
Jacob, Laura and Greg at BSides 2025. So guys, we have a tradition, and that tradition is that before you start to share all of that information, please take the mezcal, a shot of mezcal. So please continue with the BSides tradition.
So, thank you so much, and we can start.
>> You got it.
>> Yeah. There you go.
>> Jacob Wolf. So, we're going to do it in English.
Thank you guys so much for having us here from Arctic Wolf. We're so excited to share this research that we have for you. We have a threat actor called Greedy Sponge, which we're surfacing for the first time today. Jacob and his team have done a lot of excellent work on this research, and so we're so excited to bring it to you to help inform the community. We're excited to be here with all of you, because cyber security is a wonderful community that's global. We're globally connected. We're here to make connections with you, and we're here to expand our knowledge and share this with you so that you can protect your organization and also learn a little bit more about
the skills of threat hunting that you can apply, whether you're a single researcher, in a small company, a medium-sized company or a large company; everybody can start threat hunting. Okay, so a little bit about myself. I'm Laura Stratton. I'm the senior manager for the tactical threat operations team at Arctic Wolf. And so what that means is we're on the front lines looking at all the telemetry coming in. We're the first to see incidents. We're the first to be right there next to incident response. We collect intelligence from that. We take what happened in that incident, what we can learn from it, and we turn it into how to be better next time through detections, through support, through changing
configurations, through firewall defenses. And so some of my history comes from working with other companies. I worked for General Electric, on the global team there, tracking Russian threats. I've also worked at three-letter agencies, the National Security Agency for the US, doing threat intelligence there, tracking threats. And I'm going to go ahead and pass it to Jacob so he can tell you about himself.
>> Hey, so I am Jacob Ferris. I am a principal threat researcher at Arctic Wolf as well. I guess my background right now is basically writing threat intel reports. That's basically my full-time job right now. I've got a background coming from reverse engineering for the Air Force in the
USA, if that's not obvious. And then I've worked for General Dynamics in their security operations center and also in General Dynamics SOC intelligence, and then, moving over to MSS, I worked for NTT, which is Nippon Telegraph and Telephone. So I did a lot of threat intel tracking with them until I moved over to Arctic Wolf. Next slide. So my background originally was from classic SIEM analysis: taking a look at AlienVault logs, where you pass syslog up into either AlienVault or ArcSight, and sitting there for 12 hours looking at different Snort alerts or syslog information that comes across, and then trying to identify what is malicious and
what isn't. I got to eventually graduate into an actual SOC, doing DevSecOps and trying to actually build out better detections for a single client, right? Because I was working for General Dynamics at the time in their SOC, and actually improving one thing instead of just dealing with incident response. After a while I finally ended up at MSSes, where you get to see real threat actors that are targeting multiple people instead of just one group. I think Laura's going to tell you a little bit more about MSS.
>> Yeah. So, I want to tell you a little bit more about Arctic Wolf itself and the wealth of telemetry that we're able
to use for threat hunting. And so MSS, managed security services, allows us not to just look at one organization but multiple organizations. So immediately, when we find something that looks anomalous, that might be malicious, we can look across different organizations, which really helps us identify what's going on, because some customers may have tech stacks that include cloud integrations and identity integrations and detections as well as an EDR, and then you may have some clients that only have EDR. And so having the ability to use an MSS for your threat hunting is really, really beneficial. That's how folks like Jacob and I can find attribution and identify a full attack chain when we publish these blogs
for you all in the community to use to bolster your defenses. It really enhances our telemetry and logs to be able to go across sources. So that's the story that we're coming from, being able
>> Yeah, I was going to say that also, with an MSS, as opposed to just looking at one person being targeted, right? If I'm a single company and I get targeted by malspam, I just know that I've been hit with malspam. As an MSS, we're able to look across multiple tenants and see that a lot of people have been compromised, or only specific groups are being targeted. So we can see that this
industry, this transportation industry, is being targeted, or these ones are only going after government assets, and what type of information is being targeted, whether it's financial or what have you. Our view is just expanded so much larger than a single-tenant SOC.
>> And then we can provide that information to you all, which is really what we're here to do. So great, thanks, Jacob. So we're going to start off by talking about what threat hunting is. Threat hunting is ideally proactively looking for threats in your environment. As some of you have experience with and may know, sometimes you do threat hunting after an incident happens. You're working for an organization, you have an
incident happen, and you're trying to determine what happened and whether we can prevent it from happening again, right? That's essentially the backbone of threat hunting. But ideally, you want to get to a state in the maturity level of your security operations where you're able to look for threats on a regular basis. So it sometimes can be reactive, sometimes proactive. And what we're going to talk about today is how you come up with a plan for how you want to start your threat hunting. What type of targeting should you be looking for? What type of research should you be doing? And then also, Jacob's going to go over every tool that
he used for this research. Not every tool possible; every tool he used for this particular research that is available to you all, right? So there are lots of tools that will become available to you as you work for a large organization, but today we're going to cover tools that are available to you today. What are some public open source tools that you can use to start threat hunting? Is there anything you wanted to add to this?
