Posts

HOW DO YOU LIKE DEM EGGS? I LIKE MINE SCRAMBLED, REALLY SCRAMBLED - A LOOK AT RECENT more_eggs SAMPLES

BACKGROUND The topic of this post has been covered quite well over the past few years: some analysis has focused on the human element and the actors behind the tools, other analysis has attributed the activity to different groups, and some has focused on the malware and the final payload. This blog will focus only on some recent samples related to what I think is more_eggs, my attempt at analyzing them (successful or not, I will let you be the judge of that), and some questions I have. I won't be discussing attribution or providing my thoughts on it in this blog.

HIGH LEVEL ANALYSIS OF SAMPLES This all started with a tweet - https://twitter.com/jaydinbas/status/1633063201607675909?s=20 File Name : Axiance_Full_Reports[.]zip Hash : 631f92c9147733acf3faa02586cd2a6cda673ec83c24252fccda1982cf3e96f6 The file is a ZIP archive that includes an LNK file and a JPG. The LNK, as you would expect, contains obfuscated code consistent with these types of campaigns. && c!QlGg!!dFsw!

POWERSING - FROM LNK FILES TO JANICAB THROUGH YOUTUBE & TWITTER

INTRODUCTION This post will discuss an ongoing campaign that has been operational since at least August 2017. The post will look into the delivery of the malware, some analysis of the payload, and some additional insights on the campaign. It is by no means a full in-depth analysis of the malware and all its functionality.

LAWYER UP!! This all started with a tweet by the AWESOME Jacob Soo ( @_jsoo_ ), whom I recommend you go and follow if you are interested in analyzing malware and tracking different threat actors. The sample is a ZIP file titled "Dubai_Lawyers_update_2018.zip", and the archive contains two LNK files purporting to be PDF files. The actors in this case borrowed a couple of files from the British Embassy site and used them as decoy documents to lure victims into believing that these files are in fact legitimate. https://assets.publishing.service[.]gov.uk/government/uploads/system/uploads/attachment_data/file/754075/

PRB-Backdoor - A Fully Loaded PowerShell Backdoor with Evil Intentions

INTRODUCTION The great people at ClearSky reached out to me a couple of days ago regarding a sample that they suspected could be related to MuddyWater. They suspected so because the sample had some similarities with the way MuddyWater lures look and some similarities in the PowerShell obfuscation, specifically the character substitution routine.

MuddyWater Sample / New Sample

However, after analyzing and investigating the sample further, I was able to show that this is indeed something different, but nonetheless interesting. This blog is a walk through my analysis and will highlight initial insights into this potential attack.

THE SAMPLE - FROM AIRMILES TO MACRO CODE TO POWERSHELL The sample that was shared with me is a macro-laced Word document called "Egyptairplus.doc" with an MD5 hash of fdb4b4520034be269a65cfaee555c52e. The macro code contains a function called Worker() which calls multiple other functions embedded in the document to u

Clearing the MuddyWater - Analysis of new MuddyWater Samples

INTRODUCTION It has been over 2 months since I last wrote about MuddyWater, or Temp.Zagros as named by FireEye. To be honest, I felt they were going quiet for a while; but boy was I wrong. Starting this week I have picked up some new interesting samples. Although these new samples have lots of similarities with the ones from earlier in the year, there are still some interesting aspects and additional, you guessed it, obfuscation used in the new samples. Their heavy focus on layered obfuscation and preference for PowerShell is still apparent. However, I will highlight what changed based on the samples that I have analyzed. Below are screenshots of some of the recent lure documents used by this group. All hashes are at the end of the blog. You can see from the above screenshots that their targeting seems to continue to focus on the Middle East region (Turkey and Iraq) and Pakistan. As mentioned in my previous blogs, these lures can give us an idea of the organizations and indust