While most of us are preparing the switch to a new year (if it’s already the case for you: Happy New Year!), attackers never stop and keep coming up with new tricks to defeat our security controls. For a long time now, we have been flooded with sextortion emails. This is a kind of blackmail in which someone threatens to share explicit images or videos unless the victim meets their demands. Even today, I still regularly receive some of them.
Monthly Archives: December 2024
Changes in SSL and TLS support in 2024, (Mon, Dec 30th)
With the end of the year quickly approaching, it is a good time to look at what has changed during the past 12 months. One security-related area that deserves special attention in this context is the support for different versions of SSL and TLS on servers across the internet, since information about support for these protocols gives us a good informal indicator of the overall “level of security” of the global network as a whole.
Phishing for Banking Information, (Fri, Dec 27th)
It is again the time of year when scammers ask you to verify banking information, whether it is a credit card, a bank card, package shipping details, money you have supposedly won, etc. Last night I received a text message asking me to verify a credit card, in this case a Bank of Montreal (BMO) credit card.
According to the Bank of Montreal (BMO) website scam alerts, they use a specific SMS number to text their customers: "The only BMO Alert you will receive on your mobile device via SMS regarding your accounts and credit cards will come from our 6-digit number “266898.” Our code never changes, so use this code to determine if it is BMO messaging you." [1] It is important to know how your bank will contact you by SMS. This is a copy of the text I received.
Is it Phishing? Any Suspicious Clues that Stand Out?
- The text I received came from a (438) area code and not from BMO's short code; that is the first error.
- The second error is the card number "Starting in 5510 29**": statements normally show the last four digits of the card, not the first ones.
- The last clue is the website name, which contains spelling errors: bmo-securltyverlfy1[.]com [4]. The domain is spelled with the letter "l" where the letter "i" would be expected. This domain was registered on 2024-12-11 [5], just in time for the holiday season.
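The three clues above can be turned into a small triage routine. The following is an added example written for this page, not code from the diary or from BMO: it checks the sender against the 266898 short code quoted from BMO, flags a message that quotes the first digits of a card, and folds look-alike characters in any domain it finds so that the "l" for "i" swap in bmo-securltyverlfy1[.]com becomes visible. The allow-list, the confusables table and the two sample messages (fictional phone number) are constructed for the example.

```python
import re

# The only sender BMO says it uses for SMS alerts, quoted from its scam-alert page.
LEGIT_SHORT_CODE = "266898"
# Domains the bank actually uses (assumption: a minimal allow-list for illustration).
LEGIT_DOMAINS = {"bmo.com"}
# Characters that pass for others at a glance; the phishing domain above swaps "l" for "i".
# Assumption: a short illustrative table, not an exhaustive confusables list.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})

# Matches plain and defanged ("[.]") domain names.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,})\b", re.I)
# Lures quote the *first* digits of a card; genuine statements show the last four.
LEADING_DIGITS_RE = re.compile(r"starting (?:in|with) \d{4}", re.I)


def refang(domain):
    return domain.lower().replace("[.]", ".")


def lookalike_domains(text):
    """Return (domain, used_confusables) for every domain that reads as the bank's brand
    once look-alike characters are folded, but is not on the allow-list."""
    hits = []
    for raw in DOMAIN_RE.findall(text):
        plain = refang(raw)
        if plain in LEGIT_DOMAINS:
            continue
        folded = plain.translate(CONFUSABLES)
        if "bmo" in folded:
            hits.append((plain, folded != plain))
    return hits


def triage_sms(sender, body):
    """Apply the three checks from the diary to one message; an empty list means nothing stood out."""
    findings = []
    if re.sub(r"\D", "", sender) != LEGIT_SHORT_CODE:
        findings.append(f"sender {sender} is not the bank's short code {LEGIT_SHORT_CODE}")
    if LEADING_DIGITS_RE.search(body):
        findings.append("message quotes the leading digits of the card instead of the last four")
    for domain, swapped in lookalike_domains(body):
        note = " (look-alike characters substituted)" if swapped else ""
        findings.append(f"domain {domain} impersonates the bank{note}")
    return findings


# Constructed sample messages; the phone number is fictional.
PHISH_SMS = ("438-555-0199",
             "BMO Alert: your card Starting in 5510 29** has been suspended. "
             "Verify now at bmo-securltyverlfy1[.]com")
LEGIT_SMS = ("266898",
             "BMO Alert: a purchase of $42.10 was made on the card ending in 1234. "
             "Details at bmo.com")

if __name__ == "__main__":
    for sender, body in (PHISH_SMS, LEGIT_SMS):
        print(sender, "->", triage_sms(sender, body) or ["no findings"])
```

The folding step is deliberately crude: it only has to make a typosquat collapse onto the brand it imitates, and any non-allow-listed domain that then contains the brand is worth a second look.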
Reviewing Domain Information
This domain resolves to IP 34.155.192.52 (ASN 396982). A review of the VirusTotal relationship information for this domain shows that, as of this writing, 81 domains [2] have been created since 23 Dec 2024 under this IP address, targeting Canada Post, Scotiabank, rebate information, e-transfers, Costco rewards, etc.
Indicators
34.155.192.52
bmo-securltyverlfy1[.]com
Review the data carefully before entering any information. Stay safe.
[1] https://www.bmo.com/en-ca/main/personal/security-centre/scam-alerts/
[2] https://www.virustotal.com/gui/ip-address/34.155.192.52/relations
[3] https://www.virustotal.com/graph/34.155.192.52
[4] https://www.hybrid-analysis.com/sample/c76cbf6e22734f177e024e1fee02ed17a53413e0dfee02c6a6601be28280b167
[5] https://www.scamadviser.com/check-website/bmo-securltyverlfy1.com?utm_source=hybridanalysis
[6] https://www.sans.org/security-awareness-training/
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Capturing Honeypot Data Beyond the Logs, (Thu, Dec 26th)
By default, DShield Honeypots [1] collect firewall, web and cowrie (telnet/ssh) [2] data and log it on the local filesystem. A subset of this data is reported to the SANS Internet Storm Center (ISC), where it can be used by anyone [3]. A common question from new users is whether there is any benefit to collecting PCAP data from the honeypots if the active services are already being logged. One concrete benefit I often mention is HTTP POST data: it is not currently captured in the web honeypot logs, but it can be recovered from the PCAP data.
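To make the point concrete, here is an added example (not part of the diary or of the DShield honeypot code) that pulls HTTP POST requests out of a classic pcap file using only the Python standard library: it walks the pcap records, picks TCP segments carrying data, reassembles each flow by sequence number (dropping exact retransmissions) and then parses the request line, headers and Content-Length-delimited body. The capture it runs on is constructed inline (addresses, ports, URL and body are invented); checksums in the constructed frames are zero, which a parser does not care about but a sender would.

```python
import struct
from collections import defaultdict

# --- Constructed sample traffic (this is not data from a real honeypot) -------------------

def build_tcp_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Ethernet/IPv4/TCP frame with zeroed checksums: fine for an offline parser, not for the wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip   # dst MAC, src MAC, EtherType IPv4


def build_pcap(frames):
    """Classic libpcap container: 24-byte global header, 16-byte record header per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def build_sample_pcap():
    """One POST whose body arrives before its headers (plus a retransmit), one GET, one bare ACK."""
    c, s = (10, 0, 0, 5), (10, 0, 0, 9)
    body = b"cmd=uname%20-a"
    head = (b"POST /cgi-bin/luci HTTP/1.1\r\nHost: honeypot\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    seq = 1000
    return build_pcap([
        build_tcp_frame(c, s, 40000, 8080, seq + len(head), body),
        build_tcp_frame(c, s, 40000, 8080, seq, head),
        build_tcp_frame(c, s, 40000, 8080, seq, head),               # duplicate segment
        build_tcp_frame(c, s, 40001, 8080, 2000, b"GET / HTTP/1.1\r\nHost: honeypot\r\n\r\n"),
        build_tcp_frame(s, c, 8080, 40000, 5000, b"", flags=0x10),   # ACK only, no payload
    ])


SAMPLE_PCAP = build_sample_pcap()

# --- Parser -------------------------------------------------------------------------------

def iter_tcp_payloads(pcap):
    """Yield (flow key, seq, payload) for every TCP segment that carries data (LE pcap, Ethernet)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (frame[26:30], sport, frame[30:34], dport), seq, payload


def reassemble_streams(pcap):
    """Order segments by sequence number; keying on seq also drops exact retransmissions."""
    streams = defaultdict(dict)
    for key, seq, payload in iter_tcp_payloads(pcap):
        streams[key][seq] = payload
    return {key: b"".join(p for _, p in sorted(segs.items())) for key, segs in streams.items()}


def extract_http_posts(pcap):
    """Return every HTTP POST (request line, headers, body) found in the reassembled streams."""
    posts = []
    for (src, sport, dst, dport), data in reassemble_streams(pcap).items():
        flow = f"{'.'.join(map(str, src))}:{sport} -> {'.'.join(map(str, dst))}:{dport}"
        pos = 0
        while (start := data.find(b"POST ", pos)) >= 0:
            end = data.find(b"\r\n\r\n", start)
            if end < 0:
                break                                   # headers incomplete in capture
            lines = data[start:end].decode("latin-1").split("\r\n")
            headers = {k.strip().lower(): v.strip()
                       for k, _, v in (line.partition(":") for line in lines[1:])}
            length = int(headers.get("content-length", "0"))
            body = data[end + 4:end + 4 + length]
            posts.append({"flow": flow, "request": lines[0], "headers": headers, "body": body})
            pos = end + 4 + length
    return posts


if __name__ == "__main__":
    for post in extract_http_posts(SAMPLE_PCAP):
        print(post["flow"], post["request"], post["body"])
```

The parser ignores pcapng, VLAN tags, IPv6 and chunked encoding on purpose; for a real honeypot capture those are the first things to add, and tshark with -Y 'http.request.method == "POST"' gets you there faster interactively. The value of writing it out is seeing that the POST body really is sitting in the capture even though no log line records it.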
Compiling Decompyle++ For Windows, (Wed, Dec 25th)
Occasionally I decompile Python code with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler and decompiler written in C++.
It's very easy to compile for Linux, but a bit more difficult on Windows.
This is how I compiled Decompyle++ on Windows:
I used Microsoft Visual Studio Community 2022.
First I launch the Visual Studio 2022 Developer Command Prompt:
Then I download Decompyle++'s source code and navigate to the directory containing it.
There I launch this command: cmake .
And then I can start compilation (I'm compiling the Release configuration): msbuild pycdc.sln -t:Rebuild -p:Configuration=Release
And then I find the disassembler (pycdas.exe) and the decompiler (pycdc.exe) in the Release folder:
Here I use pycdc.exe to decompile a .pyc file:
In case you can't or don't want to compile this yourself, I'm sharing the executables I compiled here.
Didier Stevens
Senior handler
blog.DidierStevens.com
Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
My latest investigation concerns a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID:
Collecting data from file: Albertsons_payment.GZ
100.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
In fact, it is a Windows Cabinet file:
remnux@remnux:/MalwareZoo/20241218$ cabextract -t Albertsons_payment.GZ
Testing cabinet: Albertsons_payment.GZ
  Chine_ana22893D347515193D264135FF38996037FF515169loodatke.PNG  OK  dc156637aebf04336700a9bc71c78aad
  OK  7cd592cb2f2179e188e9e99cb7c06bba
  Svcrhpjadgyclc.cmd  OK  7afcba92a35ba26fcde12f3aba8ff7d8
The archive contains a picture that mimics a document:
The file with strange characters contains only an integer value:
64928
(The purpose is unknown at this time)
The .cmd file looks much more interesting!
Yes, even Windows batch files can be deeply obfuscated! The obfuscation used by the attacker is called “string slicing”: commands are reconstructed by extracting characters from a string. Here is a simple example, a set command followed by an echo and its output:
set "VARIABLE=abcdef"
echo %VARIABLE:~2,1%
c
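A few lines of Python are enough to undo this kind of slicing without executing the script. The following deobfuscator is an added example, not the author's tooling: it tracks set assignments, resolves %NAME%, %NAME:~start% and %NAME:~start,len% references with cmd.exe's substring semantics (a negative start counts from the end, a negative length trims from the end) and repeats until a line stops changing. SAMPLE_CMD is a constructed script in the same style; its variable names and the command it rebuilds are invented for the example.

```python
import re

# %NAME%, %NAME:~start% and %NAME:~start,len% (cmd.exe substring syntax).
REF_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")
# set NAME=VALUE and the quoted form set "NAME=VALUE" used by the dropper.
SET_RE = re.compile(r'^\s*set\s+"?([^="]+)=(.*?)"?\s*$', re.I)


def cmd_substring(value, start, length=None):
    """Mirror cmd.exe slicing: negative start counts from the end; negative length trims the end."""
    n = len(value)
    start = max(n + start, 0) if start < 0 else min(start, n)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, start)
    else:
        end = min(start + length, n)
    return value[start:end]


def expand(line, env, max_rounds=50):
    """Resolve variable references until the line stops changing (obfuscators nest them)."""
    def sub(m):
        value = env.get(m.group(1).upper(), "")   # batch files expand unset variables to nothing
        if m.group(2) is None:
            return value
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    for _ in range(max_rounds):
        new = REF_RE.sub(sub, line)
        if new == line:
            break
        line = new
    return line


def deobfuscate(script):
    """Walk the script once, recording set assignments, and return each line with references resolved."""
    env, out = {}, []
    for raw in script.splitlines():
        line = expand(raw, env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)   # variable names are case-insensitive
        out.append(line)
    return out


# Constructed sample in the dropper's style: a scrambled string and slices that rebuild a command.
SAMPLE_CMD = r'''@echo off
set "VARIABLE=abcdef"
echo %VARIABLE:~2,1%
set "dJw=hex -dcertutilecode"
set "pQ=%dJw:~6,8%%dJw:~3,3%%dJw:~14%%dJw:~0,3%"
%pQ% in.txt out.bin 12
'''

if __name__ == "__main__":
    for line in deobfuscate(SAMPLE_CMD):
        print(line)
```

This is a static pass, so it will not follow goto labels, delayed (!VAR!) expansion or variables that are only set by external commands; when those appear, running the script in a sandbox, as the diary does, is the pragmatic fallback.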
The file also seems to contain an interesting payload:
remnux@remnux:/MalwareZoo/20241218/files$ grep "----" Svcrhpjadgyclc.cmd
%XbymqYoxZh% -----BEGIN X509 CRL-----
-----END X509 CRL-----
Given the file size, and because the technique above is used many times over, deobfuscating by hand would take a long time. Let’s execute the script instead and capture its behaviour:
Here are the most interesting actions performed by the script. It uses a LOLBin called extrac32.exe[1]. To evade security rules that look for suspicious processes, it copies system binaries to another directory under new names. First cmd.exe:
C:\Windows\System32\extrac32 /C /Y C:\Windows\System32\cmd.exe "C:\Users\Public\alpha.exe"
Then certutil.exe:
C:\Users\Public\alpha /c extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe
As the grep command above showed, there is an interesting payload in this file. The copy of certutil.exe is used to extract the next stage from the .cmd file in two passes (the trailing number selects certutil's input format: 9 is base64 between X509 CRL headers, which matches the grep hit, and 12 is raw hex):
C:\Users\Public\alpha /c C:\Users\Public\kn -decodehex -F "C:\Users\REM\Desktop\folder\Svcrhpjadgyclc.cmd" "C:\Users\Public\spoolsv.MPEG" 9
C:\Users\Public\alpha /c C:\Users\Public\kn -decodehex -F "C:\Users\Public\spoolsv.MPEG" "C:\Users\Public\Libraries\spoolsv.COM" 12
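The numeric last argument to certutil -decodehex selects a CRYPT_STRING_* input format from wincrypt.h: 9 is CRYPT_STRING_BASE64X509CRLHEADER (base64 between the -----BEGIN X509 CRL----- and -----END X509 CRL----- markers that grep found above) and 12 is CRYPT_STRING_HEXRAW (plain hex digits). The script below is an added example, not the author's code, that replays both passes offline so the embedded stage can be carved on a Linux analysis box without running the dropper. The embedded script and payload bytes are constructed stand-ins: the real spoolsv.COM is not reproduced, and the value given to %XbymqYoxZh% is an assumption.

```python
import base64
import re

# "certutil -decodehex InFile OutFile [type]": the optional type is a CRYPT_STRING_* value.
CRYPT_STRING_BASE64X509CRLHEADER = 9   # base64 between -----BEGIN X509 CRL----- / -----END X509 CRL-----
CRYPT_STRING_HEXRAW = 12               # bare hex digits, no offsets or ASCII column

CRL_BLOCK_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def decode_base64_crl_header(data):
    """Type 9: ignore everything outside the CRL markers (the dropper buries them mid-script),
    strip line breaks and base64-decode what is left."""
    m = CRL_BLOCK_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def decode_hexraw(data):
    """Type 12: the whole input is hex text."""
    return bytes.fromhex(data.decode("ascii"))


DECODERS = {
    CRYPT_STRING_BASE64X509CRLHEADER: decode_base64_crl_header,
    CRYPT_STRING_HEXRAW: decode_hexraw,
}


def certutil_decodehex(data, fmt):
    """Offline stand-in for the two certutil input formats the dropper relies on."""
    return DECODERS[fmt](data)


def carve_payload(cmd_bytes):
    """Replay the dropper's two passes: .cmd -> spoolsv.MPEG (hex text) -> spoolsv.COM (binary)."""
    stage1 = certutil_decodehex(cmd_bytes, CRYPT_STRING_BASE64X509CRLHEADER)
    return certutil_decodehex(stage1, CRYPT_STRING_HEXRAW)


# Constructed stand-ins for the real payload and script (the real spoolsv.COM is not reproduced).
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed stage, not the real binary"
STAGE1 = PAYLOAD.hex().upper().encode()          # what the first pass writes to spoolsv.MPEG
SAMPLE_CMD = (
    b"@echo off\r\n"
    + b"set \"XbymqYoxZh=rem\"\r\n"               # assumption: the prefix variable neutralises the line
    + b"%XbymqYoxZh% -----BEGIN X509 CRL-----\r\n"
    + base64.encodebytes(STAGE1)
    + b"-----END X509 CRL-----\r\n"
    + b"set \"junk=more obfuscated lines would follow\"\r\n"
)

if __name__ == "__main__":
    carved = carve_payload(SAMPLE_CMD)
    print(len(carved), "bytes, starts with", carved[:2])
```

Run against the real Svcrhpjadgyclc.cmd, carve_payload(open(path, "rb").read()) should reproduce the spoolsv.COM the diary hashes; if the first pass fails, check whether the sample uses a different CRYPT_STRING_* type than 9 and add the matching decoder.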
The next stage is spoolsv.com[2] (SHA256: baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d).
The payload is Delphi-based malware that looks like ModiLoader[3] (also known as DBatLoader). It tries to fetch the next stage from this URL: hxxps://swamfoxinnc[.]com/233_Svcrhpjadgy. The site no longer serves the payload, but I was able to grab it from VirusTotal. I simulated the website and its content in my lab, but spoolsv.com crashes: it performs the DNS lookup but never fetches the URL…
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/extract
[2] https://www.virustotal.com/gui/file/baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
Christmas "Gift" Delivered Through SSH, (Fri, Dec 20th)
Christmas is at our doors and attackers use the holiday season to deliver ever more "gifts" into our mailboxes! I found this interesting file this morning: "christmas_slab.pdf.lnk"[1]. Link files (.lnk) are a classic way to execute something malicious on the victim's computer, but the technique used here is interesting.
Command Injection Exploit For PHPUnit before 4.8.28 and 5.x before 5.6.3 [Guest Diary], (Tue, Dec 17th)
[Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th)
Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th)
RATs or “Remote Access Tools” are very popular these days. From an attacker’s point of view, they are a great way to search for and exfiltrate interesting data, but also to pivot internally in the network. Besides malicious RATs, there are legitimate tools used in many organisations for “remote administration”. Well-known examples are VNC, TeamViewer, AnyDesk and many more!