Thursday, February 8, 2018

Malware Analysis, Threat Intelligence and Reverse Engineering: workshop slides


Last month, when I was in-between jobs, I gave a workshop for a group of 20-25 enthusiastic women, all either starting in infosec, or with an interest to start in this field.

The event, now obviously expired, can be found here:
CWF Women in Cyber Event #1: Malware Fundamentals

For that purpose, I had created a full workshop: slides or a presentation introducing the concepts of Malware Analysis, Threat Intelligence and Reverse Engineering.

The idea was to convey these topics in a clear and approachable manner, both theory and in practice; for the latter, I had set up a custom VM, with Labs, including my own created applications, some with simple obfuscation.

All participants were very enthusiastic, and I hope to have sparkled most, if not some of them to pursue a career in this field. For this exact same reason, I am now releasing the presentation to the public - the VM and recordings however will not be published, as I created these solely for CWF.

You may however download the LAB material from Github below:
https://github.com/bartblaze/MaTiRe

Without any further ado, you may find the slides below, on either SlideShare or SpeakerDeck:

SlideShare




SpeakerDeck




Any feedback is always appreciated.

I would also like to thank Nathalie for putting me in touch with Rosanna, the organiser of the CyberWayFinder program. And of course, my gratitude to all the attendees for making it so early on that Saturday-morning in Brussels, Belgium.:)

Mind the disclaimer. License: CC Attribution-NonCommercial-NoDerivs License

Wednesday, January 24, 2018

Quickpost: SteamStealers via Github


Back in 2014, I created a blog post named 'Malware spreading via Steam chat', where I analysed and discussed one of the first 'SteamStealers' - malware that is exclusively targeting gamers, or at least those who use Steam.

You can read that blog post here. Another SteamStealer technique was via a Chrome extension, and there are many others reported as well - if you fancy a read, check out the blog post and paper here.

This blog is meant as a quick post and heads-up, as some cybercriminals who use SteamStealer, are now also resorting to using Github. I was notified of this by Malwarehunterteam on Twitter:




In this example, Evrial uses Github to copy/steal clipboard contents, and replaces Steam trade offer links. Note that Evrial is a full-blown infostealer.


Another recent example, given to me by advicebanana, is a SteamStealer for the sole purpose of stealing your Steam credentials. In this specific case, the malware was redirected from:
http://screenpicture[.]pro/image293[.]jpg to the following page or Gist, hosted on Github:
https://raw.githubusercontent[.]com/Hamlo22888/Sur/master/image293[.]scr

While the gist is already offline at time of posting, it's possible some Steam users may have been tricked into downloaded and executing the file.

Interesting to note that the debug path in this specific sample is:
D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb
While in my original blog post, from 2014, it was as follows:

d:\asd\????????_new\??#\add\SteamComplex\SteamStealer\?????????? ?????????? (18)\SteamStealer\obj\Release\vv.pdb

It appears the original SteamStealer developer is still going strong.

For preventing getting scammed or ending up with a SteamStealer on your machine, follow the prevention tips in this blog post.



Conclusion

SteamStealers are (again) alive and well. While there was a drop observed at some point, due to the enormous amount of scamming websites, it appears the SteamStealer malware is back in business.

Github is also getting more popular among cybercriminals - often whitelisted in organisations, it offers yet again another method of hosting malware.

As mentioned before, follow the prevention tips in my earlier blog post to stay safe.


Indicators


Wednesday, December 6, 2017

StorageCrypt ransomware, a coinminer and more



Lawrence over at Bleeping Computer posted an interesting blog yesterday:
StorageCrypt Ransomware Infecting NAS Devices Using SambaCry

In that blog, Lawrence pointed out quite some users had issues with a new ransomware, dubbed StorageCrypt, and possibly spread via a worm.

There is a Windows component and a Linux component. We'll briefly take a look at both, hopefully providing some additional insight and indicators.


Windows artifacts

美女与野兽.exe is the Windows component, and as pointed out by Lawrence, translates loosely to 'Beauty and the Beast'.

