
Anatomy of Cyber Crime Investigation

BSides Cayman Islands · 2025 · 52:36 · 28 views · Published 2025-01
About this talk
A former UK National Cyber Crime Unit investigator and current head of cyber crime investigation draws on real-world incidents from the Cayman Islands to demonstrate how cyber criminals operate. The talk covers the structure of cyber crime investigations, technical malware analysis, social engineering tactics, and ransomware incidents, emphasizing the gap between national security preparedness and actual threats.
Transcript [en]

[Applause] it G oh you stole it hate these things in front of me uh good morning everybody hello anybody there I know the lights are bright and I can't really see you so I'm going to have to be a little bit careful um I was actually doing a presentation here last week and I had the whole stage so if I fall off if there's any medics in the house that'd be really appreciative uh I did a presentation last week to um professional accountants and uh if you've had any of my presentations before I always like to start with jokes the one last week for accountants was nice being a room where everybody counts trust me they don't get any

better with cyber security so why was the password lacking in confidence because it was insecure you can grown if you like last week we changed our password systems to have to have eight characters I chose Snow White and the Seven [Music] Dwarfs I used to do standup comedy now you know why I don't I also wherever I speak I always carry my little post that note it says on it do not swear here and it's always here I will do my best but the last I might relent a little bit so I think um Simons very kindly spoke a lot about me um we've been in arip for four years I have all these certificates um I

put those ones up I've got more but I put those ones up because those are the ones you have to pass exams for um head of cyber crime investigation for the police and he said I used to work for the national cyber crime unit uh and law enforcement and laterally the national cyber security Center at gcq so Simon is right I used to be a spy and still um maybe not radio came in though maybe somebody else um so the thing about me that's unique and it's not because I know every single happy hour in this island is that I've had experience of dealing with cyber crime I was involved in just about every single major cyber crime attack in the

UK for the period 2017 to 2021 so Vlad and I are good friends and I don't want to stand up here and completely disagree with him I'll say in certain matters he was right the thing that changed the UK to be more aware of in dealing with cyber security incidents is when they started to get the big hits so vlad's right I hope it never happens here but I think it's a wakeup call that will change how we deal with it vad works in the private sector and has to be a little bit political I can answer the question that was asked in relation to do we do enough and the answer is no my talk today should show

you why it's no because I'm going to do real examples the examples I'm going to be talk about today are things we've actually been involved in in this island everything's been anonymized you won't know who it is um but it's important you understand the types of things we've seen so anatomy of uh cyber crime investigation the structure of a cyber crime investigation really doesn't vary that much from investigating a murder we're still looking for means opportunity and motive so in cyers a motive e it's money Always Money always the end result is money it might start as cred harvesting but it's going to be money um means so we have some good a really good threat actors out

there and there are some not so good threat actors and some of the incidents I've dealt with on irland I got to say we were extraordinarily lucky that the threat actors didn't really have the means to follow through because in one it would have been absolutely devastating for the island and then the second one it would have been devastating on a worldwide stage because the company was a global one but the actors were not the best so we got lucky we don't always get lucky you won't always get lucky I always say three key phrases three key that's not easy to say three glad I'm sober three key phrases number one complacency is the enemy of good cyber

security never ever think it won't happen to you and that's really one of the things I want to point out of today so because or the start of an anatomy is what we take is a 4p approach which is pursue so we reactively and proactively investigate operations trying to bring people to Justice the big difference between investigating a murder or crime in this island and investigating a cyber crime is the chances of getting somebody in court for a cyber crime is nil so there are some stuff in Ireland where we've arrested people decent images of children that type of thing but a major cyber crime attack a major ransomware attack is coming from Russia or

one of those States um fraud probably Nigeria or an African State we're not going to be arresting those people so we have to think about it separately or differently so we also do prepare so today is where our claim that I'm preparing because I'm talking to you good people working alongside other entities on the island to do what we can to prevent or prepare for a cyber crime attack if you live in this island you know how well we prepare for hurricanes okay we've got an excellent um Hazard management team that do all of that how well prepared are we as an island nation for a cyber crime attack what if water desalinated water is attacked and goes what if electricity

goes that sometimes goes with hurricanes but that might be not too bad food distribution stuff's imported a guess it's imported ordered using a computer system what happens if that's taken out and we can't bring in food and we can't distribute it around the island what if we haven't got an airport would lack of an airport be out for a month be more or less impactive than a hurricane not looking for answers I'm raising the questions because they are concerns um protect again that's looking at um putting out preventative materials oh sorry protect and then prevent is is trying to um look to stop people becoming inide about crime thankfully on this island that is not an

issue I've come across and long may it continue I think most of the people who would know how to do this are fortunately on the right side of the fence or what I call the right side of the fence and doing good rather than bad so um go through that so we have four typical investigative phrases in cyber crime investigations acquisition so this is the same as a crime scene we're trying to find um evidence there's a theory called loats which is every contact leaves a trace and it's the same in cyber as it is in the real world so in murders we might look for microscopic DNA we might look for microscopic fibers on something some

exchange of forensics and it's the same in cber we just looking for the breaks so we look initially when an incident is reported to logs and I'll explain how this works when I give you an example how we did it the goal is to evidence is to is to gather as much evidence without altering the crime scene so we photograph everything we record everything we take extensive notes and then we recover the data oh sorry go back so I didn't realize I did that so then recovery so this is not recover this is not helping your entities recover from Cyber attack that's on you this is about recovering the data from the servers or hard drives

so we're looking for logs um carve files slack space stenography file residue cash sech history in our world it's possible to get convictions without the Smoking Gun windows is great at remembering things it remembers everything in fact if Bill Gates had a penny for everything a Windows machine remembers he would be oh yeah know he already is sorry um and we have things called jump files so jump files tell is that somebody did something so we've we've we've dealt with cases where people have gone to prison because we've we haven't been able to say oh we found this thing but we found what had happened and that's enough because we we are cor experts and we can

prove what we did to quite a high standard um analysis then so we carry out analysis of the um factors we get in and then presentation so I've been through all of

this so when we get our analysis this is how it's presented in front of us so this is one host so 1,173 th000 artifacts for us to look through and as you can see it's divided up into different areas I haven't expand expanded any of those this is act an actual investigation yeah so how many emails are the 1,200 230,00 and communication so we do word searches we look for breadcrumbs we look for throwing signatures across it to see if we can identify what we need to do the connections what connections between files and then in cyber forensics itself so this includes uh networks Network forensics so we last year we saw a lot of um click on the link and you click on

link you came up with this particular page it's a credit Harvester if if you think it looks like flow's log on page that's because it is if you look down where the yellow box is it says it's been pulled down from Flo's web page itself so the actor here didn't have to create anything they just pulled down the faon from the web page of the company who had it small scale de digital devices um storage media code analysis we do um if we get mware we decompile trying to see what it is trust me there are far far better people in around this audience to day one sat in the front r at this and I

will ever be but we do it to see if we can find stuff uh and then we debug it so this is actually an executable that um we came across on the system so we looked to see where it was you see you can break it down to see exactly what it does so we can analyze quite quickly what the threat is so what we looking for oh lastly presentation so we have to present this mostly to court director public prosecutions is here so he likes us to present this in a case that not only can his uh loyers understand but more importantly the jury can understand in preparing these reports it's really easy to be look how clever I am and as I'm

not very clever I tend not to do that I like to keep things simple and try to explain to the court no this is this is exactly what happened or this isn't happened because this is what I've done and what we're looking for really I'm trying to move on quickly because there's quite a lot to cover and I don't want to interrupt your coffee break but I am going to talk to the end because then Simon's idea of asking me questions about partner tickets won't ever come into it so we're looking for ttps tactics techniques and procedures they're key to understanding and and ioc's indicators of compromise why are they key well for me in prepare and protect they are key

because we want to share that information with entities in the Ireland and say hey this is what we're seeing at the moment these are the attack vectors we seeing and this is what you can do to prevent them however nobody tells us anything so you know we can't share anything I will today of ones who picked up but generally speaking nobody reports anything that happens in this island to us as I said we can't get the people in court but the small medium Enterprises on this island I say there are there were because they don't exist anymore because they fell victim of business email compromis and they lost the business because of the amount of money

involved in it that could have been preventable by having a better cyber security network than we do and this is what I'm this is what I want to present to you today to say look this is what will actually happen I'll show you some videos if you're technically minded you might say you I've seen that before if you're not it's probably going to scare The Living Daylights out of you because it is scary stuff but it is real so key for us are these techniques and stuff so tactics we've seen locally we've seen vulnerabilities being attack particularly Legacy software that seems to be something see a lot of um as I said systems never forget anything and

something that you've probably forgot about is sat there as a legacy is is a legacy entity and it's been caught it happened to the government in in February um that is actually a good story because the government sock which is 247 picked it up almost immediately and stopped it spreading but it was Legacy software it was just stuff that was shouldn't have been there but it was when I talked about means motive and opportunities vulnerabilities are are the opportunities and they're either infrastructure based or the People based but if you think about it logically they're all people based because people do the infrastructure third party vulnerabilities we talk about what we see a lot of is social engineering

leading to exploitation that's becoming very key in our modern world and then we have stupidity we have gross stupidity and now we have WTF I will say that sometimes I think we look at this and say how could they do that I'll ask you at the end when I go through my second example of you start at the beginning saying how could they do that but then when you find out and investigate the circumstances you kind of think okay you'll know more when I explain it more so I thought to start looking at vulnerabilities I doing my own Wii vulnerability scan so I was looking for um particular ports I was looking for drop bear SSH because I know that can be

vulnerable not always but it can be uh so I ran this scan and this is what I got this IP address it's got drop bear 0.46 is the version 0.46 is way down the list and there 17 non vulnerabilities doing some more investigation into it I can see Port 403 is open port 53 is open port 53 is UDP being open is not good and my video we'll show you why it's not good likewise 403 403 is open um but that's not good and the last one is the um the default gateway this is not me being clever because I'm not clever this is me just using Google and Google tells me that the default passwords is admin

admin so I stuck the IP address into the browser bar and there it is obviously I didn't do admin admin as that is illegal I really didn't because I would never have been caught but morally it wouldn't have that well with me what's the chanes that that is sitting is admin admin too much yeah probably I'll never know so third party vulnerabilities then so we talked about people being doing stuff with infrastructure and they create vulnerabilities what about people who are not your people third party vulnerabilities move it last year I think was last year 22 uh this year crowd strike we were talking about that in the green room yesterday how many people woke up to

this yeah I think a lot of people went back in aers and that was the result and what about the stuff that came in in the first one was that ever really removed I don't know I'm not in charge of that thankfully so some details of Investigations we've been we've been involved with so first one is a good and bad story bad because it happened good because of this so we had a detection um on dark Trace saying this has contacted this URL it needs investigating so as part of the acquire stage we acquired the pcaps for it and the pcap said this I'll point you to the bits that are more important which is there so um API V1

with a long name there are bigger experts in this room than I am but that is probably not good and indeed it wasn't there was also a DNS sorry a UDP get request further down the pcap so when I pulled down what that did I got this so hopefully most of you have looked at the equals equals at the end and said that's base 64 John if you haven't the equals equals at the end means it's base 64 encoded so I decoded it because even I can do that one and you get this and down the bottom you get tm. PS1 now that isn't good because basically what it's dropping is shell commands schedule tasks lots and lots of

scheduled tasks one of the other things we found in this investigation was this and I have to confess I had absolutely no idea where it was it wasn't coded in base 64 so it took a lot longer to decode but even when I got to this stage I was completely lost as to what on Earth this is i' never seen it before in my life Adam probably knows where it is but he's far cleverer than I am I also found this and this is a good thing so it's looking for and xiy for all those names so at this point in time I consider that I've got actual ttps something to work with so now I'm going to do something

incredibly technical I mean John Harmon level of technical ability I used Google and the answer was in Twitter I only went into it now because I had firm stuff to go on if you if I put down what is Lo and loads of zeros together with the previous one even chat GPT would have went um but knowing where it is so now I know I'm dealing with vipers soft yeah that's really really useful because somebody's probably done some research on this and they have um so long have I got there not long this is basically how it works dropping power shell commands speaking to the C2 and um a lot of not so good stuff uh but

by now we had the um we' recovered the hard drive from the box so we we could see everything it was doing because it had been decoded on the box which which helped us the other thing that my investigation or somebody else's investigation is all those zeros is a thing called bite mapping uh so bite mapping is quite a complex thing to do and it's about obfuscating what they're doing um and if the dart Trace hadn't picked it up we'd never have picked it up because the level of obfuscation of the code it was carrying and that's where it looks like in the technical side of stuff is basically a bite array and it's looking

for the bite so it deploys it this end it's looking for the same bite array in the C2 and once it has it it decodes the code onto the machine and runs the schedule tasks um this is some of the stuff we found it was doing so it was looking for Bitcoin it was trying to steal Bitcoin from your wallets and it was also trying to steal passwords from your passwords I say that's all it was doing and and knows a little bit of a low level thing because yeah it might have not been detected and it might have done a whole lot worse but that's what it was actually doing um I went through actually all I

tried to find all the Dooms and all the the XR y um and found this one so this is really what it says as well so when you went into that particular page somebody had already compromised the C2 and put that warning up there it wasn't me although i' admit that I can't spell diarrhea either I just think it's a little better than that and as I carry a little sign that says don't swear I think I would have probably said something other than puppets so I'll prove it's not me so that is uh that was our technical investigations any questions about that one before I move on to the other one not parking tickets all speeding tickets

is anybody heard about array before Adam is it something you've come across before yeah is there a MIT signature for it no or not the b r stuff no wouldn't really consider okay so Adam Pennington from miter he's one of our key speakers tomorrow very well worth listening to and I'm not saying that because he's sat in the front row he's uh genuinely an excellent speaker and we we're fortunate enough to have him again social engineering we have a problem on this island with social engineering uh they came in compass very kindly sorry Anon yeah enger te yeah yeah you can ask at the end if you want this one okay let me in case I run out of time okay thanks

so the cman compass ran an article a couple weeks ago um we've had a big issue with WhatsApp scams and people giving away the verification code even although the text they get says do not share this with anybody else we've seen a lot of it because a lot of people fell for it and a lot of people sent money so the more the threat actors see it's working the more the the more they targeted so we saw a lot of it and one of the things I said is I love this island for what's called C and kindness I think it's a fantastic thing I I've worked in London where I don't even cross the road when it's the the green

sign because it's like people would still run you down and here they'll startop for you so I love it but we're overly trusting we're overly um Guided by this can't happen this can't be bad which leads to my second phrase which is trust nothing verify everything that is key we are over trusting social Engineers know that and social engine ering is quite sophisticated and it's looking at the um the human instinct of trust you know I can tell I'm not really clever there's a flaming thing in front of me goodness me and I got my no saring because I nearly said something else soci happens because the human instinct of trust cyber criminals have learned carefully

worded email voicemail or text message con convince people to transfer money um through fishing research cyber criminal no the CEO is traveling an email is sent to a company that looks like it came from CEO slight discrepancy in the email address but the spelling in the CEO's name's correct um urges the person to transfer money and they do and they lose it it's happened on this island it's happened a lot on this island and I keep saying if somebody sends you please I've changed my banking detail to the US don't just go oh okay verify because they probably haven't so a few days later the CEO realiz and they've been targeted so what happens if somebody

believes an email and they click on the link

you're about to witness firsthand how quick and how easy a hacker can compromise your computer and infected with Trojans and ransomware the purpose of this video is to show you from the attacker perspective what they see and what they can do on the right hand side here is our victim's computer it is a fully patch and updated Windows tin system as you can see security Center shows no actions are needed all green check marks and this is running Windows 10 professional uh uh 20 H2 which is the most upto-date version the attacker is running C Linux which is here on the left hand side the Hacker's already been configured and is waiting for a connection back the hacker has sent an

email to the victim as seen here and the victim is simply going to click and run what is attached here which in this case is a Word document now the victim computer here is running office 2021 as seen here also so fully updated and patched and on the left hand side here if you keep an eye on it you're going to see what's going to happen as this office document opens up now stuff just started happening on the left hand side here and you can see down in the bottom left corner here this is the IP address of the victim and if the attacker runs the command ip config you can see that they are seeing the exact same IP

address and host name of the system so the attacker has successfully gained access to this computer through a Word document and there were no alerts no detections whatsoever that's how easy it is now the next steps that the hacker will need to do is to be able to maintain access we call this persistence and then they also need to get their ransomware on the computer so the hacker has written up some commands here that they're going to go ahead and paste in to the command prompt here they've got access to and this is downloading all of these different files and once these files finished downloading they're this is going to allow the attacker to maintain their

access by uh every time even if the computer gets restarted in this case what they're doing is they're uh backdooring the Google Chrome and now they just made the uh executable uh and all of the things they just downloaded hidden so it's much harder from a forensic perspective to be able to find it and now they are starting to download the malware all right now at this point uh it looks like actually there was a mistype here let me go ahead and correct the spelling here it is now called this's try that one more time there it goes s all right that's running now so now what I wanted to show is how the persistent connection works

and also what the attacker can can have access to so in this case in the documents you can see there's some documents here there's a you know file called bank account number with the bank account amount keep keep that in mind because what we're going to do here is we're going to just double click Google Chrome to simulate uh the other back door firing off and as you can see it did it's coming over a different connection and then you're going to see Google Chrome will open up normal so no popups no warnings nothing at all that would give an indication that there was a problem as you can see secy Center still says all is well and

we'll go ahead and minimize this and we'll go back here to Google Chrome and it's Google Chrome you know so if we do a Google search on let's say you know cars everything is running as intended now this is a little bit slower system which is uh one reason why it's running a little slow doesn't have many resources it is a virtual machine but as you can see it is Google Chrome it it it is returning what you would expect to see if you did a Google search on that and if you close out Google Chrome we still have the connection now what I wanted to show you was if we go into let's change the

directory into the documents we can see everything that's in the documents here and the attacker can simply do something like this and now they they can read all the contents in the document as well so and the victim is no wiser that something has happened that there's something on the system or someone on the system watching so at this point we've got the ransomware started it is running in the background the ransomware is going to be doing a few things it's going to be grabbing username and passwords out of memory scraping a pro process called Elsas it's going to uh start vulnerability or excuse me uh uh Port scanning it's going to look for other

systems on the network it's going to look for systems on other networks and then it's going to try to do some uh lateral Movement by connecting into those other systems using the credentials that it was able to get from this system this system is joined to a domain so this does simulate a business uh computer in a business environment with multiple systems um and there are some exploits that it's going to try as well so it goes on quite a bit there um because he's he says the ransomware does stuff it's kind of not correct the ransomware is something different he's running scripts that's going to steal everything so he this guy is a security

expert this is quite sophisticated where document it didn't come up as a macro it's done from a word on 403 the net cap was running and as soon as the document was clicked hopefully you saw the bad actor had immediate access so it's now going to get persistance it's going to get um migrate across your network and eventually it's going to drop the malware then that might not be today it might not be tomorrow it might not be next month they'll probably be running something called um emotet and trickbot and trickbot goes back to the C2 with everything you doing passwords in plain text because it's basically a glorified key logger so they're going to

sit there so when they put in the ransom demand they know what you're worth because they've been stting your network seeing how much you're worth so he waits a little while for the ransom where to deploy imagine having Google Chrome as persistence and their back door told you port 53 being open is not a good idea and that was the one the net cat was listening in yeah so every time even if we detected that initially he off fiscated the Google Chrome back door really well I've looked at this in more detail I've got the scripts for it the alisation is great we wouldn't find it you wouldn't find it man it's always going to be

there Google Chrome every time somebody goes on Chom the back in scary I think it's scary anyway um the other thing the actor wouldn't have done is the wind of um it's not cat it's typ in in command stretches so the wind of typed out the the file because that would have left something for digital forensics to find they would just have taken it they would have cured it they W geted it I can see RJ at the back is is squirming by the fact he used copy and paste rather than right the script that does the copy and paste for him I I hear you on that one I was surprised but I think he's I think the this chap who's

very very good at what he does I think he was trying to say show you that even if you haven't got any technical knowledge if you have the script all you need to be able to do is copy and paste how hard is that even I can do that but he waits a little while before the ransomware deploys so I thought I'd show you what ransomware actually deploying looks like this is lock bit done this on any desk on their um remote oh sorry their um online desktop um I'll say go when I C when I press the button the go is when I run the executable you will see some of the command lines coming up on the right

hand side ignore those Focus your mind on the left hand side on the word documents and the jpegs and watch for them to change because the moment they change is the moment they're encrypted we've uh we got 10 minutes to run this haven't we keep your eye on the left hand side oh where's it gone had they done it already oh there we go give it boom 2.13 seconds 2.13 seconds to encrypt everything on your system and in that 2.13 seconds it Sears for backups it's turned off your AV and it's done a couple of other things and if you click on the top part which is the ransom note built into this one is first

executables so as soon as you click on the ransom note before it opens the ransom note it deploys some more executables and then you end up with this and you popped and unless you've got really really good backups you're not going to get everything back and they will have stolen key details from you key data from you so how easy is it to get the email stuff done so this is an email I got from the man sat at the back of the room um hey John he uses hey a lot could you send me those key findings and the vulnerabilities you found on C you see I can share with Dennis then Dennis is

here I think is what's for c um we need to get diving again buddy which we do thank you and have a great day if anybody's received an email from RJ that is yeah that's really good that's so I'm going to sit at that and the bottom part is sent from Outlook by iOS um if Bo was in here he'd be saying oh that's really I can get after that one if you weren't in these talk yesterday he is here yeah you're sitting there going oh hey that's great information for me Isn't it and it is this is really good so I'm a veryify everything type of guy so I go on to the web page and there he

is that handsome hunk of a man [Laughter] and further meet the partners because I couldn't just give it to RJ alone James had to have some of it as well so in actual fact that's not an email from RJ it's one ey crafted using social engineering on his Facebook profile he talks about diving all the time diving I went up to one of the staff here who's dealing with this yesterday and say oh did you get that email from RJ so thank you and have a great day on the bottom of the email so I can use it to mimic what he is the days of bad grammar the days of badly worded emails gone actors are sophisticated and they

craft emails like that to overcome your Natural Instincts to saying is this actually from RJ so Dennis there isn't really a CU vulnerability that was little joke way way and Dennis there are well I haven't found them if they are and one of the other things I do I would do as a bad actor I would look on the web page to see what the email configuration is em Lake actually do a really good job with this because oh sorry back um oh that five comes up later so the technical people amongst you are now saying yeah John that's great you've crafted an email but can't go anywhere and as it was it can't so I've got to break into emake

system which I hope is difficult for Bo I bet he would get in for me it's too difficult but look Embar Lake b a r instead of b e r and it's mine I bought it I bought Ember lake .ky for $69 US now I own the domain I can set up an email exchange I can send our email how many people would notice the difference between the E and A in Ember Lake I suspect none of you particularly if I crafted it to make it look as if it was RJ that is a level of social engineering we are seeing that is a level of social engineering that is getting people to click on links and I've shown you in the

video what happens when you click on links I did negotiate with RJ yesterday how much I was going to send it for I started at $200 he started that I'll punch your lights out and as he kicked me in the face and nearly murdered me we were diving once I went with his idea and didn't sell it to him so I'm uh um and this is the thing I was talking about so they do really well because they don't have anything on their website that says emails they say oh no no you contact us all right I've got seven minutes left and probably about 10 minutes worth of work um so if you're an accountant you

understand assets liability income and expenditure and that's really important if you ever get hit by a ransomware attack so um I wrote this quite a while ago because I've given this presentation last week and I had this really great idea going onto a site called ransomware live which talks about ransomware amounts and it shows you the conversations they have uh John Harmond swine did a video on it on YouTube two weeks ago so he kind of stole my thunder um so this is where at the point in time I did it I changed so as of yesterday there have been 51,333 victims of ransomware worldwide 4,719 this year so this is where I find it

difficult to not swear this is BlackMatter one of the biggest ransomware groups in the world so if you contact them they start with hello and welcome to BlackMatter how can we help you like a flaming IT help desk

send your demanded price for it you will get the decrypting tools your data back so they've got 1.5 terabytes of your data people have played hardball with them in the past and said oh no you haven't got the data these days they have that data and they will publish it so um going down the page you got a discount 10% for early payment 25% off the BTC transaction really good business people um our idea was 500,000 but maybe we can negotiate a million in actual fact the ransom was 15 million and it was negotiated down to 13.5 million the decryption files don't work like encryption encryption takes two .1 seconds decryption has to go every

single file individually and you have to script it to do it and it takes months and months and months so even paying 13.5 million you're not getting your business back anytime soon some of the other negotiations this one didn't do too well one or two million they got it down to 1,775,000 I don't know who this one is but they're a brilliant negotiator they got it from 4 million to 150,000
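The lookalike-domain trick described earlier in the talk (a bought domain one letter off from Ember Lake's, an a for an e) is something a mail filter can flag before a human reads the message. The check below is an added example, not code from the talk or from the speaker; the trusted-domain list and the sample From: headers are constructed for the demo.

```python
"""Lookalike sender-domain check (added example, not from the talk).

Flags sender addresses whose domain is within a couple of single-character
edits of a domain we trust, the swap a reader's eye misses (embarlake vs
emberlake). Trusted list and sample headers are constructed for this demo.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"emberlake.ky"}  # constructed for the example


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unrelated'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        # One or two edits away from a trusted domain is the typosquat zone;
        # anything further is simply a different organisation.
        if edit_distance(domain, t) <= max_edits:
            return f"lookalike:{t}"
    return "unrelated"


SAMPLE_HEADERS = [  # constructed sample From: header values
    "RJ <rj@emberlake.ky>",
    "RJ <rj@embarlake.ky>",
    "Dennis <dennis@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:32} -> {classify_sender(header)}")
```

A display name of a known colleague on a lookalike domain is the combination worth quarantining and reporting, since the name match is exactly what the social engineering relies on.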

so the social engineering life cycle investigation the hook the play and the exit I'll come back to that later this is an investigation we did on island so it starts out with um somebody gets a message on telegram from her and iitu so the person did due diligence so the company exists it's a huge Japanese cryptocurrency firm huge Asen doing a lot of worldwide trading the people exist these are real people and remember the name Miko because it comes up again a little bit later on so for months and it is months these characters engaged with a victim doing social engineering and other things the victim worked for a financial company the negotiations were saying

come and work with us and you get lots and lots of money they wanted to make money for the company the financial house of course they didn't want to make money for the customers but they wanted to make money for themselves so they got this um this is not the one this is a different one I've used because again I want to anonymise it so the the Isabella is not on Cayman but we have a strong track record so this is the start of and it is months and months of negotiations and they eventually arrange a meeting and they send them this link to the meeting you click on the link and they got this

access restricted so they can't get into the meeting so they've got the hook can't get into the meeting oh I see it seems you're based in Europe even though they were based here which is weird um please troubleshoot this and click on this link so the following conversation is a real conversation I've I've cut it down quite a bit sorry the file asks me to run a script I'm not comfortable doing that good start could we just use Google Hangouts or Zoom several weeks later seems that the script sends IP requests check it and try again sorry for the inconvenience keeping them ongoing uh I can copy and paste my IP for you if that helps by now they're

thinking I want this business can I do anything give my IP address are we not good so what I can do with an IP address for vulnerabilities uh yeah send it over they actually were not interested in the IP address yeah send it over I'm not going to do anything with it they send it over uh Miko and I are already in the meeting so they're using the name of the other person as well we're here waiting for you please come in um do you need my browser version I can send that over as well and and Bo again is sat at the back going oh great he's about to reveal his browser n does

hey it's still not working this is a few weeks later can you still not get into this meeting I'll try again no it's still not working and my customers are about to have a 25% improvement in their bitcoin price is there any way you can fix it and no requirements in the meeting please join us waiting for you now to join script sends requests to the service support team is all good I ran it and it's still not working maybe because an issue on your side I'm not sure can we try Google Hangouts yeah we can I'll send you a request on Google Hangouts and we wait 15 minutes if you look at the cycle then

you've got identifying the victims gathering background information over months engaging the target spinning a story taking control of the interaction I think I've shown who controlled that interaction expanding the foothold executing the attack disrupting businesses and siphoning data and then removing traces of malware and covering tracks so this was the actual script I won't go into it too much um basically it's an AppleScript so the perpetrators knew the person was using a Mac how did they know he was using a Mac social engineering um we did follow the money it is in the millions however I knew who this was as soon as I saw this social engineering changing it from bitcoin to ethereum this

is Lazarus this is North Korean state actors and this is the particular group of Lazarus most closely associated to the North Korean government this money has almost certainly been used to develop the nuclear program I think I was the first to discover I might not have been but SlowMist came up well so that was a gra SlowMist came up with it a few months later saying yep this is definitely North Korea and it is so this is another one and my time's up and I'm going to leave you with this one this was somebody else's response and the third phrase is so the the chap himself so I should have said the guy who was the victim for this one

got the script and this is the failing if you like so if you go the stupid or very stupid months and months you can see why this person thought it was good so I don't think they were stupid I think they were very stupid I think they made a mistake because they thought they understood what the script said so my last phrase is if in doubt don't do it so for all Cayman community for all users of computer systems for all admins for all CISOs for all you people here complacency is the enemy of good security cyber security trust nothing verify everything if in doubt don't do it but please please please and I'm going to have to rip this up come up

with the last three things the last three lines of this because when asked to do the script the person said go [ __ ] yourself thank you very much for listening enjoy your coffee