Our setup was based on Windows 7 (32-bit). We installed POS software (it doesn’t matter which one). We enabled RDP (TCP port 3389) with weak credentials (admin/123456). We created a fake website hosted on the same IP, pretending to sell leather and fur items.

[Image: The website selling the leather and fur items]

The goal of the setup was to mimic an actual POS and to fool cyber criminals.

First infection

After 3 hours, we got a hit: a successful connection through RDP on our honeypot! But after analysis, we identified that the binary pushed to the honeypot was in fact the “Morto” worm, a really old (2011) worm that is still active and that, after a successful infection, brute-forces RDP to try to infect new hosts. More information can be found here: Microsoft Worm:Win32/Morto.A, or here: Trend Micro – Threat Encyclopedia. That was our first fail, as this was not the kind of binary we are interested in. Lesson learned: check the wordlist first to avoid the credentials tested by the Morto worm. We then changed our credentials to pos/pos. Then we looked at the security features of RDP, and we found that Morto was not able to log in to RDP with NLA enabled (see here for NLA details: Microsoft MSDN NLA). We left it running for 2 weeks, but we didn’t have any successful logons (at least we removed the problem with the Morto worm). We then figured out that our honeypot was hosted in a country that implemented “Chip & PIN” (Wikipedia: EMV) a long time ago! So our best choice would be the US, and we moved the honeypot there.

Infrastructure – reloaded

[Image: Infrastructure reloaded]

By moving the honeypot to the US we took the opportunity to add incident response capability with GRR (remote memory dump, remote file extraction…).

Less than 24 hours later, the honeypot was infected by another attacker. We confirmed that the infection vector was a brute force attack on RDP. The cyber criminal connected to an FTP server to download the Dexter sample (and other tools). The attacker installed a 6-month-old “Dexter” variant:

[Image: Seen on VirusTotal 6 months earlier]

The CnC was flagged 6 months ago as an “Alina” panel:

[Image: cymon.io report]

It is also interesting to note that the IP was hosting a lot of phishing websites:

[Image: VirusTotal pDNS]

By analyzing the traffic sent and received by the Dexter sample, we saw that the CnC was not answering properly and, surprisingly, it sent back the keylogged data! This is very useful when you don’t have a keylogger installed on your honeypot. See below for a sample of the data which was sent back by the CnC:

[Image: Error “405” sent back by the CnC]

It helped us to follow what the attacker did. Here is a list of commands performed by the attacker:

[Image: Commands performed by the attacker]

So the cyber criminal started to install “Firefox”, then “Chrome” and CCleaner (to erase the evidence).