
Cool. Right, so if you ever wondered how to dissect a phishing campaign, aka the thing that we refer to as [unintelligible] when you've stopped reading down about the reports, then Jim has floated all the way from Canada to help us out with this. So I'll hand it over to Jim Slaughter. Thank you.
Thank you very much, it's really appreciated. It's the afternoon slump, what's happening is levels are starting to dwindle, so I'll start off.
So, by day I am a cyber security analytics manager for a tier 1 national organization. OK, that's what the job title says; what that really means is I do a lot of malware analysis and reverse engineering, and I dissect a lot of phishing campaigns. [Unintelligible], and if you say my job title a lot here, drinking game. Previously I spent nine years at the enterprise [unintelligible], BlackBerry. Breaking bad guys' bad code is a lot better than fixing it; at least the bad guys' [unintelligible]. For the last seven years I've spent what free time I had sort of tinkering, hacking, bulking up on my knowledge any way I can, doing malware coding, and if you're really bored one night, possibly
[unintelligible]. Now, why am I doing it? For me it's fun, I'm really passionate about this. Moving to the [unintelligible] from the audience, one of the points: phishing campaigns are becoming [unintelligible], and this goes for your average person at home right up through [unintelligible], and I think also defenders, the [unintelligible] guys, deserve representation at conferences like this; they're every bit as [unintelligible]. I'll speak to that later, but this talk is sort of teaching
[unintelligible] regarding malware with a financial focus. Now I'll preface that by saying I could have gone with some mind-blowing nation-state sponsored [unintelligible], but that would be duplication on my part, and a lot of us have budgets to maintain, [unintelligible]; also, this is by far much more common than that. So, a statistic from Kaspersky to start out: for 2014, for all of their global operations, they detected 22.9 million attacks using some sort of financial malware. Now, if you can believe it, that's actually a decrease from the previous year, which I don't understand how they managed to do. But more importantly, as germane to this topic, seventy-five percent of that total is specifically geared towards stealing online banking credentials. Working for a financial services organization, that is most concerning, and [unintelligible] financial [unintelligible] that should be a very large
concern for you. Now there are as many families of this type of malware as [unintelligible], but some of the more famous are Zeus, Carberp, Dyre, Cridex, [unintelligible], Neverquest and Gozi. Some of you may or may not be aware that a few of these have been taken down by law enforcement, GameOver Zeus being, I guess, the most high-profile. Now, that being said, the infrastructure for that was seized and traffic dropped off the face of the earth; however, the individual believed to have created Zeus and [unintelligible] is still enjoying himself on the Black Sea coast and will likely never be extradited to face justice. Now, that being said, many of these malware families are structured using
an affiliate model. In the aforementioned GameOver Zeus model, the person responsible simply [unintelligible]: anyone in the criminal underground could buy access to that malware; if they had a spam bot they could throw out their own emails, do their own campaigns, and then reap the rewards accordingly, paying dues for the actual product either by [unintelligible] or by number of [unintelligible], that sort of thing. So the benefits of this are much less exposure for the creator; the malware owners, all they do is maintain the infrastructure, so there is a lot less risk and, excuse me, a lot less [unintelligible] reward. For the individual attackers delivering the attack, much less skill is required than actually having to go and create these massive botnet infrastructures and watch them themselves.
So for [unintelligible] I'd like to spend most of my time today talking about what hits my day job; most of what is hitting us right now in the corporate space is Dridex. We'll go through a campaign from the phishing email all the way up through the attachment and the downloader, and follow it through to its logical end. So not only is it affecting my own institution, I suspect most of you, even if you don't recognize how to properly [unintelligible], receive a Dridex-based [unintelligible]. Typically in the course of a campaign, six thousand emails per [unintelligible], and it's going to be relaunched.
Also, as time has gone on, and it's really only been on the market for a year, it's continuing to be adapted, really quite deftly, getting around some of the defenses in place these days. So originally it was a descendant of the malware Cridex, also known as Feodo, and we got [unintelligible] depending on who's doing the analysis of the sample or what threat intelligence provider you have; it's really based on reference. If any of you are familiar with the abuse.ch trackers, as well as some of the malware families, they call it [unintelligible] with Dridex. Victims are almost entirely targeted through phishing emails; whoever the affiliate is, those emails are very [unintelligible]; not all of them are written by people that speak English as a first language, and some of the affiliates are based in other countries, [unintelligible] countries. So for instance, a month ago, a big intel piece: one portion of the Dridex gang is going [unintelligible], so its
targets. So in addition to the phishing email, just about all of the attacks have some sort of attachment, always a Microsoft Office Excel spreadsheet, so it uses some of the same Office [unintelligible] techniques that other gangs use. I have to say that it's reasonably simple and it's effective: despite the fact that it's been going on since the dawn of Internet email, it still works.
So, speaking of Dridex, [unintelligible] beyond the concept at its center point: once that package is installed onto a user's system, the system then becomes a bot within that botnet; it basically identifies itself to its command-and-control host, and the authors want to track a particular instance to one of their affiliates. It's a fairly sophisticated setup; they essentially run like any other software services organization: they log bugs, they fix bugs, they track users of their [unintelligible].
So once that happens, and someone was unlucky enough to be a victim of the Dridex installer, they have a system of what they call web injects that will then either man-in-the-middle or man-in-the-browser the victim. So once this happens, a series of URLs is stored in the web injects for a particular instance: banking, shopping, PayPal. If the user goes to one of these URLs, then the bot knows to intercept all [unintelligible] to the browser and redirect it to a site of their own, so that in the end the person is not [unintelligible]. They're trying to log in to do some sort of financial [unintelligible]; let's say it's redirected, [unintelligible] the credentials; the user is usually then just punted or shunted, thinking their credentials were entered incorrectly, or sent to a fake page. While people [unintelligible], when that happens there's a fairly sophisticated set of money mules [unintelligible] one the money through a few different accounts, usually in places that the Western banking system [unintelligible].
So the Dridex gang have learned from previous [unintelligible] takedowns, another recent one [unintelligible]; their command-and-control structure is much more resilient than even [unintelligible]. And keep in mind that the GameOver Zeus [unintelligible] took a massive coordinated effort from law enforcement across all of the European Union, North America and a few other places; quite honestly, [unintelligible] often something wrong, but they managed to do it. In doing so, I think these guys learned that they had to make their own systems even harder to take down, [unintelligible]. So in doing so they've created a system where the person at the end, on the box that has the utility to control the botnet, is three or four layers removed, which makes it incredibly difficult to track, and even if you could, that's only one instance of the top-layer infrastructure. So again, the person that is able to sit at a box, at a terminal, they're going to be behind
[unintelligible]. So if somebody like you or me [unintelligible], it's just nearly impossible to get at, and then the next layer, right. So the structure is set up a little bit like this: you have your victim who's become infected; they unfortunately clicked on the attachment and ran the attachment, so the attachment will call out and download the Dridex executable onto their system. That download site also then becomes the first layer of command and control, which will then VPN-connect to the next layer. So that's one more [unintelligible]; the attacker makes it extremely difficult, even at this stage, to then start identifying where the command [unintelligible]; it may be a compromised host, just randomly someone [unintelligible] at this point, oh sure, sitting between that.
Now this is one model; some of the actual [unintelligible] are more complex and difficult to start tracking. So after all that long preamble,
[unintelligible] every day, every day, using this as [unintelligible]. Yes, it isn't really particularly sophisticated in terms of phishing; any one of you that holds the Social Engineering Toolkit has far better examples. These are all perfect [unintelligible]. So this is a common one: you've received some sort of order details, [unintelligible]. Every day people would go, "I haven't ordered anything," and it doesn't take anything, because humans are naturally curious, and obviously someone [unintelligible].
Even simpler: this one is showing that there's, well, I guess the newest [unintelligible] notes 40 grand, that's large. So whoever got this is obviously going to go and try to find out what was going on, and click on this button [unintelligible]. So the next phishing one I'm going to show you is a little bit more involved; it's part of an Amazon scam, and this one is [unintelligible] in that they use live links that actually redirect to the real Amazon site. So if you're looking at this, even if you're smart enough that you have your doubts, you hover over the link and see that it's actually going to Amazon instead of, you know, somewhere in Russia, then it makes it that much more believable. Still, there's the attachment, and it's an impressive-looking attachment; it looks perfectly official.
Unfortunately, just about all of these Dridex emails have some sort of macro. Depending on who's [unintelligible] sending the email, [unintelligible] has a horrifying feature for somebody that's actually building [unintelligible], constructing the link one ASCII character at a time. [Unintelligible] you want to slap them [unintelligible] making your life miserable [unintelligible] we shake their hand [unintelligible]. So the [unintelligible] presentation [unintelligible] interesting point in that organization.
Most of this wouldn't be a problem, although with some of the attachments the gang is smart enough to actually say "macros are off, please switch them on". There's many, many, many layers of subversion and social engineering being used. So if our hapless victim opens the attachment, they will be sorely disappointed, because they get absolutely a big blank screen within Word. Unfortunately, while it looks like nothing is happening, the macro in the background executes. So
if any of you do this at all, or want to, do it with OfficeMalScanner. Even though that product is getting a bit long in the tooth and hasn't been updated for some time, attackers realize, much like anyone who works in a large organization, the fact that compatibility wins, so they make macros essentially backwards compatible, which is fantastic, because you don't have to do any tricky stuff to take them apart. So you run OfficeMalScanner on this delicious attachment and you will see that it actually finds stuff. No idea why they pick these names, but that's just [unintelligible], not the commentary, sure.
What you will see is that it's, for a defender, an exercise in frustration. What they have done is named every variable and every function using [unintelligible]; sometimes when they do this, what you end up getting is a huge [unintelligible] of circular logic. So you see, I want to know what [unintelligible] is; I need to peel it open in order to find out, [unintelligible]; I need to know that [unintelligible] is a function and returns values based upon [unintelligible]. It's just insanely frustrating. So if you have time, then [unintelligible], or you can lose
[unintelligible]. Here, despite the fact that they're using [unintelligible] variables and functions, they still actually have to play by the rules of the operating system: the Shell function is in there. So I sort of short-circuited the logic to narrow down what it is; [unintelligible]. Even if you're lazy, sometimes [unintelligible] just right after, and what you end up getting, so cool, is an executable call initially to [unintelligible]/42.
They also do something else that a lot of malware actors won't do, which is have a custom user agent. So what this does: if you're a researcher [unintelligible], sometimes you have a URL that you can actually get a sample from, and if you use something like curl or wget with [unintelligible] flags and put that in, you will fail. The reason being they have the configuration set up so only a particular user agent will be allowed to connect to the site. And so you can eventually figure it out, but if you're just somebody that [unintelligible] doesn't have a lot of time or resources, you get kind of fed up with it. And so on the flip side of this, it just gives you something to look for in your logs. Everybody here has a logging platform, right? Right. If you know what you're looking for, the user agent is a fabulous thing to look at if you potentially think somebody's system is infected with something [unintelligible]. So
this is the main [unintelligible] section; most of the time, everything that it needs to mess around with is in it. It will drop a DLL that [unintelligible] takes care of injecting into Explorer, as you can see. So once that's done, it will detect whenever you run any of the major or popular web browsers that are out there, i.e. Firefox, Chrome, doesn't matter; it will be watching. [Unintelligible] so, as I mentioned before, [unintelligible] the web injects are essentially just a [unintelligible] table. So when the victim [unintelligible], we'll see Chase, not mine, I don't work for them, so whether it's Chase online banking, it shows up in there, congrats, it will be watching for it, and if you browse to it, it will intercept the traffic, steal your credentials, and empty [unintelligible].
Nearly at the end, literally, but I'm going to kind of climb up onto my soapbox for a minute. So one of the reasons that I did this talk was that I work in a corporate [unintelligible], and what I have in my immediate department are people who understand security is important, as all of you do as practitioners; you actually do this on a daily basis. Now, standing one level above you, unless you work at a consultancy, are going to be [unintelligible] your company, or the department, or whatever particular business area you're serving, and it's been my personal experience a lot of the time that they don't quite take security seriously when they have to, or when they should, because their area of expertise is focused on the bottom line or availability. It can be difficult; I think sometimes [unintelligible] should be the fact that this [unintelligible] control shift on that; unfortunately it indicates something like the Target event [unintelligible] sometimes the events [unintelligible], that's a problem. I think somebody said it wonderfully this morning that occasionally soft skills are required, [unintelligible] necessarily practice. There is nothing I would love more than to sit at my desk in the t-shirt that has a certain compliment that tells you the many ways I will not [unintelligible] you, but unfortunately, occasionally I have to suit up and go [unintelligible] and tell them, you know, they have problems, and fix them [unintelligible]. So that's
something that I really hope [unintelligible]. This particular threat [unintelligible] everything, especially the phishing. Numerous studies: there's always going to be one, always going to be one person that clicks on [unintelligible], always going to be someone willing to give [unintelligible] for a free lunch [unintelligible]. You just have to be prepared. The point I kind of want to drive home is that security is a lot more than just penetration testing; so, you know, a lot of the talks are sort of bent in that area, but there are other aspects: the defender's role, and a lot of fun can be had off the back of taking a sample apart. [Unintelligible] it's not just all the fun [unintelligible]. So, you know, there is room in the security [unintelligible] for all of it, and definitely people are looking for that skill set. So those are the two points that I really wanted everyone [unintelligible]. So, some of the tools: [unintelligible] REMnux, especially; Lenny Zeltser, the SANS dude, has an entire Linux distro that has every possible [unintelligible] tool that you can imagine under the sun crammed into this marvelous [unintelligible]; super easy to use, super simple to get it doing this, and also, whether you do malware analysis or not, just [unintelligible], or you want to find out [unintelligible] your hands, it's a great way to figure it out. They set it up, or if you don't want to go to all the trouble, [unintelligible]
Fabulous. [Unintelligible]. So, top of my head, I don't think so. What's that? You know. Yeah, I know, it's just, I mean, the guys that love to [unintelligible] stuff until they're forced to, so why [unintelligible]. So [unintelligible] the samples; they're hard to get ahold of [unintelligible]; you have a couple of [unintelligible] projects. Questions?
It's the last thing I will say: I really want to thank [unintelligible] organizing this, [unintelligible] set time in here, and also you.
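The logging point made in the talk (a download server that insists on a custom user agent, which a defender can therefore hunt for in proxy logs), worked as an added example that is not part of the talk and not taken from any tool it mentions. It parses a constructed, simplified proxy log, baselines user agents across the whole fleet, and scores each request on several weak indicators taken together: a user agent seen on only one client, an executable payload, a bare IP literal as the host, and a POST back to the same host shortly after the download. The log layout, hostnames, addresses, user-agent strings (including the made-up `upd/1.0` downloader agent), scoring rules and thresholds are all assumptions.

```python
"""Hunt for downloader-style activity in web-proxy logs by user agent.

Added example only: not code from the talk or from any tool it mentions.
The log format, hosts, IPs and user-agent strings below are all constructed;
the scoring rules and thresholds are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple
from urllib.parse import urlsplit

# Assumed proxy line layout: <epoch> <client> <method> <url> <status> <content-type> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload", "application/octet-stream"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr")
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed user agents: normal browser traffic, one legitimate non-browser
# agent, and one hypothetical custom downloader agent (not a real Dridex string).
CHROME = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/42.0 Safari/537.36"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
WUA = "Windows-Update-Agent"
DOWNLOADER = "upd/1.0"

# Constructed sample log: six benign lines, one payload fetch, one check-in POST.
SAMPLE_LOG = f"""\
1432221000 10.1.2.15 GET http://www.example-bank.test/login 200 text/html "{CHROME}"
1432221002 10.1.2.16 GET http://news.example.test/ 200 text/html "{CHROME}"
1432221005 10.1.2.18 GET http://www.example-bank.test/ 200 text/html "{CHROME}"
1432221010 10.1.2.19 GET http://news.example.test/ 200 text/html "{FIREFOX}"
1432221012 10.1.2.16 GET http://mail.example.test/ 200 text/html "{FIREFOX}"
1432221015 10.1.2.17 GET http://update.example.test/patch.exe 200 application/x-msdownload "{WUA}"
1432221020 10.1.2.15 GET http://203.0.113.9/dl/1 200 application/x-dosexec "{DOWNLOADER}"
1432221041 10.1.2.15 POST http://203.0.113.9/gate 200 text/plain "{DOWNLOADER}"
"""


class Entry(NamedTuple):
    ts: int
    client: str
    method: str
    url: str
    status: int
    ctype: str
    ua: str


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed proxy format; a malformed line is an error, not silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable proxy line: {line!r}")
        g = m.groupdict()
        entries.append(Entry(int(g["ts"]), g["client"], g["method"], g["url"],
                             int(g["status"]), g["ctype"], g["ua"]))
    return entries


def rare_user_agents(entries: List[Entry], max_clients: int = 1) -> Dict[str, Set[str]]:
    """User agents seen on at most max_clients distinct clients; the fleet is the baseline."""
    clients_by_ua: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        clients_by_ua[e.ua].add(e.client)
    return {ua: c for ua, c in clients_by_ua.items() if len(c) <= max_clients}


def is_executable_fetch(e: Entry) -> bool:
    """Executable by declared content type or by file extension in the URL path."""
    path = urlsplit(e.url).path.lower()
    return e.ctype.lower() in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTS)


def has_followup_post(e: Entry, entries: List[Entry], window: int = 60) -> bool:
    """Same client POSTs to the same host within `window` seconds after this request."""
    host = urlsplit(e.url).hostname
    return any(o.client == e.client and o.method == "POST"
               and urlsplit(o.url).hostname == host
               and e.ts < o.ts <= e.ts + window for o in entries)


def hunt(entries: List[Entry], threshold: int = 3) -> List[Tuple[Entry, List[str]]]:
    """Score each request on weak indicators; report those meeting the threshold."""
    rare = rare_user_agents(entries)
    findings = []
    for e in entries:
        reasons = []
        if e.ua in rare:
            reasons.append("user agent seen on a single client")
        if is_executable_fetch(e):
            reasons.append("executable payload")
        if IP_LITERAL_RE.match(urlsplit(e.url).hostname or ""):
            reasons.append("bare IP literal as host")
        if has_followup_post(e, entries):
            reasons.append("POST back to the same host shortly after")
        if len(reasons) >= threshold:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in hunt(parse_log(SAMPLE_LOG)):
        print(f"{entry.client} {entry.url} ua={entry.ua!r}: " + "; ".join(reasons))
```

The user agent is attacker-controlled, so a custom string is a strong indicator when present but trivially changed; the durable part of the approach is the fleet-wide baseline, not any literal string. Against a real proxy export, adjust LINE_RE to the actual format first, and expect legitimate single-host agents (the constructed Windows-Update-Agent line above) to show up as rare without being flagged on that alone, which is why the indicators are scored together rather than alerted on individually.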