Botconf Day 2 Wrap-Up

The second day is already over. Here is my recap of the talks. The first one was “Identifying malware campaigns on a budget” by Max “Libra” Kersten and Rens Van Der Linden. The idea was to search for malicious activity without spending too much money. Read: “using as few resources as possible”. The solution proposed must be scalable, reusable, and repurposable. From a budget point of view, it was based on Raspberry Pi 3B (~65€) + the cost of electricity and free software. In their research, they used a dataset of 500K malicious emails (that can’t be disclosed but the same applies to any dataset). They normalized the data then applied different modules to them:

  • The first module was used to check the email subjects and, using the Levenshtein distance (number of character changes), they found clusters of emails.
  • The second module was used on lure images (the logos used in phishing campaings to make the victim more confident).
  • The third one was focusing on URLs with passive reconnaissance techniques as well as active techniques.

I was a bit surprised to see the last slides… without really demonstrating the scripts they used (also, nothing was shared). Too bad, I was expecting something that could be reused (like a GitHub repo to clone). An interesting question from the audience: why not use Karton to automate these processes?

Max stayed on stage for a second (long) presentation: “See ya Sharp: A Loader’s Tale”. He explained his research about a specific loader: Cyax-Sharp. What is a loader? It is used to “load” a remote/local payload. It is usually encrypted, obfuscated, and has anti-debugging features. If classic malware samples are analyzed, loaders attract less attention and we lack reports but they are an essential stage in the infection process. The malware ecosystem lacks a naming convention and this payload can be referenced as “ReZer0” or later “Cyax-Shart. This is confusing. He reviewed some capabilities of the loader like disabling WinDefender, and anti-sandboxing techniques (searching for some DLLs). Then, how the configuration is managed. What are the changes over time?

  • The configuration changed: new features added
  • Sleep is configurable and message box can be displayed

Max gave some statistics about his research. He collected 513 samples. Process hollowing is present in 72% of cases. The remaining is spread across MSBuild hollowing, vbc, regsvc or direct launch
Persistence is used in 54%, based on scheduled tasks. Regarding protections, 79% had both enabled (anti-vm, anti-analysis). Payload families? 54% was AgentTesla, others

After a short coffee break, we were back with “Into The Silent Night” presented by Yuta Sawabe and Ryuichi Tanabe. If restrictions are lighter regarding the COVID, they are still some travel issues between countries, and the speakers were not able to join Nantes. They recorded the presentation. Silent Night is the new name of ZLoader. The goal of this research was to track C2 servers. In this case, a DGA is used and make the analysts’ life more difficult. They build a tracking system to collect data, extract threat intel and analyze the results. Silent Night is a modular trojan from the Zeus family, delivered via exploit kits, fake software, phishing, etc. Its C2 communications can be identified via /cp.php, /gate.php or /logs.
The process they used:

  • collect sampled (VT, any.run, Triage)
  • extract config via triage
  • calculate DGA domains
  • collect log files from C2 servers

Some results they shared:

  • 453 samples
  • 22 RC4 keys
  • Peak of Number of infections was in Sep 2021
  • Main country was US

When you know the DGA, domains are registered in advance and you can trace the future attack activities. 32 domains generated per day (not all of them used)

We continued with “A fresh look into the underground card shop ecosystem” with Beatriz Pimenta Klein and Lidia Lopez Sanz. This was interesting because I’ve no experience with these platforms. Where are cards sold?

  • Automated vending cards (AVCS)
  • Marketplaces
  • Forums & chats

They focused on the first type. But, how are they stolen? Via PoS malware that dumps from memory but skimmers remain a classic attack.CVVs are also known as “cards”: phishing pages, digital skimmers, leaks, info stealers. In the next part of the talk, they presented some card shops and compared them:

  • Brian’s Club
  • Legendary Rescator

By the way, the price of a cart can go from $3 to $269 depending on the country, the bank, the expiration date, etc. A lot of card shops are inactive because they organized their own closure, they have been seized by law enforcement agencies, or … exit scan (the most common one). It was interesting to learn that typosquatting is very common in card shops. They share the same cards and… deliver malware samples!

The next talk was presented by Dominika Regéciová: “Yara: Down the Rabbit Hole Without Slowing Down“. This talk was a review of YARA, performances, and changes. Dominika started with a quick review of YARA (who does not this tool developed by VT?). Writing YARA rules is pretty easy but when you need to scan a huge set of data (size or number of files), you’ll quickly face issues… like warnings from YARA or the required scan time. You’ll have to optimize the rules! The first optimization was to take into account “atoms” selection from strings. How YARA handles strings. Regular expressions are a common issue with YARA and may drastically affect the speed. The next issue was related to the “too many matches” problem. Dominika explained how to write better rules. She demonstrated the optimization with an example that was executed in 3 seconds instead of 45 mins (without optimization). If you’re interesting int this topic, have a look here.

