SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)
Summary
TLDR本次演讲由Lexity的威胁情报负责人Tom AER主讲,深入探讨了名为Sharine的朝鲜威胁行动者如何通过巧妙的网络钓鱼技术,特别是针对外交政策领域的专家进行攻击。演讲重点介绍了社会工程和网络钓鱼手段,而不是传统意义上的恶意软件工作原理。通过分析攻击者的目标、手段和基础设施,以及分享实际案例,揭示了Sharine如何获取并利用电子邮件数据,以及这对目标群体意味着什么。
Takeaways
- 🔍 威胁情报专家Tom AER介绍了一个名为Sharine的朝鲜威胁行动者,专注于通过巧妙的网络钓鱼技术侵入外交政策专家的系统。
- 🎯 Sharine自2012年以来活跃,使用多种恶意软件家族,主要目标是获取用户的电子邮件,因为电子邮件中包含大量敏感信息。
- 💡 该组织通过社会工程和网络钓鱼技术,模仿目标人物的日常交流模式,以获取信任并最终实施攻击。
- 📧 Sharine擅长利用受害者的个人电子邮件进行攻击,因为许多专业人士将工作相关的电子邮件也处理在个人邮箱中。
- 🔗 攻击者使用各种策略,如假冒记者、研究人员或政府官员,通过建立对话和信任,再发送包含恶意链接或文件的电子邮件。
- 🛠️ 攻击者经常使用自己注册的网站或服务,如OneDrive或Google Drive,来托管恶意文件,并通过密码保护来避免检测。
- 🚀 通过与受害者建立长期交流,攻击者能够更好地了解目标并定制钓鱼策略,有时甚至在一个月后才发送恶意链接。
- 🔒 一旦设备被感染,攻击者会安装多个恶意软件家族,并且很难通过自动化解决方案彻底清除,通常需要人工干预。
- 🤝 与目标用户建立良好的关系并教育他们如何识别钓鱼攻击是减轻此类威胁的关键策略之一。
- 🌐 攻击者的目标不限于美国,也包括欧洲联盟国家和韩国,他们对这些地区的对朝政策和立场特别感兴趣。
- 📚 通过监控和分析攻击者的C2服务器,研究人员能够了解攻击者的操作方法,包括他们如何处理日志和帮助文本文件。
Q & A
Tom AER 是哪个公司的威胁情报负责人?
-Tom AER 是 Lexity 公司的威胁情报负责人。
SHARINE 是哪个国家的威胁行动者?
-SHARINE 是朝鲜的威胁行动者。
SHARINE 主要通过什么方式获取目标的邮箱访问权限?
-SHARINE 主要通过两种方式获取目标的邮箱访问权限:一是通过凭证盗窃,例如通过钓鱼链接诱导用户输入登录凭证;二是通过使用恶意软件,如键盘记录器或者针对Chrome浏览器的Sharp XT恶意软件。
SHARINE 攻击的目标群体主要是哪些人?
-SHARINE 攻击的目标群体主要是那些在外交政策领域,尤其是在朝鲜问题上有专业知识的专家,例如智库成员、大学教授、记者和政府机构人员。
SHARINE 为何对目标的个人电子邮件特别感兴趣?
-SHARINE 对目标的个人电子邮件特别感兴趣,因为个人电子邮件是人们分享最有趣信息的地方,尤其是在政治和非政府组织领域。
SHARINE 如何利用已经窃取的邮件数据进行进一步的网络钓鱼攻击?
-SHARINE 通过分析已经窃取的邮件数据,了解用户的交流内容和联系人,然后利用这些信息制作更具说服力的钓鱼邮件,以攻击不同的用户。
Tom AER 提到的 'baby shark' 恶意软件有什么特点?
-'baby shark' 恶意软件的特点是使用一种特定的VB脚本函数进行字母置换编码,它具有不同的功能,如执行侦察、下载和执行远程文件等。
SHARINE 如何避免被大型网络邮件提供商检测到异常活动?
