SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)
Summary
TLDR: Tom Lancaster, threat intelligence lead at Volexity, discusses the tactics of a North Korean threat actor named Sharine, who compromises experts in foreign policy through sophisticated phishing techniques. The talk focuses on social engineering strategies rather than technical malware details, revealing how Sharine gains access to email accounts to understand geopolitical strategies. Lancaster shares real-world phishing examples, the use of malware like SHARPEXT, and the challenges of detecting and mitigating such persistent threats.
Takeaways
- The North Korean threat actor 'Sharine' compromises experts, particularly in foreign policy, through sophisticated phishing techniques.
- Tom Lancaster's company, Volexity, is known for memory forensics and offers commercial solutions around the Volatility framework, as well as network security monitoring and threat intelligence services.
- Sharine's primary goal is to gain access to a user's mailbox to collect information, often using credential theft or malware deployment.
- The attackers are interested in uncovering the actual 'red lines' of countries like the United States, European Union, and South Korea regarding North Korea.
- Once a user's email data is stolen, it is repurposed to craft targeted phishing attacks on other users, leveraging the stolen information.
- Sharine is adept at social engineering, understanding and subverting the typical workflow of their targets to make phishing attempts seem normal and urgent.
- The threat actor is known for spending time building a rapport with targets through email conversations before delivering any malware.
- Examples of targeted phishing include requests for conference submissions, organizing meetings, and writing papers, all leading to malware delivery.
- The use of password-protected files on platforms like OneDrive has become prevalent to avoid detection by cloud providers.
- Sharine has transitioned from using compromised websites to self-registered ones to make their phishing attempts appear more legitimate.
- The malware payload is often a variant of 'Baby Shark', a VBScript-based malware known for its alphabet-swap encoding function.
Q & A
Who is Tom Lancaster and what is his role at Volexity?
-Tom Lancaster is the threat intelligence lead at Volexity. He is responsible for analyzing and discussing threats, particularly focusing on the North Korean threat actor known as Sharine in the talk.
What is the primary focus of Tom Lancaster's talk at the conference?
-Tom Lancaster's talk focuses on the social engineering and phishing techniques used by the threat actor Sharine to compromise experts in the field of foreign policy, rather than the technical aspects of malware or exploits.
What is the significance of the Volatility framework in the context of Volexity?
-The Volatility framework, a memory forensics tool, is significant to Volexity because the people who wrote it primarily work for the company. Volexity now sells commercial solutions built around it.
What is Sharine and how is it related to North Korea?
-Sharine, also referred to as Sharp Pine or Sharp Tongue, is a North Korean threat actor that has been active since around 2012. They are known for using various malware families to compromise targets.
What is the main objective of Sharine when compromising a user's system?
-Sharine's main objective is to gain access to a user's mailbox, as emails are a primary source of sharing sensitive and valuable information, especially in the realm of politics and NGOs.
How does Sharine typically gain access to a user's mailbox?
-Sharine gains access to a user's mailbox through credential theft, often via phishing links that direct users to fake login pages, or by deploying malware that can steal credentials or directly access email data from the browser.
What type of targets does Sharine primarily focus on?
-Sharine primarily targets think tanks, NGOs, educators, journalists, and government entities, particularly those in the United States, South Korea, and European Union countries, who are involved in foreign policy and North Korea matters.
How does Sharine use compromised email data to further their attacks?
-Sharine repurposes compromised email data to craft convincing phishing emails targeting other users. By understanding the communication patterns and relationships between individuals, they can create more effective and personalized phishing attempts.
What is the significance of the 'SHARPEXT' malware mentioned in the talk?
-SHARPEXT is a piece of malware that operates within Google Chrome or any Chrome-based browser. It is significant because it steals mail data directly from the user's browser session, bypassing some security measures.
What challenges do threat actors like Sharine pose to individuals and organizations in terms of security?
-Threat actors like Sharine pose challenges by using sophisticated social engineering techniques and relentless targeting. They can compromise personal and work devices, making detection difficult, and once a system is infected, it is unlikely to be fully cleaned without human intervention.
What strategies can be used to mitigate the threat posed by Sharine?
-Strategies to mitigate the threat include building a relationship with targeted users, educating them on the signs of phishing, and encouraging them to report suspicious activities. Additionally, closely monitoring and securing personal email usage on work devices is crucial.
Outlines
Introduction to Sharine: North Korean Threat Actors
The speaker, Tom Lancaster, introduces the topic of Sharine, a North Korean threat actor group, focusing on their social engineering tactics to compromise experts in foreign policy. He highlights the group's use of phishing techniques to install malware, contrasting this with the more technical talks at the Virus Bulletin conference. Tom's company, Volexity, is known for memory forensics and threat intelligence, with a customer base in the U.S., particularly NGOs. The talk aims to explore the attackers' motives, social engineering methods, infrastructure, and the malware they use, emphasizing the group's interest in political strategies and confidential information regarding North Korea.
Sharine's Targeting and Phishing Strategies
This section delves into Sharine's targeting preferences, focusing on think tanks, educational institutions, and government entities, particularly in the U.S. and South Korea. The attackers exploit the common practice of using personal email for work-related communications, making it a prime target for their phishing attacks. The summary outlines the group's social engineering prowess, noting their ability to mimic legitimate interactions and build trust with targets over time before delivering malware, a strategy that sets them apart from other threat actors.
Real-world Phishing Examples and Attacker Workflow
The speaker provides real-world examples of Sharine's phishing attempts, illustrating how they initiate contact, engage in seemingly normal conversations, and eventually lead targets to click on malicious links or open infected documents. These examples include organizing fake meetings, requesting papers for submission, and using social pressure to prompt immediate action. The summary emphasizes the attackers' patience and their ability to subvert typical user workflows to increase the likelihood of successful infections.
Countermeasures and the Challenge of User Behavior
In this part, the speaker discusses the difficulty of detecting and countering Sharine's attacks, especially when they target personal devices used for work. He points out that users are unlikely to change their behavior and that once a device is compromised, it is challenging to clean without human intervention. The summary stresses the need for a proactive approach, including educating users and building relationships to facilitate the reporting of suspicious activities.
Infrastructure and Malware Analysis
The speaker shares insights into Sharine's infrastructure, including their use of compromised and self-registered websites for phishing campaigns. He also discusses the payload delivered by the attacks, which is often a variant of the 'Baby Shark' malware, known for its unique alphabet-swap encoding function. The summary explains the malware's functionality and its effectiveness in evading detection by mimicking normal user activity within web browsers.
Conclusion and Outlook
The final paragraph wraps up the discussion by emphasizing the persistence and resilience of Sharine's tactics, highlighting their relentless targeting of individuals and the difficulty in detecting their activities on personal devices. The speaker concludes with the grim outlook that automated solutions are unlikely to resolve infections and stresses the importance of human intervention and user education in mitigating the threat posed by groups like Sharine.
Keywords
Threat Intelligence
Social Engineering
Phishing Techniques
Malware
Credential Theft
SHARPEXT
Advanced Persistent Threats (APT)
Phishing Emails
Red Line
C2 Management
Baby Shark Malware
Human Intervention
Highlights
Tom Lancaster, the threat intelligence lead at Volexity, discusses the North Korean threat actor 'Sharine' and their tactics in compromising experts in foreign policy through phishing.
The talk focuses on social engineering and phishing techniques rather than technical aspects of malware or exploits.
Volexity's background in memory forensics and their commercial solutions around the Volatility framework are highlighted.
The company's network security monitoring and threat intelligence services have a significant customer base in the US NGO sector, including think tanks.
Sharine, also known as Sharp Pine, is a North Korean threat actor active since 2012, known for using various malware families.
The primary goal of Sharine is to gain access to a user's mailbox to monitor the sharing of sensitive information in politics and NGOs.
Credential theft and malware deployment are the two key methods used by Sharine to access user mailboxes.
The attackers aim to understand the strategies and red lines of the US, EU, and South Korea regarding North Korea.
Sharine is adept at repurposing stolen mail data to target other users, making them highly effective at social engineering.
The talk provides real-world examples of phishing attempts, including targeting personal webmail over corporate accounts.
Attackers subvert typical user workflows, understanding and mimicking the daily operations of their targets.
The willingness of Sharine to invest time in building a conversation before delivering malware sets them apart from other threat actors.
Examples of social engineering include organizing fake meetings, asking targets to write papers, and using compromised websites for phishing.
Volexity has been able to insert itself into phishing conversations and even engage with attackers to gather intelligence.
The use of password-protected files on platforms like OneDrive has become prevalent to avoid easy detection by cloud providers.
A unique insight into C2 management by Sharine was gained when Volexity was given access to a compromised server, revealing their logging and ban list tactics.
The payload delivered by Sharine is often a variant of the 'Baby Shark' malware, characterized by a specific VBScript function.
SHARPEXT, a browser extension malware, allows attackers to steal mail data by bypassing webmail provider detection mechanisms.
The persistence of Sharine in targeting individuals and the difficulty in detecting infections on personal devices are highlighted as significant challenges.
The importance of human intervention in remediating infections and the need for a change in approach to deal with persistent threats are emphasized.
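As an added example (not code from the talk or from Volexity), the following Python check looks for the lure pattern the talk describes: a link whose visible label claims Google Drive or OneDrive while its real destination is attacker infrastructure, or a displayed URL that hides a different host. The service host allow-list and the sample message are assumptions constructed for this illustration.

```python
"""Flag e-mail links whose visible label claims a file-sharing service that the
link does not actually go to (a "Google Drive" link hosted on attacker
infrastructure, as in the meeting lure described in the talk).
Added example; the allow-list and the message below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Services the lures impersonate and the hosts that legitimately serve their
# share links. Assumed starting allow-list; extend it for your own tenant.
SERVICE_HOSTS = {
    "google drive": ("drive.google.com", "docs.google.com"),
    "onedrive": ("onedrive.live.com", "1drv.ms", "sharepoint.com"),
}

# Constructed sample body (not a real Sharine e-mail): one genuine OneDrive
# link, one "Google Drive" label pointing elsewhere, one displayed URL that
# differs from the real href. 203.0.113.0/24 is a documentation range.
SAMPLE_HTML = """
<p>The meeting is tomorrow. The list of attendees is here:
<a href="https://files.attacker-infra.example/attendees.docx">Google Drive link</a></p>
<p>Our guidelines and code of ethics are on OneDrive (password sent separately):
<a href="https://1drv.ms/u/s!constructed-share-id">guidelines.zip on OneDrive</a></p>
<p>Register your IP here:
<a href="http://203.0.113.10/login">https://drive.google.com/file/d/abc/view</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join(" ".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, label))
            self._href = None


def host_belongs_to(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def claimed_service(label):
    """Which impersonated service, if any, the visible link text names."""
    label = label.lower()
    for name in SERVICE_HOSTS:
        if name in label:
            return name
    return None


def find_mismatched_links(html_body):
    """Return (href, label, reason) for every link whose label misleads
    about its destination."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, label in parser.links:
        host = urlparse(href).hostname or ""
        # Case 1: the label names a service but the URL goes somewhere else.
        service = claimed_service(label)
        if service and not host_belongs_to(host, SERVICE_HOSTS[service]):
            findings.append((href, label, f"label claims {service}, host is {host}"))
            continue
        # Case 2: the label is itself a URL whose host differs from the real
        # target (a displayed drive.google.com address hiding another host).
        shown = re.match(r"https?://([^/\s]+)", label)
        if shown and shown.group(1).lower() != host.lower():
            findings.append((href, label, f"shown host {shown.group(1)}, real host {host}"))
    return findings


if __name__ == "__main__":
    for href, label, reason in find_mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {reason} -> {href} (label: {label!r})")
```

Run it over the HTML part of a suspect message; the genuine OneDrive link in the sample passes, while the two misleading links are reported with the reason.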
Transcripts
Hi everyone, my name is Tom Lancaster. I'm the threat intelligence lead at Volexity, and today I'm here to talk to you about a North Korean threat actor that we call Sharine, and it's about how they basically compromise experts, particularly in the field of foreign policy, through clever phishing techniques. So a lot of the talks at this conference are highly technical and they're about the ins and outs of how malware works, or particular exploits. This talk does not touch on those things. Ironic for a talk at a conference called Virus Bulletin, there is very little discussion of viruses. Instead we're going to focus on the social engineering and the phishing that these hackers do to install the malware, which ultimately is what they want to do.

So, a little bit of quick background about the company I work for, Volexity. You might be like, hey, how does Tom have access to so much cool stuff? And to know that you've got to understand a little bit about Volexity. The main reason you may know about the company is from a memory forensics perspective, so the people who wrote the Volatility framework primarily work for Volexity. Now we sell commercial solutions around that, Surge and Volcano. We also do network security monitoring and threat intelligence, and the network security monitoring part of the business in particular has a reasonably good customer base in the United States, particularly in the NGO sector, so think tanks, places like that. And the stories I'm going to share with you, the examples I'm going to share with you today, come from our kind of monitoring of customer networks, engaging with customers in that space.
But before we can get to the kind of interesting phishing techniques the attacker is using, we've got to do some kind of legwork together. So we're going to talk a little bit about who the attackers are, what they want and why they want it. Then we're going to talk about the social engineering and phishing techniques that the attackers use, and then there's a little bit about the infrastructure, some unique insights we have had in the past, in particular into how the attackers managed that infrastructure, some quick overview of the malware, and some outlook and thoughts about what this kind of means for people who are targeted by this threat group.

So who is Sharine? So, Sharp Pine, Sharp Tongue: you may have realized that the agenda is not the same as what I'm going to use in the slides today, and that's because in the summer of 2023 my organization decided to change all of these threat actor names. So you can basically ignore the difference between the two, they are the same, do not worry, and we can now move on, satisfied that that issue is resolved. So they're a North Korean threat actor active since around 2012. They use a swathe of different malware; if you read the APT43 report there's like 100 malware families listed. The most common ones that we see are listed there, and they've got an innumerable number of aliases, just like every other threat actor that people talk about. Yeah, if you've read about any of these malware families or these threat actor names before, you'll have a rough idea of what I'm talking about. And for the particular stuff we're
looking at today, I think it's interesting for any threat actor to think about what success looks like for them, and for this threat actor success ultimately looks like access to a user's mailbox. Sometimes they'll go after other data on the user's machine, but predominantly what they want is the email, because the email is where people are sharing the most interesting information with their peers, particularly in kind of politics and the NGO space. And the way that they get access to a user's mailbox is through two kind of key things. One is credential theft, so that's: I send you an email, and eventually maybe there's a phishing link, and that phishing link takes you to a login page for some service, whether it's like your actual work email, Gmail, whatever it might be, and then you enter your credentials and, hey presto, the attacker has access. And that's becoming less common for this attacker as a way of doing things, maybe because of adoption of 2FA, maybe for other reasons. And the second kind of key way they could do this is through use of malware. So they can deploy any number of malware families, and they could use like a keylogger to steal all of the user's passwords, and they also have a very clever piece of malware that works within Google Chrome or any Chrome-based browser, called SHARPEXT, which steals the mail from the context of the user's browser.

And the key outcomes for the attacker are basically they want insights into what the United States, some European Union countries and South Korea are going to do regarding North Korea. So the types of people they're targeting, and the information that those individuals hold, is likely to be key in times of like negotiations and red lines. So the United States might say one thing in public about their particular stance on what North Korea might do in one scenario, but behind the scenes the United States might actually have like a different red line. Like they say, if you cross this line we'll punish you, but actually the red line might be much, much deeper, and the attackers are interested in knowing what the actual red line is, not the one you say.

And the second unique outcome, or kind of thing that I don't think I really hear a lot of other people talk about, is that having stolen one user's mail data, they are very good at repurposing that mail data to phish other users. So by phishing one user they gain great insight into what would make good phishing material or conversation material to attack a different user. And to really kind of hammer home the like publications, you might have read about the same type of thing; there are a number of those in the public domain. So from Google Mandiant, I think the huness article on the left-hand side there is a really good example of what you'll find if you find a user who's been compromised by this group. So yeah, I think there's a lot of previous reporting you can get your hands on. Sometimes we're able to gain insights
into the types of target the group have, not just within our own customer base but outside of our customer base. And the data in this slide and the next one comes from just one wave of emails, but we think it's relatively representative of the types of targets that this group is attacking. So you can see predominantly it's kind of think tanks, NGOs on the left-hand side; the next bar is education, so there are professors at universities who are essentially experts in North Korea; and there are various kind of journalists and government entities as well. And in terms of where those people live, a lot of them are in the United States, they're probably considered one of the key kind of influences in global politics regarding North Korea, and then there's obviously South Korea, which is probably also a very key issue for the North Koreans, and then a smattering of kind of countries around the world as well.

One thing that's going to come up a couple of times in this talk is the differential between targeting a user's personal webmail and their corporate accounts. So many of you in the room might think it's ludicrous that you would use your personal email to talk about work stuff; however, for a lot of the targets of these attacks that is not the case, that is actually the status quo. So particularly if you're a person who is a professor at one university, you also hold a board position at another place, you end up having like five or six emails related to your work, and what you don't want is to log into five or six places. So what these professors and these other kind of professionals and experts do is they try to manage all of their email in one place, which is their personal email, and log into their work email as little as possible. And Sharine are very good at taking advantage of this. So once they figure out, like, someone's... my work email might be T Lancaster at volexity.com, but if they figure out that my personal email is like, I don't know, T Lancaster at h.com, they'll target that preferentially, because ultimately that's where the best data is.

So I said at the start of this
talk that this talk is primarily about social engineering and phishing, and so that's what we're going to come on to now. And I think this is a topic worthy of discussion, because Volexity tracks a number of different threat actors distributing like different malware, and some of those threat actors are very high sophistication, some of them very low, and when it comes to social engineering, Sharp Pine are relatively good, they're at the top end of the spectrum I would say, whereas other threat actors might have the best malware in the world, but if they can't convince the user to install it, or if they don't have an exploit, they're out of luck. And basically what it boils down to is that Sharine subvert a typical user workflow. So they have a real understanding of how the people they're targeting work on a day-to-day basis. So a typical scenario for somebody who might be targeted is they might receive an email out of the blue; this is something that would happen to them every day. They'll receive an email out of the blue from a webmail account, and they'll say, hey, I'm a journalist working at this newspaper, I'd like to interview you on the subject of North Korea-China relations. And that is a normal thing to happen to them, and so the target might reply and say, oh yeah, sure, I would love to do the interview. And then they might say, oh, I'm going to ask you these questions, and they'll send them the questions document, which is going to contain the questions that I'll ask you during the interview. And all of this is normal, and so the target is quite happy to open the email, and the attackers understand this.

And the reason they understand this is because they have been doing this for a long time. They've read a lot of email between these people and so they understand what the conversations look like, and they're able to take those conversations and basically replay them back to a different user and get success. And unlike a lot of attackers, the final point is that they're willing to spend time building a conversation. So if you ever talk to a user about what phishing looks like, you might often say, oh, you'll receive an email and it'll contain a suspicious link, but what you won't say is you'll talk to this person for a month and then at the end of that month they will send you a suspicious link. Nobody is taught to identify phishing that way.

So in the top left of my diagram
here I've got the attacker, and in the top right I've got the target, and this is just one example of how it might look. This isn't how it looks every time, and in some of the examples later we'll have cases where the attackers didn't wait for so long, but this is something that can genuinely happen. So the attacker can send an email on day one and it contains no malicious content whatsoever; it just says hello, I'm looking to make a contact, and so on and so forth. The target replies, the attacker replies, this can go back and forth for a while, we can talk about different things, and then eventually the hook is that they're going to send some phishing content, and the result is that the user either has to log into a service, which is a phishing page, or they have to open a file which contains malware. Those are the two kind of end games, but that might take a long time to get to.

And what they've done very well is they've got these two kind of phishing principles that I think are kind of key to their operations, and I think a lot of attackers are very good at the second one. So I think in the previous slides there was an example of like, you've got to respond to this RFQ, it's like a you-have-to-do-this-now, and so a lot of like commodity spam is very good at making people feel time-pressured into responding to a phishing message. But what commodity phishers are less good at doing is making people feel comfortable about responding to that, and by engaging in that conversation first the attackers are able to make people feel not only comfortable but feel like they have to do it now.

And so now I've got a series of examples of real-world phishing examples from this group that hopefully illustrate the points I've been trying to make.

So we'll start with the simplest
possible case, which is sharing a document. So the font's a little small, so I'll just kind of explain what's happening in the emails. On the left-hand side the attacker sends an email to the target and it says, hello, did you receive my email from three days ago? And the gotcha is that there was no email three days ago; this is just to see if the person is willing to reply. And then in the second screenshot the target has replied and said, no, I didn't receive your email, what was it about? And then they say, oh sorry, here it is again, and they create an email that looks like it's being forwarded again, and it contains a link to OneDrive which is hosting the malware file. And this is the kind of simplest ruse that the attackers will use.

Stepping things up to be a little bit more... maybe you think it's kind of lame, that's not what he described. I think this is more along the lines of the type of thing you might have been expecting. So in this case the attacker poses as a researcher at the KINU, which is the Korean Institute for National Unification, a Korean think tank that's focused on making sure, or trying to make, unification happen in Korea. And they say, hello, I would like you to submit to an upcoming conference. This is a real event that's happening. Please could you give me an idea of the paper you'd like to submit, and your abstract? And the target replies and says, hey, yeah, I'd like to submit, and so on, and they have a little bit of a conversation, and eventually the target says, oh, what would you like me to submit about, what topics do you need covered? And the attacker says, thank you so much for accepting our invitation, we'd like you to choose your paper's topic, but please review our guidelines and code of ethics, and they are once again hosted on OneDrive, with a password this time. And generally password-protecting the content on the OneDrive, or whatever it is, has become much more prevalent for the threat actor, and I figure that's because they were being kind of thwarted by attempts by Microsoft to detect their malware on OneDrive and other platforms. So now they simply password-protect it, meaning the cloud providers are unable to easily detect their malware being hosted there.

Possibly the best example I have
is an example where the attacker proposes an in-real-life meetup between the attacker, the target and a third party. So in this example the attacker says, hello, I am a government official at the embassy of South Korea in Washington DC, and our target also lives in Washington DC but does not know this person. And they say, I'd like you to organize a meeting. They're asking for an introduction, because they know that our target knows another person who is visiting Washington DC from South Korea. This is a relatively informed attacker here who wants to organize a fake in-real-life meeting between these three people and asked for a proposal of a date. They exchange a number of emails over the course of a week, maybe more, and they agree a time and a place for this in-real-life meeting to take place. And you might be wondering how they can convert this into a malware infection. And just one day before the meeting the attackers say, oh, by the way, here's the list of the other people that will be attending the meeting, please click on this Google Drive link, which actually, I think the font's a little small, but it's not hosted on Google Drive at all; it's hosted on attacker infrastructure in this case.

But in this case the attacker has done something fairly outlandish. I could never have guessed that an attacker would ever try to organize an in-real-life meetup to facilitate a phish the day before, and by doing it the day before they really make sure the attacker has to click it, I mean the target has to click it, that day, because they need to know the information before the next day. And because there's no malicious content in any of the emails leading up to this, we only are able to kind of piece this back together on the final phish. So on the final day we're able to find the phish, but then all the stuff coming before, we're completely blind to.

Another example of a kind of technique that we've seen used more than once is asking people to write a paper. So in this case the attacker says, hello, I'm a researcher at the Sang Institute, which is a Korean think tank, and says, could you please write a 1,200-word piece for our website on China and North Korea relations, and they set them a deadline by which to do so.

And because this is not an
out-of-the-ordinary request, these experts are frequently asked to give opinion articles for various news outlets, and so that is exactly what the target does. The target spends a few hours writing a long, long-winded opinion piece about the current state of China-North Korea relations and sends it to the attacker. And the attacker says, thank you, before publishing this on our website I'd like you to review the comments I've made on your document, could you please review them? And then once more, you guessed it, it's a OneDrive link, and the OneDrive link has a password, and within that is the malware.

So to recap the kind of workflow that the attackers have here: they ask the user to do something they would usually do for work, they maybe engage them in a little bit of conversation beforehand, the user does that thing, and then the user gets something back from the attacker, and that thing is the malware. And essentially often it's a document, but there are other formats used as well, but essentially all that stands between the user being compromised and not is the Enable Content bar in Microsoft Word.

So all the examples so far took place with real users, but in some cases Volexity has been able to insert itself into the phishing conversation and try to get phished ourselves.

So because of the kind of
workflow that this attacker and some
others use if you identify the fish
early on it's kind of disappointing
because you don't get any malware which
is maybe what you're interested in and
so in those cases we will often ask the
users who are targeted to actually
follow along in the conversation and
engage with the attacker until they
actually give them the malware but
sometimes the users are not confident
with that and they don't want to talk to
a hacker is kind of the way they're
thinking of it and in those cases
sometimes we say okay well if you don't
want to talk to the hacker perhaps you'd
be willing to introduce them to us and
we'll create like some kind of fictional
identity either at the organization or
on web mail and that's what we've done
here. And here we're talking to Melanie, who is the attacker, and Melanie says she works for NK News, which is a North Korea-specific news website. We've been talking to Melanie for a while now, and eventually she says there's kind of a security problem with the NK News accounts, which we've told her we have, and she says you need to register your IP to keep your account secure by visiting this link. The curious thing here is that the link she sent is to the real NK News website, but it's just a 404, because this page doesn't exist. So we kind of play along, we say, oh Melanie, this link doesn't exist, and she says, oh sorry, I didn't mean to make a mistake, here's the real link. And link number two is the one that phishes for your NK Pro credentials. Now unfortunately in this case we don't actually have a subscription to NK News, so we cannot continue playing along, so we simply tell her that when we open up the page it says that the page is malicious, like the Chrome "this is an unsafe website" page, and we say, oh, maybe you should scan your website. And Melanie says, don't worry about that, that's okay, just send me your username and password and I'll sort it out for you. So if all else fails, the attackers are perfectly happy just to ask for your username and password, and presumably they do this on the basis that they've been successful with it at least
once.

In terms of infrastructure, there is kind of a broad summary that I can give you, which is that in the past they often used compromised websites, particularly for the phishing campaigns I've described, whereas today often they're using websites they've registered themselves, and I figure this is mainly around making their phishes look better, so that the URLs the users see, if they were to look at them, look close to real organizations. So those are some of the organizations that they've impersonated recently, in the bottom right: they're a mixture of US, Korean, educational and news kind of organizations. But looking at that older cluster,
we have kind of one interesting story to share, which is around C2 management. So I don't know how many of you work in the kind of... or how many of you have ever tried to tell somebody you do not know that their website is compromised, but generally it is a fruitless task, because you will tell them that their website is compromised and they will assume that you were the one who did it somehow, and therefore they will not engage with you. But in 2019 we tried our luck and we contacted a large range of compromised websites, explaining that their websites were compromised and in use by attackers: could we help you clean it up? And we struck gold in one case: the website owner looked us up, figured out we were probably legitimate, and gave us root SSH access onto their web server, and we were able to basically do whatever we wanted for a period of around a month, and then we cleaned it up after that and we notified everybody we could see was compromised through that particular compromised website. And there were a few interesting things we learned about the way the attackers did stuff on the C2 that may be worth
sharing. So the first is around logging. If you're a threat researcher and maybe you interact with C2s every so often, I think this is an interesting thing about what even a relatively low technical skill threat actor is doing regarding logging of requests to their C2. So let's say it's a WordPress site and they've compromised suite.com's WordPress content, and they'll have all of their files buried like five directories deep, and if you make a request in that root directory they will just log your request, your IP and your user agent, and put it in a file. And what we would see them do is periodically they would review that file, copy lists of IPs from it and add them to the ban list, and if your IP or user agent got added to the ban list, no matter what your request, you were given a 404. And so it was a way for the attackers to try and stop people monitoring their activity.

And the second thing that I'm going to use in the slides (there's more detail in the paper) is around help.txt. So what the attackers would do is, because it's a compromised website, they would upload a zip file for every attack. So if they were going to phish Virus Bulletin, for example, they would create a folder called VB, and in VB they would dump VB.zip, they would unzip it, and then there would be all of the files that they were planning to use in that particular campaign. But the interesting aspect, at least in 2019, is that each zip file contained a file named help.txt, and help.txt explained to a user how they would use the different files and how they're all meant to link up. And to me this strongly suggests that the malware author is not the operator, which is an interesting thing to know in terms of this type of
thing.

There isn't a lot of time for malware talk, we're 25 minutes in, but we'll do a little bit. So you might be wondering what the payload delivered is, and more often than not it is a variant of what is called the BabyShark malware, which was documented by Palo Alto in 2019. And although it has been given kind of a name and description in that paper, in practice the industry uses it to describe any malware that uses this function. So it's a VBScript function that does an alphabet swap, and those scripts have varying functionality: sometimes they perform some reconnaissance on the host, sometimes they simply download and execute a file, and they do it using different mechanisms. But generally speaking it seems to me that the industry has settled on "this decoding mechanism means BabyShark", which is fine by me.

And I think it's actually quite a clever piece of encoding in terms of how it does the work. So it's got that encoding function, it's got a big blob of text, and it executes the blob of text, which could contain anything. But I'm not really sure if there's any other attacker who is doing this particular type of encoding, so if you take the string "hello world" I think it's worth explaining how it would work. It transposes it into a matrix, which can be of any size, but in this case they chose a length of three, and if you go down the columns you can see it's spelling "hello world", and then it simply joins the columns back up horizontally, and that's how you get the string on the right, which is the encoded text, and it performs the reverse operation the other
way.

And beyond that, what you get is quite a lot of different malware that is too much to describe in one talk. Suffice to say that when we investigated one compromised device in 2022 we found five different one-line scripts, all of which were completely different, which aimed to download and execute some remote content, Miss Daisy, and then SharpExt, which is the most important one from my point of view. So SharpExt really helps them actually achieve their goal: they want to steal mail data, and SharpExt uses the unique position of being an installed browser extension to do that. And essentially what it means is, when the user opens their browser and they have this malware installed, the extension will log into their Gmail as though it were in the browser, it will read all the email as though it was inside the browser, and send it to the attacker. And so the key thing here is that one of the main things that stops these attacks from being successful is that the big webmail providers, whether it's Google, AOL, Microsoft, are looking for kind of erroneous patterns in terms of activity to these mailboxes, and then they can alert those users about suspicious activity. But by doing it from within the context of the browser extension, the attackers are able to just completely remove all that, because from the big webmail providers' point of view it just looks like the user is accessing their webmail from the correct IP using the correct user agent. And so it's relatively good at avoiding that kind of detection.

In terms of the outlook and
what people can do to identify this, I have a couple of thoughts. So I think people talk about APTs, advanced persistent threats, but SharpTongue might not be so hot on the A, but they are very hot on the P. So they are very good at taking a target, figuring out who they talk to, who they already know, who they don't know, so they can figure out who to impersonate when they talk to that person, and they target those people again and again, relentlessly. And maybe you think none of the examples I showed you in terms of phishing emails are going to fool you, but if you receive three emails a week like that for a whole year, eventually one of them is going to slip through the cracks, especially when you consider that this is quite close to a normal interaction for these
people. And there are very few threat actors that we know about that take time to invest in a conversation before delivering any malware; most threat actors are just happy to send the malware straight away, or after one or two messages. There's only maybe, I can count on one hand, the number of actors that we track that would do 10, 12 messages before sending anything.

Targeting users' personal devices and email makes detection difficult. So a lot of the time we'll find an infection from this group amongst our customer base, and when we trace down the root cause we'll figure out that the user used their personal webmail on their work laptop, and so we had no visibility of any of the emails, we just see the malware that ends up there, and we have to retrace all of the phishing that took place before. And it's even more difficult on personal devices: so sometimes the entire activity takes place off network, but then the user comes in, uses the guest Wi-Fi in the work setting, and then gets picked up that
way. And this makes it difficult not just for us but for governments who are actually wishing to identify and notify users as well. So if you think about, like, the NCSC in the UK trying to notify various North Korea experts, that type of problem is also more difficult, and this is a real risk in sectors where personal device use for work is common. You might think the users should change, but if you're working in security and you still think the users should change, I've got bad news: the users are not going to change. You just have to change your workplace to try and deal with it.
And essentially, once a user is compromised, we relatively firmly believe that no automated solution will fix things. So most of the time the users that get compromised have some AV installed, and maybe the AV catches four of the seven malware families, which would be a not bad result. The problem is that there are still three malware families remaining; the next day the attacker will just go and install three more, and keep a very high number of malware families running concurrently, or running on a schedule each day to download a new payload. And we think it's very unlikely that once infected a machine will ever be truly made clean without human intervention, which is excellent from the attacker's point of view. And essentially the only way that we've really been able to mitigate this is by working closely with users. So often the specific users that get targeted are targeted again and again, and we're able to build a relationship with them, explain what this looks like, make them feel comfortable reporting it, things like
that.

All right, that's all I have for today. Thank you for your time.
[Applause]
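The column-transposition encoding the talk walks through for "hello world" (write the text down the columns of a matrix with a chosen number of rows, then read the matrix row by row), modelled in Python as an added example. This is not Volexity's code and not the real BabyShark VBScript; the "alphabet swap" the speaker mentions is not described in the talk, so it is left out. The `guess_rows` helper, the sample payload string and the row count of 7 are assumptions constructed for the demonstration, not taken from any sample.

```python
import math

# Added example: a Python model of the column-transposition step described
# in the talk (not Volexity's code, nor the actual BabyShark VBScript).
# The real samples also apply an "alphabet swap" that the talk does not
# detail, so that step is deliberately not modelled here.


def transpose_encode(plaintext: str, rows: int = 3) -> str:
    """Write the text down the columns of a matrix with `rows` rows,
    then read the matrix row by row.

    "hello world" with rows=3 becomes the columns
    hel / lo  / wor / ld, whose rows read "hlwl", "eood", "l r".
    """
    if rows < 1:
        raise ValueError("rows must be >= 1")
    columns = [plaintext[i:i + rows] for i in range(0, len(plaintext), rows)]
    # The last column may be shorter than `rows`, hence the `r < len(col)` guard.
    return "".join(col[r] for r in range(rows) for col in columns if r < len(col))


def transpose_decode(encoded: str, rows: int = 3) -> str:
    """Reverse of transpose_encode: split the encoded text back into its
    rows (when the last column is ragged, the first `len % rows` rows are
    one character longer than the rest), then read down the columns."""
    if rows < 1:
        raise ValueError("rows must be >= 1")
    n = len(encoded)
    if n == 0:
        return ""
    ncols = math.ceil(n / rows)
    remainder = n % rows
    long_rows = rows if remainder == 0 else remainder
    row_strings = []
    pos = 0
    for r in range(rows):
        length = ncols if r < long_rows else ncols - 1
        row_strings.append(encoded[pos:pos + length])
        pos += length
    return "".join(
        row_strings[r][c]
        for c in range(ncols)
        for r in range(rows)
        if c < len(row_strings[r])
    )


def guess_rows(encoded: str, marker: str, max_rows: int = 64):
    """Hypothetical analyst helper (an assumption, not from the talk): the
    row count is the only parameter, so brute-force it by decoding with each
    candidate and looking for a string any VBScript payload must contain.
    Returns the first matching row count, or None."""
    for rows in range(1, max_rows + 1):
        if marker in transpose_decode(encoded, rows):
            return rows
    return None


if __name__ == "__main__":
    # Constructed sample, not a real payload.
    sample = 'Set o = CreateObject("WScript.Shell")'
    blob = transpose_encode(sample, rows=7)
    print(transpose_encode("hello world", rows=3))   # hlwleoodl r
    print(guess_rows(blob, "CreateObject"))          # 7
    print(transpose_decode(blob, rows=7) == sample)  # True
```

In a real script the row count is hard-coded next to the blob, so `guess_rows` only matters when you have the encoded text on its own, for example carved out of a proxy log; the marker should be something the payload cannot avoid, such as `CreateObject` or `WScript`, rather than a string the operator could rename.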