
The Dark Arts of cyber.
Selena Larson: Welcome to "Only Malware in the Building", where we're diving into all things spooky and magical this Halloween season. I'm Selena, also known as the Hermione of Cybersecurity today. And with me are -- oh apparently two Harry Potters. [ Music ]
Rick Howard: Accio explanation. [Laughter] Seriously, though, Dave, we talked about costumes. There's only supposed to be one chosen one, and clearly that's me. Look at my scar, it's so lightning shaped. [Laughter]
Dave Bittner: Please, Rick, my scar is way more authentic. You look like you scribbled it on with a sharpie in a car on a bumpy road. >> [Computerized voice] Turn right on Diagon Alley. Your destination will be on the left. Your costume is expelaboring [phonetic]. [Laughter]
Rick Howard: How did you know? [Laughter]
Selena Larson: Well, it looks like we've got a bit of a Horcrux situation here, two Harry Potters, one show. Honestly, with the way you two are acting I'm starting to think we should check for a Polyjuice Potion mishap.
Rick Howard: Okay, let me see what I've got here. I'm putting this thing together; this potion. Eat slugs, Harry number two.
Dave Bittner: Hmm, wow, solid effort, [laughter] for a second-rate Harry. Nicely done. Nicely done.
Selena Larson: Okay, okay, before you two Avada Kedavra each other over who wore it best --
Rick Howard: Avada Kedavra. [Sounds]
Selena Larson: Let's focus on the real dark arts today, malware, the Voldemort of the internet. It's like the Basilisk from Chamber of Secrets, one wrong click and you're petrified.
Rick Howard: Right, and just like with Tom Riddle's diary, malware hides in the shadows. It's sneaky, it's evil, and sometimes you don't even know it's there until, "boom," you are hacked.
Dave Bittner: Yes. Kind of like how I didn't know Rick here was going to steal my costume idea. [Laughter] But Selena's right, it's like needing a Marauder's Map to spot it, you need the right tools and a little Alohomora magic to unlock the truth behind those threats.
Selena Larson: Exactly. And as we enjoy October's spooky nights of trick-or-treats, and the annual Cybersecurity Awareness Month, remember to keep your digital defenses up too, whether against Death Eaters or hackers, and maybe next time, guys, we'll plan our costumes a little bit better.
Dave Bittner: I still look better.
Rick Howard: I still look better.
Selena Larson: [Laughs] Okay, okay, you both win. Until next time, folks, remember, no matter what evil lurks in the building, we've got spells to keep you safe.
Dave Bittner: Mischief managed.
Rick Howard: Mischief managed.
Dave Bittner: Oh, that was -- [laughter] wow. I'm going to have to turn in my acting card on that one. [Laughs]
Rick Howard: I'm amazed you were ever issued one.
Dave Bittner: Well, I got it under -- in the black market, so --
Rick Howard: I see. [Laughter] It's -- I thought you got it in a cereal box. [Laughter] [ Music ]
Selena Larson: Today we're talking about Voldemort malware, Accio Voldemort malware. [Laughter] This is a fun cluster of activity that has some characteristics of ecrime with malware named "Voldemort" that has the capabilities for information gathering and espionage. It's spooky season, so the perfect time to talk about the malware threat actors named after the world's most notorious dark wizard.
Rick Howard: I think I've heard this term before, but I am -- the only reason I like cybersecurity is because we get to make up those cool names. I'm like --
Selena Larson: Yes. [Laughs]
Rick Howard: Where else -
Dave Bittner: Right.
Rick Howard: In a professional setting can you name something "Voldemort"? So [overlapping] --
Dave Bittner: Right.
Selena Larson: Well, this was actually named by the threat actors. It had the actual file names in their code in the malware, and we were able to spot that. And I thought, "Wow, I can't believe they did that." [Laughter] So threat actors have fun, too. [Laughs]
Dave Bittner: That is pretty bold, to be the ones who claim Voldemort.
Selena Larson: Yes. [Laughter]
Dave Bittner: Rick, I don't know if you know who Voldemort is; he's kind of like this generation's version of Darth Vader.
Rick Howard: Ah, ah, true, I got that. Yes. >> [Echoing voice] Voldemort, Voldemort, Voldemort, Voldemort, Lord Voldemort.
