Introduction

On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as:

  • Fwd:Ticket k29y729n71c52h692o53171
  • ReTicket 985v49f155t06g78v412a3n382
  • Fwd:Ticket 048f1v00u98
  • ReTicket y18k9178280
  • Ticket p574v892f453b467
  • Ticket e26099p58v65x073
  • ReInquiry 9l48o77
  • Inquiry m70q200kd80
  • ReInquiry t63j288d271f997b083a57c547
  • ReInquiry f514f830p417n06h5150s036r838

An example of the message text:

Check the payment report created for [recipients email address] as you just ordered.

You may need Doc Passcode: [string of alphanumeric characters]

[fake senders name]

The attached Word documents were approximately 70 kB in size and password-protected. The document file names started with the string of alphanumeric characters from the subject line followed by the recipients email address. File names all ended with the .docx file extension.

This diary documents my investigation into this wave of malspam. Were always thankful for people who submit samples of emails and malware like this to the ISC.

The email

The email appeared somewhat common for most malspam we see. People sometimes think if malsapm has the recipients name in the email, it must be targeted. However, thats often not the case. This type of malspam is easily automated, and it can seem convincing when the recipient border-width:2px" />
Shown above: An example of the malspam.

The attachment

The document would only open after using the password from malspam it was attached to. This tactic typically allows the document to bypass detection in anti-virus tools. border-width:2px" />
Shown above: Request for the attached documents password.

The document had three embedded objects that were supposedly Word documents. Dragging and dropping the objects onto the desktop revealed these were the same Visual Basic Script (VBS) file. border-width:2px" />
Shown above: border-width:2px" />
Shown above: Text from the embedded VBS file.

ng>The traffic

Executing the VBS file on a Windows host in my lab generated HTTP traffic. This is typically an attempt to download additional malware like a Windows executable or DLL file. border-width:2px" />
Shown above: Traffic generated by the .vbs file.

I searched reverse.it (also available as Payload Security on hybrid-analysis.com) and found 21 items submitted on Monday 2017-03-20 associated with the domain. Most were other documents from the same type of malspam. Two were attempts to analyze an extracted .vbs file. One was a query to the callback URL. None of these examples made it any farther than I did.

NOTE: Getting these search results on reverse.it requires a login. border-width:2px" />
Shown above: Search results on reverse.it (hybrid-analysis.com) for the callback domain.

Indicators of compromise (IoC)

The following indicators are associated with todays malspam example:

Password-protected Word document:

Word document with password-protection removed:

VBS file embedded in the Word document:

Traffic generated by the VBS file:

  • 184.154.24.34 port 80 - indigopoolandoutdoor.com - GET /log.pkp

Final words

Last week, someone at cysinfo.com blogged about similar malspam designed to infect Windows hosts with an Ursnif banking Trojan. This type of password-protection technique in malspam attachments is nothing new. Ive certainly seen it before, and some creative Google searching will reveal this started years ago. However, I havent seen much about this in public forums lately.

Most security professionals assume we all know about it, so it doesnt usually make any headlines. I advise people this is still a thing.

Of course, properly-administered Windows hosts are far less vulnerable to this type of infection. The hosts I use in my lab environment are a different story. If anyone knows of someone who was actually infected from one of these password-protected documents, please share your tale in the comments.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Enlarge / Passwords help keep hackers like this out, but passwords are pretty terrible. (credit: TeachPrivacy)

The operator of a website that accepts subscriber logins only over unencrypted HTTP pages has taken to Mozilla's Bugzilla bug-reporting service to complain that the Firefox browser is warning that the page isn't suitable for the transmission of passwords.

"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (update: the link is no longer public). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."

Update: Around the same time this post was going live, participants of this Reddit thread claimed to hack the site using what's known as a SQL injection exploit. Multiple people claimed that passwords were stored in plaintext rather than the standard practice of using cryptographic hashes. A few minutes after the insecurity first came up in the online discussion, a user reported the database was deleted. Ars has contacted the site operator for comment on the claims, but currently Ars can't confirm them. The site, http://www.oilandgasinternational.com, was displaying content as it did earlier at the time this update was made.

Read 6 remaining paragraphs | Comments

 
Skype CVE-2017-6517 DLL Loading Local Code Execution Vulnerability
 
USB Pratirodh CVE-2017-6911 Insecure Password Storage Information Disclosure Vulnerability
 
Cisco IOS and IOS XE Software CVE-2017-3849 Denial of Service Vulnerability
 
Cisco IOS and IOS XE Software CVE-2017-3850 Denial of Service Vulnerability
 
ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability
 

Cisco Systems said that more than 300 models of switches it sells contain a critical vulnerability that allows the CIA to use a simple command to remotely execute malicious code that takes full control of the devices. There currently is no fix.

Cisco researchers said they discovered the vulnerability as they analyzed a cache of documents that are believed to have been stolen from the CIA and published by WikiLeaks two weeks ago. The flaw, found in at least 318 switches, allows remote attackers to execute code that runs with elevated privileges, Cisco warned in an advisory published Friday. The bug resides in the Cisco Cluster Management Protocol (CMP), which uses the telnet protocol to deliver signals and commands on internal networks. It stems from a failure to restrict telnet options to local communications and the incorrect processing of malformed CMP-only telnet options.

"An attacker could exploit this vulnerability by sending malformed CMP-specific telnet options while establishing a telnet session with an affected Cisco device configured to accept telnet connections," the advisory stated. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."

Read 5 remaining paragraphs | Comments

 
IBM Algorithmics One-Algo Risk Application CVE-2017-1155 Unauthorized Access Vulnerability
 
[SECURITY] [DSA 3796-2] sitesummary regression update
 
[security bulletin] HPSBUX03596 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Access Restriction Bypass, Unauthorized Access
 
Microsoft Windows Local Privilege Escalation Vulnerability
 
Wordpress Anyone Plugin 'by-email.php' Session Management Security Bypass Vulnerability
 
Red Hat CloudForms Management App CVE-2017-2653 Security Bypass Vulnerability
 
IBM Cognos Business Intelligence CVE-2016-8960 Privilege Escalation Vulnerability
 
IBM Cognos Business Intelligence Server CVE-2016-9985 Local Information Disclosure Vulnerability
 
 
[SECURITY] [DSA 3813-1] r-base security update
 
[SECURITY] [DSA 3812-1] ioquake3 security update
 
[SECURITY] [DSA 3811-1] wireshark security update
 
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
 
Trend Micro ServerProtect for Linux Unspecified Cross Site Scripting Vulnerability
 

An observation from the road, was with a client recently and the discussion of proxy entered into the conversation. Now before we get all Political and start dropping packet bombs, a technical challenge came up that made me really think.

  1. What traffic is really hitting the proxy?
  2. How many proxy bypass rules are in place?
  3. Are you inspecting Encrypted Traffic?
  4. Who/What is in the Encryption Inspection Bypass list?

Google recently released some numbers on encrypted traffic and we are WELL past the 50% mark [1] [2] [3]. With the ease of getting signed certificates through organizations like Letsencrypt and the high level of privacy concerns in the world, it only makes sense [4].

The observation, proxy was politically driven, senior management did not have the right business understanding of what a proxy does. Further, the word proxy had become and abstract term for the concept of filtering, blocking, and proxy. This made it hard when vendor uses industry language and organization says yes, we understand that is whats REALLY going on but please say proxy for that with management.

Now to the discovery portion of our diary, how long has it been since you have looked at what is actually flowing out of your environment? Yes yes.. we know that everything runs over ports 80 or 443, but after taking a look at my own environment? A little bit more of non 80/443tcp traffic was leaving that expected (and that was even with the cynical pre-disposition).

With a greater than 50% of traffic being encrypted it is clear that the topic of decryption needs to be revisited. Along with that, what is actually being picked up outbound and what is not hitting the known exit points (e.g. is it really going over 443?).

[1] http://www.pcmag.com/news/342935/77-percent-of-google-internet-traffic-now-encrypted

[2] http://www.newsfactor.com/news/Google--77--of-Traffic-Is-Encrypted/story.xhtml?story_id=111003TV6AOF

[3] https://www.inferse.com/40477/google-transparency-report-2016/

[4] https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0

Richard Porter

--- ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco IOS and IOS XE Software CVE-2017-3881 Remote Code Execution Vulnerability
 
Mozilla Firefox CVE-2017-5428 Integer Overflow Vulnerability
 
Google Android Qualcomm Fingerprint Sensor Driver Multiple Privilege Escalation Vulnerabilities
 
Internet Storm Center Infocon Status