Wednesday, April 3, 2019

Mojave update breaks VMware Fusion

If you run a Mac as a research machine as well, you might want to check your privacy settings if it all of a sudden stops responding.  I noticed the Mojave update unchecked the Accessibility permission for Fusion.  You'll know if this is your problem -- the damn thing will not allow keyboard or mouse access in the VM.

See below:

https://communities.vmware.com/thread/594284


Sunday, March 10, 2019

OSX/MaMi

A bit older but a fun piece of malware that I ran into this weekend.

Easiest ways to detect it:

  • These IP addresses configured as DNS servers: 82.163.143․135 and 82.163.142․137.
  • A root CA installed for the domain cloudguard[dot]me.
  • Unusual files in /Library/LaunchDaemons and ~/Library/Application Support.
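Those three checks, turned into an offline triage helper. This is an added example, not code from the original post: it takes text captured on the suspect Mac (the commands are named in each docstring) and flags the indicators above; the LaunchDaemons baseline and the sample captures are constructed for the example.

```python
# Added example, not from the original post: an offline triage helper for the
# OSX/MaMi indicators listed above. Feed it text captured on the suspect Mac
# (commands named in each docstring) or the constructed samples below.
import re
from typing import Iterable

# Indicators from the post (the post shows the IPs defanged).
MAMI_DNS_SERVERS = {"82.163.143.135", "82.163.142.137"}
MAMI_CA_DOMAIN = "cloudguard.me"

# Assumed baseline of expected LaunchDaemon plists; build yours from a
# known-good machine (this set is constructed for the example).
KNOWN_LAUNCH_DAEMONS = {"com.apple.placeholder.plist"}


def rogue_dns_servers(dns_output: str) -> list:
    """MaMi resolvers in `networksetup -getdnsservers <service>` output (one IP per line)."""
    return [ip for ip in (l.strip() for l in dns_output.splitlines()) if ip in MAMI_DNS_SERVERS]


def rogue_root_ca(cert_lines: str) -> bool:
    """True if any subject=/issuer= line (e.g. `openssl x509 -noout -subject -issuer`
    run over each cert exported from the System keychain) names the MaMi CA domain."""
    pat = re.compile(r"^(subject|issuer)=.*\b" + re.escape(MAMI_CA_DOMAIN) + r"\b", re.I)
    return any(pat.search(line.strip()) for line in cert_lines.splitlines())


def unexpected_launch_daemons(names: Iterable[str]) -> list:
    """Plist names from `ls /Library/LaunchDaemons` that are not in the baseline."""
    return sorted(n for n in names if n.strip() and n not in KNOWN_LAUNCH_DAEMONS)


def triage(dns_output: str, cert_lines: str, daemon_names: Iterable[str]) -> dict:
    """Combine the three checks; an empty dict means none of the indicators hit."""
    findings = {}
    if dns := rogue_dns_servers(dns_output):
        findings["dns"] = dns
    if rogue_root_ca(cert_lines):
        findings["root_ca"] = MAMI_CA_DOMAIN
    if daemons := unexpected_launch_daemons(daemon_names):
        findings["launch_daemons"] = daemons
    return findings


# Constructed sample captures (not real data from any machine).
SAMPLE_DNS = "82.163.143.135\n82.163.142.137\n"
SAMPLE_CERTS = ("subject=CN = DigiCert Global Root CA\nissuer=CN = DigiCert Global Root CA\n"
                "subject=CN = cloudguard.me\nissuer=CN = cloudguard.me\n")
SAMPLE_DAEMONS = ["com.apple.placeholder.plist", "com.example.updater.plist"]

if __name__ == "__main__":
    print(triage(SAMPLE_DNS, SAMPLE_CERTS, SAMPLE_DAEMONS))
```

On a clean box `networksetup` prints "There aren't any DNS Servers set on Wi-Fi." for DHCP-assigned resolvers, which the DNS check correctly treats as no hit.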

For network searching, this blog post has a list of domains that can be researched to look for traffic over port 80.

References:

Thursday, March 7, 2019

Basking in a little shade


I like Malwarebytes' work.  When they write up malware, at least it's informative and pleasant to read.  The write-up on Troldesh (Shade) is a great example.

It gets right to the point:  hey, everyone, while ransomware has trended down, some families are still on the rise, especially this one.

Can't beat that.  Gets right to the meat of things.

Infection vector:  same ole same ole:  email spam.  In this case, you learn its vector is via attachments, especially zip files.  If that isn't your normal kind of email attachment, give it a skip -- save yourself from being infected.

They do let me down a bit on the attribution.  Saying something might be Russian in origin because its ransom note is in both Russian and English makes me sad.  Now if they had pointed to the orthography of the writing or the coding style, maybe that could hold more water.  It does hint that those two audiences are the focus.

Anyway, among the gems I saw in this article, the movie references used as file extensions were interesting.  Many of these were not only very famous in the US but equally runaway famous in other countries, such as Breaking Bad, Dexter, The Da Vinci Code, etc.

When I see these, I tend to pay attention to where the reporting is coming from.  In this case, a wide array of English-speaking, Chinese and Russian sites dominate.

Bonus Points (older reporting):


Wednesday, March 6, 2019

It's that time again

Yup.  Like it says, here we go.

PirateMatryoshka

Torrent site infecting people with malware

Makes for great headlines.  Here's the actual report on Securelist for deeper reading.

Torrents make for easy targets, since the people using them are stereotyped as doing so for less than above-board reasons.  Any judgements aside, caution needs to be exercised regardless of why you are torrenting a file.

For downloaders:


  • Be cautious.  Look at the number of seeders and peers.  Those numbers are easy to abuse and inflate.  Use https://iknowwhatyoudownload.com/en/api/ and sign up for the API.  Look at the amount of activity reported there and double-check it against what you are seeing.
  • Look up the tracker.  If you can't easily find it via your favorite search engine, reconsider downloading from it.
  • Look for comments.  See if they sound human and make sense.  You know what to do if they don't.
  • Any kind of instructions are a dead giveaway of a likely bad file.  If it asks you to log in, provide data, authenticate, etc. -- you are about to be phished, infected or generally done over in a very painful way.
  • File types matter.  Use caution with an archive (rar, zip, 7zip, etc.) and completely avoid executable files if possible.
  • Download to a safe location.  If you can, use a virtual machine.


For Researchers:

Head to the site above and sign up for an API key.  You can query up to 1,000 times for free.  You can pivot off a lot of interesting elements there.  My favorite one is the infohash, which returns a JSON with the following fields.


Feel free to dig to your heart's content.  Here's the full breakdown of what's available via the API.

You can also do it yourself with a bit of elbow grease:  http://labs.boramalper.org/magnetico/

Friday, March 1, 2019

Less malware and just malware related fun

I read this article on March Malware Madness.  The points in the article are articulated well enough that it's worth the read and the time spent on them.

The marketing spin is only lightly applied, so you won't be drowning in exhortations that their product does everything and anything security, but you won't miss them either.

While the four scenarios and points were well done, they miss the number one hard thing that really is at the root of the issue being addressed (root cause analysis, anyone?):  people.



Like this shamelessly borrowed image of unknown attribution says, it's really the people who are the root cause.

The right training, review of processes and company cultural changes that support security would go as far or, dare I say, farther to mitigate and control the problem.





Saturday, February 23, 2019

Separ


Password stealer with some interesting trends.

Community Names:
  Separ
Tactics:

  • Living off the Land

Attack Vectors:

  • Primarily phishing emails with fake Adobe PDF/installer attachments that carry the infection
  • Some infections happen by accident when people stumble across the infected sites


References:


  • https://hackercombat.com/whats-new-with-separ-malware-family-in-2019/
  • https://www.deepinstinct.com/2019/02/19/a-new-wave-of-the-separ-info-stealer-is-infecting-organizations-through-living-off-the-land-attack-methods/
  • https://threatpost.com/separ-malware-credentials-phishing/142009/
  • https://blog.talosintelligence.com/2018/06/threat-roundup-0622-0629.html

Friday, February 22, 2019

Shlayer

Shlayer is a macOS trojan first discovered by researchers at Intego in February 2018. It was first distributed masquerading as an Adobe Flash Player installer. This new variant is being distributed in a similar fashion, this time as an Adobe Flash update via browser pop-ups on hijacked or spoofed websites. In addition, malvertising has also been observed as another distribution method in this new campaign. The new campaign was discovered by Carbon Black’s Threat Analysis Unit (TAU). It was targeting all macOS releases up to 10.14.3 Mojave, arriving as files signed with a legitimate Apple developer ID.


Wednesday, February 20, 2019

Speak Up

Community Synonyms
  • Named after its C2.
  • Likely discovered under different names (TBD)

Detection Characteristics & Behavior
  • The initial infection vector targets the recently reported vulnerability in ThinkPHP and uses command injection to upload a PHP shell, which in turn serves and executes a Perl backdoor.

Attribution links
  • Check Point researchers were able to correlate SpeakUp’s author with a malware developer operating under the name Zettabit.



Malware References
  • https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

Tuesday, February 19, 2019

GoScanSSH

Community Synonyms
  • None noted at this time.
YARA
  • https://github.com/raw-data/signatures/blob/master/yara/trojan_linux_GoScanSSH.yar
Possible Code
  • https://github.com/ofalk/scanssh

Context of use
  • https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Pro-High-CPU/td-p/2245371
  • https://searchsecurity.techtarget.com/answer/GoScanSSH-How-does-this-malware-work-and-differ-from-others

Malware References

  • https://threatpost.com/goscanssh-malware-targets-ssh-servers-but-avoids-military-and-gov-systems/130812/
  • https://blog.talosintelligence.com/2018/03/goscanssh-analysis.html
  • https://www.ssh.com/attack/GoScanSSH
  • https://exchange.xforce.ibmcloud.com/collection/GoScanSSH-Malware-078ff9e71f01695186d4a7d10abc1a81/reports
  • https://www.birger.technology/press/emerging-threat-malware-goscanssh-targets-ssh-devices