dimanche 10 décembre 2017

An inside view of a password stealer campaign

After a lightning talks at botconf 2017 I'll try to describe here the full story behind the fav.al malware campaign.
This is not something new, after looking at this internet I've found an article about this case in 2016 but I cannot find any article about the big picture of this case. So, here we go

This is a verrrrry classic case in cyber crime. During the last 5 years I've seen a lot of cases like this one.

Starting line

By looking on public sandboxes I have found a recurrent domain hosting Agent Tesla panel:
[+] 1eb54cd95709b62ebafa50b5dc051a41225b1de236bf8d269ceeac1087f9fbb1 POST -> t4st.fav.al/st/post.php
[+] 78ca1db4616ac10d6ae34a9f8b85b63966fad43fed0f40cf61d9fcde74892d94 POST -> t2st.fav.al/st/post.php
fav.al is known since almost May 2016 for hosting Pony Formbook or Agent Tesla on many different sub domains.
Before giving details on the infrastructure, a quick reminder about the malware used:
Family Method Gate UserAgent
Pony POST gate.php
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
Agent Tesla POST post.php
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv: Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Form Book GET / POST config.php?id= / config.php
Mozilla Firefox/4.0
Those malware are designed to crawls the victim computer and search for saved credentials like FTP, RDP, Email, web sites... in Browser, registry, config files ...
Some good analyzes:

Agent Tesla:


Almost 2 of these malware are open sources. Pony and Agent Tesla has leaked sometimes ago. I draw your attention on these very lame malware. Here, they used the default configuration for Pony and Agent Tesla. The gate is by default, the web requests are by default etc. Take a look at how, in 2017, crooks used old lame Pony shits to infects people protected by "next gen anti virus".
I've work in AV industry, I know how it's difficult to implement protections on Windows without false positive (thanks to all the fucking third party software developed by n00b) but COME ONE! PONY!

Put a global hook (even in userland LOL) and blocks every POST request on gate.php and white list browsers ! Trust me you will catch 80% of the cyber crime... You can even propose a premium version which blocks POST on fre.php and you can be the best AV on Gartner...

kns1.al, fav.al and ddf.al as panel C&C since 2015

These crooks use only a few domains during the operation, and split different victims on different sub domains.
Each sub domains are configured with 2 panels, Formbook and {Pony|Agent Tesla}. In the past this gang used Zeus too
dff.al was known since almost 2015-08-24 (bd1e28f55b2b335e27762425ebc70ffe17d468d7896bf2869bc0e5fa3e4220e2 - (hxxp://files1.ddf.al/bin1.exe)
This looks like a kind of password stealer as service infrastructure.

                      |                             |                             |    
                   fav.al                         ddf.al                        kns1.al
                      |                             |                             |                                                       
                      |                             |                             |        
                 401.fav.al                     d1.ddf.al                      bin1.kns1.al      
                 402.fav.al                     dbr.ddf.al                     bon1.kns1.al
                 403.fav.al                     f1.ddf.al                      byn1.kns1.al
                 404.fav.al                     files.ddf.al                   dan1.kns1.al
                 ali1st.fav.al                  files1.ddf.al                  dan1-d.kns1.al
                 cent1.fav.al                   frank1.ddf.al                  dave1.kns1.al
                 char2.fav.al                   111.dff.al                     denko1.kns1.al
                 charles1.fav.al                owe1.ddf.al                    dinu1.kns1.al
                 charles1-s.fav.al              owe2.ddf.al                    gt1.kns1.al
                 daniel1.fav.al                 owe3.ddf.al                    jeff1.kns1.al
                 dave1.fav.al                   legend1.ddf.al                 jones1.kns1.al
                 db.fav.al                      s1.ddf.al                      ld1.kns1.al
                 dfg2.fav.al                                                   ld1files.kns1.al
                 dfg3.fav.al                                                   nasty1.kns1.al
                 dfg2-s.fav.al                                                 sailheats2.kns1.al
                 dino1.fav.al                                                  sheats1.kns1.al
                 ebu1.fav.al                                                   swain1.kns1.al
                 gabriel1-st.fav.al                                            swain2.kns1.al
                 g1.fav.al                                                     tunapy1.kns1.al
                 g2.fav.al                                                     wal1.kns1.al
                 g3.fav.al                                                     wal2.kns1.al
                 gr2-s.fav.al                                                  wal3.kns1.al
                 heat1.fav.al                                                  wal4.kns1.al
                 idino2.fav.al                                                 wal5.kns1.al
Some panels example from CCT:

This team don't use mass spreading, they select specific victims (we will understand how later), I have seen ~110 victims dispatched in many sub domains. They use password stealer for grabbing access on company and try to steal money.
Password stealer are only one part of their business. During data analysis I have seen that they also used Phishing, scam and CVV laundering.

An inside view

There is a repetitive behavior with lame botmaster. In many case they infect themselves with the malware.
I suspect 2 behaviours behind that:
  • The botmaster wants know if everything is okay with the botnet and the self-infection is used as monitoring
  • The botmaster is a n00b

I think for this case, it's both :).
On one panel, a victim appears to be one admin behind those Formbook & Agent Tesla panels.

