Upgrade to Pro — share decks privately, control downloads, hide ads and more …

tech_scareware_presentation.pdf

Avatar for hexadecim8 hexadecim8
September 10, 2018
0
250

 tech_scareware_presentation.pdf

Avatar for hexadecim8

hexadecim8

September 10, 2018
Tweet

Featured

See All Featured
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.7k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.8k
Side Projects
Avatar for Sacha Greif sachag
455
43k
Information Architects: The Missing Link in Design Systems
Avatar for Michelle Chin soysaucechin
0
770
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
180
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
190
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
Avatar for Christian Goodrich cargoodrich
3
99
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
96
14k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
77
5.2k

Transcript

  1. ANATOMY OF A MASSIVE MALWARE DISTRIBUTION CAMPAIGN A brief taxonomy

    of SLOR Tools, Techniques & Procedures

  2. INTRODUCTION Emily Crose Network Threat Hunter Ironnet Cybersecurity Twitter: @hexadecim8

  3. SLOR …But also a malware distribution campaign

  4. IT STARTS WITH A THREAD…

  5. THE FOUR W’S What the fuck is this shit? Where

    the fuck is this shit coming from? Who the fuck is doing this shit? Why the fuck is it doing this shit?

  6. WARNING There will be swears in this presentation

  7. Network active ping port scan URL Fuzzing Banner Grabbing passive

    whois Centralops.net Domain tools Reputation checks virustotal registration pivoting RiskIQ PassiveDNS File Forensics file reputation file hash Sandbox analysis Hybrid-analysis
  8. None
  9. None

  10. WHO TF IS DOING THIS? Cloudflare Range

  11. None
  12. None

  13. EW . NO. W HAT THE F IS THIS??

  14. None

  15. HYBRID ANALYSIS

  16. Links

  17. None
  18. None
  19. None
  20. None
  21. None

  22. What The  Is This SHIT?!

  23. • Auto-generated domains • A TON more domains with similar

    looking documents to the original we found • The domains look like they’re being created and cached every day. • Same registration service • All whoisguarded • Documents which apparently aren’t malicious

  24. THIS DOC HAS TO BE MALICIOUS RIGHT!?!

  25. My research IP address

  26. None
  27. None

  28. WAT DO?

  29. FAST FLUX CAMPAIGN • Domains change rapidly • Malware is

    delivered, delivery endpoints dissolve into the aether • Fairly good OPSEC to this campaign

  30. CAMPAIGN EVOLUTION DGA Reasonable-ish 2nd level domain DGA evasion

  31. None

  32. ANYTHING IN THE C2??

  33. EXTRA_TARGET_0.BAT

  34. WHAT CAN WE DO? • Domain blocking? • It’ll all

    be gone tomorrow • IP blocking • They change too frequently • Application whitelisting? • Sure, but what if it something changes again?

  35. LESSONS LEARNED • ABC – Always Be Curious • Trust

    your instincts • Be a good citizen • You may not always get the answers that you’re looking for, and that’s okay

  36. MORAL OF THE STORY • “You can’t always get what

    you want.” -Mick Jagger

  37. CONTACT INFO • Emily Crose • Ironnet Cybersecurity • Twitter:

    @Hexadecim8 • Email: [email protected]