Searching inside a PDF document

I have received a PDF document from a fake Paypal address. The PDF name is Paypal_EmailID_JK… To be sure whether  the document is malicious or not I used the pdfid.py tool as in the screenshot below .

PDFid1

It is clear that there are 25 objects and 4 URLs in the document, /JS pointing to 0 meaning there is no javascript in this document. Also /OpenAction is 0 meaning there is no malicious action.But let use the pdfid.py with -e option for more information as in the figure below

Pdfid2

We see the nothing apended After last %%EOF and the Total entropy.Finally I use

pdf-parser.py to extract those URLs as in the picture below

pdf-parder1

The PDF appears to be from Paypal but in fact will redirect the victim to the

https://www.hasanacademy.com/buy.php

Happy Hunting.

Advertisements

Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on blockchalna.info and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.

Reference

https://blog.talosintelligence.com/2018/02/coinhoarder.html

https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/02/26230545/BTC_IOCs.pdf

https://umbrella.cisco.com/blog/2016/12/22/protecting-bank-pocket-rise-criminal-activity-correlates-bitcoin-price-surge-holidays/

5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection  is coming from browseraloud.com , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The browseraloud.com server was hacked , obfuscated javascript was added to download the code from coinhive.com and start mining cryptocurrency.

The only way to bypass this is to shut down your browser.

References

Sophos

Skynews

Cryptominer RubyMiner Targets web servers

According to a Check Point Research finding, a new malware package designed to mine cryptocurrency is attacking web servers in an effort to infect them. The malware uses a variation of an open-source Monero miner (XMRig), possibly because the software required does not require an extremely powerful server to operate. According to the article, the attack uses vulnerabilities from 2012 and 2013. Systems targeted included those running PHP, Ruby on Rails, and Microsoft IIS. The vulnerability in Ruby on Rails is CVE-2013-0156. This vulnerability provides the attacker a means to inject objects into the system that can execute arbitrary code. The malware flushes the crontab (on a Unix system) and then installs its own crontab entry. This entry runs one minute past the hour, every hour. The command downloads a robots.txt file from a web server under the control of the attackers. This downloaded file is then executed each time crontab executes the command. The article postulates this could be so that the attackers could execute a kill switch if desired or possibly to update the malware. The open-source package XMRig normally donates five percent of the earnings to XMRig’s author. Apparently, the individual(s) behind this attack were not inclined to lose any potential gains and removed the donating code from the version used in the infection.

Indicators of Compromise:

  • 761f5cfd0a3cddb48c73bc341a4d07a9
  • 91d31ed8e569c0089fa070ed125e1fc5
  • a6a57e6a216dff346a22f51639c4b99c
  • 203.24.188.242
  • Internetresearch.is
  • dgnfd564sdf.com
  • lochjol.com

It is recommended to patch the operating system,patch the applications and check crontab for unusual entry.

References 

https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/

 

A look at Redline from Mandiant

Redline is a nice tool to investigate a particular host for signs of compromises. It works on Windows and is freely available on the FireEye site .

redline1
Redline Interface

At a glance, we have options to collect data from the host or Analyse an existing data collected file. In our case , I am going to create  a Standard Collector for the sake of this demo.

Redline2
Redline Review Script Configuration

It is clear that the script will run the Collector and save it to a folder named ‘Sessions\AnalysisSession2´ in our case because we run the script twice as in the figure below

redline5
AnalysisSession2.mans file to import in Redline

As said in the Readme.txt file, AnalysisSession2.mans has to be openend in Redline to continue with the investigation. We can go through the System Information,Processes,…

The tool is worth a try.

Happy investigations

redline6
Investigative options after opening the AnalysisSession2.mans file

Ordinypt the ransomware targetting German Human Resources.

Ordinypt is a new ransomware in Germany . It appears as a ransomware but destroys data. It seems to be targetting only people in Germany because of  its email delevering language only in German. The email arrives as a ”job advertisement submission” resume with 2 files attachments : – A JPG image of a woman submitting a resume

-a ZIP file supposedly containing a resume and Curriculum Vitae.

HSDFSDCrypt-spam-email

The ZIP archive  contains two EXE files, but appears to be PDFs files to fool the user that those are not executable. Clicking on the EXE files will launch the Ordinypt wiper. This malware does not encrypt files but overwrites these latter with random data.

It displays a ransom note in every folder where it destroys files named  Wo_sind_meine_Dateien.html, translates as where_are_my_files.

HSDFSDCrypt-ransom-note

The only ways to bypass are:

  • Ensure anti-virus software and associated libraries are up to date
  • Ensure attachments do not have hidden / double extensions prior to clicking to open