-SHARINE 使用Sharp XT恶意软件作为浏览器扩展,从浏览器内部访问和窃取邮件数据,这样就能避免被网络邮件提供商检测到异常活动,因为从邮件提供商的角度看来,就像是用户正常访问自己的网络邮件。
Tom AER 认为一旦用户的设备被SHARINE感染,应该怎么办?
-Tom AER 认为一旦用户的设备被SHARINE感染,很难通过自动化解决方案彻底清除恶意软件,需要人工干预。他建议与用户紧密合作,建立关系,教育他们如何识别和报告此类攻击。
SHARINE 的攻击活动为何难以追踪和通知用户?
-SHARINE 的攻击活动难以追踪和通知用户,因为他们经常利用用户的个人电子邮件进行攻击,这些活动通常在网络之外发生,只有当用户在工作场所使用公共Wi-Fi时才可能被检测到。此外,攻击者会在受感染的设备上同时运行多个恶意软件家族,使得清除工作变得更加复杂。
Tom AER 提到的 'help.txt' 文件有什么作用?
-在SHARINE的攻击活动中发现的 'help.txt' 文件用于指导用户如何使用不同的攻击文件,以及这些文件如何相互链接。这表明恶意软件的作者是不同的人,而不是操作者。
Outlines
🔍 介绍与背景
视频脚本的第一段介绍了演讲者Tom AER,他是威胁情报领导,讨论了名为Sharine的朝鲜威胁行动者如何通过巧妙的网络钓鱼技术,特别是针对外交政策领域的专家进行攻击。他强调,尽管会议讨论的技术性内容很多,但他的演讲将专注于黑客如何进行社会工程和网络钓鱼来安装恶意软件。他还简要介绍了他所在的公司VX,以及他们如何通过监控客户网络来收集信息。
🎯 Sharine威胁行动者的目标与策略
第二段深入探讨了Sharine威胁行动者的目标、策略和使用的基础设施。Sharine自2012年以来活跃,使用多种恶意软件家族,主要目标是获取用户的电子邮件,因为这是分享最有趣信息的地方。他们通过凭证盗窃和恶意软件来获取用户邮箱的访问权限。此外,他们擅长利用已窃取的邮件数据来针对其他用户进行钓鱼攻击。
📧 钓鱼攻击的实际案例
第三段通过一系列真实世界的钓鱼攻击案例,展示了Sharine如何进行社会工程和钓鱼。他们通过模仿目标人物的日常交流方式,建立信任并最终发送包含恶意内容的电子邮件。这些攻击可能包括请求目标提交论文、组织会议或解决账户安全问题等,最终导致目标下载或打开恶意文件。
🛠️ 恶意软件分析与C2管理
第四段讨论了Sharine使用的恶意软件类型,特别是BabyShark恶意软件的变种,以及他们如何通过C2(命令与控制)服务器管理攻击。演讲者分享了他们如何与一个被攻击者使用的C2服务器的拥有者合作,以了解攻击者的操作方法,包括他们的日志记录习惯和如何使用帮助文本文件来指导用户使用不同的攻击文件。
🚨 防御与未来展望
最后一段总结了如何防御Sharine的攻击,并对未来的威胁进行了展望。演讲者强调,一旦用户被感染,就很难彻底清除恶意软件,需要人工干预。他还提到,用户不太可能改变使用个人设备处理工作邮件的习惯,因此需要改变的是防御策略,包括与目标用户建立关系,教育他们如何识别钓鱼攻击。
Mindmap
Keywords
💡威胁情报
💡社交工程
💡网络钓鱼
💡恶意软件
💡SharpXT
💡APT攻击
💡C2服务器
💡Baby Shark
💡威胁行动者
💡信息安全
Highlights
北韩威胁行动者Sharine通过巧妙的网络钓鱼技术,专门针对外交政策领域的专家进行攻击。
Sharine自2012年以来活跃,使用多种恶意软件家族,并且拥有无数的别名。
攻击者的主要目标是获取用户的邮箱访问权限,因为邮箱是分享最有趣信息的渠道。
Sharine通过社会工程和网络钓鱼技术,安装恶意软件来实现其目标。
攻击者通过长时间的建立对话关系,使受害者在不知不觉中点击恶意链接或打开含有恶意软件的文件。
Sharine擅长模仿受害者熟悉的交流模式,通过发送看似正常的电子邮件来建立信任。
攻击者会利用受害者的电子邮件数据来针对其他用户进行钓鱼攻击。
Sharine的目标群体包括智库、教育机构、记者和政府实体等。
攻击者偏好针对受害者的个人电子邮件,因为那里有最有价值的数据。
Sharine使用的一种独特恶意软件SharpXT,能够在Chrome浏览器中窃取邮件数据。
一旦设备被感染,除非进行人工干预,否则很难彻底清除所有恶意软件。
Sharine通过注册自己控制的网站来进行网络钓鱼活动,使得钓鱼链接看起来更加合法。
攻击者在C2服务器上实施了日志记录和IP黑名单策略,以避免被监测和干扰。
Sharine的恶意软件载荷通常是BabyShark恶意软件的变种,它通过字母置换来进行编码。
攻击者通过建立长期的对话关系,使得一次性的钓鱼攻击变得更加难以防范。
Sharine的目标是获取美国、欧盟和韩国对北韩政策的内部信息,特别是在谈判和划红线时的关键信息。
攻击者愿意花费时间建立对话,这种耐心在网络威胁行动者中并不常见。
Sharine通过社会工程学技巧,改变了典型的用户工作流程,使其攻击更加难以被识别。
攻击者通过发送看似无害的电子邮件开始,逐步引入钓鱼内容,最终导致用户感染恶意软件。
Transcripts
hi everyone uh my name is Tom AER I'm
the threat intelligence lead at the
lexity and today I'm here to talk to you
about a North Korean threat actor that
we call sharine um and it's about how
they basically compromise experts
particularly in the field of foreign
policy uh through clever fishing
techniques so a lot of the talks at this
conference are highly Technical and
they're about the in and ins and outs of
how malware works or like particular
exploits this talk does not touch on
those things ironic for a talk at a
conference called virus bulletin there
is very little discussion of viruses
instead we're going to focus on the
social engineering and the fishing that
these hackers do to install the malware
that ultimately is what they want to
do so a little bit of quick background
about the company I work for VX you
might be like hey how does Tom have
access to so much cool stuff um and so
to know that you've got to understand a
little bit about
VX uh the main reason you may know about
the company is from a memory forensics
perspective so the people who wrote the
vol ility framework primarily work for
vxi now we sell commercial Solutions
around that Sergey and volcano we also
do network security monitoring and
threat intelligence and the network
security monitoring part of the business
in particular has a reasonably good
customer base in the United States
particularly in the NGO sector so uh
think tanks places like that and the
stories I'm going to share with you the
examples I'm going to share with you
today come from our kind of monitoring
of customer networks engaging with
customers uh in that
space
but before we can get to the kind of
interesting fishing techniques the
attack is using um we've got to do some
kind of uh leg workor together so we're
going to talk a little bit about who the
attackers are what they want uh and why
they want it then we're going to talk
about the social engineering and fishing
techniques that the attackers use and
then there's a little bit about the
infrastructure some unique insights we
have had in the past in particular into
how the attackers managed that
infrastructure um some quick overview of
the malware and some Outlook and
thoughts about um what this kind of
means for people who are targeted by
this threat group so who is
sharine so sharp Pine sharp tongue you
may have realized that the agenda is not
the same as what I'm going to use in the
slides today and that's because in the
summer of 2023 my organization decided
to change all of these threat actor
names and so you can basically ignore