This executable is packed with ASPack, and appears to to display worm-like and backdoor behaviour, with the additional 'feature' of spreading itself via removable drives. After unpacking the sample, it reveals some interesting strings:

1.vbpSMSS.EXEhttp://www.freewebs.com/kelly6666/sm.txthttp://www.freewebs.com/kelly6666/lo.txtDBST32NT.LOG.bak.exeV1.8Start Success.logyyyymmddmmssTxt Open ,Repair the application! is running, Repair the application from backup. is running, Repair the application from MySelf. running is running, update the application !Get V Data!Read Tname to memory.icoKill icoExtractIcons...Write to Tname...ip addr addedGetFolderFileDate...Replace all attrib.I m here!-->Insert Error : for .dll.dll  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShellexplorer.exe UserinitHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows9xPacksHKEY_CLASSES_ROOT\txtfile\shell\open\command NOTEPAD.EXE %1HKEY_HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_CURRENT_CONFIGHKEY_DYN_DATAErrorC:\boot_net.datC:\dosnal.exeFind all exe file from Local host*.exeDownload files is accomplish!Run files of download is success![autorun]Download files1 is accomplish!Run files1 of download is success!This program cannot be run in DOS mode.This program must be run under Win32Autorun.infsuccess.txtcmd.exe /C net view command.exe /C net view  to find to Create file.exeopen=.exeGet Local host IP: Rnd IP:DiskC:\dntboot.binip packet too_bigip unload
Whatever was hosted at www.freewebs[.]com, cannot be retrieved as it no longer exists.

In any case, binaries similar as to this one, appear to have been floating the web for quite a while, as can be observed in this analysis result from 2013 by Team Cymru's TotalHash.

I've uploaded the unpacked sample on Hybrid Analysis.


Linux artifacts

The Linux component appears to exist out of a Samba vulnerability, dubbed SambaCry, and assigned CVE-2017-7494 from earlier this year.

There are several components, which are listed in the table below.


Filename Hash Purpose
kJn8LUAZ.so 6b5b4fce04f36101c04c0c5b3f7935ea Downloads ‘sambacry’
ZbdofxPY.so 053bb22c2cedf5aa5a089bfd2acd31f6 Downloads ‘sambacry’
sambacry ffe17e314f7b1306b8badec03c36ccb4 Fetch other payloads
httpd1 a5e8cb2e7b84081f5b1f2867f2d26e81 Miner config
minerd32 a016b34ade18626f91d14e46588d6483 Coinminer
watchcat32 ac9ad6bc8cd8118eaeb204c2ebf95441 Watchdog

The 'sambacry' binary will, after one of the .so files has downloaded it, download a set of other files from the C2 server, which is 45.76.102[.]45.

These files are to support the coin mining and, alongside installed, is also what appears to be a watchdog, which monitors the miner process. Additionally, it runs the following in a loop:

while true do  
 ps -ef|grep -E "wget|curl"|grep -v $$|grep -v 45.76.102.45|awk '{print $2}'|xargs kill -9 
done

Whoever's behind this campaign is using the email address madhatterss@protonmail[.]com, as defined in the miner configuration:

{
        "url" : "stratum+tcp://xmr.pool.minergate.com:45560",
        "user" : "madhatterss@protonmail.com",
        "pass" : "x",
        "algo" : "cryptonight"
}

While analysing both Windows and Linux artifacts, I have not observed any ransomware behaviour, so likely the latter is installed manually later on by the attacker.

If you run a Samba server, patch immediately, as this vulnerability has already been reported in April.


Indicators



Sunday, December 3, 2017

Notes on Linux/BillGates



In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware.

You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses:
Notes on Linux/Xor.DDoS

This post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates', and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.


What is BillGates?

BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.

However, just as Xor.DDoS, it has limited rootkit and backdoor functionality and thus it's possible remote commands are executed as well as additional malware downloaded.


How can I identify BillGates artefacts?

Please find below a table with indicators.

Indicator Notes
/etc/cmd.n
/etc/conf.n
/etc/init.d/DbSecuritySpt
/etc/init.d/selinux
/etc/rcX.d/97DbSecuritySpt Where X is a number, usually symlinks to /etc/init.d/DbSecuritySpt
/home/ll2 Identify all files with random names in /home/
/tmp/.bash_root.tmp3
/tmp/.bash_root.tmp3h
/tmp/bill.lock Identify all .lock files in /tmp/
/tmp/bill.lod Contains Process ID (PID) of malware main module
/tmp/gates.lod
(or gates.lock)
Contains PID of malware main module
/tmp/moni.lod
(or moni.lock)
Contains PID of malware 'watchdog'
/tmp/notify.file
/usr/bin/*.lock Identify all .lock files in /tmp/
/usr/bin/bsd-port/.sshd
/usr/bin/bsd-port/*.lock
/usr/bin/bsd-port/getty
/usr/bin/bsd-port/getty/*.lock Identify all .lock files in /usr/bin/bsd-port/getty/
/usr/bin/pojie Identify all files with random names in /usr/bin/
/usr/lib/libamplify.so Configuration file



How can I identify BillGates DDoS modules?

