About 2 hours ago, reports started to come in about a new ransomware wave hitting the RU media agency Interfax, but it is extending to others in both RU and UA. It seems to be delivered via a malicious URL as a fake Flash update and then uses EternalBlue and Mimikatz for lateral movement and further spreading.

1dnscontrol[.]com/flash_install.php

Discoder/#BadRabbit IOCs as found by ESET:

There is still a lot of speculation though, as the analysis is at an early stage; more needs to come. At least it's not Friday!

Xavier Mertens (@xme)
Xme, 687 Posts, ISC Handler, Oct 24th 2017
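A quick way to act on the one URL indicator in the diary is to hunt for it in outbound proxy logs. The following Python is an added example, not code from the diary or from ESET's IOC list: it refangs the defanged indicator, parses Squid-style access.log lines and flags both exact IOC hits and the "fake Flash installer from a non-Adobe host" lure pattern the diary describes. The log lines, the ADOBE_HOSTS allowlist and the lure-path regex are constructed assumptions; only the 1dnscontrol[.]com/flash_install.php indicator comes from the post.

```python
import re
from urllib.parse import urlsplit

# Defanged IOC exactly as posted in the diary. Everything else in this block is constructed.
FAKE_FLASH_IOC = "1dnscontrol[.]com/flash_install.php"

# Hosts a genuine Flash installer would come from (assumption; extend for your environment).
ADOBE_HOSTS = {"get.adobe.com", "fpdownload.adobe.com", "fpdownload2.macromedia.com"}

# Assumed lure pattern: a Flash "installer"/"update" script or binary in the URL path.
FLASH_LURE_RE = re.compile(r"flash[_-]?(install|player|update)[^/]*\.(php|exe|js)$", re.IGNORECASE)


def refang(ioc):
    """Undo the usual defanging so the IOC can be compared against real log data."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".").replace("(dot)", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "http://" + s  # scheme-less IOC: assume plain HTTP so urlsplit yields host and path
    return s


def ioc_host_path(ioc):
    """Return (hostname, path) of a defanged IOC, lower-cased host."""
    u = urlsplit(refang(ioc))
    return u.hostname.lower(), u.path


def parse_squid_line(line):
    """Squid native access.log: ts elapsed client action/code bytes method URL user hier type."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"client": f[2], "method": f[5], "url": f[6]}


def hunt(log_lines, iocs=(FAKE_FLASH_IOC,)):
    """Return (client, url, reason) for each request matching an IOC or the lure pattern."""
    targets = [ioc_host_path(i) for i in iocs]
    hits = []
    for line in log_lines:
        rec = parse_squid_line(line)
        if not rec:
            continue
        u = urlsplit(rec["url"])
        host = (u.hostname or "").lower()
        for ioc_host, ioc_path in targets:
            if host == ioc_host and u.path == ioc_path:
                hits.append((rec["client"], rec["url"], "ioc:" + ioc_host))
                break
        else:
            # Heuristic (assumption): a Flash installer fetched from anywhere but Adobe
            # is the fake-update lure described in the diary.
            if FLASH_LURE_RE.search(u.path) and host not in ADOBE_HOSTS:
                hits.append((rec["client"], rec["url"], "flash-lure-path"))
    return hits


# Constructed Squid access.log sample (RFC 5737 addresses on the hierarchy side).
SAMPLE_LOG = [
    "1508836812.101    120 192.168.10.21 TCP_MISS/200 2310 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.2 text/html",
    "1508836815.332    245 192.168.10.45 TCP_MISS/200 351234 GET http://1dnscontrol.com/flash_install.php - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1508836820.017     98 192.168.10.33 TCP_MISS/200 1842 GET https://get.adobe.com/flashplayer/ - HIER_DIRECT/203.0.113.9 text/html",
    "1508836833.455    310 192.168.10.52 TCP_MISS/200 348800 GET http://cdn.example.net/update/flash_install.php?x=1 - HIER_DIRECT/203.0.113.7 application/octet-stream",
]

if __name__ == "__main__":
    for client, url, reason in hunt(SAMPLE_LOG):
        print(client, reason, url)
```

The exact-IOC branch is the high-confidence signal; the lure-path branch is a generalisation that will need tuning against your own traffic before it is used for blocking rather than hunting.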
Looking forward to hearing how this one gets in. Macros?

TuggDougins, 37 Posts, Oct 24th 2017
Quoting TuggDougins: Looking forward to hearing how this one gets in. Macros?

"It seems to be delivered via malicious URL as fake flash update and then using EternalBlue and Mimikatz for lateral movement and further spreading."

Brandon, 7 Posts, Oct 26th 2017
Here are some pcaps of the variant on Java:
https://www.dropbox.com/sh/liy3usle2h9lzw7/AABxG2L65hC3sJVzdCHFZHvZa?dl=0

And also the way to detect it easily:

bubu@val1:~/c++/aiengine/src$ ./aiengine -i /home/bubu/pcapfiles/ratty/ -R -r "^\x05(\x00$|$)" -r "^\x05$" -m
AIEngine running on Linux kernel 4.4.0-92-generic #115-Ubuntu SMP Thu Aug 10 09:04:33 UTC 2017 x86_64
GCC version:5.4.0
Pcap version:libpcap version 1.7.4
Pcre version:8.38
Boost version:1.58
Static memory support:no
[10/27/17 14:02:17] Lan network stack ready.
[10/27/17 14:02:17] Enable NIDSEngine on Lan network stack
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/072d69dc34676d269797afe1c68bc6d65f7e2711519c1bf2f3e7714ee62822f1.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 11 KBytes of memory
Flow:[192.168.56.17:58739:6:134.255.216.114:1234] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/354e763f72eeed01067109bfd74d85c5e31e84ef6024bd8b459040a501e927dc.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.11:52044:6:89.33.16.229:1337] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/3f3f44752da5d546c7acfddf5823307c6c92dc813323cc2fc3f04b98f5519901.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 12 KBytes of memory
Flow:[192.168.56.10:49160:6:88.67.160.102:1188] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/62e9f321ddcaa209cc9e42697a97e0657aed8d6b1eb85035bd74c9c6ecc00295.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 13 KBytes of memory
Flow:[192.168.56.21:62079:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/7f50695e93f855887fb1bfbabdb7bb2994e9b67d1f931f04be41ab5361842d56.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.17:49172:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/f137894ebaa308f62f4f5cfa3c2d1282ea3d474035606848b982a5a79602e279.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:52299:6:46.29.2.112:2049] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
[10/27/17 14:02:17] Processing packets from file /home/bubu/pcapfiles/ratty/fa168e58e1e42ae9c95088aec2a262ef8d5700f3241c1135d77f3e3484db1a74.pcap
[10/27/17 14:02:17] Stack 'Lan network stack' using 15 KBytes of memory
Flow:[192.168.56.13:49166:6:185.32.221.5:4000] pkts:4 matchs with (0xbeaee0)Regex [experimental0]
PacketDispatcher(0xbd6b50) statistics
        Connected to Lan network stack
        Total packets: 9612
        Total bytes: 3350895
RegexManager(0xbeabf0)[Generic Regex Manager]
        Plugged on TCPGenericProtocol
        Name:experimental0 Matchs:7 Evaluates:53
        Name:experimental1 Matchs:7 Evaluates:23
Exiting process

camp0, 4 Posts, Oct 27th 2017
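The detection camp0 shows above is a payload regex evaluated per TCP flow. To make that reproducible without aiengine, here is an added Python example (not camp0's code and not aiengine's logic): a minimal classic-pcap/Ethernet/IPv4/TCP parser that groups segments into bidirectional flows, applies the two regexes from the posted command line to the first non-empty payload of each flow, and reports hits in the same Flow:[src:sport:6:dst:dport] spelling. The capture is constructed in memory with RFC 5737 addresses; evaluating only the first payload is a simplification of this example, not a statement about how aiengine matches.

```python
import re
import socket
import struct
from collections import OrderedDict

# The two payload regexes from the posted aiengine command line, compiled as byte
# patterns so they run on raw TCP payload. Names mirror aiengine's experimental0/1.
SIGNATURES = OrderedDict([
    ("experimental0", re.compile(rb"^\x05(\x00$|$)", re.DOTALL)),
    ("experimental1", re.compile(rb"^\x05$", re.DOTALL)),
])


def build_tcp_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums: fine for a parser, not for a wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap: magic 0xa1b2c3d4, version 2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1509105737 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap_bytes):
    """Yield ((src, sport, dst, dport), payload) for every TCP segment in a classic pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ihl < 20 or ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        key = (socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]), dport)
        yield key, tcp[doff:]


def match_flows(pcap_bytes, signatures=SIGNATURES):
    """Group segments into bidirectional flows keyed by the first packet's direction,
    keep the first non-empty payload per flow and return (flow, regex name) hits."""
    first_payload = OrderedDict()  # canonical flow key -> first non-empty payload
    canon_of = {}                  # either direction -> canonical key
    for key, payload in iter_tcp_payloads(pcap_bytes):
        canon = canon_of.get(key)
        if canon is None:
            canon = key
            canon_of[key] = canon
            canon_of[(key[2], key[3], key[0], key[1])] = canon
            first_payload[canon] = b""
        if not first_payload[canon] and payload:
            first_payload[canon] = payload
    hits = []
    for (src, sport, dst, dport), payload in first_payload.items():
        for name, rx in signatures.items():
            if payload and rx.search(payload):
                hits.append(("%s:%d:6:%s:%d" % (src, sport, dst, dport), name))
    return hits


# Constructed sample capture: a flow whose first payload is 05 00 (plus a server reply in
# the same flow), an HTTP flow that must not match, and a flow whose first payload is a lone 05.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.56.17", 58739, "203.0.113.10", 1234, b"\x05\x00"),
    build_tcp_frame("203.0.113.10", 1234, "192.168.56.17", 58739, b"\x05\xff"),
    build_tcp_frame("192.168.56.20", 49200, "203.0.113.20", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_tcp_frame("192.168.56.21", 49201, "203.0.113.30", 1337, b"\x05"),
])

if __name__ == "__main__":
    for flow, name in match_flows(SAMPLE_PCAP):
        print("Flow:[%s] matchs with Regex [%s]" % (flow, name))
```

Note how the two regexes differ in what they accept: `^\x05$` fires only on a lone 0x05 byte, while `^\x05(\x00$|$)` also accepts 0x05 0x00, so the second flow in the sample matches one signature and the fourth matches both. Real captures (`open(path, "rb").read()`) can be fed straight to match_flows as long as they are classic pcap over Ethernet.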