the difference between the two they are
the same do not worry um and we can now
move on satisfi that that issue is
resolved so they're are North Korean
threat actor active since around 2012 uh
they use a swath of different maare if
you read the ap43 report there's like
100 maare families listed uh the most
common ones that we see are listed there
and they've got a numerous an
innumerable number of aliases just like
every other threat actor that people
talk about um yeah if you've read about
any of these Mal families or these
threat AC nams before you'll have a
rough idea of what I'm talking
about and for the particular stuff we're
looking at today um I think it's
interesting for any tractor to think
about what success looks like for them
and for this tractor success ultimately
looks like access to a users's mailbox
sometimes they'll go after other data on
the users machine but predominantly what
they want is the email because the email
is where people are sharing the most
interesting information with their peers
particularly in kind of politics and the
NGO space um and the way that they get
access to users mailbox is through two
kind of key things one is credential
theft so that's I send you an email uh
and eventually maybe there's fishing
link and that fishing link takes you to
a login page for some service whether
it's like your actual work email gmail
whatever it might be uh and then you
enter your credentials and heho the
attacker has access and that's becoming
less common for this attacker as a way
of doing things um maybe because of
adoption of tofa maybe for other reasons
um and the second kind of key way they
could do this is through use of malware
so they can deploy any number of malware
families uh and they could use like a
key logger to steal all of the users
passwords and they also have a very
clever piece of malware that works
within Google Chrome or any Chrome based
browser called sharp XT which steals the
mail uh from the context of the users
browser and the key outcomes for the
attacker are basically they want
insights into what the United States uh
some European Union countries and South
Korea are going to do regarding North
Korea so the types of people they're
targeting and the information that those
individuals hold is likely to be key in
times of like negotiations and red lines
so the United States might say one thing
in public about their particular stance
on what North Korea might do in one
scenario but behind the scenes the
United States might actually have like a
different Red Line like they say if you
cross this line we'll punish you but
actually the red line might be much much
deeper and the attackers are interested
in knowing what the actual red line is
not the one you
say um and the second unique outcome or
kind of thing that I don't think I
really hear a lot of other people talk
about is that having stolen one user's
mail data they are very good at
repurposing that mail data to fish other
users so by fishing one user they gain
great insight into what would make good
fishing material or compensation
material to attack a different
user and to really kind of hammer home
the like Publications you might have
read about the same type of thing there
are a number of those in the public
domain so from Google Mandan I think the
huness article on the left hand side
there uh is a really good example of
what you'll find if you find a user
who's been compromised this group um so
yeah I think there's a lot of previous
reporting you can get your hands
on sometimes we're able to gain insights
into the types of Target the group have
not just within our own customer base
but outside of our customer base um and
the data in this slide and the next one
comes from just one wave of emails but
we think it's relatively representative
of the types of targets that this group
is attacking so you can see
predominantly uh it's kind of think
tanks NOS on the left hand side uh the
next bar is education so there are
professors at universities who are
essentially experts in uh North Korea
and there are various kind of
journalists and government entities as
well and in terms of where those people
live a lot of them are in the United
States they're probably considered one
of the key kind of influences in global
politics regarding North Korea and then
there's obviously South Kore
uh which is probably also a very key
issue for the North Koreans and then a
smattering kind of countries around the
world as
well one thing that's going to come up a
couple times in this talk is the
differential between targeting a users
personal web mail and their corporate
accounts so many of you in the room
might think it's ludicrous that you
would use your personal email to talk
about work stuff however for a lot of
the targets of these attacks that is not
the case that that is actually the
status quo so particularly uh if you
you're a person who is a professor at
one University you also hold a board
position at another place you you end up
having like five or six emails related
to your work and what you don't want is
to log into five or six places so what
these professors and these other kind of
professionals and experts do is they try
to manage all of their email in one
place which is their personal email and
log into their work email as little as
possible and sharine are very good at
taking advantage of this so once they
figure out like someone's my work email
might be T Lancaster of alex.com but if
they figure out that my personal email
is like I don't know T Lancaster h.com
they'll Target that preferentially uh
because ultimately that's where the best
data
is so I uh I said at the start of this
talk that this talk is primarily about
social engineering and fishing um and so
that's what we're going to come on to
now um and I think this is is a topic
worthy of discussion because vity tracks
a a number of different th actors
Distributing like different malware and
some of those Thors are very high
sophistication some of them very low and
when it comes to social engineering uh
Shar Pine are relatively good they're at
the top end of the spectrum I would say
whereas other tr actors might have the
best m in the world but if they can't
convince the user to install it or if
they don't have an exploit they're out
of luck um and basically what I would
just it boils down to is that sharine
subvert a typical user work flow so they
have a real understanding of how the
people they're targeting work on a
day-to-day basis and these people are
typically uh so a typical scenario for
somebody who might be targeted is they
might receive an email out of the blue
this is not this is something that would
happen to them every day they'll receive
an email out of the blue from a Webmail
account and that they'll say hey I'm a
journalist working at this uh newspaper
I'd like to get interview you on the
subject of North Korea China relations
and that is a normal thing to happen to
them and so the target might reply and
say oh yeah sure I would love to do the
interview um and then they might say oh
I'm going to ask you these questions and
they sh send them the questions document
which is going to contain the questions
that I'll ask you during the interview
and all of this is normal and so the
target is quite happy to open the email
and the attackers understand
this and the reason they understand this
is because they have been doing this for
a long time they've read a lot of email
between these people and so they
understand what the conversations look
like uh and they're able to take those
conversations and basically replay them
back to a different user uh and get
success and unlike a lot of attackers
the final point is that they're willing
to spend time building a conversation so
if you ever talk to a user about what
fishing looks like you might often say
oh you'll receive an email and it'll
contain a suspicious link but what you
won't say is you'll talk to this person
for a month and then at the end of that
month they will send you a suspicious
link nobody is taught to identify
fishing that that
way so uh in the top left of my diagram
here I've got the attacker and in the
top right I've got the
Target and this is just one example of
how it might look this isn't how it
looks every time and in some of the
examples later we'll have cases where
the attackers didn't wait for so long um
but this is something that can genuinely
happen so the attacker can send an email
on day one and it contains no malicious
content whatsoever it just says hello
I'm looking to make a contact and so on
and so forth the target replies the
attacker replies this can go back and
forth for a while we can talk about
different things and then eventually the
hook is that they're going to send some
fishing content uh and the result is
that the user either has to log into a
service uh which is a fishing page or
they have to open a file which contains
malware those are the two kind of end
games but that that might take a long
time to get
to and what they've done very well is
they've got these two kind of fishing
principles that I think are kind of key
to their operations and I think a lot of
attackers are very good at the second
one so I think in the previous slides
there was an example of like you've got
to respond to this RFQ it's like a you
have to do this now and so a lot of like
commodity spam is very good at making
people people feel time pressured into
responding to a fishing message but what
