Here's why you should block and monitor .JNLP files

👉 They're XML files that can Download and Run content from remote locations...
Here, the JNLP file leads to a malicious JAR which in turn downloads Info-Stealer malware executable, disguised as a JPG...
The malware appears to be packed with UPX but the adversaries don't make it easy to unpack...
Manually unpacking the malware, or using @unpacme (which is what I did), leads you to malware that attempts to Unhook itself from Sandbox / Security monitoring...
It loads a copy of Kernel32.dll from disk into RAM using CreateFileMappingW and MapViewOfFile then compares each function loaded from disk to the version in memory. It looks for a JMP instruction (E9 or FF) at the start of each function, meaning the function is being hooked...
The malware then overwrites any hooked functions with a clean version it's loaded from disk; and then steals your data, sending the contents back to its C2:
Original blog where I saw this sample:
isc.sans.edu/forums/diary/A…
Here's a video going into more detail about these files and the malware they can lead to:
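As an added example (not part of the thread, and not the author's tooling), here is a small Python triage script for the kind of file described above: it parses a .jnlp, resolves every jar/nativelib/extension href against the codebase, records the main class, and flags all-permissions requests and any resource fetched from a host outside an allow-list. The sample JNLP, its host names and the TRUSTED_HOSTS allow-list are constructed placeholders.

```python
"""Triage a .jnlp file: list what it would download and run, flag untrusted sources."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the thread: codebase on a remote host, a JAR pulled
# from it, a native library from a second host. Host names are placeholders.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://malicious.example/" href="invoice.jnlp">
  <information><title>Invoice</title><vendor>Acme</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="invoice.jar" main="true"/>
    <nativelib href="http://other.example/lib.jar"/>
  </resources>
  <application-desc main-class="Loader"/>
</jnlp>"""

# Assumption: hosts you legitimately serve Java Web Start content from.
TRUSTED_HOSTS = {"updates.corp.example"}

# Elements whose href is fetched (and executed) by Java Web Start.
FETCHED_TAGS = ("jar", "nativelib", "extension")


def triage_jnlp(text, trusted_hosts=TRUSTED_HOSTS):
    root = ET.fromstring(text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document")
    codebase = root.get("codebase", "")
    report = {"codebase": codebase, "main_class": None, "resources": [],
              "all_permissions": root.find("security/all-permissions") is not None,
              "flags": []}
    if report["all_permissions"]:
        report["flags"].append("requests all-permissions")
    app = root.find("application-desc")
    if app is not None:
        report["main_class"] = app.get("main-class")
    for res in root.iter():
        if res.tag in FETCHED_TAGS and res.get("href"):
            # Relative hrefs resolve against codebase; absolute ones override it.
            url = urljoin(codebase, res.get("href"))
            host = urlsplit(url).hostname or ""
            report["resources"].append((res.tag, url))
            if host not in trusted_hosts:
                report["flags"].append(f"{res.tag} fetched from untrusted host {host}")
    return report


if __name__ == "__main__":
    for line in triage_jnlp(SAMPLE_JNLP)["flags"]:
        print("FLAG:", line)
```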


More from @cybercdh

12 Jan
#CrowdStrike have produced fascinating research into #SUNSPOT malware, which was used to implant the SUNBURST / SolarWinds backdoor.

Here are my Threat Hunting tips to:

➡️ Find the malware on disk
➡️ Find the persistence
➡️ Decrypt the log files
➡️ Find if it's running

👇
The malware exists on disk as taskhostsvc.exe

You can use the following commands to look for files on Windows

dir taskhostsvc.exe /S /B
where /r . taskhostsvc.exe
SUNSPOT used a scheduled task set to execute when the host boots

You can find Scheduled Tasks so many ways; two methods are to use Autoruns (from sysinternals) or browse the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
3 Jan
#Zyxel announced CVE-2020-29583 fixing a backdoor admin account which gave attackers root on affected devices via SSH or web interface

If you want to examine the firmware you need to run a #known_plaintext_attack against an encrypted zip

Sounds hard; don't worry, I got you... 👇
Zyxel have actually removed the backdoored firmware versions from their portal; but you can still grab the latest version or earlier versions for further inspection.

Example:

portal.myzyxel.com/my/firmwares?f…
Now, unzip the contents and you should have something like this
31 Dec 20
#SUPERNOVA #SolarWinds malware is actually pretty boring. So boring in fact, I made a video.

Thread 👇
Adversaries have injected a call to a method called DynamicRun() into the existing LogoImageHandler class. An existing method, ProcessRequest(), has been trojan'ed to accept 4 GET parameters passed to the Orion web API
These GET parameters are designed to contain

"code" - a blob of C# code which is then compiled
"clazz" - the name of a class which is to be instantiated
"method" - the name of a method to call within the clazz
"args" - supplied to the aforementioned method
15 Dec 20
#SolarWinds #SUNBURST malware checks for a long list of security processes and services running on the endpoint to try and evade detection. It does this by hashing the lowercase process name and comparing it against hardcoded values. Thread 👇
The hashing function isn't one I'm familiar with, FNV1A, but seems pretty straightforward to understand
FireEye did a great job in brute-forcing many of the hardcoded hashes and identified a big list of security tools that the malware is checking for

github.com/fireeye/sunbur…