Posts

Successful 4624 Anonymous Logons to Windows Server from External IPs?

If you see 4624 (successful logon) events in your Event Viewer showing an ANONYMOUS LOGON from an external IP (commonly Russia, Asia, the USA or Ukraine) with an authentication package of NTLM or NTLMSSP, don't be alarmed: this is not an indication that someone successfully logged on to and accessed your system, even though it's logged as a 4624.


If your server has RDP or SMB open publicly to the internet, you may see a whole series of these events in your server's Event Viewer. Although they are logged as Event ID 4624 (which generally correlates to a successful logon), they are NOT successful access to the system unless there is a correlating Event ID 4624 with an Account Name of \\domain\username and a logon type of 10 for RDP or 3 for SMB. You can double-check this by looking for 4625 (failed logon) events in a similar time range to the 4624 event for confirmation.

This happens because when a user initiates an RDP or SMB connection, the con…

New Pyrogenic JAR-Based Malware Campaign - Indicators of Compromise

A new JAR-based phishing campaign has been seen delivered to Australian companies with the intent of stealing Office 365 account credentials as well as passwords stored in the browser. This campaign appears to have first run from late September 2019 to November 2019.

Initial Infection
This campaign is delivered via a phishing email to corporate account users containing an image of a PDF file with an embedded hyperlink.
If a user clicks on the image of the PDF, they are taken to the first C2 domain - in this instance https://caygionghocviennongnghiep1.com/FRA.html - which resulted in a download of the malicious JAR file 'BankPaymAdviceVend_LLCRep.jar' to the Downloads folder:



User interaction is then required in order to execute the malware. Once execution occurs, the following process chain is observed, in which javaw.exe is spawned.


The javaw.exe process is suspended in memory while two DLLs are dropped into the AppData/Local/TEMP folder, loaded, and then deleted:
sqlite-3.8.11…

Malware Analysis: Slingshot APT Exposed From 6 Years of Hiding
