Showing posts tagged #security

Return Home

I've recently come across an APT named Dimnie by Palo Alto's Unit42 (full report here). The purpose of Dimnie is to exfiltrate sensitive data to the attacker. The peculiarity about Dimnie is that it does so with a peculiar trick. Dimnie changes the HTTP Host header to point to a well-known trusted domain while it actualy sends the request to an attacker-controlled server. This can be done as the HTTP Host header is not actually used for routing, but rather for virtual hosting purposes, as the docs say. This makes the HTTP request look like it's headed to a trusted

Read More

Notice: As noted by @Antelox this is just a loader that drops LokiBot, not LokiBot itself.

Preface

Loki is a credential harvester bot sold in Russian underground forums and black markets.

Loki as advertised

Goal

For this blogpost, the goal will be to defeat/patch Loki's anti measures to be able to properly analyze malicious behavior.

Analysis

Initial triage

File hashes for the sample I'll be using:

MD5: 09D2E274F1F50AB81105A3A6B9BE34CF
SHA-1: 04AD370BFE1A0AFA273568EE18F8C14BD8E612DC
SHA-256: D7AAAFB88B91A937D1EF8BCAA97F88A13545364269F510A95DAB4A72B68A4313

The sample has a pretty low detection ratio (8/58) as of now (29/03/2017) on VirusTotal.

TrID report:

Win32 Executable Delphi generic (37.4%)
Windows screen saver (34.

Read More

Previous analysis:

We are presented with a Word document that has macros. The VBA code for the macros is obfuscated but we can clearly see that it is using some interesting Win32 API calls like VirtualAlloc and CallWindowProc, which later renames.

Thus, we can just set a breakpoint on the renamed CallWindowProc function to trace shellcode. (This is explained more in depth by the Minerva guys).


Shellcode

The shellcode first resolves LdrLoadDLL:

Then resolves Kernel32.dll

Resolves ExpandEnvironmentStringsA:

And calls it with %TMP%\\bg618.exe.

Then resolves CreateFileA, VirtualAlloc, VirtualFree and CreateWindowProcA, ReadFile, CloseHandle and

Read More

Cerber is a popular ransomware that it's still active. In this blogpost, we will analyze and dump Cerber's config using the Cuckoo Sandbox for it.

Prior analysis of Cerber already exist (like this one by Hasherezade).
As state by Hasherezade, Cerber stores it's configuration in an RCDATA resource bundled in the PE header. This RCDATA resource is encrypted and cerber uses a dedicated function to decrypt it.

We will begin analyzing said binary.

CRC32: EF4C42F6
MD5: 9A7F87C91BF7E602055A5503E80E2313
SHA-1: 193F407A2F0C7E1EAA65C54CD9115C418881DE42

If we analyze the function after which call a clear-text configuration is loaded in memory we can see it is using

Read More

In this post I will analyze one on the ELF files captured on my honeypot. First, a dynamic analysis will be performed. Once we aknowledge it's behaviour we will move onto a more in-deep static analysis.

Let's start!


We are presented with a 32-bit ELF un-stripped executable.

$ file 05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf 
05fd293845e7517bcfc6e8a7fa845ef101bf716c5ec6d40c74c6f7e8aed656bf: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped, too many notes (256)

Analyzing the network traffic

Executing the malware sample with Wireshark listening on our routing machine shows that our sample is trying to contact server 218.2.0.

Read More