Week 3 – 2019

I’m curious to get feedback from people regarding writing up links going forward. I haven’t really seen a hit in the page views between links only and doing the full writeup, but I do save a significant amount of time by just compiling the links. Any feedback would be greatly appreciated.

Extra special thanks to my new contributor Lodrina Cherne for helping me out with the Malware and Threat Hunting sections this week (and hopefully again!). Lodrina has offered to help out for the next few weeks, and maybe more, so she may be popping up again soon. Also, whilst Lodrina has taken over these sections, she’s also awesome at forensic analysis.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

THREAT INTELLIGENCE/HUNTING

  • Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides an explanation of DNS tunneling for data exfiltration, including a video of Jaime Blasco’s presentation at the Kaspersky Security Analyst Summit.
    DNS tunneling techniques in cyberattacks

  • Andreas Sfakianakis at ‘Tilting at windmills’ links to his favorite 20 CTI videos of the year, including DFIR, red team / blue team, and ICS content.
    My Top 20 CTI/DFIR Talks for 2018

  • Matt at ‘Bit_of_Hex’ summarises the 400+ page report on the suspected APT breach of the SingHealth patient database between late 2017 and mid 2018, mapping it to ATT&CK.
    ATT&CKing the Singapore Health Data Breach

  • Richard Bejtlich at Corelight gives a history of network monitoring including the utility of Todd Heberlein’s Network Security Monitor at the Air Force Computer Emergency Response Team.
    Monitoring. Why Bother?

  • Wee-Jing Chung at Countercept looks at detection methods and IOCs for the post-exploitation agent SILENTTRINITY. A malicious .XML file starts the infection, and with dynamic .NET assembly and reflective loading the attack concludes with running malicious Python code.
    Hunting for SILENTTRINITY

  • Patrick Olsen at ‘Incident Response Readiness’ posted a few times this week
  • Following on from the highs and lows of the secret Office 365 Activities API in 2018, LMG reports that the MessageBind function is back and logged for all users in O365 as of February 2019! This will help investigators determine whether emails were read or accessed (in the preview pane or opened), access search history, and more.
    The Office 365 Magic Unicorn Tool Lives!

  • Matt Suiche at Comae Technologies discusses using the Microsoft Graph Security API, in particular the Alerts API, and wrote a PowerShell script (GetProcessSecurityAlerts.ps1) to leverage this information. From here an analyst has further information should they perform a memory dump and analyze it with Comae.
    Leveraging Microsoft Graph API for memory forensics

  • Frank Duff at MITRE provides a review of EDR detections in the first round of MITRE reports, including common pitfalls in reading the “stoplight” chart.
    Would a Detection by Any Other Name Detect as Well? — Part 1

  • Nextron released ASGARD v1.7 with a new file and memory evidence collection capability.
    ASGARD v1.7.2 with File and Memory Collection

  • Lee Holmes at ‘Precision Computing’ sets out to answer the question “Is it possible to extract the content of scripts (from disk) that were executed, even if those files were not captured?” Using WinDbg to create a known sample dump file, then searching through the data using SOS and looking up the results against the online documentation in PowerShell Source, Lee successfully recovers PS commands from memory.
    Extracting Forensic Script Content from PowerShell Process Dumps

  • Secjuice shares a list of threat intel feeds you can use to enhance your SIEM.
    Feed Your SIEM With Free Threat Intelligence Feeds

UPCOMING WEBINARS/CONFERENCES

PRESENTATIONS/PODCASTS

MALWARE

  • There were a few posts on the Carbon Black blog this week
    • Crypt0r ransomware, similar to WannaCry and NotPetya in making use of EternalBlue. An early indicator is notepad.vbs running from a Temp folder, followed by deletion of VSCs. Files get a random extension, or “personal service ID”, which is written in the ransom note “_Help.txt”.
      TAU Threat Intelligence Notification – Crypt0r Ransomware
    • Swee Lai Lee posted about the MongoLock ransomware. The malware uploads files from common locations (Desktop, Recent folder, Documents, etc.) and then deletes them from the local drive. Files are hosted on TOR and a “Warning.txt” ransom note is left in the affected folders.
      TAU Threat Intelligence Notification – MongoLock Ransomware
    • Using research from Taha Karim, Erika Noerenberg presents a review of the WindShift APT group focusing on the Middle East and a macOS backdoor delivered through an Office document. Meeting_Agenda.zip contains Meeting_Agenda.app which establishes startup persistence.
      TAU Threat Intelligence Notification – WindTail (OSX)

  • CERT Poland unveils the Malware Database (MWDB), where users can store their malware samples, view basic metadata and parent/child relationships, and search for shared indicators across samples. Stored malware can be accessed via an API or built on with Python. Note the sharing caveat for third parties: “samples located in MWDB can be shared by external entities.”
    MWDB – our way to share information about malicious software

  • Check Point writes about GandCrab ransomware, which no longer depends on PowerShell except for first-stage delivery. The next stage uses AutoIt to deliver two variants of GandCrab ransomware along with the Betabot/Neurevt and AZORult data stealers.
    Check Point Forensic Files: GandCrab Returns with Friends (Trojans)

  • Aaron Riley and Marcel Feller at Cofense identified a South American banking trojan campaign using Windows Control Panel icons (.CPL file extension). The second-stage payloads are banking trojans with keylogger capability, such as Banload.
    Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans

  • Marcus Edmonson posted a couple of times this week
    • He documented testing the Vidar trojan in REMnux, confirming the tepingost[.]ug domain associated with the malware and noting the additional .dll files dropped under a randomly named folder in ProgramData. Data from the infected system, including passwords from Outlook, gets stored in “information.txt” and “outlook.txt” before being zipped up and exfiltrated. (Notably, Microsoft identifies the Flash exploit as a clean file on VirusTotal as of this writing.)
      Rig Exploit Kit – Vidar Behavioral Analysis
    • Marcus also shared an analysis of Black Energy, which targeted power grids in Ukraine and is associated with Sandworm Team. Using a .doc file and tools including REMnux, RegShot, and ProcMon, Marcus shows how a .lnk file is created in the Startup folder for persistence, and also includes an analysis of the dropped VBA macros.
      Black Energy – Analysis

  • Vitali Kremez at Flashpoint explains that PowerRatankba was used in the recent Redbanc intrusion in Chile; the malware has ties to the North Korea-associated APT group Lazarus (aka Hidden Cobra / Kimsuky). A Redbanc IT employee, applying for a job posted on social media, executed a malicious executable as part of the interview process. The fake job application checks for administrator privileges and, if an administrator account is found, establishes a foothold using service persistence.
    Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties

  • Abel Toro at Forcepoint examines the GoodSender malware, which uses Telegram as C2, and then turns this against the threat actor to uncover them.
    Tapping Telegram Bots

  • There were a couple of posts by Fortinet this week
    • Anthony Giandomenico provides an overview of the last three years of Internet of Things (IoT) malware trends, from the Mirai botnet to the Hajime ransomware worm, Brickerbot, and Hide ‘N Seek (HNS). Suggestions for protecting devices include identifying IoT assets and segmenting devices on the network.
      Fighting the Evolution of Malware
    • Xiaopeng Zhang breaks down the NanoCore RAT, which can perform keylogging, capture passwords, upload files, and more. Starting with delivery via a Word document, there is a detailed analysis of the VBA code that executes when macros are enabled, followed by analysis of the second-stage payloads.
      .Net RAT Malware Being Spread by MS Word Documents

  • There were a few posts by Malwarebytes this week
    • William Tsing gives an overview of APT10, commonly associated with the Chinese Ministry of State Security, which often attacks high-value foreign targets. Malware commonly deployed includes Scanbox, Sogu, Poison Ivy, and PlugX. Citing the recent PwC/BAE report, the suggestion is made that Managed Service Providers may be the next APT10 focus.
      The Advanced Persistent Threat files: APT10
    • Jérôme Segura shares that the Fallout exploit kit is back, recently being distributed through malvertising and delivering GandCrab ransomware. New to this version of Fallout EK, Flash is exploited in order to deliver the PowerShell payload.
      Improved Fallout EK comes back after short hiatus
    • Pieter Arntz looks at takedowns of sites hosting malware, particularly fake bank sites (the real financial institutions suffer the most from customers falling for fake sites). Arntz finds that the average time for a hosting provider to take down a site is 8 hours, with many being quicker and some being unresponsive, and suggests that users check the reputation of hosting providers before signing up to do business with one.
      Hosting malicious sites on legitimate servers: How do threat actors get away with it?

  • Mike R looks at a malicious Word document aimed at Japanese targets, using the Developer tab inside Word itself. Mike then moves on to REMnux, oletools, and Sysmon, and looks at the additional files dropped.
    Analyzing a Japanese Language Malicious Word Document

  • ASERT reports on LoJax and Fancy Bear, identifying LoJax servers and C2 domains, and looks at C2 domain registration going back to 2004 and the spike in 2016/2017.
    LoJax: Fancy since 2016

  • There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
    • Rob VandenBrink describes Microsoft’s Local Administrator Password Solution (LAPS). From the Blue team: restrict access to local administrator passwords using MS LAPS – just don’t put your DC in LAPS! From the Red team: an authorized user can still read these passwords in the clear!
      Microsoft LAPS – Blue Team / Red Team, (Mon, Jan 14th)
    • Brad Duncan describes three new Emotet campaigns covering both the Epoch 1 and Epoch 2 delivery types. Emotet has recently delivered other malware like Gootkit and IcedID/Bokbot.
      Emotet infections and follow-up malware, (Wed, Jan 16th)

  • There were a couple of posts at Cisco’s Talos blog
  • There were a couple of posts by Trend Micro this week

MISCELLANEOUS

SOFTWARE UPDATES

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

5 thoughts on “Week 3 – 2019”

  1. I think just having the links is a great tool. I used to just scan the links anyway until I got to one I was interested in, and then I would read the description. I can just as easily click on the link and read the intro. Thanks for your work in putting this together each week.


  2. Phil,

    Thanks for putting together the weekly rundown of interesting links. I look forward to reading it, and it’s a great list.

    In terms of links vs. link + description, I’d say very brief descriptions are appreciated.

    The bigger bit of feedback I’d say is how the email subscription comes across. Right now it shows a snippet of your post and that’s it (screenshot below). It’d be great if it was more in a newsletter type format. Not a big deal, but wanted to pass along in case you’re interested.

    Keep up the good work!

    Regards, Jamie


    On Sat, Jan 19, 2019 at 10:39 PM This Week In 4n6 wrote:

    > Phill Moore posted: “I’m curious to get feedback from people regarding writing up links going forward. I haven’t really seen a hit in the page views between links only and doing the full writeup, but I do save a significant amount of time by just compiling the links. Any feed”


    1. Hi Jamie, the email notification is a WordPress feature, so I don’t have much control over it.
      I might consider adding a newsletter feature as a Patreon reward if there’s a call for it, because otherwise it’s just an extra bit of work for me to remember to do.


  3. You might never see a dip if you only published links, but the brief descriptions are immensely useful. Thank you for all the time you spend on this project – it’s amazing.

