Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/333 Thanks!

Hi, everybody, how are you doing today? Welcome to, yeah, whatever. So it's a pleasure having you here tonight. We're going to give you a great show. Everybody around, applause, come on.

It seems I can swear, right? I can swear to you. Yes, swearing, yes, no, shut the fuck up. I missed my cue because of all the... So first of all, we want to apologize. There was a thing we discovered about the thingee and we had to change the name of the talk. Yeah, that's right. So if you have seen an early version of the plan, that had a different title on it. And so what we're going to talk about is some case that we analyzed. And while doing so, we figured that we were dealing with something much bigger.
So originally we thought that we were looking at some industrial economic espionage attack, and then later on it turned into a high profile, probably nation state. So we're going to finish at the end with attribution. But the thing is, attribution is really, really hard. You can't ever really tell who it is. So we're going to be very careful about our attribution. But we can say at the very high likelihood this is a nation state. So we are not going to say this is a nation state attack, but rather this is a ninety-nine point nine percent a nation state attack, because we were just those kind of guys. We'll go through this again. We'll get there if we can. So let's get started. I think it was against a nation state or was by a nation state or what, where? All right. So getting started.

This is Tillmann and Gadi. First of all, there is the required Sony joke at this conference. It's just required, right? I mean, we can't go on without it. Told you. He came over and said, Gadi, I'm looking at the slide. You have to enact it without my permission, because he said there have been too many Sony jokes. It's now old news. And I had to fight him over this one of us.

So they started... this really is... this really is out there, ready to get your complaints, abuse responses, needs for help, whatever it is you want to do. Thank you. Tillmann is basically very, very humble and it's not up to you. But that's beside the point. It's very, very humble and you'll see it in a second. And he basically says he's a reverse engineer at CrowdStrike, which is true enough. Um, I'm required to put a few titles up there. So I removed my entire bio. I'm CEO of Cymmetria, which is a startup. I'm chairman of the board of the Israeli CERT, which kind of handled this presentation, this incident response.
And there are some things over there which happened or didn't happen, whatever. So Tillmann, it's not about pizzas. That's what you should know about him before we get started, that's his bio. And I'm a dancing snob. I dance West Coast swing.

Now to the topic at hand. This is the story, the back story. It was on a dark, bleak April night. And I'm getting this phone call from a guy, a really, really nice guy who understands security and all completely different things. And he says, Gadi, somebody just tried to attack us. It looks like an APT. Are you interested in that? No. So he started selling it, started by just basically saying, send it over to me. Let's see what's going on. And you'll see in a second how it worked. And that's where I started looking for somebody to help us handle it. Technically, we have our people, but it is very volunteer oriented. Eventually found Tillmann. And that's when I asked him for his help. And he was...

Yeah, look it over, right? Yeah, pretty much. And we didn't find much at first. I'll let you take that one.

I missed that part, so we didn't find much at first, we didn't find much at first. So somebody came to me and said, hey, we need some help with the technical analysis of this thing. So I'm always interested in new stuff, in challenging stuff. So I took a look and it was very, very weird, because everything started with a spear phishing campaign. You guys familiar with spear phishing? Right. So there was a targeted, manually, specially crafted email that was sent to this victim organization that he was talking about. And that email had an Excel document attached to it. And the text was designed in a way to trick the user into opening the Excel document. And, of course, the document, when you would open it, would drop the payload. So that was the thing. Right. And he was bored by it. He said, well, it looks interesting. I'll get back to you. It was basically the beginning of it. Right. And I didn't for a long time, for about a month, in which we worked other cases. And then things started to get interesting. And that's where we go into our story. So.

Before we begin even tonight, but, you know, that's the biggest argument two Monday nights had: should we call this an APT or not? Because some of this is really low level stuff. Is this really advanced, and is everything we see out there from the Chinese, for example, an APT? Is it advanced? Is it a buzzword? So this is honestly the biggest time waster in preparing this stuff: was an APT. Is it an APT or not? So that's the beginning of our story, if it's an APT or not. And are we going to talk about it? So maybe we need to provide some context for this picture here.
The interesting thing is that this spear phishing campaign that we initially looked at was relying on user interaction. And that's why there is, I think the guys called Dave over there. So, you know, other people, they use zero day exploits or something like that to break into a target machine and then they deploy their backdoor tool on there and steal information or something like that. This particular threat relied on the user clicking OK. And I mean, if you do that, then all the technology up there, like firewalls, antivirus and so on, doesn't help much, you know, if they click OK. So going on from there. Yeah, we saw a spear phishing message. That was the first one. Hey guys, whatever. Here's the message. Next message. Hey, guys, I'm sorry. Here is the next message. Hey, guys, I forgot the file again. Here it is.

Now, that's one of the reasons Tillmann basically told me, forget about it, man. It's not interesting. Maybe these guys are smart or not. We'll get to that. But that was just plain weird. We just don't see that kind of thing. Or maybe they just wanted the target to become really, really curious about that file. We can all... psychologically, I'm not an expert. It could possibly be that it would pass spam filters. It could possibly be that's how they gain interest from the users. It could possibly be they are just really, really bad at operations. Regardless, this is the beginning of what we saw.

So just to get a little bit of a hint of what we're seeing up to now in December, there have been several campaigns that we have had some sort of coverage into. Not everything is covered on this timeline, but there is more than just the original company that's adjacent to defense and aerospace in Israel that we saw. So starting with that infection vector, we've got the spear phishing. So the attacker sent a specially crafted email. We saw that one. Right, it was very sophisticated now. So we don't disturb me. So next up, we had a macro enabled dropper. Anybody since the 90s have seen a macro enabled dropper out there? We've seen a few, but it's not something that happens a lot. As Tillmann just said, we usually see a vulnerability or something. Next up, the user needs to approve. Next up, the backdoor is deployed; we'll go into all that. It's pretty cool. And then it downloads and installs yet another version of itself as a service, for instance.

So this is an example of what the XLS looks like. You can see it was Tillmann who took the screenshot, because the German up there is the giveaway. Um, this is an example of a lure in Excel that was sent. We just want to give you guys immediately some of the information. Um, if you look closely, it might look like it's Austrian. We don't know; it's a lure. We are guessing it's aimed at a German language entity.
We know it's a defense related entity, but we can't tell if it's Austrian or German or anything else. Just the lure to open the document is apparently Austrian. So largely, yes. So the way this works is, when the user first opens the Excel document, they see the picture from the previous slide. They are asked to enable macros or to allow macros to run. And then they do that. The payload gets deployed and the macro also switches to another worksheet, I guess is the term, and this is the decoy worksheet that they're presented with, that's displayed to the user. And obviously, as you pointed out, I mean, it's in German language. So we kind of know that the target is probably German speaking and there's also a military context. OK, moving on.

This is you. That's me. OK, so those of you who are familiar with the Open XML, the Office Open XML document format. That is the default document format since, I think, Microsoft Office 2007, if I'm not mistaken. Know that these documents are really zip files. Right, zip archives. And as with any other zip archive, you can extract the files from the archive, and this is what you get when you list the archive's content from the original spear phishing attack. And we highlighted some of the more interesting entries for you. Let me start at the bottom here. So there's a directory called docProps, document properties. That's where all the metadata is stored, like who created the document, when was it created, when was it last edited and stuff like that. And that's all in this core.xml file over there. And then the macro is in the first red line, xl/vbaProject. I mean, the macro language for Microsoft Office is Visual Basic for Applications, as you guys know. And that's where the macro is stored. It's in binary form, so it's not like readable code, but you can easily convert it back into the original macro.

So where is the payload? The payload obviously is in the third red file there, xl/customProperty1. But then again, it's encoded. What the macro does is it loads this file, on this property, which is a property of the document, decodes the payload, drops it to a file and runs it. OK, so that's where all the meat is.

All right, so one of the first things, I guess, most analysts do when they deal with something like this is they look at information that's statically available. You know, I mean, you can as well put the document in a sandbox and open it there and watch it drop its payload. But you can take a look at the metadata first. And this is what's in the core.xml file. So you can see there, and we added the indenting for better readability.
It's usually not indented, but you can see there is a creator XML tag and that contains the handle Woolen Hat, in leetspeak. OK, and it was also last modified by Woolen Hat. And when was that? It was created on April 23rd and it was also last modified just a few hours, about two hours after that. OK, so what we have, unless this information is spoofed, what we have here is an indicator, a hint about when this attack took place or when it was prepared, if we are to believe this information. OK, so this is interesting. And later on, you will see how we use this kind of information to find other related campaigns. OK, so this is all statically available metadata.

This is the custom property file that stores the payload, and you can see this is Unicode or wide character encoding, so every other byte is a zero byte. But if you look at the right hand side of this text, you can see some integer numbers there. So you can see the first number is a 77, the decimal number. Then comes a pipe type character, and then the second number is 90, and then the next number is 144 and so on. So if you take these numbers and convert them into the corresponding binary byte values and write those to a file, what you end up with is an executable file. OK.

So this is the relevant part of the macro. As I've told you, you can easily convert the binary object back into the VBA code, and this is the relevant part of that. You can see it splits the text it reads from the property thing with the pipe character, and then it writes it to the user's profile directory, and then runs it by calling ShellExecute with the open parameter. OK, so this is how the payload gets invoked.

All right, so now we know how the infection is carried out. There is this document, you are asked to click OK, I want macros to run, and then ShellExecute runs the dropped payload. So what's in the payload? What is the payload? And what you can do is you can load that up into, like, IDA Pro or, you know, your preferred reverse engineering tool, and take a look at the structure of the data that's in there. And this is what you see here in this colored graph. So at the beginning, you see this green stuff there, that's C standard library code. So that's stuff like, I don't know, like malloc or, uh, I don't know, right, or something like that. So the basic low level API calls, right. Then the blue stuff is code that has been written for this binary. So that's the actual code with the functionality of this thing. And then in gray, you have constant data.
448 00:14:58,020 --> 00:14:59,429 So in the beginning, there is this little 449 00:14:59,430 --> 00:15:01,589 gray piece of hardware 450 00:15:01,590 --> 00:15:03,929 that contains strings, hard 451 00:15:03,930 --> 00:15:06,269 coded strings, as well as space 452 00:15:06,270 --> 00:15:07,799 for function pointers. 453 00:15:07,800 --> 00:15:10,229 So we will on one of the next slides, 454 00:15:10,230 --> 00:15:11,369 we will talk a little bit about 455 00:15:12,420 --> 00:15:14,639 how API calls are resolved, 456 00:15:14,640 --> 00:15:16,919 which means the code generates function 457 00:15:16,920 --> 00:15:18,689 pointers, the function pointers are 458 00:15:18,690 --> 00:15:20,609 stored in this area, and then you see 459 00:15:20,610 --> 00:15:22,679 some more code blue stuff and then 460 00:15:22,680 --> 00:15:24,929 you see some other gray areas for 461 00:15:24,930 --> 00:15:26,669 for other for more constant data. 462 00:15:26,670 --> 00:15:28,049 And what you find in there, 463 00:15:29,400 --> 00:15:31,229 if you know what you're looking for, is, 464 00:15:31,230 --> 00:15:32,230 for example. 465 00:15:33,460 --> 00:15:35,129 Yes, crypto constants. 466 00:15:35,130 --> 00:15:37,529 So a yes is symmetric 467 00:15:37,530 --> 00:15:39,569 crypto algorithm. Right. 468 00:15:39,570 --> 00:15:41,669 You have these boxes in there and 469 00:15:41,670 --> 00:15:42,419 some stuff like that. 470 00:15:42,420 --> 00:15:44,339 So that's all stored, stored over there. 471 00:15:44,340 --> 00:15:46,109 And then you can also see a tiny little 472 00:15:46,110 --> 00:15:48,209 blue slice at 473 00:15:48,210 --> 00:15:48,899 the end. 474 00:15:48,900 --> 00:15:50,189 And this is where the main function 475 00:15:50,190 --> 00:15:52,169 lives. 
So when you start to execute, this 476 00:15:52,170 --> 00:15:54,179 binary execution starts at the main 477 00:15:54,180 --> 00:15:55,679 function, obviously, and this is where 478 00:15:55,680 --> 00:15:57,209 that main function is, which is kind of 479 00:15:57,210 --> 00:15:58,679 odd that it's at the end. 480 00:15:58,680 --> 00:15:59,759 But, you know, whatever. 481 00:16:00,840 --> 00:16:02,949 OK, and also we provide the 482 00:16:02,950 --> 00:16:05,099 the five in the Nasha 256 483 00:16:05,100 --> 00:16:06,599 hash here for you. 484 00:16:06,600 --> 00:16:08,549 So if you're interested, if you're 485 00:16:08,550 --> 00:16:10,919 curious, grab that file from 486 00:16:10,920 --> 00:16:13,109 the Internet and take a look 487 00:16:13,110 --> 00:16:14,110 at it yourself. 488 00:16:17,260 --> 00:16:19,419 OK, so we did the same thing as with 489 00:16:19,420 --> 00:16:21,699 this Excel document we first 490 00:16:21,700 --> 00:16:24,009 took a look at at that data 491 00:16:24,010 --> 00:16:26,259 that statically available and 492 00:16:26,260 --> 00:16:27,819 the first thing we looked at was 493 00:16:27,820 --> 00:16:29,919 everything that's part of the header 494 00:16:29,920 --> 00:16:30,939 of the file header. 495 00:16:30,940 --> 00:16:33,459 OK, so what you see in the in the 496 00:16:33,460 --> 00:16:35,559 header of this executable is the debug 497 00:16:35,560 --> 00:16:37,329 so-called debug directory. 498 00:16:37,330 --> 00:16:39,489 The directory is where 499 00:16:39,490 --> 00:16:41,409 debugging information is stored. 500 00:16:41,410 --> 00:16:43,329 So for those of you who are more familiar 501 00:16:43,330 --> 00:16:45,760 with the Unix world or the Linux world, 502 00:16:47,200 --> 00:16:48,729 you guys know that you can have like 503 00:16:48,730 --> 00:16:50,349 symbols in their function, names and 504 00:16:50,350 --> 00:16:51,969 stuff like that. 
So there is also debug 505 00:16:51,970 --> 00:16:54,159 information available in the Windows 506 00:16:54,160 --> 00:16:55,449 world, PE binaries. 507 00:16:55,450 --> 00:16:57,459 You have that in the debug directory. 508 00:16:57,460 --> 00:16:59,529 However, when 509 00:16:59,530 --> 00:17:01,449 you're actually debugging something, most 510 00:17:01,450 --> 00:17:03,699 of that information is not embedded 511 00:17:03,700 --> 00:17:05,799 into the binary. It's stored in an 512 00:17:05,800 --> 00:17:07,989 external file, a so-called PDB 513 00:17:07,990 --> 00:17:10,659 file. PDB stands for program 514 00:17:10,660 --> 00:17:12,249 database, if I'm not mistaken. 515 00:17:12,250 --> 00:17:14,529 OK, so this debug 516 00:17:14,530 --> 00:17:16,689 directory that's part of the executable 517 00:17:16,690 --> 00:17:19,029 has to store a pointer, a link, 518 00:17:19,030 --> 00:17:22,149 the path of the PDB file. 519 00:17:22,150 --> 00:17:24,039 And that's what you see in blue at the 520 00:17:24,040 --> 00:17:24,848 bottom of the slide. 521 00:17:24,849 --> 00:17:27,039 So you can tell by looking at that, 522 00:17:27,040 --> 00:17:29,439 again, unless it's spoofed, that 523 00:17:29,440 --> 00:17:31,659 this was compiled 524 00:17:31,660 --> 00:17:33,969 on the drive, 525 00:17:33,970 --> 00:17:35,380 in that directory here, 526 00:17:37,180 --> 00:17:38,709 under this name. And obviously it's a 527 00:17:38,710 --> 00:17:39,979 Win32 program. 528 00:17:39,980 --> 00:17:40,980 OK. 529 00:17:42,910 --> 00:17:44,109 OK, so that was one thing. 530 00:17:44,110 --> 00:17:46,419 But we didn't quite 531 00:17:46,420 --> 00:17:48,219 know what to make out of this. 532 00:17:48,220 --> 00:17:49,959 So that didn't help us much with our 533 00:17:49,960 --> 00:17:51,399 analysis. But it was interesting that 534 00:17:51,400 --> 00:17:52,509 that path was in there.
535 00:17:53,560 --> 00:17:55,149 Then the next thing we did was we looked 536 00:17:55,150 --> 00:17:56,769 at resources. 537 00:17:56,770 --> 00:17:58,869 So in a binary you can 538 00:17:58,870 --> 00:18:01,119 store additional 539 00:18:01,120 --> 00:18:02,499 arbitrary data. 540 00:18:02,500 --> 00:18:04,839 You can store, for example, mouse 541 00:18:04,840 --> 00:18:07,419 cursors, or you can store icons, 542 00:18:07,420 --> 00:18:08,619 or you can store whatever. 543 00:18:08,620 --> 00:18:11,109 Right. And these additional 544 00:18:11,110 --> 00:18:12,729 chunks of data are stored in so-called 545 00:18:12,730 --> 00:18:14,079 resources. So you have an additional 546 00:18:14,080 --> 00:18:16,119 directory in such a file, which is the 547 00:18:16,120 --> 00:18:18,549 resource directory or the resource table. 548 00:18:18,550 --> 00:18:20,829 And what you can see here is 549 00:18:20,830 --> 00:18:22,899 the list of resources in that 550 00:18:22,900 --> 00:18:25,059 binary. And what's interesting is that 551 00:18:25,060 --> 00:18:27,309 each resource has a language 552 00:18:27,310 --> 00:18:28,689 code associated with it. 553 00:18:28,690 --> 00:18:30,459 That's the stuff in blue and also in 554 00:18:30,460 --> 00:18:31,859 black down there. So the stuff.
555 00:18:31,860 --> 00:18:34,089 But what's 556 00:18:34,090 --> 00:18:36,309 interesting here is that the language 557 00:18:36,310 --> 00:18:38,769 codes in blue stand for 558 00:18:38,770 --> 00:18:42,159 Argentinian, which 559 00:18:42,160 --> 00:18:44,409 could mean perhaps 560 00:18:44,410 --> 00:18:46,599 that this binary was compiled on an 561 00:18:46,600 --> 00:18:48,130 Argentinian system, 562 00:18:49,150 --> 00:18:51,309 which might mean that the 563 00:18:51,310 --> 00:18:53,289 person who compiled this was running the 564 00:18:53,290 --> 00:18:55,659 system, or they just 565 00:18:55,660 --> 00:18:57,759 changed it to the AP when they needed to 566 00:18:57,760 --> 00:18:59,079 choose where to compile it from. 567 00:19:00,130 --> 00:19:02,199 Yeah, or that. So, I mean, of course, you 568 00:19:02,200 --> 00:19:03,309 always have to question this kind of 569 00:19:03,310 --> 00:19:04,689 stuff when you analyze it, but yeah. 570 00:19:04,690 --> 00:19:06,579 So there was this Argentinian nexus to 571 00:19:06,580 --> 00:19:07,719 the whole thing. 572 00:19:09,250 --> 00:19:11,469 But when I say 573 00:19:11,470 --> 00:19:13,149 nexus, it means connection, Argentinian 574 00:19:13,150 --> 00:19:14,379 connection, so that everybody knows. 575 00:19:14,380 --> 00:19:16,419 I was confused by that for months. 576 00:19:16,420 --> 00:19:17,559 All right. So yeah. 577 00:19:17,560 --> 00:19:19,899 But I mean, we've both been confused, 578 00:19:19,900 --> 00:19:22,089 because when we first discussed this, we 579 00:19:22,090 --> 00:19:23,619 said that doesn't really make sense. 580 00:19:23,620 --> 00:19:26,799 I mean, Argentina attacking 581 00:19:26,800 --> 00:19:29,499 an Israeli 582 00:19:29,500 --> 00:19:30,969 defense and space company.
583 00:19:30,970 --> 00:19:32,619 I mean, I can see other states attacking 584 00:19:32,620 --> 00:19:35,709 Israel or that sector in Israel, but 585 00:19:35,710 --> 00:19:37,029 perhaps not Argentina. 586 00:19:37,030 --> 00:19:38,439 But I mean, I remember, personally, I'm 587 00:19:38,440 --> 00:19:40,239 not a politician or anything like that. 588 00:19:40,240 --> 00:19:41,799 Right. So. 589 00:19:41,800 --> 00:19:43,449 Yeah. So that didn't quite make sense to 590 00:19:43,450 --> 00:19:45,609 us. So we said, OK, we've 591 00:19:45,610 --> 00:19:48,159 got to reverse engineer the functionality 592 00:19:48,160 --> 00:19:49,569 and understand what this thing really 593 00:19:49,570 --> 00:19:50,469 does. 594 00:19:50,470 --> 00:19:51,549 And that was our next step. 595 00:19:54,870 --> 00:19:57,089 So this slide is supposed to give 596 00:19:57,090 --> 00:19:59,099 you a high level overview. We will touch 597 00:19:59,100 --> 00:20:01,169 on some of the things that you 598 00:20:01,170 --> 00:20:03,299 see on here in the next 599 00:20:03,300 --> 00:20:04,859 few slides, but this is a high level 600 00:20:04,860 --> 00:20:06,929 overview. So the first thing we noticed 601 00:20:06,930 --> 00:20:07,930 was: 602 00:20:08,320 --> 00:20:10,419 this is more complex, 603 00:20:10,420 --> 00:20:12,279 more advanced, more sophisticated than 604 00:20:12,280 --> 00:20:13,989 the stuff that we usually get to look at. 605 00:20:13,990 --> 00:20:16,179 OK, so this was like really high 606 00:20:16,180 --> 00:20:18,369 quality code. It was well written and so 607 00:20:18,370 --> 00:20:20,499 on. And it has some interesting 608 00:20:20,500 --> 00:20:22,599 characteristics. One was the 609 00:20:22,600 --> 00:20:24,699 entire code was completely 610 00:20:24,700 --> 00:20:25,869 position independent.
