Sunday, August 10, 2014

Countering darknet tracking docs with Cryptam (and yara)

We've been keeping an eye on the big conferences going on this week - Blackhat/Defcon/BSidesLV - and noticed an interesting presentation at this year's Defcon: "Dropping Docs on Darknets: How People Got Caught".

We noticed Adrian Crenshaw's (@irongeek_adc) demo track.docx included some external images, which were used for tracking TOR users out-of-band in MS Office.

Scanning within the content of an OpenXML docx file (the unpacked parts of the zip container, not just the raw file bytes) is a good use for Cryptam's Yara integration, so we created a quick Yara rule to detect the use of external images in the way shown in this presentation. It will also work on some variants of this technique, such as a docx embedded within an OLE document or within an RTF file.

rule openxml_remote_content
{
    meta:
        ref = "https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Crenshaw"
        author = "Malware Tracker @mwtracker"
        date = "Aug 10 2014"
        hash = "63ea878a48a7b0459f2e69c46f88f9ef"

    strings:
        $a = "schemas.openxmlformats.org" ascii nocase
        $b = "TargetMode=\"External\"" ascii nocase

    condition:
        all of them
}

Cryptam results on the PoC are here, with the openxml_remote_content rule detected.
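To show why the rule has to run over the unpacked docx content and what an analyst gets back from it, here is an added Python example (not Cryptam's or Malware Tracker's code). It builds a constructed, minimal docx in memory, applies the same two-string "all of them" logic as the openxml_remote_content rule to the decompressed parts, and then parses every .rels part for relationships with TargetMode="External" so the URL that Office would fetch on open is reported. The image URL tracker.example is a made-up placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# The two strings of the openxml_remote_content Yara rule; the rule uses
# "ascii nocase" and "all of them", so both must appear, case-insensitively.
RULE_STRINGS = (b"schemas.openxmlformats.org", b'TargetMode="External"')

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def build_sample_docx(external_image_url=None):
    """Constructed minimal docx (not a real document). When external_image_url is
    given, word/document.xml references an image served from a remote URL, which
    is the OpenXML feature the tracking document in the talk relies on."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    body = "<w:p><w:r><w:t>hello</w:t></w:r></w:p>"
    if external_image_url:
        rels.append(f'<Relationship Id="rId1" Type="{IMAGE_REL}" '
                    f'Target="{external_image_url}" TargetMode="External"/>')
        # r:link (rather than r:embed) is how a picture points at an external part
        body += '<w:p><w:r><w:drawing><a:blip r:link="rId1"/></w:drawing></w:r></w:p>'
    rels.append("</Relationships>")
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        f"<w:body>{body}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def rule_openxml_remote_content(data):
    """Apply the Yara rule's string logic to a byte blob."""
    lowered = data.lower()
    return all(s.lower() in lowered for s in RULE_STRINGS)


def scan_docx_content(docx_bytes):
    """Decompress every part and run the rule over the unpacked content. A docx is
    a DEFLATE-compressed zip, so scanning the raw file bytes would miss the strings."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        content = b"".join(z.read(name) for name in z.namelist())
    return rule_openxml_remote_content(content)


def find_external_targets(docx_bytes):
    """Return (part, Id, Type, Target) for every TargetMode="External" relationship,
    so the analyst sees exactly which URL Office would contact when the file opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    hits.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return hits


if __name__ == "__main__":
    tracked = build_sample_docx("http://tracker.example/pixel.png")  # constructed URL
    print("raw-file rule match:", rule_openxml_remote_content(tracked))
    print("unpacked-content rule match:", scan_docx_content(tracked))
    for part, rid, rtype, target in find_external_targets(tracked):
        print(f"{part}: {rid} ({rtype.rsplit('/', 1)[-1]}) -> {target}")
```

Running it prints a raw-file match of False and an unpacked-content match of True for the same sample, which is the reason Cryptam unpacks the container before handing it to Yara. The relationship listing is the part worth keeping in an analyst's report: a benign document with only embedded (r:embed) images yields an empty list, while a tracking document shows the image relationship and its remote Target.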