Posts

Showing posts from January, 2021

AnyRun Christmas CTF

Image
  Keen-eyed Tweeps may have noticed that AnyRun tweeted out a Christmas CTF in their Xmas post card this year (see above). I enjoy a good CTF and with some help from @KrabsOnSecurity we uncovered a code for a free trial of AnyRun Explorer (an account option which is not on the pricing package).  The CTF started with the above tweet, which contains a QR code. Once scanned a message appears: Using the built-in QR code scanner on my iPhone the code, the message appeared. I then chucked this into base64decode as I have inspected enough malicious code to realise when it is encoded this way: I got stuck here as the decoded output does not look like any encoded/encryption I have seen before. Luckily, @KrabsOnSecurity noticed this is an ID for an AnyRun sample run: This revealed a glowing Christmas tree produced by a PowerShell script that, when downloaded, contained the code for the CTF: And voila! We earned ourselves a nice trial of AnyRun explorer after a short CTF on Twitter: References: h

Analysis of the NetWire RAT campaign

Image
  Executive summary: Threat actors continue to leverage the NetWire Remote Access Trojan (RAT) in malicious spam email attacks using low-detection scripts, URL shorteners, and the Discord content delivery network (CDN).  The Infection chain begins with a targeted email from the t-online[.]de mail service. These contain an XLS file or ZIP archive that, if opened, triggers embedded VBScript and PowerShell scripts. The secondary stage leverages  URL shorteners in the PowerShell script that pull down a batch file from the attacker’s server or from the Discord CDN. If successfully executed the victim’s device is infected with NetWire RAT and a connection is made to the command and control (C&C) server. Post-exploitative activities can then be initiated from here. NetWire RAT is a widely used off-the-shelf malware used by cybercriminals groups and Business Email Compromise (BEC) scammers. This includes features such as stealing credentials, recording audio, screen capture, and keystroke