611 00:20:25,870 --> 00:20:26,890 So you can load that 612 00:20:28,150 --> 00:20:30,279 at any memory offset 613 00:20:30,280 --> 00:20:31,749 and then run it from there. 614 00:20:31,750 --> 00:20:33,789 And it wouldn't rely on any offsets or 615 00:20:33,790 --> 00:20:35,799 relocations or stuff like that, for those 616 00:20:35,800 --> 00:20:36,849 of you who are familiar with these 617 00:20:36,850 --> 00:20:38,259 concepts. Right. 618 00:20:38,260 --> 00:20:39,999 So usually, when you do 619 00:20:40,000 --> 00:20:41,169 something like this, when you write 620 00:20:41,170 --> 00:20:42,879 position independent code that can run 621 00:20:42,880 --> 00:20:44,979 anywhere in memory, you do that 622 00:20:44,980 --> 00:20:46,509 because you want to take this code and 623 00:20:46,510 --> 00:20:48,729 inject it into another process, 624 00:20:48,730 --> 00:20:50,199 and because you don't know where you will 625 00:20:50,200 --> 00:20:52,569 end up in memory, 626 00:20:52,570 --> 00:20:54,099 you have to keep the code position 627 00:20:54,100 --> 00:20:55,419 independent, OK? 628 00:20:55,420 --> 00:20:57,549 And I mean, injecting code 629 00:20:57,550 --> 00:20:59,739 into another process is always, 630 00:20:59,740 --> 00:21:00,740 let's say, 631 00:21:02,050 --> 00:21:04,179 a little hostile or, you 632 00:21:04,180 --> 00:21:05,180 know, a little, 633 00:21:06,850 --> 00:21:09,279 definitely not 634 00:21:09,280 --> 00:21:10,599 friendly in most cases. 635 00:21:12,400 --> 00:21:13,839 API calls. 636 00:21:13,840 --> 00:21:15,969 So the Windows APIs like WriteFile, 637 00:21:15,970 --> 00:21:17,709 CreateFile and so on, those are all 638 00:21:17,710 --> 00:21:18,849 resolved dynamically. 639 00:21:18,850 --> 00:21:21,159 So they are not resolved through 640 00:21:21,160 --> 00:21:23,359 import and export tables that 641 00:21:23,360 --> 00:21:24,309 you usually have in a PE.
642 00:21:24,310 --> 00:21:25,659 They are all resolved manually and 643 00:21:25,660 --> 00:21:27,909 dynamically during runtime, which 644 00:21:27,910 --> 00:21:29,589 is part of the position 645 00:21:29,590 --> 00:21:31,719 independence paradigm 646 00:21:31,720 --> 00:21:32,739 here. 647 00:21:32,740 --> 00:21:34,239 And there are also calls through wrapper 648 00:21:34,240 --> 00:21:37,119 functions. So, you know, whenever 649 00:21:37,120 --> 00:21:39,549 the code wants to save a file 650 00:21:39,550 --> 00:21:41,649 or send data onto the 651 00:21:41,650 --> 00:21:43,749 network or, I 652 00:21:43,750 --> 00:21:45,939 don't know, change a registry key, you 653 00:21:45,940 --> 00:21:48,399 name it, it does that through a wrapper 654 00:21:48,400 --> 00:21:50,349 function that calls the actual function 655 00:21:50,350 --> 00:21:51,819 that does the thing. OK. 656 00:21:51,820 --> 00:21:53,859 And we were wondering why, because it 657 00:21:53,860 --> 00:21:55,959 makes the code more complex, but 658 00:21:55,960 --> 00:21:57,189 we didn't really understand why at that 659 00:21:57,190 --> 00:21:58,190 point in time. 660 00:21:58,900 --> 00:22:00,459 And the next thing we noticed was 661 00:22:00,460 --> 00:22:02,079 whenever the code has to deal with 662 00:22:02,080 --> 00:22:03,080 immediates, 663 00:22:03,910 --> 00:22:05,979 or constants, as 664 00:22:05,980 --> 00:22:08,439 you can also say, it 665 00:22:08,440 --> 00:22:10,539 would not use these constants 666 00:22:10,540 --> 00:22:12,909 directly, but it would consult 667 00:22:12,910 --> 00:22:14,109 a lookup table. 668 00:22:14,110 --> 00:22:15,519 So let's say, 669 00:22:17,860 --> 00:22:20,139 let's say it wants to open an 670 00:22:20,140 --> 00:22:21,609 IP socket. 671 00:22:21,610 --> 00:22:24,099 OK, so in that case, it would 672 00:22:24,100 --> 00:22:26,519 have to use the constant 2 673 00:22:26,520 --> 00:22:27,670 for the socket type. Right.
674 00:22:28,840 --> 00:22:30,729 But it wouldn't use the number 2. 675 00:22:30,730 --> 00:22:33,249 It would look 676 00:22:33,250 --> 00:22:36,009 at this lookup table for another constant, 677 00:22:36,010 --> 00:22:38,259 then, you know, find the mapping for 678 00:22:38,260 --> 00:22:40,149 that constant, and that would give 679 00:22:40,150 --> 00:22:41,499 them the number 2, and they would use 680 00:22:41,500 --> 00:22:43,779 that in the actual 681 00:22:43,780 --> 00:22:45,609 API call. So we said, why? 682 00:22:45,610 --> 00:22:46,659 Why is it doing that? 683 00:22:46,660 --> 00:22:49,179 And then suddenly we figured, OK, 684 00:22:49,180 --> 00:22:51,399 the code is written in a way that 685 00:22:51,400 --> 00:22:53,529 it exposes a generic, 686 00:22:53,530 --> 00:22:55,779 a unified interface. 687 00:22:55,780 --> 00:22:57,879 OK, so you can easily 688 00:22:57,880 --> 00:23:00,309 take this code and port it to, say, 689 00:23:00,310 --> 00:23:02,709 a Unix system or a Mac 690 00:23:02,710 --> 00:23:04,899 or BSD, which 691 00:23:04,900 --> 00:23:07,029 is also Unix, and other 692 00:23:07,030 --> 00:23:08,770 systems. Right. Other platforms, 693 00:23:09,970 --> 00:23:11,500 and keep the 694 00:23:12,780 --> 00:23:15,089 interface 695 00:23:15,090 --> 00:23:17,399 the same, right? You can keep using 696 00:23:17,400 --> 00:23:19,379 the same constants, you can call the same 697 00:23:19,380 --> 00:23:21,479 wrapper functions that then internally call 698 00:23:21,480 --> 00:23:22,799 different functions. 699 00:23:22,800 --> 00:23:25,229 But this is like an abstraction 700 00:23:25,230 --> 00:23:27,359 layer between the system that the thing 701 00:23:27,360 --> 00:23:29,279 is running on and some other component 702 00:23:29,280 --> 00:23:30,179 that it's interfacing with.
703 00:23:30,180 --> 00:23:32,429 OK, so 704 00:23:32,430 --> 00:23:34,109 there's more we found that was 705 00:23:34,110 --> 00:23:35,609 interesting. 706 00:23:35,610 --> 00:23:37,769 The whole thing has to manage, has 707 00:23:37,770 --> 00:23:39,269 to maintain some sessions. 708 00:23:39,270 --> 00:23:41,639 You can talk to it over the network. 709 00:23:41,640 --> 00:23:42,809 That means you have to establish a 710 00:23:42,810 --> 00:23:44,489 session and so on. 711 00:23:44,490 --> 00:23:45,779 Session management is 712 00:23:46,850 --> 00:23:49,019 tricky, and 713 00:23:49,020 --> 00:23:51,179 you have to keep track of sessions, 714 00:23:51,180 --> 00:23:52,499 of active sessions. 715 00:23:52,500 --> 00:23:54,209 This thing does it by hashing. 716 00:23:54,210 --> 00:23:55,799 But the hashing method that's used here 717 00:23:55,800 --> 00:23:57,449 is related to Blowfish. 718 00:23:57,450 --> 00:24:00,599 It uses Blowfish, the crypto scheme, 719 00:24:00,600 --> 00:24:02,669 for hashing, which is kind of unusual, 720 00:24:02,670 --> 00:24:03,899 right? 721 00:24:03,900 --> 00:24:05,939 Maybe it sounds a little overengineered, 722 00:24:05,940 --> 00:24:07,229 but you can, I mean, it's alright. 723 00:24:07,230 --> 00:24:08,279 You can use Blowfish for that. 724 00:24:08,280 --> 00:24:10,649 That's a legitimate application, 725 00:24:10,650 --> 00:24:11,699 but it's special. 726 00:24:11,700 --> 00:24:14,039 You know, you don't usually see that 727 00:24:14,040 --> 00:24:15,689 that often. 728 00:24:15,690 --> 00:24:17,489 And then, and this is probably the most 729 00:24:17,490 --> 00:24:18,490 important point: 730 00:24:20,700 --> 00:24:22,379 at some point we realized that the stuff 731 00:24:22,380 --> 00:24:24,989 that we were looking at was a generic API 732 00:24:24,990 --> 00:24:26,279 call proxy. 733 00:24:26,280 --> 00:24:28,499 And we will explain what that is 734 00:24:28,500 --> 00:24:29,849 in a minute.
735 00:24:29,850 --> 00:24:31,649 So then we took these last two. 736 00:24:31,650 --> 00:24:34,049 So originally we said syscall proxy, 737 00:24:34,050 --> 00:24:35,639 and then later on we changed that to API 738 00:24:35,640 --> 00:24:37,919 call proxy in our notes. 739 00:24:37,920 --> 00:24:39,779 So we took these two terms, syscall 740 00:24:39,780 --> 00:24:42,539 proxy, and we took Blowfish, 741 00:24:42,540 --> 00:24:44,390 and we entered that into Google. 742 00:24:45,720 --> 00:24:47,069 Actually, a friend of mine did 743 00:24:47,070 --> 00:24:49,049 that, that I am working with. 744 00:24:49,050 --> 00:24:51,119 And the first 745 00:24:51,120 --> 00:24:53,189 hit we encountered was supposed 746 00:24:53,190 --> 00:24:56,159 to be a newsletter that came from 747 00:24:56,160 --> 00:24:57,509 over 10 years ago. 748 00:24:57,510 --> 00:24:59,489 And that was an announcement by a company 749 00:24:59,490 --> 00:25:01,679 called Core Security that 750 00:25:01,680 --> 00:25:04,049 is based in Argentina, coincidentally, 751 00:25:04,050 --> 00:25:06,239 and also in America, in 752 00:25:06,240 --> 00:25:08,429 Boston. And they announced a new 753 00:25:08,430 --> 00:25:10,379 technology, a new product of theirs that 754 00:25:10,380 --> 00:25:12,449 now runs on some BSD system 755 00:25:12,450 --> 00:25:13,709 as well. 756 00:25:13,710 --> 00:25:16,049 And that was a syscall proxy, and 757 00:25:16,050 --> 00:25:17,459 there was Blowfish involved. 758 00:25:17,460 --> 00:25:19,589 So with this pointer, we went 759 00:25:19,590 --> 00:25:21,839 back to our analysis and confirmed that 760 00:25:21,840 --> 00:25:23,849 the thing that we were looking at was 761 00:25:23,850 --> 00:25:26,009 their product. It was a product called 762 00:25:26,010 --> 00:25:28,109 Core Impact, for those 763 00:25:28,110 --> 00:25:29,259 of you who are familiar with it. 764 00:25:29,260 --> 00:25:31,379 So this is a 765 00:25:31,380 --> 00:25:33,869 little bit odd.
