Botconf Day 3 Wrap-Up

Here we go with day 3! In the morning, there are always fewer people due to the short night. The gala dinner is always a key activity during Botconf!

The last day started with “Jumping the air-gap: 15 years of nation-state efforts” presented by Alexis Dorais-Joncas and Facundo Munoz. Does “air-gap” means a big castle in the middle of the Internet? That’s the image that usually pops un in our minds. They covered malware targeting “protected environments”. Such malware implement an offline, covert communication mechanism between the compromised systems and the attacker. Think about “Stuxnet”. They found 17 families of such malware and, as usual, attribution was not easy, sometimes controversial. They are two categories:

  • Connected frameworks (with a connected side and an air-gapped side). A classic approach is initial compromise (spear phishing) and a weaponised USB stick is used to reach the air-gapped side. Results are stored back to the USB drive hopping that the user will connect the USB back to the connected side. Another technique is to write commands from the C2 on the USB drive.
  • Offline frameworks (no Internet connectivity). A user must “import” the malware

Automated execution is the most effective technique to launch the malware, for example via LNK remote code execution. In the case of non-automated execution, the main techniques are:

  • Abuse of Windows auto run
  • Planting decoy files to lure victims
  • Rig existing files with malicious code

They reviewed some well-known malware sample and explained the techniques used to interact with the air-gapped systems. To exfiltrate data, they used modified directory entries to hide the content on the USB drive. By example, if you create an invalid directory name, Windows will ignore it and it will be hidden. Another technique is to hook some file-related API and when a specific file is used (ex: Word document), data is appended to documents. This is how the Ramsay malware works.
How to defend against those types of attacks? USB drives is the key element. So, disable/prevent usage at much as possible. When you can’t, disable automatic execution, sanitize USB drives before inserting them in the air-gapped system.

The next talk was presented by Eric Freyssinet: “A vision on Cyberthreats”. There were already talks in the past about the French law enforcement services. Eric today presented a picture of what he’s doing with his team and the challenges they are facing. Years ago, fighting cybercrime was a niche but today, it’s a key element. A keyword mentioned multiple times was “together”: “we have to share together, we have to talk and act together”. A cyberspace command has been created to not only fight cybercrime to also to be present on the Internet and offer services to citizens, such as a 24×7 chat. About the cyber threat landscape, in 2020, there are 100K cases (+21% over 2019). In Q1-Q2 2021, +38% over 2020!. Mail challenges today are fewer data available in cleartext. more and more data to process, cloud environments, and more to come! Criminals also evolve very quickly: “Crime as a Service”, more and more facing open cyber-criminal ecosystems.

After a welcome coffee break, we attended “Detecting and Disrupting Compromised Devices based on Their Communication Patterns to Legitimate Web Services”, presented by Hen Tzaban. This was a remote presentation because the speaker was not able to join us in Nantes. Hen is specialized in data analysis. Today, enterprise protection switched from a blacklist system (too complex to manage and prone to issues) to behavioral monitoring. In the past, look for IOC and block bad IP/domains in proxies/firewalls. Today, it shifted to user behavior because criminals use sites like Twitter, Google, GitHub, Pastebin, etc. Legitimate services! For example: the malware HAMMERTOSS uses Twitter. Akamai developed a framework based on PSD (Power Spectral Density and Neural Networks model. The goal is to detect compromised hosts inside the enterprise. For example for DNS traffic: beaconing, multi-stage channels, and DGA are common techniques. Hen explained how they implemented this technique at Akamai.

The next one was “ProxyChaos: a year-in-review of Microsoft Exchange exploitation” by Mathieu Tartare. Except if you live on a small island, you should be aware of this massive issue. So big that FBI decided itself to clean up infected systems. Quick overview: It’s a suite of vulnerabilities:

  • ProxyLogin
  • When chained, pre-auth RCE
  • On-premise Exchange 2013, 2016 & 2019 are affected (not the cloud version)

It started in January 2021, before being reported to Microsoft, which decided to release an out-of-band patch. In March 2021, mass exploitation started. How does it work? They use CVE-2021-26855 then install a WebShell (ChinaChopper). The name of the webshell is controlled by the attacker, so attribution is easier. What appended in the wild? More than 10 APT groups used this vulnerability. Multiple actors could be on the same server at the same time. Pre-auth means a huge amount of scans. Hafnium was the first group to use the vulnerability. Mathieu reviewed multiple groups’ activities. Matthieu also reviewed “ProxyShell”. The exploitation is a bit different but very similar to ProxyLogon. Vulnerabilities are exploited in chain and a malicious PST file will be used to drop the webshell and more fun happen.

Then, Eric Leblond presented “Suricata and IOCs” (in preview for a workshop in 2023?). After a quick introduction to his company (Stamus Networks) that develops Suricata. Some advanced features were covered by Eric: IPrep, Lua scripting support and dataset. The concept is list matching on sticky buffer keywords. By example:

alert http … (http_user_agent;dataset:isnotset,official_agents;)

You can also use IOC matching with datasets. Here is another example:

alert dns … (dns.rename; dataset:isset,ioc_d,string,load ioc_domains.lst;)

Dataset can be modified on packet path, for example, build a list of HTTP user agents seen on the network! You can also combine datasets. Ex: build a set of UA agents but not for the site from Alexa1M. To improve the integration of MISP and Suricata, a tool has been developed by Sebdraven: IOCmite Concept: improve the integration of MISP & Suricata. MISP > IOCmite > (stocket) > Suricata

After the lunch break, Souhail Hammou presented “Privateloader – The malware behind a havoc-wreaking Pay-Per-Install service”. PPI services monetise wide distribution of malware. There exist public and private PPI services. Once the malware is installed, the loader sent back info to the C2 server for “accounting” purposes. Then the “customer” is billed based on usage. The “PrivateLoader” was detected by Intel471 in 2021. It is developed in C++, uses HTTP for C2 communications and is heavily maintained. Main distribution channel is malicious websites delivering cracked software. The loader has a core module which disables some security features and grabs its configuration. One of the information retrieved is the geographical location. Based on it, different payloads will be sent. It can also target specific hosts depending on a “profile”. Two types of payloads can be downloaded: PE files and browser extensions (for Chromium). Payloads are delivered through Discord URLs. Installed payloads list is sent back to the C2 server. What about tracking PrivateLoader? They created fake bots but “passive” (to not ring a bell) and analyzed the malware dropped on victims.

The very last talk was “Qakbot malware family evolution” presented by Markel Picado Ortiz and Carlos Rubio Ricote. This was the second talk about Qbot. They spent a lot of time analyzing plenty of samples. Qbot has many versions! They showed the multiple changes found in the code. After reviewing the version changes, they gave some statistics about affiliate IDs, versions, and timestamps to visualize who used which version in time.

What about this 9th edition of Botconf? It was so great to meet people in real life! There was 300 attendees coming from almost all continents, avibrant and diverse community. As usual, they already announced the 10th edition that will be held in April 2023 in Strasbourg! Kudos to the crew for this awesome event!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.