
What data does Vidar malware steal from an infected host?, (Wed, Oct 9th)

Introduction

What is Vidar? Vidar is an information-stealing malware family with very distinct infection traffic. What does it steal? Let's examine some infection traffic to find out. Today's diary reviews infection traffic from a malicious Word document discovered on Tuesday 2019-10-08 that uses macros to push Vidar.


Shown above:  The malicious Word document found in VirusTotal.

The malicious Word document

VirusTotal and other sources like URLhaus show a malicious Word document (SHA256 hash: 0c91fa2d30e1981d8ac276ecaacb4225c3bef5be8143597720e37e7dc5447099) was available on two blacklisted URLs hosted at speciosarepublic[.]com as early as Tuesday 2019-10-08.  I checked one of the URLs and was able to retrieve the Word document.


Shown above:  Downloading the malicious Word document.


Shown above:  Opening the malicious Word document.


Shown above:  After enabling macros, you can see text that was probably supposed to appear before enabling macros.

Infection traffic

I submitted the URL to the Any.Run sandbox, and it generated traffic with alerts for Vidar.  When viewed in Wireshark, the last HTTP request in the infection traffic ends with:

POST / HTTP/1.1  (zip)

This indicates a zip archive was sent to a command and control server at weimachel[.]net.


Shown above:  Infection traffic from the Any.Run analysis filtered in Wireshark.


Shown above:  Follow TCP stream in Wireshark for the last HTTP POST request.


Shown above:  This TCP stream has multiple HTTP POST requests, so scroll down to find the final one.


Shown above:  Scroll down further, and you’ll find the zip archive sent during the final HTTP POST request.

Extracting the zip archive from the pcap

We can extract data from the final HTTP POST request from the pcap.  Then we can carve the zip archive from the extracted data as shown in the images below.


Shown above:  File –> Export Objects –> HTTP…


Shown above:  Wireshark’s HTTP object list, and exportable data that contains the POST-ed zip archive.


Shown above:  After exporting the binary from Wireshark, open it in a hex editor and delete data POST-ed before the actual zip archive.


Shown above:  The first two bytes of a zip archive show as ASCII characters PK, so delete POST-ed data before that.


Shown above:  The beginning of the zip archive is now the beginning of the file.


Shown above:  Delete the ending boundary marker from the HTTP POST request at the end of this file.

After you’ve carved and saved the binary, it should be a fully-functional zip archive.  The contents can be extracted with an archive manager, and you can review what data was exfiltrated from the infected Windows host.  This data includes system information, passwords, browser cookies, and a screenshot of the desktop.
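A scripted version of the carving steps above, added here as an example (it is not code from the diary): it finds the first zip local file header, locates the end-of-central-directory record and keeps exactly the archive, so the bytes before "PK" and the multipart boundary trailer are dropped automatically. The sample POST body is constructed inline in place of the Wireshark HTTP export.

```python
import io
import zipfile

# PKZIP signatures: local file header (archive start) and end-of-central-directory record.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_MIN_LEN = 22  # fixed EOCD size; a trailing archive comment can follow it


def carve_zip(post_body: bytes) -> bytes:
    """Carve the zip archive out of an exported HTTP POST body.

    Same steps as the hex-editor walkthrough: drop everything before the first
    'PK' local file header, then drop the multipart boundary that follows the
    archive's end-of-central-directory (EOCD) record.
    """
    start = post_body.find(ZIP_LOCAL_HEADER)
    if start == -1:
        raise ValueError("no zip local file header (PK..) in POST body")
    # Search from the end so the trailing boundary bytes are skipped.
    eocd = post_body.rfind(ZIP_EOCD, start)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record found")
    comment_len = int.from_bytes(post_body[eocd + 20:eocd + 22], "little")
    return post_body[start:eocd + EOCD_MIN_LEN + comment_len]


def list_exfiltrated_files(zip_bytes: bytes) -> list:
    """Return member names of a carved archive after a CRC check of every member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if zf.testzip() is not None:
            raise ValueError("carved archive failed CRC check")
        return zf.namelist()


def build_sample_post() -> bytes:
    """Constructed sample POST body (multipart/form-data around a small zip);
    it stands in for the Wireshark HTTP export and is not real Vidar data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("information.txt", "constructed system info\n")
        zf.writestr("passwords.txt", "constructed placeholder\n")
    boundary = b"----constructedBoundary1234"
    return (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="a.zip"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n"
            + buf.getvalue() + b"\r\n--" + boundary + b"--\r\n")


if __name__ == "__main__":
    print(list_exfiltrated_files(carve_zip(build_sample_post())))
```

To use it on a real case, read the file exported via File -> Export Objects -> HTTP into `post_body` and write the returned bytes to a .zip file.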


Shown above:  Contents of the zip archive, after it’s carved from the extracted data.

Final words

Sandbox analysis of this malicious Word doc can be found here, where you can download the pcap, review the data, and try extracting the zip archive using Wireshark.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

This month we got patches for 59 vulnerabilities total. None of them have been previously disclosed nor are being exploited according to Microsoft. 

Amongst the 9 critical vulnerabilities, it's worth mentioning the remote code execution one that affects Microsoft XML Core Services (CVE-2019-1060). To exploit this vulnerability, an attacker would have to convince a user to access a specially crafted website designed to invoke MSXML through the web browser. When Internet Explorer parses the malicious content, the attacker could run malicious code remotely on the user's system.

There is also a critical remote code execution vulnerability in the Windows Remote Desktop Client (CVE-2019-1333). To exploit this vulnerability, an attacker would have to force the user to connect to a malicious server, or compromise a legitimate server to host the malicious code on it and wait for users to connect.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| Azure App Service Remote Code Execution Vulnerability | CVE-2019-1372 | No | No | Less Likely | Less Likely | Critical | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1307 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1308 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1335 | No | No | | | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1366 | No | No | | | Critical | 4.2 | 3.8 |
| Hyper-V Information Disclosure Vulnerability | CVE-2019-1230 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Internet Explorer Memory Corruption Vulnerability | CVE-2019-1371 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1358 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1359 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Latest Servicing Stack Updates | ADV990001 | No | No | | | Critical | | |
| MS XML Remote Code Execution Vulnerability | CVE-2019-1060 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| Microsoft Browser Spoofing Vulnerability | CVE-2019-0608 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Microsoft Browser Spoofing Vulnerability | CVE-2019-1357 | No | No | Less Likely | Less Likely | Important | 3.5 | 3.2 |
| Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | CVE-2019-1375 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Edge based on Edge HTML Information Disclosure Vulnerability | CVE-2019-1356 | No | No | | | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1327 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2019-1331 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Components Information Disclosure Vulnerability | CVE-2019-1361 | No | No | | | Important | 5.5 | 5.0 |
| Microsoft IIS Server Elevation of Privilege Vulnerability | CVE-2019-1365 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-1070 | No | No | | | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-1329 | No | No | | | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-1330 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-1328 | No | No | | | Important | | |
| Microsoft Windows CloudStore Elevation of Privilege Vulnerability | CVE-2019-1321 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2 |
| Microsoft Windows Denial of Service Vulnerability | CVE-2019-1317 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8 |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1320 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1322 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1340 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Windows Setup Elevation of Privilege Vulnerability | CVE-2019-1316 | No | No | Less Likely | Less Likely | Important | 7.3 | 6.6 |
| Microsoft Windows Transport Layer Security Spoofing Vulnerability | CVE-2019-1318 | No | No | Less Likely | Less Likely | Important | 7.7 | 6.9 |
| Microsoft Windows Update Client Elevation of Privilege Vulnerability | CVE-2019-1323 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Microsoft Windows Update Client Elevation of Privilege Vulnerability | CVE-2019-1336 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Open Enclave SDK Information Disclosure Vulnerability | CVE-2019-1369 | No | No | Less Likely | Less Likely | Important | | |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2019-1333 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| SQL Server Management Studio Information Disclosure Vulnerability | CVE-2019-1313 | No | No | Less Likely | Less Likely | Important | | |
| SQL Server Management Studio Information Disclosure Vulnerability | CVE-2019-1376 | No | No | Less Likely | Less Likely | Important | | |
| VBScript Remote Code Execution Vulnerability | CVE-2019-1238 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8 |
| VBScript Remote Code Execution Vulnerability | CVE-2019-1239 | No | No | | | Critical | 6.4 | 5.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1362 | No | No | | | Important | 7.0 | 6.3 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-1364 | No | No | | | Important | 7.0 | 6.3 |
| Windows 10 Mobile Security Feature Bypass Vulnerability | CVE-2019-1314 | No | No | Less Likely | Less Likely | Important | | |
| Windows Code Integrity Module Information Disclosure Vulnerability | CVE-2019-1344 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Denial of Service Vulnerability | CVE-2019-1343 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9 |
| Windows Denial of Service Vulnerability | CVE-2019-1346 | No | No | Less Likely | Less Likely | Important | 5.7 | 5.1 |
| Windows Denial of Service Vulnerability | CVE-2019-1347 | No | No | Less Likely | Less Likely | Important | 5.7 | 5.1 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-1319 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2019-1342 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2019-1315 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2019-1339 | No | No | | | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-1363 | No | No | | | Important | 5.5 | 5.0 |
| Windows Imaging API Remote Code Execution Vulnerability | CVE-2019-1311 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-1345 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2019-1334 | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
| Windows NTLM Security Feature Bypass Vulnerability | CVE-2019-1338 | No | No | | | Important | 5.3 | 4.8 |
| Windows NTLM Tampering Vulnerability | CVE-2019-1166 | No | No | Less Likely | Less Likely | Important | 5.9 | 5.3 |
| Windows Power Service Elevation of Privilege Vulnerability | CVE-2019-1341 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | CVE-2019-1325 | No | No | Less Likely | Unlikely | Important | 5.5 | 5.0 |
| Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | CVE-2019-1326 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Windows Secure Boot Security Feature Bypass Vulnerability | CVE-2019-1368 | No | No | Less Likely | Less Likely | Important | 4.9 | 4.4 |
| Windows Update Client Information Disclosure Vulnerability | CVE-2019-1337 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |

Renato Marinho
Morphus Labs
