Big week for tool releases and malware analysis this week!
SOFTWARE UPDATES
- Didier Stevens updated two of his scripts
- Xor-kpa was updated to version 0.0.4 adding “the option -x to encode/decode, and also prints the hexadecimal value of the found keys”.
Update: xor-kpa.py Version 0.0.4 - PDF-Parser was updated to version 0.6.6 to fix a bug.
Update: pdf-parser Version 0.6.6
- Xor-kpa was updated to version 0.0.4 adding “the option -x to encode/decode, and also prints the hexadecimal value of the found keys”.
- Joe Sandbox 17 was released adding a host of new features including capturing “runtime information such as API and method calls for Macro code embedded in Microsoft Office files”, call graphs for the traced VBA code, “User Automation for Microsoft Office ActiveX and PDF links”, and more.
Joe Sandbox 17
- Atola Technologies has updated their Atola Insight Forensic to version 4.7. The update adds segmented hashing “which protects you from damaged target images and works in parallel with the multi-pass imaging engine”, as well as various other features and bug fixes
Atola Insight Forensic 4.7 – Segmented hashing
- Oxygen Forensics has updated their Detective product to version 9.0.3. This version adds the ability to brute-force Win Phone 8 device passcodes from a physical dump, a section to quickly access the extracted media files on a device, as well as improved support for a number of devices and apps.
Oxygen Forensic® Detective supports passcode brute force for Windows Phone devices
- “Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security”, was updated to version 7.01.456. The “major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter)”.
Elcomsoft Wireless Security Auditor Gets Wi-Fi Sniffer - Paul Sanderson has updated Forensic Browser for SQLite 3.2.0. The new features include “a new detach query results button to help you view multiple query result when working with complex queries or table relationships”, the ability to save queries and views to the footer of reports, better error handling for manual SQL entry, as well as a variety of other enhancements and bug fixes.
Forensic Browser for SQLite 3.2.0
- X-Ways Forensics 19.1 Preview 4 was released with improved reporting features, as well as other improvements.
X-Ways Forensics 19.1 Preview 4
- PassMark Software updated OSForensics to version 4.0.1002 fixing a variety of bugs and performance improvements.
V4.0.1002 – 1st of December 2016
- Guidance Software has updated the Tableau Firmware Updater to version 7.17, which includes an update for the Tableau Forensic USB 3.0 Bridge, model T8u. The firmware update improves imaging speeds to 340mb/s and displays the “serial number of the connected USB device … on the bridge’s LCD under the Device Info menu”.
Tableau Firmware Revision History
SOFTWARE/PRODUCT RELEASES
- Volume 19 of the Journal of Digital Investigation has been released.
Digital Investigation Volume 19
- Hasherezade has released a small tool called PE_unmapper which can help with malware analysis. Examiners can unpack malware, let the it run and then dump the result from memory into virtual format. This tool can then be used to convert the virtual format dumps into raw format.
Introducing PE_unmapper
- Carrie Roberts at Black Hill Information Security shared a Python script “to generate password usage statics in a Windows domain based on hashes dumped from a domain controller”.
Domain Password Audit Tool
- Talos have announced the release of the Function Identification and Recovery Signature Tool (FIRST) project. “It is an open-source framework that allows sharing of knowledge about similar functions used across file types that IDA Pro can analyze”. The aim of this project is to speed up analysis of samples that have already been looked at and annotated so that people don’t have to reinvent the wheel every time.
Project FIRST: Share Knowledge, Speed up Analysis
- Gransk, a document processing tool has been released. “Its primary objective is to quickly provide users with insight to their documents during investigations”. There’s also a handy YouTube video available showing Gransk in action.
Gransk
- GCHQ have released CyberChef, “the Cyber Swiss Army Knife – a web app for
encryption, encoding, compression and data analysis”. The code can be found here
Or you can access the tool online here. Overall it looks like a very useful tool.
- Microsoft has released a tool called SAMRi10, which is a “short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s network”.
SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
PRESENTATIONS/PODCASTS
- Didier Stevens posted a number of videos last week relating to EMET and a Hancitor Maldoc.
- Videos of Black Hat USA and Black Hat Europe 2016 have been uploaded to the Blackhat YouTube channel. They have been placed in their respective playlists.
- Black Hat Europe 2016 – videos, briefings/slides
- Black Hat USA 2016 – videos, briefings/slides
- The presentations from Hacktivity 2016 have been uploaded to YouTube. They can be found here.
- Joshua James shared a video on how to acquire memory in Windows using FTK Imager.
[How To] Forensic Memory Acquisition in Windows – FTK Imager
- SANS uploaded a number of videos from the 2016 DFIR Summit as well as a couple of course updates to their YouTube channel.
- Adrian Crenshaw uploaded a number of videos from BSides Philly 2016 to his YouTube channel.
BSides Philly 2016
- This week’s episode of the Digital Forensics Survival podcast covers the Trash folder on OS X. Each user has their own .Trash folder, as well as a .Trash folder for each volume. Each user also has their own .Trash folder on the externally mounted volume, which can be helpful in tying a delete action to an account. Michael has also included the two articles that he has written on the Trash folders in the show notes.
DFSP # 041 – Trash Talkin’
- Lesley Carhart was on the Cigital Silver Bullet Podcast to discuss her background in DFIR and the Security industry. One of the main things I got out of this interview was the point that examiners shouldn’t try to make the evidence fit their conclusions. Examiners should, of course, create theories of what they think happened, but the evidence needs to support it, not ignored if the data doesn’t fit the theory. Lesley also mentions that when looking at a potential employer, people should look for a workplace that fosters education, that encourages employees to go to conferences, training courses, certifications etc and is invested in your development.
Show 128: Lesley Carhart Discusses Incident Response and Digital Forensics
- Black Hills Information Security have posted the webcast that John Strand did “with Security Weekly and Endgame about Threat Hunting [using Open Source Software Bro] on 11/15/16”.
WEBCAST: Threat Hunting Using Open Source Software Bro Part 1
FORENSIC ANALYSIS
- Oleg Afonin at Elcomsoft explains how to acquire a locked iPhone using a lockdown record. This post also explains how to deal with iPhones that have backup encryption enabled. Unfortunately, this method will only work if you are able to obtain an extraction prior to the phone being shutdown/reboot (as long as it’s been unlocked once since being turned on).
Acquisition of a Locked iPhone with a Lockdown Record
- Ryan McGeehan explains how to obtain, protect and examine your CloudTrail logs, which “is your most important resource in an AWS breach”.
Investigating CloudTrail Logs
- Somehow I missed this article by Paul Sanderson that was posted a couple weeks ago. Thankfully he tweeted it out again this week. This article explains the Write Ahead Log found in SQLite Databases and how a forensic SQLite viewer such as SQLite Forensic Toolkit will provide examiners with significantly more useful information than a non-forensic SQLite viewer.
How NOT to examine SQLite WAL files
- Mutaz Alsallal shares a few examples of endpoint threat detection by using QRadar and the process logs generated by Microsoft Sysmon.
Detect Endpoint Threats by Analyzing Process Logs in QRadar
- The Mobile App Forensics team at Champlain College continued their examination of the iOS app MapMyRun where they were able to confirm the Android team’s findings, as well as identify the username and password stored in plain text. The Android team focused on the messaging app Voxer where they found that the database stored the location of where each party’s messages were sent from.
Mobile App Forensics: Second App Completion
MALWARE
- Adam at Hexacorn explores the winlogon executable to determine why it had a moon and starts icon pre Win 8
The Archaeologologogology #2 – the romantic view as seen through the winlogon.exe’s window…
- Andrew Dove at Airbus analyses a Word document used to infect users with the Hancitor malware. Due to the heavily obfuscated VBA macros Andrew chooses to run the malware in a “controlled environment and follow the execution in Word’s debugger”. Interestingly even if you enable macros in Words Trust Centre, if you hold the Shift key down whilst opening a document no macros will run (primarily targeted at the “Document_Open” routines). Andrew then proceeds to analyse the macro code, and shellcode before examining the payload.
Analysing the Hancitor Maldoc
- Also on Hancitor, Roy Moshailov at Morphisec analyses the full Hancitor attack chain – from Maldoc with spelling errors, to shellcode purporting to be Winword, as well as C2 communication
New Wave of Hancitor Comes with New Evasive Techniques
- And regarding the Shift key trick mentioned above, Philippe Lagadec advises that the shift key trick only works when pressed. If a macro is set to run on document close the shift key has to be pressed again whilst closing the document or else the code will still run. Also, “ActiveX object events are NOT disabled when the user holds the Shift key down”.
VBA Macro analysis: Beware of the Shift Key!
- Donna Wang and Jacob (Kuan Long) Leong at Fortinet have a writeup a newly discovered piece of malware named Proteus. Proteus is “a multifunctional botnet written in .NET that appears to be a proxy, coin miner, e-commerce merchant account checker, and keylogger”. It’s interesting to see that a large amount of malware is written in .NET, which researchers are able to reverse. I’m not sure if this is because this is easier to write in, or it gets the same result as malware written in other languages that are harder to reverse, or both.
A New All-in-One Botnet: Proteus - Malwarebytes Labs shared a few posts this week
- Hasherezade and Jérôme Segura share some information about the VindowsLocker ransomware which “is written in C# and mildly obfuscated. Files are encrypted with AES and it adds the .vindows extension to each one.” The interesting thing about this malware is that it abuses the Pastebin API to communicate with C&C. They also share a decryptor tool which runs on the infected machine to decrypt the files.
Tech support scammers up their game with ransomware (UPDATED) - Nathan Collier shares some information about an Android app named com.adups.fota “found on China-made mobile devices running the Android OS”. This app is a backdoor/information stealing trojan and can only be disabled (not uninstalled) as it is a system app.
Mobile Menace Monday: Adups, old and new - William Tsing walks through a process of attribution of a banking-themed phish.
Attribution Part II: Don’t overthink it
- Hasherezade and Jérôme Segura share some information about the VindowsLocker ransomware which “is written in C# and mildly obfuscated. Files are encrypted with AES and it adds the .vindows extension to each one.” The interesting thing about this malware is that it abuses the Pastebin API to communicate with C&C. They also share a decryptor tool which runs on the infected machine to decrypt the files.
- Mandiant, a FireEye company, has “responded to the first Shamoon 2.0 incident against an organization located in the Gulf states”. “Shamoon 2.0 is a reworked and updated version of the malware” seen used by a “suspected Iranian hacker group called the ‘Cutting Sword of Justice’” back in 2012. This post provides a summary of what Mandiant uncovered based on the samples that they have analysed. The malware scans IP addresses, attempts to access various shares, enables the Remote Registry service, creates a scheduled task to execute the malware ntssrvr32.exe in the system32 directory, modifies the system clock, wipes the MBR/VBR and “attempts to overwrite Windows operating system files … [with] a .JPG file depicting the death of Alan Kurdi”.
Fireeye Responds To Wave Of Destructive Cyber Attacks In Gulf Region
- Palo Alto have a couple of articles this week
- Robert Falcone has also obtained a sample of Shamoon 2.0/Disttrack and provides his thorough analysis.
Shamoon 2: Return of the Disttrack Wiper - Cong Zheng and Tongbo Luo have identified an Android trojan called PluginPhantom, which “is the first to use updating and to evade static detection”. PluginPhantom “abuses the legitimate and popular open source framework “DroidPlugin”, which allows an app to dynamically launch any apps as plugins without installing them in the system”.
PluginPhantom: New Android Trojan Abuses “DroidPlugin” Framework
- Robert Falcone has also obtained a sample of Shamoon 2.0/Disttrack and provides his thorough analysis.
