
S3E2: Hacking Tracking Pix & Macro Stomping Tricks

State of the Hack

English - February 10, 2020 18:00 - 42 minutes - 29.6 MB - ★★★★★ - 28 ratings
On today's show, Nick Carr and Christopher Glyer break down the
anatomy of a really cool pre-attack technique - tracking pixels - and
how it can inform more restrictive & evasive payloads in the next
stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to
explore one such evasive method seen in-the-wild: Macro Stomping. And
we close the show by deep-diving with Matt Bromiley (@_bromiley) on
the critical vulnerability we've been responding to most in 2020 - and
what we've seen several attackers do post-compromise.
Just as a targeted intruder might, we start our operation with email
tracking pixels. We break down how these legitimate marketing tools
are leveraged by attackers looking to learn more about their planned
victim's behavior and system - prior to sending any first stage
malware.
We break down the different variations on these trackers for both
benign and malicious uses. For examples of each style of tracking
pixel, see Glyer's recent tweet thread
(https://twitter.com/cglyer/status/1222255759687372801). We talk
through additional red team operators' responses to how they use this
technique in their campaigns today - discussion sparked from this
great offensive security discussion
(https://twitter.com/malcomvetter/status/1222539003565694985). This
trend of professional target profiling - drawing both inspiration and
specific tracking tools from the marketing industry - is highly
effective and a trend we expect to continue.
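To make the pre-attack profiling concrete from the defender's side, here is an added example (not code from the episode or from FireEye) that scans an HTML e-mail body for images with the hallmarks of a tracking pixel: a remote image source, 1x1 dimensions, CSS hiding, a per-recipient query string and no alt text. The sample message, the `.invalid` hostnames and the two-indicator threshold are constructed for this note.

```python
"""Flag likely tracking pixels in an HTML e-mail body (added example, not from the episode)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an inline logo, a hidden 1x1 beacon with a per-recipient id, and a normal banner.
SAMPLE_HTML = """
<html><body>
<p>Quarterly report attached.</p>
<img src="cid:logo.png" width="120" height="40" alt="Company">
<img src="https://track.example.invalid/open?uid=7f3a9c&c=q1" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/img/banner.jpg" width="600" height="200" alt="Banner">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or non-numeric."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def score_image(attrs):
    """Return the list of beacon indicators for one <img>; an empty list means it looks benign."""
    reasons = []
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return reasons  # cid: and data: images never contact a remote server when rendered
    width, height = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("1x1 dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if parse_qs(parsed.query):
        reasons.append("per-recipient query string")
    if not attrs.get("alt"):
        reasons.append("no alt text")
    return reasons


def find_tracking_pixels(html):
    """Return (src, reasons) for every remote image with at least two beacon indicators."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        reasons = score_image(img)
        if len(reasons) >= 2:  # threshold is an assumption of this example
            hits.append((img.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_HTML):
        print(f"{src}\n  indicators: {', '.join(reasons)}")
```

The useful defensive takeaway is the fetch itself: whether or not the image is flagged, a mail client that loads remote images on open hands the sender the recipient's IP address, user agent and the time of opening, which is exactly the profile the episode describes an intruder collecting before any first-stage malware is sent. Blocking remote image loads by default removes the signal regardless of how well the beacon is disguised.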
Next on the episode, we explain how document profiling accomplishes
the same end goal as email pixels - and how it can share information
about the current version of Microsoft Office on the potential
victim's system. Similar to execution guardrails, this Office version
information for Microsoft Word or Excel could be used to deliver
malware that is highly evasive and only runs on that profile.
We also pivot into some potential use cases for fingerprinting Office
versions. We discuss VBA macro stomping and file format intricacies
that require attackers to understand the version of Office a target
may be using, in order to create evasive spear phishing lures that may
bypass both static and dynamic detections. Rick Cole joins us to talk
through an active attacker using macro stomping for evasion - both
p-code compiling and PROJECT stream manipulation. Rick walks through a
brief overview of the technique and a particular financial threat
actor who loves macro stomping as much as they love Onyx. Rick
co-authored a blog on the topic
(https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html)
and has an excellent tweet thread linking to other research
(https://twitter.com/a_tweeter_user/status/1225062617632428033).
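The PROJECT stream manipulation mentioned above lends itself to a simple consistency check. The example below is added for this note and is not FireEye's tooling or the method from the blog: it parses the plain-text PROJECT stream of a VBA project (the `Document=`, `Module=`, `Class=` and `BaseClass=` entries that the VBA editor uses to populate its project tree) and compares it with the module names recorded in the compressed `dir` stream. The `dir` module list is assumed to come from a separate VBA parser such as oletools and is supplied here as a constructed list; the heuristic that a module present in `dir` but absent from PROJECT warrants manual inspection is this note's assumption.

```python
"""Cross-check a VBA PROJECT stream against the module list from the dir stream.
Added example; the heuristic is an assumption of this note, not the FireEye tool."""
import re

# Constructed PROJECT stream text as found in a Word document's VBA storage.
# The "Module=EvilMod" entry has been left out so the VBA editor would not list that module.
SAMPLE_PROJECT = """ID="{9C4B0E7A-0000-0000-0000-000000000001}"
Document=ThisDocument/&H00000000
Module=Helpers
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="placeholder"
DPB="placeholder"
GC="placeholder"

[Host Extender Info]
&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000

[Workspace]
ThisDocument=0, 0, 0, 0, C
Helpers=26, 26, 1271, 604, 
"""

# Module names as recorded in the dir stream. Constructed here; in real triage they would be
# read from the MODULENAME records by an OLE/VBA parser (for example oletools).
DIR_MODULES = ["ThisDocument", "Helpers", "EvilMod"]

# Entries in the top part of PROJECT: "Module=Name" or "Document=Name/&H00000000".
_ENTRY = re.compile(r"^(Document|Module|Class|BaseClass)=([^/\r\n]+)")


def parse_project_stream(text):
    """Return the module names the PROJECT stream declares before its first [section]."""
    declared = []
    for line in text.splitlines():
        if line.startswith("["):
            break  # [Host Extender Info] and [Workspace] follow; they add no new modules
        match = _ENTRY.match(line.strip())
        if match:
            declared.append(match.group(2).strip())
    return declared


def find_hidden_modules(project_text, dir_modules):
    """Modules recorded in dir but missing from PROJECT. The two streams should agree;
    a module the editor cannot show but the project still carries warrants inspection."""
    declared = set(parse_project_stream(project_text))
    return [name for name in dir_modules if name not in declared]


if __name__ == "__main__":
    print("declared in PROJECT:", parse_project_stream(SAMPLE_PROJECT))
    print("in dir but not in PROJECT:", find_hidden_modules(SAMPLE_PROJECT, DIR_MODULES))
```

This check targets only the PROJECT stream side of the technique. The p-code side, where the compressed VBA source and the compiled p-code disagree, needs a decompiler for the p-code (the research Rick's thread links to covers tools for that), and a disagreement between the two is the stronger stomping indicator.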
Finally, we're joined by a surprise second guest! Matt Bromiley drops
in to discuss FireEye's efforts to respond to the critical Citrix
vulnerability, CVE-2019-19781, that went public on January 10, 2020.
Matt helps us break down some of the activity we've seen since then,
including distinct uncategorized clusters of activity for NOTROBIN,
coin-mining, and attempted ETERNALBLUE-laced ransomware.
In addition to securing his customers in Managed Defense, Matt's been
working with the team to release several blogs, defender tips, and
tools on the vulnerability:
• Matt and Nick published an initial blog on the topic - detailing
exploit timelines, evasive attackers, and resilient approaches to
detection
(https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN
and the concept of exploit squatter's rights in the blog with the
titl