CascadiaJS - Raiders of the Javascript-based Malware

Transcript

1. R a i d e r s o f t

   h e J a v a S c r i p t - b a s e d M a l w a r e P r a n s h u B a j p a i ( @ a m i r o o t y e t )

2. 1 2 3 4 AGENDA Introduction RAA Ransomware Cryptojacking Conclusion

3. I N T R O D U C T I

   O N ~#whoami↵

4. About us Pranshu Bajpai

5. Ransomware & Cryptojacking (2018)

6. ELEMENTS OF A RANSOMWARE Initial Entry Encryption Secret Demand Ransom

   File Encryption 1. Infiltration 2. Acquire Key 4. Demand Ransom 3. Encryption

7. R A A R a n s o m w

   a r e A ransomware written entirely in JavaScript

8. 1 2 3 4 5 ABOUT RAA RANSOMWARE

9. IOC Indicators of Compromise

10. PROCESS GRAPH Process Created

11. DIVERSION Wordpad shows the following “error message”

12. NETWORK ACTIVITY DNS Requests

13. RAA CODE ANALYSIS

14. RAA CODE ANALYSIS

15. RAA CODE ANALYSIS

16. RAA CODE ANALYSIS

17. RAA CODE ANALYSIS

18. RAA CODE ANALYSIS

19. RAA CODE ANALYSIS

20. 1 2 3 4 5 RAA CODE ANALYSIS Quick Summary

21. C r y p t o j a c k

    i n g Unauthorized covert cryptocurrency mining

22. 1 2 3 4 5 ABOUT CRYPTOJACKING “Bitcoin made ransomware

    possible; Monero made cryptojacking possible”

23. EXAMPLE OF JS-BASED MINING 23

24. EXAMPLE OF JS-BASED MINING 24

25. SYSTEM IMPACT

26. EXAMPLE OF JS-BASED MINING

27. DEOBFUSCATION

28. CRAWL RESULTS Identified 212 websites involved in cryptojacking – Pornography?

    Business? IT? Malicious? – Use the FortiGuard web filter categories: • https://fortiguard.com/webfilter/categories Script to resolve websites to categories

29. QUESTIONS DURING ANALYSIS CRAWL THE WEB publicwww nerdydata censys OBFUSCATION

    UNAUTHORIZED VALIDATE – Some websites are now unavailable – Some websites have since cleaned the source code

30. 1 2 3 4 5 6 CONCLUSION

31. T H A N K Y O U ! Pranshu

    Bajpai Twitter: @amirootyet