
Wednesday, June 21, 2017

Importance of Threat Intelligence

In the cyber security world, threat intelligence has become one of the most valuable weapons against attackers, whether organised threat actors or part-time hackers. Even against state-sponsored attacks, threat intelligence can detect activity early and buy time to respond. We are often asked what the point of collecting threat intelligence is. Our answer: many attacks are sector based, targeting a specific industry the attackers are interested in. We collect those alerts and indicators from different sources, maintain them in a threat intelligence platform, match them against our log monitoring to detect attacks, and then block them.

That is how it works in general. A deeper look at threat intelligence reveals more: the types of threat intelligence and how each helps in fighting threat actors. Threat intelligence is categorised into three types:

  • Strategic Intelligence
  • Operational Intelligence
  • Tactical Intelligence

Strategic Intelligence:

It is high-level intelligence about the threat landscape, intended for people in commanding positions (executives and decision makers) who need to critically assess threats and risk over the long term.

Operational Intelligence:

It is about specific campaigns and attacks: how the organisation proactively assesses the cyber threats that may be targeted at it, for example sector-based attacks that are already hitting peers in the same industry.

Tactical Intelligence:

It is about attacker methodologies: the tools, tactics, techniques and procedures they use, the indicators they leave behind, and how dangerous a given attacker is.


Overall, threat intelligence enhances the cybersecurity posture and supports holistic risk management. Decision making after an intrusion is detected is better informed, and the lessons learned are more valuable.


Saturday, June 3, 2017

250 Million Computers Infected With FIREBALL - Chinese Malware:

Recently, security researchers from Check Point disclosed a high-volume Chinese threat operation that has infected over 250 million computers around the globe. Fireball hijacks the web browser and turns it into a zombie: it replaces the default home page and search engine with fake ones that redirect queries, and installs browser plugins to inject advertisements. It also acts as a distribution channel for potentially unwanted applications, adware and other malware. Rafotech, a large digital marketing company based in Beijing, uses Fireball to manipulate victims' browsers, setting its own pages as the default home page and search engine.

Key findings, infection flow and worldwide distribution map (figures from the Check Point researchers)
According to the researchers, over 250 million computers are infected worldwide, and 20 percent of corporate networks are affected:
·        25.3 million infections in India (10.1%)
·        24.1 million in Brazil (9.6%)
·        16.1 million in Mexico (6.4%)
·        13.1 million in Indonesia (5.2%)
·        5.5 million in the US (2.2%)


C&C addresses (defanged with [.]; refang before loading them into a blocklist)

·        attirerpage[.]com
·        s2s[.]rafotech[.]com
·        trotux[.]com
·        startpageing123[.]com
·        funcionapage[.]com
·        universalsearches[.]com
·        thewebanswers[.]com
·        nicesearches[.]com
·        youndoo[.]com
·        giqepofa[.]com
·        mustang-browser[.]com
·        forestbrowser[.]com
·        luckysearch123[.]com
·        ooxxsearch[.]com
·        search2000s[.]com
·        walasearch[.]com
·        hohosearch[.]com
·        yessearches[.]com
·        d3l4qa0kmel7is[.]cloudfront[.]net
·        d5ou3dytze6uf[.]cloudfront[.]net
·        d1vh0xkmncek4z[.]cloudfront[.]net
·        d26r15y2ken1t9[.]cloudfront[.]net
·        d11eq81k50lwgi[.]cloudfront[.]net
·        ddyv8sl7ewq1w[.]cloudfront[.]net
·        d3i1asoswufp5k[.]cloudfront[.]net
·        dc44qjwal3p07[.]cloudfront[.]net
·        dv2m1uumnsgtu[.]cloudfront[.]net
·        d1mxvenloqrqmu[.]cloudfront[.]net
·        dfrs12kz9qye2[.]cloudfront[.]net
·        dgkytklfjrqkb[.]cloudfront[.]net
·        dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe

File Hashes (MD5; note that two of the values below are only 31 hex digits long as published here and will not match as-is)

·        FAB40A7BDE5250A6BC8644F4D6B9C28F
·        69FFDF99149D19BE7DC1C52F33AAA651
·        B56D1D35D46630335E03AF9ADD84B488
·        8C61A6937963507DC87D8BF00385C0BC
·        7ADB7F56E81456F3B421C01AB19B1900
·        84DCB96BDD84389D4449F13EAC75098
·        2B307E28CE531157611825EB0854C15F
·        7B2868FAA915A7FC6E2D7CC5A965B1E


It is important to remove the adware plugins and check the default home page in the web browser. If you find plugins or extensions you did not install, or a home page you did not set, there is a high chance the system is infected with a browser hijacker of this kind. Update the anti-malware software to the latest signatures, and run an additional adware cleaner from a reputable AV vendor. Resetting the web browser to its default settings undoes the hijack. Also block the listed C&C addresses at the firewall or proxy, and alert on DNS lookups for them, to prevent further infections and to spot hosts that are already infected.
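The blocking advice above is easier to act on as a script. The following is an added example, not code from the Check Point report or from the original post: it refangs the defanged C&C list, matches hostnames found in proxy or DNS log lines against it, and emits a hosts-file style sinkhole list. Only a handful of the IOCs above are embedded for brevity, the log format and log lines are constructed, and the matching treats a listed domain as covering its subdomains while keeping each CloudFront entry specific to that one distribution hostname rather than all of cloudfront.net.

```python
"""Turn the defanged Fireball C&C list into a blocklist and match it against
proxy/DNS log lines.  Added example; the IOC text is a subset of the list
above, the log lines are constructed and are not real traffic."""
import re
from typing import Iterable

# A few entries from the list above, defanged with [.] exactly as published.
FIREBALL_IOCS = """
attirerpage[.]com
s2s[.]rafotech[.]com
trotux[.]com
d3l4qa0kmel7is[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe
"""

def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] and (.) -> '.', hxxp -> http."""
    ioc = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)

def ioc_host(ioc: str) -> str:
    """Reduce a refanged IOC (bare domain or URL) to its lower-cased hostname."""
    ioc = re.sub(r"^[a-z]+://", "", refang(ioc), flags=re.IGNORECASE)
    return ioc.split("/", 1)[0].split(":", 1)[0].lower().rstrip(".")

def load_blocklist(text: str) -> set[str]:
    """One hostname per non-empty line; the URL entry collapses onto its host."""
    return {ioc_host(line) for line in text.splitlines() if line.strip()}

def is_blocked(host: str, blocklist: set[str]) -> bool:
    """Exact match or any parent domain: www.trotux.com matches trotux.com.
    The bare TLD is never tried, so a CloudFront entry blocks only that one
    distribution hostname and never cloudfront.net as a whole."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

# Anything that looks like a hostname, with or without a scheme in front.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def scan_log(lines: Iterable[str], blocklist: set[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, matched_host, line) for every line touching a C&C host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if is_blocked(host, blocklist):
                hits.append((n, host.lower(), line.strip()))
                break
    return hits

def to_hosts_file(blocklist: set[str]) -> str:
    """Emit a sinkhole hosts-file fragment, one blocked host per line."""
    return "\n".join(f"0.0.0.0 {h}" for h in sorted(blocklist))

# Constructed proxy/DNS lines in a simple "timestamp client verb target" layout.
SAMPLE_LOG = [
    "2017-06-03T10:12:44Z 10.0.0.12 GET http://www.trotux.com/?q=test 200",
    "2017-06-03T10:12:45Z 10.0.0.12 GET https://www.google.com/ 200",
    "2017-06-03T10:13:01Z 10.0.0.12 query A d3l4qa0kmel7is.cloudfront.net",
    "2017-06-03T10:13:02Z 10.0.0.12 query A d1abcdefghijk.cloudfront.net",
    "2017-06-03T10:14:10Z 10.0.0.31 GET http://dgkytklfjrqkb.cloudfront.net/main/trmz.exe 200",
]

if __name__ == "__main__":
    bl = load_blocklist(FIREBALL_IOCS)
    for n, host, line in scan_log(SAMPLE_LOG, bl):
        print(f"line {n}: {host} <- {line}")
    print(to_hosts_file(bl))
```

Lines 1, 3 and 5 of the constructed log are flagged; the unrelated CloudFront distribution on line 4 is not, which is the behaviour you want before pushing the list to a DNS sinkhole or proxy blocklist.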


Source: Check Point blog

Tuesday, May 23, 2017

Description on Ransomware Attack Measures:

  • Backup and Restore Process: Make sure adequate backup processes are in place and frequently test a restore of these backups ("Schrödinger's backup: it is both existent and non-existent until you have tried a restore").
  • Block Macros: Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: open downloaded documents in Protected View, or open downloaded documents and block all macros.
  • Disable WSH: Disable Windows Script Host.
  • Filter Attachments Level 1: Filter the following attachments on your mail gateway: .386, .ace, .acm, .acv, .ade, .adp, .adt, .ani, .app, .arc, .arj, .asd, .asp, .avb, .ax, .bas, .bat, .boo, .btm, .cab, .cbt, .cdr, .cer, .chm, .cla, .cmd, .cnv, .com, .cpl, .crt, .csc, .csh, .css, .dll, .drv, .dvb, .email, .exe, .fon, .fxp, .gms, .gvb, .hlp, .ht, .hta, .htlp, .htt, .inf, .ini, .ins, .iso, .isp, .its, .jar, .job, .js, .jse, .ksh, .lib, .lnk, .maf, .mam, .maq, .mar, .mat, .mau, .mav, .maw, .mch, .mda, .mde, .mdt, .mdw, .mdz, .mht, .mhtm, .mhtml, .mpd, .mpt, .msc, .msi, .mso (except oledata.mso), .msp, .mst, .nws, .obd, .obj, .obt, .obz, .ocx, .ops, .ovl, .ovr, .pcd, .pci, .perl, .pgm, .pif, .pl, .pot, .prf, .prg, .ps1, .pub, .pwz, .qpw, .reg, .sbf, .scf, .scr, .sct, .sfx, .sh, .shb, .shs, .shtml, .shw, .smm, .svg, .sys, .td0, .tlb, .tmp, .torrent, .tsk, .tsp, .tt6, .url, .vb, .vbe, .vbs, .vbx, .vom, .vsmacro, .vss, .vst, .vsw, .vwp, .vxd, .vxe, .wbk, .wbt, .wiz, .wk, .wml, .wms, .wpc, .wpd, .ws, .wsc, .wsf, .wsh
  • Filter Attachments Level 2: Filter the Level 1 extensions plus .doc, .xls, .rtf, .docm, .xlsm, .pptm, .bin.
  • Restrict program execution: Block all program executions from the %LocalAppData% and %AppData% folders.
  • Show File Extensions: Set the registry value "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoid cloaking tricks that use double extensions (e.g. "not_a_virus.pdf.exe").
  • Enforce UAC Prompt: Force administrative users to confirm any action that requires elevated rights.
  • Remove Admin Privileges: Remove and restrict administrative rights wherever possible. Malware can only modify files that the user has write access to.
  • Restrict Workstation Communication: Activate the Windows Firewall to restrict workstation-to-workstation communication.
  • Sandboxing Email Input: Use a sandbox that opens email attachments and removes attachments based on behaviour analysis.
  • Execution Prevention: Software that controls the execution of processes, sometimes integrated in antivirus software; free options include AntiHook, ProcessGuard and System Safety Monitor.
  • Change Default "Open With" to Notepad: Force extensions primarily used for infections to open in Notepad rather than Windows Script Host or Internet Explorer.
  • File Screening: Server-side file screening with the help of File Server Resource Manager.
  • Restrict program execution #2: Block program executions with AppLocker.
  • EMET: Detect and block exploitation techniques.
  • Sysmon: Detect ransomware at an early stage with the new Sysmon 5 file/registry monitoring.
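The two attachment filter levels and the double-extension point above are mechanical enough to express as gateway logic. The following is an added example, not the original post's tooling: a Python attachment filter that applies a Level 1 or Level 2 extension list, checks every suffix of a name rather than just the last one, honours the oledata.mso exception, and also rejects names containing the Unicode right-to-left override (a cloaking trick not listed above but in the same family as double extensions). The extension set embedded here is a subset of the Level 1 list, and the attachment names are constructed.

```python
"""Mail-gateway attachment filter implementing the Level 1 / Level 2 extension
filters above.  Added example, not the page's own tooling; LEVEL1 is a subset
of the full list given above and the attachment names are constructed."""

# Subset of the Level 1 list above (the full set drops straight in here).
LEVEL1 = {
    ".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".cpl", ".hta",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".lnk", ".jar",
    ".msi", ".msp", ".reg", ".iso", ".chm", ".svg", ".url", ".mso",
}
# Level 2 = Level 1 plus the legacy and macro-capable Office formats.
LEVEL2 = LEVEL1 | {".doc", ".xls", ".rtf", ".docm", ".xlsm", ".pptm", ".bin"}
# The one exception the list makes: Office embeds oledata.mso itself.
MSO_EXCEPTION = "oledata.mso"
# Unicode right-to-left override, used to make "CV<RLO>fdp.exe" display as "CVexe.pdf".
RLO = "\u202e"

def base_name(filename: str) -> str:
    """Strip any path and normalise case.  Windows drops trailing dots and
    spaces when the file is saved, so they are stripped here as well."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.strip().rstrip(". ").lower()

def all_extensions(filename: str) -> list[str]:
    """Every suffix, not just the last one: 'not_a_virus.pdf.exe' -> ['.pdf', '.exe'].
    Blocking on any listed suffix catches double-extension cloaking; it also
    blocks 'setup.exe.txt' renames, which is deliberate for a gateway."""
    parts = base_name(filename).split(".")
    return ["." + p for p in parts[1:] if p]

def verdict(filename: str, level: int = 1) -> tuple[str, str]:
    """Return ('block'|'allow', reason) for a single attachment name."""
    if RLO in filename:
        return "block", "right-to-left override character in file name"
    name = base_name(filename)
    if name == MSO_EXCEPTION:
        return "allow", "oledata.mso is exempted from the .mso filter"
    blocked = LEVEL2 if level >= 2 else LEVEL1
    for ext in all_extensions(name):
        if ext in blocked:
            return "block", f"extension {ext} is on the level-{level} filter list"
    return "allow", "no filtered extension"

def filter_message(attachments: list[str], level: int = 1) -> dict[str, list[str]]:
    """Split one message's attachment names into blocked and allowed lists."""
    result: dict[str, list[str]] = {"blocked": [], "allowed": []}
    for name in attachments:
        decision, _reason = verdict(name, level)
        result["blocked" if decision == "block" else "allowed"].append(name)
    return result

# Constructed attachment names for a demonstration run.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.pdf",
    "not_a_virus.pdf.exe",
    "invoice.doc",
    "oledata.mso",
    "CV\u202efdp.exe",
    "INVOICE.EXE.",
]

if __name__ == "__main__":
    for lvl in (1, 2):
        print(f"level {lvl}:", filter_message(SAMPLE_ATTACHMENTS, lvl))
```

At Level 1 the legacy .doc passes and only the cloaked executables are dropped; switching to Level 2 also drops .doc, which is the trade-off the two levels express.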

Monday, May 15, 2017

Possible Way To Fight Back WannaCry Ransomware

In the last post, we showed the steps to follow in order to prevent ransomware attacks (see the previous post).
In this post, we move one step further, to fighting the WannaCry ransomware.
WannaCry Ransomware
Our researcher collected WannaCry samples (several variants) and executed them in a controlled environment. They clearly showed the expected behaviour: files were encrypted and a Bitcoin ransom was demanded. We tried a few decryption routines, without success. Today, we found an open-source vaccine for this ransomware, called the WannaCry Vaccine Tool.

WannaCry Vaccine Tool
The vaccine tool was created to prevent WannaCry infection. The catch is that it has to be executed on the system before the ransomware arrives; it then stops the WannaCry variant from doing its work. Once installed, the WannaCry Vaccine Tool keeps the system from being affected by WannaCry ransomware.

Tested by our researcher
Our researcher ran the vaccine tool in Windows XP and Windows 7 environments (both were attacked in the wild by WannaCry). After running the vaccine, our researcher executed the WannaCry sample: it dropped its encryptor files and created its other handles, but this time no files were encrypted. No infection resulted. The vaccine effectively stops the encryption of files on the system.

To get these files for your system, check the following GitHub link:

Trustlook WannaCry Toolkit
  • The Python tool, WannaCry Ransomware Scanner, checks a system for the presence of WannaCry.
  • The WannaCry Vaccine Tool prevents the ransomware from encrypting files, so no ransom can be demanded.
  • Most important of all: install the security patch from Microsoft.


MSIL Agent Sample - Malware Analysis

In our malware sample clusters, the "MSIL Agent" detection sits at the top. Clustering groups similar samples into one set. We fired up our VM with the malware analysis tools installed and, for this analysis, took two samples picked at random from the MSIL Agent cluster.
We got the following two files:

Sample 1:
MD5:      6c11ccfc559946574f4d2401ba040515
SHA-1:    f7a891ad465f3587ecc387f74d0c2095f214c108
SHA-256:  6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0

Sample 2:
MD5:      f5371ef52e97bc46b5e73ca6ece14e65
SHA-1:    3ee5801d76345a0a77cc2bca5a76599ff4708722
SHA-256:  2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f

Since the two samples fall in the same set, we checked one important factor: the import hash (imphash), which is widely used for tracking related malware samples. The import hash of the two files is identical. (For .NET binaries this is weak evidence on its own: nearly every CIL executable imports only _CorExeMain from mscoree.dll, so their import hashes collide regardless of author.) Both files are 7.0 KB (7168 bytes) in size, and TrID gives the same result for both:

TrID:
Generic CIL Executable (.NET, Mono, etc.) (82.9%)
Win32 Dynamic Link Library (generic) (7.4%)
Win32 Executable (generic) (5.1%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)

(TrID output for Sample 1 and Sample 2)
Analysis of the samples:
We looked into the samples and dissected them using IDA Pro. The function names in the samples are:

Function Names

Following the main function, the code adds an autostart (Run) entry pointing to the physical location of a file. Malware commonly uses Run entries for persistence, and the same is done here; refer to the snapshots below.

Run entry points to physical location
The Run entries use MozillaFirefox and Chrome as value names, and both point to .lnk files inside a folder called GoogleChrome. From the code we identified two .lnk files, WindowsUpdate.lnk and GoogleUpdate.lnk.
Looking further into the code, we found more values written to the Run key; please refer to the snapshot below:

Run entry points to physical location

Here we see Run entries with the value names Calculator and MediaPlayer, both pointing to the same files under the GoogleChrome folder. For comparison, we did a quick analysis of the second file and found the same code, registry entries and file locations in its strings.
Interesting strings (file offset, virtual address, string):
·  00000000110B   000000402F0B   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
·  00000000118B   000000402F8B   MozillaFirefox
·  0000000011AB   000000402FAB   C:\GoogleChrome\WindowsUpdate.lnk
·  0000000011EF   000000402FEF   Chrome
·  0000000011FD   000000402FFD   C:\GoogleChrome\GoogleUpdate.lnk
·  000000001247   000000403047   Microsoft
·  00000000125B   00000040305B   MediaPlayer
·  000000001273   000000403073   Calculator
These strings clearly match the first sample.
Indicators reported by the malware analysis tool for the file named by its SHA-256 (2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f):
  • The time stamp (Year: 2017) of the file header is beyond the maximum threshold (Year: 2015)
  • The size (7168 bytes) of the file is below the minimum threshold (10240 bytes)
  • The file opts for Address Space Layout Randomization (ASLR) as a mitigation technique
  • The file checksum (0x00000000) is invalid
  • The original filename (Mozilla.exe) is different from the file name (2a5692c4f72a1148926bbdbe0ae93489b85aff5af68a35655cb8300415e8f61f)
  • The file is not signed with a digital certificate

We checked the other file with the same tool, and its indicators are as follows:
  • The time stamp (Year: 2017) of the file header is beyond the maximum threshold (Year: 2015)
  • The size (7168 bytes) of the file is below the minimum threshold (10240 bytes)
  • The file opts for Address Space Layout Randomization (ASLR) as a mitigation technique
  • The file checksum (0x00000000) is invalid
  • The original filename (Mozilla.exe) is different from the file name (6ab529495eeedb0f2521aba633d3f00ddf1706dd8759a0dd981ea1a824c89cd0)
  • The file is not signed with a digital certificate

Dynamic Analysis:
Up to this point we ran static analysis tools and inferred the file's behaviour from the code inside it. Now we try dynamic analysis: execute one of the samples and use a diffing tool (a comparison tool that snapshots the OS before and after execution) to compare the clean state of the OS with the infected state.

First stage: we executed the file, observed its behaviour, and collected the memory strings of the running process. Once execution was done, we ran the comparison tool (InCtrl) and found the registry traces, the files and folders created, and the modifications (including deletions).

Observed registry traces: the same registry entries we saw in the code appear in the InCtrl logs:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (all values of type REG_SZ):
  • "Calculator" = C:\GoogleChrome\GoogleUpdate.lnk
  • "Chrome" = C:\GoogleChrome\GoogleUpdate.lnk
  • (value name not captured in the log) = C:\GoogleChrome\WindowsUpdate.lnk
  • "MediaPlayer" = C:\GoogleChrome\WindowsUpdate.lnk
  • "Microsoft" = C:\GoogleChrome\GoogleUpdate.lnk
  • "MozillaFirefox" = C:\GoogleChrome\WindowsUpdate.lnk
We observed the same entries in regedit (checked manually):
Run Entries

We ran the Autoruns tool (from Sysinternals) and found the logon entries.
Autoruns showing the Run entries
Both the InCtrl logs and Autoruns show that the target files are not present in the GoogleChrome folder; the folder itself is not even created. We were unable to find any folder or file creation routines in these samples, so they only register the persistence entries: whatever is meant to create C:\GoogleChrome and the two .lnk files is not part of them.
We wrote a YARA rule to detect these files. Run the following rule against your system to check whether it is infected with these variants:
YARA rule (the hex strings are the UTF-16LE encodings of the two .lnk paths):
rule MSIL_AGENT_Chrome_Mozilla
{
    strings:
        $string0 = { 43 00 3A 00 5C 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 43 00 68 00 72 00 6F 00 6D 00 65 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 6C 00 6E 00 6B }
        $string1 = { 43 00 3A 00 5C 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 43 00 68 00 72 00 6F 00 6D 00 65 00 5C 00 47 00 6F 00 6F 00 67 00 6C 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 2E 00 6C 00 6E 00 6B }
    condition:
        2 of them
}


This rule is sufficient to detect the whole cluster: scanning the full sample set with it picked up every file.
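For hosts without yara installed, the rule can be replicated directly. The following is an added example, not code from the original post: a Python check that decodes the rule's hex strings to confirm they are the UTF-16LE .lnk paths, applies the same "2 of them" condition to file bytes, and walks a directory tree. The sample bytes are constructed to exercise the check and are not malware. One observation surfaced by the decoding: both hex strings in the rule stop after the first byte of the final "k" (6B with no trailing 00), which still matches as a prefix of the full string.

```python
"""Python equivalent of the MSIL_AGENT_Chrome_Mozilla YARA rule above, for a
quick check on hosts where yara is not installed.  Added example, not the
page's own tooling; the sample blob below is constructed, not malware."""
import os
from typing import Iterator

# The two .lnk paths the samples write into HKCU\...\Run.
RUN_TARGETS = (
    "C:\\GoogleChrome\\WindowsUpdate.lnk",
    "C:\\GoogleChrome\\GoogleUpdate.lnk",
)
# .NET stores user strings as UTF-16LE, which is what the rule's hex strings are.
PATTERNS = {p: p.encode("utf-16-le") for p in RUN_TARGETS}

# The hex strings exactly as they appear in the rule above, for cross-checking.
YARA_HEX = {
    "$string0": "43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00"
                "570069006E0064006F00770073005500700064006100740065002E006C006E006B",
    "$string1": "43003A005C0047006F006F0067006C0065004300680072006F006D0065005C00"
                "47006F006F0067006C0065005500700064006100740065002E006C006E006B",
}

def yara_hex_to_text(hexstr: str) -> str:
    """Decode a UTF-16LE hex string from the rule.  The rule's strings end
    after the first byte of the final 'k' (6B without its 00), so an odd-length
    buffer is padded before decoding; as a YARA match the prefix still hits."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")

def matched_strings(data: bytes) -> list[str]:
    """Which of the two paths occur in the given file bytes."""
    return [path for path, needle in PATTERNS.items() if needle in data]

def matches_rule(data: bytes) -> bool:
    """The rule's condition is '2 of them': both strings must be present."""
    return len(matched_strings(data)) >= 2

def scan_tree(root: str, max_size: int = 50 * 1024 * 1024) -> Iterator[str]:
    """Yield every file under root that satisfies the rule; oversize or
    unreadable files are skipped rather than aborting the scan."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    if matches_rule(fh.read()):
                        yield path
            except OSError:
                continue

# Constructed stand-in for a sample: MZ/PE magic, filler, and the two .NET
# user strings with null terminators.  Not real malware bytes.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 40
    + PATTERNS[RUN_TARGETS[0]] + b"\x00\x00" + b"\x00" * 16
    + PATTERNS[RUN_TARGETS[1]] + b"\x00\x00"
)
# Something legitimate that also mentions Chrome: must NOT match.
BENIGN_BLOB = (
    b"MZ" + b"\x00" * 64
    + "C:\\Program Files\\Google\\Chrome\\chrome.exe".encode("utf-16-le")
)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print("MATCH", hit)
```

Run it with the drive or user profile root as the argument; a hit means a file carrying both persistence paths, which is the same condition the YARA rule expresses.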



Hard work never fails!