commodity fishes are less good at doing
is making people feel comfortable about
responding to that uh and by engaging in
that conversation first the attackers
are able to make people feel not only
comfortable but feel like they have to
do it
now and so now I've got a series of
examples of Real World Fishing examples
from this group that hopefully
illustrate the points I've been trying
to
make so we'll start with the simplest
possible case which is uh sharing a
document so um the fonts a little small
so I'll just kind of explain what's
happening in the emails um on the left
hand side the attacker sends an email to
the Target and it says hello did you
receive my email from three days ago and
the the gotcha is that there was no
email three days ago uh this is just to
see if the person is willing to reply
and then in the second case the uh in
the second uh screenshot the target has
replied and said no I didn't receive
your email what was it about uh and then
they say oh sorry here it is again and
they create an email that looks like
it's being forwarded again and it
contains a link to one drive which is
hosting the maware file and this is the
kind of simplest rules that the
attackers will
use stepping things up to be a little
bit more maybe maybe you think it's kind
of lame that's not what he described I
think this is more along the lines of
the type of thing you might have been
expecting so in this case the attack
opposes as a researcher at the kinu
which is the Korean Institute for
National unification Korean Think Tank
that's focused on making sure or trying
to make uh unification happen in Korea
um and they say hello I would like you
to submit to an upcoming conference this
is a real event that's happening uh
please could you uh give me an idea of
the paper you'd like to submit and
you're abstract and the target replies
and says hey yeah I'd like to submit and
so on and they have a little bit of a
conversation and eventually the target
says oh what would you like me to submit
about what topics you need
covered and the attacker says thank you
so much for accepting our invitation
we'd like you to choose your Pap's topic
but please review our guidelines and
code of ethics and they are once again
hosted on one drive with a password this
time and generally the password protects
the content on the uh the one drive or
whatever it is has become much more
prevalent for the thr actor and I figure
that's because they were being kind of
thwarted by attempts by Microsoft to
detect their M on one drive and other
platforms so now they simply password
protect it meaning the cloud providers
are unable to um easily detect their M
being hosted
there possibly the best example I have
is an example where the attacker
proposes an inall life Meetup between
the attacker the Target and a third
party so in this example the attacker
says hello I am a government official at
the embassy of South Korea in Washington
DC and our Target also lives in
Washington DC but does not know this
person and they say I'd like you to
organize a meeting they're asking for an
introduction because they know that our
Target knows another person who is
visiting Washington CC from South Korea
this is a relatively informed attacker
here who wants to organize a fake in
real life meeting between these three
people and asked for a proposal of a
date they exchange a number of emails
over a course of a week maybe more and
they agree a time and a place for this
in real life meeting to take take place
and you might be wondering how they can
convert this into a malware infection
and just one day before the meeting the
attackers say oh oh by the way uh could
you p uh here's the list of the other
people that will be attending the
meeting uh please click on this Google
Drive Link uh which actually I think the
font a little small but it's not hosted
on Google Drive at all it's hosted on
attacker infrastructure in this
case but in this case the attacker has
done something fairly outlandish I could
never have guessed that an attacker
would ever try to organize an in real
life Meetup to facilitate a fish the day
before and by doing it the day before
they really make sure the attacker has
to click it I mean the the target has to
click it that day because they need to
know the information before the next
day and because there's no malicious
content in any of the emails leading out
to this we only are able to kind of
piece this back together on the final
fish so on the final day we're able to
find the fish but then all the stuff
coming before we're completely blind
to another example of a kind of uh
technique that we've seen use more than
once is asking people to write a
paper so in this case the attacker says
hello I'm a researcher at the sang
Institute which is a Korean Think Tank
and says could you please write a 1,200w
piece for our website on China and North
Korea relations and they set them a
deadline by which to do
so and because this is this is not an
out of the ordinary request these
experts are frequently asked to give
opinion articles for various news
outlets um and so that is exactly what
the target does the Target spends a few
hours writing a long long winded opinion
piece about the current state of China
North Korea
relations and sends it to the
attacker and the attacker says thank you
before publishing on this on our website
I'd like you to review the comments I've
made on your document uh could you
please review them and then once more
you guessed it it's a one Drive Link and
the one Drive Link has a password and
within that is the
malare so to recap the kind of workflow
that the attackers have here they ask
the user to do something they would
usually do for work they maybe engage
them in a little bit of conversation
beforehand the user does that thing and
then the user gets something back from
the attacker and that thing uh is the
malware and essentially often it's a
document but there are other formats
used as well but essentially all that
stands between the user being
compromised and not is the enable
content bar in Microsoft
Word so all the examples so far took
place with real users but in some cases
vity has been able to insert itself into
the fishing conversation and try to get
fished
ourselves so because of the uh kind of
workflow that this attacker and some
others use if you identify the fish
early on it's kind of disappointing
because you don't get any malware which
is maybe what you're interested in and
so in those cases we will often ask the
users who are targeted to actually
follow along in the conversation and
engage with the attacker until they
actually give them the malware but
sometimes the users are not confident
with that and they don't want to talk to
a hacker is kind of the way they're
thinking of it and in those cases
sometimes we say okay well if you don't
want to talk to the hacker perhaps you'd
be willing to introduce them to us and
we'll create like some kind of fictional
identity either at the organization or
on web mail and that's what we've done
here and here we're talking to Melanie
who is the attacker and Melanie says she
works for NK news which is a North
Korean specific News website and we've
been talking for Melanie for a while now
and eventually she says there's kind of
a security problem with the NK news
accounts which we've told her we
have uh and she says you need to
register your IP to keep your account
secure by visiting this link and the
Curious Thing here is that the link that
she sent is to the real NK News website
but it's just a 404 because this page
doesn't exist so we kind of play along
we say oh Melanie this link doesn't
exist and she says oh sorry I didn't
mean to make a mistake here's the real
link and then link number two uh is the
one for that fishes for your NK Pro
credentials now unfortunately in this
case we don't actually have a
subscription to NK news so we cannot
continue playing along uh so we simply
tell her that when we open up the page
uh it says that the page is malicious
like you know that Chrome this is an
unsafe website uh page and we say oh
maybe you should scan your website uh
and Melanie says don't worry about that
that's okay just send me your username
and password and I'll sort it out for
you uh so if all else fails the
attackers are perfectly happy just to
ask for your username and password and
presumably they do this on the basis
that they've been successful with it at
least
once in terms of infrastructure uh there
is kind of a broad summary that I can
give you which is that in the past they
often use compromised websites to
particularly for the fishing campaigns
I've described whereas today often
they're using websites they've
registered themselves and I figure this
is mainly around making their fishes
look better so that the URLs that the
users see if they were to look at them
look close to real
organizations so those are some of the
organizations uh that they kind of
impersonated recently in the bottom
right so they're a mixture of us Korean
and uh educational and news kind of
organizations but looking at that older
cluster
um we have kind of one interesting story
to share which is around C2
management so I don't know how many of
you work in the kind of or how many of
you have ever tried to tell somebody you
do not know that their website is
compromised but generally is a fruitless
task because you will tell them that
their website is compromised and they
will assume that you were the one who
