
Paul Burbage - Illuminating Malware Adversaries with MalBeacon

BSides Augusta 2019 · 23:41 · 828 views · Published 2019-10
Category: Technical · Style: Talk

Transcript [en]

Hey, good morning, hackers. My name's Paul Burbage, and today I'll be presenting on illuminating malware adversaries with MalBeacon. Really excited to show you a passion project that I've been working on for over three years now, so let's go and dive in.

A little bit about myself: I'm a malware researcher, and my passion in the field is taking a look at those malware families that utilize a PHP web application and finding vulnerabilities within them. I'm a drummer and of course like music, and I was an active duty Marine from 2004 to 2008. Any devil dogs in here? Yeah, all right, Semper Fi, brothers. Semper Fi, good to go. How about the other branches? Army? I know Army's... oh, there's my whole Navy. Air Force? Nobody? Who am I leaving out? Space Force? No way. All right, thank you for your service. Feel free to reach out to me on the Twittersphere there; I'm @hexlax.

All right, so we'll go over our agenda for today. I'll discuss what I foresee is, you know, a problem within the malware ecosystem: it's far too easy for anyone to go out and grab a malware kit and utilize that to breach an organization. To understand how the system works, I'll briefly touch upon what is stored cross-site scripting, and then dive into the system itself: how we're able to inject payloads within a C2 and receive those callbacks from the actors as they log in to administer those botnets. I'll briefly touch upon the legality concerns with this system, and then also have some case studies to present to you, and finally wrap that up with a conclusion and Q&A.

So, as I said earlier, it's far too easy for anyone to go out to the Internet, whether that be on the open Internet or within these vetted forums, and acquire malware kits, not only for purchase but some of them can be obtained for free. And in my opinion the current attribution for this is one-sided: it's typically grouped by infrastructure, as well as similar tools, techniques and procedures, or shared malware code. So we need to have better attribution to defend our networks, and one way that we can do this is to beacon adversaries as they utilize their malware command and control.

Briefly, just touching upon what is stored cross-site scripting: cross-site scripting in general is just whenever a web app vulnerability allows an attacker to execute script. It's actually the most common web app vulnerability today, even more so in malware C2, right, because those malware kits are not going to go through, hopefully, the rigorous testing that a legit software company would be going through. Stored cross-site scripting is persistent, so we can store our payload, usually in the database, but it can also be stored within a file on the web server or within session information. So whenever that data is stored, then presented to the web application user (in this case it's going to be the malware actor who's conducting those campaigns), and it's not sanitized properly on the output, it renders either HTML or JavaScript. And although it is possible to inject JavaScript into these malware C2s, for this particular system we're solely using benign image callbacks, and I'll discuss that here in a little bit as we discuss the legality concerns.

So, to understand what a malware C2, command and control, is, I like to think of it as having two interfaces. All of the infected computers typically communicate through what you can think of as an API, commonly referred to in the underground vernacular as the gate, and then the adversary is able to control those computers, issue commands or receive exfiltrated data from those infected computers, through the admin interface. For this system we're solely inserting beacons through the C2 API, so the gate, as if we were an infected computer. As that administrator, the malicious adversary, logs in, they might be greeted with a screen like this. So this is a screenshot of FormBook malware; as you can see, down at the bottom there's two lines indicating that he has two victims, with some of those fields indicating, like, the machine name. So that particular field might be one of those fields that are able to be injected with HTML callbacks.

Let's dive into the system itself. So again, we're using stored cross-site scripting to insert beacon payloads, and we can do that via two methods: manual insertion, where we actually write a fake bot to check in with the C2, and we also can utilize an automated sandbox to run several samples through, and I'll go over what that looks like here in a little bit. And then when that callback occurs, whenever the malicious individual logs into this C2, we're just going to receive that image request and log everything. I'll go over what this looks like.

So the manual injection method: this requires us to analyze the C2 source code, so we have to have a copy of that, right; find stored cross-site scripting flaws within the code, and not only that but reverse engineer the bot check-in protocol to write a fake bot to insert that beacon. So the pro is that it's very sniper-like precision, but the con is that it's very time consuming, and as you can imagine, if the malware family is under constant development, you have to go back to the drawing board and reverse engineer that malware to rewrite the bot code.

But we also have the automated method. Show of hands, who here has heard of Cuckoo Sandbox? Cool, quite a few of you. For those that don't know, it's an open source software written in Python; it just allows you to execute malicious samples within a virtualized environment, right. So what we did with Cuckoo is that we've monitored the DLL that gets injected into the malicious process as that malware sample is run, and in the event that, say, the malware sample says "give me the machine name or the username that I just infected," we hooked that API call and we're able to taint the response to that with our beacon injection payload. So from there, one of the artifacts that are again submitted up to the C2, and then hopefully it's vulnerable to stored cross-site scripting, the malware actor logs in and fires a callback to us, as far as who's utilizing that malware C2.

So the pro of the automated injection is that it's very scalable, right; we can scale out our sandboxes to pump hundreds if not thousands of samples through. It's cool that it is not affected by malware changes. One of the case studies I'll go over, KPOT info stealer, one of the families that was susceptible to this method, it was under active development and the authors were changing the bot check-in protocol usually about once a month or so. Even though they were changing that, and we had manual injection bots, we could still get beacons out of that with fresh samples, just tossing them into our automated sandbox hook there. So it does cast a wider net, and it's more or less like a spray-and-pray method, which can lead to OPSEC concerns. Why is that? Well, best-case scenario, if a malware family is not susceptible to beaconing, that C2 is just going to drop the bot's request. But worst-case scenario, we submit a beacon and it's not rendered properly, it's not rendered as HTML, and they would be able to see that callback to our system, with our domain information and whatnot. So obviously an operations security concern.

Let's go over the receiver. So the receiver is just receiving these image requests, essentially just logging. Is everything cool with the projector? All right. The way that we're doing that is just some .htaccess trick: any type of image request that comes in, we redirect that to a PHP script and then log everything. When I was first looking at this, I was really surprised about how much information you can get out of just an image request. It really opened my eyes up to all of the information that, say, an advertisement company was recording on each and every one of us.

So what do we get from that? We get the source IP address. The HTTP Referer field, probably the most interesting: this is going to be the URL where the adversary is currently logged into, being the C2 URL. In some of the manual injection methods we're able to submit a UID. This is really cool, when some of the malware families might have multiple proxies in between what the infected computer communicates with and what the administrative, you know, malicious individual is logging into, so we're able to see beyond that whole proxy infrastructure to the actual back-end C2. Then, with some of these free HTTP proxies, some people think that it might be hiding their true IP address; they actually submit a proxy header within that same request, so if we see that, we log that, the true IP address of individuals, you know, utilizing those free proxies. And then the user agent of that request. Of course all of these can be forged, but if the user agent's true, that tells us quite a good deal, a bit of information about our adversary: everything from their machine architecture, x86, 64-bit, whether or not they're coming from a mobile device, their operating system and even their web browser preference.

So the system, the receiver, logs that information, and then from there just replies back with a 1x1 pixel. Why do we do that? Because as long as it's properly rendered within the C2, we didn't want to mess any of the HTML formatting up, so just by delivering a 1x1 pixel that image is rendered, and hopefully the malicious adversary looking at their C2 is none the wiser that an image request is actually occurring on that screen.

And then probably one of the coolest things: I was talking to some folks three or four months ago and they had said, "Dude, why aren't you setting a persistent cookie in that reply? That way, as long as it's the same browser session, and we set like a crazy expiration date for that cookie, several years out, they can change the C2 URL, the domain, and we're still able to group that to the same adversary, even if the same adversary is utilizing different malware families, right." And that's exactly what I implemented. So I clustered one month of data here, and this is a clustering of the unique cookie IDs with the C2 domains, and what was really cool is that we were able to group 134 domains, which is essentially tracking that back to one threat actor. So pretty cool information, and again this was multiple domains and different malware families, so this particular group is very busy.

So we should probably touch upon the legality of utilizing this. It actually went through several rounds with EFF, or the Electronic Frontier Foundation, and I wanted to get their opinion: what's the bounds as far as doing this within malware C2? And the word that I got back from them is, as long as you're not doing any type of execution, which in this case would be JavaScript, it's fair game; you can do benign image callbacks, which is pretty cool to hear. And this is no worse than ads utilizing images, right. I bet if each and every one of us pulled up our phone and looked at some of the raw text or source of that email, you're going to find these image callbacks for opening emails and whatnot. Since we're not doing JavaScript, there's no authentication bypass, right, we're not doing any type of cookie stealing, and it's privacy respectful, right. So these beacons are solely submitted through the infected computer protocol up to the C2, and casual people just browsing the internet wouldn't be tripping these beacons by ordering stuff on Amazon or whatever. Good to go.

Let's dive into some of the case studies here. So Blueliv, I believe, calls this group "air nine", and Cisco Talos calls it TA545, and again I've been in this data for over three years. Back in January of 2018 this particular group was utilizing the Onliner spambot to send malicious emails with Canada Post zip attachments. The zip contained a VBS script, which is a malware family called ARS VBS. So once a victim clicks on the VBS script within that zip, it reaches out to the C2, here's that admin interface pictured, right, and it asks the C2, "What additional malware would you like me to download and execute?" We call this a loader, by the way. These campaigns were loading a banking Trojan that targeted Canadian financial institutions' customers, as well as Zero Evil stealer. Zero Evil stealer is also a malware family written by the same author as ARS VBS loader in Russian underground forums. Pretty cool callback on this: traced it back to a dedicated server, Windows server nonetheless, in the UK, so the Canadian CERT guys were pretty interested in receiving that bit of intelligence.

For the second case study, this is an ongoing threat out there on the internet. So what the bad guys do: they'll take a look at popular crypto coin wallet software, they'll copy that site, stand it up, advertise it like on crypto forums or just rely on search engine optimization, so unbeknownst victims searching for that software will get sent to the bad site and download malware. In this case, back in September of 2018, they were downloading KPOT info stealer. It's a Russian info stealer sold, again, in the Russian underground forums. KPOT, by the way, is the Russian word, actually pronounced "krot"; it's the Russian word for mole. Some pretty cool callbacks on this, chasing back to a VPS provider in Russia.

So this not only works with commodity malware that's sold or traded in the underground; this has also worked with advanced persistent threat groups. Back in January of this year a piece of Molerats malware came across my desk, so this is one of the ones that I tossed into the automated sandbox, and it was able to hook some of the functions of the data that was exfiltrated from that VM, and got some callbacks on it. This was one of the malware families too that had multiple proxies in between the infected nodes and the actual malware C2, and when we get the callbacks, again with the HTTP Referer field, we're able to see that true admin interface that they're utilizing to control their botnet. Some pretty cool attribution callbacks on this one: again, Molerats being attributed to the Gaza Cybergang, and the beacons were geolocated back to the Gaza Strip, so pretty cool attribution there. Another cool thing with this particular beacon was that it was utilizing a particular user agent, and in order to get that admin interface screen to show up, to access that admin interface, you had to set that as a user agent. So that was kind of like a unique hard-coded artifact, and by searching that particular user agent string across social media profiles, may or may not have found a couple people attributed to this group.

Just wanted to briefly touch upon the current statistics. I've been running the system for a little over three years; we've enumerated 27,000 unique IP addresses from attackers, and the amount of beacons that we receive is close to 350,000 now. C2 unique domains or IP addresses, a little over 32,000. So it's just been a really fun project to work on; it's kind of a perfect marriage, or three-way even, between my passion for doing malware analysis, web app vulnerability assessment, and... what's the third one?

So in conclusion, I really want to scale out the sandbox system, right, run hundreds but maybe thousands of samples through every day. From there, when we receive those beacons, you can then go back and target that particular malware family to write the actual manual injection bots by reverse engineering that particular C2 protocol, and then clustering out the beacons. If anyone's into, like, data science, I'd really like to talk to you about how we can cluster that information to attribute that and start grouping these threat actor groups; I think that's probably one of the cooler aspects of this particular data set. And then extend support with the sandbox to other operating systems, everything from Mac malware to Linux, Android, this goes on. So currently, right now, as you can see down at the bottom right of the screen, it's a bit.ly short URL. If you want to get access to the data, it's just an account; the short URL goes to a Google Form, not a rickroll or anything. I just request some information to verify who you are, just to make sure I'm not giving out accounts to bad guys, but it allows you to search the data set if you're interested in that. And I'm currently working on, like, a feed and an API for people to maybe write like a Maltego transform, something like that. That's about it. Thank you. Wrapped that up pretty quick. Any questions, concerns? Go ahead, yes sir.

[Audience question] Initially I didn't really go into... so the question was, what's been the hardest part of this whole adventure? It's kind of had my hands tied behind my back with the feedback that I got from the EFF. Initially I wanted to do full JavaScript injection, which, as you can imagine, you can get a lot of information just by a JavaScript inject. If anyone has ever taken a look at the Browser Exploitation Framework, you can do everything from request webcam access and take pictures of people behind their computer as they utilize malware C2. There's a company, off the top of my head, called SessionCam; so if you load their JavaScript, it records in real time a video of everything that's occurring within that web app on that screen. I wanted to do stuff like that, but yeah, unfortunately only benign images. But still a good bit of information that you can get; I'm solely doing benign image callbacks. Any other questions or concerns? Yes sir.

[Audience question] Right, yeah, that's a good point. So it's all a matter of, excuse me, sourcing of that particular malware. So the malware that I'm... where I'm getting it is from public repositories like VirusTotal and whatnot, but you make a good point. So there has been some work done; I think they call it like deception technology, right. So for example you have a decoy document on a Windows share within your organization that calls out in the event that that document's opened; there's no business purpose for anyone to be accessing that, so if someone breaches the organization and you get a callback from that particular document, that's a pretty good sign that you have someone inside your network. Yeah, that's a little more along the same lines, but this is a little bit more proactive in that we're going after live malware samples in the wild. Yes sir. Yep, can neither confirm nor deny. That's a good question.
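The receiver and cookie-clustering steps described in the talk, as an added example that is not MalBeacon's own code (the talk says the real receiver is an .htaccess rewrite to a PHP script): a Python model that turns one image request into a log record with the proxy-aware true IP and a persistent cookie, then groups C2 hosts seen under one cookie ID. The cookie name, the request dicts and the panel hostnames are constructed for the example.

```python
import uuid
from collections import defaultdict
from urllib.parse import urlsplit

# 1x1 transparent GIF, returned so the beacon renders as an invisible image in the panel.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
COOKIE_NAME = "mb_id"              # assumed cookie name; the talk does not give one
COOKIE_MAX_AGE = 10 * 365 * 86400  # "several years out", as in the talk


def handle_beacon(remote_addr, headers, cookies):
    """Turn one image GET into (log record, response); headers/cookies are plain dicts."""
    h = {k.lower(): v for k, v in headers.items()}
    referer = h.get("referer", "")
    # A free HTTP proxy that adds X-Forwarded-For leaks the client's real address.
    xff = h.get("x-forwarded-for", "")
    true_ip = xff.split(",")[0].strip() if xff else remote_addr
    # Reuse the persistent cookie if the browser sent one, otherwise mint a new ID.
    cookie_id = cookies.get(COOKIE_NAME) or uuid.uuid4().hex
    record = {
        "src_ip": remote_addr,
        "true_ip": true_ip,
        "proxied": bool(xff),
        "c2_url": referer,                       # panel URL the operator is logged into
        "c2_host": urlsplit(referer).hostname or "",
        "user_agent": h.get("user-agent", ""),
        "cookie_id": cookie_id,
    }
    response_headers = [
        ("Content-Type", "image/gif"),
        ("Set-Cookie", f"{COOKIE_NAME}={cookie_id}; Max-Age={COOKIE_MAX_AGE}; Path=/"),
    ]
    return record, (200, response_headers, PIXEL_GIF)


def cluster_by_cookie(records):
    """Group C2 hosts by cookie ID: hosts seen under one ID belong to one operator."""
    clusters = defaultdict(set)
    for r in records:
        clusters[r["cookie_id"]].add(r["c2_host"])
    return {cid: sorted(hosts) for cid, hosts in clusters.items()}


def demo():
    """Constructed sample: one operator logs into two panels, the second via a proxy."""
    ua = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/68.0"
    rec1, (_, hdrs, _) = handle_beacon(
        "203.0.113.10", {"Referer": "http://panel-a.example/admin/bots.php", "User-Agent": ua}, {})
    cid = rec1["cookie_id"]
    # Second visit from a different C2 domain, through a free proxy that sets X-Forwarded-For.
    rec2, _ = handle_beacon(
        "198.51.100.7",
        {"Referer": "http://panel-b.example/login.php", "User-Agent": ua,
         "X-Forwarded-For": "203.0.113.10"},
        {COOKIE_NAME: cid})
    return rec1, rec2, hdrs, cluster_by_cookie([rec1, rec2])
```

Running `demo()` shows both panel hosts collapsing onto the one cookie ID even though the source IP and C2 domain changed between visits.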