We can utilize Carbon Black Investigate feature to see if there’s any malicious npm library been installed in our environments. Here’s the query to do that:
Search for effected coa & rc library versions:
(filemod_name:\coa-2.0.3* OR filemod_name:\coa-2.0.4* OR filemod_name:\coa-2.1.1* OR filemod_name:\coa-2.1.3* OR filemod_name:\coa-3.0.1* OR filemod_name:\coa-3.1.3* OR filemod_name:\rc-1.2.9* OR filemod_name:\rc-1.3.9* OR filemod_name:\rc-2.3.9*)
Search for possible C2:
netconn_domain:pastorcryptograph[.]at
IOC:
• pastorcryptograph[.]at
• sdd.dll from coa - SHA256: f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
• sdd.dll from rc - SHA256: 26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
• sdd.dll - SHA256: 687a401007c29ee595004d93c4dd5de6c5c9f86f811f8e1d9f1ad1962507cd65
Recently, I encountered incident where several hosts been infected by < █████████ >. So, to investigate this incident, we received bunch of logs to be analyze; mostly Linux related logs.
I’ve been thinking.. What if the host has been successfully brute-forced? How can we identify it?
In Linux, there are several logs that we can refer that contains authentication logs for both successful or failed logins, and authentication processes. Location & names of the logs varies; depending on system type. For Debian/Ubuntu, the logs located at /var/log/auth.log. For Redhat/CentOS, the logs located at /var/log/secure.
There are 2 more logs that we can refer; – /var/log/utmp: current login state by user. – /var/log/wtmp: record of each user login/logout.
So, what if we write a script to quickly go thru those mentioned logs & identify the culprits? Probably we can find out if our host has been successfully brute-forced.
Introducing.. Break-In Analyzer – A script that analyze the log files /var/log/auth.log (for Debian based systems), /var/log/secure (for RHEL based systems), utmp/wtmp for possible SSH break-in attempts. – https://github.com/zam89/Break-In-Analyzer
The output result will be written into text file; stored into folder named output. Inside the folder will contains file named: – auth_output.log – secure_output.log – utmp_output.log – wtmp_output.log
So, you must been wondering; how can I validate these IPs? whether they are harmless or not? Well, to do that, we can use AbuseIPDB to quickly see each of IP reputation; either they’re clean or has been reported due to malicious activity.
In this example, I’m using AbuseIPDB Bulk Checker from – https://github.com/AdmiralSYN-ACKbar/bulkcheck. This tool can perform bulk checking of IPs towards AbuseIPDB website. *Just a side notes: it require API key from AbuseIPDb. You can get it for free by registering on the website. Its limited to 1000 request/IPs per day.
So, I’m checking 203 IPs that we got from Break-In Analyzer script output (after removing duplicated using Excels) on AbuseIPDB if there is any records for those IPs. After the check completed, the result shows something like this:
AbuseIPDB Bulk Checker result
If you filter out by abuseConfidenceScore (removing score 0), you’ll see there are 3 IPs that having kinda high confidence score. The higher the score, the more chances the IP marked as malicious – meaning that the IP has been reported multiple times related to malicious activities.
Next, we cross check with our Break-In Analyzer outputs to see where did these IPs located on the logs. Or you can cross check directly with your logs. To do that, run command as below:
Carbon Black query that can be use to detect if any MSHTML RCE happened (probably need to be refined more):
((process_cmdline:control.exe AND ((process_cmdline:*.inf AND process_cmdline:AppData) OR (process_cmdline:*.cpl AND process_cmdline:../)) AND -process_cmdline:*\icedrive\*) OR ((hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (parent_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR parent_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52) OR (filemod_hash:6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B OR filemod_hash:938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52)))
Search if any assets making connections towards IOCs (known IOCs as of 9 Sept):
netconn_domain:joxinu.com OR netconn_domain:pawevi.com OR netconn_domain:macuwuf.com
According to the article, it was known as “Compilation of Many Breaches” (COMB). This data was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak contains email and password pairs.
Inside the data dump, it was structured something like this:
So I’m wondered… What if we extract either email or password only from all those files? We can maybe create a password list from that. Or we can analyze the password trend. See what’s the top password being used & stuff.
So… We’re not going thru all hundreds of files which total up 100GB+ to extract the password manually… That’s crazy ma man!
To make it easier, I’ve created a Python script to extract the password from all dump file recursively. The code as below:
#!/usr/bin/env python
import os
from timeit import default_timer as timer
from datetime import timedelta
inputfile = "/Desktop/test/data" #change this to your dump files locations
outputfile = open("extracted_password.txt", "w")
print("\nStart extracting...")
start = timer()
for path, dirs, files in os.walk(inputfile):
for filename in files:
fullpath = os.path.join(path, filename)
with open(fullpath, "r") as f:
#print(f.read())
for line in f:
email, password, *rest = line.split(":")
outputfile.write("%s" % password)
#print(password, end='')
outputfile.close()
print("Finish!\n")
end = timer()
print("Time Taken: ", end='')
print(timedelta(seconds=end-start))
Save the code above & run the script:
$ python password_extractor.py
It may takes some times depending on your hardware resources and dump file size. You should see output something like this after the script completed execution:
When completed, you should see a new file named “extracted_password.txt” being created. Inside it contains all the password from all dump file; consolidated into 1 single big ass file.
Now we can start analyzing the password pattern. We can use this command below to see what’s the top 10 password:
$ time sort extracted_password.txt | uniq -c | sort -bgr | head -10
F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.
After it finished, it will create a file named memory.vmem.
There you have it. So you can start doing your memory analysis using volatility if you want.
For example, here we’ll be using volatility in order to find out the profile for which .vmem is created.
$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/memory.dmp)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf800028530a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002854d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-12-23 17:42:50 UTC+0000
Image local date and time : 2019-12-23 11:42:50 -0600
This server is trying to get us to run some calculations but it's just too fast for us. Can you work out a way to solve this?
Domain: cgames-nm02.allyourbases.co Port: 9010
Let’s try connect to the domain & port given via netcat
Hmm. There’s mathematic question that we need to solve. But we’re too slow on solving it..
What if we create a bot to solve those question?
import pwn
import re
host, port = 'cgames-nm02.allyourbases.co', 9010
session = pwn.remote(host, port)
while True:
try:
what = session.recv(1024)
questionrm = (what.replace('=','')) #remove =
print "Q: " + questionrm
math = eval(questionrm)
math_str = str(math)
print "AS: " + math_str
print session.sendline(math_str)
print session.recvline()
except EOFError:
print('Done!')
break
session.close()
