Case study: “Imminent RATs” (II)

Analysis (follow-up)

In the previous article, we had determined there was “something weird” in the computer, and we had downloaded both, a possibly malicious .doc and a user executable and mailbox. It’s time to get down to work to see what they may contain…

[Note: As a good security practice, malicious files should NEVER be shared without minimal protection. Therefore, you can download both files from here, but they are zipped with the password “infected”. Please, handle them with extreme care, you’ve been warned.]

To start with, we can open the user’s .pst to verify that the infection path is correct, something we can easily do from Windows with the Kernel Outlook PST Viewer:
[Read more…]

Case study: “Imminent RATs” (I)

Note: This is a fictional story; the characters and situations are not real. The only real thing is the technological part, which is based on a mixture of work done, experiences of other colleagues and research carried out.
These articles are part of a basic incident response workshop. Therefore, there are things that could be done more efficiently and elegantly… but the idea was to do them in a simple way so that they were easy to understand. And like any good practical workshop, you can follow it step by step: you can download a Remnux virtual machine with everything you need for the workshop here (for VMWare) or here (.ova format)).

Incident Response in less than 15 lines

Ultra-fast summary of incident response:

  • Preparation: We prepare ourselves for a possible attack by deploying detection and response measures in the Organization.
  • Detection and analysis: We detect possible attacks and analyze them to determine whether or not they are false positives, and in the event of an attack we analyze its severity.
  • Containment, eradication and recovery: We contain the spread of the attackers through the system, expel them and return the system to normal operation.
  • Post-incident lessons: We analyze the incident in search of measures to improve both the security of the system and the response itself for future incidents.

[Read more…]

Security in Windows Server 2019

At the end of last December, Microsoft published a document titled What’s new in Windows Server 2019, covering the new features and renewed functionalities provided by the new version of Windows Server. This post will focus on those features related to security improvements provided by Windows Defender ATP that had already been seen in Windows 10 through Windows Defender Exploit Guard, EMET (Enhanced Mitigation Experience Toolkit, which ceased to have support last July 31, 2018), as well as WDAC (Windows Defender Application Control).

While writing this post, the research deepened and led to a much more comprehensive document on ATP, specifically Windows Defender Advanced Threat Protection. This post is intended to be a brief, orderly summary of the links in the aforementioned document.

Windows Defender Advanced Threat Protection (ATP)

The Windows Defender ATP system is designed to protect the kernel and system memory from malicious files and processes, either by blocking or terminating them, in order to prevent host intrusion. In its development, it relies on several aspects to be taken into account to reduce intrusion.

1. Attack Surface Reduction (ASR)

Attack Surface Reduction (ASR) is based on a complex set of rules managed by system administrators that allow to block potentially dangerous files based on their behavior. These rules block these files based mainly on the following aspects or behaviors:

  • Executable in mail.
  • Secondary processes, Win32 API calls from macros or executables created by Office applications, as well as the possibility of code injection.
  • Scripts that execute code downloaded by them, unsigned and unreliable processes from USB, …

2. Network Protection

This network filtering capability is located in the system kernel and is aimed at protecting the host. In this case, it blocks outgoing computer connections against potentially dangerous domains to prevent phishing damage, sites that may attempt to install malware on the machine, and even spread to other machines on the network. The blocking relies mainly on reputation intelligence based on both the IP and the domain name, combining online searches and caching. If the result indicates that the connection is to a bad reputation site, the Internet connection (to this web-based malware) is blocked, whether the call is generated from a browser or from a background process.

3. Controlled Access Folder

In recent years, ransomware attacks that led to the encryption of files in organizations and businesses have been notorious. To avoid these behaviors, controlled access to folders is available. In essence, the aim is to avoid the use of files by processes not defined as trusted. The management of this feature in the IT infrastructure can be carried out through GPO or PowerShell. In addition to controls definition, each time an attempt to make a change to protected directories is blocked, an alert is generated in Windows Defender ATP.

4. Exploit Protection

Vulnerability protection was already present in EMET and is now available in Windows Defender ATP. Since EMET is no longer supported, Microsoft has implemented mechanisms for migrating the rules defined in EMET to ATP. Among the mitigations it carries out are those related to code execution, remote image integrity validation, blocking of non-trusted sources, API validations, blocking of secondary processes and driver validation. As mentioned above, some were already present in EMET and others are their own or have been improved by ATP.

With respect to the four points cited so far, all these mechanisms can be enabled in audit mode, in which the system simulates its execution, leaving traces of the simulated actions in the event logs, so that after a given analysis period, it can be determined if the rules designed are valid and can go live. In addition, the administrator can enable the notification so that the user is aware of the locks. This is useful in case a false positive occurs, so the user can notify the error caused by the locking mechanism.

5. Windows Defender Application Control (WDAC)

As indicated in the article, WDAC appeared with Windows Server 2016. As a management improvement, Microsoft has developed Code Integrity (CI) policies so executables that put integrity at risk can be blocked. In this case, instead of considering all the applications and libraries as trustworthy, the approach is reversed and non-trust is assumed, so which applications users can run and which code can be executed in the system kernel must be established explicitly. On the other hand, it also incorporates the ability to block unsigned scripts and .msi, as well as determine whether add-ons or application modules can be executed, making use of simple rules that relate executables to libraries.

6. Hardware-based isolation

  • Application isolation

This model is based on the definition of the sites that the organization considers trustworthy. Therefore, access to sites not included will be considered non-trustworthy. When accessing a non-trusted site, access is done in an isolated container, so if the site is really malicious, the host will be protected against intrusion, since the container is anonymous and has no access to user credentials.

