
LoL-Bins Behaving Badly - Andrew Costis

BSides Liverpool · 26:10 · 351 views · Published 2019-07

Transcript [en]

All right, so I'm Andrew Costis. I'm a threat researcher at Carbon Black. My talk today is on LoL-Bins Behaving Badly. I just wanted to start by thanking all the BSides organizers and everyone that's been involved, and thank you for selecting my talk; it's a great honor to be here. So good job, everyone, and I like the venue, but it needs a bit of air conditioning, maybe for next year. So a little bit about me: most of my colleagues know me as AC. I've been doing threat research and malware analysis for about four years, but I've been in the tech industry as a whole for about 17 years, so

it's funny how I kind of got into it. So my background is quite varied: I've done hardware to software to data center to field engineering, technical support, sysadmin, kind of a bit of everything, and just being exposed to so many different technologies has kind of helped me to do more of what I wanted to do. So yeah, quite a varied background. I don't sort of do Twitter; I am on Twitter, but I use it more for research, so looking at any new malware hashes that get posted, or any of the AV vendors or other researchers that might post some interesting information. So I specifically work

in our Threat Analysis Unit for Carbon Black. So we have a team of about 16 people and we're kind of scattered all over the world; we're all remote. Out of the 16 of us we're broken into four focus groups, so I work on a team of four looking at e-crime and commodity malware. We've got other teams that do kind of internal support, so building and supporting tools for us guys to use; we have an APT / nation-state team; and then we have more of a product-focused team that are more experts at how the products work. And that is a picture of my dog

showing no signs of reading Practical Malware Analysis. So a quick rundown of the agenda: my plan is to kind of make a few definitions for anyone that's not clear on some of the stuff I'm going to cover, and then I'm going to actually step through some examples. So I'm going to start off simple, talking about some ransomware campaigns and families that I've looked at over the last six months, and then move on to some of the more advanced techniques, banking trojans and how they're leveraging LoLBins, and if we've got time (and please be nice), if we do have time please ask me some questions; I might have a clue how to

answer. So starting from LoLBins: what is a LoLBin? So, living off the land binary. This is any application or binary that comes pre-loaded with whatever flavor of operating system. Helps if I click next. Why is that not working?

Laptops. Now it's a good start. Oh, there we go. Yeah, so living off the land: these are binaries that come pre-loaded, so common things such as PowerShell, WMI, Windows Script Host and lots of others. There's actually some very unusual ones that you probably wouldn't even think to look at that are being used every day by malware actors. I really wanted to just mention there's a guy that's based in Norway, Oddvar Moe. He's done not only a brilliant talk about the history behind how the term LoLBins first came about, but he also manages and maintains a GitHub project where it's basically an inventory of the different file names

for different Windows LoLBins, so I highly recommend checking them out. I've reached out to him because there was a specific malware family that I was looking at, and there was a particular LoLBin that's not very well documented and it wasn't on his GitHub page, and he's super responsive. So yeah, if you encounter any LoLBins in your day-to-day world I'd definitely recommend hitting him up. I've got a... PowerPoint's going to crash on me. [Music] So you didn't see that, but I did actually have an error message pop up here.

Come on. Yeah, it looks like my PowerPoint has completely died, so let me just restart this real quick. Apologies.

Oh.

This is a good way of killing five minutes.

Okay, maybe the clicker's completely broken.

Okay, let's try that. It seems to be lagging somewhat, so I'm just going to try and talk about what's on the slides before it crashes again. So another definition: commodity malware. So most people know malware; when they talk about malware they typically think about APT, so advanced persistent threat, but in actual fact, kind of first-hand experience is that APTs aren't always as advanced as what people think. So if anything they're more adaptive, because they're very well financially backed, they're very highly resourced in terms of the people behind the APT campaigns and the nation-state campaigns, and they're usually after a specific goal, whether it's corporate espionage, whether it's blueprints to the latest F-35

stealth fighter or whatever the case may be. There's enough indications as to who the usual culprits are; we're not going to go there. So typically, if anything, APT should probably be labeled as adaptive, because they're designed to be adaptive and just kind of stay off the radar in the typical corporate environment. In contrast to that... and I've got another error, this is not going well. So in contrast to that, commodity malware, so that's pretty much everything else. So most people think that keyloggers, ransomware, yeah, this stuff's been around for years, it's not that sophisticated. In actual fact, from what we're seeing, at least in our team, is that the sophistication level and

the advanced level of commodity malware is actually improving somewhat over recent times. Generally speaking, you know, not just ransomware but even banking trojans, looking for specific targets: they're looking to kind of infect as many systems as possible if we're talking about ransomware, or maybe just a specific company if we're talking about banking trojans. But either way, on a technical level, while the motives and the intent might be slightly different, there's actually a very close technical overlap between the two. For example, nation-state malware often uses LoLBins, as does commodity malware; they both use obfuscation methods; they both use ways to hide

themselves from people like me in terms of anti-analysis, you know, sandbox escaping or whatever. So just to kind of clear up any issues with those. So the next big buzzword has been around for the last couple of years: if anyone hasn't heard of MITRE ATT&CK, I hate to tell you, you may have been living under a rock, but it's really, really helpful. So effectively it's a knowledge base of adversary behaviors. Historically, there's a model that a guy created, David Bianco, back in 2013, called the Pyramid of Pain; recommended to check it out. But at the bottom you have IOCs. Now IOCs, I'm not

saying they're pointless or they serve no purpose, but in the age of Emotet, and I know in the keynote, you know, Emotet was mentioned, the reason why Emotet specifically gave a lot of the blue team a headache, a big headache, was because IOCs were changing all the time. This is very, very difficult to keep track of when you have hundreds of thousands if not millions of samples and hashes that are changing; they're only valid once and then, you know, have a very short shelf life, or low TTL if you like. So enter the MITRE ATT&CK framework. So it's effectively a knowledge base of behaviors, so rather than mapping to IOCs,

which expire very quickly, you can kind of abstract that at a higher level, and not just from a blue team but also for red teaming, pen testing, adversary simulation, and just basically using the framework to measure your security, measure your effectiveness, perform gap analysis and so on. And as a quick example, this is just a slide taken from the MITRE framework, and I'm sure some of you here have seen this before, but this is just one of the uses. So from a researcher's perspective it's quite useful to be able to compare different APT campaigns and look at the behaviors that they share and what's common, because that might help to kind

of track going forward, that may help with hunting, and other reasons as well. So MITRE ATT&CK is not a bulletproof, silver-bullet kind of approach; this is not going to fix everything. But if you haven't encountered it as yet, definitely check out their website; there's some really good information. Fundamentally how it works is the column headers, if you like, at the top represent the goal of the attacker, and then the cells underneath each column represent the tactic or technique used. And their website's great because you can obviously drill in and get specific examples of, you know, exfiltration, C2 or lateral movement examples and so on.

So touch wood, we're still working, so that's good. So we're going to move on to some quick examples of ransomware. We're going to start off with some simpler examples. This particular ransomware campaign came out a couple of months ago, brought down some government... not agencies, government kind of services across North America. It's quite an interesting example, so most ransomware that I've personally dealt with is written in .NET; this is actually written in Go. I'm not saying that we're seeing a huge uptake in malware written in Go, but it was probably one of the first

Go-written or -coded ransomware strains that I've personally encountered, so that's quite interesting. This particular ransom note was quite interesting as well, because after four days it was prompting the victim with an additional ten-thousand-dollar demand after the fourth day and for each day thereafter. So again, like the psychology behind ransomware. But digging into this particular sample, it doesn't take long to see some common tactics and techniques delivered. So at the top we've got the process, so we've got basically the executable that spawns command prompt, which spawns net, and it basically does a net use. This is not so common; this is quite an interesting command because it basically just disconnects all mapped

network drives. So typically ransomware has worm kind of capability built in, so ultimately a common aim for the malware author is to infect and spread, because ultimately if they can infect more people then there's more chance that they're going to receive payment, right? So this command is quite unusual for a regular user to run, and so just by knowing the ATT&CK ID, which is in green, so ATT&CK ID T1126, it falls under the Defense Evasion column if you like, and then it's Network Share Connection Removal, and there's a whole load of other information about this particular command. As I say, I'm going to start

simple, but these aren't unique to ransomware; these are just very common commands, LoLBins, that I see very, very often. So again, sc.exe does a stop, but actually stops 180-something services all in one go, so if you're monitoring, you actually see 180-odd command prompts all spawning and each individually doing a stop of whichever service name, and included in that was a pre-compiled list of services: not just anti-virus but also backup, disaster recovery, virtualization, SQL, Microsoft Exchange, a load of other services, to just try and stop all those services running as quickly as possible. It's a common tactic for

kind of counter-IR, so trying to make people's... well, our lives difficult, essentially. But again, the ATT&CK IDs in green, so Service Stop, and you know, disabling security tools, very common to ransomware. Again, not going to go too much in depth, but wevtutil, so again it's a LoLBin that comes with Windows, has been around for years, effectively used to clear the Windows event logs; a really, really common technique used in ransomware, again another counter-IR technique. bcdedit: so ransomware typically doesn't want you to recover your system, so how it will do that is it will basically disable the

automatic startup recovery and repair screen, so that the next time Windows boots up it's kind of game over. So again, ATT&CK IDs in green: Indicator Removal on Host, in other words the indicator being the artifacts of the Windows event logs, and a common one is obviously Inhibit System Recovery, and that's really... which you'll see shortly, but that one pops up a lot. Another strain of ransomware: this kind of cropped up at the start of the year, very, very similar to WannaCry and NotPetya, so it contains the EternalBlue exploit embedded in it, uses a pool of onion addresses, kind of fairly normal for ransomware, again drops the Windows shadow copies, so really

kind of typical, and how it does that is it has a Visual Basic script and it executes that, which then executes WMIC, which then executes the delete shadow copies. The shadow copies are there for legitimate reasons as part of Windows System Restore, and also your third-party backup applications will use shadow copies if you're using snapshot-provider type backup technologies. So again, a common way of just trying to clear down the system, hide all the evidence as quickly as possible and move on to the next victim. So kind of going through this exercise with a few more samples, specifically ransomware, you can kind of see, and build your table how you

want, or you know, this is kind of a way of just showing you the usefulness of the understanding of the MITRE ATT&CK framework and how the LoLBins fit in. So as you can see, I've just kind of mapped, I don't know, five or six or seven ransomware families, and you can see highlighted in green, you know, Inhibit System Recovery is quite a common theme amongst malware, ransomware rather, but also, you know, understanding the common LoLBins that keep cropping up will help you to zoom in within your network, whether it's from a detection standpoint or whether it's from a hunting standpoint. You know, you

can start to look at, okay, why is that user that's in finance running bcdedit, or why is this user running, you know, sc commands or whatever, out of hours or whatever. So the idea is to kind of use your own intelligence to perform gap analysis, understanding, you know, evaluating your assets and obviously your defenses, and there's loads of ways that you could use this to measure, you know, in terms of count, priority; you could start using it to tag things. And that's all from a free framework that's been around for the last couple of years.

So moving on to a couple of banking trojan examples. This particular banking trojan, NanoCore, has actually been around for a couple of years. This was quite interesting because it used quite an oldish, 2017 I believe, CVE for Microsoft Office Equation Editor. So the Equation Editor is something that comes shipped with Microsoft Office and has done for quite a few years, but specifically what was interesting about this was it hides itself as a JPEG file; rather, it downloads a JPEG file, but it's actually a PE file, or executable file. The PE file is actually compiled with a piece of third-party software called AutoHotkey. I don't know if anyone's familiar with AutoHotkey, but basically

it's used for creating aimbots for gaming, and other legitimate uses as well, like for example if you wanted to demonstrate stuff without a click of a button, you can pre-program it through macros, from my understanding. And so this particular executable was embedded using that third-party software, and it basically comes with a compiler where you can compile an executable. So this particular campaign had multiple levels of obfuscation, and part of that was a LoLBin embedded within one of the scripts, and there was a load of Base64 encoding, and they were actually using a lot of the libraries that come with AutoHotkey

to do all the obfuscation. But essentially what it's actually looking for is a hard-coded path to the .NET Framework folder within the Windows directory, and it actually calls out to a tool called RegAsm. So RegAsm is the Assembly Registration Tool, and it's basically used to compile .NET Framework type binaries, effectively .NET code, right. So once RegAsm ran this particular code, it then proceeded to the next stage, which was to install the remote access trojan, and it persisted through the registry and it set up a keylogger, and it was storing its own database in the temp directory, for anything like copy and paste, and anything

copied or even typed from the user's end would be saved, cached, and then sent back through the C2. Another one that I was looking at just about a month or so ago: Ursnif. Again, it isn't anything new; it's been around for a long time. It was formerly known as a different actor or group, if you like, behind it, but the source code behind it got leaked, and then it got forked, and then it just became Ursnif quite a few years ago. But this has been doing the rounds for a long time; they're very much active, they're kind of upping their game all the time.

They have heavy anti-analysis, which makes my job hard, and they have rapidly changing C2s. One particular day I was looking at a new sample that, to the best of my knowledge, no one else was looking at, and I was quickly able to get onto the admin dashboard of the C2. Unfortunately it went offline very quickly, but it's interesting to see the facilities behind the C2 controller. So obviously they've got a dashboard for their clients: how many clients are infected, probably OS flavors, the modules that they can load, because banking trojans are typically very modular, obviously users, so if they've got a team of people that need access to this admin console, and probably

other settings as well for [unclear]. So again, this particular sample: when the executable runs, typically it will execute rundll32, which then executes cmd, then PowerShell, then csc, then cvtres. So I'm going to go into a bit of detail about that. So rundll32 is a legitimate process; it typically spawns, you know, exported or shared DLLs; it's very, very common. What's not so common is when you see something like a ShellExec_RunDLL, highlighted in red. So basically what that's doing is, it's kind of like a common way to create a backdoor, if you like, through a PowerShell output and then

kind of triggered through cmd, but then indirectly through rundll. This is actually quite common for products like Cobalt Strike and PowerShell Empire as well. But obviously, if you are responsible for looking at your LoLBins in your estate, then, you know, rundll32 activity: don't overlook it, because you can obviously do a lot of damage. So again, ATT&CK ID, Rundll32. The next ones that I mentioned were csc and cvtres. So csc is the C# compiler, so kind of similar to the RegAsm that I mentioned. So this is quite interesting: csc.exe and cvtres.exe. cvtres was actually not listed on the

GitHub page that I mentioned before, so that's what prompted me to hook up with Oddvar Moe, who's kind of looking into it as well with me at the moment. But what's kind of interesting is, again, files were pulled down through a remote web server and then they're effectively built on the fly. Typically, you know, it's kind of unusual, maybe not unusual, but potentially, to be building out and compiling .NET code or C# code from the Windows temp folder. That may or may not be usual in your environment, but it's something to think about. Typically if you're a developer you might have Visual Studio;

you may have a path where you're going to save all your projects and so on. So again, this isn't like a silver bullet, but it's hopefully helpful to see where and how malware is using the LoLBins, and it raises questions. So going back to the ransomware table that I produced, you could produce something very similar as well. And the last example is one that cropped up earlier this year: Shlayer. So this is something that got picked up around last year by our threat research team. There's kind of a funny story behind this. So one of my colleagues

is a very keen beer brewer in the States, and he was just browsing around some forums on his Mac and he was presented with a quite legitimate-looking Adobe Flash Player update, which obviously he saw as a bit of a red flag, and this is how we started tracking Shlayer, because it actually turned out to be quite a relevant piece of Mac malware. And how it works is, essentially there's multiple hijacked web servers serving up ads and fake Adobe installers and whatnot. Those would come in different forms, typically DMG files, but other files like ZIPs and ISOs

and package files, and some of the samples, not all, would also include a crypto-mining element to it as well. But this particular campaign was quite interesting because it used multiple layers of obfuscation, so it would unpack, and then it would create, whatever it unpacked, into a hidden file, then it would download something else, and repeat and repeat. Interestingly, these particular samples were also signed by Apple developer IDs, like actual developer IDs, so we got onto Apple and fortunately they got taken down. But what's relevant to this is a lot of the tools used, LoLBins, also apply to Mac as well. So of course we mostly think about the Windows world,

but, you know, xxd: this tool was used to perform the attack, and what the malware... how the malware played out also uses OpenSSL, curl, uid, and there was also some other script as well called the security-off trampoline, which actually we had to reach out to MITRE ATT&CK for, because there wasn't even a TTP for that, because it was quite a new technique specifically targeting Macs. But kind of interesting, because you don't always think about Macs or your Mac user estate, but again being able to look at the behaviors allows you to kind

of start building questions of, you know, should that guy working in finance have access to xxd, and should he be using it, and so on. So a kind of similar scenario, but rather than building a table you can start to use the ATT&CK Navigator and actually start mapping to the different techniques. So again, even if you have no knowledge of Mac, or even if you've got a small Mac estate, you can use this information to start looking at perhaps the key columns on this table and then decide, you know, maybe you want to focus in on script execution and AppleScript, or whatever the case may be.

You can use that approach, you can use the table approach for the ransomware table I showed you, but the whole idea is: don't underestimate the LoLBins. They are being used all the time, at least from what we're seeing, and obviously MITRE ATT&CK is your friend, so if you haven't heard of it, check it out. And that brings me to the end of my talk. So apologies for the technical problems; we made it. Any questions? If you don't ask me now, feel free to grab me outside. [Applause]
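The detection idea the talk keeps returning to (flag the LoLBin command lines that ransomware and banking trojans run, tag each hit with its ATT&CK ID, and then ask why a finance user's process tree contains it) as an added worked example. This is editor-written code, not the speaker's or Carbon Black's: the process events are constructed Sysmon-style records, the ATT&CK IDs other than the T1126 quoted in the talk are current technique/sub-technique IDs assigned here, and the `sc stop` burst threshold of 20 is an assumption.

```python
"""Flag LoLBin abuse in process-creation telemetry and map hits to ATT&CK IDs. Added example; events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path as an EDR/Sysmon event would log it
    cmdline: str

def basename(path):
    """Lower-cased file name of a Windows (or POSIX) image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# (rule name, ATT&CK id, image basenames, case-insensitive command-line regex).
# T1126 is the ID quoted in the talk; the other IDs are current ATT&CK IDs assigned here.
RULES = [
    ("net use share removal", "T1126", {"net.exe", "net1.exe"}, r"\buse\b.*\s/delete\b"),
    ("service stop", "T1489", {"sc.exe"}, r"\bstop\b"),
    ("event log clearing", "T1070.001", {"wevtutil.exe"}, r"\b(cl|clear-log)\b"),
    ("recovery disabled", "T1490", {"bcdedit.exe"}, r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("shadow copy deletion", "T1490", {"wmic.exe"}, r"shadowcopy\s+delete"),
    ("rundll32 ShellExec_RunDLL", "T1218.011", {"rundll32.exe"}, r"shell32(\.dll)?\s*,\s*shellexec_rundll"),
    ("csc compile from user-writable path", "T1127", {"csc.exe"}, r"\\(temp|appdata)\\"),
    ("regasm proxy execution", "T1218.009", {"regasm.exe"}, r"\S"),
]

def match_rules(ev):
    """Single-event hits: image name plus command-line pattern."""
    img = basename(ev.image)
    return [(name, tid) for name, tid, images, pat in RULES
            if img in images and re.search(pat, ev.cmdline, re.IGNORECASE)]

def ancestry(events, pid):
    """Image names from the root ancestor down to pid, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against ppid cycles
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def compile_chain_hit(events, ev):
    """csc.exe with rundll32.exe and powershell.exe among its ancestors (the talk's rundll32 > cmd > powershell > csc chain)."""
    if basename(ev.image) != "csc.exe":
        return None
    anc = ancestry(events, ev.ppid)
    if "rundll32.exe" in anc and "powershell.exe" in anc:
        return ("rundll32>cmd>powershell>csc chain", "T1127")
    return None

def service_stop_bursts(events, threshold=20):
    """Parents that spawned `sc stop` at least threshold times: ransomware stops
    dozens of services at once, an admin stops one. The threshold is assumed."""
    counts = defaultdict(int)
    for ev in events:
        if basename(ev.image) == "sc.exe" and re.search(r"\bstop\b", ev.cmdline, re.I):
            counts[ev.ppid] += 1
    return {ppid: n for ppid, n in counts.items() if n >= threshold}

def triage(events):
    """pid -> list of (rule, ATT&CK id); pids with no findings are absent."""
    findings = {}
    for ev in events:
        hits = match_rules(ev)
        chain = compile_chain_hit(events, ev)
        if chain:
            hits.append(chain)
        if hits:
            findings[ev.pid] = hits
    return findings

SYS, NET = r"C:\Windows\System32", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TMP = r"C:\Users\finance\AppData\Local\Temp"
ENC = "powershell -nop -w hidden -enc JABhAD0AMQA="   # base64 of the UTF-16LE string "$a=1"
EVENTS = [
    # ransomware-style: one dropper, many LoLBin children (plus 25 sc stops appended below)
    ProcEvent(100, 1, r"C:\Users\finance\Downloads\invoice.exe", "invoice.exe"),
    ProcEvent(101, 100, SYS + r"\cmd.exe", 'cmd.exe /c "net use * /delete /y"'),
    ProcEvent(102, 101, SYS + r"\net.exe", "net use * /delete /y"),
    ProcEvent(103, 100, SYS + r"\wevtutil.exe", "wevtutil cl System"),
    ProcEvent(104, 100, SYS + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcEvent(105, 100, SYS + r"\wbem\WMIC.exe", "wmic shadowcopy delete"),
    # benign: a developer build compiling from a source tree, not %TEMP%
    ProcEvent(200, 1, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(201, 200, NET + r"\csc.exe", r"csc.exe /out:C:\src\app\bin\app.dll C:\src\app\Program.cs"),
    # banking-trojan-style compile-on-the-fly chain
    ProcEvent(300, 1, TMP + r"\doc.exe", "doc.exe"),
    ProcEvent(301, 300, SYS + r"\rundll32.exe", "rundll32.exe shell32.dll,ShellExec_RunDLL cmd /c " + ENC),
    ProcEvent(302, 301, SYS + r"\cmd.exe", "cmd /c " + ENC),
    ProcEvent(303, 302, SYS + r"\WindowsPowerShell\v1.0\powershell.exe", ENC),
    ProcEvent(304, 303, NET + r"\csc.exe", "csc.exe /noconfig /fullpaths @" + TMP + r"\abc.cmdline"),
    ProcEvent(305, 304, NET + r"\cvtres.exe", "cvtres.exe /NOLOGO /READONLY /OUT:" + TMP + r"\RES1.res"),
    ProcEvent(306, 300, NET + r"\RegAsm.exe", "RegAsm.exe " + TMP + r"\payload.dll"),
] + [ProcEvent(400 + i, 100, SYS + r"\sc.exe", f"sc stop svc{i}") for i in range(25)]
```

Run `triage(EVENTS)` and `service_stop_bursts(EVENTS)`: the developer's `devenv.exe > csc.exe` build stays silent, while the `%TEMP%` compile under a `rundll32 > cmd > powershell` ancestry, the `ShellExec_RunDLL` parent, the event-log clear, the `bcdedit` and shadow-copy commands, and the 25 `sc stop` children of one dropper all light up. The rule table is deliberately small and image-name keyed; in a real estate the next step is exactly the question the talk ends on, which parent and which user, which is why `ancestry` is returned alongside the hits rather than the binary name alone.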