Stephan Berger
Jan 31, 6 tweets, 3 min read
1/ In a recent case, the TA installed DWservice as a backdoor. [1]

I installed the software on my test machine, and it works incredibly well!

The screenshot shows the desktop of my lab machine, which I accessed from within the browser.

🤯

🧵 #CyberSecurity
2/ The screenshot above depicts the content of the config.json file, which is located in the installation directory of DWservice and could be interesting for LEA (law enforcement) purposes, since the key could be linked to an account.

Below is another screenshot with various features of the service.
3/ In our case, the path to the binary was C:\Programdata\DWAgent\native\dwagsvc.exe, but the path can be changed during installation.
4/ In the Windows System event log, both the service installation and the start of the service are logged:

7045: A service was installed in the system. Service Name: DWAgent Service

7036: The DWAgent service entered the running state.
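A small detection routine for the two events above, written as an added example (not code from the thread): it runs over constructed System-log records exported as dicts and flags a 7045 whose service name or ImagePath points at DWAgent (the binary name catches installs where the path was changed), plus the matching 7036 "running" event. Field names follow the standard 7045/7036 event data; the sample records and timestamps are constructed.

```python
import re

# Constructed sample of System-log events as they might be exported from EVTX.
# 7045 carries ServiceName/ImagePath, 7036 carries param1 (service) and param2 (state).
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "2023-01-31T10:14:02Z",
     "ServiceName": "DWAgent Service",
     "ImagePath": r"C:\Programdata\DWAgent\native\dwagsvc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "TimeCreated": "2023-01-31T10:14:03Z",
     "param1": "DWAgent", "param2": "running"},
    {"EventID": 7045, "TimeCreated": "2023-01-31T11:00:00Z",
     "ServiceName": "Windows Update Medic Service",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "TimeCreated": "2023-01-31T11:05:00Z",
     "param1": "Print Spooler", "param2": "stopped"},
]

# Match on the service name and on the binary name, because the install path
# can be changed during setup but the service binary is still dwagsvc.exe.
DWAGENT_NAME = re.compile(r"dwagent", re.IGNORECASE)
DWAGENT_BINARY = re.compile(r"dwagsvc\.exe", re.IGNORECASE)


def find_dwagent_events(events):
    """Return (timestamp, kind, service, image_path) for DWAgent install/start events."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if DWAGENT_NAME.search(name) or DWAGENT_BINARY.search(path):
                hits.append((ev["TimeCreated"], "install", name, path))
        elif eid == 7036:
            service = ev.get("param1", "")
            if DWAGENT_NAME.search(service) and ev.get("param2", "").lower() == "running":
                hits.append((ev["TimeCreated"], "started", service, ""))
    return sorted(hits)


if __name__ == "__main__":
    for ts, kind, service, path in find_dwagent_events(SAMPLE_EVENTS):
        print(f"{ts} {kind:8} {service} {path}")
```

The 7045 record also gives you the ImagePath, so even a relocated install still reveals where the agent binary lives.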
5/ @mgreen27's @velocidex Velociraptor Applications Artifact ("Bulk indicator hunt over Windows.Sys.Programs") also searches for installations of DWservice, among other known RMM solutions. [2]
6/ And: the file dwagent.log in the installation path records the IP address of the source host that connects to the DWservice agent. 🕵️👮

References:

[1] dwservice.net
[2] github.com/mgreen27/Detec…
