So here's the second part of that serie on fraudulent domain monitoring and takedown.
Hope you'll enjoy :-)
vendredi 16 mars 2018
Par Cedric Pernet le vendredi 16 mars 2018, 10:03 - Cybercrime
So here's the second part of that serie on fraudulent domain monitoring and takedown.
Hope you'll enjoy :-)
lundi 5 mars 2018
Par Cedric Pernet le lundi 5 mars 2018, 11:39 - Cybercrime
I just published this one, on domain registration monitoring:
Next one should be published very soon :-)
Hope you'll enjoy :-)
lundi 11 décembre 2017
Par Cedric Pernet le lundi 11 décembre 2017, 13:54 - APT
We released a new technical paper about a known APT threat actor named "Patchwork".
Cheers ! :-)
jeudi 21 septembre 2017
Par Cedric Pernet le jeudi 21 septembre 2017, 12:39 - Malware
I have written this blog post in collab with my good friends Kenney and Lenart... ;-)
jeudi 20 juillet 2017
Par Cedric Pernet le jeudi 20 juillet 2017, 09:58 - Malware
Some days ago we published this blog post. It seems that some cybercriminals are heavily using it at the moment to spy audio conversations. I guess it's pretty interesting.
mercredi 22 mars 2017
Par Cedric Pernet le mercredi 22 mars 2017, 22:11 - APT
I've published a new blog post today on Trend Micro's blog. This is once again about some APT campaign, this time showing some of the new modus operandi from a threat actor named Winnti.
It is available here.
mercredi 14 septembre 2016
Par Cedric Pernet le mercredi 14 septembre 2016, 15:31 - Cybercrime
Hi all :-)
jeudi 8 septembre 2016
Par Cedric Pernet le jeudi 8 septembre 2016, 15:11 - Cybercrime
New blog post being released, entitled "The French Dark Net Is Looking for Grammar Police". Hope you will enjoy it ;-)
The french cybercrime underground is definitely surprising... ;-)
lundi 29 août 2016
Par Cedric Pernet le lundi 29 août 2016, 14:18 - Cybercrime
Last week one of my new blog post got released here. I hope you will enjoy it, especially the french ones interested in cybercrime ;-)
mardi 12 juillet 2016
Par Cedric Pernet le mardi 12 juillet 2016, 15:13 - Cybercrime
Please be advised I have published a new blog post entitled "French Dark Bets: Betting On Euro 2016"
French people in particular might be interested... ;-)
mardi 1 septembre 2015
Par Cedric Pernet le mardi 1 septembre 2015, 09:46 - APT
Following my first research paper about the Rocket Kitten APT threat actor, I have released another one, this time as a collaboration work with one researcher from ClearSky.
The blog post is here: Rocket Kitten Spies Target Iranian Lecturer and InfoSec Researchers in New Modus
The full paper is here: The Spy Kittens Are Back : Rocket Kitten 2
mercredi 3 juin 2015
Par Cedric Pernet le mercredi 3 juin 2015, 04:03 - Cybercrime
Here is another article I wrote, this time to try to raise awareness on some professional networks risks. Link is How to Spot Frauds on Professional Networks
Also, related, is this blog post I wrote: Reconnaissance via Professional Social Networks.
mardi 31 mars 2015
Par Cedric Pernet le mardi 31 mars 2015, 11:44 - Cybercrime
Here is the link to a new blog post I wrote with friends Kenney Lu and Dark Luo from Trend Micro.
It has several interesting aspects, in my mind:
Hope you will enjoy the read ! :-)
mercredi 18 mars 2015
Par Cedric Pernet le mercredi 18 mars 2015, 11:38 - APT
Here is my first research paper done for my new employer, Trend Micro.
I hope you'll enjoy it ! :-)
jeudi 30 octobre 2014
Par Cedric Pernet le jeudi 30 octobre 2014, 08:15 - Cybercrime
Well, as you probably know, I am french. Some of my friends do not agree, and say that I am not a real french, because I do not like strong cheese, I do not like eating ducks (in any way), and all wine tastes the same for me, in opposite to beer. Also, I hate european football, but loooooove american football, my favorite team being the Patriots from New England.
On the other hand, I must admit I have a little kink for american football team's jerseys. I already have one from the Patriots, yet I wanted one from the Miami Dolphins.
So here I am, googling to find a new jersey at an attractive price, in french language.
Using a simple request like "jersey miami dolphins pas cher" which means "jersey miami dolphins cheap" in Google, I get the following as first result:
As you can see, the first results are from "Google Shopping" and do provide links to legitimate websites like nike.com.
