Archive for April 1st, 2019

Fake AV is Back: LaCie Network Drives Used to Spread Malware, (Tue, Apr 2nd)

I have not seen much Fake AntiVirus lately. Maybe I haven’t been looking for it. But this weekend, I received a few identical spam messages with slightly different subjects advertising that I had won a licensed copy of ESET’s NOD32 Anti Virus. Many anti-malware products are offering free or highly discounted initial licenses to lure buyers, so this email may seem legitimate to some, even though it wasn’t done terribly convincing (I am using a script to defang HTML in all email I receive which may account for some of the formatting issues):

The link, went down the folling redirect chain:[IP Address]/LaCie/Tirel/eav_1year.exe&client=clck&sign=[hex hash]
ftp://[IP Address]/LaCie/Tirel/eav_1year.exe

The FTP URL is typical for a LaCie network connected drive. It isn’t clear how the attacker obtained access to this drive, but typically, these drives are compromised via weak passwords or vulnerable applications installed on the drive. 

The binary does result in a mixed Virustotal picture, but oddly enough, it looks like I was the first one uploading it, about two days after I saw the email:

ESET’s product did not recognize the file as malicious. This being an FTP URL made it easy to get a directory listing:

The executables in this folder are triggering various malware signatures. Other files appear to include simple password brute force utilities supporting the guess that this drive was compromised using a simple password.

The first directory contains a number of password protected zip files with various tools (based on the ZIP file listing) including openvpn configuration files.

Oracle.rar includes the obligatory xmrig miner which is still part of pretty much any compromised system I am running into.

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Analysis of PDFs Created with OpenOffice/LibreOffice, (Mon, Apr 1st)

From time to time, I get a question about PDFs that have an /OpenAction, but don’t seem to contain (malicious) code.

When you look at such a PDF with, everything looks OK, except that there is an /OpenAction:

You can also find search keywords like /OpenAction using‘s statistics option (-a). Best is to combine this with option -O to look inside stream objects, should they be present:

The /OpenAction is in object 12:

This /OpenAction is typically added by OpenOffice and LibreOffice when creating a PDF document. Its purpose is to present the first page when you open the document for the first time. This is called an Explicit Destination.

/OpenAction here is not used to execute JavaScript code upon opening of the PDF (as is often the case with malicious PDFs), but it is used to present the first page with the desired position and zoom. This is explained in the PDF reference documents:

This explicit destination refers to object 1: this is a page:

When you encounter a document like this, it’s most likely not malicious. Should you suspect that this is targeted, then you could continue your analysis as explained in diary entry series “It is a resume“, for example. A targeted attack might use a more sofisticated exploit, without any of the signs reported by pdfid or pdf-parser’s statistics. But it’s very unlikely to find this in common maldocs.

Here is a video for this quick analysis:


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →