INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Interesting large and small malspam attachments from 2023
Published: 2024-01-03
Last Updated: 2024-01-03 13:17:51 UTC
by Jan Kopriva (Version: 1)
At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries. Over the years, I found that, at a minimum, it is usually instructive to look at what the largest and the smallest pieces of malware that one managed to catch were. This held true even for 2023, as both the smallest and the largest sample I had turned out to be interesting in their own right. But let’s start at the beginning…
Over the last 12 months, 1152 potentially malicious attachments of various types were caught by my malspam trap. When I decompressed and/or unpacked all the images and archives, removed all duplicates and eliminated all the non-malicious files, I was left with 525 unique malicious samples – 285 of these were PE files with various extensions, and the rest were a wide assortment of scripts, Office files, PDFs, help files, shortcut links, etc.
The smallest malicious file among all of these was a VBE (an encoded VBScript file), which was quite surprising, since these are not too common in the wild – in fact, among all the “2023 malspam files”, there were only 2 VBEs (compared to 43 “traditional” VBS files).
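The year-end workflow described above (unpack archives, drop duplicates, tally by type, look at the smallest and largest samples) is easy to script. The following is an added example written for this digest, not code from the diary or from its author. It assumes the captured attachments sit in one directory, that archives are ZIP files, and that PE files are recognised by their `MZ` header rather than by extension, since malspam often carries misleading extensions; the demo inputs are constructed and contain no real malware.

```python
"""Triage helper for a directory of captured malspam attachments (added example)."""
import hashlib
import io
import os
import zipfile
from collections import Counter

# Hypothetical cap: entries that would inflate by more than this ratio are
# skipped instead of decompressed, to keep a zip bomb from filling the disk.
MAX_INFLATE_RATIO = 1000


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Yield (name, bytes) for `data`, recursing into ZIP archives up to
    `max_depth` levels. Non-archives are yielded as-is."""
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
                    continue
                try:
                    inner = zf.read(info)  # encrypted entries raise RuntimeError
                except (RuntimeError, zipfile.BadZipFile):
                    continue
                yield from unpack(f"{name}/{info.filename}", inner, depth + 1, max_depth)
        return
    yield name, data


def classify(name: str, data: bytes) -> str:
    """Coarse type label: PE by magic bytes, otherwise the lower-cased extension."""
    if data[:2] == b"MZ":
        return "pe"
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return ext or "noext"


def triage(samples):
    """samples: iterable of (name, bytes). Dedupes by SHA-256 (first-seen name
    wins) and reports counts by type plus the smallest and largest unique file.
    Deciding which survivors are actually malicious is left to the analyst."""
    unique = {}
    for name, data in samples:
        for inner_name, inner in unpack(name, data):
            unique.setdefault(sha256_bytes(inner), (inner_name, inner))
    by_type = Counter(classify(n, d) for n, d in unique.values())
    ordered = sorted(unique.items(), key=lambda kv: len(kv[1][1]))
    def describe(item):
        digest, (n, d) = item
        return (n, len(d), digest)
    return {
        "unique": len(unique),
        "by_type": dict(by_type),
        "smallest": describe(ordered[0]) if ordered else None,
        "largest": describe(ordered[-1]) if ordered else None,
    }


def load_dir(path):
    """Read every file under `path` as a (name, bytes) pair."""
    for root, _, files in os.walk(path):
        for f in files:
            with open(os.path.join(root, f), "rb") as fh:
                yield f, fh.read()


def demo_samples():
    """Constructed stand-ins for trap contents; none of this is real malware."""
    pe = b"MZ" + bytes(range(256)) * 8          # fake PE, 2050 bytes
    vbe = b"#@~^constructed==^#~@"              # fake encoded-VBScript marker, 21 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", pe)          # same bytes as the loose report.exe
        zf.writestr("macro.vbs", b"' constructed script\nMsgBox 1\n")
    return [("order.zip", buf.getvalue()), ("report.exe", pe), ("note.vbe", vbe)]


if __name__ == "__main__":
    print(triage(demo_samples()))       # or: triage(load_dir("/path/to/trap"))
```

Running `triage(load_dir(...))` on a real trap directory gives the same shape of output as the demo: a count of unique samples, a per-type tally, and the smallest and largest survivors with their SHA-256 digests.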
Read the full entry:
https://isc.sans.edu/diary/Interesting+large+and+small+malspam+attachments+from+2023/30524/
Shall We Play a Game?
Published: 2023-12-22
Last Updated: 2023-12-22 06:05:22 UTC
by Xavier Mertens (Version: 1)
Our youngest readers probably won’t get the point of this quote; it’s from the 1983 movie “WarGames”. I used this subject because yesterday I found a small game in Python that offers not only some fun but also malicious code that will exfiltrate your browser data!
The file is called “Dimension_Lands_10 (1)<dot>py” (SHA256: 8b9f750310115110cad2716ab7496344d543dd437e4452c5eafbe11aee28f492).
In a previous diary, I mentioned a malicious Python script based on a Tk interface. This approach seems to be becoming popular, because this new one does the same with a nice window. Compared to the other one, it has a great advantage: it’s a game and will attract more potential victims. People like small games to pass the time during meetings.
And the game is properly working!
Read the full entry:
https://isc.sans.edu/diary/Shall+We+Play+a+Game/30510/
Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary]
Published: 2023-12-27
Last Updated: 2023-12-28 01:03:42 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Elias Bou Zeid, an ISC intern as part of the SANS.edu BACS program]
Introduction
In this digital age, as our dependence on technology grows, understanding which devices are connected to our networks and keeping track of their security updates is critically important. In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware. This finding serves as a stark reminder of the vast amounts of vulnerabilities available in the wild.
Description of Mirai
Mirai, a notorious malware strain, has caused disruption since its inception. Designed to exploit security weaknesses in IoT (Internet of Things) devices, it converts those devices into a network of bots, or a 'botnet,' used to launch large-scale network attacks. That malicious actors are still leveraging Mirai demonstrates both its capabilities and the continually evolving threat landscape around it.
Mirai Overview
Mirai infiltrated numerous IoT devices through common weaknesses, such as weak and default username and password combinations. Once Mirai gains access to a system, it carries out its primary function – to enslave devices and coordinate them for massive Distributed Denial of Service (DDoS) attacks. Mirai’s evasion & persistence mechanisms include but are not limited to the following ...
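Because the weak/default credential sweep is the part of this activity a honeypot sees first, it is worth being able to pick it out of the logs. The script below is an added example written for this digest, not code from the guest diary, the DShield project or Cowrie. It assumes the honeypot writes Cowrie-style JSON lines carrying `eventid`, `src_ip`, `username` and `password` fields, and the default-credential list and the log lines are constructed for illustration (the list is not the malware's actual dictionary, and the addresses are documentation ranges).

```python
"""Flag honeypot sources whose login guesses are mostly default IoT credentials (added example)."""
import json
from collections import Counter, defaultdict

# Constructed, illustrative default pairs; a real hunt would use a fuller list.
DEFAULT_PAIRS = {
    ("root", "root"), ("root", "admin"), ("admin", "admin"),
    ("root", "12345"), ("admin", "1234"), ("root", ""),
}

# Assumed Cowrie event names for login attempts.
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def parse_login_events(lines):
    """Yield (src_ip, username, password, success) for each login event,
    silently skipping malformed lines and events of other kinds."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") not in LOGIN_EVENTS:
            continue
        yield (ev.get("src_ip", "?"), ev.get("username", ""),
               ev.get("password", ""), ev["eventid"] == "cowrie.login.success")


def summarise(lines, min_attempts=3, default_share=0.5):
    """Per-source attempt counts, the most-tried credential pairs, and the
    sources flagged as default-credential sweeps: at least `min_attempts`
    attempts of which `default_share` or more used a pair from DEFAULT_PAIRS."""
    per_src = defaultdict(lambda: {"attempts": 0, "defaults": 0, "successes": 0})
    pairs = Counter()
    for src, user, pwd, ok in parse_login_events(lines):
        stats = per_src[src]
        stats["attempts"] += 1
        stats["successes"] += int(ok)
        if (user, pwd) in DEFAULT_PAIRS:
            stats["defaults"] += 1
        pairs[(user, pwd)] += 1
    flagged = sorted(
        src for src, s in per_src.items()
        if s["attempts"] >= min_attempts and s["defaults"] / s["attempts"] >= default_share
    )
    return {"per_src": dict(per_src), "top_pairs": pairs.most_common(3), "flagged": flagged}


# Constructed sample log: one default-credential sweeper, one low-volume
# source, one source guessing mostly non-default pairs, plus noise lines.
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"root"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"admin","password":"admin"}',
    '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","username":"root","password":"12345"}',
    '{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","username":"root","password":"admin"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"alice","password":"hunter2"}',
    '{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","username":"bob","password":"letmein"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","username":"root","password":"root"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","username":"svc","password":"Str0ngPass!"}',
    '{"eventid":"cowrie.login.failed","src_ip":"192.0.2.5","username":"ops","password":"ChangeMe"}',
    'this line is not JSON and is ignored',
]


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print("flagged sweepers:", result["flagged"])
    print("most-tried pairs:", result["top_pairs"])
    for src, s in result["per_src"].items():
        print(src, s)
```

On a live honeypot, feed the function the contents of the JSON log file instead of `SAMPLE_LOG`; the `min_attempts` and `default_share` thresholds are the knobs to tune once you see how noisy your sensor is.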
Read the full entry: