6. The Ides of Arch
Developing News: Citrix Says its Network was Breached by International Criminals
Here are a few highlights from each article we discussed:
A (Key) Stroke of Genius
- The ScanBox payload is not sophisticated:
  - ScanBox checks endpoint configuration, Windows-based things like EMET and other common AVs.
  - It also checks Flash, Java and Office versions to work out which exploits might be effective against the victim.
  - It grabs keystrokes, cookies, screen dimensions and your HTTP POST requests.
- Typical attacker behavior is to compromise a website (SQL injection or a WordPress bug) and then drop the kit in an iframe:
  - This includes watering hole attacks.
  - Attackers leveraging ScanBox don’t need to be sophisticated and need minimal infrastructure to pull off the attack.
  - SQLMap plus a small VPS hosting a LAMP stack would be very common infrastructure here.
- ScanBox mitigations are tough, since it runs in the browser.
  - Leverages EMET.
- Detecting ScanBox:
  - Since it’s a post-compromise framework, ensure your web frameworks and services are patched so the risk of compromise is lower.
Gaming the System with the Belonard Trojan
- Upon connecting to a malicious server, the client is hit with an RCE vulnerability that uploads one of the malicious libraries to the victim’s device. Depending on the type of vulnerability, one of two libraries is downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
- 39% of all Counter-Strike 1.6 game servers available online (about 2k out of 5k) are malicious, set up to remotely compromise gamers’ computers.
- RCE in CS 1.6.
- The purpose is to build a botnet using this RCE and dropping a custom Trojan called Belonard.
- The Trojan sets up persistence and replaces the list of game servers with attacker-controlled ones.
  - It creates a service as its persistence mechanism and calls the downloaded DLL via svchost.exe -k netsvcs.
  - Belonard also installs itself in any new game clients found on the device.
- Mitigation: a decent AV will hopefully protect you against the Belonard trojan.
What the Pacman
- The attack vectors are a MITM scenario, or someone who has compromised the pacman update servers, and only when a package is being installed from a remote URL.
- Part of the HTTP headers (Content-Disposition) isn’t properly sanitized by pacman, leading to directory traversal: an attacker who is either MITM or controls the remote server being called can place malicious code anywhere in the file system, which could lead to arbitrary code execution.
  - The Content-Disposition header field tells the client how to process the data. Its value is either “inline” or “attachment”, and it may carry a “filename” parameter.
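The traversal described above, as an added example (not pacman's own code): a hypothetical Content-Disposition filename extractor beside the hardened path check a package downloader needs; the header values and the cache directory are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not pacman's parser: copy the filename parameter of a
 * Content-Disposition value into `out`. Returns 1 if found, 0 otherwise.
 * RFC 5987 "filename*=" forms are not handled. */
int cd_filename(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=");
    size_t n = 0;
    if (!p || outlen == 0) return 0;
    p += strlen("filename=");
    if (*p == '"')   /* quoted-string form */
        for (p++; *p && *p != '"' && n + 1 < outlen; p++) out[n++] = *p;
    else             /* bare token form */
        for (; *p && *p != ';' && *p != ' ' && n + 1 < outlen; p++) out[n++] = *p;
    out[n] = '\0';
    return n > 0;
}

/* The vulnerable pattern is the bare join snprintf(out, len, "%s/%s", dir, name)
 * with a server-supplied name, so "../" sequences walk out of the cache dir.
 * Hardened version: accept only a single path component (1 = ok, 0 = rejected). */
int safe_target_path(const char *dir, const char *name, char *out, size_t len)
{
    if (!name[0] || strchr(name, '/') || strchr(name, '\\') ||
        !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    snprintf(out, len, "%s/%s", dir, name);
    return 1;
}

/* Whole-header check: 1 = safe path produced, 0 = rejected, -1 = no filename. */
int classify_header(const char *header, const char *dir)
{
    char name[256], path[512];
    if (!cd_filename(header, name, sizeof name)) return -1;
    return safe_target_path(dir, name, path, sizeof path);
}

int main(void)
{   /* Constructed sample headers; the cache directory is an assumption. */
    const char *dir = "/tmp/pkgcache", *hdrs[] = {
        "attachment; filename=\"foo-1.0-1-x86_64.pkg.tar.xz\"",
        "attachment; filename=\"../../escaped.pkg.tar.xz\"",
        "inline" };
    for (int i = 0; i < 3; i++)
        printf("%-55s -> %d\n", hdrs[i], classify_header(hdrs[i], dir));
    return 0;
}
```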
This Week’s Hoodie Scale
A (Key) Stroke of Genius
[Tarik]: 5/10 Hoodies
[Taylor]: 4.4/10 Hoodies
Gaming the System with the Belonard Trojan
[Tarik]: 3/10 Hoodies
[Taylor]: 2.5/10 Hoodies
What the Pacman
[Tarik]: 3/10 Hoodies
[Taylor]: 3.12/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!