
Good day, and welcome to my presentation: the unencrypted malware, the invisible threat, as we have named it. Now I will tell you what I have in mind. First of all, a little about me. I am a computer enthusiast. Since I first sat at a computer, a long time ago, I have continued to play with such things. I come from system administration; I was a sysadmin for 4 years, and more specifically I am now in the cyber security sphere. When I started doing this, I realized that it is a completely separate universe and that I had to start from the beginning. I would like to say that I am the manager of the Bulgarian branch of Stamus Networks, which has Bulgarian roots. Here it was mentioned that during the first presentation there was an opinion that there should be more products of local origin, and this is exactly such a product; I just put it as an example. Stamus Networks develops cyber security platforms, intelligent platforms, and is very engaged in the open source community. There is a GitHub repo with 25 different cyber security projects at the moment, and some of them are actively being developed. Anyone who wants to learn more can go to the GitHub repo to get to know it.

So, what are we going to talk about today? We will talk about malware, illegal code: how the initial breach happens most often, what we expect to happen, what actually happens, what the behavior of modern malware is since yesterday, since today and probably since tomorrow. We will do hunting of such network activity, and we will try to make some proposals for protection and training as well.

The initial breakthrough: as we can see from this graph, phishing has become dominant and will probably dominate in the future for a simple reason. It is aiming at the weak link in every organization, this is the rear-end aircraft. There is always someone to click somewhere, to open something that is not necessary, and from there a walk in the dark begins. Over 70% of the attacks and techniques used in 2022 were phishing. To add, when phishing is mentioned, people imagine some imitation website that will steal your passwords. This is only one part of the whole concept. We can have fake emails, we can have fake ads, fake websites, fake software. Everything that can be imitated so as to mislead the user about the legitimacy of the source can be misused.

Windows remains, for a number of reasons, the most widespread and the main target, because of the fact that it is the most widespread; some would say because of other things, such as the reputation of exactly this operating system, but this is another topic. Microsoft is constantly trying to fight the bugs and vulnerabilities that are constantly coming out for Windows. Their latest hope is that they will block VBA macros in Microsoft Office, which will hardly help, for the same reasons and many others. This will probably only apply to the latest version of Microsoft Office; exploits are constantly coming out, and so on.

Here I like to show some examples of phishing, examples that I even took out quickly while I was doing the presentation. This is an email from my bank that wants me to click somewhere, and it is a legitimate email; it took me about a minute to confirm that it is really my bank sending it and not someone impersonating it. An even more striking example is the statement in a zip file, which is encrypted, a zip file that the bank sends every month. You can calculate how this technique can be exploited. One of my favorite examples is an email from the National Welfare Agency, where they are threatening us with a sanction if we don't open an attached file, which is not recommended. In this line of thought, banks and state institutions use communication with attached files, which is exploited by people and malware with bad intentions.

Let us look at the life cycle of such malicious code, virus or whatever it is; it is quite trivial. As we can see, a file must land on the victim's device. Then its first task will be to ensure persistence, that is, restarting if the system restarts or is switched off and on again, i.e. to be carried through the algorithm until it is completed. And what is most often the case is that the initial infection triggers an additional download, in the second stage of execution, of additional binary files, executable files with another kind of more sophisticated malware, which can actually reach the ultimate goal, which can be data exfiltration, theft of passwords, personal data, ransomware and hacking. What else? Botnets, crypto miners. What are the examples we have seen? Can you imagine what a criminal or an individual who has obtained illegal access to the system or to the information of an organization can do? From there you can go on laterally and so on. The most accurate example from a long time ago was a small coffee shop that got some attachment; you click and everything on the network got infected, where there was file sharing. Of course, there is no backup.

As we said, there is always a second stage. After the infection there is a download, and also exfiltration of data, downloading of additional archives with executable files or directly executable files. There may be a lookup, that is, the malware tries to understand where it is, for example what its IP address is, geolocation and so on. Now, the interesting thing here is that when it comes to command and control servers or storage for this second stage, most of the communication is done unexpectedly, maybe over unencrypted channels, legacy protocols like HTTP, port 80, no problem, everything is in plain text, you can go and nothing can stop it. POST, GET, applications in plain text. My colleague Bozankov spoke about base64. In the beginning, how an IDS executes. Here we will show it with base64 encoding, and we will show that we can catch this with an open source instrument. An open source instrument like Suricata, which is an IDS/IPS engine.

I like to show this picture to everyone who has never heard of Suricata. This is exactly what Suricata does. It listens to network traffic based on rules that are previously loaded into the engine. These rules describe attacks that are already known, and it can produce logs that are detailed information about the traffic. It is important to say that Suricata is not only an IDS, it is also an NSM, that is, it can do network security monitoring; it can work without rules, it will produce logs for every flow, for every protocol, so-called protocol transactions, and this is very useful. Here is how a log looks, generally speaking. We have the name, the protocol, source and destination IP addresses and ports, the application-level record of what happened: there is some download, what this file is, and so on. Here, it is not visible, but this is the same window in a table view. Here we have, on port 80, clear text; we have download and upload, so we have some kind of infiltration of information. Here we have a base64 alert. We have an alert for some kind of encoded executable download in base64. Here, up here, this is base64. When we decode it, we get a clean executable file that has passed in plain text through HTTP, a clear-text protocol.

When we talk about unencrypted traffic, it turns out that malware very commonly abuses public resources; any type of service is observed almost constantly. I mean services like Google Drive, Dropbox, any kind of file hosting services, public services: they just keep such executables there, sitting until they need to be downloaded in the second stage. Second stage: download. They are left unnoticed. They can be downloaded millions of times before someone stops them. Here we have an example from Dropbox. It is online at the moment. We had a hard time downloading it to the sandbox. Here we see VirusTotal telling us that the file is definitely a virus or a trojan.

What can we do in this situation? Well, many things. All of them are possible from the descriptions. There are more. Some of them can be done in a certain topology, some not. But from the network point of view, the easiest way is to put an IDS (intrusion detection system) or IPS (intrusion prevention system) on the traffic path and inspect it in real time. Of course, this can be automated later; we can imagine how we can automate the logs we receive and receive information in real time about such traffic that is done in literally plain text, passes through the network and nothing stops it.

Here I try to remind myself quite often of the 12 networking truths, RFC 1925. They always apply, for the blue team and the red team. Why did we discuss this issue? Why does malware prefer this way of communication? I mean clear text, port 80, HTTP. It just has to work. And that's it. Port 80 will always be open. We can't forbid it. Every old idea will be proposed again. For the same reason, malware will misuse these kinds of communications.

And now we will use Suricata for some practical examples, Suricata in the form of SELKS. This is an open source distribution based on Docker. It works on all the most popular Linux distributions, with a very easy installation for whoever is interested in seeing more. Here I have prepared Docker, which I am starting. The example we will see is one from Malware Traffic Analysis. This is a vendor or sandbox; it is more of a vendor of such detonations of malware in an isolated environment and analysis of the traffic. Here we have a fake Google ad that sends us to a fake CPUID page. This is software for identification of the processor, overclocking and such things. And here, when we click on the installation of this program, malware comes with it. And now we will see... Just a moment, I have a technical problem. Kill me. The risks of live broadcast: the virtual machines crashed. The idea is that whoever wants to see it, we will continue to do it. We will continue without this; we will leave a little with the time.

Now the next talk, with a little acoustic flavor, follows, and then we will have lunch. There are sandwiches for whoever wants them in advance, for sure. Two minutes until we start the next talk.
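The detection the talk demonstrates with Suricata (a Windows executable carried in base64 through clear-text HTTP) as a small added example that is not from the talk, from Stamus Networks or from Suricata: it scans an HTTP body for long base64 runs, decodes each one and checks whether the result carries an MZ header with a valid PE signature. The HTTP messages and the PE stub are constructed samples, and percent-encoded base64 in form bodies is an assumed simplification this check does not handle.

```python
import base64
import re
import struct

# Constructed sample: a minimal MZ stub whose e_lfanew field points at a "PE\0\0" signature.
# It is not a runnable program, only the two header fields a PE carver looks at.
def build_fake_pe() -> bytes:
    dos_header = bytearray(b"MZ" + b"\x00" * 62)      # 64-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x80)    # e_lfanew -> offset 0x80
    return bytes(dos_header) + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 32

# A base64 run long enough to be worth decoding (short runs are mostly tokens and hashes).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """True when data starts with MZ and e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_b64_executables(http_message: bytes) -> list:
    """Return (offset, decoded_size) for every base64 run that decodes to a PE image."""
    hits = []
    for match in B64_RUN.finditer(http_message):
        chunk = match.group(0)
        chunk += b"=" * (-len(chunk) % 4)             # restore padding stripped by the sender
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:                            # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            hits.append((match.start(), len(decoded)))
    return hits

# Constructed clear-text HTTP exchanges: one carrying the PE stub in a POST body, one benign.
MALICIOUS_POST = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=update.bin&data=" + base64.b64encode(build_fake_pe()) + b"&ok=1"
)
BENIGN_POST = (
    b"POST /notes HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b"text=" + base64.b64encode(b"The quick brown fox jumps over the lazy dog. " * 3)
)

if __name__ == "__main__":
    for label, msg in (("malicious", MALICIOUS_POST), ("benign", BENIGN_POST)):
        print(label, find_b64_executables(msg))
```

Suricata's own base64-decode and file-magic keywords do the same job inline at line rate; this stand-alone version is useful for checking captured HTTP bodies after the fact.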