Then, more interestingly, I get results from Google Image. The first image shown, on which my mouse pointer is, leads to a domain named maillot-foot-nfl-nba.com.
Following this link, I get a nice page from an online store showing me the jersey of my dreams:
At this point, there are several little details which should raise suspicion for anyone:
Clicking on some of the general pages of the web site is quite instructive. In the middle of the description for shipping, written in french, some spanish can be seen: "Aceptamos Visa, Mastercard, Paypal y tarjeta de crédito!" ...
There can only be one conclusion to all of this: this website is fraudulent, selling counterfeit products, and no one should buy products there.
Now if I come back to my Google research, and look at the Google image links on the right of the one I followed, the domains are:
By carefully watching these websites (except for forschungsinfo.de, which to clarify is a real site which has just hosted links to a fraudulent one, and the link has been removed), we could come to the same conclusion: counterfeit products are sold there.
Now one might think that these websites are build up by isolated fraudsters looking for easy money. The reality is a bit different, and that's why I am blogging, I wanted to bring some more insight to this kind of fraud and raise some awareness for people on Internet.
For starters, once again if you look carefully at all pages from such a website, you can find something more interesting than spelling mistakes: links to other websites.
Reading the "shipping info" from boutiquesprofr.com for example, the first line mentions that "sacmiumiu.com offre la livraison gratuite" , which means that "sacmiumiu.com offers free shipping".
Why the hell is a website called sacmiumiu.com mentioned in the shipping info of boutiquesprofr.com (which by the way means "prostorefr.com") ?
Well, the reason for that is that fraudsters do not build a single website to sell counterfeit products. They do build LOADS of different websites. You might think it takes a lot of time to do it, but it takes less than one or two hours to do. These fraudsters do use websites templates, which they just slightly modify from one site to the other. From the single sentence found on boutiquesprofr.com, we can expect it to use almost the same template as sacmiumiu.com.
sacmiumiu.com does not exist anymore, yet just by googling this name you would find interesting stuff : ads for it in guestbooks showing links to other counterfeit products websites, etc... Looking for it on archive.org, a website which shows past versions of websites, you would even find that the website has indeed been transfered by judge decision to Louis Vuitton because it was selling counterfeit products.
So, with few googling and wise use of archive.org, we already found out that our guys from "boutiquesprofr.com" were somehow connected to "sacmiumiu.com".
What else can be found ?
Let's go back to the first website I found, maillot-foot-nfl-nba.com.
At the top left part of the website, a logo from the company "NEW ERA" is visible. Let's be a bit clever and use it to find other websites which contain the exact same logo. To do that, we can save the logo from maillot-foot-nfl-nba.com and then submit it to a Google Image search. By doing that, Google will show us all referenced websites which contain the same picture :
Note: what you do not see in the screenshot is the fact that Google Image offers results showing images which are "close" to the image you submit. We need to focus on the exact same image, to avoid false positives. Moreover, if the fraudsters took the image from a legitimate website and did not modify it, we will get false positives we need to remove from the analysis.
Once again, the results are quite interesting: we easily fall on several fake products sellers.
This provides us a very easy method to group fake websites.
Ok, what do we know now ? We know that there are hundreds of websites selling fake products, using more or less the same templates and techniques.
How about having a look at the people who register these domain names ?
Let's have a look at the Whois information for our favorite website, maillot-foot-nfl-nba.com.
Registrant Name: mingsheng zheng Registrant Organization: zhengxiansheng Registrant Street: haikoulu10 Registrant City: haikou Registrant State/Province: hainan Registrant Postal Code: 570100 Registrant Country: CN Registrant Phone: +86.13800000000 Registrant Phone Ext: Registrant Fax: +86.13800000000 Registrant Fax Ext: Registrant Email: firstname.lastname@example.org Admin Name: mingsheng zheng Admin Organization: Admin Street: haikoulu10 Admin City: haikou Admin State/Province: hainan Admin Postal Code: 570100 Admin Country: CN Admin Phone: +86.13800000000 Admin Phone Ext: Admin Fax: +86.13800000000 Admin Fax Ext: Admin Email: email@example.com
Once again, this really does not look like Whois information a legitimate merchant would use: the phone numbers seems to be fake, and the e-mail address is on gmail.com, yet this is very interesting for us in terms of investigation.