Dave Bittner: Well, let's dig in here, Selena. I mean, what do we need to know here? I guess the obvious question is -- you kind of touched on it here, how -- why Voldemort? Is there any reason behind them naming it that, or is it just for bragging rights? [ Music ]
Selena Larson: Literally no reason that we could figure out at all. It was the only Harry Potter reference, or really the only pop culture reference at all in the entire attack chain. But what I thought was pretty interesting about this campaign, and I called it out in the report that we wrote about it, was it was suspected APT activity with cybercrime vibes. So the espionage objective, but using tactics, techniques, and procedures that we typically see from cybercrime, financially motivated threat actors. So this was a real head-scratcher for me and the rest of the team.
Rick Howard: Well, Dave, only you would try to ascribe some kind of serious motive to naming malware "Voldemort". [Laughter] Too many curses, you -- everything you do is like so self-important, geez.
Dave Bittner: Hmm. Selena, I tried to watch "Harry Potter" with Rick, but halfway through he asked, "So which one is Gandalf again?" [Laughter] [ Music clip plays ]
Rick Howard: It's the guy with the beard and the hat, right, that's --
Dave Bittner: Yes, we --
Rick Howard: Good, though.
Dave Bittner: Had to take the remote away. [Laughter]
Selena Larson: Dumbledore goes to the Mines of Moria. [Laughter] That's the third book.
Rick Howard: He might have done better there than Gandalf. I don't know, just say that. [Laughter]
Dave Bittner: Yes. Rick thinks Hogwarts is a rash you get from kissing a pig. [Sound effects]
Rick Howard: It's not? Hmm. [Laughter]
Dave Bittner: All right, so back on topic here, Selena, let's dig in here. What are we talking about with this group? [ Music ]
Selena Larson: Yes, so we don't actually know necessarily who is behind it, but the activity itself is very, very interesting. It was quite high-volume, tens of thousands of messages. They impersonated tax authorities from various governments all over the world, including the UK, France, the United States, and some others. And they pretended to be the tax authority to kick off this very interesting attack chain that ultimately delivered this information-gathering type of malware. In fact, the attack chain that was used was pretty clever, and we can get into it a little bit. But so much so, between the lures, the attack chain, and then this very weird malware, we initially thought it was a red team; like, "Oh, this is like very interesting sort of like red team activity." But just ultimately the sheer volume of it, we were like, "Oh, no, this is real. But this is very strange." [Laughs]
Dave Bittner: Now, my understanding reading through the research here is that they were using Google Sheets for command and control?
Selena Larson: Yes.
Dave Bittner: Is it -- how unusual is that?
Selena Larson: It was pretty unusual. So I don't see it all that often. I mean, when we were looking over it, it was pretty interesting. Essentially they were using Google Sheets for command and control to be able to sort of like exfil and list all of the data that they were potentially stealing or getting from victim hosts. And it was very odd the way that it was set up.
Dave Bittner: So they were writing code inside of Google Sheets to grab information and dump it into a spreadsheet; that's what they were doing?
Selena Larson: So they were dumping it into a spreadsheet, but they were using a different functionality once it was all -- once the communication was established it would post to Google Sheets. But yes, it was very interesting; not something that we typically see, but kind of harkens back to what we talked about in our last episode about the abuse of legitimate services. I mean, again, obviously Google Sheets is a very useful enterprise software and can be used by really anyone with a Google account, and a clever way of creating something and using a legitimate service maliciously. And we saw that actually with a few components of this campaign in general, right, like TryCloudflare, again, this temporary tunnel established by the threat actor. That's something that, again, is like a legitimate service, a temporary tunneling service. And then you have WebDAV as a file hoster. And then search-ms, which is a way for being able to create file shortcuts, essentially to be able to access various malicious content, and then ultimately downloading a malware that used Google Sheets for command and control. So a very interesting use of a variety of things that we see in the ecrime landscape with increasing frequency, and this adoption by a potentially espionage actor was a very, very interesting and kind of a little bit of a cocktail mix, if you will. [Laughs]
Rick Howard: They just cut out the middleman, right, Dave, because what they normally do is dump it down to a data file and then they put it into a spreadsheet. They just said, "We're going to eliminate that step and just dump it right in."
Dave Bittner: That's right. What makes you confident that espionage is the objective here rather than a financial gain or a traditional cybercrime?
