Conf42 Python 2022 - Online

Malware Hunting - Using python as attack weapon

Video size:

Abstract

The purpose of this presentation is to use python scripts to perform some tests of efficiency and detection in various endpoint solutions, during our demonstration we`ll show a defensive security analysis with an offensive mind performing an execution some python scripts responsible for downloading some malware in Lab environment. The first objective will be to simulate targeted attacks using a python script to obtain a panoramic view of the resilience presented by the solution, with regard to the efficiency in its detection by signatures, NGAV and Machine Learning, running this script, the idea is to download these artifacts directly on the victim’s machine. The second objective is to run more than one python script with daily malware, made available by MalwaresBazaar upon request via API access, downloanding daily batches of malwares.

With the final product, the front responsible for the product will have an instrument capable of guiding a mitigation and / or correction process, as well as optimized improvement, based on the criticality of the risks.

Article`s reference: https://pentestmag.com/product/pentest-build-your-own-pentest-lab-in-2021/ ( 2x Articles published | Exploitation with Shell Reverse and Infection with PowerShell using VBS File | Zusy Malware using MSI) https://pentestmag.com/product/pentest-powershell-for-pentesters/ ( 2x Articles published | Testing Creative Way Detection and Efficiency in Sophos Security Sensors | Outbreak Infection from Malware Bazaar, undetected by Sophos https://hakin9.org/product/malware-attacks/ (Hunting the Hunters-Detection and Efficiency Testing of Endpoint Security Sensors) https://pentestmag.com/product/pentest-ransomware-prevention/ ( 2x Articles Published | Threat Hunting Labs Engines Problems in Cybereason AV | Infection with Ransomware Using Delay in Applying Policies) https://hakin9.org/product/cyber-threat-intelligence/ (Infection with Malware By Script Python NOT Detected by AV) https://eforensicsmag.com/product/threat-hunting-what-why-how/ (Infection by Outbreak Attack Malicious)

Similar presentations: https://www.youtube.com/watch?v=mJZCNqcO10A&t=51s (NahamCon’s on RTV 2021 - Discovering C&C in Malicious PDFs) https://www.youtube.com/watch?v=nxlqxLWO16k (GrayHat - Red Team Village - 2020- US) - Malware Analysis https://www.youtube.com/watch?v=id7phzfgumg (GrayHat - Red Team Village - 2020 - US) - Pivoting Technique https://www.youtube.com/watch?v=oWkgyPgAMsg (BSIDES DFW - 2020 - US) - Malware Analysis https://youtu.be/-h34cWIf9T8?t=23973 (Hacktivity - Budapest 2020) - Dissecting Malware https://www.youtube.com/watch?v=9S41xfTGQDo (D.C. Cybersecurity Professionals - 2020 - US) - Cyber Threat Hunting: Identify and Hunt Down Intruders https://www.youtube.com/watch?v=yAjvfTYEhOw (D.C. Cybersecurity Professionals - 2020 - US) - Dissecting PDF Files to Malware Analysis https://www.youtube.com/watch?v=0pp6xcFsXgE&feature=youtu.be (HITB -2020 - Hack In The Box Security Conference - Europe) - Threat Hunting