So, by doing some reverse whois researches, we can find 23 domains, additionally to maillot-foot-nfl-nba.com, which have been registered by firstname.lastname@example.org :
Oh my, our friend "capsshopnet" has counterfeit stuff in french, spanish, and german, what a great linguist, this might explain all the spelling mistakes on these websites ;-)
What about the hosting ? Well, maillot-foot-nfl-nba.com is currently hosted on 188.8.131.52, which belongs to:
inetnum: 184.108.40.206 - 220.127.116.11 netname: SUN-HK descr: Sun Network - DataCenter Service TRANS ASIA CENTER, KWAI CHUNG country: HK admin-c: DA179-AP
Let's look at some Passive DNS information. Which other domains have lead to this precise IP address currently or in the past ?
The results are other counterfeit products websites (except for kkk345.com which is about pornographic stuff)
kkk345.com www.kkk345.com www.gorras-obey.com gorrasbaratas.com www.gorrasbaratas.com maillot-pascher.com www.maillot-pascher.com zapatos-baratas.com www.zapatos-baratas.com www.maillot-foot-nfl-nba.com www.kkk3.org
Now let me please represent all this data in a structured form (click to enlarge):
I will end this blog post here. I just wanted people to be a bit aware that the underground of counterfeit products is huge, and that few minutes of investigation can lead to the discovery of a complex web of Internet websites run by fraudsters.
One might wonder about the number of people involved in that kind of fraud. There are probably several people to register the websites, several people to build the content (and we can be pretty sure some other people are selling the web pages templates), to handle the orders, to manufacture the products (probably hundreds/thousands of people here), etc.
I stopped my investigation at this point, because it was done on a rainy night at home. A lot is uncovered here: I did not look for every domain whois, I did not look for all the hosting data and IP ranges, I did not really search for any real person attribution.
By digging more on all these data, we could probably find much more fake products websites and persons involved, but once again, my goal here was just to raise awareness on a kind of fraud and describe it a bit.
So what have we learned here ?
Thank you for your reading, this was some kind of fun post blog I've done in a hurry last night. See you soon ! :-)
mercredi 11 septembre 2013
Par Cedric Pernet le mercredi 11 septembre 2013, 07:13 - Malware
Two months ago, I released a YARA rule and an IOC rule to detect some generic folder dumps files. It has been proven useful in the real world, showing that it is possible to detect some attacks on a host with very easy rules.
Today I had another detection idea, as basic as the previous one. It is based on my experience in malware analysis and incident response, so I hope it will be helpful to other incident responders, especially when they work on APT attacks.
As you might know, some malware, in addition to every malicious activity they can provide, do deactivate the anti-virus running on the system. Usually, these malware are easily noticeable because (once depacked) they show strings which are known anti-virus processes names.
Some examples are:
These malware do usually know between 10 and 40 processes names that they absolutely want to kill.
Therefore, the idea is to try to detect any binary which contains these processes names.
I looked a bit around and found that Jerome Athias had released a "killav.rb" script in Metasploit. He provides us with 579 different processes names, all related to security tools and anti-virus products.
I asked Jerome and he kindly allowed me to use that list to build the YARA rule I was thinking of (with a bit of Python, it would have taken too long by hand of course).
The rule is built so that it will be triggered if 4 or more strings are found.
Please feel free to tweet me (@cedricpernet) or e-mail me any missing process name (there must be plenty) and I will update the rule accordingly. Also, if it triggers false positives, do not hesitate to reach me.
The YARA rule is here.
jeudi 29 août 2013
Par Cedric Pernet le jeudi 29 août 2013, 09:44 - APT
On a recent blog post, Claudio Guarnieri analyzes an APT attack campaign launched by the "Calc Group".
This group of attackers used the soon-coming "G20 Summit" to spear phish their targets. which are mostly financial institutions and governments. The attack in itself is really not sophisticated, it is just made of an archive file (.ZIP) containing a malicious executable file (.EXE).
The names of the zip files are:
These archives contains the following files:
One might be surprised that people really do open such zip files and click on these executables, but believe me, some people still do. Once again, it shows us that it is not necessary to deploy brilliant strategies to infect people with targeted malware.
Claudio makes a great analyse of these attacks in his blog post, so I won't write about it and let you read it instead. Now what I wanted to know was what happened next. I was especially interested in the second attack, because it had been submitted to Virus Total (VT) from France.
To summarize Claudio's analysis, the attack scheme goes like this :
This last point is very important to me: what malware is downloaded, and why? (the "why" can be expected though...)
To quote Claudio, "these samples are just an initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which it will try to download from a fixed list of URLs embedded in the binary".
Luckily enough, the second stage malware was still available and I could download it for analysis. It turns out that it is not an "AumLib" or an "Ixeshe", but a variant of a less known malware, called "Bisonha" by the malware researcher's community.
