Slide 1

Raiders of the JavaScript-based Malware
Pranshu Bajpai (@amirootyet)

Slide 2

AGENDA
1. Introduction
2. RAA Ransomware
3. Cryptojacking
4. Conclusion

Slide 3

INTRODUCTION
~# whoami

Slide 4

About us Pranshu Bajpai

Slide 5

Ransomware & Cryptojacking (2018)

Slide 6

ELEMENTS OF A RANSOMWARE
1. Infiltration (initial entry)
2. Acquire key (encryption secret)
3. Encryption (file encryption)
4. Demand ransom

Slide 7

RAA Ransomware
A ransomware written entirely in JavaScript (delivered as a .js file and run by the Windows Script Host, not in a browser)

Slide 8

ABOUT RAA RANSOMWARE

Slide 9

IOC Indicators of Compromise

Slide 10

PROCESS GRAPH Process Created

Slide 11

DIVERSION Wordpad shows the following “error message”

Slide 12

NETWORK ACTIVITY DNS Requests

Slide 13

RAA CODE ANALYSIS

Slide 14

RAA CODE ANALYSIS

Slide 15

RAA CODE ANALYSIS

Slide 16

RAA CODE ANALYSIS

Slide 17

RAA CODE ANALYSIS

Slide 18

RAA CODE ANALYSIS

Slide 19

RAA CODE ANALYSIS

Slide 20

RAA CODE ANALYSIS: Quick Summary

Slide 21

Cryptojacking
Unauthorized covert cryptocurrency mining

Slide 22

ABOUT CRYPTOJACKING
“Bitcoin made ransomware possible; Monero made cryptojacking possible”

Slide 23

EXAMPLE OF JS-BASED MINING

Slide 24

EXAMPLE OF JS-BASED MINING

Slide 25

SYSTEM IMPACT

Slide 26

EXAMPLE OF JS-BASED MINING

Slide 27

DEOBFUSCATION

Slide 28

CRAWL RESULTS
Identified 212 websites involved in cryptojacking
– Pornography? Business? IT? Malicious?
– Use the FortiGuard web filter categories: https://fortiguard.com/webfilter/categories
– Script to resolve websites to categories

Slide 29

QUESTIONS DURING ANALYSIS
CRAWL THE WEB: publicwww, nerdydata, censys
OBFUSCATION
UNAUTHORIZED
VALIDATE
– Some websites are now unavailable
– Some websites have since cleaned the source code
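The deobfuscation step (slide 27) and the validation step above (a hit from publicwww, nerdydata or censys still has to be confirmed by looking at the page source) are what this added example does. It is not code from the talk or from Pranshu Bajpai: a static unpacker for the common eval(String.fromCharCode(...)), \x escape, unescape('%..') and atob('...') layers, followed by a scan for in-browser miner indicators, run over three constructed HTML pages. The domains and the site key are placeholders; the Coinhive library name and API shape (new CoinHive.Anonymous(siteKey).start()) are real and were the most common 2018 miner loader, but the strong/weak split and the verdict thresholds are my own choices.

```javascript
'use strict';

// --- Static deobfuscation passes: each rewrites one encoding layer, nothing is eval'd ---

// String.fromCharCode(118,97,114) -> "var"
function unpackFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_, list) => {
    const codes = list.split(',').map(n => parseInt(n.trim(), 10)).filter(Number.isFinite);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// "\x76\x61\x72" / "\u0076" escapes -> the characters they encode
function unpackHexEscapes(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// unescape('%76%61%72') / decodeURIComponent('...') with a literal argument -> "var"
function unpackPercentEncoding(src) {
  return src.replace(/\b(?:unescape|decodeURIComponent|decodeURI)\(\s*(['"])([^'"]*)\1\s*\)/g,
    (_, q, body) => JSON.stringify(body
      .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))));
}

// atob('dmFy') with a literal argument -> "var"
function unpackBase64(src) {
  return src.replace(/\batob\(\s*(['"])([A-Za-z0-9+/=\s]*)\1\s*\)/g,
    (_, q, b64) => JSON.stringify(Buffer.from(b64.replace(/\s/g, ''), 'base64').toString('latin1')));
}

// Apply the passes until a fixed point; loaders are usually nested two or three layers deep.
function deobfuscate(src, maxRounds = 6) {
  let cur = src;
  for (let i = 0; i < maxRounds; i++) {
    const next = unpackBase64(unpackPercentEncoding(unpackHexEscapes(unpackFromCharCode(cur))));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Miner indicators. Coinhive names are real (the most common 2018 in-browser Monero
// miner); the strong/weak split is my choice. Any strong hit alone flags the page.
const INDICATORS = [
  { name: 'coinhive-library', strength: 'strong', re: /coinhive\.min\.js/i },
  { name: 'coinhive-api',     strength: 'strong', re: /new\s+CoinHive\.(?:Anonymous|User)\s*\(/ },
  { name: 'cryptonight-wasm', strength: 'strong', re: /cryptonight[\w-]*\.wasm/i },
  { name: 'miner-start-call', strength: 'weak',   re: /\.start\s*\(\s*\)/ },
  { name: 'throttle-option',  strength: 'weak',   re: /throttle\s*:\s*0?\.\d+/ },
];

// Scan one page: unpack first, then match. obfuscated = at least one layer was removed.
function scanPage(html) {
  const decoded = deobfuscate(html);
  const obfuscated = decoded !== html;
  const hits = INDICATORS.filter(i => i.re.test(decoded));
  const strong = hits.filter(i => i.strength === 'strong').length;
  const weak = hits.length - strong;
  let verdict = 'clean';
  if (strong > 0) verdict = 'miner';
  else if (weak >= 2 || (obfuscated && weak >= 1)) verdict = 'suspicious';
  return { obfuscated, indicators: hits.map(i => i.name), verdict };
}

function scanAll(pages) {
  const out = {};
  for (const [site, html] of Object.entries(pages)) out[site] = scanPage(html);
  return out;
}

// --- Constructed sample pages (domains and site key are placeholders, not real sites) ---
const MINER_LOADER =
  "var m = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER', {throttle: 0.3}); m.start();";
// Helpers used only to build the obfuscated sample, so its plaintext stays visible above.
const toFromCharCode = s => 'String.fromCharCode(' + Array.from(s, c => c.charCodeAt(0)).join(',') + ')';
const toAtob = s => "atob('" + Buffer.from(s, 'latin1').toString('base64') + "')";

const SAMPLE_PAGES = {
  // Loader in the clear, plus the library <script> tag.
  'plain.example': `<html><body><p>news</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>${MINER_LOADER}</script></body></html>`,
  // Same loader two layers deep: eval(atob(...)) wrapping eval(String.fromCharCode(...)).
  'obfuscated.example': `<html><body><p>news</p>
<script>eval(${toAtob('eval(' + toFromCharCode(MINER_LOADER) + ')')})</script></body></html>`,
  // Ordinary page script: no decoder call, no miner strings.
  'clean.example': `<html><body><p>news</p>
<script>window.dataLayer = []; function track(e) { dataLayer.push(e); } track('view');</script></body></html>`,
};

// Stand-alone run: one line per site with its verdict and the indicators that fired.
for (const [site, result] of Object.entries(scanAll(SAMPLE_PAGES))) {
  console.log(site, JSON.stringify(result));
}
```

Because nothing is executed, the unpacker only handles literal arguments; a loader that assembles its string with split/reverse/join or array indexing needs more passes or a sandboxed run with eval hooked. A legitimate page that uses \x escapes will also show obfuscated: true, so that flag is context for a hit, not a verdict on its own, and the other half of validation (re-crawling to see whether the script is still live, per the notes above) is not shown here.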

Slide 30

CONCLUSION

Slide 31

THANK YOU!
Pranshu Bajpai
Twitter: @amirootyet