Cisco Blogs

Black Hat Asia 2019: Watch Out for the Secondary Payload


April 15, 2019

Black Hat returned to Singapore in 2019 for Black Hat Asia, with four days of Trainings and Briefings plus the Business Hall. Cisco Security is proud to be a Technology Partner of Black Hat in the Network Operations Center (NOC) Security Operations. The focus of the NOC is to provide secure and open Internet access to the conference presenters, attendees and sponsors. Many of the trainings, briefings and demonstrations require access to malicious files and domains, so the NOC does not block such traffic. Rather, we focus on the security of the conference assets and on ensuring there are no internal or external attacks that would disrupt the educational and collaborative conference.

Tighter Inter-Vendor Integration

The NOC team continues to work on deeper product integration and workflow, getting better with each conference. Sean Ennis of RSA Security has been working on a NOC integration platform built on the APIs of the security products, including Ruckus wireless access points, NetWitness Packets, NetWitness Orchestrator, Palo Alto Firewall, Cisco Umbrella, Cisco Threat Grid and a honeypot.

In the interface, the SOC team could search for IPs, users, MAC addresses and domains for threat intelligence and start an investigation from the top tool bar. Priority alerts would scroll on the timeline, the classroom map was interactive for security events, and a Cookie Monster ran in the upper right corner. If someone entered the honeypot, the Cookie Monster would turn red and start eating cookies, a fun visual cue.

DashyMcDashboardFace

The NOC team thwarted a ransomware attack on the conference registration computers. We are excited to see where the Black Hat NOC “Dashy McDashFace” evolves for Black Hat USA in August 2019.


Cryptomining Continues

At Black Hat Asia 2018, we saw a major spike in cryptomining, in which one makes money from the processing power of users who visit a website, either with their consent or, on infected websites, by stealing it from unsuspecting visitors. Often the mining software runs as JavaScript while the browser is open. With fluctuating cryptocurrency prices making hosted mining farms unprofitable, using the electricity and resources of others is a way to continue making illicit profits without the scrutiny that ransomware attacks attract. The victims rarely know they have been victimized and can be exploited over and over.

In 2019, we saw much less cryptomining activity; however, there was still activity that warranted investigation and response. For example, in Cisco Umbrella, we noticed cryptomining activity at a domain pinkvilla[.]com.

Cryptomining - Umbrella

We used the glovebox feature of Cisco Threat Grid to investigate the domain and found that it provided news on the Bollywood industry, along with cryptomining scripts.

Cryptomining - Threat Grid


However, it also attempted to exploit Windows machines with a HyperLink buffer overflow exploit.

Cryptomining - Threat Grid Report


We alerted the RSA NetWitness team, who replayed the session and found that an iPhone user had gone to www[.]editpv[.]com.

Net Witness 1

The user was then served content from pinkvilla[.]com. The device was not exploited because the attack targeted Windows.

Net Witness 2


As we began doing at Black Hat Europe, in Singapore we deployed a security-alert captive portal to warn users whose devices showed cryptomining activity.


Unsuspecting Malicious Payload

Cisco Threat Grid is integrated with RSA NetWitness Packets for network forensics and investigation. The RSA team does full packet capture, and its Malware Analysis component sends potentially malicious .exe, .dll, .pdf and .rtf files to Threat Grid for dynamic malware analysis.


Threat Grid Submissions

During the Business Hall, the Cisco Security team observed an executable enter Threat Grid. The threat score returned was 95, which on a scale of 0-100 means confirmed malware.

Ramnit Secondary Payload

Investigation noted that the artifact was known to many antivirus services, but that alone is not enough for a conviction. A machine learning model additionally determined that one or more artifacts were likely malicious. The model is trained on a very large number of samples; the output of training is a decision engine that takes static features of executables as input and returns a verdict of malicious or unknown. In general, no single feature of an artifact will cause it to be judged malicious; rather, the decision engine weighs all of the artifact's features together to reach a verdict.

The Cisco team conducted further research and noted that the executable was a secondary payload for the Ramnit trojan. Ramnit is a worm that spreads to removable drives and steals sensitive information such as saved banking and FTP credentials and browser cookies. Ramnit has evolved into a banking trojan capable of injecting into victims' web browsers to conduct and conceal fraudulent wire transfers.

Correlation to Ramnit

With enough information to know that something wasn't right, the team enabled the Black Hat NOC Captive Portal for malicious activity on the device. Working together, they were able to take action less than seven minutes after the initial "infection"! Researching further, the team noted that the file seen was one of five files used in this Ramnit campaign. They were able to identify one other payload being used but could not find any trace of the remaining three. Digging into the network traffic, they also noted a lack of command and control traffic and some other behaviors indicative of the campaign. The next morning a vendor from the Business Hall came over and excitedly showed the NOC team a picture of their booth with the NOC Captive Portal on the screen. The vendor team thought they were using a benign "simulation" version of a "malware" infection and were unaware that it was actually downloading the Ramnit payload to their demonstration machine.

To understand the depth and breadth of the Ramnit infrastructure, Michael Auger utilized the Maltego integration to query the Threat Grid intelligence database and visualize the relationships. Starting from the initial payload, he queried for associated samples. From there he queried for domains, then, selecting those domains, queried for samples again. This resulted in 300 Ramnit samples. The final two queries were for the domains and URLs from the 300 samples, resulting in 1268 domains and 93 URLs.

300 Samples 1268 Domains 93 URLS
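The same sample-to-domain-to-sample expansion, written as an added example that is not part of the original post and not Cisco's or Maltego's code. It runs over a constructed, hypothetical intelligence graph (placeholder sample names and .invalid domains) and adds a fan-out cap so that a domain shared by many unrelated samples, such as a CDN, does not pull the whole corpus into the pivot.

```python
from collections import defaultdict

# Constructed, hypothetical graph standing in for Threat Grid query results.
# Sample names and domains are placeholders, not real indicators.
SAMPLE_DOMAINS = {
    "seed-payload": {"alpha.invalid", "beta.invalid"},
    "sample-2": {"beta.invalid", "gamma.invalid"},
    "sample-3": {"gamma.invalid"},
    "sample-4": {"cdn.invalid"},   # unrelated sample, never reached from the seed
}
SAMPLE_URLS = {
    "seed-payload": {"http://alpha.invalid/gate.php"},
    "sample-2": {"http://gamma.invalid/update.bin"},
    "sample-3": set(),
    "sample-4": {"http://cdn.invalid/lib.js"},
}


def invert(edges):
    """Build the reverse index (domain -> samples) from sample -> domains."""
    inv = defaultdict(set)
    for src, dsts in edges.items():
        for d in dsts:
            inv[d].add(src)
    return inv


DOMAIN_SAMPLES = invert(SAMPLE_DOMAINS)


def pivot(seed, rounds=2, max_fanout=50):
    """Expand seed -> domains -> samples `rounds` times, then collect the
    domains and URLs of every sample reached. Domains contacted by more than
    `max_fanout` known samples are skipped as likely shared infrastructure."""
    samples = {seed}
    for _ in range(rounds):
        domains = set().union(*(SAMPLE_DOMAINS.get(s, set()) for s in samples))
        domains = {d for d in domains if len(DOMAIN_SAMPLES[d]) <= max_fanout}
        samples |= set().union(*(DOMAIN_SAMPLES[d] for d in domains))
    # Final two queries from the post: domains and URLs of all samples found.
    domains = set().union(*(SAMPLE_DOMAINS.get(s, set()) for s in samples))
    urls = set().union(*(SAMPLE_URLS.get(s, set()) for s in samples))
    return samples, domains, urls


if __name__ == "__main__":
    found_samples, found_domains, found_urls = pivot("seed-payload")
    print(len(found_samples), "samples,", len(found_domains), "domains,", len(found_urls), "URLs")
```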

Another sample of note was communicating with a domain known by Cisco Umbrella as malicious.

Threat Grid Downloader

With all samples, we were able to pivot to Cisco Threat Response for a global intelligence viewpoint.

Threat Grid to Threat Response

Having a global understanding of a threat allows the NOC to assess if it is a unique or modified sample, or a common threat.

Threat Response

Pivoting into Umbrella Investigate, we could see how the domain had low global activity until right around the Black Hat Asia conference.

Umbrella Malware


Fewer DNS Requests

As at many training events, we saw a lot of Newly Seen Domains, created just for the excellent training. Total DNS requests for the conference were over 4.3 million, down from 5.1 million in 2018.

Top DNS Request Volume


Top Domains for the week:

DNS Top Domains

Top categories:

Top Domain Categories


Black Hat USA 2019 will be 3-8 August 2019. See you in Vegas!



Acknowledgements: Thank you, Michael Auger, for your work at the NOC and on the Threat Grid and Threat Response DevNet pages for integrations and the open community on GitHub.
