Cracking Password Protected Payloads
The staff at InQuest have been busy running a variety of different research experiments in the realm of bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and generate threat intelligence. One such experiment is our Twitter bot that tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs Corpus.
Malicious RTF document found hosted at:
http///5.39.217.221/win/document[.]doc
SHA256: c657570d8bd13c9435548efe83087568b7a83e8bf968d7384fab1037a8612e75
IOC extracted from sample: https://t.co/RV23JyT3tM
InQuest (@InQuest), February 18, 2021
Another of these research experiments is the mass curation and decryption of password-protected documents, zip archives, and PDFs protected with a user password. This is done with an automated John the Ripper dictionary and brute-force cracking attack against the files found to be protected. The InQuest Deep File Inspection platform already carries a dictionary of the most common malware passwords; to keep that list current with emerging campaigns, encrypted files from various data streams are passed through the automation.

This research complements two important use cases in the security space. First, as part of harvesting malware at scale through InQuest Labs and various data streams, we brute force protected files in an effort to gain access to otherwise hidden malware. This feeds proprietary threat intelligence with insight into emerging threat campaigns, new TTPs, and evolving malware families. Second, as part of our email security solution, we analyze the full context of the email (body, OCR output, etc.) to identify passwords that can be used to peer into the encrypted layers. This dynamically produces a password list that can be used to decrypt and analyze protected attachments.

The following details an approach to cracking some document-based passwords and gives some insight into the findings of performing this at scale. Without spilling the beans on the entire pipeline, the demonstration here uses a single occurrence. The following zip archive is encrypted and, consequently, there are no detections on its contents (VirusTotal: 94bd6a4edc46a3aa6749b8374ca2cb04). Files of this type can be curated with a Yara rule similar to:
rule Password_Protected_ZIP
{
    strings:
        // PK\x03\x04 local file header, the two-byte "version needed" field, then the low
        // byte of the general purpose bit flag. Bit 0 set means the entry is encrypted:
        // 01 = encrypted, 09 = encrypted + data descriptor (bit 3). Other values with bit 0
        // set (03, 0b, ...) occur when compression option bits are also set and are not
        // matched by this rule.
        $zip_encrypt = {50 4b 03 04 ?? ?? (01 | 09)}
    condition:
        $zip_encrypt at 0
}
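As an added example that is not part of the original post, the following Python reproduces the rule's byte check on the ZIP local file header and sets it beside a check on the encryption bit itself, which also catches flag values such as 0x0003 or 0x000B that the two-byte alternation misses. The sample archive is constructed with the standard library and has its flag word patched in place; nothing is actually encrypted, and the entry name is made up for the example.

```python
import io
import struct
import zipfile

# ZIP local file header (PKWARE APPNOTE 4.3.7), little-endian fields:
#   signature(4) version_needed(2) flags(2) method(2) mtime(2) mdate(2)
#   crc32(4) compressed_size(4) uncompressed_size(4) name_len(2) extra_len(2)
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes

FLAG_ENCRYPTED = 0x0001  # bit 0 of the general purpose bit flag: entry is encrypted


def yara_rule_matches(data: bytes) -> bool:
    """Literal equivalent of the rule above: {50 4b 03 04 ?? ?? (01 | 09)} at offset 0.

    Byte 6 is the low byte of the flag word; 0x01 and 0x09 are "encrypted" and
    "encrypted + data descriptor", the two values most often seen in the wild.
    """
    return data[:4] == LOCAL_HEADER_SIG and len(data) > 6 and data[6] in (0x01, 0x09)


def parse_local_headers(data: bytes):
    """Yield (name, flags, method) for every local file header found in the blob.

    Scanning for the signature instead of walking the central directory is
    deliberate: truncated or deliberately malformed archives still yield headers.
    """
    offset = 0
    while True:
        idx = data.find(LOCAL_HEADER_SIG, offset)
        if idx < 0 or idx + LOCAL_HEADER_LEN > len(data):
            return
        (_sig, _ver, flags, method, _time, _date, _crc, _csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, idx)
        name = data[idx + LOCAL_HEADER_LEN: idx + LOCAL_HEADER_LEN + name_len]
        yield name.decode("utf-8", errors="replace"), flags, method
        offset = idx + LOCAL_HEADER_LEN + name_len + extra_len


def is_password_protected(data: bytes) -> bool:
    """True if any entry has bit 0 set, whatever the other flag bits are (0x03, 0x0B, ...)."""
    return any(flags & FLAG_ENCRYPTED for _name, flags, _method in parse_local_headers(data))


def make_sample_zip(flags: int) -> bytes:
    """Constructed sample: a one-entry stored archive whose first local header flag
    word is overwritten. The body is not encrypted; only the header bits change,
    which is all the detection logic above inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Ginny_CV.exe", b"constructed stand-in payload " * 8)
    data = bytearray(buf.getvalue())
    struct.pack_into("<H", data, 6, flags)  # flag word of the first header sits at offset 6
    return bytes(data)


if __name__ == "__main__":
    for flags in (0x0000, 0x0001, 0x0009, 0x0003, 0x000B):
        blob = make_sample_zip(flags)
        print(f"flags=0x{flags:04x}  yara_rule={yara_rule_matches(blob)!s:<5}  "
              f"bit0_check={is_password_protected(blob)}")
```

Running it prints one line per flag value; the 0x0003 and 0x000B rows are the ones where the byte alternation says no and the bit check says yes. The `at 0` anchor has the same trade-off: it keeps the rule cheap but misses archives with leading junk or a self-extractor stub in front of the first header.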
Quite often, attackers include the decryption secret in the email body and coerce the recipient into decrypting the archive, document, PDF, etc. The following steps detail how to use John the Ripper to brute force the password.
Zip2john
# zip2john Ginny_CV.zip > Ginny_CV.hash
ver 2.0 Scanning for EOD... FOUND Extended local header
Ginny_CV.zip/3c31bb37840e2413d56aec6497cf8f17a03dfd919713142a0937cbc2ce864fda PKZIP Encr: cmplen=28292, decmplen=73216, crc=2EE8B059
Running the extracted hash against a custom word list quickly finds the password (myresume):
# john --wordlist=inquest.lst Ginny_CV.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
myresume (Ginny_CV.zip/3c31bb37840e2413d56aec6497cf8f17a03dfd919713142a0937cbc2ce864fda)
1g 0:00:00:00 DONE (2021-02-26 17:20) 1.265g/s 6656Kp/s 6656Kc/s 6656KC/s myria216..myresume
Office2john
Looking at this file sourced from InQuest Labs, fbd407f2d47cb2614ce32a70c8983ba2:
# office2john.py fbd407f2d47cb2614ce32a70c8983ba2 > fbd407f2d47cb2614ce32a70c8983ba2.hash
The password, 2020, is cracked almost immediately:
# john --wordlist=inquest.lst fbd407f2d47cb2614ce32a70c8983ba2.hash
Using default input encoding: UTF-8
Loaded 1 password hash (oldoffice, MS Office <= 2003 [MD5/SHA1 RC4 32/64])
Cost 1 (hash type) is 4 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
2020 (fbd407f2d47cb2614ce32a70c8983ba2)
1g 0:00:00:00 DONE (2021-02-26 18:23) 11.11g/s 770133p/s 770133c/s 770133C/s 221195..19901
Use the "--show --format=oldoffice" options to display all of the cracked passwords reliably
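To run the two steps above as one automated pass, here is an added Python wrapper (example code, not InQuest's pipeline). It picks the *2john helper from the file's magic bytes, runs it, runs john against the wordlist, and reads the results back with --show, which is the form john itself says to rely on. The helper names zip2john, office2john.py and pdf2john.pl are the scripts shipped in john's run/ directory and are assumed to be on PATH; the wordlist and pot file names in the usage block are assumptions as well. One detail worth knowing: an encrypted .docx/.xlsx is stored as an OLE2 compound file, not a ZIP, so it must go to office2john, and the magic check below gets that right.

```python
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Container magic -> John the Ripper helper script (assumed to be on PATH).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2)
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"


def pick_hash_tool(head: bytes) -> Optional[str]:
    """Choose the *2john helper from the first bytes of a file, or None if unsupported.

    Order matters: an unencrypted .docx is a ZIP, but once Office encrypts it the
    container becomes an OLE2 compound file, so encrypted modern Office documents
    route to office2john together with legacy .doc/.xls, never to zip2john.
    """
    if head.startswith(OLE2_MAGIC):
        return "office2john.py"
    if head.startswith(ZIP_MAGIC):
        return "zip2john"
    if PDF_MAGIC in head[:1024]:  # the PDF header may follow up to 1024 bytes of junk
        return "pdf2john.pl"
    return None


def parse_show_output(text: str) -> Dict[str, str]:
    """Parse `john --show` output into {label: password}.

    Each cracked line is the hash-file line with the hash replaced by the plaintext,
    e.g. `Ginny_CV.zip/<entry>:myresume:::::Ginny_CV.zip` for zip2john input or
    `<sample>:2020` for office2john input. Field 2 is the password, exactly as with
    `cut -d: -f2`; both mis-handle a password that itself contains a colon.
    """
    found: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or "password hash" in line:  # blank line or "N password hashes cracked, M left"
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            found[fields[0]] = fields[1]
    return found


def extract_hash(sample: Path, out_dir: Path) -> Path:
    """Run the matching *2john helper and save its stdout as <sample>.hash."""
    with sample.open("rb") as fh:
        tool = pick_hash_tool(fh.read(1024))
    if tool is None:
        raise ValueError(f"{sample}: not a ZIP, OLE2 or PDF container")
    if shutil.which(tool) is None:
        raise FileNotFoundError(f"{tool} not found on PATH")
    hash_file = out_dir / (sample.name + ".hash")
    proc = subprocess.run([tool, str(sample)], capture_output=True, check=True)
    hash_file.write_bytes(proc.stdout)
    return hash_file


def crack(hash_file: Path, wordlist: Path, pot: Path) -> Dict[str, str]:
    """Wordlist attack followed by --show; results are read from --show, not from the exit status."""
    subprocess.run(["john", f"--wordlist={wordlist}", f"--pot={pot}", str(hash_file)],
                   capture_output=True, check=False)
    shown = subprocess.run(["john", "--show", f"--pot={pot}", str(hash_file)],
                           capture_output=True, text=True, check=True).stdout
    return parse_show_output(shown)


if __name__ == "__main__":
    import sys
    out = Path("hashes")
    out.mkdir(exist_ok=True)
    for path in map(Path, sys.argv[1:]):  # assumed usage: crack.py sample1 sample2 ...
        try:
            print(path, crack(extract_hash(path, out), Path("inquest.lst"), Path("john.pot")))
        except (ValueError, FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(path, "skipped:", exc)
```

A dedicated --pot file per run keeps the experiment's results separate from whatever else john has cracked on the box, and makes the statistics step below trivial to reproduce.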
Statistics
Here are the top 20 passwords that were cracked and were not already included in the first-stage decryption password list. Iteratively curating that list provides some insight into emerging threat campaigns that rely on password-protected payloads:
# cut -d: -f2 john.pot | sort | uniq -c | sort -rn | head -20
283 mise
222 decreto
18 00134
12 sang1701
10 bhs
9 1
8 2020
7 5658
6 ms1234
6 Memphis
6 6181
6 5403
6 1234
6 010819
5 PORTUGAL
5 mufia
5 5236721
4 jes2020
4 Jacob
4 3287
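The one-liner above ranks every password in john.pot; excluding what the first-stage list already contained is a separate step. As an added example that is not from the original post, the following Python does the ranking with that exclusion and folds the new passwords back into the wordlist, which is the iterative curation described above. The john.pot excerpt (hash bodies shortened to "...") and the first-stage list are constructed for the example; it also shows why splitting on the first colon is safer than `cut -d: -f2` when a cracked password contains one.

```python
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed john.pot excerpt. Lines are `ciphertext:plaintext`; the $pkzip2$,
# $oldoffice$ and $pdf$ hash strings use '*' as separator and never contain ':'.
SAMPLE_POT = """\
$pkzip2$1*1*2*0*...*$/pkzip2$:myresume
$oldoffice$1*...:2020
$pkzip2$1*1*2*0*...*$/pkzip2$:decreto
$pkzip2$1*1*2*0*...*$/pkzip2$:decreto
$pdf$4*4*128*...:mise
$pkzip2$1*1*2*0*...*$/pkzip2$:mise
$pkzip2$1*1*2*0*...*$/pkzip2$:decreto
$oldoffice$1*...:pass:word
""".splitlines()

# Constructed stand-in for the first-stage decryption password list.
FIRST_STAGE = ["1234", "2020", "myresume", "infected"]


def pot_passwords(pot_lines: Iterable[str]) -> List[str]:
    """Pull the plaintexts out of john.pot lines.

    Split on the FIRST colon only: the hash prefix has none, but a cracked
    password can, and `cut -d: -f2` would silently truncate "pass:word" to "pass".
    """
    out = []
    for line in pot_lines:
        line = line.rstrip("\n")
        if ":" not in line:
            continue
        _ciphertext, _sep, plaintext = line.partition(":")
        out.append(plaintext)
    return out


def new_passwords(pot_lines: Iterable[str], known: Iterable[str],
                  top: Optional[int] = 20) -> List[Tuple[str, int]]:
    """Rank cracked passwords that the first-stage list did not already contain."""
    known_set = set(known)
    counts = Counter(p for p in pot_passwords(pot_lines) if p not in known_set)
    return counts.most_common(top)


def updated_wordlist(known: Iterable[str], pot_lines: Iterable[str]) -> List[str]:
    """Feedback loop: the first-stage list, then newly cracked passwords by frequency.

    Counter already de-duplicates the new entries, so the result stays a clean
    one-password-per-line john wordlist.
    """
    known_list = list(known)
    return known_list + [p for p, _count in new_passwords(pot_lines, known_list, top=None)]


if __name__ == "__main__":
    for password, count in new_passwords(SAMPLE_POT, FIRST_STAGE):
        print(f"{count:>4} {password}")
    print("updated list:", updated_wordlist(FIRST_STAGE, SAMPLE_POT))
```

Feeding the updated list back in as the next run's --wordlist is what turns a one-off crack into the curation loop: a password that unlocks one campaign's lure usually unlocks the rest of that campaign's samples without any brute forcing.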
Throughout this experiment, countless instances of PII have been uncovered in addition to the malicious files we were searching for; the same dictionary attack that exposes a payload exposes a weakly protected personal document just as quickly. Ultimately, it is recommended to use strong passwords when encrypting any type of sensitive information.