
Alright, hey guys. Like the slide says, I'm Keith. I work at PwC in their cyber threat intelligence team. I've been doing that for about a year and a half now, and I spend most of my time analysing malware and tracking threat actors, which is exactly what this presentation is all about. So in this presentation I'm going to go through a few things. Firstly I'm going to introduce the idea of threat actors, a few key terms that you might hear throughout the presentation, define why we do track threat actors, a little bit of background on what I did and my methods, using a real threat actor as an example, and then going through the methods of tracking, how you can identify patterns and what sort of patterns I identified, and then a few other tips that I learned in my first experience when I was tracking threat actors, and then we'll end with questions if we've got some time.

So right, starting off: what do I mean by a threat actor? When I say threat actor I'm essentially saying any bad person up to no good. So normally when people say this they're referring to maybe cyber criminal gangs or nation-state hacking groups, which are also known as APTs, or advanced persistent threats. I've also done a little artist's rendition of what the threats are like nowadays, though it might not be accurate.

So the threat actor that I tracked as part of this was called Dark Caracal. They had quite a lot of activity last year and they were the subject of a really interesting report by Lookout and the EFF. So if you want some more details about this threat actor, like the background, attribution and who they were targeting, then check out that report, but for this I'm just going to kind of use them as a backdrop and show how you can track threat actors by tracking them.

So why track threat actors? Basically the scenario is: you get an email through in your organisation, you get a phishing email, then somebody opens it and now you've got their malware running on your system. The first things you kind of want to know are who is behind this, who are their likely targets, what are the common sort of techniques that you can look out for, and do they have any repeating behaviours that you can look out for, and then make sure you stop them in their tracks. Also the main point about threat actor tracking is the fact that we want to have fun, because cybersecurity is all about fun, so that's another reason to do it.

So let's get tracking. The scenario was that around June 2017 we were alerted to an email. That isn't the actual email right there, that's just kind of an idea of what
the email looks like, because all phishing emails essentially look like this. But the main points in that email were that the from address was a Jessica Koran at Maxwell Group, and it also had an Excel document attachment. So those are the main two things I want to focus on here, and if we want to know more information about this threat actor I think the best place to start is by looking at that Excel document and finding some things out about it. The quickest way to get more information out of this document is to run it in a sandbox or a virtual machine, which is what I did in that situation.

So I've got a safe environment set up where I've got a virtual machine that's disconnected from anything I care about. I spin that up and I run the Excel document inside there, and like a lot of common phishing documents it comes up with a warning to enable macros. So I do that, enable macros, check all the activity that's going on, and then see that it drops out an executable file, which I've put the hash of there at the bottom. And once this executable file was dropped out it started to connect out to the command and control server of the threat actor. I pulled out a little bit of their communication there; you can use Wireshark to get this out and it's quite basic to do, and you'll be able to find a few more key bits of information. So there we've got a URL at the top there where it goes to get.php. I've also got the domain name that it's connecting out to, which is antmax.com. Also, weirdly, when the command and control server of the threat actor replied, they sent a little message at the bottom saying "ok bandikx 3 244", which is also quite interesting, and we're starting to get an idea of these unique behaviours that this threat actor has. So I note them down as good indicators, and let's keep going.

So another quick way to get information on a file is to check the metadata. So in the case of the executable file you can just, in Windows, right click it and look at the information. In the case that I was talking about, I look at it and I find it's signed, and it's signed with an actual person's name, this Johannes Krutov, on the right here and on the left. So I look at that and I think, right, quite interesting, it's a person's name, probably not a real person but interesting all the same. And then looking at the document as well, the metadata there shows that the last author was Ali. And also in the strings of the file, and these are like little messages that are embedded inside an executable that you'll be able to pull out, you can also find again that domain, antmax.com.

So after doing these two quick steps, that's where you just kind of pause and do a stocktake and find out what we've got now. So in our case we've got two files, the Excel document and the executable; we've got an email, Jessica Koran; we've also got a domain, antmax.com, a URL, and also some miscellaneous strings. So like I showed you earlier in the Wireshark little short HTTP request, we saw that "ok bandikx", and also in the strings of the file there was a debug path, and debug paths are little remnants of where
the threat actor might have compiled their malware. We've seen that there's this folder here, "backup 2903 2014", so it's also quite unique, so that's quite interesting, so we pulled that one out. And then we've got two names so far, three names even: so we've got the Jessica Koran from the initial email, Johannes Krutov that was signing it, interesting, and then the Ali that's popped up a few times as well. So then you ask yourself, which of these that we've noted down are useful for tracking threat actors? The hint is really all of them, because they're all kind of unique in the case of this threat actor and things we can use to track them on. Also a good tip is to send these to your security team or your SOC or something like that, so that they can get these all blocked and they can look out for them in the future, so that if you have been hit by this threat actor then you make sure that you're shutting down any activity from now on.

But once you've done that we can get back to the fun stuff and start to find out a bit more. The best way to do that is to search on Google or something like that; just throw in some of the strings that we saw. So like this "ok bandikx", we can throw that in and already we can see two links at the top there for sandboxes, and at the bottom another sandbox, so we can actually open those up and see other samples of that malware running again in a different context. Also in Hybrid Analysis you can open this up and download the file, so again you can continue this little snowball effect. And then on the right, also if I search for the D backup half of that folder path we saw earlier, that's interesting: we've already got another few sandboxes of people who have thrown this malware sample in, and again like I say you can go into Hybrid Analysis, look at the indicators there or even download the file itself and run it in your own environment. That's interesting. So we've got more samples, possibly of the same threat actor but more likely just the same piece of malware. Another interesting part I found there was that this D backup path also had, again I've highlighted it there, the name Ali, which has popped up twice now, so that's quite interesting; you're starting to see a little bit of patterns in the malware, which is quite cool.

So another way you can find out a bit more information is to resolve these domains. So domains can be resolved into IP addresses, and then you can also use other services such as PassiveTotal, I think it's called RiskIQ now, which you can use to see the history of domains and where they've been pointing to. So in this example at the top antmax was pointing to that IP address, but we also see the history of the IP addresses as well. So we've gone from one thing and then to the next thing, and then we're starting to find more that might be connected to this threat actor. So once you've got all these things it's always good to keep a track of what you've got. So the best thing to do here is map it out; I find it easier if I can visibly see what I've got so far. So everything I've talked about so far I've mapped out
there on the right. I've done that in Maltego; there are other services you can use as well, so CmapTools is a good open source one that you can use. You can also do it in PowerPoint, and even MS Paint if you're really feeling dangerous, and I think it would be quite an interesting task if someone can map out a threat actor's infrastructure in MS Paint. I'd like to see it and I might buy you a drink because I'd be impressed. But once you've got this you want to find out more, and the best way to find out a bit more about all of this is to take what you've got and then pivot on to more stuff. There's a picture of some people pivoting there.

So yeah, so how can you pivot and what are things to pivot on? So like I showed you earlier, domains into IPs; these IPs can be turned into hashes using services like PassiveTotal, which does a bit of that, and also if you're lucky enough to have a paid version of VirusTotal, which maybe some people might, you can also find more hashes that way. Like I showed you, these unique strings that we found, like the string in the HTTP request and the debug paths, you can just do web searches for these and find other samples. Also for email addresses and those signer names, those unique names we saw earlier, you can do a web search for that and find more information. As you're doing this, obviously continue to keep track of these indicators in Maltego or your mapping software of some sort, and just keep the snowball effect going, and you eventually get so many different indicators all mapped together that you have an entire graph, and you would start to feel exactly like this and you don't know what's going on anymore. So when I was doing this I did get to that point, because I was finding so many samples and everything was just connected that I kind of found that I wasn't figuring out very much. So at that point the best thing to do for me was just have a cup of tea, sit down and kind of mull it over and analyse it in your head, and then, yeah, find out what's going on. But at that point as well it kind of makes me feel good, because you've gone from two things initially to a big web of stuff. But like I say, sit back and look at it and kind of analyse it in your head and you'll start to figure some stuff out.

So some of the patterns that I saw after doing all this were quite interesting, and it's quite cool. One of the first things was, remember the 2017 email that we saw earlier, it had a Jessica Koran, and then going back, as I was finding more samples of malware, I found that again there was another malware sample, same sample but older, from 2014, that was signed by the same name, Jessica Koran, which is quite interesting, a bit weird. So they're either repeating names or they're uninventive or, I'm not really sure, but it's interesting. So another example is that this Ali kept popping up again quite a few times, so I did a web search for the malware a few times and I found a website of a hacking group that was selling malware, the exact malware that I'd been analysing, being sold by this guy called Prince Ali, which was interesting. And it makes sense, because if he's producing the software then of
course his folder structure might be in the malware itself. But it's also interesting that the document we saw earlier also had this author name in it, which seems a bit strange, because it could mean that not only has he just produced a piece of malware, he might be producing the document used for phishing as well. So he might be carrying out phishing attacks or something like that, so it could be that the threat actor might not just be using this guy's malware, they might be using him to create entire campaigns for them, possibly.

So once you've got this and you want to wrap up and start to track the threat actor into the future, then just establish a few methods that can track them behind the scenes for you automatically. So things you can use, for instance, are YARA rules. You can also set up network signatures. If you want to know more about this stuff, Google it or talk to me afterwards, because there's lots to talk about on a lot of these things. Also DNS alerts are good, because it means you can either set these up on your own or there are free services on the Internet to do it, where whenever the domain changes to a different IP you know about it. You can also set up Google search alerts as well, so for the strings we saw earlier and these unique names that seem to be repeating themselves, set a search alert for that, and then if a new sample comes up you'll know about it straight away. And just keep checking up often.

So, little tips and things I wish I'd known when I started: you've got to automate the boring tasks. At the start I was doing this all manually, throwing it into virtual machines, but automated sandboxes can do this quite quickly, and also scripts can be used to pull out the certificate information as well. So just work on automating and making it easier for yourself. And also ask around. So like I said at the start, there was a report that was released about this at the same time as I was tracking it, so it would have been nice to have connected with the people who were researching it ahead of time; we could have compared notes and stuff like that, so that's quite interesting. And a lot of the time when you're doing this you won't realise that it's quite widespread; you might be looking at it and thinking, why is no one looking at it, when really they are, just behind the scenes, so it's good to reach out.

So to summarise, essentially throughout the tracking I pulled it down to three main things, which is: collect the initial indicators from the sample you're starting with; pivot off of these, domains to IPs and such, like I showed you earlier; and then profit. Once you've got the detection rules in place you'll be able to see them when they're starting to do stuff in the future, and now you know the threat actor, you know the patterns of their behaviours and you're kind of the expert, and now you can impress people. So when they get a new email in from the same threat actor you can go, oh I know this one, that's a blah blah, and they'll be really impressed, hopefully anyway. So yeah, so that's about it for today. I went through it a bit fast, but if you want me to talk about any other details in a bit more detail then come and catch me later or email me or get me on my Twitter. I haven't tweeted anything, but that's how you can contact me. So thank you very much. [Applause]

It's a question
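The three steps the talk closes on (collect indicators from a sample, pivot on the ones shared across samples, then turn them into detection rules) can be scripted. The following is an added example written for this page; it is not the speaker's code or anything from the Dark Caracal report. The "strings" output for the two samples is constructed inline, the domains use the reserved `.invalid` TLD, the file and folder names are hypothetical, and the indicator types (C2 domain, URL path, PDB debug path, C2 reply string, code-signing name) are the ones the talk pivots on.

```python
import re
from collections import defaultdict

# Constructed `strings`-style output for two hypothetical samples. Nothing here is
# real malware: the domains are in the reserved .invalid TLD and the file names are
# made up. The shared debug path and C2 reply string are modelled on the talk.
SAMPLE_STRINGS = {
    "sample_a": [
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "http://c2-one.example.invalid/get.php",
        "D:\\backup 2903 2014\\ali\\stealer\\Release\\client.pdb",
        "ok bandikx",
        "Signer: Jane Example",
    ],
    "sample_b": [
        "http://c2-two.example.invalid/get.php",
        "D:\\backup 2903 2014\\ali\\stealer\\Release\\client.pdb",
        "ok bandikx",
        "kernel32.dll",
    ],
}

DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})(/\S*)?", re.I)
PDB_RE = re.compile(r"^[A-Za-z]:\\.*\.pdb$")       # Windows debug path left by the linker
BEACON_RE = re.compile(r"^ok \w+")                  # short C2 reply seen in the HTTP response
SIGNER_RE = re.compile(r"^Signer:\s*(.+)$")         # hypothetical line from a cert-dump script


def extract_indicators(strings):
    """Step 1: collect (kind, value) indicators from one sample's strings."""
    found = set()
    for s in strings:
        m = DOMAIN_RE.search(s)
        if m:
            found.add(("domain", m.group(1).lower()))
            if m.group(2):
                found.add(("url_path", m.group(2)))
        if PDB_RE.match(s):
            found.add(("debug_path", s))
        if BEACON_RE.match(s):
            found.add(("beacon", s))
        m = SIGNER_RE.match(s)
        if m:
            found.add(("signer", m.group(1)))
    return found


def pivot(samples):
    """Step 2: invert sample -> indicators into indicator -> samples.

    An indicator seen in more than one sample is the edge that links them on the
    graph; an indicator seen once is a lead to search for next."""
    index = defaultdict(set)
    for name, strings in samples.items():
        for ind in extract_indicators(strings):
            index[ind].add(name)
    return index


def shared_indicators(index):
    """Indicators that tie at least two samples together."""
    return {ind: sorted(s) for ind, s in index.items() if len(s) > 1}


def yara_rule(rule_name, index, min_samples=2):
    """Step 3: emit a YARA rule from the file-resident indicators that repeat across
    samples. Domains are left out because they churn; the debug path, the URL path
    and the C2 reply string are what stayed constant in the talk's samples."""
    strings = []
    for (kind, value), seen in sorted(index.items()):
        if len(seen) >= min_samples and kind in ("debug_path", "beacon", "url_path"):
            escaped = value.replace("\\", "\\\\").replace('"', '\\"')
            strings.append(f'        $s{len(strings)} = "{escaped}" ascii wide')
    if not strings:
        raise ValueError("no indicator repeats across enough samples to write a rule")
    needed = min(2, len(strings))   # never ask for more strings than the rule has
    body = "\n".join(strings)
    return (f"rule {rule_name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        uint16(0) == 0x5A4D and {needed} of them\n}}\n")


if __name__ == "__main__":
    idx = pivot(SAMPLE_STRINGS)
    for ind, samples in shared_indicators(idx).items():
        print(f"{ind[0]:10} {ind[1]!r} links {samples}")
    print(yara_rule("dark_caracal_like_dropper", idx))
```

The signer name and the two domains end up as single-sample leads rather than rule strings: they are what you would feed to a web search, a DNS alert or passive DNS next, while the repeating debug path and C2 reply go straight into detection.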