Posts

Velociraptor-01: Velociraptor to Timesketch

In this post I will go through all the steps of setting up an automated processing pipeline for generation of timelines using Velociraptor, Plaso and Timesketch. Based on this fantastic project by ReconInfoSec, timeline generation from Kape forensic artifacts collected by Velociraptor can be automated and implemented at enterprise scale using open-source software. The purpose of this post is to provide a more detailed explanation of how to deploy velociraptor-to-timesketch.

Prerequisites: Velociraptor instance: I will cover setting up Velociraptor in another post. An AWS instance for installing Timesketch and velociraptor-to-timesketch (at least 8GiB memory). I am using Ubuntu Server 22.04 LTS t2.xlarge.

Overview of Components: Server Monitoring Artifact, Server.Utils.BackupS3, on Velociraptor will monitor clients for any Artifacts matching "Windows.KapeFiles.Triage" and automatically upload to S3 storage. watch-s3-to-timsketch.py watches the S3 bucket for new zi...

Add authentication in front of your apps with a reverse proxy using Keycloak and OpenResty

Recently I set up a bunch of apps to assist with malware analysis and realised that I didn't want to expose the applications to the internet directly. I wanted a layer of authentication between my applications and the internet, and a reverse proxy was the solution I settled on. Using OpenResty and Keycloak I was able to set up a single entry point for my web applications and have it serve as an authentication point before traffic is passed on to my apps, preventing people from accessing them without first authenticating. Any requests to the sites will be redirected to an authentication portal where the user then signs on and is then redirected to the application. Disclaimer: this guide is intended as a demonstration only and not intended for production systems. Prerequisite: Ubuntu 22.04. Application(s) to redirect your traffic to. Step 1 - Installing OpenResty

GuLoader... analysing malicious PDF, VBS and PowerShell

I came across a sample recently that looked interesting because of the number of steps in the infection chain and the use of PowerShell to inject shellcode into an existing legitimate process, so I thought I would have a go at analysis. For this analysis I will go as far as I can using just static analysis and fall back to dynamic analysis when I hit my limits. The initial payload is a PDF file which I will take a look at now.

Gootkit... analysing malicious JavaScript

Gootkit continues to target Australian companies with sites still live as of the time of this post. Searching for an Australian company name and the words "enterprise agreement" will often lead to a result on the first page containing a link to a malicious site, which will often then have a fake forum with a post containing the link to the malicious download. I managed to get a hit after trying a few different random company names. The forum site with the malicious link will only be redirected to upon first visit; otherwise the user will be redirected to a normal-looking blog post. Clicking the link leads to the download of a zip file which contains a JavaScript file. Upon first glance the file appears to be benign jQuery. When compared with the official library it is almost identical except that some additional lines have been added at a few locations. After extracting and prettifying the code we can see a bunch of variables and what looks like a de-obfuscator function. Using S...

Finding botnets with a MikroTik RouterOS honeypot

MikroTik RouterOS is a powerful, feature-packed software router that is pretty widely used across the world. I have been meaning to set up a honeypot, and there have been a large number of high-volume DDoS attacks involving compromised RouterOS routers, so this seems like a good candidate for a first honeypot. In order to set up the honeypot I spun up 2 cloud instances, one for RouterOS and the other to capture logging. To set up the logging machine I spun up a Debian machine and then started on deploying RouterOS. I couldn't find any information on how the routers were being compromised, but there were rumours of a vulnerability that was being exploited, so I decided to use a slightly older RouterOS version at the time, RouterOS v6.42rc52. RouterOS Setup: To install RouterOS on GCP you can navigate to the software\downloads page on the MikroTik website and from there expand the "Cloud Hosted Router" tab, where you find VHDX images available for download. Once downloaded the im...