APT - A Pretty Trojan
Iñaki Rodríguez

And the thanks goes to

About me
- Security Manager at Wuaki TV
- Ex-Pentester at SensePost
- Founder member of Mlw.re
- @virtualminds_es

A Middle East tale
(Malware, Russians and Exploit kits)

Far, far, really far in Dubai
- Exfiltration test
- Social Engineering
- Targeted Attack
- Desktop users
- Exploit kits

Our team mate got access
Meanwhile in London
- Email
- Excel files
- PDF
- Metasploit
- Sakura

But no exfiltration!
Almost there but
- First stage executed
- Meterpreter downloaded
- No reply

Give me baby one more time

Help! I need somebody

The characters

Barcelo Dub

Starring

Russian wettest dream
- Exploit kit for campaigns
- Phishing
- Trainings

Impossible Mission?
- Exfiltration of information
- Help the company to avoid it
- Two weeks

Adventure Time

Back to the Future
- Same payloads
- Same exploits
- Patterns in Splunk

Growing Pains
- Meterpreter
- First stage: a kind of client
- Second stage: the real Meterpreter
- Problems: protocol and DLL
- Crypters useless

My TODO
- Endpoint protection
- Proxy
- Antispam/AV solution
- Firewall/IDS/IPS
- Flight under the radar
- Custom malware

Bypassing SEP (I)
- Macro execution
- Shellcodes
- Dropper
- First IRAT version
- Because anything with I is cool

Bypassing SEP (II)
- EXE to VBS

Bypassing Websense (I)
- Content classification
- Financial content
- No executables
- Mirroring
- Hidden commands

Bypassing Websense (II)

Bypassing Message Labs
- Zip files
- Antivirus
- Password protected
- SPF
- Controlled SMTP server

Bypassing PaloAlto
- Next-gen firewall
- No ports
- Based on application recognition
- RFC
- Meterpreter HTTP(s) caught!
- IRAT to the rescue
- Pretty simple GET and POST
- No SSL
- ASCII to HEX encoding

Bypassing IDS

IRAT: Iñaki's Remote Administration Tool
- KISS
- No dependencies
- C (Nightmare)
- No crypters (Sorry Abraham)
- Proxy support
- HTTP(s)
- ASCII to Hex
- Commands into simple HTML files
- C&C panel with templates
- FUD (Fully undetectable)

IRAT: Communication

IRAT: C&C (I)

IRAT: C&C (II)

The attack

Bypassing Humans
- Top 120 lusers
- Emails with a predefined message
- Excel attached (.xls)
- HHRR impersonation
- With my own SMTP server
- Client threatened by employees
- Not my fault :)

You've Got Mail

/con/cat

Facts!

Results
- First try
- Second try

And now what?

The hangover
- Patterns on logs
- Splunk logging everything
- Under the radar
- User agent
- One guy on SecurityFocus
- Looking for mainframe exploits

Weakness
- SPF
- Check your own domains!
- Logging
- Too much, too useless
- Antivirus
- In AVs we trust

Yet another Cuckoo deployment
- Exchange mailboxes
- Attachments to Cuckoo
- VBS
- Logs sent to Splunk
- Custom signatures

Mail2Cuckoo

OK, OK, I'll finish. But
- PowerPoint Engineering
- Expectations
- Security By Default
- Investment on people

THANKS!!
Q/A