惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
美团技术团队
NISL@THU
NISL@THU
C
Cisco Blogs
SecWiki News
SecWiki News
N
Netflix TechBlog - Medium
Forbes - Security
Forbes - Security
Cloudbric
Cloudbric
雷峰网
雷峰网
T
Tailwind CSS Blog
博客园 - 司徒正美
The Register - Security
The Register - Security
L
LangChain Blog
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
B
Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Threat Research - Cisco Blogs
I
InfoQ
S
Schneier on Security
L
Lohrmann on Cybersecurity
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
TaoSecurity Blog
TaoSecurity Blog
K
Kaspersky official blog
Google DeepMind News
Google DeepMind News
Cisco Talos Blog
Cisco Talos Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
WordPress大学
WordPress大学
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
Project Zero
Project Zero
The GitHub Blog
The GitHub Blog
D
Docker
N
News | PayPal Newsroom
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Hacker News: Front Page
云风的 BLOG
云风的 BLOG
Microsoft Security Blog
Microsoft Security Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 聂微东
Webroot Blog
Webroot Blog
MongoDB | Blog
MongoDB | Blog

Posts on Noah Bailey

How to turn anything into a router Deploy to Cloudfront from GitHub using OpenID Connect Backup Postgres databases with Kubernetes CronJobs The spelling error made 200 billion times a day Restarting Kubernetes pods using a CronJob You've just bought a new domain. Now what? Who Sawed My Motherboard??? Linux on the P8 Aliexpress Mini Laptop Recovering Mysql/Mariadb after a nasty crash Using EXIF data to pick my next lens Converting and developing RAW photos on Linux automatically Thank you, 2016 iPhone Don't Make It Work Self-hosted Surveillance with ZoneMinder Backups, Monitoring, and Security for small Mastodon servers Block web scanners with ipset & iptables Executing commands over SSH with GitHub Actions Debian Sid on encrypted ZFS Protect your dangerously insecure redis server Debian: the luxurious boring lifestyle Monitor radiation with a Raspberry Pi Simple Linux server alerts: Know your performance, errors, security, syslog, and security NUC crashes on debian 11 - How I fixed it Basic Linux server security with fail2ban, ossec, and firewall Windows 11 will create heaps of needless trash Domesticated Kubernetes Networking The Cursed Certificate Our mostly disposable and entirely stupid world Trying out OpenBSD (as a Linux geek) Making VoIP Calls with Antique Rotary Phones Monitoring WAN speed with speedtest-cli and ElasticSearch Monitoring WAN latency with InfluxDB The Zeroshell botnet returns Installing Gentoo on a vintage Thinkpad T60 Malware emails 2: Russian boogaloo TP-Link Device Weirdness ElasticSearch broke all my nice things (a story of cascading failure) A New Botnet is Targeting Network Infrastructure Malware on the Wire: Monitoring Network Traffic with Suricata and ClamAV Cloud Threat Protection with OSSEC and Suricata Surviving the Apocalypse with an Offline Wikipedia Server Being Attacked by Bots Linux Router, Firewall and IDS Appliance You Probably Don't Need a VPN Fix an Oversharded Elasticsearch Cluster Automating KVM Virtualization Update all your linux servers as fast as possible Cleanup Systemd Journald Storage Stop Putting Your SSH Keys on Github! Clustering KVM with Ceph Storage Stealing Windows Sessions FreeRadius Active Directory Integration Retrieving WPA2 Keys on Windows Deploy MDT Litetouch on Linux with TFTPD and Syslinux Generating MSI transform files with Orca The Inflatable Dinghy Generating Cisco IOS config files with Python Homebrew SAN Getting Cloudy
Malware Emails From Jerks
2020-04-10 · via Posts on Noah Bailey

Today, I got an email inquiring about a job opportunity. This was immediately pretty funny, since I don’t employ anybody including myself. Even better, the guy sent a Microsoft Excel file as the ‘resume’, so even if I was hiring… Sorry bud, not going to be you.

Now normally I just delete these documents and report spam. But seeing as how I’m locked into my house and have nothing better to do right now, I figured I might as well have some fun with this. So, here’s how to identify malware, and when you do, how to screw over the malware distributor.

Identifying Malware

First and foremost, this email attachment is a macro virus. This means that as soon as it opens in Microsoft Excel it will prompt the user to ‘Enable Macros’, then download a second stage trojan.

This loader then downloads additional malware to the system, typically ransomware.

So, the first step is to identify the threats. There are a few online tools for this, so we will start with the fastest and then move towards the most accurate.