To bypass anti-virus and IDS/IPS products, it is downloaded "upside down" (the first byte becomes the last byte, etc.) and written locally as a regular executable once it is downloaded successfully, then executed.
The file shows a "Java" icon, to try to look more "legitimate" to users. At the time of writing, the sample I downloaded had not been submitted to Virus Total, so I did. The detection rate for this sample is 12/46.
This malware has no persistence mechanism (the first stage downloader makes it persistent), and once executed starts communicating with an IP address 18.104.22.168 on port 443:
GET /300100000000F0FD1F003746374637433731333433363334333600484F4D45000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070155736572000000000000000000000000000000000000000000000000000000000000000000006444000000000000000000000000000000000000000000 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: 22.214.171.124 Connection: Keep-Alive Cache-Control: no-cache
As you can see, the network traffic is on port 443 (HTTPS) but it is definitely no HTTPS traffic, rather hex-encoded data:
0000000: 0000 0000 f0fd 1f00 3746 3746 3743 3731 ........7F7F7C71 0000010: 3334 3336 3334 3336 0048 4f4d 4500 0000 34363436.HOME... 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000050: 0000 0000 0000 0000 0007 0155 7365 7200 ...........User. 0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000080: 0064 4400 0000 0000 0000 0000 0000 0000 .dD............. 0000090: 0000 0000 0000 0000 ........
My reverse engineering rockstar friend Fabien Perigaud had a closer look at the malware and provided me with more information:
Offset: 0x4: RAM size in kilobytes
Offset: 0x8: Hard-drive ID, xored with the machine name then hex-encoded
Offset: 0x19: Machine name
Offset: 0x59: Operating system version (in malware author's writing)
Offset: 0x60: Number of processors
Offset: 0x61: User name
Offset: 0x81: A unique identifier (probably used as a campaign identifier?) - Here it is "dD" but other two characters identifiers have been witnessed in the wild.
The commands which can be sent to the malware are sent in answer:
3004: File writing 3005: File reading 3006: Writing and execution of a file 3115 : provide a shell 3222 : write a new ID in %APPDATA%\recycle.ini 3223 : auto deletion of the malware 3224 : update
This quick analysis shows us that no matter how deep your knowledge is about an attacker, you're never safe from seeing him change his methods completely. That is why APT attacks attribution is such a hard task.
Thanks to Fabien, Jesse, Brian and Ned for the help while writing this small post ;-)
EDIT: (2013/09/04) Satnam Narang from Symantec just posted interesting material about the same APT campaign. You can read it here. In few words, Poison Ivy RAT is also in the game ;)
vendredi 5 juillet 2013
Par Cedric Pernet le vendredi 5 juillet 2013, 07:47 - APT
It has been a long time since I last wrote in english on this blog. The main reason is that I think there are not enough french ressources on Internet regarding APT, malware, incident response, and cybercrime, which are my favorite topics, as you might already know.
I therefore decided to publish in english language only when I thought the post was worth being shared widely.
But let's get right to the point of this post. Working on quite a number of APT cases recently, I noticed that the attackers often dump huge folders to a text file.
From the attacker point of view, it is just executing the "dir /s" command in a cmd shell, which lists folders recursively. The attacker usually redirects the output of the command to a file, doing it this way:
dir /s > 1.txt
The file is stored temporarily until the attacker decides to collect it, and deleted afterwards. The attacker may also not care (or forget) about it and leave it on the file system.
Forensically speaking, the deletion of this file is not a problem, as long as it is not rewritten, it can always be found.
From a detection point of view, it is very interesting to try to find these "folder dumps" on systems, as a possible indicator of compromise.
One has to be careful (as usual in incident response) to check that no legitimate user has generated this dump.
Now, one problem is left to detect these files: the operating system language. If you do incident response only in one country, no problem: usually you only need to check for dump files in your language, and in english (some users, no matter in which country they live, do always use english). Now if you do international incident response, you need to detect more languages.
I created a YARA rule and an IOC rule to detect these dump files in english, french, and german (Hello and thanks to my friend Axel who provided me with german dumps).
These rules should work on english,french,german Windows2000,ME,NT,Server,XP,7,8 systems. I did not check dumps for older systems.
comment="a YARA rule to detect dump files created by APT attackers"
$eng1="Volume in drive" wide ascii nocase
$eng2="Volume serial number" wide ascii nocase
$eng3="Directory of" wide ascii nocase
$eng4="<DIR>" wide ascii nocase
$eng5="File" wide ascii nocase
$fr1="Le volume dans le lecteur" wide ascii nocase
$fr2="du volume est" wide ascii nocase
$fr3="pertoire de" wide ascii nocase
$fr4="<REP>" wide ascii nocase
$fr5="fichier" wide ascii nocase
$de1="Volumeseriennummer" wide ascii nocase
$de2="<DIR>" wide ascii nocase
$de3="verzeichnis von" wide ascii nocase
$de4="Datei" wide ascii nocase
(all of ($eng*)) or (all of ($fr*)) or (all of ($de*))
And here is a link to my IOC file.
