When Johannes mentioned a VLC update (version 3.0.18) on Thursday's Stormcast, I started VLC and let it check for updates: it reported that I had the latest version. But I knew I didn't.

Saturday I checked again, still no updates. So I started Wireshark, let VLC do an update check, and saw this:

An HTTP request is made to host update.videolan.org path /vlc/status-win-x64. The reply says 3.0.16 is the latest version.

That's why I get no updates when VLC does the check.

The same is true for 32-bit VLC.

I informed the Videolan team.

Update: the version files are updated:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Guy's diary entry "Linux LOLBins Applications Available in Windows" reminded me of another Linux tool that is available on Windows: the ancient finger command.

Here is an example with weather info for the North Pole:

Communication takes place over TCP. Destination port is 79.

The finger.exe command sends the string before the @ sign to the host specified after the @ sign.

finger.exe is not proxy aware, and port 79 is hardcoded inside the finger.exe executable. Not as a number, but as a protocol name (finger) that is defined in the services list (%SystemRoot%\system32\drivers\etc\services);

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Some useful Linux applications that are now part of default installation in Windows 10, Windows Server 2019/2022 (LOLBins - Living Off the Land Binaries). 

 

cURL

 

The first one is curl which can be very useful for scripting to download or upload files and/or use with a username/password (curl --help) and save the output either to a new filename or the same:

 

C:\Users\guy\Downloads>curl https://handlers.sans.edu/gbruneau/scripts/Example.csv -o Example.csv
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  230k  100  230k    0     0  1443k      0 --:--:-- --:--:-- --:--:-- 1461k

 

tar

 

The next application is tar (tar --help) is used to store, extract and manipulate archive files. Let’s take the previous file Example.csv, archive and compress it and then review the result. Using the same options as Linux will use gzip compression and create the file Example.tgz:

 

-c Create  -r Add/Replace  -t List  -u Update  -x Extract
-f <filename>  Location of archive
-v Verbose
-z, -j, -J, --lzma  Compress archive with gzip/bzip2/xz/lzma

C:\Users\guy\Downloads>tar zcvf example.tgz Example.csv
C:\Users\guy\Downloads>dir Example.*
 Volume in drive C is Starbase
 Volume Serial Number is EEB2-C010

 Directory of C:\Users\guy\Downloads

12/03/2022  01:39 PM           236,526 Example.csv
12/03/2022  01:46 PM            38,247 example.tgz
 

To extract the file(s), using the following command:

C:\Users\guy\Downloads>tar xvf example.tgz
x Example.csv

 

To view the content of the archive:

 

c:\Users\guy\Downloads>tar ztvf Example.tgz
-rw-rw-rw-  0 0      0      236526 Dec 03 13:39 Example.csv

 

PktMON

 

This tool is a Windows original which I think is worth mentionning again. I wrote a diary in May 2020 [1] on how to use PktMON to capture packets using this tool in Windows 10. The resulting packet capture can be converted into a pcapng format to be read later with Wireshark.

 

OpenSSH

 

The last one that is always useful is ssh/scp/sftp which is using the OpenSSH. The location of the OpenSSH binaries is: C:\Windows\System32\OpenSSH

 

ssh
scp
sftp
ssh-add.exe
ssh-agent.exe
ssh-keygen.exe
ssh-keyscan.exe

 

First lest create some public/private keys using the default user home directory:

 

C:\Users\guy>ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\guy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\guy/.ssh/id_rsa.
Your public key has been saved in C:\Users\guy/.ssh/id_rsa.pub.
[...]
C:\Users\guy>cd .ssh

C:\Users\guy\.ssh>dir
 Volume in drive C is Starbase
 Volume Serial Number is EEB2-C010

 Directory of C:\Users\guy\.ssh

12/03/2022  02:10 PM    <DIR>          .
12/03/2022  02:10 PM    <DIR>          ..
12/03/2022  02:10 PM             2,655 id_rsa
12/03/2022  02:10 PM               567 id_rsa.pub
11/10/2022  01:49 PM               545 known_hosts

 

Now ssh/scp/sftp is ready to use with a public key to a remote server. By default OpenSSH doesn't run the SSH listener service but it can be configured using the information posted here in a Microsoft article.

 

[1] https://isc.sans.edu/diary/Windows+10+Builtin+Packet+Sniffer+PktMon/26186
[2] https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview
[3] https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_server_configuration
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Introduction

Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years.  During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.

Metadata tags in the malware code are tied to a specific distribution campaign.  The "obama" series distribution tag includes a 3-digit suffix, and it currently represents thread-hijacked emails with attachments for HTML smuggling.  When opened, the attached HTML file presents a password-protected zip archive to download, and the web page displays the password.

In recent months, password-protected zip archives for Qakbot have contained disk images using the .iso file extension.  However, on Thursday 2022-12-01, zip archives for obama224 Qakbot contained images using the .vhd file extension.

