Wednesday, December 14, 2016

QuickSand.io Open Source version released

Today we are officially launching an open source licensed version of QuickSand.io: a C command line tool that scans document streams with Yara signatures for exploits and active content, and runs cryptanalysis attacks on XOR obfuscation to find embedded executables. Dubbed QuickSand_Lite, this version initially does not include the full cryptanalysis module, the brute force single byte XOR attack, or the XOR Look Ahead algorithm.

Github Repo https://github.com/tylabs/quicksand_lite


In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification, and a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is summed into an overall badness score for the sample. Generally, scores of 1-10 indicate active content such as macros; 10+ indicates exploits, or shell commands executed via the active content.

Exploit and Active Content Detection


  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails


XOR + ROL/ROR/NOT/ADD/SUB Embedded Executable Detection

  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails
  • PDF
  • TCP Streams data
  • Any non-executable file which may contain an XOR obfuscated exe

Executable Detection Target OS

  • Windows
  • Mac
  • Linux
  • VBS

XOR DB Cryptanalysis Attack


The XOR-DB attack uses a dictionary of common XOR keys up to 256 bytes long: ascending and descending byte sequences, algorithmically generated keys, and cafebabe variants. Because it only tries known keys it is far cheaper than the full cryptanalysis module, but it will miss any key that is not in the dictionary.
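The following is an added example, not QuickSand's own code, of a minimal XOR-dictionary attack of the kind described above, written in Python rather than C. The dictionary contents (a handful of entries standing in for the real database), the ROL direction reported, the helper names and the constructed sample are assumptions. It also shows the one detail a dictionary attack must get right: the key stream almost never starts at file offset 0, so each key is tried at every alignment and then re-phased to the payload start.

```python
# Added example (not QuickSand's code): XOR-DB style dictionary attack + ROL.
import struct

def pe_offset(buf: bytes) -> int:
    """Offset of an MZ header whose e_lfanew points at a 'PE\\0\\0' signature, or -1.
    The e_lfanew range check is a heuristic to cut false positives on random data."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            if 0x40 <= e_lfanew < 0x400 and buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                return off
        off = buf.find(b"MZ", off + 1)
    return -1

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rol8(data: bytes, n: int) -> bytes:
    n &= 7
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def ror8(data: bytes, n: int) -> bytes:
    return rol8(data, (8 - (n & 7)) & 7)

def build_xor_db() -> dict:
    """Small stand-in dictionary covering the categories named in the post."""
    db = {
        "ascending256": bytes(range(256)),
        "descending256": bytes(range(255, -1, -1)),
    }
    for k in (b"\x77", b"\xfd", b"\x6a"):            # frequent 1-byte keys (July post)
        db["byte_" + k.hex()] = k
    for h in ("cafebabe", "bafecabe", "fecabeba"):   # cafebabe variants...
        k = bytes.fromhex(h)
        for r in range(len(k)):                       # ...and every rotation of them
            rk = k[r:] + k[:r]
            db["rot_" + rk.hex()] = rk
    return db

def xor_db_attack(data: bytes, db: dict, max_rol: int = 7):
    """Try each key at every alignment, then ROL 0..max_rol on the result;
    return the first candidate in which a PE header appears."""
    for name, key in db.items():
        for shift in range(len(key)):
            k = key[shift:] + key[:shift]
            unxored = xor_stream(data, k)
            for rol in range(max_rol + 1):
                off = pe_offset(rol8(unxored, rol))
                if off != -1:
                    # re-phase so key[0] is the byte applied to the first payload byte,
                    # i.e. the key as the obfuscator actually used it
                    p = off % len(k)
                    return {"db_entry": name, "xorlen": len(k), "rol": rol,
                            "pe_offset": off, "key": (k[p:] + k[:p]).hex()}
    return None

def fake_pe() -> bytes:
    """Constructed PE-shaped blob: MZ header, e_lfanew = 0x80, PE signature, null padding."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

def constructed_sample() -> bytes:
    """Document-like container: fake PE obfuscated with ROR 5 then XOR 'cafebabe',
    placed at offset 14 so the key is deliberately not aligned to the file start."""
    payload = xor_stream(ror8(fake_pe(), 5), bytes.fromhex("cafebabe"))
    return b"{\\rtf1 header " + payload + b" trailer}"

if __name__ == "__main__":
    print(xor_db_attack(constructed_sample(), build_xor_db()))
```

On the constructed sample this reports xorlen 4, rol 5 and key cafebabe, the same shape as the xor/rol stream pair in the report demo below; the 256-byte entries cost 256 alignments each, which is why a real implementation keeps the dictionary attack ahead of any brute force.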


Web version

Our quicksand.io site runs the full version with up to the minute exploit signatures and additional trojan signatures.


Dependencies

Yara 3+ (searching via libyara)
zlib (deflate/uncompress)
libzip (unzip)


OS Compatibility

Designed for Linux and Mac command line. Windows is untested and not recommended for safe malware handling.


Download quicksand_lite Package

https://github.com/tylabs/quicksand_lite/releases/latest


Install Script - Dependencies for Mac/Linux

https://raw.githubusercontent.com/tylabs/quicksand_lite/master/INSTALL.txt

Build

cd quicksand_lite-1.01.001
chmod +x ./build.sh
./build.sh

Coming soon


  • Python integration
  • More exploit and trojan signatures


Full Version and Commercial Licensing

Contact TyLabs.com


Demo


mac:quicksand_lite tylabs$ ./build.sh 

[sample with active content and shell execution]
mac:quicksand_lite tylabs$ ./quicksand.out AELM\ Entertainment\ budget\ and\ Attendance\ allowance.xls 
 -0> root {9}
  md5:97da0784fddfef932d7d31884f088b40
  sha1:da3a8d1ea5b245f612da17ec7b252c45fd75adae
  sha256:b0de26080a84ba0b15ea3f471fe6be5392efe770c53dbe5c0a8ed439b05731c6
  sha512:5ebdb3d9970ec301af369198afa3a98b74e67455e19997cce59a75fff9b849da4c9eb4fcf528b307dcb92497ffa2f8c2473dd66ba4823300ae63247867e2461d
  head:d0cf11e0a1b11ae1
  size:114688
  yara:exploits:warning_vb_macro
  yara:exploits:exploit_vb_execute_shell
  yara:exploits:warning_vb_autoopen
  yara:exploits:warning_vb_fileio
  structhash:z
  qsversion:01.01.001
  qstime:2016:12:14 17:52:32
  score:13
  is_malware:2

[sample with 4 byte xor key]
mac:quicksand_lite tylabs$ ./quicksand.out cafebafe.rtf 
 -0> root {6}
  md5:9725ebae48dd461f7a735c521dad2810
  sha1:6971b204485d6930aa791c3a79285f12e3764b49
  sha256:170a3e92343977a7463d2a60cb6625f53aeb0e6a68aee0805df0599f794bcd8e
  sha512:369e7f86a6d8f48e72f9edc883a21a8fcf1fcaa802fd272688f8d7eb0446888dd8870864ba9e87746c85a8addebae1bd083e027d519957d2dc0a3a20828e0088
  head:7b5c727420202020
  size:1298407
  yara:exploits:warning_rtf_embedded_file
  structhash:7wh9sJ0nLTfjJ45n6LU0rgOlK0fAafocfTCBt3POUO0VZaUnzDDiLhXphX4mCZUxN0UN9w1I2T
  qsversion:01.01.001
  qstime:2016:12:14 17:52:50
  score:12
  is_malware:2

  -1> xor {3}
   md5:0e3ae1ec3673a8b64e3b52eca0a7211d
   sha1:990a3401ed3fa122ec25324d7c1c8ad2a6e7d7a0
   sha256:281adc83803543b91d58be7bd374947b1b65dc9ae8b44db1014704adbd22b057
   sha512:4951a28d3016b6ef610bccae094e06eb530f1870751f7387599cd4ccc74c39bb1dc7d6d4e27f8a2405ac4d5c03fbb48e2152332c8dd0acbab6b53e6558ed9726
   head:b1e2c88aea9e9ade
   parentsha256:170a3e92343977a7463d2a60cb6625f53aeb0e6a68aee0805df0599f794bcd8e
   size:1298407
   yara:executable:executable_win_pe
   xortkey:cabebafe
   xorlen:4

[sample with 256 byte xor key + rol 5]
mac:quicksand_lite tylabs$ ./quicksand.out test2.doc 
 -0> root {7}
  md5:5fecc4c4479c32e31da84939ae9be618
  sha1:0582e3f991cd2c5340caf9263c1fa52037903ea9
  sha256:ae7b64f301a1281e71c261531cd7dc279240e6c4b1d2d5cccd4b2d03aebb3d1e
  sha512:009bd4dd17fde834a93993f9178c59107134ca6cc0c232e9f36c5255f05863e2ae78c3ab7bb2321e4b759bd240a412fb7cddf0db03b765586ebd7564f3bd8cc3
  head:d0cf11e0a1b11ae1
  size:343040
  yara:exploits:exploit_cve_2012_0158
  yara:exploits:warning_vb_macro
  structhash:zPj
  qsversion:01.01.001
  qstime:2016:12:14 17:53:14
  score:23
  is_malware:2

  -1> xor {2}
   md5:ca1a8b2c459e65a5acd1d27325641ce9
   sha1:c70f343c69b707f98ca947edc8f1098a3f0f7f77
   sha256:eaa2a02d5c7e89ba19055a1a7b2a53bec0fc2062b256ee050fbeb051e6e8986b
   sha512:2ab8172b11807e40c567517b6d7d464586d4006c209f6e48cf49ceb0222a649ccff47fb7de473600d4ca2e2f8d275a5f54705a09b5f7ca88fab208bf4bf18519
   head:d030ef1d5d4ae018
   parentsha256:ae7b64f301a1281e71c261531cd7dc279240e6c4b1d2d5cccd4b2d03aebb3d1e
   size:343040
   xortkey:[256-byte key omitted]
   xorlen:256

   -2> rol {2}
    md5:25324b386571448ac1cb50cc73e016cd
    sha1:94c173f3c676b0d398b2be6b1b94fb6038c33c02
    sha256:5ddab6dee79478389d7c06d31fc238ba7b01d6d08dd181dea7e99a816ed38e30
    sha512:abc932d09df4abd7c9b62a78a2beb78f19cd7920568f9e7dc14a7f4e1ec4516e2ae108495d8d9257591a903dc6bc19f7b256637598d6b0373b7a2aac9a394f59
    head:1a06fda3ab491c03
    parentsha256:eaa2a02d5c7e89ba19055a1a7b2a53bec0fc2062b256ee050fbeb051e6e8986b
    size:343040
    yara:executable:executable_win_pe
    rol:5

mac:quicksand_lite tylabs$ 



Tuesday, December 13, 2016

Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and QuickSand.io.

PDFs


Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.

Results

PDFExaminer returns a score above 0 and below 10 for active content; don't trust a PDF with active content that arrives by email. Some complicated forms, such as passport applications, contain a lot of JavaScript but are safe, and PDFExaminer lets an experienced analyst drill down to view the actual JavaScript. A score over 10 together with a CVE-20XX-XXXX exploit ID is definitely bad: don't open those at all. See "Cryptam and QuickSand.io for all non-executable files" below for further analysis you can do on a PDF to find obfuscated embedded executables.


Cryptam and QuickSand.io for documents


Both Cryptam and QuickSand.io parse all the various streams that can occur within an Office document such as Word, PowerPoint or Excel, plus interchange formats such as RTF and MIME MSO XML.

Results

Scores over 0 but under 10 indicate active content such as macros or ActiveX controls; again, don't trust active content from unknown sources or in emails. Scores over 10 usually mean a macro executes a shell command or a known CVE-20XX-XXXX exploit was found.

Cryptam and QuickSand.io for all non-executable files 

For non-executable files (documents, PDFs, images, TCP streams) Cryptam and QuickSand.io attempt to find obfuscated embedded executables: Windows, Mac or Linux binaries, or VBS scripts. Both tools attack XOR and ROL/ROR/NOT obfuscation using different cryptanalysis techniques and may get different results. Generally the final results should be very similar between the two tools; if you find a sample which returns different or no results in one tool but a positive malware verdict in the other, please let us know.

Results 

For PDFs and non-document files, Cryptam and QuickSand.io only report whether an embedded executable was found, so a score of 0 on a PDF means only that no executable was found; you still need to check the PDFExaminer results for PDF-specific exploits. For Office documents, a score of 0 means no known exploits or embedded executables were found.


Errors and Feedback

Contact us if our tools may have missed something and you think a sample is bad, or if we detected something as bad that's actually safe.


Coming Soon to a Command Line Near You

A portable C command line version of QuickSand.io, for free, with no web or internet dependencies.
We'll tell you where to find it on GitHub and how it differs from the full commercial version in the next post. Crack some of those pesky 256 byte XOR keys without uploading your secret stash of APT malware samples to us.


Monday, November 7, 2016

QuickSand += structhash

We are pleased to announce version 2 of QuickSand.io's structural hashing algorithm, "structhash", which fingerprints the structure of an Office document or RTF.

Typical weaponization of a malicious document uses a skeleton exploit document as part of the exploit builder process. Usually this skeleton is specific to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign-specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early zero-day usage usually follows this model too: one group's zero day is outed and other groups replace the original payload with their own, so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads, the underlying core of a malicious document doesn't change much, so the structhash lets you track exploits from the same author or exploit kit and reduces the workload of attributing samples to campaigns.

Recent APT 28 / Sofacy group / Fancy Bear attacks used the CVE-2016-4117 exploit. Looking at a known sample from Palo Alto Networks Unit 42's report on the "Dealer's Choice" campaign:

DealersChoice.B: SHA256:af9c1b97e03c0e89c5b09d6a7bd0ba7eb58a0e35908f5675f7889c0a8273ec81 structhash is gV9m3kqVr5qe7FY



We can then search for QuickSand structhash gV9m3kqVr5qe7FY:



We then find the second sample sha256: cc68ed96ef3a67b156565acbea2db8ed911b2b31132032f3ef37413f8e2772c5 which also has the structhash of gV9m3kqVr5qe7FY.

As you can see, the structhash can be a powerful tool for grouping maldocs by campaign. When viewing a QuickSand.io report, click the "root" stream to find the structhash, then search for more samples from our sample set here.

Tuesday, September 20, 2016

QuickSand.io In Depth - Part 2 The Reports

QuickSand.io Reports

Today we're going to dig into the QuickSand.io document malware analysis report and how an analyst can drill down into the results and extracted executables.



Header

The report header contains the information you'd expect: analysis time (for submission times you'll have to look at the submissions JSON page), file hashes, is_malware (0 for clean, 1 for suspicious active content, 2 for exploits and embedded executables), score (each Yara rule for exploits or active content adds to the score), runtime (it's fast), and the Yara hits: exploits (CVE numbers), executables (Windows/Mac/VB and whether a PE header was found), and general (the trojan signatures from Malware Tracker).


QuickSand.io Report Header

Streams

The streams section of the report is where you can dig deeper into the content and cryptanalysis results. Clicking the headers expands the sections, and the indentation shows the object relationships. Grey titles are less interesting, red ones have exploits, and brown ones have executables.

The distribution item in the root stream can be very useful. It maps the file block by block: X marks the part of the file where an embedded executable exists, 0 marks null sections, F marks 0xFF-filled sections, 1 marks high-entropy areas, and A marks ASCII sections such as most of an RTF file.
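As an added illustration (not QuickSand's code) of how such a distribution map is built, here is a Python block classifier using the same letters. The 4 KiB block size, the entropy and printable-ratio thresholds, and the "." class for blocks that fit no category are assumptions; the executable ranges passed in would come from the XOR/ROL attack, and the sample file is constructed inline.

```python
# Added example (not QuickSand's code): block-distribution map of a file.
import math
import random
from collections import Counter

BLOCK = 4096  # assumed granularity; the real tool's block size is not stated on the page

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_block(block: bytes) -> str:
    """0 = all null, F = all 0xFF, A = mostly printable ASCII, 1 = high entropy, . = other."""
    if not block.strip(b"\x00"):
        return "0"
    if not block.strip(b"\xff"):
        return "F"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in block)
    if printable / len(block) > 0.9:
        return "A"
    if entropy(block) > 6.5:
        return "1"
    return "."

def distribution(data: bytes, exe_ranges=()) -> str:
    """One character per block; any block overlapping a found executable is marked X.
    exe_ranges is a list of (start, end) byte offsets produced by the deobfuscation step."""
    out = []
    for start in range(0, len(data), BLOCK):
        end = min(start + BLOCK, len(data))
        if any(s < end and e > start for s, e in exe_ranges):
            out.append("X")
        else:
            out.append(classify_block(data[start:end]))
    return "".join(out)

def constructed_sample() -> bytes:
    """Constructed file: two null blocks, an RTF-like ASCII block, a high-entropy
    (seeded pseudo-random) block standing in for packed/obfuscated data, an 0xFF block."""
    rng = random.Random(1)
    ascii_block = (b"{\\rtf1\\ansi some document text}\n" * 200)[:BLOCK]
    high_entropy = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return b"\x00" * (2 * BLOCK) + ascii_block + high_entropy + b"\xff" * BLOCK

if __name__ == "__main__":
    doc = constructed_sample()
    print(distribution(doc))                                   # no executable known yet
    print(distribution(doc, [(3 * BLOCK + 200, 4 * BLOCK)]))   # after a PE was found in block 3
```

A macro-only document like the one discussed further down would come out as a run of "0" with perhaps one "A" or "1" block, which is exactly the "not enough entropy to hold an EXE" signal the text describes.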

We are also working on a structural hash structhash of the file which can help find samples from the same attacker or exploit kit.


QuickSand.io Streams section

DOCX Files

For docx files you'll see the hierarchy of files within the zip, and embedded OLE files or high-entropy data are analyzed for embedded executables as well.





Macros and No Embedded exe's

A lot of the new macro malware won't have an embedded exe; using the distribution results below, we can see the file is mostly null blocks ("0") and does not have enough entropy to contain a built-in EXE.


XOR

The XOR section shows xorkey for keys found by cryptanalysis, or xortkey for a key found in the key dictionary.


XOR block

ROL

The ROL section shows the bitwise rotation used. Click the sha256 link for a hex dump of the section, and (str) for the extracted strings.

Rol/Ror block


Dropped Files

The dropped files section is similar: click the number (1) to see the hex dump and (str) to see the strings. The strings can help you get a quick ID of the trojan or find some unique strings for a quick Yara rule.

Tip: hex dumps can be converted back to files: # xxd -r webhexdump.txt > malware.virus

dropped file hex dump


dropped file extracted strings

JSON

The bottom of the page has links to a JSON version of the report and a JSON of the submissions (date, original filenames).


Thursday, September 8, 2016

QuickSand.io in depth

In addition to our Cryptam tool, we created QuickSand.io, a fast C document forensics tool which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI and a C library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.

Exploits

Known exploits are scanned for using embedded Yara; document streams are decoded first (hex, base64, zip, gzip). We don't handle PDF streams; you'll still need PDFExaminer.com for that.

Finding Embedded exe's

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

  • XOR Lookahead - where the current byte is XORed with the following byte.
  • Math ciphers - ADD 1 to 255 (equivalent to SUB 255 to 1, since the arithmetic is modulo 256).
  • Bitwise NOT
  • Brute force 1 byte XOR - for when null space is not replaced.
  • Odd XOR key lengths


Example odd xor length:

This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}
  md5:112c64f7c07a959a1cbff6621850a4ad
  sha1:e7f7f6caaede6cc29c2e7e4888019f2d1be37cef
  sha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
  sha512:45e7807bc0ed6b8ab6ecf458c34edebb8781ed928e0b0649d73cf0d981513113160afc3c1dee5cd290a0053357d155fe1b129d342fc2d1072bcb039e972cc61b
  size:367631
  yara:exploits:exploit_cve_2015_2424
  score:30
  is_malware:2

  -1> xor {3}
   md5:31e676fd243e031170be515987784883
   sha1:69b22e4bd485f4486cf0f16aa4f894acb530b6f8
   sha256:a78eb148cd918b0e3e31a42dcfa3eaade731d9c2a935120d2b05428df06f78a0
   sha512:dd8e5bb444269ab4a3bca4c9754d931c7d70c462b5523e98d4dd5124d8196ada9f3e2675bf077998332de04e625c4e3f61b8b63341d58e614aa8d2e52213e17f
   parentsha256:9e5fbd79d8febe7a162cd5200041772db60dc83244605b1ff37ef8d14334f512
   size:367631
   yara:executable:executable_win_pe
   xorlen:21
   corky:5cf193921cad62018eb1cf638f3f7eacecb041d240
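The block below is an added example, not QuickSand's code, that implements the optional attacks listed above and the null-space cryptanalysis that the default attack relies on (a PE is mostly 0x00, so under a repeating XOR key the most frequent ciphertext byte in each key column is the key byte itself). It then recovers a 21-byte key from a constructed sample, the same odd length as the report above. Function names, the 0.5 null-fraction threshold, the coarse PE check, and my reading of "look-ahead" as c[i] = p[i] ^ p[i+1] are all assumptions.

```python
# Added example (not QuickSand's code): optional attacks and null-space XOR key recovery.
from collections import Counter

def looks_like_pe(buf: bytes) -> bool:
    """Coarse check, adequate for the constructed sample; use a real PE parser in practice."""
    return b"MZ" in buf and b"PE\0\0" in buf

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(data: bytes, keylen: int, min_null_frac: float = 0.5):
    """Null-space attack for one candidate key length. Returns None when no byte
    dominates a column: wrong length, or the nulls were replaced by the obfuscator."""
    key = bytearray()
    for pos in range(keylen):
        column = data[pos::keylen]
        if not column:
            return None
        byte, count = Counter(column).most_common(1)[0]
        if count / len(column) < min_null_frac:
            return None
        key.append(byte)
    return bytes(key)

def null_space_attack(data: bytes, max_keylen: int = 256):
    """Try every key length from 1 up; the shortest one whose key yields a PE wins
    (multiples of the true length would also work, which is why we stop at the first hit)."""
    for n in range(1, max_keylen + 1):
        key = recover_xor_key(data, n)
        if key is not None and looks_like_pe(xor_stream(data, key)):
            return key
    return None

def brute_force_single_byte(data: bytes):
    """Fallback when the statistics fail: try all 256 single-byte keys."""
    for k in range(256):
        if looks_like_pe(bytes(b ^ k for b in data)):
            return k
    return None

def add_cipher(data: bytes, k: int) -> bytes:
    """Math cipher: ADD k mod 256. SUB k is the same as ADD (256 - k), so 1..255 covers both."""
    return bytes((b + k) & 0xFF for b in data)

def bitwise_not(data: bytes) -> bytes:
    return bytes(~b & 0xFF for b in data)

def xor_lookahead_encode(p: bytes) -> bytes:
    """Each byte XORed with the following plaintext byte; the last byte passes through."""
    if not p:
        return p
    return bytes(p[i] ^ p[i + 1] for i in range(len(p) - 1)) + p[-1:]

def xor_lookahead_decode(c: bytes) -> bytes:
    """Undo the above by walking backwards from the untouched last byte."""
    if not c:
        return c
    p = bytearray(len(c))
    p[-1] = c[-1]
    for i in range(len(c) - 2, -1, -1):
        p[i] = c[i] ^ p[i + 1]
    return bytes(p)

def fake_pe(size: int = 2048) -> bytes:
    """Constructed PE-shaped blob: MZ header, e_lfanew = 0x80, PE signature, null padding."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

def constructed_sample(keylen: int = 21):
    """fake_pe() under a repeating key of the requested (odd) length; returns (cipher, key)."""
    key = bytes((i * 37 + 11) & 0xFF for i in range(keylen))
    return xor_stream(fake_pe(), key), key

if __name__ == "__main__":
    cipher, key = constructed_sample(21)
    print("recovered:", null_space_attack(cipher).hex(), "expected:", key.hex())
```

Note why the single-byte brute force exists at all: if the obfuscator overwrites the null space of the executable, no column is dominated by one byte and recover_xor_key returns None, so the statistical attack has nothing to work with while trying all 256 keys still does.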

More to follow.

Thursday, July 14, 2016

Document Malware XOR distribution or dial M for Malware

We took a sampling of 5448 recent malware documents with an XOR encoded executable detected by Cryptam. Normally we spend most of our time looking at APT samples with 256 byte keys, so the recent results, which lately include quite a bit more crimeware, were surprising.

26% of samples were encoded with the 1 byte key 0x77, followed by 11.6% with 0xFD and 6.5% with 0x6A. In total 59% of samples had a one byte key.
We tried to look into the significance of this high a rate of 0x77. In ASCII, 0x77 is a lowercase 'w'; 7 is the country code for Russia, and decimal 77 would be 'M' in ASCII. According to Wikipedia, during World War II in Sweden at the border with Norway, "77" was used as a password, because the tricky pronunciation in Swedish made it easy to instantly discern whether the speaker was native Swedish, Norwegian, or German.
7.6% of samples were encoded with variants of 0xCAFEBABE, 0xBAFECABE and 0xFECABEBA. 10% of samples used 4 byte keys.
Only 21% were 256 byte keys. Of those, 42% are the incrementing pattern 000102030405... and 16% the opposite decreasing pattern FFFEFDFCFB...

As always, you can submit your suspicious documents for analysis with Cryptam here.