Summary

  • Today we're going to talk about these malware hunting using Python as an attack weapon. If you like, send me a message. And by the way, in my Twitter usually I like to share some tools, open source tools.
  • Hacking is not a crime. The idea behind of this project is to talk more about this concept called hacking. It's about how you can use in your creative mind when you're looking for some software. How you can help the companies of course, into looking or a security perspective.
  • Today we are talking about how you can use in pipe scripts in more attack perspective. It's very important to understand what is exactly a threat and how is important we improve our code, our applications. Many and many organizations chose active thready hunting practice.
  • Advanced Persistent threads in apts means using offensive techniques. We can working with the research of threads, we can discovery new kind of attacks or specifically different in a different views from the attacker perspective. It's very important to give this specific vision for your organizations.
  • Using two python script or more than one, you can download many different malwares in this specific environment to test your security sensors. The idea is to bypass specifically security solutions in my environment. During our demonstrations, we all will show a defensive security analysis with these offensive perspective.
  • Python script to execute this. Basically I will download one specifically malware or real malware inside of malware environment. And as you can see, I need to set the s to select the hash of the malware. Be careful because it's a real malware.
  • Philippe: My idea is to see the behavior of the engines detected by signature. So I didn't need to execute itself the malware. When the script download the malware in my environment, after that, the engines responsible for signatures block this specific code.
  • The idea behind of these tests is to download all those malwares during this specifically date and download it to simulate a specifically infection. All those tests were reported to cyber, to Sophos and I reported to crown strike. Now in this year, in 2021, that the solutions will be improved.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hello everyone. Welcome this session and today we're going to talk about these malware hunting using Python as an attack weapon, right? So this is my contact at Twitter, at Philippiers and my contact on social media. If you like, send me a message. This is my homepage, philippirs.com and my GitHub by the way. So I have some project there and my link is in and if you'd like to change some message with me. So I really appreciate that. Okay. And by the way, in my Twitter usually I like to share some tools, open source tools, by the way, about some focus on cybersecurity and program languages and different products. And by the way about the security stuffs, right? So let me introduce myself. I'm secure to research at Sapporo is a company from Switzerland and this company is responsible to provide a visibility of the attack surface in different cloud environments. And not only cloud environments, but on premise as well. And Box and Microsoft and Azure, Google Cloud and by the way in Azure as well. And the idea behind of this product is to look in more about these isograph vision and how the attacker can explore different organization. So I'm security advocates for Onsen Segura San Segura is a global company responsible to provide some pen solution pen. It's acronym of the privileged access management, right. And I'm advocate from hack is not a crime. It's an awesome project. By the way, it started in us. The idea behind of this project is to talk more about this concept called hacking, right? Because when you read some information on the newspaper or on tv, usually this term is related to about cybercriminal. But it's wrong. The idea behind these talk about the hacking, it's about how you can use in your creative mind when you're looking for some software and how you can improve this specifically software, and how you can help the companies of course, into looking or a security perspective. But when you look about the exposure of the information, it's not a hacking, it's about these threat actors, it's about these Cybercriminal. Okay, so we can find more information in my web page, in web page from this specific project, okay. And I'm a coordinator of the Defcon group, one of these coordinator of the DEfcoN groups in Sao Paul. And by the way, I'm talking not from Brazil, but I'm talking from Portugal. I'm living here, there. And I'm leaving now, actually. And I'm instructor, writer and heavier, those three magazines, Fantastic magazine, hack 90 and forensic. And you can find my course about the Maura attack type with Q chain in the Pentasy magazine. Okay, so just information about me. So let's talk about our main topic. I would like to explain to all of you about what is exactly a threat because it's very important to put all those people on the same page, okay? So it's not definition from flip, it's definition from these specifically ISO, okay. Threat is defined as a potential cause of the incident. I mean in something that happened in specifically company organization or is a potential cause in these specific incident. Of course they need to be the users or the security team maybe needs to investigate more about that, but it's specifically about the software attacks or about these death of intellectual property or maybe identity death. It's very important. And sabotage, it's another kind of threat. And information, or all those information distortion are example of information security threats. It's very important to understand those difference, okay? Because today we are talking about how you can use in pipe scripts in more attack perspective. And because of that it's very important to understand what is exactly a threat and how is important we improve our code, our applications, okay? As a result, many and many organizations chose active thready hunting practice. I mean they need to look in more deeply about how the networks exactly work in the organization and they need to investigate more about all those aspects inside of this specifically network, okay? And let me invite you to think more about me within this specific brainstorming, right. So today when we talk about the threads, it's very important because we have many different researches. And if you are a developer, if you're working for example in DevOps team, maybe when you need to apply something, we need to create some infrastructure, for example, we need to research more about that. And when you talk about the security, we can work in different ways. We can working with the research of threads, we can discovery new kind of attacks or specifically different in a different views from the attacker