Posts

POWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE & TWITTER

Image
INTRODUCTIONThis post will discuss an ongoing campaign that have been operational since at least August 2017. The post will look into the delivery of the malware, some analysis on the payload, and some additional insights in relation to the campaign. It is by no means a full in depth analysis of the malware and all it's functionality. 
LAWYER UP!!This all started with a tweet by the AWESOME Jacob Soo (@_jsoo_) whom I recommend you go and follow if you are interested in analyzing malware and tracking different threat actors. The sample is a ZIP file titled "Dubai_Lawyers_update_2018.zip" and the archive contains two LNK files that are perpetrating to be PDF files. The actors in this case borrowed couple of files from the British Embassy site and used them as decoy documents to lure victims into believing that these files are in fact legitimate. https://assets.publishing.service[.]gov.uk/government/uploads/system/uploads/attachment_data/file/754075/Dubai_List_of_Lawyers_-_Nov…

PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions

Image
INTRODUCTIONThe great people at ClearSky reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater. 

They suspected so because the sample had some similarities with the way MuddyWater lures look like and some similarities in some PowerShell obfuscation, in specific the character substitution routine.

However, after analyzing the sample and investigating it more, I was able to showcase that this is indeed something different but nonetheless interesting. This blog is a walk through my analysis and will highlight initial insights into this potential attack.
THE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELLThe sample that was shared with me is a macro laced word document called "Egyptairplus.doc" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embedded in the document to ultimately run a PowerShell command: "powershElL -EXEC bypAS…

Clearing the MuddyWater - Analysis of new MuddyWater Samples

Image
INTRODUCTIONIt has been over 2 months since I last wrote about MuddyWater or Temp.Zagros as named by FireEye. To be honest, I felt they were going quiet for a while; but boy was I wrong. Starting this week I have picked up some new interesting samples. Although these new samples have lots of similarities with the ones from earlier in the year, there are still some interesting aspects and additional, you guessed it, obfuscation used in the new samples. Their heavy focus on layered obfuscation and preference for PowerShell is still apparent. However, I will highlight what changed based on the samples that I have analyzed.
Below are screenshots of some of the recent lure documents used by this group. All Hashes are at the end of the blog.

You can see from the above screenshots that their targeting seem to continue to focus on the Middle East Region (Turkey and Iraq) and Pakistan. As mentioned in my previous blogs, these lures can give us an idea of the organizations and industries that mig…