Botconf 2018 Wrap-Up Day #1

Here is my first wrap-up for the 6th edition of the Botconf security conference. Like the previous editions, the event is organized in a different location in France each year. This year, the beautiful city of Toulouse saw 400 people flying in from all over the world to attend the conference dedicated to botnets and how to fight them. Attendees came from many countries (USA, Canada, Brazil, Japan, China, Israel, etc.). The opening session was performed by Eric Freyssinet. Same rules as usual: no harassment, respect of the TLP policy. Let’s start with the review of the first talks.

No keynote on the first day (the keynote speaker has been scheduled for tomorrow). The first talk was assigned to Emilien LE JAMTEL from the CERT EU. He presented his research about cryptominers: “Swimming in the Monero Pools”. Attackers have two key requirements: the obfuscation of data and efficient mining on all kinds of hardware. Monero, being obfuscated by default and not requiring specific ASIC hardware, is a nice choice for attackers. Even a smartphone can be used as a miner. Criminals are very creative in dropping more miners everywhere, but the common attack vectors remain phishing (emails) and exploiting vulnerabilities in applications (like WebLogic). Emilien explained how he hunts for new samples. He wrote a bunch of scripts (available here) as well as YARA rules. Once the collection process is done, he extracts information like hardcoded wallet addresses and searches for outbound connections to mining pools. Right now, he has collected 15K samples and is able to generate IOCs like C2 communications, persistence mechanisms, specific strings and TTPs. The next step was to explain how you can deobfuscate data hidden in the code and configuration files (config.js or global.js). He concluded with more funny examples of malware samples that killed themselves, or another that contained usernames in the compilation path of the source code. Nice topic to smoothly start the day.
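As an added illustration of the collection step described above (pulling hardcoded wallet addresses and pool endpoints out of dropped miner configs, including base64-hidden values), here is a small Python extractor; it is not Emilien’s script, and the xmrig-style config layout, the synthetic wallet and the `.invalid` hostnames are constructed assumptions.

```python
"""Extract cryptominer IOCs (Monero wallet, pool endpoint) from miner configs/strings; added illustration, not the speaker's scripts."""
import base64
import json
import re
from typing import Dict, List

# Monero base58 alphabet omits 0, O, I and l. Standard addresses start with '4',
# subaddresses with '8' (95 chars); integrated addresses start with '4' (106 chars).
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR_RE = re.compile(rf"\b(?:4{_B58}{{105}}|[48]{_B58}{{94}})\b")
# Pool endpoint given as a stratum URL or after the xmrig-style "-o" switch.
POOL_RE = re.compile(r"(?:stratum\+(?:tcp|ssl)://|-o\s+)([A-Za-z0-9.\-]+):(\d{2,5})\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _with_decoded_layers(blob: str) -> str:
    """Append the decoding of every long base64 run so hidden values get scanned too."""
    extra = []
    for token in B64_RE.findall(blob):
        try:
            extra.append(base64.b64decode(token, validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError: bad length or alphabet
            continue
    return blob + "\n" + "\n".join(extra)

def extract_iocs(blob: str) -> Dict[str, List[str]]:
    """Return sorted, de-duplicated wallet and pool indicators found in a text blob."""
    text = _with_decoded_layers(blob)
    wallets = set(MONERO_ADDR_RE.findall(text))
    pools = {f"{host}:{port}" for host, port in POOL_RE.findall(text)}
    try:  # assumed xmrig-style config.json: pool under "pools", wallet in "user"
        cfg = json.loads(blob)
    except ValueError:
        cfg = {}
    for pool in (cfg.get("pools", []) if isinstance(cfg, dict) else []):
        url = str(pool.get("url", "")).split("://")[-1]
        if re.fullmatch(r"[A-Za-z0-9.\-]+:\d{2,5}", url):
            pools.add(url)
        if MONERO_ADDR_RE.fullmatch(str(pool.get("user", ""))):
            wallets.add(pool["user"])
    return {"wallets": sorted(wallets), "pools": sorted(pools)}

# Constructed samples: the wallet is synthetic and the hosts use the reserved .invalid TLD.
WALLET = "4" + ("AbC9" * 24)[:94]
SAMPLE_CONFIG_JSON = json.dumps({"algo": "cryptonight", "pools": [
    {"url": "pool.example.invalid:3333", "user": WALLET, "pass": "x"}]})
SAMPLE_STRINGS = ("xmrig -o stratum+tcp://pool2.example.invalid:5555 -u "
                  + base64.b64encode(WALLET.encode()).decode() + " -p x")

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_CONFIG_JSON), extract_iocs(SAMPLE_STRINGS))
```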

The next talk was performed by Aseel KAYAL: “APT Attack against the Middle East: The Big Bang”. She gave many details about a malware sample they found targeting the Middle East. The campaign was attributed to APT-C-23, a threat group targeting Palestinians. She explained in a very educational way how the malware was delivered and how it behaves to infect the victim’s computer. The malware was delivered as a fake Word document that was in fact a self-extracting archive containing a decoy document and a malicious PE file. She gave details about the malware itself, then more about the “context”. It was called “The Big Bang” due to the unusual module names. Aseel and her team also tracked the people behind the campaign and found many references to TV shows. It was a nice presentation, not simply delivering (arte)facts but also telling a story.

Daniel PLOHMANN presented the Malpedia project at Botconf last year (see my previous wrap-up). This year, he came back with more news about the project and how it evolved during the last 12 months. The presentation was called “Code Cartographer’s Diary”. The platform now has 850 users and 2900+ contributions. The new version has a REST API (which helps to integrate Malpedia with third-party tools like TheHive, just saying). The second part of the talk was based on ApiScout. This tool helps to detect how the Windows API is used in malware samples. Based on many samples, Daniel gave statistics about API usage. If you don’t know Malpedia, have a look, it’s an interesting tool for security analysts and malware researchers.

The next speaker was Renato MARINHO, a fellow SANS Internet Storm Center Handler, who presented “Cutting the Wrong Wire: how a Clumsy Attacker Revealed a Global Cryptojacking Campaign”. This was the second talk about cryptominers in half a day. After a quick recap of this kind of attack, Renato explained how he discovered a new campaign affecting servers. During the analysis of a timeline, he found suspicious files in /tmp (config.json) as well as a binary file. This binary was running with the privileges of the WebLogic server running on the box. The box was compromised using the WebLogic exploit. He tracked the attacker using the hardcoded wallet address found in the binary. The bad guy generated $204K in two months! How was the malware detected? Due to a stupid mistake of the developer, the malware automatically killed running Java processes… so the WebLogic application too!

After the lunch break, Brett STONE-GROSS & Tillmann WERNER presented “Chess with Pyotr”. This talk was a summary of a blog post they published. Basically, they reviewed previous botnets like Storm Worm, Waledac, Storm 2.0 and… Kelihos. They gave multiple details about them. Kelihos was offering many services: spam, credential theft, DDoS, fast-flux DNS, click fraud, SOCKS proxy, mining, Pay-per-install (PPI). The next part of the talk was dedicated to attribution. The main threat actor behind this botnet is Peter Yuryevich Levashov, a member of an underground forum where he communicated about his botnet.

Then, Rémi JULLIAN came to present “In-depth Formbook Malware Analysis”. In-depth was really the key word of the presentation! FormBook is a well-known malware that is very popular and still active! It targets 92(!) different applications (via password stealer or form grabber). It is also offered on demand in a MaaS model (“Malware as a Service”). The price for a full version is around $29/week. This malware is often in the top 10 of threats detected by security solutions like sandboxes. Rémi reviewed the multiple anti-analysis techniques deployed by FormBook, like string obfuscation and encryption, manually mapping NTDLL (to defeat tools like Cuckoo), checking for debuggers, checking for inline hooks, etc. The code injection and process hollowing techniques were also explained. On the feature side, we have browser hooking to access data before it is encrypted, a keylogger, a clipboard data stealer and password harvesting from the filesystem. Communication with the C&C was also explained. Interesting finding: FormBook uses fake C&C servers during sandbox analysis to mislead the analyst. This was a great presentation full of useful details!

The next speaker was Antoine REBSTOCK, who presented “How Much Should You Pay for your own Botnet?”. This was not a technical presentation (though with plenty of mathematical formulas) but more a legal talk. The idea presented by Antoine was interesting: let’s assume that we decide to build a botnet to DDoS a target, what will be the total price (hosting, bandwidth, etc.)? After the theory, he compared different providers: Orange, Amazon, Microsoft and Google. Even if the approach is not easy to put in the context of a real attacker, the idea was interesting. But way too many formulas for me 😉

After the welcome coffee break, Jakub SOUČEK & Jakub TOMANEK presented “Collecting Malicious Particles from Neutrino Botnets”. The Neutrino bot is not new. It was discovered in 2014 but is still alive today, with many changes. Lots of articles have been written about this botnet but, according to the speakers, some information was missing, like how the bot behaves during an investigation or how configuration files are received. Many bots are still running in parallel and they wanted to learn more about them. Newly introduced features are: modular structure, obfuscated API calls, network data stealer, CC scraper, encryption of modules, new control flow, persistence and support for new web injects. The botnet is sold to many cybercriminals, so there are many builds. How to classify them in groups? What can be collected that is useful to classify the botnet?

  • The C&C
  • Version
  • Bot name
  • Build ID

Only the Build ID is relevant. The name, for example, is “NONE” in 95% of the cases. They found 120 different build IDs classified in 41 unique botnets, 18 really active and 3 special cases. They reviewed some botnets and named them with their own convention. Of course they found some funny stories, like a botnet that injected “Yaaaaaar” in front of all strings in the web inject module. They also found misused commands, disclosure of data and debugging information left in the code. Conclusion: malware developers make mistakes too.

The next slot was assigned to Joie SALVIO & Floser BACURIO Jr. with “Trickbot The Trick is On You!”. They performed the same kind of presentation as the previous one, but this time on the banking malware Trickbot. Discovered in 2016, it also evolved with new features. They paid particular attention to the communication channels used by the malware.

Finally, the day ended with Ivan KWIATKOWSKI & Ronan MOUCHOUX, who presented “Automation, structured knowledge in Tactical Threat Intelligence”. After an introduction and a definition of “intelligence” (it’s a consumer-driven activity), they explained what Tactical Threat Intelligence is and how to implement it. Just one remark about the slides: they were designed with a poor colour palette, making them difficult to read.

That’s all for today, be ready for my second wrap-up tomorrow!