Delivered at ACSC in Canberra on 11 April 2018.
This presentation builds upon previous research Intel 471 has undertaken with Dhia Majoub (Cisco/OpenDNS) and Jason Passwaters (Intel 471)
Upgrading your Cyber Threat Intelligence to Track Down Criminal Hosting Infrastructure
Dhia Majoub - https://www.sans.org/summit-archives/file/summit-archive-1517343456.pdf
VB 2017: BPH exposed - RBN never left they just adapted and evolved. Did you?
Jason Passwaters / Dhia Majoub - https://www.virusbulletin.com/conference/vb2017/abstracts/bph-exposed-rbn-never-left-they-just-adapted-and-evolved-did-you
The Cybercriminal Underground: Understanding and categorising criminal marketplace activity
1. “Play the man, not the malware”
The Cybercriminal Underground
Understanding and categorising criminal marketplace activity
2. About Me
● Token Australian at Intel 471 but haven’t lived in AU for 5+ yrs
● CEO and Founder of Intel 471
● Previously Chief Researcher at iSIGHT Partners (FireEye)
● Previously Technical Specialist at Australian Federal Police
● Over a decade of researching and tracking top tier cyber threat actors across both government and the commercial space
3. Objectives
● Understand how cybercrime works by viewing it through a business lens
● Establish a common vocabulary
● Conceptualise cybercrime and all related aspects
● Show how you can map out, organise, and visualise the underground
● Remove marketing from the intelligence equation
○ “Deep and dark web” is a lame marketing term
4. Observing the adversary
● Your own attack surface ← #1 way to observe as it relates to you
● The attack surface of other people like you (sharing)
● Technical collection (botnet/campaign tracking and emulation)
● Actor communications (the underground)
[Figure: the four sources above are laid out on a vertical axis running from REACTIVE at the top to PROACTIVE at the bottom]
--------------------------------THE PERIMETER--------------------------------
5. What is the cybercriminal underground?
● Vast majority of threat actors there are financially motivated
● Includes criminal forums, marketplaces and places where actors can be engaged
○ “Adversary space”
● Nation states/espionage actors are in the underground but operate quietly
6. What does the underground look like from our perspective?
● Criminal forums/marketplaces that anyone can register for
○ Alphabay (dead), Silkroad (dead), Dreammarket etc
● Vetted/invite only forums and marketplaces
● Information obtainable only via direct communication with cybercriminals
7. Viewing cybercrime through a business lens
● Making money is the goal
● The marketplace exists so that actors can buy, sell, and talk about buying/selling
● Reputations and brands are built over years
● Fortune 500 CEOs would be impressed
● Understand the business models, processes, and pain-points
8. Typical structure of cybercriminals
● Decentralised and grouped by specialisation
○ Not often structured like traditional organised crime (hierarchical, culture of trust)
● Examples:
○ Gameover/Jabber Zeus
○ “Carbanak”
10. Underground Marketplace - Organisation
● Financially motivated cybercrime is primarily facilitated by the underground marketplace comprised of actors that buy, sell and talk about products, services, and goods
[Diagram: Cybercrime splits into three branches: Products / Services / Goods]
11.-13. Underground Marketplace - Organisation
[Diagram built up over three slides; the complete version is shown once here]
Cybercrime
● Products: a thing that has been refined for sale
● Services: organised system that provides accommodation required by the underground
● Goods: illicit digital merchandise, wares, or commodities usually sold in bulk
14. Underground Marketplace - Organisation
Tier 1
● Least number of actors
● Most significant actors
● Biggest victim impact
15. Underground Marketplace - Tier 1
[Diagram: Cybercrime splits into Products / Services / Goods, each with a Tier 1 layer]
Tier 1 products, services, and goods are core elements and key enablers of financially motivated cybercrime activity. They form the basis for what we consider “financially motivated cybercrime”
19. Underground Marketplace - Tier 3
[Diagram: Cybercrime splits into Products / Services / Goods, each divided into Tier 1, Tier 2 and Tier 3]
Tier 3 products, services, and goods are those tertiary elements of financially motivated cybercrime that have limited impact on their own
21. Introduction to Bulletproof Hosting (BPH)
● Used by cybercriminals to host malicious things and not have them taken down
23. Putting it into practice - Bulletproof Hosting (BPH)
● Key enabler for huge amounts of cybercrime
○ Malware C&C, phishing, exploit kits etc
● Tracking the malware and exploit kit IOCs (only after they have been used) = reactive and lots of resources
● Tracking bulletproof hosters = proactive, timely and fewer resources required
● Only 8-10 tier 1 bulletproof hosters in the underground
24. Real case study
● RFI received from a customer
● Identified a Hancitor malspam campaign detected at their perimeter
● Provided IOCs and other info (domain WHOIS info, etc) related to the campaign
● The ask:
○ Provide information about “WHO” (Infrastructures, Groups, Individuals, etc)
○ Highlight any TTPs associated with the threat actors and their activity
25.-27. Visualise the flow of what happened
1. Phishing email sent from fedex@wowgreatshop.com
2. Victims click on malicious URLs hosted on: palmbeachmarinecontractor.com, palmbeachstrykers.com, cleanairexperts.com, palmbeachautomotive.com, gonegreensupply.com
3. Malicious Word doc drops Hancitor
4. Hancitor makes C2 call to domains for trojans: kedmolorop.com, tttconstruction.co.za, thettertrefbab.ru
5. Trojans (Pony, Evil Pony, Zloader, Gozi-ISFB, etc) make C2 call for extra malware or functionality: pahattitbut.com
6. Infection on device & positioned for data extraction
28. Patterns across a dozen Hancitor campaigns
[Diagram: the malspam campaign infrastructure mapped to the hosting behind it]
Malspam campaign:
● Spoofed sender domain: wowgreatshop.com
● Phishing URLs: palmbeachautomotive.com, palmbeachstrykers.com
● Hancitor C2: kedmolorop.com, tttconstruction.co.za
● Pony / EvilPony / Zloader C2: pahattitbut.com
Hosting the above resolves to:
● BPH 1: Tier 1 BPH service
● BPH 2: Dedicated small time BPH and abused hosters
29. End result of bulletproof hosting tracking
● Get upstream and monitor/track infrastructure providers to be proactive against many different threats
● Track BPH services to identify infrastructure before the bad guys are using it for badness - pre-IOCs (our marketing gimmick term)
● Understand the business models and processes to identify proactive and more impactful courses of action
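The infrastructure pivot the case study builds up to, and the “pre-IOC” check described on this slide, written out as an added example. This is not code from the presentation or from Intel 471: the hoster labels, the prefixes (RFC 5737 documentation ranges) and the .example domains are all constructed assumptions standing in for an analyst’s own attribution data, and no real netblock, provider or campaign is implied.

```python
"""Pivot from campaign IOCs to the hosting behind them, then run the
"pre-IOC" check: flag addresses in tracked bulletproof-hosting (BPH)
space that no campaign has used yet.

Added example, not code from the presentation or from Intel 471. All
data is constructed: hoster labels are placeholders, the prefixes are
RFC 5737 documentation ranges and the domains sit under the reserved
.example TLD. None of it maps to a real provider or campaign.
"""
from collections import defaultdict
import ipaddress

# Assumption: an analyst has already attributed these prefixes to two
# hosters through actor tracking, WHOIS/ASN history and reseller chains.
TRACKED_BPH_PREFIXES = {
    "BPH-1 (tier 1 BPH service)": ["192.0.2.0/24", "198.51.100.0/25"],
    "BPH-2 (small-time BPH)": ["203.0.113.128/26"],
}

# Constructed indicators from several malspam campaigns:
# (campaign, role in the chain, domain, IP it resolved to when observed).
OBSERVED_IOCS = [
    ("camp-01", "phishing-url", "shop-a.example", "192.0.2.17"),
    ("camp-01", "hancitor-c2", "c2-a.example", "198.51.100.40"),
    ("camp-01", "pony-c2", "c2-b.example", "198.51.100.41"),
    ("camp-02", "phishing-url", "shop-b.example", "192.0.2.99"),
    ("camp-02", "hancitor-c2", "c2-c.example", "203.0.113.130"),
    ("camp-03", "zloader-c2", "c2-d.example", "198.51.100.42"),
    # An abused legitimate host: real campaigns mix these in, and the
    # pivot must not attribute them to a BPH service.
    ("camp-03", "phishing-url", "compromised-site.example", "203.0.113.9"),
]

_NETWORKS = [
    (label, ipaddress.ip_network(prefix))
    for label, prefixes in TRACKED_BPH_PREFIXES.items()
    for prefix in prefixes
]


def attribute_ip(ip):
    """Return the tracked hoster label for ip, or None if no tracked range contains it."""
    addr = ipaddress.ip_address(ip)
    for label, net in _NETWORKS:
        if addr in net:
            return label
    return None


def cluster_by_hoster(iocs):
    """Group indicators by hosting attribution; unmatched ones land under 'untracked'."""
    clusters = defaultdict(list)
    for campaign, role, domain, ip in iocs:
        clusters[attribute_ip(ip) or "untracked"].append((campaign, role, domain, ip))
    return dict(clusters)


def campaigns_sharing_hoster(iocs):
    """Map each tracked hoster to the sorted campaigns that used it: the cross-campaign pattern."""
    by_hoster = defaultdict(set)
    for campaign, _role, _domain, ip in iocs:
        label = attribute_ip(ip)
        if label:
            by_hoster[label].add(campaign)
    return {label: sorted(names) for label, names in by_hoster.items()}


def pre_ioc_alerts(candidate_ips, known_iocs):
    """Pre-IOC check: addresses inside tracked BPH space that no campaign has used yet.

    candidate_ips would normally come from watching the hoster's ranges
    (new DNS records, new listeners); here they are passed in directly.
    """
    already_seen = {ip for _c, _r, _d, ip in known_iocs}
    return [
        (ip, attribute_ip(ip))
        for ip in candidate_ips
        if attribute_ip(ip) is not None and ip not in already_seen
    ]


if __name__ == "__main__":
    for hoster, items in cluster_by_hoster(OBSERVED_IOCS).items():
        print(hoster)
        for campaign, role, domain, ip in items:
            print(f"  {campaign:8} {role:13} {domain:26} {ip}")
    print("campaigns per hoster:", campaigns_sharing_hoster(OBSERVED_IOCS))
    # Constructed: addresses seen lighting up in the ranges after the campaigns above.
    print("pre-IOC alerts:", pre_ioc_alerts(
        ["198.51.100.77", "198.51.100.40", "203.0.113.150", "203.0.113.9"],
        OBSERVED_IOCS,
    ))
```

The expensive part is building TRACKED_BPH_PREFIXES: that is the actor tracking, WHOIS/ASN history and reseller-chain work the slides describe, and the matching above is cheap once it exists. The abused legitimate host in camp-03 is there on purpose: attributing everything in a campaign to the BPH service would blame the wrong party, so hosts outside tracked space stay “untracked” rather than being folded into a hoster cluster.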
30. Alex
● Have been tracking the actor Alex for over a year
● The IP addresses on the previous slide are tied to his bulletproof hosting infrastructure
31. Who are Alex’s clients?
[Table with four columns: RANSOMWARE, MALWARE, PHISHING, OTHER]
RANSOMWARE: CERBER, LOCKY/OSIRIS, SAGE
MALWARE: YAKES, RAZY, BARYS, KOVTER, DRIDEX, HANCITOR, NEMUCOD, PANDA BANKER (ZEUS), NYMAIM, ZUSY, SYMMI/GRAFTOR, GAFGYT (LINUX), MARCHER (ANDROID), VALYRIA, PONY/FAREIT, MIRAI and more
PHISHING: GLOBAL BANKS, AMAZON, CDN PROVIDERS, YANDEX, MICROSOFT, LOCAL UK GOV, CROWN PROSECUTION, HILTON, Google and a whole lot more
OTHER: EXPLOITATION OF CVE-2017-0199, DRUG SHOPS, CYBERCRIME FORUMS, DUMP SHOPS, CASINOS, PIRATING/FILE SHARING
33. Conclusions
● Visualize the underground marketplace in terms of products, services, and goods (and consumers)
● Organize products, services, and goods in terms of their significance by Tier 1-3
● Understand that cybercrime is a collection of systems, processes, actors, and groups working very similar to how businesses work to make money
● Realize that it’s possible to map out the marketplace and identify that small amount of actors that do the most damage
At the top are the things directly relevant to you
At the top is being the most reactive - like doing a boxing match with your hands tied behind your back
At the bottom is being the most proactive
Ultimately cyber threat intelligence is threat focused, meaning the threat is a person with an intent, goal, motivation and TTPs (malware isn’t a threat, the person using it against you or your customers is)
Fortune 500 CEOs would be impressed:
Marketing
Productization / Commoditization
Impressive returns on investment
Longevity in a semi-permissive environment
Sophistication
Understand the business models, processes, and pain-points:
Provides a fuller understanding of the threat from a macro to micro view
Helps identify realistic and most impactful courses of action
Gameover Zeus
Slavik sold Zeus on a buy-in amount of $ plus a % of every transaction that went through it
The actors who bought this service used a third party service for the management and recruiting of mules, which cost a % of the $
Carbanak
Horrible name to describe this activity, as Carbanak is a combination of the words Carberp and Anunak, which are separate trojans
Some actors who have used Anunak have also used Carberp alongside other trojans/tools like Money Maker Banker Bot, Smoke Loader etc
Not a good idea to name a group after the malware they have used, especially when said malware is used by multiple actors
Of the 17M actors in the underground, probably less than 2,500 are actually doing most of the real damage
Of the 17M you have lots of duplicates, researchers, LE, skids, and scammers too
There’s a good bit of effort up front to do this, but it’s a bell curve basically
Once completed, efforts are focused on the threat actors that matter for the most impact and the most valuable intelligence collection
You build such an intimate knowledge of the underground marketplace that new actors are quickly noticed, actors that are assuming others’ identities are easily sniffed out, legitimate actors and scammers are easily told apart, etc.
In the end this provides true intelligence value to the teams you can support
This marketplace facilitates actors involved with buying, selling, or talking about products, services and goods
A lot of analysts don’t realize that if you listen to what the criminals say they’ll tell you some interesting stuff...of course criminals are lying scum as well, so we need to assess the info appropriately. This ability comes with time.
Examples:
Malware authors announce new releases and functionality
BPH providers provide descriptions of their services
Actors complain about others
You can elicit information from actors (HUMINT/engagements)
We can divide the underground marketplace up into 3 primary areas
Products, Services, and Goods...these are all business terms for the most part
Products are basically just stuff that you can buy
Actors have productized this stuff into a solid product
The market is the judge
Services play an enabling role in cybercrime
These folks are the hidden hand of cybercrime
As is expected, service providers interact with more cybercriminals than any other
Easy to quantify the impact of a product or good, but very hard to quantify the impact of services
Goods: this is your bulk data that’s often advertised in the marketplace, but sold in custom shops
Before we get into some examples I want to organize the marketplace 1 step further
Think of “Tiers” as a measure of the significance some product, service, or good plays in the cybercrime ecosystem
1 - most significant, 3 - least significant
Tier 1 is the top tier of actors
Tier 1 is often the most sophisticated and mature in a business sense
Impacting Tier 1 has more of a downstream effect on the entire model, essentially making things harder or even impossible
Most impact can be realized when you affect key enabling services
These tend to involve more sophisticated actors and business models/setups - front companies, large amounts of money, etc
This is usually where your top tier and most impactful actors like to hang out
Now we start mapping in the actors and making sense of things
Our job starts to get much easier as we build that clarity on the “who’s who”
We can even categorize the actors in terms of significance within their respective area/specialty, but we’ll leave that for another day
Lastly we start to target the actors specifically to answer key questions and fill gaps in knowledge
This is where we really start to understand the business models and processes, and identify pain-points where max impact can be realized
Yalishanda is a Russian actor who spends his time between Russia and China and is a tier 1 bulletproof hoster
Huge amounts of badness have been hosted by him, including ransomware (Cerber, Locky), malware (Dridex, Panda Banker, Pony, Mirai and more), phishing (banks, CDNs, retail companies) and other things like exploits, drug shops, cybercrime forums, CC dump shops etc