INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Handling BOM MIME Files
Published: 2024-06-19
Last Updated: 2024-06-19 09:23:22 UTC
by Didier Stevens (Version: 1)
A reader contacted me with an eml file (which turned out to be benign) that emldump.py could not parse correctly.
I've written several diary entries explaining how to analyse MIME/eml files with my emldump.py tool, back in the days when threat actors were discovering all kinds of obfuscation tricks that I tried to defeat in my emldump.py tool.
The output of emldump.py for a sample MIME/eml file looks like this ...
Read the full entry:
https://isc.sans.edu/diary/Handling+BOM+MIME+Files/31022/
New NetSupport Campaign Delivered Through MSIX Packages
Published: 2024-06-17
Last Updated: 2024-06-17 07:22:40 UTC
by Xavier Mertens (Version: 1)
It's amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport client preconfigured to phone home to an attacker-controlled manager. Remote support tools are really "cool" for attackers because they provide a perfect way to communicate with infected computers without the need to develop their own C2 infrastructure and protocol! If some are popular and often searched for as evidence of compromise (like AnyDesk or TeamViewer), there are others, like NetSupport, that tend to remain below the radar. This one is available for free for 30 days (more than enough to launch a campaign) and provides all the expected features to interact with victims ...
Read the full entry:
https://isc.sans.edu/diary/New+NetSupport+Campaign+Delivered+Through+MSIX+Packages/31018/
Port 1801 Traffic: Microsoft Message Queue
Published: 2024-06-12
Last Updated: 2024-06-12 17:49:25 UTC
by Johannes Ullrich (Version: 1)
I planned a bit more of a conclusive story here, but after running into issues decoding the packets and running out of time between looking at student papers, I figured I would leave it up to the audience ;-) Maybe someone here better understands the Microsoft Message Queue (MSMQ) protocol.
Yesterday's Microsoft patch Tuesday included a single critical vulnerability, a code execution vulnerability in MSMQ. I noted in the podcast that we see some "background hum" on port 1801, the port used by MSMQ ...
So I fired up some netcat listeners on port 1801, and after a short wait, this is what I got ...
Read the full entry:
https://isc.sans.edu/diary/Port+1801+Traffic+Microsoft+Message+Queue/31004/