- Monnappa at Cysinfo explains a recent spear phishing attempt to target Indian Government organisations. The attacker’s “spoofed an email id that is associated with Indian Ministry of Defence” and attached both a publically available, legitimate document on Cyber Security and a maldoc that drops a backdoor using malicious macros. Monnappa then examines the maldoc and the dropped executable before providing information about the C&C.
Malware Actors Using Nic Cyber Security Themed Spear Phishing To Target Indian Government Organizations
- Stefan Ortloff at Securelist was able to obtain some samples of a new wave of Mirai that has been seen attacking home routers in Germany (although later this was seen worldwide). The malware resides in memory (and won’t survive a reboot), “closes vulnerable port using iptables”, resolves C&C servers using Googles DNS and “scans the internet for open TCP 7547 and infect other devices”.
New wave of Mirai attacking home routers - Shelly Giesbrecht at the Cisco Security blog describes what in a general IR Go-Bag. Her go bag includes a powerful laptop, write blockers and the various other bits and pieces you would expect “various boot disks, an array of cables, small toolkits, cameras, anti-static bags, labels and multiple external storage drives to ensure all data can be collected”.
What’s in Your Incident Response Go-Bag? - Trend Micro have posted a couple of articles this week
- Stephen Hilt and Fernando Mercês have analysed a newly discovered variant of HDDCryptor, which they believe was “used in a recent attack against San Francisco Municipal Transport Agency (SFMTA)”. They observed some changes in the malware, such as the newer version creating a folder “WWW” in the “C:\Users” folder rather than creating a new user account as in previous iterations. This folder stores the tools used to encrypt the hard drive and connected file shares. They mention that 30GB of data was exfiltrated from the SFMTA attack except this may have been prior to installing HDDCryptor; I may have missed it but it doesn’t look like data exfil was in its list of capabilities.
HDDCryptor: Subtle Updates, Still a Credible Threat - Jason Gu analyses some SMSSecurity apps that purport to generate One Time PINs for various banks, but in reality are just trojans. The malware contains anti-forensics checks to ensure that it’s running on a device rather than an emulator. Once the malware is installed it attempts to root the device and install TeamViewer QuickSupport to allow the attacker to take control of the device.
New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer
- Stephen Hilt and Fernando Mercês have analysed a newly discovered variant of HDDCryptor, which they believe was “used in a recent attack against San Francisco Municipal Transport Agency (SFMTA)”. They observed some changes in the malware, such as the newer version creating a folder “WWW” in the “C:\Users” folder rather than creating a new user account as in previous iterations. This folder stores the tools used to encrypt the hard drive and connected file shares. They mention that 30GB of data was exfiltrated from the SFMTA attack except this may have been prior to installing HDDCryptor; I may have missed it but it doesn’t look like data exfil was in its list of capabilities.
- David Bianco at Enterprise Detection & Response shares a process for utilising a string comparison algorithm to calculate the “Damerau-Levenshtein distance” and identify potential malware. By finding process names that have a high similarity score hunters may be able to locate malware that has similar, but not correct names (ie scvhost instead of svchost).
Hunting for Malware Critical Process Impersonation
- Amanda at Secured.org has shared a number of resources for those that want to get into reverse engineering malware.
How to Start Reverse Engineering Malware
- Andrew Tappert at ForcePoint explains a PoC Linux rootkit showcased by Michael Leibowitz at Black Hat 2016, “that demonstrates two interesting techniques: 1. infecting systems via the initial ramdisk, and 2. deceiving system owners using container primitives”.
The Horse Pill Rootkit Vs. Forcepoint Threat Protection For Linux - There were a couple articles on Fortinet this week
- Lilia Elena Gonzalez Medina examines the Bladabindi/njRAT trojan which uses the .NET framework and provides “the malicious actor with unauthorized access to the infected computer in order to collect different kinds of information”. The keylogger sets itself up to run from the Temp directory using the the Run key, as well as startup, and stores its keylogs inside the registry. Using this information an analyst should be able to identify the initial date of infection (there’s a lot of artefacts created).
