Shellcode Encoded as UUIDs - SANS Internet Storm Center

  • Return from FOR610 Class: Returned from a FOR610 class in London last week.
  • Key Tip for Students: Keep an eye on "strange" API calls. In the Windows ecosystem, Microsoft provides many API calls to developers. While using an API doesn't always mean malicious code, some may be misused.
  • Hunting Rule for Malicious Scripts: Search for the ctypes library. It allows Python to call functions in DLLs or shared libraries.
  • Malicious Python Script Example: Spotted a script using the UuidFromStringA() function, which converts a UUID string to its binary form. The Python script contained an array of UUIDs that, once decoded into raw bytes, was injected as shellcode.
  • Shellcode Details: The shellcode was a CobaltStrike HTTP x86 beacon calling back to hxxp://182[.]61[.]60[.]141:6666/tFl6. The code was decoded with a simple loop and injected into memory using UuidFromStringA().
  • Conversion Technique: It is easy to convert a binary file into an array of UUIDs by reading the shellcode in 16-byte chunks and interpreting each chunk as a UUID. This technique was used by the Lazarus group in the past.
  • Author and Contact: Xavier Mertens (@xme), Xameco, senior ISC handler and freelance cyber security consultant. PGP Key
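To turn the hunting tip into something an analyst can run, here is an added example (not code from the diary or its author) that triages a Python script for the pattern described above: it extracts canonical UUID strings, checks for the ctypes and UuidFromStringA() markers, and reassembles the bytes that UuidFromStringA() would write to memory. The sample script text and the benign payload it carries are constructed for this example; the regex, the `min_uuids` threshold and the `triage_script` name are assumptions. The byte order matters: the Windows UUID struct stores Data1, Data2 and Data3 little-endian, so a naive hex-decode of the string would not reproduce the injected bytes, whereas Python's `bytes_le` does.

```python
import re
import uuid

# Canonical 8-4-4-4-12 hex form, which is what UuidFromStringA() accepts.
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Co-occurrence of these strings with a large UUID array is the hunting signal.
SUSPICIOUS_MARKERS = ("ctypes", "UuidFromStringA")


def uuid_to_memory_bytes(s):
    """Return the 16 bytes UuidFromStringA() writes to memory for UUID string s.

    Data1 (u32), Data2 (u16) and Data3 (u16) are stored little-endian and
    Data4 as 8 raw bytes; uuid.UUID(...).bytes_le reproduces that layout.
    """
    return uuid.UUID(s).bytes_le


def bytes_to_uuid_strings(data):
    """Inverse mapping (16-byte chunks -> UUID strings), used here only to
    build the constructed sample; the last chunk is NUL-padded if short."""
    chunks = [data[i:i + 16] for i in range(0, len(data), 16)]
    return [str(uuid.UUID(bytes_le=c.ljust(16, b"\x00"))) for c in chunks]


def extract_uuids(script_text):
    return UUID_RE.findall(script_text)


def decode_uuid_array(uuids):
    """Reassemble the in-memory payload from an ordered list of UUID strings."""
    return b"".join(uuid_to_memory_bytes(u) for u in uuids)


def triage_script(script_text, min_uuids=4):
    """Flag scripts that carry a UUID array alongside UuidFromStringA();
    the decoded payload is returned so it can be handed to further analysis."""
    uuids = extract_uuids(script_text)
    markers = [m for m in SUSPICIOUS_MARKERS if m in script_text]
    return {
        "uuid_count": len(uuids),
        "markers": markers,
        "suspicious": len(uuids) >= min_uuids and "UuidFromStringA" in markers,
        "payload": decode_uuid_array(uuids),
    }


# Constructed sample: a harmless 64-byte text stands in for the shellcode.
SAMPLE_PAYLOAD = b"Not shellcode: just sample text!" * 2
SAMPLE_SCRIPT = (
    "import ctypes\n"
    "uuids = [\n"
    + "".join(f'    "{u}",\n' for u in bytes_to_uuid_strings(SAMPLE_PAYLOAD))
    + "]\n"
    "# loop over uuids calling UuidFromStringA() via ctypes (body omitted)\n"
)

# Constructed benign control: one UUID used as an ordinary identifier.
BENIGN_SCRIPT = (
    "import uuid\n"
    'SESSION_ID = "123e4567-e89b-12d3-a456-426614174000"\n'
)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        result = triage_script(text)
        print(name, result["uuid_count"], result["markers"], result["suspicious"])
        print("  decoded:", result["payload"][:32])
```

The threshold of four UUIDs is arbitrary; a real loader carrying a beacon stage contains hundreds, so in practice the UUID count alone separates such scripts from code that merely generates identifiers.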