Sunday, August 10, 2014

Countering darknet tracking docs with Cryptam (and yara)

We've been keeping an eye on the big conferences going on this week (Black Hat, Defcon and BSidesLV) and noticed an interesting presentation at this year's Defcon: "Dropping Docs on Darknets: How People Got Caught".

We noticed that Adrian Crenshaw's (@irongeek_adc) demo file track.docx included some external images, which were used to track Tor users out-of-band via MS Office.

Scanning the content of an OpenXML docx file is a good use for Cryptam's Yara integration, so we created a quick Yara rule to detect the use of external images in the way shown in this presentation. It will also work on some variants of this technique, such as a docx embedded within an OLE document or within an RTF file.

rule openxml_remote_content
{
    meta:
        ref = ""
        author = "Malware Tracker @mwtracker"
        date = "Aug 10 2014"
        hash = "63ea878a48a7b0459f2e69c46f88f9ef"

    strings:
        $a = "" ascii nocase    // string value missing on the page as rendered
        $b = "TargetMode=\"External\"" ascii nocase

    condition:
        all of them
}

Cryptam results on the PoC are here, with the openxml_remote_content rule detected.
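To show what the rule is keying on inside the package, here is an added Python example (not from the original post, and not Cryptam's code). It unzips a docx, reads every .rels part and lists the relationships whose TargetMode is "External", then separates linked images (which Word fetches while rendering the document) from hyperlinks (which only resolve on a click). The sample docx, the tracker URL in it and the raw_match helper are constructed for this demo; the relationship namespace and type URIs are the standard OpenXML ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves on its own while rendering. A hyperlink only
# resolves when clicked, so an external image is the out-of-band tracking concern.
AUTO_FETCH_TYPES = {"image", "oleObject"}


def build_sample_docx(image_url=None):
    """Constructed minimal docx (not a real sample). With image_url set, the picture
    is a linked image: the bytes live outside the package and Word goes to fetch them."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    if image_url:
        rels.append(f'<Relationship Id="rId1" Type="{REL_TYPE_PREFIX}image" '
                    f'Target="{image_url}" TargetMode="External"/>')
    rels.append(f'<Relationship Id="rId2" Type="{REL_TYPE_PREFIX}hyperlink" '
                'Target="https://example.invalid/page" TargetMode="External"/>')
    rels.append(f'<Relationship Id="rId3" Type="{REL_TYPE_PREFIX}styles" Target="styles.xml"/>')
    rels.append('</Relationships>')
    content_types = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '</Types>')
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Parse every .rels part in the package and return (part, type, target) for each
    relationship whose TargetMode is External, i.e. a resource outside the zip."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # A missing TargetMode means Internal (a part inside the package).
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def auto_fetched(rels):
    """Keep only the external relationships Word resolves without user interaction."""
    return [r for r in rels if r[1] in AUTO_FETCH_TYPES]


def raw_match(data):
    """The substring check the Yara rule's $b string makes on already-decoded content,
    for the variants where the docx XML is carried uncompressed inside an RTF or OLE file."""
    return re.search(rb'TargetMode="External"', data, re.IGNORECASE) is not None


if __name__ == "__main__":
    sample = build_sample_docx("http://tracker.example.invalid/pixel.png")  # constructed URL
    for part, rel_type, target in auto_fetched(external_relationships(sample)):
        print(f"{part}: {rel_type} fetched from {target}")
```

Parsing the relationship parts rather than grepping the raw file is what makes this robust against the zip's deflate compression; the Yara approach relies on the scanner (Cryptam here) having already inflated the parts. Note that hyperlinks legitimately use TargetMode="External", so a rule that fires on that string alone needs triage by relationship type, which is what auto_fetched does.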
