
Okay, that's going now. A quick intro about myself: my name is [unclear], I've been working in incident response for a while. I've been with Salesforce for a while now; before that I was part of the Commonwealth Bank of Australia. I flew all the way from Sydney just for this, so I hope you learn something out of this and enjoy it.

A bit about the presentation itself, how I came up with this and what the purpose is. Smaller teams, particularly in smaller companies, or where the resources aren't really available for the security teams to spend time and money on this sort of intelligence, struggle with scaling their day-to-day operations to a point where they've got something built up that can readily be used every day. One of the main reasons I came up with this a couple of years back was that I like building things on my own, for a very simple reason: when you're building stuff yourself it's very relevant to what you do there today, rather than going out and buying a product or a service from someone, which is more generic for obvious reasons, because they're catering to a lot of people. This way you can really tune it to a point where it's very relevant to what you do every day. So that's the brief intro to the actual presentation.

The other reason is that I've always found BSides conferences very helpful for getting stuff that I can literally use straight away: come here, learn stuff from other people, go back and start using it straight away, most of the time in a way that's very specific to my role. That's one of the reasons I really like them, and the only thing I'm asking of you is to try to share as much as you can. Basically, the more we share with each other in the community, the stronger we get and the faster we learn things. Collaboration really helps; it has helped me a lot in the past and I'd really appreciate it if everyone keeps this going. Now, before this turns into a TED talk, let's get into it.

What we'll see in this presentation is specifically looking at malicious binaries and trying to get usable information out of them. It's very important, especially if you're working in a small team where you don't have time and most of the time you're busy doing stuff, that you come up with a few techniques of your own so you can go in very fast, grab all the usable stuff from the binaries, and use it to protect your organization. This can be done by targeting some very specific functions. Once you've got that, you can take all the information that gets extracted and put it into some sort of database, a threat intel database basically, that you build over time and keep using whenever it's needed. All of that information can be used to build profiles, and once you've got them to a point where they're pretty easy to use you can literally hand them off to the front-line teams, your SOC teams or whoever does the first response. Once you've got something in place you can then share it with the wider organization, different teams, and go from there.

Most of my slides are pretty boring; I haven't got any funny pictures or anything in there, so I apologize for that. I'll probably blitz through them because I haven't got a lot of time, but definitely feel free to contact me afterwards or get in touch with me some other way; I'm very happy to continue the discussion. By the way, I'm just picking some real-world examples, but it can quite easily be applied to a lot of different things as well, so don't think it's specific to what you see here. It's just the techniques, and once you've got those techniques you can scale them to different levels and even port them to different types of attacks.

Looking through malicious binaries, for example: what do we need to know before we can use that for building profiles or a database or whatever we're trying to achieve? The C2 connection information is very important, so that you know where all the traffic might end up. You can use things like cookies to give you specific techniques being used by the malware. IP addresses and ports are pretty self-explanatory; you can build a list of IPs over a period of time that you can keep reusing, at least for some time. Stealth techniques, again, are things you can document, and whenever you see those same techniques being used in a different family you can make a connection that there's some sort of code reuse or collaboration happening between different malware authors. Anti-detection techniques, again, are a very common one, and encryption as well, because a lot of malware nowadays uses encryption to encrypt the data before sending it back to the C2 servers; by knowing what type of encryption is used, for example, you can start building a profile as well.

Now, narrowing it down and getting to a point where you really start focusing on specific things. To get started, these are some of the things you can target, for example modules and specifically functions, API calls, just for the sole purpose of building some sort of database. Some of the common modules that I like targeting to get information really fast: wininet is one of them. It will give you all of this stuff that you can extract out of the binaries and then put into some sort of database for use later on, or distribute to other teams.

A quick example of what you can actually get by targeting one of those functions, in this case InternetOpen: basically looking at that and trying to see what will be loaded there. In these screenshots, if you follow from one to two to three, you can see the source will be filled up at some point as you execute it, in this case with the user agent. All of this stuff is pretty easy to track once you've got it, and you can keep building it into your database for that particular family. As you can see here, the second argument of the actual function is supplying one of the C2 addresses.

Before we go further, just a quick example. If you're in a SOC situation and you're dealing with a new malware campaign, for example, usually what will happen is the first stage will come through as some sort of document. Usually the first-stage malware that gets dropped onto your computer will be executed, and at that point it will go ahead and try to get the second stage or the final payload, which is the actual malware. Most of our teams struggle with that situation: they've got this first-stage malware, but the focus is on getting that downloader URI and then blocking it most of the time, and a lot of teams end up using sandboxes, cloud-based sandboxes and stuff. The problem with that usually is that the level of control you've got on those sandboxes is very minimal. Usually what happens is, if they've got say five different URIs in there, the first one executes and goes out and tries to fetch the second stage or the final payload, and that's the only URI you capture. A lot of front-line teams grab that, take it as the main thing, block it, and the whole exercise is pretty useless really, because the entire campaign will have multiple URIs, multiple different downloaders, in just one campaign. If we're just looking at one of those URIs for the second-stage download and blocking it, it's not going to do much at that point in time. Either way, you may have your own sandboxing environment which you completely control and you're able to trigger it multiple times and capture everything, but even then it's really not that much use, because what you really want to be focusing on is the second or final-stage payload, which basically requires human beings, because you'll have to go in there and manually extract the entire C2 list. Most malware today comes loaded with these; look at the latest example: the latest sample of [name unclear] would have anywhere between 45 to 60 IP addresses for C2 connections, and any sandboxing environment, if not controlled completely, will not even give you anything. So just a quick intro about that before we move on.

Also keep in mind, and I'll touch on this later once I finish as well, the goal here really is to automate all of this. In the end we should be able to understand it completely, and once we've understood it the goal is to automate all of it so that we don't have to do it manually all the time. But to get to that stage it's very important that we understand what's happening.

This is another function we can target, and once you've got a list of these functions to target you can literally do it within minutes and it will work pretty much all the time: HttpOpenRequest. You can see again it's a similar situation to the slide before. You can look at the arguments, the source and the destination, look at the memory dump of it and just wait for it to execute, and it will completely load everything that's put in the argument by the malware author, and you should be able to look at it in the memory dump and also on the stack. So if you look at the memory dump first, you can see the actual GET request is forming now and you can read the entire request there. Once you've got that happening in the memory dump, over there on the blue side you can see the same thing will end up in the stack as well.

This is another function, [name unclear]; this basically will put the IP address and the entire URL structure together just before it reaches out to the C2. And this is where it all comes together: InternetCanonicalizeUrl is where you can see the entire URL now formed, with the HTTP and everything in there, and the other thing you can see clearly is that it has now been passed on to the first argument. This is again something that's interesting, because if you look at the second argument in there you should be able to see a cookie value, which is literally all the information that the malware has extracted from the computer, encrypted, and is about to send back to the C2, where it will be decrypted. Once you've got stuff like that, and that's again just an example, you can document it in your threat intel database and attribute it to a specific malware family, and bit by bit you're building your database to a point where it gets really interesting and very useful from a threat intel point of view.

These are some of the other modules that I like to target. It's pretty obvious what they do, basically just before it downloads the payload. This is again an interesting one, because like I said most malware has started using encryption to communicate back to the C2 servers. This is a subset of the routine for encryption: basically we're targeting the advapi32 module and all the functions below it, and there we can see what kind of encryption the malware is using. Why that is important for us is because, just as an example off the top of my head, if you look at a malware family which has been using RC4 for encryption before and it starts to use AES, you've got a big leap there from a threat intel point of view, and once you capture that information and put it in your database you've got a big bullet point in your profile for that malware family.

These slides are just us going through the complete encryption module based on the functions shown before, and as you can see this is pretty standard. One of the most important things that you can grab out of this is the type of encryption being used. So as you can see here, this function CryptHashData, and just stay with me there for a sec, we need to know the CSP that's being used here, the cryptographic service provider, and as you can see RSA shows up in argument two, so we know that this malware is using an RSA public key for encryption; the private key obviously is at the C2. This is just going through the routine and completing it; the last bit of course is destroying the hash that was first created. This is what it should look like in the end, where you can see all of the data up there ends up encrypted, and if you look closely the encrypted bit is the cookie value we saw earlier. This is what you would see if you were, for example, monitoring the C2 communication in say Wireshark or something like that: that's the only thing you'll see, and everything we've seen before that you won't have access to. It's very helpful in understanding how it actually works, because now we actually know what CSP it's using, what type of encryption is being used, and we can also see what is being encrypted. The trick to that is, once you've got to the point where you know the exact functions that you want to target, you can start focusing on the copy function, which will give you the source address in memory of all the stuff that is about to be encrypted and will also give you the destination address of where it will end up after it's been encrypted. So that's useful to see what kind of encryption happened.

CreateProcess is a very simple function that pretty much everyone knows about. Once you've targeted this, everything that gets created, you will be able to see it. For example, in this malware you can see it's changing firewall rules; you probably can't read it down there, but it's literally just opening up the firewall for the malware to allow connections back. This is another example of a different malware, same thing, CreateProcess: we've targeted that and we know that it's opening up PowerShell, and once it's called PowerShell it will run other commands, other processes on the computer. Again, this is all stuff that we can take, document and store in the database while we're building all the intelligence around these malware families.

The same API you can use in a twisted kind of way to see what's happening. Again, just an example: in this case the malware is reaching out to geoplugin.net; they've got a plug-in there, and what it literally does, down at the bottom, is go out to MaxMind and get the IP of the machine. This is one of the most common techniques used by malware authors to learn where their victims are, and from there on there are quite a few different possibilities: if you're Russian, for example, and you don't want to target Russia, you can do that, or you can basically geo-target all your victims for the entire campaign. But then again, we literally just target that particular DLL there and we've got the result.

WriteFile is another one. This particular slide is probably not that useful because the encryption has already happened by this point; it's more to demonstrate that once we've targeted this particular function we can see everything that has been written by the process to the disk. This is just an example of a ransom note being written, just before it actually gets written to your disk.

Gathering intelligence. This is the second part of the presentation. We've done all of this, we know the basic list of functions that we want to target every time we're looking at a binary; once we've got all of that, what else is there that we can actually extract out of it, and be a little bit more creative and use it to build our profiles, which can then be used by our teams and front lines? In this example, again we targeted the functions we've talked about before, but you can see that it's reaching out to that IP there, which is running a script, and by copying the actual URL and putting it in a browser we can see how they are creating an ID specific to your machine. This is the ID that will be used by the malware actor to identify the victim later on; they'll have thousands of these by the time they're done with the campaign, and this is how they will identify, for example if they're asking for ransom payments, where it is coming from so that they can unlock it. The interesting bit here is not just the mechanism, but if you go a bit further, just from all the information we extracted from the binary, the hard-coded information, we can reach the admin panel for the campaign. This is literally what the guy who was running the campaign on the other end is using to track his effectiveness. Once he's logged in there he's able to see all his victims, all the IDs he's created for the victims, and also all the private keys, and it's pretty comprehensive the way it's been set up so that they can run a campaign really effectively.

Now, hypothetically at this point in time, not that anyone would do that, not that we would do that, but you could hypothetically run just a simple Nessus scan on that, and you would find a lot of stuff if you were to do it. A lot of these things are built pretty solidly, but ironically the security of them is pretty low. So basically the potential there is quite unbelievable once you get to this point. Again, not that you would do it, but if you were to get access to this, the stuff you would see would be interesting; basically you'd have everything, so if you were to do it, not that you would, you'd be able to completely decrypt the entire campaign, and we're talking around thousands, hundreds of thousands of computers. But more importantly, from the technical side you can see how these things actually operate, use that information and build something very specific to that campaign, which you can use for as long as these things are there, which will be a long time. Not that you would do that.

Another tool that I use quite often is Shodan, and you'll see a lot of the stuff that I've used here is free, open source or very cheap. Shodan is free to use and you can do a lot with the free account, but every now and then, I think it's a Black Friday sale they do every year, you can get a lifetime membership for five dollars, which if you haven't got it, I mean, might as well; definitely get it. Once you've got it you get API access. I think you get API access with free accounts as well, but the number of queries you can run is a lot more with a paid subscription. We quickly had a look at these on Shodan, and once you move into Shodan territory a lot of interesting things start coming up, which we'll have a quick look at very soon. So the ports: some of it is pretty obvious, some of it is useful in the sense that when you start building a profile, and I'm talking about hundreds of IPs over a period of time, you'll start seeing similarities there, and why that's important I'll show you.

So here's the thing: a lot of this infrastructure you see used by these campaigns is for the final stage. We don't care about the macro-based droppers and JavaScript and all that; this is the actual binary, the action that happens at the end of their campaigns. When you start looking at this infrastructure at scale, once you've been working on these techniques for a while and you've built a bit of a database and then you look at those in this sense, you'll start seeing similarities. Most of the infrastructure being used for this particular campaign, for example, has this in common: all the hosts that were being used for distributing this final payload have this vulnerability in common. So it starts to build a really clear picture as to what's really happening behind the scenes. Obviously they're not paying for the service; they're just using these. Most probably it's not the same actors, but they're leasing these from some other actor who's already popped them based on vulnerabilities that you can see. Once you start building this profile you'll see the similarities are pretty scary; it's always the same vulnerability. A lot of times you'll see a lot of vulnerabilities, but there will be a couple that are common across the entire infrastructure.

Now, this is the VT Graph tool, and this is where it gets really interesting. Instead of manually doing that bit every time, we can literally just grab a couple of them, not worry about the other sixty, chuck them in there and start expanding on that. I think with a free account you're probably limited, but if you've got a paid account, which I don't think is a lot considering what you get out of it, you can expand and scale. So this is just a few seconds of work once you've got it. Why is this interesting and useful? Because of this you can literally download the entire hash list for the entire campaign, and this will take you just a few seconds. So we've come from the point where our front-line teams were focusing on downloader/dropper type malware, which is a couple of URIs in there that doesn't help anyone because there's thousands of them; you block a couple on your perimeter, they go the other way, and the campaign itself will have hundreds of emails with completely different links. We've gone from there to the final payload, the actual malicious binary; we grabbed one C2 IP from there, chucked it in there, and we were very close to grabbing the entire campaign. From experience, these campaigns last anywhere between 48 to 72 hours, and that's a really good result for such a short period of time.

Once you've automated this it will take just a couple of minutes. So you've literally taken all of that work, automated it, brought the whole time frame down to a couple of minutes, and it's happening in the background all the time, and this will take care of the entire campaign for at least a couple of days, as it doesn't change. You can also download the IPs, so you don't have to go and download different samples from the same campaign to cover the entire thing. Just keep scaling it and you'll see that you can get pretty much the entire campaign, hundreds of IPs, within a few seconds, and if you've blocked it you can pretty much just move on at that point and do something else other than spending time on this. A lot of people ask at this point: hey, how come you're blocking IPs, what if you block some stuff that's actually legit? We've demonstrated before in a couple of slides that most of this infrastructure is pretty vulnerable anyway; I don't want my users to be visiting those servers within the next 42 hours, even if by some mistake I've done that and the actual binary being served is not malicious. I really don't care at that point. And if you see, I don't know if you can see, but one of the IPs is actually highlighted: this is the same IP from the same sample that we looked at and were able to grab manually, and as you can see, without actually having to go through the entire binary and manually grabbing everything, it's already there. That's like thirty seconds. Once you've scaled it to the max, this is what the entire campaign looks like. At this point I'm pretty confident I can give it to my SOC or whoever does the blocking and all that low-quality stuff, and move on, and this literally takes not more than a few minutes. We're pretty much done grabbing the entire campaign; expand it all the way.

Now, automation is another thing that we're pretty big on at my place of work, because we're a software company and we've got access to a lot of engineers. Once you've done your research, once you've actually done the hard work, at that point I firmly believe you should be able to automate it; there's no point repeating the same thing over again every time. How do you automate it? There are many ways, and this is just an example; I'm sure you will come up with better ways of doing it. This is a really simple thing: a very simple YARA template on VirusTotal. As you can see, I literally just grabbed a few strings and put them in there. You can put in different stuff other than strings to make it really specific to that particular family, but this is just an example. Once you've done this it's pretty specific; the only thing that can happen, other than getting the exact same binary every time, is someone reusing the code and changing it a little bit to create a new sample, but it'll still be very similar. This is just a quick retrohunt based on my rules. So basically, if you come in the morning and the campaign started last night, you can do it for the last 12 hours, you have everything in there, give it to your team that does all the blocking and stuff, and move on at that point; don't spend any more time on it. You have the option of downloading the top 25 or top 100 or whatever; basically you cover the entire campaign, and you have the option of grabbing all these different formats.

Just another example; this time we picked TrickBot. As you can see, doing all the stuff we did before while analyzing the actual binary, you can grab a couple of C2 IPs there and expand and scale in pretty much the same fashion, and you get everything in there. Again, we've got all of that stuff; it's very interesting to see how they're actually serving the binaries. This is something that you'll put in your threat intel database so you can profile them. That's pretty much it.

Before I finish off, a quick note on how to automate it, because a lot of people come afterwards and ask me: that sounds pretty cool, but how do we do it, starting from the reverse engineering part and going all the way to threat intel? I'll quickly give you an example of how I do it; you can use that or change it. Basically there are ways of automating the reverse engineering bits. You can write plugins in Olly, for example, or if you feel like it just use WinDbg, where you can literally set conditional breakpoints and keep it going and print all the output, using mona or just WinDbg, into text files. You can parse those text files using your API so you can check them on VirusTotal; whatever hits you get based on that, you can either create rules that you can save, or you can literally just program it in a way where it's downloading everything that I showed you to download by itself. Once it's all done, you can then take the output, and I'll put all the scripts on GitHub. From this point on you can grab them, and for example if your company's already using a threat intel platform like ThreatConnect or OTX or something, you can parse those files; ThreatConnect has published their own APIs and the documentation on how to parse it. Once you download all that stuff onto your box, you can parse it into your threat intel platform's format and literally upload all of those indicators into your account. From that point on, if you've got integration with your SIEM or Splunk, the scripts I've put on GitHub are working with ThreatConnect and Splunk, so basically you can parse all the rest, dump it in ThreatConnect in your community, and once it's all there you can link it up with Splunk, and whenever you see any hit on that on your Splunk instance you can take actions. Again, if you've got an automation engine there, once you get a hit on Splunk you can take action on it. So basically it's possible to automate the entire process from where we started up until we finish, and the only thing you need to do is every now and then check in for changes in the actual code and incorporate that back into your integrations. That's pretty much it; the conclusion is pretty much everything I just talked about. Thank you.

If you need any references, the first three are pretty obvious; these ones are detailed articles that are published. You literally put my name and the name of the family in front of it and you'll get a hit on Google for the actual detailed articles. Any questions?

Q: [partly inaudible] I agree with you, though; have you tried to encourage them to make assessments themselves, for example on the malware's sophistication? That can even get them to the identification of code reuse.

A: Yes, there is. I actually used to talk about it internally with my teams; I used to have a section on code reuse. That's really helpful, because you can see the similarities: you know, there's only one good malware written four years ago and then everyone's just latched on to it pretty much, and every now and then you see some leaked source code and a lot of people use that as well. The only reason I haven't put it in there now is because there are pretty solid products available out there that do it for you, and it's much faster. The entire idea has been to make it really simple for the front lines: you don't need to be a reverse engineer to do all of this stuff, as long as we do the work and give you exact things, for example all those functions; just target them and you get to this point, which is pretty advanced. But to answer your question, yeah, that's definitely there. The other thing we try to do is let you guys explore a bit more; you'll definitely find a lot more and different things than I have in the past. A quick story, for example: I once found a piece of code that was using very similar code to something I'd seen before, and when I looked more and more into it, it was a really complex setup, layered pretty well. I found a Skype handle in there which belonged to an actor I'd seen before, and he was tracked all the way back to Turkey, I think, from memory. That kind of stuff you definitely want, so really good point: just have a look at it and see what else you can see.

Excel, yeah. Look, it's one of those things, right; I try to keep it very generic too, because most of this is stuff that I can do at home. I don't need the might of my billion-dollar company to accomplish all this, because not everyone has the same resources. So it's literally just a quick Google Sheet, for example, where you've got different tabs for different families; that works. But yeah, if you've got some platform which is more complex and more expensive, it'll be better. Excel works fine, because at the end of the day you just need to be able to do a quick cat on it, or sorry, a quick grep on it, and see if you've seen something like that before. CSVs work fine; sorry for it being really basic, but yeah, it works.

Q: [partly inaudible] ... of a particular sample or a family?

A: I'd like to say it really depends on my daughters, when they come to stop me from doing stuff, but I think there's nothing really set in stone. What really works well is if you track it based on time. My experience is that most campaigns last 48 hours before they start changing, so if you're doing a retrohunt you can go back 48 hours and it will most probably give you the entire thing. The final payload, or the actual C2 list, doesn't change that much because they don't really need to; if they've got like a hundred IPs, they'll do the job for the next two days. So it's a bit hit and miss, but yeah, time is what I'd go for.

Okay, cool, thanks guys. If you ever end up in Australia please give me a shout; join me on LinkedIn. We're doing a BSides in Sydney on the 7th of September this year, a nice time to be in Sydney, springtime. Everyone's invited; if you do end up there let me know and I'll definitely show you around. So thanks again. [Applause]
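The automation pipeline the talk sketches (conditional breakpoints on the targeted Win32 APIs printing to a text file, then parsing that file into a per-family profile, a YARA retrohunt rule and an indicator list for a threat intel platform), as an added example that is not part of the talk or the speaker's GitHub scripts. It assumes a constructed one-line-per-breakpoint log format; the API and argument names are the Win32 ones the talk targets, and every value in the sample log is made up.

```python
"""Turn a debugger breakpoint log into a malware profile, YARA rule and IOC list.

Added example (not from the talk). Assumes each conditional breakpoint on a
targeted API printed one line: '<ApiName> <arg>="<value>" <arg>=<value> ...'.
That format and the sample values below are constructed for this example.
"""
import ipaddress
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: the kind of text-file output the talk describes dumping
SAMPLE_LOG = """\
InternetOpenA lpszAgent="Mozilla/5.0 (Windows NT 6.1; WOW64)"
InternetConnectA lpszServerName="203.0.113.45" nServerPort=443
HttpOpenRequestA lpszVerb="GET" lpszObjectName="/gate.php?id=9f1c"
InternetCanonicalizeUrlA lpszUrl="http://203.0.113.45/gate.php?id=9f1c"
HttpSendRequestA lpszHeaders="Cookie: 3C6D2B0A9F...=="
CryptAcquireContextA pszProvider="Microsoft Enhanced RSA and AES Cryptographic Provider"
CryptHashData dwDataLen=1024
CreateProcessW lpCommandLine="netsh advfirewall firewall add rule name=svc dir=in action=allow program=a.exe"
CreateProcessW lpCommandLine="powershell -nop -w hidden -f stage2.ps1"
WriteFile lpBuffer="README_DECRYPT.txt: your files have been encrypted" nNumberOfBytesToWrite=812
InternetConnectA lpszServerName="198.51.100.7" nServerPort=8080
"""

LINE_RE = re.compile(r"^(\w+)\s+(.*)$")
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return (api, {arg: value}) for one logged call, or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {name: quoted or bare for name, quoted, bare in ARG_RE.findall(m.group(2))}
    return m.group(1), args


def _add(seq, value):
    """Append a value once, keeping first-seen order."""
    if value and value not in seq:
        seq.append(value)


def _ioc_type(host):
    """Classify a C2 host as an IP address or a hostname."""
    try:
        ipaddress.ip_address(host)
        return "address"
    except ValueError:
        return "host"


def build_profile(log_text, family):
    """Extract the per-family fields the talk tracks from the logged API calls."""
    profile = {"family": family, "user_agents": [], "c2": {}, "urls": [],
               "paths": [], "cookie_exfil": False, "csp": [], "encryption": [],
               "child_processes": [], "files_written": 0}
    ports = defaultdict(set)  # host -> ports seen in InternetConnect
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        api, a = parsed
        if api.startswith("InternetOpen"):                 # user agent
            _add(profile["user_agents"], a.get("lpszAgent"))
        elif api.startswith("InternetConnect"):            # C2 host and port
            ports[a.get("lpszServerName", "")].add(int(a.get("nServerPort", 0)))
        elif api.startswith("HttpOpenRequest"):            # request path
            _add(profile["paths"], a.get("lpszObjectName"))
        elif api.startswith("InternetCanonicalizeUrl"):    # full URL, as on the slides
            url = a.get("lpszUrl", "")
            _add(profile["urls"], url)
            host = urlsplit(url).hostname
            if host:
                ports[host]  # record the host even without an InternetConnect line
        elif api.startswith("HttpSendRequest"):            # encrypted data sent as a cookie
            if "cookie:" in a.get("lpszHeaders", "").lower():
                profile["cookie_exfil"] = True
        elif api.startswith("CryptAcquireContext"):        # the CSP name reveals the algorithm
            csp = a.get("pszProvider", "")
            _add(profile["csp"], csp)
            for algo in ("RSA", "AES"):
                if algo in csp.upper():
                    _add(profile["encryption"], algo)
        elif api.startswith("CreateProcess"):              # child processes (netsh, powershell)
            cmd = a.get("lpCommandLine", "")
            _add(profile["child_processes"], cmd.split()[0].lower() if cmd else "")
        elif api == "WriteFile":                           # e.g. a ransom note being written
            profile["files_written"] += 1
    profile["c2"] = {h: sorted(p) for h, p in ports.items() if h}
    return profile


def to_yara(profile):
    """Build a minimal retrohunt rule from the profile's user agent and path strings."""
    def esc(s):
        return s.replace("\\", "\\\\").replace('"', '\\"')
    strings = [f'        $s{i} = "{esc(s)}" ascii wide'
               for i, s in enumerate(profile["user_agents"] + profile["paths"])]
    need = min(2, len(strings))  # require two hits when we have them, else one
    return ("rule %s_profile\n{\n    strings:\n%s\n    condition:\n"
            "        uint16(0) == 0x5A4D and %d of ($s*)\n}\n"
            % (profile["family"], "\n".join(strings), need))


def indicators(profile):
    """Flatten the profile into (type, value) pairs for a threat intel platform upload."""
    out = [(_ioc_type(h), h) for h in profile["c2"]]
    out += [("url", u) for u in profile["urls"]]
    out += [("user_agent", u) for u in profile["user_agents"]]
    return out


if __name__ == "__main__":
    prof = build_profile(SAMPLE_LOG, "sample_family")
    print(json.dumps(prof, indent=2))
    print(to_yara(prof))
```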