SANS Internet Storm Center, InfoCON: green

Finding The Original Maldoc, (Mon, Aug 31st)

Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV.
  • August 31st 2020 at 07:02

Malicious Excel Sheet with a NULL VT Score: More Info, (Sat, Aug 29th)

The maldoc Xavier mentioned in diary entry "Malicious Excel Sheet with a NULL VT Score" is indeed corrupt, and that explains its low score on VT. I believe this maldoc has been cleaned by an anti-virus program: (incomplete) deletion of VBA modules.
  • August 30th 2020 at 10:03

Example of Malicious DLL Injected in PowerShell, (Fri, Aug 28th)

For a while now, PowerShell has remained one of the favorite languages for attackers. Installed by default (and almost impossible to get rid of), powerful, perfectly integrated with the core operating system. It's very easy to develop specific PowerShell functions that will provide interesting features for an attacker but, if written in PowerShell, they could easily ring a bell for the defenders (example: by using many suspicious API calls). Another technique to expand the language with more functions is just to load a DLL! I found a sample that exfiltrates data from the victim's computer.
  • August 28th 2020 at 06:44

Security.txt - one small file for an admin, one giant help to a security researcher, (Thu, Aug 27th)

During the last few months, I’ve noticed a significant increase in the number of vulnerability reports for domains registered to some of our customers. I would guess that this increase probably stems from more time being devoted by bug bounty hunters and security researchers to finding vulnerabilities due to their Covid-19 related self-isolation. Whatever the cause is however, the increased number of reports is probably felt by many organizations around the world.
  • August 27th 2020 at 07:09

Malicious Excel Sheet with a NULL VT Score, (Wed, Aug 26th)

Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to all AVs the file is safe. Really? If it matched one of my hunting rules, there is for sure something suspicious inside. Let's have a look at it.
  • August 26th 2020 at 06:03

Keep An Eye on LOLBins, (Tue, Aug 25th)

Don't misread, I won't talk about "lolcats" today but "LOLBins" or "Living Off The Land Binaries". All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications, management of files, and many more. Those tools are installed by default and available to all users without specific access rights (most of the time). Also very important, they are signed by the operating system so they are usually considered safe by default.
  • August 25th 2020 at 07:25

Tracking A Malware Campaign Through VT, (Mon, Aug 24th)

During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size. Here is the pattern:
  • August 24th 2020 at 07:34

Small Challenge: A Simple Word Maldoc - Part 4, (Sun, Aug 23rd)

In diary entry "Small Challenge: A Simple Word Maldoc - Part 2", we used my tool numbers-to-string.py to convert and decode the numbers in malicious VBA macro code to a BAT command.
  • August 23rd 2020 at 19:22

Remote Desktop (TCP/3389) and Telnet (TCP/23), What might they have in Common?, (Sat, Aug 22nd)

I'm glad you asked. I'm always interested in trends, and reviewing the activity captured by my honeypot over this past week shows that no matter what port the RDP service is listening on, a specific RDP string (Cookie: mstshash=) might be sent to any port to find out if it is listening for this service. Here are some examples:
  • August 22nd 2020 at 20:25

Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th)

If you haven't heard, SANS suffered a "Data Incident" this summer; the disclosure was released on August 11. Details can be found in several locations:
  • August 20th 2020 at 15:43

Example of Word Document Delivering Qakbot, (Wed, Aug 19th)

Qakbot[1] is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I'll cover today has been reported by one of our readers (thanks to him) and deserves a quick analysis of the obfuscation used by the attackers. It is not available on VT at this time (SHA256:507312fe58352d75db057aee454dafcdce2cdac59c0317255e30a43bfa5dffbc)
  • August 19th 2020 at 05:13

Using API's to Track Attackers, (Tue, Aug 18th)

For a few days, I've been keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, Powershell, etc. are attackers' best friends, but Python is also a good candidate to perform malicious activities on a computer. Even if Python isn't installed by default, it's easy to "compile" a Python script to make it portable via a PE file. There exist multiple tools to achieve this, my favorite being 'pyinstaller':
  • August 18th 2020 at 06:52

ISC Blocked, (Tue, Aug 18th)

This morning at the ISC was a bit more interesting than usual. As I was skimming through the emails I found the usual great submissions from readers, but what got my attention was an email from Iztok, and others, indicating that the ISC was inaccessible because the ISC site was placed on a blocklist by Cisco Talos.
  • August 18th 2020 at 00:21

Password Reuse Strikes Again!, (Mon, Aug 17th)

Over the weekend the Canada Revenue Agency (CRA), the Canadian equivalent of the U.S. IRS, shut down their online accounts due to account compromises which began at least a couple of weeks ago. Once the bad guys had access to the accounts they would change the user's email address and banking information and attempt to apply for or redirect COVID-19 benefits.
  • August 17th 2020 at 23:12

Small Challenge: A Simple Word Maldoc - Part 3, (Sun, Aug 16th)

In the solution I presented last weekend for "Small Challenge: A Simple Word Maldoc", I forgot to address one point when converting and decoding the numbers in the VBA code with my tool numbers-to-string.py; you can see it here:
  • August 16th 2020 at 09:21