Selena Larson: Yes, so that's a good question. And I think it kind of speaks to what we think about when we talk about how we do attribution and what we are able to decipher from motivation. So one piece of it was that the Voldemort malware was extremely custom. It was something that we hadn't seen before, only used by this particular activity cluster. Also, its capability, so it very much seems to be mostly just trying to get information from whatever the host was, and then also the targeting and the specificity in their targeting. Although it was very high-volume, they had some interesting characteristics of their targeting to make sure that they were going after people in a language they would be typically speaking. They appeared to do some little bit of research on who they would be targeting at various organizations. And then finally, just the activity and the lures themselves were more typical of something that we might see with a state actor. They were pretty sleek, well done. And then ultimately the function of Voldemort appears to be exclusively for information gathering, and potentially could include a Cobalt Strike delivery down the road. We did observe that Cobalt Strike on the adversary's infrastructure, so a potential additional piece to that puzzle. But I do want to point out, we did say moderate confidence in the report, so we have various levels of confidence that we do suspect that this is espionage. [ Music ]
Rick Howard: So, Dave, let me explain what that means. They don't know. [Laughter] Okay, they don't know who this is.
Dave Bittner: I see. [Laughter]
Selena Larson: In --
Dave Bittner: So in the --
Selena Larson: Cyber threat intelligence -- [Laughter]
Dave Bittner: Oh, boy, here we go.
Selena Larson: There are --
Dave Bittner: Here we go, --
Selena Larson: Words that are used to convey --
Dave Bittner: "Sit down --
Selena Larson: Information.
Dave Bittner: See, here's our lecture, Rick, here's our lecture." [Laughter]
Rick Howard: Let me get my notepad out.
Dave Bittner: Yes, we're about to be schooled. [Laughter]
Selena Larson: Wow, I have to say, I think everyone who works in cyber threat intelligence whenever they're asked a question the answer is always, "It depends." No matter the question --
Dave Bittner: Yes, sir.
Selena Larson: No matter what their answer is --
Dave Bittner: Yes.
Selena Larson: The answer is always, "It depends."
Rick Howard: "It depends" with moderate confidence, okay but -- [Laughs]
Dave Bittner: Yes. Yes. See, you'll have to forgive Rick for his questioning here. He's so outdated the last time he saw a server it was a person carrying a tray at Denny's.
Rick Howard: It was so good, too, oh, man.
Dave Bittner: It was his early bird special. [Laughter] At his last job Rick thought "full-stack developer" meant you get free pancakes at work. [Laughter]
Rick Howard: I'm still disappointed that that didn't turn out to be true. [Laughter]
Dave Bittner: Let me ask you this, Selena. In the research you and your Proofpoint colleagues there did, there were multiple verticals that you established that were being targeted in this campaign. It struck me that insurance companies were the largest group? Why do you suppose they were a big target here?
Selena Larson: So that's a really great question. And it does go back to the questioning of what are the ultimate goals and objectives? So we initially saw the delivery and then the potential communication with the command and control and not really any follow-on objectives. What was interesting was the lures were essentially impersonating tax agencies, so things like HM Revenue and Customs in the UK or the IRS, so things that would be associated potentially with financial information or insurance in many cases. And so I think that the targeting kind of did align a little bit with some of the words that were used. But yes, I did think that that was actually pretty interesting, because it's not a typical vertical that you see oftentimes targeted, especially at sort of like these types of more high volumes, by APT espionage threat actors. Aerospace, transportation, and more sort of university or academia, that was a lot more aligned with what you typically see from APT actors. And those were the ones that made up the sort of top 50% of targets. So yes, the targeting was super interesting to take a look at and sort of break down some of the verticals. It was a really weird campaign. [ Singing ] Stay tuned. There's more to come after the break. [ Music ]
Dave Bittner: So they were impersonating government tax offices, and then going after insurance companies; and what kind of information were they stealing?
Selena Larson: So the -- sorry I'm going to have to cheat and look at my notes, you guys; it was literally like a 35-page block. [Laughs]
Dave Bittner: Excuses, excuses.
Selena Larson: I want to make sure that --
Dave Bittner: If we want it to be more than moderately confident, she has to look at her notes, okay? [Laughter]
Rick Howard: You don't have it memorized?
