Share this page!

Stephan Berger Profile picture
Twitter logo
Dec 15 ā€¢ 8 tweets ā€¢ 2 min read
1/ USB-Malware, part 3: Here we go again - a malicous USB-stick contained various shortcuts (DCIM.lnk, Video.lnk, etc.), including the malicious payload 'DCIM.JPG'.

šŸ§µ #CyberSecurity
2/ After clicking on one of the shortcuts, the infection chain was kicked off (@MarvHaim did the first analysis šŸ’Ŗ):

C:\Windows\system32\Wscript.exe' /e:Vbscript.Encode DCIM.JPG

The file DCIM.JPG is - surpise - not an actual JPG image but an obfuscated malicious VBS script. [1]
3/ The execution of the malicious script resulted in the following actions:

dcim.jpg was copied to c:\users\<username>\perflogs\dcim.jpg, following by setting the file attributes 'system' and 'hidden'.
4/ wscript.exe was copied to c:\users\<username>\perflogs\ and renamed into 'csrss.pif' [2]

Since Microsoft signed the file (wscript.exe), this results in a good #Hunting opportunity (Microsoft signed binary started from a directory within AppData).
5/ The malware sets ShowSuperHidden to zero (HKEY_USERS\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced)

for hiding system files.

If you're recording registry modifications, this would be another hunting opportunity.
6/ Next, persistence:

Good ol' Run key: run\visionneuse de photos windows'

with the following value/command:

c:\users\<username>\perflogs\csrss.pif /e:vbscript.encode 'c:\users\<username>\perflogs\dcim.jpg /minimized
7/ So, nothing really new or out of the ordinary, and hunting for persistences in a network should make the run key light up red.

Good luck šŸ€
8/ References:

[1] DCIM.jpg = virustotal.com/gui/file/1c44bā€¦
[2] csrss.pif = virustotal.com/gui/file/34008ā€¦

ā€¢ ā€¢ ā€¢

Missing some Tweet in this thread? You can try to force a refresh
怀

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Dec 14
1/ USB-Malware, part 2: Even though the Andromeda botnet was busted years ago, we still see infected USB sticks in corporate networks equipped with malicious code which tries to infect the host. šŸ§µ

#CyberSecurity
2/ Recently, @f0r3idd3n_news investigated a case where an EDR prevented the start of a malicious DLL from the USB stick.

C:\Windows\system32\rundll32.exe' \\_-_-__-__-_--__-_-----__-_____-_-_-__-_-_--_--_-_--.{5EA8A78C-FA18-418A-A1FD-7D179EBFDBF7},8akw6YkuEYiuwGqe
3/ The entry point into the DLL in our example is 8akw6YkuEYiuwGqe.

@CrowdStrike recently published an excellent analysis of precisely this behavior and how to interpret the characters. [1] As Crowdstrike writes:
Read 5 tweets
Stephan Berger Profile picture
Dec 13
1/ In the last few weeks, we have investigated various infections with the malware dubbed "Raspberry Robin" by RedCanary.

As described by Microsoft and observed in our own investigations, the infections lead to further malware, in our case, Agent Tesla. šŸ§µ
2/ Raspberry Robin uses msiexec.exe to download a malicious MSI package, using short domain names, as described in [1].

In addition, we observed port 8080 in the corresponding network request in all infections examined - a good indicator for #hunting in the firewall logs.
3/ @Kostastsale tweeted a regex for hunting these C2 requests and @felixaime a link to a repository consisting of Raspberry Robin domains (also called QNAP Worm). [3][4]

The domains contacted by our infected machines are also listed on the IOC inventory šŸ‘Œ (passive DNS, anyone?)
Read 13 tweets
Stephan Berger Profile picture
Dec 6
1/ One of our analysts compiled various data from a potential infection on a client (screenshot below) and then asked for help assessing this finding.

Unfortunately, the host was rebuilt by the client, so we could not pull the DLL and further evidence from the host.šŸ§µ Image
2/ How might we find the original executable that triggered this sequence of commands? Google did not return any helpful results.

First, I looked up a domain at VT that was contacted by the software (see evidence above).

There is a "Downloaded File" linked (updates.txt). Image
3/ The content of updates.txt file was stored at VT, and we found two URLs to MSI Installer. Image
Read 5 tweets
Stephan Berger Profile picture
Dec 4
1/ Defender prevented the execution of the malware 'Casdet' on an endpoint.

Especially with AV alerts, besides the detection, I am always interested in the birth time of the detected file.

Was the file detected when it was written to the disk, or since when is it present? šŸ§µ
2/ As visible in the screenshot, the malware was already on the host for a month.

The AV scanner detected a ZIP file, most likely containing the main infection file.

Due to the long duration (from birth to detection), we have to assume that the user ran the payload.
3/ The detected file is known on VT, with a size of 3.81 MB.
Read 10 tweets
Stephan Berger Profile picture
Dec 2
1/ We received a PDF from a third party, created from an Excel workbook. The document was forwarded to a customer and rejected by two different mail gateways due to a "macro detection".

However, the original workbook does not contain a macro. Why is the PDF rejected anyway? šŸ§µ
2/ With the command pdf-parser.py -a -O $filename (from @DidierStevens), we can display the elements in the PDF document.

In fact, a JavaScript object is present in the PDF document.
3/ We can display the JavaScript code with the following command line:
python pdf-parser.py -k /JavaScript -O $filename

Which doesn't look like very readable code, though šŸ¤”
Read 6 tweets
Stephan Berger Profile picture
Nov 6
1/ "They tried to stay stealthy and used the sysinternal's procdump tool, renamed in error.log to bypass Windows Defender detection and dump lsass process memory" [1]

A similar trick was presented by @mrd0x in November 2021. [2]

šŸ§µ #CyberSecurity
2/ This technique does not work as of today (well, yesterday) and generates a Defender AV alert on my test machine.

Pay attention to the detection name, which is "HackTool" in the screenshot below.
3/ I can't stress enough how awesome @cyb3rops' AV cheat sheet is, which lists the Highly Relevant AV Keywords, with "HackTool" at the top (newest version here [3]).

As a system admin or SOC analyst, when seeing these keywords in an alert, the alert should be prioritized. šŸš’šŸ§Æ
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(