Activity Summary - Week Ending on 9 November 2023:
- Red Sky identified 27,472 connections from ‘new’ unique IP addresses
- Hetzner Online GmbH hit 130x
- 29 ‘new’ botnet hits
- macOS Malware
- r2 Platform
- 70 German municipalities
- S_it
- India - Education
- Suffolk Co NY
- Who’s in Charge?
Red Sky Alliance Compromised (C2) IPs
162.55.84.100 was reported 130 times. Confidence: 100%. ISP: Hetzner Online GmbH; Usage type: Data Center/Web Hosting/Transit; Hostname: static.100.84.55.162.clients.your-server.de; Domain name: hetzner.de; Country: Germany; City: Gunzenhausen, Bayern.
IP            | Contacts
162.55.84.100 | 80
4.227.184.194 | 68
34.208.56.37  | 53
13.214.38.161 | 50
3.19.58.18    | 40
On 8 November 2023, Red Sky Alliance identified 27,472 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Malware Variant | Times Seen
sality          | 24442
corkow          | 1545
shiz            | 1535
sykipot         | 370
wcry_ransom     | 293
Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants.
Red Sky Alliance Malware Activity
For a full black list – contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 8 November 2023, analysts identified 29 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).
First Seen          | Botnet Attribution     | Infected Host’s IPv4 Address
2023-11-07T16:40:22 | HTTP proxy (port 80)   | 8.219.72.100
2023-11-07T16:40:20 | HTTP proxy (port 80)   | 8.219.103.148
2023-11-05T01:20:21 | HTTP proxy (port 80)   | 8.219.110.105
2023-11-01T19:20:44 | HTTP proxy (port 3125) | 58.147.189.114
2023-11-04T12:20:25 | HTTP proxy (port 8080) | 85.117.58.226
Keylogger IOCs available upon request.
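The blacklist entries above only pay off once they are matched against your own telemetry, and the most common mistake when doing that is plain substring matching, where 162.55.84.10 silently hits 162.55.84.100. The following shell script is an added example and is not part of the Red Sky Alliance report: it takes the ten IPv4 addresses from the two tables above as an IOC list, runs them over a handful of constructed firewall and proxy log lines (not real traffic), and reports a hit count per IOC, using grep -F for literal dots and -w so that only whole-token addresses count. The temporary file names and the log format are this script’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Sky Alliance report): match the C2 / botnet
# IOC IPs from the tables above against constructed log lines.

# The ten IPv4 addresses listed in the two tables above, one per line.
IOC_LIST='162.55.84.100
4.227.184.194
34.208.56.37
13.214.38.161
3.19.58.18
8.219.72.100
8.219.103.148
8.219.110.105
58.147.189.114
85.117.58.226'

# Constructed sample log lines (not real traffic). Lines 2 and 4 are
# deliberate near-misses: 162.55.84.10 and 13.19.58.18 are NOT on the list.
SAMPLE_LOG='2023-11-08T10:01:02Z fw ACCEPT src=10.0.0.5 dst=162.55.84.100 dport=443
2023-11-08T10:01:05Z fw ACCEPT src=10.0.0.7 dst=162.55.84.10 dport=443
2023-11-08T10:02:11Z proxy CONNECT 8.219.72.100:80 from 10.0.0.9
2023-11-08T10:03:00Z fw ACCEPT src=10.0.0.5 dst=13.19.58.18 dport=80
2023-11-08T10:04:00Z fw ACCEPT src=10.0.0.8 dst=3.19.58.18 dport=80
2023-11-08T10:05:30Z fw ACCEPT src=10.0.0.5 dst=162.55.84.100 dport=443
2023-11-08T10:06:00Z fw ACCEPT src=10.0.0.5 dst=93.184.216.34 dport=443'

# Write the constructed IOC list and log to the two files given as arguments.
write_samples() {
    printf '%s\n' "$IOC_LIST" > "$1"
    printf '%s\n' "$SAMPLE_LOG" > "$2"
}

# Print "<ioc> <hits>" for every IOC that occurs in at least one log line.
# -F treats the dotted quad literally (no regex dot) and -w requires the
# address to be a whole token, so 162.55.84.10 does not hit 162.55.84.100
# and 3.19.58.18 does not hit 13.19.58.18.
ioc_hits() {
    ioc_file="$1"
    log_file="$2"
    while IFS= read -r ioc; do
        if [ -n "$ioc" ]; then
            # grep -c exits 1 on zero matches; keep the "0" and carry on.
            n=$(grep -cFw -- "$ioc" "$log_file" || true)
            if [ "$n" -gt 0 ]; then
                printf '%s %s\n' "$ioc" "$n"
            fi
        fi
    done < "$ioc_file"
}

# Stand-alone run: sh ioc_hits.sh demo
if [ "${1:-}" = "demo" ]; then
    ioc_tmp=$(mktemp) && log_tmp=$(mktemp)
    write_samples "$ioc_tmp" "$log_tmp"
    ioc_hits "$ioc_tmp" "$log_tmp"
    rm -f "$ioc_tmp" "$log_tmp"
fi
```

Running it with the demo argument reports three IOCs as seen (162.55.84.100 twice, 3.19.58.18 and 8.219.72.100 once each) and nothing for the two near-miss lines. In production, replace the constructed strings with the full .csv blacklist and your own log export; the matching logic stays the same.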
MALICIOUS CYBER TRENDS:
macOS Malware - 11 Ways to Tweak radare2 for Faster and Easier macOS Malware Analysis. SentinelLabs’ recent eBook on using radare2 (r2) for macOS malware analysis[1] focused on giving analysts a series of guided use cases for typical tasks such as string decryption, anti-evasion and automation. Aimed at those seeking to level up their macOS malware analysis skills, the guide contains many tips on using r2, but mostly works through malware samples that exemplify typical challenges. In this segment, Sentinel analysts look at lowering the learning curve and improving productivity for those new to, or recently converted to, the r2 platform. The default settings in r2 may be fine for basic reverse engineering, but there is a lot of simple customization we can and should do for a better malware analysis workflow.[2]
Explore and Change the Default Theme - Environment is everything when you need to concentrate, and nothing contributes to this more than the UI appearance and theme. Fortunately, r2 ships with a number of built-in themes, which can also be customized, so there is no need to download or install third-party plugins or code. First we’ll see how to explore the available themes, then how to set one as the default for every launch. On the r2 command line, type eco, then a space, then tab. You’ll see a list of the built-in theme names.
Explore how the different themes look by typing the name of the theme after eco , hitting return, then executing pdf, x, or V to see how it looks. Rinse and repeat till you find one that you like the look of.
eco monokai; pdf; x
Once you have your chosen theme, the next step is to make it the default theme. Exit r2 or open a separate Terminal window and use the following command line to create or append the config file at the default location ~/.radare2rc. I used ‘smyck’ here, but change to suit your preference.
cd; echo eco smyck >> .radare2rc
After executing the command, quit and restart r2 to see the change. The prompt can be customized within the chosen theme. Play around with different foreground / background color combinations with variations of:
ec prompt white green
ec prompt cyan darkgray
Turn Off the Jokes! You may or may not enjoy the “fortune cookies” that appear on each launch of radare2. Some can be funny, others less so, depending on your taste. Be aware that if you’re sharing screenshots of your r2 sessions, publicly or privately, the ‘jokes’ may cause offense if you inadvertently capture them. We can turn them off with a simple command added to our config file.
cd; echo e cfg.fortunes=false >> .radare2rc
Turn On (and Off) the Comments! r2 can annotate each instruction in a disassembly listing with a short description of what it does (the asm.describe setting), which is built-in help for new reverse engineers, or for experienced reversers who are learning a new architecture.
Compare the default display of the pdf command with the same listing after descriptions are enabled:
You will probably not want descriptions on all the time, as they can be distracting, but it is really useful to turn them on when you come across an unfamiliar instruction or operand. Sentinel added a couple of aliases to the config file that allow the commands “$conn” and “$coff” to quickly toggle them. Add the following two lines to .radare2rc and restart r2.
$coff='e asm.describe = false'
$conn='e asm.describe = true'
Indent Code Blocks for Better Visibility - radare2 helps reverse engineers visualize control flow in a variety of ways, one of which is indenting blocks in the disassembly to show nested code. By default this is turned off and all blocks appear at the same tabular offset.
Turning code indent on makes it easier to quickly see the relationship between blocks of code.
You could make a pair of aliases to toggle this setting as we did with comments, substituting the value ‘true’ with ‘false’, but for my part I never see a need to turn it off, so I just add the following to my config file.
cd; echo e asm.indent=true >> .radare2rc
Make r2’s Help More Helpful - Help in r2 is summoned with the ? command, but it can be tough finding what we need sometimes. It would make life easier if we could easily grep all the help for a search term of interest. To do so, add the following code to the .radare2rc config file:
(help x; ?*~$0)
Restart r2 and load a binary, say /bin/ls for simplicity, then compare the output of searching the help for the keyword ‘crypto’:
A macro to make searching the help doc easier
Our macro is just a shortcut for ? followed by a wildcard and then grepping for our search term, but it’s a lot easier to remember .(help <searchterm>). Note that for multi-word search terms, you must escape any spaces in the search string.
.(help hexdump\ columns)
Spaces in the search term need to be escaped
Set the Block Size - Block size is the number of bytes r2 operates on, and therefore how much commands like px print out. By default it’s set to 0x100 (256 bytes), but sometimes that’s not enough to see everything of interest. The block size can be changed within a session on the command line with b <size>, e.g.
b 0x200
Use the previous macro to get more help about block sizes
A simple alias in our config file is useful for printing out extended block size in one shot:
$x='b 0x200; px'
Sort and Search Functions By Size, XREFS & Other Criteria - In radare2, afl and afll are the go-to commands for viewing function information, but we sometimes want to tailor the output to specific items of interest. Here are a few aliases I use to narrow down code that might be of interest. The first two depend on another alias, $fcol, which simply prints the column headings for the subsequent afll output:
$fcol='afll\~:0'
Top twenty largest functions in the binary:
$top20='clear; $fcol; afll \| sort -k 3 -nr \| head -n 20'
Top twenty functions with the largest number of XREFS:
$topX='clear; $fcol; afll \| sort -k 14 -nr \| head -n 20'
Functions related to swizzling in Objective-C binaries (shout out to LaurieWired’s recent talk for this idea):
$swiz='afl\~exchangeImplement; afl\~getInstanceMethod; afl\~getClassMethod; afl\~setImplementation'
Print out the functions of interest in a Go binary, ignoring the boilerplate imports:
(gafl; afl | grep -v vendor_golang.org | grep -v runtime | grep -e main -e github | sort -k 4 -nr)
This time we used a macro rather than an alias. Either will work. Note that with the macro, you don’t need to escape special characters like the pipe or tilde symbols.
Print Calls to and From the Current Function - Understanding the relationships between functions is crucial to discovering malicious behavior and homing in on the parts of a binary we want to use for hunting and detection.
To view all the calls to a current function, the r2 command axg will give a nice graphical view all the way back to main. To view the calls a function makes, use pifc.
If we find these obtuse r2 commands difficult to remember, then of course aliases are our friends:
$callee='axg'
$calls='pifc'
However, exploring the nuances of ax and pi through ? and our .(help) macro will return dividends. We can gain a better understanding of the overall structure of a function with the following macro, which prints out a useful summary of information.
(metaf ; afiq; echo XREFS:; axg; echo INSTR:; afist; pds)
Edit and Test Yara Rules Within radare2 - If you have a local YARA file, you can edit it from within r2 from the command line like so:
!vi <path to yara file>
From here, add or adjust existing rules, save and quit out of the text editor, then call it on the currently loaded binary to test the file against the rules:
!yara -fs <path to yara file> `o.`
The r2 command o. serves as a reference to the currently loaded binary and is useful in a wide variety of aliases and macros. Let’s define an alias and a macro for the above.
$rules=!vi <path to your yara rules file>
(yara x; !yara -$0w <path to your yara rules> `o.`)
After restarting r2, we can now edit our YARA rules from within r2 with the $rules command. We can call our rules on the currently loaded file with .(yara f). Try .(yara m) and .(yara s) and note the differences.
Running YARA rules against the loaded sample
Query VirusTotal about the Current Sample - Once you realize how easy it is to call external command line utilities from within an r2 session, multiple possibilities for faster and easier workflows open up. Perhaps one of the most oft-used tools for malware analysts is VirusTotal. If you have the VT API tool installed and in your PATH, it’s very easy to integrate this with r2. Again, a simple addition to our config file is all that’s needed:
$vt=!vt file `o.` --include=meaningful_name,tags,popular_threat_classification,first_submission_date,last_submission_date
You can modify what to include to suit your preferences per the VT documentation.
Get results from VirusTotal within r2 session
Check Code Signature of Current Sample - One final tip for anyone who struggles to remember all the various ways to check whether a sample has a valid code signature, whether it’s notarized, and whether it’s been revoked by Apple: put it all in an alias and run it from within r2!
$codesign='izz~Developer ID; !codesign -dvvv -r - `o.`; !spctl -vvvv -a -t execute `o.`'
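Most of the tips above are installed by appending to ~/.radare2rc with >>, which adds another copy of the line every time the command is re-run, and a hand-maintained rc file tends to accumulate those duplicates. The following shell script is an added example and is not part of the SentinelLabs post: it writes the theme, fortune, indent, comment-toggle, help-macro, block-size, function-listing and xref entries shown above into the rc file, but adds a line only when an identical one is not already present, so it can be re-run safely. The target path defaults to ~/.radare2rc and can be overridden through an RC_FILE environment variable, which is this script’s own knob and not an r2 setting; the alias bodies go through a single-quoted heredoc so that $, \| and ~ reach the file unchanged.

```shell
#!/bin/sh
# Added example (not from the SentinelLabs post): build ~/.radare2rc from the
# tweaks above without ever duplicating a line. RC_FILE is this script's own
# override, not a radare2 setting.
RC_FILE="${RC_FILE:-$HOME/.radare2rc}"

# Append a line only if an identical line is not already present
# (-x whole line, -F literal, -- so a line starting with '-' is not an option).
rc_add() {
    touch "$RC_FILE"
    if ! grep -qxF -- "$1" "$RC_FILE"; then
        printf '%s\n' "$1" >> "$RC_FILE"
    fi
}

# Number of times an exact line occurs in the rc file (prints 0 when absent).
rc_count() {
    grep -cxF -- "$1" "$RC_FILE" || true
}

# The tweaks from the sections above. The heredoc delimiter is quoted, so
# $coff, \| and ~ are written verbatim rather than expanded by the shell.
install_tweaks() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            rc_add "$line"
        fi
    done <<'EOF'
eco smyck
e cfg.fortunes=false
e asm.indent=true
$coff='e asm.describe = false'
$conn='e asm.describe = true'
(help x; ?*~$0)
$x='b 0x200; px'
$fcol='afll\~:0'
$top20='clear; $fcol; afll \| sort -k 3 -nr \| head -n 20'
$callee='axg'
$calls='pifc'
(metaf ; afiq; echo XREFS:; axg; echo INSTR:; afist; pds)
EOF
}

# Usage: sh r2rc.sh install                (writes $HOME/.radare2rc)
#        RC_FILE=/tmp/rc sh r2rc.sh install (writes somewhere else first)
if [ "${1:-}" = "install" ]; then
    install_tweaks
    printf 'radare2 config written to %s\n' "$RC_FILE"
fi
```

Run it once against a scratch path to inspect the result, then against the real rc file; running it a second time changes nothing. Restart r2 afterwards, as with the manual echo commands.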
Conclusion - Working with r2 can be daunting at first, but the platform is built on simplicity. Thanks to its integration with the command line, with a few customizations, radare2 can be quickly turned into a powerful platform for malware analysts. There are also many plugins for radare2 to augment it with various external decompilers, including Ghidra, work with frameworks like Frida, and (of course) work with AI chat bots. If you enjoyed this post and haven’t yet checked out the ebook, A Security Practitioner’s Guide to Reversing macOS Malware with Radare2, you can find it here: https://www.sentinelone.com/resources/a-security-practitioners-guide-to-reversing-macos-malware-with-radare2/ This free PDF resource covers lots of recent macOS malware and walks through example cases of common reversing tasks, all in radare2.
GLOBAL TRENDS:
Germany - Massive ransomware attack hinders services in 70 German municipalities. A ransomware attack this week has paralyzed local government services in multiple cities and districts in western Germany. Early on 30 October, an unknown hacker group encrypted the servers of the local municipal service provider Südwestfalen IT. To prevent the malware from spreading, the company restricted access to its infrastructure for over 70 municipalities, primarily in the western German state of North Rhine-Westphalia. The attack left local government services “severely limited,” the company said in a statement posted on a temporary website, as its main site is inaccessible following the incident. Nearly all town halls in the region were impacted by the hack.[3]
On the day of the attack, the administration of the German city of Siegen canceled appointments with citizens since the majority of its IT systems were shut down. As of 31 October, most of the administration's online services remained unavailable, and the websites of the city administrations of Wermelskirchen and Burscheid were still down on 1 November. "Due to the disruption, we have no access to all applications running via Südwestfalen IT," a Wermelskirchen spokeswoman told German media. This affected the city’s finance, residents’, cemetery and registry offices. The affected administrations that publicly discussed the attack said that, even though their online systems are down, they are still offering in-person services to citizens; their internal and external communication, including email and phone services, is mostly nonfunctional.
German police and cybersecurity agencies are investigating the hack and working to restore services for city administrations. “But we can't tell our customers anything specific, that puts a lot of stress on people,” a Burscheid spokesperson said. The timing of the attack is particularly sensitive, according to German cybersecurity experts, as local governments typically perform financial transactions at the end of the month. Payments like salaries, social assistance, and transfers from the nursing care fund may be hindered by the attack, the experts said.
Germany's Federal Office for Information Security (BSI) told Recorded Future News that it is aware of the security incident and is in contact with the affected service provider. However, it cannot comment on further details as the investigation is still ongoing. German prosecutors participating in the investigation told local media that they are currently working to determine the extent of the damage, which services were impacted, and who was responsible for the attack. They expect a "complex and lengthy investigation."
India - The education sector has emerged as the most targeted industry for cyber attacks, accounting for more than 7 lakh (700,000) detected threats in April-June 2023, according to a study. The substantial number of attacks underscores the increasing vulnerability of educational institutions, the study said.[4]
The manufacturing industry stood second with 3.29 lakh threats, followed closely by professional services with 3.28 lakh, according to the study by the malware analysis lab SEQRITE Labs. These numbers indicate that cybercriminals are diversifying their focus, targeting a wide range of sectors, it highlighted. In the education sector the most prevalent threat was W32.Neshta.C8, which has proven a formidable adversary for educational institutions. The manufacturing sector grappled with PIF.StucksNet, and professional services faced a similar threat landscape with Trojan.KillAv.DR.
SEQRITE’s Threat Report also highlighted other notable sectors under attack. Government entities faced 22.6 lakh threats, the automobile industry 144.4 thousand, and hospitality & healthcare 13.7 lakh. The BFSI sector, IT/ITES, power & energy, and strategic & public enterprises also reported significant numbers of detected threats.
Another report, by Internet safety company Happinetz, stated that about 88% of parents surveyed fear their children’s early access to inappropriate content on the internet. In addition, 55% of the 1,500 parents surveyed across 30 cities in India frequently hear about incidents of unsafe internet use involving children, reflecting that the internet does not discriminate when it comes to adult content. The survey found that parents are actively monitoring their children’s online activities: for children aged 5 to 9, 63% of parents frequently talk with their children about content and internet choices, and 56% of parents in the same age group actively keep a watchful eye on their children’s online interactions.
US - The former IT commissioner for the Suffolk County Clerk’s department did not alert county officials that the computer network in the clerk’s office was responding to a “radical malware attack” until eight hours after he was alerted. The Center for Internet Security (CIS) sent an email at 3 a.m. on 8 September 2022 to the clerk’s then-IT commissioner Peter Schlussler alerting him to the attack, but Schlussler did not share that information with Suffolk IT leaders outside of his office until after 11 a.m.
“A 30-minute call was held with … [Schlussler] at 7:12 p.m.,” an excerpt of the report the Press reviewed states. “On the call, it was discussed that their Cortex client alerted to malicious activity on one of their domain controllers, quickly followed by alerts on additional systems within the environment. By 11 a.m., the entity had completed a full network isolation.” The exchange was the first confirmation of the cyberattack that forced all county departments to work offline for nearly six months between September 2022 and February 2023. Schlussler had been put on leave since questions were raised about whether he properly acted on warnings that the clerk’s office was at risk of being hacked. The former IT head argues that he first alerted the county to the attack.
An investigation of the cyberattack concluded that cyber criminals entered the county’s online system through the former county clerk’s IT environment in December 2021. About eight months later, the hackers found credentials that gave them access to the larger county IT environment, and the cyberattack occurred about two weeks later. The hackers, known as BlackCat, demanded $2.5 million in ransom to give the county back access to its networks.
Officials had also blamed technical vulnerabilities on Christopher Naples, a former information technology deputy commissioner who was arrested in 2021 for allegedly installing hidden computers in the Riverhead-based clerk’s office in a scheme to mine bitcoin (the process by which cryptocurrency transactions are recorded), and on Schlussler, who officials said failed to catch his deputy’s alleged scheme or the ensuing cyberattack, partly carried out in the deputy’s name. A software flaw known as the “Log4J vulnerability” also helped get the hackers in the door, according to the report from Palo Alto Networks Inc., one of several companies hired to help in the aftermath of the attack. A second probe by TracePoint also found that the hack originated in the clerk’s office, officials say. Suffolk authorities have said they are working with the FBI in continuing the criminal investigation into the cyber attack, considered one of the largest on a municipality in the nation.
The Republican-majority Suffolk County Legislature’s Cyber-Attack Investigation Committee has heard from Schlussler several times; he has filed paperwork indicating he is seeking to sue term-limited outgoing Democratic Suffolk County Executive Steve Bellone for defamation after Bellone blamed Schlussler for not stopping the attack in time. “While we await Schlussler’s latest frivolous claim, we continue to eagerly await the day in which he finally appears for a deposition because his alternative set of facts will not hold up while under oath,” Marykate Guilfoyle, a spokeswoman for the administration, said in a statement shared with the Press.
In addition to the lag in alerting other county officials to the attack, the CIS report also states that Schlussler acknowledges he told CIS he believes the hackers gained access through the clerk’s public-facing Horizon environment, which other forensic reviews have also concluded. “The biggest takeaway is that Tracepoint believes there were multiple actors involved at various times, as unauthorized activity is observed all the way back to December 2021,” the CIS report states. “Unfortunately, it’s unknown exactly when the BlackCat team specifically first accessed this network.”
[1] https://www.sentinelone.com/resources/a-security-practitioners-guide-to-reversing-macos-malware-with-radare2/
[2] https://www.sentinelone.com/labs/11-ways-to-tweak-radare2-for-faster-and-easier-macos-malware-analysis/
[3] https://therecord.media/massive-cyberattack-hinders-services-in-germany
[4] https://kashmirreader.com/2023/11/02/education-sector-emerges-as-most-targetted-sector-for-cyber-attacks-in-apr-jun-study/