Posts

New VBS Downloader variant observed

Update February 11, 2021: This appears to be a Danabot downloader. I ran across the following sample: https://www.virustotal.com/gui/file/d2d729f364e3232e22746fd6520caefff465e2ae605e6429205793db37088a27/detection After grabbing the downloaded executable from the link in the VBS, I ran it through a sandbox: https://app.any.run/tasks/1cc898a5-c0b1-413f-86b1-3dedd259c191/ Today I saw another one; here is that sandbox run: https://app.any.run/tasks/8173f683-8629-405a-b074-c3d1a44e04db

Quick post on this: I've run across a variant of a VBS downloader that does not appear to have a lot of detection, and I can only find a few other similar samples. There appear to be junk comments to throw off analysis and AV detection, but otherwise it's fairly easy to follow. Here is a screenshot: As you can see, this downloads another file, which appears to be placed in "programdata" and registered using regsvr32. The couple samples I've worked ...

Solarmarker aka Jupyter Infostealer Update January, 2021

Updated January 8, 2021 (Added additional Lure observations at bottom) This is just a short, quick update. It would appear that the initial vector has changed. CDN.shopify.com and Sites.Google.com no longer seem to be hosting these redirects/PDF files which contain redirects. However, after hunting on the icon hash in VirusTotal, I ran across another 100MB+ file with the PDF icon hash. The file used a similar naming convention to other observed samples in the past, containing the following: " rent-check-bounced-letter ". Doing a quick Google search for "rent-check-bounced-letter" gives me the results. The link for this is "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter". Running this in my lab showed the same style of selecting "PDF" or "Doc" for download, which then led to a series of redirects to the Exe file. I have not been very successful running these on App.Any.Run... Here is the following attempt. https:...

Quasar RAT Activity January, 2021

Over the last couple of days of this new year, I've seen a couple of Quasar RATs come across my path, so I decided to highlight some of the analysis here. The first sample I'm looking at is invoice.iso (8fc2bdfaf329c652090d6bcd2f88b764). As you can see from the app.any.run link, this ends up dropping and executing a simple VBS file. Clearly, we see that this attempts to use "MSHTA" to navigate to the minpic[.]de link pictured above. This results in the following PowerShell script, cleverly disguised as a JPEG file. When we run a simple base64 decoding against this, we get another URL in the minpic[.]de domain called by PowerShell: hxxps://www.minpic[.]de/t/be5r/18jv5z. When we look at this page, we see yet another PowerShell script which again references another link in the minpic[.]de domain! When we look at this URL we find a page that contains a whole bunch of hex code! The previous PowerShell script, which references this page of hex code, als...

Decoding and Extracting URLs from Emotet Powershell (December 2020 Variant)

Some of the latest samples I've been seeing for Emotet look like this app.any.run report. Using CyberChef, we can decode the PowerShell from this sample to extract the download links for the malware with the following recipe:

From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Find_/_Replace({'option':'Regex','string':'[`\'+()]'},'',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'\\]e1r\\[S'},'http',true,false,true,false)
Extract_URLs(false)
Find_/_Replace({'option':'Simple string','string':'@'},'\\r',true,false,true,false)

Of course some of the "replace strings" will vary, so this recipe will have to be changed in certain places at times. Some additional items to look at, from an EDR perspective, might be: Rule 1: ParentProcess contains Rundll32.exe AND process contains Rundll32.exe AND ProcessPa...
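The same recipe, reproduced in Python as an added example (this is not code from the original post) so it can be run over a batch of encoded commands instead of one at a time in CyberChef. The PowerShell fragment embedded below is constructed for illustration and uses .invalid hosts; the `]e1r[S` token is assumed to be the scheme substitution the recipe's second Find_/_Replace targets, and as the post notes it changes from sample to sample, so it is a parameter here:

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit

# Token that stands in for "http" in the sample this recipe was written
# for. Assumption: it varies per sample, so it is passed as a parameter.
HTTP_TOKEN = "]e1r[S"

# Constructed sample (not a real Emotet payload): the scheme is replaced by
# the token, strings are broken up with quotes and '+', and the download
# URLs are joined with '@' and later split on it.
SAMPLE_PS = (
    "$dl = ( ']e1r[S'+'://dropper-one.invalid/wp-content/a1/@'+"
    "']e1r[S'+'s://dropper-two.invalid/cgi-bin/b2/@'+"
    "']e1r[S://dropper-three.invalid/wp-admin/c3/' )"
    ".split('@') ;"
)


def encode_like_powershell(script: str) -> str:
    """powershell -EncodedCommand takes base64 over UTF-16LE text; this is
    why the recipe needs Remove_null_bytes right after From_Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_and_extract(b64_cmd: str, http_token: str = HTTP_TOKEN) -> list[str]:
    """Mirror the CyberChef recipe step by step and return the URL list."""
    # From_Base64 + Remove_null_bytes: drop the UTF-16LE high bytes.
    text = base64.b64decode(b64_cmd).replace(b"\x00", b"").decode("ascii", "ignore")
    # Find_/_Replace regex [`'+()] -> '': remove concatenation and escape junk.
    text = re.sub(r"[`'+()]", "", text)
    # Find_/_Replace <token> -> http: restore the scheme.
    text = text.replace(http_token, "http")
    # Extract_URLs: the joined list comes out as one blob up to whitespace.
    blobs = re.findall(r"https?://\S+", text)
    # Find_/_Replace '@' -> newline: split the blob into individual URLs.
    return [u for blob in blobs for u in blob.split("@") if u]


def defang(url: str) -> str:
    """Render a URL the way the post does (hxxps://host[.]tld/...) for sharing."""
    parts = urlsplit(url)
    safe = parts._replace(
        scheme=parts.scheme.replace("http", "hxxp"),
        netloc=parts.netloc.replace(".", "[.]"),
    )
    return urlunsplit(safe)


if __name__ == "__main__":
    encoded = encode_like_powershell(SAMPLE_PS)
    for u in decode_and_extract(encoded):
        print(defang(u))
```

When a new sample uses a different token, check the decoded text after the null-byte strip for whatever sits in front of `://` and pass that as `http_token`.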

Solarmarker aka Jupyter Malware observations for December 2020

Just a quick update. I've been hunting this malware for a bit; you can see details on this malware in my previous post or the write-ups from Morphisec or Red Canary. Today, using the same methodology I typically use, I did a Google hunt (site:cdn.shopify.com "free-tempalte"). This often yields some results; it used to get more live results from (site:sites.google.com), but those seem to be dead lately. Quickly I found one called "Hole in One Certificate Template Free": hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119 I notice a lot of these, maybe all of them, have the pdf?v=[0-9] pattern. This may be normal for PDFs hosted here, though. I was hoping to find some new samples; many I've found lately were leading to the same EXE and, incidentally, the same DLL and C2. Today, however, I found a new sample. It mostly runs the same; however, this time the Icon Hash is no longer mimicking ...

Solarmarker Infostealer lures have officially gone too far!

As I continue to hunt for various lures and redirects for the Jupyter Infostealer, outlined in my previous article, I am amazed at the vast array of searches that lead to the malware! I took a game I enjoy and decided to search for that, using known "initial" pages where the redirects have been seen. Oh.... they got Dragon Quest too! This makes me sad.... As it is, I've found several other links just like this, and so far all of the ones I've found in the last couple of days end up landing on the same file hash (different name, of course) as the one in my previous article. Hash: da2eb36e763ecf1a47532e9f8efeacb7 Again, there are also many redirects involved, mostly .tk TLDs. I suspect these large droppers are being rotated out on some schedule, monthly perhaps, so maybe I won't run into a new sample dropper and .DLL for a bit. If anyone finds anything different, please let me know!

Tracking Jupyter Malware AKA Solarmarker

*Updated March 10, 2022 (Detection rules for new variant observed March 2022.) I have had the opportunity to track the .NET Backdoor, dubbed by Morphisec as Jupyter Infostealer A.K.A. Solarmarker. I was excited to see this writeup, since this was a malware family that other researchers and I on Twitter were discussing for a couple of weeks prior to the Morphisec article, before there was an attributed name for the malware. This was in October, and we were all sharing some bits of information we had on this; since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to continue to keep up on this malware. Recently I saw that Red Canary wrote this up as well, dubbing it Yellow Cockatoo. Again, I was very excited to see some more attention being paid to this malware; I enjoyed both writeups. Red Canary and Morphisec provided excellent information! Since I've been tracking this for some time, and commenting on all new sampl...