Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Daily Network Security Podcast (Stormcast) for Wednesday, February 6th 2019 - Internet Security | DShield SANS Daily Network Security Podcast (Stormcast) for Wednesday, February 6th 2019


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Mimikatz Defenses; LibreOffice Vulnerability; Firefox 65 And HTTPS AV Scanning

SANS Daily Network Security Podcast (Stormcast) for Wednesday, February 6th 2019
00:00

My Next Class

Intrusion Detection In-DepthMadridMar 25th - Mar 30th 2019
Defending Web Applications Security EssentialsSan DiegoMay 9th - May 14th 2019

… more classes

Spotify spotify logo

Discussion

New Files detected related to [[ LuckyCat ]] Malware Campaign !!!

According to: Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list. We also observed new malware delivered through mail communications from mail sender: "v.bernadskaya@ethnosafe.com" to multiple users. Security Team expects that those people affected with such malicious mail have been registered before in in-trusted websites which make them victims to such attacks. Malicious files detected which has been found were with multiple names like: ”Offer for approval.doc”.
The difference between this campaign detected by us and which reported by CISCO Talos is these all files were .doc not power point files but they meet in point that both campaigns abuses CVE-2017-0199 but this file threat actor was VBA_MACRO which considered the main threat actor in most mail campaign containing Microsoft files.

CVE-2017-0199 which affect most MS office from 2007-2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1 and Windows 8.1. This vulnerability allow remote attackers to execute arbitrary code via a crafted document,
aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.

These URLs: "hxxp://216.170.120.102/metu.exe" as GET request and "hxxp://changdeacorp.com/finet/leotuyy/fre.php" as POST were detected in C' communications from infected machines, then download files like: "996E.exe" "dio.zip".
We noticed also PowerShell call and executing multiple queries like this value:
"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName" ".
There are multiple attempts to open admin directories like this one: "C:\Users\admin\AppData\Local\Temp\" and creating multiple file like: unjl3fxo.k5p.psm1 and ajpaqbyx.i25.ps1.

Indicators of compromise:

"IPs"
216.170.120.102
103.63.2.245
93.159.231.232
93.159.231.128
93.190.235.135
8.253.204.121

"Hashes"(SHA256)
ef2a14d2971fbd7bc068a7bfd7e943057d0a486c0270b30977d501f616449c9f

"Domains/URLs"
changdeacorp.com
ddacenona.com
ezzy-corp.com

hxxp://changdeacorp.com/finet/leotuyy/fre.php
hxxp://focail.com/austin1/fre.php
hxxp://martreding.com/blue1/fre.php
hxxp://ezzy-corp.com/tall8/fre.php
hxxp://sunwest-kh.com/white6/fre.php
hxxp://216.170.120.102/metu.exe
hxxp://427.cc/
hxxp://037.cc/
Posted by MoNour on Wed Feb 06 2019, 22:08

Login here to join the discussion.

Intrusion Detection In-DepthMadridMar 25th - Mar 30th 2019
Defending Web Applications Security EssentialsSan DiegoMay 9th - May 14th 2019
Intrusion Detection In-DepthSan AntonioMay 28th - Jun 2nd 2019
Defending Web Applications Security EssentialsMunichJul 1st - Jul 6th 2019
Intrusion Detection In-DepthBostonJul 29th - Aug 3rd 2019
Defending Web Applications Security EssentialsSan JoseAug 12th - Aug 17th 2019
Defending Web Applications Security EssentialsBrusselsSep 2nd - Sep 7th 2019
Intrusion Detection In-DepthLondonSep 23rd - Sep 28th 2019