Get Rich or Die Trying (PowerPoint presentation; author: Mark Lechtik; created 12/11/2017 10:28:41 PM)
TRANSCRIPT
Get Rich or Die Trying
Speakers
Mark Lechtik (@_marklech_), Security Researcher, Check Point Software Technologies Ltd.
Or Eshed (@EshedOr), Lead Threat Intelligence Analyst, Check Point Software Technologies Ltd.
Intro
Trigger
Speculations
• APT campaign against Saudi Arabia
• Industrial espionage before Aramco’s IPO
• A new campaign against the global energy sector
Investigation Goals
• Who is the attacker?
• What are his targets?
• Why focus on Aramco this way?
• How does he work (modus operandi)?
• Which instruments and tools are used in this campaign?
• Does this incident require immediate intervention?
Digging Deeper
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group]
Al-Khalaf Investment Group
• Investment company based in Saudi Arabia
• Site was compromised to host malicious executables
• APT Targeting Saudi Arabia?
[Figure: APT Meter]
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group; DirectLink.cz]
DirectLink.cz
• “Legit” file hosting service
• Hosted most of the samples related to this campaign
• Generally, hosted a vast amount of malware
• Affiliated with hackforums.net
Attacker Infrastructure
• Executable packed with a custom packer
• After unpacking, we get a binary with obfuscated strings
Attacker Infrastructure
Partially Obfuscated
Hmm…
Decryption Routine!
Partially Obfuscated, Deobfuscated
… What is this malware?
Attacker Infrastructure
Looking at the deobfuscated strings we see that the malware is…
NetWire’s Business Model
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group; DirectLink.cz; …; NetWire RAT]
Attacker held VPSs in various countries from which he operated the NetWire servers
[Figure: APT Meter]
Attacker Infrastructure
• Yet another custom packer…
• This time the unpacked payload is a VB6 compiled binary
• Seems to be some kind of info stealer
Stolen App Credentials
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group; DirectLink.cz; …; NetWire RAT; ISR Stealer; Victim Data]
ISR Stealer’s C2 Server
Version Artifacts
Same binary version info across all ISR Stealer samples…
[Figure: APT Meter]
RPT: Ridiculous Persistent Threat
Attacker Infrastructure
• Guess what … custom packer.
• Unpacked version contains a .NET binary
Decompiled Code
HawkEye Features
• Stealing Keystrokes
• Stealing Clipboard Data
• Screenshots
• Dedicated Stealers
– Minecraft
– Steam
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group; DirectLink.cz; …; NetWire RAT; ISR Stealer; HawkEye Keylogger; Victim Data]
[Diagram: HawkEye; Victim’s Machine; SMTP, FTP, HTTP]
• Server in attacker’s possession
• Compromised Server
From: Attacker
To: Attacker
SMTP C2 Channel
SMTP chosen as C2 Channel
SMTP credentials encrypted with AES + Base64 encoded
AES Key: “EncryptedCredentials”
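A defender-side check for the pattern on the two slides above, where the keylogger on the victim's machine submits mail over SMTP with the same account as sender and recipient. This is an added example, not part of the presentation; the log layout, workstation subnet, relay name and process names are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not from the slides): adjust to your environment.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
SANCTIONED_RELAYS = {"smtp.corp.example"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample. Fields: time src_ip process dst_host:port mail_from rcpt_to
SAMPLE_LOG = """\
2017-06-01T09:00:02Z 10.20.4.17 outlook.exe smtp.corp.example:587 alice@corp.example bob@partner.example
2017-06-01T09:10:41Z 10.20.4.23 invoice_scan.exe mail.hosting.example:587 box1@hosting.example box1@hosting.example
2017-06-01T09:20:43Z 10.20.4.23 invoice_scan.exe mail.hosting.example:587 box1@hosting.example box1@hosting.example
2017-06-01T09:25:00Z 10.20.9.5 thunderbird.exe mail.isp.example:465 carol@isp.example carol@isp.example
2017-06-01T09:30:00Z 10.30.1.8 postfix smtp.corp.example:25 noreply@corp.example noreply@corp.example
"""

def parse(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, src, proc, dst, mail_from, rcpt_to = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "proc": proc.lower(), "host": host.lower(),
            "port": int(port), "from": mail_from.lower(), "to": rcpt_to.lower()}

def reasons_for(ev):
    """Return the suspicious traits of one SMTP submission from a workstation."""
    if ipaddress.ip_address(ev["src"]) not in WORKSTATION_NET:
        return []                      # servers and relays are out of scope
    if ev["port"] not in SMTP_PORTS:
        return []
    reasons = []
    if ev["host"] not in SANCTIONED_RELAYS:
        reasons.append("direct-smtp-to-unsanctioned-server")
    if ev["proc"] not in MAIL_CLIENTS:
        reasons.append("non-mail-client-process")
    if ev["from"] == ev["to"]:
        reasons.append("self-addressed")
    return reasons

def detect(log_text, threshold=3):
    """Group events that show at least `threshold` traits by (src, process, server)."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        reasons = reasons_for(ev)
        if len(reasons) >= threshold:
            key = (ev["src"], ev["proc"], ev["host"])
            hits[key]["count"] += 1
            hits[key]["reasons"].update(reasons)
    return {k: (v["count"], sorted(v["reasons"])) for k, v in hits.items()}

if __name__ == "__main__":
    for key, (count, why) in detect(SAMPLE_LOG).items():
        print(key, count, why)
```

A user mailing themselves from a personal account through a real mail client shows only two of the three traits and stays below the default threshold.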
SMTP C2 Channel
[Figure: APT Meter]
ALPT: Absolutely Ludicrous Persistent Threat
Attacker Infrastructure
[Diagram: Phishing Mails from Aramco; Al-Khalaf Investment Group; DirectLink.cz; …; NetWire RAT; ISR Stealer; HawkEye Keylogger; Victim Data]
Findings
Modus-Operandi
Modus-Operandi
Malware products from infected machines
Modus-Operandi
Harvesting emails
Figuring out whom he attacks and why
Modus-Operandi
Attacking via genuine email address (compromised)
Low-quality phishing
Modus-Operandi
Attacking via genuine email address (compromised)
Low-quality social engineering
Use of multiple email accounts
Modus-Operandi
Living on the edge
Meet the Attacker
• S.O
– Abuja, Nigeria
– Motto: “Get rich or die trying”
– Estimated age is 27-28.
Some Statistics
• Over 6,000 email addresses targeted in a single campaign.
• Over 4,000 distinct corporates and organizations, including some of the largest organizations world-wide.
o Oil/gas sector
o Car manufacturers
o Banks
• Dozens of distinct machines infected with HawkEye alone; some can be attributed to 7 recognized companies.
Where is the Money?
Wire-Wire: Stealing in the daylight
Aftermath
Insights
• APT? … NPT!
[Figure: APT Meter]
NPT: Nigerian Prince Threat
Insights
• APT? … NPT!
• A noisy campaign without unique OPSEC methods went completely undetected by AVs for over a month.
• The threat actor was able to establish a big operation (almost APT-like) and cause damage, using very little skill.
Before … Now
Insights
• Part of the (malicious)-as-a-service ecosystem.
– One of many actors of the same kind
• Requires the attention of security vendors & law enforcement
• The threat actor is still free, active and using the same infrastructure.
Thank You!