These modules are usually stored in /etc/, and will have the following names:

  • atddd 
  • cupsdd 
  • cupsddh 
  • ksapdd 
  • kysapdd 
  • sksapdd
  • skysapdd

It may however be useful to use the find command in conjunction with these names, in case they are residing in a different location than /etc/.


How can I identify other modifications BillGates made?

BillGates does create aliases and/or modifies/replaces files which are typically used to monitor processes or the network. The following may be replaced:


  • /bin/lsof
  • /bin/netstat
  • /bin/ps
  • /bin/ss
  • /usr/bin/lsof
  • /usr/bin/netstat
  • /usr/bin/ps
  • /usr/bin/ss
  • /usr/sbin/lsof
  • /usr/sbin/netstat
  • /usr/sbin/ps
  • /usr/sbin/ss

A copy of the legitimate files is normally stored in:
/usr/bin/dpkgd/

Additionally, check for any potentially created jobs by looking in:
/etc/cron.X where X is a name or folder, for example /etc/cron.daily.

You may also wish to look in:
/var/spool/cron/


Removal instructions

While the ps command may be replaced, top is not. Run the top command and verify any illegitimate processes, usually they will be randomly named. Alternatively, identify the *.lod and *.lock files, and use cat for example to read them, and identify the PID of the malware.

Then, use kill to end the malicious process(es), and remove the files or artefacts as indicated in the table above.

Afterwards, use mv to move the legitimate files back to their original location. You can also use a file manager to easily move them, if you have one.

You may also use an anti-virus to identify and remove any malicious files, for example ClamAV does a great job - BillGates is a rather older botnet by now and thus most antiviruses should have coverage for it. Don't forget to update the anti-virus' signatures first, if needed.

This same explanation but step-by-step to make it easy:


  • Identify malicious processes: use top or check the PID in BillGates' config files;
  • Kill malicious processes: use kill -9   to kill any of its processes;
  • Remove malicious files and folders, see the sections above;
  • Replace potentially hijacked files and restore them to their original location, see also above:
  • Identify any malicious tasks and delete them as indicated above;
  • Run top again to verify there are no malicious processes left;
  • Run an anti-virus or anti-malware as a secondary opinion;
  • Change your passwords, better be safe than sorry!

Conclusion

While Linux/BillGates may not be the biggest player on the market anymore, or even not as popular or common nowadays, the threat still exists, just like Xor.DDoS.

Practice proper security hygiene and take appropriate preventative measures.

In the resources section below, you may find additional useful links.


Resources

Saturday, November 4, 2017

CrunchyRoll hack delivers malware


Introduction

There's a Reddit post today with a PSA (Public Service Announcement) about Crunchyroll, a website that offers anime streaming, being hacked:

PSA : Don't enter crunchyroll.com at the moment, it seems they've been hacked.

As mentioned before, Crunchyroll offers anime streaming, and in their own words:
Enjoy your favorite anime & manga at the speed of Japan

The German Crunchyroll team has additionally issued the following warning:



The official CrunchyRoll Twitter account has tweeted the following:



If you are only interested in how to remove this malware, scroll down to the disinfection/removal section, or click here.


Update:  CrunchyRoll has announced, after a few hours, that the issue is resolved:



However, I still advise you to scroll over to the disinfection or removal section. Any questions, feel free to leave a comment, or contact me on Twitter.



Analysis

So, what happens when you visit the CrunchyRoll website? Curently, you get a message the website has encountered an error:

Figure 1 - CrunchyRoll error page

Earlier today, the CrunchyRoll website was showing the following:

Figure 2 - Likely hacked CrunchyRoll website (Image source)


While the CrunchyRoll team claims it was a DNS hijack, I have (so far) found no evidence as to the validity of this claim, and it rather appears someone was able to hack the website.

Either way, while this is bad, CrunchyRoll took swift action by taking down the website, and an investigation is under way.

