Flerken – Obfuscated Command Detection Tool

Command line obfuscation has proved to be a non-negligible factor in fileless malware and among malicious actors that are "living off the land". To bypass signature-based detection, dedicated obfuscation techniques are used in red-team penetrations and even in APT activity. Meanwhile, numerous obfuscators (tools that perform syntax transformation) are open sourced, which makes obfuscating a given command increasingly effortless. However, suitable defenses remain few. For Linux command line obfuscation, we can barely find any detection tools. As for defenses against Windows command obfuscation, existing schemes either lack toolization or only partially resolve the problem, sometimes even inaccurately.

To better facilitate obfuscation detection, we propose Flerken, a toolized platform that can detect obfuscated Windows (CMD and PowerShell) and Linux (Bash) commands. The name Flerken is inspired by a cat-like yet extremely powerful creature from the Marvel world. Flerken is built on a carefully collected set of black/white samples and is divided into two sub-schemes: Kindle (Windows obfuscation detector) and Octopus (Linux obfuscation detector). To optimize Flerken's classification performance, we adopt techniques such as machine learning, bi-directional feature filtering, and script sandboxing.

Documentation
For a detailed description of Flerken, please review our specification document here.

Quickstart
Installation
Step 1: Ensure Python 3.x is installed on your server; you can check with the following command.
[root@server:~$] python -V
Step 2: Install the required components; all prerequisites are declared in requirement.txt.
[root@server:~$] pip install -r requirement.txt
Step 3: Customize your Flerken app config as you wish. Path: flerken/config/global_config.py
Step 4: Now you can run it!
[root@server:~$] python runApp.py
Step 5 (optional): You can build your own whitelists to reduce the false positive rate. Path: flerken/config/whitelists/

How to use
It is very easy to use, as shown in the following picture, and we will also release API interfaces soon.

Getting Help
If you have any questions or feedback on Flerken, please create an issue and choose a suitable label for it. We will address it as soon as possible.

Built-in 3rd parties
Flask, Flask-WTF, Flask-Limiter, frankie-huang/pythonMySQL, jQuery, Swiper

Authors
Yao Zhang, Zhiyang Zeng

Download Flerken

Link: http://feedproxy.google.com/~r/PentestTools/~3/XuqcFjTq6S8/flerken-obfuscated-command-detection.html

NovaLoader, yet another Brazilian banking malware family

As part of our daily threat tracking activity, ThreatLabZ researchers recently came across an interesting Brazilian banking malware campaign. The malware, NovaLoader, was written in Delphi and made extensive use of Visual Basic Script (VBS) scripting language. Although the final payload was not entirely new and has been discussed by other security researchers, we found that the multi-stage payload delivery was unique.
 
Delivery method
In earlier documented campaigns, the delivery methods for this malware included spam, social engineering, and fake sites for popular software such as Java. The malware operators use a variety of available options to ensure malware delivery and try to avoid detection by security products. They often do so by abusing popular legitimate services like Dropbox, GitHub, Pastebin, AWS, GitLab, and others, as well as URL shorteners and dynamic DNS services such as No-IP and DynDNS.
NovaLoader is known to use AutoIt, PowerShell, and batch scripts in the infection chain, but this is the first time we have seen it use VBS. In this campaign, it is also using encrypted scripts instead of simply obfuscated ones.
Fig.1: NovaLoader Infection flow
 
Main Dropper
MD5: 4ef89349a52f9fcf9a139736e236217e
The main dropper is very simple; its only purpose is to decrypt the embedded VB script and run the decrypted script.
 
Fig. 2: Stage 1 VB script decryption loop
 
Stage 1 Script
Embedded script before and after decryption:
Fig. 3: VB script before and after decryption
This VBS file will decrypt a URL (dwosgraumellsa[.]club/cabaco2.txt) to download another encrypted script and run that after decryption.
Fig. 4: Download request for the next stage, an encrypted payload
 
Stage 2 Script
Downloaded VB script looks like the following after decryption:
Fig. 5: VBS after decryption
The VB script will send a GET request to "http://54.95.36[.]242/contaw.php", possibly to let the command-and-control (C&C) server know that it is running on the system. After that it will try to detect the presence of a virtual environment using Windows Management Instrumentation (WMI) queries, as shown below.
Fig. 6: VM detection code
NovaLoader will copy the following executable files into the directory C:\Users\Public\:
C:\Windows\(system32|SysWOW64)\rundll32.exe
C:\Windows\(system32|SysWOW64)\Magnification.dll
Fig. 7: C&C notification request
After that it will download the following files from 32atendimentodwosgraumell[.]club:
32atendimentodwosgraumell[.]club/mi5a.php decrypted and saved at C:\Users\Public\{random}4.zip
32atendimentodwosgraumell[.]club/mi5a1.zip saved at C:\Users\Public\{random}1.zip
32atendimentodwosgraumell[.]club/mi5asq.zip saved at C:\Users\Public\{random}sq.zip
Then it will send multiple GET requests to “54.95.36.242/contaw{1-7}.php”
Fig. 8: Multiple C&C requests
GET /contaw.php
GET /contaw2.php?w={redacted}BIT-PC_Microsoft%20Windows%207%20Professional%20_True
GET /contaw3.php?w={redacted}BIT-PC
GET /contaw4.php?w={redacted}BIT-PC
GET /contaw5.php?w={redacted}BIT-PC
GET /contaw6.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM
GET /contaw7.php?w={redacted}BIT-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_
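The check-in requests above form a recognisable pattern on a web proxy: a sequence of /contaw.php and /contaw2.php through /contaw7.php requests to the same host, with the victim's computer name as the first underscore-separated field of the "w=" value. The following detection logic is an added example (not from the Zscaler write-up); the log format, client IPs and the computer name VICTIM-PC are constructed for it.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# Matches the NovaLoader check-in URLs listed above: /contaw.php and
# /contaw2.php ... /contaw7.php, optionally carrying a "w=" value.
BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/]+)/contaw(?P<idx>[1-7]?)\.php(?:\?w=(?P<data>.*))?$"
)

# Constructed proxy log in a hypothetical "client method url status" format;
# the client IPs and the hostname VICTIM-PC are made up for this example.
SAMPLE_LOG = """\
10.0.0.7 GET http://54.95.36.242/contaw.php 200
10.0.0.7 GET http://54.95.36.242/contaw2.php?w=VICTIM-PC_Microsoft%20Windows%207%20Professional%20_True 200
10.0.0.9 GET http://example.com/index.php 200
10.0.0.7 GET http://54.95.36.242/contaw7.php?w=VICTIM-PC_2/1/2019%205:05:06%20PM_CD=414KbCD1=9160Kb_ 200
"""

def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the C&C host, script name and decoded fields, or None if not a beacon."""
    m = BEACON_RE.match(url)
    if m is None:
        return None
    data = unquote(m.group("data") or "")
    # The first underscore-separated field of "w=" is the victim's computer name.
    return {
        "c2": m.group("host"),
        "script": f"contaw{m.group('idx')}.php",
        "victim": data.split("_")[0],
        "data": data,
    }

def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and keep only NovaLoader-style check-ins."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, _method, url, _status = parts[:4]
        beacon = parse_beacon(url)
        if beacon is not None:
            beacon["client"] = client
            hits.append(beacon)
    return hits

def infected_clients(text: str) -> Dict[str, List[str]]:
    """Map each client IP to the sorted list of check-in scripts it requested."""
    seen: Dict[str, set] = {}
    for hit in scan_log(text):
        seen.setdefault(hit["client"], set()).add(hit["script"])
    return {client: sorted(scripts) for client, scripts in seen.items()}
```

A single client requesting several distinct contaw scripts in a short window is a stronger signal than any one request, which is why the last function aggregates per client.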
It will also drop several files into the C:\Users\Public\ directory:
Dropped file | MD5 | Comment
DST.exe | 51138BEEA3E2C21EC44D0932C71762A8 | copied rundll32.exe
I | 3DC26D510907EAAC8FDC853D5F378A83 | encrypted file containing various values such as version, extension, etc.
I_ | A34F1D7ED718934185EC96984E232784 | encrypted configuration file
KC | 89473D02FEB24CE5BDE8F7A559631351 | similar to the file named "I"
mwg.dll | F3F571288CDE445881102E385BF3471F | copied Magnification.dll
PFPQUN.DST | 8C03B522ACB4DDC7F07AB391E79F1601 | support DLL to decrypt the main payload
PFPQUN1.DST | F3D4520313D05C66CEBA8BDA748C0EA9 | encrypted main payload
winx86.dll | 87F9E5A6318AC1EC5EE05AA94A919D7A | SQLite DLL
Fig. 9: Files dropped by script
And, finally, it will execute the decrypted DLL's exported function using the copied rundll32.exe file.
Fig. 10: Executing the stage-3 payload
The stage-3 payload is a DLL file that acts as a loader for the final payload. It is run via rundll32.exe and its purpose is to decrypt and load the final payload.
 
Final payload
The final payload is written in Delphi. It has multiple capabilities, including stealing victims' credentials for several Brazilian banks. It monitors browser window titles for bank names and, if a targeted tab is found, the malware can take control of the system and block the victim from the real bank's page while it carries out its nefarious activities under direction from its C&C. Its activity is quite similar to the well-known Overlay RAT.
Some of the interesting commands used by the malware include:
Command String | Description
<|SocketMain|> | To stabilize socket connection
<|Info|> | Sends infected OS details
<|PING|> | Checking status of the connection
<|Close|> | Close all connections
<|REQUESTKEYBOARD|> | Sends keystrokes to the active application window
<|MousePos|> | Set mouse position
<|MouseLD|> | Set mouse left button down
<|MouseLU|> | Set mouse left button up
<|MouseRD|> | Set mouse right button up
<|MouseRU|> | Set mouse right button down
<|Desktop|> | Share compromised system desktop
<|gets|> | Checks for "gets" in the C&C response to verify the data is correct, then replies with <|okok|>
Fig. 11: NovaLoader C&C commands
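For analysts reconstructing a captured session, the <|...|> framing shown in Fig. 11 is easy to tokenize and then bucket by what each command lets the operator do. The parser below is an added example, not code from the write-up; the sample stream is constructed, the grouping of commands is this example's own, and it assumes (the write-up does not say) that any text between two tokens is the argument of the preceding command.

```python
import re
from typing import Dict, List, Tuple

# Command tokens documented in Fig. 11, grouped for triage; the grouping is
# this example's own categorisation, not something the malware defines.
COMMAND_GROUPS: Dict[str, str] = {
    "SocketMain": "session", "PING": "session", "Close": "session",
    "Info": "recon",
    "REQUESTKEYBOARD": "remote_control", "MousePos": "remote_control",
    "MouseLD": "remote_control", "MouseLU": "remote_control",
    "MouseRD": "remote_control", "MouseRU": "remote_control",
    "Desktop": "remote_control",
    "gets": "ack", "okok": "ack",
}

TOKEN_RE = re.compile(r"<\|([A-Za-z]+)\|>")

# Constructed stream for this example. Assumption: whatever sits between two
# tokens is the argument of the preceding command; the real argument encoding
# is not described in the write-up. <|FooBar|> is a deliberately unknown token.
SAMPLE_STREAM = (
    "<|SocketMain|><|Info|>VICTIM-PC|Windows 7<|PING|>"
    "<|MousePos|>412|233<|MouseLD|><|MouseLU|><|FooBar|>x"
)

def tokenize(stream: str) -> List[Tuple[str, str]]:
    """Split a stream into (command, argument) pairs in order of appearance."""
    out: List[Tuple[str, str]] = []
    matches = list(TOKEN_RE.finditer(stream))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(stream)
        out.append((m.group(1), stream[m.end():end]))
    return out

def classify(stream: str) -> Dict[str, object]:
    """Summarise observed commands by group and flag unknown and remote-control ones."""
    groups: Dict[str, List[str]] = {}
    unknown: List[str] = []
    for cmd, _arg in tokenize(stream):
        group = COMMAND_GROUPS.get(cmd)
        if group is None:
            unknown.append(cmd)
        else:
            groups.setdefault(group, []).append(cmd)
    return {
        "groups": groups,
        "unknown": unknown,
        "remote_control_seen": "remote_control" in groups,
    }
```

Any mouse, keyboard or desktop command in a session is the operator-driven overlay behaviour described above and is the part worth alerting on, rather than the keep-alive traffic.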
There were many interesting strings related to Brazilian banks found in the malware:
Strings in malware | Corresponding bank site
caixa | http://www.caixa.gov.br
bancodobrasil | https://www2.bancobrasil.com.br
bbcombr | https://www.bb.com.br/
bradesco | https://banco.bradesco/
santander | https://www.santander.com.br/
bancodaamazonia | https://www.bancoamazonia.com.br/
brbbanknet | https://brbbanknet.brb.com.br/netbanking/
banese | https://www.banese.com.br/
banestes | https://www.banestes.com.br/
bancodoestadodopar | https://www.banpara.b.br/
bancobs2 | https://www.bs2.com/
citibankbrasil | https://www.citibank.com.br
bancofibraonline | https://www.bancofibra.com.br/
agibank | https://www.agibank.com.br/
bancoguanabara | http://www.bancoguanabara.com.br/
ccbbrasil | http://www.br.ccb.com
bancoindusval | https://www.bip.b.br/ir
internetbankingbancointer | https://internetbanking.bancointer.com.br/
modalbanking | https://modalbanking.modal.com.br/
bancopan | https://www.bancopan.com.br/
pineonline | https://www.pine.com/
Fig. 12: Some of the targeted bank strings found in the malware
 
Conclusion
Brazilian actors are among the top contributors to global cybercrime, and they are always coming up with new ways to infect their targets using spam, social engineering, and phishing. In this campaign, we observed them targeting Brazilian financial institutions using malware written in Delphi. The Zscaler ThreatLabZ team is actively tracking and reviewing all malicious payloads to ensure that our customers are protected.
 
IOCs
Md5
URLs

Link: http://www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family

Application News – Application Security Weekly #58

    In the Application Security News, Breach at IT outsourcer Wipro, SCP serves the file it wants, Confluence Path traverses to RCE, another Local PrivEsc on Windows, easier sandboxing for C and C++ APIs, and Computer Science plus Ethics! Bugs, Breaches, and More! Breach at IT Outsourcer Wipro SCP Serves the File It Wants […]
The post Application News – Application Security Weekly #58 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/RJxQ7ssiw_Q/