tech_scareware_presentation.pdf
hexadecim8
September 10, 2018
Transcript
ANATOMY OF A MASSIVE MALWARE DISTRIBUTION CAMPAIGN
A brief taxonomy of SLOR Tools, Techniques & Procedures
INTRODUCTION
Emily Crose, Network Threat Hunter, Ironnet Cybersecurity. Twitter: @hexadecim8
SLOR …But also a malware distribution campaign
IT STARTS WITH A THREAD…
THE FOUR W’S
• What the fuck is this shit?
• Where the fuck is this shit coming from?
• Who the fuck is doing this shit?
• Why the fuck is it doing this shit?
WARNING There will be swears in this presentation
• Network, active: ping, port scan, URL fuzzing, banner grabbing
• Network, passive: whois, Centralops.net, Domain Tools, reputation checks, VirusTotal, registration pivoting, RiskIQ, PassiveDNS
• File forensics: file reputation, file hash, sandbox analysis, Hybrid-Analysis
WHO TF IS DOING THIS?
Cloudflare range
EW. NO. WHAT THE F IS THIS??
HYBRID ANALYSIS
Links
What The Is This SHIT?!
• Auto-generated domains
• A TON more domains with similar-looking documents to the original we found
• The domains look like they’re being created and cached every day
• Same registration service
• All whoisguarded
• Documents which apparently aren’t malicious
THIS DOC HAS TO BE MALICIOUS RIGHT!?!
My research IP address
WAT DO?
FAST FLUX CAMPAIGN
• Domains change rapidly
• Malware is delivered, delivery endpoints dissolve into the aether
• Fairly good OPSEC to this campaign
CAMPAIGN EVOLUTION
• DGA
• Reasonable-ish 2nd-level domain: DGA evasion
ANYTHING IN THE C2??
EXTRA_TARGET_0.BAT
WHAT CAN WE DO?
• Domain blocking? It’ll all be gone tomorrow
• IP blocking? They change too frequently
• Application whitelisting? Sure, but what if something changes again?
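As an added example (not from the talk or its author), a small Python triage over a constructed DNS query log: a randomness heuristic catches the early DGA-style names but not the "reasonable-ish" second-level domains the campaign evolved to, so a second signal, a client that keeps resolving never-before-seen domains day after day, is what survives that evasion and outlives any single domain or IP block. Log entries, the baseline set, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed DNS query log (day, client IP, queried name); not data from the talk.
SAMPLE_DNS_LOG = [
    ("2018-09-01", "10.0.0.5", "www.example.com"),
    ("2018-09-01", "10.0.0.5", "xk9q2vz7pd.com"),
    ("2018-09-01", "10.0.0.7", "mail.example.com"),
    ("2018-09-02", "10.0.0.5", "bq7wz1xn4k.com"),
    ("2018-09-02", "10.0.0.5", "cloudbestdocs.com"),
    ("2018-09-03", "10.0.0.5", "securefiledrive.com"),
    ("2018-09-03", "10.0.0.7", "www.example.com"),
    ("2018-09-04", "10.0.0.5", "quickpdfview.com"),
]
BASELINE = {"example.com"}  # constructed: 2LDs already known before the window

def second_level(name):
    """Naive 2LD extraction (no public-suffix list): keep the last two labels."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def looks_random(label, min_len=6):
    """Classic DGA tell: a long label with almost no vowels or many digits."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return vowel_ratio < 0.2 or digit_ratio >= 0.2

def triage(log, baseline):
    """Map each queried 2LD to its flags; [] means nothing suspicious."""
    reasons = {}
    for _day, _client, name in log:
        sld = second_level(name)
        tags = ["new-domain"] if sld not in baseline else []
        if looks_random(sld.split(".")[0]):
            tags.append("dga-like")
        reasons[sld] = sorted(tags)
    return reasons

def churn_clients(log, baseline, min_domains=3, min_days=3):
    """Clients that keep resolving fresh 2LDs day after day. Once the names
    stop looking random, the daily churn itself is the remaining signal."""
    seen = defaultdict(lambda: (set(), set()))  # client -> (new 2LDs, days)
    for day, client, name in log:
        sld = second_level(name)
        if sld not in baseline:
            seen[client][0].add(sld)
            seen[client][1].add(day)
    return {c for c, (doms, days) in seen.items()
            if len(doms) >= min_domains and len(days) >= min_days}
```

Against the sample log, only the two consonant-heavy names are tagged dga-like, while the pronounceable ones are caught solely because they are new and because the same client resolves a fresh one every day.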
LESSONS LEARNED
• ABC: Always Be Curious
• Trust your instincts
• Be a good citizen
• You may not always get the answers that you’re looking for, and that’s okay
MORAL OF THE STORY
• “You can’t always get what you want.” -Mick Jagger
CONTACT INFO
• Emily Crose
• Ironnet Cybersecurity
• Twitter: @Hexadecim8
• Email: [email protected]