Sunday, April 23, 2017

Ransomware, fala sério!

Recently, a user contacted me in regards to what looks like a new, Brazilian ransomware. In this blog post, we're taking a quick look at the ransom and how to unlock or decrypt your files.

TL;DR: to unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

The title of this blog loosely translates to: ransomware, no way! (excuse my Portuguese)

The ransomware appears to call itself 'Sem Solução'; which translates to 'Hopeless' or 'No Solution'. I propose we call it 'Hopeless ransomware':

Figure 1 - 'Seus arquivos foram criptografados'

Sua IDNão a formas de recuperar sem comprar a senha, ser tenta eu apago tudo!O método de pagamento é via Bitcoins.  O preço é: 600,00 REAIS =  Bitcoins
Não tem Bitcoins?, pesquise no google e aprenda comprar ou clique em Compra Bitcoinsenvie os bitcoins para: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1Para receber a senha, voce precisa criar uma e-mail em https://mail.protonmail.comE enviar SUA ID para em 24h ou mais voce receberá a sua senha!, Obrigado..


Your IDNot the ways to recover without buying the password, be try I delete everything!The method of payment is via Bitcoins. The price is: 600,00 REAIS = Bitcoins
Do not have Bitcoins ?, search google and learn how to buy or click Buy BitcoinsSend the bitcoins to: 1LULpQbdvoAWqKzhe8fuMiPQ8iGdW36pk1To receive the password, you need to create an email at https://mail.protonmail.comAnd send YOUR ID to in 24h or more you will receive your password !, Thank you ..

The price is 600 REAIS (Brazilian Real), which currently amounts to 0.15 BTC.
(176 EUR | 155 GBP | 199 USD)

Interestingly enough, the ransomware has a built-in function to detect whether or not your machine belongs to a domain, and if so, will increase the amount of ransom to be paid to a whopping 1000 REAIS, or 0.25 BTC. (293 EUR | 259 GBP | 333 USD)

Figure 2 - Func _get_bitcoin_value()

The ransomware author or authors is/are definitely not kidding: if you enter a wrong password, the ransom will start deleting files.

Figure 3 - 'Error!", "Senha de descriptografia errada, NA PROXIMA 500 ARQUIVOS SERÃO EXCLUIDOS!'

Files to encrypt, including those used in virtualization software such as VMware for example:

zip, 7z, rar, pdf, doc, docx, xls, xlsx, pptx, pub, one, vsdx, accdb, asd, xlsb, mdb, snp, wbk, ppt, psd, ai, odt, ods, odp, odm, , , odc, odb, docm, wps, xlsm, xlk, pptm, pst, dwg, dxf, dxg, wpd, rtf, wb2, mdf, dbf, pdd, eps, indd, cdr, dng, 3fr, arw, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrw, nef, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, abw, til, aif, arc, as, asc, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bbb, bdb, bibtex, bkf, bmp, bpn, btd, bz2, c, cdi, himmel, cert, cfm, cgi, cpio, cpp, csr, cue, dds, dem, dmg, dsb, eddx, edoc, eml, emlx, EPS, epub, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, hpp, ics, idml, iff, img, ipd, iso, isz, iwa, j2k, jp2, jpf, jpm, jpx, jsp, jspa, jspx, jst, key, keynote, kml, kmz, lic, lwp, lzma, M3U, M4A, m4v, max, mbox, md2, mdbackup, mddata, mdinfo, mds, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nes, note, nrg, nri, afsnit, ogg, ova, ovf, oxps, p2i, p65, p7, pages, pct, PEM, phtm, phtml, php, php3, php4, php5, phps, phpx, phpxx, pl, plist, pmd, pmx, ppdf, pps, ppsm, ppsx, ps, PSD, pspimage, pvm, qcn, qcow, qcow2, qt, ra, rm, rtf, s, sbf, set, skb, slf, sme, smm, spb, sql, srt, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, wbverify, wav, webm, wmb, wpb, WPS, xdw, xlr, XLSX, xz, yuv, zipx, jpg, jpeg, png, bmp

Additionally, Steam users aren't spared of getting their files encrypted either:

Figure 4 - Executable files in Steam's games directory will be encrypted

In reality, it appears all files are encrypted, regardless of extension.

The ransomware ultimately calls home and leverages Pastebin to do so. However, when analysing the ransomware, none of the Pastebin links were online as they had been removed.

$data = "pcname=" & @ComputerName & "&hwid=" & $key & "&version=Locker"

At time of writing, no payments have been made as of yet to the Bitcoin address:

The ransomware encrypts files prepending the original extension with '.encrypted.'. For example;
image.png would become: image.encrypted.png

The ransomware is based on CryptoWire, an open-sourced ransomware written in AutoIT.


To unlock your files, you can use the key or password: 123
Para desbloquear seus arquivos, você pode usar a chave ou a senha: 123

Note: as always, prevention is more important than decryption or disinfection! Have a look at the dedicated page I've set up here.


While ransomware is anything but uncommon, ransomware very likely stemming from Brazil and specifically targeting Brazilian users and businesses, is a less frequent occurence. In fact, the only notable example, as far as I know, is TeamXRat also known as Xpan ransomware.

Below you may find IOCs.


Tuesday, March 28, 2017

Popular attacker tools & techniques: survey results

In my last blog post, I decided to create a survey as to get a better perspective on popular or favourite tools of attackers, red teamers and/or pentesters.

Below  I present the results, with additional & minimal commentary from my side. Comments are below the figures. Note this is not fully indicative of an attacker or threat actor's arsenal, but I do hope it can give anyone some pointers. Enjoy the journey.

Yes, you may use this data as long as you mention the original source, which is this exact blog post. You may find a direct SurveyMonkey link to the results here.

Figure 1 - What do you do
Answered: 76 

First and foremost question: what do you do? Are you a red/blue or purple teamer? Or no idea at all?
Most people that answered were red teamers. Awesome! If you have no idea what any of this means, or you are just starting with all this, then I definitely advise you to read the following:
The Difference Between Red, Blue, and Purple Teams.

Figure 2 - Favourite lateral movement method

Answered: 66

Second question definitely yielded interesting results; with Pass the Hash (PtH) as most favourite or preferred method of lateral movement. Note that I shamelessly used this list from Mitre's excellent ATT&CK page on Lateral Movement here:

Figure 3 - Favourite AV bypass tool
Answered: 64 

Bypassing AV can be interpreted quite broadly, but let's say using the most well-known tools with ability to evaded AV - with which Metasploit takes the lead, and Veil a close second.

Figure 4 - Favourite web app pentest tool
Answered: 66

Burp seems to have the biggest share of being most popular or used web app pentest tool.

Figure 5 - Favourite PowerShell tool
Answered: 66

This is definitely one of the, if not the most, interesting results of all questions. PowerShell Empire takes the lead, with PowerSploit following very closely... And not too far off is PowerShell itself. Draw your conclusions.

Figure 6 - Favourite credential dumper

Answered: 67

Mimikatz seems to be the most preferred credential dumper all around.

Figure 7 - Favourite password brute forcer

Answered: 66

Hashcat, Hydra and John the ripper rank amongst the top three of password brute forcers.

Figure 8 - Usage of RATs

Answered: 69 

This question and the next overlap slightly - if an attacker doesn't (or can't) build custom malware, they may be more inclined to use RATs (freely available or not). Building a RAT is definitely more trivial than building or writing custom malware.

However, don't be fooled. If an attacker is strongly motivated, it's not a question of if they'll get on the network, but when. Take appropriate defensive measures.

Figure 9 - Usage of malware
Answered: 58

Repeating: attackers will not hesitate to use custom malware which is adapted or tailored to/for your environment! (and to evade any security controls or measures in place)

Figure 10 - Application Whitelisting bypasses
Answered: 69

A rather surprising result, seeing 11 of the respondents either skipped, or didn't know what Application Whitelisting is. (and as such, how it may be bypassed)

I can definitely recommend you to check out Casey Smith's Catalog of Application Whitelisting Bypass Techniques.

Extra comments

... provided by some of the respondents yielded additional tools and information:

Lateral movement methods:
PowerUpSQL, CrackMapExecWin, smbexec, PowerSCCM, Kerberoasting, CobaltStrike (after obtaining admin creds for another system), WMI, Password reuse.

AV bypass:
PS Empire, PEspin, Shellter, and even manually.

Web app pentesting:
metasploitHelper, Dirb, dirbuster, Kali2.

PowerShell tools:
Compress-File.ps1, BloodHound, PowerLurk, PowerSkype.ps1, PowerOPS, PowerForensics,

Credential dumping:
mimikittenz, go-mimikatz.

Password brute forcing:
Nmap NSE "brute"-category scripts, patator, Invoke-SMBAutoBrute.ps1, HashcatOCL.

RATs and malware:
Empire, Meterpreter (Metasploit), ADC2.ps1, ThinkPwn, manwhoami/Bella, tinymet/Ultimet, CobaltStrike beacons.


You may wonder if every attacker will use every tool on this list. They may well do so, or not use any of the tools and scripts discussed at all, and rather write everything tailored to your environment.

