admin – Malware University

Manual Scraping

Posted on August 3, 2024 by admin

Sometimes it’s better to do things by hand. Google has some useful Dorks and may become difficult accessing enough results in an automated fashion. With a little JavaScript fu we can dig out of logistical messes with a human touch:

// Download from a Google search result to txt
// Get all links from the unique class (changes)
let links = document.querySelectorAll('.yuRUbf a');

// Extract the href attributes (URLs)
let urls = Array.from(links).map(link => link.href);

//
// Create a Blob from the URLs.
// This will help us create an easy-to-download text file for local consumption.
//
let blob = new Blob([urls.join('\n')], { type: 'text/plain' });

// Create a link element (to "download" later)
let link = document.createElement('a');

// Set the download attribute with a filename
link.download = 'urls.txt';

// Create a URL for the Blob and set it as the href attribute
link.href = window.URL.createObjectURL(blob);

// Append the link to the document body
document.body.appendChild(link);

// Programmatically click the link to trigger the download
link.click();

// Remove the link from the document
document.body.removeChild(link);

You can simply download and your browser should number them sequentially as you click along the results page numbers. From there, you can “cat * > somefile.txt” to aggregate results.

Happy link building, friends.

How to run: Open the Developer Tools for your browser (Ctrl + Shift + I). Click “console”. Copy/paste the code. Enjoy.

How this works: We use the results from manually searching Google to download a list of sites in the returned data series. A little JavaScript magic to create a downloadable element on-the-fly to quickly “scrape” data using Google’s coveted search capabilities.

Nitter Replacement

Posted on July 4, 2023 - July 4, 2023 by admin

Elon decided to kill Twitter recently. Here is a script which can read from your favorite author(s):

#!/bin/sh

[ -z "$1" ] && echo "USAGE: $(basename $0) username_to_search" && exit

USERNAME=$1

echo "Searching..."

ACCESS_TOKEN=$(curl -s -X POST "https://api.twitter.com/oauth2/token?grant_type=client_credentials" -u "CjulERsDeqhhjSme66ECg:IQWdVyqFxghAtURHGeGiWAsmCAGmdW3WmbEx6Hck" | jq .access_token | cut -d '"' -f 2)

GUEST_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $ACCESS_TOKEN" "https://api.twitter.com/1.1/guest/activate.json" | jq .guest_token | cut -d '"' -f 2)

USER_ID=$(curl -s -X GET -H "Authorization: Bearer $ACCESS_TOKEN" \
-H "x-guest-token: $GUEST_TOKEN" \
-H "x-twitter-active-user: yes" \
-H "Referer: https://twitter.com/" \
"https://api.twitter.com/graphql/oUZZZ8Oddwxs8Cd3iW3UEA/UserByScreenName?variables=%7B%22screen_name%22%3A%22$USERNAME%22%2C%22withSafetyModeUserFields%22%3Atrue%7D&features=%7B%22hidden_profile_likes_enabled%22%3Afalse%2C%22responsive_web_graphql_exclude_directive_enabled%22%3Atrue%2C%22verified_phone_label_enabled%22%3Afalse%2C%22subscriptions_verification_info_verified_since_enabled%22%3Atrue%2C%22highlights_tweets_tab_ui_enabled%22%3Atrue%2C%22creator_subscriptions_tweet_preview_api_enabled%22%3Atrue%2C%22responsive_web_graphql_skip_user_profile_image_extensions_enabled%22%3Afalse%2C%22responsive_web_graphql_timeline_navigation_enabled%22%3Atrue%7D" \
| jq -r '.data.user.result.rest_id')

