Botconf 2018 Wrap-Up Day #2

I’m just back from the reception that was held at the Cité de l’Espace, such a great place with animations and exhibitions of space related devices. It’s tie for my wrap-up of the second day. This morning, after some coffee refill, the first talk of the day was performed by Jose Miguel ESPARZA: “Internals of a Spam Distribution Botnet“. This talk had content flagged as a mix of TLP:Amber and TLP:Red, so no disclosure. Jose started with an introduction about well-known spam distribution botnets like Necurs or Emotet: what are their features, some volumetric statistics and how they behave. Then, he dived into a specific one Onliner, well known for its huge amount of email accounts: 711 millions! He reviewed how the bot is working, how it communicates with its C&C infrastructure, the panel, the people behind the botnet. Nice review and a lot of useful information! The conclusion was that spam bots still remain a threat. They are not only used to drop spam but also to deliver malware.

Then, Jan SIRMER & Adolf STREDA came on stage to present: “Botception: Botnet distributes script with bot capabilities”. They presented their research about a bot that it acting like in the “Inception” movie. It was about a bot that distributes a script that acts like… a bot! The “first” bot is Necurs which is has been discovered in 2012. It’s one of the largest botnets that was used to distribute huge amount of spams as well as other malware campaigns like ransomware. The explained how the bot behave and, especially, how it communicates with its C&C servers. In a second part, they explained how they created a tracker to learn more about the botnet. Based on the results, they discovered the infection chain:

Spam email > Internet shortcut > VBS control panel > C&C > Download & execute > Flawed Ammyy.

The core component that was analyzed is the VBS control panel that is accessed via SMB (file://) in an Internet shortcut file. Thanks to the SMB protocol, they get access to all the files and grabbed also payloads in advance! The behaviour is classic: hardcoded C&C addresses, features like install, upgrade, kill or execute, watchdog feature. Interesting, the code was properly documented, which is rare for malicious code. Different version were compared. At the end, the malware drops a RAT: Flawy Ammyy.

The next tall was “Stagecraft of Malicious Office Documents – A Look at Recent Campaigns” presented by Deepen DESAI, Tarun DEWAN & Dr. Nirmal SINGH. Malicious Office documents (or “maldocs”) are a very common vector of infection for a while. But how do they evolve in time? The speakers focused their research on analyzing many maldocs. Today, approximatively 1 million of documents are used daily in enterprises transactions. The typical infection path is:

Maldoc > Social engineering > Execute macro > Download & execute payload

Why “Social engineering”? Since Office 2007, macros are disabled by default and the attacker must use techniques to lure the victim and force him/her to disable this default protection.

They analyzed ~1200 documents with a low AV detection (both manual and in sandboxes). They looked at URLs, filenames time frames, obfuscation techniques. What are the findings? They categorized documents in campaign that were reviewed one by one:

Campaign 1: “AppRun” – because they used Application.Run
Campaign 2: “ProtectedMacro” because the Powershell code was stored in document elements like boxes
Campaign 3: “LeetMX” – because leet text encoding was used
Campaign 4: “OverlayCode” – because encrypted PowerShell code is accessed using bookmarks
Campaign 5: “xObjectEnum” – because Macro code in the documents were using enum values from different built-in classes in VBA objects
Campaign 6: “PingStatus” – because the document used Win32_PingStatus WMI class to detect sandbox ping to and %userdomain%
Campaign 7: “Multiple embedded macros” – because malicious RTF containing multiple embedded Excel sheets
Campaign 8 “HideInProperlty” – because Powershell code was hidden in the doc properties
Campaign 9: “USR-KL” – because they used specific User-Agents: USR-KL & TST-DC

This was a very nice study and recap about malicious documents.

Then, Tom Ueltschi came to present “Hunting and Detecting APTs using Sysmon and PowerShell Logging”.  Tom is a recurrent speaker at Botconf and always presents interesting stuff to hunt for bad guys. Today, he came with new recipes (based on Sigma!). But, as he explained, to be able to track bad behaviour, it’s mandatory to prepare your environment for investigations (log everything but also specific stuff like auditing, Powershell modules, script block and transcription logging). The MITRE ATT@CK was used as a reference in Tom’s presentation. He reviewed three techniques that deserve to be detected:

  • Malware persistence installation through WMI Event Subscription (it needs an event filter, an event consumer and a binding between the two)
  • Persistence installation through login scripts
  • Any suspicious usage of Powershell

For each techniques, Tom described what to log and how to search events to spot the bad guys. The third technique was covered deeper with more examples to track many common evasion techniques. They are not easy to describe in a few lines here. My recommendation, if you are dealing with this kind of environment, is to have a look at Tom’s slides. Usually, he publish them quickly. Excellent talk, as usual!

