Week 5 – 2019

Thanks to Lodrina for her help. You can catch her teaching FOR500 in St Louis next month, and she’s also asked me to share that her company is hiring in Boston.

As always, thanks to those who give a little back for their support!

  • Brian Laskowski at Laskowski-Tech examines web traffic to reveal an attempted exploit of a vulnerability in ThinkPHP. The dropped malware “runs mimikatz, drops executables, schedules tasks, runs a crypto miner” and more; Brian provides IOCs to detect the malware delivered by this type of attack.
    Everything and the Kitchen Sink

  • Carbon Black gives an example of spoofing parent process IDs (PPID); similar examples were brought up in the DFIR community by Didier Stevens about 10 years ago.
    TAU Threat Intelligence Notification: PPID Spoofing – Explorer CLSID

  • CERT Polska covers the new tools Modlishka and evilginx2, which automate MITM proxy-based phishing attacks and which they have seen used against Polish banks. Certain types of two-factor authentication, such as U2F hardware tokens, are suggested as defences against the attack.
    Recommendations on mitigation of man-in-the-middle phishing attacks (evilginx2/Modlishka)

  • Hod Gavriel at Cyberbit writes about a new variety of Ursnif targeting Italian users. Hod focuses on decrypting, deobfuscating, and decompressing the various layers inside this Ursnif sample which are layered one on top of another like a Russian nesting doll.
    New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)

  • Sarah Hawley, Ben Read, Cristiana Brafman-Kittner, Nalani Fraser, Andrew Thompson, Yuri Rozhansky and Sanaz Yashar at FireEye report on APT39, based in Iran. FireEye believes it has traced activity of the group as far back as 2014 and has seen a focus on the telecom and travel sectors, including activity to collect personal information for monitoring and tracking. Backdoors leveraged by the group include SEAWEED, CACHEMONEY, and POWBAT. While there are similarities to APT34, FireEye believes APT39 to be separate, and lists the tools seen at each stage of the attack lifecycle.
    APT39: An Iranian Cyber Espionage Group Focused on Personal Information

  • Raul Alvarez at Fortinet discusses how Jaff ransomware, first seen in 2017, is delivered as a PDF email attachment in which the user is prompted to open an embedded document. From there the macros and API calls involved are detailed, ending with files being encrypted with the .jaff extension.
    Looking Into Jaff Ransomware

  • Amirreza Niakanlahiji and Pedram Amini at InQuest look at an Excel document found in the wild, working through it with Python scripts, Structured Storage Viewer, and a hex editor.
    Extracting “Sneaky” Excel XLM Macros

  • Sherri Davidoff at LMG Security writes about a case where a healthcare org was hit with a successful ransomware attack. While their client paid the ransom, LMG detonated the decryption tool in a sandbox and found that the “vaccine” also delivered the IcePoint RAT.
    Ransomware Decryption is Like a Box of Chocolates…

  • There were a couple of posts on the Malwarebytes blog.
    • Pieter Arntz interviews Malwarebytes’ Head of Threat Intelligence, Jérôme Segura. Segura cites the book Virtual Honeypots by Provos and Holz and gives advice for getting into the field, including to always “publish your work and discoveries”.
      Interview with a malware hunter: Jérôme Segura
    • Hasherezade looks at the Trojan.CryptoStealer.Go data stealer, written in Go (Golang), including how data is packaged up for exfil. A detailed walkthrough of examining the malware in IDA Pro using IDAGolangHelper by George Zaytsev is provided.
      Analyzing a new stealer written in Golang

  • Marco Ramilli writes about how .csv files have previously been documented as potentially malicious when opened in Excel, providing links to earlier work using this technique, then asks whether similar content can be delivered via Google Sheets. By using a .csv file, the technique appears to evade Google’s filters, and a user downloading a Google Sheet could be subject to infection.
    Spreading CSV Malware over Google Sheets

  • Marcus Edmonson at ‘Data Analytics & Security’ (and one of the newest GREM analysts – congrats!) dives into a sample associated with APT32 looking at network traffic and code to show dropper functionality.
    APT 32/OceanLotus – Sample:D592B06F9D112C8650091166C19EA05A

