
Hello, hello, can everybody hear me? Yeah? Are we having a good BSides Las Vegas? Can I get a thumbs up, a clap, something, anything? Yeah, right on, right. Cool. Quick reminder: silence the cell phone, nobody wants to hear your awesome ringtone. And then secondly, really excited to bring up Nicholas Carroll here to talk about merging OSINT and RE workflows to simplify analysis. Without further ado, Nick, please come on. Yeah, let's give a round of applause.

Thank you very much. My name is Nicholas Carroll. I'm a former CISO; now I am a manager of a team that specializes mostly in cyber threat intelligence, DFIR and things like that. We do fun stuff, which is why I didn't want to be a CISO anymore, so back to doing the really cool stuff there. My team does a lot of different things, and some of the things we run into are things that our SOC analysts pick up from client environments. They're not sure what it is, they'll bring it to us, and we try to figure out where to go from there. This whole talk stems from one of those events where a SOC analyst decided to ruin my Christmas. You know, it's always a holiday, right? It could never be, like, Monday at 10 a.m. that they come up with something fun. It always has to be right on top of a holiday.

We had an analyst get an alert, and it didn't make sense to him, and he's a good analyst, so I was like, well, I'm going to trust you on that one, right? It was triggering for some sort of ransomware activity, but it wasn't actually doing ransomware-style activity in the environment. It didn't match any known samples of malware for things that we had. And so we were like, all right, well, this is kind of fun, let's start with what we have, start pulling it apart and see where we can go from there.

My analyst in this one, I'm going to shout him out real quick: his name is Brian. This was my malware Santa Claus, and a lot of the stuff that I talk about here is my side of this perspective. I hope one day I can drag him out and make him do a talk on his side of this whole thing, because he does a lot of really good work on pulling things apart, better than I do in the actual code, whereas I do a lot more of the research side of the house, right? So he decided that since he wasn't getting a holiday break, he was going to make sure that I had something to do at my in-laws' house while I was hanging out there.

So it's a classic story, right? User clicks on a link and they pick up something they shouldn't. A user wanted a popular application, in this case they had wanted OBS Studio, and so they went out and they found a link to click on. When we went back through this campaign and we were kind of digging through where did it come from and how did the user even find the thing, in this case a lot of the stuff we found was malicious Google search ads were serving it up. But this user had specifically gone to YouTube, searched for a tutorial on OBS Studio, and then just clicked on the link in the description and gone to the first thing that was there. And he picked, somehow he picked a tutorial that had like five views, so, you know, good job, guy. But while we are able to look at the domain before we download things and figure out that that's not OBS Studio's actual website, the user just goes, sees that, hey, this has got the logo that I saw in the tutorial and the tutorial said to go here, so I'm going to click download and I'm going to execute the thing, right?

This campaign was doing all kinds of stuff for all kinds of different applications too. When we were digging through it they had OBS Studio, they had Notepad++, they had Click Studio and a bunch of other really popular applications all on the same domain host. Like, the root domain was ossn cool.com, right? They just changed the subdomain for whatever thing they were impersonating, and they were serving it all up at the same time.

But all we really had was an alert that said ransomware that wasn't ransomware, we had a domain and we had a file hash, and that's about it, right? That doesn't really put us very high on the Pyramid of Pain. That puts us at the bottom, with the stuff that changes too quickly to be useful for detection content engineering or doing anything super handy, because the threat actor is just going to change the hash value and the domain and everything pretty fast, right? That's just the way it goes. You know, if we want to build detection content on it, or figure out what we're looking at or where to go with this thing and make it useful, we need to try to get up towards the top, towards, you know, actual techniques or tactics, or really dig into what the malware is doing. And our systems are just not giving us any info. The sandboxes are just kind of timing out or throwing a fit with it, right? We're not getting useful feedback from our own toolsets to pick this thing apart in a quick and easy way.

But what we do know by digging through the website is that the link does give some kind of malware, right? When you click download you do get some malware, and when you try to execute it you get a thing that says, you know, notepad++.exe or OBS Studio.exe, or whatever version of the thing you tried to download, right? It had that name and it looked like it was supposed to be that application, and it would execute. Except by the time that we were digging through this thing, because domain names, hashes and other stuff changed so quickly, the C2 went down and the project was pulled from the malware developer side, right? So we now had alerts for stuff that didn't make sense, we had something that didn't match known hashes, didn't match known info, and we kind of got stuck, right? We had a little bit of info, at least for the way that it executed, but it could no longer reach out and pull down anything from C2, it could no longer go anywhere, right? We just had kind of a piece of junk malware now. But we knew we had something interesting, so we didn't want to necessarily give up on it. And we knew that most likely when one user gets it, it follows, because while our user found this beautiful YouTube tutorial and downloaded the thing from there, what tends to happen is the users talk amongst themselves, and so that YouTube tutorial or that thing that they found spreads around as people talk amongst themselves and share it and go, oh man, I found this great thing, go here and do this, right?

But we at least got a little bit of information out of here: we got a user agent, we got a second-stage URI, nothing that was functioning, but with the user agent we were able to do a little bit of open source searching. Okay, we turned it around, because we weren't matching on known hashes, and VT was coming up empty, fire total was coming up empty. We were able to take that little bit of info we had and we located a piece of research from a few months prior from Threat. They had found a brand new stealer malware that was being advertised on Telegram, and they posted their research in October, and we stumbled across the thing in December, right? And this thing, if you've heard of this name recently, it blew up in like February and was like everywhere for a little bit, still pretty popular. But they found a beta version of it from the developer, posted, and they did some basic research on it, and they had a little paper for it that they published in October. And so we were able to at least take this information and start going further and expand our search, right? We were able to feed off of what they'd done and what we knew to start carving out for more information, to see if we could find, hey, that C2 went down, but there's still active stuff out there, right? There's got to be something we can use to build our materials and put things together.

And finding this piece of information and putting it together with what we had gave us our 'oh' moment, right? That moment where we were able to go, oh, okay, now that we've seen this before, or at least we've seen that someone else has seen this before, and we have a general idea of how it used to function, we can take that, feed it back into our research, and kind of troll around a little bit. Using the information there we found the active C2s. So the one we originally found had been abandoned, but we at least knew, you know, some information about the server and how it was operating, and from the report from Threat we knew the types of URIs and ports that they were expecting on the C2. We punched that into Shodan and we found some servers, and we found some active ones, yay. From here we were able to start kind of pulling things together and making heads or tails of what we had found, and really piece things together into something that worked for us for detection content, right? We were able to get fresher samples than what was in the threat report, because we were going out to the active C2 and pulling stuff down. We were able to pull that apart to an extent and actually analyze how it was functioning, so we could write better detection content based on updated versions of the malware and how it operated, even if you changed the C2 or the hash. So we noticed that, you know, the HTTP user agent it was using to communicate hadn't changed, the actual back channel it was using into the C2 hadn't changed, and we were able to actually generate some detection content and key off of there.

But one of the other really nice things we found in researching this and having this 'oh' moment is we had the name of the malware, right? And Threat didn't come up with that name themselves; that is the name the malware developer chose for this particular stealer, and that was the name that they had for all of their information about that particular stealer. So we were able to take that information and go out and basically find the malware developer, which was really, really handy, because it turns out if you go out and actually do some searching outside of just trying to plow through the code on something, sometimes the malware developers will tell you how things work, and we'll look at that in a second.

But yeah, definitely, you know, one of the things that I run into with the guys that I have that do RE a lot is they get really hung up on the code. The code they have in front of them is the golden key to everything, it must be the golden key, it's the one thing they want to focus on. And the problem is that when you get into modern malware you get into a lot of obfuscation techniques, and it becomes very frustrating sometimes to pull apart the code and get something meaningful from it. Or it's written by somebody who is not, you know, a native English speaker, so you wind up seeing a lot of Russian terminology used for variables and things. I'm not a Russian linguist at all, none of my guys are, right? So it kind of frustrates us and puts us in a weird spot. So one of the things that I've been encouraging my RE guys to do, and anyone else who's in this kind of workflow, is to think about your processes and the people that are working on them, and explore around just the piece of code in front of you: actually look out to the world for what's posted and see where you can go from there and what you can garner, because you can cut down on your analysis time when you find good information about that piece of malware, right? Either prior research or just what is out there from the malware devs themselves, because they like to talk sometimes.

Typically a lot of the guys I know, they go through a very linear workflow of pulling things apart. Bringing in outside research like OSINT kind of makes it a more cyclical piece. So if you think about the threat hunting lifecycle, it's very much just a bunch of cyclical processes that feed back into each other, right? We've got our threat intel, which goes into the SOC; the SOC does beautiful things with it, and either they come out with something on the side that needs a CERT, or they come back with just a little bit of cool information that we can turn into detection content, spread across everywhere, share as a Sigma rule, yada yada yada, right? But it feeds back unto itself. We actually take these workflows, and instead of just being like, ah, I'm going to give you this piece of information, you're going to search for it, and then the workflow stops, you want to actually feed it back in. That's what we do in a good threat hunting lifecycle, and it's the same kind of thing we can do if we're bringing more outside research into reverse engineering, where we can stop and pivot and bring things back in and kind of get it going into a cyclical approach.

There's a really good paper from a Spanish university on a systemic approach to malware analysis. I've got the actual citation there, because I'm going to steal their graphics real quick; that way I didn't have to reinvent my own, because I am known to be lazy. And one of the things they bring up in their systemic approach to malware analysis is the issues around specimen obfuscation and having to deal with a restricted execution environment, right? Actually having to bring this thing into some sort of VM sandbox. You can't just run it out anywhere or you're going to get ransomware everywhere in your network, right? You have to put it into its own little cubby and play with it in a safe space, or risk real issues. But the biggest thing here is that specimen obfuscation. It becomes a really chaotic thing to try to pull things apart when the malware developer has purposely just dumped a plate of spaghetti in front of you, right? In their paper they actually are pulling apart multiple samples as, you know, proof for how to use a systemic approach to malware analysis, and one of the things they run into is debugger checks, right? That's super common now for a lot of malware. A lot of malware these days is VM-aware, it's debugger-aware, it's pumped: taking garbage data, just a bunch of extra zeros, throwing them at the end of the file and pumping it out to make it look huge on disk, so if you try to upload it to something like VirusTotal it won't execute. We've had a couple samples that have been over a gig. My favorite one so far, when we unpacked it, it was 99 gigabytes showing up on disk, which in my mind I was like, what happens if I unpack this thing on a computer whose hard drive is full? Does your malware just not work, right?

So you wind up in this situation where you're trying to dig through all of this junk that's making it problematic, and that's where documentation comes to the rescue. Malware these days tends to be done as a service, because everything has to be a service or a subscription, even malware. And when you make things a service you have to provide customer service, and customer service means documentation and training. So if you get a little bit of information, IPs, domain names, malware names, anything like that that you can kind of start building off of for your searches, you can take that information out to Telegram and Tor and other places and start finding the documentation from the developers. With Rhadamanthys Stealer they've got beautiful documentation that tells you exactly how the whole thing works, from the server side to the end of the infection, the whole thing put together, so you can figure out exactly what settings you need when you're building this thing out. And it's just on the open internet for anyone to go get, right? It's not really hidden that much. So we can actually use the documentation provided by the developers, who will sometimes tell you things like, hey, here is how I'm telling if you're running me in a VM environment, right? I'm looking for two CPUs or less, I'm looking for the screen resolution, I'm looking for weird usernames that typically show up in sandboxes, I'm looking for these running process names. And you can bring that back to your frustrated malware researcher, who's smacking his face against the code as hard as he can to try to make something make sense, and go, okay, just change the settings in the VM environment, and suddenly we can bypass this whole thing.

The other nice thing that you can do sometimes is you can go out and find stuff that's really hot, fresh, now, right? Like before it's off in, you know, a CISA advisory or a SANS Stormcast or anything like that, you can find new samples. So let's do a really simple hunt together. All right, this is one I ran across a few months ago, and it was hilarious to me because like the same day I posted it on Twitter, like three other people stumbled on it at the same time. It's like, all right, cool, who gets to claim it? Mystic Stealer. I just went to Shodan and I typed in the word 'stealer'. Not every OSINT hunt has to be super complicated; some of them can be really silly simple and still get great results, because with just the word 'stealer' I was able to find some titled pages in the HTML code that said 'stealer', and when we went to them it was a Mystic Stealer login page, which now gives us IP addresses for C2s, which we can turn around into VirusTotal and find where our relationships are, and we can find the actual files that are communicating with those C2s. So even if the C2s are recent and they're not getting good hits for, like, your network security appliance or anything like that, you can come through and at least see, hey, I've got some really nice fresh stuff here that I can use.

And same thing, right? That one's, you know, they've updated Mystic Stealer, it's not as easy to find, but there is one, and I recorded this one recently, so if you wanted to you could just go open Shodan on your phone right now and type in 'stealer', and there is one that will show up and work, right? It's called Easy Stealer, and it's not very well put together, but there's no blog posts on it right now, really. There's, I think I found a single tweet, and the tweet wasn't anything around, you know, stealer or anything like that, right? The tweet was just like, hey, somebody recently posted on a hack forum that they're selling a new Golang stealer called Easy Stealer. That was the tweet. Well, if we go out to Shodan and we type in 'stealer' we get a Russian IP address, and those are great, because that's where most of the malware comes from these days. So we can go here and see that we've got port 3001 open, and on port 3001 is an HTML page, and it's a login page for a thing that says in its title 'Easy Stealer'. Yeah, it's right there, right? And I mean, honestly, they could come up with better naming for these things. A lot of these devs, when they first make these things, for some reason default to just calling it 'stealer' and not, like, using something better. But you can go out and find the dashboard straight off of Shodan for the C2, and this one's not fully functional, because it looks like most likely someone has recently bought the source code and is using it, so it's just kind of there and it's not ready to rock and roll quite yet. So this one is very fresh and ready to go. Like I said, anybody today in this room, go make your blog post about Easy Stealer and beat, like, CrowdStrike or somebody else to the punch before they get there.

But you can take this IP address for this dashboard, you can plug that back into VirusTotal or whatever your repository of choice is, right? And you can see what files are communicating with it to get fresh samples. And this one, pop over there, a few vendors have picked up on the IP address, right? Not everybody, but a few. But there are some files when we go to Relations on this one, and one of those files is basically the actual source code from the developer that you buy when you go out to the dark web forum and buy Easy Stealer. Someone uploaded it to VT right before the post was made on the hacking forum advertising the thing for sale, which means there's a good chance the developer might have done it to themselves, as they tend to do. It's this one right here, easy 64.exe. Wow, great, great way to obfuscate your name on this one. Caught you a little early. We had the same thing with Rhadamanthys; there were a bunch of samples that were just called rad.exe really early on.