INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Who You Gonna Call? AndroxGh0st Busters! [Guest Diary]
Published: 2024-07-16
Last Updated: 2024-07-17 00:33:04 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Michael Gallant, an ISC intern as part of the SANS.edu BACS program]
Introduction
During my internship at the SANS Internet Storm Center, I was tasked with setting up a honeypot, an internet device intentionally vulnerable, to observe and analyze attack vectors. Among the numerous attacks recorded, one particular observation stood out: the AndroxGh0st malware. This threat targets Laravel web applications and poses major risks to sensitive data. In this post, I aim to share my experience and raise awareness about AndroxGh0st, detailing its exploitation methods and providing strategies to defend against it.
Understanding AndroxGh0st
AndroxGh0st is a Python-scripted malware designed to target .env files that contain sensitive information in web applications, specifically those using the Laravel framework. This malware is part of a botnet operation that primarily aims to steal credentials and abuse other functions such as vulnerability scanning, Simple Mail Transfer Protocol (SMTP), application programming interfaces (APIs), and web shell deployment.
What is Laravel?
Laravel is an open-source PHP web application development framework. It simplifies development with built-in database interaction, authentication, routing, sessions, and caching features. Laravel is popular for designing web applications such as e-commerce platforms, social networking platforms, APIs (Application Programming Interfaces), and Content Management Systems (CMS). Laravel applications often handle critical data, making them attractive targets for attackers. The added complexity of Laravel can lead to security oversights, providing opportunities for exploitation and including exposed default settings or sensitive files, making it easier for attackers to gain access.
Read the full entry:
https://isc.sans.edu/diary/Who+You+Gonna+Call+AndroxGh0st+Busters+Guest+Diary/31086/
"Reply-chain phishing" with a twist
Published: 2024-07-16
Last Updated: 2024-07-16 12:45:28 UTC
by Jan Kopriva (Version: 1)
Few weeks ago, I was asked by a customer to take a look at a phishing message which contained a link that one of their employees clicked on. The concern was whether the linked-to site was only a generic credential stealing web page or something targeted/potentially more dangerous. Luckily, it was only a run-of-the-mill phishing kit login page, nevertheless, the e-mail message itself turned out to be somewhat more interesting, since although it didn’t look like anything special, it did make it to the recipient’s inbox, instead of the e-mail quarantine where it should have ended up.
The reason for this probably was that the message in question contained what looked like a reply to a previous e-mail exchange. This might have made it appear more trustworthy to the spam/phishing detection mechanisms that were employed to scan it, since – as far as my understanding goes – automated spam/phishing detection mechanisms tend to consider messages with reply-chains to be somewhat more trustworthy than plain, unsolicited e-mails from unknown senders.
It should be mentioned that threat actors commonly use replies to legitimate messages in account takeover/BEC-style phishing attacks, however, in this case, the situation was somewhat different – the original (replied-to) message was from someone not associated with the targeted organization in any way. Use of this approach (i.e., “replying” to a message with no relevance to the recipient) can sometimes be seen in generic phishing, however, if someone receives an e-mail which contains a reply to a message from someone they have never even heard of, it doesn’t exactly make the message appear trustworthy… Which is where the slight twist, which was used in this message, comes in.
In the message, the ”reply” part was hidden from the recipient bellow a long list of empty paragraphs (well, paragraphs containing a non-breaking space). And although this technique is not new, since the aforementioned customer’s IT specialists weren’t aware of it, and a quick Google search failed to provide any write-ups of it, I thought it might be worthwhile to go over it here.
As the following example from my “phishing collection” shows, at first glance, an e-mail messages, in which this technique is used, would look quite normal, and a recipient might not notice anything suspicious (besides the overall “this is an obvious phishing” vibe).
Read the full entry:
https://isc.sans.edu/diary/Replychain+phishing+with+a+twist/31084/
Protected OOXML Spreadsheets
Published: 2024-07-15
Last Updated: 2024-07-15 04:54:57 UTC
by Didier Stevens (Version: 1)
I was asked a question about the protection of an .xlsm spreadsheet. I've written before on the protection of .xls spreadsheets, for example in diary entries "Unprotecting Malicious Documents For Inspection" and "16-bit Hash Collisions in .xls Spreadsheets"; and blog post "Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets".
.xlsm spreadsheats (and .xlsx) are OOXML files, and are thus ZIP files containing mostly XML files ...
Read the full entry:
https://isc.sans.edu/diary/Protected+OOXML+Spreadsheets/31070/