Wpbullet – A Static Code Analysis For WordPress (And PHP)

A static code analysis for WordPress plugins/themes (and PHP).

Installation

Simply clone the repository, install the requirements and run the script:

    $ git clone https://github.com/webarx-security/wpbullet wpbullet
    $ cd wpbullet
    $ pip install -r requirements.txt
    $ python wpbullet.py

Usage

Available options:

    --path (required)      System path or download URL. Examples:
                           --path="/path/to/plugin"
                           --path="https://wordpress.org/plugins/example-plugin"
                           --path="https://downloads.wordpress.org/plugin/example-plugin.1.5.zip"
    --enabled (optional)   Check only for the given modules, e.g. --enabled="SQLInjection,CrossSiteScripting"
    --disabled (optional)  Don't check for the given modules, e.g. --disabled="SQLInjection,CrossSiteScripting"
    --cleanup (optional)   Automatically remove the content of the .temp folder after scanning a remotely downloaded plugin

    $ python wpbullet.py --path="/var/www/wp-content/plugins/plugin-name"

Creating modules

Creating a module is flexible: each module can override the BaseClass methods as well as define its own. Each module in the Modules directory implements the properties and methods of core.modules.BaseClass, so each module class must take BaseClass as its base class. Once created, the module needs to be imported in modules/__init__.py.

The module and class name must be consistent for the module to be loaded. If you are opening a pull request to add a new module, please provide unit tests for your module as well.

Module template

Modules/ExampleVulnerability.py:

    from core.modules import BaseClass


    class ExampleVulnerability(BaseClass):
        # Vulnerability name
        name = "Cross-site Scripting"

        # Vulnerability severity
        severity = "Low-Medium"

        # Functions (sinks) causing the vulnerability
        functions = [
            "print",
            "echo"
        ]

        # Functions/regex that prevent exploitation when present on the matched line
        blacklist = [
            "htmlspecialchars",
            "esc_attr"
        ]

Overriding the regex match pattern

The regex pattern is generated in core.modules.BaseClass.build_pattern and can therefore be overridden in each module class.

Modules/ExampleVulnerability.py:

    import copy

    ...

    # Build a dynamic regex pattern to locate vulnerabilities in the given content
    def build_pattern(self, content, file):
        # Start from the configured user-input sources ($_GET, $_POST, ...)
        user_input = copy.deepcopy(self.user_input)
        # Add variables that were assigned from those sources in this file
        variables = self.get_input_variables(self, content)

        if variables:
            user_input.extend(variables)

        # Negative lookahead: a blacklisted (escaping) function on the line suppresses the match
        if self.blacklist:
            blacklist_pattern = r"(?!(\s?)+(.*(" + '|'.join(self.blacklist) + ")))"
        else:
            blacklist_pattern = ""

        self.functions = [self.functions_prefix + x for x in self.functions]

        # sink, optional "(", the blacklist guard, then any user-input source on the same line
        pattern = r"((" + '|'.join(self.functions) + r")\s{0,}\(?\s{0,1}" + blacklist_pattern + r".*(" + '|'.join(user_input) + ").*)"

        return pattern

Testing

Running the unit tests:

    $ python3 -m unittest
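To make the matching scheme above concrete, here is an added, self-contained example that is not wpbullet's own code: it reimplements the same idea with Python's re module (a sink list, a blacklist of escaping functions and a list of taint sources combined into one per-line regex, with variables assigned from superglobals picked up as extra sources) and runs it over a constructed PHP snippet. The sample PHP, the superglobal list and the helper names are assumptions made for the demo.

```python
import re

# Constructed PHP sample for the demo (not taken from any real plugin).
SAMPLE_PHP = """<?php
echo $_GET['name'];
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
print esc_attr($_POST['title']);
$q = $_REQUEST['q'];
echo $q;
echo "static text";
"""

# Module-style settings: sinks, escaping functions that defuse them, and taint sources.
FUNCTIONS = ["echo", "print"]
BLACKLIST = ["htmlspecialchars", "esc_attr", "esc_html"]
USER_INPUT = [r"\$_GET", r"\$_POST", r"\$_REQUEST", r"\$_COOKIE"]

# "$var = $_GET[...]" style assignments: the variable becomes a taint source too.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(?:" + "|".join(USER_INPUT) + r")\b")


def get_input_variables(content):
    """Return regex fragments for variables assigned directly from a superglobal."""
    return sorted({re.escape(m.group(1)) + r"\b" for m in ASSIGN_RE.finditer(content)})


def build_pattern(content, functions=FUNCTIONS, blacklist=BLACKLIST, user_input=USER_INPUT):
    """Combine sinks, blacklist and sources into one per-line regex."""
    sources = list(user_input) + get_input_variables(content)
    # Negative lookahead: no escaping function may appear anywhere after the sink.
    blacklist_pattern = r"(?!.*(?:" + "|".join(blacklist) + r"))" if blacklist else ""
    pattern = (r"(?<![\w$])(?:" + "|".join(functions) + r")\s*\(?\s?"
               + blacklist_pattern + r".*(?:" + "|".join(sources) + r")")
    return re.compile(pattern)


def scan(content):
    """Return (line number, stripped line) for every line the pattern flags."""
    regex = build_pattern(content)
    return [(n, line.strip()) for n, line in enumerate(content.splitlines(), 1)
            if regex.search(line)]


if __name__ == "__main__":
    for lineno, text in scan(SAMPLE_PHP):
        print(f"line {lineno}: {text}")
```

On the sample this flags line 2 (direct echo of $_GET) and line 6 (echo of $q, which was assigned from $_REQUEST), and leaves the escaped lines alone. The same run also shows the limits of line-oriented regex matching: a blacklisted function anywhere on the line suppresses the match even when it escapes a different argument (echo $_GET['a'] . esc_html($b); is not reported), and taint that flows through a function call or across a file boundary is invisible, so treat results as leads for manual review rather than verdicts.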

Link: http://www.kitploit.com/2019/05/wpbullet-static-code-analysis-for.html

Abuse of hidden “well-known” directory in HTTPS sites

WordPress and Joomla are among the most popular content management systems (CMSs). They have also become popular with malicious actors, who target sites on these platforms for hacking and injecting malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade and Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most well-known threats to CMS sites are the result of vulnerabilities introduced by plugins, themes, and extensions. In this blog, we are focusing on the Shade and Troldesh ransomware and phishing pages that we detected last month.

Shade ransomware has been quite active in the wild and we have been seeing a lot of compromised WordPress and Joomla sites being used to spread it. The compromised WordPress sites we have seen are running versions 4.8.9 to 5.1.1 and use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let's Encrypt, GlobalSign, cPanel, and DigiCert, among others. These compromised WordPress sites might have outdated CMS/plugins/themes or server-side software.

Fig 1: Hits of Shade and phishing in detected CMS sites

During the past month, our cloud blocked transactions for compromised WordPress and Joomla sites due to Shade ransomware (13.6 percent) and phishing (27.6 percent), with the remaining blocks due to coinminers, adware, and malicious redirectors.

We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on HTTPS websites for storing and distributing Shade ransomware and phishing pages. The /.well-known/ directory of a website is the URI prefix for well-known locations defined by the IETF (RFC 5785); because its name starts with a dot it is omitted from most directory listings, and it is commonly used to demonstrate ownership of a domain.

Administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directory to show the certificate authority (CA) that they control the domain. The CA tells them the exact content of a file that must be served from this particular directory, then requests that path to validate the domain.

The attackers use these locations to hide malware and phishing pages from administrators. The tactic is effective because the directory is already present on most HTTPS sites and is hidden from casual listings, which increases the lifetime of the malicious/phishing content on the compromised site. The different types of threats that we found under the hidden directory in the past month are shown in the images below.

Fig 2: Threats in hidden directory
Fig 3: Shade ransomware vs. phishing pages in the hidden directory

Case I: Shade/Troldesh ransomware under the hidden directory

The graph below shows the Shade/Troldesh ransomware under the hidden directory that we detected last month.

Fig 4: Shade/Troldesh ransomware hits over one month

In the case of Shade/Troldesh ransomware, every compromised site has three types of files: HTML, ZIP, and EXE (renamed to .jpg), as shown below.

Fig 5: Shade in hidden SSL validation directory

inst.htm and thn.htm are HTML files that redirect to download the ZIP files. reso.zip, rolf.zip, and stroi-invest.zip are ZIP files that contain the JavaScript file. msg.jpg and msges.jpg are EXE files that are the Shade ransomware itself.

Fig 6: Shade infection chain

Troldesh is typically spread by malspam with a ZIP attachment or a link to an HTML redirector page, which downloads the ZIP file. The malspam pretends to be an order update coming from a Russian organization. An example of an email containing the link to the HTML redirector is shown below.

Fig 7: Malspam mail
Fig 8: Redirector to download ZIP

The ZIP file contains only the JavaScript file, with a Russian name.

The JavaScript is highly obfuscated, and its encrypted strings are decrypted at runtime by the function below.

Fig 9: Decryption function

After decryption, the JavaScript has the functionality shown below: it tries to connect to one of two URLs, downloads the payload into %TEMP%, and executes it.

Fig 10: Simplified JavaScript code

The downloaded payload is the new variant of Shade/Troldesh ransomware, which has been around since 2014. It has two layers of packers: a custom one and UPX. After unpacking, it saves its configuration in "HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration".

Fig 11: Shade configuration

    xcnt     = count of encrypted files
    xi       = ID of the infected machine
    xpk      = RSA public key used for encryption
    xVersion = version of the current Shade ransomware

The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion. It drops a Tor client in %TEMP% to connect to its C&C server. For each file, the file content and the file name are encrypted with AES-256 in CBC mode using two different keys. After encryption, it renames the file to BASE64(AES(file_name)).ID_of_infected_machine.crypted000007.

Fig 12: Encrypted files

It drops a copy of itself in %ProgramData%\Windows\csrss.exe and creates a Run entry for this copy under the name "BurnAware". It drops README1.txt to README10.txt on the desktop and changes the wallpaper as shown below.

Fig 13: Shade wallpaper

The README.txt files contain the ransom note in both Russian and English.

Fig 14: Shade ransom note
Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware

Case II: Phishing pages under the hidden directory

The graph below shows the different types of phishing pages under the hidden directory that we detected last month.

Fig 16: Phishing hits over one month

The phishing pages we have seen up to this point, hosted under the SSL-validation hidden directories, are related to Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others.
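Both cases above come down to the same check a site owner or responder can run: anything under /.well-known/ that is not a plain-text validation token is out of place, and the file's first bytes, not its extension, say what it really is (msg.jpg is a PE executable, the ZIPs carry the JavaScript dropper, the .htm files redirect). The following is an added hunting script, not part of the Zscaler write-up, that walks a webroot's .well-known tree and classifies each file by magic bytes against its name. It assumes a legitimate HTTP-01 challenge file is a bare base64url token with no extension; the token name, file contents and directory tree it builds for the demo are constructed, not real indicators.

```python
import os
import re
import tempfile

# Magic bytes for the types that turned up in these directories (PE, ZIP, PDF)
# plus real JPEG, so a .jpg that is really an EXE stands out.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf", "zip": "zip"}
# Assumption: a legitimate HTTP-01 challenge file is a bare base64url token, no extension.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


def sniff(head):
    """Classify a file by its first bytes, not its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    if head.lstrip().lower().startswith((b"<html", b"<!doctype", b"<script", b"<?php")):
        return "html"
    return "other"


def classify(name, head):
    """Return (verdict, reason) for one file found under .well-known/."""
    kind = sniff(head)
    if TOKEN_RE.match(name) and kind == "other":
        return "expected", "looks like a challenge token"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXT_KIND and kind != EXT_KIND[ext]:
        return "suspicious", f"{ext} extension but content is {kind}"
    if kind == "other":
        return "review", "non-token text file; compare with the CA's instructions"
    return "suspicious", f"{kind} content has no business under .well-known"


def triage_well_known(webroot):
    """Walk <webroot>/.well-known and return (relative path, verdict, reason) tuples."""
    findings = []
    base = os.path.join(webroot, ".well-known")
    for dirpath, _, files in os.walk(base):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(16)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            findings.append((rel, *classify(fname, head)))
    return sorted(findings)


def build_demo_site():
    """Constructed webroot mimicking the paths in the write-up; all contents are fake."""
    root = tempfile.mkdtemp()
    samples = {
        ".well-known/acme-challenge/5jNudRN6Ye4MNC8ZtsqdGkv4PYlAgyJQwWjRPeJOFZw": b"5jNudRN6Ye4MNC8Z.tokenthumbprint",
        ".well-known/acme-challenge/msg.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
        ".well-known/pki-validation/reso.zip": b"PK\x03\x04\x14\x00\x00\x00",
        ".well-known/acme-challenge/inst.htm": b"<html><body>redirect</body></html>",
        ".well-known/pki-validation/A1B2C3.txt": b"validation text for a non-ACME CA",
        ".well-known/acme-challenge/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, verdict, reason in triage_well_known(build_demo_site()):
        print(f"{verdict:10} {rel}  ({reason})")
```

Point triage_well_known at the real document root instead of the demo tree to use it on a site. Even a genuine JPEG is reported, because nothing but validation files belongs there; the "review" bucket exists because some CAs validate through a .txt under pki-validation, so a plain-text file with a non-token name should be checked against the CA's own instructions rather than deleted blindly.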
Fig 17: OneDrive phishing page
Fig 18: Yahoo phishing page
Fig 19: DHL phishing page

IOCs:

aioshipping[.]com/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf
rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg
judge[.]education/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg
nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg
rdsis[.]in/.well-known/pki-validation/msg.jpg
khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf
vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg
dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg
myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf
minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf
judge[.]education:80/.well-known/pki-validation/ssj.jpg
minifyurl[.]net/.well-known/pki-validation/mxr.pdf
neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf
backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg
mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf
myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf
khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
globalkabar[.]com/.well-known/pki-validation/sserv.jpg
ereservices[.]com:80/.well-known/pki-validation/ssj.jpg
dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg
backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg
mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg
business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg
vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg
dichvucong[.]vn/.well-known/acme-challenge/msg.jpg
thuducland[.]net/.well-known/acme-challenge/sserv.jpg
sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg
rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg
lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg
ereservices[.]com/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
ceroshop[.]net/.well-known/acme-challenge/nba1.jpg
thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg
lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg
entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf
epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg
globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg
sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg
dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg
argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg
aa[-]publisher.com:80/.well-known/mxr.pdf
duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg
master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg
ea[-]no7.net/.well-known/pki-validation/messg.jpg
tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msges.jpg
tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg
rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip
needcareers[.]com/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msg.jpg
mytripland[.]com:80/.well-known/pki-validation/sserv.jpg
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/msg.jpg
diennangmattroi[.]com/.well-known/pki-validation/msges.jpg
diennangmattroi[.]com/.well-known/pki-validation/msg.jpg
alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip
24bizhub[.]com/.well-known/pki-validation/msges.jpg
24bizhub[.]com/.well-known/pki-validation/msg.jpg
thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
needcareers[.]com/.well-known/pki-validation/msg.jpg
hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip
designitpro[.]net/.well-known/acme-challenge/msg.jpg
zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg
vina[.]fun:80/.well-known/acme-challenge/ssj.jpg
nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg
neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg
jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg
indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg
hexamersolution[.]com/.well-known/acme-challenge/msg.jpg
hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg
dongha[.]city:80/.well-known/acme-challenge/ssj.jpg
domika[.]vn/.well-known/acme-challenge/msg.jpg
coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg
choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg
brace[-]dd.com/.well-known/pki-validation/msg.jpg
angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg
advancitinc[.]com/.well-known/pki-validation/msg.jpg
vodai[.]bid/.well-known/pki-validation/ssj.jpg
thucphammena[.]com/.well-known/acme-challenge/ssj.jpg
thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip
thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip
shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg
shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg
sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
needcareers[.]com/.well-known/pki-validation/tehnikol.zip
needcareers[.]com/.well-known/pki-validation/stroi-industr.zip
maithanhduong[.]com/.well-known/pki-validation/pik.zip
luongynhiem[.]com/.well-known/pki-validation/gkpik.zip
lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg
kinder[-]express.de/.well-known/acme-challenge/reso.zip
khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg
jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg
jambanswers[.]org/.well-known/pki-validation/ssj.jpg
intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg
gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg
gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/major.zip
fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg
diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip
canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg
bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg
bolt[-]fast.com/.well-known/pki-validation/gkpik.zip
bmt[.]today/.well-known/acme-challenge/ssj.jpg
blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip
bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg
attireup[.]com/.well-known/acme-challenge/tehnikol.zip
attireup[.]com/.well-known/acme-challenge/stroi-industr.zip
acreationevents[.]com/.well-known/acme-challenge/msg.jpg
yeu82[.]com/.well-known/acme-challenge/ssj.jpg
yeu81[.]com/.well-known/acme-challenge/ssj.jpg
yeu49[.]com/.well-known/acme-challenge/ssj.jpg
yeu48[.]com/.well-known/acme-challenge/ssj.jpg
vuacacao[.]com/.well-known/acme-challenge/ssj.jpg
vision[-]ex.de/.well-known/acme-challenge/reso.zip
vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg
vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf
variantmag[.]com/.well-known/acme-challenge/sserv.jpg
valentinesblues[.]com/.well-known/pki-validation/sserv.jpg
uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg
tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg
tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg
tropictowersfiji[.]com/.well-known/pki-validation/pik.zip
thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf
theotokis[.]gr/.well-known/pki-validation/mxr.pdf
thefashionelan[.]com/.well-known/pki-validation/msg.jpg
tanione[.]com:80/.well-known/acme-challenge/ssj.jpg
tanione[.]com/.well-known/acme-challenge/ssj.jpg
steeveriano[.]com/.well-known/pki-validation/msg.jpg
singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip
shafercharacter[.]org/.well-known/acme-challenge/messg.jpg
service[.]baynuri.net/.well-known/acme-challenge/messg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip
realman[.]work/.well-known/acme-challenge/reso.zip
rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf
rarejewelry[.]net/.well-known/acme-challenge/messg.jpg
qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg
panama[.]driverclub.co/.well-known/pki-validation/pic.zip
ngheve[.]com/.well-known/acme-challenge/ssj.jpg
nfc[.]com.vn/.well-known/acme-challenge/msg.jpg
next[-]vision.ro/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/mxr.pdf
neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip
neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg
navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg
mytripland[.]com/.well-known/pki-validation/ssj.jpg
myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg
mskhangroup[.]com/.well-known/pki-validation/pic.zip
mskhangroup[.]com/.well-known/pki-validation/msg.jpg
morganbits[.]com/.well-known/acme-challenge/mxr.pdf
mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf
mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg
meliscar[.]com:80/.well-known/pki-validation/ssj.jpg
meliscar[.]com/.well-known/pki-validation/ssj.jpg
manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf
maithanhduong[.]com/.well-known/pki-validation/msg.jpg
lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg
lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg
lastra[.]top/.well-known/pki-validation/msg.jpg
laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg
laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg
kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg
jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip
integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg
incgoin[.]com/.well-known/pki-validation/reso.zip
hexacode[.]lk/.well-known/acme-challenge/ssj.jpg
happysungroup[.]de/.well-known/pki-validation/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/reso.zip
goindelivery[.]com/.well-known/pki-validation/msg.jpg
goindelivery[.]com/.well-known/pki-validation/kia.zip
gnb[.]uz/.well-known/pki-validation/ssj.jpg
geecee[.]co.za/.well-known/pki-validation/msg.jpg
geecee[.]co.za/.well-known/pki-validation/kia.zip
gdn[.]segera.live/.well-known/pki-validation/sserv.jpg
fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg
fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg
ereservices[.]com/.well-known/pki-validation/sserv.jpg
ede[.]coffee/.well-known/acme-challenge/ssj.jpg
dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg
diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf
diota[-]ar.com/.well-known/acme-challenge/mxr.pdf
diamondking[.]co/.well-known/pki-validation/sserv.jpg
dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg
designitpro[.]net/.well-known/acme-challenge/reso.zip
damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg
dailynow[.]vn/.well-known/acme-challenge/msg.jpg
choviahe[.]cf/.well-known/acme-challenge/ssj.jpg
cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg
business[.]driverclub.co/.well-known/pki-validation/msg.jpg
bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg
bcspremier[.]ru/promo/well-known/images/background_sm.jpg
bcspremier[.]ru/promo/well-known/images/background_lg.jpg
atiqah[.]my/.well-known/pki-validation/sserv.jpg
aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg
aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg
24bizhub[.]com/.well-known/pki-validation/tehnikol.zip
24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/reso.zip
ipeari[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/stroi-invest.zip
ipeari[.]com/.well-known/pki-validation/tehnikol.zip
learning[.]ipeary.com/.well-known/pki-validation/reso.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
test[.]digimarkting.com/.well-known/pki-validation/reso.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-invest.zip
test[.]digimarkting.com/.well-known/pki-validation/tehnikol.zip
sbs[.]ipeary.com/.well-known/pki-validation/reso.zip
sbs[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
sbs[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
singleparentaustralia[.]com.au/.well-known/pki-validation/msg.jpg
natristhub[.]club/.well-known/pki-validation/reso.zip
natristhub[.]club/.well-known/pki-validation/stroi-industr.zip
natristhub[.]club/.well-known/pki-validation/stroi-invest.zip
natristhub[.]club/.well-known/pki-validation/tehnikol.zip
natristhub[.]club/.well-known/pki-validation/tehnikol1.zip

Link: https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites

Androwarn – Yet Another Static Code Analyzer For Malicious Android Applications

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen by the user.

Features

Structural and data flow analysis of the bytecode targeting different malicious behaviour categories:
  - Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
  - Device settings exfiltration: software version, usage statistics, system settings, logs...
  - Geolocation information leakage: GPS/WiFi geolocation...
  - Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address...
  - Telephony services abuse: premium SMS sending, phone call composition...
  - Audio/video flow interception: call recording, video capture...
  - Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
  - PIM data leakage: contacts, calendar, SMS, mails, clipboard...
  - External memory operations: file access on SD card...
  - PIM data modification: add/delete contacts, calendar events...
  - Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
  - Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...

Report generation according to several detail levels:
  - Essential (-v 1) for newbies
  - Advanced (-v 2)
  - Expert (-v 3)

Report generation according to several formats:
  - Plaintext txt
  - Formatted html from a Bootstrap template
  - JSON

Usage

Options

    usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}] [-d]
                     [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}] [-w]

    version: 1.4

    optional arguments:
      -h, --help            show this help message and exit
      -i INPUT, --input INPUT
                            APK file to analyze
      -o OUTPUT, --output OUTPUT
                            Output report file (default "./_<timestamp>.<report_type>")
      -v {1,2,3}, --verbose {1,2,3}
                            Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3) (default 1)
      -r {txt,html,json}, --report {txt,html,json}
                            Report type (default "html")
      -d, --display-report  Display analysis results to stdout
      -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                            Log level (default "ERROR")
      -w, --with-playstore-lookup
                            Enable online lookups on Google Play

Common usage

    $ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

By default, the report is generated in the current folder. An HTML report is now contained in a standalone file; CSS/JS resources are inlined.

Sample application

A sample application has been built, concentrating several malicious behaviours. The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation

Python 2.7 + androguard + jinja2 + play_scraper + argparse

The easiest way to set everything up: pip install androwarn and then directly use $ androwarn. Or git clone the repository and pip install -r requirements.txt.

Changelog
  - version 1.5 - 2019/01/05: few fixes
  - version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
  - version 1.3 - 2018/12/30: few fixes
  - version 1.2 - 2018/12/30: few fixes
  - version 1.1 - 2018/12/29: fixing a few bugs, removing Chilkat dependencies and pip packaging
  - version 1.0 - from 2012 to 2013

Contributing

You're welcome, any help is appreciated :)

Contact

Thomas Debize < tdebize at mail d0t com >
Join #androwarn on Freenode

Greetings

Stéphane Coulondre, for supervising my Final Year project
Anthony Desnos, for his amazing Androguard project and his help through my Final Year project
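The behaviour categories above are, at bottom, a mapping from sensitive Android API calls found in the Smali to a category and to the method that makes the call. The following is an added example of that idea, not Androwarn's code (Androwarn works on androguard's parsed bytecode objects, this works on Smali text with regular expressions): a small signature table for a few of the categories listed above, a scanner that tracks which method each invoke-* instruction belongs to, and a report function that mirrors the three detail levels. The Smali excerpt and the signature subset are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed Smali excerpt for the demo (not from the androwarn sample application).
SMALI_SAMPLE = """\
.class public Lcom/example/Collector;
.method private collect()V
    .locals 7
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual/range {v1 .. v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
.method private run()V
    .locals 2
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    invoke-virtual {v0}, Landroid/widget/TextView;->getText()Ljava/lang/CharSequence;
    return-void
.end method
"""

# (class descriptor, method) -> (behaviour category, what the call means).
# A small subset of the categories listed above, chosen for the demo.
SIGNATURES = {
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"):
        ("Telephony identifiers exfiltration", "reads the IMEI"),
    ("Landroid/telephony/TelephonyManager;", "getSubscriberId"):
        ("Telephony identifiers exfiltration", "reads the IMSI"),
    ("Landroid/telephony/SmsManager;", "sendTextMessage"):
        ("Telephony services abuse", "sends an SMS"),
    ("Ljava/lang/Runtime;", "exec"):
        ("Arbitrary code execution", "runs a shell command via Runtime.exec"),
    ("Ldalvik/system/DexClassLoader;", "<init>"):
        ("Arbitrary code execution", "loads code at runtime"),
}

METHOD_RE = re.compile(r"^\.method\s+(?:[a-z-]+\s+)*(\S+?)\(")
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;)->(<?\w+>?)\(")


def analyze_smali(text):
    """Map each sensitive API call in the Smali to its behaviour category and calling method."""
    findings = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line == ".end method":
            current = None
            continue
        m = INVOKE_RE.match(line)
        if not m or (m.group(1), m.group(2)) not in SIGNATURES:
            continue
        category, meaning = SIGNATURES[(m.group(1), m.group(2))]
        findings[category].append((current, f"{m.group(1)}->{m.group(2)}", meaning))
    return dict(findings)


def report(findings, level=1):
    """Essential (1) lists categories; 2 adds the calling method; 3 adds the exact API."""
    lines = []
    for category in sorted(findings):
        lines.append(f"[!] {category}")
        if level >= 2:
            for method, api, meaning in findings[category]:
                lines.append(f"    in {method}(): {meaning}" + (f"  [{api}]" if level >= 3 else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze_smali(SMALI_SAMPLE), level=3)))
```

Run stand-alone it reports the IMEI/IMSI reads and the SMS send inside collect() and the Runtime.exec call inside run(), while the harmless TextView.getText() call is ignored. This is pattern matching on call sites only; it cannot tell whether the IMEI actually reaches a network socket, which is what the data flow analysis in the tool itself adds on top.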

Link: http://feedproxy.google.com/~r/PentestTools/~3/CXJc4Zacvso/androwarn-yet-another-static-code.html

Ghidra – Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, Mac OS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

This repository is a placeholder for the full open source release. Be assured efforts are under way to make the software available here. In the meantime, enjoy using Ghidra on your SRE efforts, developing your own scripts and plugins, and perusing the over a million lines of Java and Sleigh code released within the initial public release. The release can be downloaded from our project homepage.

Link: http://www.kitploit.com/2019/03/ghidra-software-reverse-engineering.html

Pftriage – Python Tool And Library To Help Analyze Files During Malware Triage And Analysis

pftriage is a tool to help analyze files during malware triage. It allows an analyst to quickly view and extract properties of a file to help during the triage process. The tool also has an analyze function which can detect common malicious indicators used by malware.

Dependencies

  - pefile
  - filemagic

Note: On Mac, Apple has implemented their own version of the file command. However, libmagic can be installed using Homebrew:

    $ brew install libmagic

Usage

    usage: pftriage [options]

    Show information about a file for triage.

    positional arguments:
      file                  The file to triage.

    optional arguments:
      -h, --help            show this help message and exit
      -i, --imports         Display import tree
      -s, --sections        Display overview of sections. For more detailed info pass the -v switch
      --removeoverlay       Remove overlay data.
      --extractoverlay      Extract overlay data.
      -r, --resources       Display resource information
      -D DUMP_OFFSET, --dump DUMP_OFFSET
                            Dump data using the passed offset or 'ALL'. Currently only works with resources.
      -a, --analyze         Analyze the file.
      -v, --verbose         Verbose output.
      -V, --version         Print version and exit.

Sections

Display section information by using the -s or --sections switch. Additionally you can pass -v for a more verbose view of section details. To export a section pass --dump and the desired section Virtual Address (ex: --dump 0x00001000).

     ---- Section Overview (use -v for detailed section info) ----

     Name      Raw Size    Raw Data Pointer  Virtual Address  Virtual Size  Entropy        Hash
     .text     0x00012200  0x00000400        0x00001000       0x000121d8    6.71168555177  ff38fce4f48772f82fc77b4ef223fd74
     .rdata    0x00005a00  0x00012600        0x00014000       0x0000591a    4.81719489022  b0c15ee9bf8480a07012c2cf277c3083
     .data     0x00001a00  0x00018000        0x0001a000       0x0000ab80    5.28838495072  5d969a878a5106ba526aa29967ef877f
     .rsrc     0x00002200  0x00019a00        0x00025000       0x00002144    7.91994689603  d361caffeadb934c9f6b13b2474c6f0f
     .overlay  0x00009b30  0x0001bc00        0x00000000       0x00000000    0              N/A

Resources

Display resource data by using -r or --resources.

     ---- Resource Overview ----

     Type: CODATA
       Name   Language      SubLang     Offset      Size        Code Page   Type
       0x68   LANG_RUSSIAN  RUSSIAN     0x000250e0  0x00000cee  0x000004e4
       0x69   LANG_RUSSIAN  RUSSIAN     0x00025dd0  0x000011e6  0x000004e4

     Type: RT_MANIFEST
       Name   Language      SubLang     Offset      Size        Code Page   Type
       0x1    LANG_ENGLISH  ENGLISH_US  0x00026fb8  0x0000018b  0x000004e4

To extract a specific resource use -D with the desired offset. If you want to extract all resources, pass ALL instead of a specific offset.

Imports

Display import data and modules using -i or --imports. Imports which are resolved by ordinal are identified as such and include the ordinal used.

    [*] Loading File...

     ---- Imports ----
     Number of imported modules: 4

     KERNEL32.dll
      |-- GetProcessHeap
      |-- HeapFree
      |-- HeapAlloc
      |-- SetLastError
      |-- GetLastError

     WS2_32.dll
      |-- getaddrinfo
      |-- freeaddrinfo
      |-- closesocket Ordinal[3] (Imported by Ordinal)
      |-- WSAStartup Ordinal[115] (Imported by Ordinal)
      |-- socket Ordinal[23] (Imported by Ordinal)
      |-- send Ordinal[19] (Imported by Ordinal)
      |-- recv Ordinal[16] (Imported by Ordinal)
      |-- connect Ordinal[4] (Imported by Ordinal)

     ole32.dll
      |-- CoCreateInstance
      |-- ...

Exports

Display exports using -e or --exports.

    [*] Loading File...

     ---- Exports ----
     Total Exports: 5
     Address     Ordinal  Name
     0x00001151  1        FindResources
     0x00001103  2        LoadBITMAP
     0x00001137  3        LoadICON
     0x000010e9  4        LoadIMAGE
     0x0000111d  5        LoadSTRINGW

Metadata

File and version metadata is displayed if no options are passed on the command line.

    [*] Loading File...
    [*] Processing File details...

     ---- File Summary ----

     General
       Filename       sample.exe
       Magic Type     PE32 executable (GUI) Intel 80386, for MS Windows
       Size           135168
       First Bytes    4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00

     Hashes
       MD5            8e8a8fe8361c7238f60d6bbfdbd304a8
       SHA1           557832efe10daff3f528a3c3589eb5a6dfd12447
       SHA256         118983ba4e1c12a366d7d6e9461c68bf222e2b03f3c1296091dee92ac0cc9dd8
       Import Hash    0239fd611af3d0e9b0c46c5837c80e09
       ssdeep

     Headers
       Subsystem        IMAGE_SUBSYSTEM_WINDOWS_GUI
       Linker Version   12.0 - (Visual Studio 2013)
       Image Base       0x400000
       Compile Time     Thu Jun 23 16:04:21 2016 UTC
       Checksum         0
       Filename         sample.exe
       EP Bytes         55 8b ec 51 83 65 fc 00 8d 45 fc 56 57 50 e8 64
       Signature        0x4550
       First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
       Sections         4
       Entry Point      0x139de
       Packed           False
       Size             135168
       Characteristics  IMAGE_FILE_32BIT_MACHINE
                        IMAGE_FILE_EXECUTABLE_IMAGE
                        IMAGE_FILE_RELOCS_STRIPPED

Analyze

pftriage can perform a simple analysis of a file to identify malicious characteristics.

    [*] Loading File...
    [*] Analyzing File...
    [*] Analysis Complete...

     [!] Checksum    Invalid CheckSum
     [!] AntiDebug   AntiDebug Function import [GetTickCount]
     [!] AntiDebug   AntiDebug Function import [QueryPerformanceCounter]
     [!] Imports     Suspicious API Call [TerminateProcess]
     [!] AntiDebug   AntiDebug Function import [SetUnhandledExceptionFilter]
     [!] AntiDebug   AntiDebug Function import [IsDebuggerPresent]

Overlay Data

Overlay data is identified by analyzing or displaying section information of the file. If overlay data exists, pftriage can either remove the data by using the --removeoverlay switch or export the overlay data by using the --extractoverlay switch.
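Three of the checks shown above (per-section entropy, overlay data past the last section, and tagging of anti-debug or suspicious imports) are simple enough to reproduce without a PE library, which is useful for understanding what the tool's output means. The following is an added example, not pftriage's code (pftriage relies on pefile): it walks the section table with struct, scores each section's entropy, locates the overlay, and tags import names against small anti-debug and suspicious lists. The toy PE it builds for the demo is constructed (valid headers, not a runnable program), and the import-name lists are a subset chosen for illustration.

```python
import math
import struct
from collections import Counter

# Import names flagged the way the analyze output above does; a subset chosen for the demo.
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount",
              "QueryPerformanceCounter", "SetUnhandledExceptionFilter", "OutputDebugStringA"}
SUSPICIOUS = {"TerminateProcess", "VirtualAllocEx", "WriteProcessMemory",
              "CreateRemoteThread", "SetWindowsHookExA"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(blob):
    """Walk the PE section table with struct only (no pefile) and score each section."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rptr": rptr,
                         "rsize": rsize,
                         "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 3)})
    return sections


def overlay(blob, sections):
    """Bytes past the last section's raw data: (offset, data); data is empty if none."""
    end = max((s["rptr"] + s["rsize"] for s in sections), default=0)
    return end, blob[end:]


def flag_imports(names):
    """Tag imported function names like the analyze output above."""
    return ([(n, "AntiDebug") for n in names if n in ANTI_DEBUG]
            + [(n, "Suspicious") for n in names if n in SUSPICIOUS])


def build_sample_pe():
    """Constructed toy PE32 (headers only, not runnable): a NOP .text section, a .rsrc
    section holding every byte value equally often, and trailing overlay data."""
    pe_off, opt_size, n = 0x40, 0xE0, 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    raw_base = 0x200                                           # 512-byte file alignment
    text = b"\x90" * 0x200
    rsrc = bytes(range(256)) * 2
    hdr = dos + coff + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       raw_base, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc),
                       raw_base + len(text), 0, 0, 0, 0, 0x40000040)
    hdr += b"\0" * (raw_base - len(hdr))
    return hdr + text + rsrc + b"appended installer data"


if __name__ == "__main__":
    blob = build_sample_pe()
    secs = parse_sections(blob)
    for s in secs:
        print(f"{s['name']:8} raw=0x{s['rptr']:08x} size=0x{s['rsize']:08x} entropy={s['entropy']}")
    off, data = overlay(blob, secs)
    print(f"overlay at 0x{off:x}: {len(data)} bytes")
    print(flag_imports(["GetProcessHeap", "IsDebuggerPresent", "TerminateProcess"]))
```

The .rsrc section comes out at exactly 8.0 bits per byte, which is what the 7.9 in the section overview above is approaching: a resource section that looks like random data usually holds an encrypted or compressed payload. The overlay offset is simply the end of the highest-placed section's raw data, which is how the .overlay pseudo-section in the table gets its Raw Data Pointer.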

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZjjYohz9GbE/pftriage-python-tool-and-library-to.html