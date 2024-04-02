



Have you found yourself responding to an alert that one of your employees downloaded a malicious version of Advanced IP Scanner? Or are you a system administrator or IT professional who downloaded a malicious version of Advanced IP Scanner yourself? This has become quite common: people search for legitimate admin tools to download, and threat actors host very convincing malicious copies that are surfaced through malvertising (malicious ads, for example on Google Ads). Now let's say you want to dig deeper and retrieve the file yourself, but you run into issues such as:

- I deleted the file that the employee downloaded
- The URL I clicked redirects me to the actual Advanced IP Scanner website
- I tried to get an ad to pop up on Google Search, but it doesn't work

I was dealing with this exact scenario recently, and the method I chose was to fool the site into thinking the visit came from a Google ad click. I chose this method mainly because, at the time, it seemed to be the only way to get the initial file. The original file no longer existed on the user's machine, but I still wanted to analyze it. When you visit the malicious URL, the website redirects you to the genuine Advanced IP Scanner website, so you decide to try tricking it. (I'll explain later that this wasn't necessary and that I was overthinking it.)

The site used in this scenario is `hxxps://advanced[.]ip-scanner[.]co` (do not visit this particular link).

As mentioned earlier, I wanted to retrieve the original file so that I could analyze it. My purpose in analyzing this file is simply to see what it does. Does it call back to a C2 (command and control) server? Does it establish persistence on the host so the threat actor can reconnect to the system? Does it pull down more malicious code after the initial file is deleted? Does it try to steal user credentials from the host? These are the basic questions we want to answer in our analysis, but we need the file to do this.

So let's grab it. Let me show you what happens when you get there. In my case, I am redirected to the legitimate Advanced IP Scanner website instead of the malicious one.

Note the canonical URL; the fake website, however, looks identical.

Well, why not Google it? Maybe we can get an ad to display?

No, in this case you get the legitimate site. (Previous malvertising campaigns have spoofed the URL displayed in the ad, so this time I verified by visiting the site.)

I still want this website to believe the visit came from a Google ad click and serve the malicious page instead of the legitimate one. I need to get the malicious download, so what should I do? Well, my first thought was to see what happens when I click on an ad for another legitimate site. What kind of cookie or header data tells a website that the visitor came from a Google ad click?

In this case, I opened the browser's developer pane (`F12`), clicked the `Network` tab, and clicked on the ad that leads back to the legitimate advanced-ip-scanner.com.

The developer pane helps you find the relevant network requests and track down the headers you need to edit.

After a few pokes, I realized that the top result was the one I wanted to investigate further. Click on this result and see what you get.

Scroll down and under `Request Headers` you will see the following line:

Now, let's go to Postman and give it a try. For those unfamiliar, Postman lets developers make HTTP requests and test API responses. That way you can freely edit headers, supply cookie data, and see what kind of response the website returns. Create a new GET request in Postman with a `Referer` header whose value is https://www.google.com/.

Using Postman to connect to the malicious site with the Referer header set to Google's referrer.

Let's see if this works. Let's hit `Send`.

This image shows the raw HTML response when visiting the malicious site with the header set.

That's it! You can see some references to `advanced-ip-scanner.com` in the screenshot, but that's because the attacker cloned the site verbatim. There are slight differences in the resulting pages when you connect with and without the Referer.

So at this point I would like to find the download. I'll `Ctrl+F` for the word `download`.

Look! Let's access the following directory: `advanced-ip-scanner[.]com/download/`.

There it is. Now, before we do a little digging, remember when I said earlier that this wasn't even necessary and that I was overthinking it?

Well, it turned out that only the main page of `advanced[.]ip-scanner[.]co` redirects if the Referer is wrong. All I had to do was add `/download`, and the open directory was visible with or without the Referer header. But hey, hindsight is 20/20.
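To reproduce the Postman step and the Ctrl+F check from an analysis VM, here is an added Python helper (not part of the original post): it builds the request with and without a `Referer`, diffs the two bodies to surface the cloaking, and pulls out download links. The two HTML snippets are constructed stand-ins for the responses, and `fetch` is the only function that touches the network.

```python
import difflib
import re
import urllib.request

# The referer value observed in the post's Network tab (mimics an ad click).
GOOGLE_REFERER = "https://www.google.com/"


def build_request(url, referer=None):
    """Build the GET request Postman sent, optionally carrying a Referer header."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("User-Agent", "Mozilla/5.0")  # some cloakers also key on UA
    if referer:
        req.add_header("Referer", referer)
    return req


def fetch(url, referer=None, timeout=15):
    """Return (final_url, body). Network call: run only from an isolated analysis VM."""
    with urllib.request.urlopen(build_request(url, referer), timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", errors="replace")


def response_differences(body_without_referer, body_with_referer):
    """Changed lines between the two responses: evidence of Referer-based cloaking."""
    diff = difflib.unified_diff(body_without_referer.splitlines(),
                                body_with_referer.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def find_download_links(html):
    """The Ctrl+F 'download' step: every href that mentions download."""
    return sorted({h for h in HREF_RE.findall(html) if "download" in h.lower()})


# Constructed HTML standing in for the two responses (not real captures).
LEGIT_PAGE = '<a href="https://www.advanced-ip-scanner.com/download/">Free Download</a>'
CLONED_PAGE = '<a href="/download/apps2co.php">Free Download</a>'

if __name__ == "__main__":
    for line in response_differences(LEGIT_PAGE, CLONED_PAGE):
        print(line)
    print(find_download_links(CLONED_PAGE))
```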

Let's do a little digging. I found `ipscanner.txt` interesting, mainly because of the naming convention. `dl.php` and `dwnl.php` are probably related to the download logic, but I'm not sure about `apps2co.php`. For now, let's start with `ipscanner.txt`. So let's check it out.

This is Base64 encoding, commonly used by attackers to obfuscate code and help executables slip past security controls.

Although it may not be immediately obvious, this is very interesting because it looks like Base64 encoding. Let's decode it. Off to CyberChef! For those unfamiliar, CyberChef is a great web-based tool for data analysis. It helps decompress, decode, and decrypt data and is a Swiss Army knife for cybersecurity professionals.

That's interesting. The image above shows the original content of `ipscanner.txt` as the input. My recipe is shown in the top right, highlighted in green: I'm just applying From Base64 to decode the text. You can see the output at the bottom right. It's an executable file.

An easy way to tell that this is an executable is the string "This program cannot run in DOS mode" near the top of the output; it's a clear sign of an `.exe`. You can download this in several different ways. In CyberChef you can save the output as a file by clicking the Save output button (the little floppy disk icon above the output), give it an `.exe` extension, and there's the malicious executable. But I would like to show another way.

Download the raw Base64 to your VM (virtual machine) as a `.txt` file and decode it with certutil using the command `certutil -decode source destination`.

In the screenshot above, I'm simply running `certutil -decode raw.txt decoded.exe`, where `raw.txt` contains the original Base64 and the output is written to `decoded.exe`. Certutil is often used by threat actors in exactly this way, to carve an `.exe` out of encoded data on the target system, which is why most EDR products typically alert on it.

I got the file! I also used `Get-FileHash` to take the SHA256 hash and compared it to the hash referenced in all of the triggered alerts. They match, confirming that this is the malicious file.
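The certutil and Get-FileHash steps above, as an added Python example that is not from the original post: strip the line wrapping and Base64-decode, check for the MZ magic, the DOS stub string and a valid `PE\0\0` signature, then compare the SHA256 against the hash quoted in the alert. `FAKE_EXE` is a constructed 132-byte stand-in for the real sample, so the hashes here are not the alert's.

```python
import base64
import hashlib
import hmac
import struct


def decode_payload(b64_text):
    """Equivalent of `certutil -decode`: drop whitespace/line breaks, then Base64-decode."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def has_dos_stub_string(data):
    """The tell-tale string spotted near the top of the CyberChef output."""
    return b"This program cannot run in DOS mode" in data[:1024]


def looks_like_pe(data):
    """MZ magic present and e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sha256_hex(data):
    """Same digest PowerShell's Get-FileHash -Algorithm SHA256 reports (lower-case here)."""
    return hashlib.sha256(data).hexdigest()


def matches_alert_hash(data, alert_sha256):
    """Case-insensitive, constant-time comparison against the hash quoted in the alert."""
    return hmac.compare_digest(sha256_hex(data), alert_sha256.strip().lower())


# Constructed stand-in for ipscanner.txt (NOT the real sample): a fake PE with an
# MZ header, the DOS stub string, and e_lfanew pointing at 'PE\0\0' at offset 0x80.
_stub = b"This program cannot run in DOS mode.\r\r\n$"
FAKE_EXE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + _stub
            + b"\x00" * (0x80 - 64 - len(_stub)) + b"PE\x00\x00")
FAKE_IPSCANNER_TXT = base64.encodebytes(FAKE_EXE).decode()  # wrapped at 76 columns

if __name__ == "__main__":
    blob = decode_payload(FAKE_IPSCANNER_TXT)
    print("PE:", looks_like_pe(blob), "DOS stub:", has_dos_stub_string(blob))
    print("SHA256:", sha256_hex(blob))
```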

Now, what about the rest of the `/download` directory? Well, as it turns out, I was trying too hard again.

Clicking the `apps2co.php` link in that directory serves the decoded `.exe` directly. And when you compare its hash with the alert's original hash and the hash of the `.exe` I decoded, you get the same hash.

(At this point this would turn into a blog about static and dynamic malware analysis, so I won't go any further. But I hope you enjoyed reading this article as much as I enjoyed digging in.)

Investigative theory dictates that when investigating an alert, you should formulate answerable questions relevant to the situation. The question I asked myself that started me down this rabbit hole was, “What does this file do?” To answer it, my original intention was to download the original malicious file so I could analyze its behavior. This not only helps you understand what the file is doing, but also helps you dig deeper and make sure your host is clean.

A fun and informative exercise that shows how security analysts can retrieve original files when a malicious website is set up to redirect them as a way of hiding from security personnel. I hope the content was informative.

Thanks to my colleague Jai Minton for digging into this with me. For more of his insights, check out his blog here.

A version of this article originally appeared on Medium.

Sources
1/ https://Google.com/
2/ https://www.huntress.com/blog/analyzing-a-malicious-advanced-ip-scanner-google-ad-redirection

