INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Files with TXZ extension used as malspam attachments
Published: 2024-05-27
Last Updated: 2024-05-27 06:38:59 UTC
by Jan Kopriva (Version: 1)
Malicious e-mail attachments come in all shapes and sizes. In general, however, threat actors usually either send out files that themselves carry a malicious payload – such as different scripts, Office documents or PDFs – or they send out “containers” that include such files – e.g., image files or archives. These container files, especially, can sometimes be quite unusual… Which is where today’s diary comes in.
While going over messages that were caught in my malspam traps over the course of May, I found multiple e-mails that carried files with the TXZ extension as their attachments. Since this extension is hardly the most common one, I needed quick help from Google to find that it was associated with Tar archives compressed with XZ Utils. It seems that even when it comes to malicious e-mail attachments, use of this extension is relatively unusual, since a quick check revealed that my malspam traps hadn’t caught any such files in 2021, only one file in 2022, and none in 2023.
As it turned out, however, both the 2022 file and the current files that my malspam traps caught were actually not TXZ files, but rather renamed RAR archives ...
Although threat actors commonly modify extensions of malicious files they send out, I was a little mystified by the change in this case, given the aforementioned less-than-common use of TXZ files, and – presumably – their limited support by archiving utilities. Further Google searching, however, soon revealed the reason for it ...
Read the full entry:
https://isc.sans.edu/diary/Files+with+TXZ+extension+used+as+malspam+attachments/30958/
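The diary's core observation is that the attachments were RAR archives carrying a .txz extension, and an archive's true format is visible in its leading bytes regardless of the name. The following is an added example (not code from the diary or from ISC) of a mail-gateway style check that compares an attachment's extension with its magic bytes and flags the mismatch; the signatures are the well-known RAR, XZ, ZIP, gzip and 7z headers, and the sample attachments at the bottom are constructed byte strings, not files from the diary.

```python
"""Flag attachments whose extension disagrees with their magic bytes.

A genuine .txz is a tar archive compressed with xz, so its first bytes are
the XZ container signature. A RAR archive renamed to .txz still starts with
the RAR signature, which is exactly the mismatch the diary describes.
"""
import os
from typing import Optional

# Leading signatures of a few common container formats.
MAGIC = {
    "rar":  (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR 4.x, RAR 5
    "xz":   (b"\xfd7zXZ\x00",),                              # XZ (.xz, .txz)
    "zip":  (b"PK\x03\x04",),                                # ZIP (also docx, jar)
    "gzip": (b"\x1f\x8b",),                                  # gzip (.gz, .tgz)
    "7z":   (b"7z\xbc\xaf\x27\x1c",),                        # 7-Zip
}

# Format each extension is expected to carry. Extensions not listed here
# (e.g. .txt) are not judged, so they never produce a mismatch.
EXPECTED = {
    ".txz": "xz", ".xz": "xz",
    ".rar": "rar",
    ".zip": "zip",
    ".tgz": "gzip", ".gz": "gzip",
    ".7z": "7z",
}


def detect_format(data: bytes) -> Optional[str]:
    """Return the container format implied by the leading bytes, or None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's expected format with the detected one."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    actual = detect_format(data)
    # Only flag when we have an expectation AND a confident detection.
    mismatch = expected is not None and actual is not None and actual != expected
    return {
        "filename": filename,
        "extension": ext,
        "expected": expected,
        "actual": actual,
        "mismatch": mismatch,
    }


def find_mismatches(attachments: dict) -> list:
    """Return the filenames whose content format contradicts the extension."""
    return [name for name, data in attachments.items()
            if check_attachment(name, data)["mismatch"]]


# Constructed sample attachments (headers only, padded), not diary artifacts.
SAMPLES = {
    "invoice.txz": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24,   # RAR 5 renamed to .txz
    "backup.txz":  b"\xfd7zXZ\x00" + b"\x00" * 26,           # genuine xz-compressed tar
    "photos.zip":  b"PK\x03\x04" + b"\x00" * 28,             # consistent ZIP
    "notes.txt":   b"plain text body\n",                     # no expectation, no signature
}

if __name__ == "__main__":
    for name in SAMPLES:
        print(check_attachment(name, SAMPLES[name]))
    print("mismatched:", find_mismatches(SAMPLES))
```

On the constructed samples only `invoice.txz` is reported, since its bytes identify a RAR archive while the extension promises xz. The check deliberately stays silent when either side is unknown; a gateway that wants to quarantine unrecognised archive content as well can treat `actual is None` for an archive extension as a second, separate signal.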
Is that It? Finding the Unknown: Correlations Between Honeypot Logs & PCAPs [Guest Diary]
Published: 2024-05-28
Last Updated: 2024-05-29 00:46:39 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Joshua Jobe, an ISC intern as part of the SANS.edu BACS program]
Introduction
Upon starting the Internship in January 2024, I wondered how I was going to tackle analyzing all the logs, how to parse and understand JSON files, and make sense of the plethora of details to even try to make an attack observation. Where do the files go, how do we correlate the filenames with the hashes, what’s the deal with webhoneypot logs? During the Introductory Call, Mentor Handler, Guy Bruneau, mentioned the DShield SIEM [1] he has been working on for everyone to use to enhance the internship experience. I felt this was the perfect opportunity to build something that will assist with correlating the ‘attacks’ on the sensors by ingesting the logs into a SIEM. This is especially useful for those that want to see the details in a way that is more organized and easier to extrapolate data. However, simply reviewing activity in the SIEM may not always be enough to build a complete picture for an attack observation. Likewise, simply parsing through the logs may not always give you a complete picture either.
This blog post will walk through the steps I have taken to build a bigger picture to make an attack observation, briefly going over various attacks such as malicious files, HTTP requests, Cowrie/Webhoneypot JSON logs and PCAPs.
Where to Start
After initially setting up the DShield Honeypot (sensor), it will inevitably take 2-3 weeks or more to begin seeing attacks, especially any that may involve uploading/downloading files. Be patient. Interesting IP addresses, files, URLs, TTY logs, etc. will show up. It is imperative that you follow the instructions to properly expose your sensor or sensors to the internet.
For example, I am running two sensors behind an Asus RT-AC86U router. Since this router doesn’t natively allow the same port entries when port forwarding to two internal IP addresses, I opted to set up one sensor with only TCP ports 8000, 2222, 2223, 8443 open, with the second sensor open to the entire port range: TCP/UDP 1:65535. Utilizing the demilitarized zone (DMZ) is not currently an option due to how my network is set up. The sensor with the entire port range open tends to see more traffic.
Once you have your sensors up and running, I highly recommend setting up the DShield SIEM previously mentioned. Here are some recommendations to consider for the SIEM ...
Read the full entry:
Analysis of “redtail” File Uploads to ICS Honeypot, a Multi-Architecture Coin Miner [Guest Diary]
Published: 2024-05-22
Last Updated: 2024-05-23 00:05:28 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Robert Riley, an ISC intern as part of the SANS.edu BACS program]
Introduction
Honeypot file uploads can be like opening Pandora’s box, never knowing what may get uploaded. Malware comes in all sorts of varieties and flavors, many suited for specific purposes and some for multiple. Today, we'll look at a malware named “redtail” whose purpose falls under the category "coin miners": software illegally uploaded to hosts for the purpose of covertly mining cryptocurrency for a remote actor by hijacking a host’s resources. The question we’d like answered is what capabilities modern coin miners possess, and how they can be identified. Using this information from modern threat feeds could both give further insight into the threat actors perpetuating this attack, while also giving a glimpse into the current capabilities of coin miner malware actively being used in today’s threat landscape.
Description of the Subject
The “redtail” samples being evaluated are a look into a modern variant of coin miner malware being used in the wild today. The samples are interesting in that they have the capability to run on 4 different CPU architectures, showing just how much this malware could potentially infect a vast number of devices/hosts. We’ll be looking into the process of how the threat actor gained initial access, who the threat actors are, the different samples uploaded, and how these samples were identified as a coin miner ...
Read the full entry: