
Yeah, my name is Nicholas Caser, I come from Stockholm. It's my big pleasure to be here in Munich for the first time, so I'm really enjoying the food and the beers, fantastic. Hopefully next time there will be a BSides during the Oktoberfest, it would be cool to be there, but maybe, I don't know, I was joking around, maybe everybody would be sort of hung over, so maybe it's good as it is.

I'm going to talk about... I do a lot of incident response, I do malware analysis, and this comes from a real incident I did where the threat actor had sort of messed up, and how we can leverage that both for intelligence and then for how to utilize that also in the incident response. So I was called into this incident, and the threat actor hadn't encrypted stuff yet, but they were on their way to encrypting, and I got this sample from my colleague. This was an agent and it was packed. Sorry for the feedback. For the ones who do malware analysis: a lot of malware is packed, so you need to sort of unravel it to get the content out of it, and this one was packed in Delphi, which is a bit of a nightmare. But while I was unpacking this RAT I found this very interesting string: it says "https", an IP address, and it said "list.txt" and "file upload". Like, hm, this looks juicy. But you always need to be careful: is it too obvious, or could it be something of real interest? Yeah, of course you need memes. So I downloaded the whole thing and it turned out to be almost 5 GB of threat actor tooling, which was kind of interesting.

So this is how it looked: it was an open directory, and the RAT had this capability of downloading more tools and then unpacking them itself, so it's kind of modular. But in doing so they also forgot their own OPSEC, which led me to "let's download the whole directory and see what we can find". If you stick with me to the end, this actually led to some really cool findings, and I will show you some tricks for how we can leverage this stuff.

But let's just start by looking at the tools. They have one called "avf something". Threat actors don't really like antivirus solutions, so they have this kind of tooling. What does it contain? It has this kind of thingy, and, oops, it's a lot of how to disable volume shadow copies. Threat actors, ransomware actors, hate volume shadow copies. What I thought was interesting about this one is that usually in ransomware we see this stuff built into the ransomware, but they had separate scripts, so we got everything for free here. I was also talking with Silia here: from a detection engineering point of view, if you see these commands running, you should probably call incident response immediately. Any of these commands is a very, very good trigger for detection engineering that something bad is probably happening in your environment, and especially seeing all of them coming, that's, I would say, 99.999999 something, five sigma, a true positive.

I also found this thing here called def.vbe. VBE is sort of a binary Visual Basic script, and when you see stuff like this, what do you do? Also, nvu was one of the sponsors: you Google it and see if Didier Stevens has done something for this, and of course he has. So you just download this tool and it deobfuscates it for you, and it's even more disabling of volume shadow copies. I guess we will distribute this afterwards, so from the detection engineering point of view this is stuff to keep an eye on.

They also like stopping things. This is also one of the things we see when you do ransomware investigations: let's say "good" is not the correct word, let's say how you should do it before encrypting is that you should stop things first, otherwise things will break. Usually we also see this stuff built into the ransomware, but here in this case we had a script as well. So for detection engineering, take this, especially if they all come in a row; you probably have a visit from someone you were not expecting.

Moving on to the next folder, I also found this tooling called ClearLock. I had never heard about this before, so what do we do? We Google it, and it turns out the Dharma ransomware gang likes using this tool as tooling before encrypting. What it actually does is it locks the screen for the user, but the activity can go on in the background, so it's a way of locking out any interaction with the tool. Digging into this one I thought it was kind of interesting what I could find out about it. So what it actually does: I clicked on it and it locks the screen and asks for a password. You see the screen is still in the background, but if I try to do anything else it just tells me I need a password. But you see there's an ini file there, so if I edit this ini file I could sort of hack this little thing here: "Nicholas was here" instead of typing the password. So, hm, this is interesting, I can interact with this kind of screen locker. And what else? It doesn't show very clearly, sorry about that, but down here it says "password" and it's some kind of hex string. So what could that be?

Well, first of all, this one was actually written in AutoIt, which is interesting. AutoIt is an old compiler, though that thing is actually coming back now. A side note from this: QakBot has disappeared, and we have another gang on the rise called DarkGate, and they actually download the AutoIt compiler onto the computer before compiling the malware. That's the interesting part of being a malware analyst: you need to look into this old stuff as well, because the threat actors love to use it. But it is compiled in AutoIt, and there's actually a decompiler, this one called myAut2Exe, so I can actually decompile the code and get it in kind of clear text. It looks like this, and if we start looking at this there's something very interesting up here: we have something called "constant Crypt key", "I am Mr Ed!". What could that be? The thing is, StringEncrypt is actually an RC4 encryption, so this is the RC4 key that's built into this tool. So if anyone gets hacked by this one you can grab that hex code from the password in the ini file and RC4-decrypt it with "I am Mr Ed!", so if anyone runs into Dharma, that's how to unlock this screen.

I also found this kind of Easter egg: it says "Easter egg function" and a lot of hex code. So what could this be? I mean, it's there, so I'm curious, let's see. I put it into CyberChef, which is a fantastic tool from the NCSC UK. If there's anyone here aspiring to become a malware analyst, I would say CyberChef and learning regex; regex is this kind of old wizard thing (I'm 45, so I'm becoming one of those old wizards) that you can do a lot of magic with. So with some regex and some CyberChef we can actually figure it out and decrypt these hex codes, and it says: if I type in "Michelangelo" into this ClearLock thingy, it will actually give me back "combat cold cut". As feedback, if I put in "Donatello" it gives me "bosan NOA Sharin NOA", does it ring a bell for someone? If I put in "Splinter" it says "kab banga". So that developer really enjoys Ninja Turtles, so there's an Easter egg; even ransomware actors seem to have humor.

Moving onwards, I found this file as well, Elsas.exe. Does it look like Elsas? Yes, Elsas. There's a little hint up there: "ClearLog by exacer 01", and it's in Russian. If you Google this you end up on this forum where they try to sell this tool, and Google Translate can do this: it is actually a tool that clears the logs, and what it does is it creates these VBS scripts and then clears the logs. Also, I mean, this is prone to false positives, but still something to keep an eye on in detection engineering: if these commands start running, probably something is happening in the environment.

Now moving on to the rest of the files: a bunch of these files were actually password-protected zip files. Without knowing the password, can I still figure out what files are there? The answer is kind of yes, and I'm going to show you that little trick I figured out. If you look at a zip file, it actually has this kind of CRC32 hash, which is more of a hash for file integrity, so it's a kind of MD5-ish thingy. It's not academically correct, but it gives a hint, a high-probability hint, if you combine it with the file size and the file name, and if all three match up I'm quite convinced it's the same file. So I can actually do that: what I did is I Googled this hash and this tooling, and then I compared the CRC32 hash, and if I get the same I know I have the same file, so then I know that's the tooling. What I did is a kind of one-liner: I iterated through all the files that were zip-encrypted, getting the file name, the file size and the CRC32 hash, and by doing this I could figure out all the tooling without actually knowing the password. So yes, with metadata alone we can figure out the tooling.

Though if we move into the more, let's say, juicy part of this: during the incident, the thing I was investigating was an agent, and the agent was actually called installer.exe. So there are these two binaries in the same folder called "agents". I started looking at the first one; when I say "agents", is it this one? No, it's not, sorry. The first agent, the one called "installer", was the one I found in the environment, and it was actually known by VirusTotal. But by having the installation package, I could install it on my own investigation system and then generate all the IOCs from it. So I got this framework but didn't need to reverse it; I could just install it and see what it does, which was the stuff in the environment. So that's IOC generation.

Though the other one, the other agent, what could that be? Because I was working on this incident, and the ransomware, or the threat actor, which was most likely a ransomware actor, hadn't managed to ransom yet, so we were just in the pre-ransom stage. They had this other thing called "agents" that we hadn't seen in the incident, but if it was placed next to the one we had in the incident it looked a little bit too interesting to leave alone. So I started looking at it, and if I put it into VirusTotal it gave me four hits from minor ones; well, it had M, but that's the heuristic one. So is this malware or not? Four out of sixty-something, it's something in between, it's more likely to be a false positive. So what is it? Looking at it, just running it and seeing what it does, it installs all this stuff. Hm, so still, what is it? Well, it is some kind of agent, but is it malware or not? The thing is, this program is a remote access tool called Intelli-Admin. Before this incident I had never heard about this tool. That tool was actually created by a guy called Steve Wiseman, but he passed away like five or six years ago, so this tooling still lingers on the internet, just keeps on living, but is now being abused by threat actors. What we're also seeing is that threat actors start using legitimate remote access tooling instead of RATs, because it's not malware per se, and we have seen Splashtop, we've seen TeamViewer, other stuff like that as well. In this case, because there's no development, this kind of dead remote access tool is just very efficient as a RAT, more or less. I installed it, and the interesting part here: by downloading this agent and analyzing it on the side we could generate all the IOCs, okay, this is the IP they're talking to. By doing so we actually identified the threat actor's backdoor into the system, which was undiscovered yet. So through this OPSEC failure we could find their backup way into the system and kick them out; they probably didn't understand how we found them, but it was because they left their tools on an open directory.

I did this little thing, my 15 seconds of Twitter fame: I did this list of remote access tools that are abused by threat actors, just a big list, and it was picked up by a bunch of people, and the people at, what's the name again, Sinak, they did a really good blog post based on that. I think that's something we as a community could do; it would be cool to have this kind of list of remote access tools that are abused by threat actors, so if someone else is interested in doing this research, please reach out.

Though you can actually do some more clever things with this discovery. This is how the panel looks for Intelli-Admin; this is the thing you're greeted with, what the threat actor had as their C2 back end. For those who attended the OSINT talk, there's a fantastic tool called Shodan. If I just type in the IP of this remote admin tool... this is a strategy I use as a malware analyst when I try to pivot into discovering other infrastructure from the threat actors: I put it into Shodan, like, okay, is there anything unique with this one compared to anything else? If you look down there it says "Set-Cookie: IA_session", and IA stands for Intelli-Admin. So what I could do then is just put in "Set-Cookie IA_session ID" as a search in Shodan, and then I got all the C2s; there are probably 190 now. When I did this slide, like a week ago or something, there were probably a few false positives here; I guess there are some legitimate cases where they still use Intelli-Admin. I would guess 70% of them are proper C2 stuff. So if you have an environment you're surveilling and it's talking to one of these IPs, I would definitely look into that and see, hm, probably there's an incident going on right now.

Looking at that other one, what can we do with this? First of all, if there's any web developer here, this is beautiful, isn't it? It's web development 101 from the '90s, but you see there's a browse thingy where you can upload files. You can leverage Shodan in a quite clever way here, because when you look at one of these pages, what Shodan does is it takes a hash of how the page is structured, so I can search for identical pages, which I did as well, and for this one I get eight hits, and this one I would say I'm 100% sure is bad stuff. So talking to any one of these IPs, there are definitely bad things going on.

Summary. Are we on time? Quite good, yeah. One of the things I do as a reverse engineer is try to figure out the weaknesses in the stuff they build, because they are prone to do sloppy stuff: they need speed, because if you look at the ransomware actors, they encrypt a lot, and to do so they need a lot of automation, and by doing a lot of automation, stuff also becomes repetitive. Then, as I did with the hash for instance, you can figure out what their stuff is as well. So leverage that: while they use this kind of automation, it can actually be used against them. That's one of the takeaways. And we have this kind of TTP where they love to reuse tooling; they use one set of tooling and start repeating it, so building on detection engineering, I think, is super important here, because by doing so we catch stuff. I work at the SOC in Stockholm and we leverage that; for instance, script engines reaching out to the internet, we do find a lot of interesting stuff there. So that's another key takeaway: detection engineering catches this stuff early on. Finally, the blue team always wins: we won against the threat actor here, the customer never got ransomed, so I thought that was a win for the blue team. With that said, any questions? Thank you very much.

Perfect, thank you. Okay, cool, we actually have five minutes for questions. Any questions? Let me step back a bit to see you better.

Hi, thank you for the talk. Did the threat actor become aware that you downloaded their tools?

I don't think so, but now that I've been talking about it publicly they probably know. I'm just guessing; we don't actually know who the ransomware actor is. Though the thing is, I think this is a mid-tier ransomware actor: let's say we normalize it to 100 threat actors, I think this is like place 67. It's not the worst one, not the best one, but below average. So they might have seen this talk and figured it out, but I don't think they figured it out when we did it. Maybe one more question.

Thanks for the great presentation. Now that you mention it, what would be the worst screw-up that you have seen?

The worst screw-up? Well, okay, we actually did a case quite recently and it was LockBit, and they're still using LockBit 2.0, which doesn't make sense to me because they have new ones. I'm glad they do, because they screw up. Otherwise, in one of the cases I was on, they started using AdFind, and you could see in the command line they were typing "AdFind something something something"; after like ten tries you could see "AdFind -h" for help. So they don't know their own tooling, that's also one of the things. Also, we have seen that when they actually ransom, the first server they ransom is the server they sit on, so only one server gets ransomed and the rest is left alone; they kind of saw off their own branch. And that's also, I hope, one of the takeaways from this talk, and if you saw my colleague Alexander as well: they do a lot of screw-ups, and we as defenders can leverage that against them. Also take away this: for instance, CrowdStrike makes this sort of villain picture of threat actors, and I think that's a bit wrong, because they're not cool people, they're bad people doing bad things to others. So by showing this I think we can maybe take a bit away from that aura of them being kind of cool villains.

Good question. Thank you for the talk, I just have this silly question: do threat actors reuse the ransomware software, and if so, for the decryption process, do they change it slightly for every victim, or how does it work?

Well, it depends, because we're up at like x hundred different threat actors now, so it depends case by case. Usually the ransomware itself, if it belongs to a family, doesn't change too much over time, but there are so many of them now, and we also have this kind of "as a service" model. For instance LockBit: they just buy the ransomware, so one LockBit incident is probably a complete set of other people than the first one, because they just buy the dump site service and the ransomware. But if we move aside a little bit from tooling: yeah, of course there's a lot of reuse of tooling. They have learned a set of tooling and they like to reuse it because they need to move fast, so they use what they're accustomed to.

Thank you for the talk. Just maybe a quick question: in situations where maybe you're facing a bit more advanced threat actor, or they do some anti-debugging, anti-VM, and you're going to be stuck with, you know, it's bad but you don't know the details, how do you approach that? Do you decide to only report your IOCs in a way, even though you don't have really clear evidence of what's there?

Yeah, it happens several times that I get stuck, it's so obfuscated and so much anti-debugging, and then, okay, I just run the stuff and see what happens: remove all tooling and have a system without any tooling, run it and do memory forensics on it, correlated with other telemetry.

The question was more related to: if you decide to disclose the information that you know to help prevent it, you could lead to them knowing that you're actually debugging them. So how do you approach that: do you decide to go and disclose the information, or do you keep it until you dig deeper, until you find something? Do you have a time limit?

Yeah, when we're in incidents, which usually are ransomware or about to be ransomware or have a threat actor in the environment, as a malware analyst it's more like triage. Let's say C2, I would say that's the most important; I give that immediately to the incident response team so we can block it. And then maybe I don't understand the whole mechanics of the malware, but I have enough for them to stop the intrusion. So yeah, I always give away the stuff immediately.

Very short: congrats with the case, it was probably the P Rom group, they're funny guys and they're also into Terminator because of a lot of Easter eggs. But my question is, as you downloaded all the tools, all the list of tools, have you seen any legitimate tools that they used?

Yeah, yeah, I mean they did. There was a bunch of, like, 7-Zip was there, there was some tooling to see how much disk utilization was used, there were a couple of those as well. They had Google Chrome as well, they need a spare web browser. So they had this kind of bunch, because the RAT itself could download additional things. So yeah, mostly bad, but a few good ones as well.

Okay, awesome, thank you very much. Thank you very much.
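The zip-metadata trick from the talk (file name, size and CRC-32 read from the central directory without the password), as an added Python example that is not the speaker's one-liner. The tool catalogue and the sample zip are constructed; the in-memory zip is unencrypted because Python's zipfile cannot write password-protected entries, which does not matter here since only metadata is read.

```python
# Identify entries of a password-protected zip from central-directory metadata
# only (name, uncompressed size, CRC-32), matching against a catalogue of tools
# whose fingerprints were computed from samples already on hand.
# Added example, not the speaker's script; all sample files are constructed.
import io
import zipfile
import zlib


def fingerprint(name, content):
    """(name, size, crc32) fingerprint of a file you already possess."""
    return (name, len(content), zlib.crc32(content) & 0xFFFFFFFF)


def zip_entries(zip_bytes):
    """Read name/size/CRC-32 for every entry from the central directory.

    No password is needed: classic ZipCrypto keeps the real CRC-32 of the
    plaintext in the central directory. Caveat: WinZip AES 'AE-2' entries
    store a zero CRC, so this trick gives no signal for those.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            {
                "name": zi.filename,
                "size": zi.file_size,
                "crc32": zi.CRC & 0xFFFFFFFF,
                "encrypted": bool(zi.flag_bits & 0x1),  # general-purpose bit 0
            }
            for zi in zf.infolist()
        ]


def identify(entries, catalogue):
    """Label each entry when name, size and CRC-32 all agree with the catalogue.

    All three must match: CRC-32 is a 32-bit integrity check, not a
    cryptographic hash, so size and name are used to tighten the match.
    """
    return {
        e["name"]: catalogue.get((e["name"], e["size"], e["crc32"]), "unknown")
        for e in entries
    }


# Constructed stand-ins for real tools; in practice hash the files you hold.
KNOWN_TOOLS = {
    fingerprint("tool_a.exe", b"constructed sample: known tool A"): "known tool A",
    fingerprint("cleanup.bat", b"constructed sample: known script B"): "known script B",
}


def build_sample_zip():
    """Constructed in-memory zip with two catalogued files and one unknown."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool_a.exe", b"constructed sample: known tool A")
        zf.writestr("cleanup.bat", b"constructed sample: known script B")
        zf.writestr("notes.txt", b"constructed sample: not in the catalogue")
    return buf.getvalue()


def demo():
    """Run the metadata match over the constructed zip."""
    return identify(zip_entries(build_sample_zip()), KNOWN_TOOLS)


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Point the same `zip_entries` at a real password-protected archive and the `encrypted` flag will be set while name, size and CRC-32 remain readable.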