curl -s -X GET -H "Authorization: Bearer $ACCESS_TOKEN" \
-H "x-guest-token: $GUEST_TOKEN" \
-H "x-twitter-active-user: yes" \
-H "Referer: https://twitter.com" "https://api.twitter.com/graphql/pNl8WjKAvaegIoVH--FuoQ/UserTweetsAndReplies?variables=%7B%22userId%22%3A%22$USER_ID%22,%22count%22%3A40,%22includePromotedContent%22%3Atrue,%22withCommunity%22%3Atrue,%22withSuperFollowsUserFields%22%3Atrue,%22withDownvotePerspective%22%3Afalse,%22withReactionsMetadata%22%3Afalse,%22withReactionsPerspective%22%3Afalse,%22withSuperFollowsTweetFields%22%3Atrue,%22withVoice%22%3Atrue,%22withV2Timeline%22%3Atrue%7D&features=%7B%22responsive_web_twitter_blue_verified_badge_is_enabled%22%3Atrue,%22responsive_web_graphql_exclude_directive_enabled%22%3Atrue,%22verified_phone_label_enabled%22%3Afalse,%22responsive_web_graphql_timeline_navigation_enabled%22%3Atrue,%22responsive_web_graphql_skip_user_profile_image_extensions_enabled%22%3Afalse,%22tweetypie_unmention_optimization_enabled%22%3Atrue,%22vibe_api_enabled%22%3Atrue,%22responsive_web_edit_tweet_api_enabled%22%3Atrue,%22graphql_is_translatable_rweb_tweet_is_translatable_enabled%22%3Atrue,%22view_counts_everywhere_api_enabled%22%3Atrue,%22longform_notetweets_consumption_enabled%22%3Atrue,%22tweet_awards_web_tipping_enabled%22%3Afalse,%22freedom_of_speech_not_reach_fetch_enabled%22%3Afalse,%22standardized_nudges_misinfo%22%3Atrue,%22tweet_with_visibility_results_prefer_gql_limited_actions_policy_enabled%22%3Afalse,%22interactive_text_enabled%22%3Atrue,%22responsive_web_text_conversations_enabled%22%3Afalse,%22longform_notetweets_richtext_consumption_enabled%22%3Afalse,%22responsive_web_enhance_cards_enabled%22%3Afalse%7D" \
| jq '..|.full_text?|select(length>0)'

MFA Abuse in Splunk

Posted on August 11, 2022 - August 11, 2022 by admin

With all the MFA bombing/lazy swiping going on, maybe you need to find such abuses in your environment.

Twilio, Cloudflare, and Cisco were all hit recently with 2FA/MFA attacks and valid stolen credentials.

index=okta sourcetype=OktaIM2:log eventType=system.push.send_factor_verify_push OR ((legacyEventType=core.user.factor.attempt_success) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH)) OR ((legacyEventType=core.user.factor.attempt_fail) AND (debugContext.debugData.factor=OKTA_VERIFY_PUSH))
| stats count(eval(legacyEventType="core.user.factor.attempt_success")) as successes count(eval(legacyEventType="core.user.factor.attempt_fail")) as failures count(eval(eventType="system.push.send_factor_verify_push")) as pushes by authenticationContext.externalSessionId, user, _time
| stats latest(_time) as lasttime earliest(_time) as firsttime sum(successes) as successes sum(failures) as failures sum(pushes) as pushes by authenticationContext.externalSessionId, user
| eval seconds=lasttime-firsttime
| eval lasttime=strftime(lasttime, "%c")
| search (pushes > 3)
| eval totalattempts=successes+failures
| eval finding="Normal authentication pattern"
| eval finding=if(failures==pushes AND pushes>1, "Authentication attempts not successful because multiple pushes denied", finding)
| eval finding=if(totalattempts==0, "Multiple pushes sent and ignored", finding)
| eval finding=if(successes > 0 AND pushes > 3, "Multiple pushes sent, potential abuse detected", finding)
| where seconds < 300

Virtualbox Automation

Posted on March 23, 2022 - March 23, 2022 by admin

The following Python code may be used to remotely control a Virtualbox-managed virtual machine. It is useful for batch testing or malware analysis (sandbox management).

#!/usr/bin/env python3

#
# Installing the virtualbox deps:
#   python3 -m pip install pyvbox
#   Download the VirtualBox SDK from https://www.virtualbox.org/wiki/Downloads
#   Unzip the package
#   cd sdk/installer
#   python3 vboxapisetup.py install
#

import virtualbox
import logging


class Sandbox(object):
    def __init__(self, name):
        vbox = virtualbox.VirtualBox()
        self.vm = vbox.find_machine(name)
        #self.session = virtualbox.Session()
        self.session = virtualbox.library.ISession(self.vm.create_session())

        return


    def start(self):
        logging.info('Starting the VM from Office snapshot')
        self.snapshot = self.vm.find_snapshot('Office 2007 Live')
        progress = self.session.machine.restore_snapshot(self.snapshot)
        progress.wait_for_completion()
        self.session.unlock_machine()
        # progress = self.vm.launch_vm_process(self.session, 'headless', '')
        progress = self.vm.launch_vm_process(self.session, '', '')
        progress.wait_for_completion()

        if self.vm.state == self.vm.state.running:
            print('Successfully running')
        print('Done')