We have seen attackers 766 00:25:33,870 --> 00:25:35,069 using crimeware. 767 00:25:35,070 --> 00:25:36,989 We've seen attackers developing 768 00:25:36,990 --> 00:25:39,129 their own special crafted 769 00:25:39,130 --> 00:25:41,189 tools. But using Core Impact is just 770 00:25:41,190 --> 00:25:42,599 something we have not seen before. 771 00:25:42,600 --> 00:25:43,889 And we've talked to many other 772 00:25:43,890 --> 00:25:45,329 researchers who have not seen that 773 00:25:45,330 --> 00:25:46,859 before. We encountered two others 774 00:25:46,860 --> 00:25:47,860 who suspected it. 775 00:25:48,780 --> 00:25:50,879 So, number one, Core Security is based 776 00:25:50,880 --> 00:25:52,049 out of Argentina. And based on the 777 00:25:52,050 --> 00:25:54,539 general information, they are completely 778 00:25:54,540 --> 00:25:56,159 white hat. They're good people. 779 00:25:56,160 --> 00:25:57,479 They've been around for a long, long 780 00:25:57,480 --> 00:25:59,789 time. They are very, very innovative. 781 00:25:59,790 --> 00:26:01,859 They did 782 00:26:01,860 --> 00:26:03,179 pen testing, or pen testing ad hoc, if you 783 00:26:03,180 --> 00:26:04,679 like, when nobody even thought about 784 00:26:04,680 --> 00:26:06,899 it, at least not on that 785 00:26:06,900 --> 00:26:08,999 level, on the scale of a tool that 786 00:26:09,000 --> 00:26:10,199 is so automated 787 00:26:11,280 --> 00:26:12,280 and out there. 788 00:26:13,530 --> 00:26:15,609 Next, this sounds a 789 00:26:15,610 --> 00:26:16,979 bit corny, but seriously, these guys have 790 00:26:16,980 --> 00:26:19,079 been helping organizations out there 791 00:26:19,080 --> 00:26:21,839 for far more than a decade 792 00:26:21,840 --> 00:26:23,549 to protect themselves and get better at 793 00:26:23,550 --> 00:26:24,550 security.
794 00:26:25,290 --> 00:26:27,209 They have a patent on this syscall thing, 795 00:26:27,210 --> 00:26:28,379 which is important to say, and they even 796 00:26:28,380 --> 00:26:29,729 lectured about it at Black Hat. They are 797 00:26:29,730 --> 00:26:30,989 very, very open and visible 798 00:26:30,990 --> 00:26:32,609 about what they do. 799 00:26:33,970 --> 00:26:36,399 We talked to them and they 800 00:26:36,400 --> 00:26:37,809 helped us throughout this process. 801 00:26:37,810 --> 00:26:39,879 They really tried 802 00:26:39,880 --> 00:26:42,009 to be 803 00:26:42,010 --> 00:26:43,989 as straightforward as they can and as 804 00:26:43,990 --> 00:26:45,549 visible as they can with us in responding 805 00:26:45,550 --> 00:26:47,199 to this incident. 806 00:26:47,200 --> 00:26:49,029 And that's their statement, which we 807 00:26:49,030 --> 00:26:50,739 promised to include. 808 00:26:50,740 --> 00:26:52,869 But the important part is, for me, and 809 00:26:52,870 --> 00:26:54,010 everybody, read that statement, 810 00:26:55,210 --> 00:26:57,609 please. The important part for me is 811 00:26:57,610 --> 00:26:59,139 that these are good guys. 812 00:26:59,140 --> 00:27:00,669 Somebody took their tool, like we have 813 00:27:00,670 --> 00:27:02,739 seen happen before, and used it for 814 00:27:02,740 --> 00:27:04,119 malicious purposes. 815 00:27:04,120 --> 00:27:05,349 So far, so good. 816 00:27:05,350 --> 00:27:07,869 What June is starting to say now, 817 00:27:07,870 --> 00:27:10,179 and what I'm starting 818 00:27:10,180 --> 00:27:12,549 to say, is that, yes, this 819 00:27:12,550 --> 00:27:13,550 is Core Impact. 820 00:27:14,550 --> 00:27:16,050 But it's also extremely advanced. 821 00:27:17,220 --> 00:27:19,079 It's hot off the shelf technology. 822 00:27:20,120 --> 00:27:22,609 And it is used by a nation state level 823 00:27:22,610 --> 00:27:23,610 threat actor.
824 00:27:24,550 --> 00:27:26,739 That is the first twist in our story, 825 00:27:26,740 --> 00:27:28,539 where we really realized something 826 00:27:28,540 --> 00:27:29,540 different is going on. 827 00:27:30,970 --> 00:27:33,879 Yeah, so to give you an idea, I mean, 828 00:27:33,880 --> 00:27:35,859 when we first looked at the thing, 829 00:27:35,860 --> 00:27:37,269 nothing really made sense. 830 00:27:37,270 --> 00:27:39,339 We said, well, Argentina? Argentina, 831 00:27:39,340 --> 00:27:41,649 probably not, doesn't 832 00:27:41,650 --> 00:27:42,639 sound reasonable. 833 00:27:42,640 --> 00:27:44,949 And then we were speculating, maybe, 834 00:27:44,950 --> 00:27:47,799 you know, there are other states or other 835 00:27:47,800 --> 00:27:50,319 advanced threat actors that are known for 836 00:27:50,320 --> 00:27:52,539 knowing how to implement cryptography 837 00:27:52,540 --> 00:27:53,469 properly. 838 00:27:53,470 --> 00:27:55,569 And we saw cryptography being 839 00:27:55,570 --> 00:27:57,459 implemented properly here. 840 00:27:57,460 --> 00:27:59,679 So we said maybe it's coming from that 841 00:27:59,680 --> 00:28:01,239 corner, and then we had to change our 842 00:28:01,240 --> 00:28:03,279 assessment again and so on, until we 843 00:28:03,280 --> 00:28:05,379 figured, OK, it's this, it's 844 00:28:05,380 --> 00:28:05,979 this thing. 845 00:28:05,980 --> 00:28:08,679 It's the Core Impact agent. 846 00:28:08,680 --> 00:28:10,029 And I will explain what that means in 847 00:28:10,030 --> 00:28:11,030 just a second. 848 00:28:11,860 --> 00:28:14,169 And then it also became 849 00:28:14,170 --> 00:28:16,329 clear to us why we thought 850 00:28:16,330 --> 00:28:18,099 this is like enterprise quality code that 851 00:28:18,100 --> 00:28:19,059 we were looking at, because it's a 852 00:28:19,060 --> 00:28:19,809 commercial product.
853 00:28:19,810 --> 00:28:21,669 So just listen to what you just said, 854 00:28:21,670 --> 00:28:23,349 enterprise level code. 855 00:28:23,350 --> 00:28:24,609 When have we last seen 856 00:28:25,870 --> 00:28:27,489 too many malware samples out there that 857 00:28:27,490 --> 00:28:29,709 were actually enterprise level code 858 00:28:29,710 --> 00:28:31,959 that did not come from a nation state? 859 00:28:31,960 --> 00:28:33,579 That's just the beginning of what's 860 00:28:33,580 --> 00:28:34,580 interesting about this. 861 00:28:36,000 --> 00:28:37,979 All right, so I guess we have to talk a 862 00:28:37,980 --> 00:28:39,269 little bit about Core Impact and then 863 00:28:39,270 --> 00:28:40,919 I'll continue with that slide here. 864 00:28:40,920 --> 00:28:42,449 So for those of you who aren't familiar 865 00:28:42,450 --> 00:28:44,189 with it, and I haven't been familiar, we 866 00:28:44,190 --> 00:28:45,689 haven't been familiar with it before this 867 00:28:45,690 --> 00:28:46,690 analysis either: 868 00:28:48,210 --> 00:28:51,239 it's a penetration testing framework, 869 00:28:51,240 --> 00:28:52,769 and what you do with the 870 00:28:54,000 --> 00:28:55,919 control panel or the console or whatever 871 00:28:55,920 --> 00:28:57,819 you want to call it, that's the software 872 00:28:57,820 --> 00:29:00,549 you're operating. 873 00:29:00,550 --> 00:29:03,659 What you do with that is you deploy 874 00:29:03,660 --> 00:29:05,759 a tiny component, which is called 875 00:29:05,760 --> 00:29:08,729 the agent, on a target system. 876 00:29:08,730 --> 00:29:10,859 That's a system you want to test, 877 00:29:10,860 --> 00:29:12,269 or one of the systems you want to 878 00:29:12,270 --> 00:29:13,369 penetration test. 879 00:29:13,370 --> 00:29:15,479 OK, and the power 880 00:29:15,480 --> 00:29:18,089 of the tool lies in the ability 881 00:29:18,090 --> 00:29:20,549 to pivot from that system 882 00:29:20,550 --> 00:29:22,469 onto other systems behind it.
883 00:29:22,470 --> 00:29:24,539 OK, so you 884 00:29:24,540 --> 00:29:26,339 deploy the agent on one system and then 885 00:29:26,340 --> 00:29:28,949 you use that system as a stepping stone 886 00:29:28,950 --> 00:29:31,019 to reach through it to other 887 00:29:31,020 --> 00:29:31,939 systems behind it. 888 00:29:31,940 --> 00:29:34,559 OK, and that's, as far as I understand, 889 00:29:34,560 --> 00:29:36,809 I haven't used the product ever. 890 00:29:36,810 --> 00:29:38,279 But as far as I understand, or we 891 00:29:38,280 --> 00:29:39,479 understand, this is the 892 00:29:40,860 --> 00:29:43,109 main feature that makes 893 00:29:43,110 --> 00:29:44,109 Core Impact so powerful. 894 00:29:44,110 --> 00:29:46,019 In other words, check their website. 895 00:29:46,020 --> 00:29:47,020 Right. 896 00:29:47,520 --> 00:29:49,649 All right. So we want to talk 897 00:29:49,650 --> 00:29:51,299 about some of the technical, I mean, we 898 00:29:51,300 --> 00:29:52,709 could talk about the technical 899 00:29:52,710 --> 00:29:53,849 details and the technical 900 00:29:54,930 --> 00:29:55,930 specialties forever. 901 00:29:57,090 --> 00:29:58,709 You can talk about the technical details 902 00:29:58,710 --> 00:30:00,779 forever, if you say so. 903 00:30:00,780 --> 00:30:01,799 So, yeah. 904 00:30:01,800 --> 00:30:03,889 So, but we don't want to bore you 905 00:30:03,890 --> 00:30:05,759 with too much of it. But there is some 906 00:30:05,760 --> 00:30:08,069 stuff that we chose 907 00:30:08,070 --> 00:30:10,169 just to show you how advanced this 908 00:30:10,170 --> 00:30:11,170 is. 909 00:30:12,030 --> 00:30:13,979 This is the code that you see down 910 00:30:13,980 --> 00:30:15,519 here. This is a lookup table for 911 00:30:15,520 --> 00:30:18,839 constants.
So you can see it takes 912 00:30:18,840 --> 00:30:21,089 a key or the lookup 913 00:30:21,090 --> 00:30:23,039 value as an argument and then iterates 914 00:30:23,040 --> 00:30:25,229 over the map and looks 915 00:30:25,230 --> 00:30:27,029 for that. I mean, that's how 916 00:30:27,030 --> 00:30:28,499 you perform lookups in a lookup table. 917 00:30:28,500 --> 00:30:29,500 Right. 918 00:30:30,660 --> 00:30:32,879 So that is that 919 00:30:32,880 --> 00:30:33,629 part here. 920 00:30:33,630 --> 00:30:35,159 There is another one, there's one for 921 00:30:35,160 --> 00:30:37,019 status codes or error codes, as they're 922 00:30:37,020 --> 00:30:39,929 called here. And there is another one 923 00:30:39,930 --> 00:30:42,449 for actual constants like the IP socket 924 00:30:42,450 --> 00:30:43,799 one I just talked about. 925 00:30:45,810 --> 00:30:46,810 OK, 926 00:30:47,910 --> 00:30:50,099 but really the 927 00:30:50,100 --> 00:30:52,979 key feature is this API call proxy, 928 00:30:52,980 --> 00:30:54,659 so quick show of hands, maybe. 929 00:30:54,660 --> 00:30:55,949 How many of you are familiar with the 930 00:30:55,950 --> 00:30:57,989 concept of syscall proxy? 931 00:30:57,990 --> 00:30:59,239 Anybody? 932 00:30:59,240 --> 00:31:00,389 OK, a few people. 933 00:31:00,390 --> 00:31:02,459 So who is familiar with 934 00:31:02,460 --> 00:31:04,379 the concept of userspace and kernel 935 00:31:04,380 --> 00:31:05,380 space? 936 00:31:06,080 --> 00:31:06,979 Awesome. 937 00:31:06,980 --> 00:31:08,239 So that is great. 938 00:31:09,950 --> 00:31:12,109 So the idea behind the syscall proxy 939 00:31:12,110 --> 00:31:14,209 thing is to have
