
CascadiaJS - Raiders of the Javascript-based Malware

https://www.amirootyet.com/

Some modern malware is written entirely in JavaScript and executed by the default Windows Script Host or inside the user's browser. In this talk, we discuss the design, operation, and implementation intricacies of JavaScript-based ransomware and cryptojacking malware.

Pranshu Bajpai

November 16, 2018

Transcript

  1. Raiders of the JavaScript-based Malware. Pranshu Bajpai (@amirootyet)
  2. AGENDA: 1. Introduction 2. RAA Ransomware 3. Cryptojacking 4. Conclusion

  3. INTRODUCTION ~# whoami
  4. About us Pranshu Bajpai

  5. Ransomware & Cryptojacking (2018)

  6. ELEMENTS OF A RANSOMWARE: 1. Infiltration (initial entry) 2. Acquire key (encryption secret) 3. Encryption (file encryption) 4. Demand ransom
  7. RAA Ransomware: a ransomware written entirely in JavaScript
  8. ABOUT RAA RANSOMWARE

  9. IOC Indicators of Compromise

  10. PROCESS GRAPH Process Created

  11. DIVERSION Wordpad shows the following “error message”

  12. NETWORK ACTIVITY DNS Requests

  13. RAA CODE ANALYSIS

  14. RAA CODE ANALYSIS

  15. RAA CODE ANALYSIS

  16. RAA CODE ANALYSIS

  17. RAA CODE ANALYSIS

  18. RAA CODE ANALYSIS

  19. RAA CODE ANALYSIS

  20. RAA CODE ANALYSIS: Quick Summary

  21. Cryptojacking: unauthorized covert cryptocurrency mining
  22. ABOUT CRYPTOJACKING: “Bitcoin made ransomware possible; Monero made cryptojacking possible”
  23. EXAMPLE OF JS-BASED MINING

  24. EXAMPLE OF JS-BASED MINING

  25. SYSTEM IMPACT

  26. EXAMPLE OF JS-BASED MINING

  27. DEOBFUSCATION

  28. CRAWL RESULTS: Identified 212 websites involved in cryptojacking
     – Pornography? Business? IT? Malicious?
     – Use the FortiGuard web filter categories: https://fortiguard.com/webfilter/categories
     – Script to resolve websites to categories
  29. QUESTIONS DURING ANALYSIS
     – CRAWL THE WEB: publicwww, nerdydata, censys
     – OBFUSCATION
     – UNAUTHORIZED
     – VALIDATE: some websites are now unavailable; some websites have since cleaned the source code
  30. CONCLUSION

  31. THANK YOU! Pranshu Bajpai, Twitter: @amirootyet