>> So why do we threat hunt? Jacob alluded to that. When you work for an MSS, you try to identify what the threat actors are going after. Is this an opportunistic threat? Is this a threat that's going after government
assets? Are they looking to gather information? Are they just trying to get money? Are they going for different sizes? Are they targeting the user base, or are they targeting the actual devices? So that's why we want to do it. It's important to look at why we do threat hunting, because the goal here is to identify what is most likely to happen to you and what is most dangerous to happen. Okay, so this is my five-step plan. This was made by Laura Stratton. So if you take a picture, please put my name on it. This is coined. No, I'm just kidding. But this is really what we use as our process as a team. So if
you're working by yourself, you're working in a small team or a large team, these are really the five things that you want to do when you start looking at how you want to threat hunt. You want to gather your information. When you gather information, you're identifying what's available to you. What log sources do you have? What information's available to you? For us, we have lots of telemetry, but for you, you may be limited to only having one log source, right? So if you know that's a Fortinet device, you may only have that log source available to you, which means you might identify resources that go beyond the information that you have. So if you only have one type of log or two types
of log, you want to make sure you understand what resources you can extend to. Is there a place that I can go to in open source that provides me a tool? Does my company have a tool that I can use to correlate information? Can I use a tool like OpenCTI or MISP to correlate data points off of several incidents or several telemetry points? And then you go, okay, I know what I'm looking at. I know what I have available to me to use. Well, now I've got to conduct research. Research is a very, very big part of threat intelligence and a very big part of threat hunting. So before you get started on a threat hunting
adventure or on a threat hunting team, know that research is heavily involved. There's so much information in open source available to you to be able to frame what the community already knows about this threat. How did others defend against it? So if you're working in the banking industry, you want to talk to other banks regularly to find out what they know, or, hey, we just got hit with this Greedy Sponge. Do you know anything about how they did this? Have you seen this phish before? Have you seen this file before? What are some things that you've seen? And then form a hypothesis. How do we form one? And we're going to talk more about the attack chain and how
you can use frameworks that are available to you to frame a hypothesis. You essentially want to tell yourself, hey, how do I think the threat actor got in, and what do I think they wanted? Understanding what they want can help you build the path to get there. So if you know that they're looking for information, they're looking for money, they're looking to exploit users, then it can help you identify where you need to look for that information. And then, again coined by Laura Stratton, make a plan, right? Because one of the most important things about threat hunting, I'll go ahead and tell you, and Jacob will attest to this, is sometimes it's really important to understand
where you stop. You may hit a dead end and go, there's nothing more here. How many more resources and time do I dedicate to this threat? Sometimes you just got to know when to throw in the towel and move on. If you have a plan, you can set up regular checkpoints to say, "Okay, I couldn't get this data. I've reached a stopping point. Time to move on." Anything you want to add? Okay, so this is really what the process looks like, right? So when you're going through hunting, you may have one piece of information, and then you can pivot. So if you have, for example, the phishing email that your user opened, that's a place to start. You know
exactly what URL they were directed to. That's a good place to start. And then you can start pivoting and say, okay, well, what were they likely to do next? And then you kind of go down the rabbit hole, which Jacob is really going to walk you through, right? That is research. And you may get so many data points. You may find out, like, wow, they were hosting on so many URLs, and this is where they were located. These were the different sectors they were targeting. And then you get this huge conglomeration of data points, and you're trying to find out what can I gather from this. And so
you take that big group of data points and you start identifying; even here you can start seeing the clusters, right? You start seeing mass activity in the center. So that may be a region, a location that you can start focusing on, maybe an ASN that has been used for these threats in this campaign that you can start focusing on, and then you start feeding that information back through the pipeline, right? Because ideally you want to find out where that detection is. I know you have some more to add here.
>> I mean, there's the other direction too.
>> Bidirectional. That's right. Yeah. So it's bidirectional, because for us, when you're at a company, you might have an
MSS, you might have all those data points, and you're trying to find out, well, what's the root point of compromise? What was the initial reason, how did they get in, where were our defenses lacking, where was our gap?
