
BSides LV 2023 - Proving Ground - Tuesday

BSides Las Vegas · 1:57:51 · 271 views · Published 2023-08
About this talk
BSides Las Vegas 2023 - Proving Ground - Day One 00:56:40 - Enemy at the Gate, and Beyond: Detecting and Stopping Account Takeover 01:26:19 - OH-SINT: Merging OSINT Into RE Workflows to Simplify Analysis
Transcript [en]


Thank you. All right, hello, hello, is this thing on? Can everybody hear me? All right, AV, can we get a confirmation of mics please? Awesome. Hello everyone, good morning. Yeah, welcome to BSides Las Vegas, we're stoked today. This is the Proving Ground area, we've got some awesome information lined up for today. I'll be your spiritual guide slash information highway jester. So before we get going I want to get to a couple of housekeeping items. First we need to thank all of our sponsors, of course our Diamond sponsor Adobe, and then our Gold sponsors Toyota, Prisma Cloud and PlexTrac. Of course without their support none of this would really be possible. The other thing to remember:

please silence your cell phones, nobody likes the loud buzzing going off in the middle of a presentation. Also, since this is being recorded and streamed in some cases, we don't want to interrupt the folks at home that are watching. During the Q&A please make sure you pop up to the microphone here to use it, otherwise we can't hear you and the folks at home can't hear you, so please make sure you do that and use it. And then without further ado I would like to introduce you to Yuval Zakaria to talk about Enemy at the Gate: Detecting and Stopping Account Takeover. Please, thank you. [Applause] Hi everyone, thank you for coming here

today. My name is Yuval, I live in Tel Aviv, Israel, and my background is mostly from 8200 intelligence in the Israel Defense Forces. Over the past two years I've been working for Hunters, an Israeli startup that builds a SOC platform. In this talk I'm going to introduce the account takeover research that we did in the team, talk a bit about our team's unique approach, provide some real-life examples and share some hands-on experiences. So what's the problem and why is everyone talking about account takeover? The three primary ways in which attackers access organizations are stolen credentials, phishing and exploitation of vulnerabilities. According to DBIR reports, more than 50 percent of the attacks this year have

used stolen credentials for initial access, which makes it the number one attack vector. When talking about web application attacks the numbers are even higher: 86 percent. Let's dive into some real-world examples. I'm sure you all heard about Lapsus$ not so long ago. Lapsus$ had access to T-Mobile's network by compromising employee accounts, either by buying credentials or through social engineering. This gave Lapsus$ access to T-Mobile's internal tools, including Atlas, a tool used for managing customer accounts. Through this employee account access the hackers were in a position to carry out SIM swap attacks, where hackers reassign a target's cell phone number to a device under their control. This allows for the interception of phone calls and text messages that can

be used to further break into a victim's account and also obtain two-factor authentication codes. The hackers were able to steal source code from a range of companies' projects; that's what the group has done with Samsung, Microsoft and Globant. And this is not the end: the Google Fi breach resulted from the hack on T-Mobile, which impacted 37 million customers by exposing their phone numbers. The attack was essentially an API scraping exploit allowing the attacker access to records of basic customer contact and profile information. Well, that's not a big surprise. In the MITRE ATT&CK framework there are more than 50 references of different attack groups leveraging credential theft, and as you can see the list of breaches is

just getting longer and longer. So what's the problem and why is it so challenging to detect? We are well aware that the companies whose logos we just saw all utilize some form of identity provider. While multi-factor authentication is highly recommended and useful, it is not bulletproof. Detecting account takeover during the initial access phase is indeed possible, but it's not so easy. Whether it involves credential theft from the dark web, social engineering or a supply chain attack, the attacker enters in the king's rush, the red carpet is laid out before them, leaving defenders with limited options. However, there are steps that can still be taken. Account takeover is more than just getting authenticated; we divide it into

two different stages: access acquisition and access leverage. Access acquisition is often considered a singular event; by resetting credentials and invalidating all sessions the attacker's access can be blocked. However, incidents like Lapsus$ have taught us that insiders can hand-deliver credentials to attackers, enabling access without triggering failed login alerts, requiring enumeration or generating failed MFA challenge alerts. This allows attackers to bypass the traditional steps associated with account takeover, even without breaching any accounts within the organization. Access leverage has become increasingly dangerous with the rise of single sign-on (SSO) and identity services, as they become a single point of failure. Gaining access to an SSO or identity service authenticated account essentially grants the keys to the kingdom.

In this talk we will explore one of the most interesting attacks witnessed this year within one of our customers' environments. We will cover both the access leverage and access acquisition aspects, explaining how every step within the kill chain can be detected. Let's see that in action. It begins when the attacker somehow gets John's credentials, whether they have been leaked or purchased. Then they bypass the MFA and gain access to John's Azure account. Afterwards they send a phishing email from John's compromised email account to Sarah. Sarah clicks on the malicious link and malware is installed on her computer. This malware steals her Okta session cookie, enabling the attacker to hijack the session and gain a temporary access

key to the company's AWS account. In order to remain persistent in the network, the attacker creates a persistent AWS access key, allowing them to exfiltrate and manipulate data. We're going to cover some detection opportunities for the techniques involved in this attack chain. My focus extends beyond simply identifying these techniques; we will also talk about noise reduction methodologies for very well-known detection rules and avoiding the issue of alert fatigue. Lastly, we will discuss the workflow for security responders during investigations. Let's begin exploring these detection techniques and strategies in detail. The first step that the attacker will perform is to log in using John's credentials. Since the attacker and John are not located in the same place, and probably

not even in the same country, we are supposed to be able to detect this using the impossible travel rule, also known as superhuman activity. Impossible travel is about detecting two consecutive logins from two different IP addresses by the same user, with the required traveling speed between them being impossible in the specific time frame. Impossible travel may indicate the logins were not made by the same person, therefore raising the suspicion that the user was compromised by a malicious actor. Sounds easy, right? Well, apparently it's not so easy. Simply running this rule on one of our bigger customers' login logs, a unified schema containing login logs from different data sources including identity providers, homegrown applications, cloud providers and basically any SaaS that you can

think about, returned more than 9 million alerts per one week. That's of course not a number that any analyst, talented and experienced as he is, will be able to deal with. In order to reduce noise and find the needle in the haystack we need to understand the root causes for false positives and identify common patterns, so we can develop noise reduction methodologies without making significant compromises. The first problem that comes to our mind when developing impossible travel detection is how to deal with VPNs, NAT and proxies. These tools are used legitimately in organizations to remotely log into different services. As I mentioned earlier, impossible travel is all about SaaS application login logs, but what if we leverage EDR logs

to identify IP addresses that are being used by a large number of users? If more than, let's say, 10 endpoints with the sensor installed are seen behind an IP address on a regular basis, we can assume this IP address is the office NAT or the company's VPN, and therefore not generate an alert for it. This methodology reduces like 35 percent of the alerts. Continuing this line, another common false positive pattern that we identified is IPs that are being used on a regular basis. Maybe it is not a company's VPN, but hey, what if I'm logging in from an IP address that has an EDR agent that is seen in the data every single

day? And what if I'm logging in from a phone from the office Wi-Fi? If the IP logged in from is seen behind a computer that has an EDR agent installed, and is used to log in to various SaaS applications for a long period of time, we consider it trustworthy and tag it as an organizational IP, and if both IPs in the alert are trustworthy it is less likely to be malicious activity. Okay, we progressed a little, but we still have more alerts than we can handle. Superhuman activity, as you can guess from its name, aims to catch a human attacker. Understanding that this detection is not dedicated to catching compromised service accounts, we decided to eliminate logins

from non-user accounts. How can we identify these? For example, Office 365 provides the user type in their login logs, and therefore service accounts can be ignored with a simple SQL filter. In Okta, for example, we can tag usernames: prior to the detection phase we use specific events that are only sent by services and tag these usernames as services for future usage; then in the detection phase we can use this asset tagging to filter out non-human assets. Finally, for the last reduction methodology, one of the key questions we ask is: does this traveler consistently travel between two specific coordinates? We then establish a baseline of statistically significant travels involving two coordinate pairs of locations for the same users.

With the baseline in place we can then detect any deviations from the established patterns. When a user's travel behavior significantly deviates from its usual pattern, it raises suspicion and triggers an alert. Through the combined implementation of noise reduction methodologies, including identifying non-human accounts, creating an organizational IP baseline and filtering out rerouting tools, we achieved a remarkable decrease in the number of alerts. This reduction from millions to just a few dozen allows security teams to efficiently handle and investigate the remaining alerts. Okay, so what's next? The attacker logged in to John's account without having to meet the MFA requirements, but how is that even possible? OAuth 2 and other modern authentication methods use an identity provider like Azure Active Directory to enhance

authentication security using MFA. When the user authenticates successfully, he's granted an access token. But what about devices that cannot utilize 2FA? Think about the old printer located down the hall in your office. For legacy devices and applications, OAuth 2 includes a flow called Resource Owner Password Credentials (ROPC). This flow allows the device to receive a token using only the user's credentials, without the requirement of MFA. For example, if your old printer needs to send you an email indicating it's out of ink, it must connect to the Office 365 mail server via its authentication method, Azure Active Directory. Microsoft enables the ROPC mechanism for the SMTP protocol on the Office 365

mail server by default, to provide a way for legacy applications to adopt modern authentication without requiring developers to update the application itself. Exploiting this mechanism, the attacker used John's credentials to send and receive email, sending an email on his behalf and bypassing the need for MFA. So how can we detect this? Microsoft utilizes a user agent called BAV2ROPC, which stands for Basic Authentication Version 2 Resource Owner Password Credentials. It is used to identify basic authentication from legacy protocols. While it is barely documented, BAV2ROPC is a mechanism developed by Microsoft that enables all applications relying on legacy authentication to seamlessly switch to OAuth 2 using the ROPC flow in real time.

Simply looking for this special user agent will provide really decent and high-fidelity alerts. But this is only a user agent; how can we investigate this kind of alert? First, we can correlate the source IP with the EDR agent to determine if it is associated with known endpoints within our organization. Next we can analyze the previous Azure login activity: if this device always uses a legacy protocol to authenticate, it is more likely to be a bad practice than an attacker. Additionally, we investigate the compromised email account for any indicators of business email compromise, such as creation of forwarding rules or sending emails around the login time. As a mitigation step, consider applying

the block legacy authentication policy in conditional access policies. This policy can help prevent further exploitation through legacy authentication protocols. Okay, let's recap what we had so far. The attacker obtains stolen credentials and gains access to John's account. They use an MFA bypass technique, granting access to send and receive emails. Taking advantage of this access, the attacker sends a phishing email to Sarah; when Sarah clicks, malware is installed on her computer. This becomes the pivotal moment from access acquisition to access leverage. Once the attacker has control over Sarah's account, his objective is to gain access to valuable assets and maintain persistence if possible. And what provides access to everything? The identity provider. Now let's dive into the technique of

Okta session hijacking, which is a serious threat in this situation. Let's briefly go over how sessions are managed in Okta. When a user starts a session in Okta, a unique session identifier is generated and relevant information is stored both on the client side and the server side. The session cookies contain session information required for authentication. During the SSO process the user's web browser sends a request to Okta. Since the attacker has malware installed on Sarah's computer, he can steal the session cookie from the web browser and use it to hijack the session. So what does it look like? The session contains two main events in the initialization phase: Okta session start and Okta SSO login.

We're basically looking for something that looks unusual in the session, for example the user agent. The first step in our Okta session hijacking detection is to aggregate the events based on the Okta session ID. By doing so we can identify unique sessions and focus on the first session initialization event within our well-defined time windows. This allows us to pinpoint the start of each user's session. Next we examine whether there are multiple IP addresses, OS or browser variations associated with each of the session IDs. To reduce noise and improve the accuracy of our detection we utilize the Levenshtein distance algorithm. We don't want to alert every time someone just updates their Chrome version, but we do want to alert if there

are significant differences in the user agent, such as different OS versions. The Levenshtein distance algorithm measures the similarity between different OS or browser variations by calculating the minimum number of operations required to transform one string into another. By applying this algorithm we can better identify similar variations and distinguish them from significant differences that may indicate session hijacking attacks. Well, in any successful Okta hijacking attack the attacker is subject to the constraints of the stolen session, both its duration and the resources accessible during the session; if the legitimate user logs out or is logged out by an administrator, the session cookie is invalidated. With that in mind, following the successful hijacking of the Okta session,

the attacker establishes a persistent AWS access key that will later on allow him to exfiltrate and manipulate data. The detection we are going to discuss covers both creation of a new persistent access key and leaked credential usage. The thing is that creation and usage of AWS persistent access keys is very normal, it happens all the time. So how does this detection work? Firstly, we retrieve AWS CloudTrail logs and filter out IAM users. This ensures that we focus on non-temporary users who have the ability to perform API actions. We also exclude the AWS internal IP address set, since these internal IPs are typically associated with AWS services that are not indicative of external access. Additionally,

we filter out requests that are sent from within a VPC by checking for a null VPC endpoint. This helps us identify requests originating from outside of the VPC environment. Next we look for instances where an access key is used for the first time from a specific IP address. Although it is generally not considered a security best practice to use the same access key from multiple new IP addresses, there are legitimate situations where this can occur within an organization. Factors such as third-party integrations or services, as well as a distributed workforce, may lead to access from various locations. To distinguish abnormal usage from legitimate usage involving multiple IPs, we create a baseline using time series calculation. This baseline helps establish a normal

pattern of IP usage for each access key, and alerts only when it deviates from the standard. Okay, back to our attack scenario. Throughout this talk we have explored several critical detection opportunities and investigation workflows to detect both phases of account takeover. We began by discussing the detection of impossible travel, focusing on noise reduction methodologies and avoiding alert fatigue. Next we talked about Azure MFA bypass techniques, emphasizing the importance of the investigation workflow: analyzing Azure login activity and investigating business email compromise. We moved on to the access leverage phase, where we explored the threat of Okta session hijacking and its detection mechanisms. Lastly, we examined abnormal usage of AWS access keys, establishing a baseline to identify potential leaks and

unauthorized key usage. As we wrap up this talk I want to leave you with three important points to remember. First, MFA alone is not sufficient to guarantee security; it is crucial to implement effective detection mechanisms to identify both access acquisition and access leverage, even with MFA in place. Second, data source correlation: correlating data from multiple sources helps us reduce noise and provides a better contextual understanding of potential threats. And lastly, detection is just the first step; an effective security responder workflow is essential to mitigate and respond to security incidents. Thank you very much for your time, I will be happy [Applause]
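The impossible-travel rule and the three noise-reduction filters the talk walks through (organizational IPs inferred from how many EDR-enrolled endpoints sit behind an address, non-human accounts, and a baseline of coordinate pairs a user routinely jumps between), as an added example that is not part of the talk and not Hunters' code. The 900 km/h threshold, the 10-endpoint cutoff, the `user_type` field, the login records, the EDR endpoint counts and the four-week history are all constructed assumptions; the geolocation lookup that would produce `lat`/`lon` from an IP is assumed to have already happened upstream.

```python
# Added example (not from the talk): impossible-travel detection with the noise-reduction
# filters the speaker describes. All records are constructed; Login is an assumed schema.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner speed

@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    user_type: str = "member"  # "member" or "service" (assumed O365-style field)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def loc_key(lat, lon):
    return (round(lat, 1), round(lon, 1))  # coarse bucket: logins from one site share a key

def organizational_ips(edr_endpoints_by_ip, min_endpoints=10):
    """IPs with many distinct EDR-enrolled endpoints behind them: office NAT or VPN egress."""
    return {ip for ip, eps in edr_endpoints_by_ip.items() if len(eps) >= min_endpoints}

def consecutive_logins(logins):  # yields (user, previous, current) per user, in time order
    by_user = defaultdict(list)
    for lg in logins:
        by_user[lg.user].append(lg)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            yield user, prev, cur

def travel_pair_baseline(history, min_occurrences=3):
    """Per-user coordinate pairs seen often enough in history to count as routine travel."""
    counts = Counter()
    for user, prev, cur in consecutive_logins(history):
        if prev.ip != cur.ip:
            counts[(user, frozenset({loc_key(prev.lat, prev.lon), loc_key(cur.lat, cur.lon)}))] += 1
    baseline = defaultdict(set)
    for (user, pair), n in counts.items():
        if n >= min_occurrences:
            baseline[user].add(pair)
    return baseline

def detect_impossible_travel(logins, org_ips, baseline):
    """Findings for impossible-speed login pairs; 'suppressed' names the silencing filter or is None."""
    findings = []
    for user, prev, cur in consecutive_logins(logins):
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed <= MAX_PLAUSIBLE_KMH:
            continue
        pair = frozenset({loc_key(prev.lat, prev.lon), loc_key(cur.lat, cur.lon)})
        if cur.user_type == "service":
            suppressed = "non-human account"        # rule aims at human attackers
        elif prev.ip in org_ips and cur.ip in org_ips:
            suppressed = "both IPs organizational"  # office NAT / corporate VPN
        elif pair in baseline.get(user, set()):
            suppressed = "known travel pair"        # user's established pattern
        else:
            suppressed = None
        findings.append({"user": user, "from_ip": prev.ip, "to_ip": cur.ip,
                         "speed_kmh": round(speed), "suppressed": suppressed})
    return findings

T0 = datetime(2023, 6, 1, 9, 0)  # ---- constructed sample data ----
TEL_AVIV, NEW_YORK = (32.0853, 34.7818), (40.7128, -74.0060)
FRANKFURT, LONDON = (50.1109, 8.6821), (51.5074, -0.1278)
SYDNEY, PARIS = (-33.8688, 151.2093), (48.8566, 2.3522)
SAMPLE_LOGINS = [
    Login("john", T0, "203.0.113.10", *TEL_AVIV),            # stolen creds used abroad
    Login("john", T0 + timedelta(minutes=30), "198.51.100.7", *NEW_YORK),
    Login("alice", T0, "192.0.2.1", *TEL_AVIV),              # office NAT -> corporate VPN
    Login("alice", T0 + timedelta(minutes=20), "192.0.2.2", *FRANKFURT),
    Login("svc-backup", T0, "203.0.113.10", *TEL_AVIV, user_type="service"),
    Login("svc-backup", T0 + timedelta(minutes=5), "203.0.113.99", *SYDNEY, user_type="service"),
    Login("bob", T0, "192.0.2.1", *TEL_AVIV),                # weekly jump seen in history
    Login("bob", T0 + timedelta(minutes=15), "203.0.113.55", *LONDON),
    Login("carol", T0, "203.0.113.10", *TEL_AVIV),           # 6 h for ~3,300 km: plausible
    Login("carol", T0 + timedelta(hours=6), "198.51.100.30", *PARIS),
]
SAMPLE_EDR = {"192.0.2.1": {f"host-{i}" for i in range(40)},  # distinct endpoint ids per IP
              "192.0.2.2": {f"host-{i}" for i in range(12)}}
SAMPLE_HISTORY = [lg for w in range(1, 5) for lg in (         # bob, four prior weeks
    Login("bob", T0 - timedelta(days=7 * w), "192.0.2.1", *TEL_AVIV),
    Login("bob", T0 - timedelta(days=7 * w, minutes=-15), "203.0.113.55", *LONDON))]

def run_sample():
    return detect_impossible_travel(SAMPLE_LOGINS, organizational_ips(SAMPLE_EDR),
                                    travel_pair_baseline(SAMPLE_HISTORY))
```

Running `run_sample()` on the constructed data yields four impossible-speed pairs, of which only John's survives the filters; Carol's six-hour Tel Aviv to Paris hop never becomes a finding because the required speed is plausible. The order of the filters matters for triage: the service-account and organizational-IP checks are cheap allow-lists, while the travel-pair baseline encodes per-user history and is the one most likely to need tuning (the `min_occurrences` cutoff and the coarseness of `loc_key` both control how readily a new route is accepted as routine).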

Hello, thank you very much. It's not often we see a female named Yuval, it's awesome.

thank you

Thank you. Hello, can everybody hear me? Yeah, we having a good BSides Las Vegas? Can I get a thumbs up, a clap, something, anything? Yeah, right on, righteous, cool. Quick reminder: silence your cell phone, nobody wants to hear your awesome ringtone. And then secondly, really excited to bring up Nicholas Carroll here to talk about OH-SINT: Merging OSINT into RE Workflows to Simplify Analysis. Without further ado, Nick, please come on. [Applause] Thank you very much. My name is Nicholas Carroll, I'm a former CISO, now I am a manager of a team that specializes mostly in cyber threat intelligence, DFIR, things like that. We do fun stuff, which is why I didn't want to be a CISO

anymore, so back to doing the really cool stuff there. My team does a lot of different things, and some of the things we run into is things that our SOC analysts pick up from client environments. They're not sure what it is, they'll bring it to us and we try to figure out where to go from there. This whole talk stems from one of those events where a SOC analyst decided to ruin my Christmas. You know, it's always a holiday, right? It could never be like Monday at 10 A.M. that they come up with something fun, it always has to be right on top of a holiday. We had an analyst get an alert and it didn't

make sense to him, and he's a good analyst, so it was like, well, I'm going to trust you on that one, right? It was triggering for some sort of ransomware activity, but it wasn't actually doing ransomware-style activity in the environment. It didn't match any known samples of malware for things that we had, and so we were like, all right, well, this is kind of fun, let's start with what we have, start pulling it apart and see where we can go from there. My analyst in this one, I'm going to shout them out real quick, his name is Brian. This was my malware Santa Claus, and a lot of the stuff that I talk about

here is my side of this perspective. I hope one day I can drag him out and make him do a talk on his side of this whole thing, because he does a lot of really good work on pulling things apart better than I do in the actual code, whereas I do a lot more of the research side of the house, right? So he decided that since he wasn't getting a holiday break he was going to make sure that I had something to do at my in-laws' house while I was hanging out there. So it's a classic story, right? A user clicks on a link and they pick up something they shouldn't. A user wanted a popular application, in

this case they had wanted OBS Studio, and so they went out and they found a link to click on. When we went back through this campaign and we were kind of digging through where did it come from and how did the user even find the thing, in this case a lot of the stuff we found was malicious Google search ads serving it up, but this user had specifically gone to YouTube, searched for a tutorial on OBS Studio and then just clicked on the link in the description and gone to the first thing that was there. And somehow he picked a tutorial that had like five views, so, you know, good job guy. But while we are able to look at the

domain before we download things and figure out that that's not OBS Project's actual website, the user just goes, sees that hey, this has got the logo that I saw in the tutorial and the tutorial said to go here, so I'm going to click download and I'm going to execute the thing, right? This campaign was doing all kinds of stuff for all kinds of different applications too. When we were digging through it they had OBS Studio, they had Notepad++, they had Click Studio and a bunch of other really popular applications all in the same domain host. Like the root domain was ossnincool.com, right? They just changed the subdomain for whatever thing they

were impersonating, and they were serving it up all at the same time. But all we really had was an alert that said ransomware that wasn't ransomware, we had a domain and we had a file hash, and that's about it, right? That doesn't really put us very high on the Pyramid of Pain; that puts us at the bottom, with the stuff that changes too quickly to be useful for detection content engineering or doing anything super handy, because the threat actor is just going to change the hash value and the domain and everything pretty fast, right? That's just the way it goes. You know, if we want to build detection content on it, or figure out what we're looking at, or

where to go with this thing and make it useful, we need to try to get up towards the top, towards, you know, actual techniques or tactics, or really dig into what the malware is doing. And our systems are just not giving us any info; the sandboxes are just kind of timing out or throwing a fit with it, right? We're not getting useful feedback from our own toolsets to pick this thing apart in a quick and easy way. But what we do know by digging through the website is that the link does give some kind of malware, right? When you click download you do get some malware, and when you try to execute it you get a thing that says,

you know, notepad++.exe or OBS Studio.exe or whatever version of the thing you tried to download, right? It had that name and it looked like it was supposed to be that application and it would execute. Except by the time that we were digging through this thing, because domain names, hashes and other stuff change so quickly, the C2 went down and the project was pulled from the malware developer's side, right? So we now had alerts for stuff that didn't make sense, we had something that didn't match known hashes, didn't match known info, and we kind of got stuck, right? We had a little bit of info, at least for the way that it executed, but it could no longer

reach out and pull down anything from C2, it could no longer go anywhere, right? It was just kind of a piece of junk malware now. But we knew we had something interesting, so we didn't want to necessarily give up on it, and we knew that most likely when one user gets it, it follows, because while our user found this beautiful YouTube tutorial and downloaded the thing from there, what tends to happen is the users talk amongst themselves, and so that YouTube tutorial or that thing that they found spreads around as people talk amongst themselves and share it and go, oh man, I found this great thing, go here and do this, right?

But we at least got a little bit of information out of here. We got a user agent, we got a second stage URI, nothing that was functioning, but with the user agent we were able to do a little bit of open source searching. Okay, we turned it around because we weren't matching on known hashes and VT was coming up empty, VirusTotal was coming up empty. We were able to take that little bit of info we had and we located a piece of research from a few months prior from ThreatMon. They had found a brand new stealer malware that was being advertised on Telegram and they posted their research in October, and we stumbled across the

thing in December, right? And this thing, if you've seen, I heard this name recently, it blew up in like February and was like everywhere for a little bit, still pretty popular. But they found a beta version of it from the developer posted, and they did some basic research on it and they had a little paper for it that they published in October. And so we were able to at least take this information and start going further and expand our search, right? We were able to feed off of what they've done and what we knew to start carving out for more information to see if we could find, hey, that C2 went down but there's still active stuff out

there, right? There's got to be something we can use to build our materials and put things together. And finding this piece of information and putting it together with what we had gave us our "oh" moment, right? That moment where we were able to go, oh okay, now that we've seen this before, or at least we've seen that someone else has seen this before, and we have a general idea of how it used to function, we can take that, feed it back into our research and kind of trawl around a little bit. Using the information there we found the active C2s. So the one we originally found had been abandoned, but we at least knew, you know, some

information about the server and how it was operating and from the report from threatmon we knew the types of Uris and ports that they were expecting on the C2 we punched that into shoden and we found some servers and we found some active ones yay from here we were able to start kind of pulling things together and making heads or tails of what we had found and really piece things together into something that worked for us for detection content right we were able to get fresher samples than what was in the threatmon report because we were going out to the active C2 and pulling stuff down we were able to pull that apart to an extent

and actually analyze how it was functioning so we could write better detection content based on updated versions of the malware and how it operated even if you changed the C2 or the hash so we noticed that you know the HTTP user agent it was using to communicate hadn't changed the actual back Channel it was used into the C2 hadn't changed we were able to actually generate some detection content and key off of there but one of the other really nice things we found in researching this and having this o moment is we had the name of the malware right and threatmon didn't come up with that name themselves that is the name the malware developer chose for this

particular stealer, and that was the name that they had for all of their information about that particular stealer. So we were able to take that information and go out and basically find the malware developer, which was really, really handy, because it turns out if you go out and actually do some searching outside of just trying to plow through the code on something, sometimes the malware developers will tell you how things work, and we'll look at that in a second. But yeah, definitely, uh, you know, one of the things that I run into with the guys that I have that do RE a lot is they get really hung up on the code. The code they

have in front of them is the golden key to everything, it must be the golden key, it's the one thing they want to focus on. And the problem is that when you get into modern malware you get into a lot of obfuscation techniques, and it becomes very frustrating sometimes to pull apart the code to get something meaningful from it, or it's written by somebody who does not, you know, have English as a native language, so you wind up seeing a lot of Russian terminology used for variables and things. And, you know, I'm not a Russian linguist at all, none of my guys are, right? So it kind of frustrates us and puts us in a weird spot.

So one of the things that I've been encouraging my RE guys to do, and anyone else who's in this kind of workflow, is to think about your processes and the people that are working on them, and explore around just the piece of code in front of you: actually look out to the world for what's posted and see where you can go from there and what you can garner, because you can cut down on your analysis time when you find good information about that piece of malware, right? Either prior research or just what is out there from the malware devs themselves, because they like to talk sometimes. It becomes, like, typically a lot of the RE guys I know, they go through a very

linear workflow of pulling things apart. Bringing in outside research like OSINT kind of makes it a more cyclical piece. So if you think about, like, the threat hunting lifecycle, uh, it's very much just a bunch of cyclical processes that feed back into each other, right? We've got our threat intel which goes into the SOC, the SOC does beautiful things with it, and either they come out with something on the side that needs a CSIRT, or they come back with just a little bit of cool information that we can turn into detection content, spread across everywhere, share as a Sigma rule, yada yada, right? But it feeds back unto itself. We actually take these workflows, and

instead of just being like, I'm going to give you this piece of information, you're going to search for it and then the workflow stops, you want to actually feed it back in, and that's what we do in a good threat hunting lifecycle. And it's the same kind of thing we can do if we're bringing more outside research into reverse engineering, where we can stop and pivot and bring things back in and kind of get it going into a cyclical approach. Uh, there's a really good paper from a Spanish university on a systemic approach to malware analysis. I've got the actual citation there, because I'm going to steal their graphics real quick; that way I didn't

have to reinvent my own, because I am known to be lazy. And one of the things that they bring up in their systemic approach to malware analysis is the issues around specimen obfuscation and having to deal with a restricted execution environment, right? Actually having to bring this thing into some sort of VM sandbox; you can't just run it anywhere or you're going to get ransomware everywhere on your network, right? You have to put it into its own little cubby and play with it in a safe space or risk real issues. But the biggest thing here is that specimen obfuscation. It becomes a really chaotic thing to try to pull things apart when the malware developer has

purposely just dumped a plate of spaghetti in front of you, right? In their paper, uh, they actually are pulling apart multiple samples as, you know, proof for how to use a systemic approach to malware analysis, and one of the things they run into is debugger checks, right? That's super common now for a lot of malware. A lot of malware these days, it's VM-aware, it's debugger-aware, it's pumped: they're taking garbage data, it's just a bunch of extra zeros, throwing them at the end of the file and pumping it out to make it look huge on disk, so if you try to upload it to something like VirusTotal it won't execute. We've had a couple of samples that have been

over a gig. My favorite one so far, when we unpacked it, it was 99 gigabytes showing up on disk, which in my mind I was like, what happens if I unpack this thing on a computer where, like, the hard drive is full? Does your malware just not work, right? So you wind up in this situation where you're trying to dig through all of this junk that's making it problematic, and that's where documentation comes to the rescue. Malware these days tends to be done as a service, because everything has to be a service or a subscription, even malware, and when you make things a service you have to provide customer service, and customer service means documentation and

training. So if you get a little bit of information, IPs, domain names, malware names, anything like that you can kind of start building off of for your searches, you can take that information out to Telegram and Tor and other places and start finding the documentation from the developers. With Rhadamanthys stealer they've got beautiful documentation that tells you exactly how the whole thing works, from the server side to the end of the infection, the whole thing put together, so you can figure out exactly what settings you need when you're building this thing out there, and it's just on the open, open internet for anyone to go get, right? It's not really hidden that much. So we can actually use the documentation

provided by the developers, who will sometimes tell you things like, hey, here is how I'm telling if you're running me in a VM environment, right? I'm looking for two CPUs or less, I'm looking for the screen resolution, I'm looking for weird usernames that typically show up in sandboxes, I'm looking for these running process names. And you can bring that back to your frustrated malware researcher who's smacking his face against the code as hard as he can to try to make something make sense, and go, okay, just change the settings in the VM environment, and suddenly we can bypass this whole thing. The other nice thing that you can do sometimes is you can go out and find

stuff that's really hot, fresh, now, right? Like before it's off in, you know, a CISA advisory or a SANS StormCast or anything like that, you can find new samples. So let's do a really simple hunt together, all right? Uh, this is one I ran across a few months ago, and it was hilarious to me because, like, the same day I posted it on Twitter, like three other people stumbled onto it at like the same time. It's like, all right, cool, who gets to claim it? Mystic Stealer. I just went to Shodan and I typed in the word "stealer". Not every OSINT hunt has to be super complicated; some of them can be really silly simple and still get great results,

because with just the word "stealer" I was able to find some title pages in the HTML code that said "stealer", and when we went to them it was a Mystic Stealer login page, which now gives us IP addresses for C2s, which we can turn around into VirusTotal and find where our relationships are, and we can find the actual files that are communicating with those C2s. So even if the C2s are recent and they're not getting good hits for, like, your network security clients or anything like that, you can come through and at least see, hey, I've got some really nice fresh stuff here that I can use. And same thing, right? That one's, you know,

they've, they've, uh, updated Mystic Stealer, it's not as easy to find, but there is one, and I recorded this one, uh, recently, so if you wanted to you could just go open Shodan on your phone right now and type in "stealer" and there is one that will show up and work, right? It's called Easy Stealer, and it's not very well put together, but there's no blog posts on it right now, really. There's, I think I found a single tweet, and the tweet wasn't anything around, you know, stealer or anything like that, right? The tweet was just like, hey, somebody recently posted on a hack forum that they're selling a new Golang stealer called Easy Stealer. That was the tweet.

Well, if we go out to Shodan and we type in "stealer", we get a Russian IP address, and those are great because that's where most of the malware comes from these days. So we can go here and see that we've got port 3001 open, and on port 3001 is an HTML page, and it's a login page for a thing that says in its title "easy stealer".

Yeah, it's, it's right there, right? And I mean, honestly, they could come up with better naming for these things. A lot of these devs, when they first make these things, for some reason default to just calling it "stealer" and not, like, using something better. But you can go out and find the dashboard straight off Shodan for the C2, and this one's not fully functional, because it looks like most likely someone has recently bought the source code and is using it, so it's just kind of there and it's not ready to rock and roll quite yet. So this one is very fresh and ready to go. Like I said, anybody today in this room, go make your blog

post about Easy Stealer and beat, like, CrowdStrike or somebody else to the punch before they get there. But you can take this address for this dashboard, you can plug that back into VirusTotal or whatever your repository of choice is, right? And you can see what files are communicating with it to get fresh samples, and this one will pop over there.

A few vendors have picked up on the IP address, right? Not everybody, but a few. But there are some files when we go to relations on this one, and one of those files is basically the actual source code from the developer that you buy when you go out to the dark web forum and buy Easy Stealer. Someone uploaded it to VT right before the post was made on the hacking forum advertising the thing for sale, which means there's a good chance the developer might have done it to themselves, as they tend to do. Uh, so this one right here, easy64.exe, wow, great, great way to obfuscate your name on this one. Caught you a little early. We have the same

thing with Rhadamanthys: there were a bunch of samples that were just called rad.exe really early on, and when we were digging through it later on I found a Telegram post from the malware developer of Rhadamanthys who said, hey, if you're buying, please stop uploading to VirusTotal. So there's that warning there. But this is a

friend, so it's a great piece to actually go out and pull apart and get some good detection content out of it, especially because you can get good detection content out of it without really having to do a whole lot of extra effort, because once again the developer has made a nice little website where you can go and you can look up how the thing works, what you need to do to set it up; everything you need is on this page, just on the open internet for anyone to go and get and read, because they're providing excellent customer service to the people who buy it and the people who now have to research it and pull it apart, right? And again, there's

that easy x64.exe; that is actually the piece of code that you get from the developer to set up and run your own server for this stealer, and it's just on VirusTotal. If you've got a VirusTotal account you can just go get it for yourself without even having to pay. So really easy to incorporate these things into your RE workflows. There's really simple tools for a lot of this stuff. We've got only a couple minutes, so I'm going to sprint through them, right? A couple of things that I like to do when I'm trying to bring this stuff together, or go out and find stuff to incorporate and pull back into our research here: dark web search engines, OnionLand,

Torch. These are great; the problem with this is a lot of stuff that's on the dark web is super ephemeral, uh, you find it once and it's gone kind of thing, right? If you've got some cash to spend, I would highly recommend that you look instead at maybe getting something like SOS Intel. If you've got really deep pockets you can get Recorded Future. Uh, I don't have really deep pockets personally, so when I do my personal projects I use SOS Intel. They go out, they search everything, they cache it all, from Telegram, from the dark web, lots of really good stuff, and they've got a researcher account that's super affordable. Other things you can use, obviously,

Shodan, right? But don't just stop at Shodan, because not always will Shodan find it. A lot of people have picked up on what the scanning IPs are for Shodan and therefore they block Shodan, but they don't think to block everything, because there's far too many scanning search engines at this point in the world. So you can go out and check the other databases: Censys, BinaryEdge, ZoomEye, etc., right? Go out and kind of poke through all of them. BinaryEdge right now, it doesn't show up on, uh, Shodan, but if you type in "stealer" into BinaryEdge you'll find Cube Stealer, which is another newer one that you can pull apart for fun.

Other handy tools: urlscan. If you want to go to a web page, like a, you know, C2 page that you think you found, and you're just trying to do it quick and dirty, you can pop it into urlscan, which is basically a web page sandbox. SecurityTrails is beautiful, uh, it's IP and DNS history. There's a few other tools like CompleteDNS and things like that that do it; personally I found SecurityTrails tends to have the most complete database, so we can go out and find, say, previous DNS names that someone might have been using, or IP addresses that might have been tied to that DNS in the past. Other fun things: dnstwist. dnstwist

is a great tool to go grab from GitHub to use to find potential typosquatting domains, because a lot of these things tend to come off of, you know, typosquats of popular applications, so you can go ahead and set that up and roll. Outside of that, your classic tools like Wireshark, nmap and FOCA. And that's it. Hopefully you guys get to have your own "oh" moments doing OSINT with malware. [Applause]

Um, where do you go to find these tools if you're new to things like, um, OSINT and stuff like that?

Uh, so Google is your friend for a lot of this stuff. Uh, shockingly, you know, most of it's pretty well documented. There's also a couple really good GitHub repos where you can find stuff here, uh, deepdarkCTI and a few others. If you go out to GitHub, they actually have pulled together some nice starting points, uh, for you to go out and get either information on stuff that's on the dark web, where to go and get it, or get tools. Uh, you can find a few start.me's as well for OSINT items. Those are really good starting points. So
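The speaker closes the tool list with dnstwist, the GitHub tool for finding potential typosquatting domains, so that is the one step on this page worth showing in working code. The block below is an added example and is not code from the talk or from the dnstwist project: a small dnstwist-style permutation engine (omission, repetition, transposition, adjacent-key errors, homoglyphs, hyphenation and TLD swap) for a domain you defend, plus a resolver hook so the candidates that actually resolve can be flagged for monitoring. The homoglyph and keyboard tables are a constructed subset, and the domain `example.com` and the fake DNS answers are constructed so the script runs offline.

```python
"""dnstwist-style look-alike generation for a brand domain you defend.

Added example, not dnstwist itself: the substitution tables below are a
constructed subset for illustration.
"""
from __future__ import annotations

from typing import Callable, Iterable, Optional

# Constructed homoglyph subset: characters that read alike in a URL bar.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("l", "1"), "e": ("3",),
    "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",), "g": ("q",),
}

# QWERTY neighbours used for "fat-finger" replacement and insertion.
ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o", "a": "qsz", "s": "awdx",
    "d": "sefc", "f": "drgv", "g": "fthb", "h": "gyjn", "j": "hukm",
    "k": "jil", "l": "ko", "z": "ax", "x": "zsc", "c": "xdv", "v": "cfb",
    "b": "vgn", "n": "bhm", "m": "nj",
}

COMMON_TLDS = ("com", "net", "org", "co", "io", "info")


def split_domain(fqdn: str) -> tuple[str, str]:
    """Split 'Example.COM' into ('example', 'com'); single-label TLDs only."""
    name, _, tld = fqdn.strip().lower().rpartition(".")
    if not name or not tld:
        raise ValueError(f"expected name.tld, got {fqdn!r}")
    return name, tld


def permutations(fqdn: str) -> set[str]:
    """Return every look-alike candidate for fqdn, never fqdn itself."""
    name, tld = split_domain(fqdn)
    labels: set[str] = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])                 # omission
        labels.add(name[:i] + name[i] + name[i:])           # repetition
    for i in range(len(name) - 1):
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i, ch in enumerate(name):
        for nb in ADJACENT.get(ch, ""):
            labels.add(name[:i] + nb + name[i + 1:])        # adjacent-key replacement
            labels.add(name[:i] + nb + name[i:])            # adjacent-key insertion
        for glyph in HOMOGLYPHS.get(ch, ()):
            labels.add(name[:i] + glyph + name[i + 1:])     # homoglyph
    for i in range(1, len(name)):
        labels.add(name[:i] + "-" + name[i:])               # hyphenation
    candidates = {f"{label}.{tld}" for label in labels if label}
    candidates.update(f"{name}.{t}" for t in COMMON_TLDS if t != tld)  # TLD swap
    candidates.discard(f"{name}.{tld}")  # e.g. transposing "ll" recreates the original
    return candidates


def find_registered(candidates: Iterable[str],
                    resolve: Callable[[str], Optional[str]]) -> dict[str, str]:
    """Map each candidate that the resolver answers for to its address."""
    hits: dict[str, str] = {}
    for domain in sorted(candidates):
        address = resolve(domain)
        if address:
            hits[domain] = address
    return hits


# Constructed answers standing in for live DNS so the example runs offline.
# For a real run, pass a function that wraps socket.gethostbyname and returns
# None on socket.gaierror instead of fake_resolve.
FAKE_DNS = {"exmaple.com": "198.51.100.7", "examp1e.com": "203.0.113.22"}


def fake_resolve(domain: str) -> Optional[str]:
    return FAKE_DNS.get(domain)


if __name__ == "__main__":
    cands = permutations("example.com")
    print(f"{len(cands)} candidate look-alikes for example.com")
    for domain, address in find_registered(cands, fake_resolve).items():
        print(f"  {domain:<20} resolves to {address}")
```

The candidates that resolve are the ones to carry on into the IP and DNS-history lookups the speaker describes, and the ones that do not resolve yet are a watchlist: re-run the resolver on a schedule and alert when a new one appears.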
