
BSidesCHS 2018: Opening Remarks & Keynote by Vitali Kremez

BSides Charleston, 49:00, 704 views, published 2018-11
About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Charting the Next Cybercrime Frontier, or Evolution of Criminal Intent". Speaker: Vitali Kremez (@vk_intel)
Transcript [en]

We're gonna get started here. This is our sixth year doing BSides Charleston, so I think it's safe to say that we've established precedent here and we're not going anywhere soon. This is also probably the biggest one that we've had; we've had a lot of people coming out, especially our sponsors. I went through and checked, just to go through and list them off for you: Check Point, Flashpoint, PhishLabs, Presidio, Soteria, College of Charleston, SecureWorks, EverSec, FoxPick, pen test fail, JG Design, ZZ Servers, Darknet Diaries, Michael Eppolito (yeah, someone individually was like, "we need you to be in this community, so I will donate money"), Mint, No Starch Press, Sparrows Lockpicks, 26 divine, CHS InfoSec group, cha ha node, SC reforge and Rural Tech Fund.

Now these guys were the ones that said, you know, we're going to give back to the community. So when you're out there and you look at the sponsor tables, if you're a decision maker in your business or you're looking for jobs, go check them out and give them a really good chance at, you know, being a part of their team, because those guys are the ones that are investing locally here in Charleston. So that's really great. I want to bring up Chris Starr here to do a little talk about the College of Charleston. Thank you very much for coming out, guys.

Good morning, my name is Christopher Starr. I'm an associate professor of information management here in the School of Business at the College of Charleston, and also a former chair of the computer science department. I want to welcome you on behalf of Alan Shao, Dean of the School of Business. You might be interested to know that the School of Business has created the first technical department in the school; it's called Supply Chain and Information Management, and it's delivering new levels of abstraction to undergraduates and graduate students in technology, where we have courses that address security in its many forms. As the levels of abstraction in technology continue to mature, we'll see more of our business students come out of the College of Charleston with technical proficiencies so that they can engage with you at levels that have never been seen before. So I welcome you to Charleston, the College of Charleston and the School of Business. Have a great conference.

Hi everybody, I'm Jeanie Rogers, I run FoxPick. If you don't know me, hi; if you do know me, welcome back. We run the lockpick village in the back. After the keynote's done we definitely are open, come play, pick, learn how to pick if you haven't. We also have a challenge; it's three dollars cash, five dollars card. The challenge, all the proceeds go to HACC for Kids, and we will have prizes. I don't know what the prizes are; I think Sparrows Lockpicks is one of them, but definitely come by, play, donate money, learn new things and have a great time at the pond today. Thanks guys. [Applause]

There's also gonna be a CTF running at ten o'clock, and there is a special challenge on your badge; if you can figure out how to get to it and you play it, there's also prizes for that. So all you crypto guys, that's a hint, check it out. So our keynote speaker here actually runs one of the most technical malware reversing blogs on the Internet today. He single-handedly has taught a lot of people how to reverse various samples, from Dridex to DanaBot, and he's gonna do a really great talk today. So I want to, just without further ado, introduce Vitali, our first keynote of the day. [Applause]

Good morning everybody. It's definitely a pleasure and a great honor to join you in Charleston; it's actually my first time in Charleston. Well, the first time I was talking to Paul, actually one of my colleagues at Flashpoint, where I was invited, I actually felt like that's one of the conferences I want to be at, I want to attend, not only because of the new location but also because of the caliber of researchers I've seen constantly from this area, and from Paul and TJ, and I've been quite closely investigating some of the most complex botnets in the past. So one of the subjects I want to talk about for the keynote is just the charting of the next cybercrime frontier, or evolution of criminal intent.

Just a quick background: I work actually at Flashpoint, it's also one of the sponsors of the event. So I'm a director of research and I run a technical team at Flashpoint, so we focus on looking into various criminal and APT threats, but also we look into the underground ecosystem. So part of my agenda is also to tell you more about what the underground is and who the actors behind it are, and provide you more visibility into some of those communities, but also chart and explain what the current threats are as we see them, and what the future would be in terms of them, and I will go through very specific case studies. I previously worked at the US government in a cybercrime bureau investigating some of the top criminal gangs, so one of them is of course Dridex, but also many, many others. So I come from a very technical but also very investigative intelligence background, so it also helps in our work at Flashpoint to do some counterintelligence and look into some of the most protected criminal networks that we've been tracking.

So the content will be based upon some of the bullet points that I'm outlining. One of them, we're going to talk about the deep and dark web, what it is and why it's so important for us to know and track some of those communities. We'll also talk about the malware toolkits; we'll trace back, first of all, the threat actors, we'll be looking into who the criminals are behind the attacks we see in our networks or anywhere else. But we'll also talk about the evolution from malware as a toolkit to malware as a service, and then we call it cyber criminal corporate groups: the groups are no longer script kiddies, if you will, but rather professional career criminals targeting us and essentially investing heavily into exploiting some of the network access they obtain. We'll talk about how the cyber criminal underground fuels some of the attacks that we've seen. For the case study I have TrickBot, which is a banking Trojan; in the case we also talk about how the collaboration actually works and how these groups look from our perspective as we've been tracking them, and we'll talk specifically about TrickBot and their structure. Then we also discuss some of the newer tactics we've seen in the e-crime and digital crime ecosystem. We'll talk about how the criminals are employing, for instance, methods to steal proprietary intellectual property, algorithms and also source code, and mergers and acquisitions data for insider trading, specific to the Gozi ISFB botnet, and we'll also talk about the new modules actually from TrickBot; TrickBot just released a new module hunting for point-of-sale terminals through LDAP, so we'll talk about that. But we'll also talk about the account checking activity and why it means so much for us to track those big breaches of the day and make sure we always change our passwords. I'll also talk about the key takeaways, of course, and what the future is and what's next in the e-crime ecosystem.

So what cyber crime is today, and in terms of our visibility at Flashpoint, how we track criminals. So what happened in 2018: the criminals are more sophisticated than ever, the attacks are more well orchestrated and the groups are definitely more advanced than they ever were. Back in the early days they were just deploying malware and toolkits, but no longer is that the case; they also rely on a robust cyber criminal infrastructure to support them, an ecosystem. So for example, it's not a job of one person any longer to deploy attacks, but it's a corporate structure where every criminal plays their role in that, and also they collaborate together on various breaches, as we'll talk about in the TrickBot case. And again, very sophisticated money moving capabilities: the criminals learned how to do fraud. Finally, back in the early days they didn't know how to do man in the middle, they didn't know how to sniff traffic, and they just really relied on some password stealing malware. It's no longer the case. And also the scale of operations led to the big data problems, so criminals currently amass huge botnets and they're definitely looking into getting the most bang for the buck in terms of these botnets. They're looking into finding the juiciest ones; they want to get access to internal networks, they want to have access to point-of-sale terminals, those are the key value assets for them. And for them, as the botnets are so big and the data they accumulate is so huge, it means that they really need better data science on their backends to index them. So think about the criminal groups right now, they're really like many startups, because we kind of analogize some of these e-crime companies; they might be defining their operations as security companies, like anti-security companies, employing different affiliates and also running operations very smoothly. So that's the state of the crime. And again, it's no longer focused on just financial institutions; now lots of other companies are affected, including law firms and health care, because of the fact that they still harbor valuable information and assets that are still valuable to criminals and the nation-state groups. And also the underground ecosystem plays well into that; it's so important to realize that these actors do not act in isolation. Oftentimes they learn from each other, learn the tricks and share methods and methodologies to target us. So we'll talk more about these use cases as we go along.

So before we start looking into this, I want to just give a primer on the deep and dark web. The deep and dark web is essentially a term, and essentially a way for us at Flashpoint to track some of those underground ecosystem communities, and that's also why it's so important: because they serve as venues for criminals and different groups to exchange information and ideas. Think about our infosec communities that we have; they also have their own, kind of, infosec communities, and they share ideas and the methodologies of how to target us. So that's why it's important for us to look into them and study them, and because we can glean a lot of insights into what the future might be in terms of the attacks and the sophistication of ecosystems. So generally, like we say, what is the deep and dark web: we don't refer to the surface web, we don't refer to Twitter, we don't refer to anything on Google you can find through the Google engine. We refer to something that's protected either through vetted access, where you need to have some human intelligence, human assets to get in; it requires you to convince the criminals that you are not, actually, another researcher, not a law enforcement officer. So it takes some time and practice, and the government used to do a lot of that; it's called, kind of like, intelligence operations: getting access to criminal communities, staying as close to them as we can, gaining intelligence and writing essentially intel reports, but also providing visibility into the most sophisticated. The deep and dark web: if you use the Tor browser, it's called the dark web; it requires specific software, think about I2P, onion, the .onion websites, that's what we call the dark web. When we say deep web we mean the forums and specific communities that can be accessed through normal browser behavior; however, they require either an invite code or knowing the administrators or the bad guys to provide you access. So you need to bypass the virtual bouncers to get into some of those communities, and that's what we call it. So there's a difference, and essentially we've seen the most interesting communities, the most interesting targeting we've seen; all the groups we'll be tracking, TrickBot, Dridex, Zeus, all of them have roots in the underground ecosystem. It actually fuels, not only does it serve as a platform for them to get to know each other, but also a platform to sell their goods. So that's why it's so important, but it's also pretty hard to get access to that and maintain that, because it requires you to be part of the clique of criminals who are very alert to being surveilled by law enforcement and other individuals, so it's almost like an intel operation that we have.

So why do threat actors need the dark web per se? It's just really important for them: it's not only exchange of ideas, the exchange of products, it's also marketplaces and recruitment, it's also training and professional development, and of course financial services. And it sounds like business for them, and in fact it's very similarly framed as such, and essentially the dark web is still, up to this day, one of the most important nexuses. Like back in the government days when I used to work on cases, we used to always have a deeper investigation of a target breach; we knew that the common angle has always been the dark web or the dark web marketplaces. So it's always been hidden from our visibility, hidden from our view, so in this presentation I want to unveil some of that, but also connect it back with some of the sophisticated cyber criminal groups that we've been tracking. So, and yet again, threat actors must communicate, they must coordinate, they must learn, recruit, buy and sell, and as I mentioned earlier it's no longer a lone wolf operation but rather an orchestrated and well-funded enterprise. And also those communications, from our perspective, provide unique visibility into the indicators of compromise and also the tactics, techniques and procedures that they would use to attack us.

So in terms of the threat landscape of actors, I just want to briefly outline that. So we separate it into kind of five different buckets. We have hackers, or, you know, communities of individuals who of course file bugs and, you know, do responsible disclosure; there's somebody who's not necessarily following that, there are white hat and black hat actors of course, or individuals. There are hacktivists, hackers for a cause; they're upset about something, they just want to use the cyber as a means to essentially explain or, you know, essentially get their point across. We have criminals, who of course oftentimes we classify as financially motivated, so their intent is really to extract more value in money and assets from their attacks. We also have nation state actor groups, B teams as we call it, it's nation state groups that are just competent; they oftentimes get caught, we sometimes see blogs written about them, we oftentimes think about them as quite noisy, and some of these groups, it reminds me, some of the Russian nation state groups are not quite fitting the way we actually define nation-state B teams. And of course the top nation state A teams, the groups that have invested lots of money in assets, and oftentimes they have quite a large backing from the government to deploy zero-days and exploits, very sophisticated, very quiet, you never see much of that. But again, yet, in our course of view there are still actors who try to pass as somebody else, right? So we call it the false flag operation too, but it's something I just want to outline and have that perspective as we go along the presentation.

So when we talk about the criminal deep and dark web ecosystem, I want you to think of this as four different steps, and four different ways to categorize some of those communities, because the underground ecosystem, while it's huge and massive, still can be separated into four logical groups as I look into that. One is called intrusion groups: so specific communities focused on the intrusion aspect of that, where criminals can share hacking tools and toolkits essentially to target us, but also they can find people, like breach actors, who can deploy their methods, deploy their tools; they can hire them to compromise networks. We also have data markets; those are the communities where they can sell the stolen data to and they can find potential buyers, and of course affiliates that can be engaged with. And also the shopping area: some of these communities relate to facilitating shopping on the dark web, if you will, so they speak about and promote some of the services sold on the underground. Yet again, it's very important when you look into sophisticated groups too, because oftentimes they rely on shoppers to either buy their stolen goods and/or, you know, essentially services. So it's very important, and reshipment, reshipment is a very important aspect too, because reshipment allows them to cash out some of the digital proceeds and move money across different jurisdictions, and there's quite a wide variety of methods of doing it on the underground, as we call it.

So from the intrusion aspect I want to just describe to you: this is back in the early days, there was a malware called SpyEye you might be familiar with, and this is kind of like, you can find advertisements of somebody selling new malware kits, or new malware for sale, or new loaders and crypters, credential and data stealing malware, traffic: you can buy some traffic for your malware if you're running, of course, maybe some sophisticated SEO operation, or exploit kits; you can procure spammers who can distribute spam. And generally that community is falling into that intrusion category bucket, as we call it when we discuss them. The second type of communities I want to talk about, they fall into the data markets, and the products and services that have been offered are stolen credit card data, stolen account data, stolen, essentially, authorization checkers, account credentials, anything else that they can extract from a form grabber or some type of login credential stealing malware. And those are communities that are actually focused on reselling this data to the highest bidder, but also to the criminals who can use this data and go shop around. So that was critical for them, and that's how the underground works: the threat actors rely on the data markets to upsell their data.

Another aspect when you look at the underground, and those specific communities mapped to those categories, is the shopping area, and those are the services offered to the criminals. One of the services is called calling services, for instance: you can hire a criminal to call into the bank and impersonate a victim. For $15 they can call in and provide any female or male voice and try to get the bank official to pass the transaction, so criminals still need some of that to bypass some of the anti-fraud measures that we find e-commerce websites have deployed, and also anti-detect browsers. In a screenshot there is an anti-detect browser product that was sold on the underground for $5,000; it allows criminal groups, such as TrickBot and many others, to essentially do account takeover fraud successfully. But of course there's also tradecraft: tutorials that share methods and exact tactics. One of the interesting quotes from a criminal I was actually reading lately was where they explained to each other, and explained how best to approach targeting or hiring your mules for the operations, and they would say: politeness is the thief's main weapon. You should be polite but you should also be firm when calling your mules, and you should remember that, you know, we and the Americans refer to this thing differently, and you should not only send them emails as invitations to, like, drop shipping projects but also try to create a healthy working atmosphere to make sure the fraud works. So it's kind of an interesting insight you can glean just by looking into some of those communities and the aspects of them.

And the fourth is just reshipment, and this is kind of something that is very critical and important for you to understand, because reshipment plays into mule recruitment, handlers, copywriting projects, translation, drop projects. And a screenshot showing you the control panel: this is the panel when the criminals are interested in cashing out their big botnets. They would essentially also have job recruitment scams, and TrickBot actually does it, and many other banking malware too: they ask for mules to get a work-from-home job, oftentimes ask people to receive wires from the company, from Craigslist. So if you are ever asked to receive a wire from Craigslist, never do that, because you can be duped into a scam. And also the scammers themselves, once they get their mules and get their victims, they would put their information into drop control panels so they can control how much this mule ships, how much money do they actually launder for me, how successful they are for us. And again calling services too, if you ever have difficulties with your mules and if you don't speak English well; the criminals also rely on some of the criminal groups in the US to call the bank accounts and just make sure to unlock some of the fraud and just be successful. So yet again, that's another aspect of the underground which is critical for you to understand as we move along, and this is the basis, primarily, of the prism that I'm looking into, the paradigm of the crime ecosystem that we're going to be talking through.

So before we start looking into some of the current or sophisticated groups of the future, it's good to step back and look into the malware of the past. So back in the early 2000s, I would say, when you look at this sophisticated malware, they trace back to 2000; actually it's quite new, when specific to the banking malware side, only the first attempts had been made. And one of the most prolific malware at the time was called Pinch, if you might be familiar with it, developed by one of the Russian actors on a criminal forum; he was caught, but they developed a spy module. This is a screenshot of how this malware looked. So the criminals at the time could buy this specific software and be successful in doing some basic fraud. At the time actually the banks were not too sophisticated, they didn't know much about the crime ecosystems as they do now; there were no sophisticated man in the middle attacks back then, just basic hijacking capabilities where the criminals could essentially subvert money and move money from one bank account to another one, just purely by this malware. Other malware you might be familiar with, it's called Bancos, Haxdoor, Limbo; this is the malware of the past that was super important for the evolution. However, they had just been software; they've just been selling a software package, so when you buy that they'll give you source code, you compile the source code and you can perform attacks. It hasn't been a long sustained operation, because, you know, the botnet or malware developer, you still relied on them to deliver new source code if it fails. So it's also not very reliable; it's not sustainable to do major e-crime.

So from 2006 to 2010, that's the rise of the financial e-crime; that's when the Zeus banking malware appeared, and it was authored by a Russian national under the alias Slavik. So at that time it's the original cybercrime kit as we know of, and this is kind of the root of many, many other kits that emerged later in the days that we still track up to this day. One of the interesting things: this is kind of, you know, anyone who can run attacks, and it's no longer that they sell malware as a software package; they sell you a support system that gives you essentially turnkey solutions. So they give you specific instructions that help you to set up your malware and the server, they help you to bypass certain, you know, anti filtering, they help you to monitor the botnet to make sure it's healthy. So actually they took the model to the next step; they said okay, we've been quite successful with just software but we want to get to the next level, which would be to just provide more support to some of the sophisticated groups so they can be more successful on the fraud side. At the end of the day what they care a lot about is making more money, so that's what the software turnkey solutions allow. And Slavik was the originator of this model; he spent so much time looking into some of the sophisticated attacks, he'd been recruiting one of the top teams in the underground, he was looking for the best fraudsters, he was looking for the best spammers to join the team, to also provide more visibility to him and build his own. And from that standpoint a bunch of other new malware emerged in a very similar model: SpyEye, of course, which has also been run by a Russian national who has also been arrested, in Atlanta, Georgia currently; Carberp too. Those are just the names of the malware that emerged following the Zeus model, and the interesting thing in the e-crime ecosystem was that everybody was looking up to Zeus as the gold standard of how to do attacks and how to do financial fraud and how to do sophisticated malware. So that's still, up to this day, a very important aspect of their operations, and this is very critical: whenever you analyze or think about the attacks of tomorrow or the future, you should remember that they have roots in the past, and some of the actors we see today are still very well connected to the top criminals of the past, including Slavik himself.

So from 2011 till now, actually we have malware as a service as a way to do e-crime fraud. So back then there was a loose peer to peer group; they referred to themselves as the Business Club. They actually took the next-level approach to the crime ecosystem: they decided, we're not going to even do malware turnkey solutions; we're actually going to be working with an exclusive group of people, or criminals, we're going to be very successful rather than selling the malware on forums on the underground. It's kind of like it was a pain for them; the reason why, because there were so many unhappy customers, it requires so much support, it requires so many unhappy buyers, plus the law enforcement was looking into them. So they realized, instead of doing that, why wouldn't you just work in a closer group of people. At the time, actually, Slavik leaks the Zeus toolkit 2.0.8.9 on one of the forums and releases all the rights to SpyEye, one of Zeus's competitors, pretending to be going away from the crime ecosystem. But in fact he not only was not going away, but he formed a very close group of people that was called Zeus peer-to-peer, who worked together essentially on big fraud. At that time also another group emerged, called Bugat, if you might be familiar with Bugat; it traces back to Dridex, actually. The group behind Dridex became the phenomenon, and the most sophisticated banking malware as we know of; the group behind Bugat, they also called themselves World Bank Center. They kind of created their own groups; they're kind of like interesting models: they're not just the malware model, not only, not even a turnkey model, but they call themselves a club that's meant to make money, and the way they make money is targeting the financials and corporations and many, many others, all of us, essentially. So for them, and yet again, the deployed amounts were so much higher than they ever were; they realized new potentials to essentially steal more data using the malware and essentially be successful. And that's when, the first time, the Business Club introduced also CryptoLocker, which was the first real ransomware, as we know ransomware. Back then also ransomware had never been ransomware as a service; it was just, similarly like a tool and malware, you deployed it. In that case they realized, to squeeze more value from their botnets, they just need to... Slavik realized he'd push CryptoLocker onto unwanted infections, which also caused lots of confusion, lots of disagreement amongst the criminals themselves, because at that time they also thought that ransomware was an ethical dilemma and it shouldn't be deployed into action because it kills the good bots that can be used in financial fraud. Kind of an interesting nugget from that, but that was the first time the actual first real scalable ransomware was emerging. In another way, it's just yet again, it was another way to monetize infections. So Dyre, which is now what we call the TrickBot group, they clearly are all connected, not only based on infrastructure but the actors too, and Dridex; they also learned from Slavik's Business Club, and the reason why they learned from the Business Club is because they've been customers of Zeus peer-to-peer, actually. And the reason why it's so important for us to think about the past is, it's a predictor of the future, if you look into which ecosystem they emerged from. So the current attacks are also still, up to this day, traceable to one single important individual under the name Slavik; at the time he was actually also outed by the Department of Justice and the FBI, and there is still, after these days, a three million dollar bounty. So if you ever find him in Russia somewhere you can make a lot of money. He actually likes to sail and he likes, uh, you know, because he's known, mentioned, somewhere in the south of Russia. So still to this day he's probably one of the most successful cyber criminal lords of the past, because of the money but also the impact he left on the other crime groups.

And another thing is like this: at that time another model was emerging. As we researchers write blogs and think about, talk, discuss how criminals essentially target us, through malware analysis or recently released information, the criminals also start copying, actually, and looking into us to an extent. They start very inquisitively looking into what researchers have been doing, and essentially reading the blogs diligently, as we all do, and essentially providing methods, and actually providing some anti research methods and improving their security at that time. Also this is peer to peer; the reason why it's called Zeus peer-to-peer is in fact partially because of the protocol they used. They decided to go away from one single server, a single point of failure, whereas one single backend, the model we would call every single time, is susceptible to takedowns and you can always sinkhole that. But they're like, okay, we're gonna build a peer-to-peer protocol, so think about the torrents, well, think about BitTorrent, we would use clients, or the I2P protocol. So essentially we would, at least, send a message across the chain of peers, so law enforcement would never know where the actual backend is, because they all can only distribute through second-tier proxies and then to the main drop location and then also to the backend. So it's very hard to do that, and it provides more resiliency for them. So the criminals also realize you have to stay more successful, even by and large. When you think about the e-crime ecosystem, think about this as a cat-and-mouse game, because as we deploy methods and protections, like for instance on the good side, the criminals try to stick it to us, to stay ahead of us, essentially try to subvert all those methods. So it's still, to this day, a cat-and-mouse game when you think about them.

So moving to the present day, and we know this is gone: Slavik disappeared from the underground and also from our view as well; he's no longer this shadowy figure that we know of, yeah. The Zeus peer-to-peer was taken down by law enforcement, some of the malware from the past disappeared, but we have two new groups emerged, and actually even more, three groups I would say, main ones: Dridex, TrickBot and Gozi ISFB, which is also an older malware. So these groups are very selective, and we still don't know really what Slavik is doing up to this day, but very interesting if you ever come across him. So let's talk about TrickBot, and we'll talk about... TrickBot is the current malware that you can see in your networks day in, day out, with Emotet, which is another malware that's very active now. So what's interesting about that: the botnet value model for them, as we talked earlier, is what they deal with; the criminals deal with essentially a big data problem, so they amass so many infections, so much data, that they cannot really reliably tell, like, how can they find the good information. They actually employ the same, similar methods; they discussed building their own Elasticsearch cluster, for example, looking for professional DevOps to make sure they can scale their operations and just be successful. It's no longer just the PHP scripts; they also deploy MVC models as well, Model-View-Controller, so the old PHP SQL injections don't work on their backends, for example. So they become more successful, but also their backends are really so focused on indexing data and making sure the criminals can find the most valuable assets immediately. And that's when they started crawling, or looking for information; we call it high-value targets. It's no longer our machines that are of the highest interest to them; the biggest interest for them is the corporate network environments with direct access to payment networks like SWIFT gateways, ATM environments, point-of-sale networks, as I mentioned earlier, but also lots of hospitals, clinics, legal institutions, ransomware of course, and many, many other things. So those HVTs always become high-value targets; they get hit with the most sophisticated I've ever seen. That's when you oftentimes see the group's capabilities, and they would deploy different modules once identifying those machines of interest. So in many cases, in those cases, TrickBot is only the first stage of the multi-stage attack, where they would deploy other malware and be successful as such. And those groups also feed into the Russian ecosystem, as I discussed earlier, the underground ecosystem; so they originated from the same deep and dark web community where they recruit people to help them with this injection of data

so for example if you are good scientist data scientist there's a demand for you on the dark web because criminals definitely need more data science support and their botnets as well as they need better spammers too but but that's how this ecosystem fits into their own models they use it to put in recruit and also sell the data on the dark web and yet again this is it's all the idea of squeezing every single dollar euro from from from the bots and it's again come going from the HVT model and you know men in the middle attacks so which was traditional focus of this groups that they've been focusing so much and targeting banks and essentially looking

into financials but now they've been also looking into expanding that and I'll talk more about three very specific use case and what this group was doing and again they've been focusing big data and thinking about how they can find the most interesting information quickly immediately and reliably and again it's not it's becomes logic it becomes a little bit different from the malware as kids tomorrow as a service they rely on operators de Lyon actors still logging to net to those backends in search for data they rely on Beach criminals to essentially get access through their high-value infection get into the network's you know move laterally and deploy different different different tool keys for example and yet again it's

another way for them to monetize and it's another way of evolution of this group and this is how the typical group of trig but when you think about them and this is actually kind of very similar to what they have actually now so at the top of the group there's always a kingpin or group of key actors and essentially the operations look like literally like business operations sort of think like small startups it's no longer the groups are supported by one key individual in undergrad who is so impactful or a group of actors who are very very successful at convincing new newcomers to join their clique it has to do with the professional eyes and those

are guys have career professional career criminals so this was how the corporate structure looks like they rely on botnet masters Daman to manage their installs to manage their bots and essentially to look them to make sure the infections are good they maintain a steady rate of new inflow infections they also make sure there's no researcher infections and clean from a V antivirus bots as well the ulcer line financed finds since Finance is huge for them because they're lying fraud operators and money meal actors to help them the money across the chain search for trig but stealing the bank credentials it's only one first step in a long way of cashing out than making money so they

still rely on and different group of actors to do that they have product management support they have a dedicated krypter while the criminal actor who is able to make sure the malware is everytime bypassed at least 30 different antivirus solutions and that requires them decrypted and encrypted anyway that pack the malware so it looks different every single time it looks new and it's undetectable to the anti viruses they also rely on BOTS developers loader developers and exploit Rd kind of research and development QA like for example before the trick but we drops the new module or the deploy a new module the open time tests for a month to make sure the module works as it

should so there's also there's a development cycle that go through some of those groups that we might not see because we are still too focused on the email attacks or something bad but our visibility allows us to really outline that and one of the interesting things one of the three topics someone talked about from trick bot and what's the future of those type of attacks we've seen it's that the cold zombie passwords or account checking activity those big botnets become essentially huge not only quarters of the valuable information but I can also use a sax or essentially bodies - even for attack so in this case when we talk about the trick but they've been also deploying a module which is

called back Connect proxy and it's all fueled by big breaches of the day as you read any news about LinkedIn breach or Yahoo or any other one that lately even Facebook you think about what's the effect it would have on in Chrome systems because the reason why it's they would use the same passwords that in emails from LinkedIn breach and they would simply add it to their account check in proxy and it would try to see if it's possibly ever been matched in some other services this is again another way for them to monetize the infections and this has to do with the big data because they have so many different valuable credentials that have

been callosum to be very successful and its affect all of us all of us it's to the level of we we all have the counts and we only task and compromised or compromised where our accounts been affected by some of the bigger breaches of the day so that's what the criminals been doing and it has been exploited in a very automated way so that's what they do pretty much automatically and this is what what I call their trick but that connect proxy module it's used to it's used for two things one is allows the criminals to back connect to the compromised machine essential is the machine will call back their back-end they can hop into the

Machine and do account takeover fraud log in to the session of the bank and just wire money through the mule accounts but I didn't what they've been doing is they've been essentially diffusing this module to you and using your machine and your IP if it's good enough it's if it's not and any spam lists they would use this machine to launch attacks or against against multiple websites essentially we help them to identify good logins and credentials and the way it works you essentially get affected by trick but the trick but identifies you to be a machine of interest or machine that they would decide to deploy this back connect module once they deploy that connect

module back connect module will connect to another server that they control of similar is part of this model they receive a commands and essential receive a proxy list and you see the and we see the target list as well so if in tampa new one you if you're researching yourself and you have in your own lab to do mal reverse-engineer which we pod oftentimes you would see suspicious traffic going to some third party social media sites but that's one you know that you've been infected by the trick body back connect module instead again another way for them to monetize their infections this is kind of a the ecosystem around that what another interesting aspect of trig BOTS and what

we've been tracking also and that end was the special access by LDAP enumeration so when we when criminals also realized that getting access to corporate environments allows them to deploy similar methods that the pen testers would use the right teamers would use essentially like I remember back in my days the one of the first thing you would do when you are in the corporate environment you want to dump the lightweight directory protocol access so you want to see there's an XML configuration saved from the corporate environments so that's what criminals been doing they developed a very specific domaine dll 3-2 dll module which is meant to be essentially once infected they wanna numerate what are their

accesses and connections that machine might have so includes group XML su parses XML files the stored on the account account domain controller again very very smart way of monetizing their infections just be thinking beyond financial fraud so and actually there's a very interesting exploit actually been developed on top of the LDAP enumeration by one of the researchers Sean Matt health that you can definitely look into that because they'll Deborah still up this day one of the top sources for great corporate asset information it's yet again they're learning how to exploit corporate accesses another week ago actually we've seen a new module emerged which is called PBS Fein 32 and what the idea for that module was to as

the holiday season approaches the trig bug group also matures and they've been looking into machines with point-of-sale terminals or machines that have any point of sale software installed on them and this is kind of an Ida Pro image of reversing this malware as you would see they're looking for the POS devices or machines that we have POS names and groups we look for machines they have cash registers micros POS terminals installed and that's yet fits into the model of the new evolution of the e crime they no longer interested in just stealing my order or day of data they want to parse their infections for suitable targets or high value targets be called HVT out of this day we still

like not sure what the final module that we deploy or was defined a point-of-sale malware they would deploy but still actually very recent very fresh we're still investigating that angle and it's meant for actually target breaking water read merchants and retailers similarly similarly like click target so yet again and now that they another way for them to look into their infections and approach them from a data science perspective and sale what else can we extract what the value we can get from them and in this case with the holiday season approaches they also time it very perfectly as in the US and many other countries there's a holiday season and we can all gonna go shopping and tree

buddies are already looking for machines that have POS terminals installed so that's the future would be and and that's how we essentially track this group by looking to the modules in Reverse and then another very interesting group I want to discuss with you it's called we call them go Z is FB but it's also has roots into going back to 2007 to the 76 service developed by one again Russian national Nikita Kuzmin and the reason why this group is so interesting because they arrival in sophistication in maturity of trig BOTS and they also run a very similar corporate cybercrime ecosystem and they essentially what they've been interestingly targeting to be targeting the provider intellectual property

documents mergers and acquisition inside a trade and as the way the crime system matures as the way the future holds for us as we as also as the way we move away from tangible assets to intangibles more and more the cloud storages and many many other ways to store our data the criminals are hunting for some of those assets in that Pacific instance they've been looking for essentially law firm networks where the documents of letters of intent emerges an acquisition data so they can essentially use it for insider trading and not only permits a trading we also have some visibility into some what they've been doing is back in Russia they would stand out but for example a

high-frequency trading account and they were trade the stolen information for the GoSee is a big botnet or somehow procured some other means to essentially to to cash out by a stack manipulation very interesting way of doing fraud very interesting novel ways of maturing beyond the malware kid models the malware is a service and in white our intellectual property the reason why is pretty simple because at the end of the day when you think about when you tasked with defense of networks when you're a defender one of the most high-value assets and if you go to the Intel team you ask see so it's oftentimes lecture property the traits of these the secret sauce that what makes the company be in

the business but the criminals are hunting for that they also realized for example in many ways in this case that oftentimes third party risk or thinking about the law firm networks or gateways to some of most protected clients that they might have so thinking about beachy beaches and accesses as gateways to another accesses that's another way of thinking about beaches because which is only the beginning of another longer attack they can use to target more sophisticated you know networks or get even deeper into environments yet again that's something important to keep note of here just I want to show like a few screenshots of some of the malware that we've been looking into the size of be again used

Ida Pro in the first payment screen screen image you can see it's loader module they would actually call loader DLL the second module is called essentially Klein DLL but you can also see that internally the cold arm feel over yet again malware for analysis from anyways for me is provides additional Intel assets until value to glean to learn more about the criminals and pretty interesting group and something to look forward to because of their very specific targeting of intellectual property assets going beyond and extended beyond just financial or legal sector or anything else yet another another way for them to plug into the crime system and actually what they've been doing with the with the stolen data

they would also hire and to set up their own offshore accounts where they would use to generate accounts activity and move it across and cash out very interested in very sophisticated yet again so at the end and the closing of my presentation keynote is I would love to talk about the state of the cybercrime and what is actually is next back in the early days we've seen that that we deployed malware as toolkits we deploy malware the criminals deployed malware has turned turnkey as solutions they deploy different other means to target which is very automated but also not too sophisticated and as the industry matured as the financial industry for example they elevated their standards and essentially they can

detect those basic attacks but easily what happens is the criminals move to the corporate cyber criminal groups the corporate cyber criminal groups are those are the ones I mentioned earlier trick bought dry decks go see is OB those groups that requires coordination of both an hour and there sophisticated actors involved it's no longer actors like you know criminals sitting in the basement and hacking into different environments it requires them to have an office space open times and oftentimes run their business operations as an actual business as a small startup so that's what's critical to know yet it's more expensive for them to build and maintain but the persistence and the long-term effect and success of them is

is so much visible and so much more so much better than just simply deploying malware and toolkits and networks of the past so so that's what the mature and yet again one of the interesting things is we also have seen the trend of or rather the trends are moving away and criminals realizing the Kyah values from the intellectual property theft thefts of data that is not obviously monetizable but can be using other means for example insider trading and high frequency trading based on the stolen information so that's the future in others the future is of course getting getting more and learning more from the defenders like we talked about the LDAP enumeration generation technique the

trig BOTS uses it's very common phantasm tasks that they learn from the presumably from the white cats so yet again and that's where the future goes from the crimes and sophistical groups no longer they rely on one individual to do them it's a corporate cyber criminal infrastructure and if you think about them if you really want to think about hackers you have to think like that and to truly beat them you have to be ahead of them and learning about them as they look into us we should be looking into them and studying them because that's the only way for us to approach the crime thank you [Applause]
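The account checking activity the talk describes (breached email/password pairs tested through a botnet of lightly used residential proxies) is what a defender has to spot on the login side. This is an added example, not code from the talk or from any vendor: a small Python detector over constructed login log lines that flags the distributed pattern (many accounts, mostly failures, only a few attempts per source IP, so a per-IP rate limit never fires) and the single-source pattern (one IP trying many accounts). The log format, thresholds and IP ranges are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: int
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'ts src_ip user OK|FAIL' lines; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # a bad line should not crash the detector
        events.append(Event(int(parts[0]), parts[1], parts[2], parts[3] == "OK"))
    return events


def detect_account_checking(events: List[Event], window: int = 300, min_users: int = 10,
                            min_fail_ratio: float = 0.8, max_per_ip: float = 3,
                            ip_user_limit: int = 5) -> List[dict]:
    """Bucket events into fixed windows and flag two shapes of credential testing.

    'distributed': many distinct accounts tried, mostly failing, with so few
    attempts per source IP that a per-IP threshold never fires (the back
    connect proxy case). 'single_source': one IP trying many accounts.
    Thresholds are illustrative assumptions, not tuned values.
    """
    buckets: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        buckets[e.ts - e.ts % window].append(e)
    findings = []
    for start, evs in sorted(buckets.items()):
        users = {e.user for e in evs}
        ips = {e.src_ip for e in evs}
        fail_ratio = sum(not e.ok for e in evs) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio \
                and len(evs) / len(ips) <= max_per_ip:
            findings.append({"window": start, "reason": "distributed", "ips": len(ips),
                             "users": len(users), "fail_ratio": round(fail_ratio, 2)})
        users_by_ip: Dict[str, set] = defaultdict(set)
        for e in evs:
            users_by_ip[e.src_ip].add(e.user)
        for ip, us in users_by_ip.items():
            if len(us) >= ip_user_limit:
                findings.append({"window": start, "reason": "single_source",
                                 "ip": ip, "users": len(us)})
    return findings


def build_sample_log() -> str:
    """Constructed log: a quiet window of normal logins, then a window where
    12 'proxy' IPs each test two breached pairs; one pair still works."""
    lines = ["1541851200 192.0.2.10 alice@example.com FAIL",
             "1541851205 192.0.2.10 alice@example.com OK",
             "1541851260 192.0.2.11 bob@example.com OK"]
    for i in range(12):
        for j in range(2):
            n = i * 2 + j
            result = "OK" if n == 7 else "FAIL"
            lines.append(f"{1541851500 + n} 203.0.113.{i + 1} user{n}@example.net {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in detect_account_checking(parse_log(build_sample_log())):
        print(finding)
```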