Selena Larson: I know, I know. Well, so essentially, they were looking for information about the host. They could potentially observe various files, had commands to download or upload, stop the malware. You could see that they were potentially using things for information gathering. Initially, actually, they did some filtering on who was going to be able to click or interact with the actual malware. So they did base it off the user agent, for example. So they were definitely targeting Windows users. So they wanted to make sure some -- from the very beginning the malware was going to be going after potentially victims that had Windows, and if they weren't, then they were filtered to something else and just kind of collected very high-level sort of logging of top-level host information. But yes, in terms of the actual capabilities in the malware, very kind of typical info gathering, potentially espionage types of capabilities and download and upload features.
Dave Bittner: Did the target victims have to do anything special to defend against this, Selena, like -- or can the standard keep-your-antivirus-up-to-date kind of stuff solve this?
Selena Larson: So that's a really good question. And I actually thought it was really interesting because it was a little bit noisy, right? So again, they use these things, for example, like the TryCloudflare tunnels. That's not something that is typically observed in a network, right? So if you saw that traffic in your network, you would be like, "Oh, this is weird." That might flag some alerts if it's even allowed within the network. Blocking some of these, like for example TryCloudflare, if it's not needed for legitimate service purposes is pretty good, especially now that we see it from a variety of different actor clusters. But then there was also the external WebDAV, so that connection to that external WebDAV is another thing that a lot of organizations might have restrictions on, not being able to access external resources that aren't safe-listed within an organization. So it's kind of interesting. That's why when we talk about this actor using more sort of typical ecrime threat behaviors, right, so it has these things that we've seen with a lot of other sort of cybercrime threat actors to deliver really commodity malware. And so in this case, they were using some things that were very similar and some that weren't. So while we have seen, for example, search-ms, which is a feature within Windows -- it's the Windows search protocol that locally displays files hosted on a remote machine. So it's kind of like the user saw this little pop-up, and it would look like the file is actually on their host when it was really on the WebDAV. But in this case, they used a .search-ms file. So that was actually a little bit of a twist on the sort of search-ms functions or the technique that we see typically. So essentially, a .search-ms file saves the search, and so the TryCloudflare tunnel essentially ended their URI with that .search-ms, which was the saved search, which was displayed locally on the host when in fact it was actually on the WebDAV share.
So it's kind of interesting because it uses social engineering to make the user think, "Oh, this is on my computer. This might be okay," so trying to hide some of this activity. There's also a decoy PDF that was displayed to the user, so again, showing something that might seem trustworthy while activity is happening in the background, but also using kind of a little bit noisy techniques. So yes, it was just kind of like a -- I called it a "Frankensteinian amalgamation of chaotic activity", which I feel is very appropriate for October. [ Music ]
Dave Bittner: I'll have to look all those words up in a dictionary, so I'll be right back.
Rick Howard: Yes.
Selena Larson: A mess --
Rick Howard: Yes.
Selena Larson: A mess. [Laughter]
Dave Bittner: Yes. Rick is so old.
Rick Howard: They didn't invent those words yet? Is that where you were going with that? [Laughs]
Dave Bittner: Well, I -- so I'll give you some perspective here, that last -- his boss asked him to create a container and he asked if Tupperware was okay. [Laughter] And now a word from our sponsor. [ Music and singing ]
Rick Howard: And only I would have containers from a company that's out of business, okay --
Dave Bittner: That's right.
Rick Howard: That's how old I am.
Dave Bittner: That's right. That's right. His first experience with a computer was when it had punch cards. Now the most complicated punch card he uses is the one where he gets free coffee at the local diner. [Laughter] Well, let me ask you this, Selena, because all those tactics, techniques, and procedures you were outlining, they all seem unique in some way. And your team of researchers couldn't associate that with any known adversary campaign, neither a nation state nor crime, right? It's all kind of a mishmash of things.
Selena Larson: Yes. A mishmash is a good way to describe it. So we've sort of classified them right as UNK, right? We talked --
Dave Bittner: UNK.
Selena Larson: We talked about that before.
Dave Bittner: My favorite.
Selena Larson: UNKs, yes, that sort of unknown. It might graduate to a TA when we have some more data available, or if other folks find similar activity and publish on this in the community; we would love to see other folks' thoughts on this. Not a known TA, but based off of some of the activity that we observe from it, their objectives, the malware itself, we do believe that this is APT/espionage activity. But yes, I mean, it's definitely fun. And I have to give a shout-out to my colleague Tommy Madjar, who initially found it and was like, "WTF is this," like, "What's going on here?" [Laughs]
Dave Bittner: That's kid slang, Rick. "WTF" is kid slang. They shorten things into just like letters and it means things to them. [Laughter] Just so you know.