This guy stayed infected from 09/13/2017 to 09/22/2017, I'll try to use the collected data to understand how he works and how are used the stolen data. Notice that doxing is not the point here.



As the screenshots shows, victims seems not really targeted, they look for small business easy to hack:

They used already pwned email inboxes for spreading password stealer through fake DocuSign notice:

With filename like "RBL-5019.Jpg,2800 PSI,1450 RPM.Jpg.exe" (81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1) or "Desktop.zip" (dfdc0b9e2cffead30a77bfffad6fb621f6eccaf6f5ace4b1d46bfe7b141a6028).

After stealing passwords, this admin spy on victims activities and discuss with other people on how he can hijack money:

The majority of victims came from China and USA:

In this panel we can see 17 victims, after grabbing all the panels I have counted 101 victims

Admin opsec

After a quick look we can easily understand that this guy looks like another Nigerian phishers. They often don't have any opsec, they have facebook account with cash photo etc because they know that there is no law or resources for arresting them.

This is the desktop of this guy:

He uses hacked RDPs and socks proxies for hiding his IP:

Another interesting fact, apparently this guy doesn't really know how malware works. In the conversation below you can see a "MASTER" botmaster angry because somebody uploads malware sample on VirusTotal, and our guy apologies:

I have also seen that they used ICQ, Jabber and Skype to communicate. On the same day and with the same person, they switch between 3 softwares and they quite never used OTR.


The autopwned guy seems to have the ability to crypt malware. Quite every sample I've found has the same lame VB5 packer

Some samples:
  • 15775abe5573192d8abe6fc03240ef8d0afc94bbae22df5f940a789146295ebb - Agent Tesla - t1st.fav.al/st/post.php
  • 81962cbfd51b64b51eeb4110ef139fd3c2791965621bf7ee65a422974a6ec4a1 - Agent Tesla - t4st.fav.al/st/post.php
  • f1b15760d728dc24cd87339be20cc4fe14359bf810f6866b3e21d7ade25846ed - Pony - riv1.fav.al/ddob/gate.php
(I cannot find any formbook sample :/)


This kind of autopwn allows us to better understand how criminals works, how they can make a lot of money with low investments.

This is far from APTs but the consequences are serious too. We seriously saw a lot of cases like this one, every week on public sandboxes or support forums. This is a big impunity industry of money stealing. I'm pretty sure that this guy is not a developer or system administrator. He doesn't know how a keylogger works, he is just one guy part of a big community of panels operators.
I understand that it's difficult to stop these criminals because of different countries law but we can maybe still make an effort on lame malware detection, no?

dimanche 26 novembre 2017

Rules #22 - Copypasta is made to ruin every last bit of originality

3 months since the last blogpost, it's time for an update \o.

By looking at some public sandbox feeds (ping @fumik0_) I've found an unusual patterns, reminding me old stuff:
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 GET -> rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 POST -> rpc2.gdn/start/inc.php/start/inc.php
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e GET -> rpc2.gdn/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e POST -> rpc2.gdn/start/inc.php/start/inc.php

This is a "rat" (I don't know the name) that uses TeamViewer for spying on victims.

Panel overview

Let's start with a usual panel overview.
The interface is very simple, main page (click to enlarge):

With that, the botmaster can see when somebody is connected to the infected machine or not, if he has webcam or mic and basics system information.
There was 125 bots in this CNC.
The only other page is a quick settings:

This is very basic but enough for spying on people.

Now look at the interesting part: the binary.


The sample came from email with an attachment named probably "invoice.js" (e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6) that drops the RAT via store4caroption-support.info/KKK.exe (0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e)

The sample is a big package used to deploy TeamViewer and the RAT in %APPDATA\WebNet\ as hidden files:

SensApi.dll (833ff902452e5fb10b39ef90c2f1ec96beb0d8d0486dc378eb07c10b3672276c) is the RAT controller.
A quick static analyze with PEBear show us that this dll as 4 exports:
  • Entrypoint
  • IsDestinationReachableA
  • IsDestinationReachableW
  • isNetworkAlive.
IsDestinationReachableA, IsDestinationReachableW and isNetworkAlive are just wrapper to sensApi.dll (the real one, note the rat :)

Before jumping into the EntryPoint let's have a quick look at the strings:
process call create "%s"
TV started from Admin!!!
This OS is not supported!!!
High (Always Notify)
Medium (Default Notification)
Low (Default Notification)
error args
Request successfully!!!
run error
closed. exitcode: %d (%s)
%s PID:%d%s
Elevated: %s
RunAsAdmin: %s
AdminGroup: %s
device is missing
device is available
Command not found!!!
Windows Server 2016
Windows 10
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Windows XP x64
Windows Server 2003
Windows XP
Windows 2000
Content-Type: application/x-www-form-urlencoded
Windows Core Services
resource DLL

This binary seems very verbose with some recurrent patterns like "!!!".
I don't think it's common for skid to deal with TeamViewer so before reversing let's have a look on Google if the dev hasn't copy paste some functions from stackoverflow.
By searching strings like "High (Always Notify)" I've found some matching source code from a curious Github account:


