2018-07-07 Remcos Malspam

A quick write-up on this Remcos malspam. Some other previous entries that I have done about Remcos can be found below:
http://www.herbiez.com/?p=1106
http://www.herbiez.com/?p=1073
All the emails seem to come from the sender info@yusheng-wiremesh.com with the subject of “Returned Funds fort Invoice DFER4567 July Despatch.” The malspam also comes with an ACE attachment that, when extracted, gives us the following binary: “Returned Funds fort Invoice DFER4567 July Despatch.exe.” A quick glance at some of the emails shows that they are all being sent from this IP address: 185.163.111.81, which has an rDNS entry of “sv2.sendomail.eu” out of Romania. One thing…

2018-06-20 Formbook Malspam

For this post, I was able to find some Formbook malspam within the email filters. Formbook malware is considered to be a data theft/form grabber with some other add-ons under its tool belt. Based on the following deep dives into Formbook from FireEye (http://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html) and ThisIsSecurity (http://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/), this malware sample follows the patterns described pretty closely (pay particular attention to the process injection section from FireEye). The email itself was about an invoice that needed to be reviewed. There was a RAR file as an attachment which, uncompressed, showed there was an EXE file inside. This is the file that…

2018-06-08 LokiBot Malspam

For something different today, I found some DHL-inspired LokiBot malspam in the email filters. LokiBot is considered an information stealer, as it looks through the system for any credentials that it can grab. As Brad mentioned in an older SANS ISC blog entry, the emails that LokiBot uses vary and do not seem to follow any kind of pattern. The pattern is noticeable when you look at the infection (this will be discussed later). In the meantime, if you want to read a great detailed article/breakdown on LokiBot, check out this paper from Rob Pantazopoulos via the SANS Reading…

2018-05-29 More Emotet Malspam

Quick post for today. Looks like some more Emotet maldocs. As usual, these two dealt with an invoice of some sort. While the sender is not the same in both instances, and the hashes of the attachments are different as well, they both end up using the same URLs to download the malicious binary. For the artifacts, please see my Github repo for this here.

IOCs:
=====
150.95.224.218 / fotofolly[.]com (HTTPS)
177.185.192.135 / maisbrasilphoto[.]com.br (GET /yWEiMr/)
74.139.102[.]161 (HTTPS)

Artifacts:
==========
File name: Payroll[1].doc
File size: 120K
File path: NA
MD5 hash: 9166fbf7ad1ab5c1a5e23aa985f20d98
Virustotal: http://www.virustotal.com/#/file/4042cf05a1f96d50cae7d92bb912250ca2ef91b205a119e111ce7065e3ebde13/detection
Detection ratio: 26 / 58
First…

2018-04-21 “TOP URGENT//: REQUEST FOR QUOTAION” Malspam Leads To CVE-2017-11882/Possible Remcos Infection

Yesterday, while looking for some malspam, I came across some emails that used the CVE-2017-11882 exploit, which leveraged an AutoIT script to launch the Remcos keylogger process, which in turn used some anti-sandbox techniques as well. For some more information about the CVE, please see the following links:
http://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882
2018-02-17 REMCOS RAT FROM MALSPAM
And some similarities to this post as well: 2017-06-23 LOKI BOT MALWARE USING CVE 2017-0199
Most of the activity from this infection was on the host, and not much at the network level from what I was able to determine. All the artifacts found from this investigation…

2018-04-20 Pony/Fareit Malspam

Found some malspam that looks to be Pony/Fareit related. Generally speaking, Pony/Fareit deals with credential stealing, varying from FTP to email clients and any other credentials that it may be able to obtain. The results that I got from my VM are different from what I got from Any.Run and Payload Security. For example, on my VM it did not reach out to the “myrfrers[.]com” domain, nor did the Any.Run sample try to reach out to the “pornhouse[.]mobi” domain. I also did not see anything from the limited run of ProcMon relating to any FTP sites, or anything trying to obtain…

2018-03-09 Emotet From Malspam

A quick post today for some more Emotet malspam that I was able to find. Nothing really special about this one, with the exception of it using punycode for the URL. Outside of that, this is pretty much the standard old Emotet infection that most have seen. I did notice, though, that my run of the maldoc and the run used within Any.Run resulted in a somewhat different chain. Maybe the difference between Windows 7 x32 and x64 bit. At this time I am not sure. As usual, artifacts and such can be found via my repo here.

IOCs:
=====
…

2018-02-17 Remcos RAT from malspam

Earlier this morning I came across some emails that had a subject line that caught my attention. They were all from the same sender, and all of them had the same maldoc attached to them. From what I can tell, this looks to be related to the REMCOS RAT as documented by Fortinet here. The interesting tidbit with this one was the fact that it was keylogging and also taking screenshots of my desktop from time to time. As usual, for any of the PCAPs, ProcMon logs, and artifacts that I managed to capture, check out the Github…

2018-02-16 Emotet Maldoc

Here is a quick writeup for another Emotet maldoc that I saw. Unfortunately I did not get a copy of the email, but it did have a link in it which led to the maldoc. There were two things in this sample that I saw that were different: 1) no communications over TCP port 8080, and 2) the POST actually returned a status 200 and not the usual status 400. Outside of that, this was pretty much the same Emotet that I have seen in the past. Nothing over how to walk through the script this time outside of a…

2017-11-17 Maldoc Using CVE 2017-0199

This is a quick writeup on some maldocs that I was able to find in our email filters that used CVE-2017-0199. The emails had the same attachments in them (from a hash perspective), which were a Word document and an Excel spreadsheet. The Word document had a hidden OLE object, while the Excel spreadsheet had the hidden OLE object on the 3rd tab in the spreadsheet. Both of these Office documents would reach out to a malicious domain and grab the HTA file, which would then have code in it to go and download the actual malicious binary…
