Security Posts

Commando VM: The Complete Mandiant Offensive VM, (Tue, Jul 16th)

The good folks at Mandiant have created the Commando VM, a fully customized, Windows-based security distribution for penetration testing and red teaming.
From the project’s About Commando VM content:
“Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests. The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as PowerView and BloodHound without having to worry about placing output files on client assets.”
Many of the expected tools are available on this platform, over 140, including:
  • Nmap
  • Wireshark
  • Covenant
  • Python
  • Go
  • Remote Server Administration Tools
  • Sysinternals
  • Mimikatz
  • Burp-Suite
  • x64dbg
  • Hashcat
The team claims support for blue teams as well. In their own words, “Commando VM provides blue teams with the tools necessary to audit their networks and improve their detection capabilities. With a library of offensive tools, it makes it easy for blue teams to keep up with offensive tooling and attack trends.” While a bit more in spirit than reality with the Commando VM, any aspirations to support the purple team approach are welcome and admirable.
Installation is extremely straightforward: the platform is built out via Boxstarter, Chocolatey, and MyGet packages, and takes a bit of time to complete, more than an hour in multiple test scenarios for me. Full, thorough installation guidelines are here. The fast and furious version is simply this:
  • Create and configure a new Windows Virtual Machine, update it completely, then take a snapshot
  • Download and copy install.ps1 on the newly configured and updated VM
  • Open an elevated PowerShell console
  • Enable script execution: Set-ExecutionPolicy Unrestricted
  • Execute the installer script: .\install.ps1
Be patient, let it finish, and keep an eye on the console from time to time as it progresses.
As always, please read the project content in full. You can also download the full Commando VM repository from GitHub as a zip package or clone it accordingly. Given its Windows-centric focus, Commando VM includes a few tools geared toward advanced Windows exploitation, with particular attention to .NET and WMI.
In the reverse engineering category, there’s ILSpy, the open-source .NET assembly browser and decompiler.
For command and control, there’s Covenant, “a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.”
From FortyNorth Security, also see WMImplant, “a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine.” FortyNorth Security and Chris Truncer also offer up WMIOps, “a powershell script which uses WMI for various purposes across a network.”
WMIOps is used to “perform a variety of actions on hosts, local or remote, within a Windows environment and is designed primarily for use on penetration tests or red team engagements.” As such, it includes:
  • Process functions: Get-RunningProcessesWMI (accounts with active processes)
  • User operations: Find-ActiveUsersWMI (whois on target)
  • Host enumeration: Get-ActiveNICSWMI (dump target NICs)
  • System manipulation operations: Invoke-ServiceManipulation (service buggery)
  • File operations: Invoke-FileTransferOverWMI (exfil)
In the big bucket o’ exploitation tools, a few favorites lurk.
EvilClippy, as part of its role as a cross-platform assistant for creating malicious Microsoft Office documents, includes the likes of VBA stomping (P-code abuse). EvilClippy puts fake VBA code from a text file (VBA) in all modules, while leaving P-code intact, abusing an undocumented feature of module streams. It’s as straightforward as:
EvilClippy.exe -s fakecode.vba macrofile.doc
A wise and recent red team re-orientation towards C# opportunities is also well represented. FuzzySec’s Sharp-Suite, GhostPack, and SharpSploit are all present and accounted for. Commando VM owes a great debt to the hard work of the SpecterOps team. Ryan Cobb produced Covenant as well as SharpSploit.
Ryan states that there is a “trend developing on the offensive side of the security community in porting existing PowerShell toolsets to C#. With the added security features in PowerShell (ie. ScriptBlock Logging, AMSI, etc.), it makes sense that red teamers are investing in other options, and C# is the logical next step from PowerShell.” Note that SharpSploit is designed as a library, so there is only a SharpSploit.dll.
Ryan’s teammate, Will Schroeder aka harmj0y, created GhostPack, generically referred to as “collection of security related toolsets.” ;-)
Therein, you will find the likes of Seatbelt, a “C# project that performs a number of security oriented host-survey safety checks relevant from both offensive and defensive security perspectives.”
Given the spirit of purple team embraced by the Commando VM team, Seatbelt seems like an ideal way to bring us to conclusion for this quick Commando VM overview. In order to make use of Seatbelt you need to compile it yourself; the project team is not releasing binaries.
To do so, simply download Visual Studio Community 2019 on your Commando VM, set it up for Windows development (.NET, desktop, and UWP), and then open Seatbelt.sln, found in C:\tools\GhostPack\Seatbelt. Be sure to run Visual Studio as administrator for this step. In Solution Explorer, right-click Seatbelt and select Build. You’ll then find Seatbelt.exe in C:\tools\GhostPack\Seatbelt\Seatbelt\bin\Debug.
Pop a command shell, run Seatbelt.exe all and revel in the results, including the likes of system data (incoming RDP sessions, firewall rules, autoruns, etc.), user data (saved RDP connections, 7 days of IE bookmarks and history, saved credentials in Windows Vault, etc.), and other collection options such as listing Kerberos tickets, Kerberos TGTData (ALL TEH TGTZ!), 4624 events from the security event log, and installed patches via WMI. You can quickly see how Seatbelt can serve both red and blue causes. Great stuff from the Mandiant team for Commando VM, a complete Mandiant offensive VM indeed. As always, be cautious in your use, lots of chaos to be created with this platform, ensure you have permission and purview. Cheers…until next time.
Russ McRee | @holisticinfosec
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Update: format-bytes.py Version 0.0.9

Didier Stevens - 53 min 34 sec ago
This new version of format-bytes brings support for TLV records. Here is an example with certificates in the Windows registry:
More details will be provided in an upcoming blog post.
format-bytes_V0_0_9.zip (https)
MD5: 2F97370D12A7DBB53EB8B30AA0A40463
SHA256: 87C9F3120673C0E92C9562EC2687B60AA93DAF612CE854939E48F6E902BFBBB4

Reduce the cost of tool sprawl with smarter network monitoring

BreakingPoint Labs Blog - 2 hours 7 min ago
Monitoring tools have always been critical for ensuring network performance and security. Top…

Understanding And Testing The TLS1.3 Encryption Standard

BreakingPoint Labs Blog - 2 hours 7 min ago
People often state that change is good. This statement is obviously relative. Change can be either…

Ixia at Tech Field Day 19

BreakingPoint Labs Blog - 2 hours 7 min ago
We have a long history of working with Steve Foskett (@SFoskett) and his band of merry men (and…

Exploiting PHP Phar Deserialization Vulnerabilities - Part 2

BreakingPoint Labs Blog - 2 hours 7 min ago
Part 1 of this blog is here.  Hands-on exploitation: phpBB 3.2.3 Remote Code Execution…

Raspberry Flavored Sploits and the Internet of Threats

BreakingPoint Labs Blog - 2 hours 7 min ago
While some like to talk about the Internet of Things – which is the wonderful web of everything…

SANS Conducts A Review of Ixia’s Vision ONE Packet Broker

BreakingPoint Labs Blog - 2 hours 7 min ago
The SANS Institute recently conducted a review of Ixia’s Vision ONE product. The full report can be…

What Is a Next Generation Firewall?

BreakingPoint Labs Blog - 2 hours 7 min ago
A Next Generation Firewall (NGFW) is a device that incorporates both the features of a traditional…

Vision X Best of Show Special Prize at Interop Tokyo 2019

BreakingPoint Labs Blog - 2 hours 7 min ago
Ixia's Vision X - 2019 Tokyo Interop Best of Show Special Prize Winner  There are a number of…

How The New TLS1.3 Standard Will Affect Your Encryption Tactics

BreakingPoint Labs Blog - 2 hours 7 min ago
The IETF released a new version of their encryption standard called RFC 8446 (Transport Layer…

Introducing Ixia’s Newest Packet Broker: Vision X

BreakingPoint Labs Blog - 2 hours 7 min ago
As the FIFA Women’s World Cup matches start up, you can bet I will be live-streaming games — at…

SWEED: Exposing years of Agent Tesla campaigns

Cisco Talos - Mon, 2019/07/15 - 20:25
By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

2017: Steganography
One of the earliest SWEED campaigns Talos identified dates back to 2017. In this attack, the actors placed droppers inside of ZIP archives, and then attached those ZIPs to emails. The attachments usually had file names similar to "Java_Updater.zip" or "P-O of Jun2017.zip". Here's an example of an email associated with this campaign:
The attached ZIP archive contained a packed version of Agent Tesla. The packer uses .NET and leverages steganography to hide and decode a second .NET executable, which uses the same technique to retrieve the final Agent Tesla payload. Here's the file stored in the resource:
And here's the algorithm used to decode the PE stored in that image:
The decoded binary is stored in the array.

January 2018: Java droppers
In early 2018, we observed that SWEED began leveraging Java-based droppers. Similar to previous campaigns, the JAR was directly attached to emails and used file names such as "Order_2018.jar". The purpose of the JAR was to obtain information about the infected system and facilitate the download of a packed version of Agent Tesla. Interestingly, only a few months prior to these campaigns, a HackForums user with the account name "Sweed" actively sought out a Java crypter — but we'll get to that activity later.
April 2018: Office exploit (CVE-2017-8759)
In April 2018, SWEED began making use of a previously disclosed Office exploit. One of the documents featured in these email campaigns was notable because it was a PowerPoint document (PPSX). Code contained inside one of the slides triggers an exploit for CVE-2017-8759, a remote code execution vulnerability in the Microsoft .NET framework.
You can see the execution of external content hosted on the attacker-controlled web server using the file name "chuks.png". As expected, the PNG is not actually an image. Instead, it is a SOAP definition in XML, as seen in the screenshot below:
The purpose of this code is to decode a URL and download a PE32 hosted on an attacker-controlled web server. The resulting executable is a packed version of Agent Tesla.
May 2018: Office exploit (CVE-2017-11882)
In May 2018, campaigns being conducted by SWEED began leveraging another vulnerability in Microsoft Office: CVE-2017-11882, a remote code execution bug in Microsoft Office that is commonly observed being leveraged in malicious documents used in commodity malware distribution.

We see how the vulnerability abuses the Equation Editor in Office when executing the sample in ThreatGrid:
As seen below, the malicious document is designed to appear as if it is an invoice.
As consistent with previous campaigns, the purpose of this malicious document is to download and execute a packed version of Agent Tesla.
2019: Office macros and AutoIT droppers
Beginning in 2019, the campaigns associated with SWEED began leveraging malicious Office macros. As with previous attacks, they are leveraging spear-phishing emails and malicious attachments to initiate the infection process.
The attached XLS contains an obfuscated VBA macro, which executes a PowerShell script using a WMI call. The PowerShell script is also obfuscated using XOR operations to hide its code. Once decoded, it reveals itself to be .NET.
This .NET code is responsible for performing some checks and downloading another executable file. The obfuscation scheme used in this code is the same as the one used in the previously described PowerShell. The downloaded file is then saved and executed.
Call graph after WMI execution.
The downloaded binary is an AutoIT-compiled script. The script has a lot of junk code designed to make the analysis more difficult and time-consuming.
Extracted AutoIT script.
The strings and some of the commands contained in the AutoIT script have been obfuscated using XOR operations, as described below.
The decoder receives two hex strings: The first is the string to deobfuscate, while the second determines the number of rounds of the XOR operation. The XOR operation is performed on each character against the length of the second parameter. This operation is then repeated for as many times as the length with the length and the position. If the length value is one, then the operation is repeated twice using the same key, which leads to a plaintext hex string.

After performing environment checks, the malware reconstructs the assembly code, which is obfuscated in a hex string. Using the AutoIT scripting language's Dll* family of functions, the code is loaded into the current process address space.
Memory allocation
Finally, the malware executes the assembly code with two arguments. The first argument is the path to an executable. This assembly creates a process from that executable and injects the payload into it.
As expected, the final payload in this campaign is another packed version of Agent Tesla.
UAC bypass
One of the common characteristics with several of the campaigns associated with SWEED is the use of various techniques to bypass User Account Control (UAC) on infected systems. An example of this is present within the campaigns observed in 2019. When the malware is first executed on systems, it executes "fodhelper.exe", which is a Windows process running as high integrity. Prior to executing it, the malware sets the following registry key:

HKCU\Software\Classes\ms-settings\shell\open\command
This registry key points to the location of the malicious executable:
This key is used by "fodhelper.exe" and its value is executed as administrator whenever fodhelper.exe is executed. This functionality simply allows for the malware to bypass UAC and is not a privilege escalation vulnerability — the user must already have administrative access rights on the system. It is used to avoid displaying a UAC prompt to the user. This second instance of the malware is then executed with administrative access to the infected system.
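As an added example, not code from the Talos report, here is a defender's check for the handler described above: it walks every loaded user hive, reports any ms-settings command handler it finds, and offers a guarded clean-up. It assumes an elevated console so that all hives under HKEY_USERS are readable; the function names are hypothetical.

```powershell
# Added example, not from the Talos report: audit and clean up the per-user
# ms-settings handler that the 2019 SWEED samples plant before running fodhelper.exe.
# Assumption: run from an elevated console so that every loaded user hive under
# HKEY_USERS is readable. A clean profile has no ms-settings class under HKCU at all,
# so any hit is worth a look.

function Get-MsSettingsHandler {
    # Returns one object per user SID that carries the hijack key; nothing on a clean box.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }   # real user SIDs, not *_Classes
    foreach ($hive in $userHives) {
        $sid = $hive.PSChildName
        $key = "Registry::HKEY_USERS\$sid\Software\Classes\ms-settings\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Sid             = $sid
            Key             = $key
            Command         = $props.'(default)'     # what fodhelper.exe will launch elevated
            # The same bypass is commonly paired with an empty DelegateExecute value (a known
            # detail of the technique, not something the report states); note if it is present.
            DelegateExecute = ($props.PSObject.Properties.Name -contains 'DelegateExecute')
        }
    }
}

function Remove-MsSettingsHandler {
    # Deletes the whole planted ms-settings class for one SID. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Sid)
    $class = "Registry::HKEY_USERS\$Sid\Software\Classes\ms-settings"
    if (Test-Path -LiteralPath $class) {
        if ($PSCmdlet.ShouldProcess($class, 'Remove hijacked ms-settings class')) {
            Remove-Item -LiteralPath $class -Recurse -Force
        }
    }
}

# Usage: list findings, then remove them (drop -WhatIf to really delete).
$findings = Get-MsSettingsHandler
$findings | Format-Table Sid, Command, DelegateExecute -AutoSize
foreach ($f in $findings) { Remove-MsSettingsHandler -Sid $f.Sid -WhatIf }
```

Pair the one-off audit with an alert on writes to that registry path so the planting itself is caught, not only its leftovers.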

SWEED infrastructure
The various distribution campaigns linked to SWEED feature use of a limited amount of distribution and C2 infrastructure with the same servers used across many different campaigns over long periods of time. The majority of the registrants associated with the domains used by SWEED list the following email addresses:

aaras480@gmail[.]com
sweed.[redacted]@gmail[.]com
The registrant contact information used to register most of the domains is also consistent:
In April 2018, a security researcher published a screenshot of an RDP server believed to have been actively leveraged by SWEED (84.38.134[.]121):
In the screenshot above, the list of user accounts established on the RDP server can be seen, which includes an account named "sweed." The fact that multiple users are currently active indicates that this server is being used in a multi-user capacity and provides a platform on which members of SWEED can function collaboratively. This also likely indicates a business relationship between multiple individuals responsible for these ongoing malware distribution campaigns.

We also identified several DDNS domains which were being used to facilitate connectivity to the shared RDP server that feature many of the same values as the RDP user accounts:
  • sweedoffice[.]duckdns[.]org
  • sweedoffice-olamide[.]duckdns[.]org
  • sweedoffice-chuks[.]duckdns[.]org
  • www.sweedoffice-kc.duckdns[.]org
  • sweedoffice-kc.duckdns[.]org
  • sweedoffice-goodman.duckdns[.]org
  • sweedoffice-bosskobi.duckdns[.]org
  • www.sweedoffice-olamide.duckdns[.]org
  • www.sweedoffice-chuks.duckdns[.]org
During our analysis of various campaigns associated with SWEED, we identified several common elements that also reflect the distinct values associated with users of the RDP server. In many cases, the distribution servers used to host the malicious PE32 binaries distributed by SWEED contained a directory structure made up of multiple directories holding the binaries. In many cases, the binary file names, as well as the directory names used to host the malicious content, reflected the same users present on the RDP server.

For example, in June 2019, the following URLs were hosting malicious content associated with these campaigns:
  • hxxp://aelna[.]com/file/chuks.exe
  • hxxp://aelna[.]com/file/sweed.exe
  • hxxp://aelna[.]com/file/duke.exe
Likewise, when investigating samples associated with known domains used to exfiltrate sensitive information from infected systems, we can see the following binary file names being used repeatedly across campaigns over a long period of time:
  • dadi.exe
  • kelly.exe
  • chuks.exe
  • olamide.exe
  • sweed.exe
  • kc.exe
  • hero.exe
  • goodman.exe
  • duke.exe
  • hipkid.exe
In several cases, the directory structure present on the distribution servers contained multiple directories hosting malicious files, an example listing below using the domain sodismodisfrance[.]cf:
  • sodimodisfrance[.]cf/2/chuks.exe
  • sodimodisfrance[.]cf/6/chuks.exe
  • sodimodisfrance[.]cf/5/goodman.exe
  • sodimodisfrance[.]cf/1/chuks.exe
  • sodimodisfrance[.]cf/1/hipkid.exe
  • sodimodisfrance[.]cf/5/sweed.exe
  • sodimodisfrance[.]cf/2/duke.boys.exe
These appear to match the handles used by actors known to be associated with SWEED. Another known domain used to exfiltrate sensitive information collected by Agent Tesla is sweeddehacklord[.]us. Analysis of known malware seen communicating with this domain shows similar patterns of operations.

In analyzing the malware activity associated with SWEED, we also investigated the use of interesting paths in the hosting of the administration panels associated with the various RATs and stealers being distributed by this group. Indeed, on a single C2 server, we identified several panels with the following URLs:
  • sweed-office.comie[.]ru/goodman/panel
  • sweed-office.comie[.]ru/kc/panel/
  • wlttraco[.]com/sweed-office/omee/panel/login.php
  • wlttraco[.]com/sweed-client/humble1/panel/post.php
  • wlttraco[.]com/sweed-client/sima/panel/post.php
  • wlttraco[.]com/sweed-office/omee/panel/post.php
  • wlttraco[.]com/sweed-office/kc/panel/post.php
  • wlttraco[.]com/sweed-office/olamide/panel/post.php
  • wlttraco[.]com/sweed-office/jamil/panel/post.php
  • wlttraco[.]com/sweed-client/niggab/panel/post.php
  • wlttraco[.]com/sweed-client/humble2/panel/post.php
  • wlttraco[.]com/sweed-office/harry/panel/post.php
Based on our research, as well as the panel-hosting locations, we believe that wiki, olamide, chuks, kc, goodman, bosskobi, dadi, hipkid, and others are SWEED customers or business associates. Using the binary file names, directory structures, and other artifacts, we have been able to identify interesting online behavior and interests exhibited across various hacking forums, IRC servers, etc. that appear to link some of these users with various elements of the malware distribution campaigns.

There are several other domains that can be linked to SWEED that appear to be associated with various malware families and distribution campaigns. These have been observed to resolve to the IP associated with the aforementioned RDP server, as well.
  • sweeddehacklord[.]us
  • sweed-office.comie[.]ru
  • sweed-viki[.]ru
Use of typosquatting
Another interesting element of many of the campaigns associated with SWEED is the use of typosquatting for the domains used to host the packed Agent Tesla binaries that have been distributed over the past few years.
Victims' geographic dispersion.
Looking at the victimology by country, it is clear that there is no geographic focus when choosing targets: SWEED targets companies all over the world.
Breakdown of victim's activity by industry.
The breakdown by activity however does show a clear tendency for manufacturing and logistics companies.

Here's a rundown of these domains, along with the companies they are supposed to look like and the industry that the company is associated with. In some cases we were unable to determine the targeted organization from the typosquatted domain.
In all of the domains listed above, the registrant account information associated with the domains is consistent with what we have identified as associated with SWEED campaign activity.
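The lookalike domains in this report mostly swap glyphs that read alike (l for i, q for g, a dropped letter), which a plain string match misses. As an added example, not code from the Talos report, the following folds each label onto one canonical glyph per confusable set and then compares by edit distance; the protected brand list and the function names are assumptions for illustration.

```powershell
# Added example, not from the Talos report: flag registered domains that are
# confusable lookalikes of protected brand names. The SWEED typosquats swap
# glyphs that look alike in many fonts (l/i, q/g, rn/m, 0/o), so candidates are
# first folded onto one canonical glyph per confusable set, then compared by
# edit distance. The protected list at the bottom is an assumption for illustration.

function Get-ConfusableForm {
    param([Parameter(Mandatory)][string]$Label)
    $s = $Label.ToLowerInvariant()
    $s = $s -replace 'rn', 'm'        # "rn" reads as "m"
    $s = $s -replace '[l1]', 'i'      # l, 1 and i collapse to i (dougiasbarwick, lnnovalues)
    $s = $s -replace 'q', 'g'         # q stands in for g (jltqroup, rsaqencies)
    $s = $s -replace '0', 'o'
    return ($s -replace '[-_]', '')   # separators carry little visual weight
}

function Get-LevenshteinDistance {
    param([string]$A, [string]$B)
    $d = [Array]::CreateInstance([int], $A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min(
                [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Find-LookalikeDomain {
    # Emits Candidate/LooksLike/Distance for every candidate within $MaxDistance of a
    # protected name after confusable folding; exact matches to a brand are skipped.
    param(
        [string[]]$Candidates,
        [string[]]$Protected,
        [int]$MaxDistance = 1
    )
    foreach ($candidate in $Candidates) {
        # un-defang "[.]" and keep only the second-level label
        $cLabel = (($candidate -replace '\[\.\]', '.').Split('.'))[0]
        foreach ($brand in $Protected) {
            $bLabel = $brand.Split('.')[0]
            if ($cLabel -eq $bLabel) { continue }
            $dist = Get-LevenshteinDistance (Get-ConfusableForm $cLabel) (Get-ConfusableForm $bLabel)
            if ($dist -le $MaxDistance) {
                [pscustomobject]@{ Candidate = $candidate; LooksLike = $brand; Distance = $dist }
            }
        }
    }
}

# Constructed input: four defanged domains from the report's IOC list plus one
# unrelated one, and an assumed list of the brands they imitate.
$iocs   = 'dougiasbarwick[.]com', 'jltqroup[.]com', 'lnnovalues[.]com', 'willistoweswatson[.]com', 'aelna[.]com'
$brands = 'douglasbarwick.com', 'jltgroup.com', 'innovalues.com', 'willistowerswatson.com'
Find-LookalikeDomain -Candidates $iocs -Protected $brands | Format-Table -AutoSize
```

The first three candidates fold to distance 0 from their brand, the fourth (a dropped "r") to distance 1, and aelna is not reported; feed newly registered domains from a certificate-transparency or passive-DNS feed into $Candidates to use it as a watch.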

Operational Security (OPSEC)
We identified various behavior on hacking forums, IRC channels, and other web sites that appeared consistent with the TTPs we observed with the actor distributing this malware.

"SWEE D"
During our analysis, we identified a user on HackForums using the moniker "SWEE D." In most of the online posts associated with this user, their contact information was included in the post and listed the Skype address "sweed.[redacted]".

In the months leading up to the January 2018 campaigns, we observed this user posting asking for access to a Java crypter. Typically, crypters are used to help evade antivirus detection as they "crypt" the contents of the malicious payload being distributed.
The same user posted repeatedly in threads related to Java crypters, and even annoyed other users with how often they were posting:
The same Skype account listed in the HackForums posts was also used by someone using the name "Daniel" in 2016 while commenting on a blog related to the creation of Facebook phishing pages:
This same Skype account was also used in 2015 by someone going by the name "[redacted] Daniel."
Note: [redacted] is also the name used in the email address associated with the registrant account for the domain wlttraco[.]com (sweed.[redacted]@gmail.com).

We also located screenshots that were published on the Twitter account .sS!.! showing the Discord server "Agent Tesla Live" that listed sweed ([redacted] Daniel) as a member of the staff.
It is important to note that the avatar used by this Discord user (SWEE D) is the same avatar that is used by Skype user sweed.[redacted].
We actually contacted SWEE D on Skype and were able to confirm that the same user operates the Discord and Skype accounts:
During our interaction with SWEE D, they mentioned that they are a student studying ethical hacking and that they work in the IT departments of various companies to help remove malware and increase their security.
This is contrary to the following activity which was observed in an IRC transaction where a user named "sweed" was submitting credit card information to a bot listening in the channel in an effort to check the validity and usability of presumably stolen credit card information.
The IRC channel appeared to be created and used solely for this purpose, with a bot named "chkViadex24" returning information related to the credit card that was submitted:
This is an example demonstrating how stolen credit information is actively being used by adversaries to determine whether or not they can monetize the information once they have stolen it from victims.

It's possible that "SWEE D", "sweed" and [redacted] Daniel may be the same person. We also identified the following LinkedIn profile that listed the same name:
This account lists Nigeria as their location. "[redacted]" is a Nigerian novel. Many of the details we identified during our analysis of "sweed," such as information in the LinkedIn profile, the references to "[redacted]," the registrant information used, and the location listed in the Skype account indicate the individual is likely located in Nigeria. We believe "sweed" is a key member of the group and that other accounts are likely associated with customers or business partners.

Conclusion
SWEED has been active for at least three years — and a user with that name has been active on various forums, IRC channels and Discord servers since at least 2015. Currently, SWEED is actively targeting small and medium-sized companies around the world. Based on the TTPs used by this group, SWEED should be considered a relatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. SWEED consistently leverages packing and crypting in order to minimize detection by anti-malware solutions. We assess that SWEED also does not have effective operational security, as they used several of the same online accounts for about five years, allowing for the discovery of a lot of their information, operations and associates.

At this time, we cannot say with certainty whether the other accounts and associated individuals associated with SWEED are business associates or customers. However, they all use the same infrastructure in a coordinated manner across domains, rely on the same malware and packers, and all operate very similarly. While SWEED is relatively well-known in the security research community, this research provides insight into how these cybercriminal organizations operate and evolve over time in an effort to maximize their ability to generate revenue and evade detection. We expect SWEED to continue to operate for the foreseeable future and we will continue to monitor their activities to ensure that customers remain protected.

Coverage
Ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise (IOCs)
The following IOCs have been observed as being associated with malware campaigns conducted by this group.
Campaign #1
Java_Updater.zip -> 59b15f6ace090d05ac5f7692ef834433d8504352a7f45e80e7feb05298d9c2dd
P-O of Jun2017.zip -> e397ba1674a6dc470281c0c83acd70fd4d772bf8dcf23bf2c692db6575f6ab08
Agent Tesla -> 8c8f755b427b32e3eb528f5b59805b1532af3f627d690603ac12bf924289f36f
Campaign #2
Java sample -> d27a29bdb0492b25bf71e536c8a1fae8373a4b57f01ad7481006f6849b246a97
Campaign #3
New Order For Quotation.ppsx -> 65bdd250aa4b4809edc32faeba2781864a3fee7e53e1f768b35a2bdedbb1243b
Campaign #4
SETTLEMENT OF OUTSTANDING.xlsx -> 111e1fff673466cedaed8011218a8d65f84bee48d5ce6d7e8f62cb37df75e671
Campaign #5
Request and specification of our new order.xls -> 1dd4ac4925b58a2833b5c8969e7c5b5ff5ec590b376d520e6c0a114b941e2075
Agent Tesla -> fa6557302758bbea203967e70477336ac7a054b1df5a71d2fb6d822884e4e34f

Domains


isodump.py and Malicious ISO Files, (Mon, Jul 15th)

SANS Internet Storm Center, InfoCON: green - Mon, 2019/07/15 - 16:57
Inspired by my diary entry "Malicious .iso Attachments", @Evild3ad79 created a tool, isodump.py, to help with the analysis of ISO files.
Without any arguments or options, the tool displays its usage:
When you just provide it an ISO file, it does nothing:
You have to provide a command, like displaying metadata (-M):
Or listing the content (-l):
This ISO file contains a file named PAYMENT.EXE; it's very likely a PE file (starts with 4D5A, or MZ). With the provided hashes, we can search for it on VirusTotal.
The file can be selected (-s 0) and dumped to stdout (-d). I like this feature: it allows me to pipe the malware into another analysis tool without writing it to disk:
If you just need to look at the first file, you can omit option -s:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
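As an added example (not part of the diary or of isodump.py itself), the following Python builds a constructed ISO 9660 image that carries a file named PAYMENT.EXE with a fake MZ header, then lists the root directory, extracts the file and identifies and hashes it, mirroring the -l and -s/-d steps described above. The image layout and the sample payload are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 2048  # ISO 9660 logical block size

# Constructed stand-in for the PAYMENT.EXE payload: an MZ header plus filler, not a real program.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"

def dir_record(name, lba, size, flags=0):
    """Build one ISO 9660 directory record; integer fields are stored both little- and big-endian."""
    body = bytes([0])                                          # extended attribute record length
    body += struct.pack("<I", lba) + struct.pack(">I", lba)    # extent location (LBA)
    body += struct.pack("<I", size) + struct.pack(">I", size)  # data length in bytes
    body += bytes(7) + bytes([flags, 0, 0])                    # date, flags (2 = directory), unit, gap
    body += struct.pack("<H", 1) + struct.pack(">H", 1)        # volume sequence number
    body += bytes([len(name)]) + name
    if len(body) % 2 == 0:      # length byte + body would be odd: records are padded to even length
        body += b"\x00"
    return bytes([len(body) + 1]) + body

def build_sample_iso(payload):
    """Constructed image: PVD at LBA 16, terminator at 17, root directory at 18, file data at 19."""
    root = dir_record(b"\x00", 18, SECTOR, flags=2)
    pvd = (bytes([1]) + b"CD001" + bytes([1]) + bytes(149) + root).ljust(SECTOR, b"\x00")
    term = (bytes([255]) + b"CD001" + bytes([1])).ljust(SECTOR, b"\x00")
    directory = (root + dir_record(b"\x01", 18, SECTOR, flags=2)
                 + dir_record(b"PAYMENT.EXE;1", 19, len(payload))).ljust(SECTOR, b"\x00")
    data = payload.ljust(-(-len(payload) // SECTOR) * SECTOR, b"\x00")
    return bytes(16 * SECTOR) + pvd + term + directory + data

def parse_record(image, off):
    """Return (length, name, lba, size, flags) for the directory record starting at `off`."""
    length = image[off]
    lba = struct.unpack_from("<I", image, off + 2)[0]
    size = struct.unpack_from("<I", image, off + 10)[0]
    flags, name_len = image[off + 25], image[off + 32]
    return length, image[off + 33:off + 33 + name_len], lba, size, flags

def list_iso(image):
    """List root-directory entries as (name, lba, size, is_dir), like `isodump.py -l`."""
    pvd = 16 * SECTOR
    if image[pvd + 1:pvd + 6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    _, _, root_lba, root_size, _ = parse_record(image, pvd + 156)  # root record lives at PVD+156
    entries, off, end = [], root_lba * SECTOR, root_lba * SECTOR + root_size
    while off < end:
        if image[off] == 0:                     # zero length: padding up to the next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        length, name, lba, size, flags = parse_record(image, off)
        if name not in (b"\x00", b"\x01"):      # skip the '.' and '..' entries
            entries.append((name.decode("ascii"), lba, size, bool(flags & 2)))
        off += length
    return entries

def dump_file(image, lba, size):
    """Extract a file's bytes from its extent, like `isodump.py -s N -d`."""
    return image[lba * SECTOR:lba * SECTOR + size]

def describe(data):
    """Identify a PE file by its MZ magic (bytes 4D 5A) and hash it for a VirusTotal lookup."""
    kind = "PE executable (MZ header)" if data[:2] == b"MZ" else "unknown"
    return kind, hashlib.sha256(data).hexdigest()
```

The extracted bytes never have to touch disk: `dump_file` returns them in memory, which is the same property the diary praises in the -d option.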

Cloud Security and Risk Mitigation

AlienVault Blogs - Mon, 2019/07/15 - 15:00
The cloud certainly offers its advantages, yet as with any large-scale deployment, the cloud can offer some unforeseen challenges. The concept of the cloud just being “someone else’s data center” has always been a cringe moment for me, because this assumes a release of security responsibility since ‘someone else will take care of it’. Yes, cloud systems, networks and applications are not physically located within your control, but security responsibility and risk mitigation are. Cloud infrastructure providers allow a great deal of control in terms of how you set up that environment, what you put in your environment, how you protect your data and how you monitor that environment. Managing risk throughout that environment and providing alignment with your existing security framework is what is most important.

Privacy and Risk

With GDPR and the “sister” policies in the U.S. as seen in Arizona, Colorado, California and others, organizations face increased requirements when it comes to protecting data in the cloud. And it is not as simple as deploying data loss prevention (DLP) in a data center, since the data center has now become fragmented. You now have a bunch of services, systems and infrastructures that are no longer owned by you but still require visibility and control. Cloud services and infrastructures that share or exchange information also become difficult to manage: who owns the SLAs? Is there a single pane of glass that monitors everything? DevOps has forced corporations to go as far as implementing micro-segmentation and adjusting processes around firewall rule change management. Furthermore, serverless computing has provided organizations with a means to cut costs and speed productivity by allowing developers to run code without having to worry about infrastructures and platforms.
Without having a handle on virtual private clouds and workload deployments, however, things can quickly spin out of control, and you start to see data leaking from one environment just as you’ve achieved a comfortable level of security in another.

Mitigation

Several steps can be taken to help mitigate risk to an organization’s data in the cloud.
  1. Design to align. First and foremost, align your cloud environment with cybersecurity frameworks. Often organizations move to the cloud so rapidly that the security controls historically applied to their on-premises data centers, which have evolved and hardened over time, do not migrate effectively or map directly to the cloud. Furthermore, an organization may relax the security microscope on widely used SaaS applications. But even with these legitimate business applications, without the right visibility and control, data may end up being leaked. Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a highly secure, optimized and more productive implementation of a cloud platform, giving better results and a successful deployment. Moreover, being able to do this while implementing the cloud technology can help demonstrate measurable security improvement to the business by giving a “before” and “after” implementation picture.
  2. Make yourself at home. Cloud systems and networks should be treated the way you treat your LAN and Data Center.  Amazon’s Shared Responsibility Model, for example, outlines where Amazon’s security responsibility ends, and your security responsibility begins.  While threats at the compute layer exist, as we’ve seen with Meltdown, Foreshadow and Spectre, recent cloud data breaches have shown a breakdown in an organization’s security responsibility area, namely operating system security, data encryption and access control.  If your organization has standards that govern the configuration of servers, vulnerability management, patching, IAM, encryption, segmentation, firewall rules, application development and monitoring, see to it that those standards are applied to cloud services and are audited regularly.  Routine assessments of cloud infrastructure architectures by a third party can be done just as effectively as a review of your LAN & WAN for best security practices.
  3. Stop the “sneaking out at night”. Not too long ago, you would see organizations struggle with employees setting up unsecured wireless access points in an attempt to gain more flexibility and efficiency in their everyday job. The nickname is “shadow IT”, where business units avoid getting IT and security involved in what they’re doing so they can move faster. Fast forward to today: wireless controllers providing rogue detection and Intrusion Prevention System (IPS) capabilities have helped rein in that activity. With the cloud, employees are setting up cloud storage accounts, serverless computing environments and virtual private networks as needed to circumvent lengthy and cumbersome change control procedures, cut costs and gain similar flexibility and efficiency. By rearchitecting legacy networks, readjusting decades-old processes and procedures, implementing cloud proxy or CASB technology, and coupling that with strong endpoint security controls and an effective awareness campaign, an organization can provide that level of flexibility and efficiency while still providing for data protection.
  4. Keep a close watch.  The Cybersecurity Operations Center (CSOC) should no longer be concerned with just the local network and data centers.  The operational monitoring procedures, threat hunting, intelligence, and incident response that the SOC uses also apply to cloud environments where the organization’s data resides. Monitoring SaaS applications where corporate data may reside is challenging but can be done using effective endpoint security coupled with the monitoring of cloud access solutions (CASB, Proxy, and others).  For a serverless environment, depending on your CSOC requirements, this may mean the application of third-party monitoring platforms or solutions above and beyond what cloud providers offer.  In all cases, event logging and triggers need to feed back to the CSOC to be correlated with local event data, analytics and threat intelligence.
With all the cloud services available, and new services being offered daily, it is no wonder companies struggle to manage risk. Shifting from a culture of “do whatever it takes to get the job done” to “do what is right for the business” takes a lot of coordinated effort and time, but it is rooted in security becoming a business enabler rather than continuing to be in the business of ‘no’. Organizations must include security in technology decisions if security is to continue to protect the business, and security must understand the needs of the business and changes in technology in order to be that enabler. To help prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions to accommodate that speed and convenience, or find themselves constantly trying to keep up.

Discount coupon at @0xWord: some "drawn" books and holidays

Un informático en el lado del mal - Mon, 2019/07/15 - 07:53
As every year, 0xWord is going to close for a few weeks in August, so from today until 25 July at 24:00:00 we will have a 10% discount coupon active on all the material you buy in the 0xWord store. You only need to enter the coupon VERANO2019 during online checkout in the store and you will get the discount.
Figure 1: Discount coupon at 0xWord: some "drawn" books and holidays
This discount applies to everything in the store: the 0xWord books, the discount packs, including those inside the cybersecurity "master" programme, the comics we have at 0xWord, the novels from 0xWord Pocket (perfect for reading on the beach), as well as the Virtual Books, the hand-made FOCA and Cálico Electrónico plush toys, the posters, the Fear The FOCA stickers, the Cálico Electrónico 3D pendrive, Armatura, and so on.

Figure 2: The Complete Collection pack, also with a 10% discount using the COUPON
If you are a company, or the library of a training centre that wants to have all the books available for lending (these are usually the institutions that buy the Complete Collection pack), you can take the 48 books with the 10% discount on top of the discount the pack already carries for containing every book we have published.




Of course, for this summer there are also those T-shirts I wear, from Evil:ONE, Fear The FOCA and "Yo Soy Maligno", which we have available for sale. And this week or next you will probably have a couple of new ones with Cálico Electrónico and Profesor Alonso, which are the ones Nikotxan and Cels Piñol have made for me for the next conference season.



Also, since I will first be on holiday and then travelling around the world, I have left some books signed with my No Lusers drawings for the first of you who request them. I have left dedicated:
  • 10 Pentesting con FOCA
  • 10 Hacking de Aplicaciones Web: SQL Injection
  • 10 Hacking Web Technologies
  • 10 Hacking iOS: iPhone & iPad [2ª Edición]
  • 5 Evil: ONE comics
  • 1 Profesor Alonso poster
  • 1 Fear The FOCA poster
To get one, in the order notes you must write a message saying that you want the books dedicated by me, so that they give you one of the copies I have left dedicated; life has only given me time for so many. You know I draw one of my No Lusers cartoons in every dedication, and it takes a little time.



Afterwards, the store will close to take inventory, rest and plan the future, because we need to sit down and think about where we want to take this project after more than a decade with it. We have to think about the next steps.


And for those of you who often ask me how to learn computer security, how to improve, how to move from your current job to working in hacking, as a pentester or as a security auditor, the answer is: study, practise, read, be part of the community. This is the order we would recommend for studying seriously, if you really want to learn.

Figure 7: Master in Cybersecurity with 0xWord by Chema Alonso
So make the most of your time as we all do and read a lot this summer, on weekends at the beach or on afternoons by the pool. That is what I plan to do, as I do every summer.
Saludos Malignos!

ISC Stormcast For Monday, July 15th 2019 https://isc.sans.edu/podcastdetail.html?id=6576, (Mon, Jul 15th)

SANS Internet Storm Center, InfoCON: green - Mon, 2019/07/15 - 05:00

IDA 7.3: CSS styling

Hex blog - Wed, 2019/06/19 - 13:08
Since version 7.3, IDA is styled using CSS. Please see this article to see what can be done, and how!

Using Anomaly Detection to find malicious domains

Fox-IT - Tue, 2019/06/11 - 15:00
Applying unsupervised machine learning to find ‘randomly generated’ domains.
Authors: Ruud van Luijk and Anne Postma

At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of our Security Operations Center. One of these areas is applying data science techniques to real-world data in real-world production environments, such as anomalous SMB sequences, beaconing patterns, and other unexpected patterns. This blog entry will share an application of machine learning to detect random-like patterns, indicating possible malicious activity.

Attackers use domain generation algorithms[1] (DGA) to build a resilient Command and Control[2] (C2) infrastructure. Automatic and large-scale malware operations pose a challenge for the C2 infrastructure of malware. If defenders identify key domains of the malware, these can be taken down or sinkholed, weakening the C2. To overcome this challenge, attackers may use a domain generation algorithm. A DGA is used to dynamically generate a large number of seemingly random domain names and then select a small subset of these domains for C2 communication. The generated domains are computed based on a given seed, which can consist of numeric constants, the current date, or even the Twitter trend of the day. Based on this same seed, each infected device will produce the same domain. The rapid change of C2 domains in use allows attackers to create a large network of servers that is resilient to sinkholing, takedowns, and blacklisting. If you sinkhole one domain, another pops up the next day or the next minute. This technique is commonly used by multiple malware families and actors. For example, Ramnit, Gozi, and Quakbot use generated domains in the malware.

Methods for detection

Machine-learning approaches have proven effective at detecting DGA domains, in contrast to static rules. The input of these machine-learning approaches may for example consist of the entropy, frequency of occurrence, top-level domain, number of dictionary words, length of the domain, and n-grams. However, many of these approaches need labelled data. You need to know a lot of ‘good’ domains, and a lot of DGA domains. Good domains can be taken, for example, from the Alexa and Majestic million sets, and DGA domains can be generated from known malicious algorithms. While these DGA domains are valid, they are only valid for as long as that specific algorithm remains in use. If there is a new type of DGA, chances are your model is no longer correct and does not detect the newly generated domains. Language regions pose a challenge for the ‘good’ domains. Each language has different structures and combinations. Taking the Alexa or Majestic million is a one-size-fits-all approach. Nuances might get lost.

To overcome the challenges of labelled data, unsupervised machine learning might be a solution. These approaches do not need an explicit DGA training set; you only need to know what is normal or expected. A majority of research moves to variants of neural networks, which require a lot of computational power to train and predict. With the amount of network data this is not necessarily a deal-breaker if there is ample computing power, but it certainly is a factor to consider. An easier-to-implement solution is to look solely at the occurrences of n-grams to define what is normal. N-grams are sequences of N consecutive elements such as words or letters, where bi-grams (2-grams) are sequences of two, tri-grams (3-grams) are sequences of three, etc. To illustrate with the domain ‘google.com’:

“This is an intuitive way to dissect language. Because, what are the odds you see a ‘kzp’ in a domain? And what are the odds you see ‘oog’ in a domain?”

We calculate the domain probability by multiplying the probability of each of the tri-grams and normalise by dividing it by the length of the domain. We chose an unconditional probability, meaning we ignore the dependency between n-grams, as this speeds up training and calculation times. We also ignored the top-level domain (e.g. “.co.uk”, “.org”), as these are common in both normal and DGA domains, so that our model focuses on the parts of the domain that are distinctive. If the domain probability is below a predefined threshold, the domain deviates from the baseline and is likely a DGA domain.

Results

To evaluate this technique we trained on roughly 8 million non-unique common names of a network, thereby creating a baseline of what is normal for this network. We evaluated the model by scoring one million non-unique common names and roughly 125,000 DGA domains over multiple algorithms, provided by Johannes Bader[3]. We excluded some domains that are known to use randomly generated (sub)domains from both the training and evaluation set, such as content delivery networks. The figure below illustrates the log probability distributions of the blue baseline domains, i.e. the domains you would expect to see, and the red DGA domains. Although a clear distinction between the two distributions can be seen, there is also a small overlap visible between -10 and -7.5. This is because some DGA domains are much alike to regular domains, some baseline domains are random-like, and for some domains our model wasn’t able to correctly distinguish them from DGA domains.

For our detection to be practically useful in large operations, such as Security Operation Centers, we need a very low false positive rate. We also assumed that every baseline has a small contamination ratio. We chose a ratio of 0.001%. We also use this as the cut-off value between predicting a domain as DGA or not. During hunting this threshold may be increased or completely ignored.

                     True DGA    True Normal
  Predicted DGA      94.67%      ~0
  Predicted Normal    6.33%      ~100%
  Total              100%        100%

If we take the cut-off value at this point we get an accuracy (the percentage correct) of 99.35% and an F1-score of 97.26.

Conclusion

DGA domains are a tactic used by various malware families. Machine learning approaches have proven useful in detecting this tactic, but fail to generalize into a simple and strong solution for production. By relaxing some restrictions on the math and compensating for this with a lot of baseline data, a simple and effective solution can be found. This simple and effective solution does not rely on labelled data, is on par with scientific research, and has the benefit of taking into account the common language of regular domains used in the network. We demonstrated this solution with hostnames in common names, but it is also applicable to HTTP and DNS. Moreover, a wide range of applications is possible since it detects deviations from the expected: for example randomly generated file names, deviating hostnames, unexpected sequences of connections, etc.
  1. This technique was recently added to MITRE ATT&CK: https://attack.mitre.org/techniques/T1483/
  2. For more information about C2, see: https://attack.mitre.org/tactics/TA0011/
  3. https://github.com/baderj/domain_generation_algorithms
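As an added example (not Fox-IT's code), here is the tri-gram baseline described above in Python: it ignores the TLD, uses unconditional tri-gram probabilities, normalises the log-probability by domain length, and takes the cut-off from the 0.001% contamination ratio; `evaluate` produces the recall and false-positive rate that the results table reports. The baseline hostnames, the DGA-like test names and the add-one smoothing are constructed assumptions of this example.

```python
import math
from collections import Counter

# Constructed baseline of "normal" hostnames for a fictional network (not real data).
BASELINE = [
    "www.example.com", "mail.example.com", "mail2.example.com", "webmail.example.com",
    "fileserver01.example.com", "fileserver02.example.com", "printserver.example.com",
    "intranet.example.com", "sharepoint.example.com", "login.example.com",
    "www.google.com", "mail.google.com", "accounts.google.com", "www.microsoft.com",
    "login.microsoftonline.com", "outlook.office.com", "update.microsoft.com",
    "www.windowsupdate.com", "cdn.example.net", "static.example.net", "api.example.net",
    "vpn.example.com", "dc01.corp.example.com", "dc02.corp.example.com",
]

def strip_tld(domain):
    """Drop the final label, since the model ignores the TLD. Assumption: a one-label
    suffix; multi-part suffixes such as '.co.uk' would need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]

def trigrams(text):
    """All overlapping tri-grams: 'google' -> ['goo', 'oog', 'ogl', 'gle']."""
    return [text[i:i + 3] for i in range(len(text) - 2)]

class TrigramBaseline:
    def __init__(self, contamination=0.00001):
        self.contamination = contamination  # 0.001%, the ratio chosen in the post
        self.counts, self.total, self.threshold = Counter(), 0, None

    def fit(self, domains):
        for d in domains:
            grams = trigrams(strip_tld(d))
            self.counts.update(grams)
            self.total += len(grams)
        # The lowest-scoring 0.001% of the baseline is assumed to be contamination;
        # the score at that quantile becomes the cut-off between DGA and normal.
        scores = sorted(self.score(d) for d in domains)
        self.threshold = scores[int(self.contamination * len(scores))]
        return self

    def _logprob(self, gram):
        # Unconditional tri-gram probability (dependencies between n-grams ignored), with
        # add-one smoothing so unseen tri-grams keep a small non-zero probability
        # (the smoothing is an assumption of this example, not stated in the post).
        return math.log((self.counts[gram] + 1) / (self.total + len(self.counts)))

    def score(self, domain):
        """Log of the product of tri-gram probabilities, normalised by domain length."""
        name = strip_tld(domain)
        grams = trigrams(name)
        if not grams:
            return 0.0  # fewer than three characters: no evidence, treat as normal
        return sum(self._logprob(g) for g in grams) / len(name)

    def is_dga(self, domain):
        return self.score(domain) < self.threshold

def evaluate(model, dga_domains, normal_domains):
    """Recall on DGA names and false-positive rate on normal names, as in the post's table."""
    recall = sum(model.is_dga(d) for d in dga_domains) / len(dga_domains)
    fpr = sum(model.is_dga(d) for d in normal_domains) / len(normal_domains)
    return recall, fpr
```

With a baseline this small the 0.001% quantile is simply the lowest baseline score, so every name scoring below the least likely legitimate host is flagged; on the 8 million names used in the post the quantile sits well inside the distribution.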