After looking deeper in this github account and in the RAT, it look like the RAT is a fork, or an update of the source code in the github account.
We can found a lot for similar functions: (click to enlarge)

The RAT execute commands from CNC via the function RunCmd() in main.cpp. There is the available cmd in both version:
setintervalSet new interval for CNC ping
setserverSet new CNC
setpassSet new crypt config password
killKill TeamViewer
runexeDownload and run exes
deldllDelete dll
rundllDownload and run dlls
rebootRestart PC
poweroffShut down PC
restartRestart Process
terminateKill process
mydirReturn current dir
adminadminIs process admin ?
tasklisttasklistSend tasks list
cmdwndcmdwndRun hidden cmd
cmdcmdRun cmd
uacRe-run itself elevated via wmic process call create
plugin_startDownload, copy as .tiff and run an exe
plugin_delDelete a file
webcamWebcam on/off
micMic on/off
As you can see, only a few commands are copied from the github code. The major modification are around dealing with elevated process / UAC (because the original code seems really old).

CNC communication

The in the wild rat seems to have a different way to communicate with CNC. It communicate over HTTP in plain text (The github version used obfuscated HTTP requests).
  • /includes/tasks.php - GET hwid=%s
  • /includes/act_user.php - POST hwid=%s&tv_id=%s&tv_pass=%s
  • /includes/inc.php - POST uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s

There is 2 domains as CNC: rpc2.gdn and num1.gdn


The Teamviewer part and the global architecture of the code are the same but that "in the wild" version looks like an updated light version.
This is a very basic malware but it work and it's very easy to use.

The Readme.md of the github version mention a forum post: http://ander-pub.cc/forum/threads/isxodniki-skrytogo-teamviewer.73/ that is actually down. If someone here has more information about this forum I'm very curious :)

Victims overview

In this campaign, crooks are targeting small company in different country (CN, AU, US, RU...).
I've found call centers, accounting etc.
Example of call center:

I don't think that victims are targeted by country but more by business or "money capacity"


I don't know if it's a fork or a copy pasta but i'm curious to know the story behind this malware and this campaign.

Code not packed, few victims, screencasting, all these stuff reminds me a targetted attack more than typical mass cybercrime.

Yara rules

Happy Hunting !

mardi 29 août 2017

From Onliner Spambot to millions of email's lists and credentials

Hey! It's time for another writeup about spambot.
Here I will explain how I have found millions of emails and credentials on a spambot server and why your creds can be in these databases.

I have written a lot about spambot on this blog for many reason. Spambots are often ignored by researchers and I don't understand why.
In a successful cybercrime campaign there are different parts, the final payload is important but the spam process is very critical too.
Some malware campaigns like Locky are successful also because the spamming process works well.
This case is a good example :).

Spam the world

As introduction, we will have a look at what is a spambot, why crooks use them and why they need huge list of credentials.
In the past, it used to be easier for attackers to send mass spams: they just had to scan the Internet to find vulnerable SMTP server (with weak passwords or in Open Relay mode) and use them to send Spams.
However, nowadays, it's more complicated. There are a lot of anti spam companies, products or firewalls. Most of the open relays are blacklisted and the attackers have to find another way to send mass spams.
Among the available options, I have seen 2 very common behaviour:

PHP Mailer

The most used tricks I have seen is to use compromised websites. For instance, this kind of spamming campaign has been used for a big Andromeda campaign.
The principle is simple:
  • The spammer hacks a lot (10k/20k) of websites (via well known vulnerabilities on Wordpress, Joomla, OpenCart or FTP/SSH bruteforce etc) or buy access to a lot of websites on a random shop
  • He uses these websites for hosting a PHP script in charge of sending emails.
  • He controls all the websites via a software or a web panel and uses them to send spam
Due to the almost infinite number of out-of-date websites on the Internet, it's difficult to blacklist every websites and it's really easy to use them for the spammer.

Malware spammer

The other common way to send spam is more brutal. Here, the attacker creates or buys a specifique malware used to infects people and send spams.
The more the attacker infects people, the more he can distribute spams through different IPs.
However, a random pwned Windows machine is not enought to send spam. For that, the attacker needs some email server (SMTP) credentials. This is where you can be concerned by Spambot :)

Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it :D
And it's the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.
Lets go through an example to see how attackers create SMTP credentials lists:

Credentials: Spambots gasoline

I will take as an example the Onliner spambot. This spambot is used since at least 2016 to spread a banking trojan called Ursnif. I have seen this spambot targeting specific countries like Italy, or specific business like Hotels.
Some emails example:
DHL notification:

Email targeting Hotel business:

If you're curious about this case, I have tried to give some details in 3 blog posts:
TL;DR: this malware, after infecting your machine, uses 2 modules:
  • A module in charge of sending spam
  • A module in charge of creating a huge list of SMTP credentials

To create the list, the attacker provides to the second module a list of emails and credentials like foo@bar.com:123456.
Then, the module tries to send an email using this combinaison. If it works, credential are added to the SMTP list. Else, credentials are ignored.
Thanks to free email services like outlook, gmail or your ISP, the attacker can suppose that a lot of people reuse the same password and use your outlook adress to send spam :)

It's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every passwords in clear text) but credentials can also came from phishing campaigns, credentials stealer malwares like Pony, or they can also be found in a shop. Somebody even show me a spambot with a SQL injection scanner which scan Internet, looks for SQLi, retrieves SQL tables with names like "user" or "admin".