>> Yeah, like sometimes it can be overwhelming starting over here on the right side, where you have a million data points and you're trying to reduce it down to one. That was one of the main points of this. Generally, from a single company, you start at the one point and you're like, oh, I got a piece of malware, a phishing email. What does that actually look like? Can we identify some infrastructure on the back end and
try to identify what else might be coming or where else they're attacking? But from the MSS side, where you have so much information, you generally start all the way over here, and you're trying to figure out what are these smaller clusters that I can dig into, and then where can I find out important information, right? Like, what can I write a detection off of? What can I say, like, this is a specific individual? And that's coming down to a single point. And so threat intel is all about pivots.
>> Great. So this is really the process that we follow over and over again. As you can see, there's a lot of
flowchart here, like, yes, this is the case, and so we're going to do that. But it all starts with an initial finding. It starts with some anomalous piece of information. It starts with a malicious incident, starts with an email. It starts with an unauthorized sign-in. Everything starts with an initial finding, and then what we want to do is investigate the victims. In your case, if it's a single organization, it might be which users were impacted here, which endpoints were impacted here, which devices, what were they connected to, what do they have access to? If you're in the case of an MSS, it might be, hey, I want
to know, is this localized to a particular sector? Are they only going after banking information? So therefore, all of their lures are for you and the users to go ahead and sign in to your banking information, which has already been taken over by the threat actor. And so investigating the victims is important to understand the scope and the breadth of what you're looking for. It can help guide where the next pivot point is. It can help guide what resources you use, as well as who you collaborate with in the next phases. And then we're going to talk more about identifying the attack chain, but you really want to identify
which source you have and where in the attack chain that is. I've got that next. And then, do you have any network IOCs? You're going to follow this. I'm going to let you talk about this part, because it's very specific. Is it just me? Do you want me to share this guy?
>> We've been cut off and only have one.
>> No, I think the battery ran out on this one. So generally my process over here: as soon as you've actually identified where you are in the attack chain, you need to figure out whether you've got network IOCs or not. If you don't have any network IOCs, you're going to have to take a look at your binaries and
actually try to pivot through those until you do have network IOCs, because one of the key points of threat hunting is to identify a group or a campaign. So you're trying to identify an entire entity, as opposed to just your one individual item. So network IOCs are one of the best ways to do that, because you can identify actor infrastructure. So I really, really, really want network IOCs so that I can say, oh, what is the other infrastructure they're using, either for C2 or delivery, or even actor-on-keyboard accessing systems? And then I can pivot that to new binaries, and do that in a cyclical fashion where I say, oh, this is their
delivery infrastructure, what's the new stuff that they're actually putting out, and then what are the new C2s that they're utilizing? And that goes on and on and on in a cycle until you have a fairly big graph like the one from the previous slide. If you don't have any network IOCs, again, you get to use YARA, you get to go through different OSINT tools, you can use VirusTotal to do those pivots, depending on what your binaries or ELF files look like, and try to find new information. But it's always this cyclical thing of trying to expand that graph as large as you can, as long as they're actually related, followed by sticking out to an output,
which in our case is a blog or some sort of detections, right? Like, you might not think it, but whenever you publish something, even if you haven't written any detections, somebody else will write detections on the things that you publish, and it will stop people for at least a little while.
>> And one of the great things about network IOCs, and why they're so important, is that's really how you can identify earliest on in the attack chain. The earliest indications are going to be network IOCs. And so they're the most valuable things to share with others if you're in the middle of something that's happening that's very relevant and timely. Network IOCs can give you that very first
initial access. A lot of times, companies will have the ability to just block malicious network IOCs and stop activity that way in the future. The downside is they change all the time, right? So they're on a rotating basis. So network IOCs can be really, really beneficial to scope and to pivot off of, but they do change frequently. So we're going to talk more about how we deal with it when a network IOC changes, how we pivot from that. Okay. So, but where do I start? Where is a good starting point? I've never done threat hunting before. This is my first time really exploring that.
I find that it's most beneficial to work from a framework. There are several available frameworks. Some of the most common ones we use at Arctic Wolf, of course, the MITRE ATT&CK framework. It's important to try to use a framework because it's common language in a community. Having common language is golden. It allows you to communicate with other organizations, and you're speaking essentially the same language, even across the globe, right? You can go all over the globe and they're going to know, hey, this is what a normal attack chain looks like. This is how MITRE works globally. This is just an accepted framework. And so it's important to get
familiar, so that when you're working with others, sometimes you may have to work with other countries, you want to know how to talk to them in a way that everyone knows exactly the type of information you're talking about. So reconnaissance, weaponization, those are things that highly evolved security teams will take a look at, active researchers will take a look at, but the real meat and potatoes, the real action, happens between delivery, exploitation, installation, and command and control. This is where you're going to be catching incidents. This is where your evidence is going to come from. This is where your detections are going to be deployed. The goal is, of course, to get as
close to delivery as possible. But oftentimes, depending on your tech stack, you may only see exploitation and installation, or you may be just catching the C2. So it really depends on what your tech stack is. Jacob's going to give you some examples of what you might find at delivery, exploitation, installation, and command and control. Do you want to give a few examples?