Bladabindi Remains A Constant Threat By Using Dynamic DNS Services - Sarah Wu and Jacob Leong share some information on Cerber 5.0.1 and compare it to its predecessor Cerber 5.0.0, primarily relating to the multithreading support found in the later version. They also provide a brief timeline of versions and when they were identified.
Cerber 5.0.1 Arrives with New Multithreading Method
- Lilia Elena Gonzalez Medina examines the Bladabindi/njRAT trojan which uses the .NET framework and provides “the malicious actor with unauthorized access to the infected computer in order to collect different kinds of information”. The keylogger sets itself up to run from the Temp directory using the the Run key, as well as startup, and stores its keylogs inside the registry. Using this information an analyst should be able to identify the initial date of infection (there’s a lot of artefacts created).
- Nick Biasini and Edmund Brumaghin at Talos comment on Cerber 5.0.1 which has been seen in a recent spam campaign. The e-mail spam “combines the use of redirections via Google, and the use of a Tor2Web proxy service in an attempt to evade detection and make mitigation more difficult”. From there it drops a Word maldoc that employs “junk code and other evasion techniques to make detection more difficult”.
Cerber Spam: Tor All the Things!
- Emsisoft have released a decryptor for the NMoreira/XRatTeam/XPan ransomware. ”Encrypted files have either the extension *.maktub or *.__AiraCropEncrypted!”. The decryptor can be found at the link below.
Emsisoft Decrypter for NMoreira
- Whilst not directly Malware related, I imagine this might come in handy for those performing malware analysis. Pat Shaughnessy has written a guide for learning to read x86 assembly language. Pat breaks down how to read the language and then walks through how to read some of his own code translated into assembly.
Learning to Read x86 Assembly Language
MISCELLANEOUS
- Digital Forensics Corp have posted a review of some training put on by Syntricate. The training appeared to cover AccessData products and the author advises that prior to taking the course “students should have gone through either AccessData’s BootCamp training or possess a few years of hands-on work experience with FTK software.”
Get More Info About The Forensic Course
- Dr. Eric Cole has an article on the SANS InfoSec Reading Room on Insider Threats and the Need for Fast and Directed Response.
Insider Threats and the Need for Fast and Directed Response - Thomas White at Tribal Chicken has provided a guide for “configuring a basic Cuckoo Sandbox installation on a FreeBSD host”.
Guide: Cuckoo Sandbox on FreeBSD - Carolyn Casey explains that, in the US, “federal judges can [now] issue warrants for remote searches of computers outside their jurisdiction related to investigating suspects whose identities are concealed through anonymization, such as in child pornography websites”. This came as a result of Congress failing “to block or delay changes to Rule 41(b) of the Federal Rules of Criminal Procedure before Dec. 1, 2016”.
Breaking News Alert – Expanded Federal Remote Computer Search Changes are Now the Law
- Scott J. Roberts shares his thoughts on the importance for DFIR and Security professionals to learn to code. Scott includes a variety of resources for learning Python, which has become the defacto standard for the IT Security industry.
Python for CND
- Demisto have posted the Lessons Security Professionals Can Learn from “Mr. Robot”. I haven’t watched the second season yet so I’m unable to provide commentary, have to avoid spoilers!
Lessons Security Professionals Can Learn from “Mr. Robot” - Jake Williams has posted a couple of articles this week
- First he shares his thoughts on performing DFIR on the e-voting system used in the US in the most recent election. Jake makes the valid point that “Every four years we criticize the security of the e-voting machines without actually doing anything about it”. He also makes the claim that the security on these systems is probably not as good as it needs to be and that a proper security audit is required.
DFIR in the election recount(s) - Secondly he shares a handy mnemonic for learning the 7 phases of the Cyber Kill Chain™; “Real Women Date Engineers In Commando Armor”.
Kill chain mnemonic
- First he shares his thoughts on performing DFIR on the e-voting system used in the US in the most recent election. Jake makes the valid point that “Every four years we criticize the security of the e-voting machines without actually doing anything about it”. He also makes the claim that the security on these systems is probably not as good as it needs to be and that a proper security audit is required.
