Botconf 2023 – Day 1 Wrap Up

Introduction

Patrick Penninckx, Head of the Information Society Department at the Council of Europe, opens the 2023 edition of Botconf, underlining that Europe took up cybersecurity early and is now working with some 180 countries on the issue. By analogy with the political construction of Europe, he stresses that nothing is possible in cyber without a community, which in this context is the Botconf audience.

For the 10th edition of Botconf, Éric Freyssinet gives a few figures: the workshops were attended by 75 participants this year and 400 people attended the talks. Sponsors provide 45% of the budget.

Perfect Smoke and Mirrors of Enemy: Following Lazarus group by tracking DeathNote campaign

Seongsu Park, Lead Security Researcher in the GReAT team of Kaspersky (Twitter: https://twitter.com/unpacker)

After a quick history of the Lazarus group, the talk focuses on DeathNote (the name comes from the library used as payload: dn.dll / dn64.dll). Over the years the group has improved its tooling, using common techniques (remote template injection, DLL side-loading) but also integrating methods that make behavioural detection harder (code or configuration decrypted with keys delivered by the C2 during execution, so that a sandbox run without the live C2 yields nothing useful) or that reduce visibility into the deployed infrastructure (multi-tier C2 servers: a first stage acting as a proxy, a second stage used by the operator).

RAT as a Ransomware - An Hybrid Approach

Nirmal Singh, Avinash Kumar and Niraj Shivtarkar from the ThreatLabZ team at Zscaler

Zscaler ranks the most common RATs: RemcosRAT, LimeRAT and AsyncRAT come first. A first illustration of this type of malware is VenomRAT, derived from QuasarRAT. Stealth is one of the main goals, pursued through a long execution chain: a CHM file launches a VBS script, which runs a PowerShell script, which finally drops a PE executable written in .NET. Its encryption keys are shared with Magnus Ransomware. The second illustration relies on Anarchy Panel RAT, which has similarities with DcRAT. The ransom note is hosted on the imgurl website, and the code chunks involved come from open-source software.
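
The long execution chain is what a defender can key on: the individual stages are common binaries, but hh.exe spawning a script host that spawns PowerShell is not. The following added example (mine, not Zscaler's detection logic) walks process-creation events, rebuilds each process's ancestry and flags every process whose lineage contains hh.exe, then wscript.exe or cscript.exe, then powershell.exe, in that order but not necessarily adjacent. The events are constructed, Sysmon-style records, not real telemetry; cscript.exe is included as a generalisation since it hosts VBS just as wscript.exe does.

```python
# Constructed process-creation events (Sysmon event 1 shape), not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\hh.exe"},                      # CHM opened
    {"pid": 315, "ppid": 210, "image": r"C:\Windows\System32\wscript.exe"},        # VBS stage
    {"pid": 420, "ppid": 315, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 530, "ppid": 420, "image": r"C:\Users\user\AppData\Local\Temp\update.exe"},  # .NET payload
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},            # admin at a shell
    {"pid": 610, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Each step is a name or a set of alternative names.
CHM_TO_POWERSHELL = ["hh.exe", SCRIPT_HOSTS, "powershell.exe"]


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the oldest known ancestor down to `pid`.
    Stops at unknown parents and guards against ppid cycles (pid reuse)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def matches_chain(names, pattern) -> bool:
    """True if `pattern` occurs as an ordered subsequence of `names`
    (intermediate processes such as conhost.exe are allowed in between)."""
    it = iter(names)                        # shared iterator: each step consumes forward
    for step in pattern:
        alts = step if isinstance(step, (set, frozenset)) else {step}
        if not any(n in alts for n in it):
            return False
    return True


def find_chm_chains(events, pattern=CHM_TO_POWERSHELL):
    """PIDs of every process whose ancestry matches the chain, sorted."""
    return sorted(e["pid"] for e in events
                  if matches_chain(ancestry(events, e["pid"]), pattern))


if __name__ == "__main__":
    for pid in find_chm_chains(EVENTS):
        print(pid, " -> ".join(ancestry(EVENTS, pid)))
```

Both the PowerShell process and the dropped executable are reported, since the final payload is usually what an analyst wants to collect; the admin's cmd.exe → powershell.exe chain is not, because no hh.exe precedes it.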

A dissection of the KmsdBot

Larry W. Cashdollar (Twitter: https://twitter.com/_larry0) and Allen West (remotely), from Akamai SIRT

Larry introduces himself: he has been working at Akamai for 22 years and is now a CVE Numbering Authority (CNA), having reported numerous CVEs himself. While developing a honeypot, the team found a new malware family relying on a file named kthread, kthreads or kthreaddd depending on the version (names mimicking the kernel's kthreadd thread). A controlled infection in a Docker container made it possible to characterise its network behaviour. The malware is written in Go, but many bugs caused the botnet operators to lose their network several times, for long periods. The recommendation for setting up such a honeypot is to expose an SSH service with a root account protected by a weak password.

Security Implications of QUIC

Paul Vixie, AWS Security

A simple observation is made here: the protections offered to users against authoritarian political regimes are also an asset for cyber threats, which use the same tools to evade detection by protective tooling. For example, DoH (DNS over HTTPS) hides the queried domain names from network-level monitoring.
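
The hiding referred to above can be made concrete. The following added example (mine, not Paul Vixie's or AWS's) builds a DNS query in wire format, shows the same query as an RFC 8484 DoH GET URL and as the HTTP POST that travels inside TLS, and recovers the name from the wire bytes the way a classic Do53 sniffer does. The resolver URL dns.example is an assumed placeholder; nothing is sent on the network.

```python
import base64
import struct

DOH_RESOLVER = "https://dns.example/dns-query"   # assumed placeholder, not a real resolver


def encode_qname(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, NUL terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query: 12-byte header + one question (A record by default).
    RFC 8484 recommends ID 0 for the GET form so identical queries cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)   # class IN


def parse_qname(msg: bytes) -> str:
    """Recover the first question name: what a Do53 sniffer reads in the clear."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        if n == 0:
            break
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(msg: bytes, resolver: str = DOH_RESOLVER) -> str:
    """RFC 8484 GET form: the message as base64url with padding stripped."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def doh_post_request(msg: bytes, resolver: str = DOH_RESOLVER) -> bytes:
    """RFC 8484 POST form, as the HTTP/1.1 request bytes that sit inside TLS."""
    host = resolver.split("/")[2]
    path = "/" + resolver.split("/", 3)[3]
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


if __name__ == "__main__":
    q = build_query("example.com")
    print("Do53 sniffer sees:", parse_qname(q))
    print("DoH GET URL      :", doh_get_url(q))
    print("DoH POST (in TLS):", doh_post_request(q)[:60], "...")
```

Only the wire-format bytes carry the name, and in DoH those bytes are inside the TLS record; what a network observer still sees is the TLS connection to the resolver (its IP, and the SNI dns.example unless ECH is in use), which is why blocking or logging known DoH endpoints is the usual countermeasure.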

You OTA Know: Combating Malicious Android System Updaters

Alec Guertin (Twitter: https://twitter.com/guertin_alec) and Łukasz Siewierski (Twitter: https://twitter.com/maldr0id), from Google

An Android phone involves so many actors that there is a risk of an ill-intentioned participant introducing, officially or less officially, undesirable functionality into the phone's original system image. Malwarebytes already published examples of such insertions in 2020[1]; some are strongly protected against analysis but are still caught by Google[2]. Malwarebytes also published in 2021[3] the example of a device shipping with advertising fraud built in. Google's BTS (Build Test Suite) analysis tools cover the updates of 3 billion devices and more than 170 firmware images.

Digital threats against civil society in the rest of the world

Martijn Grooten, from Internews

A quick overview of information warfare is given: scams, theft, modification and disclosure of documents, spyware, mercenaries, etc. Citizen Lab is a good source for staying aware of threats against journalists, for example (e.g. QuaDream[4]), as is OCCRP (e.g. Team Jorge[5]).

Cyber Swachhta Bharat- India’s answer to botnet and malware ecosystems?

Pratiksha Ashok (PhD / jurist) (Twitter: https://twitter.com/Pratiksha_Ashok)

India got its first CERT in 2004. The Indian government fights cyberthreats by giving away free tools[6] and alert sheets on common threats[7]. The pros (defence of the population and a proportionate response to an act of war) and cons (unfair intervention in the economy) of the Indian government's actions are to be weighed.

Syslogk Linux Kernel Rootkit - Executing Bots via « Magic Packets »

David Álvarez Pérez from Avast (Twitter: https://twitter.com/wormable)

By hunting malware on VirusTotal, David found a new Linux rootkit. The kernel module hides itself, hides its network communications and hides some directories based on name prefixes. For this last point, the technique was taken from Adore-NG[8]. Some illustration code from a French university course is also present in the malware (!). An embedded instance of the Udis86[9] disassembler is used to place hooks where necessary. The magic-packet functionality is implemented with a Netfilter hook that reacts to specific field values, a packet size to respect, etc. To be stealthier, HTTP requests mimicking Mozilla or Apache can be simulated.
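
As an added example (mine, not Avast's analysis code nor the rootkit's), here is the kind of test a Netfilter hook performs on every inbound packet to recognise a magic packet: parse the IPv4 and TCP headers, compare a few cheap header fields first, then the payload size and a key. The trigger conditions (source port 31337, a 16-byte payload starting with wake-up-bot) are arbitrary values chosen for this illustration; the real Syslogk constants are not reproduced here. The packets are constructed in memory, with no checksum, which is enough for header parsing.

```python
import struct

# Trigger conditions assumed for this example only; not the rootkit's real values.
MAGIC_SRC_PORT = 31337
MAGIC_PAYLOAD_LEN = 16
MAGIC_KEY = b"wake-up-bot\x00"          # 12 bytes, leaves 4 bytes for an "argument"
IPPROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes):
    """Split a raw IPv4/TCP datagram into (ip_fields, tcp_fields, payload).
    Returns None for anything that is not a well-formed IPv4/TCP packet,
    which is what a hook must do: never trust lengths from the wire."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != IPPROTO_TCP or ihl < 20 or total_len > len(pkt) or total_len < ihl + 20:
        return None
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4            # TCP header length incl. options
    if doff < 20 or doff > len(tcp):
        return None
    ip = {"ihl": ihl, "total_len": total_len}
    tcph = {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF}
    return ip, tcph, tcp[doff:]


def is_magic_packet(pkt: bytes) -> bool:
    """The hook's decision: header fields first (cheap), payload compare last."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    ip, tcph, payload = parsed
    return (tcph["sport"] == MAGIC_SRC_PORT
            and len(payload) == MAGIC_PAYLOAD_LEN
            and payload.startswith(MAGIC_KEY))


def build_packet(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet: no options, PSH|ACK, zero checksums
    (fine for parsing, not valid on the wire). Addresses are TEST-NET-1."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


if __name__ == "__main__":
    trigger = build_packet(MAGIC_SRC_PORT, 80, MAGIC_KEY + b"\x00\x00\x00\x01")
    normal = build_packet(51234, 80, b"GET / HTTP/1.1\r\n")
    print("trigger:", is_magic_packet(trigger), "normal:", is_magic_packet(normal))
```

Note that the packet matches on an ordinary destination port 80 with a plausible HTTP-sized payload, so nothing in the flow metadata stands out; the same field conditions, once known, are what a defender turns into an IDS signature, and the fact that the host reacts to a packet no listening socket ever accepted is the host-side tell.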

Read The Manual Locker: A Private RaaS Provider

Max 'Libra' Kersten, from Trellix (Twitter: https://twitter.com/libranalysis/), author of DotDumper[10]

An analysis of RTM Locker, sold on forums by the RTM group, is presented. The encryption process was however not disclosed (left as an exercise for the reader). The technical article and samples will be released soon on the Trellix blog and on VirusShare.

 

The Fodcha Botnets We Watched

Lingming Tu, from 360 (Twitter: https://twitter.com/turingalex)

Fodcha is the second largest botnet today according to 360's measurements; Mirai is fourth. Fodcha is a relatively recent botnet (2022) that spreads by exploiting CVEs. Fodcha shares some ground with Mirai but also differs from it (for example it uses OpenNIC TLDs for its C2). Fodcha relies on the XXTEA and ChaCha20 algorithms, among others. The hunt for the Fodcha botnet is done in two ways: contacting the C2s via the botnet protocol, or bot farming.
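
XXTEA (Corrected Block TEA) is a favourite of IoT botnets because it is a few dozen lines of 32-bit arithmetic with a 128-bit key, which is exactly what an analyst has to reimplement to decode a sample's configuration or C2 traffic. The following added example (my own; it is not 360's tooling and makes no claim about how Fodcha wraps the cipher) is a complete XXTEA encrypt/decrypt on little-endian words; the byte order, the zero padding to a multiple of four bytes with an eight-byte minimum, the key and the sample configuration string are all assumptions of this demo.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    """The XXTEA mixing function on 32-bit words (shifts masked to 32 bits)."""
    left = (((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))) & MASK
    right = ((s ^ y) + (k[(p & 3) ^ e] ^ z)) & MASK
    return left ^ right


def xxtea_encrypt_words(v, k):
    """Encrypt a list of >= 2 words in place-style with a 4-word key."""
    v, n = list(v), len(v)
    if n < 2 or len(k) != 4:
        raise ValueError("XXTEA needs at least 2 data words and a 4-word key")
    rounds, s, z = 6 + 52 // n, 0, v[-1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, k):
    """Inverse of xxtea_encrypt_words: same schedule of sums, run backwards."""
    v, n = list(v), len(v)
    if n < 2 or len(k) != 4:
        raise ValueError("XXTEA needs at least 2 data words and a 4-word key")
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def _to_words(b: bytes):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))   # little-endian: assumption


def _from_words(w) -> bytes:
    return struct.pack("<%dI" % len(w), *w)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Zero-pads to a multiple of 4 bytes (min 8) then encrypts; padding scheme is an assumption."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    data += b"\x00" * ((-len(data)) % 4)
    if len(data) < 8:
        data += b"\x00" * (8 - len(data))
    return _from_words(xxtea_encrypt_words(_to_words(data), _to_words(key)))


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    """Returns the padded plaintext; the caller strips padding per the sample's convention."""
    if len(key) != 16 or len(data) < 8 or len(data) % 4:
        raise ValueError("need a 16-byte key and ciphertext of >= 8 bytes, multiple of 4")
    return _from_words(xxtea_decrypt_words(_to_words(data), _to_words(key)))


if __name__ == "__main__":
    key = b"0123456789abcdef"                        # assumed key for the demo
    config = b"config: c2=198.51.100.9:6667"         # constructed sample config
    ct = xxtea_encrypt(config, key)
    print(ct.hex())
    print(xxtea_decrypt(ct, key))
```

When recovering a real sample's configuration the two things to pin down from the disassembly before reusing this are the word byte order and the padding convention; the round count (6 + 52/n) and the MX function are fixed by the algorithm, so a decryption that yields garbage almost always means one of those two assumptions, or the key, is wrong.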

References