Miners, miners everywhere!

It is evident that cryptocurrencies are fashionable. The price increase of, for example, Bitcoin with respect to last year is exponential, as can be seen in the following Coinbase graph:

Everyone, including cybercriminals, want to take advantage of this hype, and we have detected that, just as the price increase of Bitcoin or Monero (widely used in cybercrime) has been exponential, so has the activity of attacks related to the distribution of miners who plan to compromise computers and get our electricity for free.

So far this year we have detected an increasing tendency to distribute miners. Through a specific technique, they use vulnerabilities in the insecure processes of “deserialization” of Java objects to, after exploiting them, download and execute the miner on the compromised server or computer. These vulnerabilities, although not new, are trying to be exploited by numerous groups of criminals. [Read more…]

Templates with bad intentions

A few days ago while analyzing several emails I came across one that contained a suspicious attachment. It was a .docx document that at first glance had nothing inside but it occupied 10 kb.

The mail had passed all the barriers, both SPF, as the two antiviruses that gateways have, and also the anti-spam filter.

The .docx file can be treated as a tablet. Once extracted its content, I began to analyze all the files in the directory in search of domains or IP addresses that could be seen clearly:

And I managed to find something interesting inside the path word/_rels/document.xml.rels where the following appears:
[Read more…]

Droppers from Locky Ransomware with extra anti-Sandboxing

Recently an old acquaintance has returned to his old ways. This is the Ransomware “Locky”, which about a year ago was very active through #Malspam campaigns (Spam Mail with the purpose of installing malware in the victim’s system) mostly with scripting files such as “.js “,” .wsf “or” .vbe “. Since then it has continued to maintain activity, although to a lesser extent.
Recently they have started a new campaign in which they use .doc (MSOffice Word) files with macros, like the following:


[Read more…]

Phishing: improving our campaigns

One of the most important things when carrying out a phishing campaign [Obviously, always from legal terms Ed.] is to ensure that our mail gets to evade the anti-spam filters and thus be able to reach the victim’s inbox.

In this post we are not going to explain how Gophish, que ya hemos mencionado en algún post, we will simply explain a series of steps to follow to make our emails more reliable. It is worth adding that following these steps does not ensure 100% success, each mail manager has its own filtering rules.

We start from the basis that Gophish is already installed, so the next step would be to obtain a domain and make a series of changes in DNS administration.
[Read more…]

Analysis of Linux.Helios

For several weeks we have been detecting a new variant of malware for Linux and IoT architectures from the malware laboratory of S2 Grupo, registered for the first time on the VirusTotal platform on October 18, which we have called Linux.Helios, due to the name of certain functions present in the sample.

We emphasize that the main antivirus signatures do not unanimously classify this sample: they range from ELF.DDoS to Tsunami, through Gafgyt or Mirai.
[Read more…]

JAFF Ransomware via PDF attachment with Doc

We continuously receive phishing emails coming from a variety of sources, often containing attachments with malicious payloads. In this case the attachment was a bit more interesting because it embedded a .docm file inside a .pdf file.

The email that arrived to our servers had “Order” as subject, and no visible content, only a p(paragraph) HTML entity with an empty symbol, but fun was on the attachment.

Attack stages

The attachment was a proper PDF file that contained a .docm file embedded. Once you opened the pdf file de docm would unpack and execute its macros leading to the download of a file that, once repacked by the macro on execution, would be executed in the system.
[Read more…]

Personal Countersurveillance (I): Facial Recognition

(Please note some of the internal links are in Spanish)

Those of us who work in the cybersecurity sector are accustomed to hearing about threats and defense measures, but almost always referring to a virtual environment. However, there are other dimensions, such as physical security, that can affect us in different ways.

This series has been inspired by the paper by Adam Harvey of the Chaos Communication Congress of 2016: “Retail Surveillance / Retail Countersurveillance”. In it I will discuss some concepts concerning surveillance systems and counter-surveillance measures that can be used to avoid recognition by third parties.

This first article focuses on facial recognition, some of its most controversial applications to date and their implications.

Figure 1: Anonymous. Image taken from http://luisjimenez.com/wp-content/uploads/2016/05/faception.jpg [Posted on 15/05/2017]

[Read more…]

The mimi (mimikatz) side of #NotPetya

(Please note some of the internal links are in Spanish)
One of the things that most caught our attention from the #NotPetya malware lab is the module that appears to contain code from the mimikatz tool. It is an automation of the process of any pentest that we believe is worth studying and treat it with love, to learn.
For the analysis we focus on the 32-bit version of the binary:
[Read more…]

The Evolution of Trickbot

From the malware lab of S2 Grupo we have been monitoring the movements of a Trojan known as Trickbot. Its relationship with Dyre, another older Trojan with which it shares many design features, and the speed at which it evolves, has captured our interest ever since we saw the first samples.

This malware is usually categorized as a banking Trojan since it has so far been very oriented towards data theft relating to banking, but its modular design allows to expand its capabilities at any time so as to perform any kind of extra action.

During its early versions, some very good analyses were already done such as those of @hasherezade in the malwarebytes blog and Xiaopeng Zhang in that of Fortinet. But the development of Trickbot has continued during the last few months, reaching version 17 in less than 6 months. So we thought that it would be interesting to check the changes it has undergone during its evolution and to delve deeper into some of its most curious techniques when performing different actions.
[Read more…]

MOSH, beyond SSH

Today, I do not think it necessary to mention what the SSH (Secure Socket Shell) protocol is, since it would be really difficult to live without it today. Therefore, SSH is considered globally as the “mega” indispensable tool for any administration work. Among the advantages of its use we can find: secure access to remote machines, access to services on other machines by creating direct or reverse tunnels, creation of proxy socks, creation of secure channels for the encapsulation of traffic from unsecured applications … etc.

Among the innumerable advantages of this protocol, there is a point that can sometimes be a great inconvenience, the performance of the connection.

To try to solve this problem and add improvements, Mosh (mobile shell) emerged, an application that offers several advantages over the traditional SSH connection. It was presented at the USENIX Annual Technical Conference 2012 by Keith Winstein & Hari Balakrishnan, M.I.T. Computer Science and Artificial Intelligence Laboratory.

[Read more…]