- There were a couple of articles on Forensic focus this week
- Azeem has posted a review of the FTK training from AccessData. Azeem attended a 3-day training course on a variety of the FTK products (Imager, PRTK, Registry Viewer and FTK itself). Azeem felt that the course was put together well, and covered a large breadth of topics, as well as adequately preparing him for the ACE Certification. The main takeaway I got from this article was that he had been using the tool for a number of years but after taking the training really understood what it was capable of. This is something that I’ve been considering lately with regards to moving to X-Ways. It’s quite simple to discount the tool as too difficult, or lacking functionality, but with the right training you can identify its strengths and weaknesses and figure out if it actually doesn’t fit into your workflow, or you don’t know how to make it work for you.
Review: Advanced FTK Training From AccessData - Belkasoft have created a Forensic Services department which can assist with a large variety of services.
Belkasoft Opens Forensic Services Department
- Azeem has posted a review of the FTK training from AccessData. Azeem attended a 3-day training course on a variety of the FTK products (Imager, PRTK, Registry Viewer and FTK itself). Azeem felt that the course was put together well, and covered a large breadth of topics, as well as adequately preparing him for the ACE Certification. The main takeaway I got from this article was that he had been using the tool for a number of years but after taking the training really understood what it was capable of. This is something that I’ve been considering lately with regards to moving to X-Ways. It’s quite simple to discount the tool as too difficult, or lacking functionality, but with the right training you can identify its strengths and weaknesses and figure out if it actually doesn’t fit into your workflow, or you don’t know how to make it work for you.
- VMRay have announced a connector created by the MISP project “to enable automatic submission of a file from MISP into VMRay, then through our API ingest the results, in particular, the IOCs uncovered as a result of the analysis”.
Threat Intelligence Sharing With MISP And VMray - “SEC Consult has created proof of concept disk images that will crash Encase” Imager (up to 7.10, the latest release), and Encase Forensic (tested with version 7.08.00.137). The researchers didn’t test En8 but I imagine that’s affected as well. The vulnerability can cause Encase Imager/Forensic to crash, but researchers were also able to create a Heap-based buffer overflow using a manipulated ReiserFS that could allow an attacker to gain arbitrary code execution. Guidance has advised that they will fix the vulnerability at a later date. I can understand why they’re not treating this with much urgency; the likelihood that someone will create a specially crafted disk image that contains malware specifically for Encase (whilst potentially higher than some of the other platforms), is still minimal.
SEC Consult Vulnerability Lab Security Advisory < 20161128-0 > - Jared Atkinson has published documentation on his PowerForensics tool. The documentation can be found here.
- Samuel Alonso shares a white paper “that goes through the current challenges faced by researchers to attribute cyber attacks”.
Paper: Wave your false flags! Deception tactics muddying attribution in targeted attacks
- The Call for Presenters for BloomCon 2017 has opened and closes March 1st, 2017. BloomCon is a security and DFIR conference held in Bloomsburg, PA, March 24-25 2017.
BloomCon 2017
- Brian Carrier has “set up a Google Group to allow educators to share their experiences, data, slides, etc [with using Autopsy in their education program]. If you are using Autopsy in your classroom, sign up and join the conversation”.
Autopsy For Education Google Group
- Whilst not directly DFIR/InfoSec related I feel this is important to share, Lesley Carhart has written her thoughts on the importance for folks in the IT industry to look after themselves. Neglect your health as much as you want, but it’ll catch up to you eventually, and it won’t be pretty.
Health and Wellness in InfoSec
- DFIR Guy at DFIR.Training has answered the question of “will you add free training resources to your training repository”. The TLDR version is no. He explains that a training course needs to be from someone recognised as an expert in the field or tool (where recognised training org usually uses recognised trainers, and the developer is an expert in their tool) to be worthwhile (in his opinion). I imagine the caveat is that if the training is free, but meets the above criteria, it will make it onto the list.
Free #DFIR training is great! Except when it’s not.
And that’s all for Week 48! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 