Hansa locktime excel file (x-post danknation)

Someone posted this as a link in another thread. Looks like LE swapped out the .txt locktime file with an Excel file intended to leak the users' IP. The switch was brought up a few days ago here.

Full write-up is below: https://www.reddit.com/r/DankNation/comments/6pi0et/dont_open_the_xlsx_locktime_file_beacon_image/

What's interesting is that there is NO macro code. The vulnerability is simply forcing the client to load an image from a remote server in France (controlled by LE no doubt).

Any vendor who viewed this file without Whonix/Tails should clean house immediately.
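The mechanism described above (no macro, just an externally linked image) leaves a trace in the document package itself, and the following added example (not from the original post or the linked write-up) shows how a defender can check for it: an .xlsx is a zip of XML parts, and a remotely loaded picture appears as a `Relationship` with `TargetMode="External"` and an http(s) target in one of the `.rels` parts. The sample package and the beacon URL are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def find_external_targets(xlsx_bytes):
    """Return (part_name, target) for every external relationship in an OOXML
    package. A picture fetched from a remote server is recorded this way."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Target", "")))
    return findings


def is_beacon(target):
    """An external target that is a URL will be fetched on open by most suites."""
    return target.lower().startswith(("http://", "https://"))


def scan(xlsx_bytes):
    """Only the external relationships that would cause a network request."""
    return [(p, t) for p, t in find_external_targets(xlsx_bytes) if is_beacon(t)]


def build_sample(external_target):
    """Constructed minimal package: one drawing whose image is linked externally."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{IMAGE_REL}" '
            f'Target="{external_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder beacon host; a real file would carry the operator's server.
    for part, target in scan(build_sample("http://beacon.example.invalid/t.png")):
        print(f"{part}: remote image {target}")
```

Run it against a real file with `scan(open(path, "rb").read())` on a machine with no network access; any hit means the document phones home when opened.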


Comments


[16 Points] SpecialAgentDildo:

If you didn't hate Microsoft already....


[9 Points] lovelylittlegangster:

Finally I got hold of one of these files!

Here's a Wireshark screenshot showing that just opening the file in LibreOffice connects to the remote IP:

https://anonimage.net/db/full/tFRz4cBaEM.png

I would advise vendors to only open this file on a Qubes VM routed through Tor as that is 100% safe, Tails may also be safe but someone would need to test it to confirm.

Windows, Mac or any non-Tor linux distro is NOT safe from this beacon.

Plea to vendors: can a few of you message me your whole http:// string so I can check whether they are individualised to each locktime file or they are all the same? At the moment I only have access to 1 file so I can't check this myself. This is my PGP key if you want to keep it from public view:



[5 Points] lamoustache:

Hi,

Can someone send me a copy of the file please?

Thanks


[4 Points] elfer90:

Anyone have a copy of the file? I want to check it out.


[3 Points] sharpshooter789:

According to whois the IP is located in France. It belongs to a VPS company, Aqua IT (https://www.lavavps.lt/).



[3 Points] mejuwi1:

More reason for every "new feature" announcement to be put through a stress test by the general public (i.e. the users of DNM).

People would have immediately called out the need to download order history. I guess it makes sense for larger vendors but no one should really download any file off a hidden service. If it can't be viewed in the tails browser window with the slider set all the way up, then it should not be opened for any reason whatsoever.

LE is right on top of this shit, gotta stay careful out there...


[2 Points] defcon_guy:

It's called a honeydoc. It was in the Defcon 22 "How Tor Users Get Caught" talk.
https://youtu.be/7G1LjQSYM5Q?t=1679
https://github.com/jqreator/honeydoc


[1 Points] TILYouLoveDrugs:

Anyone noticed how quiet it got around here in the past day or two?


[1 Points] shennagigans:

Would someone feel like explaining how you can analyze a file to find this stuff?


[1 Points] FbisGaY:

If they bust in your door, you should act like a mental retard. What would they do? I mean like really, really retarded. I am sure no judge or jury would believe you are capable of doing shit like that. It's not impossible, people can fall down the stairs and shit, am I right?


[1 Points] lmaouzz:

It was so strange, so I opened it using a text editor, but nothing showed, so I simply deleted it. Do you think I'm safe?


[1 Points] Big_Boy_Stacks:

Opened the file accidentally instead of saving it. Kept it in protected mode, and was using vpn. Do the image trackers still connect in protected view/mode?

Do I need Belize and lube?


[1 Points] _Dreadz:

Yea, Metasploit will allow you to create a payload now that can infect the victim from them simply hovering over the link; they don't even have to click it anymore. When you hover over a link and it gives the description is where the attack happens, and the majority of people will hover over a link to check where it leads to.


[1 Points] _Dreadz:

Funny thing too is I wanna say something like this was included in one of the Shadow Brokerz leaks (the exploit).


[1 Points] opiateconnect_:

I'd say right about now every vendor who downloaded the locktime files is shitting bricks.