did it somehow and therefore they will
not engage with you but in 2019 we tried
our luck and we contacted a large range
of compromised websites explaining that
their websites were compromised and in
use by attackers could we help you clean
it up and we struck gold in one case the
website owner looked us up figured out
we were probably legitimate and gave us
root SSH access onto their web server
and we were able to basically do
whatever we wanted for a period of
around a month and then and then we
cleaned it up after that and we notified
everybody we could see was compromised
through that particular compromised
website um and there were a few
interesting things we learned about the
way the attackers did stuff on the C2
that maybe worth
sharing so the first is around logging
so if you're a threat researcher and
maybe you interact with c2s every so
often I think this is like an
interesting thing about what even a
relatively low technical skill thre
actor is doing regarding logging of
requests to their C2 so let's say it's a
WordPress site and they've compromised
suite.com WordPress content and they'll
have all of their files buried like five
directories deep and if you make a
request in that root directory they will
just log your request your IP and your
user agent and put it in a file and what
we would see them do is periodically
they would review that file copy lists
of ips from it and add them to the ban
list and if your IP or user agent got
added to the ban list no matter what
your request you were given a for for
and so it was a way for the attackers to
try and stop people monitoring their
activity and the second thing that I'm
going to use in the slides there's more
detail in the paper is around help. text
so what the attackers would do is
because it's a compromised website they
would upload a zip file for every attack
so they were going to fish a virus
bulletin for example they would create a
folder called VB and in VB they would
dump VB do zip they would unzip it and
then they would be all of the files that
they were planning to use in that
particular
campaign but the interesting aspect at
least in 9 is that each zip file
contained a file named help. text and
help. text explained to a user how they
would use the different files and how
they're all meant to link up um and to
me this strongly suggests that the maare
author is not the operator which is like
an interesting thing to know uh in terms
of this type of
thing there isn't a lot of time for
malware talk we're 25 minutes in but
we'll do a little bit and so you might
be wondering what is the payload
delivered uh and more often than not it
is a variant of what is called the baby
shark malware which is documented by
palto in
2019 and although it has given kind of a
name and description in that paper in
practice the industry uses it to
describe any malware that uses this
function uh so it's a VB script function
that uh does an alphabet swap um and
those scripts have varying functionality
sometimes they perform some
reconnaissance on the host sometimes
they simply download an execute a file
they do it using different mechanisms
but generally speak it seems to me that
the industry has settled on this
decoding mechanism means baby Shar which
is fine by
me and I think it's actually quite a
clever piece of encoding in terms of how
it does the work so it's got that
encoding function it's got a big blob of
text and it executes the blob of text
which could contain anything um but I'm
not really sure if there's any other
attacker who is doing this particular
type of encoding so if you take the
string hello world I think it's worth
explaining how it would work it
transposes it into a matrix uh which can
be of any size uh but in this case they
chose length of
three uh and if you go down the columns
you can see it's spelling hello world
and then it simply joins The Columns
back up horizontally uh and that's how
you get the string on the right which is
the encoded text and it performs the
reverse operation the other
way and beyond that what you get is
quite a lot of different malware that is
too much to describe in one talk suffice
to say that when we investigated one
compromised device in 2022 we found five
different one line of scripts all of
which was like completely different
which is download to aimed to download
and execute some remote content uh Miss
Daisy and then sharp EXT which is the
most important one from my point of
view uh so sharp EXT really helps them
actually achieve their goal so they want
to steal mail data uh and sharp EXT uses
the unique position of being an
installed browser extension to do
that and essentially what it means is
when the user opens their browser and
they have this m installed
