Profile picture
Nick Carr
@ItsReallyNick
, 9 tweets, 5 min read Read on Twitter
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from Github: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe

2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Basic hunting rule for memory-injectable PowerShell shellcode: feye.io/psb64shcde
^this captures all of these files, it is further discussed here:
4/n
The same submitter then uploads a final hexcalc.exe version weaponized with CS/met http stager shellcode.
e48e566410f6238647eb5ed24cbd6910
Same attacker PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb

Higher detection rate on non-PS1 shellcode: virustotal.com/#/file/a8e3975…
5/n
Second stage payload is still live: hxxp://86.106.131.154:80/9Lre (f9ae24fb8983e22d904a064235eb4124)
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Refresher on specifying User-Agent when grabbing the payloads:
6/n
This final backdoored version of hexcalc.exe hits on the awesome hunting ruleset from @williballenthin, discussed (& yara rule linked) within his @OPCDE 2019 "Trade War: Shellcode's Wielding of Imports and Exports" presentation:
7/n
I mentioned the utility of PDBs as #threatintel pivots throughout this thread. Read @stvemillertime's PDB #DFIR primer:
8/n
Ultimately, this particular VT tester is sorta *meh* 😕
but the techniques used to detect, understand, and cluster/link this activity together work on real important stuff too -- we just can't always share that on Twitter.
Now go use the referenced #yara hunting rules. 😉
9/9
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Nick Carr
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#hunting #threatintel #DFIR #yara

More from @ItsReallyNick see all

Profile picture
Nick Carr
@ItsReallyNick
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec Next on the show we talked #APT29's early adoption of cross-platform scripting language backdoors. Their primary backdoor in 2014's #NoEasyBreach was the Python-based implant we call SEADADDY.

Every day or two, they'd move to 10 new systems, dropping SEADADDY on 9 of them.

35/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec We're finally seeing cross-platform script backdoors as a much wider trend. (Payloads in Go, D, etc). We highlighted this in our 2019 predictions:

For Python fans specifically, @byt3bl33d3r released #SilentTrinity last year: github.com/byt3bl33d3r/SI…

36/n
@cglyer @matthewdunwoody @FireEye @r00tbsd @SecurityBeard @CyberAmyntas @sj94356 @bread08 @DHSgov @CISAKrebs @CISAgov @riskybusiness @shmoocon @mattifestation @_devonkerr_ @williballenthin @cteo13 @Mandiant @gentilkiwi @PyroTek3 @NotMedic @DerbyCon @TalBeerySec @byt3bl33d3r The Python-based SEADADDY (SeaDuke) implant became APT29's workhorse for years, but we agree with @FSecure/@lehtior2's awesome 2015 deepdive on "The Dukes" that it emerged in mid-2014. READ: labsblog.f-secure.com/2015/09/17/the…

37/n
Read 6 tweets
Profile picture
Nick Carr
@ItsReallyNick
OVERRULED: Here's our take on outmaneuvering a potentially destructive adversary fireeye.com/blog/threat-re…
We talk compromise, RULER, and links to APT33.
Infosec Twitter suggests they dropped #SHAMOON 💥

Shout-out to co-authors: @QW5kcmV3 @_gackerman_ @a_tweeter_user @WylieNewmark
If you liked this part about our threat similarity engine; I have a confession: that is CYBER #machinelearning!

Designed by @BarryV & Nalani F.
Studied & prototyped by our data scientist @secbern.

