In most cases, it’s a challenge to find out additional information about malware and its actions. Common sandboxes let analysts know only the domain names or IP addresses with which malware communicates. But knowing where the malware came from or what data was stolen gives you additional information that can save the day, not to mention discovering new malware samples in the wild, which sometimes go undetected by AV solutions. Here come open directories, which you can explore with the ANY.RUN malware sandbox’s tools.
What is an open directory?
Open directories are lists of direct links to files stored on a server. Opendirs are basically unprotected directories that are used to share numerous types of data: documents, pictures, videos, databases, and software.
Cybercriminals give us such “presents” when they leave open directories misconfigured, and those directories may contain a lot of information for our research. Unrestricted access to important directories or files provides data that has already been used by an attacker when preparing or conducting an attack.
Several kinds of information can be found there: additional payloads, including ones from the attacker’s other “projects”, and logs, which can be used to analyze the collected data and estimate the damage.
All the stolen files are stored on those servers, which you can get into with the help of opendirs.
We would like to discuss two ways of looking at open directories:
- On the one hand, an open directory might be misconfigured or deliberately set up to show a directory listing that is kept on a server without any protection. Through this oversight, an attacker can potentially expose sensitive information.
- On the other hand, an open directory could become the place where payload files or information stolen from infected machines is kept. And this is exactly what you can trace using ANY.RUN: find where this data has gone, to which IP address, or determine which files were stolen.
Generally, open directories contain a wealth of fresh samples and various IOCs. ANY.RUN users can research tasks that contain open directories: just find them by the “opendir” tag in the Public submissions. Inside a task, the tag is shown in the “HTTP Requests” section of the “Network” block.
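To make the “opendir” idea concrete, here is an added example (written for this article, not ANY.RUN’s code and not the sandbox’s own tagging logic). It recognizes an Apache/nginx-style autoindex page by its “Index of” title, extracts every link, and groups the entries by type so an analyst can see at a glance which files are worth detonating first. The listing is constructed for the example and the base URL is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of an autoindex-style directory listing. It is not a
# response captured from any real server; the file names echo the article.
SAMPLE_LISTING = """<html><head><title>Index of /files/</title></head>
<body><h1>Index of /files/</h1><hr><pre>
<a href="../">../</a>
<a href="r.exe">r.exe</a>                        12-Jan-2020 10:21   412K
<a href="Document_001.xlsx">Document_001.xlsx</a>  12-Jan-2020 10:25    61K
<a href="logs/">logs/</a>                        12-Jan-2020 10:30      -
<a href="setup.js">setup.js</a>                  12-Jan-2020 10:31     3K
<a href="readme.txt">readme.txt</a>              12-Jan-2020 10:32     1K
</pre><hr></body></html>"""

# Extension buckets used for triage: "executable" and "script" are what an
# analyst detonates first, "office" files are the typical initial loaders.
CATEGORIES = {
    "executable": {".exe", ".dll", ".scr", ".msi"},
    "script": {".js", ".vbs", ".ps1", ".bat", ".hta"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".ppt", ".pptx"},
    "archive": {".zip", ".rar", ".7z", ".iso"},
}


class ListingParser(HTMLParser):
    """Collects the <title> text and every href from the listing page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_open_directory(html):
    """Heuristic: Apache and nginx autoindex pages are titled 'Index of /...'."""
    parser = ListingParser()
    parser.feed(html)
    return parser.title.strip().lower().startswith("index of ")


def categorize(name):
    """Map a file name to one of the triage buckets above, or 'other'."""
    lowered = name.lower()
    for category, extensions in CATEGORIES.items():
        if any(lowered.endswith(ext) for ext in extensions):
            return category
    return "other"


def triage_listing(base_url, html):
    """Return absolute URLs of sub-directories and of files grouped by category."""
    parser = ListingParser()
    parser.feed(html)
    result = {"directories": [], "files": {}}
    for href in parser.hrefs:
        if href in ("../", "./") or href.startswith(("?", "#")):
            continue  # parent link and sort-order links, not content
        absolute = urljoin(base_url, href)
        if href.endswith("/"):
            result["directories"].append(absolute)
        else:
            result["files"].setdefault(categorize(href), []).append(absolute)
    return result


if __name__ == "__main__":
    base = "http://example.invalid/files/"  # placeholder, not a real host
    if is_open_directory(SAMPLE_LISTING):
        report = triage_listing(base, SAMPLE_LISTING)
        for category, urls in sorted(report["files"].items()):
            print(f"{category}: {urls}")
        print("directories:", report["directories"])
```

The same `is_open_directory` check can be pointed at your own web servers to confirm that listing is switched off; on Apache that is `Options -Indexes`, on nginx `autoindex off;`.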
Use open directories to find the stolen data
Besides file analysis, ANY.RUN lets you submit a URL for direct downloading or for browsing open directories and websites. Together with interactivity, this feature gives analysts the ability to browse, download, and run samples within the same task.
To demonstrate this functionality, let’s investigate the sample with the “opendir” tag.
The task already has the URL pasted in and the “Internet Explorer” web browser chosen. We can work with the virtual machine immediately: the browser opens as soon as the task starts.
As you can see, there are quite a few executables in this open directory, and you can download all of them during one task. You will not get confused about the types of malware there, as every malicious process is tagged in the process tree with the detected malware family name. Any of the executables stored here can later be downloaded onto infected systems as a payload by initial loaders such as malicious documents.
Let’s work with the r.exe file. The sample makes a network connection that matches a known threat: it triggers Agent Tesla’s Suricata IDS signature. Find the “Network” block and choose the “Connections” tab. Agent Tesla has been using SMTP on port 587 for a long time, often with broken encryption, so it sends the information in plaintext.
We can take advantage of that mistake and look inside the “Network stream” by clicking on the packet in the “Traffic” column for the process.
We can also take our chance: copy the authorization information from the “Network stream” and try to log into the crooks’ account. In the same stream you can see what information this trojan has stolen from the infected machines and sent to the Command & Control server.
By going through the stolen information that the malware saves in an open directory, it’s possible to find out how many workstations have already been compromised.
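The plaintext SMTP exchange described above lends itself to automated detection, and the same parse answers the question of how many workstations report in. The following is an added example, written for this article rather than taken from ANY.RUN or from the Agent Tesla sample: it reads a reconstructed “C:”/“S:” stream dump (constructed here, with an invented server, mailbox and victim), flags an AUTH LOGIN or AUTH PLAIN that happened without STARTTLS, decodes only the username as the exfiltration-mailbox indicator, and pulls victim host names out of the message body to count compromised machines across sessions. The “Computer Name:” field layout is an assumption about the stealer’s report format, not something documented on this page.

```python
import base64
import re

# Constructed reconstruction of an SMTP session to port 587, laid out the way a
# sandbox shows a network stream ("C:" client, "S:" server). Server name,
# mailbox, credentials and victim details are all invented, and the
# "Computer Name:" / "User Name:" body layout is an assumed stealer format.
SAMPLE_STREAM = """S: 220 mail.example.invalid ESMTP ready
C: EHLO WIN-VICTIM01
S: 250-mail.example.invalid
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: ZHJvcGJveEBleGFtcGxlLmludmFsaWQ=
S: 334 UGFzc3dvcmQ6
C: UEBzc3cwcmQtbm90LXJlYWw=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<dropbox@example.invalid>
S: 250 2.1.0 Ok
C: RCPT TO:<dropbox@example.invalid>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: PW_Bob/WIN-VICTIM01
C:
C: Computer Name: WIN-VICTIM01
C: User Name: Bob
C: URL: https://webmail.example.invalid/
C: Username: bob@example.invalid
C: Password: <redacted in this sample>
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
"""

VICTIM_HOST = re.compile(r"^Computer Name:\s*(\S+)", re.IGNORECASE)
CREDENTIAL_LINE = re.compile(r"^(Password|Pass|Pwd):", re.IGNORECASE)


def parse_stream(text):
    """Split a 'C:'/'S:' dump into (direction, payload) pairs."""
    return [(raw[0], raw[2:].strip()) for raw in text.splitlines()
            if raw[:2] in ("C:", "S:")]


def _b64(value):
    """Decode one base64 token, or return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def analyze_smtp_stream(text):
    """Flag plaintext AUTH, record the drop mailbox and victim hosts seen in DATA."""
    report = {"tls_negotiated": False, "plaintext_auth": False,
              "exfil_mailbox": None, "victims": set(),
              "credential_lines": 0, "alerts": []}
    expecting = None            # "user" or "pass" while AUTH LOGIN is in progress
    starttls_sent = in_data = False
    for who, line in parse_stream(text):
        upper = line.upper()
        if who == "S":
            if starttls_sent and upper.startswith("220"):
                report["tls_negotiated"] = True
                break           # everything after this point is encrypted
            continue
        if in_data:             # message body: look for victim identifiers
            if line == ".":
                in_data = False
            elif VICTIM_HOST.match(line):
                report["victims"].add(VICTIM_HOST.match(line).group(1))
            elif CREDENTIAL_LINE.match(line):
                report["credential_lines"] += 1
        elif upper == "STARTTLS":
            starttls_sent = True
        elif upper == "AUTH LOGIN":
            expecting = "user"
        elif upper.startswith("AUTH PLAIN "):
            parts = (_b64(line.split(" ", 2)[2]) or "").split("\0")
            report["exfil_mailbox"] = parts[1] if len(parts) == 3 else None
            report["plaintext_auth"] = True
        elif expecting == "user":
            report["exfil_mailbox"] = _b64(line)   # the mailbox is the indicator
            expecting = "pass"
        elif expecting == "pass":
            report["plaintext_auth"] = True   # password crossed the wire; not stored
            expecting = None
        elif upper == "DATA":
            in_data = True
    if report["plaintext_auth"] and not report["tls_negotiated"]:
        report["alerts"].append(
            f"plaintext SMTP AUTH for {report['exfil_mailbox']} without STARTTLS")
    if report["victims"]:
        report["alerts"].append(
            f"{len(report['victims'])} host(s) reported in exfiltrated data")
    report["victims"] = sorted(report["victims"])
    return report


def compromised_hosts(streams):
    """Union of victim host names across several captured sessions."""
    hosts = set()
    for stream in streams:
        hosts.update(analyze_smtp_stream(stream)["victims"])
    return sorted(hosts)
```

A session that completes STARTTLS is left alone on purpose: after the server’s 220 reply the stream is encrypted and nothing further can be read from it, so the absence of that handshake on port 587 is itself the signal worth alerting on.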
Have a look at this sample in action in the following video:
Use open directories to see the malware’s storage
Now it’s time to explore opendirs that can help us trace where the malware comes from.
The following task with the Formbook trojan can be useful for this matter.
Let’s take a look at the “HTTP Requests” section. There is a URL with the “opendir” tag. To find out what is kept inside this open directory, we need to follow these steps:
- Copy the URL address and paste it into the VM’s web browser using the “Remote ClipBoard”;
- Wait for the server’s response, which takes some time;
- Explore what this directory keeps: archive files, scripts, Microsoft Office files, executable files, and nested directories.
And here it is – the file from our task! No magic, just ANY.RUN tools.
Are you curious about what else can be stored there? The hackers might have prepared loads of disgusting stuff, and right now we have an opportunity to find out their plans and possible attacks.
Let’s download any file and explore what it is. We’ve decided to unmask the “Document_001.xlsx” file. It looks like a malicious document, and the most interesting question is what payload it delivers to infected machines.
Just go past all the security prompts, open the maldoc, and click on the “Enable Editing” button.
Apparently, this maldoc has macros that, through the exploitation of CVE-2017-11882, download and run the executable file. And it turns out to be the Lokibot trojan! The trojan was detected by both the network and the local signatures. If you want more details about this sample, watch the video:
All the mentioned tasks are available for your own research: just rerun them and start the analysis. But if you want to save time, we have prepared a video with examples that show open directories in all their glory:
Malware is a real issue for any company’s security, and it’s a great advantage to be able to investigate its background and intentions. We hope that now you can use open directories for these goals, and ANY.RUN will always be glad to help you.
Open directories arise from a simple mistake, but that mistake can turn into a vulnerability in your organization’s security. So, if you’re a cybersecurity specialist, be attentive and close the directories!