VirusTotal

First step is to hit VirusTotal. It’s quick and dirty but gets the job done. In this case, this was the first time that VT had seen this hash, so very little recognition here.

https://www.virustotal.com/gui/file/006800b3ac96a69dc4e0797d89f3fb9211e8ec4da7e41737bfb51bc60ccaeb41/detection

CrowdStrike

Running Hybrid-Analysis generally gives a much better picture, since it runs a virtual machine that opens the file and runs whatever macros are inside it. Unlike VirusTotal, CrowdStrike finds lots and lots of nasties.

https://www.hybrid-analysis.com/sample/006800b3ac96a69dc4e0797d89f3fb9211e8ec4da7e41737bfb51bc60ccaeb41x

ANY.RUN

Any.run has a much more user-friendly viewport for these sorts of files, but doesn’t provide the same level of detail that CrowdStrike does. It does, however, show us a live view of the screen of our VM during this malware infection.

https://app.any.run/tasks/c11b50a6-202c-41d9-805f-fd7554e21651

…And it looks like David didn’t do a very good job on this one.

Analysis

So, what can we surmise from this sample? Well, it’s honestly pretty boring and pedestrian. Thanks for the crap malware, David.

This is typical Excel macro malware, likely a second stage downloader for some crypto locker that would show up after a couple hours to trash whatever network resources it can find.

Nasty Downloads

The macro downloads a file from a VM hosted in Alibaba Cloud, accessed by the URL http://march262020.com/files/april8.dll.

However, the malware also contains a few extra domains in case the main one gets taken down (which it will):

  • march262020.best
  • march262020.live
  • march262020.network

There is also the domain that the email was sent from:

  • jdscentral.com

And one other domain, though I’m not sure what this one is used for:

  • turn-eu.nenly.cn

Next, I like to check out whois data for the domain.

Domain name: march262020.com
Registry Domain ID: 2507617644_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-03-26T16:11:03.00Z
Registrar Registration Expiration Date: 2021-03-26T16:11:03.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC

Nasty Files

Once the trojan is installed, there are a few files that are executed:

Filename SHA1
ieTneVi.dll a7bdf8da3a30ac98a0df9fd0bd50f61a330056f1
umzioxa.dll a7bdf8da3a30ac98a0df9fd0bd50f61a330056f1
april8_1_.dll a7bdf8da3a30ac98a0df9fd0bd50f61a330056f1

Yep, all the dll’s it tries to load are exactly the same file with different names. Not sure what this is trying to accomplish, but our friend David could probably tell you.

The Server

So, what can we find out about the server hosting the second stage?

The second stage does earn a 13/77 on VT, so it is obviously malicious. But what is the actual server?

First step is to check out Whois. This IP address is registered to Alibaba Cloud (Germany).

NetRange:       47.254.128.0 - 47.254.191.255
CIDR:           47.254.128.0/18
NetName:        ALICLOUD-GM
NetHandle:      NET-47-254-128-0-1
Parent:         AL-3 (NET-47-250-0-0-1)
NetType:        Reassigned
OriginAS:       AS45102
Customer:       AliCloud (Germany) GmbH (C06869651)
RegDate:        2018-01-09
Updated:        2018-01-09

Unfortunately, shodan hasn’t scanned this box yet, so we’re on our own here. Running a curl -vvv 47.254.169.119 gives us this view of the headers:

> GET /files/april8.dll HTTP/1.1
> Host: march262020.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 10 Apr 2020 02:22:43 GMT
< Content-Type: application/x-msdos-program
< Content-Length: 372736
< Connection: keep-alive
< Last-Modified: Thu, 09 Apr 2020 17:43:47 GMT
< ETag: "5b000-5a2df28a71ac0"
< Accept-Ranges: bytes

Neat, so the server is on Nginx. Good choice, David. What else are you hiding?

According to nmap, a bog standard Buster box.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 c9:c1:13:91:22:45:ad:cf:63:99:53:d0:bc:e9:84:4e (RSA)
|_  256 78:be:ba:6f:b4:54:6b:c0:7c:44:3d:6c:8a:69:59:df (ECDSA)
80/tcp open  http    nginx
|_http-title: 403 Forbidden
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Taking out the Trash

So at this point I think it’s safe to say that David’s up to no good.

As of tonight, the 9th of April, I have submitted abuse reports:

  1. To NameCheap for the march262020.* domain
  2. To Alibaba Cloud for the server used to distribute malware
  3. To NameCheap for the jdscentral.com domain

What can be learned?

For those of us who use the web with integrity, it’s quite simple, don’t open strange emails from strangers.

But there’s a lot more to learn for spammers. This was a pretty botched execution. David, you need to do better.

  1. Do your research. It’s pretty obvious from my About page that I have no interest in hiring people.
  2. Be more selective with your target and adjust your methods accordingly. Again, a cursory glance at public information about me that I exclusively use GNU/Linux desktops, so what use would a Win32 binary be? Absolutely useless, David.
  3. Who on earth sends their resume as a spreadsheet? Has this phish ever worked? Ever?

Either way, the domains will be coming down very soon. One less scumbag out there 😄