Conference:  Defcon 31

Authors: Andrew Brandt Principal Researcher, Sophos X-Ops

2023-08-01

One common thread runs through a recent wave of (initially, successful) targeted malware attacks I've investigated: The attackers communicated with their targets, personally, using social engineering in real-time, in order to lay the groundwork for the rest of the attack to succeed. Throughout the course of several post-breach investigations, it became apparent that -- for a certain kind of target and a particular class of attacker -- engaging the victim in direct conversation was far more effective at assuring the target infected their computer than crafting a believable-looking "malspam" email that would "fool" the target into clicking a link or opening a file. The attackers did not need to be charismatic for the technique to succeed. In fact, so long as the attacker "got into character" and treated the interaction as a normal, everyday event (from their perspective), the targets went along for the ride, and in many cases, self-infected with malware that was capable of snooping through their most sensitive files. In this session, we'll discuss both the social engineering and technical aspects of the attacks, and why this combination of tactics is particularly dangerous and hard to defend against.

Conference:  Defcon 31

Authors: Laurie Kirk Security Researcher at Microsoft

2023-08-01

Android malware creators constantly struggle to devise innovative methods to obscure apps and impede reverse engineering. As numerous standard techniques have lost efficacy, I'll unveil the next frontier in Android obfuscation: runtime manipulation. Runtime manipulation alters standard application flow-of-control to bypass decompilers and emulators. In this talk, I'll reveal my strategy for pinpointing manipulation targets in Android's source code. I will describe how I craft manipulators in native C++ once a suitable target has been located. This is accomplished by hooking Java methods via the Java Native Interface (JNI) and typecasting the handle to a C-style pointer. Runtime manipulation can entirely remove traces of ClassLoader calls which are unavoidable for standard Dalvik Executable (DEX) packing, but are also easily discovered and hooked. This technique also effectively breaks cross-reference calculations within all Android decompilers. I will demonstrate and equip attendees with a custom Android library for devices running Android 13, providing a new tool that enables runtime manipulation experimentation. In addition, I'll demonstrate my methodology for pinpointing Java targets and modifying their underlying native data structures.

Conference:  Defcon 31

Authors: Nick Saunders Chief Cybersecurity and Data Officer, Viasat Government, he/him/his, Mark Colaluca Vice President and Chief Information Security Officer (CISO), Viasat, he/him/his

2023-08-01

In February 2022, the Viasat owned KA-SAT network experienced a significant cyberattack that resulted in a partial outage of services for thousands of users in Ukraine and tens of thousands of users in other parts of Europe. This presentation will provide detailed background on the attack, which involved the deployment of malware against terminals on the network, as well as several distinct network-based attacks that appeared focused on further denying connectivity to KA-SAT users. These network-based attacks needed to be characterized and responded to by Viasat’s operational teams in real-time, and the attacks continued with intensity for many weeks after the original malware incident. Viasat will share the story of how it responded and performed a rapid forensic on several impacted terminals to determine within 36 hours that the terminal flash memory had been overwritten with a distinctive pattern in the attack. This presentation will explain details around the forensic analysis as well as the process of reverse engineering the malicious toolkit to verify it would produce the observed flash memory effects. Viasat will also share technical details of over-the-air network attacks that were used to attack the KA-SAT network.

Conference:  Defcon 31

Authors: Patrick Wardle Objective-See Foundation

2023-08-01

As the majority of malware contains networking capabilities, it is well understood that detecting unauthorized network access is a powerful detection heuristic. However, while the concepts of network traffic analysis and monitoring to detect malicious code are well established and widely implemented on platforms such as Windows, there remains a dearth of such capabilities on macOS. This talk aims to remedy this situation by delving deeply into a myriad of programmatic approaches capable of enumerating network state, statistics, and traffic, directly on a macOS host. We will showcase open-source implementations of relatively overlooked low-level APIs, private frameworks, and user-mode extensions that provide insight into all networking activity. And, by leveraging these techniques, you will learn how to efficiently and generically detect both known and unknown threats targeting macOS!

