making the most of it

Besides a new project of mine that is investigating the use of neural networks to carry out phishing campaigns (more on this at a later date!):

ava_1709_thief
Result of approx 3mil conversation corpus and 35 epochs. Not bad…

… and the upcoming Christchurch Hacker Conference, my main project remains my malware tracker (2017-12-01: decommissioned). So I thought I’d take the chance to run through some of the features and data being offered by it. But firstly, I’ll briefly cover off perhaps the most common query I receive concerning it: where does the data come from?

Continue reading “making the most of it”

missing links

Over the past couple of months I’ve been preparing a talk entitled ‘Beer, Bacon and Blue Teaming’. It covers building solid defense on a shoestring budget, with an outline along the lines of:

  • OSINT sources.
  • Spam traps.
  • Honeypots.
  • Automated analysis.
  • Dissecting LuminosityLink:
    • IDS.
    • Sysmon.
    • Configuration extraction.
    • Yara rule creation.

In this short blog post I’ll run over a few of the items in brief detail. Continue reading “missing links”

web spinning

In my younger years I had all sorts of collections: books, bottle caps, rocks, coins, action figures, movies, etc. Now, most of those collections sit at the back of my parents shed – although I do still have a tendency to hoard movies.

To many the idea of hoarding malware would be akin to hoarding venomous snakes in a dogs cage. What if one escapes? But, it does serve a very useful purpose of providing huge datasets for analysis – allowing for the creation of new signatures and anti-malware techniques whilst also improving malware analysis abilities.

Continue reading “web spinning”

stealthy, like a snake

Naja: a genus of venomous elapid snakes known as cobras. Pseudonaja textilis, more commonly known as the Eastern brown snake, is considered the world’s second most venomous land snake based on its LD50 value in mice.

Naja – in this instance – is a Windows trojan developed by me in Python, inspired by several other Python projects (mentioned throughout this post), which makes use of Metasploit shellcode to facilitate a reverse connection to targets. It is distributed in two parts and makes heavy use of various encoding mechanisms and encryption in conjunction with process injection to bypass antivirus and other mitigations like Microsoft’s EMET.

Note: This post was originally made on 16 Dec ’14, but has since been updated.
Continue reading “stealthy, like a snake”

overdue payment

Yesterday one of the mail admin’s at work forwarded me a message to take a look at. It was perpetuating to be from ANZ bank, suggesting a payment was due but macro’s should be enabled to view the document. It’s a pretty standard social engineering vector:

Obviously, this isn’t true. However, compared to other documents I’ve sighted recently a fair amount of effort has gone into this one, and there may have been some thought as to what bank the recipient may use. The other campaigns just seemed to indiscriminately select a bank – even one who didn’t operate in the location of the target. The document, as could be expected, has a macro attached to it that’s used to pull down malware from the internet. Heavy use of CallByName in conjunction with obfuscated strings and the banking vector would suggest it could be used to distribute Dridex, however there’s any possibility it could also be Locky. Unfortunately, by the time I had deobfuscated the contents of the macro the binary looks to have been removed from it’s host (I’ve put the feelers out on Twitter to see if anyone did) – but the process of deciphering the script to obtain the location for possible future incidents is still worth looking at.
Continue reading “overdue payment”

herding sheep

It goes without saying that Pokemon GO is a craze of magnitude that we haven’t seen for a long time, and undoubtedly one that will be around for quite some time. If memory serves me correctly, not even Angry Birds grew in popularity this rapidly – and it didn’t have the same positive effects (e.g. getting gamers outside and socialising with others).

“prepare for trouble, and make it double”

Whilst most observers may see the primary negative effect as the game being yet another contributor to mobile phone addiction – diluting what are likely already diluted “real world” skills – those of us with a more nefarious view of the world will see this as a prime opportunity to pop some shells. Just as the Rio Olympics have spurred a wave of phishing and malware attacks, it comes as no surprise that Pokemon GO has too. So, this made me think… exactly how covert can you make Android malware?
Continue reading “herding sheep”

held to ransom

As of late I’ve been keeping fairly busy, unfortunately with not a lot that I can blog about. I’ve built a new house, planned some overseas travel for later in the year, am in the midst of planning a security conference with some of the other ISIG and OWASP blokes (more on that later) and have been incredibly excited about Battlefield 1. I could have been left for another month and probably remained quiet on the blogging front, alas someone has prompted me to break the silence.

After a recent incident I was quizzed by this someone about how I approach handling situations where defenses fail and malware does make an impact – and they suggested I make a blog post to explain this. Well, I’m feeling pretty motivated today so let’s make that happen.

Most days I receive a couple of suspect files, emails or URL’s passed my way for inspection (the thought of those that I don’t receive is what keeps me awake at night), so I’ve selected one to illustrate my basic analysis process: a pretty standard case of ransomware via email, sent to one of our helpdesk staff.
Continue reading “held to ransom”