And with a little help from my friends, I might be able to update these files with other languages. Please feel free to send me "dir /s" dumps in other languages, I'd gladly integrate it into these detection rules.
vendredi 29 mars 2013
Par Cedric Pernet le vendredi 29 mars 2013, 14:06 - General
Rather than spending time adding links on the right side of this blog, I thought I might just provide you with a part of my RSS feeds.
For those who know me, you know that part of my personal technological watch is done via Twitter. I twit a lot, and use Twitter as my first source of information when it comes to staying up-to-date with cybercrime/DFIR/malware etc.
Yet I still run a RSS reader somewhere in one of my virtual machines, and sometimes fall on nice articles before they're twitted.
So here is my RSS feed for "computer forensics". Feel free to include it in your own RSS reader. There might be some old dead links though.
jeudi 20 mai 2010
Par Cedric Pernet le jeudi 20 mai 2010, 08:35 - Cybercrime
In brief, a carding forum is an Internet-based forum where carders are getting in touch, doing fraudulent business, exchanging stolen credit card/credentials, information, tools … One could think that such dark places would be hidden deeply on Internet, but some are very visible. You could also think that such forums would be highly secured, but sometimes they’re not. Well, carders.cc was as visible as vulnerable, it seems.
Anyway, back to our story. The hackers, naming themselves "happy ninjas" (and we all know ninjas are stronger than pirates...), managed to get access to all the data from carders.cc. Amongst these data were stolen banking credentials and credit card numbers from victims, but also, what interested me most, data about the carders themselves. They published some of these data on a public server. (I caught it just by reading some tweets…)
Numerous articles have already been published about the case, but I didn’t see any about the specific point of interest for me: the 3726 unique e-mail addresses of the members of the forum.
Seeing all these complete e-mail addresses, I asked myself some questions :
• Do the fraudsters have favorite e-mail services?
• Do the fraudsters use more gTLDs or ccTLDs?
• Do the fraudsters use only generic webmail providers, or do they also use specific providers? Maybe even corporate addresses?
I quickly started to parse and analyze the data, and the first results were there.
TOP 20 DOMAINS USED BY THE CYBERCRIMINALS (click the image to zoom)
From the 3726 unique e-mail addresses, there were 349 unique providers.
Carders.Cc is a German forum. Therefore, it is not surprising to see three German domains (web.de, gmx.de, hotmail.de) as being the most used provider. We can assume that if these people use a German e-mail address on an e-mail forum, using sometimes German nicknames, chances are that these cybercriminals don’t use proxies and browse the forum using their real IP address. This supposition has been confirmed by the happy ninjas :
“Sure, some of you maybe always used a proxy... Most of the administrators and moderators didn't. Did you?”
The first anonymous e-mail address provider is mail.3dl.am, ranked 12. This website garantees that your IP addresses are never logged when using their services. Sounds like a bulletproof webmail system.
Immediately following 3dl.am is owlpic.com, a temporary e-mail system. This allows people to register on the forum using a one-time e-mail address.
The 300 domains after the TOP 50 have been used less than 5 times, and 230 domains have been used in a single way. Some corporate companies are used. They are probably compromised accounts. This is interesting, but you will have to find them by yourself : for confidentiality purposes, I am not copying them in this document.
Now about the TLDs used:
TOP 8 TLDs used by the fraudsters (click the image to zoom)
We see .de is almost twice as much used as its follower, .com. Then it decreases quite fast.
Amongst the TLDs there are some ccTLDs which are quite surprising to witness here : .AM (Armenia) , .AI (Anguilla), and .MU (Mauritius)
.AM appears 67 times. The reason is the use of a mail.3dl.am free anonymous e-mail service in german language.
.AI appears 27 times, being used for hush.ai service.
.MU has been used 18 times for the domain kuh.mu, currently down.
I stop my little analysis right here, since I have already spent too much time on it yesterday night ;-)
Let me finish with some axes of researches:
• IP addresses. There are thousands of IP addresses linked to the fraudsters. It would be very interesting to have some statistics on these.
• Passwords. Cracking the passwords could provide us with funny statistics about most common passwords used, their length, their geekness, and so on… ;-)
Have fun ! :-)
« billets précédents - page 1 de 3