uh the extension will log into their
Gmail as though it were in the browser
it will read all the email as though it
was inside the browser and send it to
the attacker and so the key thing here
is that one of the main things that
stops these attacks from being
successful is that the big Web Mail
providers whether it's Google AOL
Microsoft are looking for kind of
erroneous patterns in terms of activity
to use this mailboxes and then they can
alert those users about suspicious
activity but by doing it from within the
context of the browser extension um the
attackers are able to kind of just
completely remove all that because from
the big Web Mail providers point of view
it just looks like the user is accessing
their web mail from the correct IP using
the correct user agent uh and so it's
relatively good at avoiding that kind of
detection in terms of uh the Outlook and
what people can do to identify this uh I
have a couple thoughts so I think um
people talk about APS advanced
persistent threats but sharpan sharine
might not be so hot on the a but they
are very hot on the p uh so they are
very good at taking a Target figuring
out who they talk to uh who they already
know who they don't know so they can
figure out who to impersonate when they
talk to that person um and they target
those people again and again
relentlessly and maybe you think none of
the examples I showed you in terms of
fishing emails are like going to fool
you but if you receive three of those
three times a week or like you receive
three emails a week like that for a
whole year eventually one of them is
going to slip through the cracks
especially when you consider that this
is quite close to a normal interaction
for these
people um and there are very few threat
actors that we know about that take time
to invest in a conversation before
delivering any malware most direct
actors are just happy to send the
malware straight away or after one or
two messages there's only maybe I can
count on one hand the number of tracks
as we track that would do uh 10 12
messages before sending an email we
targeting users personal devices in
email makes detection difficult um so a
lot of the times we'll find an infection
from this group amongst our customer
base and when we Trace down the root
cause we'll figure out that the user
used the personal web mail on their work
laptop and so we had no visibility of
any of the emails we just see the malare
that ends up and we have to retrace all
of the fishing that took place
before um and even more difficult on
personal devices so sometimes uh the
entire activity takes place off network
but then the user comes in uses the
guest Wi-Fi in the work setting and then
gets picked up that
way and this makes it difficult not just
for us but for governments who are
actually wishing to identify and notify
users as well so if you think about like
NCSE in the UK uh trying to notify
various North Korea experts is that type
of problem is also more difficult and
this is a real risk in sectors where
personal use for device use for work is
common um you might think think it's
like you think the users should change
but if you're working in security and
you still think the users should change
I've got bad news the users are not
going to change uh you just have to
change your workface to try and deal
with it
um and essentially once a user is
compromised with relatively firmly
believe that no automated solution will
fix things so uh most of the time the
users that get compromised have some AV
installed and maybe the AV just hexs
four of the seven malware families which
would be a not bad result the problem is
that there are still three mware
families remaining the next day the
attacker will just go and install three
more and keep a very high number of ma
families running concurrently or running
on like a schedule each day to download
a new payload and we think it's very
unlikely that once infected a machine
will ever be truly made clean without
human Intervention which is excellent
from the attacker's point of
view and essentially the only way that
we've really been able to mitigate this
is by working closely with users so
often the specific users is they get
targeted are targeted again and again
and we're able to build a relationship
with them explain what this looks like
make it make them feel comfortable
reporting it things like
that all right that's all I have for
today thank you for your
[Applause]
time
5.0 / 5 (0 votes)
Lesson 5 – Cybersecurity and Hacking
The State of Cybersecurity – Year in Review
Risk-Based Alerting (RBA) for Splunk Enterprise Security Explained—Bite-Size Webinar Series (Part 3)
From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou
36 Weekly Review
Volexity - Business Model Canvas