Thursday, December 21, 2023

Speeding up report reading and security/SOC alert triaging by auto-highlighting keywords on webpages

Introduction:

If you're a security analyst or threat researcher, you may spend a lot of time reading reports/blogs or looking through SIEM. 

It might get annoying to look for specific keywords/fields when looking through things, especially SIEM output. I know I had this issue.

I thought it'd be nice to have an extension that auto-highlighted things for me. While looking for such an extension I found the "Highlight This" extension. There are multiple extensions like that but this one took URLs of keywords, so I thought it was perfect to pair it with GitHub as I may be adding/removing keywords.

Extension can be found here: https://chromewebstore.google.com/detail/highlight-this-finds-and/fgmbnmjmbjenlhbefngfibmjkpbcljaj?pli=1

Developer's sites:

https://highlightthis.net/

https://deboel.eu/

The extension developer does have an optional subscription service which gives you additional abilities. (https://highlightthis.net/Subscription.html)


Github repo I'm using this with is here: https://github.com/BoredHackerBlog/highlight_keywords

You should probably make your own list based on your needs.

Setup:

Download the extension and remove the default list. Activate a subscription or activate the free version (or try the unlimited version for a limited time).

Add a new list. In my case, I'm pulling a list of keywords from Github so I can keep updating the list on Github in the future.

Add a list URL and customize all other options then start browsing!

I disabled "Only detect complete words", which can cause some bad highlighting. I'd recommend messing around and finding what works best for you.



The extension also gives you a report of the things it detected:



Results:

The DFIR Report page kinda looks like this:


https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/

Some XML sample logs


https://github.com/BoredHackerBlog/mitre_attack_xml_eventlogs/



Friday, November 17, 2023

Quick sample analysis which ended up dropping asyncrat

I came across a sample that involved traffic to 91.92.242.28:222.

There is a sandbox report here: https://tria.ge/231113-v9lgtaec41

I only looked at it because it involved so many files.

This is very quick and lazy analysis. I didn't spend time decompiling .NET.

At the time of analysis, the page had an open directory.

There is a script and .jpg file which is a zip file.


The script downloads the zip, extracts it to the Public folder, and initially starts the f1.vbs file.

The zip file has several files:


f1.vbs ends up launching f1.bat


f1.bat ends up launching powershell and f1.ps1


Powershell sets up a scheduled task to launch tron.vbs


tron.vbs launches tron.bat


tron.bat launches tron.ps1


This is where things are kinda interesting (relative to all the stuff above...)

Powershell has functions to decode/deobfuscate the other files


If we look at the runpe and msg files, which the script loads next, it's pretty easy to see a partial MZ header



Next it loads text from files for execution




It would finally run this:

$Coment is runpe.txt data and $JR is msg.txt data.

$u = [Reflection.Assembly]

$u::Load($Coment).GetType(NewPE2.PE).GetMethod(Execute).Invoke($null,[object[]] (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,$null,$JR,$true))

https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load?view=net-7.0 


I saved the PE files after they were decoded/deobfuscated. 

msg was asyncrat

https://www.virustotal.com/gui/file/a11cc3de26de3241be5f24c8c0d3e44b16e4fee35b8a306026e86590ccd8a0c1?nocache=1

runpe was injector

https://www.virustotal.com/gui/file/a550a06a66009040462411867fce966b24499290d08bac8b3596f715cd5c6596?nocache=1


So many files and so much execution just to drop asyncrat.



Sunday, October 22, 2023

Using command line redirection and DLL ordinals to potentially bypass detections

I came across this during a pentest. The techniques mentioned here are not new and there are already some detections in place but I don't see these techniques being used regularly...


Command redirection

The concept of redirection for command line is well known and is commonly used. (This should provide more info: https://ss64.com/nt/syntax-redirection.html)

For example, you can do `COMMAND > output.txt` to save output from a command.

There is also `<` where you can pass input from a file to an interactive binary or executable.

Additionally, you can also do | to pass input to a binary. 

Here are examples:





The redirection technique using < is what I observed during an alert from a pentest.

Essentially, the attacker added their commands for ntds dump to a text file then passed the text file to ntdsutil.exe using `<`, like so: `ntdsutil < filewithcommands.txt`

Usually, this is what you may see: `ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q`

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 

If your detections are looking specifically for command w/ "ac i ntds" and "create full" and the attacker uses the redirection technique, you may miss a detection.

There are sigma rules here that would and wouldn't miss this: https://detection.fyi/search/?query=ntdsutil

I just thought it was interesting for the attacker to write commands to text file and dump ntds.dit this way since I've never seen it being done like that.


Rundll32 w/ ordinals

This once again is not new. If you've done malware analysis, you've probably seen dll functions being called by the ordinal #. 

Essentially, you can call a function by ordinal instead of the function name.

These articles should explain the concept better:

https://www.pcmatic.com/blog/running-dll-files-malware-analysis/ 

https://kamransaifullah.medium.com/practical-malware-analysis-chapter-3-basic-dynamic-analysis-42e1b7e913d4

Here's an example:

Instead of using LaunchApplication, I can use #1 as that's the ordinal.


The way this technique was abused during the pentest was for an lsass dump. The attacker used rundll32 w/ C:\windows\System32\comsvcs.dll to dump lsass.

Typical command you'll see for this is ".\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"

https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs.dll

If we look at comsvcs.dll for MiniDump, we'll see MiniDumpW at ordinal 18 (hex; 24 in decimal).

Instead of writing MiniDump with comsvcs.dll in rundll32, the attacker replaced it with #24. If you're looking specifically for comsvcs and minidump, the rule would miss this. Again, this was the first time I've seen someone do lsass dump this specific way.

There are some rules here that would and wouldn't detect this technique: https://detection.fyi/search/?query=comsvcs



Just wrote this to share and to keep this in mind when looking at alerts, hunting, or writing detections. 

This assumes you only have 4688/command line logs. I'm aware that there are other ways to detect this activity but 🧂 sometimes you're lucky to even have 4688. 🧂 (yeah I work for a managed security provider)
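To make the detection gap for both techniques concrete, here is an added example (not from the original post or any rule it links to) that runs a keyword-only rule and a broader check over 4688-style command lines. The event list is constructed from the commands quoted above, and the names `keyword_only`, `triage` and `compare` are hypothetical.

```python
import re

# Constructed 4688-style (image, command line) pairs built from the commands
# quoted in this post; they are not real alert data.
# Assumption: cmd.exe consumes "<" itself, so the child ntdsutil.exe is logged
# without arguments and the redirect is only visible on the parent shell.
EVENTS = [
    ("ntdsutil.exe", r"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"),
    ("cmd.exe", r"cmd.exe /c ntdsutil < filewithcommands.txt"),
    ("ntdsutil.exe", "ntdsutil"),
    ("rundll32.exe", r".\rundll32.exe C:\windows\System32\comsvcs.dll, "
                     r"MiniDump 624 C:\temp\lsass.dmp full"),
    ("rundll32.exe", r".\rundll32.exe C:\windows\System32\comsvcs.dll, "
                     r"#24 624 C:\temp\lsass.dmp full"),
    ("rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

NTDS_KEYWORDS = re.compile(r"ac\s+i\w*\s+ntds.*create\s+full", re.I)
NTDS_STDIN = re.compile(r'ntdsutil(\.exe)?"?\s*<|\|\s*"?ntdsutil', re.I)
COMSVCS_EXPORT = re.compile(r'comsvcs(?:\.dll)?"?\s*,?\s*(#\d+|minidump\w*)', re.I)


def keyword_only(cmdline):
    """The narrow rule the post warns about: literal keywords only."""
    low = cmdline.lower()
    return ("ac i ntds" in low and "create full" in low) or (
        "comsvcs" in low and "minidump" in low)


def triage(image, cmdline):
    """Return a label for a suspicious process creation, or None."""
    if NTDS_KEYWORDS.search(cmdline):
        return "ntdsutil-ifm-keywords"
    if NTDS_STDIN.search(cmdline):
        return "ntdsutil-stdin-redirect"
    if image.lower() == "ntdsutil.exe" and len(cmdline.split()) == 1:
        return "ntdsutil-no-arguments"
    export = COMSVCS_EXPORT.search(cmdline)
    if image.lower() == "rundll32.exe" and export:
        by_ordinal = export.group(1).startswith("#")
        return "comsvcs-by-ordinal" if by_ordinal else "comsvcs-by-name"
    return None


def compare(events=EVENTS):
    """Return (narrow_rule_hit, broader_label) for each event."""
    return [(keyword_only(c), triage(i, c)) for i, c in events]


if __name__ == "__main__":
    for (image, cmdline), (narrow, label) in zip(EVENTS, compare()):
        print(f"{str(narrow):5} {str(label):24} {cmdline}")
```

The `ntdsutil-no-arguments` label also fires for an admin opening ntdsutil interactively, so treat it as a hunting lead and correlate it with the parent process and any new files written by ntdsutil.exe.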


https://twitter.com/cyb3rops/status/1389592014812024843



https://www.linkedin.com/posts/the-cyber-security-hub_activity-6909066000407633921-jVZQ



Saturday, October 7, 2023

Installing Whonix Gateway on Proxmox for threat & malware research

Intro

Whonix is a tool for routing traffic through Tor. Whonix VMs come as Desktop (with UI) or CLI. They provide two types of VMs: one is the gateway and one is the workstation. The Whonix gateway can be used to route traffic through Tor when you attach other VMs to it.

In this post, I'm just setting up Whonix Gateway CLI so I can route my VMs through Tor while I'm researching malware or threats.

This set up may not always be ideal for research as some C2's, phishing kits, and OSINT research sites may block tor exit nodes.


Warning: This method isn't officially supported by Whonix and I can't guarantee this is 100% safe and won't leak anything or won't allow an attacker to escape the whonix network or fingerprint you. Do your threat modeling and risk assessment for what you're planning to research or allow to execute in VM's. Follow official Whonix guidelines if you don't know what you're doing or don't feel comfortable doing this.


Proxmox Network Preparation

We need to create a new Linux Bridge/virtual network for Whonix so VM's can communicate with Whonix Gateway.

In proxmox host network settings, add a new Linux Bridge



Click "Apply Configuration" at the top to finish creating the bridge.

fyi: you may see vmbr1 if you don't have another bridge set up already.


Creating a VM

We need to create a VM to run Whonix Gateway in. We'll create the VM first then import the Whonix Gateway VMDK into it.

Pick a name

Click Do not use any media
Delete the disk, we'll import a disk later

CPU & Memory can be left at default values, however, I'm lowering my memory to 1024.
Network can be left as default vmbr0. We'll add 2nd interface later.

Once the VM is created, go to VM Hardware and add Network Device.

Pick and add Whonix bridge

That's all.

Loading the Whonix Gateway disk

Download Whonix CLI OVA file from here: https://www.whonix.org/wiki/VirtualBox#CLI

SCP the file to Proxmox.

Use tar to extract the OVA file, which will give you VMDK files.


Use qm import command to import the disk to your VM

The whonix-gateway-cli VM I created earlier has the id of 100. My storage is local-lvm (it's default proxmox storage). 


Once the import is done and you get the message of successful import, run `qm rescan`.

Feel free to remove the extracted files and ova file.


Modifying the Whonix Gateway VM again

Now we need to enable the disk and change our boot settings.

Go to Whonix-gateway-cli VM and Hardware tab and double click on "Unused disk 0" then click Add


Go to Options, double-click Boot Order and modify it to boot from scsi0/the disk we just loaded.


Configuring networking inside whonix-gateway-cli VM

Make sure to remember the MAC addresses for net0 and net1 listed in hardware tab.

Essentially, we want to make sure that net1/vmbr2/whonix network has 10.152.152.10 IP.

net0/vmbr0/normal network needs to be configured w/ static IP.

Start the VM and go to the console.

Login with user/changeme then go through all the set up steps.

When the machine is trying to connect to tor, press control+c to cancel the script and get a shell.


Edit the network configuration


Change the default eth0 configuration to a configuration that matches your network. Since the Proxmox VM isn't behind NAT, it should match the network your Proxmox machine is on.

This is default:

This is what I changed the configuration to:

Reboot the VM.

Login and run "ip a" command to ensure that Whonix network has 10.152.152.10 IP and eth0 has an actual IP for your normal network. Check the MAC address to make sure it matches the hardware you have attached.


Run "sudo systemcheck" to make sure you're connected to tor.


Check your IP and make sure it's not your IP.


Reboot the VM.

Attaching a VM or Container

I'm attaching a container to the Whonix network. You do pretty much the same with a VM, but the static IP assignment needs to be done inside the VM rather than in the Proxmox web UI. Check the Whonix docs and the links below.

I have created an Ubuntu container with the following network settings

Check IP


End

Have fun researching threats & malware!

Links

https://www.whonix.org/

https://www.whonix.org/wiki/VirtualBox#CLI

https://www.whonix.org/wiki/Documentation

https://www.whonix.org/wiki/Other_Operating_Systems

https://malware.news/t/setting-up-whonix-gateway-in-vmware-workstation/61279 

Tuesday, November 29, 2022

OpenSSL-1.0.0-fipps Linux Backdoor - Notes

Introduction:

In some security/malware chat room, someone posted about an ELF backdoor. At the time, I couldn't find much information about it or any related samples or reports. A few weeks ago, I saw a similar sample being discussed on Twitter, which was found by a researcher in an open directory.

In this post, I just have some notes on my analysis/research of this sample and related samples. This might help with writing a signature or doing further research. I'm just calling this OpenSSL-1.0.0-fipps backdoor since that's what it initially sends to the C2 server and "fipps" has an extra p. 

As far as I'm aware, I haven't found similar samples with the searches I've done and I have not seen any samples successfully connect to C2 on any public sandboxes. I was also not able to find any executables for the C2 with some of the yara rules I wrote and queried Hybrid-Analysis for.

Notes:

It's a reverse shell/backdoor. The binary reaches out to the C2 IP and port defined in the binary. You can find the C2 IP by just running strings.

Samples:
MD5 hashes:
eb7ba9f7424dffdb7d695b00007a3c6d VT: First Submission 2022-04-21 18:44:09 UTC, submission name: suspicious
97f352e2808c78eef9b31c758ca13032 VT: First Submission 2022-08-26 22:47:54 UTC, submission name: client
3e9ee5982e3054dc76d3ba5cc88ae3de VT: First Submission 2022-11-04 00:18:27 UTC, submission name: client

Sha256 hashes:
8cd16feb7318c0de3027894323a0ccaacb527e071aa4c4b691feb411b6bd0937
40da2329b2b81f237fc30d2274529e6fda4364516b78b4b88659c572fbc4bc02
4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8

C2s:
162.220.10.214
107.175.64.203
185.29.10.38

After doing some historic searches, the C2's were running Windows, not that it matters much.

TELFhash for the binaries is: t1afe0d814d67c0dad4ab20c30d4989a94a047eb2688752922ab98d9c1883d917f15cf5f

File command results & diff:
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=16eee120b0a557907a782d1405c8f86415902fa5, stripped
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=16eee120b0a557907a782d1405c8f86415902fa5, stripped
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=2c46d3c40075dc7a193f8041f9458b40fd1f31cf, stripped

The BuildIDs are the same for eb7ba9f7424dffdb7d695b00007a3c6d and 97f352e2808c78eef9b31c758ca13032 and the only diff is the IP.

< 00004110: 0000 0000 0000 0000 3130 372e 3137 352e  ........107.175.
< 00004120: 3634 2e32 3033 0067 6574 6966 6164 6472  64.203.getifaddr
---
> 00004110: 0000 0000 0000 0000 3136 322e 3232 302e  ........162.220.
> 00004120: 3130 2e32 3134 0067 6574 6966 6164 6472  10.214.getifaddr

Not 100% sure about the reason for this and why someone modified just the IP and why it wasn't recompiled.


eb7ba9f7424dffdb7d695b00007a3c6d was the sample being discussed in a chat room, the user mentioned that the file was dropped after log4j exploitation. 

The most recent sample 3e9ee5982e3054dc76d3ba5cc88ae3de was found in an open directory. Here's the tweet regarding it: https://twitter.com/r3dbU7z/status/1588337205595951106 In the reply tweet below (https://twitter.com/1ZRR4H/status/1588398704913895425 ) the user mentions finding a webshell as well. Maybe the threat actor is initially gaining access through external web vulns. I'm not really sure.

Finally, there is 97f352e2808c78eef9b31c758ca13032 and I'm not sure where it came from. The sample was discovered after searching for the following yara rule on Hybrid Analysis:

rule elf_backdoor_fipps
{
    strings:
        $a = "found mac address"
        $b = "RecvThread"
        $c = "OpenSSL-1.0.0-fipps"
        $d = "Disconnected!"
    condition:
        (all of them) and uint32(0) == 0x464c457f
}

(there is also "dbus-statd" that appears in all the binaries)

There is also a Suricata signature published by Proofpoint/EmergingThreats that exists:

alert tcp any any -> any 443 (msg:"ET MALWARE Malicious ELF Activity"; dsize:<50; content:"OpenSSL-1.0.0-fipps"; startswith; fast_pattern; reference:md5,eb7ba9f7424dffdb7d695b00007a3c6d; classtype:trojan-activity; sid:2036592; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_12;)

The suricata signature above is for initial connection from the backdoor to the c2 server.
When the sample runs, it prints "!!!Hello World!!!" and the mac address it found, connects to the C2 server, sends OpenSSL-1.0.0-fipps and the mac address.


There also appears to be I guess a heartbeat packet which looks like this:


Processing of commands takes place at FUN_00401f23 (I'm just using names ghidra assigns):


The binary is stripped and I wasn't able to figure out every single function or execute every single function but it has typical backdoor capabilities and it's also able to gather some info and send it back to the C2. There also seems to be encoding of the output (by FUN_00402181 ??) before it gets sent via network. 

1: grab user and system info

3: shell?
5: write file?
7: not sure
0xb: delete a file
0xd: directory/file listing?
0xf: not sure
0x11: not sure
0x13: not sure
0x17: seems to return c2 connection info

It does have functions for doing network connections, killing processes, etc...

From doing some testing, the command input that it expects seems to be 16 bytes. The following worked for me for deleting a file:
\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00 (command) \x05\x00 (input size)\x00\x00\x00\x00delme
0b is the command (the byte next to 0b is supposed to be the secondary command if that function supports it) and 05 is the number of bytes to read afterwards; delme is 5 bytes.


I'm not sure about the impact of changing other values in that 16 byte input but I know it changes the way the backdoor processes the input & encodes (first 8 bytes).
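For anyone decoding captured C2-to-backdoor traffic, here is an added example (not from the original post or from the sample itself) that splits a byte stream into command records using the header observed above. The field layout (2-byte little-endian size, 4 trailing unknown bytes) is an assumption drawn from the single `delme` test, and `parse_commands`, `COMMANDS` and `SAMPLE` are hypothetical names.

```python
import struct

HEADER_LEN = 16  # the post observed a 16-byte command header

# Command meanings as guessed in the post; "?" is the author's own uncertainty.
COMMANDS = {
    0x01: "grab user and system info", 0x03: "shell?", 0x05: "write file?",
    0x07: "not sure", 0x0B: "delete a file", 0x0D: "directory/file listing?",
    0x0F: "not sure", 0x11: "not sure", 0x13: "not sure",
    0x17: "seems to return c2 connection info",
}


def parse_commands(stream: bytes):
    """Split a C2-to-backdoor byte stream into decoded command records.

    Assumed layout: 8 bytes (the post says these change processing/encoding),
    command, secondary command, 2-byte little-endian input size,
    4 unknown bytes, then `size` bytes of input.
    """
    records, offset = [], 0
    while offset < len(stream):
        header = stream[offset:offset + HEADER_LEN]
        if len(header) < HEADER_LEN:
            records.append({"offset": offset, "error": "truncated header"})
            break
        prefix, cmd, sub, size, _unknown = struct.unpack("<8sBBH4s", header)
        data = stream[offset + HEADER_LEN:offset + HEADER_LEN + size]
        records.append({
            "offset": offset,
            "command": cmd,
            "meaning": COMMANDS.get(cmd, "not listed in the post"),
            "secondary": sub,
            # A non-zero prefix means the input may not be plain text.
            "prefix_is_zero": prefix == bytes(8),
            "data": data,
            "truncated": len(data) < size,
        })
        offset += HEADER_LEN + size
    return records


# Constructed capture: the post's delete example, a 0x17 command with no
# input, and a header cut off mid-packet.
SAMPLE = (bytes(8) + b"\x0b\x00" + b"\x05\x00" + bytes(4) + b"delme"
          + bytes(8) + b"\x17\x00" + b"\x00\x00" + bytes(4)
          + bytes(8) + b"\x0d\x00")

if __name__ == "__main__":
    for record in parse_commands(SAMPLE):
        print(record)
```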


Conclusion:

It's a weird backdoor that I haven't found much info about or have seen fully run in a sandbox while being connected to its C2. 

I assume it's being used after initial access through web/external vulnerability (according to the tweets related to the latest sample, the threat actor had some usernames and active directory info they had taken from an organization they breached) but I'm not sure as there aren't many samples (or reports) I was able to find with the TELFhash and yara rule I made. It's very easy for the threat actor to modify the strings in the binary. I did see some specific assembly instructions that I wrote yara rules for but they came back with the files that I already had.

Links: