
PG - Bestsellers in the Underground Economy - Measuring Malware Popularity by Forum - Winnona DeSom

BSides Las Vegas | 25:26 | 308 views | Published 2019-10
About this talk
PG - Bestsellers in the Underground Economy - Measuring Malware Popularity by Forum - Winnona DeSombre Proving Ground BSidesLV 2019 - Tuscany Hotel - Aug 06, 2019
Transcript (en)

Welcome, good morning, welcome to BSides Las Vegas. You're in the right track. I think we're improving, friends. I'd like to thank our sponsors, and especially our Inner Circle sponsors, Crito stack and Val ml, and also Amazon, BlackBerry and the NSA. Anybody who supports us, we love them, no matter what. Please, cell phones: this is being streamed, so as a courtesy to our speaker please check that your cell phones are set to silent. I will run the microphone to everybody who wants to talk, and we'll speak it up or repeat the question so that we can record it for the streaming and recording audience. All that said, let

me introduce our speaker, who is Winnona DeSombre. She's an Asia-Pacific threat intelligence researcher at Recorded Future focusing on Chinese underground hacking communities and East Asian cyber espionage campaigns. For those who don't know, there's a wonderful book called Tribe of Hackers, and she's in it. Buy the book, read the book. She is one of the world's best information security professionals. Did that build it up for you? All right, so once again, Proving Ground: Winnona DeSombre.

Everyone, I don't know if I'm one of the world's leading InfoSec people, but I'm gonna give it my best shot today, how about that? So hi guys, welcome to Proving Ground. My name is Winnona. Before we get started I would like to shout out the BSides organizers: thank you guys so, so much for allowing me to speak today, and also I'm so excited for the rest of this conference. Thank you also to my mentor Russell, he's over there in the back; he really helped me guide this presentation through from its raw thoughts to what it needs to be. So a little bit more about me: I'm a threat intel researcher at Recorded Future. I focus on a lot of

things in the Boston area with regards to security, and if you like what you see in this talk, follow me on Twitter, or don't, it's your choice. I will say that before we get started, a lot of GIFs are in here, a lot of thoughts are in here; the thoughts are mine, the GIFs are not. And if you are interested in this research in general, I actually wrote a paper on this; you're more than welcome to check it out in more detail there.

So why do we monitor criminal underground forums to begin with? There are quite a few reasons, especially if you are in threat intel like I am. For one, it's a pretty good indicator that your

company has been breached if your information or your company's information ends up being sold on these marketplaces. The second is that some of these individuals will be egotistic enough to announce that they are going to target a specific company before it occurs. But my favorite reason is primarily that by analyzing certain tools and the way they're talked about online, you can figure out how these shifts in targeting and tools are occurring on the criminal underground. When talking about monitoring shifting tools, of course there are quite a few questions that aren't really answered at the moment that I wanted to tackle. For one, what is the most popular malware just in general? What do criminals usually talk about? The

second refers more to ransomware; it's kind of in vogue lately, and how much hype should we believe in? So how much talk, or how much chatter, on criminal underground forums does ransomware fall into? And then one of my personal favorites is: what actually causes malware to rise and fall in popularity? These people on the underground forums are people like you and me, so what causes them to prefer one type of malware over the other? All of these are interesting questions, and they all fall under a single umbrella of sorts, which is: how can we primarily translate something in the realm of cyber threat intelligence, like underground forum monitoring, into something that's actionable for

defenders and red teamers alike? Before we get started on the research, however, there are a couple misconceptions with regards to the criminal underground, and one of them is that the deep and dark web is kind of the big thing to talk about. In reality, criminals operate pretty much anywhere on the internet where they can talk to one another. It's all the internet, it's all cat pictures, it's all places where we can go and talk. Talking about these underground forums, however, they are similar in a number of ways. For one, you have vendor-to-buyer conversations and buyer-to-buyer conversations. So you have vendors putting out sales posts and people commenting on the sales posts: hey,

what's it like to install this? Can I get a free copy in exchange for a review? When you're talking about buyer to buyer, you also have: hey, I found this news article somewhere, how legit is this piece of malware? Or: where can I find this particular piece of ransomware? So I took all of these discussions and questions and correlated them together based off of what type of malware they were talking about, and between the dates of May 2018 to May 2019 that was about 4 million posts. So like I said before, because all the underground forums are composed of various sources, I did use a bunch of open web, dark web, third-party

chat applications, etc. to find these posts. And when it comes to actually categorizing them based off of, you know, nicknames, various names in different languages, when you're talking about malware categories and malware families, I analyzed 61 categories and over a hundred thousand malware family names. These I got from my company, Recorded Future; we have a lot of this sort of data. So when it comes to the data set and the definitions within the data set, you'll notice here that the definition of malware that I used is not really what malware is when it comes to the generic naming. So this encompasses more than just trojans and ransomware; it also encompasses things like crypters, which

take a piece of malware and encrypt it or pack it such that it's fully undetectable by antivirus. That's not necessarily malware, but it's talked about similarly on these forums, so I included that. Same with things like exploit kits. When it comes to the particular forum conversations, I included things like the reposts of security articles, because people tend to get inspiration or discuss different types of malware in the comments, and then some spam posting, because vendors like to post advertisements for their malware pretty much wherever they can. There's a couple insights that I could glean from this data. The first one is malware mentions just across the board, all forums; the second one is by language; and the third one is

that initial question that I found the most interesting: what causes malware to vacillate in popularity based off of real-life or forum events? So let's start with malware mentions overall, let's start with the big stuff when it comes to category. So one of the questions that I had was about ransomware. It does look like we should believe the hype in some regard: ransomware was by far the most talked about malware category on underground forums, the next being crypters, which like I said isn't really technically malware and is in its own definition, and then trojan, web shell, etc. But the interesting thing is, when you look at family results, only one of these is ransomware.

So this is the top ten in terms of family, and a majority of them are trojans or remote access trojans. So what's causing this disparity? This is a really interesting way to pull apart the data, and looking even further into it, when I looked at the top 150, only 11 of them were brand-name ransomware, or just names of ransomware in general. So I looked a little bit deeper into the actual contents of every post mentioning ransomware, which was a lot, and I found that about 50%, or greater than 50%, of these ransomware-related posts were general asks, from both the vendor and the buyer standpoint. So what that means is: as a vendor, I, you know, maybe made

something that encrypts a bunch of files, and I go, hey, I don't really know if this is ransomware, I don't really know what to call it, but I'm gonna put it out there, sell it for like two US dollars, let me know what you think. There's also a bunch of people that will grab a bunch of more open-source ransomware or lower-level ransomware and bundle it all together and sell that. And then from the buyer side, this is one of my favorites: people are looking for any ransomware at all. So they're interested in ransomware but fundamentally don't know where to look; they don't know who the big buyers are, they don't know what is the good

ransomware out there. This is one of my favorite posts, kind of down here, where they're saying, oh yeah, I'm like a big vendor, but I'm interested in dabbling in either GandCrab or any ransomware, and they'll trade you, I guess, MDMA or cocaine for it. So like your upper of choice, kind of a weird barter, but I guess that's what happens down here. So now that we have the overall picture, let's dive into what happens by language. I've had a couple of people ask me throughout this research project: why separate it out by language, right? There are some underground forums where you could go in pretty much any language; some people will interact with each

other using Google Translate, for example. But I've done a couple different pieces of research where I've compared different-language forums, where the majority of the posts in a forum are of one language or another, made specifically for either Russian, Chinese or Portuguese-speaking individuals, and within each of these forums, if you compare them across the board, they come from very different backgrounds. The forums are organized in completely different ways, and a lot of the individuals that frequent these forums have very different origin stories. So what I wanted to look at is whether that was reflected in terms of what malware they were interested in, and when I look at the data, it does seem to be

that way. So this is just a quick example that I lay out in the paper, but when you're looking at mobile malware on different-language forums, it's incredibly prevalent on Chinese-language forums (this is simplified Chinese, so it's not including Cantonese or Taiwanese). But when you look at English-language forums, only two, which are two of the three original ones before, are in the English top ten, and then you look at Russian forums and there's no mobile malware to be found in the top ten. So that's actually pretty interesting. I will say that there were some overarching similarities across all forums regardless of language. For one, in every language analyzed, in the top ten

there were malware families that were over three years old, so things like njRAT, which has been open source since around 2008, kind of really, really old malware, and they're still popular, which suggests that there are individuals out there that are still using these families of malware to successfully infect victim hosts, which means that there are victim hosts out there still vulnerable to really, really old malware like njRAT. I'll say that there were also some dual-use tools in the top ten, so things like Metasploit, John the Ripper, Hashcat, things that your everyday red teamer would know about, are also being traded or shared or discussed on these criminal forums. Forum-

specific malware are things like forum spammers, and then GandCrab. For those of you who don't know what GandCrab is, it's an incredibly popular piece of ransomware only found on one Russian underground forum, until the namesake vendor for GandCrab ransomware, also known as GandCrab, retired in June. So from May to May, what was super interesting about GandCrab is that every language forum was talking about it, either "hey, look at this news article about GandCrab" or "hey, I've heard about GandCrab, where can I find it?" So that kind of leads pretty interestingly into the correlations between malware and real life, right? So going back to the original bar graph, kind of with the

families you have by type: a majority of them are remote access trojans; you have SpyNote again, which is that Android malware; GandCrab, the ransomware; NLBrute, which is a brute-forcing tool; and then XRumer, which is a forum spamming tool. When you separate all of these out by growth, it's a super messy graph, but bear with me, you see some really interesting spikes and valleys in terms of what is being talked about by month. And so what I was able to do is, every time there was a spike in a particular piece of malware, I went into the forums in which that spike occurred and analyzed what exactly they were reacting to on those forum comments or

message boards. And what I found were three primary correlated events, for this year at least. So one is just being a good malware vendor, so just providing the basic feedback, the community engagement, and I'll talk a little about that later. The second is the sale of malware in sets, so like bundling things; it's a lot like I said before, kind of a buy-one-get-one-free situation. And then the distribution of cracked malware, or what I affectionately like to call malware piracy. So moving on to being a good malware vendor: there were three big events that were associated with this kind of grouping. This is something that GandCrab, as I show here, was really, really good at. So

they would advertise regular updates to their software, because you want people to continue using it, you want people to make sure that they're still interested in the malware, you want to do some bug fixes, you want to develop this as a professional business person. The next was real-world news articles, usually in the form of advertisements, like this image shows here. This is a really good review by Security Weekly saying that GandCrab is now the most powerful threat of its kind, whether directed at a single user or an organization. Like, what kind of software gets a review like that, right? Then finally you have things like community engagement and customer service, so interacting with your buyers,

saying thank you when someone posts a positive review, answering some frequently asked questions, so on and so forth. All of these, when done correctly, usually resulted in a rise of chatter around that malware in general. The next thing was malware sold in sets. So what I mean by this is somebody will round up a bunch of malware across various forums, maybe some open-source ones, bundle them all up and sell them. There's a couple reasons that references would spike here. For one, it's search engine optimization in its most basic form: if you search for any of these four pieces of ransomware, this sales post will come up. But the other thing is that sometimes these bundles

would include complementary tools. So what I mean by this is WarZone RAT, which is a proprietary piece of malware, would usually come with a crypter that was built specifically for that RAT. So if you wanted to use a crypter-and-malware combo, you know that these two would work the best together. And then things like XRumer, which like I said was a forum spammer, when paired with a captcha breaker like XEvil, you could spam forums pretty efficiently, because you knew that even if there was a captcha involved you could just use that tool in conjunction with the forum spamming tool. And then finally you have things like cracked malware. And so just

delving into a little bit more what I mean by malware piracy: when you have a piece of software, say like Office 365, usually when you open it you have a little window that pops up that says, hey, just to make sure you're a verified buyer, put in your license key please. That thing happens all the time in proprietary malware as well. So when you buy something from a vendor, they'll usually give you a key; you put that in, and it'll ping something back to the vendor saying, hey, this person has activated their malware. So when I say cracked versions of malware, somebody has gone in and, similarly to when you try and buy a pirated version

of Office 365, which I would never ever recommend to anyone, piracy is no joke, kids, the person who has cracked that version of Office 365 has found a way to either replicate the software in an almost indistinguishable way or find a way to circumvent that license key check. So it's precisely the same thing with proprietary malware. The interesting thing about malware piracy is how it interacts with, or how it affects, the vendor. So this timeline here is kind of cool. It's about AZORult, which is one of the top ten malware families; it's a proprietary stealer, or it was, until Gazorp, which was a cracked version of AZORult. And you see that there's a little

spike here when the AZORult vendor released updates to their stealer to differentiate themselves from the pirated version. So why would you want to buy this pirated version, which may be cheaper but doesn't have these new updates? So you have a bump in supply and then a bump in the updated version. Then after some dispute, which you see in like the tiny little boxes over there, the original author actually shut down their service, so they decided that they would shut down their proprietary version of malware, and then the cracked version of the updated version of malware gets released online, and then you see a massive spike again. So it's an interesting vendor-to-vendor battling-it-out situation when it comes to malware

piracy. So we've learned a lot about malware today. Is this actually a risk to my environment? So why, or how much, should I care about this? Based off of how old a lot of the malware is, and how a lot of them aren't really effective without a delivery vehicle, because these are all commodity pieces of malware, it's usually going to be of a lower threat to a company. But because it is commonly used, commonly discussed, commonly bought and sold, it is going to be hitting a company environment with higher frequency, or at least I can assess that with a moderate degree of confidence. I will also say that in some cases, at

least eight of the top ten have been reported on in the wild, and some of them are jumping-off points for higher-impact campaigns. In conclusion, I want to say a couple things. The first one is just: individuals who buy and trade malware and who deploy malware are individuals, and they lose interest in malware, they gain interest in other malware, and so the landscape is going to change; it's definitely not something that's static. If you look at this graph over here, which is January to July (I did a little bit of a data update), the top 10 is very different here: there's six of the original top 10, and they're also in completely different orders now, except

for njRAT, which for some reason is going to be popular until the end of time. There's also, because there's dual-use tools commonly discussed on the underground forums, it's really essential for people who are defending an enterprise to understand the red team that they either interact with, or to understand red teaming tools in general. If you don't know what your red team might be using, a cyber criminal could be using that exact same tool. And also, finding baselines against different actors is important, because they focus on different malware, especially if you understand where your threat landscape lies in terms of the attackers. So for example, a company in Japan might be more worried about Chinese cyber criminals,

whereas a company in Ukraine might be worried about Russian cyber criminals, etc. But overall, I really hope that people could use this report as a baseline for patching, and what I mean by that is, in the paper at least, I try to answer this overall question by doing a couple specific things. After finding the most commonly discussed malware, you're able to actually figure out, even just based off of news reporting, what delivery vehicles are associated with these pieces of malware, so what exploit kits are being used, what kind of phishing tools are being used, and then prioritizing patching against the vulnerabilities that are utilized by these delivery vehicles. And with that, that's the end of my presentation,

and I'd be happy to take questions. So thank you guys so much for being out here.

Yeah, no worries. So as for cost, I didn't factor in cost, mainly because I'm not an economist, but it's also more difficult to factor in who's actually buying, because there is that discrepancy between the people who are willing to discuss whether they've bought it or what they're interested in. So really this is the closest methodology that I've been able to find when it comes to people's interest in malware, which is the discussion. But to be clear, you're right, I didn't factor in cost, because I have no idea if people are actually buying the malware.

So usually when it comes to persistent sellers, I will say that that's usually someone advertising one form of malware and providing regular updates. So one of the reasons why GandCrab was so consistent was because they provided updates up to, like, what, five-point-something. So just providing that regular sense of: hey, this is new, this is still something that you should be interested in. But you are absolutely right, usually if somebody doesn't provide those regular updates, they usually fall out of common references.

With regards to Cobalt Strike... oh, could you repeat the question? Oh, me? Oh, his question was: have I come across many cracked versions of Cobalt Strike, and if so, do I think it's malware, do I use that? Cobalt Strike is actually not something that I've found very often in terms of sales posts, but I will say that it's also not my area of expertise in terms of Cobalt Strike in general, unfortunately. But I do know that there are quite a few reports on those types of altered versions of Cobalt Strike being found in the wild, and if you want to talk after, I could definitely send you towards that report.

No, I have not, but that would be a really interesting take on that, the kind of continuation of this report. That's a really good idea, thank you. Oh, we're done? I'm available outside if you want to keep asking questions, but thank you. [Applause]
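The counting methodology the talk describes (tag each post with the malware families and categories it names, count posts rather than raw keyword hits, then split the tallies by forum language and rank the top N) can be sketched in a few dozen lines. The script below is an added example for this page, not code from the talk, the paper or Recorded Future. The family names are the ones mentioned in the talk; the alias spellings, the category assignments, the generic keyword list and the sample posts are all constructed for the example and are not real forum data.

```python
import re
from collections import Counter

# Constructed alias table (lower-case spelling -> canonical family name).
# The family names come from the talk; the alias spellings are assumptions.
FAMILY_ALIASES = {
    "njrat": "njRAT", "nj rat": "njRAT", "nj-rat": "njRAT",
    "gandcrab": "GandCrab", "gand crab": "GandCrab",
    "azorult": "AZORult", "gazorp": "Gazorp",
    "spynote": "SpyNote", "spy note": "SpyNote",
    "nlbrute": "NLBrute", "nl brute": "NLBrute",
    "xrumer": "XRumer",
    "warzone rat": "WarZone RAT", "warzone": "WarZone RAT",
}

# Assumed category per canonical family (the talk's 61 categories are not listed on the page).
FAMILY_CATEGORY = {
    "njRAT": "rat", "WarZone RAT": "rat", "SpyNote": "mobile",
    "GandCrab": "ransomware", "AZORult": "stealer", "Gazorp": "stealer",
    "NLBrute": "brute-forcer", "XRumer": "forum-spammer",
}

# Generic words that count toward a category without naming a family, so the
# "looking for any ransomware" asks the talk mentions are not lost (assumed list).
CATEGORY_KEYWORDS = {"ransomware": "ransomware", "crypter": "crypter",
                     "web shell": "web shell", "webshell": "web shell"}


def _pattern(terms):
    # Longest alias first so "warzone rat" wins over "warzone". Lookarounds instead of
    # \b so a Latin name glued to CJK text (e.g. "njRAT木马") still matches.
    alts = "|".join(re.escape(t) for t in sorted(terms, key=len, reverse=True))
    return re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % alts, re.IGNORECASE)


FAMILY_RE = _pattern(FAMILY_ALIASES)
CATEGORY_RE = _pattern(CATEGORY_KEYWORDS)


def tag_post(text):
    """Return (families, categories) named in one post; each counted at most once per post."""
    families = {FAMILY_ALIASES[m.lower()] for m in FAMILY_RE.findall(text)}
    categories = {FAMILY_CATEGORY[f] for f in families}
    categories |= {CATEGORY_KEYWORDS[m.lower()] for m in CATEGORY_RE.findall(text)}
    return families, categories


def count_mentions(posts, lang=None):
    """Count posts (not keyword occurrences) mentioning each family and category,
    optionally restricted to one forum language."""
    fam, cat = Counter(), Counter()
    for post in posts:
        if lang is not None and post["lang"] != lang:
            continue
        families, categories = tag_post(post["text"])
        fam.update(families)
        cat.update(categories)
    return fam, cat


def top_families(posts, n=5, lang=None):
    return count_mentions(posts, lang)[0].most_common(n)


def top_categories(posts, n=5, lang=None):
    return count_mentions(posts, lang)[1].most_common(n)


# Constructed sample posts for this example; not real forum data.
SAMPLE_POSTS = [
    {"lang": "en", "text": "GandCrab v5 update released, changelog in the thread"},
    {"lang": "en", "text": "Anyone have a working njRAT build? Old but still works"},
    {"lang": "en", "text": "Looking for any ransomware, will trade"},
    {"lang": "en", "text": "WarZone RAT sold with its own crypter, reviews welcome"},
    {"lang": "ru", "text": "GandCrab закрывается, кто-нибудь видел новости?"},
    {"lang": "ru", "text": "Продам AZORult, оригинал, не Gazorp"},
    {"lang": "ru", "text": "NLBrute обновлён, пишите в ЛС"},
    {"lang": "zh", "text": "SpyNote安卓远控 最新版 需要的联系"},
    {"lang": "zh", "text": "求一个njRAT木马，哪里能下载？"},
    {"lang": "zh", "text": "spy note 有人用过吗？"},
]

if __name__ == "__main__":
    print("all languages, categories:", top_categories(SAMPLE_POSTS))
    print("all languages, families:  ", top_families(SAMPLE_POSTS))
    for lang in ("en", "ru", "zh"):
        print(lang, "top families:", top_families(SAMPLE_POSTS, 3, lang=lang))
```

Counting posts rather than occurrences keeps a single spam post that repeats a name twenty times from dominating the tally, and the per-language split is what surfaces the kind of difference the talk points out (mobile malware near the top of the Chinese-language tally and absent from the Russian one). On real data the alias table is the hard part: the talk's point about nicknames in different languages means it would need to be far larger than this one.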
