A compilation of security news and blog posts from the 24th of July to the 30th. We talked about ransomware, the Dark Web, smart toys, encryption, and others.
McAfee Security Scan Plus – Remote Command Execution
Many attackers continue to leverage PowerShell as a part of their
malware ecosystem, mostly delivered and executed by malicious binaries
and documents. Of malware that uses PowerShell, the most prevalent use
is the garden-variety stager: an execu…
The Iranian COBALT GYPSY threat group uses social media to build trust with targets.
Three dimensions that better position organisations for security success. Category: Information Security, Risk Management. Read about the three maturity dimensions that better position organisations for cybersecurity success.
As a reverse engineer on the FLARE Team I rely on a customized
Virtual Machine (VM) to perform malware analysis. The Virtual Machine
is a Windows installation with numerous tweaks and tools to aid my
analysis. Unfortunately trying to maintain a custom VM like this is
very laborious: tools frequently get out of date and it is hard to
change or add new things. There is also a constant fear that if the VM
gets corrupted it would be super tedious to replicate all of the
settings and tools that I’ve built up over the years. To address this
and many related challenges, I have developed a standardized (but
easily customizable) Windows-based security distribution called FLARE VM.
FLARE VM is a freely available and open sourced Windows-based
security distribution designed for reverse engineers, malware
analysts, incident responders, forensicators, and penetration testers.
Inspired by open-source Linux-based security distributions like Kali
Linux, REMnux and others, FLARE VM delivers a fully configured
platform with a comprehensive collection of Windows security tools
such as debuggers, disassemblers, decompilers, static and dynamic
analysis utilities, network analysis and manipulation, web assessment,
exploitation, vulnerability assessment applications, and many others.
The distribution also includes the FLARE team’s public malware
analysis tools such as FLOSS and FakeNet-NG.
You are expected to have an existing installation of Windows 7 or
above. This allows you to choose the exact Windows version, patch
level, architecture and virtualization environment yourself.
Once you have that available, you can quickly deploy the FLARE VM
environment by visiting the following URL in Internet Explorer
(other browsers are not going to work):
After you navigate to the above URL in the Internet Explorer, you
will be presented with a Boxstarter WebLauncher dialog. Select
Run to continue the installation as illustrated in Figure 1.
Figure 1: FLARE VM Installation
Following successful installation of Boxstarter WebLauncher, you
will be presented with a console window and one more prompt to enter
your Windows password as shown in Figure 2. Your Windows password is
necessary to restart the machine several times during the installation
without prompting you to login every time.
Figure 2: Boxstarter Password Prompt
The rest of the process is fully automated, so prepare yourself a
cup of coffee or tea. Depending on your connection speed, the initial
installation takes about 30-40 minutes. Your machine will also reboot
several times, as the numerous software installations require it.
During the deployment process, you will see installation
logs of a number of packages.
Once the installation is complete, it is highly recommended to
switch the Virtual Machine networking settings to Host-Only mode so
that malware samples would not accidentally connect to the Internet or
local network. Also, take a fresh virtual machine snapshot so this
clean state is saved! The final FLARE VM installation should look like Figure 3.
Figure 3: FLARE VM installation
NOTE: If you encounter a large number of error messages, try to
simply restart the installation. All of the existing packages will be
preserved and new packages will be installed.
The VM configuration and the included tools were either developed or
carefully selected by the members of the FLARE team who have been
reverse engineering malware, analyzing exploits and vulnerabilities,
and teaching malware analysis classes for over a decade. All of the
tools are organized in the directory structure shown in Figure 4.
Figure 4: FLARE VM Tools
While we attempt to make the tools available as a shortcut in the
FLARE folder, there are several available from command-line only.
Please see the online documentation at http://flarevm.info for the most up to
In order to best illustrate how FLARE VM can assist in malware
analysis tasks let’s perform a basic analysis on one of the samples we
use in our Malware Analysis Crash Course.
First, let’s obtain some basic indicators by looking at the strings
in the binary. For this exercise, we are going to run FLARE’s own
FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for
additional information about the tool. You can launch it by clicking
on the FLOSS icon in the taskbar and running it against the sample as
illustrated in Figure 5.
Figure 5: Running FLOSS
Unfortunately, looking over the resulting strings in Figure 6 only
one string really stands out and it is not clear how it is used.
Figure 6: Strings Analysis
Let’s dig a bit more into the binary by opening up CFF Explorer in
order to analyze the sample’s imports, resources, and PE header structure.
CFF Explorer and a number of other utilities are available in the
FLARE folder that can be accessed from the Desktop or the Start menu
as illustrated in Figure 7.
Figure 7: Opening Utilities
While analyzing the PE header, there were several indicators that
the binary contains a resource object with an additional payload. For
example, the Import Address Table contained relevant Windows API calls
such as LoadResource, FindResource and finally WinExec. Unfortunately,
as you can see in Figure 8 the embedded payload “BIN” contains junk so
it is likely encrypted.
Figure 8: PE Resource
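The two static observations above (an import table that loads a resource and then executes something, and a resource whose bytes look like junk) can be turned into a repeatable triage check. The following is an added example, not code from the FLARE VM project or from the course sample: the import list and the resource bytes are constructed here, and the 7 bits/byte threshold is a heuristic, not a proof of encryption.

```python
import math
import random
from collections import Counter

# API names whose co-occurrence suggests "read an embedded resource, write it out, run it".
RESOURCE_APIS = ("FindResource", "LoadResource", "LockResource", "SizeofResource")
EXEC_APIS = ("WinExec", "CreateProcess", "ShellExecute")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant blob, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Native code and text usually sit well below 7 bits/byte; encrypted or
    compressed payloads approach 8. The threshold is a triage heuristic, not proof."""
    return shannon_entropy(data) >= threshold


def resource_dropper_indicators(imports):
    """Return (matching import names, True if both a resource-loading call and an
    execution call are present). Prefix matching ignores the A/W suffixes."""
    hits = sorted({name for name in imports if name.startswith(RESOURCE_APIS + EXEC_APIS)})
    loads = any(h.startswith(RESOURCE_APIS) for h in hits)
    execs = any(h.startswith(EXEC_APIS) for h in hits)
    return hits, loads and execs


def triage(imports, resources):
    """imports: iterable of imported API names; resources: {name: bytes}.
    Returns human-readable findings in the order they were checked."""
    findings = []
    hits, dropper = resource_dropper_indicators(imports)
    if dropper:
        findings.append("import pattern suggests a resource dropper: " + ", ".join(hits))
    for name, blob in resources.items():
        ent = shannon_entropy(blob)
        verdict = "likely encrypted/packed" if looks_encrypted(blob) else "plain"
        findings.append(f"resource {name!r}: {len(blob)} bytes, entropy {ent:.2f} -> {verdict}")
    return findings


# Constructed sample data; these are not bytes or imports taken from the course sample.
SAMPLE_IMPORTS = ["GetModuleHandleA", "FindResourceA", "LoadResource", "LockResource",
                  "SizeofResource", "CreateFileA", "WriteFile", "WinExec"]
_rng = random.Random(1234)
ENCRYPTED_BLOB = bytes(_rng.randrange(256) for _ in range(4096))  # stands in for the "BIN" resource
PLAIN_BLOB = b"This program cannot be run in DOS mode.\r\n" * 100

if __name__ == "__main__":
    for line in triage(SAMPLE_IMPORTS, {"BIN": ENCRYPTED_BLOB, "TEXT": PLAIN_BLOB}):
        print(line)
```

On a real sample the import names and resource bytes would come from a PE parser (CFF Explorer exports them, or a library such as pefile); the entropy check is what turns "the resource looks like junk" into a number you can compare across samples.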
At this point, we could continue the static analysis or we could
“cheat” a bit by switching over to basic dynamic analysis techniques.
Let’s attempt to quickly gather basic indicators by using another
FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network
emulation tool which tricks malware into revealing its network
functionality by presenting it with fake services such as DNS, HTTP,
FTP, IRC and many others. Please visit http://fakenet.info for additional
information about the tool.
Also, let’s launch Procmon from Sysinternals Suite in order to
monitor all of the File, Registry and Windows API activity as well.
You can find both of these frequently used tools in the taskbar
illustrated in Figure 9.
Figure 9: Dynamic Analysis
After executing the sample with Administrator privileges, we quickly
find excellent network- and host-based indicators. Figure 10 shows
FakeNet-NG responding to malware’s attempt to communicate with
evil.mandiant.com using HTTP protocol. Here we capture useful
indicators such as a complete HTTP header, URL and a potentially
unique User-Agent string. Also, notice that FakeNet-NG is capable of
identifying the exact process that is communicating, which is
level1_payload.exe. This process name corresponds to the unique
string that we have identified in the static analysis, but couldn’t
understand how it was used.
Figure 10: FakeNet-NG
Comparing our findings with the output of Procmon in Figure 11, we
can confirm that the malware is indeed responsible for creating
level1_payload.exe executable in the system32 folder.
Figure 11: Procmon
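The step just described, matching the process FakeNet-NG sees on the wire against the file Procmon sees being written, is easy to automate once both tools' output is saved. The following is an added example, not code from FLARE VM, FakeNet-NG or Procmon: the Procmon rows use the column headers of Procmon's CSV export but are constructed, and the FakeNet-NG lines are a simplified stand-in for the tool's real log format (the sample name, User-Agent and timestamps are invented; evil.mandiant.com and level1_payload.exe are the page's own indicators).

```python
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon CSV export (real exports carry these same headers).
PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:01.100","sample.exe","1234","CreateFile","C:\\Windows\\System32\\level1_payload.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:01.101","sample.exe","1234","WriteFile","C:\\Windows\\System32\\level1_payload.exe","SUCCESS","Offset: 0, Length: 20,480"
"10:01:01.200","sample.exe","1234","Process Create","C:\\Windows\\System32\\level1_payload.exe","SUCCESS","PID: 1300, Command line: level1_payload.exe"
"10:01:01.300","explorer.exe","800","CreateFile","C:\\Users\\analyst\\Desktop\\notes.txt","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
'''

# Constructed, simplified FakeNet-NG style lines (not the tool's exact format).
FAKENET_LOG = '''10:01:02 [HTTPListener80] GET /index.html Host: evil.mandiant.com User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) process: level1_payload.exe
10:01:05 [DNS] query A evil.mandiant.com process: level1_payload.exe
'''

FAKENET_HTTP = re.compile(r"\[HTTPListener\d+\] (?P<method>\S+) (?P<path>\S+) Host: (?P<host>\S+) "
                          r"User-Agent: (?P<ua>.+?) process: (?P<proc>\S+)$")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".ps1")


def parse_procmon(csv_text):
    """Return {process name: set of executable paths it created, wrote or launched}."""
    written = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path, op, detail = row["Path"], row["Operation"], row["Detail"]
        if not path.lower().endswith(EXEC_SUFFIXES):
            continue
        created = op == "CreateFile" and "OpenResult: Created" in detail
        if created or op in ("WriteFile", "Process Create"):
            written[row["Process Name"]].add(path)
    return dict(written)


def parse_fakenet(log_text):
    """Return {process name: {"hosts", "user_agents", "urls"}} from HTTP request lines."""
    net = defaultdict(lambda: {"hosts": set(), "user_agents": set(), "urls": set()})
    for line in log_text.splitlines():
        m = FAKENET_HTTP.search(line)
        if m:
            entry = net[m["proc"]]
            entry["hosts"].add(m["host"])
            entry["user_agents"].add(m["ua"])
            entry["urls"].add(m["method"] + " " + m["path"])
    return dict(net)


def correlate(csv_text, log_text):
    """Link each executable dropped on disk to the network activity of the process it became."""
    host, net = parse_procmon(csv_text), parse_fakenet(log_text)
    findings = []
    for dropper, paths in host.items():
        for path in sorted(paths):
            basename = path.rsplit("\\", 1)[-1]
            if basename in net:
                n = net[basename]
                findings.append({"dropper": dropper, "dropped": path,
                                 "beacons_to": sorted(n["hosts"]),
                                 "user_agents": sorted(n["user_agents"]),
                                 "urls": sorted(n["urls"])})
    return findings


if __name__ == "__main__":
    for finding in correlate(PROCMON_CSV, FAKENET_LOG):
        print(finding)
```

The join key is the dropped file's basename against the process name FakeNet-NG reports; in a real run you would also carry the PID from the "Process Create" row, since two processes can share a name.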
As part of the malware analysis process, we could continue digging
deeper by loading the sample in a disassembler and performing further
analysis inside a debugger. However, I would not want to spoil this
fun for our Malware Analysis Crash Course students by sharing all the
answers here. That said all of the relevant tools to perform such
analysis are already included in the distribution such as IDA Pro and
Binary Ninja disassemblers, a nice collection of debuggers and several
plugins, and many others to make your reverse engineering tasks as
convenient as possible.
FLARE VM is a constantly growing and changing project. While we try
to cover as many use-case scenarios as possible, covering every one of
them is simply impossible given the nature of the project. Luckily, FLARE VM is
extremely easy to customize because it was built on top of the
Chocolatey project. Chocolatey is a Windows-based package management
system with thousands of packages. You can find the list here: https://chocolatey.org/packages.
In addition to the public Chocolatey repository, FLARE VM uses our own
FLARE repository, which is constantly growing and currently contains about
What all this means is that if you want to quickly add some package,
let’s say Firefox, you no longer have to navigate to the software
developer’s website. Simply open up a console and type in the command
in Figure 12 to automatically download and install any package:
Figure 12: Installing packages
In a few short moments, a Firefox icon is going to appear on your
Desktop with no user interaction necessary.
As I’ve mentioned in the beginning, one of the hardest challenges of
an unmanaged Virtual Machine is trying to keep all the tools up to date.
FLARE VM solves this problem. You can completely update the entire
system by simply running the command in Figure 13.
Figure 13: Staying up to date
If any of the installed packages have newer versions, they will be
automatically downloaded and installed.
NOTE: Don’t forget to take another clean snapshot of an updated
system and set networking back to Host-Only.
I hope you enjoy this new free tool and will adopt it as another
trusted resource to perform reverse engineering and malware analysis
tasks. Next time you need to set up a new malware analysis
environment, try out FLARE VM!
In these few pages, we could only scratch the surface of everything
that FLARE VM is capable of; however, feel free to leave your
comments, tool requests, and bugs on our Github issues page here: https://github.com/fireeye/flare-vm
A wide variety of threat actors began distributing HawkEye malware
through high-volume email campaigns after it became available for
purchase via a public-facing website. The actors behind the phishing
campaigns typically used email themes based on current events and
media reports that would pique user interests, with the “Subject” line
typically containing something about recent news. Although HawkEye
malware has several different capabilities, it is most often
associated with credential theft.
In the middle of June, we observed a phishing campaign involving the
distribution of HawkEye malware. The threat actors behind this campaign
are not targeting any specific group of industries or any specific region.
Figure 1 shows a sample phishing email used by HawkEye operators in
this latest campaign. The message is designed to entice recipients to
open the attachment. In this most recent campaign, the phishing email
contained a DOCX attachment, and the attackers named the document
appropriately so the recipient believed it involved a recent
transaction or invoice.
Figure 1: Sample phishing email
As seen in Figure 2, the deployment of the malware has several
stages of execution, including the following:
Figure 2: Infection Vector and Execution
In the observed campaign, the actors used an embedded OLE object to
deliver the payload to the victim’s machine. The malicious payload,
HawkEye, is embedded in the DOCX file and dropped in the %temp% folder
after the victim double-clicks on the object (Figure 3).
Figure 3: Embedded OLE Object
The HawkEye malware is primarily used for credential theft and is
often combined with additional tools to extract passwords from email
and web browser applications. These additional tools are contained in
an encrypted resource section of the binary.
The HawkEye malware is capable of the following:
After initial checks and system enumeration, HawkEye sends the
following data to the command and control (C2) server:
Along with its ability to steal sensitive information, HawkEye is
capable of spreading through USB or removable drives and can also
steal Bitcoin wallets, as seen in Figure 4.
Figure 4: USB spreading and Bitcoin Stealing
The HawkEye malware in this campaign contained encrypted resources
sections, which add functionality that enables the attackers to
exfiltrate more data. FireEye observed the same pattern in previous
HawkEye campaigns. The encrypted data is decrypted at run time and
then injected into the target process, vbc.exe. The encryption logic
used is a custom algorithm and varies with the campaign. Figure 5
shows an example of the custom encryption algorithm.
Figure 5: Custom decryption routine
After decrypting the resource section, the following files can be extracted:
Figure 6: Components of malware
The payload uses the Windows task scheduling feature for its
persistence mechanism on the victim’s computer. It schedules a task to
execute on user login. The configuration data shown in Figure 7 is
used to schedule the task.
Figure 7: Task Scheduler.xml
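A logon-triggered task whose action points into a user-writable directory such as %temp% is the persistence shape described above, and it is something a responder can check for across every task definition on a host. The following is an added example, not code from the HawkEye report: the two task definitions are constructed in the Task Scheduler XML schema with placeholder paths, and the directory scanner assumes the standard location of task files under %SystemRoot%\System32\Tasks.

```python
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments that point at user-writable locations (matched lower-cased).
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def task_triggers_and_actions(xml_text):
    """Return (trigger element names, [(command, arguments), ...]) for one task definition."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [child.tag.rsplit("}", 1)[-1] for child in trig_el]
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return triggers, actions


def assess_task(xml_text, name="<unnamed>"):
    """Flag logon-triggered Exec actions whose command or arguments reference a user-writable path."""
    triggers, actions = task_triggers_and_actions(xml_text)
    findings = []
    for cmd, args in actions:
        target = f"{cmd} {args}".lower()
        if "LogonTrigger" in triggers and any(marker in target for marker in USER_WRITABLE):
            findings.append(f"{name}: runs at logon from a user-writable path: {cmd} {args}".rstrip())
    return findings


def scan_task_directory(directory):
    """Assess every task file under a directory such as %SystemRoot%\\System32\\Tasks
    (those files are UTF-16 with a BOM, and reading them needs administrator rights)."""
    findings = []
    for dirpath, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                raw = fh.read()
            bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = raw.decode("utf-16") if bom else raw.decode("utf-8", "replace")
            try:
                findings.extend(assess_task(text, path))
            except ET.ParseError:
                continue
    return findings


# Constructed task definitions with placeholder paths.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>%temp%\\EXAMPLE_PAYLOAD.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-07-24T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(SUSPICIOUS_TASK, "constructed-suspicious"))
    print(assess_task(BENIGN_TASK, "constructed-benign"))
```

The check deliberately looks at both the command and its arguments, because a task that launches a legitimate interpreter with a script in %temp% is the same persistence with one more layer of indirection.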
CMemoryExecute.dll is responsible for running a .NET executable
capable of using the Windows Native API to inject MailPV.exe and
WebBrowserPassView.dll into VBC.exe, which is the Visual Basic Command
Line Compiler. MailPV and WebBrowserPassView are used in order to
extract credentials from the list of email and web browser clients
noted in the following section.
WebBrowserPassView.dll, extracted from the resource section, is a
password recovery tool that extracts passwords stored in the following
The extracted passwords are stored in a created text file: “%temp%\holderwb.txt”
The MailPV.exe file is a password recovery tool that extracts passwords
for the following email clients:
The extracted passwords are stored in a created text file: “%temp%\holdermail.txt”
The first C2 traffic observed is the malware’s check to get the
external IP address of the infected machine. Figure 8 shows an example
of the external IP address query.
Figure 8: External IP Address Query
As noted, the malware sends gathered system information and security
program data to the C2 server after the external IP address is known.
HawkEye can be configured to send this information through multiple
methods, including via email or FTP.
In addition to the system data, the malware will upload any
collected credentials from email and web browser applications. To do
this, the malware will validate that holdermail.txt and holderweb.txt
exist and send the data to the C2 server. After the data is
exfiltrated, the TXT files are deleted from the victim’s machine.
In this campaign, the HawkEye payload was configured to upload the
data via email. Once the extracted data is received by the C2 server,
the server sends emails to the threat actors behind the campaign to
notify them that new stolen information is available. Figure 9 shows
some of the email templates used in this campaign and Figure 10 shows
the SMTP traffic on the network.
Figure 9: Email notification to HawkEye Customers
Figure 10: SMTP Handshake
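The sequence laid out above (an external-IP lookup, then system data and credential files leaving over SMTP or FTP) is a detectable shape in network logs even when the binary itself is not yet known. The following is an added example, not from the report: it runs over constructed key=value flow log lines, the lookup-service hostname and the IP addresses are placeholders, and the ten-minute window and the mail-server allowlist are parameters you would set from your own environment.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed log lines (key=value per flow). 10.0.5.23 is the simulated victim,
# 10.0.1.2 the organisation's real mail server, 10.0.9.4 a host whose SMTP
# session falls outside the correlation window.
LOG = """2017-07-27T10:00:01 src=10.0.5.23 dst=203.0.113.10 dport=80 proto=tcp http_host=whatismyip.example
2017-07-27T10:00:04 src=10.0.5.23 dst=198.51.100.7 dport=587 proto=tcp http_host=-
2017-07-27T10:00:09 src=10.0.5.23 dst=198.51.100.7 dport=587 proto=tcp http_host=-
2017-07-27T10:01:00 src=10.0.9.4 dst=203.0.113.10 dport=80 proto=tcp http_host=whatismyip.example
2017-07-27T10:30:00 src=10.0.1.2 dst=198.51.100.9 dport=25 proto=tcp http_host=-
2017-07-27T11:45:00 src=10.0.9.4 dst=198.51.100.9 dport=25 proto=tcp http_host=-
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                  r"proto=\S+ http_host=(?P<host>\S+)$")
IP_LOOKUP_HOSTS = {"whatismyip.example"}  # placeholder; populate from your own list of lookup services
EXFIL_PORTS = {25, 465, 587, 21}          # SMTP, SMTPS, submission, FTP control
MAIL_SERVERS = {"10.0.1.2"}               # hosts allowed to originate SMTP
WINDOW = timedelta(minutes=10)

Event = namedtuple("Event", "ts src dst dport host")


def parse(log_text):
    """Parse matching lines into Event tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                                int(m["dport"]), m["host"]))
    return events


def detect(log_text, window=WINDOW):
    """Alert when a non-mail host opens SMTP/FTP within `window` after an external-IP lookup.
    One alert per (source, destination, port) so a multi-message session is reported once."""
    last_lookup = {}
    seen = set()
    alerts = []
    for e in sorted(parse(log_text), key=lambda ev: ev.ts):
        if e.host in IP_LOOKUP_HOSTS:
            last_lookup[e.src] = e.ts
            continue
        if e.dport not in EXFIL_PORTS or e.src in MAIL_SERVERS:
            continue
        t0 = last_lookup.get(e.src)
        key = (e.src, e.dst, e.dport)
        if t0 is not None and e.ts - t0 <= window and key not in seen:
            seen.add(key)
            alerts.append({"src": e.src, "lookup_at": t0.isoformat(),
                           "exfil_to": f"{e.dst}:{e.dport}", "at": e.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The rule only fires on the combination, so a workstation that merely checks its public address, or a mail server that legitimately speaks SMTP, stays quiet; widening the window trades that precision for catching slower exfiltration.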
HawkEye is a versatile Trojan used by diverse actors for multiple
purposes. The malware has been sold through a public-facing website,
which has allowed many different operators to use it. As is often the
case with commercial Trojans, HawkEye offers a variety of functions
for stealing stored data, grabbing form data, self-spreading, and
performing other functions. Consequently, HawkEye may facilitate a
number of different exploitative operations in compromised
environments, and can be used by actors with a wide range of
motivations. We have seen different HawkEye campaigns infecting
organizations across many sectors globally, and stealing user
credentials for diverse online services. This particular campaign
represents one segment of the numerous HawkEye activity sets.
Some notable threat operations where we have previously reported
HawkEye use include business email compromise campaigns, phishing
against Middle Eastern organizations, and prolific spam operations
(get an iSIGHT
intelligence subscription to learn more about these campaigns).
Based on previous observations, the phishing and lure techniques
used in these recent HawkEye campaigns have remained consistent, as
have the HawkEye binaries and associated payloads. However, the
attackers have altered the initial delivery method to use an embedded
OLE object, as opposed to past methods such as a macro embedded in a
Word document. The threat landscape is continuously evolving, and we
expect to see more new tricks and tactics being used by the actors
using this malware family.
FireEye Multi Vector Execution
(MVX) engine is able to recognize and block this threat.
Special thanks to John Miller and Nart Villeneuve for their
contributions to this blog.
Linux Kernel – ‘BadIRET’ Local Privilege Escalation
Adopt a security program that empowers your organization to protect its assets without stifling innovation. Category: Leadership Insights, Risk Management. Adopt an IT security program that empowers your organization to protect its assets without stifling in…