12 Takeaways from BotConf 2022 Malware Conference (Nantes, France)
1) Welcome to the world of voice-activated malware…
We’ve all heard of malware that can log keystrokes, record audio and take screenshots. Well, here’s a new twist. FlowCloud, the remote access trojan (RAT) first discovered in 2020, now comes with voice activation functionality. Its processes hook into the device’s microphone driver and once sound levels exceed 65 dB – it activates. Who needs Alexa or Siri when you’ve got FlowCloud…?
2) Email Thread Hijacking
Trojans (such as from the Qbot family) now have the ability to parse .PST (Outlook) files and exfiltrate data. This is one of the reasons explaining the prevalence of email thread hijacking attacks.
3) Malspam continues to be a significant delivery channel for malware
Let’s face it, most end-users still can’t differentiate between phishing and malspam. And this works out great for cyber-criminals because while spam is perceived as annoying, it’s rarely perceived as dangerous. Framing your malware as a harmless email advertising prescription pills or erotic services means your malicious URLs and attachments are much more likely to be opened.
4) Malware is getting stealthier…
An over-arching theme at Botconf 2022 is the stealthiness of modern malware. The “See Ya Sharp” malware loader module is a case in point. This sophisticated loader is usually encrypted or heavily obfuscated. Moreover, it’s sensitive to VMs, sandboxes and AV suites. If See Ya Sharp believes that it’s being scanned or under investigation, it won’t budge. Stealthier than a leopard and cuter than a pet fox – you really don’t want See Ya Sharp to get anywhere near your PC, as it’s a precursor to some deadly payloads.
More and more malware families (such as Zloader) are now using Domain Generation Algorithms (DGA). These algorithms produce random-looking domains for their C2 servers every few minutes, making detection difficult. In the case of Zloader, it typically generates 32 domains.
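As an added illustration (not code from the conference or from any of the talks above), here is the defender’s side of a DGA: a heuristic that scores query names by entropy and vowel ratio, then flags a client that makes repeated failed lookups of generated-looking names, since a DGA host tries many candidate domains that were never registered. The log lines, the domain names and the thresholds are all constructed for the example.

```python
import math

# Constructed DNS log lines (client IP, queried name, response code). The
# random-looking names are invented for this example, not real Zloader domains.
DNS_LOG = """\
10.0.0.5 www.google.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.5 www.documentarchive.example NOERROR
10.0.0.7 qkxwzpfyvtgb.com NXDOMAIN
10.0.0.7 mzrtqvlwxkpd.net NXDOMAIN
10.0.0.7 updates.microsoft.com NOERROR
10.0.0.7 yxbfgqzrjtwv.com NXDOMAIN
10.0.0.7 hqztvnrxwkpl.org NXDOMAIN
10.0.0.9 cdn.jsdelivr.net NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'qkxwzpfyvtgb' from 'qkxwzpfyvtgb.com'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(qname: str) -> bool:
    """Heuristic DGA test: a long, high-entropy label with few vowels.
    The thresholds are assumptions chosen for illustration, not tuned values."""
    label = registrable_label(qname)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.25

def dga_suspects(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: [flagged names]} for clients with at least min_hits
    failed (NXDOMAIN) lookups of generated-looking names: a DGA host tries
    many candidate domains, most of which are never registered."""
    hits: dict = {}
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits.setdefault(client, []).append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for client, names in dga_suspects(DNS_LOG).items():
        print(f"{client}: {len(names)} generated-looking NXDOMAIN lookups")
```

Note that the long but pronounceable "documentarchive" label passes the entropy test and is rescued only by its vowel ratio; real deployments tune such thresholds against their own DNS baseline.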
5) Traffic Distribution Systems
Traffic Distribution Systems (TDS) are now widely used by cyber-criminals. These services (offered on the Dark Net) sell access to intermediary websites which are seen as “safe” by URL filtering services, email gateways and of course the sandboxes of malware researchers. Such services can also defeat common “file checking” services such as VirusTotal. TDS makes malware much more difficult to detect. While end-users don’t need to understand the details of this, they need to understand that no matter how sophisticated their AV software, their email gateway or firewall is – sometimes cyber-criminals are a step ahead.
6) No, 2FA is not bullet-proof…
Many end-users believe that 2FA is a bullet-proof authentication mechanism. This, alas, is not always the case. One researcher mentioned how deploying just one piece of SOCKS-proxy malware on a device can collect 2FA tokens and initiate an authenticated user session, totally defeating any 2FA mechanism. Users need to be continually reminded that 2FA is not infallible.
7) From Account Shops to Bot Shops…
To some users’ horror, they discover that when they get hacked, they really get hacked. Their Facebook, Twitter, Amazon, Google, Instagram, iCloud and Spotify accounts, etc. all get compromised simultaneously. For most users this evokes some gut-wrenching feelings. While this might seem like the work of a very busy hacker, it can usually be attributed to a Bot Shop which has sold their device fingerprint.
8) Hacker marketplaces and hacking tools are vertically integrating
One researcher gave a fascinating presentation on how cyber-criminal marketplaces have evolved. First-generation marketplaces offered stolen usernames and passwords. Second-generation marketplaces offered usernames, passwords and proxies. Today, marketplaces offer whole digital fingerprints for sale, bundled with proxies. Genesis Market is one such example. Here a nefarious actor can use a Genesis browser plug-in to import data directly from the Genesis marketplace. Turnkey services such as this make it much easier to mimic a genuine user. The streamlining of these malware tools means they are much more effective at evading technical defences.
9) Scammers scamming Scammers
“Card Shops” are the part of the cyber-criminal ecosystem which buys and sells stolen credit card information. However, one researcher revealed how some of these cyber-criminal marketplaces are now being typo-squatted to create fake marketplaces. Scammers scamming the scammers. Is there any hope for the ordinary user…?
10) Detecting the many-headed Hydra of Polymorphic malware
Traditionally, malware has been identified by a signature. This signature can be checked against a database of known signatures and the malware detected fairly easily. This is still how a substantial number of anti-virus, email gateway and firewall products work. However, with polymorphic malware, the signature keeps on changing or mutating. This makes signature-based detection much more difficult. However, clustering techniques such as fuzzy hash similarity functions (such as ssdeep or LZJD) can now be used to detect such sneaky malware by grading the hash similarities of samples on a scale of 0.00 to 1.00.
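An added example (not code from any of the researchers’ tools) of the clustering idea above: the LZ-dictionary Jaccard similarity that underlies LZJD, computed over three constructed byte samples, one of which is a mutated copy of another. The samples are random bytes standing in for binaries, and the resulting scores are assumptions of this example, not measurements on real malware.

```python
import random

def lz_set(data: bytes) -> set:
    """LZ78-style dictionary of data, the phrase set used by LZJD (Raff &
    Nicholas, 2017): scan forward, extending the current phrase until it is
    one not seen before, then add it and start a new phrase."""
    phrases: set = set()
    start = 0
    for end in range(1, len(data) + 1):
        phrase = data[start:end]
        if phrase not in phrases:
            phrases.add(phrase)
            start = end
    return phrases

def lzjd_similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two LZ sets, on the 0.00 to 1.00 scale.
    Published LZJD min-hashes each set down to a fixed size for speed; this
    unhashed form is exact and fine for small samples."""
    sa, sb = lz_set(a), lz_set(b)
    return len(sa & sb) / len(sa | sb)

# Constructed stand-ins for malware samples (random bytes, not real binaries):
# 'variant' keeps most of 'base' but rewrites one region and appends padding,
# mimicking a polymorphic rebuild; 'unrelated' shares nothing with 'base'.
def _pseudo_bytes(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

BASE = _pseudo_bytes(1, 2000)
VARIANT = BASE[:1000] + _pseudo_bytes(3, 50) + BASE[1050:] + _pseudo_bytes(4, 100)
UNRELATED = _pseudo_bytes(2, 2000)

def cluster_scores() -> dict:
    """Similarity of each sample to BASE. A cryptographic hash of the same three
    inputs would give three unrelated digests and no notion of 'close'."""
    return {name: round(lzjd_similarity(BASE, s), 2)
            for name, s in (("base", BASE), ("variant", VARIANT), ("unrelated", UNRELATED))}

if __name__ == "__main__":
    for name, score in cluster_scores().items():
        print(f"{name:>9}: {score:.2f}")
```

The mutated copy scores well above the unrelated sample even though a byte-for-byte signature of BASE would miss it, which is the whole point of grading on a 0.00 to 1.00 scale rather than asking for an exact match.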
11) We need to talk about CVEs…
Cyber-criminals are still exploiting the old chestnut that is CVEs (Common Vulnerabilities and Exposures). If a hardware or software vendor discovers a vulnerability in their product, they will (or should) issue a CVE notice. This is like a company standing up and saying “Look, we’ve found a vulnerability in our product which could be exploited by hackers”. Sometimes there is a gap between the announcement and the release of a patch. And sometimes there is a gap between the release of a patch and the application of the patch by the user. In both cases, unfortunately, there is usually a cohort of cyber-criminals ready to exploit the CVE. This is why users need to be informed about the importance of applying software updates as soon as they are released.
12) The use of decoy domains…
Just like ET, malware often needs to phone home to its C2 server. This allows the malware to receive updates, send back reconnaissance data and of course exfiltrate your data. But here’s the problem. A device that’s communicating with a strange remote IP address is going to stick out like a sore thumb. So, malware like Formbook (which has infected an estimated 4.5% of European organisations) uses decoy domains. The malware will start communicating with popular services from Google, Microsoft etc., but hidden in the shuffle is the real IP address of the C2 server. And here’s the really sneaky thing: its C2 communication processes operate an 8-10 minute time delay to further thwart any detection attempts.
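As an added example (not material from the conference, and containing no real Formbook indicator), here is a detection angle that does not depend on destination reputation: group a client’s outbound connections by destination and flag any destination contacted at near-constant 8-10 minute intervals, so the decoy traffic to popular services does not hide the one host being contacted on a schedule. The proxy log, the placeholder C2 host name and the thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed proxy log lines (epoch seconds, client, destination host). The
# beacon destination is an invented placeholder, not a real Formbook indicator;
# the well-known hosts play the role of the decoy traffic.
PROXY_LOG = """\
1000 10.0.0.7 www.google.com
1012 10.0.0.7 login.microsoftonline.com
1540 10.0.0.7 c2-placeholder.invalid
1600 10.0.0.7 www.google.com
2090 10.0.0.7 c2-placeholder.invalid
2105 10.0.0.7 www.google.com
2650 10.0.0.7 c2-placeholder.invalid
2700 10.0.0.7 login.microsoftonline.com
3190 10.0.0.7 c2-placeholder.invalid
3300 10.0.0.7 www.google.com
3720 10.0.0.7 c2-placeholder.invalid
"""

def connection_times(log_text: str) -> dict:
    """Group connection timestamps by (client, destination), sorted."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, dst = line.split()
        times[(client, dst)].append(int(ts))
    return {k: sorted(v) for k, v in times.items()}

def find_beacons(log_text: str, min_interval: int = 480, max_interval: int = 600,
                 max_cv: float = 0.15, min_connections: int = 4) -> list:
    """Flag (client, dst) pairs whose connections recur at near-constant
    intervals inside the 8-10 minute band. Timing regularity, not the
    destination's reputation, is the signal. Thresholds are assumptions."""
    flagged = []
    for (client, dst), ts in connection_times(log_text).items():
        if len(ts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        cv = statistics.stdev(gaps) / statistics.mean(gaps)  # jitter relative to period
        if min_interval <= median <= max_interval and cv <= max_cv:
            flagged.append((client, dst, median, round(cv, 3)))
    return flagged

if __name__ == "__main__":
    for client, dst, period, cv in find_beacons(PROXY_LOG):
        print(f"{client} -> {dst}: every ~{period:.0f}s (jitter cv={cv})")
```

The Google and Microsoft connections in the sample are either too few or too irregular to qualify, so only the scheduled destination is reported.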
It all goes back to the user…
The first step in the attack chain for many of the attacks detailed during BotConf 2022 unfortunately involved the user. They opened a malicious attachment or malicious URL. Or, they inadvertently downloaded trojanised software. This tiny action sets in train a highly sophisticated process of loaders, proxies and potent payloads being downloaded onto a system. The user plays a more important role than ever in protecting the IT security of the organisation. A user informed about the cyber-criminal mindset and the basic mechanics of such attacks is much more likely to detect and thwart them.