>> Well, coming from delivery, you're generally coming through phishing, right, and malspam. Installation is your malware actually hitting a system and trying to find out where you can pivot from that. Command and control is going to be your network indicators going out. But
one of the big things you'll notice whenever you're doing threat hunting is you're almost always just moving one stage to the left or right on the cyber kill chain. Like, whenever you find malware on your system through installation, you're then going to start looking for, well, how did they exploit my system, or how did they do the delivery? And then you're going to go out in the other direction, saying, what are the command and control servers that are actually being accessed? You are rarely going to be hopping, you know, all the way across to reconnaissance from installation and saying, who scanned me, and now how did it get on my system? So
following a cyber kill chain is a really good process for choosing your next step and where to look.
>> And it's always okay to go backwards, right? So sometimes you may get alerts on command and control and you're like, well, what did they go after first? Like, why did they set this up? They must have something that they want to send over. So you can always go back to installation. Well, can I find the piece of malware that's been deployed? And if I can find the file or binary, how can I go use these tools that Jacob's going to go over, like VirusTotal and such, to use the open source
information to find out what's going on with that binary? So you don't actually have to have any reverse engineering skills. You don't have to have experience doing reverse engineering to do threat hunting, right? This is available to everyone, because so many out there in the community have already done that work for you. So more than likely, if you've seen a binary, it's already uploaded to VirusTotal, and you can identify the components, other C2s that are available.
>> Or on Twitter, and somebody else already has at this point, I guess.
>> Yeah.
>> All right. Now we're going to get to the exciting parts, where Jacob's going to tell you all about the open source tools that are available to you.
>> Oh, you want the clicker?
>> Yeah.
>> I like the clicker.
>> All right, so the primary tool that I probably use is VirusTotal, as far as stuff is concerned. You can get incredible amounts of network telemetry and relationships. Also included are all the binary associations, and then being able to pivot off of any dropped files. Plus, they have sandboxing built in. I don't know that there is any one larger open source of information. I'm standing not in front of a monitor. If you're looking to pivot via network information or network telemetry, Shodan is incredible. They've done an excellent job of actually logging services, giving you some
historical record of what was hosted, because a lot of times you're looking at stuff that was maybe only alive last month as opposed to today. Censys does pretty similar stuff. They are also an internet scanner. They are scanning everybody, trying to figure out what services are going on on any ports, and then actually logging those for you. So whenever you are trying to identify infrastructure, you don't have to just go off of IP addresses. You can go over unique things like SSL certificates, or even hashing an HTTP body. ZoomEye also does the same thing, except they have an even larger historical access. So Censys has recently put a
wall over almost all of their information that's useful for pivoting on, which is a huge pain. Shodan a while ago put a paywall over a lot of their information. So ZoomEye is Chinese, and they for some reason don't have a paywall, probably because they want to harvest all of our information for accessing them. But that doesn't mean their information isn't useful. So I use these guys almost daily, trying to hunt down what C2 or delivery infrastructure is actually related, and then trying to pull out new binaries through those relationships.
>> Yeah, you want to do the "where it starts"? You want me to do it?
>> No, I want you to cover where it
starts.
>> Okay. So, where do I actually start whenever I'm looking for information? A lot of times, for me, that starts from a single incident. I'm almost acting like I'm doing an incident response engagement from logs. I'll get a binary that alerts as malicious, and then I'll start running off on sandboxing that, and then pivoting on any of the indicators that are spit out. But maybe you don't have binaries. Maybe you don't have Snort logs that are popping up for you, because you are a college student and you're not actually looking at corporate logs, right? How do you even get started on looking for stuff? So, VirusTotal
actually has a lot of searching options for you. Let's say that you wanted to find something specifically from Mexico. You could look up VirusTotal submitters and documents being submitted by them, with exploits, from very specific times, that have positive values. And all of a sudden, you have a lot of things to look into and start trying to identify threat actors that are specifically targeting your region. Also, you can hit all of those other sources that I talked about earlier, Censys, Shodan, ZoomEye, and you can do complex queries to actually identify infrastructure. A lot of people have already done that work for you. If you go out to GitHub, drb-ra for the
C2 Intel feeds, they have a ton of Censys searches that are already pre-built for you to look for SSL certificates, JA3, JARM hashes, any of those things that are built around even the C2 frameworks. So you can identify a large majority of, like, Havoc servers that are online at any point in time, Deimos, Mythic. And while a lot of these are being used by pentesters, a lot aren't. A lot are being utilized by malicious actors, nation states, so that they can stay under the radar, because something that everybody else is using is also very difficult to give attribution to.
>> Right. Because the goal of the threat actor is to look as much like normal
activity as possible. I just wanted to note also that with VirusTotal, it's very common for organizations to have higher licenses for VirusTotal, and that way you can practice writing your own YARA rules and seeing which strings are actually successful in looking for malware out in the wild, which can then translate to helping find malware within your environment. The other thing I want to note is that Shodan, while some of those features are behind paywalls, we use Shodan all the time, the public and free open version of Shodan, to identify which of our customers have infrastructure exposed to the internet. A lot of times, when you're deploying a new device or
you're setting up the IT services for a new company, it's very common for those organizations to have publicly exposed IP addresses. So it's good routine practice for an organization to just go ahead and check their public IP infrastructure across Shodan to see if they're vulnerable to new vulnerabilities that have been exposed, and just to identify a good starting point for where threat actors are likely to target.
>> Yeah, this type of stuff is one of my favorite ways to actually pivot into threat actors. We have gathered a lot of NetFlow information, and we'll actually identify jump hosts off of people that are utilizing C2
infrastructure. And then you can almost always figure out who are the pentesters and who aren't based on the hosting infrastructure they're using. A lot of times the domains they register are actually registered to the pentesting company. And so you can pretty quickly start ruling those out. And whenever you have that NetFlow data or ISP-level information, you can start identifying where threat actors are accessing the C2s from, because a lot of times they aren't using VPNs or Tor. They're actually standing up their own servers inside of DigitalOcean. They're standing their own stuff up inside of Alibaba. And if you have access to that, you can actually see
when they're accessing things. So how
>> now for the good stuff,
>> which you've all been waiting for.
>> How did I find Greedy Sponge? So, Greedy Sponge started with an incident, and I'm going to walk you guys through all of the steps that I took, going from the initial finding of a binary on a single tenant, identifying the infrastructure that was actually used for delivery, phishing and C2, and then what I think is the actual intent of the group involved.
>> You can tell a lot about intent by how things are executed, by who's being targeted, where the targets are happening. We learn a lot about intent.
>> So I initially found a weird binary called chunka.exe. That was
>> Oh, the chunk love. Oh boy. This is where it starts.
>> So this was seen on just one of our tenants here in Mexico, and it was reaching out to uberrunplay.com. I initially saw uberrunplay.com back in like 2022, but there weren't a ton of samples up on VirusTotal at the time. But whenever I went to the C2, it told me to [ __ ] off. And I took that.
>> As you can see, our famous sponge right here. This is why we call it Greedy Sponge: because the most famous sponge on the planet was used by the
threat actors.
>> So
>> against us.
>> So it's a pretty unique JPEG. It had a favicon of Mr. Burns up there. So I felt like there was something that was fairly easily trackable, or at least unique, about the C2 infrastructure that we could actually go after. This is no longer used, because I published a blog a year and a half ago about this same threat actor, before we decided that we needed to name them, because I thought they were just a one-off. So my process for all this looks very similar to the flowchart that we had earlier. I found an initial sample,
grabbed the binary, found new C2s, found the domains, pivoted off of those, pulled new samples from the C2 infrastructure, from that delivery infrastructure, and got a nice little feedback loop. The new samples were actually being released like monthly. New MSIs were being generated every other day and being sent to tenants. We were also able to pivot through NetFlow information to identify victims here in Mexico, find the actor jump host that they were accessing everything from, and then pivot through WHOIS data to find the phishing infrastructure. So on the initial binary, I took a look through VirusTotal. It was identified as AllaKore,
which happens to be true, but you always want to double check that. We also had this identified on our own internal YARA scanning infrastructure, but it's always good to validate through multiple sources. So how does that rule actually trigger? Mainly you see things like "name socket get full string". In the original AllaKore samples you would see the AllaKore remote string actually exist inside of the binary. That was not really the case for this. In fact, we really only saw a handful of these strings. So I dumped all the strings, because I wanted to figure out what it actually was, if it was AllaKore or not. And I really don't like reversing Delphi, but
we got there. So we found a handful of strings that actually do match, but we found even more that don't, and none of these are in English. And it's fairly interesting to see malware not written in English and having unique strings built out inside of it. So we need to start hunting for all of these samples. So the binary also had very unique metadata inside of it. They were using this "create uprps wind service" string inside of their metadata for every single one of their AllaKore RATs. That has changed. They did updates after we published stuff about them. We can still pretty easily find them,
though. And these two were some of the key pivots.
