
So welcome, I'm super excited that we're all here. This year is, what, our fifth year? Five years. We haven't quite filled the room yet; we're getting there. But, um, I wanted to give a quick update on the status of things. BSides Charleston, we are an official 501(c)(3) now, a federal 501(c)(3), so we actually can take donations and then do things. We've done our first training seminar, which was just a few weeks ago, and from what I understand that was a huge success. We'll try to do more things like that, so if y'all can, the email is on the website (if it's not, we'll make sure it's there), please send suggestions, things we can do to bring in the area. There's so many things
happening here, but there's so few that are focused on security. Let's help these companies build secure applications and systems; they depend upon us. Let's make it happen. Oh, and I want to thank the College of Charleston here. If there's anyone from the college here, thank you for allowing us here this year. This is awesome; we like the opportunity to have real space, and y'all can plug in your laptops, there's plenty of power to keep going all day. There is free Wi-Fi. I think it terminates every 20 minutes or something like that, so you have to keep clicking and logging in, but enjoy it. My name is David Zenzi, and for those who know me, I'm also DMZ. Joshua and I started
BSides a couple years ago, and we're really pleased that you came out here today. Joseph here has been kind enough to help kick us off, and as you'll see, he'll talk about some infection stuff. I'll let him introduce himself, mainly because he has a lot more slides about who he is, and he's been funny, and his company has been a great sponsor of BSides here, and we're so happy to have him. So welcome, and
Good morning. Yeah, that's what I like to see. So like Dave said, my name is Joe Opacki, and I'm the vice president of threat research at a local company here in Charleston called PhishLabs, if you've ever heard of us. We're a takedown and mitigation company; we focus on cybercrime stuff, and we pretty much remove it from the internet, which is pretty badass, right? So I've got a long history working in cybercrime, so I was pretty excited when Dave contacted me and gave me the opportunity to speak at BSides, because I love BSides. You know, I've been to BSides all over the nation, I've tried to go to BSides internationally, and it's a great
community of individuals, so I'm happy you guys are here today too. I have a long history in cybercrime, like I just said. In fact, I started working on cyber investigations back in the 90s when I worked for an organization called the Overseas Security Advisory Council at Diplomatic Security at the U.S. Department of State, and since then I've pretty much been addicted. In fact, I didn't start in security. As you guys pretty much know, I started in computer science; I started as a software engineer, and pretty much the other software engineers kicked me to the curb because I kept on breaking their applications, right? Anyone here break applications? Right, so there's a pretty
much established name for it now, right? It's like computer network exploitation, you know, computer network attack, you know, whatever, quality assurance, whatever you want to name it. I like to fuzz things. In fact, I like to fuzz web applications a lot, and I still continue to do it today, so I enjoy that type of work. However, I'm really excited to see how the industry has pretty much evolved over the last 20 years since I started doing cyber threat investigations. From then I went on and I continued my work, and I spent a long career in the US government essentially working on investigating cyber criminals. In fact, the last 10 years of my life before I came into the private sector
were spent in the FBI. In fact, I started off in the FBI working in the Cyber Division, and then I moved on to something called the Operational Technology Division, and when I retired I was the technical director of advanced digital forensics at the FBI's advanced digital forensics program, right? So they have long titles in the FBI and a lot of bureaucracy, if you guys haven't read the news. So I retired from the FBI a couple years ago, and from there I went out and I took a private sector job at a company called iSIGHT Partners. You guys familiar with iSIGHT Partners? Anyone? Alright, good. So iSIGHT Partners, they're one of the first, like, cyber threat intelligence companies
which focuses on true intelligence collection methodologies, and so pretty much I was the senior director of threat research for iSIGHT Partners. My job there was to pretty much collect unique cyber information that targeted our clients, right? I had some life changes, decided I wanted to move on, and me and my wife no longer wanted to live in the Washington DC area because it was becoming quite overcrowded and it was starting to become election season. So I started looking for a job, and my wife gave me two options. She said go to the mountains or go to the ocean, right? And so I've been fortunate enough to fly into Charleston, South Carolina, and I've been here for a year and a half, and I
absolutely love it. If you look outside, the ocean is right there, right? And you know, setting the hurricanes aside, everything else has been absolutely wonderful, right? So today I want to talk about something which is overlooked. Besides, and I forgot to say this, I'm sorry, so besides that government work and the work I did in the private sector, I've also got a long history in academia. So I've been teaching at George Mason University for like the last six years, in the master's computer forensics program there. I also worked at University of Maryland University College, working on their cybersecurity curriculum advisory board, basically forming the curriculum necessary to shape the talented people who need to be in this industry, and
anybody who's in this industry knows there's not enough people in this industry. In fact, we have a critical, critical crisis of talent. In fact, it's even harder for us down here in the South, because we're not developing, in my opinion, the talent pool in this area the way that we necessarily need to develop people in this talent pool. We need cyber people. Like, if you work locally, you work in the South, you work in the, you know, southern part of the United States, you'll know that there's just some primary locations where you have to find and handpick individuals and pray that they relocate to where your company is at, right? You don't let them work remote, and that's
a problem, and I think that we need to rethink our strategy there. Overall, today I want to talk about what a lot of people overlook, and this is essentially the infection vector, right? And I spend a lot of time looking at infection vectors. In fact, when I was in the Bureau I spent 10 years as the SME in malware reverse engineering, and when I was at George Mason I taught the malware reverse engineering class for the graduate program, and so I've got a lot of experience reverse engineering malware. I love it, but I don't love assembly, and anyone who looks at assembly for more than like five years knows your brain kind of begins to rot, right? And you've got
to start doing other things. Not only that, but like, every time you find out that, you know, you can break some, like, anti-disassembly technique, a new malware payload comes out and you've got to, like, start all over again. In fact, new malware payloads come out faster than you can reverse engineer them, and it's quite a problem, right? So after spending all the time looking at malware, I decided to refocus. Like, I wanted to say, you know what, how many people here know what the cyber kill chain is? Lockheed Martin does, because they trademarked it. Anyone who knows about the cyber kill chain knows, like, the whole primary point of the cyber kill chain is to try to prevent the initial
attack, right? And pretty much it lays it out; it's like, hey, here are the stages of the attack. And so over at PhishLabs we have this kind of mentality: it's like, why don't we do things proactively so that we can prevent the attack altogether? In fact, what we call the beginning of the attack is what a lot of people know as the infection vector. If you can prevent the initial attack from happening, then you can prevent all the badness from happening following the attack, and that's a really important concept. So instead of being reactionary, it's important for us to refocus and say, hey, let's prevent that altogether, right? And let's get rid of it, and if we can get
rid of it, then we won't have as bad attacks as we do. So how many people know where 90% of all malware infections come from? Well, it's not fair if you work for me, thank you very much. Anybody else? Anybody else? Phishing. It's absolutely true. Now here's the problem with phishing, right? Everybody, and you guys can tell me it's true, everybody pretty much takes phishing and kind of scoots it underneath the rug. Why? It's been around for a long time; phishing, it's a security awareness issue; you can't harden it. I mean, it's actually a larger issue than you think, right? So you can't just, like, scoot it under the rug, you can't implement some technology, and
the reason why is phishing is not a technical issue. Phishing is a social engineering issue; it's essentially an attack which tries to social engineer the person who sits behind the keyboard, and while you can implement technologies to try to limit that attack, you're never going to fully get rid of these attacks that happen on the zero day. Things are always going to get through the system, right? So 90% of malware infections start with phishing, and phishing is 100% a social engineering attack going after the user behind the keyboard. The user behind the keyboard is largely responsible for infecting the operating system which they operate on, right? So why is that? We've given them all the training that we needed to give
them. We give them the computer-based training, we give them InfoSec training, we give them all the training that says don't click on the links. But phishing's not like that anymore, and we have to stop thinking about phishing as that clicking-on-the-link program that we're going to implement security awareness training for and we're going to get away from, right? Everybody in the world has an innate psychological response to information that's in front of them; they want to say, hey, this is true. I don't care who you are. In fact, studies have shown that one out of five phishing attacks that makes it to the end user results in a malware infection. One out of five. And you're
never going to stop all phishing; you're never going to stop it from reaching your end users. So do you want to take that chance? Do you really? So how many people in here know about phishing? Like, do you know about phishing, or do you "know" about phishing? Because I knew about phish, but I didn't really know about phishing, with the quotes, until recently, right? So I'm going to talk a little bit about what makes up a really advanced phishing campaign, and I'm going to talk a little bit about some of the anti-analysis techniques used in phishing campaigns, and then more important, excuse me, more importantly, I want to talk a little bit about investigative
techniques used in cyber threat intelligence. I want to talk about investigative techniques to go after the actors associated with cybercrime and trying to make big impacts into the economies that essentially make up these criminal infrastructures, right? So largely there's two types of phishing, in my opinion. There's what's called consumer-focused phishing, which goes after your consumers, and then there's something called spear phishing, which goes after your employees. And pretty much spear phishing is unfortunately synonymous with something called APT and nation-state. In fact, there's a clear delineation between spear phishing, advanced persistent threats, and nation-state activity, alright? And unfortunately, because a lot of us don't really delve in that area, there's this big confusion, right? Spear
phishing definitely delivers these advanced persistent threats; spear phishing is definitely used by nation-state actors. However, that's not the only type of spear phishing. How many people here know what business email compromise is? Whaling, CEO scamming, CEO, no, CEO impersonation. That's a spear phish, right? In fact, that's not even a really technically complex crime; it's basically a social engineering attack, an impersonation of a high-level figure. But that's spear phishing. But I wouldn't say that's nation-state; I would even say that that's an advanced persistent threat. I'd just say that's an attack against your employee base, which is what spear phishing is. So my point here is that there's a large percentage of activity that falls
within this domain, right? If you think about it, everything from banking trojan activity, everything from scamming and impersonation, advanced persistent threat, nation-state activity, it all begins with the same infection vector, right? Phishing. Now how many people here get phishing training? Phishing training? How many people here get phishing simulation training? There's like the annoying email where they try to, like, get you into clicking the link. Yeah, it's painful. That's less than 1/8 of the room, quite literally. So think about it: less than 1/8 of the room is focused on this problem, and it's a huge problem. So it is true about phishing, and I'm going to focus first on consumer-focused phishing. The largest percent of phishing
is all financially incentivized. In fact, a large amount of phishing is all built upon credential theft. So if you actually get phished with a spam lure, then the whole focus there is to steal your account credentials, and that's something that's tried-and-true and is probably not going to change any time in the future. However, there are things that we are seeing trending over the last couple of years. For example, while the banking industry or the financial sectors are largely the number one target, we've seen a large-scale increase in the number of targets against cloud sharing, file sharing, social media, webmail, and the reason why is because there's this thing called account reuse, right? How
many people have a Yahoo account? Well, not now, right? So, but if you ever had a Yahoo account then you've got a problem, because, and you can be honest when I ask this question, because I do this as well, how many people use the same username and password in multiple locations? Yeah, exactly. So if I phish your account credentials in one location, then you know what I'm going to do? I'm going to try it on a financial institution, because I'm hoping that you are going to use that same account credential for your online banking, and when you do, I'm going to go steal all your money. Well, not me, maybe me, I don't know, the cyber criminals, right? So, OK, so where are
all the targets, right? This is a big thing. So over the last couple years, largely phishing targeted the United States. Why? Because the United States is the white whale financially, right? It quite literally is, and we all know that. However, because we've been so overloaded with phishing attacks in the last couple years, there's been shifts to other parts of the world, right? No longer is the United States just the mega capital of phishing; there are other places that are being phished pretty intensely. In fact, China has a 400% increase in phishing attacks this last year. That's four hundred percent, and that's probably because China is trying to do more, essentially trying to work with the private sector
outside China's walls, right? It also opens them up to a lot more attacks. So how many people here want to learn how to start a successful phishing campaign? All right, I'll give your names and numbers to the FBI afterwards, please. So let's start with this: how many people in here pen test? Yeah, I love pen testing. I love hacking, I'm sorry, same thing. So if you pen test, if you're truly trying to break down an organization, then the first thing you're going to do is you probably want to see how vulnerable they are, and so you're going to start collecting information about that. And I've got to tell you, pen testing today is a lot different than pen testing 20
years ago. Now there's all kinds of tools, technologies, platforms that you can use to do pen testing. There's a lot of expensive classes at Black Hat that no one can really take unless they're millionaires, so there's a lot of great free tools, right? In fact, I've got one up here. How many people have ever used the email harvester before? Yeah, I'll need your names too, please. So if you've ever used the email harvester before, you know that you can point it at a domain and the result of the action is essentially going to give you all the exposed email addresses, and this is how easy it is to collect email addresses. How many organizations have email addresses out
there of their staff members? All of them. Everyone's like, I don't know, maybe. Yeah. So in fact, one of the primary points of BEC, like the impersonation scams we were talking about, is the ability to find high-level members of your organization and then find their email addresses, then use that email address, spoofed, to email other people. Basically, what I'm saying here is it's easy to collect email addresses. How many people have registered a domain, right? I have like 30 or 40. No, I'm saying I hold like 100. So when you register a domain you've got to use an email address, right? So basically think of all the locations on the internet where there's email addresses: forums, I
mean WHOIS, your organization's website. Basically the whole point is it's easy to collect email addresses. But now you've got the email addresses, what do you do with them? How many people know what a phishing kit is? All right, so basically it's like this: from a technical standpoint, it's easy to make a phishing kit. Basically you go to your target website, you do File, Save As, and make sure that you take all the assets with you, right? And basically what you've done is you've saved an HTML page that looks like that site. Now there's two parts of a phishing kit. There's something called a scam site, which targets the brand and what you're trying to scam, and there's something called
a mailer, which you're going to use to do what? Mail things, because it's called a mailer. So once you get that site created which looks like your target brand, then what you're going to need to do is you need to post it somewhere, all right? You're going to put it up online somewhere, and largely when you put it online you have one of two options: the illegal option and the slightly less legal option, right? So basically you're going to compromise probably some type of content management system, maybe WordPress, because WordPress is highly, highly, highly vulnerable. Is there anybody here who works with WordPress? Okay, good, we're good, we're good. So WordPress, it's got a lot of
vulnerabilities; we see it being hacked almost every day. In fact, a lot of content management systems have vulnerabilities, as you see it. Once they become compromised, then you can upload stuff to that website, right? So you're basically putting content on a website that doesn't belong to you. Or if you don't go that route, there's something called bulletproof hosters, right? You just buy it, probably buy it with stolen money, and you know what, it's bulletproof, so why not use it, right? So if you don't want to go through that whole process, then you go get that. Once you get it up and running, you're going to want to use this mailer, alright? And basically the mailer is a
web form, probably written in PHP, maybe ASP, or some, like, crazy language like, you know, Python or something, Go maybe. But basically it's an interface; it allows you to create a message, and the whole point of this message is to try to social engineer users back to your scam page, right? So whenever I use this mailer, I'm going to send this email out to all the collected email addresses. Now you're probably thinking, well, how are you going to route it, right? How are you going to send all this email traffic? So the going rate for a compromised email server right now is about four dollars. It's unfortunate, it is true, but for four dollars you can get some SMTP box and
you can just push your mail through to your heart's content, and once that gets blacklisted you buy another one for four dollars. And here's the sad reality though: if I send out tens of thousands of messages, all I need is one person to fall for my scam and my SMTP server has been paid for. Think about it, four dollars. Think about how much money I can drain your bank account of. I mean, it's easy math. So we all know what phishing is. I mean, I don't have to tell you. I'm going to use PayPal, because PayPal gets phished a lot, right? So PayPal: you guys seen an email like this before?
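The lure the mailer sends out has one job: get the victim to a scam page that is cloned from the brand but hosted somewhere else, typically a compromised CMS or a bulletproof host. That gives a defender one thing to check that the cloned page itself cannot fake: where the link actually goes. The following Python script is an added example, not code from the talk or from PhishLabs; it triages an HTML lure by pulling out every anchor and flagging the ones that name a brand (in the link text or anywhere in the URL) while pointing at a host that does not belong to that brand. The brand allow-list and the sample message are constructed for the example, and it goes slightly beyond the PayPal case in the talk by also catching two common lookalike forms, a `user@host` prefix and the brand used as a subdomain of an unrelated domain.

```python
"""Flag lure links whose visible brand does not match the host they point at.

Added example for this talk, not code from the original page or from PhishLabs.
The brand allow-list and the sample lure are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> hostnames that may legitimately serve it.
# A real deployment would load this from the brands the organisation protects.
BRAND_HOSTS = {
    "paypal": {"paypal.com", "www.paypal.com"},
}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Return the host the browser would actually connect to, lower-cased.

    urlsplit() discards any user@ prefix, so "https://www.paypal.com@evil/"
    resolves to "evil", which is exactly the part a victim's eye skips over.
    """
    return (urlsplit(url).hostname or "").lower()


def host_belongs_to(host, brand):
    """True if host is one of the brand's hosts or a subdomain of one of them."""
    allowed = BRAND_HOSTS[brand]
    return host in allowed or any(host.endswith("." + a) for a in allowed)


def find_brand_mismatches(html):
    """Return (brand, text, href, host) for each anchor that names a brand but leaves it.

    A brand is "named" if its keyword appears in the link text or anywhere in
    the URL, path included, because kits get dropped into paths such as
    /wp-content/<brand>/ on a compromised site.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = link_host(href)
        haystack = (text + " " + href).lower()
        for brand in BRAND_HOSTS:
            if brand in haystack and not host_belongs_to(host, brand):
                findings.append((brand, text, href, host))
                break
    return findings


# Constructed sample lure: one legitimate link, one unrelated link, and three
# lookalikes of the kind a kit's mailer sends (compromised CMS path,
# user@host prefix, brand used as a subdomain of another domain).
SAMPLE_LURE = """
<html><body>
<p>Dear customer, your account has been limited.</p>
<a href="http://blog.example.net/wp-content/uploads/paypal/login.php">Log in to PayPal</a>
<a href="https://www.paypal.com@198.51.100.7/secure">https://www.paypal.com/secure</a>
<a href="https://www.paypal.com/help">Help Center</a>
<a href="http://www.paypal.com.verify-account.example/">Verify your account</a>
<a href="https://unrelated.example/news">Read our blog</a>
</body></html>
"""

if __name__ == "__main__":
    for brand, text, href, host in find_brand_mismatches(SAMPLE_LURE):
        print(f"[{brand}] text={text!r} host={host} href={href}")
```

Run against the constructed sample it reports the three lookalikes and stays quiet on the genuine PayPal link and the unrelated one. The check is deliberately host-based rather than content-based: the cloned page is a byte-for-byte copy, so the only thing triage can rely on is the host the link resolves to after the `@` and subdomain tricks are stripped away.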
Looks like PayPal, smells like PayPal. You look at the HTML code, you know it's not PayPal, right? In fact, if you click on the link (don't click on links, there's your security awareness training), then you're going to go to this website, and you know what, this website looks like PayPal, you know, it smells like PayPal, it looks exactly like PayPal. In fact, once you log in, you might actually be on the PayPal website, because what's happening in the background is once you put your credentials in (notice the URL, which is not PayPal), once you put your credentials in, then it's going to repost those credentials back to the PayPal website, and the action that you see is going to
be synonymous with your experience at PayPal, except in the backend I've just thrown your credentials and I've mailed them to the mule account, and now I'm collecting all the same. I'm going to reuse it over and over and over again. Easy stuff, right? So, hmm, in addition to compromising websites there's also this other thing, right, that's in that scam site, and it's called a web shell. Basically what we see in a lot of these scam sites is that once we identify, excuse me, once an attacker has compromised a website, they don't want to have to recompromise it over and over and over again; they just want easy access. So a lot of the times with these scam kits
we'll see something called a web shell that exists, and the web shell is a URL address accessible on the machine. It's basically a large PHP script that gives them full access to the server, and I'm talking about command line access to everything outside of the web root. It's basically a web interface to the compromised machine, and if they're storing credentials locally, this gives them a vehicle to download information from that web server, and we see these web shells a lot. All right, so you're thinking to yourself, man, I want to do this scam, it sounds easy, right? Well, I'm going to tell you how. So how many people think that the majority of phishing kits come from the dark market? Well, how many
people here know what the dark markets are? Yeah, everybody who read about them on the news. But I've got news for you: the majority of phishing doesn't actually occur in the dark market. In fact, there's some percentage of that occurring in the dark market, and it's true, you could go to the dark market and you can make purchases and buy these phishing kits. But here's the thing: the dark market has a large barrier to entry, right? So the number of people who actually shop, or the number of people who go to the dark market, is really small, and the number of those people who actually shop in the dark market is really, really, really small. So if you're selling a phish
kit in the dark market, then your core target audience is like this big, right? And you don't want that, you want to make money, so why put it in the dark market, especially if these phishing kits on average only go for like one to fifty dollars? If you only sell three of them, then you made like a hundred dollars. It's not a lot of money, right? I mean, so what we're actually seeing is that we see more and more of these scams being distributed via social media, right? You guys familiar with Twitter, GitHub, Facebook? Facebook, you know, it's a beautiful platform for the distribution of information. So what we see is we see a lot of these guys
hosting Facebook sites or other social media sites which basically describe the phishing scam and give you everything that you need to actually use this information in the phishing scam. And you know what, the target audience is a lot larger, because the barrier to entry in Facebook is a lot different than the barrier to entry in the dark market. In fact, if you look at these three sites here, what you'll notice is that the numbers equal forty-five thousand plus people, and this is only three out of thousands of web pages. And here's the thing about these social media sites: it tells you how to use it, gives you the files, even gives you email addresses, tells you how to compromise servers. In
fact, more and more what we're seeing is we're seeing things like all these Facebook-hosted sites telling you how to use these scam pages, telling you how to compromise and collect these credentials, telling you how to sell these credentials, and then we're seeing more and more instruction. And here's the big payoff, right? Instead of just, like, posting these things out there and letting you figure it out, they've got Phishing Academy 101, pretty much hosted on YouTube, right? In fact, you could go to YouTube right now, learn how to use a DDoS tool, you can learn how to use a phishing kit, you can learn how to hack. I mean, there's all kinds of things out there that are done
in the sense of knowledge, right? So basically they laid the groundwork for you; they put all this stuff out for you to utilize, and they also give you instruction. They tell you how to compromise servers, they tell you where to host it, they tell you how to work the scam. And you're probably wondering, how do they benefit? What's the benefit from all this? And so I'm going to talk about this in a little bit of detail, because I'm going to get a little bit technical when I start talking about the phishing kits. Whenever they do this, they largely embed, deep inside the code of the phishing kit, a backdoor, and so they're relying on the
fact that for every one of the people who redeploy their phishing kit and use it, that backdoor essentially will take the credentials that are collected and also send them to the author. So if I write a phishing kit and ten people use it, they're pretty much my army for collection, and they don't know it, but those account credentials are being shipped to me as well. And I'm going to take everything that they're doing for me as my army, and I'm going to box it up, and I'm going to sell it, and I'm going to use it, and that's how they're getting all those account credentials. They might not even deploy these phish kits
anymore; they just rely on the young people who want to do this stuff as the individuals who are going out and compromising the credentials for that. So you're thinking about this: man, how can we combat this problem, right? And so one of the things that I've focused on is this ideology of incident-centric versus actor-centric investigation, right? So how many people here work in incident response, SOCs, anything like that? So incident response is pretty much a reaction, right? In fact, the cyber kill chain is a reactionary point. So basically something happens, then we do something; that is a reactionary stance, and what we want to do is we want to be proactive, right? And it takes a mindset
change. It's saying, basically, instead of starting with the incident, let's start going after the actors who are responsible for a lot of this crime, alright? And instead of working from the ground up, you work from the top down, and if you start managing and monitoring these individuals who are putting this out there, then we can disrupt essentially their economies, and that's what we're trying to do at PhishLabs: disrupt their economies. And let me give an example. I like threat actors. I follow threat actors almost every day. I've got a lot of investigation experience, so it's easy for me to track these guys. Yeah, but guess what, they use Facebook, so it's easy to track them down anyway. And I've got
to tell you, phishers have the worst operational security. I mean, they're the worst online, and most cyber criminals are. I mean, there's a joke that I've told before; it's like, I mean, it's crazy stupid how dumb some cyber criminals are. But let's talk about this guy. So I'm going to talk about this one individual that we track, right? And he's a pretty prolific phish kit author. He does stupid things, and think about this from a forensic standpoint, right? So in his kits he has all these characteristics which we utilize to tie his activities together, such as renaming the infrastructure with special characters or special folder names, such as going
through and renaming the files with special file names, which makes it easy for me to identify his kit. More importantly, and a lot of you guys know this, hackers like to tag within their source code, but when you do that, pretty much you're tagging all your capabilities, and if I want to track you across multiple kits, then now I've got the signature that I can track you with. It's easy to do this kind of stuff because, I mean, they do that; they make it so blatantly obvious. More important, this guy, he has a Facebook page. You could go to it right now, you could download this information. Not only does
he give you a scamming kit, he gives you a mailer, he even gives you email addresses that you could start to utilize. He's like, yeah, more importantly, easy training, right? Who doesn't like training? So he pretty much says, not only am I going to give you everything that you need to start with, I'm going to give you free training. He's like, here, here's my stuff, it's pretty badass, here's who I'm targeting, you go compromise this site, and when you compromise the site, here's how you use the kit. That's it, and that's all you've got to do, and then just wait for all those account credentials to come in, and then when you get them, you know where
to sell them, right? And so he does all this, but unfortunately for him, like I said, he's got really bad OPSEC. And how hard truly is it to track individuals like this? Let's take a look at this guy. So he's got YouTube sites. Every site that we go on, Facebook, YouTube, social media, Twitter, GitHub, these are all characteristics for tracking, right? So this individual here, he has a username when he posts these YouTube videos. You go back to his Facebook site, you look at all the activity, same individuals. We see the names, we pull the names out, and what we find from those is this hacking profile, which is not too clever. And then, because he's
got bad OPSEC, he also logs in with his true identity, right? So let me give you a key: if you're going to do a hacking campaign, don't go there with your true identity, right? So once we see this, we can start tracking all this stuff together. We say, hey, we think we know who he is. In fact, thank you Facebook, we know who you are, right? Not only do we know who you are, we know who your sister is, we know where you went to high school, we know where you live. I mean, we know your activities, because guess what, you're a Facebook-generation guy, you're a millennial, we know where you are because of all your social media activity, right? So now
we know who you are, and what we're doing is track, track, track, track, track, track, because when he comes out with something new we're going to be on top of it right away. And this is what I mean by actor-centric tracking. We know what he's doing, we know there will be incidents, we'll manage those incidents, but at the same time we want to focus on the actors, right? We want to take out their infrastructures to make a huge impact into the cyber crime economies. So phish kits are pretty advanced, and if you've never seen a phish kit, then I'm going to give you some of the details on how they operate from a
tactical standpoint. So most phish kits use email; that's not a lot, I mean, it's just in there. In fact, most phish kits are written in PHP, because PHP is a free processing language, but we see a little bit nowadays of some phish kits being written in ASP. Why, I don't know, I thought that was a dead language, but hey, whatever. So mostly PHP, right? So what you'll see here in this PHP, basically, this is the information that you're trying to collect from each of the users that they're trying to scam, and you can see here it's got information like the username, password, token, you know, maybe some geographic information, where
they came from, referrers, whatever, and they use email as a vehicle to collect the account credentials. However, we take those down. At PhishLabs we work on taking down the mule accounts, right? So let's say, for example, you keep on creating your mule account, so we keep on taking them down; they get frustrated. And so what we've seen is we've seen this little shift in the way that they collect these account credentials. We've seen it move from traditional email communication to other tactics, such as this, pretty much, which is storing the information directly on top of the server. Remember I told you earlier that they push these things called the web shell directly into the
compromised site? They can go back later on and use the web shell to collect all the compromised credentials. Or what we've also seen is we've seen posts to URLs, so now they're using referrer logs, right? So basically what they're saying is, hey, I'm going to take all the account credentials, I'm going to drop them into the URL, and then I'm going to collect them out of the referrer log from wherever, whatever website I have access to the referrer logs of. So I mean, it's easy to do that; it's question mark and then whatever is after the question mark, right, inside port 80. The other thing that we've seen is we've seen this weird
shift using IRC channels, Jabber-based communication. So now whenever it collects that account credential, they're popping up a Jabber message. So they've got some IRC server somewhere where basically every time they're collecting creds, there's a message that pops out with that credential information, right? Which is kind of ingenious, I mean, except that if someone else gets the username and password, they can jump on there and collect it as well, maybe even, you know, change the password. I'm just saying. So you're thinking, oh, these HTML pages, like, they're not really complicated. But I'm going to tell you, they're extremely complicated, with a lot of conditional logic. In fact, if you look
at this one right if you look at this there's a lot that goes into protecting the infrastructure for example if they're spearfishing some users that work a specific company then one of the things that they might do is just only allow access from those IPS that come from that company footprint right this is quite literally the definition of conditional logic it's basically saying if this IP is one that I'm interested and collecting information from give it access otherwise send it to Google or Disney or Microsoft or wherever or maybe even just give it back a 403 making maybe the user doesn't even know it exists this is essentially called geographic targeting and it's a problem
right especially if these kids have all this geographic targeting logic built into them and we see that a lot if it's a Spanish based fishing kit then why do in beacon countries need to access it if the targets are all located in South America so other than traditional logic they still use a lot of htaccess files right and I love htaccess files because it gives me a ton of intelligence information it gives me information not only about the target but it gives me information about the who the target has seen before right if you scroll through these htaccess spouse has all this commenting in there right I love the ones where they keep their they're
tracking the silence guys who are tracking them right look at it so the criminals are tracking the guys who are tracking them and that's ingenious right that basically says oh these criminals are aware that they're being targeted by these security researchers at this company so one of the things that we do to try to identify fish kids that are hosted online is look at a lot at refer logs right in fact we asked our clients to give us their refer logs and what the referrer log has is it has a request to a corporate asset which usually should come from corporate URL however if you see for example logo got gif being asked to accessed from cheese comm
then you're probably thinking yourself why is my logo being accessed from this website right and this is called refer detection however what we've seen a lot of lately is that instead of accessing these globally accessible assets inside of HTML pages we've seen logic being built directly into the kit to evade all that right either they'll drop the individual assets locally into this cam kit what we've seen is they actually embed that information directly into the PHP so encode base64 drop the gif directly into the code now they don't have to deal with a local asset during the interpretation of the PHP page it's loading it's faster there's no global access to any assets it's self-contained
no referral logs so we've seen this being used over and over and over again now it's not it's also not that simple how many people delve in obfuscation and encryption I do I love me some encryption all right so you should encrypt everything and what we're seeing is we're seeing a lot of these authors do that right so they're going through and they're encrypting encrypting encrypting encrypting right so I just talked to you a minute ago about backdoors and I'm gonna give you an example so when one of these threat actors actually puts out this fishing kit right they're gonna leave the fish kit in plain view because they want the person who's going to deploy it to
modify it to meet their needs however don't forget that they put a backdoor in the kit right and the whole idea of the backdoor is embedded as deep as possible so they never find it and they don't know about this additional communication channel so if we look at this kit will you do code inspection what you'll immediately notice is that there's an F right right in PHP which is like it included right so you're looking at it and you're saying hey what's that including and when you look at the file that includes that looks familiar right that looks like a jQuery library but think yourself why do I use PHP to include the jQuery library when I can
just include it with a script tag with all the other script tags so you kind of get interested or if you're a security researcher you get interested you want to dig in so you start looking at this and then all the way at the bottom there's another include inside of this so basically this files including another file and guess what that files off you skated right in fact I look at it and I'm like oh look at all that beautiful code it's gonna take me forever to look at that but once you do it once you Diop you skate that whether you do it with some type of deification tool or you manually do it then you're gonna find this
embedded code and what we're seeing is we're seeing that this embedded back to our code is essentially collecting the same information that the other users are collecting so there's a whole other communication channel that exists inside of this code oops so now think about it our Radek it I get people to deploy my kit I hope that thousands of people deploy my kit and now I have an army of people deploying my kit who are collecting credentials for me right I don't even need to collect credentials creating a fish kid is not illegal that's like crazy malware is not illegal like you're not using as long as you don't use it right so if you create it
and you don't use it it's not legal so that's not the only way in fact what we've seen is we've seen a lot of different application methods inside all these kits and I'm gonna refer to this one because essentially when I was doing a lot of malware stuff there's something exists called a file type mismatch and a lot of you probably know about it it's basically whether the file is like you know malware TMP and instead of a TMP file it's like an exe file because the file signature shows that it's a PE instead of it being a TMP and that's just an example no self-respecting malware authors gonna name their malware malware also it's just saying that so
let's talk about this you see this right this includes a PNG file however when you look at the actual file it's not a PNG file right it's not a graphics file it's a PHP file so once it's included with PHP we include then it's parsable its interpretive all right and so we go through the same methodology well actually this one's created by a free online tool so we know we can do if you skate it quickly so we use that tool of D off you scan it and what we find is another level of occupation right how many people here know what Packers are Maori Packers ok so just like with malware packers there is no rules on the
level of encryption and obfuscation you can put it in place alright you could pack a file with a packer with another packer with another packer at some point you're going to be limited by execution time same thing goes with a fish kit you can obviously get a fish kit and then re off you hit it again and then really skated again use multiple off eustachian methods we just multiple decryption methods it doesn't matter you could go through and you could go through and do file renaming of all your assets within your code so that you get that gobbledygook Campbell back like naming convention no one knows exactly what your variables are doing you could do all that because
in the end it's all gonna be interpreted by the computer and it's supposed to be machine readable all right once we D up you scape this then we're gonna find that backdoor we're gonna see it it's gonna be there it's gonna be available for you right so in this instance specifically we see this backdoor actually sending more information to some credential account someone that's not the only vehicle to obfuscate information right how many people play around with gif images anybody access information you know ok so you guys know about gif exploits so there's a huge gift exploit out there right now so basically the gift exploit is anything after the file signature can be executed
largely and what we're seeing is we're seeing a lot of what those those web shells that I talked about earlier being embedded directly into gif files so these gif files if you look at it has a legitimate signature meaning that it's got a dot gif extension right it's legitimately a gif file however after that file signature we see PHP code embedded directly into the file right and a lot of the times what we're seeing this done for is to hide the web shell directly in the site outside of this is the system administrator view so if I'm a system administrator I look at a file dot gif file signature looks the same good that's an image I don't need to
worry about it but if I access this on a page on a lamp stack via this URL it's gonna interpret this H this PHP code and it's gonna serve back this web shell to me which gives me access to the box so this is pretty ingenious I mean I love it I mean I love the level of obfuscation and that the attackers actually used to hide their activities I mean this is stuff that RIT is really interesting to me so my whole point here is that phishing largely is a what a lot of people think is a lower level crime is I think a lot of us has to reconsider what it actually is considering the fact
that 90% of most malware infections start with phishing campaigns just like this and it's not hard essentially to get to end users with the spam lure right one out of five people who are presented as spam lure are going to click on a link or go to a website right they're going to present themselves for infection and then based upon the survey of this room even less than 1/8 percent of this room get actual training to combat or identify what is actually a fish and what is not fish right and I'm not talking about click rates or anything like that I think spam is amazing and beautiful and is probably that one of the best ways to social
engineer people into falling for some type of malware infection I'm talking about actually training people to understand what this attack scenario looks like and how serious it is right without spam 90% of those advanced malware campaigns that we all track and target and love and look at won't exist right not only that but spam phishing as a entry into the threat campaign is becoming more and more fans it's becoming harder and harder to identify and attack and look at all the information that's actually going on so with that that's all I got for you this morning right and I want to say number one thanks for all the conference organizers for allowing me to come out
and talk to you I realized we're going to talk about some really great advanced topics today as we go through the day I hope you keep in the back of your mind is this something that could have started with phishing right because my whole point here is to impact the economies of cybercrime by taking out the infrastructures and the actors who are largely responsible for focusing for causing all of this damage right so with that if you guys got any questions let me know I'll be around for a while I appreciate like I said the conference organizers for a lot of me to speak I appreciate the call of Charleston for hosting us and I hope you guys have a
wonderful day here at besides here in Charleston
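The following is an added example, not part of the talk and not PhishLabs code, written from the defender's side to make three of the kit tricks the speaker describes concrete: a PNG-named file that is really PHP (file type mismatch), a real GIF header with PHP after the signature (the web-shell-in-a-gif), nested eval(base64_decode(...)) wrappers (the "packer on a packer" point), and referrer detection of a corporate logo being loaded from a foreign site. It goes slightly beyond the talk by peeling an arbitrary but bounded number of base64 layers rather than one. Every sample file, log line and host name (the .example and .test domains, the IPs, the asset path /img/logo.gif) is constructed for the example; the function names are the example's own.

```python
"""Defender-side triage for three phish-kit tricks from the talk: PHP hidden
behind a valid GIF/PNG signature (file type mismatch, web shell in a .gif),
nested eval(base64_decode(...)) obfuscation layers, and referrer-log detection
of a corporate asset (logo.gif) being loaded from a foreign site.
Every sample file, log line and host name below is constructed for this example."""
import base64
import re
from urllib.parse import urlparse

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
EVAL_LAYER = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")


def classify_upload(name, data):
    """Compare a file's claimed extension with its real signature and flag PHP
    that rides behind an image header. Returns a dict with the findings."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if data.startswith(GIF_MAGIC):
        kind = "gif"
    elif data.startswith(PNG_MAGIC):
        kind = "png"
    elif PHP_OPEN.search(data[:32]):
        kind = "php"
    else:
        kind = "unknown"
    findings = []
    if ext in ("gif", "png") and kind != ext:
        findings.append("extension/signature mismatch")     # login.png that is really PHP
    if kind in ("gif", "png") and PHP_OPEN.search(data):
        findings.append("php code after image signature")   # web shell inside a real GIF
    if EVAL_LAYER.search(data):
        findings.append("base64 eval layer")                 # obfuscated include
    return {"name": name, "extension": ext, "kind": kind, "findings": findings}


def peel_eval_layers(data, max_layers=10):
    """Strip nested eval(base64_decode('...')) wrappers. The loop is bounded so a
    kit packed 'with a packer with another packer' cannot stall the analyst.
    Returns (innermost payload, number of layers removed)."""
    depth = 0
    while depth < max_layers:
        m = EVAL_LAYER.search(data)
        if not m:
            break
        data = base64.b64decode(m.group(1))
        depth += 1
    return data, depth


# Apache/nginx combined log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def foreign_asset_referers(log_lines, asset_paths, own_hosts):
    """Referrer detection: return (client_ip, asset, referer_host) for hits on a
    watched asset whose Referer is not one of our own hosts or their subdomains."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["path"] not in asset_paths:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # direct request or stripped Referer: no signal either way
        host = (urlparse(referer).hostname or "").lower()
        if host and host not in own_hosts and not any(
                host.endswith("." + own) for own in own_hosts):
            hits.append((m["ip"], m["path"], host))
    return hits


# --- constructed samples (placeholder hosts use reserved .example/.test TLDs) ---
INNER_BACKDOOR = b"<?php /* second channel: copy of the captured creds for the kit author */ ?>"
_layer1 = b"eval(base64_decode('" + base64.b64encode(INNER_BACKDOOR) + b"'));"
OBFUSCATED_INCLUDE = (b"<?php /* looks like jquery.min.js */ eval(base64_decode('"
                      + base64.b64encode(_layer1) + b"')); ?>")
SHELL_IN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b"<?php /* web shell body */ ?>"
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
PHP_NAMED_PNG = b"<?php include 'config.php'; ?>"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2015:09:12:01 -0500] "GET /img/logo.gif HTTP/1.1" 200 4821 '
    '"https://www.example-bank.test/login" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2015:09:12:44 -0500] "GET /img/logo.gif HTTP/1.1" 200 4821 '
    '"http://cheese.example/secure/signin.php" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2015:09:12:45 -0500] "GET /login HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for fname, blob in [("logo.gif", SHELL_IN_GIF), ("bg.png", REAL_PNG),
                        ("login.png", PHP_NAMED_PNG), ("jquery.php", OBFUSCATED_INCLUDE)]:
        print(classify_upload(fname, blob))
    print(peel_eval_layers(OBFUSCATED_INCLUDE))
    print(foreign_asset_referers(SAMPLE_LOG, {"/img/logo.gif"}, {"example-bank.test"}))
```

Two design points worth noting: the signature check trusts the bytes, not the extension, which is exactly the view the talk says a system administrator skipping "that's an image" does not get; and the referrer check deliberately ignores empty or "-" referrers, since a kit that base64-embeds the logo into its PHP produces no hit at all, which is why the talk treats referrer detection as one signal among several rather than the whole answer.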