Posts

Attack campaign analysis and interdiction: Async RAT

Threat hunting in public sandboxes has been, admittedly, a hobby of mine for the last two years or so. Recently, I have been looking through the geo-specific uploads that arrive in one such sandbox called Any.Run. It is no secret I am from the UK, so from time to time I like to check what malware is currently being sent to companies in the UK. This one caught my eye: the file "astro-grep-setup.exe.doc" (available on Any.Run here) was not uploaded to the sandbox by me, but by a stranger from the UK (or someone potentially using a VPN server in the UK). It is 596 pages long and 1.38 MB. The attacker behind this document has used an interesting technique: macros are enabled when the document is opened and they deliver an installer for a legitimate app called "AstroGrep" (an open source Windows grep utility), which is also packed with another malicious application containing the Async RAT. This technique is known as using a "binder", putting two apps

SharePoint Island Hopping: Phishing with compromised accounts

Phishing threat actors continue to launch successful credential harvesting campaigns via compromised Office 365 accounts. One of the most common themes for these campaigns is a "shared file" notification, whereby a compromised account shares a file with a user that is hosted in the SharePoint drive. The file is usually a PDF document that contains a URL to an external site embedded in an "open document" or "view file" button. If the user clicks on it and enters their credentials they are redirected to login.microsoftonline.com. Although this is an older scam that has been around for several years, it is still highly effective and is being used to leap from one organisation to another. In this blog, I will analyse a long-running phishing campaign that has compromised at least 45 different SharePoint accounts belonging to a variety of organisations over the last year. Fig. 1 - The typical phishing chain used in this campaign. Fig. 2 - Various PDF documents

OSINT blog: Watch the skies

Aviation is an interest of mine as some of my family worked on airlines and I enjoy volunteering my time to work with organisations such as the Aviation ISAC on vulnerability disclosure, threat intelligence, and security research. So when another interesting OSINT challenge with aviation-related attributes cropped up on my radar this week, shared by @fs0131y, I was keen to get stuck into it. Let's begin. Immediate analysis of this image can give us several clues and help us along. From the initial tweet, there are multiple attributes that will help with the rest of the challenge; this includes the time of day and the date, as well as what the aircraft's engine looks like. Using these attributes we can pivot to the next stage of our investigation. Some Googling of engines, as well as Boeing and Airbus planes, using the grey circle around the front of the engine and the logo on the site, I found a similar looking plane belonging to Air France - an A318 to be precise. Some

Mo Money, Mo Magecart

Online shopping sites are prime targets for cybercriminals. Large sites can process vast quantities of personal information and payment data, making them a high-value reward if successfully hijacked. On 29 April, Malwarebytes Threat Intelligence shared a JavaScript web skimmer their team discovered on a compromised French Canadian online shoe store. The skimmer was injected into the online store's checkout page and used to siphon off payment data and billing info. Data entered into the site was exfiltrated to a domain in Russia. I pivoted off this domain and looked at what was hosted on the same IP with a similar naming convention. This led to uncovering multiple other domains used for web skimming. I mapped the domains on VirusTotal Graph here: I then chucked these domains into URLscan and uncovered at least five other sites that have been compromised in these attacks: Some additional pivoting uncovered a skimmer masquerading as a Bing Analytics domain that was injected

OSINT blog: You Sunk My Battleship

Another pandemic Friday night in, another OSINT challenge to find a mate using GEOINT. In our Discord server we have a channel called 'opsec fail club' where, occasionally, someone will challenge others to geolocate them exactly. It's a fun thing to do when bored and good for practising and refining your OSINT skills. Starting point: Using the above image I was able to find where @BigLDP was located exactly. I began by checking for battleships in the US that were museums. I came across USS Intrepid - one of the most visited in the world: The ship @BigLDP was on was not USS Intrepid, however, but does still look like an Essex-class aircraft carrier. So I was on the right track. After going through the list of post-war rebuilds I found one that was a museum - USS Lexington aka CV-16 or "The Blue Ghost". I was able to find the directions and satellite images of USS Lexington and all I needed to do now was confirm @BigLDP's exact location. And in a few steps, it

Dead Drop Resolvers - Espionage Inspired C&C Communication

A "dead drop" is a well-known espionage tactic of passing items or information between two parties using secret locations. The two parties never meet and any sign of communication is concealed. This tactic is commonly used by intelligence officers to interact with their assets in the field, avoiding suspicious meetings or being caught talking to each other. For decades, intelligence agencies have used dead drops. Two infamous double agents from the CIA and FBI - Aldrich Ames and Robert Hanssen respectively - both used dead drops to supply information to their handlers from the Soviet Union. Cyber adversaries have also adapted this technique for their espionage campaigns. However, instead of a human source, state-backed computer network operations (CNOs) have leveraged legitimate services for covert communications, or so-called "dead drop resolvers". In October 2019, ESET Research disclosed a report on Operation Ghost Dukes which detailed the activities of an APT group kn

The next evolution in Office365 phishing campaigns

It comes as no surprise that Office365 is one of the most targeted services for phishing attacks worldwide. Credentials for enterprise Microsoft accounts are some of the most valuable for threat actors, who can leverage them for a number of activities with this initial access vector. This ranges from stealing emails and business email compromise (BEC) to internal spear-phishing and malware attacks. The latest wave of Office365 credential harvesting attacks involves multiple steps. This includes the phishing email itself, a malicious URL, a legitimate document hosting service (such as *.clickfunnels[.]com or *.larksuite[.]com), and the fake login page. These kits are also known as a "LogoKit" for being able to dynamically alter the page's appearance based on the domain in the target's email address. Demo of how this works: https://app.any.run/tasks/e59d36ba-5a2c-49e3-8b59-8044bf593689/ (Fig. 1 - Current phishing chain leveraged in this campaign from January to Februar

Latest wave of Cerberus targets English-speaking users

Following the recent discoveries shared by @MalwareHunterTeam and @LukasStefanko on Twitter, I took a closer look at the ongoing Cerberus Android banking Trojan campaign. It has recently reared its head to target English-speaking users via a fake food delivery app: (Figure 1 - The fake website that drops food-delivery.apk) (Figure 2 - Downloading and granting permissions to the Trojanised application) If successfully downloaded and permissions are granted, the user's device is infected with a banking Trojan that shares multiple similarities with the infamous Cerberus Android banking Trojan. Further investigation into this campaign revealed the attacker's infrastructure through a mutual host, gTLD (.top), and the same registrant details. VirusTotal Graph of the campaign: Themes of Trojanised applications distributed by this Cerberus operator: Cerberus web injects database: (Figure 3 - Picture of the Cerberus web injects database for reference) Analysis: The Cerberus

Using a Discord server as a Personal CTI Dashboard

Discord is one of the best platforms that has helped me get through 2020 after joining various online communities such as The Many Hats Club or participating in virtual conferences such as conINT. As a cyber threat intelligence (CTI) analyst myself, I am often looking for new ways to consume news and find new threats, which I believe Discord (if configured correctly) can offer. Although I do work for a Threat Intelligence Provider (TIP) with the ability to generate powerful dashboards that can scrape and feed me any source on the internet, not everyone else does. I like having a backup and having the custom notifications that Discord can provide. The Discord bot ecosystem is a great place thanks to developers generously offering their services to the community for free. There are premium services that can remove the rate limits and other caps, but that's not really necessary if you use multiple bots as in this write-up and for this specific use case. Here is how I currently have