Skip to main content

Posts

Showing posts from 2016

QuickSand.io Open Source version released

Today we are officially launching an open source licensed version of QuickSand.io - a C command line tool to scan document streams with Yara signatures for exploits and active content as well as Cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full Cryptanalysis module, the brute force single byte XOR, or the XOR Look Ahead algorithm.

Github Repo https://github.com/tylabs/quicksand_lite


In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros, 10+ are exploits or shell commands executed via the active content.

Exploit and Active Content Detection
WordExcelPowerpointRTFMime MSO xmlEmails

XOR + ROL/ROR/NOT/ADD/SUB Embedd…

Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and QuickSand.io.

PDFs
Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.

ResultsPDFExaminer will return a score of over 0 and under 10 for active content, don't trust a PDF with Active Content from emails. Some complicated forms like Passport applications will have a lot of Javascript but are safe. PDFExaminer allows an experienced analyst to drill down to view the actual Javascript. A score over 10 with a CVE-201XX-XXXX exploit ID are definitely bad, don't open those at all. See below "Cryptam and QuickSand.io for all non-executable files" for more analysis you can do on a PDF to find obfuscated embedded executables.


Cryptam and QuickSand.io for documents
Both  Cryptam and QuickSand.io will parse all the various streams that can occur within an Office document such as Word, PowerP…

QuickSand += structhash

We are pleased to announce version 2 of QuickSand.io's structural hashing algorithm "structhash" which can be used to fingerprint the structure of an office document or RTF.

Typical weaponization of malware document's use a skeleton exploit doc as part of the exploit builder process. Usually this skeleton exploit document is specific to to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early 0 day usage usually follows this model with one group's zero day being outed and other groups replacing the original payload with their own - so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads the underlying core of a malicious document doesn't change that much, the …

QuickSand.io In Depth - Part 2 The Reports

QuickSand.io ReportsToday we're going to dig deeper into the QuickSand.io document malware analysis reporting, and how the analyst can dig deeper into the results and extracted executables.



Header The report header contains the information you'd expect - analysis time (for the submitted times you'll have to look at the submissions json page). File hashes. is_malware: 0 for clean, 1 for suspicious active content, 2 for exploits and embedded executables. Score - each yara rule for exploits or active content adds to the score. Runtime - it's fast. And the yara hits - exploits - CVE #, executables windows/mac/VB and whether a PE header is found, and general - the trojan signatures from Malware Tracker.



Streams The streams section of the report is where you can did deeper into the content and cryptanalysis results. Clicking the headers expands the sections and the indentation shows the object relationships. Grey title are less interesting, red have exploits, and brown have…

QuickSand.io in depth

In addition to our Cryptam tool. We created QuickSand.io, a fast C document forensics tool which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI, a C Library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.

Exploits Known exploits are scanned used embedded Yara, document streams are decoded - hex, base 64, zip, gzip. We don't handle PDF streams - you'll still need PDFExaminer.com for that.

Finding Embedded exe's XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks XOR Lookahead - where the current byte is xored with the following byte.
Math ciphers - +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor - for when null space is not replaced.
Odd XOR lengths


Example odd xor length: This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out ma…

Document Malware XOR distribution or dial M for Malware

We took a sampling of 5448 recent malware documents with an XOR encoded executable detected by Cryptam. Normally we spend most our time looking at APT samples with 256 byte keys, so the recent results which include quite a bit more crimeware lately were surprising.
26% of samples where encoded with the 1 byte key 0x77, followed by 11.6% 0xFD, and 6.5% 0x6A. In total 59% of samples had a one byte key. We tried to look into the significance of this high a rate of 0x77. In ASCII, 0x77 translates to a lowercase 'w'. 7 is the country code for Russia, and decimal 77 would be an M in ASCII. According to Wikipedia, during World War II in Sweden at the border with Norway, "77" was used as a password, because the tricky pronunciation in Swedish made it easy to instantly discern whether the speaker was native Swedish, Norwegian, or German. 7.6% of samples were encoded with variants of 0xCAFEBABE, 0xBAFECABE, and 0xFECABEBA. 10% of samples were 4 byte keys. Only 21% were 256 byt…