Tag Archives: remote access trojan

DNSMessenger: 2017’s Most Beloved Remote Access Trojan (RAT)

I’ve written a lot about Remote Access Trojans (RATs) over the last few years, so I didn’t think there was much innovation left in this classic piece of hacker tooling. RATs, of course, give hackers shell access so they can issue commands, search for content and then stealthily copy files. However, I somehow missed DNSMessenger, a new RAT variant that was discovered earlier this year.

The malware runs when the victim opens a Word doc attached to a phishing email: a VBA macro in the document launches PowerShell. Nothing unusual so far in this phishing approach.

The actual RAT payload is set up in a later launch stage, and the DNSMessenger RAT is itself a PowerShell script. The way the malware unrolls is intentionally convoluted and obfuscated to make it difficult to spot.

And what does this PowerShell-based RAT do?

RAT Logic

No one’s saying that a RAT has to be all that complicated. The main processing loop accepts messages that tell the malware to execute commands and send the results back.

Here’s a bit of DNSMessenger code that probes its DNS servers. The addresses are hardcoded.

The clever aspect of DNSMessenger is that, surprise, surprise, it uses DNS as the C2 channel: it queries TXT records at attacker-controlled domains and pulls the commands out of the answers, and it sends results back the same way, encoded into the names it looks up.

It’s a little more complicated than what I’m letting on, and if you want, you can read the original analysis done by Cisco’s Talos security group.

Stealthy RAT

As noted by security pros, DNSMessenger is effectively “file-less”: commands from the remote server never have to be saved to the victim’s file system. Because the RAT is a PowerShell script rather than a dropped executable, signature-based virus scanners have little to flag, which makes DNSMessenger very difficult to detect while it’s running. The most direct counter is PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), which records the de-obfuscated script as it executes.

This is right out of the malware-less hacking cookbook.

Making it even more dangerous is its use of the DNS protocol. DNS is rarely filtered or inspected with the care given to HTTP or HTTPS, and almost every network lets every host resolve names through the local resolver, so the C2 traffic rides along with legitimate lookups. The practical counter is to log DNS queries (at the resolver, or per host with Sysmon’s DNS events) and look at them.

A tip of the (black) hat to the hackers for coming up with this. But that doesn’t mean that DNSMessenger is completely undetectable. The malware does have to access the file system when the commands sent via DNS tell it to scan folders and search for monetizable content. Varonis’s UBA technology would spot anomalies on the account under which DNSMessenger is running.

It would be great if it were possible to connect the unusual file-access activity to the DNS exfiltration being done by DNSMessenger. Then we’d have hard proof of an incident in progress.
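Here is what the DNS side of that detection can look like, as an added example that is not from the original post or from the Talos analysis. Feed it DNS query records (from your resolver’s query log, a packet capture or Sysmon’s DNS events, normalized to Client, QueryType and QueryName) and it flags domains that receive many TXT queries whose subdomain labels are long or high-entropy, which is what encoded commands and results look like on the wire. The sample records are constructed; c2-lookalike.example is a placeholder under the reserved .example TLD, and the thresholds are assumptions to tune against your own baseline.

```powershell
# Added example: flag DNS TXT-query patterns consistent with DNS-based C2.
# Input rows are assumed to carry Client, QueryType and QueryName properties.

function Get-ShannonEntropy {
    # Bits of entropy per character; random or encoded labels score roughly 3.5 and up.
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Text.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

function Get-RegisteredDomain {
    # Last two labels only; a public-suffix list would be needed for co.uk-style domains.
    param([string]$Name)
    $labels = $Name.TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Find-DnsC2Candidates {
    param(
        [Parameter(Mandatory)] [object[]]$Queries,
        [int]$MinTxtQueries = 5,          # assumption: tune to your environment
        [double]$EntropyThreshold = 3.5,  # assumption
        [int]$LabelLengthThreshold = 30   # assumption
    )
    $txt = $Queries | Where-Object { $_.QueryType -eq 'TXT' }
    foreach ($g in ($txt | Group-Object -Property { Get-RegisteredDomain $_.QueryName })) {
        if ($g.Count -lt $MinTxtQueries) { continue }
        $domain = $g.Name
        # Everything left of the registered domain is where encoded data would be carried.
        $subs = foreach ($q in $g.Group) {
            $n = $q.QueryName.TrimEnd('.')
            if ($n.Length -gt $domain.Length) { $n.Substring(0, $n.Length - $domain.Length - 1) } else { '' }
        }
        $avgLen = ($subs | ForEach-Object { $_.Length } | Measure-Object -Average).Average
        $avgEnt = ($subs | ForEach-Object { Get-ShannonEntropy $_ } | Measure-Object -Average).Average
        if ($avgEnt -ge $EntropyThreshold -or $avgLen -ge $LabelLengthThreshold) {
            [pscustomobject]@{
                Domain           = $domain
                TxtQueries       = $g.Count
                UniqueSubdomains = ($subs | Sort-Object -Unique).Count
                AvgSubdomainLen  = [Math]::Round($avgLen, 1)
                AvgEntropy       = [Math]::Round($avgEnt, 2)
                Clients          = (($g.Group | Select-Object -ExpandProperty Client | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

# Constructed sample: ordinary lookups plus one host polling TXT records with encoded labels.
$beacons = 'a3f9c2d1e8b7460f9a1c3d5e7b9f2a4c', '7c1e9b3a5d2f4e6c8a0b1d3f5e7a9c2b',
           '0f8e7d6c5b4a39281706f5e4d3c2b1a0', 'c4d2a8e6f0b9137d5e2a4c6f8b0d1e3a',
           '9b7d5f3a1c2e4d6f8a0b2c4e6d8f1a3c', 'e1c3a5f7d9b2468a0c2e4f6b8d0a1c3e'
$sample = @(
    [pscustomobject]@{ Client = '10.0.0.12'; QueryType = 'A';   QueryName = 'www.example.com' }
    [pscustomobject]@{ Client = '10.0.0.12'; QueryType = 'TXT'; QueryName = '_dmarc.example.com' }
    [pscustomobject]@{ Client = '10.0.0.30'; QueryType = 'MX';  QueryName = 'example.net' }
) + ($beacons | ForEach-Object {
    [pscustomobject]@{ Client = '10.0.0.57'; QueryType = 'TXT'; QueryName = "$($_).c2-lookalike.example" }
})

Find-DnsC2Candidates -Queries $sample | Format-Table -AutoSize
# Expected: one row, for c2-lookalike.example (six TXT queries, 32-character labels); example.com is skipped.
```

The single _dmarc TXT lookup for example.com stays below the count threshold, which is the point of grouping by registered domain first: legitimate TXT traffic exists, but it is sparse and its labels are short and readable.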

Varonis Edge

We’ve recently introduced Varonis Edge, which is specifically designed to look for signs of attack at the perimeter, including VPNs, Web Security Gateways, and, yes, DNS.

As I mentioned in my last post, malware-free hacking is on the rise and we should expect to see more of it in 2018.

It would be a good exercise to experiment with and analyze a DNSMessenger-style trojan. I can’t do it this month, but I’m making it my first New Year’s resolution to try experimenting in January on my AWS environment.

In the meantime, try a demo of Varonis Edge to learn more.

More NSA Goodness: Shadow Brokers Release UNITEDRAKE

Looking for some good data security news after the devastating Equifax breach? You won’t find it in this post, although this proposed federal breach notification law could count as a teeny ray of light. Anyway, you may recall the Shadow Brokers, the group that obtained and published NSA hacking tools, including the EternalBlue exploit for the Windows SMB vulnerability (MS17-010) that made WannaCry ransomware so deadly.

Those very same Shadow Brokers have a new product announcement that also appears to be based on NSA spyware first identified in the Snowden documents. Bruce Schneier has more details on its origins.

(Way back in 2014, Cindy and I listened to Schneier speak at a cryptography conference, warning the attendees that NSA techniques would eventually reach ordinary hackers. Once again, Schneier proved depressingly right.)

Known as United Rake or UNITEDRAKE in hacker fontology, this is an advanced remote access trojan, or RAT, along with accompanying “implants”, NSA-speak for remote modules. It makes some of the admittedly simple RATs I investigated in my pen testing series look like the digital version of Stone Age tools.


How do we know how UNITEDRAKE works?

The Shadow Brokers kindly published a user’s manual. I highly recommend that IT folks who only know about malware by scanning the headlines of tech-zines peruse the contents of this document.

Forgetting for a moment that Evil Inc. is behind the malware, the 67-page manual appears on the surface to be describing a legit IT tool: there are sections on minimum software requirements, installation, deployment, and usage (lots of screenshots here).

Manage remote implants or modules from the UNITEDRAKE interface.

To my eyes, this is a detailed user’s manual that puts a lot of business-class software collateral to shame. It’s the productized malware that we often hear about, and now we can all see it for ourselves. UNITEDRAKE will likely be sold on the dark web, and the manual is the teaser to get hackers interested.

I didn’t see all the capabilities implied in the screenshots explained, but there’s enough in the manual to convince the likely buyer that UNITEDRAKE is the real deal and worth the investment.

But It’s Still a Trojan

Once you read through the UNITEDRAKE manual, you see it’s essentially a RAT with a classic modern architecture: the client-side with the implants is on the victim’s computer, and it communicates to the hacker’s server on the other side of the connection.

Port 80 seems to be the communications channel, which means HTTP is the workhorse protocol here, although raw TCP is mentioned as well.

In the RAT world, the client-side is the victim’s computer.

Scanning a few specialized websites, I learned that NSA implants such as Salvage Rabbit can copy data off a flash drive, Gumfish can take pictures from an embedded camera, and Captivated Audience can, what else, spy on users through a laptop’s microphone. You can read more about this spy-craft in this Intercept article.

The NSA guys at least get credit for creative product naming.

The Prognosis

Obviously, the NSA was in a better position to install these implants than typical hackers. And it’s unclear how much of the NSA-ware the Shadow Brokers were able to implement.

In any case, with phishing and other techniques (SQL injection, or probing for known but unpatched vulnerabilities), hackers have had a good track record in the last few years of getting past the perimeter undetected.

Schneier also says that Kaspersky has seen some of these implants in the wild.

My takeaway: we should be more than a little afraid of UNITEDRAKE, and of other proven productized malware that hackers with some pocket change can easily get their hands on.

We never believed the perimeter was impenetrable! Learn how Varonis can spot attackers once they’re inside.

Please Disable UPnP on Your Router. Now!

Remember the first large-scale Mirai attack late last year? That was the one that recruited IP cameras and other consumer gadgets into a botnet by logging in with factory-default credentials that many consumers never bother changing. What put so many of those devices within reach in the first place was Universal Plug and Play, or UPnP, which is enabled by default on zillions of routers worldwide.

UPnP, or more precisely its Internet Gateway Device profile, is a convenient way of letting gadgets such as the aforementioned cameras (or WiFi-connected coffee pots) be reached from the other side of the firewall through a public port. The device asks the router for the mapping, and the router creates the port-forwarding rule automatically when the gadget is installed, without anyone logging into the admin page.

Command and Control Meets UPnP

However, this convenience provides an opening for hackers. In the case of Mirai, it let them scan for these forwarded ports, and then log in to the device at the other end.

Hackers have now found an even more diabolical use of UPnP with the banking trojan Pinkslipbot, also known as QakBot or QBot.

Around since 2007, QakBot infects computers, installs a keylogger, and then sends banking credentials to remote Command and Control (C2) servers.

Remember C2?

When we wrote our first series on pen testing, we described how remote access trojans (RATs) residing on the victims’ computers are sent commands remotely from the hackers’ servers over an HTTP or HTTPS connection.

This is a stealthy approach in post-exploitation because it makes it very difficult for IT security to spot any abnormalities. After all, to an admin or technician watching the network it would just appear that the user is web browsing — even though the RAT is receiving embedded commands to log keystrokes or search for PII, and exfiltrating passwords, credit card numbers, etc. to the C2s.

One defense against this is to block the domains and addresses of known C2 servers. Of course, it becomes a cat-and-mouse game with the hackers as they find new dark spots on the Web to set up their servers while old ones are filtered out by corporate security teams.

And that’s where Pinkslipbot has added a significant innovation. It has introduced, for lack of a better term, middle-malware: it infects computers, but not to take their owners’ credentials. Instead, the middle-malware turns the infected machine into a proxy C2 server that relays the victims’ HTTPS traffic to the real C2 servers.

Middle-malware: C2 servers can be anywhere!

The Pinkslipbot infrastructure therefore doesn’t have a fixed domain or address for its C2 servers; any infected home PC can front for them. In effect, the entire Web is their playing field, and it’s almost impossible to maintain a list of known domains or addresses to filter out.

What does UPnP have to do with Pinkslipbot?

When Pinkslipbot takes over a consumer laptop, it checks whether UPnP is enabled on the router. If it is, the middle-malware issues a UPnP request (an AddPortMapping call) to the router to open a public port that forwards back to the laptop. This lets Pinkslipbot act as a relay between computers infected with the RAT and the hackers’ C2 servers (see the diagram).

It’s fiendish, and I begrudgingly give these guys a (black) hat tip.

One way for all of us to make these attacks harder to pull off is simply to disable UPnP (the automatic port-forwarding feature) on our home routers. You probably don’t need it, and anything that genuinely does can be given a manual port-forwarding rule instead.

By the way, you can see this done here for my own home Linksys router. And while you’re carrying out the reconfiguration, take the time to come up with a better admin password.

Do this now!
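Before (or after) flipping that switch, it’s worth seeing what your gateway actually advertises. The PowerShell script below is an added example, not from the original post or from any router vendor: it multicasts an SSDP M-SEARCH for an Internet Gateway Device on the local network, fetches the device description, and walks the WANIPConnection (or WANPPPConnection) port-mapping table with GetGenericPortMappingEntry until the router reports the end of the list. If anything answers, UPnP is on; any mapping you don’t recognise, say a PC rather than a camera as the InternalClient behind an odd high external port, is exactly the kind of entry Pinkslipbot would create. It needs LAN access (not the internet) and the host firewall has to let the unicast SSDP reply back in; the timeout is an assumption.

```powershell
# Added example: enumerate UPnP IGD port mappings on the local gateway. Talks to the LAN.

function Find-UpnpGateway {
    # SSDP discovery: multicast an M-SEARCH and collect the LOCATION URL of every IGD that answers.
    param([int]$TimeoutMs = 3000)   # assumption; raise on slow networks
    $msearch = "M-SEARCH * HTTP/1.1`r`nHOST: 239.255.255.250:1900`r`nMAN: `"ssdp:discover`"`r`n" +
               "MX: 2`r`nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1`r`n`r`n"
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($msearch)
    $target = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse('239.255.255.250')), 1900
    [void]$udp.Send($bytes, $bytes.Length, $target)
    $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
    $locations = @()
    try {
        while ($true) {
            $text = [System.Text.Encoding]::ASCII.GetString($udp.Receive([ref]$remote))
            if ($text -match '(?im)^LOCATION:\s*(\S+)') { $locations += $Matches[1] }
        }
    } catch [System.Net.Sockets.SocketException] {
        # ReceiveTimeout elapsed: no more responders
    } finally { $udp.Close() }
    return ($locations | Sort-Object -Unique)
}

function Get-UpnpWanService {
    # Parse the device description XML and find the WAN connection service and its control URL.
    param([string]$DescriptionUrl)
    [xml]$desc = (Invoke-WebRequest -Uri $DescriptionUrl -UseBasicParsing).Content
    $svc = $desc.SelectNodes("//*[local-name()='service']") |
           Where-Object { $_.serviceType -match 'service:WAN(IP|PPP)Connection:' } |
           Select-Object -First 1
    if (-not $svc) { return $null }
    $control = New-Object System.Uri -ArgumentList ([System.Uri]$DescriptionUrl), $svc.controlURL
    [pscustomobject]@{ ServiceType = $svc.serviceType; ControlUrl = $control.AbsoluteUri }
}

function Get-UpnpPortMappings {
    # Ask for entry 0, 1, 2, ... until the router answers with a SOAP fault (UPnPError 713 = end of table).
    param([string]$ControlUrl, [string]$ServiceType)
    $i = 0
    while ($true) {
        $body = '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" ' +
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>' +
                "<u:GetGenericPortMappingEntry xmlns:u=`"$ServiceType`">" +
                "<NewPortMappingIndex>$i</NewPortMappingIndex>" +
                '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
        $req = @{
            Uri = $ControlUrl; Method = 'Post'; Body = $body; UseBasicParsing = $true
            ContentType = 'text/xml; charset="utf-8"'
            Headers = @{ SOAPAction = "`"$ServiceType#GetGenericPortMappingEntry`"" }
        }
        try { $resp = Invoke-WebRequest @req } catch { break }   # HTTP 500 fault ends the list
        [xml]$x = $resp.Content
        $e = $x.SelectSingleNode("//*[local-name()='GetGenericPortMappingEntryResponse']")
        if (-not $e) { break }
        [pscustomobject]@{
            Index          = $i
            Protocol       = $e.NewProtocol
            ExternalPort   = $e.NewExternalPort
            InternalClient = $e.NewInternalClient
            InternalPort   = $e.NewInternalPort
            Enabled        = $e.NewEnabled
            Description    = $e.NewPortMappingDescription
        }
        $i++
    }
}

$gateways = Find-UpnpGateway
if (-not $gateways) { 'No UPnP Internet Gateway Device answered: UPnP is off, or SSDP is blocked.' }
foreach ($loc in $gateways) {
    $svc = Get-UpnpWanService -DescriptionUrl $loc
    if (-not $svc) { continue }
    "UPnP IGD is enabled at $loc ($($svc.ServiceType))"
    Get-UpnpPortMappings -ControlUrl $svc.ControlUrl -ServiceType $svc.ServiceType | Format-Table -AutoSize
}
```

Run it again after disabling UPnP on the router: the discovery step should come back empty. If mappings remain that you created by hand in the router’s admin page, they are unaffected, which is the point of preferring manual rules.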

Security Stealth Wars: IT Is Not Winning (With Perimeter Defenses)

Phishing, FUD (fully undetectable) malware, malware-free hacking with PowerShell, and now hidden C2 servers: the hackers are gaining the upper hand in post-exploitation. Their activities are almost impossible to block or spot with traditional perimeter security techniques and malware scanning alone.

What to do?

The first part is really psychological: you have to be willing to accept that the attackers will get in. I realize that it means admitting defeat, which can be painful for IT and tech people. But now you’re liberated from having to defend an approach that no longer makes sense!

Once you’ve passed this mental barrier, the next part follows: you need a secondary line of defense that detects the attacker’s activity without relying on malware signatures or perimeter network monitoring.

I think you know where this is going. Defensive software that’s based on, wait for it, User Behavior Analytics (UBA) can spot the one part of the attack that can’t be hidden: searching for PII in the file system, accessing critical folders and files, and copying the content.

In effect, you grant the hackers a small part of the cyber battlefield, only to defeat them later on.

Disabling PowerShell and Other Malware Nuisances, Part III


One of the advantages of AppLocker over Software Restriction Policies is that it can selectively enable PowerShell for Active Directory groups. I showed how this can be done in the previous post. The goal is to limit as much as possible the ability of hackers to launch PowerShell malware while still giving legitimate users access.

It’s a balancing act of course. And as I suggested, you can accomplish the same thing by using a combination of Software Restriction Policies (SRP) and ACLs, but AppLocker does this more efficiently in one swoop.

Let’s Get Real About Whitelisting

As a practical matter, whitelisting is just plain hard to do, and I’m guessing most IT security staff won’t go down this route. However, AppLocker does provide an audit-only mode that makes whitelisting slightly less painful than SRP: it logs what would have been blocked without actually blocking anything.

AppLocker writes its decisions straight to the Windows Event Viewer, in the Microsoft-Windows-AppLocker logs (event 8003 for an executable that would have been blocked in audit mode, 8004 for one actually blocked in enforce mode), provided the Application Identity service (AppIDSvc) is running. For whatever reason, I couldn’t get this to work in my AWS environment. But this would be a little less of a headache than setting up a Registry entry and dealing with a raw log file, which is the SRP approach.

In any case, I think most of you will try what I did. I took the default rules provided by AppLocker to allow the standard Windows system and program folders, added an exception for the PowerShell directory, and then created a special rule to allow only members of a select AD group (Acme-VIPs in my case) to run PowerShell.

AppLocker: Accept the default path rules, and then selectively enable PowerShell.

Effectively, I whitelisted all the usual Windows suspects, and then partially blacklisted PowerShell.

PowerShell for Lara, who’s in the Acme-VIPs group, but no PowerShell for Bob!
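Here is the same policy expressed as PowerShell rather than GPO clicks, as an added example that is not part of the original post. It writes the default path rules, carves the PowerShell directories out of the Windows-folder rule, adds an allow rule for the Acme-VIPs SID, dry-runs the result against powershell.exe for Lara and Bob with Test-AppLockerPolicy, and reads back the audit events. The domain name ACME and the account names are assumptions from this series’ scenario. Two caveats a practitioner should know: AppLocker evaluates nothing unless the Application Identity service is running, and a path rule only governs files launched from that path, so powershell.exe and powershell_ise.exe are covered but a custom host that loads System.Management.Automation.dll (which is exactly how Empire runs agents “without needing powershell.exe”) is not; only DLL rules on that assembly, or a broader lockdown such as Constrained Language Mode, address that.

```powershell
# Added example: AppLocker policy allowing the default Windows/Program Files paths for everyone
# but the PowerShell directories only for members of ACME\Acme-VIPs. Run as a local administrator.
Import-Module AppLocker

$everyone = 'S-1-1-0'
$admins   = 'S-1-5-32-544'   # BUILTIN\Administrators
$vipSid   = (New-Object System.Security.Principal.NTAccount('ACME\Acme-VIPs')).Translate([System.Security.Principal.SecurityIdentifier]).Value

# Both PowerShell installs on a 64-bit host; powershell_ise.exe lives in the same directories.
$psPaths = '%WINDIR%\System32\WindowsPowerShell\v1.0\*', '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*'

function New-PathRule {
    # One AppLocker FilePathRule (Allow) with optional path exceptions, as policy XML.
    param([string]$Name, [string]$Sid, [string]$Path, [string[]]$Except = @())
    $ex = if ($Except) { '<Exceptions>' + (($Except | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join '') + '</Exceptions>' } else { '' }
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions>$ex</FilePathRule>"
}

$rules = @(
    New-PathRule '(Default Rule) All files located in the Program Files folder' $everyone '%PROGRAMFILES%\*'
    New-PathRule '(Default Rule) All files located in the Windows folder' $everyone '%WINDIR%\*' -Except $psPaths
    New-PathRule '(Default Rule) All files' $admins '*'
    foreach ($p in $psPaths) { New-PathRule 'PowerShell for Acme-VIPs only' $vipSid $p }
)

# AuditOnly first; switch to Enabled once the 8003 events show nothing you care about.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    $($rules -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyXml | Set-Content -Path .\acme-applocker.xml -Encoding UTF8

# Dry run: what would each user get? (Test-AppLockerPolicy takes one -User at a time.)
$psExe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
foreach ($u in 'ACME\lara', 'ACME\bob') {
    Test-AppLockerPolicy -XmlPolicy .\acme-applocker.xml -Path $psExe -User $u |
        Select-Object @{ n = 'User'; e = { $u } }, PolicyDecision, MatchingRule
}
# Expected: lara -> Allowed via "PowerShell for Acme-VIPs only"; bob -> DeniedByDefault (no rule matches him).

# AppLocker only evaluates policy while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy .\acme-applocker.xml    # local policy; add -Ldap to write into a GPO instead

# Audit mode logs 8003 (would have been blocked); enforce mode logs 8004 (blocked).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message
```

The exception on the Windows-folder rule is what does the real work: without it, the default rule would allow powershell.exe for everyone and the VIP rule would be redundant.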

And Acme Was Hacked

No, the hacking of my Acme domain on AWS is not going to make any headlines. But I thought as a side note it’s worth mentioning.

I confess: I was a little lax with my Amazon firewall port setting, and some malware slipped in.

After some investigation, I discovered a suspicious executable in  the \Windows\Prefetch directory. It was run as a service that looked legit, and it opened a zillion UDP ports.

It took me an afternoon or two to figure all this out. My tip offs were when my server became somewhat sluggish, and then receiving an Amazon email politely suggesting that my EC2 instance may have been turned into a bot used for a DDoS attack.

This does relate to SRP and AppLocker!

Sure, had I activated these protections earlier, Windows would have been prevented from launching the malware, which was living in a non-standard location.

Lesson learned.

And I hold my head in shame if I caused some DDoS disturbance for someone, somewhere.

Final Thoughts

Both SRP and AppLocker also have rule types based on file hashes and digital signatures (publisher certificates). Either provides additional assurance that the executables really are what they claim to be, and not the work of evil hackers; a path rule on its own trusts anything that lands in an allowed directory.

AppLocker is more granular than SRP when it comes to publisher rules: it lets you filter on a specific product and file name from a publisher, and on a version number as well. You can learn more about this here.

Bottom line: full whitelisting is not an achievable goal for the average IT mortal. For the matter at hand, disabling PowerShell, my approach of using the default path rules provided by either SRP or AppLocker, and then selectively allowing PowerShell for certain groups (easier with AppLocker), is far more realistic.

Next Steps

It may seem odd if you’ve just gone through all three parts of this series about disabling PowerShell to find us suggesting a course on writing more PowerShell. It’s not hypocritical. It’s using the right tool for the right job at the right time.

To that end, if you’re interested in learning more practical, security-focused PowerShell, you can unlock the full 3-hour video course on PowerShell and Active Directory Essentials with the code cmdlet.

Pen Testing Active Directory Environments, Part IV: Graph Fun

If we haven’t already learned from playing six degrees of Kevin Bacon, then certainly Facebook and LinkedIn have taught us we’re all connected. Many of the same ideas of connectedness also play out in Active Directory environments. In this post, we’ll start out where we left off last time in thinking about the big picture of Active Directory users and groups.

Or more accurately pondering the big graph of Active Directory. And the game we’re playing is closer to four degrees of Ted, your overworked IT admin or other privileged user.

Graphically Speaking

Why do we need to think about graphs in AD environments?

These structures form naturally from AD group membership. At the Acme company, I already set up groups for Acme-Clevels, Acme-VIPs and Acme-Serfs. These AD groups can contain either users or other groups. IT often establishes AD environments with group hierarchies so they can control permissions at finer levels with each hop down the hierarchy.

Since the last post, for example, I added a group for Acme-Legal under Acme-VIPs. In Acme Legal, there are legal subgroups for Acme-Patents and Acme-Compliance. As Acme’s beloved IT admin, I can set permissions that allow only members of Acme-Patents to view and update certain directories or include all of Acme-Legal or even all of Acme-VIPs.


Part of the Acme AD hierarchy.

The computer-science term for the hierarchies I’m describing is directed acyclic graph, or DAG, a core graph type that always comes up in a basic CS class such as “Data Structures for Poets and Aspiring Sous Chefs”. One caveat: Active Directory doesn’t actually stop a group from ending up nested inside itself through a chain of other groups, so anything that walks these graphs has to be prepared for cycles.

Pen testers who work in AD environments are also very fond of these graphs, which let them quickly hunt down users who’ll have the credentials they need. A gentle intro to the subject can be found in this Def Con presentation. I’ll add the usual qualifier: graph theory is a rich area, and we’ll only be sipping its foamy crema in this post.

One use of these ideas is known as “derivative admin”, which involves hopping around the network while gaining local admin privileges at each hop. We’ll do something a little different: finding users who have permissions to a file we’re interested in but can’t access.

Practicing Law Without the Right Permissions

Let’s say I’ve landed on Acme’s Salsa server with Bob’s plain credentials — Bob is in the Acme-Serfs’ group. Bob has enough file permissions to help me move around the server, but not enough to allow access to interesting content.

I come across a tempting directory named “Top Secret”. Unfortunately, I can’t navigate into it. I now use PowerView’s Get-PathACL to get a little more insight.


Wouldn’t you know it, but “Top Secret” gives access to those only in Acme-Legal (and Administrators). As an Acme-Serfs member, I’ve been excluded.

Here’s the problem. I’d like to discover all the users under the Acme-Legal umbrella since any user in the Acme-Legal hierarchy would give me the right privileges.

The goal is to find all those users (in graph-speak, the leaves) under Acme-Legal, and then hope that one of them is logged on to the Salsa server so I can steal their credentials through pass-the-hash.

If you do this on an ad-hoc, manual basis, it gets complicated very quickly even for small companies. For example, I can run Get-NetGroupMember, write down all the groups and users it spits out, and then repeat for each group until exhaustion sets in.

Paul Revere Rides Again

The better way to do this, of course, is to automate the task using PowerShell.

We need to build what’s known in the trade as adjacency lists: for each Acme group, a list of its immediate members, users and nested groups alike. Together these lists represent the DAG, and for any group I can instantly look up what sits directly under it.

I’m not much of a PowerShell scripter, but in an afternoon or two I was able to generate these lists using PS’s associative arrays and ArrayList data types, along with PowerView’s Get-NetGroupMember.

You can see the partial results below, with the variable $GroupAdj containing it all.


Yeah, it’s a great homework assignment to work this out for yourself.

Do some of these ideas seem familiar in a kind of Paul Revere-metadata way?  Of course, sociologist Kieran Healy’s great Using Metadata to Find Paul Revere should come to mind! Healy’s post was a first introduction to metadata and graphs for many of us.

His problem was finding all the Tea Partiers — the original version 1.0 — that Paul Revere was connected to. By the way, his post shows you how to create what’s known by the graph-erati as the “transitive closure” for each node.  I’ll take that up next time for our Acme graph.

This time we’ll solve a far simpler puzzle: given a specific Acme user and a group, is there a connection between the two? Essentially, I want to see if there’s a path from an AD group to the user by navigating my adjacency lists.

If you’ve taken the computer course for poets that I mentioned earlier, you know about the breadth-first search (BFS) and depth-first search (DFS) algorithms. As a cool pen tester, I wrote a couple of lines of code that implement BFS and kept them in a file called depthsearch:


A queue-based search in PowerShell (breadth-first, despite the script’s name). By the way, ArrayLists are an easy way to implement simple queues!

Let’s say I’m watching to see who’s logging into Salsa using crackmapexec with the --lusers option. I discover that someone named Cal is now on the server. He seems like an IT guy based on the output of the Get-NetUser cmdlet.

So I now run my depthsearch script with parameters Acme-Legal and cal.


Eureka! Next I just need to dump his hash using crackmapexec and then I can pop a shell with Empire. Remember from last time?
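For anyone who’d rather not do the homework cold, here is a complete version of the adjacency-list build and the search, as an added example; it is my code, not the author’s depthsearch script. The membership table is constructed to match the Acme hierarchy described in this post (pat and cora are made-up members of Acme-Patents and Acme-Compliance); in a real engagement you would fill it from PowerView’s Get-NetGroupMember, whose GroupName, MemberName and IsGroup fields are exactly what’s needed. Two things the homework version tends to miss: Active Directory permits circular group nesting, so the traversal must track visited nodes or it never terminates, and the same structure also answers the “all the leaves under Acme-Legal” question from earlier.

```powershell
# Added example: adjacency lists for the Acme group hierarchy, a breadth-first search from a
# group to a user, and the set of all user leaves under a group. Cycle-safe.

# Constructed stand-in for Get-NetGroupMember output: one row per (group, direct member).
$membership = @(
    [pscustomobject]@{ GroupName = 'Acme-VIPs';       MemberName = 'Acme-Legal';      IsGroup = $true  }
    [pscustomobject]@{ GroupName = 'Acme-VIPs';       MemberName = 'tbloatly';        IsGroup = $false }
    [pscustomobject]@{ GroupName = 'Acme-VIPs';       MemberName = 'lcrasus';         IsGroup = $false }
    [pscustomobject]@{ GroupName = 'Acme-Legal';      MemberName = 'Acme-Patents';    IsGroup = $true  }
    [pscustomobject]@{ GroupName = 'Acme-Legal';      MemberName = 'Acme-Compliance'; IsGroup = $true  }
    [pscustomobject]@{ GroupName = 'Acme-Patents';    MemberName = 'Acme-Snowflakes'; IsGroup = $true  }
    [pscustomobject]@{ GroupName = 'Acme-Patents';    MemberName = 'pat';             IsGroup = $false }
    [pscustomobject]@{ GroupName = 'Acme-Compliance'; MemberName = 'cora';            IsGroup = $false }
    [pscustomobject]@{ GroupName = 'Acme-Snowflakes'; MemberName = 'cal';             IsGroup = $false }
    [pscustomobject]@{ GroupName = 'Acme-Serfs';      MemberName = 'bob';             IsGroup = $false }
)

function New-GroupAdjacency {
    # group name -> ArrayList of direct members. Every group gets a key, even an empty one,
    # so that "not a key" reliably means "user".
    param([object[]]$Rows)
    $adj = @{}
    foreach ($r in $Rows) {
        if (-not $adj.ContainsKey($r.GroupName)) { $adj[$r.GroupName] = New-Object System.Collections.ArrayList }
        if ($r.IsGroup -and -not $adj.ContainsKey($r.MemberName)) { $adj[$r.MemberName] = New-Object System.Collections.ArrayList }
        [void]$adj[$r.GroupName].Add($r.MemberName)
    }
    return $adj
}

function Find-MemberPath {
    # BFS from $Start; returns the chain of groups leading to $Target, or $null if unreachable.
    param([hashtable]$Adj, [string]$Start, [string]$Target)
    $queue  = New-Object System.Collections.ArrayList   # ArrayList as a FIFO queue
    $parent = @{}                                        # visited set plus back-pointers
    $parent[$Start] = $null
    [void]$queue.Add($Start)
    while ($queue.Count -gt 0) {
        $node = $queue[0]; $queue.RemoveAt(0)
        if ($node -eq $Target) {
            $path = New-Object System.Collections.Array­List
            for ($n = $node; $null -ne $n; $n = $parent[$n]) { $path.Insert(0, $n) }
            return ,$path.ToArray()
        }
        if (-not $Adj.ContainsKey($node)) { continue }    # users have no members
        foreach ($m in $Adj[$node]) {
            if ($parent.ContainsKey($m)) { continue }      # already seen: AD allows circular nesting
            $parent[$m] = $node
            [void]$queue.Add($m)
        }
    }
    return $null
}

function Get-LeafUsers {
    # Every user reachable below $Group, i.e. its transitive membership, without looping on cycles.
    param([hashtable]$Adj, [string]$Group)
    $seen = @{}; $users = @()
    $stack = New-Object System.Collections.ArrayList
    [void]$stack.Add($Group)
    while ($stack.Count -gt 0) {
        $node = $stack[$stack.Count - 1]; $stack.RemoveAt($stack.Count - 1)
        if ($seen.ContainsKey($node)) { continue }
        $seen[$node] = $true
        if ($Adj.ContainsKey($node)) { foreach ($m in $Adj[$node]) { [void]$stack.Add($m) } }
        else { $users += $node }
    }
    return ($users | Sort-Object -Unique)
}

$GroupAdj = New-GroupAdjacency -Rows $membership
(Find-MemberPath -Adj $GroupAdj -Start 'Acme-Legal' -Target 'cal') -join ' -> '
# Acme-Legal -> Acme-Patents -> Acme-Snowflakes -> cal
(Get-LeafUsers -Adj $GroupAdj -Group 'Acme-Legal') -join ', '
# cal, cora, pat
$null -eq (Find-MemberPath -Adj $GroupAdj -Start 'Acme-Legal' -Target 'bob')
# True: Bob's Acme-Serfs sits outside the Acme-Legal tree
```

The back-pointer table doubles as the visited set, which is what keeps a circularly nested group from sending the search round forever; the same table gives you the path to report, which is what management will want to see rather than a bare “yes”.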

And the Lesson Is  … Role Based Access Controls

In my role as Acme admin, I created a special group known as Acme-Snowflakes, where I put Cal the IT guy. The Acme-Snowflakes group is itself buried down in the hierarchy under the Acme-Patents group. In this make-believe scenario, once upon a time we needed to give Cal access to legal folders and then we promptly forgot to remove these special Snowflakes.

As a pen tester, I can now report to management about a small hole in the Acme permission structure.

We covered a lot of ground this time, but there is an important lesson. Once the hackers get in and then leverage Active Directory metadata, they have – let’s face it – awesome power. The goal is to make it harder for them.

And one of the ways to do that is through role-based access control policies that force you to restrict who has access to sensitive files. An IT group that’s on its game would have been questioning why Cal had been given access to the “Top Secret” directory used by the legal department.

Enough preaching!

We’ll go over some of these same ideas again next time, and then explore derivative admins, which is a variation of the concepts we’ve covered in this post.


Pen Testing Active Directory Environments, Part III:  Chasing Power Users

For those joining late, I’m currently pen testing the mythical Acme company, now made famous by a previous pen testing engagement (and immortalized in this free ebook). This time around I’m using two very powerful tools, PowerView and crackmapexec, in my post-exploitation journey into Acme’s IT.

Before we get into more of the details of hunting down privileged users, I wanted to take up one point regarding Active Directory mitigations that I touched on last time.

Protecting the VIPs

As we saw, PowerView cmdlets give pen testers and hackers incredibly valuable information about the user population. They do this by pulling attributes out of Active Directory, some of which can then be used to launch a phishing (or whaling) attack.

So you’re wondering whether or not we can put restrictions on who gets to see the data? Or what data is made available in the first place?

Yes and yes.

For the purposes of this post, I’m proposing a quick fix. We’ll simply prevent some key AD attributes from being displayed in PowerView’s Get-NetUser cmdlet.

We really don’t want to make it easy for hackers to access phone numbers, mail addresses, and other personal information of the C-suite.

These folks may not have customer accounts and credit card numbers in their files, but they surely have access to key corporate IP – contracts, plans, pending deals, etc.

The answer can be found in the Active Directory Users and Computers (ADUC) console.

Our first priority should be to secure Ted Bloatly, Chief Honcho (CEO) of Acme.

If we open his Security tab, we can view a list of broad AD attribute permissions (property sets such as Personal Information and Phone and Mail Options) that we can allow or deny.

For Mr. Bloatly, I’ll simply deny access to his contact information (see below) for anyone in the Acme domain.


I really don’t want hackers and even employees to get this kind of sensitive data.  If you want to know anything about Mr. Bloatly, you’ll have to find out the old-fashioned way, by contacting his loyal personal assistant, Smithers.

Sure, we can be more granular about who gets to see this information. Clicking on “Advanced” lets you grant certain groups the right to view Bloatly’s contact information: for example, I could allow access for just the Acme-VIPs group, the C-levels of the company.

In any case, if we go back to the Salsa server that we landed on, and run Get-NetUser, we’ll see that his postal address and the personal info about his bowling habits no longer show up.


We’ll delve into other ways to restrict access to AD attributes later on in this series.
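The same change from PowerShell, as an added example that is not part of the original post: the Personal Information and Phone and Mail Options boxes in the Security tab map to two well-known rights GUIDs from the AD schema, and a deny ACE for Everyone on Ted’s user object covers both. The account name tbloatly is an assumption. Two caveats: a Deny for Everyone also hides the attributes from administrators, since explicit deny ACEs are evaluated before explicit allows, and the reason these attributes are readable in the first place is usually the default read access granted to Authenticated Users and Pre-Windows 2000 Compatible Access, so auditing who holds ReadProperty on VIP objects is the broader fix. The final Get-ADUser, run as an unprivileged account, is the check that the deny actually took.

```powershell
# Added example: deny Everyone read access to Ted Bloatly's Personal Information and
# Phone and Mail Options property sets on his user object.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'tbloatly'          # assumption: Ted's sAMAccountName
$path = "AD:\$($user.DistinguishedName)"

# Rights GUIDs of the property sets; these are fixed by the AD schema and identical in every forest.
$propertySets = @{
    'Personal Information'   = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
    'Phone and Mail Options' = [guid]'e45795b2-9455-11d1-aebd-0000f80367c1'
}
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

$acl = Get-Acl -Path $path
foreach ($set in $propertySets.GetEnumerator()) {
    # ActiveDirectoryAccessRule(identity, rights, type, objectType): objectType scopes the ACE to the property set.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $set.Value)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Verify the DACL: two explicit Deny ACEs for Everyone, each scoped to one property-set GUID.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Deny' } |
    Select-Object ActiveDirectoryRights, ObjectType, IsInherited

# Run this part as a plain domain user (Bob, say): the attributes should now come back empty.
Get-ADUser -Identity 'tbloatly' -Properties streetAddress, telephoneNumber, mail |
    Select-Object streetAddress, telephoneNumber, mail
```

Because the ACE is scoped by GUID, everything outside those two property sets (name, group membership, the public information set) stays readable, which is what keeps mail routing and the address book working.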

The Credential Hunt

Building on the scenario from last time, I’m back on Salsa with Lele’s credential. Lele, like her friend Bob, is in the Acme-Serfs group.

Let’s rerun Get-NetComputer.


You’re probably thinking, as I did when I set this up, that Enchilada is where the important people hang out. “Big Enchiladas”, right?

Let’s see if Lele’s credentials will allow me access to it. One quick way to do this is to use crackmapexec and point it at the server you’re trying to access; it will tell you whether you can log in (below).


My pen testing senses are tingling. I’m denied access to Enchilada, but allowed access to Taco and Salsa.

It’s like the equivalent of a sign that says “Private Property: Keep Out!”. You know there has to be something valuable on the Enchilada server.

We’re now at the point where you have to find the users who’ll get you what you want – access to Enchilada.

Like last time, we can run Get-NetGroupMember Acme-VIPs. I’ve found two power users now: Ted Bloatly and Lara Crasus. (FYI: I added VIP Lara since the previous post.)

What you can hope for is that one of these VIPs logs on to the Salsa machine. Then we can grab the hashes, and use them with crackmapexec to get into Enchilada.

By the way, this brings up an important point about risk assessments regarding user accounts: you have to be very careful about assigning user account access rights.

One common technique is to give each privileged person several accounts, each with its own level of privilege, and to use the high-privilege account only on high-privilege systems. This avoids the problem of an over-privileged account logging into a less-privileged user’s machine and leaving its credentials in memory there, open to credential theft and pass-the-hash.

So let’s say Acme hasn’t learned this lesson, and Ted Bloatly occasionally uses his one AD account to log into the Salsa server used by the plebians.

We can set an alarm.

Enter something like Invoke-UserHunter -GroupName Acme-VIPs on the command line, then check the output and repeat. Obviously, we can do a better job of fine-tuning and automating. I’ll leave that as a homework assignment.

Once we find an Acme-VIPs member logged on, we dump credentials with crackmapexec (its --sam and --lsa options pull local account hashes and LSA secrets; the in-memory NT hash of a logged-on domain user is what its mimikatz module is for) and then pass the hash using the -H option to log into the Enchilada server.
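Invoke-UserHunter is the attacker’s side of that alarm. The defender’s side, as an added example that is not part of the original post, is to watch the Security log on the lower-tier servers for interactive logons (types 2 and 10, the ones that leave reusable credentials in LSASS; type 3 network logons do not) by any member of Acme-VIPs. The group and server names follow this series’ scenario and are assumptions; the script reads events remotely with Get-WinEvent, so it needs RPC access to those servers and rights to read their Security logs.

```powershell
# Added example: flag interactive logons by Acme-VIPs members onto servers where a VIP
# account should never appear. Logon types 2 (console) and 10 (RDP) cache credentials in LSASS.
Import-Module ActiveDirectory

$vips = Get-ADGroupMember -Identity 'Acme-VIPs' -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
$lowTierServers = 'Salsa', 'Taco'          # assumption: the member servers from the scenario
$since = (Get-Date).AddHours(-24)

function Get-VipLogons {
    param([string[]]$Servers, [string[]]$WatchedUsers, [datetime]$Since)
    foreach ($srv in $Servers) {
        $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
        $events = Get-WinEvent -ComputerName $srv -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            # Pull the named EventData fields out of the event XML.
            $d = @{}
            foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (([int]$d.LogonType -in 2, 10) -and ($WatchedUsers -contains $d.TargetUserName)) {
                [pscustomobject]@{
                    Time      = $ev.TimeCreated
                    Server    = $srv
                    User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonType = $d.LogonType
                    SourceIp  = $d.IpAddress
                }
            }
        }
    }
}

Get-VipLogons -Servers $lowTierServers -WatchedUsers $vips -Since $since | Format-Table -AutoSize
# Any row here is a Ted-on-Salsa moment: a credential worth stealing sitting on a box the serfs use.
```

Run it on a schedule and the output is the list of machines to clean up (and the habits to break) before a pen tester, or a real attacker, runs Invoke-UserHunter against you.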

PowerShell Empire and Reverse Shells

One aspect of hopping around a domain that’s worth talking about is the topic of getting shell connections. So far I’ve been cheating a little bit in showing screen output from the actual server.

In real life, hackers and pen testers are using reverse-shells — remember those? — to see what’s going on from a remote terminal.

In my last pen testing series, getting a reverse shell from a PowerShell environment was a bit rocky. In fact, I didn’t really have a good way of doing this.

And then I discovered PowerShell Empire.

It describes itself as having the ability “to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz… all wrapped up in a usability-focused framework”

Amen, and it lives up to its billing. This is powerful stuff and I attained beautiful remote PowerShell access to the Acme environment.

If you want to play around with Empire for yourself, you can download it from GitHub here. With a little bit of struggle (and two aspirins later), I installed it on an Ubuntu Linux server in my AWS environment.

In terms of its remote PowerShell powers, it lets you create a Listener, which lives at one end of the connection. Then you grab a stager, the small launcher code that runs on the victim’s machine. The stager launches an Agent, which is what you interact with in Empire.



PowerShell Empire: multiple agents, each with its own shell connection. The stager runs on the target computer. Awesome power.

Effectively, we’re implementing the PowerShell version of the reverse shell that I previously accomplished with ncat.

You can have many agents running at a time and interact concurrently with each PowerShell session on the target machines.


PowerShell connection back to Salsa!

This is very powerful, and I’m only scratching the surface.

Let’s take a breath.

In my next post, we’ll go into more detail for this Empire-based reverse PowerShell technique, and demonstrate how you can use it to hop around the Acme domain using crackmapexec to inject the shellcode for the next hop.

Yes, we’ll get back into exploiting the information in Active Directory groups and in particular use the relationships in it to guide which users to chase down. It’s referred to as derived or derivative admin.

I’ll leave you with this interesting observation made by (I believe) Will Graebner: pen testers think in graphs, IT people think in terms of lists.

Meditate on that thought till next time.


When a Cyber Attack Is a Political Weapon

We’re not surprised when hackers attack companies to scoop up credit card numbers or to cause IT disruption. If they’re state sponsored, they may target organizations to pull out intellectual property – military secrets or other sensitive information — as part of a cyber-espionage program.

But hackers associated with a party (or state) hacking into another political party’s IT system to pull out embarrassing material?

We’re in uncharted territory.

Before you start shouting at your laptop, I’m well aware of the long pre-digital history of political dirty tricks. And in particular, one botched operation in which the analog hackers from one party were prevented from physically exfiltrating data from the HQ of the opposition party.

However, the use of digital attack techniques by political operatives is a new, and yes, frightening reality. I might add that earlier this year, we foresaw this possibility in our Six IT Predictions for 2016 post.

Our prediction — premonition? — went even further when we suggested that such a data breach “would bring the issue of cybersecurity prominently into the campaign as a major issue that is closely related to geopolitical threats such as the spread of terrorism.”

We were eerily accurate.

Over the summer, the Democratic National Committee (DNC) was hacked by groups likely connected with Russian intelligence. The techniques used – spear phishing, remote access trojans, implants, C2 servers — are familiar tools of the trade for hackers extracting credit numbers or other monetizable data.

In this case, the hackers instead went after emails, which were then published on the Web for maximum public exposure and to inflict maximum damage.

Of course, we’ve seen a similar type of doxing in the Sony incident. In that case, a state actor targeted a private company with the hope of causing massive economic harm.

But in the DNC incident, one political entity went after another for political reasons.

And as we prognosticated, cyber security then became part of our national political agenda when our two presidential candidates were asked to discuss their thoughts on this topic during last week’s debate.

Though a particular candidate’s response left at least one blogger scratching his head.

Email: The Mother Lode of Embarrassing

Just as we were getting over the DNC attack, along comes another politically motivated revenge attack. This time, a domestic conservative online publication obtained emails hacked from Hillary Clinton’s campaign computers. In particular, they published an audio email attachment of Clinton addressing a fundraising gathering.

These two recent attacks highlight something that security pros in the corporate sector have known – emails are a one-stop shop for sensitive personal information.

And that makes lots of sense.

For the financially motivated hackers, the treasure is in the personally identifiable information (PII) in documents and presentations scattered throughout a file system.

But for those seeking to put a spotlight on sensitive inside information, the quickest and easiest route is email servers and personal email accounts. In effect, the hackers have a digital window into unguarded conversations, which in the analog era would have required a physical intervention and messy wire clips.

Remember the data source of the most news-worthy (and occasionally hilarious) content in the Sony breach?

They were the emails between executives, and between executives and stars, in which erratic behaviors, incredible salaries, and juicy gossip were discussed.

As a side note: it was thought that one of the motivations of the Watergate burglars was to replace a defective wire tap that had been previously placed on one of the phones in the DNC’s office. There’s nothing new in obtaining political muck to throw at your opponents by listening in on conversations.

Frank Wills: Early Proponent of Monitoring as a Defense

It’s natural to think that the Sony and DNC doxings don’t apply to your company.

But could your email, and your executives’ email, stand a public airing?

Likely not. Even setting aside the potential for embarrassment, there’s intellectual property or internal information that you’d probably not want your competitors to see.

As some politicians like to say, don’t waste a crisis.

It should be apparent by now that US organizations have serious gaps in learning when they’ve been breached, discovering what’s been exposed, and then sharing information about the cyber incident.

We’ve argued in this blog that a national data security law with a breach notification requirement would go a long way toward improving baseline standards, and, we hope, toward preventing or limiting the next OPM, Target, or political HQ breach.

With these attacks against politicians, will our lawmakers finally be nudged by, well, self-interest to put such a law into place?

We’re not sure. But it has been noted that when a certain jurist’s privacy was violated back in the video-store age, a new privacy law went into effect pretty darn quickly.

While we’re waiting for such a law, you can take a cue from Frank Wills, the security guard who spotted the Watergate burglar-hackers.

No doubt the Watergate complex could have installed better perimeter defenses — improved locks, windows, etc. — but they at least had a fallback defense with their on-the-ground security team.

Wills employed an analog form of what we would now call user behavior analytics, or UBA. Simply put, UBA means understanding what’s normal in your environment, investigating when something out of the ordinary is detected, and then raising an alarm if need be.

And that’s exactly what sharp-eyed Wills did: he noticed duct tape placed on one of the door locks. Suspecting a burglary, he notified the DC police who upon arrival discovered five men inside the offices of the DNC.

And the rest, as they say, is history.

Whether you’re an IT person who works for a political party or not, you’ll want to take security expert Troy Hunt’s course on insider threats. It’s free!



New SamSam Ransomware Exploiting Old JBoss Vulnerability


One of the lessons learned from the uptick in ransomware attacks is that it pays to keep your security patches up to date. A few months ago the SamSam/Samas malware was (and is still) having great success primarily against healthcare companies and hospitals.

The attack vector, though, was not based on phishing or social engineering. SamSam instead exploits a very old (and surprising) vulnerability in JBoss, Red Hat’s Java-based web server environment.

No Phishing

JMX is the administrative console web app for JBoss — yes, everything starts with a J. Unfortunately, by default, the JMX home page is available externally without any authentication checks.

Like any good admin tool, JMX gives you access to some basic functions, including running Java code.

Are you thinking what I’m thinking?

Hackers discovering this JBoss vulnerability quickly realized that if they could upload a simple shell they were on their way to controlling the server.

And that’s the way this exploit works. If you want to read the technical details and the coding involved, you can google on “jboss vulnerability”.

This is a very well-known security hole – the CVE dates back to 2010—and it has since been patched.

But it has come back into the limelight because the SamSam ransomware has very successfully used it against healthcare orgs, which for whatever reason are more likely to have JBoss installations.

Once the cyber thieves gain entry through JMX, they upload the ransomware. And start collecting the fees. No phishing required.
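A posture check for the exposure just described, written from the defender’s side: run it against the JBoss servers you operate and find out which ones still serve the console to anyone. This is an added example, not the post’s own code and not a JBoss or Red Hat tool. It assumes the console path is /jmx-console/ (the telltale string the post names), that a 200 to an unauthenticated GET means the console is exposed, and that a 401/403 means a security constraint answered. Redirects are deliberately not followed: a redirect to a login form would otherwise come back as a 200 and look like an exposure. The inventory host names are placeholders.

```python
"""Check your own JBoss inventory for a jmx-console that answers without authentication.

Added example; not the post's own code and not a JBoss or Red Hat tool. Assumes the
console lives at /jmx-console/ and that the status of an unauthenticated GET tells the
story: 200 = served to anyone, 401/403 = a security constraint is in place,
3xx = usually a login form (we do not follow it), 404 = nothing deployed there.
"""
import urllib.error
import urllib.request

JMX_PATH = "/jmx-console/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def classify(status):
    """Map the HTTP status of GET /jmx-console/ to a finding."""
    if status is None:
        return "UNREACHABLE"
    if status == 200:
        return "EXPOSED"        # console served with no credential prompt: patch or restrict now
    if status in (401, 403):
        return "PROTECTED"      # authentication or authorization constraint answered
    if status in (301, 302, 303, 307, 308):
        return "REDIRECTED"     # usually a login form; confirm by hand
    if status == 404:
        return "ABSENT"         # no console deployed at this path
    return "UNKNOWN"


def fetch_status(base_url, timeout=5.0):
    """Status code of an unauthenticated GET of the console path, or None if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + JMX_PATH, method="GET")
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # 3xx, 401, 403 and 404 all arrive here
    except (urllib.error.URLError, OSError):
        return None


def audit(base_urls, fetch=fetch_status):
    """Return {base_url: finding} for the JBoss servers you operate."""
    return {url: classify(fetch(url)) for url in base_urls}


if __name__ == "__main__":
    # Constructed inventory (placeholder names); replace with the hosts you run.
    inventory = ["http://jboss-01.example.internal:8080", "http://jboss-02.example.internal:8080"]
    for url, finding in audit(inventory).items():
        print(f"{finding:12} {url}")
```

The `fetch` parameter exists so the classification can be exercised offline; in production you would feed `audit` the list of base URLs from your asset inventory and treat every EXPOSED (and, after a look, REDIRECTED) result as a host to patch and put behind authentication.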

How bad is the problem?

According to Cisco security researchers, there could be as many as 3.2 million installations at risk.

Remote Access Trojan by Any other Name

Attackers can find sites that have JBoss by Google dorking, which allows you to search for part of the telltale URL – in this case “jmx-console”—that indicates a JBoss server on an exposed site.


It’s an admin console! It’s a remote access trojan! It’s both!

In looking at the JBoss attack techniques, I saw lots of code where the JMX interface acts as a starting point for uploading and launching other software, say a reverse shell. So the vulnerability leaves open other attacks, not necessarily ransomware.

To put it bluntly, the JMX interface is an unintentional Remote Access Trojan or RAT, which we wrote about in our pen testing series.

Normally the attacker has to first install the RAT, but with these unpatched Red Hat installations it’s there — gasp!— waiting for them.

Maybe it’s a good time now to bring all your systems up to date with the latest security patches — I’m talking to you healthcare orgs!


Cyber Espionage: Could Russian and Korean Hackers Have Been Stopped (With UBA)?

Once upon a time, breaking into the Democratic National Committee required non-virtual thieves picking real door locks and going through file cabinets. And stealing the design secrets of a fighter jet was considered a “black bag” job that utilized the talents of a spy who knew how to work a tiny spy camera. Then the stealthy spy could pass the microfilm to a courier by exchanging identical briefcases.

Times have changed.

In the last few days, two stories have shown us, if we still needed more evidence, how modern espionage has evolved into hacking. Cyber spies can conduct first-class intelligence operations without leaving their desks at the IT departments of their Dr. Evil-ish security agencies.

Spies Like Us

Yesterday, The Washington Post said that Russian government hackers had penetrated the DNC’s computer network.

According to security experts who were brought in by the DNC, the cyber spies thoroughly compromised the DNC’s computers and were able to read all email and chat traffic.

Unfortunately, this news is hardly a surprise. In fact, we predicted this would happen.

It’s believed that two separate and perhaps competing Russian hacking groups were involved, with one of them having broken into the DNC network as far back as last summer. No financial information about donors was taken. The hackers were engaging in espionage, gaining access to the DNC’s opposition research on Donald Trump.

And then on the Korean peninsula, South Korean officials said 40,000 documents related to the wing design of the US’s F-15 fighter jet had been taken by their friendly neighbors to the north.

Stealthy Attacks

We have more information about the Russian spies, so let’s look at that incident first.

One of the Russian cyber groups involved in the DNC was identified as Cozy Bear. This is the same group responsible for attacks at the White House. The second group is called Fancy Bear, and they have been known to exploit zero-day vulnerabilities.

Security experts say that both groups have also used phishing attacks in the past. Cozy Bear and Fancy Bear are believed to be connected to Russian intelligence agencies.

At this point, though, we’re not sure exactly how the gangs broke into the DNC network.

However, we do know that once in, they inserted remote access trojans (RATs) and implants that allowed them to remotely log keystrokes, execute commands, and transfer files. The Russian cyber gangs also used Command and Control (C2) techniques, which embed the commands to control the RATs in an HTTP stream.

As far as IT admins were concerned, some users at the DNC were communicating with one or more web sites, when in fact these C2 web sites were run by the cyber gangs and used to orchestrate the attack.

The Russian cyber spies also hid their actions by using PowerShell commands — malware-less hacking. And they also stole credentials with Mimikatz, which was run as a stealthy PowerShell script, in a Pass-the-Hash/Pass-the-Ticket attack.

Putting on our intelligence analyst’s hat, we can say with good confidence that the North Koreans used similar techniques. A phish mail involving fake Apple IDs, for example, was used to initially enter Sony in Pyongyang’s massive doxing of that company.

The attack against Korean Air Lines began in 2014. The North Korean cyber spies likely used the stealth techniques described above to keep their implants and document-exfiltration activities below the radar.

Spy Lessons

If you’ve been following along, none of the above, unfortunately, should be new to you. In fact, for anyone who’s been keeping track of hacking incidents over the last few years, these techniques and tools are just familiar parts of the landscape.

We’ve known for a very long time that smart hackers get around perimeter defenses using phishing, SQL injection, or zero-day vulnerabilities. And once in, they have many ways to remain stealthy and avoid triggering virus scanners.

Instead of trying to build a higher wall, a more practical approach is to spot the hackers when they’re inside and then prevent them from accessing and exfiltrating sensitive data.

In both the DNC and Korean Air Lines incidents, the IT teams eventually noticed some anomalies. However, at that point it was far too late to prevent the surveillance of internal emails and the removal of data.

A far better solution is to automate the anomaly detection, so that the alarms go off when files are accessed at unusual times for a given user, or when PowerShell is launched by users who rarely or never run it.

We are, of course, talking about User Behavior Analytics (UBA). As these incidents teach us, the protection of sensitive data is too important to be based on hunches or the blind luck of an alert IT person looking at audit trails.

Instead, UBA’s predictive algorithms can compare current access patterns against historical records in order to spot the hackers closer to real time.
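The two rules named above (files touched at an hour that is unusual for that user, and PowerShell launched by a user who never does) and the Frank Wills idea from the earlier post (know what is normal, then investigate the deviation) come down to the same mechanism: build a per-user baseline from history and score new events against it. Here is that mechanism as an added example; it is not Varonis code and not the post’s own. It runs over constructed audit events of the form `<ISO timestamp> <user> <file|process> <target>`, and it declines to score a user with too little history, since a newcomer’s first actions are not anomalies.

```python
"""A baseline-and-deviation check of the kind the post calls User Behavior Analytics (UBA).

Added example; not Varonis code and not the post's own. Audit events are constructed
lines shaped "<ISO timestamp> <user> <file|process> <target>". A user's own history
supplies the baseline (hours of activity, processes launched). A new event is flagged
when that user launches a process for the first time, or is active at an hour the
history has never seen. Users with too little history are not scored.
"""
from collections import Counter, defaultdict
from datetime import datetime

MIN_HISTORY = 20   # baseline events needed before a user is scored at all


def parse(line):
    """Split one audit line into (timestamp, user, kind, target)."""
    ts, user, kind, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, kind, target


def build_baseline(lines):
    """Per-user counters of active hours and launched processes, plus event totals."""
    hours = defaultdict(Counter)
    procs = defaultdict(Counter)
    seen = Counter()
    for line in lines:
        ts, user, kind, target = parse(line)
        seen[user] += 1
        hours[user][ts.hour] += 1
        if kind == "process":
            procs[user][target] += 1
    return {"hours": hours, "procs": procs, "seen": seen}


def score(baseline, lines):
    """Return [(line, reason)] for events that deviate from the user's own history."""
    alerts = []
    for line in lines:
        ts, user, kind, target = parse(line)
        if baseline["seen"][user] < MIN_HISTORY:
            continue                      # not enough history to call anything unusual
        if kind == "process" and target not in baseline["procs"][user]:
            alerts.append((line, f"{user} has never launched {target} before"))
        if ts.hour not in baseline["hours"][user]:
            alerts.append((line, f"{user} is not normally active at {ts.hour:02d}:00"))
    return alerts


def constructed_baseline():
    """Twenty days of made-up history: alice edits finance files in office hours,
    bob is an admin who runs PowerShell every morning."""
    lines = []
    for day in range(2, 22):
        for hour in (9, 10, 11, 14, 16):
            lines.append(f"2016-05-{day:02d}T{hour:02d}:15:00 alice file /fs01/finance/report.xlsx")
        lines.append(f"2016-05-{day:02d}T10:00:00 bob process powershell.exe")
        lines.append(f"2016-05-{day:02d}T15:30:00 bob file /fs01/it/scripts/backup.ps1")
    return lines


# Constructed new events to score against that history.
NEW_EVENTS = [
    "2016-06-14T10:30:00 alice file /fs01/finance/report.xlsx",   # routine
    "2016-06-14T10:32:00 alice process powershell.exe",            # alice has never run this
    "2016-06-14T10:05:00 bob process powershell.exe",              # bob does this daily
    "2016-06-15T02:40:00 alice file /fs01/hr/salaries.xlsx",      # 02:00 is far outside alice's hours
    "2016-06-15T02:41:00 carol file /fs01/hr/salaries.xlsx",      # carol has no history yet
]


def run_example():
    return score(build_baseline(constructed_baseline()), NEW_EVENTS)


if __name__ == "__main__":
    for line, reason in run_example():
        print(f"ALERT {reason}: {line}")
```

Only two of the five new events are reported: alice’s first-ever PowerShell launch and her 02:40 file access. Bob’s PowerShell is his normal routine, and carol is not scored because she has no baseline. A production system would keep the baseline rolling and weigh rarity rather than strict absence, but the shape of the decision is the one shown here.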

Think of UBA as giving your IT group the power to spy on hackers and cyberspies. It’s far more efficient and cheaper than training and outfitting an agent. Sorry, 007!

Got UBA? Learn more about how Varonis can protect your data.

Malware Coding Lessons for IT People, Part I: Learning to Write Custom FUD (Fully Undetected) Malware

This article is part of the series "Malware Coding Lessons for IT People".

The world of hacking is roughly divided into three different categories of attackers:

  1. The “Skids” (script kiddies) – beginning hackers who gather existing code samples and tools for their own use and create some basic malware.
  2. The “Buyers” – hackpreneurs, teenagers, and other thrill seekers who purchase malware coding services in the cloud, collect PII, and then perhaps resell the stolen personal data over the black market.
  3. The “Blackhat coders” – malware wizards who code new malware and work out exploits from scratch.

Can anyone with good software skills get to the level of “Blackhat coder”? No, you’re not going to be creating something like Regin after attending a few DEFCON conference sessions.

On the other hand, I really believe that an IT security person should master some of the programming concepts that go into malware.

Why Should an IT Person Learn These Dark Skills?

File that under “know your enemy”. As the Inside Out blog has been pointing out, you have to think like a hacker to stop one. I’m an infosec specialist at Varonis, and in my experience you’ll be better at data security once you understand how the offense plays its game.

And that’s the reason I decided to start this series of posts on the details underlying malware and different hacking tool families.  Once you understand how relatively simple it is to create undetectable malware, you’ll want to take a different approach to data security at your organization. More on that later.

I won’t be getting too technical, so don’t get scared off.

For these informal “hacking 101 classes”, you’ll need some coding knowledge (C# and Java) and some understanding of Windows. Keep in mind that most real-world malware tools are coded in C/C++/Delphi, which avoids the .NET Framework dependency you take on when coding in C#.

I also like using C# in my coding examples since it can be read like a story even if one isn’t familiar with the syntax.

Keyloggers for IT People

A keylogger is a piece of software or hardware that intercepts and records the keystrokes of a compromised machine. Think of it as a digital tap that captures every keystroke from the keyboard.

Often the keylogger function is embedded in another piece of malware. Andy has already written about how keyloggers are typically part of Remote Access Trojans or RATs, which also provide stealthy ways to get the logged keystrokes back to the attacker.

There are hardware/firmware keyloggers, but they’re less common since they require physical access to the machine or direct tampering with the hardware.

However, the keylogger function is fairly easy to code. So let’s break it down now. But first a few warnings to make our lawyers happy.

If you’re going to try some of this on your own in a business environment, make sure to get permission and perhaps work your tests in a separate VM.

Next, the examples below will not compile on their own. I’m just showing you the bits of code that perform the desired action — it’s not the most elegant or best way to do it.

Finally, I will not be showing you how to make the keylogger persistent so that it survives a reboot, nor will I show how to make it avoid detection through special coding techniques. I don’t want to go too far into the dark side. Let’s just say malware in the wild is good at being resistant to removal even if you manage to detect it.

Let’s dive into the code.

To hook into the keyboard, all you have to do is use these two C# lines:


[DllImport("user32.dll")]
public static extern int GetAsyncKeyState(Int32 i);

You can read more about the GetAsyncKeyState API on MSDN.


Summing up these two lines of code in one sentence: GetAsyncKeyState determines whether a key is up or down at the time the function is called, and whether the key was pressed after a previous call to GetAsyncKeyState.

Now you continually call this function to get the keyboard data you need:

while (true)
{
    Thread.Sleep(100);                       // poll every 100 ms
    for (Int32 i = 0; i < 255; i++)
    {
        int state = GetAsyncKeyState(i);
        if (state == 1 || state == -32767)   // key is down now, or was pressed since the last call
            Console.Write((char)i);          // print it; see the explanation below
    }
}


What’s going on here?

The loop will poll the keyboard every 100 milliseconds to detect the state of each key.

If one of them is pressed (or has been pressed), it will print it out to the console. In a real keylogger, the keystrokes would be buffered and then stealthily transmitted back to the hacker.

Smarter Keylogging

But wait, wouldn’t it make sense to zero in on a key stream going to a single app?

The above code pulls in the raw keyboard input from whatever window and input box that currently has the focus. If the goal of your hacking is to get passwords or credit card numbers, this approach is not very efficient.

It would get even harder if the keylogger were running on thousands of computers — this isn’t unheard of in the real world — and sending the results back to the hackers’ command center. A hacker would have a very difficult time parsing the stream to find the valuable information.

For the sake of argument, let’s assume what I really want to do is steal Facebook or Gmail credentials and use them to sell “Likes”.

Here’s the new idea: activate the keylogging method only when a browser is active, and the title of the web page contains the word “Facebook” or “Gmail”.

By using this method of limiting the input to browsers, I increase my chances of spotting user names and passwords.

Here’s my second version of the code:

while (true)
{
    Thread.Sleep(100);                              // probe the active window every 100 ms
    IntPtr handle = GetForegroundWindow();          // user32.dll, declared with DllImport like GetAsyncKeyState
    if (GetWindowText(handle, buff, chars) > 0)     // buff is a StringBuilder(chars) that receives the title
    {
        string line = buff.ToString();
        if (line.Contains("Gmail") || line.Contains("Facebook - Log In or Sign Up "))
        {
            // Check keyboard: run the GetAsyncKeyState polling loop from the first version here
        }
    }
}
This code snippet will probe the active window every 100 ms. GetForegroundWindow does the real heavy lifting. The title of the window is returned in the “buff” variable, and the keyboard scanning code is called if it contains the word “Facebook” or “Gmail”.

You can learn more about this API at MSDN.

I’ve just ensured I will get the keystrokes only when the user is surfing within a browser, and only on the Facebook or Gmail login pages.

Even Smarter Keylogging

Let’s assume the hacker has been pulling the output from keyloggers using something like the code above. Suppose this is an ambitious hacker who has managed to infect tens or hundreds of thousands of laptops. Result: a huge file with megabytes of text in which the good stuff, email addresses and passwords, is hidden.

It’s a good time now to make the acquaintance of regular expressions, or regex. A regex is a mini-language for describing a pattern and matching text against it.

You can read more about regexes here.

Here is an example of two regexes that would match the usernames and passwords from a wall of text:

//Identify Email

//Identify Password

The above regexes are meant to hint at what can be done with smart regex scanning.

With regex, I can search for social security numbers, credit card numbers, bank accounts, phone numbers, names, passwords — really anything that has a pattern can be expressed as a regex.

Admittedly it’s not the easiest thing to read. But regex is a programmer’s best friend — better than Red Bull!

Languages such as Java, C#, JavaScript and others have built-in regex functions into which you can insert the expression representing what you want to match — the cryptic code above — and run it against the text containing the potential patterns.

For C#, the regex looks like:

// Identify email: matches a whole string that is an address
Regex re = new Regex(@"^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$");

// Identify password: six or more characters with at least one digit and one letter
Regex re2 = new Regex(@"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])");

string email = "Oded.awask@gmail.com";
string pass = "abcde3FG";

Match result = re.Match(email);    // result.Success is true
Match result2 = re2.Match(pass);   // result2.Success is true

The first regex (re) will match any email address inside a wall of text.

The second regex (re2) will match any password-like pattern of six or more characters that contains at least one digit and one letter.
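The same two patterns in Python, used the way a defender uses them: as a data-loss-prevention scan that finds addresses and credentials that have leaked into a log export and redacts them before the file is shared. This is an added example, not the post’s own code. The two regexes are copied from the C# above; the helpers around them are mine, and the sample log text is constructed. One caveat the C# version hides: the email pattern is anchored with `^` and `$`, so as written it only decides whether a whole token is an address. To pull addresses out of surrounding text the anchors have to come off, which `EMAIL_IN_TEXT` does. The `password=`/`pwd:` context pattern is also mine, added because the bare password shape matches timestamps and build numbers just as happily as it matches passwords.

```python
"""The post's two regexes ported to Python's re module and used as a DLP scan.

Added example; not the post's own code. The two patterns are the post's, the helpers
are mine, and SAMPLE_LOG is constructed. Defender's use: find addresses and credentials
that leaked into a log export and redact them before the export is shared.
"""
import re

# The post's e-mail regex, unchanged. Anchored: it decides whether a whole token is an address.
EMAIL_WHOLE = re.compile(
    r"^[\w!#$%&'*+\-/=?\^_`{|}~]+(\.[\w!#$%&'*+\-/=?\^_`{|}~]+)*"
    r"@((([\-\w]+\.)+[a-zA-Z]{2,4})|(([0-9]{1,3}\.){3}[0-9]{1,3}))$"
)
# The same pattern with ^ and $ stripped, which is what scanning a wall of text needs.
EMAIL_IN_TEXT = re.compile(EMAIL_WHOLE.pattern[1:-1])

# The post's password regex, unchanged: 6+ characters with at least one digit and one letter.
PASSWORD_SHAPE = re.compile(r"(?=^.{6,}$)(?=.*\d)(?=.*[a-zA-Z])")

# Mine (assumption, not from the post): a value following password=/pwd: is far stronger
# evidence than the shape alone. Group 1 is the key and separator, group 2 the value.
PASSWORD_ASSIGNMENT = re.compile(r"(?i)(\b(?:password|passwd|pwd|pass)\s*[:=]\s*)(\S+)")


def is_email(token):
    """True if the whole token is an address (the post's anchored check)."""
    return EMAIL_WHOLE.match(token) is not None


def looks_like_password(token):
    """True if the token has the post's password shape."""
    return PASSWORD_SHAPE.match(token) is not None


def find_emails(text):
    """Every address embedded anywhere in the text."""
    return [m.group(0) for m in EMAIL_IN_TEXT.finditer(text)]


def find_assigned_passwords(text):
    """Values written after password=/pwd: that also have the post's password shape."""
    return [m.group(2) for m in PASSWORD_ASSIGNMENT.finditer(text) if looks_like_password(m.group(2))]


def redact(text):
    """Blank out addresses and assigned password values so the text can be shared."""
    text = EMAIL_IN_TEXT.sub("[EMAIL]", text)
    return PASSWORD_ASSIGNMENT.sub(r"\1[REDACTED]", text)


# Constructed log export; the address is the one used in the post.
SAMPLE_LOG = (
    "2016-06-14 10:32:01 login ok for Oded.awask@gmail.com from 10.0.0.5\n"
    "2016-06-14 10:32:05 debug form fields: password=abcde3FG remember=1\n"
    "2016-06-14 10:33:10 bounce notice to ops@10.0.0.1\n"
    "2016-06-14 10:34:00 weak value rejected: password=ab1\n"
)

if __name__ == "__main__":
    print("addresses :", find_emails(SAMPLE_LOG))
    print("passwords :", find_assigned_passwords(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Note that the post’s local-part character class legitimately includes `=`, so a token such as `user=someone@host.tld` scans as one address with `user=someone` as the local part; when your logs write addresses as key=value pairs, split on the separator before scanning or add the key to the context pattern.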

Free FUD

Back in my own lab, I used Visual Studio – you can use your favorite IDE — to code a malicious keylogger tool in under 30 minutes.

If I were a real hacker, I would define targets (i.e., banking sites, social sites, etc.) and then manipulate the code to fit my special needs. Of course, I’d also have to launch a phish mail campaign that has the exe embedded in a harmless looking invoice or other document.

The only question that’s left to answer: is it FUD??

I compiled my code, and then checked the exe against VirusTotal. That’s a web tool that calculates the hash of the exe and compares it against its database of known virus hashes. Not surprisingly, VirusTotal couldn’t find a match.


That’s the point! It’s easy for hackers to continually evolve and change their code so it’s always a few steps ahead of the scanners.  If you can do your own coding, you’re almost guaranteed FUD.

The lesson for IT security is that virus scanners alone will not protect your organization.

The complete analysis page is available at VirusTotal.

In my next post, I’ll take on ransomware, and show you how easy it is to code a FUD version.


Entrepreneurial RATs: AlienSpy and TaaS (Trojans as a Service)


When I wrote about Remote Access Trojans (RATs), I thought they were like the mousetraps of the hacking world — hard to improve on.

RATs let hackers get a foothold on a target system. Once the client-side payload has been installed (via phishing), the RAT operator can view and download files, upload additional malware, launch apps, and pop shells.

By listening on port 80 on the hacker’s C2 server, the RAT can hide its network traffic so that it appears as a vanilla web interaction. Additional stealthiness comes from other built-in anti-forensics.

In short: they’re hard to detect.
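Hard to detect, but not invisible. The C2 traffic described here, and in the DNC post above where users appeared to be talking to ordinary web sites, has one property a person’s browsing does not: a RAT that polls its server on a timer produces requests at nearly constant intervals. The following is an added example (not the post’s own code, and not a Varonis product feature) that looks for that regularity in constructed proxy-log lines of the form `<ISO timestamp> <client ip> <destination host> <bytes>`. The destination host names are placeholders.

```python
"""Spot beacon-like HTTP traffic of the sort a RAT produces when it checks in
with its C2 server over port 80.

Added example; not the post's own code. Works over constructed proxy-log lines
"<ISO timestamp> <client ip> <destination host> <bytes>". For each (client, host)
pair it measures the gaps between successive requests: timer-driven check-ins give
gaps of almost constant length (low coefficient of variation), a person reading
web pages does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_REQUESTS = 8     # fewer requests than this is too little evidence
MAX_CV = 0.2         # std dev / mean of the gaps; near 0 means clockwork


def parse(line):
    """Split one proxy-log line into (timestamp, client, host, bytes)."""
    ts, client, host, nbytes = line.split()
    return datetime.fromisoformat(ts), client, host, int(nbytes)


def beacon_stats(lines):
    """Return {(client, host): (requests, mean_gap_seconds, cv)} for every pair with 3+ requests."""
    times = defaultdict(list)
    for line in lines:
        ts, client, host, _ = parse(line)
        times[(client, host)].append(ts)
    stats = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        stats[pair] = (len(stamps), avg, cv)
    return stats


def detect_beacons(lines):
    """Sorted list of (client, host) pairs whose request timing looks timer-driven."""
    return sorted(pair for pair, (n, _, cv) in beacon_stats(lines).items()
                  if n >= MIN_REQUESTS and cv <= MAX_CV)


def constructed_log():
    """Made-up traffic: one host checking in about once a minute, one host browsing."""
    start = datetime(2016, 6, 14, 9, 0, 0)
    lines = []
    t = start
    for gap in (60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60):      # clockwork, with jitter
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.5 updates.c2-placeholder.example 312")
    t = start
    for gap in (3, 45, 7, 120, 2, 300, 15, 60, 8, 200, 30):       # a person reading pages
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.7 news.example 4820")
    return lines


if __name__ == "__main__":
    for client, host in detect_beacons(constructed_log()):
        n, avg, cv = beacon_stats(constructed_log())[(client, host)]
        print(f"beacon-like: {client} -> {host} ({n} requests, every {avg:.0f}s, cv={cv:.2f})")
```

Real RATs add random jitter and some legitimate software (update checkers, mail clients) also polls on a timer, so in practice this score is one signal to combine with others: how many clients talk to the destination, whether the response sizes are nearly constant, and whether the user behind the client had any reason to be active at that hour.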

More evolved RATs, such as KilerRAT, go beyond these basic features. They can have embedded functions to log key strokes, access a laptop camera, or directly manipulate Windows registry entries.

Sure, they have more hack bling, but at their core even the newer RATs act a lot like the first-gen ones I wrote about in my pen-testing series.

AdWind, AlienSpy & Co. Change the Game

It appears that a better kind of RAT has emerged from an evil hack laboratory. It’s called AdWind, and it represents the king RAT of a trojan pedigree.

The folks at Kaspersky who track these critters say that Adwind was released in 2013.

What makes this RAT very interesting is that you don’t necessarily have to purchase the software.


Malware has a pricing plan. It’s easier than ordering pizza. (Source: Kaspersky)

(By the way, you have to get used to the idea that RATs and other malware are sold like ordinary software on the Interweb.)

With Adwind, the malware is hosted in the cloud, and hackers pay a monthly fee. They can dynamically add on features, and pick their own targets through phishmail campaigns. In this model, the wannabe and newbie hackers don’t even have to bother with an installation — it’s all done for them.

The business minds behind this Trojan as a Service are, if anything, entrepreneurial.

Adwind also adds an interesting twist: it’s OS independent since it’s written in Java. It runs on Windows, Linux, or any platform that has a Java runtime environment. The phishmail containing the payload is really a JAR file.

The malware scene is a fluid one with product name changes and new features being added all the time.

At some point in 2015, AlienSpy was introduced as a better version of Adwind. This latest-and-greatest RAT has improved abilities to detect and disable anti-virus software — it can even turn off Windows UAC.

It also uses Allatori, a commercial Java obfuscator, which makes it very difficult to reverse-engineer the code. In other words, the hackers are protecting their intellectual property.

Son of AlienSpy

AlienSpy and its predecessor have been quite successful. According to Kaspersky, its various versions have infected over 400,000 systems worldwide.

Finally, to make this all very confusing, AlienSpy was recently rebranded because of all the attention and analysis it received. It’s now known as JSocket, and it’s reported to have improved self-encryption so it’s even harder to analyze.

Are you thinking what we’re thinking?

There’ll always be a new threat that can’t immediately be detected. Like their fuzzy counterparts, RATs are just part of the landscape.

RATS! Deal with them by reframing your security approach by working from the inside out. Learn more.