Besides a new project of mine that is investigating the use of neural networks to carry out phishing campaigns (more on this at a later date!):
… and the upcoming Christchurch Hacker Conference, my main project remains my malware tracker (2017-12-01: decommissioned). So I thought I’d take the chance to run through some of the features and data being offered by it. But firstly, I’ll briefly cover off perhaps the most common query I receive concerning it: where does the data come from?
Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building solid defense on a shoestring budget, with an outline along the lines of:
- OSINT sources.
- Spam traps.
- Automated analysis.
- Dissecting LuminosityLink:
- Configuration extraction.
- Yara rule creation.
In this short blog post I’ll run over a few of the items in brief detail. Continue reading “missing links”
This is just a short post detailing a quick trick to remove VBA project protection in MS Office documents: tested with a Word 2003 document linked attached to a banking themed email.
The document in question is one of a range that comes as an attachment, apparently from one of several Australian/NZ banks (as outlined here):
In my younger years I had all sorts of collections: books, bottle caps, rocks, coins, action figures, movies, etc. Now, most of those collections sit at the back of my parents shed – although I do still have a tendency to hoard movies.
Yesterday one of the mail admin’s at work forwarded me a message to take a look at. It was perpetuating to be from ANZ bank, suggesting a payment was due but macro’s should be enabled to view the document. It’s a pretty standard social engineering vector:
Obviously, this isn’t true. However, compared to other documents I’ve sighted recently a fair amount of effort has gone into this one, and there may have been some thought as to what bank the recipient may use. The other campaigns just seemed to indiscriminately select a bank – even one who didn’t operate in the location of the target. The document, as could be expected, has a macro attached to it that’s used to pull down malware from the internet. Heavy use of CallByName in conjunction with obfuscated strings and the banking vector would suggest it could be used to distribute Dridex, however there’s any possibility it could also be Locky. Unfortunately, by the time I had deobfuscated the contents of the macro the binary looks to have been removed from it’s host (I’ve put the feelers out on Twitter to see if anyone did) – but the process of deciphering the script to obtain the location for possible future incidents is still worth looking at.
Continue reading “overdue payment”
A project I’m involved with that’s still in it’s early stages is the development of an automated, intelligent security environment that consists of:
- Firewall, router and switch configuration management (existing in-house developed software).
- Asset management and vulnerability scanning (Metasploit and OpenVAS).
- Malware detection and analysis (analysis performed by Cuckoo).
- Intrusion detection and analysis.
The last two are the final pieces to our puzzle, and given the data has high:
- Variety: applicance, application and server logs.
- Velocity and Volume: dozens of networks across the globe, hundrens of servers, 1000+ databases, 1000+ applications.
… it’s really a no brainer to use Hadoop as the storage framework. To dip our toes into the newfound waters of big data, whilst also evaluating a solution that could prove useful in piecing together our environment, I pieced together a network analysis server consisting of Snort, Hadoop, Pig and PacketPig. Continue reading “oinkception”