Also keep in mind that an attacker's TTPs may change over the course of weeks, months or even years. However, some tools will always be popular and withstand the test of time.

What's next?

I definitely advise you to either subscribe to feeds, or follow people on Twitter - both red teamers and blue teamers. Often, they both provide a unique insight which in turn will help you to defend better as well. Don't hesitate to share your findings with the community!

Try to think like an attacker. Leave nothing out.

I'm not sure where to start.

Why not start by checking out a real live intrusion that happened, featuring APT29? There's an excellent presentation out there by Matthew Dunwoody and Nick Carr here:

Another excellent blog to check out is:

I additionally advise you to check out Matt Swan's Incident Response Hierarchy of Needs. If you like hierarchies or pyramids. definitely check out the threat intelligence Pyramid of Pain by David Bianco.

Lastly, there's a good paper on detecting lateral movement in Windows infrastructure by CERT-EU.

Still in doubt? Start Googling some of the TTPs mentioned above and check out their functionality - and shortcomings!

What about PowerShell and all its misuses?

If your organisation has no need for it, disable PowerShell by configuring AppLocker. Note that PowerShell has many valid usages as well, such as logon scripts. There's a short blog post by Michael Schneider here that touches on this very subject: A story about blocking PowerShell

If you do want to use PowerShell, I advise you to upgrade to the latest version (currently v5) and turn on all the logging! A blog post worth reading: Greater Visibility Through PowerShell Logging

And the last one in regards to PowerShell is a very recent blog post written by Ashley McGlone:
Practical PowerShell Security: Enable Auditing and Logging with DSC

What about AV and how it can be bypassed?

AV should never be your only layer of protection. Next-gen or not.

What about... ?

Where there are attackers, there are defenders and vice versa. Use Event Logging. Use Sysmon.

I'm a red teamer, where can I find more information?

A recent post by Artem Kondratenk offers a ton of resources and insight:
A Red Teamer's guide to pivoting

Can I use this data?

Of course! As long as you mention the original source, which is this exact blog post. You may find a direct SurveyMonkey link to the results here.

Thanks to all the participants, and to you for reading!

Please do comment with your feedback or questions or anything else you would like to discuss.

Sunday, March 12, 2017

Survey: favourite Red team / Pentest / Attacker methods & tools

Popular attacker tools & techniques: survey results

Yesterday I've set up a SurveyMonkey poll in regards to one's favourite Red team / Pentest / Attacker methods & tools.

Purpose of this survey is to get a better insight into which TTPs actual attackers usually use, or at least to get an insight in the most common methods leveraged by red teamers.

Unfortunately, the free version of SurveyMonkey allows only up to 10 questions. Answers are completely anonymous. The survey will run for 7 days, or until 100 responses are received, after which I'll publish a new blog post with the results and some comments.

You can find the survey below, please feel free to complete it and to share:

Saturday, February 25, 2017

Android malware on the rise

Recently, a friend of mine encountered an interesting phishing attempt:

The message reads:
DHL has attempted to deliver the parcel no.: 1993747, but nobody was available. Please arrange re-delivery using our mobile app: http://dhl-tracking[.]online/app.apk

In this blog post, we'll analyse the malware in question (Marcher, banking trojan) and provide disinfection and prevention advice. Click on any of the relevant links below according to your needs:



When you visit the link, a file called app.apk gets downloaded with the following characteristics:

MD5 80c797acf9bdbe225e877520275e15f5
SHA1 f255de54ffbff87067cfa7bc30d6d87a00aded8f
SHA256 fcd18a2b174a9ef22cd74bb3b727a11b4c072fcef316aefbb989267d21d8bf7d
Package name ijrtc.jwieuvxpjavuklczxdqecvhrjcvuho

The application presents itself as 'DHL Express Mobile' while being installed and will ask for device administrator rights:

Figure 1 - System service

Basically, the app can do anything it desires:

Figure 2 - Permissions; this includes & reading text messages

Figure 3 - Permissions; note the 'modify system settings'

The payload, or the actual malware that is installed, is the Marcher banking trojan. Recently, it has been masquerading as applications for package delivery, such as DHL in the example above, Posta Online or an app called Alza.

Marcher checks if any of the following antivirus or security products are installed:

Figure 4 - AV list

... And targets the following applications:

Figure 5 - Targeted apps

Besides targeting antivirus applications, Marcher also uses some nasty tricks to avoid removal:

  • Marcher installs itself as Device Administrator, effectively making the user unable to force the process to stop or uninstall the application normally;
  • When you attempt to force uninstall the application, it will show you the device administrator prompt, as seen in Figure 1, which will continue to pop-up.

All in all, the malware isn't obfuscated much, but still proves to have particular persistence mechanisms. One does not exclude the other.

