Botconf 2023 – Day 2 Wrap Up

From GhostNet to PseudoManuscrypt – The evolution of Gh0st RAT

Jorge Rodriguez (Twitter: https://twitter.com/JR0driguezB) and Souhail Hammou (Twitter: https://twitter.com/Dark_Puzzle)

PseudoManuscrypt is spyware forked from Gh0st RAT. The entry point is most often fake cracked software. Once downloaded and executed by the victim, the malware downloads a PNG and an HTML file into the user’s temporary folder, then decrypts them to reveal two shellcodes that are used to set up persistence. After forcing a reboot, the malware is permanently installed and lets the attacker steal the clipboard’s content, steal cookies and credentials, intercept cryptocurrency transactions, etc.

Iron Tiger Enhances its TTPs and Targets Linux and MacOS Users

Daniel Lunghi

Iron Tiger is an APT active since 2010. Its methods have evolved over the years, from exploiting CVEs to spear-phishing campaigns and weaponized documents. Its latest attack method is to compromise the supply chain of certain software in order to infect victims’ computers. The first software hit was MimiChat, a Chinese chat application compromised by injecting obfuscated JavaScript code into an installation file. Other companies from Southeast Asia were also hit, such as Youdu and Wazuh. These code injections allow the download of other malware, HyperBro for example. From there, the attackers can steal passwords and data, and they are probably not the only ones using these kinds of tools to achieve their goals. They also used many signing certificates stolen from companies to pass off their malware as legitimate software. Their targets are mostly in Southeast Asia, but they have also attacked German, French and US companies.

Yara Studies: A Deep Dive into Scanning Performance

Dominika Regéciová (Twitter: https://twitter.com/regeciovad)

Some YARA rules are slow because they are poorly written. In many cases they can be rewritten to execute faster and save time, especially when the files to scan are large or numerous. The first optimisation rule given in the talk is to avoid declaring strings in specific cases, for example when the file size is checked: if strings are declared, the whole file is scanned anyway, whereas if only conditions are written, files that do not meet the requirements are excluded from scanning. YARA is also slow when checking that characters are absent, and slow with alternations inside strings; to speed up such a rule, it is better to write two separate strings to match (or more if needed) until the warning disappears. Finally, some special characters should be used sparingly or not at all: “*” for example can slow YARA down, so when checking a file extension it is better to look for “.exe” than “/.*\.exe/”. Overall, one must pay attention to the warnings YARA outputs, because they are relevant and generally lead to better speed.
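As an added illustration of the three points above (a constructed example, not a rule shown by the speaker; the byte patterns, string values and 2MB threshold are assumptions), here is a slow rule next to rewrites that follow the advice:

```yara
// Constructed example for illustration; not a rule from the talk.
// Strings, patterns and the size threshold are assumed values.

// Slow: a ".*" regex, a negated character class (checks that characters
// are absent) and an alternation packed into one string. Because strings
// are declared, every file is fully scanned for them even though the
// filesize test in the condition would have excluded most of them.
rule dropper_slow
{
    strings:
        $ext = /.*\.exe/
        $cmd = /(powershell|pwsh|cmd)\.exe[^\n]*/
    condition:
        filesize < 2MB and $ext and $cmd
}

// Faster, part 1: a strings-free pre-filter. With no strings declared,
// evaluating this rule needs no scan of the file contents at all, so
// oversized or non-PE files are excluded at almost no cost.
rule pe_under_2mb
{
    condition:
        uint16(0) == 0x5A4D and filesize < 2MB
}

// Faster, part 2: a plain literal instead of the ".*" regex, one literal
// per alternative instead of an alternation, and no negated class.
// The pre-filter rule is referenced so the cheap test is part of the logic.
rule dropper_fast
{
    strings:
        $ext = ".exe"
        $ps1 = "powershell.exe" nocase
        $ps2 = "pwsh.exe" nocase
        $cmd = "cmd.exe" nocase
    condition:
        pe_under_2mb and $ext and 1 of ($ps1, $ps2, $cmd)
}
```

Compiling the first rule produces the "slowing down scanning" warnings the talk refers to; the rewritten rules compile without them.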

MCRIT: The MinHash-based Code Relationship & Investigation Toolkit

Daniel Plohmann

MCRIT[1] (MinHash-Based Code Relationship & Investigation Toolkit) is an open-source solution for code analysis, and especially for similarity analysis. Most current solutions are proprietary and only work on 1:1 comparisons. MCRIT allows the user to run multiple comparisons with transparency on the code, so families of software can be identified and new samples sorted quickly. The software uses MinHash to compare files, which works well on small files but not on large ones. It also makes it possible to spot the unique chunks of code in a file, which is useful for tracking the changes attackers make over time. The tool is available as a web application and as an IDA plugin.

Operation drIBAN: insight from modern banking frauds behind Ramnit

Federico Valentini (Twitter: https://twitter.com/f3d__) & Alessandro Strino

DrIBAN is an Italian banking trojan used to steal money by hijacking ongoing transactions. The malware is sent via PEC[2], a “certified” email format that gives the attacker more credibility and attracts less scrutiny. Once the malware is executed on the victim’s computer, the DNS cache is inspected to determine whether the device has access to a corporate bank account. If so, Ramnit, an old yet still modern banking trojan, is used to hijack transactions above 20k€. The malware then diverts the money into a mule bank account for laundering and theft. During the transaction (~2 days), the documents produced by the bank are modified so the client does not notice that the transaction is being tampered with. An estimated 1.5% of the clients of the attacked banks were found to be victims of this trojan, and the harm could reach 50M€. The mule network has since been disbanded, and the money seems to have flowed mainly through Russia.

Catching the Big Phish: Earth Preta Targets Government, Educational, and Research Institutes Around the World

Nick Day, Sunny Lu and Vickie Su

Earth Preta is a Chinese APT that has recently run large-scale phishing campaigns. The emails contained Google Drive links leading to malware, in this case TONESHELL, a recent family. The targets are mainly hit for cyber espionage, and the group mostly uses open-source tools. Several countries around the world were hit, but the main victim was Australia, along with other countries in Southeast Asia. Earth Preta’s TTPs have evolved a lot; they now mostly use a standalone exe file that downloads a DLL after execution, whereas in the past they also used fake extensions or weaponized documents. To confuse analysts, they obfuscate the code of their malware. Exfiltration relies mainly on cURL or WinRAR. Trend Micro[3] found hints about the malware’s authors by modifying the Google Drive link and by looking for the parent execution of the file that infected the targets’ computers. The suspicious files were mostly archives named “INetCache” weighing more than 500kB.

The Case For Real Time Detection of Data Exchange Over the DNS Protocol

Yarin Ozery

This talk presented a use case of detecting and preventing DNS exfiltration. Attackers sometimes use a self-registered domain name to send data inside DNS packets. Two kinds of solutions address this, based either on traffic detection or on payload detection. To detect this kind of exfiltration, Akamai used a machine-learning-based solution that triggers a block and an alert to the SOC if too much information is sent to a single subdomain. The limitations of this solution are that it triggers many false positives, does not cover encrypted DNS exfiltration, and does not work if the exfiltration is spread over multiple domains.

Tracking Bumblebee’s Development

Suweera De Souza

Bumblebee is a malware first reported in 2022. The initial file downloads a DLL that, after unpacking, communicates with a C2 by sending three-letter strings that represent commands. The malware uses the C++ Boost library. The main Bumblebee DLL looks legitimate, but a setPath function can be used to detect that the DLL is related to Bumblebee. Furthermore, the malware hides behind a routine service to look clean. Messages sent to the C2 are in JSON format and encrypted with RC4[4]. The data sent includes, for example, the browser history or the victim’s ID. The tasks the C2 can assign are varied: shellcode injection, DLL injection, download and execution, data exfiltration, installation for persistence, silent cleanup, etc. The malware uses libspice, which is also used in other malware and in video game cheat software. The main entry point is mostly spam campaigns.

A student’s guide to free and open-source enterprise level malware analysis tooling

Max Kersten (Twitter: https://twitter.com/Libranalysis)

This talk was about getting started in reverse engineering and stepping up by using free and open-source tools, a good path for students and startups. Max’s main advice is not to focus on manual analysis and to rely on the community for help. Websites like MalShare, MalwareBazaar, Malpedia or Triage are useful to stay up to date on malware. It can also be worthwhile to store malware samples and build a database with metadata about malware and campaigns. Using YARA rules is also important, and Max recommends automating analysis whenever possible. For manual analysis, tools such as Ghidra or IDA are good. The main idea of the talk is not to reinvent the wheel and to rely on the community’s support and the tools that already exist.

References