>> Can you go back one second? I just want to point something out. So, if you're new to threat hunting, one big red flag that you're going to see is if the file is not signed. That's no bueno. No bueno. We want to check that out. We want to take a good look at it.
>> Yeah. So whenever I pivot on that string, all of a sudden we found 44 different samples of the same AllaKore. And even though these down here don't say AllaKore, they most certainly are. You can go through and find them, and then we started
pivoting. So now we wanted to see what all these were reaching out to. They happened to be reaching out to the same C2s at the time, but they did have a special structure. We found relationships to a zip file. Somebody uploaded a zip file with the actual MSI inside of it, and we were able to find the full attack chain. So the zip, which is being passed most likely through malspam (we don't have the email, but I don't know why you would be sending a zip file for somebody to execute through any other means), came with this structure. They're asking you to install a SIP plugin. This right here is actually just Chrome, like Google Chrome. It's a Chrome proxy. And they give you instructions to go ahead and install my malware.
>> And as you can see, this is not written in English. It's in Spanish. And so that gave us another reason to believe that this targeting was also in Mexico, or another Spanish-speaking country, Latin America or Spain over in Europe. Sometimes you can just identify some things about targeting based on how the threat actor is operating. They're not trying to blend into the US. They're not trying to blend into English. So that gives us a little bit of information on targeting there as well.
>> So, what does that MSI do? It really just holds the malware. This MSI has a config that you can actually dump, and it has a prerequisite of running an internal binary that is packaged up inside of the MSI that isn't the primary installation. That happened to be this ADV.exe in this case, though they have been changing it quite rapidly over time. I think at the time that they were still doing this binary, there were almost 150 MSI samples on VirusTotal that were easily trackable. So they were fairly widespread. Oh yeah, it also likes to clean itself up. So we have a file deleter over here. After it actually runs itself, it cleans up any of the scripts that are run internally. And that binary was .NET, so we get to look at every different language in this. So it runs in .NET. It has a local client-side check to make sure that it's actually being run from Mexico. It checks the client's IP address, the IP info, and makes sure it's in Mexico before it even tries to download the next stage in the kill chain. And interestingly enough, the user agent that they decided to use inside of the .NET binary is the same user agent that AllaKore uses. I don't know why you would duplicate another malicious user agent for your installation process, other than, I guess, verification from their server side, but they're doing all their verification client side. So that, I feel like, was a pretty interesting find early on. So then they end up downloading the next stage from manslap.com, and we get to look at the binary. So this is it, or at least this is one of the functions inside of IDA Pro, just showing that we have a "pagato" text, which is one of the unique functions built in, and they're literally just doing a copy-paste. You
can see the Ctrl+V, and that's one of the commands that they can put inside. They also have several other functions, easy-to-find named ones, so you can identify the different targeted banks that they're actually going after based on the strings of the function names. And these are a grouping of the images that they will actually use for popups. So this is part of AllaKore RAT; this is the client side. They'll actually force these to pop up whenever the victim browses to any of the banking websites. So not only are they trying to steal credentials via the standard notion of stealing them off of saved locations on the system, but they are getting two-factor authentication codes sent directly to them by forcing these popups on victims and having them enter that two-factor authentication. So how do we actually track this? If you want to find new binaries, you can write YARA rules. I found that hunting for their unique strings (they had a couple of unique strings in the .NET downloader) led to several new samples. This was actually the code that did a decode, just a Base64 decode, on the downloaded zip file for the final payload, for the AllaKore RAT. And then we can actually search for just their custom functions inside of AllaKore RAT. So we got a few different ways that we ended up throwing these on VirusTotal and on our own internal scanning process so that we could identify new samples. But we can also hunt in network infrastructure. So we saw the giant Spongebob meme. That's what I'm actually searching for here: they had a unique HTTP body response that was opening bob.jpeg as the background. And so I hashed that; I looked for the HTTP body hash up here. And it turns out we could dump their entire hosting infrastructure because it's a unique hash. Now we only dumped 12 results from here, and it turns out if you look for the favicon as well, we got 14 results. So we got a decent number of C2s just from hunting on the hashes from the favicon and from the body. It turned out there was a ton of IP reuse. All of the phishing infrastructure was hosted here. We had 14 different domains that were associated with just that one IP address. All of these were delivery infrastructure and these were C2, or I guess command and control, for AllaKore. So they obviously had segmented their infrastructure into different groups so they could update them independently, and they do update them independently, but they all use the exact same hosting provider. They decided to exclusively use Hostwinds, hosted in Dallas, Texas.