Thanks to an open directory on the web server of the Onliner Spambot CNC, I was able to grab all the spamming data
It's composed of ~40GB of emails, credentials or SMTP configuration.
These data are composed of:
  • Huge lists of credentials like email:password (in clear text)
  • Huge lists of Emails to spam
  • Spambot configuration files
I have found around 80 millions credentials (unsorted, it's an estimation, I cannot deal with so big txt files).
One part (~2 millions) seems to come from a Facebook phishing campaign, those I have tested seems to be working and were not on HIBP.
Therefore, it's difficult to say where did your credentials come from.

Making emails lists like a pro

Inside all these data, we can see a lot of emails (used for sending spam to).
Because I have been following these guys for almost a year I'm able to explain how they built these lists.

After looking at the spambot logs, I have seen that it was used to send fingerprinting spam. What does this mean?.
Before starting a new malware campaign, the attacker used the spambot to send this kind of emails:
If you look at the email you will see that inside this random spam, there is a hidden 1x1 gif. This method is well known in the marketing industry.
Indeed, when you open this random spam, a request with your IP and your User-Agent will be sent to the server that hosts the gif. With these information, the spammer is able to know when you have opened the email, from where and on which device (Iphone ? Outlook?...).
At the same time, the request also allows the attacker to know that the email is valid and people actually open spams :).
This is an example of a classification script found on one Onliner spambot server:

Example of output :

As a reminder: DON'T OPEN SPAM!


If you're a malware researcher, it's time to look deeper in the spambot business. It's a creative market which interracts with a lot of other cybercrime business.
Around Spambot you will often found phisher, password stealer botmaster, website scanners, malware developers, dropper developers, payload hosters, and so on.
The way is maybe short between the lame Pony you have received last month in a stupid .ace archive and a spambot that spread Ursnif.


Some urls found in spam configuration files:
  • hxxp://
  • hxxp://21emb.com/IMG_0557.zip
  • hxxp://cielitodrive.com/2.docm
  • hxxp://cielitodrive.com/IMG_0557.zip
  • hxxp://dcipostdoc.com/3.docm
  • hxxp://fondazioneprogenies.com/1.docm
  • hxxp://fondazioneprogenies.com/IMG_7339.zip
  • hxxp://intesols.com/IMG_8026.zip
  • hxxp://jltl.net/IMG_8026.zip
  • hxxp://liyuesheng.com/Report_Bill_ID20039421.zip
  • hxxp://lopezdelaisidra.com/107490427.zip
  • hxxp://maikaandfriends.com/Report_Bill_ID20593601.zip
  • hxxp://mc-keishikai.com/Report_Bill_ID73086492.zip
  • hxxp://pacific-centre.com/IMG_8026.zip
  • hxxp://reliancemct.com/IMG_9647.zip
  • hxxp://resital.net/IMG_0557.zip
  • hxxp://speaklifegreetings.com/IMG_9647.zip
  • hxxp://tspars.com/087578952.zip
  • hxxp://usedtextilemachinerylive.com/IMG_9647.zip
  • hxxp://webtoaster.net/IMG_0273.zip
  • hxxp://whatisaxapta.com/5.docm
  • hxxp://womenepic.com/4.docm
  • hxxp://www.loidietxarri.com/Report_Bill_ID87793518.zip

Thanks to Hydraze for reviewing \o/

dimanche 20 août 2017

A third look at JSDropper/ursnif campaign - Proxy Statistics


I've already talk a lot about the Ursnif campaigns against EU and mainly Italy spreaded by a JScript (you know, the jscript that contacts /r6.php?cmd=p&id= / /l2.php?cmd=p&id= / /re.php?cmd=p&id= etc) but 6 months after my last blogpost, crooks are still working and I have enough data for some cool statistics.
For the last 6 months I've collected access.log logs of one proxy used by this botnet. I'll try to details that here.
There is no magic, I've just use Splunk :D

As reminding, this campaign is used to spread Ursnif like that:

In the same "Proxy server", you can found further "proxy scripts" (usually 1 script / campaign) and those scripts looks like :

So, I've retrieve access.log of one of these proxies and I've extract traffic relative to our case.


Some global statistics for 1 proxy:
From February 2017 to August 2017
  • Total number of hits on all the proxy scripts: 924 021
  • From 108 367 unique IPs
  • on 16 different PHP proxy scripts
Filename Hits First seen url Malware
/3E2s4R.php 610787 June Onliner
/re.php 137352 June JSDropper
term.php 121669 February JSDropper
l2.php 52288 February JSDropper
r4.php 1848 February JSDropper
/0iSP0c.php 7 June Onliner
/130D0G.php 7 June Onliner
/1AtJai.php 7 June Onliner
/HTsGeg.php 7 June Onliner
/J65oH1.php 7 June Onliner
/PaD8qo.php 7 June Onliner
/XI2jHR.php 7 June Onliner
/8QE2UX.php 6 June Onliner
/Xou0HC.php 6 June Onliner
/19pYvo.php 5 June Onliner
/LPQQLc.php 5 June Onliner
We can see 2 different cases:
  • Some PHP proxies are used in production
  • Some PHP proxies seems used for tests only.