What happens if you click the 'Download now' button? A new file, called CrunchyViewer.exe, will be downloaded from the following IP address:

109.232.225[.]12

This IP appears to have hosted fake antivirus software or similar in the past:

Figure 3 - Older resolutions (2010)

The newly download file is seemingly the legitimate CrunchyViewer or Crunchyroll, but, near the end of the file, there is a chunk of Base64 encoded data appended, as seen in Figure 4:

Figure 4 - base64 encoded data (click to enlarge)

Using a Base64 decoder, we get a new file, called svchost.exe. This binary will place a copy of itself in the current user's %appdata%\roaming folder, for example:

C:\Users\Yourusername\AppData\Roaming\svchost.exe

This file will periodically call to its C2, or command-and-control server, and wait for any commands:

145.239.41[.]131

Currently, it does not appear the C2 responds on that specific port (6969), however, it is online.

There are claims the malware will additionally install ransomware - I have not observed this behaviour, but it is definitely possible once the C2 sends back (any) commands. More likely, it is a form of keylogger - malware that can record anything you type, and send it back to the attacker.

Update: It appears however, thanks to ANY.RUN for the heads-up, (analysis here) that the malware actually downloads Meterpreter, which is a default Metasploit payload.

More information about Meterpreter can be found here, but basically, it can be viewed as a backdoor, as it allows the attacker to completely control your machine. However, it does appear the C2 server only downloaded Meterpreter for a limited amount of time - as port 6969 only responded within a specific time-frame.

Note that the disinfection or removal tips are still applicable in this case.

Svchost.exe will also create an autorun entry:

Figure 5 - newly created run key (click to enlarge)

This basically means the malware will start every time you (re)boot or restart the machine.

Just for fun, it appear that the miscreant's name, or the person responsible for creating the malware is named Ben, as appears from the debug paths:

C:\Users\Ben\Desktop\taiga-develop\bin\Debug\Taiga.pdb 
c:\users\ben\source\repos\svchost\Release\svchost.pdb

Taiga is 'A lightweight anime tracker for Windows'. This does not mean they are involved, but rather that 'Ben' has decided to include Taiga in the package.

Update: the developer of Taiga has included a fix for 'CrunchyViewer':
https://github.com/erengy/taiga/issues/489

Thus, if you now update or install the official Taiga application, it will prompt you if the malware is found, and is able to remove it.


Disinfection/Removal

Disinfection is rather straightforward:


  • Remove the malicious "Java" Run key, by opening Regedit, and browsing to:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Delete the 'Java' key;
  • Reboot your machine;
  • Remove the malicious binary, by navigating to:
    %appdata%\Roaming (for exampleC:\Users\Yourusername\AppData\Roaming\)
  • Delete the 'svchost.exe' file.
  • Perform a scan with your installed antivirus product;
  • Perform a scan with an online antivirus, which is different from the one you have. Alternatively, perform a scan with Malwarebytes.
  • Change all your passwords if possible. Better be safe than sorry.



Prevention


Prevention  advise in general, which also pertains to CrunchyRoll's compromise:

  • Install an antivirus;
  • Keep your browser up-to-date;
  • Install NoScript if you have Firefox;
  • Install a 'well-rounded' ad-blocker, for example uBlock Origin (works with most browsers);
  • If a website you visit frequently suddenly looks completely different, or urges you to download whatever, be safe rather than sorry, and leave the website.
  • Additionally, try to Google or use social media to verify if anyone else is experiencing the same issue.
In this particular case or incident, you may also want to block the two IP addresses as described in this blog post, by adding them in your firewall.



Conclusion

This hack shows that any website or organisation is, in theory, vulnerable to someone hijacking the website, and consequently download and install malware on a user's machine.

While it is uncertain what exactly happened, CrunchyRoll took correct action by taking the website down not too long after. At this point, it is best to monitor their Twitter account, and/or wait for an official statement.

If you have not executed the file, you should be safe. Simply delete the downloaded file.

Note that I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack - however; when I investigated shortly after, I didn't observe any secondary malware.

Update: the second-stage payload was the default Meterpreter by Metasploit. Updated analysis above. This does not affect or change the disinfection or removal steps.

Follow the prevention tips above to stay secure. Any questions or feedback? Feel free to leave a comment, or reach out to me on Twitter.



IOCs