  • System isolation

Protect and maintain system integrity at startup

The system is prepared to prevent any bootkit from booting before the operating system boot loader. This is done using Root of Trust (RoT) based hardware, which is an element of the Unified Extensible Firmware Interface (UEFI). After this validation, Windows and firmware can be started.

Protect and maintain the integrity of the system after booting

Despite the mechanisms developed to avoid increasing privileges attacks, it is not yet certain that the integrity of the critical services of the operating system can be maintained. To do this Windows 10 introduced the security model based on virtualization (VBS). With this concept, it is possible to isolate data in a hardware-based model. In this way, critical services such as Credential Guard, Device Guard, Virtual TPM and parts of Windows Defender, etc., can be protected at runtime.

Validation of the integrity of the system locally and remotely

Through Trusted Platform Module 2.0 (TPM 2.0), the system obtains data that will serve as integrity measures. Both the process and the information are isolated from the hardware, so data collection is not subject to alteration. Through remote systems such as Intune or System Center Configuration Manager (SCCM) can be requested for analysis. If the analysis shows that the system is compromised, you could, for example, deny access to the resources offered by the compromised device.

As commented, what has been tried with this post is to make a first approach to Windows Defender ATP, offering an entry point of the options available to the system administrators, in order to maximize the levels of security offered by Windows Server 2019.

Bibliography and Resources

EternalSilence: Why your router may be at risk from this NSA tool

Today’s article is courtesy of John Mason, co-founder of and writer at TripwireStaySafeOnline, DigitalGuardian y Educause. You can find him on twitter as @JohnCyberMason.

Do you trust your router to keep you safe from hackers and spies? You may want to take another look just to make sure.

Akamai recently discovered a malware campaign that has already compromised over 45,113 home and office routers. This was done using a tool based on the United States of America’s NSA hacking tools which were leaked online in 2017. To explain how hackers use this tool to turn your router into a proxy server, we first have to understand how UPnP works.

UPnP is a protocol that eases device and service discovery as well as the configuration of consumer devices and networks. Its primary purpose was to allow devices on a LAN to automatically expose services and functionality other devices on the local network.

[Read more…]

Analysis of Linux.Haikai: inside the source code

A few days ago we got the source code of the Haikai malware, which corresponds to one of the many implementations carried out by the continuous recycling of source code belonging to different IoT botnets. Although we have not identified any new developments compared to previous IoT malware versions, it has allowed us to obtain a lot of information on techniques, improvements and authors.

It should also be noted that, according to different records obtained, this botnet has been in operation for most of the last month of June.

In the following lines the code will be analyzed, as well as the possible attributions and the implementations not referenced in the execution thread, which allow us to guess that the code is mutating in different lines in parallel for the same function.

So let’s start by analyzing the structure of the files. [Read more…]

Exchange forensics: The mysterious case of ghost mail (I)

Articles in the series “Exchange forensics: The mysterious case of ghost mail”: [1] [2] [3] [4]

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

‘Reversing’ of malware network protocols with ‘angr’

One of the most difficult objectives to obtain in the analysis of a malicious binary is usually discovering all of the functionalities that it has. If in addition, these functions are only executed at the discretion of the attackers through its control center, things get complicated. For various reasons, many times we cannot carry out a full dynamic analysis, such as the fall of the malware infrastructure or the isolation of the sample to avoid contact with the C&C. In these cases the analysis of the interaction between the server of the attacker and the sample is usually slower, since you have to create a fictitious server or be continually patching/deceiving the sample, to take it through all the different paths that we want to investigate. Depending on the size and complexity of the analyzed code or the objective of the analysis, this task can vary its difficulty and extension over time.

I am going to propose a study example of the functionalities of a fictitious RAT that can be executed according to the orders received from your C&C panel. Our goal would be to create a server that simulates the attacker’s. For this we have to understand the communication protocol between the server and the sample installed on the victim’s device.

[Read more…]

Some vulnerability in ASUS routers

A few months ago, I changed my old TP-LINK router to an ASUS. Since it is the de facto manufacturer recommended by my ISP, in order to avoid any complications that could lead to delays in getting my Internet up and running I decided to go with it.

Then comes a lonely afternoon of boredom, or perhaps out of habit (I wanted to start writing a report:D), so I start by trying a little apostrophe here, a marquee as the Wi-Fi name, , command execution in one of the network diagnostic pages and a long list of etc. In the end, one thing leads to another (you know how that goes…), you get involved and when you’re conscious you have Burp or ZAP open, you’ve gone over halfway through OWASP and you’ve been looking for hours for something to play with, something interesting to see how safe your brand-new router is. [Read more…]

Templates with bad intentions

A few days ago while analyzing several emails I came across one that contained a suspicious attachment. It was a .docx document that at first glance had nothing inside but it occupied 10 kb.

The mail had passed all the barriers, both SPF, as the two antiviruses that gateways have, and also the anti-spam filter.

The .docx file can be treated as a tablet. Once extracted its content, I began to analyze all the files in the directory in search of domains or IP addresses that could be seen clearly:

And I managed to find something interesting inside the path word/_rels/document.xml.rels where the following appears:
[Read more…]

Phishing: improving our campaigns

One of the most important things when carrying out a phishing campaign [Obviously, always from legal terms Ed.] is to ensure that our mail gets to evade the anti-spam filters and thus be able to reach the victim’s inbox.

In this post we are not going to explain how Gophish, que ya hemos mencionado en algún post, we will simply explain a series of steps to follow to make our emails more reliable. It is worth adding that following these steps does not ensure 100% success, each mail manager has its own filtering rules.

We start from the basis that Gophish is already installed, so the next step would be to obtain a domain and make a series of changes in DNS administration.
[Read more…]