Upgrade to Pro — share decks privately, control downloads, hide ads and more …

tech_scareware_presentation.pdf

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for hexadecim8 hexadecim8
September 10, 2018
0
250

 tech_scareware_presentation.pdf

Avatar for hexadecim8

hexadecim8

September 10, 2018
Tweet

Featured

See All Featured
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
3k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
Faster Mobile Websites
Avatar for Dean Hume deanohume
310
31k
Visualization
Avatar for Eitan Lees eitanlees
150
17k
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
Avatar for Aleyda Solis aleyda
2
9.5k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
Avatar for Kenny Baas-Schwegler baasie
0
450
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
275
41k
Jess Joyce - The Pitfalls of Following Frameworks
Avatar for Tech SEO Connect techseoconnect
PRO
1
64
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
1
810
B2B Lead Gen: Tactics, Traps & Triumph
Avatar for Sophie Logan marketingsoph
0
53
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
470k

Transcript

  1. ANATOMY OF A MASSIVE MALWARE DISTRIBUTION CAMPAIGN A brief taxonomy

    of SLOR Tools, Techniques & Procedures

  2. INTRODUCTION Emily Crose Network Threat Hunter Ironnet Cybersecurity Twitter: @hexadecim8

  3. SLOR …But also a malware distribution campaign

  4. IT STARTS WITH A THREAD…

  5. THE FOUR W’S What the fuck is this shit? Where

    the fuck is this shit coming from? Who the fuck is doing this shit? Why the fuck is it doing this shit?

  6. WARNING There will be swears in this presentation

  7. Network active ping port scan URL Fuzzing Banner Grabbing passive

    whois Centralops.net Domain tools Reputation checks virustotal registration pivoting RiskIQ PassiveDNS File Forensics file reputation file hash Sandbox analysis Hybrid-analysis
  8. None
  9. None

  10. WHO TF IS DOING THIS? Cloudflare Range

  11. None
  12. None

  13. EW . NO. W HAT THE F IS THIS??

  14. None

  15. HYBRID ANALYSIS

  16. Links

  17. None
  18. None
  19. None
  20. None
  21. None

  22. What The  Is This SHIT?!

  23. • Auto-generated domains • A TON more domains with similar

    looking documents to the original we found • The domains look like they’re being created and cached every day. • Same registration service • All whoisguarded • Documents which apparently aren’t malicious

  24. THIS DOC HAS TO BE MALICIOUS RIGHT!?!

  25. My research IP address

  26. None
  27. None

  28. WAT DO?

  29. FAST FLUX CAMPAIGN • Domains change rapidly • Malware is

    delivered, delivery endpoints dissolve into the aether • Fairly good OPSEC to this campaign

  30. CAMPAIGN EVOLUTION DGA Reasonable-ish 2nd level domain DGA evasion

  31. None

  32. ANYTHING IN THE C2??

  33. EXTRA_TARGET_0.BAT

  34. WHAT CAN WE DO? • Domain blocking? • It’ll all

    be gone tomorrow • IP blocking • They change too frequently • Application whitelisting? • Sure, but what if it something changes again?

  35. LESSONS LEARNED • ABC – Always Be Curious • Trust

    your instincts • Be a good citizen • You may not always get the answers that you’re looking for, and that’s okay

  36. MORAL OF THE STORY • “You can’t always get what

    you want.” -Mick Jagger

  37. CONTACT INFO • Emily Crose • Ironnet Cybersecurity • Twitter:

    @Hexadecim8 • Email: [email protected]