VHD files have been used by other criminal groups to distribute malware, but this is the first I remember seeing them for obama-series Qakbot.

In Microsoft Windows, ISO files can easily be mounted by any normal user account.  However, VHD images require an administrative Windows account.  Because of this, normal user accounts in an Active Directory (AD) environment cannot mount VHD files on a Windows client without administrative login credentials.  VHD images can easily mount on stand-alone Windows 10 or 11 hosts that use administrative accounts.

Shown above:  Chain of events for obama224 distribution Qakbot activity.

Qakbot infections occasionally lead to VNC activity.  Qakbot also leads to Cobalt Strike if the infected host is part of an AD environment.  This was the case as recently as Monday 2022-11-28 with a BB08 distribution Qakbot infection.

Let's review an infection in my lab environment, using screenshots from each step of the process.

Step by Step Screenshots

Shown above:  Thread-hijacked email with an attachment for HTML smuggling opened in Thunderbird.

Shown above:  The same email in Microsoft Outlook can open the HTML attachment in Microsoft Edge.

Shown above:  Opening the HTML attachment Microsoft Edge presents a password-protected zip archive and shows u1515 as its password.

Shown above:  Using the password to click our way to the VHD image.

Shown above:  In an AD environment, you need administrative permissions to mount the VHD image.

Shown above:  Contents of the VHD image.

I used the domain administrator login credentials to mount the VHD image.  It mounted as the next available drive letter, using DOCFOLDER as the newly-mounted disk's name.  Double-clicking the visible Windows shortcut runs a hidden Qakbot DLL.  The shortcut uses a command prompt (cmd.exe) to run rundll32.exe [filename],DrawThemeIcon as its target.

While Qakbot is quite dangerous, this type of infection requires a victim with administrative access willing to click through various notifications and warnings before an infection occurs.

Shown above:  The last warning I clicked through to infect my lab host.

Final Words

While this campaign is clever, it uses VHD images that require administrative access to successfully infect a Windows host.  How effective this is in an AD environment?  How many organizations allow administrative privileges for all user accounts?  Unfortunately, poor security practices can overcome some of the most effective security measures.  Human nature is why malware like Qakbot remains successful, despite the increased security of default Windows settings.

13 examples of malspam from Thursday 2022-12-01, along with the associated HTML files, VHD images, and Qakbot DLL files are available here.

Brad Duncan
brad [at] malware-traffic-analysis.net

Earlier today, I was browser recently made public vulnerabilities for tomorrow's version of our @Risk newsletter. What stuck out was a set of about twenty vulnerabilities in Netgear and DLink routers:

%%CVE:2022-44186%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_pri.
%%CVE:2022-44187%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via wan_dns1_pri.
%%CVE:2022-44188%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter enable_band_steering.
%%CVE:2022-44190%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.
%%CVE:2022-44191%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameters KEY1 and KEY2.
%%CVE:2022-44193%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameters: starthour, startminute , endhour, and endminute.
%%CVE:2022-44194%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameters apmode_dns1_pri and apmode_dns1_sec.
%%CVE:2022-44196%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_push1.
%%CVE:2022-44197%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
%%CVE:2022-44198%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_push1.
%%CVE:2022-44199%% -  Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter openvpn_server_ip.
%%CVE:2022-44200%% -  Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.
%%CVE:2022-44184%% -  Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/httpd via parameter wan_dns1_sec.
%%CVE:2022-44201%% -  D-Link DIR823G 1.02B05 is vulnerable to Commad Injection.
%%CVE:2022-44202%% -  D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow.
%%CVE:2022-44801%% -  D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control.
%%CVE:2022-44804%% -  D-Link DIR-882 1.10B02 and1.20B06 is vulnerable to Buffer Overflow via the websRedirect function.
%%CVE:2022-44806%% -  D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow.
%%CVE:2022-44807%% -  D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow via webGetVarString.

Interestingly, both the Netgear and the D-Link security pages are silent about it. The D-Link.

The Netgear page lists another vulnerability for today. D-Link's page appears to have yet to be updated. The last D-Link vulnerability seems to have been patched about two years ago.

All vulnerability point to the same GitHub repo for exploit code, but the link in the NVD database isn't working. The repository, however, exists with various IoT vulnerabilities and exploits. It is hard to match up the vulnerabilities with specific exploits.

So what does this all mean:

1. Vendors aren't going to save you.
2. Your router is probably vulnerable.
3. If you still have the admin interface exposed (and that is what appears to be targeted here): Consider yourself lucky. Someone else will probably upgrade the router for you to prevent others from taking hold of it.
4. Use a non-default password and a non-default network address scheme internally to make attacks via the browser (SSRF, CSRF...) more difficult.
5. Use a "proper" open-source router. (OPNSense, PFSense...) . At least you will not have paid a vendor for software they stopped supporting during beta testing, and I find them MUCH easier to keep up to date.

Sorry for the rant.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|