If you are only here for Indicators of Compromise, please find below:

You may also want to check out my blog post which provides a plethora of options and software/tools on how to analyze Android malware:
Analysing Android files


Marcher proves more difficult to remove as outlined above. The best way in this case is to back up your files and reinstall your operating system.

There is an excellent article on MakeUseOf on how to get to your phone's 'safe mode', create a back-up and finally factory restore or reinstall your operating system:
Dealing with System Problems in Android: Safe Mode, Factory Reset & Restoring Backups

Alternatively, you may try the following steps to remove Marcher, which also involves going into safe mode:

  • Hold down the Power button on the side of your phone until a popup appears.
  • On the menu that shows up, hold down the Power Off option until a popup appears.
  • Tap OK to reboot into Safe Mode.
  • You should now be in Safe Mode.
  • Go to Settings > Security > Device administration > Device administrators or Phone administrators.
  • Tap on the malicious application.
  • Tap Deactivate in the next screen. In our example:

Figure 6 - deactive the app

  • Now, go to  Settings > Applications or Apps > Manage applications > tap the malicious app > Uninstall.

For normal applications that don't have device administrator rights, only the last step is sufficient.

Afterwards, change all your passwords and notify your bank to be on lookout for any fraudulent transactions. Do this also if your bank is not listed (affected banks pictured in Figure 5).

Additionally, you may want to run a scan with an antivirus or antimalware product for Android. If you're unsure which antivirus to run, you can try Avast (it also detects the Marcher version discussed in this blog post).

You may want to have a look at other antivirus products if Avast does not suit your needs. A good comparison can be found on AV-test's website: The best antivirus software for Android.

Note that the best course, in any case, is to backup your files and reinstall your device! Don't forget to change passwords and notify your bank.


  • Don't root your Android device(s).
  • Don't just install any app. Use common sense. When in doubt, do not install the app.
  • Be wary of suspicious-looking apps even when they have a lot of positive feedback. These may be fake comments. Ask friends, colleagues or Google. Still not sure? Do not install the app.
  • Download from official app stores only. Even though malware may exist on Google's Play store, chances are less likely.
  • Use the default, built-in security in Android. For example, do not allow installation of apps from unknown sources and Encrypt Device.
  • Always verify app permissions. Depending on the app, it should not be able to directly call other phone numbers.
  • Back up your files. If something like this ever happens to you, simply reinstall and restore.
  • Install an antivirus. This may be a resident one, meaning no active protection and scanning only.

More useful links are listed below in the Resources section.


While Windows malware still takes the biggest portion, malware for other operating systems is becoming more and more common. In regards to Android, make sure to follow the prevention tips above to stay safe.

Worth noting that, as always, prevention is better than disinfection. Create (and test) back-ups.


Analysing Android files - Blaze's Security Blog
Dealing with System Problems in Android: Safe Mode, Factory Reset & Restoring Backups - MakeUseOf
DevicePolicyManager - Android developer area
F-Secure Freedome VPN  - F-Secure
How Do I Delete Applications from My Android Device? - Lifewire
The best antivirus software for Android - AV-Test
What Is A Nandroid Backup and How Exactly Does It Work?  - MakeUseOf


Sunday, November 20, 2016

Nemucod downloader spreading via Facebook

Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook's file extension filter:


What is an .svg file? From Wikipedia:

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
This means, more specifically, that you can embed any content you want (such as JavaScript). Moreover, any modern browser will therefore be able to open this file.

Contents of our 'photo' are as follows:

Copy of file on Pastebin here

It's a heavily obfuscated script, which, after opening, redirects you to the following website:

Fake Youtube - "You must install the codec extension to watch this video."

A website purporting to be Youtube, including a video from Facebook - of course, you'll need to install an additional extension to view it :)

The extension has no icon and thus seems invisible and has the following permissions:

Currently, I'm not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook (harvesting your credentials in the process), but likely it downloads other malware to your machine.

One of my security colleagues had in fact noticed similar behavior and got ransomware (Locky) as payload:

The extensions' description can be one of the following, and seem semi-random. Note that other variations are possible:

One ecavu futolaz corabination timefu episu voloda 
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

The Facebook security team as well as Google Chrome's store security team have been notified.

UPDATE 22/11/2016

  • The rogue Chrome extensions are removed from the store. 
  • Facebook is now filtering for SVG files as well:

Test.svg, containing just a window.alert() method


Remove the malicious extension from your browser immediately:

Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.


As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave.

Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.

For those interested, all related files have been uploaded to VirusTotal, and their hashes and domains can be found, as always, on AlienVault's OTX: