{"id":1253,"date":"2020-12-11T09:00:00","date_gmt":"2020-12-11T09:00:00","guid":{"rendered":"\/cybersecurity-blog\/?p=1253"},"modified":"2022-12-21T06:52:01","modified_gmt":"2022-12-21T06:52:01","slug":"open-directories","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/open-directories\/","title":{"rendered":"Cybersecurity Treasures in Open Directories"},"content":{"rendered":"\n

In most cases, it\u2019s a challenge to find out additional information about malware and its actions. Common sandboxes let analysts know only domain names or IP addresses with which malware communicates. But knowing where the malware came from or what data was stolen allows you to get additional information that can save the day. Not to mention discovering new malware samples in the wild, which sometimes goes undetected by AV solutions. Here comes open directories that you can explore with ANY.RUN malware sandbox\u2019s tools.<\/a><\/p>\n\n\n\n

What is an open directory?<\/strong><\/p>\n\n\n\n

Open directories are lists of direct links to files stored on the server. Opendirs are basically unprotected directories<\/strong> that are used to share numerous types of data: documents, pictures, videos, databases, and software.<\/p>\n\n\n\n

Cybercriminals give us such “presents” as they leave open directories misconfigured. And they may contain a lot of information for our research. Access to important directories or files without restrictions provide data that has already been utilized by an attacker when formulating or conducting an attack.<\/p>\n\n\n\n

There are several types of information that can be there: additional payloads<\/strong>, including ones from the other \u201cprojects\u201d and logs<\/strong>, which can be used to analyze the collected data and estimate the damage<\/p>\n\n\n\n

All stolen files are stored on the servers, where you can get into with the help of opendirs. 
<\/p>\n\n\n\n

We would like to discuss 2 approaches with open directories:<\/p>\n\n\n\n

  1. On one hand, open directories might be configured incorrectly or customized in a special way that can show the directory listing, that\u2019s kept on a server without any protection. With this oversight, an attacker can potentially expose sensitive information<\/strong>.<\/li>
  2. On the other hand, open directories could become a place to keep payload files or stolen information<\/strong> from the infected machines. And this is exactly what you can trace using ANY.RUN. Find where this data has gone, to what IP address, or determine the files that were stolen. <\/li><\/ol>\n\n\n\n

    Generally, open directories contain a wealth of fresh samples and different IOCs. ANY.RUN\u2019s users can research tasks that contain open directories, just find them by the \u201copendir\u201d tag in the Public submissions<\/a>. During your research, find the \u201cNetwork\u201d block, this tag is shown in the \u201cHTTP Requests\u201d section.<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    Use open directories to find the stolen data <\/strong>
    <\/p>\n\n\n\n

    Besides files analysis, with ANY.RUN you can add a URL address for direct downloading or browsing open directories and websites. The feature together with interactivity gives analysts the ability to browse, download, and run samples during the same task. <\/p>\n\n\n\n

    To demonstrate this functionality, let\u2019s investigate the sample with the \u201copendir\u201d tag<\/a>. <\/p>\n\n\n\n

    The task already has a URL pasted and the “Internet Explorer” web browser chosen. Immediately we start to work with the virtual machine. The browser opens at the same time as the task started.<\/p>\n\n\n\n

    \"\"\/<\/figure>\n\n\n\n

    As you can see, there are quite a few executables in this open directory and you can download all of them during one task. You will not get confused with types of malware there, as all malicious processes are tagged in the process tree with detected malware family names. All the executable files stored here can be downloaded later as a payload into the infected systems by initial loaders such as malicious documents.<\/p>\n\n\n\n

    Let\u2019s work with the r.exe file. The sample makes a network connection with a known threat \u2013 it matches Agent Tesla<\/a>‘s Suricata IDS signature. Find the “Network” block and choose the “Connections” tab. Agent Tesla has been using SMTP’s 587 port for a long time already and often with broken encryption so it sends the unencrypted information.<\/p>\n\n\n\n

    We can take advantage of that mistake and look inside the “Network stream” by clicking on the packet in the “Traffic” column from the process.<\/p>\n\n\n\n

    We can take our chance – copy authorization information from the “Network stream” and try to log into the crooks\u2019 account. Also in this stream, you see what information this trojan has stolen from the infected machines and has sent to the Command & Control server. <\/p>\n\n\n\n

    By going through the stolen information that is saved by malware in an open directory, it\u2019s possible to find out how many workstations have already been compromised.<\/p>\n\n\n\n

    Have a look at this sample in action in the following video:<\/p>\n\n\n\n

    \n