perspective, you can improve your team in a proactive line of defense against advanced threads. It's acronym of the Advanced Persistent threads in apts, in this case, what that means in this case using offensive techniques, because if you are again a developer or if you are a programmer or no matter the specifically name, you can use. But if you know how this works in web applications and the mobile, for example applications, for example, you know how these applications works. So basically you can found different possibility to explore this specifically software. So this is you can use in your offensive techniques, okay? And you can work with vulnerability research. It's the same case in the same way you can find some web applications, you can investigate more how this application works. If you find some bugs. If these bugs, you can explore inside of this specifically bug, you can find a specifically vulnerability and you can work for example with the development of exploits specifically coded to explore this vulnerability. And we can work with the reversing engineer. Sometimes these is more related to not only a mobile because you can work with a reversal engineer in a specifically app or EZDK or another APK or other different specifically binary, but you can work with malware analysis for example using different methodology like analysis staticy and statistical analysis and dynamic analysis. And you can use it in a reversion engineering inside of this specifically methodology to looking more deeply about how the binary works. I mean the portable executable like a PE or alpha binary or PDF or document word or excel or another different document offset. Okay, we can work in an intrusion detected. I mean we can work in security providers and you can discover how this vulnerability which works. And after that you can create a specific signature for this specific IDS intrusion detection system, providing intelligence from these specific product. Okay. And you can work with a forensic analysis, it's more related to a post attacks. So when you can collect this specific evidence, you can investigate more deeply about that. So we have many possibilities to working in our cyber cybersecurity evangelist way. Again, if you are a developer, you have a good advantage because you know how the applications works, you know how the mobile applications, web applications and whatever application works. This is the good advantages. Okay, so first of all, we have a thread and after that, usually when you investigate something about that, no, you can, but you see if it's non thread like for example patcha or remsor or kind of ransomware. It's for example when a cry or patcha or another is specifically attacks using specifically malware or it is an unknown threat, it's totally like a zero day. So the security providers don't have any signatures to protect itself specifically against this attack. So basically we have, it's almost basically, of course it's only basically two different threads, a no and a no. Okay. And after that you can create a report if you execute some investigations about that. So it's very important because when you describe that you can improve your knowledge about how the threads works. And of course you can provide this to your coordinator, your tech lead, your manager, because it's very important to give this specific vision for your organizations. And after that you can improve your defensive mechanism because when you see how is exactly the path using by the attack, you can see what is exactly the technology based from the attacker or by the attacker. You can see exactly these is exactly the path. So this is the creative mind. So you investigate how these attack works in your environment, or you can think more about how is the new possibilities you can using to explore this specific environment. That's very nice. And after that you can create this specifically cyber threat intelligence. I mean, even if you are a big company or a small company, no worries about that. Because you can use indifference tool to help you to give this specifically vision about how the cyber thread intelligence works. You can use in different frameworks to give this big visibility. Okay, that's very important. And if you perform in specific clan arts, you can look in more deeply about that. Okay. And of course we need to have this specifically strengthening cyber resilience, because the threads are changing all the time. Okay, so nice. So let's talk about the creative or creating a creative mind. Okay, so that's the point here and the main topic about our conversation in these event. So I will explain more about this pyramid called purpose or the idea behind all that. Okay, so the purpose of that is in this test I was to run not only, but more than one pipe script to perform various efficient detected risks. And the idea is to bypass specifically security solutions in my environment, when I worked in these specifically organization. But you can use in this, in your environment now, no worries. And this is my suggestion. During our demonstrations, we all will show a defensive security analysis with these offensive perspective. That's the point here. Using two python script or more than one, you can download many different malwares in this specific environment to test your security sensors. Okay, so that's the idea. The first test is to simulate target attacks. The idea behind of this test is to download different malwares and to understand what is exactly these behavior from the security vendors. Of course about the signatures, about the next generation antivirus, and about machine learning, because usually these security sensor have a different technology to protect it, to protect these organization. So the idea is to simulate a real malwares to download in this specific environment. These is the first purpose. And the second purpose is to download more than one. I mean my idea these is to download the daily batches of these malwares. It means in the end of the days we have a specific malware bazaar repository. I will explain more about our conversation today. We can download more than one malware, is a simulation specifically how to break infections in your environment. So that's the idea. And this second task, because my thinking about that is how should be the behavior of the using provided for this protection organization. So if I infected with these kind of outbreak infection in my environment, so what should be the behavior of the using. So that's the aging and by the way, not here, sorry. But here is the website, Maurer Bazaar. It's a bazaar a boost. You can find these, you can put in for example Mauer Bazaar. It's pretty simple, you can click here. This is the idea, okay, Mawer is a project from abboost CH with the goal is sharing malware sample with the infosec security. So here you can see more than