Wireshark 3.2.6 Released, (Sat, Aug 15th)

Wireshark version 3.2.6 was released.
  • August 15th 2020 at 20:02

Definition of 'overkill' - using 130 MB executable to hide 24 kB malware, (Fri, Aug 14th)

One of our readers, Lukas, shared an unusual malicious executable with us earlier this week – one that was 130 MB in size. Making executables extremely large is not an uncommon technique among malware authors[1], as it allows them to easily avoid detection by most AV solutions, since the size of files which AVs will check is usually fairly low (tens of megabytes at most). In order to increase the size of their creations, malware authors commonly embed images in the executables or include large chunks of “empty space” (i.e. null bytes) in them.
  • August 14th 2020 at 06:46

Microsoft August 2020 Patch Tuesday, (Tue, Aug 11th)

This month we got patches for 120 vulnerabilities total. According to Microsoft, two of them are being exploited (CVE-2020-1380 and CVE-2020-1464), and one was previously disclosed (CVE-2020-1464).
  • August 11th 2020 at 21:30

Scoping web application and web service penetration tests, (Mon, Aug 10th)

Before starting any penetration test, the most important part is to correctly scope it – this will ensure that both the client’s expectations are fulfilled and that enough time is allocated to make sure that the penetration test is correctly performed.
  • August 10th 2020 at 09:57

Small Challenge: A Simple Word Maldoc - Part 2, (Sun, Aug 9th)

There are many interesting solutions to my "Small Challenge: A Simple Word Maldoc" diary entry: static analysis solutions, dynamic analysis and even a combination of both. You can find them in the comments and on Twitter.
  • August 9th 2020 at 20:49

Scanning Activity Include Netcat Listener, (Sat, Aug 8th)

This activity started on 5 July 2020 and has been active to this day, only scanning against TCP port 81. The GET command is always the same except for the Netcat IP, which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs. I have included the URL to the IPDetails reported to ISC that shows similar activity from the same source IP address listed in this diary.
  • August 8th 2020 at 23:57

A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th)

Yesterday, I found a new malicious Powershell script that deserved to be analyzed due to the way it was dropped on the victim's computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that it's a fileless macro. The malicious Base64 code is stored in multiple environment variables that are concatenated then executed through an IEX command:
  • August 6th 2020 at 06:37

Internet Choke Points: Concentration of Authoritative Name Servers, (Tue, Aug 4th)

A utopian vision of the Internet often describes it as a distributed partnership of equals giving everybody the ability to publish and discover information worldwide. This open, democratic Internet is often little more than an imaginary legacy construct that may have existed at some time in the distant past, if ever. Reality: Today, the Internet is governed by a few large entities. Diverse interconnectivity and content distribution were also supposed to make the Internet more robust. But as it has been shown over and over again, a simple misconfiguration at a single significant player will cause large parts of the network to disappear.
  • August 4th 2020 at 15:01

Reminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues, (Tue, Aug 4th)

Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The exploit is rather simple and currently used to find vulnerable systems by reading benign LUA source code files.
  • August 4th 2020 at 11:20

Powershell Bot with Multiple C2 Protocols, (Mon, Aug 3rd)

I spotted another interesting Powershell script. It's a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this technique[1]). I don't have the original document but, based on a technique used in the macro, it is part of a Word document. It calls Document_ContentControlOnEnter[2]:
  • August 3rd 2020 at 09:22

Small Challenge: A Simple Word Maldoc, (Sun, Aug 2nd)

A reader submitted a malicious Word document, deed contract,07.20.doc (also uploaded to Malware Bazaar).
  • August 2nd 2020 at 20:58

What pages do bad bots look for?, (Sat, Aug 1st)

I've been wondering for some time now about what pages and paths are visited the most by "bad" bots: scrapers, data harvesters and other automated scanners which disregard the exclusions set in robots.txt[1]. To determine this, I've set up a little experiment: I placed robots.txt on one of my domains, which disallowed access to commonly used paths and PHP pages which might be of interest to bots (login.php, /wp-admin/, etc.), configured the server to provide an HTTP 200 response for these paths and pages, and started logging details about requests sent to them.
  • August 1st 2020 at 14:28

Building a .freq file with Public Domain Data Sources, (Fri, Jul 31st)

This diary started out as a frequency analysis of zone files for domains that expire before May 2023. Our intent was to look for frequency of random on all Generic Top-Level Domains (gTLDs). This exercise quickly turned into “create the freq file” for the analysis.
  • July 31st 2020 at 22:52

Python Developers: Prepare!!!, (Thu, Jul 30th)

I know... tried it several times... growing up is hard. So instead, you decided to become a "Red Teamer" (aka Pentesters...). You got the hoodie, and you acquired a taste for highly caffeinated energy drinks. Now the only thing left: Learning to write a script. So like all the other "kids," you learn Python and start writing and publishing tools (Yes... all the world needed was DNS covert channel tool #32773... you realize you could have written that as a bash oneliner?).
  • July 30th 2020 at 15:54