No No Less Likely Less Likely Important 7.1 6.2 Windows Hyper-V Remote Code Execution Vulnerability %%cve:2022-30163%% No No Less Likely Less Likely Critical 8.5 7.4 Windows Installer Elevation of Privilege Vulnerability %%cve:2022-30147%% No No More Likely More Likely Important 7.8 6.8 Windows Kerberos Elevation of Privilege Vulnerability %%cve:2022-30165%% No No Less Likely Less Likely Important 8.8 7.7 Windows Kernel Denial of Service Vulnerability %%cve:2022-30155%% No No Less Likely Less Likely Important 5.5 4.8 Windows Kernel Information Disclosure Vulnerability %%cve:2022-30162%% No No Less Likely Less Likely Important 5.5 4.8 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability %%cve:2022-30141%% No No Less Likely Less Likely Important 8.1 7.1 %%cve:2022-30143%% No No Less Likely Less Likely Important 7.5 6.5 %%cve:2022-30149%% No No Less Likely Less Likely Important 7.5 6.5 %%cve:2022-30153%% No No Less Likely Less Likely Important 8.8 7.7 %%cve:2022-30161%% No No Less Likely Less Likely Important 8.8 7.7 %%cve:2022-30139%% No No Less Likely Less Likely Critical 7.5 6.5 %%cve:2022-30146%% No No Less Likely Less Likely Important 7.5 6.5 Windows Media Center Elevation of Privilege Vulnerability %%cve:2022-30135%% No No Less Likely Less Likely Important 7.8 6.9 Windows Network Address Translation (NAT) Denial of Service Vulnerability %%cve:2022-30152%% No No Less Likely Less Likely Important 7.5 6.5 Windows Network File System Remote Code Execution Vulnerability %%cve:2022-30136%% No No More Likely More Likely Critical 9.8 8.5 Windows SMB Denial of Service Vulnerability %%cve:2022-32230%% No No Less Likely Less Likely Important     Windows iSCSI Discovery Service Remote Code Execution Vulnerability %%cve:2022-30140%% No No Less Likely Less Likely Important 7.1 6.2

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.