Stephan Berger, Dec 17, 8 tweets, 3 min read
1/ USB malware, part 4: Blast from the past. Again, a user executed a shortcut on a USB stick, which led to the execution of the following commands:

🧵 #CyberSecurity
2/ 'C:\Windows\system32\cmd.exe' /c cls&cls&cls&cls&cls&cls&start explorer FACTURE' 'PROFORMA&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit

Explorer is opened as camouflage. In the background, the VBE script 'd:\notepad.vbe' runs (sample [1]).
3/ The code is encoded (hence the E in VBE), but with CyberChef, we can at least get some readable code. The script uses other obfuscation techniques as well, which are relatively easy to reverse.

@_bromiley wrote an excellent article about VBE files. [3]
4/ The malware drops the file notepad.vbe into the directory "C:\Users\<username>\AppData\Roaming\notepad\" and sets the hidden flag on the file.

This is to protect the file from an "easy" discovery.
5/ The run key is used as persistence ("software\microsoft\windows\currentversion\run\notepad") with the value "wscript.exe /b 'c:\users\<username>\appdata\roaming\notepad\notepad.vbe", which again should be noticed relatively quickly during AutoRuns hunting across the network.
6/ Our sample reaches out to two IP addresses on port TCP/4747. We see the same port used in another sandbox analysis. [2]
7/ Despite the age (I have found references to this malware from 2015), we have seen a recent successful infection at a customer's site.

Hunting for processes (wscript.exe) connecting to external IP addresses on this port could be promising in some circumstances.
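A hunting example that ties together the persistence indicator (Run key starting wscript.exe /b on a .vbe under AppData\Roaming) and the network indicator (a script host connecting to an external address on TCP/4747), added here and not part of the original thread. It runs over constructed Sysmon-style events; the user name, SID, paths and IP addresses are placeholders, not data from the case.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style events (not from the actual case): EID 13 = registry value set,
# EID 3 = network connection. Paths, SID and addresses are placeholders.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\notepad",
     "Details": "wscript.exe /b \"c:\\users\\alice\\appdata\\roaming\\notepad\\notepad.vbe\""},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\updater.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /tray"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4747},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "Protocol": "tcp",
     "DestinationIp": "10.0.0.5", "DestinationPort": 4747},  # internal peer, not a C2 candidate
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Protocol": "tcp",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# wscript/cscript (the thread's value uses "/b", which suppresses script error dialogs)
# launching a script file that lives under AppData\Roaming
SCRIPT_HOST_RE = re.compile(
    r"\b[wc]script(?:\.exe)?\b.*?\\appdata\\roaming\\.*?\.(?:vbe|vbs|js|jse)\b", re.I)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def suspicious_run_values(events: Iterable[Dict]) -> List[str]:
    """Run-key values (EID 13) that start a script host on a script under AppData\\Roaming."""
    return [ev["TargetObject"] for ev in events
            if ev.get("EventID") == 13
            and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and SCRIPT_HOST_RE.search(ev.get("Details", ""))]


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses; everything else counts as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def script_host_external_connections(events: Iterable[Dict], port: int = 4747) -> List[Tuple[str, str]]:
    """(image, destination IP) for wscript/cscript connecting to an external address on `port` (EID 3)."""
    return [(ev["Image"], ev["DestinationIp"]) for ev in events
            if ev.get("EventID") == 3 and ev.get("DestinationPort") == port
            and ev.get("Image", "").lower().endswith(("\\wscript.exe", "\\cscript.exe"))
            and not is_internal(ev["DestinationIp"])]


if __name__ == "__main__":
    print("persistence:", suspicious_run_values(SAMPLE_EVENTS))
    print("beacons:", script_host_external_connections(SAMPLE_EVENTS))
```

Feeding real Sysmon exports in the same field layout into the two functions gives a first triage list; the Run-key hit alone is worth a look even without a matching 4747 connection, since the sample may not have beaconed yet.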


More from @malmoeb

Dec 16
1/ And the next case where a user downloaded a malicious file via Discord. [1]

After mounting the ISO, we find the file AnyDesk.exe, again very large and again with filler bytes. [2]

🧵 #CyberSecurity
2/ AnyDesk.exe (from the downloaded and mounted ISO archive) is already known by several AV vendors

(MD5 b7746c3c810615a1a8e367db9f3386eb).
3/ The user executed the malicious file, which resulted in a network request to an IP address belonging to AS 44477, Stark Industries Solutions (@UK_Daniel_Card - I learned my lesson 😜)

Check out the relations, where different themes were used for naming the ISO files.
Dec 15
1/ USB-Malware, part 3: Here we go again - a malicious USB-stick contained various shortcuts (DCIM.lnk, Video.lnk, etc.), including the malicious payload 'DCIM.JPG'.

🧵 #CyberSecurity
2/ After clicking on one of the shortcuts, the infection chain was kicked off (@MarvHaim did the first analysis 💪):

C:\Windows\system32\Wscript.exe' /e:Vbscript.Encode DCIM.JPG

The file DCIM.JPG is - surprise - not an actual JPG image but an obfuscated malicious VBS script. [1]
3/ The execution of the malicious script resulted in the following actions:

dcim.jpg was copied to c:\users\<username>\perflogs\dcim.jpg, followed by setting the file attributes 'system' and 'hidden'.
Dec 14
1/ USB-Malware, part 2: Even though the Andromeda botnet was busted years ago, we still see infected USB sticks in corporate networks equipped with malicious code which tries to infect the host. 🧵

#CyberSecurity
2/ Recently, @f0r3idd3n_news investigated a case where an EDR prevented the start of a malicious DLL from the USB stick.

C:\Windows\system32\rundll32.exe' \\_-_-__-__-_--__-_-----__-_____-_-_-__-_-_--_--_-_--.{5EA8A78C-FA18-418A-A1FD-7D179EBFDBF7},8akw6YkuEYiuwGqe
3/ The entry point into the DLL in our example is 8akw6YkuEYiuwGqe.

@CrowdStrike recently published an excellent analysis of precisely this behavior and how to interpret the characters. [1] As Crowdstrike writes:
Dec 13
1/ In the last few weeks, we have investigated various infections with the malware dubbed "Raspberry Robin" by RedCanary.

As described by Microsoft and observed in our own investigations, the infections lead to further malware, in our case, Agent Tesla. 🧵
2/ Raspberry Robin uses msiexec.exe to download a malicious MSI package, using short domain names, as described in [1].

In addition, we observed port 8080 in the corresponding network request in all infections examined - a good indicator for #hunting in the firewall logs.
3/ @Kostastsale tweeted a regex for hunting these C2 requests and @felixaime a link to a repository consisting of Raspberry Robin domains (also called QNAP Worm). [3][4]

The domains contacted by our infected machines are also listed on the IOC inventory 👌 (passive DNS, anyone?)
Dec 6
1/ One of our analysts compiled various data from a potential infection on a client (screenshot below) and then asked for help assessing this finding.

Unfortunately, the host was rebuilt by the client, so we could not pull the DLL and further evidence from the host. 🧵
2/ How might we find the original executable that triggered this sequence of commands? Google did not return any helpful results.

First, I looked up a domain at VT that was contacted by the software (see evidence above).

There is a "Downloaded File" linked (updates.txt).
3/ The content of the updates.txt file was stored at VT, and we found two URLs to MSI Installers.
Dec 4
1/ Defender prevented the execution of the malware 'Casdet' on an endpoint.

Especially with AV alerts, besides the detection, I am always interested in the birth time of the detected file.

Was the file detected when it was written to the disk, or since when is it present? 🧵
2/ As visible in the screenshot, the malware was already on the host for a month.

The AV scanner detected a ZIP file, most likely containing the main infection file.

Due to the long duration (from birth to detection), we have to assume that the user ran the payload.
3/ The detected file is known on VT, with a size of 3.81 MB.
