Breaking Badness

6. The Ides of Arch

Developing News: Citrix Says its Network was Breached by International Criminals


Here are a few highlights from each article we discussed:

A (Key) Stroke of Genius

  • ScanBox payload is not sophisticated:
    • A modular JavaScript exploit kit that has been around since around 2014.
    • ScanBox fingerprints the endpoint configuration, including Windows-based protections such as EMET and common AV products.
    • It also checks the installed Flash, Java and Office versions to work out which exploits are likely to be effective against the victim.
  • It grabs keystrokes, cookies, screen dimensions, and your HTTP POST requests.
    • The keylogger JavaScript only captures input on the compromised website itself.
  • Typical attacker behavior is to compromise a website (via SQL injection or a WordPress bug) and then drop this kit in an iframe:
    • It includes watering hole attacks.
  • Attackers leveraging ScanBox don’t need to be sophisticated and need minimal infrastructure to pull off the attack.
    • SQLMap plus a small VPS hosting a LAMP stack would be very common infrastructure here.
  • ScanBox mitigations are tough, since the kit runs entirely in the browser.
    • Some browsers have JavaScript protections like XSS filters, but those won’t help here.
    • An aggressive but impractical approach is blocking JavaScript altogether.
    • Leverage EMET where it is available.
  • Detecting ScanBox:
    • Since it’s a post-compromise framework, ensure your web frameworks/services are patched so the risk of compromise is lower.

Gaming the System with the Belonard Trojan

  • When a client connects to a malicious server, the server exploits an RCE vulnerability and uploads one of the malicious libraries to the victim’s device. Depending on the type of vulnerability, one of two libraries is downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5).
  • 39% of all existing Counter-Strike 1.6 game servers available online are malicious, set up to remotely compromise gamers’ computers: roughly 2k out of 5k servers.
  • RCE in CS 1.6.
  • The purpose is to build a botnet by using this RCE to drop a custom Trojan called Belonard.
    • The Trojan sets up persistence and replaces the list of game servers with attacker-controlled ones.
    • It creates a service as its persistence mechanism, and the downloaded DLL is loaded via svchost.exe -k netsvcs.
    • Belonard also installs in new game clients found on the device.
  • Mitigation – A decent AV will hopefully protect you against the Belonard trojan.

What the Pacman

  • The attack vectors are a MITM scenario or a compromised pacman update server, and only when a package is being installed from a remote URL.
  • Part of the HTTP headers (Content-Disposition) isn’t properly sanitized by pacman, leading to directory traversal: an attacker who is either in a MITM position or controls the remote server being called can place malicious code anywhere in the file system, which could lead to arbitrary code execution.
    • The Content-Disposition header field provides a suggestion to the client on how to process the data. Its value is “inline” or “attachment”, optionally with a “filename” parameter.
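As an added illustration (not pacman’s own code), here is the unsafe pattern the bullets describe alongside a hardened version in Python: the server-suggested filename is reduced to its final path component and the resolved destination is checked to still lie inside the package cache directory. CACHE_DIR and the header values are constructed for the example.

```python
import os
import re
from typing import Optional

# Constructed sample cache directory for the example (not read from a real pacman config).
CACHE_DIR = "/var/cache/pacman/pkg"

# Matches the optional filename parameter of a Content-Disposition value,
# e.g. 'attachment; filename="foo.pkg.tar.xz"'.
_FILENAME_RE = re.compile(r';\s*filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)

def suggested_filename(content_disposition: str) -> Optional[str]:
    """Return the raw filename parameter from a Content-Disposition value, if present."""
    m = _FILENAME_RE.search(content_disposition)
    return m.group(1) if m else None

def naive_target_path(cache_dir: str, content_disposition: str) -> str:
    """Vulnerable pattern: trust the suggested name and join it straight onto the cache dir."""
    name = suggested_filename(content_disposition) or "download.pkg.tar.xz"
    return os.path.normpath(os.path.join(cache_dir, name))

def safe_target_path(cache_dir: str, content_disposition: str) -> str:
    """Hardened pattern: keep only the final path component, reject empty or dot
    entries, and verify the resolved path is still inside cache_dir."""
    name = suggested_filename(content_disposition) or "download.pkg.tar.xz"
    # Drop any directory part, whether written with / or \ separators.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError(f"rejected suggested filename: {name!r}")
    target = os.path.normpath(os.path.join(cache_dir, base))
    if escapes_cache_dir(cache_dir, target):
        raise ValueError(f"path escapes cache dir: {target}")
    return target

def escapes_cache_dir(cache_dir: str, path: str) -> bool:
    """True when a computed destination resolves outside cache_dir (the traversal condition)."""
    root = os.path.normpath(cache_dir)
    return os.path.commonpath([root, os.path.normpath(path)]) != root
```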

This Week’s Hoodie Scale

A (Key) Stroke of Genius

[Tarik]: 5/10 Hoodies
[Taylor]: 4.4/10 Hoodies

Gaming the System with the Belonard Trojan

[Tarik]: 3/10 Hoodies
[Taylor]: 2.5/10 Hoodies

What the Pacman

[Tarik]: 3/10 Hoodies
[Taylor]: 3.12/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!