Selena Larson: What the firewall --
Rick Howard: Yes, exactly.
Dave Bittner: Nice. Good save, Selena, good save.
Rick Howard: So Dave, this mishmash of our -- of TTPs is kind of like your dips when you get ready for the evening meal, right? You get a mishmash of all kinds of flavors.
Dave Bittner: That's true, that's true, and that's -- and as we speak, I am sitting here, right in front of me, I have a sun-dried tomato and basil pesto --
Rick Howard: Ooh.
Selena Larson: Mmm.
Dave Bittner: Which I would describe as a vibrant dip combining sun-dried tomatoes, fresh basil, Parmesan cheese, pine nuts, and garlic. It is bursting with Italian flavor.
Rick Howard: [Laughs] Yummy.
Dave Bittner: Selena, let me ask you this. So the research talks about 20,000 phishing emails sent all over the world, which I think is a pretty impressive scale. Is there any chance that when you're talking about that kind of volume that it's kind of -- like it's a misdirection to try to -- you talk about things being noisy, is it trying to cover a smaller, more focused set of targets? Is that kind of strategy in play here, or am I off base?
Selena Larson: Yes, I mean, that's definitely one possible hypothesis, right? So if a threat actor is trying to target a small handful of individuals, they might kind of just blast it out to mask what they are doing, similar in some ways to potentially covering up an espionage operation or a wiper operation as ransomware. It's like when an espionage actor, an APT actor, might pretend to be a ransomware actor when really their objective might be a little bit different, have different motivations, but kind of cloaking it as something else. So it's one possibility. Again, we don't have enough data to say for sure that's what happened, but absolutely a sound hypothesis.
Dave Bittner: Hmm. So what are your recommendations here? I mean in terms of mitigations for organizations to protect themselves against this kind of thing, what do you suggest?
Selena Larson: There are a few things. So certainly, like we mentioned, restrict the access to external file-sharing services. We've seen a lot of WebDAV, a lot of SMB all across the landscape, not just from espionage in this case, but definitely ecrime actors as well. So you want to make sure that the only communications are to those safe-listed servers. Certainly, blocking network access to TryCloudflare if it's not required. Again, that's something -- it's like a temporary Cloudflare tunnel, so probably not typically used in business operations. Once you sort of upgrade to the paid service, that's a lot more legitimate. If you're looking for things that are using search-ms functionality, we've seen not just in this case, but the interesting .search-ms files, the saved searches, but also just monitoring for and alerting on the use of search-ms in scripts, as well as suspicious follow-on activity like LNK PowerShell execution, so the stuff that we see stemming from the search-ms execution, accessing the external servers, LNK running unknown, unidentified scripts; so a lot of really, I mean, goodies in there for incident responders or for SOC managers to take a look at and protect their own environment. [ Music ] We'll be right back. [ Music ] I feel like after this conversation, I am going to need to drown myself in Butterbeer after today's conversation, maybe pair it with that tomato basil dip. [Laughter]
Dave Bittner: Couldn't hurt. Couldn't hurt. Well, thank you, Selena, interesting stuff. And I think Rick and I are going to run along here. We need to synchronize our pacemakers before we get on with the rest of the day; but interesting stuff.
Rick Howard: Wait, wait, is naptime soon, Dave? That's what I want to know.
Dave Bittner: Oh, Rick, when you're as old as you are, anytime is naptime.
Rick Howard: That's exactly right, sir.
Dave Bittner: Rick just nods off in the middle of a meeting and everybody just smiles and nods, and it's fine. It's all fine.
Selena Larson: And yet somehow still absorbs everything in a dreamlike trance. [Laughter]
Dave Bittner: Oh, yes, no, he can snap to, too, right away, and he's as good as he ever was, which, I mean --
Rick Howard: Which it wasn't that good, yes.
Dave Bittner: Yes. [Laughter] Your words, not mine. [ Music ]
Selena Larson: And that's "Only Malware in the Building", brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
Dave Bittner: I'm Dave Bittner.
Rick Howard: And I'm Rick Howard.
Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ]