YARA rule for Dridex

Have been learning YARA from few days and below is my first YARA rule for a IOCs collected while analysing a word document. Analysis concluded with presence of Dridex malware.

rule dridex : dridex
{
meta:
description = “Dridex Malware Indicators”
author = “Kunal Makwana”
date = “2016/04/03”
thread_level = 4
in_the_wild = true

strings:
$domain = “g-t-c-co.uk” nocase
$ip = “185.11.240.14” wide ascii
$mail = “ali73_2008027@yahoo.co.uk” wide ascii

condition:
$domain or $ip or $mail
}

Will be writing more as days go by.

Happy Malware Analysis!!!!!

List of IOCs collected so far

Hunters,

This post is to share indicators of compromise that I collected so far for analysis and investigation that I have been doing.

Most of the them are collected from other websites as json, MISP exports etc. Normally I update that back to csirtg.io/users/makflwana but I just wanted to share it on my blog too.

Following are the links where you find the list of IOC in CSV format – some indicators are quite old and some are new. I will see if an re-verify but that will take some time.

Link: https://github.com/makflwana/IOCs-in-CSV-format

Happy Hunting!!!!!

A javascript file – Invoice from UK

It’s been quite a while I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.

email

Email Analysis :

  • sender : Woodard.52@sunshine-yorkshire.co.uk
  • IP – extracted from the header : 130.204.206.58 – 602ad0ccae26.softphone.blizoo.bg – Blugaria
  • Sender does not know my name so addressed me with my email id – Chances of using a phishing tool – sending random phishing emails.
  • No mention of the organisation Mr Royce is representing – Likely sunshinecare – but no mention in signature. Sunshhine care is and provides health and social care services in UK.

Attachment:

  • Zip file with my email id : myemailid_addition_028146
  • Contains javascript : addition-7866.js

Javascript analysis:

  • Javascript seems to be incomplete and functions are not properly defined
  • only see eveal :  eval(aZRcdUoP1.split(”).reverse().join(”));
  • aZRcdUoP1 is only defined variable however it is commented out.
  • Function aZRcdUoP1.split is not defined at all.

There is no other html files in the attachment that references the script. Uploaded the file to VirusTotal and results were interesting – 22 vendors identified as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/

File was also analysed using jsdetox and jsunpack and nothing was detected. It is likely that same filename was analysed previously via VirusTotal which has links or IOC’s as detected by vendors.Below are the file details:

  • MD5: ee427a22d3a6e25251bbfb7bc3823140
  • SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
  • SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e

JS was not able to execute as by default windows script host can only execute script with less than or equal to 1022 characters. You can always change it but the solution is beyond this article.

Final words:

The email address and language is quite good but malware/js is quite old and not properly scripted. Attachment is zip and with only one js. also, the malware is widely known.

Security Controls:

  • Endpoint protections – normally all corporate organiations has it
  • Changing file extensions – If for some reasons endpoints are not updated or not available on the system, a good way to make sure foreign files do not execute on the system, one can change their default application – for example an .js file on the system can be opened in notepad – can change from group policies. This will make sure any foreign/malicious javascript that managed to get into the system will open as text file which will not infect the system and notify user of a file which should not be there.
  • Email gateway tuning – must be properly tuned to make sure these type of emails are considered spam – mostly all properly tuned will do so – mentioned email/IP can be updated on the security devices.

The Vendor, The MSSPs and The Consultant

I have been waiting for quite a while to write something about my experience with vendors, MSSPs and consultants. This is my own opinion and is not targeting any specific entity. I have worked with multiple vendors, MSSPs and consultants and what I have always noticed is, the “OUR” attitude. I do understand they are here to make money and sell their services/solutions, but there is nothing wrong in sprinkling it with some honesty.

  • Vendors – Buy our products and you will be safe.
  • MSSPs – Subscribe to our services and you will be safe.
  • Consultants – Implement our recommendations and you will be safe.

We all know once you are connected to Internet eventually there would be someone to target and successfully gain access to your systems. Its not about ‘if’ its about ‘when’ (SANS GCIH). There are no “PERFECT” systems. There are ways to access air-gapped systems too. But this is beyond this article.

I see, Vendors are for detection and prevention – MSSPs are more reactive – but lot of customers and few eyes and sometimes those eyes are not much experienced – Consultants – How many consultants have actually used the product that they are endorsing/recommending – wouldn’t it be good if they are recommending a product/solution that they have actually used.