one specifically malwares, okay, it's many different malwares, different using tag signatures. For example, you can see an excel file, doc file. For example dlls is a quotable from Microsoft out from Linux. For example you can looking from, for example, you have here how you can search for a tag. For example you can put in here, for example tag and PDF, click enter. You can see more than one PDF and different malware as you can see here. And you can do some testing, for example you can use in here my pdf. By the way, I download this in 2020. This is specifically malware PDF. I have some talks that I explain more about this specifically malware. But here is the main top. We have here the API. And if you see here different API queries or different queries to using. And you can use in here the example of the Python three example of the Python script. I using those specifically from this specifically repository here is the guy responsible to create that, okay, Corsin Camichelle, I don't know if I'm pronounced correct, but it's a very nice guy. And he creates specifically those tool that I am using here in these demonstration, I explain more about this specifically, okay, nice. Let me return here. And this is the first python code, okay, so the idea about this code, as you can see here, this is I import different requests and systems and argument. It's pretty simple Python script to execute this. Basically I will download one specifically malware or real malware inside of malware environment. And as you can see, I need to set the s to select the hash of the malware. So basically I need to see here, I need to find it, for example here in Bomber bazaar, this is for example, let's check, let me show you here. This is the hash, okay, the identity from this specifically malware. So basically in this code I need to set s and after that I need to set this specifically hash. And after that I need to set another argument like a u to unzip this file. Why? Because usually when you talk about these specifically malware repositories, usually when you download some malware, as you can see, I will click here just to show you download. Take a look. This is specifically explanation. So usually the malware when you download is a zippet like this. And usually they're using the same password and fact that. So that's the idea not only in malware bazaar, but you can find in another like for example Philip 86 this is my GitHub. You can find in this specific repository here repository and you can click here in repository and after that you can click here in these zoo. Basically this is another repository you can find here, many others mauer as you can see here malwares, you can click here. It's not my repository, it's from the community. You can see here these binaries or source and take a look at many different real malware. So be careful because it's a real malware. Okay, so different ram servers. So if you would like to make some tests, you can use in here, for example in the zoo or you can use in here the malware bazaar. Okay, so let me return here. So remember, first of all I need to execute in the pyri scripts and after that s to set the hash, and after that u to unzip the file. Okay, so basically this is the beginning of the file and after that I need to set the password as you can see here. In fact that I need to set here the API provided maui bazaar because when you made your registration in mauibaza, basically you need to have a specifically twitter account and after that you have this one of this specifically API. So you need to put in here and after that you can execute itself the code to download, and after that unzip the file as you can see here and execute the malware. And in this case not executing. I just download the malware in these environment. Why I just download? Because my idea is to see the behavior of the engines detected by signature. So I didn't need to execute itself the malware. Okay, so basically you execute here Python in Windows platform, as you can see set malwaresbazaar py here. Maybe it's a small I set here s because I need to put in here the hash, as you can see a big hash, I think it's 256 or this is the hash and u because I need to unpack it or unzip this specifically files. So as you can see here, it's a wanna cry? Very known ram summer. Okay. And as you can see here, detected this specifically script. This is the malware I download in this environment. And after that, the pyri scripts unzipped that this is specifically called. Okay, so after that, the idea is the cyber reason to block. This is the security solutions, okay? And as you can see here, the mauer, it was blocked. So good, nice. Because the solutions it works based on signatures. I didn't need to click to execute the malware, because when the script download the malware in my environment, after that, the engines responsible for signatures block this specific code. Okay. And as you can see, these log is blocked. Okay. These second task I detected in Sofall's secure solution, it's another different solution, the same case. And now I'm using another hash. As you can see, starting to started with two, two ed different hash. It's another different malwares, okay. And as you can see, these same behavior. So as you can see, the first downloaded zip it file. And after that, the code unzipped, or in this case, unpacket, is specifically sample. Not sample, is mal in these case. But as you can see, these security engine block. And these is specifically malware. So very nice. And the third test executing in this case, in a cloud strike. So I customize a specifically code here. It's just for fun. And I put here another name, by the way, based underscore bazaar s. As you can see, it's another hash u. Those three hashes are Mauer. But in this case, Calder strike didn't detect why. And that time, when I performed this tests in 2020, that time, the cloud strike explained me that the solution just work with a machine learning, not work with signatures. I will explain the only way to detect this specifically malware. This is an explanation from crown strike. After these user click in these specifically Mauer. I mean, the user need to interact with the Mauer, okay. But from my perspective, these is the opinion from Philippe. It's very important to have the signatures, because why I need to investigate. So why I need to verify if the malware is malicious or not, when I know that this malware is malware. Okay, makes sense for me. So I don't need to wait for the curse, the client or the user. Actually, I don't need to wait the user clicking these specifically binary to see if it's malicious, because I know based on signatures that it is malicious. But I heard something about that, that now in this year, in 2021, that the solutions will be improved. So I think now they work with signatures. And the second Python script, remember this is the