Tag Archives: SANS

Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers., (Tue, Dec 6th)

This post was originally published on this site

[This is a guest post submitted by Brock Perry [LinkedIn], one of our sans.edu undergraduate interns]

Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. Attacks against these devices are less likely to be identified by enterprise monitoring techniques, and compromise may go unnoticed. Unwitting users then become part of attack propagation.

An attack on Sept 19th, 2022, followed this familiar pattern, seeking to exploit known vulnerabilities in devices from multiple vendors – including D-Link, eir, Huawei, Netgear, TP-Link, and routers using Realtek SDK.


An attacker or compromised device made numerous attempts to connect to the target with weak SSH credentials before eventually authenticating.

Payload Drop

Upon authenticating, the attack downloads and executes the xd.86 payload.


The xd.86 botnet component searches out new targets. In the first 15 seconds, 1018 connection attempts are made to 115 unique addresses from an otherwise quiet system.

Outbound Connection Attempts

Unique Destinations

Destination ports reveal connections to standard HTTP ports and well-known ports used by Huawei (32715) and Oracle (7574).
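The burst described above (hundreds of new connections to many distinct addresses in seconds from an otherwise quiet host) is exactly what a sliding-window scan detector keys on. The following is an added example, not part of the write-up: it runs a detector over constructed Zeek-style conn records that mirror the diary's numbers (1018 attempts to 115 addresses within 15 seconds, with the HTTP, Huawei and Oracle ports mixed in).

```python
from collections import Counter, defaultdict

PORTS = (80, 8080, 32715, 7574)  # HTTP ports plus the Huawei and Oracle ports noted above

def constructed_log():
    """Constructed Zeek-style conn records (ts uid src sport dst dport proto), not real traffic:
    one host bursts 1018 connection attempts to 115 addresses inside 15 s, another makes one flow."""
    base = 1663600000.0
    lines = [f"{base + i * 15.0 / 1018:.3f} C{i} 10.0.0.5 {40000 + i} "
             f"203.0.113.{i % 115} {PORTS[i % 4]} tcp" for i in range(1018)]
    lines.append(f"{base + 60:.3f} B1 10.0.0.7 51000 198.51.100.9 443 tcp")
    return "\n".join(lines)

def parse_conn_log(text):
    """Parse whitespace-separated conn records into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, _uid, src, _sport, dst, dport, proto = line.split()
        flows.append((float(ts), src, dst, int(dport), proto))
    return flows

def detect_scanners(flows, window=15.0, min_unique_dsts=100):
    """Flag any source that reaches >= min_unique_dsts distinct addresses within a sliding
    time window; the alert keeps the widest window seen and the busiest destination ports."""
    by_src = defaultdict(list)
    for flow in flows:
        by_src[flow[1]].append(flow)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort()
        start = 0
        for end in range(len(fl)):
            while fl[end][0] - fl[start][0] > window:  # slide the window's left edge
                start += 1
            win = fl[start:end + 1]
            unique = len({f[2] for f in win})
            if unique >= min_unique_dsts and unique >= alerts.get(src, {}).get("unique_dsts", 0):
                alerts[src] = {"attempts": len(win), "unique_dsts": unique,
                               "window_start": fl[start][0],
                               "top_ports": Counter(f[3] for f in win).most_common(3)}
    return alerts

if __name__ == "__main__":
    for src, info in detect_scanners(parse_conn_log(constructed_log())).items():
        print(src, info)
```

Tune `window` and `min_unique_dsts` to the host's normal fan-out; a SOHO router or IoT device that suddenly exceeds them is worth isolating before it finds its next victim.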


Eleven attacks are apparent from the strings in xd.86. When a vulnerable device is discovered and authentication succeeds, one of these 11 actions is carried out to propagate the attack further.


[1] – Attack Source – VirusTotal
[2] – Payload Source – VirusTotal
[3] – Main Payload Reputation – VirusTotal – d47eaac87456ac5929363eee7cffc57540f6130539967dd5cdaf0ddca04e1e94
[4] – Secondary Payloads
lol.sh – f0d12efb246fac3a93f2cab32924e202eddbe92e7d80ba8be3219f5aadf0551e
xd.mips – 19e9baefa16cef3bede1d8b58992fe2e3d857c4fd38a102bf06c577a25502d60
xd.arm7 – 9069ff0e1c75cae1f7b2db10c244004c84791f4f81eb4c11ee53b7b07fa06f96
[5] – Bot with Strings in Common
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Finger.exe LOLBin, (Sun, Dec 4th)


Guy's diary entry "Linux LOLBins Applications Available in Windows" reminded me of another Linux tool that is available on Windows: the ancient finger command.

Here is an example with weather info for the North Pole:

Communication takes place over TCP; the destination port is 79.

The finger.exe command sends the string before the @ sign to the host specified after the @ sign.

finger.exe is not proxy aware, and port 79 is hardcoded inside the finger.exe executable: not as a number, but as a protocol name (finger) that is defined in the services list (%SystemRoot%\system32\drivers\etc\services).
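To make the wire behaviour concrete for anyone writing a detection, here is an added example (not from the diary) of a minimal finger client that does what is described above: it splits user@host, opens a plain TCP connection to port 79 with no proxy support, and sends the query terminated by CRLF as RFC 1288 specifies. The server, the "North Pole" reply and the hostname are constructed stand-ins so the exchange runs offline on loopback.

```python
import socket
import threading

FINGER_PORT = 79  # the "finger" entry finger.exe looks up in the services file

def split_query(arg):
    """Split 'user@host' the way finger.exe does: the text before the last '@' is the
    query sent on the wire, the text after it is the host to connect to."""
    query, sep, host = arg.rpartition("@")
    if not sep or not host:
        raise ValueError("expected <query>@<host>")
    return query, host

def build_request(query):
    # RFC 1288 request: the query string followed by CRLF; an empty query is a bare CRLF
    return query.encode("ascii") + b"\r\n"

def finger(arg, port=FINGER_PORT, timeout=5.0):
    """Direct TCP client with no proxy support, matching the behaviour described above."""
    query, host = split_query(arg)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(query))
        chunks = []
        while True:  # the server talks until it closes the connection
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")

def serve_once(response):
    """Constructed stand-in for a finger server on 127.0.0.1: answers one connection
    with a canned response and records the raw request so it can be inspected."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    seen = {}
    def run():
        conn, _ = srv.accept()
        with conn:
            seen["request"] = conn.recv(4096)
            conn.sendall(response)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], seen

def demo():
    port, seen = serve_once(b"North Pole: -40C, light snow\r\n")  # constructed reply
    reply = finger("north_pole@127.0.0.1", port=port)
    return seen["request"], reply

if __name__ == "__main__":
    print(demo())
```

The recorded request shows what a network sensor sees: only the part before the @ leaves the host, as a short CRLF-terminated line on TCP/79.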


Didier Stevens
Senior handler
Microsoft MVP


obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd)



Qakbot (also called Qbot) is a long-running malware family that has seen widespread distribution through malicious spam (malspam) in recent years.  During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader.

Metadata tags in the malware code are tied to a specific distribution campaign.  The "obama" series distribution tag includes a 3-digit suffix, and it currently represents thread-hijacked emails with attachments for HTML smuggling.  When opened, the attached HTML file presents a password-protected zip archive to download, and the web page displays the password.

In recent months, password-protected zip archives for Qakbot have contained disk images using the .iso file extension.  However, on Thursday 2022-12-01, zip archives for obama224 Qakbot contained images using the .vhd file extension.

VHD files have been used by other criminal groups to distribute malware, but this is the first I remember seeing them for obama-series Qakbot.

In Microsoft Windows, ISO files can easily be mounted by any normal user account.  However, VHD images require an administrative Windows account.  Because of this, normal user accounts in an Active Directory (AD) environment cannot mount VHD files on a Windows client without administrative login credentials.  VHD images can easily mount on stand-alone Windows 10 or 11 hosts that use administrative accounts.

Shown above:  Chain of events for obama224 distribution Qakbot activity.

Qakbot infections occasionally lead to VNC activity.  Qakbot also leads to Cobalt Strike if the infected host is part of an AD environment.  This was the case as recently as Monday 2022-11-28 with a BB08 distribution Qakbot infection.

Let's review an infection in my lab environment, using screenshots from each step of the process.

Step by Step Screenshots

Shown above:  Thread-hijacked email with an attachment for HTML smuggling opened in Thunderbird.

Shown above:  The same email in Microsoft Outlook can open the HTML attachment in Microsoft Edge.

Shown above:  Opening the HTML attachment in Microsoft Edge presents a password-protected zip archive and shows u1515 as its password.

Shown above:  Using the password to click our way to the VHD image.

Shown above:  In an AD environment, you need administrative permissions to mount the VHD image.

Shown above:  Contents of the VHD image.

I used the domain administrator login credentials to mount the VHD image.  It mounted as the next available drive letter, using DOCFOLDER as the newly-mounted disk's name.  Double-clicking the visible Windows shortcut runs a hidden Qakbot DLL.  The shortcut uses a command prompt (cmd.exe) to run rundll32.exe [filename],DrawThemeIcon as its target.
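The shortcut-to-cmd.exe-to-rundll32 chain above leaves a recognisable process-creation pattern. As an added example, not part of this diary, the following heuristic runs over constructed Sysmon-style events and flags rundll32 launched by cmd.exe that loads a DLL by export name from outside the system directories (such as a freshly mounted disk image). The DLL path and drive letter are placeholders, since the diary elides the filename; only the DrawThemeIcon export comes from the post.

```python
import re

# Paths where rundll32 normally finds its DLLs; anything else gets a closer look
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# rundll32 syntax: <dll path>,<export name or #ordinal>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#?\w+)', re.IGNORECASE)

# Constructed process-creation events (Sysmon event 1 style), not captured from the lab;
# the DLL name and drive letter are placeholders, the export name is the one from the diary.
EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\PLACEHOLDER.dll,DrawThemeIcon"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\Vendor\tool.dll",Run'},
]

def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None

def is_suspicious(event):
    """Heuristic from the chain above: rundll32 spawned by cmd.exe, loading a DLL by export
    name from outside the system directories."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return False
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return False
    dll, _export = parsed
    spawned_by_cmd = event["parent"].lower().endswith("cmd.exe")
    outside_system = not dll.lower().startswith(SYSTEM_DIRS)
    return spawned_by_cmd and outside_system

def triage(events):
    """Return (dll_path, export) for every event the heuristic flags."""
    return [parse_rundll32(e["cmdline"]) for e in events if is_suspicious(e)]

if __name__ == "__main__":
    print(triage(EVENTS))
```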

While Qakbot is quite dangerous, this type of infection requires a victim with administrative access willing to click through various notifications and warnings before an infection occurs.

Shown above:  The last warning I clicked through to infect my lab host.

Final Words

While this campaign is clever, it uses VHD images that require administrative access to successfully infect a Windows host.  How effective is this in an AD environment?  How many organizations allow administrative privileges for all user accounts?  Unfortunately, poor security practices can overcome some of the most effective security measures.  Human nature is why malware like Qakbot remains successful, despite the increased security of default Windows settings.

13 examples of malspam from Thursday 2022-12-01, along with the associated HTML files, VHD images, and Qakbot DLL files are available here.

Brad Duncan
brad [at] malware-traffic-analysis.net


Identifying Groups of "Bot" Accounts on LinkedIn, (Tue, Nov 29th)


As some have noted, LinkedIn has recently removed many accounts after identifying them as "bots" or "disingenuous" [1]. These removals are relatively easy to spot if they affect large companies like Amazon, Apple, and others. But they are a bit more challenging to spot if the fake accounts claim to work for smaller, relatively unknown companies.

Ukraine Themed Twitter Spam Pushing iOS Scareware, (Mon, Nov 28th)


With the expansion of Russia's invasion of Ukraine in February, Ukraine has made heavy use of social media to demonstrate the ability of the Ukrainian armed forces to repulse the attack. Ukraine often shares video clips showing attacks against Russian troops from drones or action camera footage from the front lines. These videos have been widely distributed, and various social media channels have shared them to build an audience for themselves.

Happy 22nd Birthday DShield.org!, (Fri, Nov 25th)


Traditionally, I consider the Thanksgiving weekend of 2000 the "Birthday" of DShield. I coded the first version of DShield over that weekend and made it public soon after. My records aren't that great, but here is an early screenshot of DShield.org courtesy of archive.org. There are a couple of earlier ones, but they are a bit too embarrassing to post here :). What is now the Internet Storm Center was known as incidents.org back then.