Initial Access with Evil Calendar Files and GoPhish

Almost every time you sign up for an online event, you get one of those wonderful calendar invites so you can set an appointment reminder. In this article we will take a look at using “evil” calendar .ics files in a pentesting or Red Team credential grabbing attack.

Crafting the E-Mail

The first thing we need to do is craft a social engineering e-mail to entice our corporate targets. Some may use cute puppy pics, and cat videos are always popular. As our pentesting target is a corporate environment, we will use what is near and dear to every worker – bonuses!

When I created this for a book chapter in my upcoming book, “Advanced Security Testing with Kali Linux”, I used GoPhish for the phishing management campaign. If you haven’t used it before, Gophish is a phishing framework that gives security professionals and pentesters the ability to perform live, real-time phishing attack simulations.

GoPhish is not necessary for our “evil calendar” test, but it is a perfect solution if you want to roll the test out to a large number of users. Honestly, you don’t need the calendar .ics file either; you could just use booby-trapped links or attachments in GoPhish for the same effect, but what is the fun in that?

Installing GoPhish

Installing and using GoPhish is very easy. Though I just used it in a local lab, in a corporate test you would need to install GoPhish on a cloud instance, VPS or other system with access to an e-mail server.

Download the latest release of GoPhish, extract it, and make the main gophish file executable. Once you run gophish, open a browser and connect to the web GUI.

When you create a new phishing campaign, you first create an e-mail template, the target users and groups, and a landing page (the fake website you will use to monitor who fell for the phishing e-mail and who did not). Then set up your sending mail server under Sending Profiles. Lastly, start the e-mail campaign from the campaign menu.

E-Mail Template

Creating the e-mail template is where you will put your social engineering skills to the test. You want an e-mail that looks believable and has the greatest chance of getting your target to click on it. Some internal security testing teams may prefer to put a small hint in the e-mail that it is fake.

For the most part though, you want to make the e-mail look as real as possible for a true test. GoPhish allows you to import an e-mail to use as a template, or you can use the included HTML WYSIWYG editor.

Good start; now we just need to add our evil calendar event. We can take a .ics calendar file and add a link to a non-existent server, as seen below:

As with any social engineering request, you would use wording that would entice the user to click on the link. I went with the totally innocuous “Evil Calendar Event”. Nobody would ever click on that. On second thought, trust me, yes, they would.

Now just add the calendar file as an attachment to our e-mail in GoPhish. Again, you don’t need GoPhish for this; it just makes it easier to send large numbers of e-mails during a real test.

When we kick off the GoPhish campaign, our targets get an e-mail that looks something like this:

Now that the trap is set, we just need something to respond to the bogus “corporate_server\join_now” link when people click on it. Responder will work perfectly!
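From the defensive side, the attachment itself is the thing to inspect. The Python checker below is an added example (not code from the original post) that a mail gateway or an analyst could run over an .ics attachment: it unfolds the file, undoes the TEXT escaping, and flags links to UNC paths, file:// URLs, hosts outside an assumed trusted-domain list, and single-label host names, which Windows resolves through LLMNR/NBT-NS fallback when DNS has no answer. The sample invite and the trusted-domain list are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from the original post). The "Join now" link
# names a single-label host: DNS cannot resolve it, so Windows falls back to
# LLMNR/NBT-NS, which is exactly the lookup a poisoner such as Responder answers.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Q1 Bonus Announcement\r\n"
    "DESCRIPTION:Join now: http://corporate_server/join_now\\nBackup dial-in:\r\n"
    "  https://meet.example.test/abc\r\n"
    "URL:file://corporate_server/share/bonus.xlsx\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
TRUSTED_DOMAINS = {"example.test"}  # assumption: the organisation's own hosts
LINK_RE = re.compile(r"""[a-z][a-z0-9+.\-]*://[^\s"'<>]+|\\\\[^\s"'<>]+""", re.I)

def classify_link(link):
    """Reason the link deserves a closer look, or None if it looks routine."""
    if link.startswith("\\\\"):
        return "UNC path: opening it makes an SMB connection with NTLM auth"
    url = urlparse(link)
    host, scheme = (url.hostname or "").lower(), url.scheme.lower()
    if scheme == "file":
        return "file:// URL: Windows opens it as an SMB/WebDAV path"
    if "." not in host:
        return "single-label host: resolved via LLMNR/NBT-NS when DNS fails"
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "host outside the trusted domains: " + host
    return None

def scan_ics(text):
    """Return (property, link, reason) for every link worth flagging."""
    findings = []
    # RFC 5545 folds long lines; a continuation line starts with a space or tab
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        # undo TEXT escaping (\n -> newline, \, \; \\ -> the literal character)
        value = re.sub(r"\\([nN,;\\])",
                       lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
        for link in LINK_RE.findall(value):
            reason = classify_link(link)
            if reason:
                findings.append((head.split(";")[0].upper(), link, reason))
    return findings

if __name__ == "__main__":
    for prop, link, reason in scan_ics(SAMPLE_ICS):
        print(f"{prop}: {link}  <- {reason}")
```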

Starting Responder

Responder is an LLMNR, NBT-NS and mDNS poisoner that will answer name resolution requests for multiple services. What’s nice about it is that you can set it to present users with a login prompt when they try to browse to a non-existent network resource. This is exactly what we are using in our evil calendar file.

In real life, Responder would have to be running on an internal system, one already connected to the target network – say, running on a drop box.

  • sudo responder -I eth0 -wb

This starts the Responder service and it begins looking for name requests to poison. In our case, we want it to respond to any request for a server that doesn’t exist and prompt the user for “login credentials”. The -I eth0 switch selects the interface to listen on, -w starts the rogue WPAD proxy, and -b tells Responder to ask for HTTP Basic authentication instead of NTLM, which is why the credentials we capture later arrive in plain text.
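The same mechanism gives defenders a cheap detection: nobody legitimately owns a random name, so any host that answers an LLMNR query for one is a poisoner. The Python canary below is an added example (not from the original post or the Responder project): it builds an LLMNR query in the DNS wire format, sends it to the LLMNR multicast group 224.0.0.252 on UDP 5355, parses any answer and reports the responding host. The canary name is constructed and the interface address is an assumption.

```python
import random
import socket
import struct

def build_query(name, txid):
    """LLMNR reuses the DNS wire format: 12-byte header, then one A question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN

def _skip_name(data, off):
    """Advance past a DNS name written as labels or as a compression pointer."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def answering_ip(data, txid):
    """IP from the first A record of a response to our transaction id, else None."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:   # not our id / not a response
        return None
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return socket.inet_ntoa(data[off:off + 4])
        off += rdlen
    return None

def probe(iface_ip="0.0.0.0", timeout=2.0):
    """Query LLMNR for a name nobody owns; any answer at all means a poisoner."""
    name = "canary-%08x" % random.getrandbits(32)       # constructed, cannot exist
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), ("224.0.0.252", 5355))
        data, (src, _) = sock.recvfrom(512)
        return answering_ip(data, txid) or src          # poisoner's claimed or real IP
    except socket.timeout:
        return None
    finally:
        sock.close()
```

Call probe() from a host on the segment under test; None means no one answered, anything else is the address to go and look at.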

Creds from Calendar Files

Now, back on the target desktop. When the calendar file is opened in Outlook, it looks like this:

When they click on the “Join Now” link, they are given a Responder login prompt:

If they enter the credentials, we get them in plain text!

As seen below:

And that’s it! Our job here is done.

Conclusion

As mentioned, you do not need to use GoPhish for this, and you don’t really have to use a calendar event to do it. You could use any link, even one to the Browser Exploitation Framework (BeEF) if you wished, and prompt them for their Facebook creds using the BeEF social engineering attack:

Using the calendar technique is, though, a nice way to get creds if you know you will be onsite or have onsite access on a certain day.

For a lot more information on using Kali Linux as a security testing platform, check out my “Basic Security Testing with Kali Linux” book. For more advanced techniques, keep an eye out for my upcoming book, “Advanced Security Testing with Kali Linux”, available soon!

Basic Malware Analysis: Malicious Data Mining E-Mail Attachment

Malicious E-mail Message

Oh look, an unsolicited incoming Fax Report. Odd it is a fax transmission, but our company doesn’t even have a fax server. But it is on 2013 Recruitment Planning – I better open it!

Corporate networks are being slammed with e-mails like the one above. It looks innocent enough, but if a user did indeed open it, the malicious attachment that anti-virus didn’t detect would scan the victim’s hard drive for data and upload it to a malicious server, all undetected by the unsuspecting user.

I have seen several versions of this same attack in the last week. So let’s take a closer look.

When these attacks first started, only 2 anti-virus engines detected the attachment as a malicious file. AV engines are catching on now and detect it as a generic Trojan. As a matter of fact, if I try to open this message today, I get a message from Microsoft Mail that the attachment is malicious:

Infected with unknown virus

So let’s take a closer look at one of these “Incoming Fax Report” attachments.

*** WARNING: Never open suspected malware on a live, network connected system. In this example I use a sandboxed virtual memory system running with very limited network capabilities. ***

The attachment, once unzipped, shows a PDF icon, but this is no PDF file. The file has a .exe extension, meaning that it is an executable and not a document. So how can we take a closer look at the program to see what it does?

The program Dependency Walker will show us which functions the program imports and gives us a clue as to what the program actually does. If we run Dependency Walker we can see the .dll files that the program calls and which of their functions it uses:

Kernel32 Functions

Okay, it may not be very clear from the Kernel32 side, but you can see this program uses functions like CreateFile, DeleteFile, GetCurrentDirectory and GetEnvironmentVariable. It is definitely poking around the file system.

And if you look at the functions under Wininet.dll you see a whole bunch of FTP functions:

Wininet32 Functions

Any guesses on where this is going?
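The reasoning above (file system APIs plus FTP upload APIs in one binary) can be written down as a triage rule. The Python below is an added example, not the post's own tooling: it takes a DLL-to-imports map of the kind Dependency Walker displays, normalises the A/W suffixes, buckets the imports into capabilities and combines the buckets into a verdict. The sample import list is constructed in the spirit of the screenshots, not copied from them.

```python
from typing import Dict, Iterable, List

# Constructed import list in the spirit of the Dependency Walker view above
# (not the exact output from the post): DLL -> imported function names.
SAMPLE_IMPORTS = {
    "KERNEL32.DLL": ["CreateFileA", "DeleteFileA", "GetCurrentDirectoryA",
                     "GetEnvironmentVariableA", "FindFirstFileA", "FindNextFileA",
                     "ReadFile", "GetTickCount"],
    "WININET.DLL": ["InternetOpenA", "InternetConnectA", "FtpPutFileA",
                    "FtpSetCurrentDirectoryA", "InternetCloseHandle"],
}

# Capability buckets keyed by API name with the A/W (ANSI/Unicode) suffix removed.
CAPABILITIES = {
    "enumerate-files": {"FindFirstFile", "FindNextFile", "GetLogicalDrives",
                        "GetCurrentDirectory", "GetEnvironmentVariable"},
    "read-write-files": {"CreateFile", "ReadFile", "WriteFile", "DeleteFile", "CopyFile"},
    "read-registry": {"RegOpenKeyEx", "RegQueryValueEx", "RegEnumKeyEx", "RegEnumValue"},
    "ftp-upload": {"FtpPutFile", "FtpOpenFile", "FtpSetCurrentDirectory", "FtpCreateDirectory"},
    "http-egress": {"HttpOpenRequest", "HttpSendRequest", "InternetOpenUrl"},
}
KNOWN = {api for apis in CAPABILITIES.values() for api in apis}

def normalise(api: str) -> str:
    """CreateFileA / CreateFileW -> CreateFile, but only when the base name is known."""
    return api[:-1] if api[-1:] in "AW" and api[:-1] in KNOWN else api

def triage(imports: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map each capability to the 'DLL!function' imports that provide it."""
    hits: Dict[str, List[str]] = {}
    for dll, apis in imports.items():
        for api in apis:
            base = normalise(api)
            for cap, members in CAPABILITIES.items():
                if base in members:
                    hits.setdefault(cap, []).append(f"{dll.upper()}!{api}")
    return hits

def verdict(hits: Dict[str, List[str]]) -> str:
    """Combine buckets: gathering local data plus a network channel is the tell."""
    gathers = {"enumerate-files", "read-write-files", "read-registry"} & hits.keys()
    sends = {"ftp-upload", "http-egress"} & hits.keys()
    if gathers and sends:
        return "likely data stealer: collects local data and can upload it via " + ", ".join(sorted(sends))
    if gathers:
        return "touches the file system/registry; no obvious network egress imports"
    if sends:
        return "network egress without local collection imports; check for a downloader"
    return "no capability of interest in the import table"

if __name__ == "__main__":
    found = triage(SAMPLE_IMPORTS)
    for cap, apis in sorted(found.items()):
        print(f"{cap:18} {', '.join(apis)}")
    print(verdict(found))
```

An import table is only a hint: a packed sample, or one that resolves its APIs at run time through GetProcAddress, shows almost nothing here, which is why the dynamic analysis that follows is still needed.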

Now that we have a general idea of what it could do, let’s execute it in a controlled environment so we can see what it actually does. We want to know what registry settings it touches, what network communication it attempts, and as much about the running processes as we can obtain.

For this we will use the following programs:

REGSHOT

Regshot is very easy to use: just download and run it. You then have three options: 1st Shot, 2nd Shot and Compare. Simply select 1st Shot to get a baseline of your registry. Then run the suspicious program. Next hit 2nd Shot to capture any changes made to your registry.

Regshot

Finally select Compare to get a report of any changes made:

Registry Modifications

PROCESS MONITOR

Process Monitor is a bit more involved. After you run it, turn off capturing (File, then uncheck Capture Events) and clear the display (Edit, then Clear Display). Leave capturing off until you are ready to fire up the malware. Then turn capturing on and execute the malware.

Process Monitor

Let it run for a few minutes, then turn off capturing so you don’t fill your system memory with process captures.

Then finally we need to filter for our suspicious file. Select Filter, then Filter again. Then select Process Name from the first drop-down box, leave “is” in the second box, then pick the filename of the file you want to monitor in the third box:

Process Name

Then just click “Add” and “OK”.

You can now view all the process information that is related to the malicious file.

You can further filter the data available for the file in question by using the 5 select boxes on the menu:

Process Monitor filters

With these you can view just registry activity, process activity, file system activity, network activity, etc.

If we look at our malicious file with Process Monitor you will see that the program searches your entire drive for user files, installed programs, security programs and patches, installed FTP programs, file manager programs and even remote storage clients (like Dropbox).

Process Monitor screenshots 1, 2 and 3

WIRESHARK

Finally we want to see what network activity the malware initiates. Simply have Wireshark running before you execute the program.

Wireshark Malware Traffic

As you can see, as soon as the malware was executed, it immediately tries to connect out to a malicious server.

ANALYSIS

As a basic analysis of the file shows, it is a data miner trojan: if a user is duped into allowing the malicious e-mail attachment to run, it searches the hard drive for any data that could be of interest and then tries to send it out to a malicious server.

Of the three different samples obtained, all were similar in that they claimed to be a fax report from an internal fax server. Some looked much more believable than others. All three had an executable attachment that was masked to look like a .pdf file.

All three searched the hard drive and registry for pertinent information, and all three connected out to a suspicious server address. The funny thing is that when all three were run through the WHOIS database, all three domains pointed to the same server!

Lastly, the e-mail addresses in all three seemed to be in a somewhat alphabetical order. This seems to point to a botnet-type control system going through a list of e-mail addresses, breaking them down into groups and sending each group one of the malicious e-mails.

CONCLUSION

These types of automated phishing attacks are becoming very common. The best line of defense against them is vigilant users who question unsolicited e-mails, especially ones with attachments. Blocking incoming and outgoing IPs from unneeded locations, with ingress and egress filtering, is paramount in stopping these attacks.

Network security monitoring with full packet capture will also help to find what data, if any, was actually compromised if the attack is a success.

This was just a very basic analysis of this malicious attachment. Want to take a closer look at these techniques and learn a whole lot more about malware analysis including advanced techniques? Check out Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig.

“It was Just a Virus” – Full Data Breaches through Malicious Attachments


If a malware file is allowed to execute, and it collects all of the personal files off of a system and sends them to a remote hacker, was your company hacked or did you “just have a virus?”

I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.

Basically, a corporate user would receive a crafted e-mail saying that they have received a fax from their internal fax server. Sure enough, the e-mail would have a PDF-looking attachment. But once the “attachment” is executed, the user gets a whole lot more than a fax.

The “.pdf” file is actually an executable malware file using a PDF logo as an icon. The file executes a data mining attack that searches the hard drive for personal data, browser caches, system files, registry settings, installed applications – including FTP and security programs, remote access programs, file manager programs, web site authoring software, and even clients for remote online storage.

Once it gathers this information, it tries to connect to a foreign server to upload the purloined data.

So should these attacks be considered as “just a virus”, or should this be considered a full data breach?

All the elements of “being hacked” are present. Private data files, including password files and databases, could have been obtained, and then the information is sent out of the network to a remote hacker’s server set up to receive it. Malware is already running on the system, so how hard would it be to use the system as a persistent backdoor into the corporation?

And lastly, these evil infiltrators are coded to bypass anti-virus and firewalls – only 2 AV companies detected one of the malicious executables I examined as containing a Trojan. And since the program connects out from your system to the malware server after executing, a firewall that allows outbound connections does not block it.

Sure, most companies consider that they were hacked when a server has been compromised, but what if a top engineer who kept classified research information on his system, or an IT administrator of a secure facility, allowed the phishing e-mail to run?

And how would these people even know that private data was sent out of their network if no network security monitoring was in effect? Would they just write off the attack, saying, “It was just a virus…”?

Long gone are the misspelled, fake-looking social engineering attacks. E-mail attacks are getting much better: they look professional and are believable, especially when your company uses some of the same software that the e-mail is pretending to come from (like an incoming fax message).

Employees need to be warned that malicious e-mails try to replicate legitimate communication, and that if something looks or feels suspicious, they should not run it and should contact your support department.

Sure, this will probably mean more calls to the data center, but if you can catch these things BEFORE they execute, you can take steps to protect your network, especially if you find out which servers they are trying to connect out to, as you can block the address so others who aren’t as vigilant are protected too.

US Gas Pipeline Companies Currently Under Major Cyber Attack

Natural gas pipeline companies are currently facing a major targeted phishing attack from a single source, according to the Christian Science Monitor. The attacks, which seem to have begun in December 2011, have prompted DHS to release three amber alerts and the ICS-CERT team to release an incident response report on Friday:

“That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.”

The incident response report explained that an analysis of the attacks shows that attacker was using a “spear-phishing” technique:

“Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source. It goes on to broadly describe a sophisticated “spear-phishing” campaign – an approach in which cyber attackers attempt to establish digital beachheads within corporate networks.”

Natural Gas companies in the US and Canada seem to be the focus of the attacker and according to the article, some of the intrusion attempts may have been successful:

“Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign.”

Spear-phishing is an attack where the attacker researches certain individuals at a company using both public and private online resources. Public corporate news is analyzed, as well as individuals’ social media profiles, like Facebook and LinkedIn. The information gained is then used in a social engineering attack, usually a specially crafted e-mail that contains malicious links or attachments.

When the target runs the attachment or clicks on the link, the attacker obtains remote access to the target’s computer, or can harvest credentials or other pertinent information.

It is too early to tell who is responsible for these intrusions, but with the current concern of SCADA and public infrastructure attacks, it will be interesting to see which country or entity is behind this attack.