first test. So cyber reason and soaps had a good result, but cloudstrike didn't have a good result, okay. Because it's these behavior conference. So these again. But in this case, the second task, remember, in this second task, I simulate alti breaking factor. I will explain more about that. As you can see here, I import specifically libraries these, as you can see here. Okay, Python ziper to again uncompressed the zip file and the zip file actually and here, as I mentioned, there's a simple customization and that time I worked in supernovation. It's a global company, it's a brazilian company, actually responsible to provide different consulting developer solutions. I think it's an explanation here. And as you can see here, these downloading of this specifically API. I call this specifically API, as you can see here in the code setting here, the daily malware badges, as you can see. So remember, the community is responsible to provide many malwares per day. In the end of the day, the malware bazaar collect all those maus and pivoting in a specifically directory and put in this directory the name of the daily branches, as you can see here. So basically it's download these data specifically of the day as you can see here. And so the idea behind of this tests is to download all those malwares during this specifically date and download it to simulate a specifically infection, altibrake altbreak infection. So these is the idea behind of this code. So this is the second code. And again daily bazaar I call here mauer underscore download. As you can see using the data specifically in 10 September in 2020, I downloading, calling specifically data tests using this specifically URL from API from Maurbazar. Using the API from our bazaar download is completed. After that I saving data tests, as you can see here, is completed because I called this specifically directory from Maurbazar. And after that, as you can see here, a data set unpacket. So in this case, I downloaded more than, if I remember correctly, more than 300 malwares in this specifically day. Okay. And as you can see here, so many malwares were detected. And by the way, all those tests I reported to cyber, to Sophos and I reported to crown strike. And basically in these specifically task, the cyber reason didn't attacks for Maverick, but I reported that to the cybersecurity solutions. And after that I had some conversation with them with there and they improved the solutions. It's very nice conversation with the cyber. The second task is I performing in Sophos environment. And as you can see here, in this case I saw a different behavior because Sophos has more than one binaries using this solution. Remember, in the beginning of the purpose of these tests is to simulate an efficient and detection test. So the idea is to simulate a behavior from the engines providing detection from signatures, machine learning and next generation antivirus. So in some solutions we have all those protections in these same binary, but in this case in Sophos, as you can see here, we have more than one services, or actually not services, but binary inside of the machine, the user machine. Because of that, when I try to simulate this specifically tests, we have high, high cpu as you can see here, and high, high memory to protect. So that remember when I had this idea, my idea is it was understand what is exactly the behavior of the engines. So maybe I could broke the engine. And when I broke this engine, because it's totally the many infections in the user machine, I can block the protection. So from the attacker perspective it's very nice because I could gain the access in environment because I don't have any antivirus protections to protect against the threats. Okay, spoiler alert. Just a few other code, I don't have idea to explain during this session, but I would like to show you something very simple like this. You can find this on the Internet very easy, okay, it's a simple import some specifically libraries to open a socket here. Because in this case my idea is to gain the reverse shell in a specifically victim machine, as you can see here, I import a specific socket setting here my web server, and after that I set my port to open a reverse port to using my local port, okay, and very simple. And I using here to infect and specifically vicro machine, as you can see here. So I made these specifically task in enclosed strike. So first of all I download the binary here, because of that it's a spoiler, because maybe I can talk more about that in another event and just a simple spoiler about that. So I enable all those security policies here. And I go to the specifically I open the netcat to receive this specifically reverse shell, as you can see here. And after that I need to download this specifically file inside of the victims machine. And I need to execute this files in these victims machine, okay? And after that I will receive this specifically reverse these shell. So as you can see here, this is my machine and this is the port, actually the attacker port. And here is the attacker machine. Okay, so let me return here in the vitamin machine, let me click here and I need to execute here the python script, that python script that I show you. So I call it shell Python. Open the service here. As you can see the CMD in green color, but nothing happened here and nothing blocked here. But as you can see here, I gained the reverse shell in the big burn machine. So now I have the access and this specific environment. So I have all those access. I'm a local domain I can use in different things to do, and by the way, I execute in different comments here and I explore different things. But it's an expo so I need to show you this in other events. So if you have any question everyone, so please let me know. And thank you again for this time here during the session. I hope this session should be useful for you. Again, I show you more about this specifically python code, but I just to give you this specifically creative mind and when you work in your organization, so how you can look in your security sensor using the Python script, because it's easy to create that and how you can use in python script to improve your security environment. Okay, so that's my idea during the session. So again, thank you so much for being here with me and see you in the next event.
...

Filipi Pires

Cyber Security Evangelist @ senhasegura

Filipi Pires's LinkedIn account Filipi Pires's twitter account



Join the community!

Learn for free, join the best tech learning community for a price of a pumpkin latte.

Annual
Monthly
Newsletter
$ 0 /mo

Event notifications, weekly newsletter

Delayed access to all content

Immediate access to Keynotes & Panels

Community
$ 8.34 /mo

Immediate access to all content

Courses, quizes & certificates

Community chats

Join the community (7 day free trial)