The Rustam Mirkasymov’s talk was the last one of the first half-day: “Hunting for Silence“. There was no abstract given and I was thinking about a presentation on threat hunting. Nope, it was a review of the “Silence” trojan which targeted financial institutions in Ukraine in 2017. After a first analyze, the trojan was attributed to APT-28 but it was not the case. The attacker did not have the exploit builder but was able to modify an existing sample. Rustam did a classic review of the malware: available commands, communications with the C&C infrastructure, persistence mechanism, … An interesting common point of many presentations for this edition: slides usually contained some mistakes performed by the malware developers.

After the lunch break, the keynote was performed by the Colonel Jean-Dominique Nollet from the French Gendarmerie. The title was “Cybercrime fighting in the Gendarmerie”. He explained the role of law enforcement authorities in France and how they work to improve the security of all citizens. This is not an easy task because they have to explain to non-technical people (citizens as well as other members of the Gendarmerie) very technical information (like botnets!). Their missions are:

  • Be sure that guys dealing with cyber issues has the good knowledge and tools (support) at a local level (and France is a big country!)
  • Intelligence! But cops cannot hack back! (like many researchers do)
  • Investigations

Coordination is key! For example, to fight against child pornography, they have a database of 11 millions of pictures that can help to identify victims or bad guys. They already rescued eight children! The evolution cycle is also important:

Information > R&D > Experience > Validate -> Industrialize

The key is speed! Finally, another key point was to request for more collaboration between security researchers and law enforcement

The next speaker was Dennis Schwarz who presented “Everything Panda Banker“. The name is coming from references to Panda in the code and the control panel. The first sample was found in 2016 and uploaded from Norway. But the malware is still alive and new releases were found until June 2018. Dennis explained the protections in place like Windows API calls resolved via hash function (obfuscation technique), encrypted strings, how configurations are stored, the DGA mechanism and other features like Man-in-the-Browser and Web-Inject. Good content with a huge amount of data that deserve to be re-read because the talk was given at light speed! I even had no time to read all the information present on each slides!

Thomas Siebert came to present “Judgement Day”. Here again, no abstract was provided but the content of the talk was amazing but released as TLP:Red, sorry! But, trust me, it was awesome!

After the afternoon break, Romain Dumont and Hugo Porcher presented “The Dark Side of the ForSSHe”. The presentation covered the Windigo malware, well-known for attacking UNIX servers through a SSH backdoor. Once connected to the victim, the bot used a Perl script piped through the connection (so, without any file stored on disk). The malware was Ebury. They deployed honeypots to collect samples and review the script features. The common OpenSSH backdoor features found are:

  • Client & server modified
  • Credential stealing
  • Hook functions that manipulate clear-text credentials
  • Write collected passwords to a file
  • From ssh client, steal only the private key
  • Exfiltration: through GET or POST, DNS, SMTP or custom protocol (TCP or UDP)
  • Backdoor mode using hardcoded credentials
  • Log evasion by hooking proper functions

Then, they reviewed specific families like:

  • Kamino: steals usernames and passwords, exfiltrate via HTTP, C&C can be upgraded remotely, XOR encrypted, attacker can login as root, anti-logging, victim identified by UUID.
  • Kessel: has a bot feature: commands via DNS TXT an SSH tunnel between the host and any server.
  • Bonadan: bot module, kill existing cryptominers, custom protocol, cryptominer

From a remediation perspective, the advices are always the same: use keys instead of passwords, disable root login, enable 2FA, monitor file descriptors and outbound connections from the SSH daemon.

The day ended with the classic lightning talks session. The principle remains the same: 3 minutes max and any topic (but related to malware, botnets or security in general). Here is a quick list of covered topics:

  • Onyphe, how to unhide the hide Internet
  • Kodi media player plugins vulnerabilities
  • Spam bots
  • 3VE botnet
  • VTHunting
  • MISP to Splunk app
  • Anatomy of a booter
  • mwdb v2
  • TSurugi / Bento toolkit
  • A very funny one but TLP:Red
  • We need your IP space (from the Shadowserver foundation)
  • Evil maids attack (hotel room) -> Power-cycle counts via!

The best lightning talk was (according to the audience) the TLP:Red one (it was crazy!). I really liked, a simple Python script that can detect if your computer was rebooted without your consent.

That’s all for today, see you tomorrow for the third wrap-up!