Stephan Berger
Dec 13 · 13 tweets · 4 min read
1/ In the last few weeks, we have investigated various infections with the malware dubbed "Raspberry Robin" by RedCanary.

As described by Microsoft and observed in our own investigations, the infections lead to further malware, in our case, Agent Tesla. 🧵
2/ Raspberry Robin uses msiexec.exe to download a malicious MSI package, using short domain names, as described in [1].

In addition, we observed port 8080 in the corresponding network request in all infections examined - a good indicator for #hunting in the firewall logs.
3/ @Kostastsale tweeted a regex for hunting these C2 requests and @felixaime a link to a repository consisting of Raspberry Robin domains (also called QNAP Worm). [3][4]

The domains contacted by our infected machines are also listed on the IOC inventory 👌 (passive DNS, anyone?)
4/ "Inclusion of a string of random alphanumeric characters as the URL subdirectory, frequently followed by the victim's hostname and username" [1].
5/ In all our incidents, the network request over msiexec used unencrypted HTTP, and the hostname and username were always part of the GET request.

If your company assigns the hostnames according to a specific pattern, search for hostnames in the proxy logs using a regex.
6/ Further, dllhost.exe, rundll32.exe, and regsvr32.exe have established (unencrypted) connections to TOR sites. Example:

rundll32.exe has initiated an HTTP connection to 212.186.71[.]38/tor/server/fp/ece1073ca9f22e30b024fc3bebc901b39a4552a5

Again, check your proxy logs. 🕵️‍♀️
7/ In some cases, we have also seen that the infection wrote a DLL in a random ProgramData directory and set up persistence via a scheduled task - the same behavior described by Microsoft [2].

Example:
8/ msiexec.exe created a scheduled task:

Name:
'Microsoft\Windows\RemoteApp and Desktop Connections Update\odbcaReady'.

Payload:
C:\ProgramData\ImportNotes\ThumbPuoh\IOSCsxft_wPFRT.dll
9/ Red Canary has published various Atomic Red Team tests to simulate the detections for Raspberry Robin.

The tactic "Emulating Command Prompt reading and executing the contents of a CMD file" has changed in our cases and would probably no longer work. 🤔
10/ This atomic was developed specifically to emulate Raspberry Robin. It uses the "standard-in" command prompt feature (cmd /R <) to read and execute a file via cmd.exe.

cmd /r cmd<C:\AtomicRedTeam\atomics\T1059.003\src\t1059.003_cmd.cmd

From [1]
11/ In our cases, we observed the following command line:
cmd.exe /Q /C TyPe IEgl.LOG|CMD

On my system, the AtomicRedTeam payload also opens calc, but without using "cmd /R <".
12/ Raspberry Robin has become a critical finding due to further code reloading, which must be analyzed promptly and thoroughly.

For older infections, it is imperative to check for post-infection activity. Good luck 🍀
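The following hunting script is an added example, not code from the thread or from Red Canary: it turns the indicators above (msiexec over plain HTTP to a short domain on port 8080 with a random directory, hostname and username in the path; dllhost/rundll32/regsvr32 fetching Tor relay descriptors; a file piped or redirected into cmd.exe) into regexes and runs them over constructed proxy-log lines and command lines. The hostname scheme WS-XXX-NNNN, the domain, the IP and the 40-hex fingerprint are assumed placeholders, not real IOCs.

```python
# Added example: hunting rules for the Raspberry Robin behaviours in the thread.
import re
from typing import Dict, List

# Corporate hostname naming scheme: an ASSUMPTION, adapt to your own pattern.
HOSTNAME_RE = r"WS-[A-Z]{3}-\d{4}"
# msiexec: plain HTTP, short domain, port 8080, random alphanumeric directory,
# then hostname and username in the path.
MSI_C2_RE = re.compile(
    r"^http://[a-z0-9.-]{1,12}:8080/[A-Za-z0-9]{4,}/(?P<host>" + HOSTNAME_RE
    + r")/(?P<user>[^/\s]+)", re.I)
# dllhost/rundll32/regsvr32 fetching a Tor relay descriptor over plain HTTP.
TOR_DIR_RE = re.compile(r"^http://[^/\s]+/tor/server/fp/[0-9a-f]{40}$", re.I)
TOR_PROCS = {"dllhost.exe", "rundll32.exe", "regsvr32.exe"}
# cmd.exe fed a script via stdin: "type <file>|cmd" or "cmd /r cmd<file".
CMD_STDIN_RE = re.compile(
    r"\btype\s+\S+\s*\|\s*cmd\b|\bcmd(?:\.exe)?\s*<\s*\S+", re.I)

# Constructed sample data: placeholder domain, IP and fingerprint, not real IOCs.
SAMPLE_PROXY_LOG = [
    "2022-12-05T08:12:03Z msiexec.exe GET http://k6.xy:8080/Qh7zPa2M/WS-FIN-0042/jdoe",
    "2022-12-05T08:12:09Z rundll32.exe GET http://198.51.100.23/tor/server/fp/" + "ab" * 20,
    "2022-12-05T08:13:00Z msiexec.exe GET http://download.example.com/update.msi",
    "2022-12-05T08:14:30Z chrome.exe GET http://intranet.example.com/page",
]
SAMPLE_CMDLINES = [
    "cmd.exe /Q /C TyPe IEgl.LOG|CMD",
    r"cmd /r cmd<C:\Temp\t1059.003_cmd.cmd",
    "cmd.exe /c dir",
]

def hunt_proxy(lines: List[str]) -> List[Dict[str, str]]:
    """Lines are '<timestamp> <process> <method> <url>'; returns one hit per match."""
    hits = []
    for line in lines:
        _ts, proc, _method, url = line.split(maxsplit=3)
        m = MSI_C2_RE.match(url)
        if proc.lower() == "msiexec.exe" and m:
            hits.append({"rule": "rr_msi_download", "host": m["host"],
                         "user": m["user"], "url": url})
        elif proc.lower() in TOR_PROCS and TOR_DIR_RE.match(url):
            hits.append({"rule": "rr_tor_dir_fetch", "proc": proc, "url": url})
    return hits

def hunt_cmdlines(cmdlines: List[str]) -> List[str]:
    """Return the command lines that pipe or redirect a file into cmd.exe."""
    return [c for c in cmdlines if CMD_STDIN_RE.search(c)]
```

Feed `hunt_proxy` the proxy export after splitting it into the four fields shown, and `hunt_cmdlines` the process-creation command lines from your EDR; the regexes are case-insensitive, so the mixed-case "TyPe ... |CMD" variant from the thread is caught as well.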