Tests proxies

I'll start with the "tests proxies". I call them like that because they have only a few hits (~5) and all the hits on those pages are done by the same IP :]
This IP is not new in this game :), do you remember the white listing feature set in the spam bot panel ?
This IP was in list of allowed IP in the Spambot panel:

Proxy scripts are configured to forward traffic to hxxp://, it's Onliner Spambot, proably the testing instance.

Production proxies

Some details about each proxy scripts:


This one is my favourite.
The proxy records 610 787 hits on this file, from ~ 100 000 unique IPs and I'm unable to find any sample on public sandox.
This is a lot of hits if we think that these statistics concern only 1 proxy! It was used to forward the Spambot traffic to


This one was hit 137 352 times by 1335 uniques IPs. It is used to forward JSDropper traffic to
This Proxy was used for the JSDropper campaign "NEWIT" (Ursnif)
Interesting fact of this one: 51.28% of hits are done by the IP (Italy).
Some IOCs:
  • d5291865ff80cd7cc9f425a145351bb7234383f1
  • 67e1c342f6b41d163a6208b3ccebb991c0650473


Used to forward JSDropper traffic to
121 669 hits from 2259 unique IPs.
It was used for campaigns "WASP","iphone","summer","old", "u1", "NEWIT" and "404" (Ursnif)

Some IOCs:
  • hxxp://www.volf.de/term.php?cmd=e
  • hxxp://pajaje.borec.cz/term.php?cmd=e
  • hxxp://hotelsantantonio.com/term.php?cmd=e
  • hxxp://
  • hxxp://fb-arredamenti.it/term.php?cmd=e
  • hxxp://psymaster.wz.cz/term.php?cmd=e
  • hxxp://getting-reconnected.de/term.php?cmd=e
  • hxxp://ebkk.nl/term.php?cmd=e
  • hxxp://supercondmat.org/term.php?cmd=e
  • 2016dfb44f452adcdd96b7781fdfb581ac72b0f7392404805f08d57210d16ad9
  • a1bd385b59efe1be13da9e8a008e06a6fb6cc07acd2727be22d076c7a2b27155
  • 01853d1552ca4032e5fdc251cc92d57dffd5912411666c7842106d730ada09f4


Used to forward JSDropper traffic to 52 288 hits from 716 unique IPs.
This one is very old. I've logs from November 2016 for this scripts.
At this time they was not using campaign or group name, and they was using ... Ursnif.

Some IOCs:
  • http://191860.webhosting63.1blu.de/l2.php
  • http://454391.webx04.mmc.at/l2.php
  • http://ballettschule-nottuln.de/l2.php
  • http://edle-steine.at/l2.php
  • http://enmoto.com/l2.php
  • http://evastrutzmann.at/l2.php
  • http://evi-verein.at/l2.php
  • http://fioravanti-production.org/l2.php
  • http://friesl-keramik.at/l2.php
  • http://ftp.dimensionevideo.it/l2.php
  • http://ftp.italiabrowsergame.com/l2.php
  • http://getting-reconnected.de/l2.php
  • http://gunnebo.eniac.it/l2.php
  • http://hobbygartenteich.at/l2.php
  • http://hotelsantantonio.com/l2.php
  • http://humanitas-gbr.de/l2.php
  • http://jambasket.com.hk/l2.php
  • http://juwelier-hohenberger.de/l2.php
  • http://katstones.de/l2.php
  • http://lklv.wz.cz/l2.php
  • http://mauriz.at/l2.php
  • http://meindl-edv.eu/l2.php
  • http://nr11303.vhost-enzo.sil.at/l2.php
  • http://pajaje.borec.cz/l2.php
  • http://patrickhess.de/l2.php
  • http://pferdemedizin-stanek.at/l2.php
  • http://portoverde.it/l2.php
  • http://positivemindstates.com/l2.php
  • http://psymaster.wz.cz/l2.php
  • http://reimer-wulf.de/l2.php
  • http://sca.homelinux.com/l2.php
  • http://spatialpourtous.com/l2.php
  • http://supercondmat.org/l2.php
  • http://tennis-arnfels.at/l2.php
  • http://tischlerei-kreiner.at/l2.php
  • http://umzuegeberlin.com/l2.php
  • http://www.diamondfitness.hu/l2.php
  • http://www.drogenhilfezentrum.de/l2.php
  • http://www.dtk-brandenburg.de/l2.php
  • http://www.elektro-morjan.de/l2.php
  • http://www.kurzhaarteckel-trakehner.de/l2.php
  • http://www.midnightlady2006.de/l2.php
  • http://www.msinformatica.it/l2.php
  • http://www.seelackenmuseum-sbg.at/l2.php
  • http://www.skyways-ragdolls-zwergspitze.de/l2.php
  • http://www.teeversand24.net/l2.php
  • http://www.valentinavalsania.it/mdb-databases/cgi-bin/l2.php
  • http://www.webstream.at/l2.php
  • a10cd296e3f58fe329bbff6edaf0bdbb1f9099a088b7a5cede583dda09dd7cf2
  • 5add967a8dc9d7669e7d8da9882329600874b3a35d2a8f087820438ae112cecd
  • fbfe6048514c7fc944c0f56a480d8c4963fce9018b5d3ae8cf39c5840979930c
  • 9a44ff53471012328a3b167c149ed71c2e82b117de8f9463f5773b5b4f5cc7b6
  • 0bf1c1b457818bf7acb6eda33b0f8eb6e9ce026aee620707f6b4e4b58a2e77d0


