Weaponized Open-Source Applications: Real-Life Cyberattack Scenarios

BSides Dublin, 28:20, published 2025-10

Welcome to my talk about open-source software weaponized as part of a compromise. A few things first. I always tend to start my presentations, especially as I work at Accenture, with a disclaimer that this presentation is solely presented by me and created by me, and all the comments, stupid jokes etc. are on me. So if you are going to sue someone, sue me, not Accenture, please. All right. So who am I? My name is Hoyan. I'm from Finland. This is my third time speaking at BSides. I have been working in information security for almost 11 years, mainly doing DFIR, slowly pivoting to CTI and malware analysis. My background: I have a master's degree in cryptography and information security, and I do a lot of community stuff in Finland. So if you are ever planning to come to Finland, I suggest for example participating in Disobey, which is a security conference, or HelSec, which is like BSides but we host it a little bit more often. I also have some military background, participating in Logatils every year since 2018, and the tweet there by the Finnish Defence Forces, I heard recently that it's the most popular social media post of the Finnish Defence Forces ever. So I wanted to add it to my CV, because why not.

All right, that's enough about me, so let's go to the actual topic today. What we're going to see today: first I'm going to introduce you to the case where I got familiar with the malware, then the actual malware analysis, and then a case summary, so what we learned from this case and what could be improved and so on. Let's start with the case introduction. This case started around early December last year, when the client engaged Accenture to help them with an incident response case, and I will walk you shortly through what actually happened. Basically it started with the threat actor forking the real KeePass software. As you know, KeePass is open-source software, so the source code is available and they can copy it, make their own version and publish it. So they did that and added a few extra features to the code, which I will show you later in this presentation. Then they created a fake website which mimics the real KeePass website. This is a typosquatted domain where they were sharing their own version of KeePass, and of course they wanted users to find their way to this website, so they started an advertisement campaign on the Bing search engine. And now the actual victim comes into play. One of the employees of the victim was using KeePass in their daily operations. They were working in the social media team of the company. They were using the Windows Cortana search bar, the search bar in the bottom left corner of the Windows taskbar, to search for KeePass. And unfortunately the Cortana search bar doesn't only show you the real results, it also shows ads, which in this case were placed there by the threat actor, and they ended up downloading the malicious version of KeePass. The KeePass launched (well, it does several other things as well, but it launched) this Cobalt Strike beacon, and later on the same day it was launched, the threat actor started their manual operation in the client environment.

A little bit about the case. The client had Microsoft Defender for Endpoint installed, and the incident was detected quite fast. The first alert came 6 hours after the installation, around 30 minutes after the manual operation of the threat actor had started; MDE alerted when the attacker executed another instance of the beacon. They were operating manually in the environment; they didn't use the initial beacon but launched another Cobalt Strike process, which was then detected by MDE. So the first execution was not detected by MDE, and the threat actor had around 30 minutes to play in the environment. So no detection or prevention of this KeePass, and based on my knowledge this KeePass version can still be installed and executed on systems running MDE. The binaries in this case were retrieved using the EDR, but they are and were available on VirusTotal as well, so someone else had seen them and uploaded them to VirusTotal.

So let's start the malware analysis. First of course I downloaded the executable, the installer file of the KeePass, and took a look at how it looks. First of all, the binary is signed. The client actually said to us (oh, I see, yeah, all right, you got it anyway), the client said to us that this looks like a benign binary because it's signed and it shows the company, the original developer name of KeePass. But here are some things that are odd. For example, the publisher, Aarcom LLC, which we'll discuss a little later, doesn't sound like the company that actually releases KeePass. It's something else. So basically a stolen certificate for doing the digital signature of the binary. Another funny thing is that the name of the file was KeePass 2.57, but the actual product version visible in the setup is one version before. I don't know what the actor did; they provided a mismatched version number there. But this is a red flag, basically, and we need to analyze more what the actual installer does. This installer is built with the same setup tool, Inno Setup, as the original version, so it's really easy to extract and see the contents, what files are inside the setup, because I believe that not all of the files are on VirusTotal, so you could not download them one by one; you have to download the bundle to analyze all of the files.

What I did then, of course, I wanted to go and compare them to the real version of KeePass: what is different from the real version and which binaries are the same. Immediately I saw that most of the files installed with the latest version of the KeePass installer are the same, except KeePass.exe, ShInstUtil.exe and this conf.bin, which doesn't even exist in the real version. So these were definitely points of interest: what are these files doing? Then I started the analysis process, and I will skip a little, because I don't know how people usually analyze malware, but for me it's hours of frustration and then I finally get results, and then I go back to my analysis notes and see what I actually found. So, a few moments later (I will skip the frustration part because I cannot fit that into 25 minutes), the overview of the files. The KeePass setup installs three important files to disk: the mentioned KeePass.exe, ShInstUtil.exe and conf.bin. These three files are definitely malicious and I will shortly explain what they are doing. KeePass.exe was a .NET binary, ShInstUtil.exe was a traditional C binary and conf.bin was encrypted data, so there wasn't anything in clear text from which you could identify what the file is.

The infection chain is that KeePass.exe launches ShInstUtil.exe, which decrypts and executes the Cobalt Strike beacon from the configuration file. Before going to the decompiled code, I want to show you how the program actually works. It works like the real KeePass: the user can use it for their password vault. This is a screenshot from my lab where I installed the version and created this KDBX database to store my super secret passwords. Then I checked with Process Monitor what's going on there, and I saw that it's writing a suspicious file to the AppData\Local directory, named with three digits and KP. Of course I wanted to know what is there, and boom, there are my clear-text passwords. So basically it's an information stealer: it steals all the credentials stored in the KeePass database and writes them to the file. Let's take a deeper look at how this actually works. The MainForm class of KeePass.exe has almost 200 lines added, so there is some additional functionality which is not in the real KeePass. If we take a look at what it actually does, it basically loops through the database and steals the important and relevant information there, and in the end writes it to a file located in the user's AppData folder, naming the file with three random digits and KP. We already knew that, but it also has some other functions. One important point from this one: there was an if condition, so if the user has eight or more passwords stored in the KeePass vault, it will do the execution and write the passwords to disk. If the user had for example six passwords, it never did anything malicious. So I just said, well, it's a joke, but I don't know if the client understood it, I said that if you had less than eight passwords you're safe because it doesn't do anything malicious and you can continue using it as is.

The other function is launching ShInstUtil.exe, and it gives this executable a kind of hexadecimal parameter and starts it with that. It also sets persistence for this executable, so every time the user logs on, this executable is executed with this specific parameter, which is this hexadecimal string. My question was of course, first of all, what is this ShInstUtil.exe actually doing, because it was visible in the real KeePass version and also in the malicious one, and the other question was where this hexadecimal string is used. So what is ShInstUtil.exe? In the real KeePass it's the shell install utility; it helps the user to open .kdbx files with right-click, Open with KeePass. It implements this, and in the real version there are only two parameters, install and uninstall, so it doesn't have this kind of query parameter. Of course that was my point of interest when I went to the decompiled code to see what it does. I saw that in the main function it first checks if the query parameter is given to this binary. If the check passes, it loads the content of conf.bin into memory and then uses the query parameter as the key for RC4 decryption of conf.bin, which is the Cobalt Strike beacon. Then for the execution it doesn't launch it directly but uses the EnumFontsW API with the decrypted beacon as the callback function. So basically it enumerates the fonts on the Windows system, and when that completes, it doesn't return to ShInstUtil.exe but instead launches the Cobalt Strike beacon.

The next step of course is to decrypt the actual content of conf.bin to see what kind of Cobalt Strike it is and so on. And I'm a very lazy person, so of course I prefer to run things rather than write my own decryptor for the configuration files. If you have ever done malware analysis, you are very familiar with dumping stuff from memory to disk for analysis. So here's just a walkthrough: checking where the actual content of conf.bin is written in memory, then waiting for it to be decrypted, and then dumping the decrypted version of the shellcode to disk for analysis. As I already told you, it was Cobalt Strike, and if you have ever done DFIR, I guarantee that you are seeing a lot of Cobalt Strike. So this wasn't anything surprising or cool; this is basically day work if you are doing DFIR, analyzing the beacons. But let's take a little look at the beacon configuration. Cobalt Strike beacons always have this license ID, which says which license was used in the team server where this beacon was generated. In this case they're using a license ID which is publicly attributed to Black Basta. This is not attribution, but I'm just saying that the Black Basta group has been using the same Cobalt Strike license. Of course, it might be a cracked version, but usually if you are looking at Cobalt Strike licenses for cracked versions, it's something like 1337 or 1234 or 666 or something. In this case it looks like a real license ID. Then if you look at the C2 domains, the callback domains where it actually calls, these are similar to the domains that Black Basta has used in their previous operations. So yet another, well, I wouldn't say strong, but an indicator leading to the Black Basta ransomware crew. But I'm going to tell you why this case didn't look like ransomware or Black Basta, at least from what we saw in the case. The funny thing about the domains: if you have been analyzing malware, you often see that the malware is using the same protections for their C2s as companies are using for their own websites. In this case as well, they were protected by Cloudflare. I'm very sorry if someone here is from Cloudflare, but I have had a lot of problems with you previously with takedown requests or getting more information. I'm just asking, why are you protecting criminal activity? Why are you protecting their info?

All right, let's move on and take a look at the other artifacts related to this campaign. First of all, the drop site wasn't the only site they were advertising. There were several others, and there are still several other sites. Here is the list I identified a few months ago which were sharing the same kind of binary. They were not just using one domain, because if one is taken down then another one can be used, and so on. This was very effective back then because a lot of companies were searching for KeePass on Bing and ended up downloading the malicious version. Then a little bit about the digital signature. Like I said, the company name Aarcom LLC looks a little suspicious, especially if we compare it to the real version, which is signed by the open-source developer of the real KeePass. I did some searches on the LLC, but I couldn't find anything other than two companies, one based in Pakistan and one based in Russia, so if we think this is yet another ransomware campaign, the companies are located in countries which support that theory as well. The other thing I was looking at is whether the same digital signature is used for other malware, whether we can find any other binaries on VirusTotal, so we can see any other campaigns or any other open-source software they have weaponized, but unfortunately the only results were the KeePass files which were analyzed in this presentation as well. Another thing I was looking for is the debug paths found in the executables. They don't give that much information about the original developer, but of course if we see the same path in the future as well, we can attribute the new malware to the same threat actor. The same threat actor had a similar campaign last summer as well. They were using the same beacon in a similar way to compromise systems, but they were using different software. They were using a fake Advanced IP Scanner (well, it wasn't open-source software, but different software), which I think wasn't that successful, because typically the normal people working in organizations don't use IP scanners at work. In this case, instead of implementing the information stealer in the actual source code, they were using DLL side-loading to execute the malicious version, the crypter of the Cobalt Strike, but they were using exactly the same beacon in this campaign.

Let's move on to the case summary. Low-confidence attribution to the ransomware group: we're not sure if it was a ransomware group, but there are a lot of things that suggest it was. The weaponized KeePass was able to steal credentials, and they were using malvertising and required user activity to launch this campaign. The biggest question of this case is why Windows 11 is showing the malicious ads in its Cortana searches, and I don't have an answer to this. Once again I'm sorry if you work for Microsoft, but you can ask this internally, why we're doing this. This allows attackers to do a lot of stuff to regular users. Then we come to the impact, and as I said, no ransomware in this case, so I have to prepare you for the disappointment of the century. Let's repeat: no lateral movement, no ransomware, no additional malware deployed, and only KeePass credentials were compromised. So what did they do? They got credentials, and as I said, this person was working in social media, and they launched a crypto scam website. They got access to the KeePass credentials, read the credentials, and after that they got detected, so they had to pivot from their initial access to somewhere else. They had the access, they were kicked out, but they still had the credentials. So what they did, they created an NFT-themed website with the client's... they basically used the client's website to do that. They copied the graphical interface of the website, the layout, and created their own website where they implemented this kind of crypto wallet stealer. If you browse the site and run the JavaScript and you have a session open to, for example, Coinbase or something, it will steal your cryptocurrency there. Then they promoted the website using the victim's social media. As I said, they stole the credentials; they had access to a Twitter account which had over half a million followers. So the reach was really big in this case, and it actually was in the news in the country where this happened as well. So they potentially... I haven't followed the cryptocurrency wallets, so I don't know if they actually succeeded in stealing money, but there's a big chance they did. One of my biggest what-ifs is: if MDE had not detected the second beacon launch in the environment, would the incident have led to ransomware? I don't know; I can of course speculate that it could have, but in this case Microsoft detected the beacon and the incident was contained.

So what are the lessons learned from this? In this case we were actually faster in the malware analysis than in doing the forensics. When we actually got the laptop of the user and did the imaging process for it, we had already completed the malware analysis, so we knew exactly what happened in this case and what the chain of infection is. Of course we had to verify those from the disk as well, so that we can see the drop sites and so on. The credentials for the social media were shared among the social media team, and of course they didn't have MFA. So when the threat actor got the credentials they were easily able to log on to the social media and use the Twitter account as they wanted. And the last one: should the users be able to download software from the internet? This is a continuous discussion with multiple organizations. Why are the users not provided with the software they need to use? Why do they have to go online and download the file, and why are they able to install it? So should, for example, application whitelisting or something be implemented in the organization?

And this ends my presentation. So, thank you very much. And if you have any questions, I'm happy to answer.

>> All right, there's one.

>> So, what tools do I use for analyzing? I'm still heavily relying on IDA Pro, even though it's very expensive. As long as Accenture pays my license, I'm happy. But I'm thinking of moving to something less expensive, for example Binary Ninja; I have really good experience with that. On the .NET side I think I was using ILSpy instead of dnSpy, and then some Microsoft native tools, like Sysinternals for the sigcheck, and of course an open-source extraction tool for the Inno Setup files, but that's about it. And of course x64dbg for debugging.

There's another one.

>> Do I know why MDE failed to detect that?

>> This is actually... every time I'm giving this presentation I've been asked that, and I'm still investigating that part. I don't know why. I don't know the answer, but it's interesting why it didn't identify the Cobalt Strike injected into the ShInstUtil.exe. All righty. There's one more.

>> Sorry, I cannot hear you. Can you come forward?

>> That used to be my pseudonym. So there's a story I can tell when we have pints about this, but it's now burned, so I cannot use it anymore. The second question.

>> So, can we go? So, what responsibilities, who has...

>> The vendors? In this case, you mean like Microsoft or Cloudflare?

>> Yeah, that's a great question. I think Google is nowadays really good at blocking malicious ads. There are not many of those, but Bing, no. So I think they should be responsible for that. But that's my personal view. I will unplug my computer. I will come there so we can continue. It's really hard to hear.
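The speaker describes ShInstUtil.exe taking a hexadecimal command-line parameter, using it as the RC4 key for conf.bin and handing the decrypted Cobalt Strike beacon to EnumFontsW as a callback, and says he preferred dumping the decrypted shellcode from memory over writing a decryptor. As an added example appended after the transcript (not the speaker's tooling, not code from KeePass and not code from the sample), here is that static decryption step in Python. It assumes the sample keyed RC4 with the hex-decoded bytes of the parameter (the literal ASCII text is tried as a fallback, since the talk does not say which), and the plausibility check uses only generic shellcode and PE prefixes rather than any signature from the case. The key, blob and file names are constructed for the example.

```python
"""RC4-decrypt a configuration blob using a key supplied as a hex string.

Added example, not the speaker's tooling and not code from KeePass or from the
sample. Whether the loader keyed RC4 with the decoded bytes or with the ASCII
text of the parameter is an assumption; both readings are tried. All keys,
plaintext and file names below are constructed for the demonstration.
"""
import sys
import tempfile
from pathlib import Path


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: produce the 256-byte state permutation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA keystream XORed with data; RC4 is symmetric, so this call both
    encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_beacon(data: bytes) -> bool:
    """Heuristic check that decryption produced something executable.
    Cobalt Strike / Metasploit-style shellcode commonly opens with `cld`
    (0xFC) followed by `and rsp, -16` (48 83 E4 F0) on x64 or a `call` (E8)
    on x86; a stageless beacon is a PE image starting with 'MZ'. This is a
    plausibility heuristic only, not a detection signature."""
    return (data.startswith(b"\xfc\x48\x83\xe4\xf0")
            or data.startswith(b"\xfc\xe8")
            or data.startswith(b"MZ"))


def candidate_keys(parameter: str) -> list:
    """Two readings of the hex parameter: its decoded bytes, then the literal
    text. The decoded reading is the assumed one and is tried first."""
    keys = []
    try:
        keys.append(bytes.fromhex(parameter))
    except ValueError:
        pass  # not valid hex; only the literal reading is possible
    keys.append(parameter.encode("ascii"))
    return keys


def decrypt_conf(conf_path: str, parameter: str) -> bytes:
    """Decrypt conf.bin with each candidate key; return the first plausible
    result, otherwise the first attempt so the analyst can still inspect it."""
    blob = Path(conf_path).read_bytes()
    attempts = [rc4_crypt(k, blob) for k in candidate_keys(parameter)]
    for plain in attempts:
        if looks_like_beacon(plain):
            return plain
    return attempts[0]


def roundtrip_demo() -> bool:
    """Self-contained demonstration on constructed data: encrypt a fake x64
    shellcode prologue with a constructed hex key, write it as conf.bin in a
    temp dir, then decrypt it the way the loader would."""
    fake_shellcode = b"\xfc\x48\x83\xe4\xf0\xe8\xc8\x00\x00\x00" + b"\x90" * 22
    hex_parameter = "deadbeefcafef00d"  # constructed; not the sample's key
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "conf.bin"
        conf.write_bytes(rc4_crypt(bytes.fromhex(hex_parameter), fake_shellcode))
        recovered = decrypt_conf(str(conf), hex_parameter)
    return recovered == fake_shellcode and looks_like_beacon(recovered)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} conf.bin <hex parameter> out.bin")
    plain = decrypt_conf(sys.argv[1], sys.argv[2])
    Path(sys.argv[3]).write_bytes(plain)
    print(f"wrote {len(plain)} bytes; looks like beacon: {looks_like_beacon(plain)}")
```

Run it against the extracted conf.bin with the hex string taken from the persistence entry the speaker describes (the argument the logon-time launch passes to ShInstUtil.exe), then feed the output file to a beacon configuration parser. If neither key reading yields a plausible prefix, the loader may derive the key differently (for example hashing the parameter first), and the memory-dumping approach from the talk remains the reliable fallback.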