Then, we had a talk provided by Alibaba Cloud: “Detecting emerging malware on cloud before VirusTotal can see it” by Anastasia Poliakova and Yuriy Yuzifovich. Why this research? Third-party validation has a cost (latency, costs!). Sometimes tools like VT give ambiguous results. Is a low VT score a sign of maliciousness? Also, many malware samples targeting Chinese customers are underreported to VT. To avoid these problems, Alibaba Cloud decided to start its own detection tool based on ssdeep… They explained in a lot of detail how to build a tool more efficiently than… VT! (that’s what they said). I had a discussion with other people about this and we all had the same feeling: Are they prepared a competitor to VT?

After the lunch break, we restarted with “Warning! Botnet is in your house…” by Vitaly Simonovich and Sarit Yerushalmi. For sure, I was curious about this title but it was not what I expected, however, the content was good. The research goals were: how botnets operate, for which purpose, and how it started.
The initial discovery was CVE-2017-9841 (target: PHPUnit RCE). It starts with a POST request and the return data is a PHP script with a system() and a curl + payload execution. The payload is “traber.pl” which install a Python script in a crontab. Python payload grabs a zip file, unzip it and executes the new Python payload “update.py”. This payload makes an HTTP request with a user-agent. In return, you get some JSON data. They found multiple bundles of files that targeted multiple vulnerabilities (RCE, RFI, …)
But what was the botnet purpose? To understand this, they created a honeypot and simulated a fake compromised host. After 1h, the attacker contacted the host. He added a second web shell, escalated his privileges, and got full control of the server. Third-party services were also used: GitHub & Pastebin to store more payloads. The bot was called “KashmirBlack”, why? It was the name of a git repo.
Later, they found the use of a dropbox account… and the associated token to access it.
Some numbers:

  • 285 bots
  • 480 attacks / day / bot
  • 140K attacks / day
  • 0.5% success
  • 1000 new bots / day

The next one was “How Formbook became XLoader and migrated to macOS” by Alexey Bukhteyev and Raman Ladutska. Here again, they were not able to travel and the talk was presented via an interactive Zoom session. Overview of the malware: banker & stealer malware. 100+ apps targeted. 6y old, 3000+ campaigns, worldwide targets. Now, called XLoader and targets macOS & Windows. First spotted in 01/2016, may 2018 last post from authors. In Oct 2020, XLoader was born. Formbook sales stopped and the XLoader model changed. They explained carefully how obfuscation is used to hide the functions and strings. More information is available here.

After the coffee break, Vasiliy Berdnikov and Aseel Kayal presented “SandyBlacktail: Following the footsteps of a commercial offensive malware in the Middle East”. This one was presented under TLP:Amber. Great reviews of the malware with plenty of details.

The next one was “Smoke and Fire – Smokeloader Historical Changes and Trends” presented by Marcos Alvarez. He started with a question to the audience. Many people know SmokeLoader but not many of us put our hands in the code. He did… intensively! His talk covered the findings and all changes across the years. But first, he explained with this loader is popular: Based on its simple business model, the cost, and complexity. Indeed it has many core features like anti-analysis, persistence, network & crypto features, payload injection, and extensions (modules). In the next part of the presentation, Marco presented all changes since 2011(!).

Why is it a successful loader?

  • Business model (direct with the author)
  • Cost
  • Complexity

Its core features are: anti-analysis, persistence, network, crypto, payload injection and… extensions (plugins) From an operational aspect: Initial recon + modules -> Data harvesting + infostealer -> Final payload (banker, ransomware, RAT).

The last talk was “PARETO: Streaming Mimicry” presented by Inna Vasilyeva. This was a sponsored talk but technical enough! PARETO is a botnet that infected Android devices (1M) to spook CTV apps. Inna explained that the malware mimics a streaming TV product to generate a higher price for ad impressions. This is achieved via the TopTopSDK. After technical details, she explained that a takedown operation has been started. Google and Roku were contacted as well as LE agencies.

This day ended with a round of funny/interesting lightning talks about the following topics:

  • ONYPHE (with a demo of a specific URL shown earlier today : /upl.php
  • Advanced Persistent Speaker @ Botconf and DESKTOP-Group status
  • Crowdsourcing the demise of Twitter’s business model
    • JusticeRage/twitter-blocklist
  • WTF VT?!
  • Should we care about formula injection?
  • Binary Analysis course
    • maxkersten.nl/binary-analysis-course/
  • Hunting with Nuclei
  • Iranian & Russian eCrime: It’s complicated
  • Yet another dev fail?
  • Botnet Tracker
  • DDX – Detection, Detonation & Config eXtraction
  • Where’s my botconf recording?

Day 2 is over, the gala dinner is over, it’s now time to get some sleep hours for the last day!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.