The Evolution of Trickbot

From the malware lab of S2 Grupo we have been monitoring the movements of a Trojan known as Trickbot. Its relationship with Dyre, another older Trojan with which it shares many design features, and the speed at which it evolves, has captured our interest ever since we saw the first samples.

This malware is usually categorized as a banking Trojan since it has so far been very oriented towards data theft relating to banking, but its modular design allows to expand its capabilities at any time so as to perform any kind of extra action.

During its early versions, some very good analyses were already done such as those of @hasherezade in the malwarebytes blog and Xiaopeng Zhang in that of Fortinet. But the development of Trickbot has continued during the last few months, reaching version 17 in less than 6 months. So we thought that it would be interesting to check the changes it has undergone during its evolution and to delve deeper into some of its most curious techniques when performing different actions.
[Read more…]

MOSH, beyond SSH

Today, I do not think it necessary to mention what the SSH (Secure Socket Shell) protocol is, since it would be really difficult to live without it today. Therefore, SSH is considered globally as the “mega” indispensable tool for any administration work. Among the advantages of its use we can find: secure access to remote machines, access to services on other machines by creating direct or reverse tunnels, creation of proxy socks, creation of secure channels for the encapsulation of traffic from unsecured applications … etc.

Among the innumerable advantages of this protocol, there is a point that can sometimes be a great inconvenience, the performance of the connection.

To try to solve this problem and add improvements, Mosh (mobile shell) emerged, an application that offers several advantages over the traditional SSH connection. It was presented at the USENIX Annual Technical Conference 2012 by Keith Winstein & Hari Balakrishnan, M.I.T. Computer Science and Artificial Intelligence Laboratory.

[Read more…]

Mirai meets OpenSSL

It is not a surprise that new variants of Mirai and more come to light, being available to anyone the source code of the bot, the CnC server and the download server. However, they all had relatively similar features (except for the variant for Windows, of course).

On March 19 came a new version of Mirai that caught our attention because of its size. While the usual is to find Mirai binaries of around tens of Kbs, this new sample has 1.6 Mbs. The TELNET connection that preceded the download of the binary is exactly the same as in previous catches.
[Read more…]

Shadow Brokers: exploiting Eternalblue + Doublepulsar

(Just one month after publishing this post in spanish, these exploits were used in conjunction with the WanaCry ransomware to perform one of the largest worldwide cyber attacks of the last few years.
Hundreds of companies (Hospitals too) were compromised and all their data was encrypted.)

A few days ago the news broke out that the group Shadow Brokers had released a new batch of exploits of the NSA. As if this were not enough, in the github where the exploits are there is also information on how to attack the banking systems.

The vast majority of published exploits make compromising a Windows system childlike and almost as we see in movies, since they are several 0-day (now patched by Microsoft) that attack the SMB protocol in all its versions.

Of all the exploits available, the one that has drawn the most attention to the community has been the combo called Eternalblue + Doublepulsar. In this post we will explain how to deploy a test environment where you can test the exploits.

(Editor’s note: Needless to say, the information is provided for informational and didactic purposes in order to collaborate in improving the knowledge of cybersecurity technicians. Cybercriminals do not need anyone to teach them how to use exploits, and to those unsuspecting scriptkiddies who think of playing cybercriminals, well, good luck in the courts).
[Read more…]

What is a TDS (Traffic Director System)?

The idea to write this post came from investigating multiple cases of infections in computers because of the ubiquitous Exploit Kits (EK). A visit to a website that apparently should not carry any risk ended with the user calling the security service because he could not open his files and said that an image appeared on the screen asking him for money to recover his data. And in other cases not even that, because he had become infected with a RAT or a banking Trojan and was not aware of it.

There are simple redirection methods that are implemented directly on the web server. They are options that allow to manage the visits to this website and adapt its behavior to the preferences or characteristics of the visitors.

[Read more…]

Is your NAS exposed to the Internet?

The widespread use of devices connected to the network, such as cars, medical equipment, industrial controllers (PLCs), appliances, etc., has brought with it a new and extremely vulnerable landscape.

While there has been a breakthrough in connectivity issues (Twitter is everywhere!), the security issue has also been set aside. This is mainly due to the fact that for most users and organizations, Internet security is not a fundamental factor, which is why cases such as Mirai, one of the largest distributed denial of service attacks that has been recorded so far, which is just one of the first cases that we have to face in this new scenario..

The proliferation of interconnected devices has brought many advantages to users (homes, organizations): flexibility, mobility, automation, efficiency, etc., but what happens when we do not take the appropriate security measures and are unprotected by default?

You will then see how a series of small weaknesses can lead to a large leak of information, compromising personal, financial and confidential data, both private and organizational.

[Read more…]

Abusing corporate webmail for C&C and exfiltration

Let’s assume an organization that has basic security measures: workstations cannot make direct connections to the Internet, only being able to carry out web requests through a proxy server, which is also the only one that can make external DNS queries.

HTTP and DNS traffic generated by this proxy server are properly monitored, and the proxy “breaks” HTTPS, so techniques like the domain fronting can also be detected. Only a few whitelisted websites are accessible. [Read more…]

TLS client fingerprinting with Bro

In this post, we will play with Bro IDS as a client fingerprinting techniques exploration tool.

As is known, during the initial TLS handshake (used, among others, by HTTPS on web browsers), a message called ClientHello is exchanged. In this message, the client specifies the supported cryptographic primitives (the so-called cipher suites).

For example, Firefox 50.1.0 under Linux sends a ClientHello like this, as shown with the Wireshark dissector: [Read more…]