>> And why did they do that, Jacob?
>> I don't know, but...
>> We think we might know.
>> Yeah. So generally, if you're trying to steal from somebody, you don't want your infrastructure to be accessible by the law enforcement agency. So if you're trying to rob people in Mexico, you would probably want to host your infrastructure in a country that does not have the best relations between law enforcement
groups. So with their infrastructure being in Texas, the FBI wasn't really going to look into any of the victims here in Mexico, and Mexican law enforcement is not going to have any jurisdiction to actually go look at the C2 infrastructure hosted in the US. But we found that all of the domains, it seemed, were actually registered for Mexico. So even though they were hosted in Texas, if you look up the domain registrations, they had a local contact country of Mexico. A couple of the early ones were Russian hosted. I don't know if they were trying to look for bulletproof hosting early on, or if they were trying too hard and decided that it was easier to just host in Mexico instead, but now you can still search through WHOIS information and look for things that are domain-registered with a contact city of Nuevo León, and that still pulls up all of their C2 infrastructure. We also, like I told you before, had ISP-level NetFlow data. That NetFlow data showed a lot of victims, especially, or exclusively, in Mexico, but we also saw RDP access to several of the command and control servers from Starlink, and from Starlink base stations in Mexico. So, if the threat actor was using Starlink in the US, you would assume that you would see base stations in the US that would then turn around and access US servers. But we see all of that access coming from geolocated Mexico stations. So from that, plus the language, plus the targets, we have a pretty good idea that all of this is Mexican-instigated. So we have a Mexican threat actor that is targeting Mexican industries. And then I published a blog about all that information about a year and a half ago, and they stopped doing anything. All of a sudden we stopped seeing AllaKore RAT pop up on a lot of our clients. We stopped seeing C2s being updated. We stopped seeing MSIs being uploaded to VirusTotal. It seemed like they had gone dark. And we're only one company. So that means either every antivirus company and EDR product decided they were going to start including all of our detections or all the IOCs that we put out, or the threat actors started actually reading our blog too and decided they needed to change things. But after about six months we got another "chunka". So we had another, different client get compromised, and we found chunka.exe appear on their system. Also, that's the same as one of the old C2s that we saw previously that was identified through network pivots. They did decide they wanted to update their zip section. They are still using a Chrome binary, but they are no longer alluding to sitar and, was it IMSS, the Mexican social security system, on installation.
>> Yeah, they had expanded.
>> They also were really good and decided to move all of their geofencing from client side to server side. So now, instead of having the client check if it's in Mexico, they actually check whether the IP address that is accessing the delivery infrastructure is a Mexican IP address. And I had to jump through some proxies in order to get the next payloads.
And we can see that it does actually also still hit trainer.com. They updated the endpoint from license.txt to z1.txt for pulling the next stage of the payload. Oh, and they updated the strings for all of their functions. Since we were doing all of our detections based on a less-than sign with a bar, they changed everything to squiggles in order to name their functions, and they decided to actually obfuscate a lot of their older functions. You can actually trace back when they started updating all of this. So after we released information about this actor a year and a half ago, they obfuscated all their functions, but they are not obfuscating their new functions. So for any new functions they're putting in, it was definitely just a one-time stamp: we are going to do an update, try and hide how they were detecting us, and now we're going to go about business as usual. So, same thing, you can see inside of AllaKore. This is actually a secondary delivery function inside of AllaKore. Before, they were delivering a Chrome plugin that was related to banks, but it basically told them not to go to specific banks, or told them not to proxy certain banks. So they weren't going to try and steal from those. I'm guessing they had issues with actually being caught going through them. But now, instead of delivering a Chrome plugin, they are downloading a binary and executing that, which happens to be SystemBC. But whenever we're hunting for them now, we updated our string, our user agent, to hunt for the AllaKore user agent, which most people that use AllaKore change. These guys have it. And this detects almost exclusively on Greedy Sponge's samples. We also now look for their unique strings that they've updated. You can actually use this exact same YARA rule but drop out the squiggles and just search on the strings, like these specifically prepended function names, and you will pull up the new binaries. That might be a little bit more robust, but it could also give you a little bit more noise if you were hunting for these guys. So yeah, that secondary infection is SystemBC, and I think that's the first time that we are seeing them use a paid commodity malware, and I think that's the next step up in this actor. Before, they were using all open-source tools, they were only delivering via malspam, and most of the things they were doing were not involved in them actually spending money on doing these campaigns; they were trying to do everything as cheaply as possible. So they must be making enough money that they can now buy malware to send to important compromises. They also changed their installation chain; the secondary infection is far more complicated, or far more advanced. Before, it was literally just an installation of a Chrome proxy or Chrome plugin. But now it actually uses a CMSTP bypass, which is an exploit that allows the binary to be run as an elevated user. You can actually find the exact binary or tool they're using at UAC bypass CMSTP
