Last Updated: 2016-06-10 06:22:12 UTC
by Xavier Mertens (Version: 1)
Sometimes students ask me the best way to jump into "the security world". I usually compare information security to medicine: You start with a common base (a strong knowledge in "IT") then you must choose a "specialization": auditor, architect, penetration tester, reverse engineer, incident handler, etc. Basically, those specializations can be grouped in two categories: "offensive" and "defensive". Many people like the first one because it looks more funny and the portrait of the hacker as depicted in Hollywood movies is tough! Being involved in a few call for papers for security conferences, I see a clear trend in submissions focusing on offensive security.
If breaking stuff is always nice (playing the "red team"), being able to defend them against attackers is also very rewarding (playing the "blue team"). So, back to the first student's question: Which side of the force to choose? I can't answer this question for you! It's a very personal choice based on your feelings but one thing is certain. There is clear overlapping between offensive and defensive security. Why? Here are two examples.
First from a defender perspective. To be able to properly defend your assets, you must know what techniques and tools will use the bad guys against you. This is the principle of "Know your enemy!". If you're involved in a security incident, your knowledge of the bad side will be very helpful to find how your server was compromised. If you're implementing a solution or writing some code, try to think as a bad guy and ask yourself "How would I try to break my setup".
On the other side, from an attacker perspective, you can improve your tasks by using defenders' techniques. While performing a pentest, we don't have unlimited time. A good idea is to rely on forensics investigation techniques. Indeed, operating systems like Microsoft Windows are well-known to keep trace of all the user activities in multiple places. It is possible to trace back all the actions performed by a user (which applications he started, the last files opened, network shares mounted, etc). This is a gold mine for a pentester too. Imagine that you just compromised a computer. You've your Meterpreter shell ready. And now? To save your time, just check the latest files opened by the victim, there are chances that they will be business related and contain juicy information. Which internal sites he visited? That's nice targets to pivot!
So, offensive or defensive security? Choose the one you like but think about both!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
Last Updated: 2016-06-09 00:11:10 UTC
by Brad Duncan (Version: 1)
About a week ago, I stopped seeing the daily deluge of malicious spam (malspam) distributing Dridex banking trojans or Locky ransomware. Before this month, I generally noticed multiple waves of Dridex/Locky malspam almost every day. This malspam contains attachments with zipped .js files or Microsoft Office documents designed to download and install the malware.
I haven't found much discussion about the current absence of Dridex/Locky malspam. Since the actor(s) behind Dridex started distributing Locky in back in February 2016 , I can't recall any lengthy absence of this malspam.
Shown above: Have others noticed a lull in Dridex/Locky? 
Of course, other campaigns are ongoing, so I figure it's time to review other examples of malspam. These campaigns are somewhat harder to find than Dridex/Locky malspam, but they're certainly out there.
However, my field of view is limited, and I can only report on what I'm seeing. With that in mind, this diary reviews two examples of malspam I found on Wednesday 2016-06-08.
Our first example was sent to one of the ISC handlers' email aliases. This example has a zipped .js file attachment.
Running the extracted .js file on a Windows host generated plenty of HTTP traffic.
I saw plenty of artifacts on the infected host, and at least one of the items appears to be Andromeda, based on alerts seen when I played back a pcap of the traffic in Security Onion using Suricata with the ETPRO ruleset.
The Snort subscriber ruleset also generated alerts on the same traffic that triggered Andromeda hits with the ETPRO ruleset.
Our second example is Brazilian malspam in Portuguese sent to a different email address. Instead of an attachment, this one has a link to download the malware.
The link from the malspam redirected to malware hosted on 4shared.com.
Here's what the HTTP traffic looked like from the infected host:
In addition to the HTTP traffic, I saw IRC activity on TCP port 443 from the infected host to a server on ssl.houselannister.top at 220.127.116.11.
Of note, the hostname/username for my infected Windows host in this pcap is a throwaway. Also, the IP address listed in the IRC channel is not the actual IP address of my infected host.
Alerts from this traffic show a Mikey variant, and this infection apparently added my Windows host to a botnet.
Indicators of compromise (IOC) - first example
Domain used for the initial malware download by the .js file:
- 18.104.22.168 port 80 - www.owifdsferger.net
- 22.214.171.124 port 80 - www.dorimelds.at
- 126.96.36.199 port 80 - www.opaosdfdksdfd.ro
- 188.8.131.52 port 80 - www.brusasport.com
Post infection traffic that triggered alerts for Andromeda malware:
- 184.108.40.206 port 80 - secure.adnxs.metalsystems.it - POST /new_and/state.php
Other HTTP traffic during this infection:
- 220.127.116.11 port 80 - antoniocaroli.it - GET /prova/sd/Lnoort.exe
- 18.104.22.168 port 80 - www.antoniocaroli.it - GET /prova/sd/Lnoort.exe
- 22.214.171.124 port 80 - antoniocaroli.it - GET /prova/sd/romeo.exe
- 126.96.36.199 port 80 - www.antoniocaroli.it - GET /prova/sd/romeo.exe
- 188.8.131.52 port 80 - www.amicimusica.ud.it - GET /audio/js.mod
- 184.108.40.206 port 80 - 220.127.116.11 - GET /js/calc.pack
- 18.104.22.168 port 80 - statcollector.at - GET /statfiles/pz/ft.so
- 22.214.171.124 port 2352 - Attempted TCP connection to dop.premiocastelloacaja.com
- 126.96.36.199 port 80 - goyanok.at - HTTP POST triggered alert for Ursnif variant
Indicators of compromise (IOC) - second example
Traffic to retrieve the initial malware:
- 188.8.131.52 port 80 - www.grupoc4.top - GET /m.php?id=[name]
- NOTE: See the pcap for the URL from 4shared.com hosting the initial malware
- 184.108.40.206 port 80 - www.ruthless.sexy - Callback from the infected host
- 220.127.116.11 port 80 - lol.devyatinskiy.ru - Callback from the infected host
- 18.104.22.168 port 80 - api.devyatinskiy.ru - Callback from the infected host
- 22.214.171.124 port 80 - 126.96.36.199 - GET /fix.dll
- 188.8.131.52 port 443 - attempted TCP connections to imestre.cheddarmcmelt.top
- 184.108.40.206 port 443 - IRC traffic to ssl.houselannister.top
Malspam is a pretty low-level threat, in my opinion. Most people recognize the malspam and will never click on the attachments or links. For those more likely to click, software restriction policies can play a role in preventing infections. And finally, people should be using properly administered Windows hosts and follow best security practices (up-to-date applications, latest OS patches, etc).
The same thing goes for Dridex/Locky malspam, which I expect will return soon enough.
But many vulnerable hosts are still out there, and enough people using those hosts are still tricked by this malspam. That's probably why malspam remains a profitable method to distribute malware.
Pcaps and malware for this ISC diary can be found here.
brad [at] malware-traffic-analysis.net