Malware Archives | Page 3 of 32

January 27, 2021 by Didier Stevens

Update: XORSelection.1sc Version 6.0

I released an update to my 010 Editor script XORSelection.1sc.

010 is a binary editor with a scripting engine. XORSelection.1sc is a script I wrote years ago, that will XOR-encode a (partial) file open in the editor.

The first version just accepted a printable, arbitrary-length string as XOR-key. Later versions accepted an hexadecimal key too, and introduced various options.

With version 6.0, I add support for a dynamic XOR-key. That is a key that changes while it is being used. It can change, one byte at-a-time, before or after each XOR operation at byte-level is executed.

Hence option cb means change before, and ca means change after. Watch this video to understand exactly how the key changes (if you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation).

I made this update to my XORSelection script, because I had to “manually” decode a Cobalt Strike beacon that was XOR-encoded with a changing XOR key (it is part of a WebLogic server attack). Later I included this decoding in my Cobalt Strike beacon analysis tool 1768.py.

The decoding shellcode is in the first 62 bytes (0x3E) of the file:

After the shellcode comes the XOR-key, the size and the beacon:

We can decode the beacon size, that is XOR-encoded with key 0x3F0882FB, as follows. First we select the bytes to be decoded:

Then we launch 010 Editor script XORSelection.1sc:

Provide the XOR key (prefix 0x is to indicate that the key is provide as hexadecimal byte values):

And then, after pressing OK, the bytes that contain the beacon size are decoded by XOR-ing them with the provided key:

This beacon size (bytes 00 14 04 00) is a little-endian, 32-bit integer: 0x041400.

To decode the beacon, we select the encoded beacon and launch script XORSelection.1sc again:

This time, we need to provide an option to change the XOR-decoding process. We press OK without entering a value, this will make the next prompt appear, where we can provide options:

The option we need to use to decode this Cobalt Strike beacon, is cb: change before.

In the next prompt, we can provide the XOR-key:

And we end up with the decoded beacon (you can see parts of the PE file that is the beacon):

Remark that you can enter “h” at the option prompt, to get a help screen:

I made this video explaining how to use this new option, and also explaining how the XOR key is changed exactly when using option change before (cb) or change after (ca).

If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.

XORSelection_V6_0.zip (https)
MD5: C1872C275B59E236906D38B2302F3F4B
SHA256: 1970A506299878FAC2DDD193F9CE230FD717854AC1C85554610DDD95E04DE9E9

January 18, 2021 by Didier Stevens

Video: Maldoc Analysis With CyberChef

In this video, I show how to analyze a .doc malicious document using CyberChef only. This is possible, because the payload is a very long string that can be extracted without having to parse the structure of the .doc file with a tool like oledump.py.

I pasted the recipe on pastebin here.

December 16, 2020 by LCDI

The Vermont Privacy Project

As the internet ties in more and more with our daily lives, internet privacy has become a big concern. The Vermont Privacy Breach project at the Leahy Center is a team of students working with a Champlain student supervisor and a Leahy Center Fellow Judy Boyd to try and tackle this growing issue. Our goal is to reduce the number of privacy incidents on residents of the State of Vermont. We plan to accomplish this by providing simple resources. Small businesses, local governments, and nonprofits can then use these to make themselves more secure.

What We Have Accomplished?

Over the course of the semester, the team has been hard at work researching privacy breaches and other data. The plan is to use this data to create simple presentations that can be given to businesses and people alike. Our team extensively researched what a data privacy breach is, who it affects, and how to prevent them. We all put our research into a shared Google Drive folder and refined the scope of the project. We focused on teaching and presenting to others what privacy breaches were and how to prevent them. Phase One of this project encompassed common risks, the impact of breaches on individuals and organizations, and measures to prevent or mitigate risk. At this point, we are currently in the process of creating an initial presentation outlining Phase One of this project.

What is a Data Breach? A laptop with a skull and crossbones over it

A data breach is any unauthorized access into a business, state agency, or individual’s digital systems. These attacks can come in a large variety of ways, and each come with their own challenges. For example, phishing attacks will look like messages sent from a company but trick you into putting in your info so the attacker can use it themselves. Ransomware and malware are other forms of attacks. These are programs that are downloaded onto the machine that can read files, edit them, or even lock out the entire computer. Then there are attacks that try to overload your connection to the internet, called DDoS attacks, which flood your connection with junk information.

These are all incredibly dangerous and serious issues for anybody with a computer, and as technology advances, we’re finding those computers in everyday objects. If you have any sort of wireless surveillance in your home, that could become a risk. But, by limiting who has access to your devices and watching what you download, you bring that risk down considerably. The steps to better computer safety are simple, anybody can do them, it’s just a matter of spreading that information. Therefore, we’re excited to have the opportunity to work on that goal and help those in our community and elsewhere.

What’s Next?

The next steps of our project are to finalize and practice our Phase One Presentation and prepare for our first presentation. We are really looking forward to collaborating with the Burlington Sunrise Rotary Club. It’s exciting to see the progress we have made with this project and we hope to see a glimpse of what may come next. For Phase Two of this project, we will be looking at privacy risks related to Local Government agencies, non-profits, and small businesses. For example, we’re interested in how we can bring this to more people.

Stay up to date with the Leahy Center by following us on LinkedIn, Twitter, Instagram, and Facebook!

The post The Vermont Privacy Project appeared first on The Leahy Center for Digital Forensics & Cybersecurity.