Just some random thoughts about this kind of threat
Some days ago, a non-technical friend asked me for some information about ‘fileless malware’.
It was pretty difficult to explain this concept to a person without a proper security background, so I have made a recap of that talk in a brief “4Dummies” article.
Six Python tools useful for identifying and analysing malware
Python is a widely used scripting language in the field of computer forensics and malware analysis.
Today, we look at some of the tools developed in this scripting language that are useful in the analysis of malicious programs.
A command line tool to analyse malware, developed by Joxean Koret.
It supports hexadecimal viewing and disassembly of the PE and ELF file formats, follows direct call/jmp instructions in the interactive command line, and displays function names and string data references.
It also supports plugins to add more features.
Open-source tool and Python framework to filter file formats in e-mails, web pages or files.
Detects many common file formats and can remove active content.
A library that allows using YARA in Python programs.
It covers all YARA’s features, from compiling, saving and loading rules to scanning files, strings and processes.
A ‘pure Python’ honeyclient implementation that gives insight into malicious web sites, including the exploits on the page and their consequences.
A Python interface to Clamd (the ClamAV antivirus daemon), useful for adding virus detection capabilities to Python software.
The software is currently developed and maintained by Alexandre Norman.
It’s important to have the right tools to analyze suspect documents!
The spread of the WannaCry ransomware has been slowed simply by registering a domain name
In these hours everyone is writing something about the WannaCry ransomware, often even providing discordant or misleading information.
So if you want more information about the infection, take a look at the links in the ‘References’ section at the bottom of the article; here I want to tell you the story of the researcher who unknowingly saved the world from a poor-quality ransomware, and from the very users who do not install the security patches on their systems.
Once executed, the WannaCry ransomware does not infect the system immediately: reverse engineers found that the dropper first tries to connect to a domain, which was initially unregistered:
If the connection to the above-mentioned domain fails, the dropper proceeds to infect the system and starts encrypting files.
However, if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module: the real purpose of this switch is actually unknown.
Suddenly, an unaware hero comes up to the stage!
A security researcher, tweeting as MalwareTech, registered the strange domain, spending just £10, and accidentally triggered the “kill switch” that prevents the spread of the WannaCry ransomware, at least for now:
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Obviously, the response by the cybersecurity community has been enthusiastic:
Whoa! Well done! And thank you! pic.twitter.com/HF29VyVDdR
— lady secitup (@secitup) May 13, 2017
— JMac (@johnmcl69) May 13, 2017
— Victor Gevers (@0xDUDE) May 13, 2017
Registers domain name, takes down botnet with cosmic ninja death blow. pic.twitter.com/rvT7ul0zkN
— DigiP ㊙寅 Я не бот (@xxDigiPxx) May 13, 2017
I'll buy you a T-shirt with this tweet hashtag #superhero.
— Rickey Gevers (@UID_) May 13, 2017
— Charles Benjamin (@charlesbdb) May 13, 2017
Good job, MalwareTech!
Really simple-to-use tools, available to everyone!
Internet Worm Maker Thing is a free tool with which anyone can make many kinds of malware and worms, with the ability to infect victims’ drives and files, show messages, disable anti-virus software and much more.
The VBS script can be compiled into an executable in order to elude antivirus.
Frightened? Consider that there are a lot of similar tools, for example:
DelMe Virus Maker
DelMe Virus Maker has more features than Internet Worm Maker Thing and a simpler UX.
The generated malware can be saved in VBS format (and afterwards compiled with other tools).
JPS Virus Maker
Similar to previous tools, but with some additional ‘offensive’ features.
And these tools are freely available on the internet, just a simple Google search away: any script kiddie (or angry employee) can download one of these applications and turn into a threat.
So, update your antivirus/antimalware, always!
Chad Russell is a cyber security veteran of 15 years who has held CISSP, CCNP, MCSE, and MCDBA certifications. Chad has taught Microsoft Engineering courses as a certified trainer, and has acted as a security engineering consultant for companies such as SAP, Microsoft, and Oracle. Currently, Chad conducts security risk assessments for companies throughout North America with an emphasis on cloud security, identity governance, network security, social engineering, mobile security, breach assessments, database security, and access management.
If you need to generate your own rules starting from recovered evidence
YARA is a tool aimed at helping malware researchers to identify and classify malware samples.
Basically, you write some antivirus signatures (essentially regular expressions) and it searches a binary file for them.
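As an added example (not code from the original post), the following Python renders a YARA rule from strings and byte sequences recovered during an investigation, and runs a simplified literal-match pre-check over a buffer. The evidence, the rule name and the sample buffer are constructed for illustration; the rule text is meant to be compiled by YARA itself (or yara-python), while `quick_scan` is only a plain substring check and does not implement YARA's matching engine.

```python
import re

# Constructed evidence, as if recovered from a memory dump (not real IoCs).
RECOVERED_TEXT_STRINGS = ["Global\\ExampleMutex-0001", "/gate.php?id="]
RECOVERED_HEX_STRINGS = ["4D 5A 90 00 03 00 00 00", "DE AD BE EF 00 01"]

# Constructed sample buffer: a PE-like header, the URL fragment as ASCII and
# the mutex name as UTF-16LE (the "wide" form YARA would also match).
SAMPLE_BUFFER = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"/gate.php?id=" + b"\x00" * 8
    + "Global\\ExampleMutex-0001".encode("utf-16-le")
)


def _yara_escape(s):
    """Escape backslashes and double quotes for a YARA text string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name, text_strings, hex_strings, min_matches=2,
                    description="generated from recovered evidence"):
    """Render YARA rule text: $sN for text strings, $hN for hex strings.

    The condition becomes "any of them", "N of them" or "all of them"
    depending on min_matches versus the number of strings.
    """
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("rule name must be a valid YARA identifier")
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        f'        description = "{_yara_escape(description)}"',
        "    strings:",
    ]
    for i, s in enumerate(text_strings):
        lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii wide')
    for i, h in enumerate(hex_strings):
        lines.append(f"        $h{i} = {{ {h} }}")
    total = len(text_strings) + len(hex_strings)
    if min_matches <= 1:
        cond = "any of them"
    elif min_matches >= total:
        cond = "all of them"
    else:
        cond = f"{min_matches} of them"
    lines += ["    condition:", f"        {cond}", "}"]
    return "\n".join(lines) + "\n"


def quick_scan(data, text_strings, hex_strings, min_matches=2):
    """Simplified pre-check (not YARA): literal substring search only.

    Text strings are looked up as ASCII and UTF-16LE; hex strings must be
    literal bytes (no ?? wildcards). Returns (matched, list of string ids).
    """
    hits = []
    for i, s in enumerate(text_strings):
        if s.encode("utf-8") in data or s.encode("utf-16-le") in data:
            hits.append(f"$s{i}")
    for i, h in enumerate(hex_strings):
        if bytes.fromhex(h.replace(" ", "")) in data:
            hits.append(f"$h{i}")
    return len(hits) >= min_matches, hits


if __name__ == "__main__":
    print(build_yara_rule("Recovered_Sample", RECOVERED_TEXT_STRINGS,
                          RECOVERED_HEX_STRINGS))
    print(quick_scan(SAMPLE_BUFFER, RECOVERED_TEXT_STRINGS, RECOVERED_HEX_STRINGS))
```

Run the script to print the rule and the pre-check result; the rule text can then be saved and compiled with `yara` or `yara-python` for real scanning, where wildcards, regular expressions and the full condition language are available.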
Theoretically invisible to standard anti-malware defenses.
DNSMessenger is completely fileless: it works only in memory and does not save data on the filesystem.
Furthermore, it uses DNS queries to deliver malicious PowerShell commands to compromised computers, a technique that makes it invisible to standard anti-malware defenses.
The malware spreads via a malicious Word document crafted to appear as if it were associated with a secure e-mail service that is secured by McAfee:
Once opened, the document launches a VBA macro that executes a PowerShell script in order to run the backdoor on the target system.
The backdoor establishes a two-way communication channel over DNS requests, using DNS TXT records, which by definition allow a DNS server to attach unformatted text to a response.
The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code.
As part of those requests, it retrieves the domain’s DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.
This malware sample is an excellent example of the lengths attackers are willing to go to in order to stay undetected while operating within the environments that they are targeting.
It also illustrates that, in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc., DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.
More information and technical analysis in the original post on Talos’ blog:
A new malware campaign targets Chrome users
Today while browsing a (compromised) WordPress site that shall remain unnamed, I came across a very interesting “hack” that was pulled off with a bit more finesse than most of the drive-by-infection attempts.
You can, with HERCULES!
The tool is useful for generating PoCs to check the accuracy of various antivirus solutions: the payload is obfuscated and hidden using UPX.
WHAT IS UPX?
UPX (Ultimate Packer for Executables) is a free and open source executable packer supporting a number of file formats from different operating systems. UPX simply takes the binary file and compresses it; the packed binary unpacks (decompresses) itself into memory at runtime.
HERCULES supports these Linux versions:
- Ubuntu: 16.04 / 15.10
- Kali Linux: Rolling / Sana
- Manjaro: all versions
- Arch Linux: all versions
- Black Arch: all versions
- Parrot OS: 3.1
go get github.com/fatih/color
go run Setup.go