        # Create guest session.
        self.console = virtualbox.library.IConsole(self.session.console)
        self.guest = self.console.guest
        # self.guest.sessions[0] contains our IGuestSession object
        self.os_type = self.guest.os_type_id	    # Example
        # self.guest = virtualbox.library.IGuest(self.session)
        # Session is already established in snapshot of unlocked machine?
        self.g_session = self.guest.create_session('malware', 'password', '', '')

        return


    #
    # Username is 'malware'; password is 'password'
    #
    def guest_session_test(self):
        self.console = virtualbox.library.IConsole(self.session.console)
        self.guest = self.console.guest
        # self.guest.sessions[0] contains our IGuestSession object
        self.os_type = self.guest.os_type_id	    # Example
        # self.guest = virtualbox.library.IGuest(self.session)
        # Session is already established in snapshot of unlocked machine?
        self.g_session = self.guest.create_session('malware', 'password', '', '')
        # 1 = R
        # 2 = 
        # 3 = RW
        flag = virtualbox.library.FileCopyFlag(0)
        # This stores the file in your user's home directory by default.
        self.g_session.file_copy_from_guest('C:/Program Files (x86)/Microsoft Office/Office12/GRAPH.EXE', 'C:/WINDOWS/Temp/graph.exe', [flag])


    def drop_artifact(self, artifact_path, destination_on_guest):
        logging.info('About to drop "{}" to "{}"'.format(artifact_path, destination_on_guest))
        flag = virtualbox.library.FileCopyFlag(0)
        progress = self.g_session.file_copy_to_guest(artifact_path, destination_on_guest, [flag])
        progress.wait_for_completion()
        logging.info('"{}" successfully dropped to guest'.format(artifact_path))

        return


    def receive_artifact(self, src_on_guest, path_host_save):
        logging.info('About to pull "{}" to "{}"'.format(src_on_guest, path_host_save))
        flag = virtualbox.library.FileCopyFlag(0)
        progress = self.g_session.file_copy_from_guest(src_on_guest, path_host_save, [flag])
        progress.wait_for_completion()
        logging.info('"{}" successfully saved to "{}"'.format(src_on_guest, path_host_save))

        return


    def execute_command(self, 
                        executable_path: str, 
                        arguments: [str],
                        environment_changes: [str],
                        process_create_flag: [virtualbox.library.ProcessCreateFlag],
                        timeout_ms: int,
                        priority: virtualbox.library.ProcessPriority,
                        affinity: [int]):
        terminate_flag = virtualbox.library.ProcessWaitForFlag(2)

        self.guest_process = self.g_session.process_create_ex(  executable_path, 
                                                                arguments, 
                                                                environment_changes,
                                                                process_create_flag,
                                                                timeout_ms,
                                                                priority,
                                                                affinity)
        logging.info('Process "{}" successfully kicked off...waiting for it to finish'.format(executable_path))
        self.process_wait_result = self.guest_process.wait_for(terminate_flag)
        if self.process_wait_result == virtualbox.library.ProcessWaitResult(5):
            logging.info('Process "{}" exceeded the timeout threashold of {} milliseconds'.format(  executable_path,
                                                                                                    str(timeout_ms))) 
        elif self.process_wait_result == virtualbox.library.ProcessWaitResult(2):
            logging.info('Process "{}" terminated gracefully'.format(executable_path))


    def stop(self):
        # Shut off VM
        progress = self.session.console.power_down()
        progress.wait_for_completion()

        return


s = Sandbox('Windows 7 Office')
s.start()
# s.guest_session_test()
s.drop_artifact('C:/WINDOWS/System32/cmd.exe', 'C:/WINDOWS/Temp/cmd_2016.exe')
#s.execute_command(  'C:/WINDOWS/Temp/cmd_2016.exe',
s.execute_command(  'C:/Program Files (x86)/Microsoft Office/Office12/GRAPH.EXE',
                    [],
                    [],
                    [virtualbox.library.ProcessCreateFlag(0)],
                    20000,
                    virtualbox.library.ProcessPriority(1),
                    [])
s.stop()

Repository Poisoning

Posted on March 23, 2022 - March 23, 2022 by admin

This stuff has been going on since at least the middle 2000s with the Debian APT repository getting popped by dikline, installing a backdoored ssh daemon and notifying a remote server when ruby was downloaded and installed.

An activist released several updates to a popular nodejs repository he helps run, which gets about 1 million downloads a week. RIAevangelist thought he could help the current situation in Eastern Europe by wiping all files on disk by renaming them all with a [heart] icon if a web service reported they were geolocated in Russia or Belarus.

He quickly had his Twitter account compromised and had docs dropped on him, alleging infidelity to his Japanese wife, along with other personal and family details and a message from the hacker to not mess around with things bigger than him.

