惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Spread Privacy
Spread Privacy
V
Visual Studio Blog
爱范儿
爱范儿
Apple Machine Learning Research
Apple Machine Learning Research
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
GbyAI
GbyAI
Google DeepMind News
Google DeepMind News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
V2EX
J
Java Code Geeks
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Blog — PlanetScale
Blog — PlanetScale
N
Netflix TechBlog - Medium
B
Blog RSS Feed
博客园 - 【当耐特】
有赞技术团队
有赞技术团队
The Register - Security
The Register - Security
Latest news
Latest news
The Cloudflare Blog
Project Zero
Project Zero
月光博客
月光博客
U
Unit 42
Vercel News
Vercel News
Attack and Defense Labs
Attack and Defense Labs
Know Your Adversary
Know Your Adversary
V
Vulnerabilities – Threatpost
F
Full Disclosure
Schneier on Security
Schneier on Security
Google Online Security Blog
Google Online Security Blog
MyScale Blog
MyScale Blog
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
博客园 - 叶小钗
腾讯CDC
博客园 - 三生石上(FineUI控件)
T
The Blog of Author Tim Ferriss
D
Darknet – Hacking Tools, Hacker News & Cyber Security
博客园 - Franky
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
Security Latest
Security Latest
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
MongoDB | Blog
MongoDB | Blog
D
DataBreaches.Net
SecWiki News
SecWiki News
Recorded Future
Recorded Future
NISL@THU
NISL@THU
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cloudbric
Cloudbric

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) A New Botnet is Targeting Network Infrastructure Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Malware Emails From Jerks Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Retrieving WPA2 Keys on Windows Deploy MDT Litetouch on Linux with TFTPD and Syslinux Generating MSI transform files with Orca The Inflatable Dinghy Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
Malware emails 2: Russian boogaloo
2020-10-24 · via Posts on Noah Bailey

Today I got yet another malware email. They just won’t leave me alone. I suspect it has to do with the upcoming US election, based on all the CISA alerts I’ve seen over the last couple days.

However, after going down the rabbit hole with this malware I do suspect that whatever is behind it is more sophisticated than a simple ransomware gang. I won’t speculate too much, but because of its highly distributed and evasive design it could be the work of a larger enterprise.

The email itself is pretty basic:

Job Application
From:Stephenie Schmuff <[email protected]>
To:Noah Bailey <[email protected]>
Date:Friday, October 23rd, 2020 at 14:50

Dear,

I'm very interested in applying for a position you advertised on the employment portal recently.

Please take a minute to review my attached Resume and Cover letter Documents:

- Up-To-Date Resume
- Customized Cover Letter

It would be a great pleasure to hear back from you soon to discuss this exciting opportunity.
Thank you.

Pretty dumb, considering I have zero employees and have never posted any jobs anywhere. What would an employee of mine do exactly? Wash my dishes? Feed my cats? All I ask is that these hackers do a little due diligence!!

Regardless, I grabbed a zip of the attachments and fed it through a few sandboxes.

Stage 1: Excel macros

First was to feed the excel sheet directly into Hybrid-Analysis (CrowdStrike):

https://www.hybrid-analysis.com/sample/0bd62462edc5ca217ba2cdc54e717b951a0eec461705f1d2c28f382dd63b77b2?environmentId=120

Sadly, it was unable to perform a proper analysis marking it as ambiguous.

JoeSandbox did a lot better, finding some interesting results:

https://www.joesandbox.com/analysis/303332/0/html

Namely, it extracts a macro that downloads a file from a remote server: hxxp://205.185.113.20/cXQT5g

According to public whois data, that IP belongs to FranTech Solutions. Attempting to access the site gives this message:

*   Trying 205.185.113.20:80...
* Connected to 205.185.113.20 (205.185.113.20) port 80 (#0)
> GET / HTTP/1.1
> Host: 205.185.113.20
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Fri, 23 Oct 2020 20:37:33 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 26
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0
< Expires: 0
< Last-Modified: Fri, 23 Oct 2020 20:37:33 GMT
< Pragma: no-cache
< Vary: Accept-Encoding
< 
* Connection #0 to host 205.185.113.20 left intact
Default campaign not found

Based on the ‘Default campaign not found’ text, I suspect that this is a compromised webserver that is being used to distribute the malware.

Stage II: The Trojan

This analysis was based largely on these sandbox reports:

After the macro runs, this payload is downloaded and run in the background.

According to the scanner reports, it has two URLs on the server, though they are the exact same file:

  • hxxp://205.185.113.20/files/2.dll
  • hxxp://205.185.113.20/cXQT5g

When executed, the payload contacts an additional IP, 91.203.192.40:80 which appears to be the C2 server.

Next, msiexec is triggered by the dll file. This appears to be the piece that installs the persistent trojan.

During this stage of execution, there are some additional domains contacted by this malware:

donburitimesofindia.com. 600    IN      A       91.203.192.40
celtictimesofkarishan.com. 600  IN      A       91.203.192.40
wingtonwelbemdon.com.   600     IN      A       91.203.192.40
myworld2002020999.com  # NXDOMAIN
welcometothehotelsoflifes.com # NXDOMAIN
wheredidtheelllcctoncsgo.com # NXDOMAIN

When I attempted to map out the C2 server it appeared to be offline:

*   Trying 91.203.192.40:80...
* Connected to 91.203.192.40 (91.203.192.40) port 80 (#0)
> GET / HTTP/1.1
> Host: 91.203.192.40
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
< 
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0

Nmap reveals some interesting information:

PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 de:50:0c:82:bd:b9:a0:f0:82:7c:bd:ce:b1:10:b9:0f (RSA)
|   256 51:38:7c:76:e5:31:e4:30:88:cc:49:bf:fe:c5:c8:e8 (ECDSA)
|_  256 45:6d:45:fe:4c:94:e2:f8:28:dc:07:2e:c2:95:20:10 (ED25519)
25/tcp  filtered smtp
80/tcp  open     http-proxy   HAProxy http proxy 1.3.1 or later
|_http-title: Site doesn't have a title (text/html).
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open     https?
445/tcp filtered microsoft-ds
Service Info: OS: Linux; Device: load balancer; CPE: cpe:/o:linux:linux_kernel

Likewise, according to whois data it is registered to a Russian ISP:

organisation:   ORG-GL395-RIPE
org-name:       Garant-Park-Internet LLC
org-type:       LIR
address:        Trofimova st., 1/17
address:        115432
address:        Moscow
address:        RUSSIAN FEDERATION
admin-c:        KV3284-RIPE

After examining the reports, I tried some different URLs but didn’t make any progress mapping out the C2 server:

$ curl -XPOST http://donburitimesofindia.com/web/post.php -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36' -vvv
*   Trying 91.203.192.40:80...
* Connected to donburitimesofindia.com (91.203.192.40) port 80 (#0)
> POST / HTTP/1.1
> Host: donburitimesofindia.com
> Accept: */*
> User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 23 Oct 2020 21:33:47 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 2
< Connection: close
< 

Despite my efforts, I can’t seem to decode the ‘magic string’ that the malware POSTs to this server:

[g+|?sy6WT=}XJ%~Wh~6hoq3H7*U{m4PV}Q}{Am3%b ?k+/7,?8nUh]q|$MH,<!9">f(a xQ:9?|,H<&Goakp0V}a3p@3hgxQ_G&B'+s:`"CdUcj^t!-bifBV')WpB1=]La-Q5ECdv*f~:\jj\V")3T85/_yHGE}o7I+M!ma825tn#)$;`r

Nonetheless, this is virulent and malicious software that we must fight back against.

Sysadmin’s Revenge

To protect the community, I have taken the following actions:

  • Contacted mail.com support to report the account for abuse
  • Contact the admin at FranTech regarding the compromised webserver (205.185.113.20)
  • Submitted an abuse ticket to NameCheap for the three active domains, and to potentially blacklist the three unregistered domains

So, within the next hours and days this operation will hopefully be shut down and inactive.