
BSides Sofia 2025: Weaponized Open-Source Applications: Real-Life Cyberattack Scenarios

BSides Sofia · 2025 · 30:24 · 121 views · Published 2025-04
Style: Talk
About this talk
by Juho Jauhiainen

An analysis of one case, together with an analysis of other similar campaigns identified that use malicious advertisements to distribute weaponised open-source software. A walkthrough of one case from start to finish: how the malware was distributed, how the malware worked, what indicators were found by the malware analysis, and what was the motive of the threat actor.

Transcript [en]

All righty. Thank you very much. So I was supposed to be the last speaker, between the good talks and beers, but now I'm between good talks and lunch. So I don't know which one is better. Oh, sorry, I took this one. I wasn't supposed to take it. I'm stealing everything, I see. So, sorry. I'm going to talk to you about open source software weaponized as part of a compromise, and my talk will be from the defensive perspective. I am a defender, blue teamer, DFIR specialist, malware analyst and so on. This will be from a real case I was dealing with previously. I will walk you

shortly through the case first and then I will let you know the details about the malware. But first of all, I'd like to start my... Oh, it's asking for permission. I don't need that one. Yeah, I'm happy with this one. All right. So first I will start with a disclaimer. I work in a big company. We have 800,000 people working for Accenture and we have good lawyers. So I always want to say that if I say something stupid, tell stupid jokes or anything else, all the expressions are my own and all the comments are my own. So don't blame Accenture. If I tell you something stupid, blame me. It's on

me. Purely on me. So my name is Juho Jauhiainen. I have been working with Accenture for the past three years. I have been doing 11 years of cyber security, mainly DFIR and malware analysis. Before Accenture I was working for the Finnish government, NCSC Finland, and before that some consulting as well. I have a master's degree in information security and cryptography, and even though it says cryptography, I'm not that good in mathematics. One thing I want to mention is Disobey. If you are ever planning to come to Finland, you should come in February because we have the

hacker conference in Helsinki. We have around 2,500 people attending the conference. Good talks. For example, Chris Kubecka was there a few years ago giving a keynote. So a really good place to be if you want to participate. But that's about me, and let's move on to the actual agenda. Like I said, I'm going to walk you through the case first: how we came up with the case, what is the story behind it. Then I will move on to the malware analysis bit. I will go through the malware analysis chain, and then some lessons learned from the case and other stuff as well. So this case took place in

December last year. Early December, late November I think it started. I was pulled into the case to do the malware analysis bit and figure out the timeline as well with the rest of the team. I'm not going to mention the client and I'm not going to show you all of the juicy details, because I don't want anyone to realize which company this was, but this was an organization in Europe, and quite a big one.

So, overview of the case. The threat actor forked the open source code of KeePass and weaponized it with malware. I'm going to explain how they did it and what kind of changes they made to the code. Then they created a fake website where they were sharing the sample. This is one of the websites they were using, keygas.com, and there are several others. I will show a bit of them later on, but this was the one they were using in this case. Then they created a malvertising campaign on Bing where they were advertising this fake website.

What happened in the organization? They had KeePass in the organization, so it was allowed software; they were able to use it on a daily basis. So they were storing all their company credentials in the KeePass vault. The victim was using a Windows 11 system. He or she was trying to find KeePass on the system and used the search bar in the bottom left corner, and the Windows 11 Cortana search bar returned as the first result the real application which was installed on the system, and the second one was the fake website from Bing. So Cortana shows you the Bing results as well. Instead of clicking the first one, they clicked the second one and ended up on the fake website, where they downloaded the malicious version and compromised their system. I will shortly tell you more about the malware, but basically the ultimate end of the infection chain was a

Cobalt Strike beacon, which was then used for a manual operation against this organization, and at the end of the presentation I will tell you more about the manual operation as well. So at a high level the case was like this, and let's now look at the more detailed facts about the case. When we got the case, it started with the detection. The client had a Microsoft Defender for Endpoint E5 license. They were using it and it detected Cobalt Strike, but it didn't detect this malware. They detected another instance of Cobalt Strike in their environment, where the investigation started. It had a really short time: the first alert came 6 hours after installation. But 6

hours is still much to do for the threat actor; in six hours you can do a lot in the environment, and 30 minutes after the manual operation, so the impact wasn't that big, and I will tell you later on how big it was. In this case we retrieved the binaries from the system using MDE, but they were also available on VirusTotal, not all of them but some of them. If you're interested in walking through the malware analysis chain, I can deliver you the samples or you can download them from VirusTotal as well. So now to the interesting part, the

malware analysis. First of all, this KeePass installer which was downloaded from the website was named KeePass-2.57-Setup.exe, and it was built with Inno Setup, which is the same method the real KeePass uses for building. And as you can see, all the information here, like Dominik Reichl who is the original creator of KeePass and so on, everything here looks kind of legit, except the publisher, which I will discuss more later. A few things I want to highlight. They made a mistake: they forked the previous version of the

source code, 2.56, and renamed it to 2.57. So there's a version mismatch between the actual file and what it is saying. Another thing, which I already mentioned, is the Inno Setup, which is built the same way as the legit one, which makes it really easy to extract. So basically it's very easy to see what is inside these installer files, and you can see the hashes and so on. You can compare them to the real one, which was done in this case as well. So what I did next was to compare the real, legit KeePass to this version I downloaded from the fake website. And as we

can see here, many of the files have the same naming convention and even the same hash values, and the comparison is done here. So we can see that all the other files except these three up there, KeePass.exe, conf.bin and ShInstUtil.exe, match the real version. So the client actually thought that, because the malware was signed and it had all the legit files there as well and the naming convention was real, this is actually a real version and something else had happened, because MDE didn't identify this as malware. So looking at this, my question was like, what are you three files? And these files are the ones that

I went through manual analysis with, what they do and what kind of functionalities they have. But first I of course want to analyze a little bit how the infection chain is, and I'm not going to take you through my try-hard session of taking time to analyze the malware, but I will show you how the infection chain goes. So basically KeePass.exe was the launcher. It executed ShInstUtil.exe, which then decrypted and executed conf.bin. And the installer, like I said, writes several files to the disk and most of the files are the same as in the real version. But these three malicious files: the first one is written in .NET, the

second one is a common C binary, and the last one is encrypted data which after decryption becomes a CS beacon. Of course, when you are dealing with malware, I tend to run it every time and try the functionalities out, especially as this was mimicking the real KeePass. So this is a screenshot of this specific malicious version. I created my own database there, put there some passwords, some websites and notes, and then executed it, and in the background took a look with Procmon at what it does, and this specific file actually caught my attention. So it is actually writing a file under the AppData\Local directory with some

digits and KP, and I was super interested: what is this file? What does it do? What does it contain? Is it the additional payload or something else? Nope. It's actually the cleartext dump of my passwords. So here you can see all of my passwords which I had stored. Please don't use them. They might work. So anyway, this is the functionality of this KeePass as well. So it actually steals your credentials which are stored in the KeePass vault. Of course, we want to know how this works and why it does it. So, let's take a look at the decompiled

code. The binary is kind of big. For example, the main form has almost 17,000 lines. So it's time consuming to go through the malware line by line. I'm not going to bore you and show all of the code, but here are some pics from the code I want to show you. For example, the main form has an additional 192 lines more than the original one. So there is some added functionality. And what this functionality actually does: it basically loops through the open database and writes the account login name, password, website and comments to a memory stream. And this is by the way interesting: if the password vault has

eight or more passwords, it will proceed with writing the file on the disk or something else. So if you are storing fewer than eight passwords, you can use this in your daily operations. Then it writes it to the file which I mentioned previously, so the KP file under AppData\Local; it's a random three-digit number, so basically every time you execute it, it might be different. So it's not a good IOC, for example, to identify just based on the file name, but of course a regex might work. Then the other stuff it does: basically it's creating this kind of launch parameter for ShInstUtil, and

the launch parameter is a hexadecimal string which is built in the main form class of KeePass.exe. After that, that query string is passed to ShInstUtil.exe, which is then launched with it and executed in hidden mode, so the user cannot see any command lines popping up. It's running in the background. And it also sets persistence for ShInstUtil.exe to ensure that every time the user logs on or the machine is rebooted, ShInstUtil.exe will be executed. So my question was, what is this ShInstUtil.exe? I wasn't too familiar with KeePass before this case. Now I know the internals quite well because I have been learning the real

version as well. So basically this ShInstUtil.exe in the real KeePass installs the shell install utility, basically helping out the Windows user so that you can open the KeePass vault using Windows Explorer, and typically it only has two parameters: install and uninstall. So it doesn't have this query parameter. And of course the next question is, why is there a query parameter which is passed from KeePass? Oh, wrong direction. Here we go. So I went to statically analyze ShInstUtil.exe and here are the highlights of the analysis. Basically the main function checks first if the binary has been started with the query parameter.

If that check is passed, it will load the content of the file conf.bin into memory and store it in a variable. Later on there is this RC4 key creation process, where the query parameter is passed, and then later on conf.bin is decrypted using that key with RC4. Then it will execute the payload, and the execution is kind of, well, this is known for red teamers, but for me this was kind of a new one. Basically they are using the EnumFonts wide-character API with a callback function pointing to the start of the shellcode. So basically when Windows enumerates the fonts on the system, it will return

to the shellcode instead of the main program. So they were trying to evade detection by using Windows native APIs for executing the shellcode, without using stuff like jumping the code to the shellcode, when it would be more easily detected by the EDR or AV. I'm lazy. So I saw this and I thought that I don't want to start implementing the same RC4 myself. I want to do it the easy way. So how can I get my hands on the actual shellcode? I went to dynamic analysis: basically run the binary and dump the memory. So here's how I did

it. Very basic stuff if you are familiar with malware analysis: just set breakpoints in the debugger, then go to the memory section and dump it to a file, and this is exactly what I did here. So I managed to write the shellcode to disk, and like I said before, this was Cobalt Strike, and often when we do DFIR we always see Cobalt Strike. I'm getting bored of Cobalt Strike. Please come up with something new, because every time we are seeing it: APTs use it, ransomware groups use it, everyone uses Cobalt Strike. So it would be nice to see some other C2 framework in the future as

well. So basically, running against a few common Cobalt Strike beacon parsers, I figured out that it's using the same license ID that the Black Basta ransomware group has used in previous ransomware attacks. So a very light attribution to ransomware here, because, you know, license IDs: when you crack the software you can define the license ID, you can use whatever you want there. The common ones are like 1, 2, 3, 5, 4, 5, 6, 6, 7, and 1337 and 666 basically. But this is not like some leetspeak. This is something else and it looks like a legit one. But, of course, you have

to remember that you can basically generate the license ID in Cobalt Strike. The other thing is the C2 domains. Here are the ones it was using. It was using sinit.com and tele digital, and these two domains are similar to the ones that Black Basta is using. So another attribution to the Black Basta group, still a very light one, a low confidence one. And these were protected by our favorite one, Cloudflare. I was working before for NCSC Finland, and back then we were doing a lot of abuse and takedown requests to different vendors when we were seeing C2s, and every time it was Cloudflare we had a really painful time, because they were

really bad at responding to takedown requests, and usually they respect the privacy of the end user, and for malware I cannot understand this. But I heard good news a few weeks ago from my ex-colleague that they are getting better and they are actually doing something about the takedown requests. But anyway, so many threat actors use Cloudflare to protect their actual infra and set it behind Cloudflare. Of course this gave us some OSINT leads, and I was keen to find more campaigns related to the same threat actor or similar malware or something else. So I was going through what we have, and for example keycast.com,

based on the HTML search, brought me back a lot of other domains that were used to deliver the same malware, and it would be super interesting to see how much this malware has been downloaded from the sites, but I don't know that. But at least they are doing a great job of creating new typosquatted domains where they share this malware, and I assume that these are part of similar malvertising campaigns as well. The next one was about the certificate, so the digital signature of the EXE files. Like I mentioned at first, the name of the company that had signed this binary was ARCOM

LLC, and that's one of the OSINT leads I was using. But if we compare it to the real one, we can see that they are using the open source developer signature here and it's totally different. And this should ring some bells when you're installing software from untrusted sources: if the signature doesn't match the original creator of the program, it should be alerted somewhere. So how about this ARCOM LLC? This company came back with multiple results when I was doing searches on it, and I found two companies with that name, and one of them is based in Uzbekistan and another one is a Russian company. So this also

supports the theory of a ransomware group operating from Eastern Europe using these stolen signatures, or even companies that are made to create signatures. These kinds of companies do not have business, but they are usually used to do something malicious, for example to buy Cobalt Strike licenses and so on. Unfortunately, well, I was looking of course at the thumbprint of the digital signature to find out if there is other malware signed with the same certificate, to identify if they have other campaigns, other malware campaigns targeting some other open source software, but unfortunately VirusTotal returned only these samples which were related to this campaign when I was

doing the presentation. So hopefully, if they reuse this digital signature, I will get an alert and I will see if they are using that to sign other malicious programs as well. Then of course the debug file paths. Basically when you compile code it will embed the debug path of the PDB file into the code, and these two binaries both had PDB paths. The path is on the F drive, work, KeePass 2.56, but unfortunately I couldn't find any malware that was using, for example... well, F work is kind of generic so it brings a lot of false positives, but with the full path under the KeePass I

couldn't find any other versions of KeePass which would have been weaponized with similar techniques. But I managed to find another campaign, and this is by the way the only public blog post related to the same threat actor. Trustwave had released last summer in June a blog post about the same group using the same CS beacon, same watermark and same TTPs while creating the malware, but instead of using KeePass or other popular software they were using a fake Advanced IP Scanner. I don't think that this software is actually that often used in organizations; I don't see why, for example, HR or social media

person would download this software and run it in the environment. So I don't think this was as successful as the KeePass one, but anyway, instead of actually putting the malicious code into the program, they were using DLL sideloading: creating this malicious DLL which was loaded from the same directory, and then it did the same thing, decrypted the blob and injected the Cobalt Strike beacon into the process.

So, case summary and lessons learned. First of all, a few things I want to mention from the case. It has low confidence attribution to the ransomware group. KeePass was weaponized with password stealing capabilities as well, not just the beacon, and they were

using malvertising, and it required user activity. Like I mentioned before, the user was using the Windows 11 Cortana search to end up on this web page. And my question is, why is Microsoft showing these malicious ads in Cortana? We don't want them. No one wants them there. I know that they're doing business, but it would be enough if they showed them on Bing, but not in the actual operating system. And if they continue doing this, I assume that there will be more campaigns like this; it will be very effective against people who are not that tech savvy. For example, in this case, the person who got compromised was working in the communications and social

media team of the company. Lazy. I'm lazy as well. Yeah. And now we come to the impact of the case. And I have to prepare you for the disappointment of the year.

No lateral movement, no ransomware, no additional malware deployed. Only the KeePass credentials were compromised. Crypto scam. So what actually happened after the manual operation? They came in late in the evening. First thing they did, they read the credentials from the AppData\Local KP file. They stole all the credentials in that file, and like I said, the victim, the user, was working in the social media department. This is related to what happens next. So they got detected after that and they were kicked out from the environment. So they had to change their tactics on the fly. Their goal was to do something, but now they cannot do it. So

they have to do something else, which came up to the crypto scam. What they did: they created a fake NFT-themed website with a crypto stealer. So basically this fake website was themed as the victim. It was looking like it would have been created by this organization, and they were saying, hey, we have these exclusive NFTs, come and buy them before they run out. And then when you went to the site there was this crypto stealer JavaScript, highly obfuscated by the way, but it was there, and it tried to steal your cryptocurrency from your wallets if you had a session open in the same browser. Well, how did they manage to get people to

their website? They had the social media credentials. So they were using the client's social media to promote this website. This client had 6,00 followers on Twitter. So it was a very good campaign and it reached many people. I don't know the impact for the third party victims who visited that site; if they had bitcoins, they might not have any more. And my biggest what-if here is: they did something that wasn't that interesting, the crypto scam. But my what-if is, if they were not caught by MDE, would this incident have led to ransomware? Because there is low confidence attribution to a ransomware group. And to be honest, I think they would have executed ransomware in

this environment, but they didn't have time to do lateral movement, enable persistence in the environment and so on. So they had to change their tactics. So what are the lessons learned from this case? In this case, we actually did the malware analysis faster than forensics. Before we had the laptop, we already knew how the computer was infected, because we got the binaries from MDE, we saw the infection chain, we knew the facts. So it was really easy to do the forensics. That is why you always have to do malware analysis as well, if you see malware which is related to the incident. Of course, if the client would

have used MFA on their social media, they would not have been compromised by that. Their social accounts would not have been compromised. But instead of using MFA, they were using the KeePass vault with all the credentials there, which were stolen in this case. And of course the third one is, why should the social media team or HR or anyone be able to download applications from the internet and run them? Why should they need that functionality? We cannot always blame the users. We have to do something to make their life, well, I wouldn't say easier, but safer, so that they know where they can download the software and they cannot download it elsewhere. And of course the

Microsoft thing: why are you doing it? I don't know. I really want to get an answer. Why are you showing the malicious ads there? One last thing before I end. This is my first time in Bulgaria. I have never been here. My colleague lives here, so I wanted to visit him. But the original reason was Vangelis took us from Greece. He actually told me I should put in a CFP here and come to talk here. And he said to me that he will be here today, he will try to come from Greece to see my talk if I submit and get accepted. He's not

here. I asked him yesterday, where are you? I'm in London. I forgot. Like, dude, come on. Yeah. All right. Anyway, my name is Juho and thank you very much. If you have any questions, I'm happy to answer them.
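The installer comparison the talk describes, the step that singled out KeePass.exe, conf.bin and ShInstUtil.exe as the only files differing from the legitimate build, written out as an added Python example. This is not code from the talk or from the KeePass project; it assumes both installers have already been unpacked into two directories (the talk notes that Inno Setup builds are easy to extract) and constructs two small placeholder directory trees in a temp folder so it runs offline. The file names and contents are constructed for the demo, not real binaries.

```python
"""Compare a suspected trojanised installer's extracted files against the
legitimate installer's extracted files by SHA-256, and report which files
are identical, modified, extra, or missing.

Added example, not code from the talk. Assumes both installers were already
unpacked into directories; the sample trees below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map relative POSIX-style path -> sha256 for every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(legit: Path, suspect: Path) -> dict:
    """Classify each suspect file relative to the legit build. 'modified' and
    'extra' are the ones that deserve manual analysis; 'identical' files carry
    the legit hashes and are what made the build look genuine."""
    a, b = hash_tree(legit), hash_tree(suspect)
    return {
        "identical": sorted(k for k in b if k in a and a[k] == b[k]),
        "modified": sorted(k for k in b if k in a and a[k] != b[k]),
        "extra": sorted(k for k in b if k not in a),
        "missing": sorted(k for k in a if k not in b),
    }


def build_sample() -> tuple:
    """Constructed sample trees mirroring the case: same file names on both
    sides, but KeePass.exe and ShInstUtil.exe differ and conf.bin exists only
    in the suspect build. Contents are placeholder bytes, not real binaries."""
    base = Path(tempfile.mkdtemp())
    legit, suspect = base / "legit", base / "suspect"
    shared = {
        "KeePass.exe": b"placeholder: legit KeePass.exe",
        "ShInstUtil.exe": b"placeholder: legit ShInstUtil.exe",
        "KeePass.chm": b"placeholder: help file",
        "Languages/readme.txt": b"placeholder: readme",
    }
    for root in (legit, suspect):
        for rel, data in shared.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # The three files the talk found to differ from the real 2.56 build.
    (suspect / "KeePass.exe").write_bytes(b"placeholder: patched KeePass.exe")
    (suspect / "ShInstUtil.exe").write_bytes(b"placeholder: patched loader")
    (suspect / "conf.bin").write_bytes(b"placeholder: encrypted blob")
    return legit, suspect


def demo() -> dict:
    """Build the constructed trees, compare them, print and return the report."""
    legit, suspect = build_sample()
    report = compare_trees(legit, suspect)
    for category, files in report.items():
        print(f"{category:>9}: {files}")
    return report


if __name__ == "__main__":
    demo()
```

Against real extractions, point `compare_trees` at the two unpacked directories; anything under `modified` or `extra` is where the added code lives, and a non-empty `missing` list is worth a look too, since a repackaged build may drop files it no longer needs.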
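Detection logic for the two host-side indicators the talk gives, the cleartext credential dump written under AppData\Local as digits followed by KP (the talk suggests a regex because the digits change per run), and ShInstUtil.exe being launched with anything other than its two legitimate arguments, install and uninstall, run over constructed sample telemetry. This is an added example, not code from the talk: the CSV log format is a stand-in for real Procmon or MDE data, the three-digit prefix in the regex is an assumption from the talk's description, and the `query <hex>` command line is a constructed sample, not the real syntax.

```python
"""Scan constructed endpoint telemetry for the two indicators described in
the talk. Added example, not code from the talk.

Assumptions: a simplified 'event,process,target,cmdline' CSV instead of a
real Procmon/MDE schema; the dump file name is modelled as three digits
plus 'KP' under AppData\\Local; legit ShInstUtil.exe takes only
'install' or 'uninstall' (possibly with a - or / prefix)."""
import csv
import io
import re

# Assumed name pattern for the credential dump: <3 digits>KP directly under AppData\Local.
DUMP_FILE = re.compile(r"\\AppData\\Local\\\d{3}KP$", re.IGNORECASE)
LEGIT_SHINSTUTIL_ARGS = ({"install"}, {"uninstall"})

# Constructed sample log; paths and the 'query' argument are made up for the demo.
SAMPLE_LOG = """\
event,process,target,cmdline
WriteFile,KeePass.exe,C:\\Users\\alice\\AppData\\Local\\417KP,
WriteFile,KeePass.exe,C:\\Users\\alice\\AppData\\Local\\KeePass\\KeePass.config.xml,
ProcessCreate,ShInstUtil.exe,,"ShInstUtil.exe install"
ProcessCreate,ShInstUtil.exe,,"ShInstUtil.exe query 3a5f9c2e"
ProcessCreate,notepad.exe,,notepad.exe
"""


def normalise_args(cmdline: str) -> list:
    """Drop the executable token and strip -/ prefixes so 'install', '-install'
    and '/install' compare equal."""
    return [a.lower().lstrip("-/") for a in cmdline.split()[1:]]


def scan(log_text: str) -> list:
    """Return (rule_name, evidence) tuples, one per suspicious event."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] == "WriteFile" and DUMP_FILE.search(row["target"]):
            findings.append(("keepass_cleartext_dump", row["target"]))
        elif row["event"] == "ProcessCreate" and row["process"].lower() == "shinstutil.exe":
            args = set(normalise_args(row["cmdline"]))
            # The real utility only knows install/uninstall; a hex 'query' blob
            # is the loader hand-off the talk describes.
            if args not in LEGIT_SHINSTUTIL_ARGS:
                findings.append(("shinstutil_unexpected_args", row["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

The second rule is the more durable of the two: the dump file name can be changed trivially, but a shell-integration helper being launched with an argument it was never built to accept is a behavioural mismatch against the legitimate program, which is the same kind of comparison the talk used to find the three modified files.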