INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Malware Dropped Through a ZPAQ Archive
Published: 2023-11-01
Last Updated: 2023-11-01 06:33:33 UTC
by Xavier Mertens (Version: 1)
Have you ever seen ZPAQ archives? This morning, my honeypot captured a phishing attempt that lured the potential victim into opening a "ZPAQ" archive. This is not a common file format, and an attacker could use it to bypass classic security controls. Here is what Wikipedia says about ZPAQ:
ZPAQ is an open source command line archiver for Windows and Linux. It uses a journaling or append-only format which can be rolled back to an earlier state to retrieve older versions of files and directories. It supports fast incremental update by adding only files whose last-modified date has changed since the previous update. It compresses using deduplication and several algorithms (LZ77, BWT, and context mixing) depending on the data type and the selected compression level. To preserve forward and backward compatibility between versions as the compression algorithm is improved, it stores the decompression algorithm in the archive.
The file was called "Purchase Order pdf<dot>zpaq" (SHA256: 1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6). Because the archive uses an "exotic" compression algorithm, the VT score is null! I tried the classic tools on a stock Windows operating system, including 7-Zip, and none of them was able to decompress the archive. This is strange because it reduces the number of potential victims! On Windows, you can use PeaZip.
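A mail-gateway or SOC triage check for the pattern above (an archive format that standard tooling cannot open, a document-type word in front of the real extension, and a hash match against the sample from the diary), as an added example and not code from the diary. The list of "uncommon" archive extensions beyond zpaq and the document-word regex are assumptions to tune for your environment; the attachment bytes in the usage are constructed:

```python
"""Triage e-mail attachments by archive format, misleading name and known hash.

Added example, not code from the ISC diary. Only the .zpaq extension and the
SHA-256 below come from the diary; the other extensions and the document-word
pattern are assumptions to adapt to what your tooling can actually inspect.
"""
import hashlib
import re

# Archive formats that stock Windows tooling (and, in the diary's test, even 7-Zip)
# could not open, so content inspection at the gateway is unlikely to succeed.
# "zpaq" is the diary's case; the rest are an assumed starting list.
UNCOMMON_ARCHIVE_EXTENSIONS = {"zpaq", "ace", "arj", "lzh", "lha"}

# A document-type word inside the name while the real extension is something else
# ("Purchase Order pdf.zpaq") is a classic lure; assumed pattern, extend as needed.
DOCUMENT_WORDS = re.compile(r"\b(pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)

# SHA-256 reported in the diary for the captured sample.
KNOWN_BAD_SHA256 = {
    "1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6":
        "Purchase Order pdf.zpaq (ISC diary 30366)",
}


def split_name(filename):
    """Return (stem, lower-cased extension) of the last path component."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext.lower()


def assess_attachment(filename, content, known_bad=KNOWN_BAD_SHA256):
    """Return a verdict dict with every reason the attachment was flagged."""
    stem, ext = split_name(filename)
    digest = hashlib.sha256(content).hexdigest()
    reasons = []
    if ext in UNCOMMON_ARCHIVE_EXTENSIONS:
        reasons.append(f"uncommon archive format .{ext}: content cannot be inspected")
    if DOCUMENT_WORDS.search(stem):
        reasons.append(f"document-type word in name but real extension is .{ext or '(none)'}")
    if digest in known_bad:
        reasons.append(f"SHA-256 matches known sample: {known_bad[digest]}")
    return {
        "file": filename,
        "sha256": digest,
        "ext": ext,
        "reasons": reasons,
        "verdict": "quarantine" if reasons else "allow",
    }


if __name__ == "__main__":
    # Constructed attachment bytes; only the file name mirrors the diary.
    print(assess_attachment("Purchase Order pdf.zpaq", b"constructed archive bytes"))
    print(assess_attachment("report.zip", b"PK\x03\x04"))
```

The hash match will only fire on the real sample; the two name-based rules are what catch the next campaign that swaps the payload but keeps the lure, which is why they are evaluated independently rather than short-circuited.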
Read the full entry:
https://isc.sans.edu/diary/Malware+Dropped+Through+a+ZPAQ+Archive/30366/
Multiple Layers of Anti-Sandboxing Techniques
Published: 2023-10-31
Last Updated: 2023-10-31 14:51:53 UTC
by Xavier Mertens (Version: 1)
It has been a while since I found an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic infostealer using Discord as a C2 channel. Today I found one that contains a lot of anti-sandboxing techniques. Let's review them. For malware, it is key to detect the environment in which it is executed. When detonated inside a sandbox (automatically or manually, by an analyst), it can change its behaviour (most likely, do nothing).
Like all scripting languages running in the Windows ecosystem, Python can call any Microsoft API, and these calls are useful for performing checks at the operating-system level. Here is what the script tries to detect ...
Read the full entry:
https://isc.sans.edu/diary/Multiple+Layers+of+AntiSandboxing+Techniques/30362/
Flying under the Radar: The Privacy Impact of multicast DNS
Published: 2023-10-30
Last Updated: 2023-10-30 15:30:39 UTC
by Johannes Ullrich (Version: 1)
The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.
What is multicast DNS?
Typically, we think of DNS as a client-server protocol where our clients will connect to preconfigured resolvers. In this scenario, it is possible to register hostnames dynamically. Still, the setup is complex and requires configuring the DNS server to allow for these registrations. For a home user, this is complex, but you would still like to have the option to refer to systems by hostname instead of by IP address.
Multicast DNS solves two issues: It allows hosts to register their name and any services they offer and allows hosts connected to the same local network to find services offered by hosts on the network. Multicast DNS uses port 5353 and the multicast group 224.0.0.251 (IPv4) or ff02::fb (IPv6). These are link-local addresses, and the traffic is not routable. The main security feature of Multicast DNS is that the messages only reach local hosts on a (believed to be) trusted local network. There is no authentication or encryption of the messages as this would require some cryptographic key infrastructure. The protocol is supposed to be "plug and play."
NetBIOS and LLMNR have played roles like this in Windows, but even Windows has been moving to mDNS. While mDNS was originally developed by Apple as "Bonjour", it has now been adopted by Windows and Linux. Another similar protocol is SSDP (Simple Service Discovery Protocol). SSDP is often used alongside mDNS. But SSDP never became an IETF standard, and no RFC describes it. Instead, the SSDP standard is now defined as part of Universal Plug and Play (UPNP) [upnp] ...
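To make the privacy point concrete, here is an added example (not code from the diary) that decodes an mDNS response with the standard library only and lists the human-readable names a passive listener on the same link learns from it. It uses the port and multicast groups given above; the parser handles RFC 1035 name compression and the RFC 6762 cache-flush bit. The packet in `SAMPLE_RESPONSE` is constructed for this example, with an invented service instance, hostname and address:

```python
"""Parse an mDNS response and list what a host reveals about itself.

Added example, not from the ISC diary: standard-library DNS wire-format parsing
(RFC 1035 name compression, RFC 6762 cache-flush bit) plus a listener for the
group and port named in the text. SAMPLE_RESPONSE is constructed; its names and
address are invented.
"""
import socket
import struct

MDNS_PORT = 5353
MDNS_GROUP_V4 = "224.0.0.251"
MDNS_GROUP_V6 = "ff02::fb"
TYPE_NAMES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}

# Constructed response: a PTR answer advertising an AirPlay service instance and
# an A record for the host, both using compression pointers.
SAMPLE_RESPONSE = (
    b"\x00\x00\x84\x00\x00\x00\x00\x02\x00\x00\x00\x00"  # id 0, flags 0x8400, 2 answers
    b"\x08_airplay\x04_tcp\x05local\x00"                  # _airplay._tcp.local (offset 12)
    b"\x00\x0c\x80\x01\x00\x00\x11\x94\x00\x11"            # PTR, IN+cache-flush, TTL 4500, rdlen 17
    b"\x0eLiving Room TV\xc0\x0c"                          # "Living Room TV" + pointer to offset 12
    b"\x0eLiving-Room-TV\xc0\x1a"                          # Living-Room-TV + pointer to "local" (offset 26)
    b"\x00\x01\x80\x01\x00\x00\x00\x78\x00\x04"            # A, IN+cache-flush, TTL 120, rdlen 4
    b"\xc0\xa8\x01\x2a"                                    # 192.168.1.42
)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointers must point backwards and are capped so a crafted packet cannot loop us."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if pointer >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            if end is None:
                end = offset + 2  # the name ends right after the first pointer
            hops += 1
            offset = pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("utf-8", "replace"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_mdns(data):
    """Return every resource record in the message as a dict."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    offset = 12
    for _ in range(qd):  # skip questions: name + type + class
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, offset)
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 12:                    # PTR: target name, may be compressed
            value, _ = read_name(data, offset)
        elif rtype == 33:                  # SRV: priority, weight, port, target
            _prio, _weight, port = struct.unpack_from("!HHH", rdata, 0)
            value = f"{read_name(data, offset + 6)[0]}:{port}"
        elif rtype == 16:                  # TXT: length-prefixed strings
            parts, i = [], 0
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8", "replace"))
                i += 1 + rdata[i]
            value = "; ".join(parts)
        elif rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        records.append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                        "cache_flush": bool(rclass & 0x8000), "ttl": ttl, "value": value})
        offset += rdlen
    return records


def exposed_names(records):
    """Human-readable identifiers a passive observer learns from the records."""
    names = set()
    for rec in records:
        if rec["type"] == "PTR":
            names.add(rec["value"].split("._", 1)[0])   # service instance name
        elif rec["type"] in ("A", "AAAA", "SRV"):
            names.add(rec["name"].split(".", 1)[0])     # hostname label
    return names


def listen(seconds=30.0):
    """Join the IPv4 mDNS group and return one neighbour's announcement (needs a LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                    socket.inet_aton(MDNS_GROUP_V4) + socket.inet_aton("0.0.0.0"))
    sock.settimeout(seconds)
    data, (src, _) = sock.recvfrom(9000)
    return src, parse_mdns(data)
```

Running `parse_mdns(SAMPLE_RESPONSE)` yields the PTR and A records, and `exposed_names` reduces them to the two strings a bystander would see: the friendly device name from the service instance and the hostname label. On a real network, `listen()` does the same for whatever a neighbour announces next; the backward-pointer and hop checks in `read_name` matter there because nothing in the protocol authenticates the sender.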
Read the full entry:
https://isc.sans.edu/diary/Flying+under+the+Radar+The+Privacy+Impact+of+multicast+DNS/30358/