
[pre-talk chatter, mostly unclear] ... probably eight times a day to replace the [unclear] ... okay, so my son [unclear] computer ... and we were checking the prices of GPUs and it's like crazy ... [unclear]
It's been a pretty interesting week, considering this has popped up again recently, so cryptojacking [unclear]. So let's talk about this: the activity of compromised websites and malicious redirects, and how it's linked to [unclear]. The method is basically becoming the preferred choice [unclear].
All right, so here's a list of topics that we'll cover real quick in the next 25 minutes. First, who's talking: a quick bit about my background. Then a brief historical review of some of the highlights, very interesting stuff, from [unclear] up to a few days ago. Then I'll go into an explanation of compromised websites, malicious redirects and traffic distribution systems, for a better understanding of the differences between them. And then I'll go into tracking and trending, which also shows some of the changes the bad guys make.
So my name is William [unclear]. I'm a detection engineer [unclear]; on the side I do cyber defense and response, and I'm a longtime member of a lot of trust groups and security community Slack groups and email lists. Over the past ten years I've specialized in tracking and trending [unclear]. This is actually my first talk on American soil; I've presented overseas [unclear]. If you want to contact me, there's my email address, and my Twitter handle is [unclear].
So a little overview of the talk. [unclear] Cybercrime has been around for a while in one way or another; it's a big problem and it's touching everyone in this room in some manner. There's a list here of some of the most successful crimes in history: phishing, so everything and anything, from Social Security cards to anything like passwords to the library; skimming; [unclear] fraud. This one's interesting; I wonder if anyone's ever had this besides myself: someone pretends that [unclear]. That was interesting. And then this leads up to the upward trend of cybercrime. So in [unclear] it says cybercriminals use every weapon that they can think of, including taking advantage of [unclear]. It's no wonder that they [unclear] doing all these [unclear].
Next slide: let's go over some history, the interesting stuff, to get you up to speed. This is a [unclear] timeline [unclear]. So there are different methods to get CPU miners on your computer via various delivery methods, but a notorious one was being spread before, as well as during, WannaCry, via the Shadow Brokers' release of the exploits [unclear]. This one [unclear] would exploit the user's system, install a CPU miner and run it as a background process, communicate with the command and control server for instructions and pull down the actual miner. And this was a big deal; it cost a lot of [unclear], but this is something that I was tracking. So they literally took advantage of [unclear] to start mining on different computers. Monero is always the choice for the threat actors; that's really due to [unclear] what they can buy with it: illegal goods and services. So moving on, next we're going to go over [unclear], where different groups were actually in charge of those, but with very similar weapons, just like the last one, which was utilizing the EternalBlue exploit released by the Shadow Brokers. Next was [unclear], a Monero campaign that's very sophisticated compared to the previous ones; it was utilizing multiple exploits, including EternalBlue, [unclear]. So there were a lot of hoops to jump through for this particular campaign, which made it very interesting to us. And another [unclear], one of the big moments [unclear]. Switching gears to the browser: so [unclear], they released the JavaScript snippet [unclear], and you could put it on your website, and it was being looked at as an alternative to ads: those subscribers on your page would agree to let their computer [unclear] a little bit. But unfortunately, overnight the bad guys found out that they could use this, set up shop, do mass injections and compromise all the websites, and [unclear]. So next, after that, the biggest thing that just happened, on the way traveling here to [unclear]: there was the Drupal [unclear], as all those who follow the researchers know; it's a mass exploitation of Drupal, which is open source, and that's affecting a lot of people, about 4,000 to 6,000 sites [unclear]. And what's so funny about this is that we picked the topic a while ago and nobody [unclear]
[unclear], and now here we are. Okay, so now we're up to speed on the threats observed. [unclear] Let's go over some of the attacks and delivery methods. The first one I'm going to be talking about is compromised websites. This has always been a problem: any time there's been a vulnerability, like the Drupal one I spoke about, in content management systems; and in general, people set up a website and forget about it for five years [unclear]. A lot of these earlier ones were in [unclear] and Magento; those are some of the favorites in those communities. They also like to use vulnerabilities in plugins, like WordPress plugins, or any kind of plugins that the people or the company don't have control over. So the method with this is straightforward: it's an injection on top of the websites. That's one of the methods that was described earlier,
instead of going for like a CNN, a high-traffic website, and getting a lot of [unclear] on there, I suppose they actually built a [unclear] to just put it everywhere. So the next thing is ads. Everything has ads, no matter where we go, right; everything is just ads in your face. YouTube has a little video ad that rotates [unclear], and it's crazy, right? So what they do is they usually put just a little JavaScript [unclear], just a redirect, and it's also known as malvertising, and that's where most [unclear] with that. But that's just ads on the page you go to, [Music], you know, something you don't want. So they [unclear] to deliver with this, because there's no background process; they only need to do a lot of redirection and start a background process, and we have no idea what's going on once [unclear] on the computer [unclear]. So another one that's excellent is [traffic distribution systems], and this is interesting because if you pay attention to [unclear] some security stuff, I think they're actually still being used. So what they did was [unclear]; a lot of it is not in the United States but in other countries that have private buyers, you know, they're not sharing it with anyone, it's exclusive, and it costs a lot of money to do that. And the delivery with that is they have to get hold of a [unclear]; they have to create a landing page which [unclear] your computer and delivers something. So they have options at this point: they can do just a [JavaScript] background process with the redirection, or they can drop a binary [unclear]. Another interesting thing with this [Music] is there's a lot of traffic filtering going on, which is why certain parts of [unclear] or researchers can see it in the United States, but it won't work if you come from [unclear] China or something like that. So they have a lot of options with this, and that's why it's still being abused today. Not only that, it's helping their [unclear] ads [unclear] the type of things that people are clicking on; [unclear] redirected to another [unclear] of the same routine. So next is email, and it's coming in as spam, [unclear]. So this is also going in a very similar direction: when you click on a link from whatever kind of spam you get, there's a redirect that happens, with malicious redirects, [unclear] executes in the back end, and you've gone on with your day while they make money off your CPU. So real quick I'm going to go through an investigation, now that everyone's kind of caught up with some of the methods; there's a ton more [unclear].
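The redirect chain and traffic filtering described above, as an added example that is not part of the original talk: a Node.js script that reconstructs a redirect chain (3xx Location header, meta refresh, JavaScript location assignment) from captured responses, with a constructed in-memory "server" standing in for the compromised site, the ad rotator and a TDS that gates on User-Agent, country and Referer. All hostnames (on the reserved .invalid TLD), the gate rules and the two client profiles are made up for this example; nextHop, followChain, hopsSeenBy and directHit are the example's own helpers, not tooling from the talk.

```javascript
"use strict";
// Added example (not from the talk). Reconstructs a malvertising/TDS redirect
// chain from captured responses and shows why the same start URL looks
// harmless from an analyst box. Everything below is constructed: the hosts
// use the reserved .invalid TLD and the gate rules are made up.

// Pull the next URL out of a response, checking the three redirect forms a
// browser would act on: 3xx Location, <meta refresh>, and a JS location assignment.
function nextHop(resp) {
  const headers = resp.headers || {};
  if (resp.status >= 300 && resp.status < 400 && headers.location) return headers.location;
  const body = resp.body || "";
  const meta = body.match(/<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["']\s*\d+\s*;\s*url=([^"'>\s]+)/i);
  if (meta) return meta[1];
  const js = body.match(/(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/);
  if (js) return js[1];
  return null;
}

// Walk the chain with a hop cap and loop detection. Like a real browser, the
// client sends the previous hop as Referer, which a TDS typically checks.
function followChain(startUrl, fetchFn, client, maxHops = 10) {
  const chain = [startUrl];
  let resp = fetchFn(startUrl, client);
  while (chain.length <= maxHops) {
    const next = nextHop(resp);
    if (!next) break;
    const looped = chain.includes(next);
    chain.push(next);
    if (looped) return { chain, terminal: resp, loop: true };
    resp = fetchFn(next, { ...client, referer: chain[chain.length - 2] });
  }
  return { chain, terminal: resp, loop: false };
}

// Constructed TDS gate: serve the landing page only to browser-looking clients
// from the countries the buyer paid for, arriving via the expected chain.
const TDS_TARGET_COUNTRIES = new Set(["US", "CA"]);
function looksLikeAnalyst(ua) {
  return /curl|wget|python|headless|bot|spider/i.test(ua || "");
}

// In-memory stand-in for the four hosts in the chain (constructed responses).
const SITES = {
  "https://blog.compromised-site.invalid/post": () => ({ status: 200, headers: {},
    body: '<html><script>window.location="https://ad.rotator.invalid/c?z=9"</script></html>' }),
  "https://ad.rotator.invalid/c?z=9": () => ({ status: 200, headers: {},
    body: '<meta http-equiv="refresh" content="0;url=https://tds.gate.invalid/in">' }),
  "https://tds.gate.invalid/in": (client) => {
    if (looksLikeAnalyst(client.ua) || !TDS_TARGET_COUNTRIES.has(client.country) || !client.referer) {
      return { status: 200, headers: {}, body: "<html>nothing to see</html>" }; // decoy page
    }
    return { status: 302, headers: { location: "https://landing.miner.invalid/index.php" }, body: "" };
  },
  "https://landing.miner.invalid/index.php": () => ({ status: 200, headers: {},
    body: '<script src="https://landing.miner.invalid/m.js"></script>' }),
};
function fakeFetch(url, client) {
  const handler = SITES[url];
  return handler ? handler(client) : { status: 404, headers: {}, body: "" };
}

// Two replay profiles: a typical analyst fetch and a victim-like browser.
const ANALYST = { ua: "curl/8.0.1", country: "DE", referer: null };
const VICTIM = { ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/66.0", country: "US", referer: null };

const START = "https://blog.compromised-site.invalid/post";
// Hops visible when starting at the compromised page with the given profile.
function hopsSeenBy(client) {
  return followChain(START, fakeFetch, client).chain;
}
// Hitting the TDS URL directly (no Referer), even with a victim-like profile.
function directHit(client) {
  return followChain("https://tds.gate.invalid/in", fakeFetch, client).chain;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("analyst sees:", hopsSeenBy(ANALYST));
  console.log("victim sees: ", hopsSeenBy(VICTIM));
  console.log("direct hit:  ", directHit(VICTIM));
}
```

The point of the two profiles is the one the talk makes: with a curl User-Agent or from the wrong country the chain stops at the decoy page after the rotator, and pasting the TDS URL straight into a browser without the Referer of the previous hop gets the decoy as well; only a replay that reproduces the whole chain with a victim-like client reaches the landing page. Against a live chain, swap fakeFetch for a real fetcher inside an isolated VM, as the investigation section of the talk recommends.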
So, investigation. This would be something [unclear], you know, where it goes off and you're like "oh". I'll go over the steps here; it's just an investigation method. So you're going to get an alert of some sort, or a blog or something about [unclear], open-source intelligence. At that point you're going to start a virtual machine, start your analysis, [unclear] the tools that are very important. Then you're going to grab the malicious content, and you can start documenting the indicators, and then you can move on and reverse the code, especially the [unclear] miners: it's a lot of obfuscated code, and the methods differ; there are tons of them. You go and get [unclear]; once one person gets an idea, someone's going to take it, like a branch, and make their own, and that's definitely a new rule. So you take [unclear] or some sort of rules, you're monitoring this, and if you happen to like tracking you want to track these guys, right? If you don't, you just continue to play whack-a-mole all day. So here's a [unclear].
So it's a little bit of nastiness here. I think if you guys can see (I'm color blind) I put a rectangle in [unclear] the top left. So that is kind of an indicator [unclear] I've seen in exploit kits; it just tells me, here's some JavaScript that's obfuscated, here's a certain encoder, or how it's being used, which happens to be, right off the bat, just as I've seen this many times, and I happen to know this is from javascriptobfuscator.com. So that's where it is. The sad part is it's really hard to [unclear] on the same website; you have to actually put a little work into it, but initially, before the investigation, so here's the [unclear] miner injection, part two, or just one; it's rather large, and this is what that looks like: computers love this, this is not very readable, right, like at all. So you can, if you're able to [unclear] this particular section, and I'll give you a little bit of breadcrumbs that you can use to find out where that guy is. It's not going to [unclear] the whole thing today; we've lost time. At the bottom of the [unclear] you can see the hex [unclear] in JavaScript functions, and there's a very recognizable [function], highlighted on screen. So any time I see that, I can really say [unclear]. I wrote the steps out, so if people are not familiar with how to do this, you can do it really quickly without having to do any coding. It takes a few things and you're on your way to finding the bad guys. So here are the steps that I laid out: you can use Chrome, it's really good with developer tools; you can do it in Firefox as well. We're going to take that whole JavaScript, all that stuff that I showed you, which is rather large, and you're going to put it into the console in developer tools in Chrome, paste it in, or paste the modified [version]. We're going to take that output and you can put it in a file, and to make it more convenient, because it's all a mess, you can run a beautifier, which is the only way our eyes can see all this madness. And this is what it looks like at the end here: so we just ripped it, and now we're finding the address of the threat actor that was injected, right there at the bottom. So depending on who got infected, where your company is, this is key information to add on if you're going to do a law enforcement [report] or something like that, or you can report it to them. But [unclear], that's what this is, the address [unclear]; you're not going to get any information, shut down, and unfortunately, [unclear] the miner still goes and they're still making money. So my personal preferred method is: let's get someone involved that can actually do something, and see what happened to the website that was compromised [unclear]. So coming from that, we're going to go to some
tracking and trending, and this is a very important thing about correctly tracking [unclear] and comparing different [unclear]. So in the beginning, that first slide with the [unclear] miner, there's the "var_" section that's highlighted; you can use this tool right here, and you get more [results] than you can see with just that little string encoder: we have 500-some websites that to this day have this miner, but there used to be about four thousand. So this is kind of one of the older campaigns that I ran through; it's not what's recent, but [unclear] about this one. So if you can use this tool [unclear], you can sign up for an account, you can pull in all these indicators and put them into whatever tracking platform you use, and definitely [unclear] in this next part, which is a lot of stuff. So on the left (this is MISP, by the way) these are tags, and on the left there's a lot of the campaigns; to fit all that on the screen, there's a lot more, but that's all the coin-miner scripts and stuff that's happening today, [unclear] old stuff. All the [threat intel] community agrees it's just a really good tool to have, if no one [unclear]; it's like a threat intelligence sharing platform, and you can sync up with your buddies to build trust and start sharing. So as you see [unclear], there's a ton of [unclear] the different miners being used; all these are [unclear] miners, just that one with ransomware, but you can also have [unclear]. So if you have something that you want to [unclear], you could do that [unclear]. So that's a real quick investigation; that's pretty much all that I have up there. I talk way too fast, sorry about being nervous [unclear], but if there are any questions you can ask now or after; I'll be around. Also there's an expert in [unclear] as well, who was willing to talk about all this stuff.
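The deobfuscation walk-through in the investigation section (paste the blob into the browser console, beautify it, pull out the threat actor's address) and the string-encoder pivot used for tracking, as an added example that is not part of the original talk: a static Node.js deobfuscator for the string-array, \xNN-escape and String.fromCharCode pattern typical of javascriptobfuscator.com-style output, with indicator extraction and a crude scoring rule for triage. The sample blob, the pool host, the 32-character key and the variable names are constructed for this example and match no real campaign; deobfuscate, extractIndicators, fingerprint and injectorScore are the example's own helpers, not tooling from the talk.

```javascript
"use strict";
// Added example (not from the talk). Static deobfuscation of the pattern the
// talk walks through by hand in the browser console: a "_0xNNNN" string array
// holding \xNN-escaped strings, String.fromCharCode() for the key, and array
// index references in the code. Everything in SAMPLE is constructed: the pool
// host, the 32-character key and the variable names match no real campaign.

// Constructed loader. Decoded, the first line reads:
// var _0x3f2a=["wss://pool.example.invalid/proxy","start","WebSocket"];
const SAMPLE = String.raw`var _0x3f2a=["\x77\x73\x73\x3a\x2f\x2f\x70\x6f\x6f\x6c\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x70\x72\x6f\x78\x79","\x73\x74\x61\x72\x74","\x57\x65\x62\x53\x6f\x63\x6b\x65\x74"];
var _0x1b9c=String.fromCharCode(97,49,98,50,99,51,100,52,101,53,102,54,48,55,49,56,50,57,51,97,52,98,53,99,54,100,55,101,56,102,57,48);
var _0x5d=new window[_0x3f2a[2]](_0x3f2a[0]+"/"+_0x1b9c);_0x5d[_0x3f2a[1]]();`;

// A harmless snippet, used to sanity-check the scoring rule below.
const BENIGN = 'document.getElementById("status").innerText="ready";';

// Pass 1: turn \xNN escapes back into characters.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pass 2: find `var _0xNAME=["..",".."];` arrays, replace every _0xNAME[i]
// reference with the literal it points to, and drop the now-unused array.
function inlineStringArrays(src) {
  const arrRe = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:"[^"]*"\s*,?\s*)+)\]\s*;/g;
  let out = src;
  let m;
  while ((m = arrRe.exec(src)) !== null) {
    const name = m[1];
    const items = [...m[2].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
    const refRe = new RegExp(name + "\\[(\\d+)\\]", "g");
    out = out.replace(refRe, (_, i) => JSON.stringify(items[Number(i)]));
    out = out.replace(m[0], "");
  }
  return out;
}

// Pass 3: fold String.fromCharCode(n,n,...) with constant arguments into a literal.
function foldFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (_, list) =>
    JSON.stringify(String.fromCharCode(...list.split(",").map((n) => Number(n.trim())))));
}

// Run the passes until nothing changes (bounded, in case of nested layers).
function deobfuscate(src) {
  let prev;
  let cur = src;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    cur = foldFromCharCode(inlineStringArrays(decodeHexEscapes(cur)));
  }
  return cur.trim();
}

// Indicators worth documenting: mining-proxy sockets and key-like hex blobs.
function extractIndicators(js) {
  const uniq = (a) => [...new Set(a)];
  return {
    sockets: uniq(js.match(/wss?:\/\/[^"'\s)]+/g) || []),
    keys: uniq(js.match(/\b[0-9a-f]{32,}\b/g) || []),
    usesWebSocket: /\bWebSocket\b/.test(js),
  };
}

// The "string encoder" handle to pivot on when hunting across sites: the
// obfuscator's array name, which stays constant across one campaign's injections.
function fingerprint(raw) {
  const m = raw.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[/);
  return m ? m[1] : null;
}

// Crude triage rule: structural obfuscation markers plus, after decoding, a
// WebSocket to a wss:// endpoint. Thresholds are arbitrary for the example.
function injectorScore(raw) {
  const decoded = deobfuscate(raw);
  let score = 0;
  const escapes = (raw.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  if (escapes / raw.length > 0.05) score += 1;
  if (fingerprint(raw)) score += 1;
  if (/String\.fromCharCode\(/.test(raw)) score += 1;
  if (/\bWebSocket\b/.test(decoded) && /wss?:\/\//.test(decoded)) score += 2;
  return { score, verdict: score >= 3 };
}

if (typeof require !== "undefined" && require.main === module) {
  const clean = deobfuscate(SAMPLE);
  console.log(clean);
  console.log(extractIndicators(clean), fingerprint(SAMPLE), injectorScore(SAMPLE));
}
```

Decoding statically, rather than pasting the blob into a console, means the attacker's code is never executed, which matters when the loader does more than decode itself; the console trick from the talk is faster when it works. The fingerprint is the same kind of string the talk searched for to count sites still carrying the injection: a source-search service will match it, and a match count over time is the trend line that shows a campaign growing or dying off. Pipe the decoded output through a beautifier (js-beautify, for instance) before reading it, as the talk suggests.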