on GitHub, the exploitable GitHub repository, and from there, as opposed to loading up the default payload, they have the payload loaded up into the resources. This is a reuse of the same .NET downloader that is utilized in the MSI file, except that it points to SystemBC instead. So: new domains, same provider; everything's still being hosted on Hostwinds in Dallas, Texas. You can see the old campaign stuff has overlapped here with this domain, which is impossible to read on the screen, but the IP address overlap happens here and in a couple of other areas. And so we can actually see all this new infrastructure as this older stuff is taken offline. So even though the IP addresses change, domain registration remains very, very similar, and IP reuse happens across shifting campaigns. So generally you will see older IP addresses be updated with the new C2 before that new C2 domain gets a brand new IP address. So how long have these guys been around? The oldest payloads that I could find contacting their C2 started in July of 2021. So at least four years. Back then they were literally just sending you AllaKore RAT in your email. They did not have any MSI files. I don't know how they were packaging it inside of the emails, but they were just directly delivering you AllaKore. They finally updated their lure in December of 2021 and established that "create UPRPS" metadata inside of the binaries, which makes them very easy to trace back through probably a three-year period. But then obviously that was extremely successful. So one of the things we've noticed with threat actors is they're only going to update their campaigns when they have to. If they're being successful with their targeting and with extracting funds from the groups they're targeting, if they're a financial actor like these guys, then they're not going to update anything. There's no reason to evolve. So for about two years, or a year and a half, they were able to run on just AllaKore RAT with a specific lure, and they started adding this .NET downloader for getting the AllaKore RAT delivered in August of 2023. In January of 2024, we released a blog, when I was still working under BlackBerry before we got acquired, and all of a sudden they shut down everything, and they were offline for at least one month before we saw binary updates. But we really didn't see the campaign truly shift; these were more like follow-on, or a continuation, of the previous campaigns that were still going on. We saw a real update in November of 2024. So they took like half a year to actually sit down and update all of their infrastructure, or at least that delivery chain, add in the UAC bypass, and start delivering everything in a much more advanced fashion.
So they target everybody. I think they really just target Mexico. If you are a business in Mexico, they're going to target you. I saw phishing pages for an MMA studio; it was like elitesubmissions.com, and it was literally just advertising for an MMA fight that they were phishing. We see tons and tons and tons of transportation and agriculture. Terracea is targeted extremely regularly. Pretty much any truck company that is in the US is targeted, or sorry, that is in Mexico, is hit by these guys, and we can actually track that phishing infrastructure through the WHOIS registration information and see new domains pop up every single day. The organization is financially motivated. I have not seen anything of them actually just trying to steal information to get into social media accounts or do espionage. They're purely financially motivated and trying to steal your banking credentials. They're located in Mexico, since we found they are only Spanish speaking. All of the targets we've identified are in Mexico. There are a few C2s that have WHOIS information located in Colombia, but none of those have been accessed from non-Mexican locations that I have seen. All of the C2 is still located in Texas and being accessed by Mexican victims. And they're doing a banking trojan. Their capability has really exploded over the last four years, right? Going from basically something that a high schooler can do to, I guess, something that in five years another high schooler can do, because everything's gotten easier. But we've seen them iterate year over year, adding new capabilities for their delivery infrastructure and trying to anonymize themselves to some degree. They do take the time to obfuscate their WHOIS information; they are using privacy WHOIS services in order to register these domains, but they have unique identifiers inside of those that we can track. They are phishing. They have custom .NET code, so we know that they can program to at least some degree. They are updating AllaKore, so for some reason they can program in more than one language. And they're starting to use commodity malware, so they're plugged into these nefarious systems, right? They can at least get on Hack Forums, and they're starting to be built into the black-hat community. Yeah, thank you. What questions?
>> Applause for the speakers.
>> No. So, Jacob, thank you so much for all that information. It's great for us. Jacob...
>> Now we know what happens if we execute chunka.exe in our systems, you know. So, thank you so much, Jacob. Again, that was very, very interesting information. That is our last conference. So
[Music] Kevin Alunos.