940 00:31:16,090 --> 00:31:18,159 the kernel, to use the kernel space of 941 00:31:18,160 --> 00:31:20,079 one system, and that's the system that 942 00:31:20,080 --> 00:31:21,999 I'm penetration testing or attacking or 943 00:31:22,000 --> 00:31:24,249 whatever, but this 944 00:31:24,250 --> 00:31:26,379 system is only running a small stub 945 00:31:26,380 --> 00:31:28,629 executable, and the userspace 946 00:31:28,630 --> 00:31:31,299 is offloaded to another system. 947 00:31:31,300 --> 00:31:33,129 And this system communicates over the 948 00:31:33,130 --> 00:31:35,499 network with the stub component here. 949 00:31:35,500 --> 00:31:37,989 So you basically offload 950 00:31:37,990 --> 00:31:40,089 the userspace onto another system and 951 00:31:40,090 --> 00:31:41,769 then this userspace and this kernel 952 00:31:41,770 --> 00:31:44,139 space communicate over the network. 953 00:31:44,140 --> 00:31:45,819 Why do you want to do something like 954 00:31:45,820 --> 00:31:47,169 that? Sounds really crazy, right? 955 00:31:48,580 --> 00:31:50,859 If you implement such a generic 956 00:31:50,860 --> 00:31:53,199 stub binary that just takes a syscall 957 00:31:53,200 --> 00:31:54,639 identifier and some parameters and then 958 00:31:54,640 --> 00:31:56,739 runs it here, you can keep all the 959 00:31:56,740 --> 00:31:58,749 logic outside of the stub binary. 960 00:31:58,750 --> 00:32:00,279 The stub binary can be really, really 961 00:32:00,280 --> 00:32:02,439 tiny and you can 962 00:32:02,440 --> 00:32:04,479 implement all the logic here on your 963 00:32:04,480 --> 00:32:06,439 console, on your system. 964 00:32:06,440 --> 00:32:08,679 OK, so if you want to add another feature 965 00:32:08,680 --> 00:32:10,749 to your attack tool, you only have to do 966 00:32:10,750 --> 00:32:11,679 that here. 967 00:32:11,680 --> 00:32:13,869 You can leave that part alone and you're 968 00:32:13,870 --> 00:32:14,349 not.
969 00:32:14,350 --> 00:32:16,389 It's also obviously less risky for the 970 00:32:16,390 --> 00:32:18,369 operation. You don't necessarily need to 971 00:32:18,370 --> 00:32:19,869 put everything in one place. 972 00:32:19,870 --> 00:32:21,669 You can change it up. 973 00:32:21,670 --> 00:32:22,779 Exactly. 974 00:32:22,780 --> 00:32:25,329 So you end up with a very tiny executable 975 00:32:25,330 --> 00:32:27,729 that generically proxies system 976 00:32:27,730 --> 00:32:30,069 calls from your userspace 977 00:32:30,070 --> 00:32:31,599 somewhere else in the world to your 978 00:32:31,600 --> 00:32:32,289 target. 979 00:32:32,290 --> 00:32:34,329 One thing that's not very technical: if 980 00:32:34,330 --> 00:32:36,129 you consider modular malware, if you want 981 00:32:36,130 --> 00:32:37,899 to, if you're a nation state 982 00:32:37,900 --> 00:32:39,639 or somebody very serious, you'd create 983 00:32:39,640 --> 00:32:40,599 something modular. 984 00:32:40,600 --> 00:32:42,699 And as you compile new agents, 985 00:32:42,700 --> 00:32:44,139 you'd put different aspects in it 986 00:32:44,140 --> 00:32:45,499 depending on the target. 987 00:32:45,500 --> 00:32:47,709 Now, if you can do it on the fly after 988 00:32:47,710 --> 00:32:49,299 you're in the target, without risking 989 00:32:49,300 --> 00:32:51,399 anything to begin with, or much, 990 00:32:51,400 --> 00:32:52,400 that is pretty cool shit. 991 00:32:53,440 --> 00:32:55,329 I said that just because this is CCC 992 00:32:55,330 --> 00:32:56,470 and it's obligatory to say that. 993 00:32:58,630 --> 00:33:01,029 OK, so does that make sense to people? 994 00:33:01,030 --> 00:33:03,279 All right, so what they have 995 00:33:03,280 --> 00:33:05,469 in their tool, what 996 00:33:05,470 --> 00:33:07,569 we have seen in the tool, is not quite 997 00:33:07,570 --> 00:33:09,999 this syscall proxy, because it's one level 998 00:33:10,000 --> 00:33:11,649 above the syscall level.
999 00:33:11,650 --> 00:33:13,599 I mean, when you write code for the 1000 00:33:13,600 --> 00:33:15,009 Windows system, you don't usually call 1001 00:33:15,010 --> 00:33:17,469 syscalls, you call 1002 00:33:17,470 --> 00:33:20,049 API functions that are more high level, 1003 00:33:20,050 --> 00:33:22,149 like WriteFile is a high level API 1004 00:33:22,150 --> 00:33:23,679 function that translates to a syscall, 1005 00:33:23,680 --> 00:33:25,329 maybe, but there are other high level 1006 00:33:25,330 --> 00:33:28,299 ones. So what they did was they 1007 00:33:28,300 --> 00:33:29,979 implemented the same concept, but on the 1008 00:33:29,980 --> 00:33:31,719 API level. So you have the control panel 1009 00:33:31,720 --> 00:33:33,939 over there, you have the agent 1010 00:33:33,940 --> 00:33:36,369 deployed over here, the box in blue, and 1011 00:33:36,370 --> 00:33:38,439 then an underlying Windows system 1012 00:33:38,440 --> 00:33:40,749 that exposes an API, and 1013 00:33:40,750 --> 00:33:42,909 all the communication takes place over 1014 00:33:42,910 --> 00:33:44,659 the network or whatever. 1015 00:33:44,660 --> 00:33:46,809 OK, and then, 1016 00:33:46,810 --> 00:33:48,099 can you switch back to the previous slide 1017 00:33:48,100 --> 00:33:50,199 for one second? So, and then, as I've 1018 00:33:50,200 --> 00:33:52,449 said before, this agent can 1019 00:33:52,450 --> 00:33:54,189 then be instructed to tunnel 1020 00:33:54,190 --> 00:33:56,649 connections, basically to proxy 1021 00:33:56,650 --> 00:33:58,749 connections, or tunnel is maybe a 1022 00:33:58,750 --> 00:34:00,819 better word, because otherwise 1023 00:34:00,820 --> 00:34:02,679 we can confuse it with the proxy term 1024 00:34:02,680 --> 00:34:03,999 over there. Then you can tunnel 1025 00:34:04,000 --> 00:34:06,339 connections to a third system 1026 00:34:06,340 --> 00:34:07,599 and do the same thing.
So we can basically, I don't know if I should use the term onion routing, because... But yet you can do something like that. OK, so that's really cool, and of course they also implemented their own network protocol for that. So we called this the RPC network protocol, because really this reminded us of remote procedure calls. WriteFile turned into a remote procedure call in this case. So Gadi said we have to include an IDA Pro screenshot, so here it is. This is IDA Pro; this is the send payload function, that's what we labeled it as. You can either send it encrypted or you can send it unencrypted, the code. Don't you guys think... I know I'm just disturbing you right now, heckling him, but that's part of the fun, it's 11 p.m., 11:30. So don't you guys think that if we just put assembly code up there, or if we took out an IDA Pro screenshot, that looks cooler? No, seriously, hands up, everybody who thinks it looks cooler.
OK, let's do it another way. Everybody put your hand up with me. Everybody put your hand up. Now, everybody who doesn't think it's cool. Go ahead. All right, but let's talk about the cryptography they use. So what they do is, for every session they generate a pseudorandom session key of 256 bits, and they use this for AES encryption. So that's their... But in order to securely transfer that key to the other system they're talking to, they have to use something like, you know, some asymmetric crypto. In this case they use RSA, they use 1024 bit RSA, which means there must be a public key in the binary. And in fact there is a hard coded key in the binary, and that public key changes across campaigns. So by looking at the public key, you can say this is a sample that belongs to this campaign, and this is a sample that belongs to another campaign. All right.
One more thing to note here: we have seen malware before that uses three bit RSA, if that makes any sort of sense. But still, using this small key is kind of weird in a way. I personally don't really see how weird it is, but Tillmann insists, and he just forgot, so I'm reminding him. All right, so let's skip over this rather quickly. So this is the Blowfish hashing that they use to track and keep track of sessions. You can see down there they use this low level Blowfish function to hash an integer, which is, I think, if I remember correctly, the file descriptor number of the socket that the session relates to. OK, next slide. So here's some more assembly. I told you that the code is position independent, but the problem with position independent code is that you cannot really very easily configure it. You cannot easily pass parameters to it.
But they need to have some kind of configuration data, like the RSA key, maybe a command and control server IP address, or... Command and control server sounds so offensive. Maybe you should say a control panel IP address, and then also maybe a campaign ID, something like that. So there are some parameters that are used to configure the dashboard. Dashboard. Dashboard, yeah, operator's interface. So what they do is, the blue box down there is the code, is the entry point that they really want to call, or where they really want to start. But before they do, they need to prepare an environment. They need to push some arguments on the stack, so to speak. Right. So what they do is they start at the gray box up there, jump down to the second red box, then call back up, and then do some more stuff, and then jump down to the blue box. And you can see some assembly code that relates to this chart.
So you can see the jump at the very top, and that takes us down, and that's not on the slide anymore. And then you can see you call back up. And then that second line there, the pop, basically then pops the instruction pointer off the stack into the register, for those of you who are familiar with that. Right. And then you can see these pushes there of the long immediates; these are ASCII strings. So if you would take these and render them as ASCII strings, you would see that the first one is an IP address, the second one is a campaign identifier, and the third one is what we call the R parameter, but we don't know what the purpose is. OK, so once you're able to extract this kind of information, you can collect samples and, you know, mine that data a little bit. And we did that, and we came across these command and control server IP addresses.
