Personal notes and comments of the last day of Virus Bulletin. This conference is a treasure + I like the fact that if I miss something during the talk, I can read the paper and understand.
- The att&ck DarkHotel playbook [..]
- Keeping up with the Emotets [..]
- Modern threat hunting (VT)
- Unmasking WindTape
- Best Paper: my personal selection
THE ATT&CK DARKHOTEL PLAYBOOK: HUNT AND BREACH & ATTACK SIMULATION Shengbin Bao
- DarkHotel targets hotel internet and travelling executives, mostly in Asia. Victims typically get infected through phishing emails with messages related to hotels, tourism and travel. In other cases, it was found trojanizing a semiconductor SDK.
- The email attachment is a VBA macro containing a PowerShell script. I’m not exactly sure how this script runs the spyware DLL. The spyware exfiltrates documents and images. It also searches for such files in the Trash and on USB drives.
- The malware affects Windows. It won’t affect Mac or Linux users. Additionally, people running Windows in VirtualBox are probably safe as the malware exits when it is running in a sandbox. I always find this funny.
- TTP stands for “Tactics, Techniques and Procedures”. I hate acronyms 😡
KEEPING UP WITH THE EMOTETS: CONFIGURATION EXTRACTION AND ANALYSIS Jason Zhang, Oleg Boyarchuk & Stefano Ortolani
- Emotet was taken down in 2021, but the threat actors managed to re-spawn new botnets. In 2022, there are new “epochs”, an epoch being a different set of encryption keys and hosts.
- Emotet allocates a large buffer (100 MB) to bypass weak emulators, which refuse to allocate such an amount of memory. I had never heard of this anti-emulator method before.
- To dump the decrypted DLL, the authors use a debugger, put a breakpoint on VirtualAlloc, and step through until the allocated buffer is filled with a valid PE file. I wonder how they’d do it statically.
- Many Windows APIs are wrapped, with the wrapper calling FindProcAddress and supplying the correct function hash. The authors put a breakpoint on FindProcAddress to find all wrappers, and rename them depending on their function hash. By looking into the allocation wrappers, they identify the config decryption algorithm.
- I don’t know Qiling (emulator) nor JARM (TLS server fingerprinting): need to have a look 😃
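The two debugger-driven steps above (waiting until the buffer returned by VirtualAlloc holds a valid PE, then labelling the wrappers by the hash constant they pass to the resolver) are the parts one would script rather than eyeball. The Python below is an added example of mine, not code from the paper or from Emotet: the PE-header check is generic, but the hash function, the XOR key and the export list are constructed placeholders. The real Emotet hash routine has to be lifted from the sample’s resolver before such a table is meaningful.

```python
import struct

# --- Step 1: recognise the moment a dumped buffer holds a complete PE image ---
IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "amd64"}


def find_pe(buf: bytes):
    """Return the offset of the first well-formed PE header in buf, else None.

    Checks: 'MZ' stub, sane e_lfanew, 'PE\\0\\0' signature, known machine,
    a plausible section count and a non-empty optional header. A buffer that
    is still being filled (header cut short) is rejected, so a memory dump
    taken too early reads as "not yet".
    """
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            pe = off + e_lfanew
            if (0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(buf)
                    and buf[pe:pe + 4] == b"PE\0\0"):
                machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
                opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
                if machine in IMAGE_FILE_MACHINE and 0 < nsections <= 96 and opt_size:
                    return off
        off = buf.find(b"MZ", off + 1)
    return None


def build_fake_pe(machine: int = 0x8664, nsections: int = 3) -> bytes:
    """Constructed minimal PE header (not a real sample): MZ stub + COFF header."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> COFF header at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + coff


# --- Step 2: label API wrappers from the hash constant they hand the resolver ---
# ASSUMED illustrative hash (ROR-13 accumulate, XORed with a per-sample key).
# It stands in for whatever the sample really uses; swap in the lifted routine.
def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def api_hash(name: str, key: int = 0) -> int:
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h ^ key


def resolve_hashes(hashes, export_names, key: int = 0) -> dict:
    """Map each hash seen in a wrapper back to an export name (or mark it unknown)."""
    table = {api_hash(n, key): n for n in export_names}
    return {h: table.get(h, "unknown_%08x" % h) for h in hashes}


if __name__ == "__main__":
    # Constructed stand-ins: a partially filled buffer, then a complete one.
    print(find_pe(build_fake_pe()[:100]))          # None: header not complete yet
    print(find_pe(b"\0" * 16 + build_fake_pe()))   # 16: PE image starts here

    # Constructed export list, key and wrapper constants (not from a sample).
    exports = ["VirtualAlloc", "VirtualProtect", "CreateFileW", "GetProcAddress"]
    key = 0x2A9E1F04
    seen = [api_hash("VirtualAlloc", key), api_hash("CreateFileW", key), 0xDEADBEEF]
    for h, name in resolve_hashes(seen, exports, key).items():
        print("wrapper_%08x -> %s" % (h, name))
```

In a real session, find_pe runs over the region returned by VirtualAlloc on each step, and the output of resolve_hashes feeds the debugger or disassembler renaming script; an unknown_... entry usually means the export list or the hash routine is wrong, not that the sample calls something exotic.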
- Interesting: the new epochs use Elliptic Curve crypto algorithms to secure the network traffic key.
MODERN THREAT HUNTING Fernando Diaz Urbano
- This wasn’t a talk but a workshop on using VirusTotal’s threat hunting.
- Useful documentation: https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt
- To search on VT metadata, import “vt” in YARA rules. For example, vt.behaviour.http_conversations. To search on activity names, use androguard: tags. To restrict results to APKs, use tag:apk.
- I was able to write a quick Android/BianLian YARA rule during the session:
import "vt"

rule bianlian_botnet
{
  condition:
    for any u in vt.behaviour.http_conversations : (
      u.url contains "/api/v1/device/server-log"
    ) and vt.metadata.file_type == vt.FileType.ANDROID
}
UNMASKING WINDTAPE Patrick Wardle
- This is about the macOS WindTape malware.
- To retrieve signing information on Mac, use codesign. To reconstruct classes, use class-dump. ProcessMonitor is useful to observe given processes. LuLu is an open source firewall to check network connections, in particular data being exfiltrated through curl.
- Oh? scp is for screen capture in Mac apps? Thought that would be SSH file copy…
- CCCrypt is a wrapper to encrypt/decrypt data using various algorithms (DES, AES, RC4…).
- The talk and the paper are a good tutorial to reverse engineering malware on macOS.
Best paper IMHO
I said I would be nominating a Best Paper. As it’s only my personal opinion, this nomination is totally subjective and only for glory. It is not endorsed by my employer nor by Virus Bulletin; it is personal. I exclude my own paper from the list 😆. I nominate:
KEEPING UP WITH THE EMOTETS: CONFIGURATION EXTRACTION AND ANALYSIS Jason Zhang, Oleg Boyarchuk & Stefano Ortolani
Congratulations to the authors! Note it was a Reserve paper. I liked it very much, and in my opinion, it was better than several other Full papers. Reviewing is a difficult art!
— Cryptax