SANS Internet Storm Center, InfoCON: green

A blast from the past - XXEncoded VB6.0 Trojan, (Fri, Sep 4th)

While going over what my e-mail malware quarantine caught during this week, I found a message which made me feel rather nostalgic. Among the usual maldocs, ZIPs and ACEs, there was also an e-mail carrying an XXE file in its attachment.
  • September 4th 2020 at 07:38

Sandbox Evasion Using NTP, (Thu, Sep 3rd)

I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic:
  • September 3rd 2020 at 08:54

Python and Risky Windows API Calls, (Wed, Sep 2nd)

The Windows API is full of calls that are usually good indicators to guess the behavior of a script. In a previous diary, I wrote about some examples of "API call groups" that are clearly used together to achieve malicious activities[1]. While this technique is often used in PowerShell scripts, here is an interesting sample in Python that uses the same approach. It calls Windows API functions directly through 'ctypes'.
  • September 2nd 2020 at 09:14

Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st)

LDAP, like many UDP based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS and we have talked about this in the past. But LDAP is another protocol that is often abused.
  • September 1st 2020 at 18:04

Finding The Original Maldoc, (Mon, Aug 31st)

Xavier wrote about a "Malicious Excel Sheet with a NULL VT Score" and I showed how to extract the VBA code from the maldoc cleaned by AV.
  • August 31st 2020 at 07:02

Malicious Excel Sheet with a NULL VT Score: More Info, (Sat, Aug 29th)

The maldoc Xavier mentioned in diary entry "Malicious Excel Sheet with a NULL VT Score" is indeed corrupt, and that explains its low score on VT. I believe this maldoc has been cleaned by an anti-virus program: (incomplete) deletion of VBA modules.
  • August 30th 2020 at 10:03

Example of Malicious DLL Injected in PowerShell, (Fri, Aug 28th)

For a while now, PowerShell has remained one of the favorite languages for attackers: installed by default (and almost impossible to get rid of), powerful, and perfectly integrated with the core operating system. It's very easy to develop specific PowerShell functions that will provide interesting features for an attacker but, if written in PowerShell, they could easily ring a bell for the defenders (example: by using many suspicious API calls). Another technique to expand the language with more functions is just to load a DLL! I found a sample that exfiltrates data from the victim's computer.
  • August 28th 2020 at 06:44

Security.txt - one small file for an admin, one giant help to a security researcher, (Thu, Aug 27th)

During the last few months, I’ve noticed a significant increase in the number of vulnerability reports for domains registered to some of our customers. I would guess that this increase probably stems from more time being devoted by bug bounty hunters and security researchers to finding vulnerabilities due to their Covid-19 related self-isolation. Whatever the cause is however, the increased number of reports is probably felt by many organizations around the world.
  • August 27th 2020 at 07:09

Malicious Excel Sheet with a NULL VT Score, (Wed, Aug 26th)

Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to all AVs the file is safe. Really? If it matched one of my hunting rules, there is for sure something suspicious inside. Let's have a look at it.
  • August 26th 2020 at 06:03

Keep An Eye on LOLBins, (Tue, Aug 25th)

Don't misread, I won't talk about "lolcats" today but "LOLBins" or "Living Off The Land Binaries". All operating systems provide a rich toolbox to achieve multiple day-to-day tasks like maintenance of the certificates, installation of patches and applications, management of files, and many more. Those tools are installed by default and available to all users without specific access rights (most of the time). Also very important, they are signed by the operating system so they are usually considered safe by default.
  • August 25th 2020 at 07:25

Tracking A Malware Campaign Through VT, (Mon, Aug 24th)

During the weekend, I found several samples from the same VBA macro. The only difference between all the samples was the URL to fetch a malicious PE file. I have a specific YARA rule to search for embedded PowerShell strings and my rule fired several times with the same pattern and similar size. Here is the pattern:
  • August 24th 2020 at 07:34

Small Challenge: A Simple Word Maldoc - Part 4, (Sun, Aug 23rd)

In diary entry "Small Challenge: A Simple Word Maldoc - Part 2", we used my tool numbers-to-string.py to convert and decode the numbers in malicious VBA macro code to a BAT command.
  • August 23rd 2020 at 19:22

Remote Desktop (TCP/3389) and Telnet (TCP/23), What might they have in Common? , (Sat, Aug 22nd)

I'm glad you asked. I'm always interested in trends and, reviewing the activity captured by my honeypot over this past week, it shows that no matter what port the RDP service is listening on, a specific RDP string (Cookie: mstshash=) might be sent to any port to find out if it is listening for this service. Here are some examples:
  • August 22nd 2020 at 20:25

Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th)

If you haven't heard, SANS suffered a "Data Incident" this summer; the disclosure was released on August 11. Details can be found in several locations:
  • August 20th 2020 at 15:43

Example of Word Document Delivering Qakbot, (Wed, Aug 19th)

Qakbot[1] is back on stage at the moment! Many security companies already reported some peaks of activity around this malware. On my side, I also spotted several samples. The one that I'll cover today has been reported by one of our readers (thanks to him) and deserves a quick analysis of the obfuscation used by the attackers. It is not available on VT at this time (SHA256: 507312fe58352d75db057aee454dafcdce2cdac59c0317255e30a43bfa5dffbc).
  • August 19th 2020 at 05:13

