
BSidesAugusta 2018 - Paul Melson - Hunting APTs and Script Kiddies with Beer Money

BSides Augusta | 50:24 | 726 views | Published 2018-11
About this talk
Paul Melson (@pmelson). The assumption that threat hunting is an expensive, time-consuming activity reserved for enterprise organizations and threat researchers is not completely accurate. In June of 2017, I bought a Pastebin account and began hunting malware staged on their platform. For [far] less than I spend on beer in a year, and with just a little Python, I learned all sorts of stuff about threat actors at all levels. In this talk, I will share how I did this and some of the interesting things I learned along the way.
Transcript [en]

Thank you, thank you. So the title is intentionally vague but hopefully a lot of fun, and I plan to deliver on all three of these things. So today I'm going to be talking a little bit about a research project that I've had going for about the last year. Well, first, why don't I talk a little bit about myself, because I think that's how you're supposed to start a talk. So anyway, I'm Paul Melson, I work in cyber threat intel and in custom detection at Target. This is my fourth time at BSides Augusta, and thank you to the volunteers that put the event on and all of you that come out.

This is one of my favorite conferences, so thanks for that. You can follow me on Twitter at @pmelson; you can follow my project that I'm going to be talking about today, ScumBots, on Twitter at @ScumBots; and if you want a copy of the code that I used to do this work you can pull it out of my GitHub repo. So, a little bit about the premise that the research is based on. Backing up a little bit: everybody kind of has an understanding of what magic file numbers are, right? The first few bytes of a file will tell you kind of about the file and

what it does, and in particular that Windows binaries, or PE format files, start with MZ, or in hex 4D 5A. So that's a useful thing for being able to identify that a file is in fact a Windows binary. This started as a little bit of homework during my day job to just, you know, hey, what does it look like when a PE file gets encoded and shoved into, like, a Word document, and what are some of those encoding schemes? I've been playing with and tracking malware families and binaries for a while, and so I decided, you know, I had this malware zoo, if you've been to any of my previous

talks you heard me talk about that, and so what I did was I just ran some basic byte extractions over that entire zoo, and what I discovered was there's really only, it turns out, like nine unique byte preambles. There are ways to make more, but really in the wild there's only about nine unique byte preambles that uniquely identify a PE header, because 4D 5A as a byte sequence happens, like, all the time in the wild for lots of reasons, right? If you were to just say, hey, this file has the bytes 4D 5A in it, that wouldn't be particularly interesting to you, but if we could expand that out a little bit more, maybe,

maybe we could detect the presence of PE files, and that's really the genesis for this work. So I started playing around with some encodings, and so this is base64 on the left, that's decimal encoding, which, if you've ever played with byte strings in .NET, .NET will do this to you. .NET also has this horrible mode where it will intermingle decimal and hexadecimal, because it hates you. And so I was playing with some of this work, and what put me on the path to this research project was, well, Twitter, right? So I'd been playing with some of it, I tweeted out some of the stuff I just showed you

about base64-encoded PE headers, and Xavier Mertens, who's one of the SANS ISC handlers, did a little blog post about it, which is cool, like, that's fun. At the end of it though he mentioned, "and I'm adding these to my pastebot scraper," and I went, "you're what now?" So I did a little homework, and it turns out that Pastebin, everybody familiar with pastebin.com, right? So Pastebin is a free, anonymous, like, yo, copy-paste, and there are a number of others out there, and those could be interesting future research projects I suppose. But it turns out that they sell access to their scraping API, like they actually will let you give

them some money and you can get all the pastes off Pastebin as they happen, in real time. Basically what they do is they let you whitelist one IP and you can beat that API up to a particular rate limit, I think it's one per second, which is usually plenty. So from Xavier's ISC post I got this idea and I built this project that I call narc, or ScumBots, because that's what I called the Twitter bot, because narc was already taken. This is the architecture; it basically consists of sort of three components: there's a scraper, there's a parser and processor for the scraped data, and then there's a post-processor that does some

interesting, yeah, it does some enrichment, some analysis, and then it blabs to the world about this thing I found. The reason that I called the title "tracking script kiddies and APTs with beer money" is because, all in, that Pastebin lifetime, and by the way, if you're interested in doing this research, keep an eye out, they put it on sale, I got mine for like 20 bucks, lifetime, unlimited, single IP, like it's probably the best deal going in raw data for intel sourcing. So: Pastebin Pro licence, $19.95, and then one t2.micro at about $9.36 a month to run the scrapers; all in, a year

of this cost me $132.27. As I was saying to somebody in the audience before I started talking, that's a whole lot less than I spend on beer in a year. So, a little bit about the architecture. So paste theater is the actual scraper. This was kind of fun to have to play with. I originally started with a design where I was going to do it all in YARA, because YARA's awesome, and discovered that in order to get, like, really, really fast, reliable hunting times, right, the initial scraper I decided could accept a high degree of false positives, as long as it was catching stuff that was probably

interesting, and shoving it into a queue, and we could determine later, asynchronously, if it was really interesting. So instead what you'll find is it's just a bunch of raw Python string matching, just optimized for speed. I don't use YARA or anything like that, but it's pretty human-readable code if you check it out. So it evaluates the pastes. I did a little bit of tuning based on size and type, because Pastebin will try and parse the pastes for you and tell you what language they're in, and if it doesn't know, that's usually pretty interesting, and sometimes even when it does know it's also interesting. Also, you know, if it's megs and megs

it's probably not malware, and also if it's, like, 12 bytes it's definitely not going to be malware, right? So: download some interesting raw pastes, fast text search, and anything that's useful or might be interesting, we save it. Base jumper, because the first thing I started messing with was base64 encoding and I'm bad at naming stuff, so base jumper just validates for the detected encoding type. So it looks like base64, is it really base64? It strips out whitespace and delimiters, kind of cleans it up, decodes it to a PE file, and if it's all successful, right, it cleans

up all the raw leftovers. I co-opted a project that was written by Brian Wallace called BAMFDetect; a lot of the code contributed to this was also put together by Kevin Breen. So BAMFDetect is an open-source Python framework for doing malware analysis, and really its primary function is stripping configs statically from known malware families, right? So if I know this is this particular family of malware, I know where to go and what to do with the bytes to tell you who it's going to call out to, what its configuration settings are. It's a decoder. So I just forked this for my own purposes, because that way I didn't have

to write the whole thing from scratch and I could just add functionality as I went, because it had a modular design. So BAMFDetect will identify whether or not the PE file that I found is malicious; if it knows what it is, we rip that out and hand that off in JSON format, which was another thing that made BAMFDetect really nice: all the output was in JSON, it's real easy to handle, and then that passes it off to narc. So narc actually is what calls BAMFDetect, pulls C2 out in JSON, and moves any files; the ones that we don't identify, though, go in a research folder, which is fortunate for all of you because that's

going to actually be more of what I talk about in a little bit. So we check the C2 against the IP info API, as I showed you in the diagram, log some information about that C2 like geolocation, the ASN numbers, things like that, upload the sample to VirusTotal, and then comment on the VirusTotal upload. So if you ever see the stuff that comes off the bot and go search that hash on VirusTotal, you'll see that the bot has also gone out and commented, left the C2, positive ID'd the malware, because we got the C2 out. And then we tweet it out, because, you know, why not, and then clean that up. So that's

basically the framework, that's how it works. This is ScumBot, and if you go check him out he's constantly dropping dox on scumbags, bots and RATs. Mostly it's just an ongoing feed of malware I found on Pastebin. So, cool, right? Like, I built a thing that will find malware and tell us about it when it happens on Pastebin. The time cycle is, start to finish, usually just a few minutes from when the paste gets uploaded to the time that it hits Twitter and VirusTotal, which is kind of cool. Not the best if you're a bad guy, but that's kind of the point.
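The PE-preamble idea from earlier in the talk (a small set of byte preambles that identify an MZ header, and the base64, hex and decimal encodings the scraper looks for), worked through as an added example. This is not the speaker's ScumBots code; it is a stand-alone Python sketch of the same approach: precompute the text an MZ header turns into under each encoding and each base64 alignment, string-match for it, then decode the candidate and check that e_lfanew points at a PE signature before calling it a hit. The sample pastes are constructed, and the DOS-stub bytes after MZ are assumed to be the common `90 00 03 00 00 00`.

```python
"""Find PE files staged in pastes under base64, hex or decimal encoding."""
import base64
import re

PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"   # "MZ" plus the start of the usual DOS stub (assumed)
B64_REALIGN = ("", "AE", "AAB")           # stand-ins for the 0, 1 or 2 unknown bytes before MZ


def base64_signatures(raw=PE_HEAD):
    """Base64 text the MZ header produces at each 3-byte alignment, trimmed to the
    characters that depend only on the known bytes (no partial sextets)."""
    sigs = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode().rstrip("=")
        start = (0, 2, 3)[k]                                 # first char untouched by pad bytes
        end = len(enc) - (1 if (k + len(raw)) % 3 else 0)  # drop a trailing partial char
        sigs.append(enc[start:end])
    return sigs


def looks_like_pe(blob):
    """Cheap structural check: 'MZ' and an e_lfanew that points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe(body=b"\x00" * 64):
    """Constructed sample: 64-byte DOS header (e_lfanew = 0x40), PE signature, body.
    Enough header to be recognised; not an executable."""
    dos = bytearray(64)
    dos[0:len(PE_HEAD)] = PE_HEAD
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + body


def _from_base64(text):
    compact = re.sub(r"\s+", "", text)                       # pastes are line-wrapped
    for k, sig in enumerate(base64_signatures()):
        for m in re.finditer(re.escape(sig), compact):
            run = B64_REALIGN[k] + re.match(r"[A-Za-z0-9+/]+", compact[m.start():]).group(0)
            if len(run) % 4 == 1:                            # a lone trailing char cannot decode
                run = run[:-1]
            yield base64.b64decode(run + "=" * (-len(run) % 4))[k:]


def _from_hex(text):
    compact = re.sub(r"\s|,|0x|\\x", "", text).lower()
    for m in re.finditer(PE_HEAD.hex(), compact):
        if m.start() % 2 == 0:                               # must sit on a byte boundary
            run = re.match(r"[0-9a-f]+", compact[m.start():]).group(0)
            yield bytes.fromhex(run[:len(run) - len(run) % 2])


def _from_decimal(text):
    nums = [int(n) for n in re.findall(r"\d+", text)]
    head = list(PE_HEAD)
    for i in range(len(nums) - len(head) + 1):
        if nums[i:i + len(head)] == head:
            tail = nums[i:]
            end = next((j for j, n in enumerate(tail) if n > 255), len(tail))
            yield bytes(tail[:end])


DECODERS = (("base64", _from_base64), ("hex", _from_hex), ("decimal", _from_decimal))


def scan_paste(text):
    """Return [(encoding, pe_bytes)] for every validated PE embedded in a paste."""
    return [(name, blob) for name, decode in DECODERS
            for blob in decode(text) if looks_like_pe(blob)]


FAKE_PE = build_fake_pe()
SAMPLE_PASTES = {   # constructed pastes, not captures from Pastebin
    "b64": "payload:\n" + "\n".join(re.findall(".{1,76}", base64.b64encode(FAKE_PE).decode())) + "\n(end)",
    "b64_shifted": base64.b64encode(b"\x01" + FAKE_PE).decode(),   # one junk byte before MZ
    "hex": " ".join(f"{b:02X}" for b in FAKE_PE),
    "dec": ", ".join(str(b) for b in FAKE_PE),
    "noise": "sha256 4d5a" + "0" * 60,                                # "4D5A" alone is noise
}

if __name__ == "__main__":
    for name, paste in SAMPLE_PASTES.items():
        print(name, [(enc, len(blob)) for enc, blob in scan_paste(paste)])
```

The realignment prefixes are what make a preamble match usable: a base64 signature found at the second or third alignment is preceded by characters that mix in unknown bytes, so the decoder substitutes sextets for zero bytes, decodes, and discards them. The structural check is deliberately cheap, mirroring the talk's design of a fast, false-positive-tolerant first pass with heavier analysis deferred.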

So that's cool, that I wrote a bot that will tweet this stuff out, but what could we do with that data in aggregate? And how often does, you must be asking yourself, how often does this happen, Paul? The answer is: all the time. So today I've collected about 14,000 known samples, and, so I've identified 20,000 suspicious pastes, about 14,000 known malware samples out of that, that the bot has processed on its own. So we have a pretty good data set from which we can actually do some additional analysis, right? So here's a pie chart that kind of shows you the encodings that I'm

detecting. Some of these are skewed a little bit just by timing, because I started with a handful, with hex and base64, or decimal and binary, and have kept iterating, adding things like compression and other forms of obfuscation as I find them and learn about them. So some of these haven't been in the data set for a full year. You can see bad guys like to do things like, well, hey, if base64 encryption is good, double base64 encryption must be better, so we had somebody try that at least a handful of times. Hex-encoding base64, base64-encoding hex, it's all just, you know, how many

different times can you iterate through it trying to beat the detection? And the answer is, as long as we know to look for the obfuscation in the first place, then we can kind of touch it and handle it and see what falls out the other side. So, malware stats: the vast majority of what I find on Pastebin is njRAT, also sometimes called Bladabindi by some of the AV firms, but still seeing a significant amount of NanoCore, Revenge; there's a good amount of Meterpreter venom loader out there, but there's just a whole mess of other things that are out there. Agent Tesla has started to creep up, I've

caught some Cobalt Beacon, so that's not as script-kiddie-land as maybe njRAT is, so maybe we'll talk about that a little later. Where are we seeing C2? Netherlands is number one. The reason for that is not because the Dutch are necessarily notoriously evil, it's because Lost Oasis has all their ASNs based in the Netherlands, and Lost Oasis is a hive of scum and villainy. If you're not a researcher and you just have to defend a network, I would just go pull the Lost Oasis ASNs now and block them at your edge router, right? Like, there's nothing good going there and nothing good coming from there. Sorry, Lost Oasis, but it's true. And about 50%

of the Swedish stuff is relaxed VPN. So these aren't necessarily indictments of these countries, and certainly not good for attribution; what they're really good for is telling you where a couple of the shadier ISPs in the world are. So to that end, here's the ASNs. You can see Telecom Algeria; Lost Oasis is of course a big one; some interesting stuff: Saudi Telecom, Portlane, DigitalOcean, and you're all shocked they made the list. Then another thing that's a really common piece of kit is they'll use domains or FQDNs for C2, so yeah, they host at Lost Oasis, but they'll use free-tier dynamic DNS for

some of this. So these are second-level domains by frequency. DDNS is definitely the number one, but we've seen quite a few, and this list, so this is like the top 10 or whatever, but this list is pretty long, and basically if there's a dynamic DNS domain out there I've seen malware use it for C2. So that's another thing that I think you should do: if you don't know that you have a business case for dynamic DNS in your environment, go get a list of the names, kill them all at the edge, or at the very least go hunt them in your proxy logs, because there's probably interesting stuff in

there. Okay, so that's cool, I ran some stats, that's neat, but what's interesting is, if we overlay those, because there's a couple of clear winners across the top, I'm going to actually use those stats to put together what I would say is an aggregate set of TTPs, right? So we could describe a typical actor without really knowing anything about any of the actors specifically, just by observing this behavior at a particular slice in the kill chain, right? So if you pause and think about this, we're observing an attack in its staged state, right? So stage-two malware is set up on Pastebin for somebody to come get after something happens in their

environment, and then there are later actions on objectives once command and control is established and the bad guy's got access to the environment. So we're looking at a very specific slice of the kill chain as we're scraping here, but it's interesting because we can still build out some specific list of tactics that we know that they use on average, right? So: it's staged on Pastebin, that's kind of the point of the exercise, but base64 encoding, njRAT, free-tier dynamic DNS hosting with No-IP, and they probably host at Lost Oasis, right? And so what we have here is a set of TTPs that describe, as far as I can tell, probably a couple

hundred individuals. And really, if you take this set of TTPs and start doing a little bit of homework and start looking around, what you'll discover is there's a handful of, we'll call them hacker boards, on, is it deep or is it dark web? If it just has a password and Google can still scrape it, that's just the deep web, right? I forget. Anyway, on some hacker bulletin boards where you and I can go, you will find people basically passing around how-to kits and software on how to do this. So this is data, and what I do for my day job is threat

intelligence, so we have to turn that data into intelligence, right? Because, you know, I'm not done with graphs. So one of the things that's interesting is that I tracked the users that upload the pastes. A lot of these are anonymous, which isn't helpful, but when they're not anonymous that's, like, super helpful, because even if this doesn't uniquely identify the individual, it tells me somebody with control over this account, this person, did these actions. And so by overlaying the paste key with the FQDN extracted from the C2, tied to the IP, tied to the family of malware, tied to the user, I just created a basic table in a

spreadsheet and then did what all good threat intel analysts do and imported it into Maltego. And I'm just going to yada yada over this, but basically what I discovered is that there's an overlap at both the user and the infrastructure layer for every family of malware that I've been able to track, right? Like, for all of these commodity RATs like Revenge and NanoCore and njRAT and Xtreme, there's somebody playing around with both; there's overlap across all of them. So that's potentially interesting, because if nothing else what it tells you is that there's some level of connectivity in the community and availability of these tools. So what

else can we do? Because, like I said, I'm not done with graphs. Pew-pew maps, right? So another thing I did is I wrote some basic Python to take the extracted C2 information that I'm recording and turn it into KML files, which you can then upload to the Google Maps API and it'll generate a cool little map like this. This one's not especially useful, but it's just kind of neat to show off that I can do it based on the GeoIP mapping. So there's NanoCore, there's DarkComet, which is interesting, right, because all of a sudden as you get into the rarer stuff, now we're probably talking about a much

smaller subset of actors, and we're starting to see some geographic concentration, right? So one of my DarkComet actors has got some tie to Brazil. Whether that's where they're targeting or where they're operating, hard to say for sure, but definitely there's some connection there. Similarly throughout Europe and a little bit of Africa, but I would say that those geo concentrations suggest there's maybe a half-dozen actors and at least one or two of them really care about Brazil. And then this is CyberGate, same thing, concentrations in Europe and Brazil, and I'm guessing if we go back here we can probably find those lines in that Maltego graph as well. All right, so that's

the end of the commodity malware stuff. Let's talk a little bit about some of the more interesting stuff that the bot hasn't pushed out to Twitter. So anybody familiar with EZ Crypter, or however you say it? I mean, you know what this is. So EZ Crypter is a site that sells obfuscation services for Windows executables. You take a Windows binary, you give this dude some money, I believe that he takes Bitcoin and e-gold like all good legitimate software vendors, and you can submit a file for crypting, and he will then return to you your same program, but now obfuscated so antivirus can't find it. And I stumbled

on EZ Crypter because it turns out that when there's an error they post the error page to Pastebin, ostensibly for support purposes, right? The post failed, so a copy of the post goes to Pastebin. Do you see what I see? In the post body you get a copy of the would-be bad guy's malware before it's been packed, hex-encoded, posted to Pastebin, and this has happened several hundred times over the year that I've been observing it. So EZ Crypter is actually just leaking unobfuscated malware right back out to Pastebin for us, almost like they wanted to help. So let's see, msfvenom, so Metasploit venom. Venom's just a loader, it's a lightweight

loader for a portion of Metasploit Framework, and it's basically obfuscated shellcode loading. It's kind of a pain to reverse, and there's a ton of it. I stumbled on it by doing some user pivoting at one point and discovered, like, hey, there are all these little 4K files getting uploaded and they all have basically the same import table, they call kernel32.dll and a process at the specific offset, and then something weird: the timestamp, right? So when you compile a program there's a spot in the PE header where you can put the timestamp; the purpose for the date/time stamp field in the PE header is so that you can identify when

the program was built. I would say that for a large portion of malware that's just garbage data, and this is no different, right? In this case the timestamps are all bogus and set way, way in the future. I'm not sure why venom does that, I'm not sure that the attackers that use it know that it does that, but it makes for a real easy YARA rule. So I wrote this YARA rule and used it to kind of hunt around in the stuff that I had extracted and pulled down, and what I found, like I said, was a couple hundred of these across lots of different accounts and anonymous uploads.
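The timestamp check as an added Python example rather than the speaker's YARA rule: it follows e_lfanew to the COFF header, reads TimeDateStamp, and flags builds dated in the future or at zero. The header builder constructs a minimal sample for the demonstration; the one-day slack and the zero check are this example's choices, not something the talk specifies.

```python
"""Flag PE files whose COFF TimeDateStamp is missing or set in the future."""
import struct
import sys
import time


def pe_timestamp(blob):
    """Return the COFF header TimeDateStamp (Unix seconds), or None if not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if len(blob) < e_lfanew + 24 or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", blob, e_lfanew + 8)[0]


def timestamp_is_bogus(blob, now=None, slack=86400):
    """True when the build time is zero or more than `slack` seconds ahead of `now`.
    The slack absorbs clock skew between the builder and the analyst (assumed value)."""
    ts = pe_timestamp(blob)
    if ts is None:
        return False
    now = time.time() if now is None else now
    return ts == 0 or ts > now + slack


def make_header(ts):
    """Constructed minimal MZ + PE + COFF header carrying the given timestamp.
    Machine 0x14C (i386), one section, no optional header contents beyond the size."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # Usage: python pe_timestamp.py file.exe [more.exe ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, pe_timestamp(data), "BOGUS" if timestamp_is_bogus(data) else "ok")
```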

I started mapping these and found some pretty interesting stuff. I don't know, like, it's hard to go down the next set of rabbit holes, and I'm a little cautious to want to do that publicly, just because, yes, it's an available tool, right? Like, everybody who's got a Kali box has venom. What happens next with venom is really based on what you do with the shellcode payload, so really the next piece of this would be to do a bunch of sandbox runs. But I saw a bunch of weird stuff, like call-outs to, like, Comcast and Cox Cable and home-class stuff you

don't normally see with people establishing C2 or running pen tests. So I don't know if it's, like, lower-level bot activity, or if it's people screwing around where they're staging this stuff on their own home networks. It's definitely an interesting piece of kit that I found out there. So now I want to pivot to kind of the next gen of the research that I've been doing, and that's really been around hunting PowerShell. So did everybody get a chance to check out Dave Kennedy's talk this morning? I love watching Dave Kennedy talk, he's right about

most of the things he has to say about defensive operations and detection and how we can level our game up, but a lot of the stuff that he was showing off around PowerShell is stuff that's most definitely used in the wild, and Pastebin is no exception. So I started playing around with code that would just find interesting pieces of PowerShell and let me know when I was up against some PowerShell that might do some things that malicious PowerShell would do, right? So System.Convert, that's the library that does the string conversion, so that's everything from raw to base64 to hex encoding to Unicode encoding, right? But that tells you we're

transforming the value of data, right? This is not a thing that your sysadmin absolutely has to write; like, if this is a legitimate administrative PowerShell script, you're not likely to see this FromBase64String. I'd say about half the time, you know, obfuscation isn't always bad, but it's usually interesting. New-Object System.IO, that's just saying, hey, I'm going to write a file or open a file, or declare, not only files, but certainly if you've got a PowerShell script that wants to write a file, like say a PE binary that we decoded from base64, you're going to see some System.IO objects in there.

System.Net, if I want to use any of the functions like DownloadString or an HTTP request to go pull something else from somewhere else. And then System.Reflection.Assembly, man, this one's hot, because, you know, the thing your system is really not doing, your system is really not hot-patching DLLs on your mail server. So System.Reflection.Assembly is for reflectively loading, like, bytecode into memory. Now there are really legitimate reasons to do this in .NET and things like that, but this is one of those features of PowerShell that makes it really powerful, but really I see this used almost exclusively by bad guys.
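An added example (not the speaker's code) of scoring a PowerShell blob for the indicators just listed. It peels base64 layers, gunzips anything whose decoded bytes start with the gzip magic (the base64 prefix H4sI that the talk brings up later for the FIN7 stagers), decodes UTF-16LE the way -EncodedCommand produces it, and reports which indicator strings appear in any layer. The sample scripts are constructed for the demonstration; the 20-character minimum for a base64 run and the 0.9 printable-ratio threshold are this example's assumptions.

```python
"""Peel encoded layers off a PowerShell blob and score the indicators from the talk."""
import base64
import gzip
import re

# Substrings called out in the talk, with the reason each one is worth a look.
INDICATORS = {
    "System.Convert": "converts encoded data (base64 / hex / Unicode)",
    "System.IO": "opens or writes files",
    "System.Net": "DownloadString / web requests",
    "System.Reflection.Assembly": "reflectively loads code into memory",
    "TVqQ": "base64 PE preamble (the MZ header)",
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")   # minimum length is an assumption


def _printable_ratio(s):
    return sum(c.isprintable() or c.isspace() for c in s) / max(len(s), 1)


def decode_layer(b64text):
    """base64 -> (gunzip if gzip) -> text. Returns None when the result is not text."""
    try:
        raw = base64.b64decode(b64text + "=" * (-len(b64text) % 4))
    except ValueError:
        return None
    if raw.startswith(b"\x1f\x8b"):          # gzip magic; "H4sI" once base64-encoded
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    if len(raw) > 1 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16-le", errors="replace")   # -EncodedCommand style
    else:
        text = raw.decode("latin-1")
    return text if _printable_ratio(text) > 0.9 else None


def analyze_powershell(script, max_depth=5):
    """Decode every base64 layer reachable from the script and collect indicators."""
    layers = [script]
    queue = [(script, 0)]
    while queue:
        text, depth = queue.pop()
        if depth >= max_depth:
            continue
        for m in B64_RUN.finditer(text):
            inner = decode_layer(m.group(0))
            if inner is not None:
                layers.append(inner)
                queue.append((inner, depth + 1))
    found = {name: why for name, why in INDICATORS.items()
             if any(name.lower() in layer.lower() for layer in layers)}
    return {"layers": len(layers), "indicators": found}


# Constructed sample, not a capture: an inner stager, gzip+base64 packed into an
# outer script, and the whole thing UTF-16LE+base64 encoded as -EncodedCommand does.
INNER = ("$b = [System.Convert]::FromBase64String('TVqQAAMAAAAEAAAA')\n"
         "[System.Reflection.Assembly]::Load($b)\n")
PACKED = base64.b64encode(gzip.compress(INNER.encode())).decode()   # starts with H4sI
OUTER = ("$ms = New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('"
         + PACKED + "'))\n"
         "$gz = New-Object System.IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
         "IEX (New-Object System.IO.StreamReader($gz)).ReadToEnd()\n")
ENCODED_COMMAND = base64.b64encode(OUTER.encode("utf-16-le")).decode()
BENIGN = "Get-ChildItem C:\\Windows\\Temp | Measure-Object\n"

if __name__ == "__main__":
    for label, blob in (("encoded command", ENCODED_COMMAND), ("benign", BENIGN)):
        result = analyze_powershell(blob)
        print(label, result["layers"], "layers:", sorted(result["indicators"]))
```

Scanning every layer rather than only the outermost text is the point: the outer script shows System.IO and System.Convert, but the reflective load and the MZ preamble only surface after the gzip layer is opened.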

Every time I found this it's been shady. So I did some hunting, and as I promised, script kiddies, so let's start there. In addition to PowerShell, some of this stuff will also flag interesting Visual Basic code, and so I found some heavily obfuscated, this is like AES-encrypted, base64-encoded malware packed away in there, and all these interesting and strange comments. This would have been really annoying to reverse by hand, but fortunately he did such a nice job commenting his code. I don't know, can you guys see the link to his YouTube channel, where he was kind enough to provide instructions on how his crypter

worked for dropping malware? So it made my life a lot easier. This dude is still, like, totally active, like as of last week, which is fantastic. So okay, I promised kiddies, I also promised APTs. I don't know if you would agree that FIN7 is or is not an APT; I mean, if they were, I guess maybe we would have called them APT7, I think the name was taken, but everybody knows FIN7 now, right? Like, they're not quite Fancy Bear famous, but they're getting there. One of the biggest financial attackers, sometimes also called Carbanak, and a few others; they have some spider name

that CrowdStrike gave them too. So here's a timeline, anyway, of FIN7 activity using Pastebin. They ran four actual campaigns that we could observe over the last year where they leveraged Pastebin. One, they ran TinyMet, so TinyMet is a PowerShell micro-Meterpreter implementation; anyway, two TinyMet campaigns, one back in July of last year and then one in August of this year. They also ran a DNSMessenger campaign in October of last year. If you're interested in the details on DNSMessenger, there are a couple of really good write-ups, and I think the best one I've seen is the one that the Talos team did, so if you

google "Talos DNSMessenger" you get a good write-up on that maldoc campaign, and basically how they were using Pastebin, by the way, is they were staging malicious PowerShell scripts for loading stuff and then they were calling out to those from their maldocs. I could be wrong, but I want to say DNSMessenger might have actually been a DDEAUTO attack. And then of course we wouldn't be able to call them Carbanak if they didn't actually use Carbanak still every once in a while, so back in just this last previous month, in September, they ran a Carbanak campaign where they staged the payload

again. So here's how the stagers look. FromBase64String, just like I showed you, that's how we caught it. That H4sI, is anybody, I've got giveaways, so you can have your choice if anybody knows what H4sI is in base64. I'm going to have to come up with easier questions, it's fine. Oh yeah? Nope. Oh no, TVqQ is MZ, that's too easy. H4sI is a gzip header, so any time you see a base64 string that starts with H4sI, you're going to have to decompress the contents of it. And so I did, and then you find some other stuff. In both the

TinyMet and the Carbanak campaigns they used a loader that used this FromBase64CharArray; that's not a reserved word, that's just a variable name they picked, so that was interesting for helping tie that back together. And then in those they also just hex-encoded the PE file. So hunting, the same stuff that we're using to find commodity-level malware sitting out on Pastebin, the same tactics basically get us the view of the pros too. So okay, I did promise APTs, right, and we can argue about whether CopyKittens are in the realm of APTs,

but they are government-backed. So Operation Wilted Tulip was an attack committed by an actor called CopyKittens. I'm not super big on attribution deconfliction, so yada yada yada, it's Iran. So here's a timeline of activity, and I want to be clear, the existence of this stuff on Pastebin, this was an interesting lesson for me. As far as I can find, I reached out to basically anybody who talked publicly about Wilted Tulip, and the folks at ClearSky, who did a big write-up on it, they were super helpful with trying to deconflict some of the stuff that I found and observed, and

to be clear, nobody ties Pastebin to the actor. So what I'm tracking here is CopyKittens' kit from the Wilted Tulip operation probably being passed around by responders or researchers. So, blue team, don't upload to VirusTotal; blue team, don't post to Pastebin, right? Because I see you. But this is a whole series of kind of activity, and it suggests that as we move into early 2018, and really that is the last of it, in February 2018, that I observed, that means either people were still continuing to find and respond to

pieces of that operation and pass that information around, or, you know, there were, I struggle to explain exactly why it was there, and not because I don't have theories but because I want to be real cautious about what I put out there in terms of guesswork versus what actually happened. But what I can confirm is that these files are definitely known and identified as being part of that operation. So here's kind of what the kit looked like: highly obfuscated, backticks, which are like PowerShell no-ops, makes it a real pain in the butt to read, but it's pretty easy to kind of cut out. I

don't see him in the room, but hopefully maybe later Dave Kennedy will actually watch this talk, because he talked about how much fun he had breaking up and reordering strings to hide payloads in his talk this morning, but that doesn't really work if what we're looking for is small byte sequences, pre-encoded, right? So yes, this is not super easy to put back together, but it wasn't super hard either, but we still detected it, right? That's still a PE preamble right there, TVqQ, like you can't miss it. So those are the MZ bytes at the beginning of the payload. And of course, so Operation Wilted Tulip, the final payload for that, what they were

using to establish foothold, was Cobalt Beacon, because that's what all good attackers use these days, I'm told. So I'd actually want to thank Ryan, who just happens to be standing right here, thank Ryan for his help. Ryan did a ton of research on Cobalt Beacon config extraction, so actually, as of this morning, you can go out and download the BAMFDetect modules off my GitHub repo that include a Cobalt Beacon config extractor for HTTP, all versions. So thanks to Ryan for that. Okay, let's try the giveaway thing again: can anybody tell me how you can tell the difference between a licensed and unlicensed version of Cobalt Beacon?

It's super funny. No guesses? What's that? Oh no, you can't see it on the screen, it's on the next slide. In the back.

Yep, yeah, so here, let him take his pick. So yes, what the gentleman in the back was describing is that what Cobalt, sorry, Cobalt Strike does to Beacon when it's built without a license is they stick the EICAR string in it, which ironically doesn't get detected as much as you would hope, since that's literally the purpose of that string: like, every standard antivirus engine in the world is supposed to alert when it sees that string, and then most of them don't, at least not when it's put at the end of a PE file like this. But this is a fun piece of kit,

so, and not paying for Cobalt Strike.

So okay, but there's more Cobalt Beacon, and like I said Cobalt Beacon is the stuff of APT. So as part of this research, and with Ryan's help, we went back and back-hunted all this stuff that I'd captured with the scraper and found a bunch more Cobalt Beacon. And now if you upload Cobalt Beacon in just an encoding format that the bot recognizes, it will talk to you and send your stuff up to VirusTotal. So if you're a pen tester, don't stage on Pastebin anymore, because I will tweet you out like I did to these folks. So more pew-pew maps, this one's kind of

interesting though. So I don't know if I have an APT here or not, let's play a game, shall we? So I don't know if you can read this, so there's an IP address up there, 54.174, anybody know where that's at? Who said Amazon? Give that nice gentleman a giveaway. Yes, so that's Amazon, but tsk-green-energy.com, it turns out, was registered with Namecheap and it is not the property of TSK GmbH, which is an energy company based in Europe, but boy it sure sounds like them, doesn't it? So APT or not APT? Not. So I agree, right, like so Namecheap,

hosted on Amazon. Something you don't know is that this is a licensed version of Cobalt Beacon. Something else you don't know is that when they set up the domain they configured it to use Amazon's name servers, so they knew when they registered the domain they were gonna hang out in Amazon. So everything about this says it was paid for, like with a legitimate credit card, so I don't think that's an APT. I think we caught a red team test that was trying to look like an APT, so that's fun. But those yellow dots up there, you want to guess what the yellow is? Unlicensed Cobalt Beacon, and it's all hanging out

in Japan on different ISPs, so that's fun. So I can't say conclusively that that's an APT, but it's definitely a lot shadier than that one turned out to be. All right, what else? Empire agent. So everybody familiar with PowerShell Empire? I see a ton of Empire agent now that I know to look for it. So PowerShell Empire agent looks like every other base64-encoded PowerShell script when you first see it; you decode the first round and you come up with this, and it will make a call out to a dropper that's totes legit, you see that coming off of your network. So what this is, though, is this is just

a staged dropper, this isn't the actual bot. Empire agent is a PowerShell bot, and so if this had actually been able to run to completion and pull down admin/get.php, admin/get.php is an encrypted payload with the actual PowerShell in-memory resident bot in it, which this then decrypts with the IV and all the rest of that. It's really not too bad; like, follow me on Twitter if you're curious about how to pull the rest of this apart, I've tweeted out about a couple of these I found before, but basically you pull the file down using wget, you've got to recreate the cookie and the user

agent, get that down, fire up PowerShell and you put the key bytes in, run it through, decode it, and then you get the rest of it. The best part about what comes out the other side of these, though, and I should have made a slide for it, I'm sorry, is that camelCase is the next version of this, which includes the static user agent string that it uses to fake this. So the user agent string, if you look up there you can find the, you know, look for Mozilla up above, and that looks normal case, but the final version that has the continuous ongoing beacon will incorrectly camelCase the Mozilla user

agent string for PowerShell agent. So if you're hunting for PowerShell agent on a network, go look for mis-cased Mozilla and you almost always come up with that. So this is some of the places they hit it around the world, yeah, you know, C2 in the Seychelles, C2 in Bulgaria and Romania, and so totes legit. Okay, and finally, PowerShell Meterpreter. I just put these together this morning, so PowerShell Meterpreter is the thing I've been playing with as well. This is another piece of kit that Dave showed off some of the functions of in his talk this morning. So the PowerShell Meterpreter

dropper looks just like every other obfuscated PowerShell script; you can't really tell going in that that's Meterpreter, but using some of the same byte recognition stuff we're able to identify that, hey, this is something we should take apart. We get in, there's H4sI again, so you know it's gzip compressed, you have to pull that apart, so it's a few rounds, it's kind of a pain, but I've managed to automate this and just added this functionality to the bot like a week ago. So I went through and pushed like another 40 or 50 of these back out, uploaded them all to VirusTotal.

I've been playing with it; I think a couple went out this morning as a matter of fact. This is stage 3, so you actually start to get a look at what the PowerShell actually does. So anybody recognize what that code is trying to do and what that last base64-encoded string is gonna be? You'd better get a guess. So that's base64, sorry, yeah, so what do you think we're doing in memory? What? Um, in that case it's not actually a nop sled, although pro tip, if you're looking for nop sleds in base64, they look just like they do everywhere else, it's like all A's. So if

you see a big string of A's in base64, that's nulls. So I've been staring at a lot of base64, it's starting to speak to me. So in this case though it's shellcode, and this is the actual base64-encoded Meterpreter shellcode; this one is reverse TCP shell, and what it's doing is it's invoking it, as you said, into memory, in this case I think it's kernel32.dll, I think that's up above in the script. But so what you get out if you decode that base64 is this block of hex, and you'll just have to take my word for it, but this one would have called out to 192.168.1.229 on port 80. But because it's, you know,

because of that reliable shellcode imprint that we can get from playing with Meterpreter, it's not hard to go through a series of these, find the particular byte offsets and encoding patterns, and automate decoding these. So that's what I've been doing for the last week or so, playing with this, trying to hunt and automate, you know, doxing more of the bad PowerShell. So the other day I found this guy; he looks like so many others that I see and, you know, nothing unusual there. Decode it, the stage one, so this is what it looks like when you do that first round of decoding, and again nothing super weird. If you look in the upper right, it's gzip

encoded, we're kind of expecting that, it makes sense. We get to stage three and they look, same thing, we're trying to inject into memory, but oh, that's cool, it's gonna call out and download something over HTTP. That's pretty sweet, staged on Imgur, that's awesome. So I was like an excited kid on Christmas morning, because my Christmas is probably much worse than yours, as I'd say aloud it sounds like. I went out and I pulled the file down, but I was totally expecting to find like an FC or FC E8 or a DB BD, like, yeah, a 32-bit or 64-bit point of reference for some shellcode, and I didn't find it. What I found was, as

described in the URL, a PNG file. So somebody was saying hello. So I think at some point I must have gotten ahold of something in the middle of something, and I don't know if this was meant for me or someone else, but I'd like to think that this is some Red Team trolling back against someone, and if you did this and you saw it, please hit me up on Twitter, I'd love to hear the back story. And if you're a bad guy laughing at home, well, well played, good burn. All right, that was my talk, thank you for listening.

Okay, I've got one last giveaway, so whoever has the first question can get a book. Red shirt in the back, your question?

Yeah, so mostly right. So what I get is I get code and tools, so I'm looking at code and tools and then hoping to kind of look at, so the idea is to go from code sets and tools to infrastructure, and hopefully based on the connection of those two things maybe identify an actor based on that. I didn't start out trying to track APTs, it just, you know, they just kind of showed up in the mix and I thought it was interesting. Cool, any other questions? Yeah.

So the question from the audience was, do I track how many of the pastes are set to auto-delete? Yes, I do. So for anonymous pastes, as you may be aware, they can set an expiration, and I do record that. So ones that are being used for testing seem to last about 10 minutes to an hour, and ones that seem to be part of an actual attack, that they don't want to be out there for long periods of time, will typically be a day to a week, is about what I see. I haven't actually done a full set of analysis on that, that's just casual

observation, but if you message me on Twitter I'd be happy to just share the data with you around that. Cool, anybody else? In the back, you're gonna have to shout or use the mic. Yeah, use the mic. Sorry, could you, can you, a little louder into the mic? Um, so, you know, it varies widely, right? Like, the primary, automate, there's so much out there that I don't have time to file abuse reports. There is a family of malware I'm playing with right now that actually does uniquely register each piece of malware and has a way to report abuse; I'm thinking about adding that, but by and large what

happens is they get their stuff uploaded to VirusTotal and posted to Twitter, and you know, unless there's something especially concerning or egregious, in which case then I might reach out, but that's only if I happen to catch it. All right.

So the question was, do I do anything to obfuscate my IP when I'm downloading stuff? Yeah, I use a combination of things; I'll tell you about it in the hall, but it's not hard. It's pretty rare to see something that's actually IP- or geo-locked that's holding a next stage, but yeah, I have ways around that, but, you know, proxy, change the IP in the cloud hosting service, or, you know, Tor; it's usually one of those three. I haven't had anything where I couldn't get to it. All right, well if that's it, that's it. Thanks. [Applause]
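The byte-sequence hunting the talk describes, written up as an added Python example: the base64 text "TVqQ" that an MZ header produces, "H4sI" for a gzip header, long runs of "A" that mean null bytes, and a mis-cased "Mozilla" user agent. This is not code from the talk or from the scumbots project. The sample paste, the stub "PE" inside it and the PowerShell-looking wrapper lines are all constructed here for the demo, and the scanner goes one step beyond the talk by deriving the exact base64 text a magic number produces at each of the three possible alignments, not just the aligned "TVqQ" case.

```python
import base64
import gzip
import re
import zlib

# Byte-level magics the talk relies on: the DOS header that opens a PE file
# (MZ plus the usual e_cblp bytes) and the gzip header that PowerShell
# droppers wrap their next stage in.
MAGICS = {
    "pe": b"MZ\x90\x00",
    "gzip": b"\x1f\x8b\x08",
}


def b64_signatures(magic: bytes) -> set:
    """Base64 substrings that `magic` produces at each of the three alignments
    inside a base64 stream.  Every character that shares bits with an unknown
    neighbouring byte is dropped, so each returned string is exact.  For the
    PE magic this yields the well-known 'TVqQ' plus its two shifted forms."""
    contaminated = {0: 0, 1: 2, 2: 3}   # chars spoiled by k unknown bytes on one side
    sigs = set()
    for k in range(3):
        raw = b"\x00" * k + magic              # k unknown bytes precede the magic
        tail = (-len(raw)) % 3                 # unknown bytes completing the last group
        enc = base64.b64encode(raw + b"\x00" * tail).decode()
        sig = enc[contaminated[k]: len(enc) - contaminated[tail]]
        if sig:
            sigs.add(sig)
    return sigs


SIGNATURES = {name: b64_signatures(m) for name, m in MAGICS.items()}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
NUL_RUN = re.compile(r"A{32,}")      # 32 'A's = 192 zero bits = at least 23 NUL bytes
UA_TOKEN = re.compile(r"(?i)\bmozilla/\S+")


def classify(data: bytes) -> str:
    """Name the first magic the decoded bytes start with, if any."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def miscased_user_agents(text: str) -> list:
    """User-agent tokens whose 'Mozilla/' prefix is not cased the way browsers send it."""
    return [m.group(0) for m in UA_TOKEN.finditer(text)
            if not m.group(0).startswith("Mozilla/")]


def scan_text(text: str, depth: int = 0, max_depth: int = 4) -> list:
    """Find base64 blobs in `text`, decode them, peel gzip layers and recurse
    into whatever comes out.  Returns a list of finding dicts."""
    findings = [{"depth": depth, "kind": "miscased-ua", "value": ua}
                for ua in miscased_user_agents(text)]
    for m in B64_BLOB.finditer(text):
        blob = m.group(0)
        hits = sorted(n for n, sigs in SIGNATURES.items() if any(s in blob for s in sigs))
        core = blob.rstrip("=")
        try:
            data = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        except ValueError:
            continue
        kind = classify(data)
        findings.append({"depth": depth, "kind": kind, "sig_hits": hits,
                         "nul_run": bool(NUL_RUN.search(blob)), "size": len(data)})
        if kind == "gzip":
            try:
                data = gzip.decompress(data)
            except (OSError, EOFError, zlib.error):
                continue
        if depth < max_depth:
            findings.extend(scan_text(data.decode("latin-1"), depth + 1, max_depth))
    return findings


# Constructed fixture: a stub that only carries the PE magic and a run of NULs
# (not a real binary), gzip-wrapped inside a second layer the way the staged
# PowerShell droppers in the talk are.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 40
STAGE2 = ("$ua = 'MOZILLA/5.0 (Windows NT 6.1; WOW64)'\n"
          "$buf = [Convert]::FromBase64String('%s')\n" % base64.b64encode(FAKE_PE).decode())
STAGE1 = base64.b64encode(gzip.compress(STAGE2.encode())).decode()
SAMPLE_PASTE = ("$wc = New-Object Net.WebClient\n"
                "$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0)')\n"
                "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))\n" % STAGE1)

if __name__ == "__main__":
    for name, sigs in SIGNATURES.items():
        print(name, sorted(sigs))
    for f in scan_text(SAMPLE_PASTE):
        print(f)
```

Running it prints the three alignment signatures per magic (for the PE header: `TVqQA`, `1akA`, `NWpAA`) and then a gzip finding at depth 0, a mis-cased user agent and a PE finding at depth 1, with `nul_run` set on the PE blob. The shifted signatures for a three-byte magic like gzip's come out only three characters long, which will false-positive in large pastes; the decode-and-classify step is what confirms a hit, so the signatures are only a cheap pre-filter, exactly the role the talk gives "TVqQ".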