Last Updated: 2017-09-22 23:54:32 UTC
by Russell Eubanks (Version: 1)
Regularly the President of the United States delivers the State of the Union address. This practice "fulfills rules in Article II, Section 3 of the U.S. Constitution, requiring the President to periodically give Congress information on the "state of the union” and recommend any measures that he believes are necessary and expedient.".
What if you as an information security leader held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and the areas of focus for the next year? Communicating to those who are not in our area is certainly a challenge; however, the benefits outweigh the effort in several different ways.
By being intentional at sharing the state of your security union, you can not only deliver the status of your program but also equip your leaders with information they can quite literally share in environments that your team is not able to attend.
What are some candidates to include in your State of the Union?
- Effectiveness of your program
- Opportunities to improve your program
- Communicate recent achievements
- Demonstrate stewardship of your resources
- Show how your team supported objectives of your organization
- Possible actions that you want others to take
- Clear call to action to the leaders to increase support, funding, and staffing
- Opportunity to receive feedback
How are you communicating the State of Your Security Union? Please leave what works in our comments section below!
Last Updated: 2017-09-22 04:02:28 UTC
by Brad Duncan (Version: 1)
I previously wrote a diary on Hancitor back in February 2017. Even though I haven't written a diary about it lately, it's been a near-daily occurrence since then. There's been no significant change, which is why I haven't bothered. Thursday 2017-09-21 included yet another wave of malicious spam (malspam) pushing Hancitor Word documents. Since it's been a while, let's review indicators for this most recent wave.
Hancitor, also known as Chanitor or Tordal, pushed Pony and Vawtrack last year. However, this year it stopped using Vawtrack and now pushes DELoader/ZLoader. The most recent technical write-ups I've seen on Hancitor are here, here, and here.
At least two Twitter accounts routinely tweet indicators for Hancitor malspam like URLs and file hashes. The ones I routinely check are @cheapbyte (example) and @James_inthe_box (example). However, other accounts also tweet Hancitor indicators. You can keep up with this near-daily information by searching Twitter for recent tweets tagged #hancitor.
Thursday's emails were disguised as yet another invoice, this time spoofing a company named Advanced Maintenance. Advanced Maintenance is a general contract and maintenance "handyman" company with various locations in the US. The emails all spoof a domain name registered by the company's President/CEO named advutah.com. However, these messages are not related to Advanced Maintenance, and they do not actually come from that domain.
Advanced Maintenance is aware of this malspam. If you go to the company's official website, you'll see a warning to ignore these emails.
Links in the email point to various URLs designed to download a malicious Word document. As in previous waves of malspam, the downloaded Word document has macros designed to infect a vulnerable Windows computer, if enabled.
I infected a host in my lab. Network traffic was typical for what we've seen in recent months from Hancitor malspam. The only difference? I didn't see a base64 string in the initial HTTP GET request for the Word document like I did earlier this week. That base64 string represents the recipient's email address, which has been standard practice for months now. However, this time, the initial HTTP GET request used a plaintext string for the recipient's email address.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Some alerts from the Snort subscription ruleset using Snort 220.127.116.11.
The infected host
After a cursory search, I couldn't determine how malware stays persistent on an infected Windows host. However, I did find several artifacts for encrypted traffic-related services like Tor.
Indicators of Compromise (IOCs)
The following IOCs and other indictors are for Hancitor malspam on Thursday 2017-09-21.
- Date/Time: Thursday 2017-09-21 as early as 16:58 UTC through at least 18:42 UTC
- Sender (spoofed): "Advanced Maintenance Inc." <email@example.com>
- Examples of subject lines:
- Subject: FW: Your Invoice I114738207 from Advanced Maintenance
- Subject: FW: Your Invoice I131761045 from Advanced Maintenance
- Subject: FW: Your Invoice I144174411 from Advanced Maintenance
- Subject: FW: Your Invoice I156641102 from Advanced Maintenance
- Subject: FW: Your Invoice I182402737 from Advanced Maintenance
- EAFGI.COM - GET /in.php?n=[recipient's email address]
- elefson.info - GET /in.php?n=[recipient's email address]
- elefsonhvac.biz - GET /in.php?n=[recipient's email address]
- TRUSTDEEDCAPITAL.NET - GET /in.php?n=[recipient's email address]
- TRUSTDEEDCAPITAL.ORG - GET /in.php?n=[recipient's email address]
- wpipm.org - GET /in.php?n=[recipient's email address]
- 18.104.22.168 port 80 - saritbida.com - POST /ls5/forum.php
- 22.214.171.124 port 80 - saritbida.com - POST /mlu/forum.php
- 126.96.36.199 port 80 - saritbida.com - POST /d2/about.php
- 188.8.131.52 port 80 - 3dprintbudapest.com - GET /wp-content/plugins/all-in-one-seo-pack/1
- 184.108.40.206 port 80 - 3dprintbudapest.com - GET /wp-content/plugins/all-in-one-seo-pack/2
- 220.127.116.11 port 80 - 3dprintbudapest.com - GET /wp-content/plugins/all-in-one-seo-pack/3
- 18.104.22.168 port 80 - hanrinkedhed.com - POST /bdl/gate.php
- api.ipify.org - GET /
- checkip.dyndns.org - GET /
- Various IP addresses over various TCP ports - Tor traffic
- 10.0.2.2 port 443 - TCP SYN packet approx once avery 5 minutes
Malware recovered from the infected host:
- File size: 390,656 bytes
- File name: invoice_729017.doc
- File description: Word document with macros that run Hancitor
- File size: 194,048 bytes
- File location: C:\Users\[username]\Local\Temp\BNE53F.tmp
- File location: C:\Users\[username]\Roaming\Awceiv\coof.exe
- File description: Follow-up malware, DELoader/ZLoader
As it stands, the open nature of our Internet makes it easy for criminals behind Hancitor malspam and other campaigns to operate. For example:
- Email protocols make it trivially easy for criminals to spoof a sending address and other header lines to mislead recipients.
- Hosting providers and tools like Wordpress allow practically anyone to set up a website, then forget to keep it patched and up-to-date. Enormous numbers of these legitimate websites are compromised by criminals and used in various campaigns.
- Requirements to fraudulently establish an account at a hosting provider are easy to obtain. This encourages a cycle of abuse as criminals establish new servers, those servers are reported, the hosting provider shuts them down, and criminals set up new servers.
- Windows is still a mainstream operating system, and its default settings provide criminals relatively easy targets to infect. Outdated versions like Windows 7 and XP still account for over 50% of the desktop market share. These hosts are even easier to infect, especially if they're not up-to-date and patched.
I view network-enabled computing devices like I view most middle-aged adults living a sedentary lifestyle. Both are probably healthier than they seem, even if there is plenty of room for improvement. All you need is the right mindset. The Internet is a wonderful place, but it's also a great equalizer. Both good and bad people coexist in the same space when we're online. It pays to be careful if you're out and about in a cyber sense--whether you're reading email, browsing the web, or interacting with social media.
As usual, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers. Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring. If you have any other tips, please share them in the comments.
Traffic and malware samples for today's diary can be found here.
brad [at] malware-traffic-analysis.net