Conference:  Black Hat Asia 2023

Authors: Gerardo Fernandez Navarrete

2023-05-11

The attackers actively use techniques to disguise malware files as legitimate, including reliable distribution channels, stolen certificates, hiding malicious files in legitimate applications, or using system tools to deploy malicious activity. At VirusTotal, we have explored the evolution of these and other techniques. In fact, it was surprising to realize that more than one million signed files were sent in the past 12 months to our service, dozens of legitimate domains belonging to the Alexa Top 1k ranking were used to distribute malware, and there is a growing trend of mimicking legitimate applications when building malware, with Skype, Acrobat Reader, and VLC being the top 3. During this talk, we will analyze the evolution of these types of techniques, showing some examples of how they are being implemented and providing tools for monitoring them.

Conference:  Global AppSec San Francisco 2022

Authors: Andrew Krug, Ellen Wang

2022-11-18

Software packages are a juicy target for attackers to compromise. They allow malicious actors to access machines and production environments to steal sensitive data, or perform cryptojacking. In the last few months alone, multiple malicious Python packages have been reported to steal credentials from their victims and were subsequently removed. In the worst case, these packages are an attractive target for advanced threat actors to gain access to victims to steal intellectual property or carry out nation state objectives, as seen in CodeCov and SUNBURST.What makes a “bad” package? How can we identify software packages that look malicious? In this talk, we start by showcasing some real-world malicious Pypi packages and the techniques they use to spread and execute code in victims’ environments. We then discuss how we use Semgrep, a static analysis tool designed for vulnerability detection, to scan the source code of Pypi packages and identify suspicious patterns characteristic of malware. Finally, we demonstrate the concept by dissecting malicious Pypi packages we found in the wild.Introduction- Explanation of SLSA threat model with focus on dependency- Short history of malicious Pypi packages - Why it’s a real problem, mention that most existing tools look for previously detected malware and cannot identify never-before-seen malicious software- Problem statement: How to identify malicious packages at scale?Techniques used by Pypi malware (with illustration with real-world examples)- Quick explanation of data analyzed to find techniques: 30-40 PyPI packages removed from PyPI- Explanation of most common patterns found in malware:- Initial access: typosquatting, compromising the maintainer account, compromising the maintainer email domain- Execution: Using a setup script, hooking a function, evaluating dynamic code- Exfiltration: Using url shorteners, stealing environment variables, using an unusual domain extension- Goal: cryptomining, stealing credentialsWriting Semgrep rules to catch malicious Pypi packages:- Quick intro to Semgrep (30s)- Semgrep taint analysis mode- Explanation of detection heuristics created:- Execution of base64-encoded strings- Exfiltration over HTTP of sensitive information- Download and execution of an executable file- Executing commands in setup.py- Putting it all together in a CLI- Results overview: real-world malicious packages we caught and false positive rateConclusion- Brief summary- Future work: Running it at scale and continuously in AWS Lambda

Conference:  Global AppSec San Francisco 2022

Authors: Michael Bargury

2022-11-17

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or Office cloud, executed successfully and reports back to the cloud. You can probably already see where this is going.In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services.We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by-default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue.Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.

Conference:  SupplyChainSecurityCon 2022

Authors: Daniel Elkabes

2022-06-22

Malicious packages are a growing threat to organizations and communities, costing billions of dollars in damages. Attackers use various techniques to exfiltrate private information and evade detection. The community is exploring solutions such as Salsa and S-BOM to reduce the risk, but categorizing malicious packages is still a challenge.

• Malicious packages are a significant threat, costing billions of dollars in damages
• Attackers use various techniques such as dependency hijacking, typo squatting, and brain jacking to exfiltrate private information and evade detection
• Solutions such as Salsa and S-BOM are being explored to reduce the risk of malicious packages
• Categorizing malicious packages is a challenge for the community

Conference:  SupplyChainSecurityCon 2022

Authors: Brian Fox

2022-06-21

The presentation discusses the evolving threat landscape in software supply chains and the need for developer-first security tools.

• Organized attackers are exploiting vulnerabilities in open source ecosystems by making their malware appear legitimate.
• Security and development teams need to understand the cascading impacts and changing landscapes of these exploitations.
• The supply chains of open source ecosystems are everywhere in the software development process.
• The attacks are focused on the developers and the development infrastructure itself.
• The development infrastructure can be a significant way into the rest of the organization.
• The presentation emphasizes the need for developer-first security tools to address the evolving threat landscape.