Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hello everyone. Welcome to this session. Today we're going to talk about malware hunting using Python as an attack weapon, right? So this is my contact on Twitter, @Philippiers, and my contact on social media. If you like, send me a message. This is my homepage, philippirs.com, and my GitHub, by the way. So I have some projects there, and my LinkedIn, and if you'd like to exchange some messages with me, I really appreciate that. Okay. And by the way, on my Twitter I usually like to share some tools, open source tools, by the way, focused on cybersecurity and programming languages and different products. And by the way, about the security stuff, right?

So let me introduce myself. I'm a security researcher at Sapporo, a company from Switzerland, and this company is responsible for providing visibility of the attack surface in different cloud environments. And not only cloud environments, but on premise as well. And Box and Microsoft Azure, Google Cloud, and by the way in Azure as well. And the idea behind this product is to look more at this isograph vision and how the attacker can explore different organizations. So I'm a security advocate for senhasegura. senhasegura is a global company responsible for providing a PAM solution. PAM is the acronym of privileged access management, right. And I'm an advocate for Hacking Is Not A Crime. It's an awesome project. By the way, it started in the US. The idea behind this project is to talk more about this concept called hacking, right? Because when you read some information in the newspaper or on TV, usually this term is related to cybercriminals. But it's wrong. The idea behind this talk about hacking is about how you can use your creative mind when you're looking at some software, how you can improve this specific software, and how you can help the companies, of course, looking from a security perspective. But when you look at the exposure of information, it's not hacking, it's about these threat actors, it's about these cybercriminals. Okay, so you can find more information on my web page, and on the web page of this specific project, okay. And I'm a coordinator of the DEF CON group, one of the coordinators of the DEF CON groups in São Paulo. And by the way, I'm talking not from Brazil, but I'm talking from Portugal. I'm living here now, actually. And I'm an instructor, writer and reviewer for those three magazines, PenTest Magazine, Hakin9 and eForensics. And you can find my course about malware attack types with the kill chain in PenTest Magazine. Okay, so just information about me.
So let's talk about our main topic. I would like to explain to all of you what exactly a threat is, because it's very important to put all those people on the same page, okay? So it's not a definition from Philippe, it's the definition from this specific ISO, okay. A threat is defined as a potential cause of an incident. I mean, something that happens in a specific company or organization, or is a potential cause of this specific incident. Of course the users or the security team maybe need to investigate more about that, but it's specifically about software attacks, or about the theft of intellectual property, or maybe identity theft. It's very important. And sabotage, it's another kind of threat. And information, or all those information distortions, are examples of information security threats. It's very important to understand those differences, okay? Because today we are talking about how you can use Python scripts from a more attack perspective. And because of that it's very important to understand what exactly a threat is, and how important it is that we improve our code, our applications, okay? As a result, many and many organizations chose an active threat hunting practice. I mean, they need to look more deeply at how the networks exactly work in the organization, and they need to investigate more about all those aspects inside of this specific network, okay? And let me invite you to think more with me within this specific brainstorming, right.

So today, when we talk about threats, it's very important because we have many different research areas.
And if you are a developer, if you're working for example in a DevOps team, maybe when you need to apply something, when we need to create some infrastructure, for example, we need to research more about that. And when you talk about security, we can work in different ways. We can work with threat research, we can discover new kinds of attacks, or specifically different views from the attacker's perspective; you can improve your team in a proactive line of defense against advanced threats, APTs, the acronym for Advanced Persistent Threats. In this case, what that means is using offensive techniques, because if you are again a developer, or if you are a programmer, no matter the specific name you use. But if you know how this works in web applications and mobile applications, for example, you know how these applications work. So basically you can find different possibilities to explore this specific software. So this is how you can use your offensive techniques, okay?

And you can work with vulnerability research. It's the same case; in the same way you can find some web application, you can investigate more how this application works, if you find some bugs. If you can explore inside of this specific bug, you can find a specific vulnerability, and you can work, for example, with the development of exploits specifically coded to explore this vulnerability. And we can work with reverse engineering. Sometimes this is related not only to mobile, because you can work with reverse engineering on a specific app or SDK or another APK or other different specific binary, but you can work with malware analysis, for example, using different methodologies like static analysis and dynamic analysis. And you can use reverse engineering inside of this specific methodology to look more deeply at how the binary works. I mean the portable executable, like a PE, or an ELF binary, or a PDF, or a Word document or Excel, or another different Office document. Okay, we can work in intrusion detection. I mean, we can work at security providers, and you can discover how this vulnerability works. And after that you can create a specific signature for this specific IDS, intrusion detection system, providing intelligence for this specific product. Okay. And you can work with forensic analysis; it's more related to post-attack. So when you collect this specific evidence, you can investigate more deeply about that. So we have many possibilities to work in our cybersecurity evangelist way. Again, if you are a developer, you have a good advantage, because you know how the applications work, you know how the mobile applications, web applications and whatever application works. This is the good advantage.
Okay, so first of all, we have a threat, and after that, usually when you investigate something about that, you see if it's a known threat, like for example Petya or a kind of ransomware. It's for example WannaCry or Petya or another specific attack using a specific malware, or it is an unknown threat; it's totally like a zero day. So the security providers don't have any signatures to protect themselves specifically against this attack. So basically we have, it's almost basically, of course it's only basically two different threats, a known and an unknown. Okay. And after that you can create a report if you execute some investigations about that. So it's very important, because when you describe that you can improve your knowledge about how the threats work. And of course you can provide this to your coordinator, your tech lead, your manager, because it's very important to give this specific vision to your organization. And after that you can improve your defensive mechanism, because when you see exactly the path used by the attack, you can see exactly what the technology used by the attacker is. You can see exactly this path. So this is the creative mind. So you investigate how this attack works in your environment, or you can think more about what the new possibilities are that you can use to explore this specific environment. That's very nice. And after that you can create this specific cyber threat intelligence. I mean, even if you are a big company or a small company, no worries about that. Because you can use different tools to help you to give this specific vision about how the cyber threat intelligence works. You can use different frameworks to give this big visibility. Okay, that's very important. And if you perform specific clan arts, you can look more deeply at that. Okay. And of course we need to have this specific strengthening of cyber resilience, because the threats are changing all the time. Okay, so nice.
So let's talk about creating a creative mind. Okay, so that's the point here and the main topic of our conversation in this event. So I will explain more about this pyramid called purpose, or the idea behind all that. Okay, so the purpose of this test was to run not only one, but more than one Python script to perform various efficient detection tests. And the idea is to bypass specific security solutions in my environment, when I worked in this specific organization. But you can use this in your environment now, no worries. And this is my suggestion. During our demonstrations, we will show a defensive security analysis with this offensive perspective. That's the point here. Using two Python scripts, or more than one, you can download many different malwares in this specific environment to test your security sensors.

Okay, so that's the idea. The first test is to simulate targeted attacks. The idea behind this test is to download different malwares and to understand what exactly the behavior of the security vendors is. Of course about the signatures, about the next generation antivirus, and about machine learning, because usually these security sensors have different technology to protect this organization. So the idea is to simulate real malwares to download in this specific environment. This is the first purpose. And the second purpose is to download more than one. I mean, my idea is to download the daily batches of these malwares. It means at the end of the day we have a specific MalwareBazaar repository; I will explain more in our conversation today. We can download more than one malware; it's a simulation specifically of how outbreak infections happen in your environment. So that's the idea. And this second task, because my thinking about that is how the behavior of the solution provided for this protection of the organization should be. So if I'm infected with this kind of outbreak infection in my environment, what should the behavior of the solution be? So that's the idea.

And by the way, not here, sorry. But here is the website, MalwareBazaar. It's bazaar.abuse.ch. You can find this, you can put in for example MalwareBazaar. It's pretty simple, you can click here. This is the idea, okay. MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community. So here you can see more than one specific malware, okay, it's many different malwares, different using tag signatures. For example, you can see an Excel file, a doc file, for example DLLs, executables from Microsoft or from Linux. For example you can look from, for example, you have here how you can search for a tag. For example you can put in here, for example, tag and PDF, click enter. You can see more than one PDF and different malware, as you can see here. And you can do some testing, for example you can use here my PDF. By the way, I downloaded this in 2020. This is a specific malware PDF. I have some talks where I explain more about this specific malware. But here is the main topic. We have here the API. And if you see here, different API queries, or different queries to use. And you can use here the example, the Python 3 example, of the Python script. I'm using those specifically from this specific repository; here is the guy responsible for creating that, okay, Corsin Camichel, I don't know if I pronounce it correctly, but he's a very nice guy. And he created specifically those tools that I am using here in this demonstration; I'll explain more about this specifically, okay, nice. Let me return here.
And this is the first Python code, okay, so the idea about this code, as you can see here, is that I import different libraries: requests and sys and argparse. It's a pretty simple Python script to execute this. Basically I will download one specific malware, or real malware, inside of my environment. And as you can see, I need to set -s to select the hash of the malware. So basically I need to see here, I need to find it, for example here in MalwareBazaar. This is for example, let's check, let me show you here. This is the hash, okay, the identity of this specific malware. So basically in this code I need to set -s, and after that I need to set this specific hash. And after that I need to set another argument, like -u, to unzip this file. Why? Because usually when you talk about these specific malware repositories, usually when you download some malware, as you can see, I will click here just to show you download. Take a look. This is the specific explanation. So usually the malware, when you download it, is zipped like this. And usually they're using the same password, "infected". So that's the idea, not only in MalwareBazaar, but you can find it in another, like for example Philip86; this is my GitHub. You can find in this specific repository here, and you can click here in repository, and after that you can click here in theZoo. Basically this is another repository; you can find here many other malwares, as you can see here. You can click here. It's not my repository, it's from the community. You can see here these binaries or source, and take a look at many different real malwares. So be careful, because it's real malware. Okay, so different ransomwares. So if you would like to make some tests, you can use here, for example, theZoo, or you can use here MalwareBazaar.

Okay, so let me return here. So remember, first of all I need to execute the Python script, and after that -s to set the hash, and after that -u to unzip the file. Okay, so basically this is the beginning of the file, and after that I need to set the password, as you can see here, "infected". I need to set here the API key provided by MalwareBazaar, because when you make your registration in MalwareBazaar, basically you need to have a specific Twitter account, and after that you have one of these specific API keys. So you need to put it in here, and after that you can execute the code to download, and after that unzip the file, as you can see here, and execute the malware. And in this case, not executing. I just download the malware in this environment. Why do I just download? Because my idea is to see the behavior of the engines detecting by signature. So I didn't need to execute the malware. Okay, so basically you execute here Python on the Windows platform, as you can see, malwaresbazaar.py here. Maybe it's small. I set here -s because I need to put in here the hash, as you can see, a big hash, I think it's SHA-256, this is the hash, and -u because I need to unpack or unzip this specific file. So as you can see here, it's WannaCry, a very well-known ransomware. Okay. And as you can see here, it detected this specific script. This is the malware I downloaded in this environment. And after that, the Python script unzipped that; this is the specific code. Okay, so after that, the idea is for Cybereason to block. This is the security solution, okay? And as you can see here, the malware was blocked. So good, nice. Because the solution works based on signatures. I didn't need to click to execute the malware, because when the script downloaded the malware in my environment, after that the engines responsible for signatures blocked this specific code. Okay. And as you can see, this log is blocked.
Okay. This second test I did in Sophos' security solution; it's another different solution, the same case. And now I'm using another hash. As you can see, it started with two, two ed, a different hash. It's another different malware, okay. And as you can see, the same behavior. So as you can see, first it downloaded the zipped file. And after that the code unzipped, or in this case unpacked, the specific sample. Not sample, it's malware in this case. But as you can see, this security engine blocked. And this is the specific malware. So very nice. And the third test, executing in this case on CrowdStrike. So I customized the specific code here. It's just for fun. And I put here another name, by the way, based_bazaar, -s, as you can see, it's another hash, -u. Those three hashes are malware. But in this case, CrowdStrike didn't detect. Why? At that time, when I performed these tests in 2020, at that time CrowdStrike explained to me that the solution just works with machine learning, not with signatures. I will explain the only way to detect this specific malware. This is the explanation from CrowdStrike. After the user clicks on this specific malware. I mean, the user needs to interact with the malware, okay. But from my perspective, this is the opinion of Philippe, it's very important to have the signatures, because why do I need to investigate? So why do I need to verify if the malware is malicious or not, when I know that this malware is malware? Okay, it makes sense for me. So I don't need to wait for the client or the user. Actually, I don't need to wait for the user to click this specific binary to see if it's malicious, because I know based on signatures that it is malicious. But I heard something about that, that now in this year, in 2021, the solutions will be improved. So I think now they work with signatures. And the second Python script; remember this is the first test. So Cybereason and Sophos had a good result, but CrowdStrike didn't have a good result, okay. Because of this behavior.
So this again. But in this case, the second test, remember, in this second test I simulate an outbreak infection. I will explain more about that. As you can see here, I import specific libraries, as you can see here. Okay, pyzipper to again uncompress the zip file, and the zip file actually, and here, as I mentioned, there's a simple customization, and at that time I worked at Supernovation. It's a global company, it's a Brazilian company, actually, responsible for providing different consulting and developer solutions. I think there's an explanation here. And as you can see here, this is downloading from this specific API. I call this specific API, as you can see here in the code, setting here the daily malware batches, as you can see. So remember, the community is responsible for providing many malwares per day. At the end of the day, MalwareBazaar collects all those malwares and puts them in a specific directory, and puts in this directory the name of the daily batches, as you can see here. So basically it downloads the specific data of the day, as you can see here. And so the idea behind this test is to download all those malwares during this specific date, and download them to simulate a specific infection, an outbreak infection. So this is the idea behind this code. So this is the second code. And again, daily bazaar, I call here malware_download. As you can see, using the date, specifically 10 September 2020, I'm downloading, calling the specific data test using this specific URL from the API of MalwareBazaar. Using the API from MalwareBazaar, the download is completed. After that I'm saving the data test, as you can see here, it's completed, because I called this specific directory from MalwareBazaar. And after that, as you can see here, the dataset is unpacked. So in this case, I downloaded more than, if I remember correctly, more than 300 malwares in this specific day. Okay. And as you can see here, so many malwares were detected.
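Both scripts in the talk, the single-hash download and the daily batch, end with a password-protected archive that has to be unpacked without running anything in it. The following is an added example, not the speaker's script or abuse.ch's code: it builds the get_file request, unpacks the archive, and checks each file's SHA-256 against the hash that was requested (or, for a batch, the file name) so a sensor test only ever uses the sample it was meant to use; the Auth-Key header name and the member naming inside the archive are assumptions.

```python
"""Fetch one MalwareBazaar sample by SHA-256 and verify it before it is examined.
Added example, not the speaker's script. Assumes the abuse.ch API (POST to
https://mb-api.abuse.ch/api/v1/, query=get_file) returns a ZIP with password "infected"
and that the Auth-Key header and "<sha256>.<ext>" member names are right. Samples are
hashed, never executed. zipfile reads ZipCrypto only; for AES archives use pyzipper."""
import hashlib
import io
import os
import re
import sys
import tempfile
import urllib.parse
import urllib.request
import zipfile

API_URL = "https://mb-api.abuse.ch/api/v1/"
ZIP_PASSWORD = b"infected"  # password MalwareBazaar puts on sample archives
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def build_request(sha256: str) -> dict:
    """Form fields for a get_file query; anything that is not a SHA-256 is rejected."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.match(sha256):
        raise ValueError("expected a 64-character hex SHA-256 hash")
    return {"query": "get_file", "sha256_hash": sha256}


def unpack_and_verify(zip_bytes: bytes, expected_sha256, dest_dir: str) -> list:
    """Extract each member into dest_dir, hash it from disk, return (name, sha256, matches).
    expected_sha256=None (daily batch): each member is checked against its own file name."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename)  # no path traversal via member names
            expected = (expected_sha256 or os.path.splitext(name)[0]).lower()
            out_path = os.path.join(dest_dir, name)
            with zf.open(info, pwd=ZIP_PASSWORD) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            with open(out_path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            results.append((name, digest, digest == expected))  # mismatch: discard the file
    return results


def fetch_sample(sha256: str, api_key: str, dest_dir: str) -> list:
    """Network path: request the archive and hand it to unpack_and_verify."""
    data = urllib.parse.urlencode(build_request(sha256)).encode()
    req = urllib.request.Request(API_URL, data=data, headers={"Auth-Key": api_key})
    with urllib.request.urlopen(req, timeout=60) as resp:
        body = resp.read()
    if not body.startswith(b"PK"):  # errors come back as JSON text, not as a ZIP
        raise RuntimeError("no archive returned: " + body[:200].decode("utf-8", "replace"))
    os.makedirs(dest_dir, exist_ok=True)
    return unpack_and_verify(body, sha256, dest_dir)


def selfcheck() -> bool:
    """Offline check with a constructed archive of benign bytes, not a real sample."""
    payload = b"constructed stand-in for a sample; not malware"
    digest = hashlib.sha256(payload).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("daily/" + digest + ".exe", payload)
    with tempfile.TemporaryDirectory() as tmp:
        good = unpack_and_verify(buf.getvalue(), digest, tmp)
        by_name = unpack_and_verify(buf.getvalue(), None, tmp)
        bad = unpack_and_verify(buf.getvalue(), "0" * 64, tmp)
    return good == [(digest + ".exe", digest, True)] and by_name == good and not bad[0][2]


if __name__ == "__main__":  # usage: fetch_sample.py <sha256> <dest_dir>; API key in MB_API_KEY
    print(fetch_sample(sys.argv[1], os.environ["MB_API_KEY"], sys.argv[2]))
```

Run it only on an isolated test machine, as the talk does; the hash check matters because a sensor verdict is only meaningful if the file on disk is really the sample you asked for.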
And by the way, all those tests I reported to Cybereason, to Sophos, and I reported to CrowdStrike. And basically in this specific test, Cybereason didn't detect every malware, but I reported that to the cybersecurity solutions. And after that I had some conversations with them, and they improved the solutions. It was a very nice conversation with Cybereason. The second test I performed in the Sophos environment. And as you can see here, in this case I saw a different behavior, because Sophos has more than one binary in this solution. Remember, in the beginning, the purpose of these tests is to simulate an efficient detection test. So the idea is to simulate a behavior from the engines providing detection from signatures, machine learning and next generation antivirus. So in some solutions we have all those protections in the same binary, but in this case, in Sophos, as you can see here, we have more than one service, or actually not services, but binaries inside of the machine, the user machine. Because of that, when I try to simulate this specific test, we have high, high CPU, as you can see here, and high, high memory, to protect. So remember, when I had this idea, my idea was to understand what exactly the behavior of the engines is. So maybe I could break the engine. And when I break this engine, because of the many infections in the user machine, I can block the protection. So from the attacker's perspective it's very nice, because I could gain access in the environment, because I don't have any antivirus protections to protect against the threats.
Okay, spoiler alert. Just a few other codes that I don't have the idea to explain during this session, but I would like to show you something very simple like this. You can find this on the Internet very easily, okay. It's a simple import of some specific libraries to open a socket here. Because in this case my idea is to gain a reverse shell on a specific victim machine, as you can see here. I import a specific socket, setting here my web server, and after that I set my port to open a reverse port using my local port, okay, and very simple. And I'm using this here to infect a specific victim machine, as you can see here. So I made this specific test on CrowdStrike. So first of all I download the binary here; because of that it's a spoiler, because maybe I can talk more about that in another event, and just a simple spoiler about that. So I enable all those security policies here. And I go to the specific... I open netcat to receive this specific reverse shell, as you can see here. And after that I need to download this specific file inside of the victim's machine. And I need to execute this file in this victim's machine, okay? And after that I will receive this specific reverse shell. So as you can see here, this is my machine and this is the port, actually the attacker port. And here is the attacker machine. Okay, so let me return here to the victim machine, let me click here, and I need to execute here the Python script, that Python script that I showed you. So I call it shell.py. Open the service here. As you can see, the CMD in green color, but nothing happened here and nothing was blocked here. But as you can see here, I gained the reverse shell in the victim machine. So now I have access to this specific environment. So I have all that access. I'm a local domain... I can use it to do different things, and by the way, I execute different commands here and I explore different things. But it's a spoiler, so I need to show you this in other events.

So if you have any questions, everyone, please let me know. And thank you again for this time here during the session. I hope this session will be useful for you. Again, I showed you more about this specific Python code, but I just want to give you this specific creative mind, and when you work in your organization, how you can look at your security sensors using Python scripts, because it's easy to create that, and how you can use Python scripts to improve your security environment. Okay, so that's my idea during the session. So again, thank you so much for being here with me, and see you in the next event.