Virus Bulletin Conference 2022 — Day 3

THE ATT&CK DARKHOTEL PLAYBOOK: HUNT AND BREACH & ATTACK SIMULATION Shengbin Bao

  • DarkHotel targets hotel internet and travelling executives mostly in Asia. Victims typically get infected through phishing emails with messages related to hotel, tourism & travel. In other cases, it was found trojaning a semi-conductor SDK.
  • The email attachment is a VBA macro containing a PowerShell script. I’m not exactly sure how this script runs the spyware dll. The spyware exfiltrates documents & images. It also searches for such files in the Trash and USB.
  • The malware affects Windows. It won’t affect Mac or Linux users. Additionally, people running Windows in VirtualBox are probably safe as the malware exits when it is running in a sandbox. I always find this funny.
  • TTP stands for “Tactics, Techniques and Procedures”. I hate acronyms 😡

KEEPING UP WITH THE EMOTETS: CONFIGURATION EXTRACTION AND ANALYSIS Jason Zhang, Oleg Boyarchuk & Stefano Ortolani

  • Emotet was taken down in 2021, but the threat actors manages to re-spawn new botnets. In 2022, there are new “epochs”, an epoch being a different set of encryption keys and hosts.
  • Emotet allocates a large buffer (100MB) to bypass weak emulators which refuse to allocate such an amount of bytes. Hadn’t ever heard of this anti-emulator method before.
  • To dump the decrypted DLL, the authors use a debugger, put a breakpoint on VirtualAlloc, and step into each line until the buffer is filled with a valid PE file. I wonder how they’d do statically.
  • Many Windows API are wrapped, with the wrapper calling FindProcAddress and supplying the correct function hash. The authors put a breakpoint on FindProcAddress to find all wrappers, and rename them depending on their function hash. By looking into allocation wrappers, they identify the config decryption algorithm.
  • I don’t know Qiling (emulator) nor JARM (TLS server fingerprinting): need to have a look 😃
  • Interesting: the new epochs use Elliptic Curve crypto algorithms to secure the network traffic key.

MODERN THREAT HUNTING Fernando Diaz Urbano

import "vt"rule bianlian_botnet
{
condition:
for any u in vt.behaviour.http_conversations : (
u.url contains "/api/v1/device/server-log"
) and vt.FileType.ANDROID
}

UNMASKING WINDTAPE Patrick Wardle

  • This is about MacOS WindTape malware.
  • To retrieve signing information on Mac, use codesign. To re-construct classes, use class-dump. ProcessMonitor is useful to observe given processes. LuLu is an open source tool to check network connections, in particular exfiltrating data through curl.
  • Oh? scp is for screen capture in Mac apps? Thought that would be SSH file copy…
  • CCCrypt is a wrapper to encrypt/decrypt data using various algorithms (DES, AES, RC4…)
  • The talk and the paper are a good tutorial to reverse engineering malware on MacOS.

Best paper IMHO

I said I would be nominating a Best Paper. As it’s only my personal opinion, this nomination is totally subjective and only for glory. It is not endorsed by my employer nor Virus Bulletin, but personal. I exclude my own paper from the list 😆. I nominate:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
@cryptax

@cryptax

162 Followers

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.