Botconf 2023 Wrap-Up Day #2

And we are still in Strasbourg! The second day started with « From GhostNet to PseudoManuscrypt » by Jorge Rodriguez & Souhail Hammou. PseudoManuscrypt is a recent RAT spotted by Kaspersky in July 2021. It is widely distributed through fake applications, websites and malware loaders, and it is a fork of Gh0st RAT. Gh0st RAT is still relevant today; it became open source in 2008. Written in C++, it gives full control of the infected host and persists as a DLL. It exposes multiple features via « managers » (shell, screen, video, audio, keyboard, …). Of course, once open-sourced, multiple forks arose… They collected and analyzed 22 forks, for example Gh0stTimes or GamblingPuppet. PseudoManuscrypt is very active, and the botnet is growing as we speak. It is deployed via fake software. The infection path, persistence and configuration were described in detail. The config contains the protocol (TCP/UDP), the ports, the primary C2, the fallback DGA seed and the TLD. Of course, they reversed the DGA. The communication protocol relies on the HP-Socket C++ framework, with the KCP protocol for UDP providing ARQ error control (30-40% faster than TCP). Some plugins were reviewed (keylogger, proxy, or the stealer).

The second slot was assigned to Daniel Lunghi with «Iron Tiger Enhances its TTPs and Targets Linux and MacOS Users». They have used multiple infection vectors in the past and started using supply chain attacks, like the MiMi Chat app (see last year's talk). This app is restricted to some countries (based on the mobile number prefix) and developed by a company in the Philippines. The desktop app uses the Electron framework, which has been modified (electron-main.js) to download malicious code, packed using Dean Edward's packer. It also targets MacOS (by downloading rshell). How did they infect Seektop? Not sure today. They stole credentials from a developer and then accessed the development environment. Malware toolkits used:

  • HyperBro: custom backdoor with multiple features
  • SysUpdate: same, backdoor with many features
  • Rshell: backdoor tool for MacOS and Linux

The next talk was «Ransom Cartel trying not to “REvil” its Identity» by Jéremie Destuynder and Alexandre Matousek. This talk was labeled TLP:Amber.

After the morning coffee break, we returned with «Yara Studies: A Deep Dive into Scanning Performance» by Dominika Regéciová (@). She already talked about YARA last year at Botconf. This year, she's back with more performance-related material. Indeed, YARA rules are easy to write, but they can lead to slow scans. Dominika's test environment was based on YARA version 4.2.3 and 22GB of data.

First optimization: conditions are evaluated AFTER the strings section, so all files will be scanned even if you add a condition like “filesize < 1KB”. Remove the strings section and express everything in the condition:

uint8(0) == 0x42 …

Second optimization: try to find PowerShell obfuscated with carets (p^o^w^e^r^…)

$re = /p\^?o\^?w\^?o…

This regex triggers a performance warning. Split it in two instead:

$re1 = /p\^?o\^?…
$re2 = /po\^?…

The same applies to hex strings with alternatives. Instead of:

$re = { 44 (03 | 2E ) 33 }

use two plain hex strings and combine them in the condition:

$re1 = { 44 03 33 }
$re2 = { 44 2E 33 }
$re1 or $re2

Sometimes less is more: instead of “/.*\.exe/”, just use “.exe”. Also, try to follow the recommendations provided in warning messages. Dominika gave a lot of ideas to optimize your rules. You won't gain 50% in speed, but on big datasets it can make the difference!

Then, Daniel Plohmann presented «MCRIT: The MinHash-based Code Relationship & Investigation Toolkit». Daniel is a regular contributor to Botconf. He presented his tool, MCRIT. The motivation was to detect code similarities between malware families. That's the tool's goal: analyze code sharing and 3rd-party library usage in malware. Looking for code similarities is not a new topic, and a lot of papers have already been released. MCRIT combines quasi-identical and fuzzy code representations, computes similarities at block and function level, and relies on hashmaps and LSH (Locality-Sensitive Hashing). Daniel explained how the tool works and performed some demos. Everything can be installed via Docker containers.
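As an added illustration (not MCRIT's code), this toy Python sketch shows the mechanism the talk builds on: MinHash signatures over n-grams of normalised instruction mnemonics, a Jaccard similarity estimated from the signatures, and LSH banding to pick candidate pairs without comparing every function against every other. The three sample functions, the modulus P and the band width are constructed assumptions.

```python
"""Toy MinHash/LSH code-similarity sketch (illustration only, not MCRIT's implementation)."""
import hashlib
import random
from itertools import combinations

P = (1 << 61) - 1  # Mersenne prime used as the modulus of the universal hash family

def shingles(instructions, n=3):
    """n-grams over mnemonics only, so registers and immediates do not break matches."""
    mnemonics = [ins.split()[0] for ins in instructions]
    return {" ".join(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1)}

def minhash(shingle_set, num_hashes=128, seed=7):
    """MinHash signature: for each hash a*x+b mod P, keep the minimum over the shingles."""
    rnd = random.Random(seed)
    params = [(rnd.randrange(1, P), rnd.randrange(P)) for _ in range(num_hashes)]
    base = [int(hashlib.sha1(s.encode()).hexdigest(), 16) % P for s in shingle_set]
    return [min((a * x + b) % P for x in base) for a, b in params]

def estimate_jaccard(sig1, sig2):
    """Fraction of equal signature positions approximates |A ∩ B| / |A ∪ B|."""
    return sum(x == y for x, y in zip(sig1, sig2)) / len(sig1)

def lsh_candidates(signatures, rows=2):
    """Band the signatures; functions sharing any band bucket become a candidate pair.
    rows=2 favours recall over precision, which is fine for this small demo."""
    buckets = {}
    for name, sig in signatures.items():
        for band in range(0, len(sig), rows):
            buckets.setdefault((band, tuple(sig[band:band + rows])), set()).add(name)
    cands = set()
    for names in buckets.values():
        cands.update(tuple(sorted(p)) for p in combinations(names, 2))
    return cands

# Constructed sample functions (x86 mnemonics); B is A recompiled with one changed compare.
FUNCS = {
    "A": ["push ebp", "mov ebp, esp", "xor eax, eax", "mov ecx, [ebp+8]", "cmp byte [ecx], 0",
          "je done", "inc ecx", "mov edx, ecx", "cmp edx, 0x1000", "jne loop", "pop ebp", "ret"],
    "B": ["push rbp", "mov rbp, rsp", "xor rax, rax", "mov rcx, [rbp+16]", "test byte [rcx], 0xff",
          "je done", "inc rcx", "mov rdx, rcx", "cmp rdx, 0x1000", "jne loop", "pop rbp", "ret"],
    "C": ["sub rsp, 0x28", "lea rcx, [rip+0x10]", "call printf", "test eax, eax", "jz end",
          "add rsp, 0x28", "ret"],
}

def compare_all(funcs=FUNCS):
    """Signature every function, then score only the LSH candidate pairs."""
    sigs = {name: minhash(shingles(ins)) for name, ins in funcs.items()}
    return {pair: estimate_jaccard(sigs[pair[0]], sigs[pair[1]]) for pair in lsh_candidates(sigs)}
```

A and B share 7 of their 13 distinct trigrams (true Jaccard about 0.54), so the estimate lands near that value, while C shares nothing with either and never becomes a candidate.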

After lunch, we had «Operation drIBAN: insight from modern banking frauds behind Ramnit» presented by Federico Valentine & Alessandro Strino. Banking trojans are a hot topic these days; web injects are used but less covered. The key feature of drIBAN was ATS (« Automatic Transfer System »). Some stats: 20K€ average amount, +1400 bank accounts, +1500 infected customers. They focused on corporate bank accounts. The infection path is this one:

Malspam campaign (PEC) > Stage1: sLoad > Stage2: Ramnit > Stage3: drIBAN web-inject > Money laundering

PEC means « Posta Elettronica Certificata » (certified emails used in Italy). sLoad is a PowerShell-based Trojan downloader using BITS for C2 communications. Ramnit emerged in 2010 and evolved into a modern banking trojan. Web-inject development is a 24×7 job! Some threat actors even used bank accounts for debugging purposes. They explained how Ramnit exfiltrates PDF invoices and replaces them with fake ones containing new banking details. They also covered how the web-inject works. Great analysis of the malware!

Then, Nick Dai, Sunny Lu and Vickie Su presented «Catching the Big Phish: Earth Preta Targets Government, Educational, and Research Institutes Around the World». This attack started with an email. They discovered the TONESHELL malware. As usual, a complete review of the malware was performed. Note that the infection technique was based on DLL side-loading. Interesting to learn that MQTT is used as a C2 protocol (MQsTTang malware).

The next talk topic was «The Case For Real-Time Detection of Data Exchange Over the DNS Protocol» by Yarin Ozery. DNS tunneling is not new, but it is still used because it is effective. It is also easy to spot by looking at:

  • size of DNS req/responses
  • Length of hostnames
  • Entropy
  • Traffic behavior

Yarin explained the technique implemented by Akamai to detect DNS tunneling. To be honest, this was interesting research but way too complex to implement for regular organizations. Just keep an eye on the DNS traffic (size of TXT/A records) and try to detect the top speakers on the network.
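An added example (not Akamai's method, nor code from the talk) that applies the indicators listed above to a constructed DNS query log: hostname length, entropy of the labels below the zone, response size, record type, and a per-client byte count to surface the top speakers. The log format and the thresholds are assumptions for this illustration.

```python
"""Toy DNS-tunnelling indicators over a constructed query log (illustration, not Akamai's method)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qtype> <qname> <response_bytes>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com 64
1700000001 10.0.0.5 A mail.example.com 70
1700000002 10.0.0.9 TXT 3k2j4h5g6f7d8s9a0pqlzxcv.bnm1qaz2wsx3edc.tunnel.example 412
1700000003 10.0.0.9 TXT 9f8e7d6c5b4a3210zyxwvutsrqpo.nmlkjihgfedcba.tunnel.example 398
1700000004 10.0.0.9 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.0f9e8d7c6b5a4.tunnel.example 405
1700000005 10.0.0.7 A cdn.example.net 80
"""

def shannon_entropy(text):
    """Bits per character of text (0.0 for an empty or single-symbol string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parse_log(log):
    """Yield one dict per line of the constructed format above (timestamp is ignored here)."""
    for line in log.splitlines():
        _ts, client, qtype, qname, size = line.split()
        yield {"client": client, "qtype": qtype, "qname": qname.lower().rstrip("."), "size": int(size)}

def query_indicators(q, max_len=52, max_entropy=3.5, max_size=300):
    """List the indicators one query triggers; thresholds are assumptions to tune per network."""
    labels = q["qname"].split(".")
    payload = "".join(labels[:-2])  # labels below the zone (assumes a two-label zone)
    hits = []
    if len(q["qname"]) > max_len:
        hits.append("long_name")
    if shannon_entropy(payload) > max_entropy:
        hits.append("high_entropy_labels")
    if q["size"] > max_size:
        hits.append("large_response")
    if q["qtype"] == "TXT":
        hits.append("txt_record")
    return hits

def analyse(log, min_hits=3):
    """Return (flagged queries, clients ranked by DNS bytes); a single indicator alone is noisy."""
    flagged, bytes_per_client = [], defaultdict(int)
    for q in parse_log(log):
        bytes_per_client[q["client"]] += q["size"]
        hits = query_indicators(q)
        if len(hits) >= min_hits:
            flagged.append((q["client"], q["qname"], hits))
    talkers = sorted(bytes_per_client.items(), key=lambda kv: kv[1], reverse=True)
    return flagged, talkers
```

On the sample, only the three TXT queries from 10.0.0.9 trip all four indicators, and that client is also the top speaker by bytes, which is the cheap signal the paragraph suggests watching.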

After the second coffee break of the day, Suweera De Souza presented «Tracking Bumblebee’s Development». What’s Bumblebee? It was related to CVE-2021-40444 in September 2021 (mshtml). It is delivered as a DLL and communicates with the C2 server via 3-letter commands like « sij » (Shellcode InJection) or « dex » (Download and EXecute). She explained how hooks are implemented to defeat EDR operations. C2 communications use WebSockets, and messages are JSON, RC4-encrypted.

The next talk was again from Max ‘Libra’ Kersten: «A student’s guide to free and open-source enterprise-level malware analysis tooling». The goals and expectations were:

  • It must run on a Pi3B
  • 60 days retention period
  • Run locally 24/7
  • Respect the TLP

The pipeline: 

  • Don’t focus on manual analysis yet
  • Rely on the community and pattern matching
  • Understanding data does not require expensive hardware
  • Scale by outsourcing

Max shared some resources that help to get malware samples: MalShare, Malware Bazaar, Malpedia, and Triage. He also mentioned a public platform to use YARA rules: Yaraify. For manual analysis, a lot of free tools: Ghidra, Cutter/Rizin, IDA Free, dnSpyEx, JADX, … Run tools headless and get notified via Slack/Discord/…

The day finished with a set of lightning talks. Some of them were really interesting, but I won’t cover them because some of them were TLP:Amber.

(Picture credits go to @EternalToDo)