And the last one: r4.php.
1884 hits by 302 IPs. Used during the campaigns "mk1" "mk2" "bomber" and one with no name ""
Some IOCs:
  • hxxp://191860.webhosting63.1blu.de/r4.php?cmd=e
  • hxxp://werbekalender-werbenotebooks.de/r4.php?cmd=e
  • http://positivemindstates.com/r4.php?cmd=e
  • di000240.host.inode.at/r4.php?cmd=e
  • http://patrickhess.de/r4.php?cmd=e
  • c827511b425cbc91faf947f1c3d309db3dde7419fe8c892380a03c71b5196e0e


This threat start to be very noisy, they continue to spread malware always in the same way.
If somebody who's reading this works on the Ursnif part, don't hesitate to ping me I'll share my data :]

I hope that this example can help you to better understand cybercrime threats. Happy hunting \o/

mercredi 16 août 2017

Quick look at another Alina fork: XBOT-POS

Edit: In fact after looking at the sample it's a pure copy pasta of Tiny Nuke :) - cd025523e3aec57f809552b9d1adc4b89526cc632f6d4c481aa2c8c3501dda6b

Hi, it's time for a new post. Today I'll try to have a look at the "Team NZMR"
I've found this funny team by hazard on Twitter via the bot @ScumBots I would like to write this little blog post because I think that this is interesting to see an Alina panel behind a .onion domain and as you can see later, I like look at some weird panels :D.
Let's have a look on this server.
As we know, we have an Alina (Well known POS malware) panel at thzsmrjqqzpaz2mz.onion.link/al/loading.php.
Samples: 26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe)

In the same boring way, we can found:
  • a Fareit/Pony panel at https://thzsmrjqqzpaz2mz.onion.link/pn/admin.php (I don't have sample)
  • an Atmos at https://thzsmrjqqzpaz2mz.onion.link/at/cp.php :
    Sample e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (https://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe)

    Thanks to CCAM we can get 2 new servers used by this team:
    • http://netco1000.ddns.net/at/file.php
    • http://22klzn6kzjlwlmt2.onion.link/at/file.php
Those guys really want your creds and your credit card numbers :D

They also try to deal with ransomware (NZMR Ransomware) at https://thzsmrjqqzpaz2mz.onion.link/ed2/ without success...

But I've write this quick blog post for the last panel,
Let me introduce you XBOT panel \o/: https://thzsmrjqqzpaz2mz.onion.link/panel/
(click to enlarge)

The bot ad:
Selling xbot ,new bank trojan -- Modules -- Webinject -- Formgrabber -- Socket4/5 -- Hidden VNC
New bot bank xbot is available for rent (800$/monthly) -- server on tornetwork/clearnet
Customized programming service and web developer/c/c++/Python/NET/others
Team Coder/NZMR
xbot costs 3k $ modules available >webinject -- formgrabber -- Socket4/5 -- Hidden VNC
When buying xbot what do you get?
You will get the builder,bin/exe+socket.exe/server.exe hvnc
[+] - Free installation on your server in tornetwork or clearnet, you choose
[+] - monthly support paid 100 $ (you choose,with or without support)
[+] - Update bot for new version 400 $
[+] Rent xbot
Panel access (Clearnet/Tornetwork)
Bin (exe)
800 $ monthly (First 6 customers, others 1k $)
Support monthly 100 $ (btc)
I don't have any sample yet but if you have one, i'm REALLY interrested :D.
Thanks to Xylitol this panel looks like a mix between Alina and Dexter. For example the URI scheme "/front/stats.php", the successstatuscode 666 or this page "Version Control":

This panel looks designed for Banking stuff (webinjects) and POS malware.
From XBOT panel you can DL/Exec, Start VNC sessions, socks sessions and update bots:

We can also found some strange "webinjects" stuff:

where "view content" leads to these kinds of data:

Some settings (look at the Alinas 666 status code):

You can also add some bins in the panel database. Currently, they have 8472 Bins in the database.
And finally the bot lists (~600 bots if I trust the bots list).

I've uploaded the whole list of bots on this album. Ping me if you're on the list :D I'm really curious to see the binary part
And finally the database structure reminds again Alina: By this way we will find soon more Alina forks than Zeus forks \o/

So, NOPE! it's not a super new next gen POS malware, it's just another Alina Fork :D but this webinjects part looks curious :) and the team seems very active.
But come one, 3k$ for open sourced malware haha...

Thanks for your time, thanks to Xylitol and happy hunting :)


http://thzsmrjqqzpaz2mz.onion.link/al/Spark.exe (Alina) http://thzsmrjqqzpaz2mz.onion.link/payload.exe (Neutrino) http://thzsmrjqqzpaz2mz.onion.link/at/files/us.exe (Atmos) http://22klzn6kzjlwlmt2.onion.link/al/Spark.exe (Alina) http://22klzn6kzjlwlmt2.onion.link/al/payload.exe (Neutrino http://22klzn6kzjlwlmt2.onion.link/al/files/us.exe (Atmos) http://netco1000.ddns.net http://netco400.ddns.net/Dia (Gorynch) http://netco400.ddns.net/at/(Atmos) e34720cc8ab3718413064f19af5cc704e95661e743293a19f218d3b675147525 (atmos) 26aa9709d0402157d9d36e4849b1f9bacecd8875169c7f26d7d40c5c0c3de298 (Alina) 8a62f61c4d11d83550ab4baceb9b18d980a4c590723f549f97661a32c1731aff (neutrino)

dimanche 28 mai 2017

Feedback on how build SMB Honeypot


During the painful "Wannacry weekend" I've received a lot of message asking for help to create a SMB Honeypot.
I'll try here to explain how I've create mine.
It's 2017 but it looks like it's useful to remind that Honeypot are really useful.
I've read a lot of papers about Wannacry variants during the wannacry crisis, but I've never saw them in the wild. A lot of trolls has uploaded patched versions of the w0rm in Virustotal and has waited for the first paper about a new variante....

This post will not explain all the steps for building a Honeypot but it will try to give some tips and ideas.

Exposing port 445

So, we need to create a honeypot for monitoring SMB network and catching Wannacry in the more automatical way possible.
First of all let's try to expose port 445. In many countries, it's really complicated to expose SMB over the Internet \o/!

My first try was to install a Windows VM with a shared directory (Windows 7 x64 because it's a very used OS in corporations, and hey we're in 2017, people uses 64bits OSs), and configure NAT rules in my home router:
+--------+          +----------+          +----------+
|Internet|---445--->|homerouter|---445--->|Windows VM|
+--------+          +----------+          +----------+
I've obviously disable Windows Firewall and Windows Defender but when I've try to nmap the 445 port the port was always filtered:
Host is up.
445/tcp filtered microsoft-ds
After some tests with Wireshark it apears that my home router allows incomming packets on port 445 but blocks outcomming packets.
I've reproduce this behaviour on French ISPs (SFR, Numericable, Orange), French hoster OVH, UK ISPs and some Digital Ocean VPSs
Due to this, we have to bypass this hard coded Firewall rules. It's realy easy, we just have to forward SMB packets to another port than 445. But for that we need 2 other machine. One for forwarding incomming SMB packets to another port and the other for forwarding outcomming packets:
+--------+     |  
              +---+         +----------+
              +---+         +----------+
                                |       +---+        +----------+
                                +-5555->|Rpi|--445-->|Windows VM|
                                        +---+        +----------+
You need a few iptables rules (sorry in advance, I'm not an iptables Jedi \o/).
In the exposed VPS:

iptables -t nat -A PREROUTING -p tcp --dport 445 -j DNAT --to-destination HOME_ROUTER_IP:5555
iptables -A FORWARD -p tcp --dport 445 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

and for the RaspberryPi config:

iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination WINDOWS_VM:445
iptables -A FORWARD -p tcp --dport 5555 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

By this way, the 445 port of our Windows VM is ready to be pwned.
To accelerate the pwning rate, I use many cheap VPSs around the world (I've used DigitalOcean, 1&1, HostAfrika...)
+--------+     |  
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
              +---+               |
                                |       +---+        +----------+
                                +-5555->|Rpi|--445-->|Windows VM|
                                        +---+        +----------+                           
The big limit of this configuration is when the packet is into our Windows VM, the source IP is losted due to the iptables forwarding.
In my case I capture traffic on VPSs and retrieve pcaps via this trick (thanks to Kafeine :D)

Monitoring the endpoint

Because there is a lot of other malware than Wannacry it's important to monitor our Windows.
For that, you have a lot of tools available; ProcMon is a good candidate, it's easy to run it and collect pmon trace automatially with the command line, for example here, you can launch it and save a pml trace:
pmon.exe /AcceptEula /Backingfile C:\pmon.pml
To stop procmon, run it like:
pmon.exe /Terminate
There is a lot of solution for the behaviour part, you can use etw traces, Event viewer...
The hardest part is to collect files dropped into our Honeypot.
I think that the better way is to use Minifilter, you can intercept writed PE files and save them in a specific location. There is an almost ready to use example in the WDK.
You can also hook WriteFile API in userland but it's easily bypassable.

Just for fun you can even retrive writted files and a lot of cool information without developping tool, just with the very painfull powerfull debugger Windbg \o/.
The idea is to use Windbg as kernel debugger, break on each nt!ntWritefile, and save Buffer parameter :D.
But you can do more! Dumping lsass memory on each attack for example :) Oh, yes, forget about perf here :D it's for fun
You have 2 options: the native diabolic scripting language of Windbg or the awesome python interface pykd
Here I'll use pykd :)
Download VirtualKd and install it into the VM (copy the "target" directory and run vminstall)
Run vmmon before restarting the VM, on the next boot Windbg will pop.

