NightHunter:
A Massive Campaign to Steal Credentials Revealed
Cyphort Labs Malware’s Most Wanted Series
July 2014
Your speakers today
Nick Bilogorskiy
Director of Security Research
Shel Sharma
Agenda
o What is NightHunter
o NightHunter timeline
o Dissecting the malware
o Wrap-up and Q&A
About Cyphort Labs
o We work with the security ecosystem: contribute to and learn from the malware KB; best of 3rd party threat data
o We enhance malware detection accuracy: false positives/negatives; deep-dive research
o Threat Monitoring & Research team: 24x7 monitoring for malware events; assist customers with their forensics and incident response
NightHunter – Name explained
We called it NightHunter because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a stealthier way of data theft, akin to hunting at night.
What is NightHunter?
o Campaign began 2009, still ongoing
o Malware coded in .NET
o Extensive data theft campaign using SMTP and more than 3,000 unique keylogger binaries
o Steals login credentials of users, Google, Facebook, Dropbox, Skype and other services
o At least 1,800 infections
NightHunter C&C protocol: poll question
What do you think is the command and control protocol for updating NightHunter?
A: HTTP
B: HTTPS
C: FTP
D: IRC
E: None of the above
NightHunter C&C protocol
None!
NightHunter does not use a command and control protocol. Instead, each variant simply sends stolen data to a hard-coded email server.
By using email it hides in plain sight, while organizations beef up web anomaly detection.
NightHunter History
2009: First variants of NightHunter appear
2010: Malware starts using AOL, Microsoft email servers
2012: Malware starts using mx1.3owl.com
2013: Starts using Comcast, Yahoo email servers
2014: Cyphort discovers NightHunter
NightHunter Infections To Date
There are at least 1,800 unique infections.
Number of unique infections per email server:
3OWL: 1000
Ieindia: 350
Drmike: 200
Hanco: 150
Gmail: 100*
Comcast: 60
NightHunter Infections To Date
Samples using Gmail servers (smtp.gmail.com): chart of sample count per month from 2013-07 through 2014-06 (x-axis: Time; y-axis: Count, 0 to 500).
Malware Architecture
o User: receives a phishing email with a DOC/ZIP attachment
o Stage 1 (EXE): decrypts the DLL from a resource section and loads it from memory
o Stage 2 (DLL)*: runs from the EXE's process memory and sends out credentials via SMTP
o Attacker: receives the stolen credentials on the email server
* Some samples did not use Stage 2
NightHunter Delivery
o Delivered mostly through phishing emails with DOC/ZIP/RAR attachments.
o User gets infected by opening a malicious document with scripting enabled.
o Emails were targeted towards personnel in finance/sales/HR departments.
NightHunter Delivery
Email subject/attachment names:
• Jobs List
• Inquiry
• Order
• PO
• Purchase Order
• Payment Slip
• Reconfirm Pls
• Remittance Payment Slip
• WireSlip
NightHunter Data Theft
NightHunter steals credentials for many services, for example:
o Google
o Facebook
o Dropbox
In addition, they are interested in:
o Bitcoin Stealing
o Password managers
o Firefox/Google Chrome/IE/Safari/Opera
o Outlook
o Pidgin/Trillian/Paltalk/AIM/IMVU
o Various Games and Game Bots
o Filezilla/Flashfxp/CoreFTP/SmartFTP/FTP Commander
o Yahoo
o Hotmail
o Amazon
o Skype
o LinkedIn
o Banks, and others
NightHunter Malware Components
NightHunter is the name of the campaign. It includes more than 3,000 unique malware binaries, keylogger trojans including the following families:
o Predator Pain
o Limitless logger lite
o Keylogger Logları (SlloTBan)
o Spyrex
o FEDERIKOs Logger
o Unknown Logger Public
o Aux Logger
o Neptune
o Mr. Clyde Logger
o Ultimate Logger
o MY Ultimate Jobe
o Syslogger
o Syndicate Logger
PredatorPain keylogger
www.predatorpain.com
Limitless Logger keylogger
www.limitlessproducts.org
Federiko’s Logger
NightHunter binary analysis
Second level .NET assembly decoded and loaded from memory.
Killing security products feature
Poll question #2
What is the purpose of string
obfuscation in malware?
A: Make malware run more efficiently
B: For copyright reasons
C: Deter reverse engineering
D: Prevent static signature detection
E: C and D
NightHunter binary analysis
- .NET classes use non-printable characters.
- Here are two of the ten different string obfuscation techniques.
NightHunter binary analysis
It even steals credentials of Game Banks.
Steals data from various browsers.
Conclusions
1. NightHunter is a major data exfiltration campaign that went undetected for 5 years.
2. Enterprises should monitor SMTP and other protocols for data theft.
3. The intent of the data collection is unknown; it appears the campaign is building up a heap of stolen credentials to enable new damaging cyber threats.
4. Change your passwords frequently.
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!