Saturday, July 30, 2016

MISP - Malware Information Sharing Platform

(1) https://www.circl.lu/services/misp-training-materials/#misp-community-at-circl

MISP Virtual Machine

Login and passwords for the VirtualBox MISP image are the following:
MISP admin:  admin@misp.training/Password1234
MISP user: user@misp.training/Password1234
SSH: misp/Password1234
MySQL: root/Password1234 - misp/Password1234
If you want to convert the image from VirtualBox to Parallels:
  • Get OVF Tool from VMware: https://developercenter.vmware.com/web/dp/tool/ovf/3.5.2
  • Convert the image: /Applications/VMware\ OVF\ Tool/ovftool --lax misp-training.ova misp-training.vmx
  • Open misp-training.vmx in Parallels
  • Parallels converts and starts the image; it is then ready to use on a DHCP-assigned IP address

+---------------------------------------------+

TODO

(1) In the browser, after logging in as admin:
     Open "http://192.168.1.32/servers/serverSettings/MISP"
     CLEAR the value of MISP.baseurl


(2) Add the following line to /etc/apache2/apache2.conf (this silences the "Could not reliably determine the server's fully qualified domain name" warning):

"ServerName misp"

Then restart Apache:
         /etc/init.d/apache2 stop
         /etc/init.d/apache2 start

Reference: http://askubuntu.com/questions/256013/could-not-reliably-determine-the-servers-fully-qualified-domain-name

(3) 

ADS Revealer

Phrozen ADS Revealer

Phrozen ADS (Alternate Data Stream) Revealer is a Microsoft Windows program designed to reveal possibly malicious ADS files in your file system. Since Alternate Data Streams are only available on NTFS (New Technology File System), the program can scan for and detect these streams only on that file system type (physical hard drive, virtual hard drive, physical removable device or virtual removable device). If any ADS files are detected during the scan, you can then decide whether or not you want to keep them or back them up. You can also preview their content to tell at a glance whether it looks legitimate. Phrozen ADS Revealer is the perfect tool to sanitize your NTFS file systems against bloated content or hidden malware. Another great tool to put in your collection, and 100% free.
https://www.phrozensoft.com/download-2.html

RunPE Detector

Phrozen RunPE Detector is a security program designed to detect and defeat some suspicious processes using a generic method. We at Phrozen Software do things differently, more creatively. So, when we set ourselves the task of creating a novel way of detecting, disabling and removing RATs, we didn't want to take the route every other anti-virus company had taken before us. Phrozen Software studied the behaviour of RATs and discovered that hackers virtually always use a technique called RunPE. This technique spawns a legitimate process – often the default browser or a Microsoft system process – and replaces its code in memory with malicious program code. The computer is thus tricked into treating the malicious code as a legitimate process. The user and their anti-virus program have no idea that the default browser has effectively been turned into a virus.
https://www.phrozensoft.com/download-1.html


Saturday, July 23, 2016

DDoS Mitigation

(1) SingTel: 50G backbone; Cleanpipe guarantees 20G

(2) StarHub: 20G backbone; Cleanpipe guarantees only 400 Mbps

(3) Subscribed

  • SingTel - 2x200 Mbps
  • StarHub - 2x200 Mbps

(4) Akamai

  • https://blog.radware.com/security/2012/02/ddos-attacks-myths/
    • Myth: the proper way to measure attacks is by their bytes-per-second (BPS) and packets-per-second (PPS) properties, and the higher the packet count, the more serious the attack. By that logic a 10 Mbps UDP flood would be more severe than a 5 Mbps HTTP flood, which is not necessarily true.
    • For bandwidth saturation attacks, make sure your service provider can mitigate volumetric attacks that may saturate your bandwidth.
    • For application attacks, deploy anti-DoS and network behavioral technologies on site.
  • Next

Tuesday, July 19, 2016

Packer Identification

(1) Javascript Packer
http://dean.edwards.name/packer/


(2) Yara Project
  • Packer detection using Yara: https://github.com/Yara-Rules/rules/tree/master/Packers
    • $ yara -r $HOME/Tools/Packer/Yara/packer.yar <directory>   (-r, --recursive)
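As an added example (not code from this page, from Phrozen, or from the Yara-Rules project), the Python below parses the PE header fields that both the RunPE Detector description and the Yara packer rules rely on: section names as a packer hint, and a disk-versus-memory header comparison as one generic RunPE/process-hollowing indicator. It assumes you already hold the raw bytes of the on-disk file and of the image mapped in the suspect process (reading process memory is outside this block), and the packer section names other than UPX0/UPX1 are assumptions taken from public packer signature lists.

```python
import struct

# Section names commonly tied to packers; UPX0/UPX1 are UPX's, the rest are assumed from public lists.
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
                   b".petite": "Petite", b".MPRESS1": "MPRESS", b".vmp0": "VMProtect"}

def parse_pe(blob):
    """Extract the header fields a packer check or a hollowing check needs from a raw PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    nsec, opt_size = struct.unpack_from("<xxH12xH", blob, fh)
    oh = fh + 20                                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", blob, oh)[0]
    entry = struct.unpack_from("<I", blob, oh + 16)[0]   # AddressOfEntryPoint
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", blob, oh + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, oh + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    size_of_image = struct.unpack_from("<I", blob, oh + 56)[0]
    sec = oh + opt_size                                  # section table follows the optional header
    names = [blob[sec + 40 * i:sec + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]
    return {"entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": names}

def packer_hints(pe):
    """Packer families suggested by the section names (a hint, not proof)."""
    return sorted({PACKER_SECTIONS[n] for n in pe["sections"] if n in PACKER_SECTIONS})

def hollowing_indicators(disk_pe, memory_pe):
    """Fields that differ between the on-disk file and the in-process image (RunPE indicator)."""
    keys = ("entry", "image_base", "size_of_image", "sections")
    return [k for k in keys if disk_pe[k] != memory_pe[k]]

def build_pe(entry, image_base, size_of_image, sections):
    """Constructed minimal PE32 header used as a test fixture (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    sec_tbl = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl
```

A section-name match is only a hint, since packers can rename sections; confirm with the Yara rules above or a manual look at the binary.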


Tuesday, July 12, 2016

Researchers


  1. https://twitter.com/binitamshah?lang=en

Vulnerability Database and Tools


  1. https://vulners.com/

Malware Samples and Databases


  1. OPF format corpus: http://openpreservation.org/technology/corpora/opf-format-corpus/
  2. Malc0de Database
    • http://malc0de.com/database/index.php?search=

Saturday, July 9, 2016

Botnet

July 2016

Reverse Engineering Tools

https://www.pelock.com/articles/reverse-engineering-tools-review

Keylogger

  • July 2016 -- New Keylogger on the Block. KeyBase is a commercial product (i.e. it is sold for money, which does not necessarily mean that it is legitimate). The original homepage of the product was http://www.keybase.in/ (note that, despite the fact that the URL differs by only one character, it is not related in any way to the popular public key store keybase.io). However, the project has been shut down due to its increased use by criminals. This move hasn't stopped the criminals from using the keylogger in their campaigns, though. Even now (at the time of writing: June 2016) we are seeing new instances being distributed.

Windows Exploitation


  1. https://github.com/enddo/awesome-windows-exploitation
  2. mimikittenz
mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from various target processes. mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns, including but not limited to:
  • TRACK2 (CreditCard) data from merchant/POS processes
  • PII data
  • Encryption keys and all the other good stuff

Ransomware

Jul 2016
  • 2016-07-08 -- Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains. The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. In a post to the company’s blog on Wednesday, Sucuri CTO and founder Daniel Cid claimed the campaign was redirecting visitors first to the Neutrino Exploit Kit. If the kit was able to successfully exploit either a Flash or PDF reader vulnerability, it left them saddled with the ransomware du jour, CryptXXX.
  • 2016-07-07 -- For the second time since June 1, the handlers of CryptXXX ransomware have changed their ransom note and Tor payment site. More importantly to those developing detection signatures and administrators, this update no longer makes changes to the file extensions of encrypted files. The new payment instructions, for example, point to a new .onion website on the Tor network, and the payment site is called Microsoft Decryptor. On June 1, the previous update was pointing to a site called Ultra Decryptor.
  • 2016-07-07 -- New CryptXXX changes name to Microsoft Decryptor. Now an encrypted file will retain the same filename that it had before it was encrypted.
  • 2016-07-07 -- New Locky variant – Zepto Ransomware Appears On The Scene.
  • 2016-07-07 -- Satana, a new ransomware family that emerged in the past week, has copied some of its functionality from Petya and Mischa, two connected crypto-lockers observed over the past several months.
  • 2016-07-12 -- Nukeware: New malware deletes files and zaps system settings
  • 2016-07-12 -- Researchers create effective anti-ransomware solution

Malware Traffic Analysis (2016)

http://www.malware-traffic-analysis.net/2016/index.html
http://www.malware-traffic-analysis.net/2015/index.html
http://www.malware-traffic-analysis.net/2014/index.html

Cyber Threat Actors (2016)

Jul 2016


  • 2016-07-08 -- Security experts from Proofpoint have spotted a new campaign operated by the APT group NetTraveler that is targeting Russian and European organizations. NetTraveler is an APT group first spotted by Kaspersky in 2013, when researchers discovered espionage activity against over 350 high-profile victims from 40 countries. The name of the operation derives from the malicious code used in the attacks, the surveillance malware NetTraveler. According to the report published by Kaspersky, the threat actor is linked to China. The NetTraveler campaign has been running since 2004, targeting Tibetan/Uyghur activists, government institutions, energy companies as well as contractors and embassies.
  • 2016-07-08 -- Malaysia-based credit card fraud ring broken, 105 arrested
  • 2016-07-08 -- Cisco's Talos research unit says it has found evidence of ties between operators of the Angler exploit kit and a group of Russians that used the Lurk malware to loot banks in the country.
  • 2016-07-08 -- Dropping Elephant. Targeting Asia, Chinese Govt and Diplomatic Org, Foreign Embassy and Diplomatic Offices in China, including those of Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia and USA.
  • 2016-07-07 -- Hacktivists from the Ghost Squad Hackers group revealed the identities of hackers affiliated with the ISIS cyber army called United Cyber Caliphate.
  • 2016-07-07 -- Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear-phishing e-mail. Documents used range from curricula vitae, to invitations to social functions or conferences, to second-hand car offers and even, in one case, a letter of instructions from a high-ranking official. Some were marked as “urgent”, “important”, “immediate action required” and so on. Other samples of the same malicious software were detected in Iran, India, the Philippines, Russia, Lithuania, Thailand, Vietnam and Hungary.
  • 2016-07-07 -- Cymmetria Research, which discovered the APT and today released a report on the attacks, calls those responsible for the attacks Patchwork because the group has piece-mealed computer code from sources such as the open-source repository GitHub, the dark web and hidden criminal forums. Patchwork attackers are believed to be of Indian origin and to be gathering intelligence from influential parties tied to Southeast Asia and the South China Sea. Threat actors, Cymmetria said, were active during the Indian time zone.
  • 2016-07-06 -- Clear links between Lurk and Angler.
  • 2016-07-05 -- Hacker Interviews – Billy Rios
  • 2016-07-04 -- Adwind RAT spotted in targeted attacks with zero AV detection. According to the security firm, the campaign was launched during the weekend and only targeted Danish businesses, but experts believe it could soon target other countries.
  • 2016-07-01 -- Over the course of the last year, ESET has detected and analyzed several instances of malware used for targeted espionage – dubbed the SBDH toolkit. Using powerful filters, various methods of communication with its operators and an interesting persistence technique, it aims to exfiltrate selected files from governmental and public institutions, which are mostly focused on economic growth and cooperation in Central and Eastern Europe.