Press f5 and let Windows boots. When Windows is ready, break into Windbg (ctrl+pause).
Now we can do everything we want. For example let's try to dump the memory of lsass (usefull for fileless attack :) ) By dumping lsass memory you can even easily extract the payload binary :).

For that, load pykd extension into Windbg via:
.load pykd
And create your python script as you want.
A dirty example here:
Finally, choose on wich action you want to break on Windbg, here we'll dump lsass each time it try to write a file:
bp nt!ntWriteFile "!py C:\smbhoneypot\dumper.py;g"
Here we go, you are abble to collect a memory dump of lsass eatch time it was exploited to drop someting!

From now you can extract just the buffer of ntWriteFile, you can break on the vulnerability itself and trace execution etc. Plug your brain and be creative !

It's quick to do, it's easy and it allow you to collect a lot of useful data.

Cleaning your honeypot

Another important point is to manipulate Virtual machine. For that you have a lot of tools availaible.
In my case, I use VMWare on Windows. VMWare has a useful tools called vmrun, with it you can power on ,power off,revert snapshot, retrieves files from VM (like a pmon trace), run command in VM, list files... etc
Some command line example:
create snapshot:
vmrun.exe-T ws snapshot c:\VMs\honeypot.vmx snapshot_name
revert snapshot:
vmrun.exe-T ws snapshot revertToSnapshot c:\VMs\honeypot.vmx snapshot_name
run program in guest:
vmrun.exe -gu windows_user -gp windows_pwd runProgramInGuest \
                              c:\VMs\honeypot.vmx -activeWindow \
                                 -interactive -noWait program.exe
get data from guest:
vmrun.exe -gu windows_user -gp windows_pwd copyFileFromGuestToHost \
                              c:\VMs\honeypot.vmx -activeWindow \
                                c:\guest\auto_run.txt c:\host\auto_run.txt
There is similare tools for every hypervizor.


Last point: don't forget store all the data. Store everything you can, even if you don't know yet what to do with these data.
Date, IPs source, memory dump, sample etc These data are gold mine.
You can found a lot of python lib for parsing pcap, you can export windbg output, you can graph your pmon traces with tools like ProcDot, forward your data in Kibana dashbords etc.


This kind of infrastructure cost me around 30€/months for VPSs + 30€ for a RaspberryPi so less than 500€ by year for having a look at what happening in the wild, Having data, making stats, start some investigation etc :)

This kind of project are awesome because you have to deals with network, system, a little bit a dev, databases etc. You can even use this kind of honeypot for learning forensic for example!
I strongly recommand to every people who want to learn malware hunting to build honeypots, on many services and on different countries.
Of course you cannot catch advanced attacks with honeypot, but you can catch interresting malware with RDP or VNC honeypots for example


Some link that can help you:
Tracing API call in Python: Fibratus
Example of how deal with pcap in Python
memdump tools from CCT
File System Filter Driver Tutorial
WinDbg cheat sheet
Using vmrun to Control Virtual Machines
Make ETW Great Again. - Ruxcon 2016
HONEY ? Where is my POS - Botconf

jeudi 16 mars 2017

Hancitor panel overview


These weeks I've read a lot of tweets about hancitor. Hancitor is even in the CheckPoint "top 5 Most Wanted malware" (¯\_(ツ)_/¯).
You can read a lot of good stuff about the Hancitor/Fareit/Vawtrack/H1N1 gang, binaries reverse, proxy infra... but nothing about Hancitor web panels. So, I've write this (very) quick blogpost to show the attacker point of view :]

Since admin has activated White-listing, it seems that it's not possible to access to the web panel via the Nginx Proxy. When you try to access to a page admin.php or panel.php etc, proxy returns a 403 error. For accessing the panel, you have to find the real IP behind proxies.

Before the white-listing system, it was possible to access to Hancitor CNC due to a lot of vulns. Because these vuln are patched today, it's time to disclose some stuff. Let's have a look at this dropper C&C.

Bypassing authentication

When you want to access to a page, the panel developer checks if the user is authenticated with this kind of code:
This is an old school kind of vulnerability \o/. They don't use an "exit()" after the header function.
When you browse the page with a browser like Firefox, you are correctly redirected to google.com, however if you grab the page with CURL or WGET the header function is ignored and... all the PHP code is executed :).

Here we go, the panel is composed of 4 parts:


This is the main page, with some data about infected hosts.


This page is used for sending commands to the bots. You can send commands to a specific group of bots or to a specific location.
The available commands are:
  • Download and Run
  • BOT Start
  • DLL Load
  • EXE Load
  • Uninstall
  • Load Config
  • Update
Two interesting facts: There is an "uninstall" command and if you send the correct POST request to the page commands.php, without authent', it works :)


This page is used for the password stealer module. I've never seen this feature used. It's maybe due to the fact that this gang use Fareit for stealing passwords...


And finally the statistics page, you can found online/Online in the last 12 hours/offline and create a new group of bots.
Thanks to a SQLi we can see that the database structure is:

As you can see, this super evil malware has a very basic CNC.
Some articles about this threat:
I hope that this quick post can be useful for somebody