
Hello guys, welcome aboard, and thank you, thank you, thank you for joining us. My name is Filipe Pires. I like these guys in this picture, by the way. So, my name is Filipe Pires. I've been working as a principal security engineer and security researcher at ZUP Innovation. It's a Brazilian company, and the focus is on exponential growth and on giving an awesome experience to the developers, you know, and to the people. I am also a security researcher and instructor at HackerSec, and this company is responsible for providing some courses, fantastic ones, about red team, blue team and purple team, and other different courses.

I am a Hacking is NOT a Crime advocate. It's an awesome, awesome, awesome project, and the idea of this project is to try to explain more about this kind of concept and this culture, because hacking is not a crime. Exactly: hacking is a mindset, hacking is a lifestyle, and it's about a creative mind, right? So that's our idea with this project. I'm also part of the staff team of the DEF CON Group in São Paulo, and as you can see, I love being part of many different communities, because I believe it's very, very, very important to be part of these communities: you can share knowledge, you can share different subjects and topics, you can give knowledge and you can receive it as well. I've also served as a professor at some universities here in Brazil, at some colleges like FIAP and Mackenzie, and I am founder and instructor of the main course at HackerSec; its name is Malware Analysis Fundamentals. Here are my contacts on Twitter and Telegram, and this is my email. If you'd like to send me a message, to talk with me, you know, to share knowledge, I really appreciate it. These are the projects I am participating in, and this is my home page, my web page.

Here are some open source projects that I like. I will explain more about the Horusec program, and here I am: I've been working on other different projects, like Ritchie, an open source tool that allows you to create, store and share securely "how-tos" and formulas; another project, Beagle, an open source platform, a framework based on server-driven UI that allows teams to make changes to native mobile or web applications (it's very, very interesting); and another one, Charles, an open source tool that lets all the teams deploy quickly, continually and securely and simultaneously validate different hypotheses with specific groups of users. Here you can find other presentations or talks that I did at some events, and here some articles that I have published, if you'd like to see them.

So let's talk about our summary, our agenda. First we understand who is a threat, because I would like to put everyone on the same page; I think it's very important. After that we are going to talk about malware analysis, and we need to understand, we are going to understand, the structure of the PDF. I will do the demo at the end of these explanations. At the end, if you have any questions, I hope to answer them.
So, who is a threat? It's a very important thing here, because in security we have many different explanations of this word, a simple word, right? I just chose one of these. According to this definition, a threat is a potential cause of an incident that may cause harm to a system or organization. And here we have interesting points: a threat can be a software attack, a theft of intellectual property, identity theft, sabotage, or information distortion; these are examples of information security threats. As such, most organizations choose to practice active threat hunting to defend their organization from network threats. So that's a good point here.

So maybe you can think now: "Filipe, so actually a threat is almost everything?" Maybe. Of course it's related to software or attacks; of course we have physical attacks as well, so in that case it's a bit different, but at the end of the day the concept is almost the same: the attacker will attack something, software or people. That's the important thing here.

So the first step, when I need to execute some analysis: the first idea I have, of course, is that I have a simple sample, and I don't know if it's malicious or not. So I have a sample and I need to analyze it, and the first step, the first idea, is the identification step, because I have a sample and I don't know if it's malicious or not; I don't know if it's malware or not, or if it's a malicious document or not. So this is a simple definition: malware is malicious software, and a maldoc is a malicious document. So when I identify this sample, I can choose the best method that I will apply to this binary, for example this file. I will use static analysis or dynamic analysis; this is just the concept. After that I will prepare a report, because this is a very important step: after I have executed this analysis, I can prepare a report, because of course this is part of our job, part of the role of the analyst or the threat hunter or something like that. This report I can present to my manager, to my tech lead, or, you know, whoever, and I can explain all the steps that I executed when I made this analysis.

"But Filipe, if I have a report, what can I do with this information?" The next step is very important, because I can improve the defense mechanisms. At the end of the day, when you do this analysis you can improve your defense mechanisms, because you will discover what kind of steps or ways the attacker can use in your environment. So if you see that the attacker is maybe using a bypass technique to, you know, exploit your firewall, for example, you can do something different: you can improve the configuration, you can use a different or best practice, you can review the configurations and settings of the tools that you use or the products that you buy, for example. After that you can create good cyber threat intelligence; it's very interesting, because if you have a small company maybe it's impossible to create cyber threat intelligence, but today we have many different software or open source products that can help you to build it. And why could you create cyber threat intelligence? Because if you learn the behavior of the attacker, of course you can prepare your defenses, the mechanisms, more. This is very important here. And of course, because of the cyber threats, you need to have strong cyber resilience.
We need to have this because, during our presentation right now, probably we have another guy, another attacker or threat actor, creating a new, different attack using different techniques. Because of this we have this life cycle, not a life cycle, but the cycle of the attacker phases, right? So you can use this method.

Let's talk about static analysis. So, what is static analysis? It's very interesting; usually this is the first step that the analyst uses, because usually static analysis describes the process of analyzing a program's code. It means you have code and you can analyze all the parts of this code, whether part of this code is malicious or not, or you can analyze the structure of this code: if inside this code we have a structure, if this structure calls some function, for example, you can find a DLL and what function this DLL is calling inside the operating system, for example. And the program itself doesn't run at this time, right? Of course, there are parts of the program that you can use, but usually this method is safer, because, as I mentioned, it doesn't run at this time; you use manual commands to try to understand this code.

When we talk about dynamic analysis, it's another part, another different method. Usually it's based solely on behavior; it means the interaction that the malware has when it's executed, the malware or maldoc in this case. This analysis is also known as runtime analysis; it means you execute the malware inside a controlled environment, or a non-controlled environment. You can use some tools or products: you can put this malware inside this product, this tool, whatever you call it, and you can analyze the behavior inside this controlled environment. So it can be easily automated; there are many sites today that already perform analysis of these malicious artifacts, using a small concept called a sandbox. It's similar to a virtual machine: we put this malware inside the virtual machine and after that we see what behavior this malware has inside this virtual machine.

So let me see here. Yes: before we talk about the physical and logical structure, I would like to share something with you about the phases, because it's important. If you remember, in the beginning of this presentation I talked about the identification step. The idea here is to try to understand this point. So here I have many artifacts: I have amazon, I have view invoice, I have linux, I have pdf (this is a folder, not a file), and I have here resume docs. So I have many different files
with different extensions. So what command can I use here to try to find any information about these files? I think many people know the file command, right? So I can execute my file command to try to identify what this sample is. So here, amazon is a Microsoft Word 2007+ document. Let me try looking at another one, for example view invoice; it's different, it's a PDF file. Let me see linux.txt; maybe it's a text file. In this case it's not a text file, it's an ELF. So it's different here, because I have another interpretation. Let me see another file, resume, about PDF; it's a PDF, perfect. Let me see here, in windows, I have another one, I have a sample file, and here I have a PE32 executable.

So as you can see, using the file command we have an identification process. But we have an interesting point here, because I have this file linux.txt, but actually it's not a text file; it is an ELF file. How is this possible? Because we need to understand the basics; that's my point here. When you execute this file command, in this case file determines the file type, but what is actually the correct information that this command is using when it's executed in your environment? So here is the manual. I know you probably don't like to read the manual, not only on the Linux platform, you don't like to read any manual; I don't like it either, by the way, but I suppose that you don't like it. But here we have important information to understand the basics. So let me explain more about it: "the magic tests are used to check for files with data in particular fixed formats". So probably we have a specific format to try to find, to understand, what kind of file this is; it's not, of course, based on the extension. And here we have the explanation: this value is called a magic number. Here is the key: all files have a magic number, and this magic number is stored in a particular place near the beginning of the file that tells the Unix operating system that the file is a binary executable. So here we have a simple and very important explanation: all files have a magic number, and all these magic numbers are stored in a particular place near the beginning.

But how is it possible to understand more? So here I made this very interesting thing to try to explain more about the magic number to you. I downloaded the file command, actually not the file command, I downloaded the database responsible for offering this information to the operating system. Of course, on the Unix platform, as you can see here on my machine, this binary is compiled inside the operating system; in my case I downloaded this source code and I searched for and downloaded the database of the file command. So let's see very interesting information here. Let me look more inside the javascript entry: here we have the file for javascript, of course, and we have some important definitions. When I execute the file command, this file command looks inside the database to try to find the magic number of the JavaScript file, for example.

Let me put this information here: I will copy it here, and I create this simple file here, pdf.txt, and I will write here, I will put just some text, and I will save. And I run file on the pdf: actually it's text, as you can see; it is a text file. But now I change this information in the beginning, because I learned now, I read in the man page of file, that all files have a magic number in the beginning, in a particular place, in the beginning of the file. So I will save here, and note, when I execute file, take a look at what happened: this is, of course, text, but in this case the magic number is identified as a Node.js script. Take a look, I will change another thing here: I will put just a simple sign here, and I will save again, and let's see what happened: it's a Python script. Very interesting. So let's change something here: I move it to pdf, I rename the file to .pdf, and I run file on the pdf. Yes, let me change the extension to .pdf and let me look again: it's a Python script, right? So let me call Python here: I have three files here, and we have a syntax error, because it's not Python. It's very interesting, because it's not Python, but if you see in the beginning... so let's see here, cat python: take a look here, there's some regex. Ah, because of this, because I put the magic number here. As you can see, we have different information here, like regex; you can see the information here that you can use. For example, let me copy here and I will change one more time; it's Python. I will cat here, and probably you see, in this case, I think it looks very interesting. In this case it's different, because probably we use only one rule inside the database now; the rule is actually one of those rules. I think it's better with this group. So let me change one more and the last time here: oh yes, but here I will put %PDF, because this is our challenge here today, and now I save here and let's see what happened: whoa, it's a PDF document, but the extension is Python. So I did all of this during this
presentation because you need to understand all these basics. As I showed during this presentation, you see, we saw here, actually, that the file or the identification step is very, very important, because you need to understand the inside of the file. Probably you know about the file command, but the idea here is to try to explain to you how important it is to understand all these things. For example, let me share my screen one more time with you. Let's look inside this one more time; I think you know, but probably some people don't know. Let me look inside this man page: here we have another interesting, very interesting piece of information. Okay: "The magic tests are used to check for files with data in particular fixed formats. The canonical example of this is a binary executable (compiled program) a.out file, whose format is defined in elf.h, a.out.h and possibly exec.h in the standard include directory." So let's see, because I can see, I will copy this format. Let's see, let me return here; yes, locate this file, let's see. So this binary, actually this file, is included in this path, /usr/include/elf.h. Are you ready? Are you reading here? Take a look at what is important here: this file, I think you can read it, this file defines the standard ELF types. So take a look at what is important inside this file: this file defines the standard ELF types, structures and macros. So here we can find the correct structure of the ELF file. If you scroll below, if you see here, you can see the number of bits used, the words, the half words and so on, and here you can see the interesting information, the ELF file header.

I know this presentation is about PDF, but take a look at the man page, the information that we found inside the man page, the ELF file header. Okay, this is the ELF file header: "This appears at the start of every ELF file." It means it appears at the start, whatever start is: in the beginning of the ELF file. What starts in the beginning? In this case, in the beginning of the ELF file we have 60 bytes, in this case, and you have this structure of 60 bytes, and the first array of these bytes is called e_ident, and you will find the magic number and other information inside these 16 bytes. So you find all this information: magic number and other information. What kind of information? You can see here, let's see: okay, these fields in the e_ident array: you will find the file identification bytes; the first is 0, the second is 'E', the third is 'L' and the fourth is 'F'. I will show you another thing: let me open this file, linux32, and let me use file on it, and if I use xxd on linux32... okay, no, it's not me, no, you know.

So take a look here at the four bytes: the first is 0, the second is 'E', in this case it's 'E' here, as you can see, the third is 'L', it's 'L' here, and the fourth is 'F', you see. You can see; so this is important. You need to understand this, because I read the man page of file, and I found a lot of information about the structure of the file. But if I didn't read this information inside the man page, you know, how would I be able to understand the basics? Of course I need to run, I need to study, I need to read; actually I need to study all these pages. This is the main point here when you talk about malware analysts, when you talk about red teams, fantastic defense teams like blue teams, or threat hunting teams, or SOC teams, or whatever: you need to understand
all these basics, right, people? So let me return to my presentation, let me return to the structures. Let's talk about the physical and logical structure of the PDF. Usually we have four parts: the header (it's very common in whatever binary), we have the body, we have the cross-reference table, and we have the trailer. So these are the main parts of the PDF: in the beginning of the file we have the version number; you have objects, you have images; you have the cross-reference table, which is the location of the objects inside the file, because the access is random; and we have the trailer, which is the location of certain objects inside the body. It means you have a main body, you have many objects inside this body, and all these objects reference one another.

So let me show you the demo. I use here some tools to help us in this demo. I use pdfid; it's a very good tool, created by Didier Stevens. I executed it, and if you see here, the first information that we found in this demo, as you can see, we found the header, as I mentioned in the structure. The second piece of information: we found 15 objects. So we have 15 obj, and of course we have 15 endobj, the same 15. Maybe you have here two streams and two endstreams, because we have two streams, and here we have the cross-reference table. And if you see here, we have other important information; of course, all this information is on Didier Stevens's blog, you can find all the explanation on his blog page. But here, /Page, /Encrypt, /ObjStm, /JavaScript: here we will find interesting information; all this information is inside the main part of the PDF.

So here I have an important tip for you: probably, when Didier Stevens created this tool, he studied a lot about the PDF structure, and of course he analyzed many samples, probably for many hours, and he found a lot of information inside these samples. Of course I'm supposing, because I'm thinking of the idea of the basics. So all these slashes are information inside the main part, the main object, and this tool was only possible to create because Didier Stevens, the creator, knew about how this works: not how the tool works, but how the PDF works. That's the main point here.

So let's continue to see here: we have one page, and we can see here that we found five /JavaScript inside the PDF, and we have an /OpenAction. Opening... actually it's a very interesting point here: if you read on the website, you will see the /OpenAction is responsible for the user not needing to click many times in the PDF file. When you have this /OpenAction inside the PDF, the only action the user needs to do is to download the file, for example from an email: if the user receives an email and clicks on this PDF and downloads it, for example onto the victim machine, onto their own machine, because this file has an /OpenAction, when the user downloads this file, this file will execute this /OpenAction. In this case it was something inside the PDF. So I can suppose, of course, that it has an /OpenAction, it has JavaScript inside the file, and this file has only one page, and we have some information about encryption. Probably it's malicious; I don't know exactly what is malicious, but it's malicious.

After that I executed pdf-parser, another tool created by Didier Stevens. I ran it because I would like to see all the information inside this PDF, and here I will explain something to you: as you can see here, the header
and after that you can see here the objects. Object 1: here we have object 1, the Catalog, and here we can see the references. This is a very interesting point, because object 1 references object 2, object 3, object 4, object 5, 6 and 7. What does this mean in this case? It's an interesting point: do you remember when I explained the structure? We have the body, and inside the body we have objects that reference, or are located inside, the file. So many times, not all, but many of these objects reference one another, as I will show you here. So take a look at object 1: we have a JavaScript and we have an /OpenAction. Let me return here: we have an object; in this first step there is an /OpenAction, and after this action is executed on the victim machine, the JavaScript is executed. So here is evidence that it is malicious, because when the user downloads the file, after that the /OpenAction will be executed, and after that the JavaScript will be executed.

So let's continue. Okay, we have objects 2, 3, 4, 5, and take a look here, let me return one more time, because I have another important piece of information here. Okay, take a look at object 4: in this case object 4 references objects 8 and 9, because before we just had objects 1 to 7, but now we have objects 8 and 9, two more objects. So let's continue: object 6, and here we have another reference; object 7 has another reference to object 10, and inside object 10 we have a JavaScript. Okay, so here in object 9, take a look at what happened: we have object 4, because, you know, one references another; we have this reference between the objects, and here we have another reference, object 11. So we began with one object, and now we have 1 to 11. But when we executed pdfid, do you remember how many objects we have inside this file? 15. Don't forget this. Take a look here: we have object 10, and inside object 10 we have another reference, object 12, and here we have a JavaScript. Okay, take a look at object 11: here we have different information, "contains stream", so probably we have something inside this stream, and we have the /FlateDecode flag, because we need to decode the information, and here we have a /Length; it's like the size of this kind of string. So maybe when you see the size here it's small. Okay, and inside object 12 we have another reference to object 13, and inside object 13 we have what? A JavaScript. So let's continue to see what happened in here: take a look, object 13 contains a stream, and you have the same /FlateDecode flag, but here we have a big, big size, 31531; it's a big size. So here maybe I need to look more deeply. Okay, and we have another object, 14, the last one, or almost the last one, because we have 15 objects inside here, and we have here object 15. Okay, so we need to look more deeply at object 13.

So the next step: here we use peepdf, another tool; actually this tool is not from Didier Stevens, but it's another very interesting tool. I will basically run the command, I will collect the output of this sample, all this information, because I will structure this information here, and I will uncompress all this information inside this dump.txt. Okay, I executed this, so now we need to
see what information we have inside this dump, and take a look at what we will see here: I can see all this information, and take a look here: here we found the first technique used by the attacker. Here we can see the JavaScript is obfuscated. So what is the next step I need to do? Deobfuscate this information. Here the attacker uses this technique, right? So I will see here some information, I see some parameters that the attacker used in this demo, in this case. So I will copy the code, and of course I need to deobfuscate this code to try to find some information. So I will save this file as HTML. Why? Simple: because when we execute any web application, usually it's using JavaScript and HTML and CSS and something like that. So I found here the eval parameter, and I will use this eval parameter to try to deobfuscate this code. Basically I will look inside this parameter and I will change it to document.write, because, actually, the idea here is to try to see what information we can find inside this obfuscated JavaScript. So take a look at what happened here, it's very, very nice. After that I gave the privilege to access this information, of course, and I will execute this payload.html. So take a look now at what happened here in our demo: wow. I will show you: we found the variable payload, as you can see here. So what does this mean exactly? In this case we found a malicious payload. So, first of all, we have a PDF file; inside the PDF file we have an /OpenAction; this /OpenAction after that will execute the JavaScript; this JavaScript was obfuscated; inside the JavaScript there is a payload, and this payload is responsible for, you know, loading this payload inside the victim machine, and this code is responsible for calling back, the reverse call to the C2, in this case. So now we have a payload responsible for loading this information, or downloading this information, onto the victim machine, and this payload, in this case, as I'm showing you, will be responsible for calling the C2 of the attacker, the threat actor.

So now I could finish my analysis, but here we have an interesting point: let's suppose, if I have the payload, I can try to find the IP responsible for this attacker, right? So after that, what do I see? Let's see what kind of information I can try to find. So I see here some information, like a percent sign and some numbers. So in the next step I created another file, I called it realpayload, perfect, and I copied and pasted all the information inside this file, and I used sed to cut these percent signs, because my idea is to try to clean the file. Take a look here: the var, the parameter, and I cut some information, and here I cut many others, like the slash, like the percent, and I copied this information, and I arrived at pure Unicode here. So now I have this Unicode code; it's another technique, because the attacker in this case... of course it's not new, it's old: the Unicode code based on UCS-2, yes, UCS-2. So it's Unicode; it's basically two bytes, different from ASCII, because it's very common now. So this here is very interesting. I use many Linux platforms, so now I will show you another platform, Malzilla, on a Windows machine. So here we have the same code; we have all these percent signs here, which I need to cut, as I did on the Linux machine. So I cut this information and here I have the pure, you know, pure Unicode.

So, do you remember: I had an obfuscated JavaScript, I deobfuscated this code, and after that I generated a payload; in this payload I found Unicode code based on UCS-2, and from this information I generated an executable binary using this tool, Malzilla. After that, take a look at what I did: I used another tool, also provided by Didier Stevens; I gave it the executable file that I generated here, and I searched for the HTTP protocol, and take a look at what I found: basically I found the C2 of the attacker. You see, this attacker was, in this case, in Estonia, right?

So now we finish our presentation, and I will show you here my contacts again on social media. Just to finish the presentation, let me talk with you: we had a simple PDF file, so we found JavaScript inside the PDF file; we had an /OpenAction inside this PDF, and this /OpenAction called a JavaScript; the JavaScript was obfuscated; inside this obfuscated JavaScript we have a payload, and this payload will be downloaded onto another victim machine, and this payload has Unicode code, it's old of course, but it's another technique. After that I generated an executable binary, and after that I used a tool to collect the HTTP protocol to find the C2 of the attacker, in this case a command and control, responsible for sending this attack to the victim machine. So we finish our presentation. If you have any questions, please let me know; I am available to you. Thank you one more time for staying with me during this presentation. So again, if you have any questions, I am available to you.
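As an added example (not code from the talk, nor from Didier Stevens' pdfid or pdf-parser), the Python below reproduces the triage steps of the demo on a PDF constructed inline: identification by magic number, a look at the ELF e_ident bytes, pdfid-style keyword counts, inflating a /FlateDecode stream, and decoding the %uXXXX (UCS-2) escapes back into raw bytes. The sample PDF, its hex-escaped /J#53 name and the %u values are constructed placeholders, not real malware.

```python
# Added example: magic-number identification, ELF e_ident, pdfid-style counts,
# FlateDecode inflation and %u (UCS-2) decoding on a constructed sample.
import re
import struct
import zlib

# Step 1: identify by magic number, not by extension (what file(1)'s magic tests do).
MAGICS = [(b"%PDF-", "PDF document"), (b"\x7fELF", "ELF executable"),
          (b"MZ", "MZ/PE executable"), (b"PK\x03\x04", "ZIP container (e.g. .docx)")]

def identify(data: bytes) -> str:
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown (no known magic number at offset 0)"

# Step 2: the first 16 bytes of an ELF file, the e_ident[] array defined in elf.h.
def parse_elf_ident(data: bytes) -> dict:
    if len(data) < 16 or data[:4] != b"\x7fELF":                       # EI_MAG0..EI_MAG3
        raise ValueError("not an ELF file")
    return {"class": {1: "ELF32", 2: "ELF64"}.get(data[4], "invalid"),   # EI_CLASS
            "data": {1: "little-endian", 2: "big-endian"}.get(data[5], "invalid"),  # EI_DATA
            "version": data[6]}                                           # EI_VERSION

# Step 3: pdfid-style keyword counts over the raw bytes.
PDF_KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer",
                b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript",
                b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/J#53 -> /JS) before counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_triage(data: bytes) -> dict:
    """Count keywords; the boundaries keep 'obj' out of 'endobj' and '/Page' out of '/Pages'."""
    data = normalize_names(data)
    return {kw.decode(): len(re.findall(rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z])", data))
            for kw in PDF_KEYWORDS}

# Step 4: inflate /FlateDecode streams and turn %uXXXX escapes back into bytes.
def extract_streams(data: bytes):
    """Yield (object number, decoded stream bytes) for each object that carries a stream."""
    for chunk in data.split(b"endobj"):
        head = re.search(rb"(\d+)\s+0\s+obj", chunk)
        body = re.search(rb"stream\r?\n(.*?)\r?\nendstream", chunk, re.S)
        if head and body:
            raw = body.group(1)
            if b"/FlateDecode" in chunk[:body.start()]:
                raw = zlib.decompress(raw)
            yield int(head.group(1)), raw

def decode_percent_u(text: str) -> bytes:
    """%uXXXX is one UCS-2 code unit stored little-endian (low byte first); %XX is one byte."""
    out, i = bytearray(), 0
    while i < len(text):
        if text.startswith("%u", i) and i + 6 <= len(text):
            out += struct.pack("<H", int(text[i + 2:i + 6], 16))
            i += 6
        elif text[i] == "%" and i + 3 <= len(text):
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)

def analyze(data: bytes) -> dict:
    """Run the steps above; 'payloads' maps object number -> decoded %u bytes."""
    report = {"type": identify(data), "keywords": pdf_triage(data), "payloads": {}}
    for num, body in extract_streams(data):
        m = re.search(rb"(?:%u[0-9A-Fa-f]{4})+", body)
        if m:
            report["payloads"][num] = decode_percent_u(m.group(0).decode())
    return report

def build_sample_pdf() -> bytes:
    """Constructed sample (not real malware) with the shape seen in the demo:
    Catalog -> /OpenAction -> JavaScript object -> FlateDecode stream that eval()s
    a %u-encoded string. The %u values are placeholders, not working shellcode."""
    js = b"var payload = unescape('%uc033%u4141');\neval(payload);"
    stream = zlib.compress(js)
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /S /JavaScript /J#53 5 0 R >>",          # /JS hidden with a #-escape
            b"<< /Type /Page /Parent 2 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
            + stream + b"\nendstream"]
    out = b"%PDF-1.7\n"
    for n, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Calling analyze(build_sample_pdf()) returns the keyword counts (one /OpenAction, one /JS even though it was written as /J#53, one /JavaScript) and, for object 5, the bytes recovered from the %u string.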