9. Overview: Tax Scams Gone International
• 9 different countries
• English and 3 other languages
• Occurring year round
• Attacks
  • HTML forms and malicious attachments
  • Links to malicious sites
13. Impersonating Tax Seminars
Sample subjects:
• IRS: Tax and Payroll Updates for 2016
• Reminder: Annual Tax Update
• Handling Federal and State Tax Levies With Ease. Register Now!
14. Attacking SSH Servers
SSHPsychos
• Brute-forces SSH logins until a password guess succeeds
• ~300K unique passwords in the guessing list
• Once a password works, the real login comes from a different address space than the brute-force traffic
• Drops a DDoS rootkit on the compromised server
• Accounted for 1/3 of all SSH traffic ON THE INTERNET
Chart: SSH brute-force attempts over time
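Added example (not from the slides or from Talos tooling): a small Python detector that applies the behaviour described above to OpenSSH auth.log lines. The log lines, addresses and thresholds are constructed for illustration. It flags sources with many failed passwords spread across several usernames, then reports successful logins to a guessed account that arrive from an address outside the scanner's network, which is the "login from a different address space" pattern.

```python
"""Detect SSH password guessing and the follow-on login from elsewhere."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not real telemetry).
SAMPLE_LOG = """\
Jul  7 10:01:02 host sshd[2001]: Failed password for root from 103.41.124.10 port 40122 ssh2
Jul  7 10:01:03 host sshd[2002]: Failed password for root from 103.41.124.10 port 40123 ssh2
Jul  7 10:01:04 host sshd[2003]: Failed password for invalid user admin from 103.41.124.10 port 40124 ssh2
Jul  7 10:01:05 host sshd[2004]: Failed password for invalid user oracle from 103.41.124.10 port 40125 ssh2
Jul  7 10:01:06 host sshd[2005]: Failed password for root from 103.41.124.10 port 40126 ssh2
Jul  7 10:01:07 host sshd[2006]: Failed password for root from 103.41.124.10 port 40127 ssh2
Jul  7 10:05:00 host sshd[2100]: Failed password for alice from 192.0.2.25 port 51000 ssh2
Jul  7 10:05:10 host sshd[2101]: Accepted password for alice from 192.0.2.25 port 51001 ssh2
Jul  7 11:30:00 host sshd[2200]: Accepted password for root from 43.255.190.7 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse(log_text):
    """Per-source failure counts and username sets, plus accepted logins."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]]["count"] += 1
            failures[m["ip"]]["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"]))
    return failures, accepted


def brute_force_sources(failures, min_failures=5, min_users=2):
    """Sources with high failure volume across several accounts (thresholds assumed)."""
    return sorted(ip for ip, rec in failures.items()
                  if rec["count"] >= min_failures and len(rec["users"]) >= min_users)


def suspicious_logins(failures, accepted, sources):
    """Successful logins to an account that a scanner guessed at, arriving
    from an address that was not itself a scanner; note whether the address
    shares the scanner's /24 or sits in a different network entirely."""
    guessed = set()
    for ip in sources:
        guessed |= failures[ip]["users"]
    hits = []
    for user, ip in accepted:
        if user in guessed and ip not in sources:
            same_net = any(ipaddress.ip_address(ip) in ipaddress.ip_network(f"{s}/24", strict=False)
                           for s in sources)
            hits.append((user, ip, "same /24 as scanner" if same_net else "different network"))
    return hits


def analyze(log_text):
    failures, accepted = parse(log_text)
    sources = brute_force_sources(failures)
    return {"sources": sources,
            "suspicious_logins": suspicious_logins(failures, accepted, sources)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The single failure from 192.0.2.25 followed by alice's own login is ordinary user behaviour and is not reported; the root login from 43.255.190.7 is, because root was one of the guessed accounts and the login source is outside the scanner's network. On a real host the same logic should be fed from the full auth log (or journald) rather than a string, and the thresholds tuned to the host's normal failure rate.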
15. Collaborating with Level 3
SSHPsychos
ACTION TAKEN:
• Engaged Level 3 and other providers
• Sudden pivot by the attackers
• Null routed
• Call to action
• Effectively limited
18. Drive-by Download Attacks
• Content, usually malicious, is downloaded without the user intending it, typically just by visiting a page
• No click is required to trigger the download
• Malvertising is a common vector
22. What is an exploit kit?
• A software package, hosted on a web server, that fingerprints a visiting browser and exploits vulnerable browsers and plugins to deliver a payload
• Blackhole was one of the first major exploit kits
23. Monetization of Hacking
There are three main payload types:
• Ransomware
  • CryptoWall, TeslaCrypt
• Click-fraud agents
  • Bedep
• Miscellaneous
  • Trojans, keyloggers, spyware
24. Taking a Close Look
• Deep data analytics, July 2015
  • Telemetry from compromised users
  • ~1,000 sandbox runs
• July 2015
  • Angler underwent several URL changes
  • Multiple 0-days from the Hacking Team leak were added
  • Ended with a large dataset to analyze
25. Detection Challenges
• Hashes
  • Found 3,000+ unique hashes
  • Only 6% were present in VirusTotal
  • Most of those had fewer than 10 engine detections
• Encrypted payloads
  • Diffie-Hellman key exchange used to encrypt the IE exploit
  • Key is unique to each user, so every victim receives different bytes
• Domain behavior
  • DDNS
  • Domain shadowing
  • Adversary-owned domains
  • Hard-coded IPs
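Added example, not Angler's code: a Python model of the per-victim key exchange that turns the encrypted IE exploit into a detection problem. The exploit server and the victim's browser agree on a key with Diffie-Hellman, the exploit body is sent under that key, and a sensor that records the whole HTTP exchange sees only public values and ciphertext. The group parameters (a 255-bit prime borrowed for size only), the SHA-256 keystream standing in for the kit's real cipher, and the exploit body and signature string are all assumptions made for illustration.

```python
"""Per-victim Diffie-Hellman key for an encrypted exploit (added model)."""
import hashlib
import secrets

# Toy group: a 255-bit prime borrowed only for size (it is the Curve25519
# field prime, not a vetted finite-field DH group). A real deployment would
# use a 2048-bit MODP group; for the observer argument only per-session
# freshness matters.
P = 2**255 - 19
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def stream_xor(key, data):
    """SHA-256 counter keystream XOR; a stand-in for the kit's real cipher (assumption)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed exploit body and a byte signature an IDS might carry for it.
EXPLOIT = b"<script>var spray='ABCDEFGH'.repeat(0x10000);/* exploit body */</script>"
SIGNATURE = b"var spray='ABCDEFGH'"


def exploit_server(client_pub):
    """Server side: fresh DH key per request, exploit encrypted to this client only."""
    s_priv, s_pub = dh_keypair()
    key = dh_session_key(s_priv, client_pub)
    return s_pub, stream_xor(key, EXPLOIT)


def victim_session():
    """Browser side: sends its public value, receives and decrypts the exploit.
    Returns the recovered plaintext and what a passive sensor would record."""
    c_priv, c_pub = dh_keypair()
    s_pub, ciphertext = exploit_server(c_pub)
    plaintext = stream_xor(dh_session_key(c_priv, s_pub), ciphertext)
    transcript = {"client_pub": c_pub, "server_pub": s_pub, "ciphertext": ciphertext}
    return plaintext, transcript


def signature_hits(transcript, signature=SIGNATURE):
    """What a content signature on the wire can see: only the ciphertext."""
    return signature in transcript["ciphertext"]


if __name__ == "__main__":
    pt, t = victim_session()
    print(pt == EXPLOIT, signature_hits(t))
```

Two sessions fetching the identical exploit produce two unrelated byte streams, so neither a hash of the delivered object nor a content signature on it matches, which is why the slide lists the encryption beside the hash statistics. Detection has to move to what does not change per victim: the landing-page and gate URL structure, the key-exchange handshake itself, and the post-exploitation behaviour seen in the sandbox.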
29. IP Address / ASN Relationship
Chart: Angler HTTP requests by provider, July 2015
30. Shutting Down the Source
• Partnered with Limestone Networks
  • Angler infrastructure
• Level 3
  • Magnitude and scale
• Collaborated with OpenDNS
  • Visibility into DNS infrastructure
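Added example, not the page's or OpenDNS's code: a Python heuristic for the domain-shadowing behaviour listed under Detection Challenges, of the kind that DNS visibility makes possible, run over constructed passive-DNS records. Shadowed subdomains are created (with stolen registrar credentials) under a legitimate registered domain but resolve into a network the domain's apex and www records never use, so the check groups resolutions by registered domain, takes the ASN of the apex/www answers as the baseline, and reports domains with several short-lived subdomains resolving elsewhere. The prefix-to-ASN table, domain names and addresses are constructed; a real deployment would use the Public Suffix List and BGP data.

```python
"""Domain-shadowing heuristic over passive-DNS records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed prefix -> ASN table; real lookups use BGP/whois data.
PREFIX_ASN = {
    "198.51.100.0/24": "AS64500",   # legitimate shared hoster (toy)
    "203.0.113.0/24": "AS64511",    # attacker-rented VPS range (toy)
}


def asn_for(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_ASN.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return "unknown"


def registered_domain(qname):
    # Toy: last two labels. Production code must use the Public Suffix List
    # (co.uk, com.au, ...) or shadows under such domains are mis-grouped.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


# Constructed passive-DNS records: (day_seen, qname, A-record answer).
RECORDS = [
    (1, "example-bakery.com",        "198.51.100.10"),
    (1, "www.example-bakery.com",    "198.51.100.10"),
    (3, "ad7s9.example-bakery.com",  "203.0.113.40"),
    (3, "kx02lq.example-bakery.com", "203.0.113.40"),
    (4, "9fhzz1.example-bakery.com", "203.0.113.41"),
    (4, "qwe8d.example-bakery.com",  "203.0.113.41"),
    (5, "mail.example-bakery.com",   "198.51.100.11"),  # same hoster: benign
    (5, "blog.other-shop.net",       "198.51.100.50"),
    (6, "other-shop.net",            "198.51.100.50"),
]


def shadowing_report(records, min_subdomains=3, max_lifetime_days=1):
    """Return {registered_domain: [suspect subdomains]} for domains with at
    least `min_subdomains` short-lived subdomains resolving outside the
    ASN(s) used by the apex / www records (thresholds are assumptions)."""
    by_domain = defaultdict(list)
    for day, name, ip in records:
        by_domain[registered_domain(name)].append((day, name.lower(), ip))

    findings = {}
    for dom, recs in by_domain.items():
        baseline = {asn_for(ip) for _, name, ip in recs if name in (dom, "www." + dom)}
        if not baseline:
            continue  # nothing to compare against for this domain
        days_seen = defaultdict(set)
        foreign = set()
        for day, name, ip in recs:
            if name in (dom, "www." + dom):
                continue
            days_seen[name].add(day)
            if asn_for(ip) not in baseline:
                foreign.add(name)
        suspects = sorted(n for n in foreign
                          if max(days_seen[n]) - min(days_seen[n]) + 1 <= max_lifetime_days)
        if len(suspects) >= min_subdomains:
            findings[dom] = suspects
    return findings


if __name__ == "__main__":
    print(shadowing_report(RECORDS))
```

mail.example-bakery.com is not flagged even though it is a new subdomain, because it resolves into the same hoster as the apex; the four random-looking names that each lived a single day and pointed at the 203.0.113.0/24 range are. The two adversary-owned-domain and DDNS cases on the slide need different baselines (registration age and the DDNS provider's zones respectively), which this check does not attempt.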
35. Overview: CryptoWall 4.0
• Notorious ransomware
• Version 1 first seen in 2014
• Distributed via exploit kits and phishing emails
• Fast evolution
36. File Encryption
Victim directory before encryption (directory listing shown on the slide):
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…
Per-file process, as drawn on the slide for 1.jpg:
• A temporary AES-256 key is generated for the file
• 1.jpg is encrypted with that AES-256 key
• The temporary AES-256 key is encrypted with the operator's RSA public key
• The output file (random.xyz) holds the encrypted AES-256 key, other data, and the encrypted 1.jpg
Temporary AES key can only be decrypted with the private RSA key
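Added example, not CryptoWall's code: a Python walkthrough of the hybrid scheme drawn above, so that the last line (the temporary AES key can only be recovered with the RSA private key) is concrete. Stand-ins and assumptions: textbook RSA over two Mersenne primes in place of the operator's 2048-bit key, a SHA-256 counter keystream in place of AES-256, and a container layout (marker, wrapped key, ciphertext) that is this example's own, not the real random.xyz format.

```python
"""Hybrid per-file encryption: random symmetric key, wrapped with RSA (added example)."""
import hashlib
import secrets


def toy_rsa_keypair():
    """Operator keypair. Toy: p = 2^31-1 and q = 2^61-1 (n is ~92 bits);
    real keys are 2048 bits and generated on the C2, never on the victim."""
    p, q = 2**31 - 1, 2**61 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


CHUNK, CT_LEN = 8, 12   # 8-byte message chunks (< n); each RSA block stored in 12 bytes


def rsa_wrap(pub, key):
    """Textbook RSA on each 8-byte chunk of the key (no padding: toy)."""
    n, e = pub
    return b"".join(pow(int.from_bytes(key[i:i + CHUNK], "big"), e, n).to_bytes(CT_LEN, "big")
                    for i in range(0, len(key), CHUNK))


def rsa_unwrap(priv, wrapped):
    n, d = priv
    return b"".join(pow(int.from_bytes(wrapped[i:i + CT_LEN], "big"), d, n).to_bytes(CHUNK, "big")
                    for i in range(0, len(wrapped), CT_LEN))


def toy_aes(key, data):
    """SHA-256 counter keystream XOR standing in for AES-256 (assumption)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


MAGIC = b"CW4?"   # hypothetical container marker; the real header is not on the slide
WRAPPED_LEN = 4 * CT_LEN   # a 32-byte key becomes four RSA blocks


def encrypt_file(pub, plaintext):
    """Victim side: only the public key is available. The temporary key
    exists just long enough to encrypt the file; what is written out is
    the RSA-wrapped copy, which the victim cannot open."""
    temp_key = secrets.token_bytes(32)
    return MAGIC + rsa_wrap(pub, temp_key) + toy_aes(temp_key, plaintext)


def decrypt_file(priv, blob):
    """Operator side (or a victim who paid): unwrap the key, then the file."""
    assert blob.startswith(MAGIC)
    wrapped = blob[len(MAGIC):len(MAGIC) + WRAPPED_LEN]
    temp_key = rsa_unwrap(priv, wrapped)
    return toy_aes(temp_key, blob[len(MAGIC) + WRAPPED_LEN:])


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    blob = encrypt_file(pub, b"constructed file contents")
    print(decrypt_file(priv, blob))
```

The design is why recovery without the operator is hopeless when it is done correctly: the symmetric key never touches disk in clear, the public key cannot unwrap it, and every file gets its own key so breaking one does not help with the next. Practical decryptors have only ever appeared where an implementation slipped (key reuse, a predictable random source, or the private key left on a seized server).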
37. Network Communication
Sequence between the CryptoWall malware and its command-and-control (C2) server, as drawn on the slide:
• Malware → C2: initial announcement
• C2 → Malware: ACK
• Malware → C2: request PubKey, TOR domains, PNG wallpaper
• C2 → Malware: send PubKey, TOR domains, PNG wallpaper
• Malware: verify PubKey and start encrypting files …
• Malware → C2: operation successful, files encrypted, done
• C2 → Malware: ACK
38. Excluded Local Regions
• CryptoWall 4 checks the local region settings with an undocumented API call
• The following locales are excluded from infection:
  • Russian
  • Kazakh
  • Ukrainian
  • Uzbek
  • Belarusian
  • Azeri
  • Armenian
  • … other Eastern European locales
43. SamSam Targets Healthcare
• Exploits a JBoss vulnerability
• Moves laterally
• Targets systems across the organization
• Used recently against multiple hospitals
47. Summary
• Exploits network-facing vulnerabilities
  • JBoss
• Moves laterally to target multiple systems
• Payment is in Bitcoin
• Victims obtain the private key via a blog comment
48. Smoke & Mirrors
Rombertik
• Multiple layers of obfuscation
• Hooks into the user's browser to read credentials and other sensitive info
• Propagates via spam and phishing
49. Hard to Detect
Rombertik, stage 1: anti-analysis
• User downloads the packed executable
• Packed executable performs excessive activity to flood tracing tools
• Performs a series of checks to make sure the environment is safe for it to proceed in
• Decrypts the unpacking shellcode to memory and executes it
ACTION TAKEN:
• Identify malware
• Encourage best security practices
• AMP, CWS, ESA, Network Security, WSA
50. Hard to Kill
Rombertik, stage 2: persistence
• Unpacking shellcode checks whether the executable is in the desired location and copies it there if not
• Launches the copy from the desired location
• Decrypts the executable
• Executable launches itself again and overwrites the new copy with the unpacked executable code
• Preparation is complete
51. Software Integrity & Nasty Surprises
Rombertik, stage 3: malicious behavior
• Unpacked executable computes a 32-bit hash from a resource and compares the values
• If the values do not match, it encrypts and wipes the victim's data
• If the values match, it injects spy code into web browsers
• Sends intercepted data to a web server
52. Angler Exploit Kit Evolves Again
• Parameter changes:
  • New gate
  • Registered domains