This attitude is one of the many reason why organisations get breached – ofcourse security awareness and correct implementation of security controls is also required – but imagine, if all three work together and provide honest, correct and pro-active solutions to customers, it would be a completely different picture. Also, organisations need to heavily invest on people. Lot of organisations are relying on outsourcing their security, and completely depending on them. This concept is wrong and every organisations should have security team with expertise in multiple areas internally to have additional eyes on the organisation.

Understand, our adversary – CYBER CRIMINALS – work as a team and with a strategy and we should too.

CIF – Feodotracker threat feeds

Good Day guys!!!!!.

Was able to write another yml script to collect feeds from Feodotracker and has been uploaded on my github account and also a project that I am honoured to work on with CSIRT (with guidance of Wes Young) – BEARDED AVENGER. This is a new version of CIF.

Threat feeds is provided in RSS format and therefore RSS parser have been used. YML script is available on my github account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers

Happy Hunting!!!!!!!

CIF – cleanmx threat feeds

Good Day today indeed. Have finally got some time to work on my skills for CIF and writing configuration (YAML scripts) to fetch open source threat feeds.

Started with a disabled configuration (/etc/cif/rules/disabled/cleanmx.cfg) for cleanmx. The cleanmx.cfg file provided should be referenced for the remote sites and id for cleanmx, that will require to write yml script.

The threat feed is provided in XML format and remote site link can be fetched either from the config file or directly from the cleanmx site (support.clean-mx.de). I will always recommend to check the links for the feeds on the browser regularly to see whether it is responding and whether it is correct link to fetch the feeds. Sometimes they change.

YML script is available on my github account – https://github.com/makflwana/CIF-Threat-Feeds-and-parsers

I will be writing more scripts to fetch open source threat feeds. If you guys have any threat feeds that are open source and not covered yet please let me know.

Happy Hunting!!!!!!!

CIF – Collective Intelligence Framework – My deployment

Morning Everybody!!!!

Been working on crafting my skills in Threat Intelligence and available open source system. As the title says I have been working on CIF from CSIRT and wanted to share my experience and my personal future developments.

Following are few screenshots of the system :

threat feeds ioc type applicationscif map

CIF comes with few default threat feeds and parsers. The scripts have parsers and remote hosts that are sending feeds. IOCs (Indicators of Compromise) such as IP address, URL, MD5 etc are fetched from the feeds. The scripts are written in YAML – human reabable text based language.

Visualisation is provided by Kibana (works on kibana 3 – shown above and Kibana 4 ) and ElasticSearch (1.4) is as database. Working on getting this to be updated on 2.x – requires full cluster update.

Experience :

  • I am running on a VM, Ubuntu, and have no issues. Sometimes do have to restart apache2, elasticsearch and cif services to populate custom dashboards and real-time data. Although one can make it as automated task by scripting or configure in cron tab.
  • System responsiveness is very good and intelligence feeds are quite good. Can be easily integrated with SIEM for additional context.
  • If you are security researcher and able to identify new IOC, you can update them on csirt.io and than it can be pulled as feeds onto the system – https://csirtg.io/users/makflwana/feeds

Future work:

  • I am currently working on more feeds – open source and writing parsers for them. I will be updating them on my github account : https://github.com/makflwana
  • STIX and TAXII – if i can
  • Working with CSIRT with regards to cif v3 – Bearded Avenger

Final words:

This is an excellent open source initiative from CSIRT (http://csirtgadgets.org/) in providing us with a framework and platform to share intelligence. One of the reason why hackers are one step ahead is they have better information sharing than organisation fighting against them and most of that is free and available in underground – dark net as we say. Meanwhile, vendors charges thousands and millions to share threat information.

 

Malware Analysis – Mind Map

Its been long time have updated my blog. Just busy @work and with family and trying to juggle a lot. Have been working a mind maps and this is the first one.

Malware Analysis is something I like and interested in.

I will creating other mind-maps. Mind-maps are also available on my github account here – https://github.com/makflwana/Tools-mindmap

Happy hunting!!!!!

Malware Analysis - mind-map
Malware Analysis – mind-map

Dridex malware dropper -New doc 115.doc

On a pleasant morning I received an email with an doc attachment. The email was not having any text or message. Subject was name of the attachment ‘New Doc 115’. It was my curious mind (place where the cat gets kills inevitably) that I decided to analyse it. The email actually identified it as a spam likely because of the sender or may be the attachment. But why ?

OLE documents with malicious macros are not new and this method is widely used to compromise a host. Once the doc file is accessed the embedded macros are executed (security options always prompts user to enable the macro). Following email is an example of such a social engineering attempted on my mailbox. The analysis conducted to identify indicators of compromise and what was the motive of the document/macros.

Spam email

email

Email Header Extract:

Looking at the email header we can see the sender is ali73_2008027@yahoo.co.uk with address 122.52.162.226.

Attachment : New Doc 115.doc

word-macro

The document has multiple macros. MS Word identifies and also shows security warnings. Once the macros are enabled document will drop malware and infect the host.

Below are the details of the doc file:

Filename New Doc 115.doc
Size 69632 bytes – 68 Kb
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251
Author 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Feb 10 08:02:00 2016, Last Saved Time/Date: Wed Feb 10 08:02:00 2016
Number of Pages 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5 98803eca69d946c5060316959f5d6eec
SHA1 41772ad8a7e7aec1b72286bf0b02c67a1a1baeb2
SHA256 421dd4156a7fa04da8c8eb9f3322b653d70cdb63bd1acb90b064202a2af2b5f2
SHA512 cd048439a1839bb8d82922684771ca20a01238185b493eedd82380f14ab0afbf210c4caf4c8dbcfb0146b47becfe72dbe5153e44d08dfd3723e0dda766b16a42
External site analysis Virus Total Link

 

Static Malware Analysis

This section shows methods for static malware analysis using OfficeMalScanner and Oledump.

To extract malicious macros OfficeMalScanner was used.

officemalscanner
Using OfficeMalScanner’s info mode, malicious macros can be extracted.

  1. Extracted Macros can be viewed in text editor. The macros will give some idea about what macros are written to do.
  2. Function names within macros are written in Spanish. Further information were identified using Oledump as shown in following screenshot. Macros are stored as streams in the word doc.
  3. Oledump.py can be used to get required information as shown in the screenshot.

oledump macro extractoledump.py pathtofile/New doc 115.doc

embedded objectoledump.py -s 7 pathtofile/New doc 115.doc . Stream 7 is the embedded object

sambof macro
Stream 14 – Interesting Macro named ‘SamboF’

Main Functions with translation:

  1. CIF as String
  2. Fecha as Date – Date as Date
  3. CuentaPropia2 as String – Own account2 as String
  4. cadSQL as String – cad SQL instance
  5. ConceptoTr as String – ConceptTr as String
  6. Tipo as Byte – Kind as Byte
  7. SufijoOEM as String – Suffic OEM

The functions is likely looking for the specific attributes in the SQL database or documents holding financial records.

Dynamic Malware Analysis

  1. Macros were enabled to see how the system behaves and what changes to registry or process are made.
  2. With windows defender enabled, following signatures were triggered when document was downloaded.anti-virus detection
  3. Ran the macros on Windows VM with no anti-virus or anti-malware. Enabling macros, a file label8.exe under the user Temp directory is created.label.exe proc
  4. Process Explorer with Virus Total integration was used to identify changes on the system and process which can be checked against Virus Total in real-time but no new process identified besides label8.exe.
  5. PE explorer and OllyDBG gives error when the file is being accessed syaing its not an EXE

Opening the file in notepad shows HTML response code as shown below :

response

6. System performance affected drastically where by CPU usage went to 100% as shown in the screenshot below. Ending the exe process, improved the performance and CPU usage went to normal.

cpu usage

7. The interface was being sniffed by the IPS with Emerging Threats Traffic triggered following signatures :

ips signautresSignature ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016 triggered. Interface shown – Snorby installed on Security Onion.

From the triggered signature we can say the communications was related to Dridex Malware. The malware is designed to steal banking credentials and other personal information of the user such as financial records of the user. Following payload shows the host being communicated – g-t-c.co.uk.

Dridex payload

payload

Indicators associated with the malware:

  1. 11.240.14 – g-t-c-co.uk
  2. ali73_2008027@yahoo.co.uk
  3. 122. 52.162.226 – 122.52.162.226.pldt.net, Phillipines

From the analysis we can say that users are still being targetted with specific type of malware such as Dridex which is used for stealing banking credentials with intent for fianancial gain. The macros were identified suspicious by Windows Defender and Virus Total and therefore we can say the methods that were used to send the malware is known. Also , the email was actually identified by spam as the sender email was yahoo.co.uk.

Understand the exposure level of a user is high and so is the risk. Besides relying on anti-virus or spam gateway we must make sure users are aware of these techniques and educated with regards to spam and phishing.