Using API's to Track Attackers, (Tue, Aug 18th)

For a few days, I have been keeping an eye on suspicious Python code posted on VT. We all know that VBA, JavaScript, PowerShell, etc. are attackers' best friends but Python is also a good candidate to perform malicious activities on a computer. Even if Python isn't installed by default, it's easy to "compile" a Python script to make it portable via a PE file. There exist multiple tools to achieve this, my favorite being 'pyinstaller':
  • August 18th 2020 at 06:52

ISC Blocked, (Tue, Aug 18th)

This morning at the ISC was a bit more interesting than usual. As I was skimming through the emails I found the usual great submissions from readers, but what got my attention was an email from Iztok, and others, indicating that the ISC was inaccessible because the ISC site was placed on a blocklist by Cisco Talos.
  • August 18th 2020 at 00:21

Password Reuse Strikes Again!, (Mon, Aug 17th)

Over the weekend the Canada Revenue Agency (CRA), the Canadian equivalent of the U.S. IRS, shut down their online accounts due to account compromises which began at least a couple of weeks ago. Once the bad guys had access to the accounts they would change the users' email address and banking information and attempt to apply for or redirect COVID-19 benefits.
  • August 17th 2020 at 23:12

Small Challenge: A Simple Word Maldoc - Part 3, (Sun, Aug 16th)

In the solution I presented last weekend for "Small Challenge: A Simple Word Maldoc", I forgot to address one point when converting and decoding the numbers in the VBA code with my tool numbers-to-string.py, you can see it here:
  • August 16th 2020 at 09:21

Wireshark 3.2.6 Released, (Sat, Aug 15th)

Wireshark version 3.2.6 was released.
  • August 15th 2020 at 20:02

Definition of 'overkill' - using 130 MB executable to hide 24 kB malware, (Fri, Aug 14th)

One of our readers, Lukas, shared an unusual malicious executable with us earlier this week – one that was 130 MB in size. Making executables extremely large is not an uncommon technique among malware authors[1], as it allows them to easily avoid detection by most AV solutions, since the size of files which AVs will check is usually fairly low (tens of megabytes at most). In order to increase the size of their creations, malware authors commonly embed images in the executables or include large chunks of “empty space” (i.e. null bytes) in them.
  • August 14th 2020 at 06:46

To the Brim at the Gates of Mordor Pt. 1, (Wed, Aug 12th)

Search & Analyze Mordor APT29 PCAPs with Brim
  • August 12th 2020 at 17:38

Microsoft August 2020 Patch Tuesday, (Tue, Aug 11th)

This month we got patches for 120 vulnerabilities total. According to Microsoft, two of them are being exploited (CVE-2020-1380 and CVE-2020-1464), and one was previously disclosed (CVE-2020-1464).
  • August 11th 2020 at 21:30

Scoping web application and web service penetration tests, (Mon, Aug 10th)

Before starting any penetration test, the most important part is to correctly scope it – this will ensure that both the client’s expectations are fulfilled and that enough time is allocated to make sure that the penetration test is correctly performed.
  • August 10th 2020 at 09:57

Small Challenge: A Simple Word Maldoc - Part 2, (Sun, Aug 9th)

There are many interesting solutions to my "Small Challenge: A Simple Word Maldoc" diary entry: static analysis solutions, dynamic analysis and even a combination of both. You can find them in the comments and on Twitter.
  • August 9th 2020 at 20:49

Scanning Activity Include Netcat Listener, (Sat, Aug 8th)

This activity started on 5 July 2020 and has been active to this day, only scanning against TCP port 81. The GET command is always the same except for the Netcat IP, which has changed a few times since it started. If you have a webserver or a honeypot listening on TCP 81, this activity might be contained in your logs. I have included the URL to the IPDetails reported to ISC that shows similar activity from the same source IP address listed in this diary.
  • August 8th 2020 at 23:57

A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th)

Yesterday, I found a new malicious PowerShell script that deserved to be analyzed due to the way it was dropped on the victim's computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that it's a fileless macro. The malicious Base64 code is stored in multiple environment variables that are concatenated, then executed through an IEX command:
  • August 6th 2020 at 06:37

Internet Choke Points: Concentration of Authoritative Name Servers, (Tue, Aug 4th)

A utopian vision of the Internet often describes it as a distributed partnership of equals giving everybody the ability to publish and discover information worldwide. This open, democratic Internet is often little more than an imaginary legacy construct that may have existed at some time in the distant past, if ever. Reality: Today, the Internet is governed by a few large entities. Diverse interconnectivity and content distribution were also supposed to make the Internet more robust. But as it has been shown over and over again, a simple misconfiguration at a single significant player will cause large parts of the network to disappear.
  • August 4th 2020 at 15:01

Reminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues , (Tue, Aug 4th)

Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The exploit is rather simple and currently used to find vulnerable systems by reading benign Lua source code files.
  • August 4th 2020 at 11:20

Powershell Bot with Multiple C2 Protocols, (Mon, Aug 3rd)

I spotted another interesting PowerShell script. It's a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this technique[1]). I don't have the original document but, based on a technique used in the macro, it is part of a Word document. It calls Document_ContentControlOnEnter[2]:
  • August 3rd 2020 at 09:22