Powershell is a very nice language in Windows environments. With only a few lines of code, we can implement nice features… for the good or the bad!
I regularly post diary entries analyzing malware. And a couple of times, I posted diary entries of files that turned out to be not malicious.
I helped out someone who was seeing entries in his log file he could not make sense of.
In diary entry "Maldoc Analysis of the Weekend", I use the strings method explained in diary entry "Quickie: String Analysis is Still Useful" to quickly locate the PowerShell command hidden in a malicious Word document.
As promised in yesterday's diary entry "Finding Property Values in Office Documents", I made a video illustrating 2 methods to extract a property from an Office document.
Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Even sites from the Alexa Top-1M may deliver malicious content (Github current position is 51). The URL has been found in a classic email phishing attempt. The content was recently uploaded (<24h) when I found it:
Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer's anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because he knew the sender and pretended that the file was legit.
This month, we got patches for 74 vulnerabilities in total. One of them has been exploited and two vulnerabilities have been made public before today.
I made a video for yesterday's diary entry "Maldoc Analysis of the Weekend" (the analysis of a Word document with VBA launching a PowerShell command).
I did some research into the delivery of the malicious documents I analyzed this weekend (diary entries here and here).
Yesterday I received malicious Office document request15.doc (MD5 8598361ecbbffb35900d0720b0316a56).
Here is an interesting sample! It's a phishing page which entices the user to connect to his/her account to retrieve a potentially interesting document. As you can see, it's a classic one:
User Access Control (UAC) is a feature Microsoft added a long time ago (initially with Windows Vista) in an attempt to limit what local administrators can do on Windows. Basically, when a user who is a local administrator logs in, his session token will only have basic privileges, even though the user is actually an administrator.
If you are like me, at some point in most penetration tests you'll have a session on a Windows host, and you'll have an opportunity to dump Windows credentials from that host, usually using Mimikatz. Mimikatz parses credentials (either clear-text or hashes) out of the LSASS process, or at least that's where it started - since its original version back in the day, it has expanded to cover several different attack vectors. An attacker can then use these credentials to "pivot" to attack other resources in the network - this is commonly called "lateral movement", though in many cases you're actually walking "up the tree" to ever-more-valuable targets in the infrastructure.
Caleb, one of our readers, has reported that Wikipedia articles have been "primed" and are being used actively in the various fake tech support phone campaigns. For instance, the Wikipedia article for SpyEye (https://en.wikipedia.org/wiki/SpyEye#cite_note-trusteerzeus-5 ) now contains this paragraph:
All too often when doing an internal security assessment or penetration test, a simple NMAP scan will find back-end infrastructure such as RADIUS servers, Hypervisors, iLo, iDRAC and other BMC host addresses - essentially the parts of the datacenter that real people shouldn't need access to.
Reader Carlos submitted an email with an attachment. It's a phishing email, the attachment is an HTML file, although the criminals try to make the recipient believe that it is a PDF file.
I created a video showing how to de-obfuscate a DOSfuscated PowerShell command obtained from a maldoc I analyzed in diary entry "De-DOSfuscation Example":
Reader Frank submitted a suspicious email with attachment: a score of zero on VirusTotal, but McAfee warned for an exploit. Taking a look at the content, Frank noticed content that looked like encrypted code.
At the Internet Storm Center, we regularly get malware and fraudulent emails including Bitcoin addresses. Like the extortion emails including leaked passwords. And we often search online for these Bitcoin addresses, to see what else we can find.
If you are doing memory forensics using Volatility, maybe you have noticed that one of the disadvantages is that you can't do a live analysis. If you need to do live memory forensics, then Rekall is your best friend.
While reviewing my honeypot logs, I found some interesting entries associated with the Mirai botnet starting on 30 November 2018. This is the last log sample that was captured 2 days ago:
In today's world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests etc. We even implement 2FA to help prove that someone is who they say they are when they are authenticating to a site. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. According to the article, there is a large phishing campaign that is targeting Gmail and Yahoo accounts.
The SANS Holiday Hack Challenge is an annual, free CTF. Most of you already know that.
In most of our networks, endpoints are often the weakest link because they are more difficult to control (example: laptops are travelling, used at home, etc). They can also be located in different locations, even different countries for the biggest organizations. To better manage them, tools can be deployed to perform many different tasks:
The Christmas break is coming for most of us, let's take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce the risk of being infected by malware. As best practices, we must have antivirus enabled, we can deploy AppLocker to allow only authorized applications to be launched, we can restrict applications from being executed from locations like %APPDATA% or %TEMP%, but there are tools that are much more difficult to restrict on a regular host like... Powershell! If you uninstall Powershell from a modern Windows version, you'll simply miss nice features. That's why, in many cases, a simple uninstall is not possible. That's also the reason why Powershell remains a nice first stage infection method:
Microsoft just published an out-of-band patch for Internet Explorer. It fixes a memory corruption vulnerability in the scripting engine. This vulnerability is identified as %%cve:2018-8653%%.
Reader Jason submitted a malicious document that he analyzed completely. A small problem encountered by Jason was the following: the malicious document, emailed to his users, was contained in a password protected ZIP file.
Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-CERT issued an alert regarding RDP being actively used and exploited by malicious actors, released by the FBI.
I received some questions about the de-DOSfuscation I did with Python in my last diary entry: "Yet Another DOSfuscation Sample".
First sextortion, now bombstortion?
Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to click on a link, disclose personal information or more…
December 2018 Security Updates
Richard Porter --- ISC Handler on Duty
Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.
Last week, the arrest of MENG Wanzou made big waves in the news. Ms. Meng was arrested in Canada based on an arrest warrant issued for the United States Department of Justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advanced fee scams leveraging this news.
Reader Jason submitted a ZIP file received via email. It contains an MHT file, and when Jason received it, it had 0 detections on VirusTotal.
Over the last few days we're seeing increased attacks from %%ip:126.96.36.199%%, which is trying to exploit open Docker instances (%%port:2375%%). The container (being named java123) is based on image ahtihhebs/picture124, and executed with payload:
If you haven't uninstalled Flash yet, maybe today should be that day. The update posted yesterday has a remote code exec proof-of-concept already here:
In many penetration tests, there'll be a point where you need to exfiltrate some data. Sometimes this is a situation of "OK, we got the crown jewels, let's get the data off premise". Or sometimes in this phase of the test the goal is "let's make some noise and see if they're watching for data exfiltration - hmm, nothing yet, let's make some LOUDER noise and see (and so on)". As with most things, there's a spectrum of methods to move the target data out, with various levels of difficulty for detection.
Reader Mike submitted a malicious Word document. The document (MD5 6c975352821d2532d8387f19457b584e) contains obfuscated VBA code that launches a shell command. That shell command is hidden somewhere in the document (not in the VBA code).
Wireshark version 2.6.5 is available: release notes.