I created a video showing how to de-obfuscate a DOSfuscated PowerShell command obtained from a maldoc I analyzed in diary entry "De-DOSfuscation Example":
Reader Frank submitted a suspicious email with attachment: a score of zero on VirusTotal, but McAfee warned for an exploit. Taking a look at the content, Frank noticed content that looked like encrypted code.
At the Internet Storm Center, we regularly get malware and fraudulent emails including Bitcoin addresses. Like the extortion emails including leaked passwords. And we often search online for these Bitcoin addresses, to see what else we can find.
If you are doing memory forensics using Volatility, maybe you have noticed that one of its disadvantages is that you can't do live analysis. If you need to do live memory forensics, then Rekall is your best friend.
While reviewing my honeypot logs, I found some interesting entries associated with the Mirai botnet starting on 30 November 2018. This is the last log sample that was captured 2 days ago:
In today's world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests etc. We even implement 2FA to help prove that someone is who they say they are when they are authenticating to a site. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA. According to the article, there is a large phishing campaign that is targeting Gmail and Yahoo accounts.
The SANS Holiday Hack Challenge is an annual, free CTF. Most of you already know that.
In most of our networks, endpoints are often the weakest link because they are more difficult to control (for example, laptops travel and are used at home). They can also be spread across different locations, even countries, in the biggest organizations. To better manage them, tools can be deployed to perform many different tasks:
The Christmas break is coming for most of us, let's take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce the risk of being infected by malware. As best practices, we must have antivirus enabled, we can deploy AppLocker to allow only authorized applications to be launched, we can restrict applications from being executed from locations like %APPDATA% or %TEMP%, but there are tools that are much more difficult to restrict on a regular host like... PowerShell! If you uninstall PowerShell from a modern Windows version, you'll simply miss nice features. That's why, in many cases, a simple uninstall is not possible. That's also the reason why PowerShell remains a nice first stage infection method:
Microsoft just published an out-of-band patch for Internet Explorer. It fixes a memory corruption vulnerability in the scripting engine. This vulnerability is identified as %%cve:2018-8653%%.
Reader Jason submitted a malicious document that he analyzed completely. A small problem encountered by Jason was the following: the malicious document, emailed to his users, was contained in a password protected ZIP file.
Over the past several months I have been observing random Remote Desktop Protocol (RDP) activity targeting my honeypot. Back in September, US-CERT issued an alert, released by the FBI, regarding RDP being actively used and exploited by malicious actors.
I received some questions about the de-DOSfuscation I did with Python in my last diary entry: "Yet Another DOSfuscation Sample".
First sextortion, now bombstortion?
Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to click on a link, disclose personal information or more…
December 2018 Security Updates
Richard Porter --- ISC Handler on Duty
Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.
Last week, the arrest of MENG Wanzhou made big waves in the news. Ms. Meng was arrested in Canada based on an arrest warrant issued for the United States Department of Justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advanced fee scams leveraging this news.
Reader Jason submitted a ZIP file received via email. It contains an MHT file, and when Jason received it, it had 0 detections on VirusTotal.
Over the last few days we've been seeing increased attacks from %%ip:188.8.131.52%%, which is trying to exploit open Docker instances (%%port:2375%%). The container (named java123) is based on the image ahtihhebs/picture124, and is executed with the payload:
If you haven't uninstalled Flash yet, maybe today should be that day. The update posted yesterday has a remote code exec proof-of-concept already here:
In many penetration tests, there'll be a point where you need to exfiltrate some data. Sometimes this is a situation of "OK, we got the crown jewels, let's get the data off premise". Or sometimes in this phase of the test the goal is "let's make some noise and see if they're watching for data exfiltration - hmm, nothing yet, let's make some LOUDER noise and see (and so on)". As with most things, there's a spectrum of methods to move the target data out, with various levels of difficulty for detection.
Reader Mike submitted a malicious Word document. The document (MD5 6c975352821d2532d8387f19457b584e) contains obfuscated VBA code that launches a shell command. That shell command is hidden somewhere in the document (not in the VBA code).
Wireshark version 2.6.5 is available: release notes.
We've seen Elasticsearch being exploited using queries with script_fields for a while now, but we're seeing increased activity.
Yesterday, I wrote a diary about a nice obfuscated shell script. Today, I found another example of malicious shell script embedded in an Apple .dmg file (an Apple Disk Image). The file was delivered through a fake Flash update webpage:
One of our readers, Nathaniel Vos, shared an interesting shell script with us, and thanks to him! He found it on an embedded Linux device, more precisely a QNAP NAS running QTS 4.3. After some quick investigation, it looked like the script was not brand new: we found references to it already posted in September 2018. But such shell scripts are less common: shell scripts are usually not obfuscated and they perform basic tasks like downloading and installing some binaries. So, I took the time to look at it.
ViperMonkey: a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files.
I made a video for my diary entry "Dissecting a CVE-2017-18822 Exploit":
By default the Docker Engine API listens on a Unix socket only, but the HTTP interface can be configured and will listen on port 2375. If you need to have an HTTP listener, configure it to listen on local IPs only. Shodan will give almost 800 accessible Docker Engine APIs. Open Docker Engine APIs are being actively scanned, as we've detected in our Honeytrap network.
In politics, there is a strategy which says "divide and conquer". It's also true for some pieces of malware that spread their malicious code amongst multiple sources. One of our readers shared a sample of PowerShell code found on Pastebin that applies exactly this technique. Thanks to him!
I am sure that many penetration testers among our readers try to minimize their travel. While many years ago we had to be physically present for internal penetration tests, today it is very common that client organizations set up virtual machines for penetration testers, which are then used to perform internal penetration tests.
Apache today released an advisory, urging users who run Apache Struts 2.3.x to update the commons-fileupload component. Struts 2.3.x uses by default the old 1.3.2 version of commons-fileupload. In November of 2016, a deserialization vulnerability was disclosed and patched in commons-fileupload. The vulnerability can lead to arbitrary remote code execution.
Here is another example of a malicious PowerShell script found while hunting. Such scripts remain a common attack vector and many of them can be easily detected just by looking for some specific strings. Here is an example of a YARA rule that I'm using to hunt for malicious PowerShell scripts:
About a week ago, I was asked for help with another malicious RTF file.
Last week, in the inception diary of this series, I talked about LaunchAgent and LaunchDaemon, probably the best known and most popular persistence mechanisms under macOS. But there are other mechanisms, definitely not new and well known in the *nix world, which are still linked to or managed by launchd:
I received a malicious Word document with detections on VirusTotal, but it does not exhibit malicious behavior in a sandbox.
Microsoft's Windows Defender on Windows 10 supports sandboxing now.
Reader Tor submitted a suspicious email he received today. It has a Word document attachment, which, no surprise, has VBA macros.
I was asked how I knew that the content of the email in my last diary entry was compressed RTF.
A few months ago, Rob wrote a nice diary to explain how to dissect a (malicious) Office document (.docx). The approach was to use the OpenXML SDK with PowerShell. This is nice, but how can you achieve the same on a Linux system? One of our readers (thanks Mike!) provided us with the steps to perform the same kind of analysis, but on a Kali instance (replace Kali with your preferred distribution).
The most visible scams you typically see are distributed rather broadly without targeting specific groups. They usually operate on the assumption that they will hit at least a couple of victims willing to fork over some money for the elusive gain promised by the scam. On the other hand, scams can be more effective if they target smaller groups. The scam can use a message that is particularly focused on the concerns of that group.