Learn more here 📺: (it's not officially called APTinder)
If you like Operational Timelines, #AdversaryPursuit has you covered. We're including them in blogs because it's how we operate & it improves #threatintel sharing. Thx @QW5kcmV3

🖼️ #1: Suspected #APT33 ⏲️ fireeye.com/blog/threat-re…
🖼️ #2: Suspected #APT29 ⏲️ fireeye.com/blog/threat-re…
Read 3 tweets
Profile picture
Nick Carr
@ItsReallyNick
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets

Related threads

Profile picture
Zoe Tillman
@ZoeTillman
As AG Bill Barr prepares to testify this morning before the Senate Judiciary Committee, House Judiciary Dems have just released the letter that special counsel Robert Mueller sent to Barr on March 27
AG Bill Barr's hearing before Senate Judiciary is underway. Chair Lindsey Graham's opening remarks spend a lot of time on Peter Strzok (the FBI agent involved early in the Russia probe who sent anti-Trump texts), saying they'll focus on the origin of the probe post-Mueller
We now have Mueller's 3/27 letter to Barr. What he said:
- That Barr could release intros and executive summaries of both volumes asap
- That Barr's 3/24 letter "did not fully capture the context, nature, and substance" of the special counsel's work
buzzfeednews.com/article/zoetil…
Read 50 tweets
Profile picture
lexi 🦈 dragon!Kiri AU 📌
@dragonkirisquad
Eijirou is the young prince of a secretive but prosperous kingdom. He’s the only child of the queens, the heir to the throne. They couldn’t be more proud of him; he’s got a kind, sunny disposition, and they know he’s going to be a good king one day.
He’s full of energy, young and adventurous, compassionate and driven, brave and a little foolhardy. He likes to explore the kingdom and make odds and ends friends instead of taking his duties too seriously.

At 17, his kingdom goes to war.
No one tells him what the war is about, and three years later it doesn’t really matter; you’d hear a different story depending on who you talked to.
Read 330 tweets
Profile picture
Erik Loomis
@ErikLoomis
Here we go again: The reason that the history major is successful at Yale is because Yale kids are rich and know they can get a job with their Yale degree no matter the major. It's nothing more than that, not because they Do It Right.

newyorker.com/news/news-desk…
None of which isn't to say that there aren't good historians at Yale doing a great job. But can we quit focusing our higher education stories on a few elite schools, as if they actually matter to 99% of Americans, as opposed to 75% of the media who went to them.
The history major at my school in undergoing a complete massacre and Yale has absolutely nothing to offer us in fixing that.
Read 3 tweets
Profile picture
Erynn Brook
@ErynnBrook
When I'm feeling stuck, a haircut really helps.
Some internet dude who just followed me said “say it ain’t so” to this tweet, then “grrrr” when I said I had an appointment this afternoon? Wtf?
He blocked me after I sent him this. My dudes, have a conversation with yourselves.
Read 32 tweets
Profile picture
Eel Calumny
@marccold
Up next on the MARC Hall Channel's "Countdown to BIBFRAME" is our newest MARC Hall cataloging movie, METADATA KISS. Sponsored, creepily enough, by a lotion company. Make some popcorn and cuddle an archivist, 'cause here we go!
[Montage showing the Big City where our heroine now lives a life that is Not For Her. We know it's Not For Her because she lives in a high rise with floor to ceiling windows and all of her furniture is white and grey. Quel horreur.]
[Our heroine is walking down the street with her spunky best friend]

HEROINE: I don't know, Meg. Sometimes I feel I've lost my...library spirit.

BESTIE: Karen, you used to have more library spirit than anyone I know! I hope your Tragic Recent Breakup is not getting you down!
Read 30 tweets
Profile picture
Sarah Gailey
@gaileyfrey
Here is a thread of some Good Things for your Tuesday:

- Honey slowly drizzling off one of those fancy honey drizzlers onto one half of a roasted fig
- A dog wearing a little raincoat splashing in a puddle because you can't stop a dog from getting wet if he really wants to

- Frogs, just, all frogs, all of them
- The first night of fall that's cold enough to see your breath, when woodsmoke is in the air

- Finding the missing sock

- Warm laundry fresh out of the dryer
Read 32 tweets

Trending hashtags

#honest #WinterSolstice2018 #Canadians #FakeNews #Booker #RussiaProbe #lake365 #foraging #recirculation #electrofishing #TrumpShutdown #Rs #salmon #Tweets #Winning #Bill #scrutiny #time #rosehip #cladocera #CohenTestimony #beachclean #MailBomb #purely #GottaLoveOurPOTUS
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!