Companies and open source projects around the world are concerned with such behavior as this is, yet again, another example of massive supply chain dependencies in our software world which are taken for granted. All you need is one bad actor to potentially bring your business or community down.

Some companies may be paranoid and resourceful enough to maintain their own repositories if they were not already doing so. Otherwise they will continue to trust the devil they don’t know.

This is a potentially big blow for the open source community and high level interpreted languages everywhere.

Trust is paramount to business.

Bastion

Posted on November 5, 2021 - November 5, 2021 by admin

Not all job scams are the same. Some have you work legitimately and pay a going rate, while in this case you deliver them the expertise needed to steal. Hacking group FIN7 was caught operating Bastion Security, fronting as a British company yet operating out of Russia.

A threat intelligence company had a source join the underground group via the front business. The spy was able to obtain FIN7 tooling once joining. Carbanak and Lizar/Tirion were the tools he found the group using for “pentests”.

Jobs were advertised around $1000 USD per month for 9 – 12 hours of work per day through the week. Rough conditions for Eastern Europeans.

Bastion took cover with their name, trying to pass themselves off as other legitimate security-named companies registered and known to major search engines. Their website looks legitimate yet is mostly copied from Convergent Network Solutions.

Part of the demands of the group is for an operator to install VMs locally with ports to the host unblocked.

OpenSea NFT Bug

Posted on October 14, 2021 - October 14, 2021 by admin

Users are being sent “gifts” with executable photos. Within a browser context. Siphoning off peoples’ JS-powered wallet by communicating within the browser. Requires some social engineering to get an extra click, confirming the siphoning.

Watch your wallets.

WHOIS Quick Summary

Posted on October 9, 2021 - October 9, 2021 by admin

This is a useful WHOIS query tool. Gives you the most important information you need in an easy-to-read-and-understand format.

#!/bin/bash

if [ -e ${1} ]; then
    echo "You did not supply a domain"
    exit 1
fi

DOMAIN=${1}
CMD=$(whois ${DOMAIN})

function HandleRIPE {
    # I wanted to make life hard on myself by echoing out the unformatted string.
    # We get to play with grep-based look ahead parsing to extract strings.
    # xargs will clean the output.
    # echo "INetNum|"$(echo ${CMD} | grep -o -P '(?<=inetnum:).*(?=netname:)' | xargs)
    echo "INetNum|"$(echo "${CMD}" | grep -m 1 'inetnum' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Country|"$(echo "${CMD}" | grep -m 1 'country' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "OrgName|"$(echo "${CMD}" | grep -m 1 'org-name' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Phone|"$(echo "${CMD}" | grep -m 1 'phone' | cut -d':' -f2- | xargs 2>/dev/null)
    Remarks=()
    # echo "${CMD}" | grep 'remarks' | while read -r line ; do
    while read line; do
        found=0
        fmt_line=$(echo "${line}" | cut -d':' -f2- | xargs 2>/dev/null)
        len_remarks=${#Remarks[@]}
        if [ ${len_remarks} -eq 0 ]; then
            Remarks+=("${fmt_line}") 
            # echo "Remarks|${fmt_line}"
        else
            for i in "${Remarks[@]}"; do 
                echo "$i" | grep "${fmt_line}" 2>&1 > /dev/null
                if [ $? -eq 0 ]; then 
                    # Remarks+=("${fmt_line}")
                    # echo "Remarks|${fmt_line}"
                    found=1
                fi
            done
            # BASH is not a real programming language.
            # Can't do [ ! ${found} ]
            # # true -eq false if [[ ${found} -eq false ]]; then
            if [ ${found} -eq 0 ]; then 
                Remarks+=("${fmt_line}")
            fi
        fi
    # done
    done < <(echo "${CMD}" | grep 'remarks')
    # Damned subshells, need to implement process substitution to redirect output from separate processes to keep
    # this variable alive.
    for i in "${Remarks[@]}"; do
        echo "Remarks|${i}"
    done
}

