
Thank you. I'll try to keep you entertained on a Friday night; I hope that this goes well. It's a smaller crowd, so if you have questions, just feel free to jump right in. I will open it up to questions at the end, but if you have something that you want to jump in with right in the middle, that's fine.

So, to start off: what is Inception? Last year around August we found a targeted attack that was done by what looks to be a nation state. I don't want to come out and say it was a nation state, but it's likely there was a nation state attack. We called it Inception because there's so many layers to this: when we'd get through one layer, we'd find there's another layer even deeper, and as I go through this presentation I hope you'll kind of appreciate why we named it this.

So, based on information we were able to gather, these are the targets. Not all of them, but the majority of them fall right on this map in this region, and you can see there's a very large cluster right over Moscow. So this is who they were targeting and who their targets of interest were. Also note the industries that they were after: they were after government, they were after embassies, and a lot of those embassies were in the Moscow area; military secrets. And then towards the end of the campaign (we released our findings in December, and within 48 hours they had shut the whole thing down), but towards the end of this campaign they were targeting the World Petroleum Council and United Nations members as well.

Now, their attacks typically started out with a phishing email, but they were very specific phishing emails. If you'll look at these emails, the one furthest on the left is a United Nations document, and it outlines an agenda for a meeting, so you can assume the message would be something to the extent of "there's been an update to our meeting, please see the updated agenda with this attached Word document." You'd open the Word document and they would exploit you, and then it would show one of these documents, so that the user was not suspicious when Word crashed, right? It would quickly launch another copy of Word and throw down these legit documents to kind of hide what they're doing in the background. The one in the middle shows Russian leadership; it was sent to Russian military personnel. The one down the bottom is a diplomatic car for sale, obviously targeting a diplomat in that area, which was Moscow. This document over on this side is one of my favorites. You can't see it, but it talks about diesel engines. It's a customer product, saying "hey, we sell these type of diesel engines, here's our latest brochure," and so we started looking at who would be a customer of this size diesel engine. We went to their site and tried to find out information about these engines, and it turns out that these are huge engines: these are the kinds that are used in submarines and to start nuclear generators. So those are the types of people that this document was targeting.

I say they were all very targeted documents. We see this little lady here; she didn't seem to be such a targeted document, just kind of talking about maybe future Miss Russia, but effective nonetheless. Maybe they did know their target and they knew they'd be interested in such a thing. But guys aren't the only ones that were susceptible: a deal for Victoria's Secret was another attack they used, and it also was successful.

So how the attack plays out is they send an email that has this attachment on it, right? The user clicks the attachment, which is just a Word document. It exploited an exploit that came out last April, almost a year ago now. They get a shell prompt, and when they get shell access they do two things: they drop a VB script
and run it, and then they open that decoy document to show the user. That VB script will then extract from within itself two different files, one a DLL and another one an AES-encrypted file, drop both of them to disk, then execute and put the DLL in the startup. That DLL, when it's run, is a polymorphed DLL. It's using a type of packer we haven't seen before; it was unique only to these guys, and every instance of that polymorphed DLL was completely different no matter what the underlying payload was. It would inject into itself functions that were logarithmic or exponent functions, and there were a lot of function trees that were just dynamic, like the number of function arguments to these functions was different between each pack. So the polymorphic packer they used was really quite sophisticated. But nonetheless, once it finally finished its thing, it unpacked the DLL in memory, and that DLL then would go find the encrypted blob. That DLL had the AES key for that blob, decrypted it, which was yet another DLL, and then loaded that into memory and ran it. That was the actual payload to this tool. The whole chain here is just to get to this base implant. The base implant then had the capability to call home, say "hey, what do you want me to do?", and it would pull down additional capabilities and run them as the attackers wished.

Interesting to point out is everything below this red line only exists in memory. There's no forensic evidence for these files, so all you have on disk is an AES-encrypted blob, which, good luck opening that, and a polymorphic DLL. They did a lot of work to protect their actual payload and hide what they're doing. They didn't use a lot of the typical malware tricks of, you know, trying to hide from a reverse engineer or using custom packers, and I think the reason that they didn't is because those tricks, although they slow down reverse engineers and buy them time, they're also very loud and say "hey, I'm trying to hide." So they did this route instead, to not raise suspicion upon themselves.

So the base implant, when it would call home, here's the kind of information it would send home. On the far left is basic what we call survey data. It would beacon this back home, say things like computer name, username, is he an admin. It would also send home the language of the machine and the language of the user, and I think those were just to kind of verify that they're hitting the target they suspect they are. With that information calling home, then if they thought they were interested in that target, they would task the target to do two new things: they'd task it to do a complete directory walk and give me domain information for that user. Then if they felt like they were still interested in that target, they'd advance to the third and final stage that we saw, where they'd start to pull back the list of software, the complete device list of the machine, and they'd start pulling back PDFs, PowerPoints, Excels, Word documents from the target. So it's clear that they were after espionage; they weren't after any kind of sabotage, we didn't witness any at least, but they were clearly looking
to steal information from their targets, and they were very cautious of who they were targeting. They would only expose or use these tricks on targets they knew they wanted. During the course of this investigation we tried to phish them, right? We tried to set these up and tried to get them to target us to see what they would do, and I could never get them to bite. So they were very good at making sure they hit who they thought they were trying to hit.

Now, how it talked home was really interesting for me, because this is not something you typically see in malware. Rather than, you know, opening Internet Explorer or using a socket, what it did is it mapped a WebDAV drive, right? So if I did a net use on the machine you'd see a WebDAV drive out to the cloud, and through that drive it would send up a file or retrieve a file. Because you use a WebDAV drive, the connection doesn't come from the malicious process; the connection comes from the system itself. Furthermore, it's Microsoft doing it, right? You just say "oh, I've got a network drive, write this file to the drive," and the system will go send the data up to the cloud for you. It's very sly; a lot of AV products aren't looking for this type of traffic.

Now, the WebDAV provider they used is CloudMe, which was something I had never heard of before. They are a Russian, or a Swedish, excuse me, cloud provider. That's probably why I didn't hear of them, because I'm not frequently in that area. But how they designed the malware, that's not hardcoded; in fact it could be changed, and it could have been changed to any one of these providers that uses WebDAV. So it could have talked to any one of these, and the malware could be interchangeably set up. If we look at it, I can show you exactly where this is: the configuration section. Every one of the payloads we saw was almost the same except for one section, which is the config, which was hard-baked in. That's really small, but the config outlines the URL to talk to, which is the top one, says basically CloudMe; the username; the password; and then the paths of where to set survey data down and the path of where to get my next tasking assignment from. And then when it writes files to the cloud it has this last section that says use one of these extensions when you write the file, so that if I was to casually browse CloudMe I would see all these files that look like a text file, a wave file, right? CloudMe just throws this icon up for you, guessing based on the extension. Really, all those are is that survey information that I showed you before, but encrypted and set on the cloud. So that's kind of how they hide this fact that they're there.

So we observed them, and because every time I get a hold of a sample I could see from that sample the username and password that they were using, I wrote a Python script to check CloudMe and see what gets uploaded, and see if they're tasking this guy, see what they're doing, that exchange. And I started to build a collection of these, but then I started seeing something strange happen. In some cases they would drop this secm executable on
their target, and I looked at that executable and I started taking it apart, and I recognized it immediately as a Chinese piece of malware, a known APT set from long ago. It's not a particularly advanced piece of malware in my mind, but compared to the Inception setup it's like miniature, right? It doesn't have a lot of these awesome capabilities. It's loud, it's obnoxious, and it just doesn't make sense to load a backdoor on a system when I already have this really cool, sophisticated backdoor. Like, why would I set this really noisy, odd one down? Is it the Chinese, like an experienced group teaching a younger group? Are they kind of working together? Like, I didn't understand why they would do this. And then I started to look at the cases of where this was being dropped, and I noticed a pattern in the survey files. In the cases where the secm was being dropped, the survey was saying it was running out of one of these processes. In the cases where it wasn't being dropped, this is a typical place where the malware expects to be running from, but down here below, I don't know if you can read this, it's oie, right, or rundll32. So what they were able to figure out, based on where the process was running, they could tell this is a researcher onto our trail, this is a researcher looking at our stuff. When there was a researcher onto them, they would drop a piece of Chinese malware: "oh, we're the Chinese, look at who we are." That was my first clue that these guys are a little on top of their game, right? They know what they're doing, they know how to play with us, and I thought, okay, this is a little cat and mouse game. You're on, right? You're on.

So we started to collect a number of samples, and we gathered a number of account information, and we reached out to CloudMe and told them, "hey, your service is being used by this APT to attack these large organizations. Would you be willing to share log data for these accounts, who's logging in? We'd like to find out who the attackers are that are tasking these machines." Luckily for us, CloudMe was willing to share and work with us. They worked to shut down the accounts, and they worked to provide the logs to those accounts that we specified, but furthermore they said, "that's also matching a pattern of these hundred-some-odd other accounts that you didn't list." So it revealed to us that these guys are huge. And when we got the logs back, we got the IPs, and it was easy for us to tell who's a victim IP versus who's an attacker IP based on user agent and what actions, what commands they used, right? And we get all these IPs, but it turns out there was over a hundred IPs that the attackers were using, and it was crazy, because the attackers would connect to CloudMe, check a few accounts, and then connect from a different IP, check a few more. It would just bounce through these IPs; like, every hour or so it would jump to a new IP but continue talking as if it was the same connection. And we're like, whoa, these guys got this massive network. It's like, it's probably just Tor. No, none of these IPs lined up to be a Tor IP. We're like, well, is it some kind of proxy service? They're not proxy IPs; they were not any kind of service or known proxy or open proxy that we could find. Like, well, what is this? I mean, a lot of them were in South Korea. Does that mean anything? Because the rest of them were all over, but there was a good portion that centered around South Korea. So we started to do just a light forensics on the boxes, and it turned out they were all embedded systems. They were all embedded systems that these guys have compromised, and they were using them to cover their tracks, right? So to CloudMe it's like, oh, these are just a bunch of home user IPs.
These all belong to just user router IP addresses. It looks perfectly legit for a user to log in, sync a file or two, and shut it down. It was like, whoa, these guys are... like, I thought I had them, and then no, all I get is a bunch of these router boxes.

So the good news for us is, though, we were able to identify a customer of ours at Blue Coat, and we reached out and asked for permission, and we were able to get access to one of these devices. So I get telnet or SSH access to one of these boxes, and I look, you know, I do a ps and I do a netstat, and right away something looks rather fishy. It's really small, but it says "tail dash": the process called "tail dash" has a port open. Yeah, I don't think tail should be listening on any port, right? That's shady of itself. Furthermore, the process tail is running out of /tmp. I'm like, yeah, this is wrong, this is my guy right here. But then I'm like, how do I get an executable off this router? I can't just stick a USB drive in it. Maybe I could just SCP it to myself? No, this router is an embedded Linux; it's not got the full suite of things, right? It's like BusyBox, even that slimmed down. It doesn't have SCP. I'm like, well, what about FTP? TFTP? Can I like echo it to a terminal and just cut and paste? No, that doesn't work. Or netcat? Doesn't even have netcat. I couldn't even echo it to a terminal, and there's like the -e option to escape the characters so it doesn't beep and do funky stuff; no, that won't work. I'm like, great, I find this super cool malware and I can't even copy the file off the router. Like, how dumb do I feel, right? So if you guys got a cool answer for this, I'd love to hear it afterwards. I came up with one, but I don't think it's the most elegant, so if you got something better I'd love to hear it. What I ended up doing is I compiled a new version of BusyBox that had netcat in it, wget (does that make sense?), wget the file down to the router, and then run that just to netcat the malware off the router. Even then my pains weren't over, because the router runs MIPS, right? The last time I reversed MIPS assembly was like in college, because I had to. MIPS is horrible, but anyways, I took it apart, got it out, and found out that's exactly what I thought it was. It's a backdoor proxy on the router. It listens on a port for an encrypted session that the attacker will connect on; on that port they say "hey, open me up a proxy to this address," and then it would proxy traffic through the router, and that's how they were masking their identity.

So to kind of back up and get the big picture of what we know so far, right: the victim connects to CloudMe to get its command and control. CloudMe is connected to by one of these huge Internet of Things that have been hacked. And I thought, I got netstat logs, I can see who's connecting to those routers. Well, all of the connections to those routers come from one of four servers that were all virtual private servers rented in the cloud. We reached out to the providers, asked for information; they weren't willing to share anything about their customers. So this is their huge network that we've devised, and I don't even know what's on this half of the field over here, right? I just know it stops there somewhere. They could have four or five more layers, I don't know, but it's just interesting to see how strong and how big their network is, right?

So I'm thinking, okay, so I've got control of one of these devices and I can see the traffic going through it. What if I made that guy a double agent? Every time he was tasked to go somewhere,
everything he's doing, send me a pcap copy of wherever he goes, right? So you always hear about a nation state spying on the little guys; this time it's the little guy spying on the nation state. I get giddy even talking about this now, because it's just kind of cool to think, ah, this whole campaign, and I'm watching the whole thing go by. So I knew all the connections to CloudMe were encrypted, and so I didn't expect to see anything there, but I was wondering what else would I see. And what I found out is they had some rented email servers. Whenever they'd send a spam, they'd connect to the rented email server through their Internet of Things network and then send out the email. So I could get a Wireshark capture of every attack email that went through my one particular router. So here's an example of one of those. I've blotted out who the target was, but other than that, it was pretty cool. I could see the attachment, I could see who they were targeting. This one was after, who is this one after? I don't see it readily, but yeah, I was able to see who it was. I was able to see who their email servers masqueraded as, and they would masquerade as common UK customers, right? So they were faking sandg group.co, or saggroup.com, by using the domain SG group.co; for somebody in the UK that address makes sense. So they were very good at spoofing who they were trying to target and who they were coming from.

Now, as I was listening in on their network like this, I saw a lot of emails that matched this setup, with the Word document attached that exploited. But then I started to see some emails that didn't match this pattern. I saw a small little one-liner email, no attachment, it's just like "hey, your WhatsApp is out of date" or, you know, "get the latest WhatsApp, it works for iPhone, Android, BlackBerry and Windows Phone," and then a link. I'm like, okay, yeah, it's a phishing link. Well, let's see where it goes. I have the link, and it takes me to BBC. No, no, that's not right, something's wrong here. So I read it again; it says works for iPhone, Android and BlackBerry and Windows Phone. So what if I change my user agent to Android and click that link? What happens? Ooh, I get an Android APK. Like, okay, okay, what if I change my user agent to iPhone? I get an iPhone Cydia package. Change my user agent to BlackBerry? Oh, I get a BlackBerry installer. I'm like, okay, change my user agent to Windows Mobile? It takes me to BBC. Nobody has a Windows Mobile phone, come on, why waste your time writing malware for it?

So looking at that link, it's actually a bit.ly link that had this kind of pattern: it sent you to this IP address, and the URL had two things in it. It had a target identifier, to uniquely identify this email so the attackers could know which ones worked, and then an action code, and the action code was either 743, which means serve the WhatsApp app that I got, or 124, which means serve the malware disguised as a Viber update, or another number which meant serve the MMS phishing content. The MMS phishing content would look something like this: it would take you to this page that showed a telephone provider's logo and then a password block and says "get MMS." If you put in the password and get MMS, it would get you the malware. But what we also found is they had logos for all these different carriers, so what we presumed this was was an MMS phishing. So they'd send a message to the target saying "you've received an MMS message that's too big for your inbox, right, go to this link and download it, your password is X," and then you go to that link and it would show you your carrier's logo, because they could figure out, you know, who they were targeting, so you'd see a Sprint logo or whatnot, and
you'd enter your password and get nailed with the malware. So they had an SMS phishing, excuse me, MMS phishing campaign as well.

Now, here's the cool thing about bit.ly, right: it keeps statistics about links, it keeps who the user is that submitted these. So when I looked up the user, I saw that he had over 10,000 links made on his site since July of '14, and this was in November when I looked this up. So 10,000 links in that short of time, and they all appeared to go to BBC, right? We all know what they were really doing on the back end. Furthermore, though, bit.ly will also tell you how effective your links are, being clicked on and by which countries. So bit.ly also provided me statistics about how big this campaign is and who they were targeting. Now, this map's going to be slightly skewed, because if you click the link from your Sprint phone it's going to go through your carrier's location, right? So Russia is a lot lighter, because Russia doesn't really have that many carriers located in Russia; a lot of them are in the UK, but they provide services to Russia. So the IPs are going to be skewed for mobile, but it still gives you a rough idea of who's clicking their links, and that they are effective, at least to some.

So let me dig into the malware a little bit. The Android malware disguises itself as a WhatsApp update. As soon as you run it, it shows you this nice little screen and then disappears, and in the background it's installed itself as a background service. It starts up every time the phone starts up. It is able to pull your location, your contacts, it's able to record audio, it's able to look at phone logs, MMS logs. The record audio is creepy, man. It's like, just turn the mic on for 10 minutes, tell me what I hear, and leave, right? They had location information, so they could be like, oh look, he's at location X, we're really interested in location X, turn on the mic. All right, turn it off, we're good. So they could do some really creepy things. And even more, the malware was very sly about how it would call home. What it would do is it would go look for a Tumblr blog; it would look for a user's blog and read his blog post. This blog is some guy's post, and it starts out fine, but then, I don't know if you can read it, but this whole blog right here is just a bunch of gibberish. If you look at the source code, it's wrapped in HTML tags, and the Android phone knows to look for those tags, decrypt the data in between those tags, which is actually command and control information. So this blog post says "your real command and control server is located at X, please use this address and these passwords to talk to the command and control place." So really what would happen is that was just the first tier. It would redirect them to a hacked website, which then they would use, a path that the user of that website doesn't know about, to communicate what they want the Android malware to do. And it would check not just one blog post, but it would check one of a number of different places to get its configuration information. So you would have to block this; you would have to block every one of those blog sites. Yeah, good luck blocking Tumblr without having somebody complain. And then, if you could block their hacked sites, but if you blocked a hacked site they could just put a new hacked site up and a new blog post telling the malware to go to the new hacked site. So it was really easy for them to change where the command and control was in case they get caught, or the site gets, they get found out on that hacked site; they can just throw down a new hacked site and change where the malware's communicating. Really kind of a sly
design. It's kind of impressive.

So the iOS malware was also interesting. It did require the phone to be jailbroken, which, I mean, to us in the US it's like, who jailbreaks our phone? But it actually is more common outside the US to jailbreak your phone than it is in the US. But anyways, the iOS malware wasn't as rich as the Android malware, but it still could pull your basic iTunes information, it can pull your contacts, hardware information about the phone, look at your SMS messages, call logs, calendar, that sort of thing. Now, when you root your iOS phone, iOS is really just like a port of OS X, right, and so OS X still has some root in BSD, and so when we root it, Cydia allows you to install Debian installers, and that's what a Cydia package really is: it's just a Debian package. So the malware, this is the breakdown of the malware. Really all the control section is is just telling the Debian package how to install it and what to do once the files are dropped, and this is actually the files that get dropped to disk. So there's a Skype app that gets dropped, a binary called comms Vib, and then another Debian package, D.B. So if you start to look at this, the post-install information is basically just saying, hey, once you're installed, change comms Vib to executable, change its owner to wheel, which is the root user on iOS, and then run it. And all comms Vib is is actually just a small little script that says sleep for 10 seconds and then install the Debian package. So we look at the Debian package, what's inside it? Well, again we've got another post-install, and we have this com.apple.tour plist file and then a C binary file, two other little files by it. So the post-install this time, after you copy those files down, change this binc file to root owner, make it executable, change the permissions on the tour Apple plist, and then remove the comms file that I'm running right now, and remove the Debian package. So it's just cleaning up the first mess and then installing this mess. Now, if you're not familiar with Mac OS or iOS, this LaunchDaemons plist, a plist is like a dictionary for Apple, and LaunchDaemons is basically the directory where you put things, you say "hey, I want this to run on startup." And so we look at that, and sure enough, that's what it says. It says, hey, run /usr/bin/C on startup, run it, load every time the phone reboots, run this program in the background. Now, with iOS, unless it's rooted you have to have some kind of way of monitoring this, but you typically aren't looking at your system processes or what threads are running, right? So this is hiding in the background where nobody's going to see it unless they're really trying to find it. And sure enough, we look at file C and it is, it's a Mach-O binary. Interesting enough, it was compiled, it doesn't show you there, but it was actually compiled for iOS 7 and later, so we can tell they were targeting newer iPhones. You had to have at least a 7 or newer for it to work, but it did work on the 64-bit, so it worked on the really new stuff.

And then just in passing, we'll talk about the BlackBerry malware. When I saw it I was like, BlackBerry? Who writes malware for, who uses a BlackBerry anymore, right? Like, I don't see these things very often, and it took me a little bit to get my head around reading the malware, just reversing a BlackBerry app in the first place. It didn't have as many features as the others; it was really slim. Pull account information. What it really could do is it could pull complete hardware information; I mean, it could pull stuff down to the temperature of the phone in your pocket. Why the attackers cared how
hot your phone is, I don't know. Maybe they wanted to know if you were inside or outside, so they knew if their missile would hit you, I don't know. But they could pull such things, and they did: they pulled the temperature of your phone, they pulled address book, carrier information, and the list of installed apps. So, just kind of, I never actually saw this one attached or used, but they had the capability. Whether they ever found a target that had a BlackBerry, I don't know.

So as we started finding these malware pieces, they had a lot of little tricks in them. Though, you know, once I saw the secm file, that Chinese malware, I knew that these guys were sly, and as we started to find artifacts, you know, typically as a reverser I'm looking for these artifacts as clues to see who's behind this. But when I know they're throwing things in there to throw me off, I have to second-guess every clue I see now, because did they throw that in there on purpose, or was that in there to throw me off? And sure enough, there's a lot. So the iOS malware, it had the compile path, and in the compile path it shows the username of John Clerk. I could believe that that's plausible. But the BlackBerry malware had inside of it, it used a string as kind of a key token that was "God Save the Queen." Like, yeah, I think that one's in there as a fake, right? "I'm just going to put 'God Save the Queen' in there because I'm so patriotic." I think that's in there just kind of to throw us off. In the Android malware you would see some strings that are, I think that one's Farsi, so Arabic; do they have Arabic developers working on this? And then again in the BlackBerry malware, in another spot, there was Hindi characters. So they have Hindi, UK, Arabic and Chinese. Like, just trying to figure out who's behind this was really kind of shady. I don't know if I can believe any of those tricks. Another one is they used this really long string, which looks like a keyboard smash, to generate a hash for a password, and based on that keyboard smash, the characters that are there, it tells me that they had a US keyboard, right? Like the caret, the dollar sign, the hash, those are only on the standard keyboard layout for a US or a US International keyboard. Maybe that's a clue, maybe not, I don't know. These ones I all kind of had to throw out; I just couldn't put any trust into them.

But there were some clues that I felt like I could get. So with the CloudMe accounts, I could see when tasking was, when they put up a task for their malware, I could see what time of the day that was put there, and I kind of gathered that information for the periods of time, and I noticed it corresponds to about an 8-hour window. I'm like, okay, well, what time zone does that 8-hour window line up with, like 8 to 5? And it turns out that that time would line up with GMT+2, which is this red time zone right here. Also, we'll just keep that in mind; we'll come back to that. Also, when they would task their malware, the name of the file would be like 11239.bin, and then later we'd see, when that's like one one two three, I guess nothing comes after 11, one 31.bin. And so they were kind of incrementing their files each time they'd do a tasking. Now, I didn't have privilege to all their accounts, but I'd check one one night and then check again the next night and see how much that number had incremented, and I'd be like, okay, so over that 24-hour period it looks like they tasked 100 different samples. So that means they've got at least 100 different active targets they're working at this moment, every day, right? By the time that this thing was over, that number was up almost to 10,000.
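The two measurements just described, the working-hours window that points at a time zone and the incrementing counter in the task file names that gives a tasking rate, worked through as an added example. This is not code from the talk or from Blue Coat; it assumes an 08:00-17:00 local working day, assumes task files are named as a bare number plus ".bin", and every timestamp and file name in it is constructed sample data.

```python
"""Added example (not from the talk or from Blue Coat): two analyst checks on
C2 tasking observations of the kind described in the talk.

1. Which UTC offset makes the tasking timestamps fall inside an assumed
   08:00-17:00 local working day (the talk's "8 to 5" window).
2. How many taskings per 24 hours the incrementing counter in task file
   names (e.g. 11239.bin) implies.

Every timestamp and file name below is constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17             # assumed local working window, end exclusive
TASK_NAME = re.compile(r"^(\d+)\.bin$")  # assumed task file naming, e.g. 11239.bin

# Constructed: UTC times at which new task files appeared on one account.
SAMPLE_TASK_TIMES_UTC = [
    "2014-09-01T06:05", "2014-09-01T07:40", "2014-09-01T09:15", "2014-09-01T11:30",
    "2014-09-01T14:50", "2014-09-02T06:20", "2014-09-02T08:10", "2014-09-02T10:45",
    "2014-09-02T13:00", "2014-09-02T14:55", "2014-09-03T05:59", "2014-09-03T12:30",
]

# Constructed: highest task file name seen on three successive nightly checks.
SAMPLE_COUNTER_OBSERVATIONS = [
    ("2014-11-03T22:00", "11239.bin"),
    ("2014-11-04T22:00", "11339.bin"),
    ("2014-11-05T22:00", "11439.bin"),
]


def parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM' string as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def in_work_window(t_utc, offset_hours):
    """True if t_utc falls inside WORK_START..WORK_END local time at this UTC offset."""
    local = t_utc + timedelta(hours=offset_hours)
    return WORK_START <= local.hour < WORK_END


def score_offsets(stamps, offsets=range(-12, 15)):
    """Count, for each candidate UTC offset, how many taskings land in the window."""
    times = [parse_utc(s) for s in stamps]
    return {off: sum(in_work_window(t, off) for t in times) for off in offsets}


def best_offsets(stamps):
    """Return (offsets with the highest in-window count, that count).
    Several offsets can tie on a small sample, so a list is the honest answer."""
    scores = score_offsets(stamps)
    top = max(scores.values())
    return sorted(off for off, n in scores.items() if n == top), top


def task_counter(name):
    """Extract the numeric counter from a task file name, or None if it does not match."""
    m = TASK_NAME.match(name)
    return int(m.group(1)) if m else None


def tasking_rate(observations):
    """Estimate taskings per 24 hours from (utc_stamp, highest_task_name) observations,
    using the first and last observation that carries a parsable counter."""
    points = sorted(
        (parse_utc(ts), task_counter(name))
        for ts, name in observations
        if task_counter(name) is not None
    )
    if len(points) < 2:
        raise ValueError("need at least two observations with a numeric counter")
    (t0, c0), (t1, c1) = points[0], points[-1]
    hours = (t1 - t0).total_seconds() / 3600
    if hours <= 0:
        raise ValueError("observations must span a positive interval")
    return (c1 - c0) * 24 / hours


if __name__ == "__main__":
    offsets, hits = best_offsets(SAMPLE_TASK_TIMES_UTC)
    print(f"{hits}/{len(SAMPLE_TASK_TIMES_UTC)} taskings fit 08:00-17:00 at UTC offset {offsets}")
    print(f"about {tasking_rate(SAMPLE_COUNTER_OBSERVATIONS):.0f} taskings per 24h")
```

On the constructed sample the best fit is UTC+2 with 11 of 12 taskings inside the window, and the counter grows by 200 over 48 hours, so about 100 taskings a day. With real data the window scores for neighbouring offsets will often be close, which is why the function returns every tied offset rather than a single answer, and why the talk treats the time zone as one clue among several rather than proof.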
That's how many different taskings they've done with their malware over those few months. Like, these guys were serious, and because I knew they were targeted, that meant they weren't just hitting everybody, but they had that many specific targets that they were actually able to get what they wanted from, or at least get in on. Did I say everything on that slide? I think so. Also there were some other similarities. Kaspersky, so we correlated with Kaspersky, we shared our notes before we released publicly, and Kaspersky was kind enough to say, you know what, this resembles one of our previous campaigns that we discovered called Red October. And we looked, and there are some key similarities.
First off, these phishing documents look fairly similar: the one on the left is from Red October and the one on the right is from the Inception campaign, right? Same kind of here's a diplomatic car. Now that's not a strong indicator, because it's easy for me to take somebody else's malware, repurpose it for my uses and send it out. There were also some indicators like they used this particular string to key where the shellcode was in the document, and that particular string was the same for both Red October and Inception. And then there was some code shared between them which was used for compression that looked exactly the same,
same kind of function arguments, and the code library is the same. Now all three of those aren't really the strongest indicators, but they are pretty strong indicators. Furthermore, if we
remember
down. It was pretty easy to detect: when that's dropped, that file deletes itself. Did I kick something out, or should I use this? Okay. Yeah, it was pretty easy to detect when you knew you had it. When it runs it deletes itself, so you have a small window to hit it, but AVs should be able to catch that. And the thing is, these guys aren't active anymore, right? Like, we were watching their things and, like I said, within 48 hours of the release of the report they shut it down. A lot of the malware was still calling home, but nobody was answering, and even the proxies, even the router, I saw no
more traffic through it anymore. So they were very cautious, and we knew once we released they'd probably shut down. We knew that they were so risk-averse, that was their forte. There were the email server domain names, those three domains; we could have tried to sinkhole them, but no, we didn't. I think part of it is, once, so I'll get to your, I've got another question, once we discovered the mobile malware it was on their server, and so we did hit their server to download that mobile malware and to get those lists of carriers. We did that on a Friday; they noticed our traffic and shut down
the mobile server that weekend. So at that point we knew we'd tipped the hat that we were on to them, and now they know it, and so we knew we really should release soon, and so we did. That's about the course of action: within a week or two we released our paper at that point. So yeah, I mean, they're watching; it's hard to watch them without tipping the finger that we're onto them. Do you have a question? Yeah, like, how did you discover them? Did the client call you, did you notice it in a sensor? So we noticed it in a sensor, and it was actually, we were
watching for that exploit. We knew that exploit came out in April, we knew it would be a hot topic, so we were seeing who was using that particular exploit, looking for documents that had that signature. It was an overflow, I can't give you the details, 1761. Then the other question is, you started seeing documents uploaded to the cloud; did the client ask you to, like, intercept those documents? So that, it's kind of a hard topic. Like, I see stuff going up, but it's encrypted, it's all encrypted unique to that GUID, right? And in fact what we found out is, so there was a username and password for each malware, and then it
had a path for upload and a path for download, and we kind of figured out, or assumed, or concluded that the same username and account was used for each target, like a business, but different paths were used and different encryption keys for different targets within that business. So a lot of times we'd be able to see a document going up, but we wouldn't have the key to that document. In fact I never actually was able to get or see anybody's PDFs or Word docs decrypted. Did your client ask you to stop that? So, we reached out to any of our clients that we knew had this, but we also are privileged to samples
that are not necessarily within our network, and that's where a lot of these samples came from. So there's cases where they're not our customer; it's kind of hard to reach out, hey, I'm a, you know, I'm a sales guy from Blue Coat, I think you've got malware and you need to turn this off. They're not going to believe my email. So it's hard to reach out to people that aren't directly my customers, but where they were our customer we tried to reach out to
them. Uh-huh, yeah, and that's kind of fuzzy. Yeah, a reliable point? No, okay, no. In and of itself we couldn't really trust it at all, because there were the other factors that kind of hinted that way we thought maybe we could trust it, but you're right, that's totally not something I can rely on at all. In hindsight, do you think you could have, yeah, I could have been a little bit more cautious hitting their server to pull down the mobile malware. It's kind of a tradeoff, though; you have to hit it one way or another to get the content, otherwise if I never would have hit the server I
never would have got any of the mobile samples. So it's a trade-off of, do I want the sample, and try to play it slow? Because if I play it slow and try to play it cautious, maybe they would find me still and I wouldn't get as much data. And the route we went is, we want to try to harvest as much as we can as quick as we can, and even then we weren't done harvesting before they shut us down. Is there, can you describe what methods they were using in detail to try and detect you? No, I don't know, we just assumed. I don't know for sure how they detected us. I'm
assuming they looked at their access logs and they noticed that somebody from not Russia was there. That's my guess, I don't know for sure. And the, you know, to me, am I still being recorded? Sure, please.
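As an added example from the editor, not code from the talk, from Blue Coat or from the Inception report: the two timing heuristics the speaker describes earlier, the working-hours window inferred from when CloudMe taskings were posted and the incrementing tasking file counter checked night to night, written out over a constructed log. The log lines, the 08:00-17:00 local working-day assumption, the whole-hour offset search and the function names are all assumptions made here; real tasking records would have to be substituted.

```python
"""Working-hours and tasking-rate heuristics over C2 tasking records (editor's example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log: UTC upload time and tasking file name, one per line.
# These are NOT real Inception records; they are made up so the script runs offline.
# The non-.bin line is there to show that unrelated files are ignored.
SAMPLE_LOG = """\
2014-09-10T06:05:00Z 11239.bin
2014-09-10T07:40:00Z 11251.bin
2014-09-10T09:15:00Z 11268.bin
2014-09-10T11:30:00Z 11290.bin
2014-09-10T13:20:00Z 11312.bin
2014-09-10T14:50:00Z 11338.bin
2014-09-11T06:10:00Z 11345.bin
2014-09-11T08:05:00Z 11360.bin
2014-09-11T10:45:00Z 11381.bin
2014-09-11T12:00:00Z 11402.bin
2014-09-11T14:30:00Z 11430.bin
2014-09-11T21:00:00Z 11431.bin
2014-09-11T21:05:00Z readme.txt
"""

# Assumed naming scheme: a decimal counter followed by ".bin", as in the talk's 11239.bin.
TASK_NAME = re.compile(r"^(\d+)\.bin$")


def parse_task_number(name):
    """Return the integer counter in a tasking file name like '11239.bin', or None."""
    m = TASK_NAME.match(name)
    return int(m.group(1)) if m else None


def parse_taskings(text):
    """Parse 'ISO-8601-UTC filename' lines into (aware UTC datetime, task_number) tuples.
    Lines whose file name is not a numbered .bin tasking are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, name = line.split(None, 1)
        number = parse_task_number(name)
        if number is None:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, number))
    return records


def best_utc_offset(times, start_hour=8, end_hour=17):
    """Find the whole-hour UTC offset under which the most uploads fall inside an
    assumed local working day [start_hour, end_hour). Returns (offset, hit_count).
    Ties resolve to the lowest offset tried, so a narrow margin is weak evidence;
    DST and half-hour zones are deliberately not modelled."""
    times = list(times)  # allow a generator to be passed, we iterate more than once
    best = None
    for offset in range(-12, 15):
        hits = sum(
            1 for t in times
            if start_hour <= (t + timedelta(hours=offset)).hour < end_hour
        )
        if best is None or hits > best[1]:
            best = (offset, hits)
    return best


def daily_increments(records):
    """Per UTC calendar day, how far the tasking counter advanced (max - min seen).
    This mirrors checking the counter one night and the next to estimate taskings
    per day; it assumes the counter only ever increases and is shared across targets."""
    seen = defaultdict(list)
    for when, number in records:
        seen[when.date().isoformat()].append(number)
    return {day: max(nums) - min(nums) for day, nums in seen.items()}


if __name__ == "__main__":
    recs = parse_taskings(SAMPLE_LOG)
    offset, hits = best_utc_offset(t for t, _ in recs)
    print(f"{len(recs)} taskings; best fit UTC{offset:+d} with {hits} inside working hours")
    for day, delta in sorted(daily_increments(recs).items()):
        print(f"{day}: counter advanced by {delta}")
```

On the constructed log the fit lands on UTC+2 with 11 of 12 uploads inside the window, and the counter advances by roughly a hundred per day, which is the reasoning the speaker applies; the same caveats he gives apply to the code, since an operator can schedule uploads to fake a working day, and a counter delta only bounds the number of taskings, not the number of distinct victims.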