☣️ THE DAY I BECAME “BUG HUNTER”… ACCIDENTALLY! 🐛

⭕️DISCLAMIER
None specified name of vendor nor plug-in has been disclosed to this article and the sole purpose is to enlighten the readers to be more cautious on what they download and use for either personal or business cases. “Human knowledge belongs to the world! –antitrust”.

ONCE UPON A TIME
Last year there was a vulnerability with a risk score of 6.1 (medium) that affecting JQUERY that could lead to CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)).

CVE-2019–11358 — jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

However, this is boring story to begin with!

As a Security Intelligence Analyst, I always “hunt” for the low hanging fruits as the CTI platform should already covered the “high” threats. This includes web browser plug-ins that can bypass end-point security controls (EDR/EPP/DLP) and even Firewalls.

Until one fine day of curiosity to scrutinize the most used web browser extension by both students and professionals in which I will not disclose yet on this article due to TLP: Amber (restricted to participants’ organizations only) until they acknowledge the report I sent to them with “thank you” and instead will just code its name as “Lola-ly”.

This “Lola-ly” is being suspected as a Trojan that “Keylogs” everything a user types to check the structure of the English sentence and provide corrections.

🚦THE “ENUMERATIONS”
And so, I started carving the associated files from the web browser plug-in to enumerate obfuscated strings and possible lead to the suspicion if assumed culpable of the said behavior.

Tried to check the #hash if it’s already been known for any IOCs from VT.

Further investigation using different #FOSS tools to satisfy the “curiosity”.

Seems it is connecting to at least 70+ domains and spawning different file types.

📭THE FILES
There were 15 files retrieved but one stood out that capture my eyes.

With the help of the awesome mouse clicks on the “Vulnerabilities”.

💀THE SUSPICIOUS BEHAVIOR
I raised a “call-a-friend” from Joe and gave me this TTPs that made me smile 😊.

💡CONCLUSION
When an itchy mind Security Intelligence analyst craved for curiosity to unfold the limit of their job scope, gem is found.

For the defenders (SecOps/IR), security architecture/engineering, policy makers (GRC), and leaders (CISO); the Cyber Threat Intelligence (CTI) program should not be limited to their job scope but also “Red Teaming” your arsenals acquired to protect that protects the endpoints from unknown threats. This is the dark-side of the Technology where the “Right People” and Process fills the gap that truly achieved the defense-in-depth.

Cybersecurity awareness should also evolve technically so end-users will understand the risks into broader perspective, not just in theory.

🙏ACKNOWLEDGEMENT
-
Joe for cool Sandbox
-Reverse Engineering Malware Linux Distro
-Malware Capability Tool
-Virus Total

To God Be The Glory!
✠✠✠

Cyber-security is not a Job, calling!