Now you can see that at least the first four kind of live in the same, you know, in the same proximity. They live in related network ranges. In fact, each of them belongs to its own very tiny network range, a /27 or /28 or something like that. And these ranges are all operated by a German company. In fact, it's called IBG; I forget what that stands for. But they are a technology company in Munich, and they also offer satellite services. So they're probably operating some satellite or something like that, and they're offering satellite links as a service, so Internet connectivity through satellites, which means when you do geolocation lookups for those IP addresses, you get something like this. Yeah, and an interesting note about the crowd: many of you are not operating your networks, because only a couple of you took up a camera and took a photo of these IP addresses. Interesting. The other crowd.
OK, so we got to give props to a friend of ours called Mark Schloesser. Mark Schloesser runs Internet wide scans for interesting data. For example, he does Internet sweeps for SSL certificates, and that's the reason why we reached out to him. So we figured that one of the IP addresses, or one of the campaigns from the previous slide, used an SSL enabled version of Core Impact. So the command and control connection was SSL protected as well, which means there must be a certificate involved. So we talked to Mark and said, hey, because that IP address was no longer online, can you dig into your database? Can you see if you had the certificate from that IP address? And he found the certificate, and as you can see there, it's a certificate that was issued to Core Security Technologies. This is the issuer, I think, in 2009. It's not valid anymore.
But I mean, of course, you can still use it. Turns out, whenever you use Core Impact, or at least as far as we know, with SSL, you will end up using this certificate here. So by scanning for SSL services that use the certificate, or offer this certificate, you can identify Core Impact usage. So we asked Mark, hey, can you give us any other IP addresses that were hosting this certificate? And he did. And that's how we identified some more of the campaigns. So thank you, Mark, for that. So let's talk a little bit about the campaigns. Do you want to take over again? Sure, you take this load out. OK, so the first thing we did was we took a look at all the lure documents, the Excel spreadsheets that we found, that we collected. OK, as you remember, hopefully, from one of the first slides, there is this metadata in there that gives you the creation date and that gives you the modification date.
And then there is also the handle of the creator and the handle of the last modifier, and that's what you see in this table. Now, the creation date isn't very telling, because you can take a document that was created 10 years ago and then modify it and use it for this campaign. Thank you. So that is the third column, the modification dates, and that's chronologically ordered. As you can see, the first attack we came across occurred on April 23rd. That was the guy. And it was targeting this Israeli target that we talked about. And then on the same day there was another attack against another Israeli target, and so on and so on. So then in July you can see various attacks against European targets, and we will talk more about those in a second.
And the last one was actually from this month. We had to redact some of the operator names, creator names, because they identified the target, the victim. The thing is, we didn't really know whether somebody used this metadata. Right. So we don't really think somebody tried to use metadata to pass through scanners or to pass through the human eye. What we think happened is that some of these documents were created specifically as lures, and some of the others were stolen from the victim, whether it's open source or not, we're not sure. We didn't find them, and their names were on the document. Now, if you want to see one thing that we didn't redact, second from the bottom, the name NOM, it actually is really just as I say. So moving on. I would take that one, too. All right, so the next thing, of course, was the Impact binaries that we came across.
I told you earlier that there is this RSA key in there. There is a campaign identifier. So we did the same thing: we mapped them onto the document modification dates. So these are the dates, the first column, that we found in the documents that drop the respective executables. In the second column we have the IP addresses that you already saw, then we have a campaign identifier, and then we have the RSA key, and you can see there is a clear correlation between RSA key, campaign ID and IP address. So it seems like they keep their infrastructure, meaning command and control servers for the different campaigns, separate. OK, so they use a different key, a different RSA key and a different campaign ID for each campaign that they're running. Intelligence wise, if you go to the previous slide for a second and you look at the operation, you can see the creation date of the actual lures is usually a little bit earlier than the actual attack.
So if you can identify these modifiers and you can detect the lure ahead of time, you can probably prevent the attack altogether, depending on your operational security, and if you have this type of intelligence capability in-house, whether from your own intelligence or something trying to get it into your network or from outside of it. And just to be very clear, we limited ourselves to lure documents that fit into our pattern, or into this modus operandi. We didn't consider any other Core Impact samples we came across because, of course, it's possible to find others, but they are not related to activity by this threat actor here. OK. Um, so we're going to look at some decoy spreadsheets. This one is against an Israeli target.
Well, the first target, as we discussed, was an organization adjacent to the defense and aerospace industries, but it very quickly spread through Europe and through Israel, some academic institutions and some defense agencies across Europe. So this is one of the lures, just looking very real. Colgrove, I don't know how accurate the data is for the organization, but still pretty impressive. And you will not see something impressive like that again; their graphic designer sucks. So, I mean, the data on there, like this table up there, is not really interesting. What's interesting for us from an intelligence perspective is we take a look at this and we try to figure out who the target was, because obviously the decoy has been designed for a specific target. And that's why we are going to show you some of the other spreadsheets here now.
So, for example, this one is listing Israeli holidays or other types of observance days. Nothing very interesting, more than open source for the past several thousand years. But if you want to go to the Bible... well, to be pedantic, some of these are not in the Bible, but still, it's pretty clear. Nothing very, very special, not a very good lure, but it does have information, looks very, I guess, safe. Next up, this is really horrible graphically. I mean, who is the graphic designer? Seriously, would anybody click on Enable after they see this? Would you? So that's another example, which are pretty nice. So we didn't figure out the target of this one, by the way. So this is an attack from May. We don't know who the target was.
So if you're in the audience, got this message and got past the horrible graphic design, please tell us. This is really boring yet again, not very impressive, but maybe they were, you know... if I was them, I would actually play with human beings to try and see what they would click. What other reason have they got to do this? This is from an Israeli target. You can see that it's, again, innocuous information, nothing very special there, but it seems to be internal to the organization. Um, this is a little bit interesting in that it took us a while. We went to town: I went to reverse image search, we searched Google for any logos with triangles and circles. We did everything we possibly could and eventually found it. Does anybody know who this is? Is anybody going to know what they know? What is it? Nobody's going to tell us, anybody, huh?
So if we had time, I would say let's play a really annoying game and try to find it on Google, and whoever wins gets a beer or something, or pizza in our case. But this is actually a Georgian organization that's related to NATO. You can read the Wikipedia page. Again, not very interesting, except for the logo. But there is this military one, you know, this you've always seen; it's one of the more elaborate documents. It's convincing, even has a little bit of graphic design, although I don't know who the designer is, again. And that's probably a stolen document. I find it hard to believe they actually created it. Now, again, we must stress there are some things in there that look like they're from Venice and Vienna, but this is a German language lure. We don't know who the actual target is. Could be anywhere that speaks German, but it is a defense organization.
Um, this is just a list of names: generals, captain, admiral, colonel, major. What is called a major... made up rank. Again, not very impressive, but it was targeting the same organization as the previous one. So it's obvious that... Thank you. It's obvious that they were targeting the military sector, the German speaking military organization. This one is also probably a stolen document. Also German speaking. You can look at the logo, which is kind of nice, but doesn't that look very interesting? Yet another lure. We can start skipping them, unless you really want to see. What's interesting here is that this seems to target embassies. German speaking, so embassies in the German speaking country. I mean, there are not that many, but that... Just to be clear, the attacks, as we saw in the timeline earlier, were not just against Israeli targets and German speaking targets.
There are also ones in Eastern Europe and others all over the place. Another one. And this one is interesting a little bit, because we tried to find out how to decode this thing, and we think they're just messing with us and did this on purpose, because everything repeats. I think they messed this up. Israel used to call this Chinese whenever it wouldn't decode the Hebrew and just say... oh, don't take the microphone. That's Cyrillic. Cyrillic, but it does what Russian looks like if you select the wrong code page, so it could be Cyrillic. But if it is fake and not the code page for Windows for Cyrillic, but in Latin-1, it looks like this, but it still doesn't... I don't know, maybe you need to try this, but it still has an accent that is repeating over the whole spreadsheet. But if you take... we have Russian enabled on my laptop and I didn't see it, but we'll try anyway.
1530 00:51:25,380 --> 00:51:27,569 Well, but if you take the title 1531 00:51:27,570 --> 00:51:29,579 column and you search for that on the 1532 00:51:29,580 --> 00:51:31,229 Internet, you will find that this is a 1533 00:51:31,230 --> 00:51:33,569 table of missile 1534 00:51:33,570 --> 00:51:35,639 launch events 1535 00:51:35,640 --> 00:51:36,719 that is on Wikipedia. 1536 00:51:36,720 --> 00:51:38,789 So they probably tried to use 1537 00:51:38,790 --> 00:51:40,409 that as a lure or a decoy. 1538 00:51:43,000 --> 00:51:44,319 This last one is personally not very 1539 00:51:44,320 --> 00:51:45,339 interesting to me, do you have anything 1540 00:51:45,340 --> 00:51:47,559 to say about that? No, but it did 1541 00:51:47,560 --> 00:51:49,479 say, if you want all the information, NSA 1542 00:51:49,480 --> 00:51:51,819 started putting in instructions. 1543 00:51:51,820 --> 00:51:53,259 They didn't just want people to click 1544 00:51:53,260 --> 00:51:54,519 "enable" anymore. 1545 00:51:54,520 --> 00:51:55,989 If you like... If you want to see more, 1546 00:51:55,990 --> 00:51:57,129 please click, click "enable". 1547 00:51:57,130 --> 00:51:58,389 And they actually misspelled "view", 1548 00:51:58,390 --> 00:51:59,390 which is kind of nice. 1549 00:52:01,550 --> 00:52:03,230 I guess their conversion rates were low. 1550 00:52:05,710 --> 00:52:07,209 This one is interesting for several 1551 00:52:07,210 --> 00:52:09,309 reasons. Number one, again, it's a stolen 1552 00:52:09,310 --> 00:52:11,859 document, it's against an Israeli target. 1553 00:52:11,860 --> 00:52:13,359 But what's more interesting for me is 1554 00:52:13,360 --> 00:52:15,579 that it was sent around the date of 1555 00:52:15,580 --> 00:52:17,529 an actual event happening in Israel.
1556 00:52:17,530 --> 00:52:19,719 So if you send it to academia, 1557 00:52:19,720 --> 00:52:21,759 which was some of the targets, you can 1558 00:52:21,760 --> 00:52:24,209 actually notice that it 1559 00:52:24,210 --> 00:52:25,359 improves your conversion rate. 1560 00:52:25,360 --> 00:52:27,339 If they know of the event, they might 1561 00:52:27,340 --> 00:52:29,439 click on it more. But that's just a 1562 00:52:29,440 --> 00:52:30,999 wild guess about trying to time the 1563 00:52:31,000 --> 00:52:33,099 events in real life to something 1564 00:52:33,100 --> 00:52:34,749 else, which showed a little bit more 1565 00:52:34,750 --> 00:52:36,459 operational sophistication. 1566 00:52:36,460 --> 00:52:38,559 It shows... This is one of the later... 1567 00:52:38,560 --> 00:52:39,579 I believe it's one of the later 1568 00:52:39,580 --> 00:52:40,269 campaigns. 1569 00:52:40,270 --> 00:52:42,399 Yeah. So this is from 1570 00:52:42,400 --> 00:52:43,329 December 1st. 1571 00:52:43,330 --> 00:52:45,849 This is from this month, just now. 1572 00:52:45,850 --> 00:52:48,039 So it shows they are really, really 1573 00:52:48,040 --> 00:52:49,599 interested in the academic sector in 1574 00:52:49,600 --> 00:52:51,519 Israel. And they're trying to... Their 1575 00:52:51,520 --> 00:52:53,409 operational capability is growing, even 1576 00:52:53,410 --> 00:52:56,019 if a little bit, trying to tie in 1577 00:52:56,020 --> 00:52:57,489 to something that will convert people by 1578 00:52:57,490 --> 00:52:58,839 their interests. 1579 00:52:58,840 --> 00:53:00,309 There's another example of that, which is 1580 00:53:00,310 --> 00:53:02,709 the same conference, once again, 1581 00:53:02,710 --> 00:53:05,619 just an agenda. 1582 00:53:05,620 --> 00:53:06,819 And they once again try to give you 1583 00:53:06,820 --> 00:53:08,799 instructions to increase conversion.
1584 00:53:08,800 --> 00:53:09,849 I don't know if it's related to the 1585 00:53:09,850 --> 00:53:11,199 previous one, what their conversion rates 1586 00:53:11,200 --> 00:53:12,999 were. We'll discuss that a little bit 1587 00:53:13,000 --> 00:53:14,000 later. 1588 00:53:14,500 --> 00:53:15,909 But it's interesting nonetheless. 1589 00:53:18,590 --> 00:53:19,590 This is you. 1590 00:53:20,060 --> 00:53:22,159 OK, so just one more 1591 00:53:22,160 --> 00:53:24,499 thing. We 1592 00:53:24,500 --> 00:53:26,209 know there is a very old rule in the 1593 00:53:26,210 --> 00:53:28,849 antivirus world of do not use 1594 00:53:28,850 --> 00:53:31,369 the attacker's name. Nowadays 1595 00:53:31,370 --> 00:53:32,569 you don't really follow it. 1596 00:53:32,570 --> 00:53:33,799 But for me, it was still important. 1597 00:53:33,800 --> 00:53:34,999 We didn't really want to call it what the 1598 00:53:35,000 --> 00:53:36,000 attacker called it. 1599 00:53:37,160 --> 00:53:38,329 So we started thinking of a name. 1600 00:53:38,330 --> 00:53:39,529 And I just said, let's call it name 1601 00:53:39,530 --> 00:53:41,029 credential stealer. 1602 00:53:41,030 --> 00:53:42,030 And we went with that. 1603 00:53:43,140 --> 00:53:45,209 All right, so I think we need 1604 00:53:45,210 --> 00:53:46,289 to hurry up a little bit because we're 1605 00:53:46,290 --> 00:53:47,819 running out of time, so you need to come 1606 00:53:47,820 --> 00:53:49,079 here for a while. 1607 00:53:49,080 --> 00:53:51,389 So this threat, this group 1608 00:53:51,390 --> 00:53:53,459 here, doesn't only use Core Impact. 1609 00:53:53,460 --> 00:53:56,489 They also have their own custom tools. 1610 00:53:56,490 --> 00:53:57,599 And this is one of them. 1611 00:53:57,600 --> 00:53:59,939 And this has one purpose and one purpose 1612 00:53:59,940 --> 00:54:02,009 only, and that is stealing 1613 00:54:02,010 --> 00:54:04,139 credentials.
And instead of showing 1614 00:54:04,140 --> 00:54:06,239 you more white 1615 00:54:06,240 --> 00:54:08,219 background slides with black text on them, 1616 00:54:08,220 --> 00:54:10,229 we said, let's show you some code, 1617 00:54:10,230 --> 00:54:12,959 because this thing here is written 1618 00:54:12,960 --> 00:54:15,089 in that language, which means you 1619 00:54:15,090 --> 00:54:17,369 can decompile it back 1620 00:54:17,370 --> 00:54:19,649 into some form of the original source 1621 00:54:19,650 --> 00:54:21,629 code. You can recover some form of the 1622 00:54:21,630 --> 00:54:22,559 original source code. 1623 00:54:22,560 --> 00:54:23,639 And of course, that's what we did. 1624 00:54:23,640 --> 00:54:25,619 And then you can read source code instead 1625 00:54:25,620 --> 00:54:27,869 of machine code, assembly 1626 00:54:27,870 --> 00:54:28,469 code. 1627 00:54:28,470 --> 00:54:31,469 So we'll 1628 00:54:31,470 --> 00:54:33,689 skip over this really quickly. 1629 00:54:33,690 --> 00:54:35,609 So there's some stuff happening here that 1630 00:54:35,610 --> 00:54:36,629 we're not going to talk about. 1631 00:54:36,630 --> 00:54:38,879 But then here you can see, 1632 00:54:38,880 --> 00:54:40,289 first of all, there is this e-mail 1633 00:54:40,290 --> 00:54:41,579 address here. Right? 1634 00:54:41,580 --> 00:54:43,290 And we already know that handle. 1635 00:54:45,090 --> 00:54:47,399 Right. So this was not only 1636 00:54:47,400 --> 00:54:49,469 dropped by a lure document 1637 00:54:49,470 --> 00:54:51,929 that followed the same 1638 00:54:51,930 --> 00:54:54,149 concept, it also contained that handle 1639 00:54:54,150 --> 00:54:55,679 up there. So it's pretty obvious that 1640 00:54:55,680 --> 00:54:58,259 this is related to the same threat. 1641 00:54:58,260 --> 00:55:00,929 What this does is it takes a look at the 1642 00:55:00,930 --> 00:55:03,059 Firefox profile directory and then 1643 00:55:03,060 --> 00:55:04,199 steals these two files.
1644 00:55:04,200 --> 00:55:06,809 The signons.sqlite and key3.db, 1645 00:55:06,810 --> 00:55:08,279 these are the files where different 1646 00:55:08,280 --> 00:55:10,559 Firefox versions store 1647 00:55:10,560 --> 00:55:12,239 browser credentials, usernames, 1648 00:55:12,240 --> 00:55:13,319 passwords. Right. 1649 00:55:13,320 --> 00:55:15,089 And if you use your browser to log into 1650 00:55:15,090 --> 00:55:17,909 your Gmail or whatever 1651 00:55:17,910 --> 00:55:20,249 web mail 1652 00:55:20,250 --> 00:55:22,349 portal, then you... 1653 00:55:22,350 --> 00:55:23,249 You know, not you. 1654 00:55:23,250 --> 00:55:25,349 But some people store their credentials 1655 00:55:25,350 --> 00:55:26,429 in those files. 1656 00:55:26,430 --> 00:55:28,109 And by stealing those, you get access to 1657 00:55:28,110 --> 00:55:29,489 these things. And then you can use that 1658 00:55:29,490 --> 00:55:31,499 data, for example, to design another 1659 00:55:31,500 --> 00:55:33,119 spear-phishing campaign. 1660 00:55:33,120 --> 00:55:35,879 And then it sends that off to this exact, 1661 00:55:35,880 --> 00:55:37,139 this very address here, 1662 00:55:38,940 --> 00:55:40,019 which is a Gmail address. 1663 00:55:40,020 --> 00:55:41,349 And that's why it's talking to 1664 00:55:41,350 --> 00:55:42,359 smtp.gmail.com. 1665 00:55:42,360 --> 00:55:43,469 And it even has... 1666 00:55:46,590 --> 00:55:48,599 Yeah. And we call it credential, which is... 1667 00:55:48,600 --> 00:55:50,579 We have to take those out. 1668 00:55:50,580 --> 00:55:51,749 So moving on quickly. 1669 00:55:53,250 --> 00:55:54,599 Moving on quickly. 1670 00:55:54,600 --> 00:55:55,799 We have conclusions.