  • Samip Pokharel at mas_kop9 discusses the NetWiredRC trojan used by APT33, breaking down the code and the C2 structure. The trojan has over 100 different capabilities, including starting a remote shell and taking audio recordings and screenshots.
    Analysis of NetWiredRC trojan

  • Michael Gorelik, Alon Groisman and Bruno Braga at Morphisec look at targeted campaigns delivering the Orcus RAT from an actor they call PUSIKURAC, focused on information stealing and .NET evasion. One distinctive trait of the downloader is that it delivers a Coca-Cola commercial, with the Orcus RAT .NET executable appended to the video file.
    New Campaign delivers orcus rat

  • Matthew Bing at Arbor discusses CoAP reflection/amplification DDoS attacks, seen in use against mobile phones in China. CoAP is “a simple UDP protocol that is intended for low-power computers on unreliable networks, like Internet of Things (IoT) or mobile devices” – as such, the authors predict the attack may be seen more often as IoT devices become more common.
    CoAP Attacks In The Wild

  • The Radware blog writes about why cryptomining is popular with attackers: its ease of use and the ability to leverage a cryptomining foothold in conjunction with other types of attacks.
    The Rise in Cryptomining

  • Denis Legezo at Kaspersky writes about a Remexi campaign targeting foreign diplomats in Iran and “associated with an APT actor that Symantec calls Chafer.” The trojan uses legitimate Microsoft utilities like bitsadmin.exe, extract.exe, and taskkill.exe for exfil and C2. Remexi uses components written in C and AutoIT and varying persistence methods detailed by Denis.
    Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

  • Edmund Brumaghin and Paul Rascagneres with Jungsoo An at Cisco Talos detail an attack that hits close to home, a Word document purporting to be a job posting for Cisco Korea.
    Cisco Job Posting Targets Korean Candidates

  • Dan Chabala and Joseph Fleming at PhishLabs look at changes to mobile banking trojan BankBot Anubis, including the use of Telegram Messenger for delivery of C2 URLs.
    BankBot Anubis Switches to Chinese and Adds Telegram for C2

  • Lorin Wu at Trend Micro looks at mobile beauty apps that exhibit malicious indicators like application hiding and code packing, in addition to adware and pornography that can pop up in a mobile browser. Users upload their photos expecting to get them beautified, and it is suspected that the malware “authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.” While Google has already taken down these apps, their popularity, with over 1 million downloads for some apps, is staggering.
    Various Google Play “Beauty Camera” Apps Sends Users Pornographic Content, Redirects Them to Phishing Websites and Collects Their Pictures

  • Martijn Grooten at Virus Bulletin shares a tweet by Robert M. Lee at Dragos suggesting the utility of journalists to threat intelligence teams. Martijn cites the prior work of Juan Andrés Guerrero-Saade in a VB2015 paper which looks at security research becoming intelligence brokering.
    Threat intelligence teams should consider recruiting journalists

  • Juraj Jánošík at WeLiveSecurity posted a couple of times this week.
    • The first post looks at Russian-language spam delivering Shade / Troldesh ransomware. JavaScript attachments, delivered in a .zip file, are used as the attack vector. The downloader is named ssj.jpg, then masquerades as csrss.exe, before Shade / Troldesh is delivered, encrypting files with the .crypted000007 extension.
      Russia hit by new wave of ransomware spam
    • He also writes about the resurgence of the “Love You” malspam campaign – just ahead of Valentine’s Day! The latest campaign, targeting Japan, delivers all kinds of malware including a “cryptominer, a system settings changer, a malicious downloader, the Phorpiex worm, and the infamous ransomware GandCrab version 5.1.” Like the Shade / Troldesh ransomware that Juraj also writes about this week, “Love You” is delivered in a .zip file containing JavaScript.
      “Love you” malspam gets a makeover for massive Japan-targeted campaign

  • Stefan Hausotte at G DATA takes Ldpinch, an old info stealer, as an example of how to unpack and examine the different code blocks within a PE file.
    Unpacking 101: Writing a static Unpacker for Ldpinch

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