function HandleARIN {
    # I wanted to make life hard on myself by echoing out the unformatted string.
    # We get to play with grep-based look ahead parsing to extract strings.
    # xargs will clean the output.
    # echo "INetNum|"$(echo ${CMD} | grep -o -P '(?<=inetnum:).*(?=netname:)' | xargs)
    echo "INetNum|"$(echo "${CMD}" | grep -m 1 'NetRange' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Country|"$(echo "${CMD}" | grep -m 1 'Country' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "OrgName|"$(echo "${CMD}" | grep -m 1 'OrgName' | cut -d':' -f2- | xargs 2>/dev/null)
    echo "Phone|"$(echo "${CMD}" | grep -m 1 'OrgAbusePhone' | cut -d':' -f2- | xargs 2>/dev/null)
    Remarks=()
    # echo "${CMD}" | grep 'remarks' | while read -r line ; do
    while read line; do
        found=0
        fmt_line=$(echo "${line}" | cut -d':' -f2- | xargs 2>/dev/null)
        len_remarks=${#Remarks[@]}
        if [ ${len_remarks} -eq 0 ]; then
            Remarks+=("${fmt_line}") 
            # echo "Remarks|${fmt_line}"
        else
            for i in "${Remarks[@]}"; do 
                echo "$i" | grep "${fmt_line}" 2>&1 > /dev/null
                if [ $? -eq 0 ]; then 
                    # Remarks+=("${fmt_line}")
                    # echo "Remarks|${fmt_line}"
                    found=1
                fi
            done
            # BASH is not a real programming language.
            # Can't do [ ! ${found} ]
            # # true -eq false if [[ ${found} -eq false ]]; then
            if [ ${found} -eq 0 ]; then 
                Remarks+=("${fmt_line}")
            fi
        fi
    # done
    done < <(echo "${CMD}" | grep 'remarks')
    # Damned subshells, need to implement process substitution to redirect output from separate processes to keep
    # this variable alive.
    for i in "${Remarks[@]}"; do
        echo "Remarks|${i}"
    done
}

#
# If we receive a RIPE query, the user supplied an IP.
# We also need to handle ARIN queries.
#
echo "${CMD}" | grep "RIPE" 2>&1 > /dev/null
if [ $? -eq 0 ]; then
    HandleRIPE  
    exit 0
fi
echo "${CMD}" | grep "ARIN" 2>&1 > /dev/null
if [ $? -eq 0 ]; then
    HandleARIN
    exit 0
fi

#
# Command xargs by itself removes the whitespace, amazing!
#
echo "Registrar|"$(echo "${CMD}" | grep -m 1 'Registrar URL' | cut -d':' -f2- | xargs 2>/dev/null)
echo "AbuseEmail|"$(echo "${CMD}" | grep -m 1 'Registrar Abuse Contact Email' | cut -d':' -f2 | xargs 2>/dev/null)
echo "AbusePhone|"$(echo "${CMD}" | grep -m 1 'Registrar Abuse Contact Phone' | cut -d':' -f2 | xargs 2>/dev/null)
# Two results are returned on some WHOIS in the field.  Only show the date, not time.
echo "CreationDate|"$(echo "${CMD}" | grep -m 1 'Creation Date' | cut -d':' -f2 | cut -d'T' -f1 | xargs 2>/dev/null)

Resourceful Fraudster Frees Phones, Gets Prison

Posted on September 21, 2021 - September 21, 2021 by admin

AT&T, world’s largest telecom company, reported losses over $200,000,000 USD after a Pakistani fraudster, Muhammed Fahd, started and managed several unlocking services since the summer of 2012.

Fahd recruited AT&T employees with monetary bribes to allow his companies the ability to unlock tethered cell phones purchased under contract by customers of AT&T. AT&T caught on in April 2013, blocking the ability of certain staff to unlock cell phones.

A malware developer was hired to create software which allowed the fraud team to collect and analyze network data of how AT&T was unlocking customers’ cell phones. This allowed the team to unlock cell phones via their third-party companies from Pakistan.

The bribery continued with asking employees to implant hardware devices such as WiFi access points within the company’s internal network.

At least 1,900,033 cell phones were unlocked by his team, allegedly worth $201,497,430.94 USD to AT&T. His companies included Swif Unlocks Inc, Endless Trading FZE, Endless Connections Inc, and iDevelopment Co.

Hong Kong made the arrest of Fahd in February 2018. August 2019 he was extradited to the US to face judgement. He is now sentenced to 12 years in prison for committing wire fraud, which he admitted to in September 2020.

PowerShell Monitor File Activity

Posted on September 14, 2021 - September 14, 2021 by admin

This script allows you to monitor the file-related events (recursive) under a given folder. Be careful with short paths.

$folder = 'c:\scripts' # Enter the root path you want to monitor.
$filter = '*.*'  # You can enter a wildcard filter here.  Like *.bat.

# In the following line, you can change 'IncludeSubdirectories to $true if required.                          
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}

# Here, all three events are registerd.  You need only subscribe to events that you need:

Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore green
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}

Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore red
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}

Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host "The file '$name' was $changeType at $timeStamp" -fore white
Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}