1671 00:55:55,800 --> 00:55:58,109 So this is likely... Again, we 1672 00:55:58,110 --> 00:55:59,819 are not going to commit to the 20 percent 1673 00:55:59,820 --> 00:56:01,889 because we believe attribution is never 1674 00:56:01,890 --> 00:56:03,959 100 percent until somebody comes out and 1675 00:56:03,960 --> 00:56:05,009 says we did it. 1676 00:56:05,010 --> 00:56:06,929 But this is very likely a nation state. 1677 00:56:06,930 --> 00:56:08,279 We have other reasons to believe this as 1678 00:56:08,280 --> 00:56:09,599 well, which we can't disclose at this 1679 00:56:09,600 --> 00:56:10,679 stage. 1680 00:56:10,680 --> 00:56:11,969 They have limited operational and 1681 00:56:11,970 --> 00:56:13,499 technical capabilities, although they're 1682 00:56:13,500 --> 00:56:14,500 getting better. 1683 00:56:15,480 --> 00:56:17,969 We have seen a sophisticated 1684 00:56:17,970 --> 00:56:19,349 remote access tool. We want to say even 1685 00:56:19,350 --> 00:56:20,969 very advanced. But you can't really 1686 00:56:20,970 --> 00:56:22,139 compare these things. Some things are 1687 00:56:22,140 --> 00:56:24,159 very advanced in one thing, others in 1688 00:56:24,160 --> 00:56:25,160 another. 1689 00:56:26,820 --> 00:56:28,889 The implant itself is a legitimate 1690 00:56:28,890 --> 00:56:30,299 production tool. It's off the shelf, 1691 00:56:30,300 --> 00:56:33,239 though, it's advanced and it's misused. 1692 00:56:33,240 --> 00:56:35,219 And the big thing is everybody can now 1693 00:56:35,220 --> 00:56:38,039 use this. They know that it is out there. 1694 00:56:38,040 --> 00:56:39,209 They should have known before.
1695 00:56:39,210 --> 00:56:41,009 But honestly, this is, instead of just 1696 00:56:41,010 --> 00:56:43,499 being yet 1697 00:56:43,500 --> 00:56:45,719 another crime, we think now it's 1698 00:56:45,720 --> 00:56:47,999 a nation state level tool 1699 00:56:48,000 --> 00:56:50,399 that has been used once actively, 1700 00:56:50,400 --> 00:56:52,199 more than once, in many, many campaigns. 1701 00:56:52,200 --> 00:56:53,579 And other people can now have this 1702 00:56:53,580 --> 00:56:55,709 capability for a certain amount of money or by 1703 00:56:55,710 --> 00:56:56,789 stealing it. 1704 00:56:56,790 --> 00:56:58,499 Although Core does their best to 1705 00:56:58,500 --> 00:56:59,500 keep this safe. 1706 00:57:00,330 --> 00:57:03,209 We want to give some quick props. 1707 00:57:03,210 --> 00:57:04,469 We stand on the shoulders of giants. 1708 00:57:04,470 --> 00:57:05,759 There's been some research on one of 1709 00:57:05,760 --> 00:57:07,889 these campaigns, it was called Gholee 1710 00:57:07,890 --> 00:57:09,809 by ClearSky. 1711 00:57:09,810 --> 00:57:11,399 And there are some others who worked on this. 1712 00:57:11,400 --> 00:57:12,839 We want to give them anonymous credit 1713 00:57:12,840 --> 00:57:14,070 right now because they deserve it. 1714 00:57:15,700 --> 00:57:17,879 But if you want somebody else's, you 1715 00:57:17,880 --> 00:57:19,469 can also e-mail us or check the report in 1716 00:57:19,470 --> 00:57:20,909 a few days. 1717 00:57:20,910 --> 00:57:22,979 We want to thank the Israeli air strike, 1718 00:57:22,980 --> 00:57:25,109 N.S.A. for all their help, 1719 00:57:25,110 --> 00:57:27,359 our appreciation to search pwned because 1720 00:57:27,360 --> 00:57:28,499 they helped us all in the incident 1721 00:57:28,500 --> 00:57:29,500 response. 1722 00:57:30,050 --> 00:57:32,489 And that's about it. Now, questions. 1723 00:57:32,490 --> 00:57:33,779 We know what the first question is going 1724 00:57:33,780 --> 00:57:35,339 to be.
Don't... A lot of... Just skip that 1725 00:57:35,340 --> 00:57:36,340 one. 1726 00:57:36,720 --> 00:57:38,009 Did you mention the report? 1727 00:57:38,010 --> 00:57:39,659 What, did you mention the report? 1728 00:57:39,660 --> 00:57:40,649 Yes, we're going to release it in a few 1729 00:57:40,650 --> 00:57:41,369 days. 1730 00:57:41,370 --> 00:57:43,559 So there is a technical... So we 1731 00:57:43,560 --> 00:57:45,719 have way more information than 1732 00:57:45,720 --> 00:57:47,369 we're able to touch on during this 1733 00:57:47,370 --> 00:57:49,679 presentation. We have a technical report, 1734 00:57:49,680 --> 00:57:52,139 a very technical report, I should say, 1735 00:57:52,140 --> 00:57:54,239 50 pages, something that 1736 00:57:54,240 --> 00:57:56,309 we are going to release to the 1737 00:57:56,310 --> 00:57:56,669 public. 1738 00:57:56,670 --> 00:57:59,099 And just very soon now. 1739 00:57:59,100 --> 00:58:00,479 I'm going to skip the first question. 1740 00:58:00,480 --> 00:58:02,249 We want this to be theatrical. 1741 00:58:02,250 --> 00:58:04,709 We don't know who the nation state, what 1742 00:58:04,710 --> 00:58:06,569 the nation state is or whatever. 1743 00:58:06,570 --> 00:58:08,699 And one does not simply, you like the 1744 00:58:08,700 --> 00:58:10,949 text, right after the text, based 1745 00:58:10,950 --> 00:58:11,950 on this alone. 1746 00:58:13,170 --> 00:58:14,170 That said, 1747 00:58:15,750 --> 00:58:17,039 we don't know who's behind this. 1748 00:58:17,040 --> 00:58:18,779 Right. We don't know who it is, right. 1749 00:58:18,780 --> 00:58:19,709 We can't really tell you. 1750 00:58:19,710 --> 00:58:20,710 Come on, come here. 1751 00:58:21,900 --> 00:58:22,900 So you folks take a picture. 1752 00:58:31,710 --> 00:58:34,049 So we probably have time for one more 1753 00:58:34,050 --> 00:58:35,879 question. Does anybody have questions at 1754 00:58:35,880 --> 00:58:36,880 this stage?
1755 00:58:37,740 --> 00:58:39,899 First of all, thank you, Gadi, 1756 00:58:39,900 --> 00:58:41,639 plenty 22 W.. 1757 00:58:41,640 --> 00:58:42,989 We do have one question from the 1758 00:58:42,990 --> 00:58:44,729 Internet. And for those in the room, 1759 00:58:44,730 --> 00:58:46,049 please line up in front of the microphones 1760 00:58:46,050 --> 00:58:48,029 if you do have questions. 1761 00:58:48,030 --> 00:58:50,489 So, did you log into the Gmail account? 1762 00:58:50,490 --> 00:58:52,859 No, we did not. We think 1763 00:58:54,690 --> 00:58:56,789 that we probably could get some 1764 00:58:56,790 --> 00:58:58,109 victim data from there about their 1765 00:58:58,110 --> 00:58:59,699 success, but we decided not to break the 1766 00:58:59,700 --> 00:59:00,700 law. 1767 00:59:01,020 --> 00:59:02,099 Somebody else is going to do that. 1768 00:59:02,100 --> 00:59:03,319 They can break the law because they are the 1769 00:59:03,320 --> 00:59:04,209 law. 1770 00:59:04,210 --> 00:59:06,299 I am the law. OK, any other questions? 1771 00:59:06,300 --> 00:59:07,800 Anybody left? Microphone two? 1772 00:59:09,210 --> 00:59:11,219 I think it's a smart move that you can 1773 00:59:11,220 --> 00:59:13,349 see spammers do, 1774 00:59:13,350 --> 00:59:15,329 to focus on really dumb people, and they 1775 00:59:15,330 --> 00:59:16,649 try to scam you. 1776 00:59:16,650 --> 00:59:18,449 They make it really obvious that it's a 1777 00:59:18,450 --> 00:59:20,609 scam so that the people who do fall for 1778 00:59:20,610 --> 00:59:22,679 it are really dumb and it's 1779 00:59:22,680 --> 00:59:24,569 not going to be noticed for a while. 1780 00:59:24,570 --> 00:59:26,579 So maybe we'll see some pickup of that 1781 00:59:26,580 --> 00:59:28,619 tactic in the APT world. 1782 00:59:28,620 --> 00:59:30,809 Now, the idea is that this is now, 1783 00:59:30,810 --> 00:59:32,189 even though it was widely used in the 1784 00:59:32,190 --> 00:59:33,089 90s, it's new.
1785 00:59:33,090 --> 00:59:34,289 We have only been seeing it, 1786 00:59:34,290 --> 00:59:35,279 Tillmann can speak of this more, in the 1787 00:59:35,280 --> 00:59:37,799 past year, but right now it's putting 1788 00:59:37,800 --> 00:59:39,869 filters and it's getting work done. 1789 00:59:41,100 --> 00:59:43,139 Yeah, I didn't get the question, by the 1790 00:59:43,140 --> 00:59:45,089 way, how you're going to see that. 1791 00:59:45,090 --> 00:59:47,489 So, yeah, no, we actually 1792 00:59:47,490 --> 00:59:49,229 talked to all the victims that we could 1793 00:59:49,230 --> 00:59:51,119 identify and some of them have been aware 1794 00:59:51,120 --> 00:59:51,989 of this activity. 1795 00:59:51,990 --> 00:59:52,990 Fortunately, 1796 00:59:54,360 --> 00:59:55,169 not all. 1797 00:59:55,170 --> 00:59:57,269 Any other questions, please? For number 1798 00:59:57,270 --> 00:59:58,710 three, I think you were up first. 1799 00:59:59,960 --> 01:00:02,429 Hi. I was wondering who controls 1800 01:00:02,430 --> 01:00:04,379 the U.S. servers? 1801 01:00:04,380 --> 01:00:06,649 Is it Core Impact or is it the... 1802 01:00:06,650 --> 01:00:08,189 No, not Core Impact. It's very important to 1803 01:00:08,190 --> 01:00:10,499 say, again, Core Impact is not related 1804 01:00:10,500 --> 01:00:11,879 to this. They're good guys. 1805 01:00:11,880 --> 01:00:13,409 The attackers are controlling. 1806 01:00:13,410 --> 01:00:15,629 But I mean, there 1807 01:00:15,630 --> 01:00:18,029 is probably the 1808 01:00:18,030 --> 01:00:20,129 controller component of Impact 1809 01:00:20,130 --> 01:00:22,499 running somewhere. 1810 01:00:22,500 --> 01:00:24,599 I think, we think that these IP 1811 01:00:24,600 --> 01:00:25,949 addresses that we showed, they're 1812 01:00:25,950 --> 01:00:27,899 probably just acting as proxies, as 1813 01:00:27,900 --> 01:00:30,119 network proxies, and relay traffic to 1814 01:00:30,120 --> 01:00:31,679 the real back end.
But the real back end is 1815 01:00:31,680 --> 01:00:33,989 probably running the Impact console 1816 01:00:33,990 --> 01:00:35,729 and we can't really say where it is at this 1817 01:00:35,730 --> 01:00:36,749 stage. 1818 01:00:36,750 --> 01:00:39,069 And the reason I'm asking is because the 1819 01:00:39,070 --> 01:00:40,649 certificates were signed by Core 1820 01:00:40,650 --> 01:00:41,909 Security. Right. 1821 01:00:41,910 --> 01:00:43,739 That's difficult for the actual size of 1822 01:00:43,740 --> 01:00:46,199 the same security. Is it the same certificate 1823 01:00:46,200 --> 01:00:48,599 for any inefficiency 1824 01:00:48,600 --> 01:00:51,569 or do they sign each one specifically? 1825 01:00:51,570 --> 01:00:53,789 So we only saw an 1826 01:00:53,790 --> 01:00:56,039 SSL enabled version in one case, 1827 01:00:56,040 --> 01:00:58,169 all the others didn't use 1828 01:00:58,170 --> 01:00:59,170 encryption. 1829 01:01:01,380 --> 01:01:01,889 All right. 1830 01:01:01,890 --> 01:01:03,089 Thank you very much. 1831 01:01:03,090 --> 01:01:04,619 This guy is really important to your 1832 01:01:04,620 --> 01:01:06,059 question. Yes, I understand. 1833 01:01:06,060 --> 01:01:08,219 But we are out of time 1834 01:01:08,220 --> 01:01:10,319 and that talk will actually start in 1835 01:01:10,320 --> 01:01:11,619 some thirty seconds. 1836 01:01:11,620 --> 01:01:12,989 Thanks a lot. 1837 01:01:12,990 --> 01:01:14,339 If you're kind enough, please handle this 1838 01:01:14,340 --> 01:01:16,049 question. I'll start and give them, uh, 1839 01:01:16,050 --> 01:01:17,849 give them some applause. 1840 01:01:17,850 --> 01:01:18,850 Thank you.