Posts

The next evolution in Office365 phishing campaigns

It comes as no surprise that Office365 is one of the most targeted services for phishing attacks worldwide. Credentials for enterprise Microsoft accounts are some of the most valuable for threat actors, who can leverage them for a number of activities from this initial access vector, ranging from stealing emails and business email compromise (BEC) to internal spear-phishing and malware attacks. The latest wave of Office365 credential harvesting attacks involves multiple steps: the phishing email itself, a malicious URL, a legitimate document hosting service (such as *.clickfunnels[.]com or *.larksuite[.]com), and the fake login page. These kits are also known as a "LogoKit" because they can dynamically alter the page's appearance based on the domain in the target's email address. Demo of how this works: https://app.any.run/tasks/e59d36ba-5a2c-49e3-8b59-8044bf593689/ (Fig. 1 - Current phishing chain leveraged in this campaign from January to Februar

Latest wave of Cerberus targets English-speaking users

Following the recent discoveries shared by @MalwareHunterTeam and @LukasStefanko on Twitter, I took a closer look at the ongoing Cerberus Android banking Trojan campaign. It has recently reared its head to target English-speaking users via a fake food delivery app: (Figure 1 - The fake website that drops food-delivery.apk) (Figure 2 - Downloading and granting permissions to the Trojanised application) If the application is successfully downloaded and permissions are granted, the user's device is infected with a banking Trojan that shares multiple similarities with the infamous Cerberus Android banking Trojan. Further investigation into this campaign revealed the attacker's infrastructure through a mutual host, gTLD (.top), and the same registrant details. VirusTotal Graph of the campaign: Themes of Trojanised Applications distributed by this Cerberus operator: Cerberus web injects database: (Figure 3 - Picture of the Cerberus web injects database for reference) Analysis: The Cerberus

Using a Discord server as a Personal CTI Dashboard

Discord is one of the best platforms that has helped me get through 2020 after joining various online communities such as The Many Hats Club or participating in virtual conferences such as conINT. As a cyber threat intelligence (CTI) analyst myself, I am often looking for new ways to consume news and find new threats, which I believe Discord (if configured correctly) can offer. Although I do work for a Threat Intelligence Provider (TIP) with the ability to generate powerful dashboards that can scrape and feed me any source on the internet, not everyone else does. I like having a backup and the custom notifications that Discord can provide. The Discord bot ecosystem is a great place due to developers generously offering their services to the community for free. There are premium services that can remove the rate limits and other caps, but that is not really necessary if you use multiple bots, as in this write-up and for this specific use case. Here is how I currently have

Amadey Trojan distributed by DPRK-affiliated APT groups

Malicious Word documents titled “Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc” were recently uploaded to malware submission sites such as ANY.RUN, VMRay, and VirusTotal: Analysis of the Word documents revealed that a VBA macro is used to drop a secondary payload and connect the infected device to the adversary’s command and control (C&C) server. The malware used in this attack is detected as the Amadey Trojan, a commodity tool used for credential harvesting and remote control by threat actors of all skill levels. The payload is hosted on a compromised website and is retrieved by the Amadey Trojan once the malicious macros are enabled. VirusTotal campaign graph: Analysis: Commodity malware, such as the Amadey Trojan, is a concern because it does not require its operator to have any development capability, only the capacity to deploy it. This increases the number of potential attackers in the ecosystem. Furthermore, commodity malware and

AnyRun Christmas CTF

Keen-eyed Tweeps may have noticed that AnyRun tweeted out a Christmas CTF in their Xmas postcard this year (see above). I enjoy a good CTF, and with some help from @KrabsOnSecurity we uncovered a code for a free trial of AnyRun Explorer (an account option which is not on the pricing package). The CTF started with the above tweet, which contains a QR code. Once scanned, a message appears: Using the built-in QR code scanner on my iPhone, the message appeared. I then chucked this into base64decode, as I have inspected enough malicious code to realise when it is encoded this way: I got stuck here, as the decoded output does not look like any encoding/encryption I have seen before. Luckily, @KrabsOnSecurity noticed this is an ID for an AnyRun sample run: This revealed a glowing Christmas tree produced by a PowerShell script that, when downloaded, contained the code for the CTF: And voilà! We earned ourselves a nice trial of AnyRun Explorer after a short CTF on Twitter: References: h

Analysis of the NetWire RAT campaign

Executive summary: Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN). The infection chain begins with a targeted email from the t-online[.]de mail service. These emails contain an XLS file or ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. The secondary stage leverages URL shorteners in the PowerShell script that pull down a batch file from the attacker’s server or from the Discord CDN. If successfully executed, the victim’s device is infected with NetWire RAT and a connection is made to the command and control (C&C) server. Post-exploitation activities can then be initiated from here. NetWire RAT is a widely used off-the-shelf malware used by cybercriminal groups and Business Email Compromise (BEC) scammers. Its features include stealing credentials, recording audio, screen capture, and keystroke

Operational Security Tips and Tricks

For my last blog of 2020, I wanted to share a short checklist for users and researchers to keep themselves secure on the internet. Many attackers cast a wide net, and many of those who fail the basics get caught in it. Hopefully this guide will help those on the path to Operational Security (OPSEC): Social Media: Set social media accounts (e.g. Twitter, Facebook, Instagram, TikTok) to private. Avoid using your real name when creating accounts. Avoid using identifiable personal pictures for profile pictures and cover pictures. Leave bio details blank and avoid sharing identifiable information. Do not check in to locations or share your location in social media posts. Have a vetted list of friends/contacts that you permit to view your social media content. Finally, personnel who work in cleared positions often ask family members not to share pictures of them and to prevent tagging. Personal Security (PERSEC): Use more than one email account - ideally one for critical services like finances,

Analysis of Meyhod JavaScript Web Skimmers

A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in the code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC). While investigating the attacker's domain (jquerycloud[.]com) a bit further, other potential victims from this campaign were uncovered some months ago. These include Doves Farm UK, The Fruit Company, Customer Earth Promos, and - judging by the file names - potentially iCanvas or TFC: Active compromise of dovesfarm.co.uk: Skimmer 1: Identifier - sClass="yeikyd" - 'dovesfarm.js' (available here) Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js' (available here) Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js' (available here) Skimmer 1 - Listener: Skimmers 2 and 3 - Listener: Skimmed Data: RC4 encryption: Data collected: Credit Card Number, Card Holder Name, CVV, expiry day, mont