Posts

Showing posts from October, 2017

Knock Knock Knocking on EhDoor (The Curious Case of an EPS file)

INTRODUCTION

This all started with the great analysis and blog post published by RSA in August 2017 about a phishing wave targeting Russian banks. This was followed by another great blog post by McAfee on the same subject, but my focus will be on a specific aspect mentioned in the RSA blog: the exploit used.

“FireEye discovered a malicious docx exploiting a zero day vulnerability in Microsoft’s Encapsulated Postscript (EPS) filter, in the summer of 2015. This EPS exploit was assigned CVE-2015-2545. In March 2017, FireEye observed both nation state and financially motivated actors using EPS zero day exploits assigned as CVE-2017-0261 and CVE-2017-0262, prior to Microsoft disabling EPS rendering in its Office products with an update in April 2017.”

PART 1 - ADDITIONAL SAMPLE RELATED TO THE PHISHING CAMPAIGN

One thing I took from the analysis done on the samples from the RSA blog was the name of the EPS file, which was “image1.eps”. If you take that and search it, one of the results ha

Continued Activity targeting the Middle East

This blog post will discuss and uncover additional details regarding a recent campaign targeting entities in the Middle East.

On Tuesday, September 26, 2017, MalwareBytes blogged about a phishing campaign targeting the Middle East, more specifically Saudi Arabia. I started by trying to find the sample that the blog post analyzed, and I was able to find it submitted to the great sandboxing site Hybrid Analysis (big shoutout to @PayloadSecurity for the great service). The file (b0a365d0648612dfc33d88183ff7b0f0) was named GSB[.]doc, which is short for Government Service Bus, or in Arabic قناة التكامل الحكومية, as seen below.

The lure document purporting to be from GSB or تكامل

Looking at the macro code within the document, I found that the code doesn't only try to get additional scripts from pastebin but also tries to reach the filebin site to fetch the same file, as shown below after doing some cleanup on the code.

Moving on, I wanted to try an