
Page 1: TRENDING THE CRIMEWARE ECOSYSTEM - Countermeasure › wp-content › uploads › ... · TRENDING THE CRIMEWARE ECOSYSTEM Kevin Stear Threat Analysis Lead RSA FirstWatch @w1mp1. ABSTRACT

TRENDING THE CRIMEWARE ECOSYSTEM

Kevin Stear

Threat Analysis Lead

RSA FirstWatch

@w1mp1

Page 2:

ABSTRACT

Capitalism and open market forces currently drive the evolution of today’s Crimeware environment, where a close-knit ecosystem of goods and services is thriving based on demand from ongoing malicious campaigns.

THE CRIMEWARE ECOSYSTEM

Page 3:

Underground forums currently occupy several regional network and market segments

Emerging W. Africa marketplace

− Real Nigerians?

Forums act as key exchanges for Crimeware goods and services

− Traffic/Delivery

− Hacking-as-a-Service (HaaS)

− Malware Development

− Infrastructure-as-a-Service (IaaS)

UNDERGROUND FORUMS AND EXCHANGES

THE CRIMEWARE ECOSYSTEM

Graphic courtesy of Trend Micro:

https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-the-deep-web.pdf

https://documents.trendmicro.com/assets/wp/wp-cybercrime-in-west-africa.pdf

Page 4:

Traffic

− Compromised Site

− Malvertising

− Spam Provider

− Traffic Distribution System (TDS)

Delivery

− Exploit Kit

− Drive by Download

− Droppers/Clickbait

Hacking

− Denial of Service

− Credential Harvesting

− Reconnaissance

− Bug Hunting

GOODS & SERVICES

THE CRIMEWARE ECOSYSTEM

Malware/Payloads

− Ransomware

− Info-stealer

− Miner

− Remote Access Trojan (RAT)

− Exploit Development

Infrastructure

− Bulletproof Hosting

− Shadow Domains

− Botnets

Page 5:

TRAFFIC

PAYLOADS

INFRASTRUCTURE

DELIVERY of EXPLOIT

SUSTAINABILITY

HOW IT WORKS TOGETHER

THE CRIMEWARE ECOSYSTEM

Malvertising

Compromised Sites

Traffic Distribution System (TDS)

Bulletproof Hosting

Domain Shadowing

Botnets

Drive-by Download

Exploit Kits

Clickbait

RAT

Miner

Info-Stealer

Ransomware

Denial/Destruct

Bug Hunting

Reconnaissance

HACKING-as-a-SERVICE

New Bots

Cash Money

Credentials

Page 6:

TRAFFIC

PAYLOADS

HACKING-as-a-SERVICE

INFRASTRUCTURE

DELIVERY

SUSTAINABILITY

Traffic intersects operational infrastructure.

Exploits target vulnerable client devices.

Legitimate traffic is herded into designed bottlenecks.

Successful payloads and hacking services provide sustainability.

HOW IT WORKS TOGETHER – CRIMINAL VIEW

THE CRIMEWARE ECOSYSTEM

Bad stuff lands on the victim machine.

Page 7:

TRAFFIC

PAYLOADS

HACKING-as-a-SERVICE

INFRASTRUCTURE

DELIVERY

SUSTAINABILITY

A friendly BOTNET delivers…

*DING* ‘you have mail!’ “Oooh, pictures of my grandkids!”

*CLICK* (or facepalm)

Grandma’s email address is harvested or purchased from a list service.

Kevin re-images her machine…

HOW IT WORKS TOGETHER – VICTIM VIEW (AKA MY GRANDMA)

THE CRIMEWARE ECOSYSTEM

Panicked phone call: “Kevin, my computer just all locked up…”

Page 8:

REALLY… BUT WHY ARE TRENDS IMPORTANT?

CRIMEWARE TRENDS

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs: https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/

Hello all!!! Today we opened our service, into which we invested a lot of time and effort. Right now, we have bruteforced RDP-servers for sale at very low prices, as well as SOCKS. Soon, we’ll be offering SSH-tunnels, VPN, and Shells for sale. We hope you will like us, and that you will find everything you are looking for!!!! We will always be happy to listen to your suggestions regarding the functionality and design of the service, as well as suggestions for improvements, etc. Write using our ticket system…

P.S. Before using our service we strongly recommend that you familiarize yourself with our rules and pricing. Just like in the real world, ignorance of the law does not absolve you of responsibility, same here, not knowing our rules does not excuse you from responsibility if you break them.

Page 9:

THE DECLINE OF EXPLOIT KITS

CRIMEWARE TRENDS

Shadowfall, a joint RSA and GoDaddy takedown

− Disrupts more than 40,000 active shadow domains supporting RIG Exploit Kit (EK) and other malicious campaigns

Decline in Exploit Kits?

− Perceived shift away from compromised sites as a traffic source for EK delivery due to increased scarcity of necessary credentials

− Industry research support*

Impact

− Malspam takes over as the primary delivery vector

− Malvertising becomes the primary traffer (traffic source)

Decline in RIG Exploit Kit: https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-exploit-kit/

Fluctuation in the Exploit Kit Market – Temporary Blip or Long-term Trend?: https://www.digitalshadows.com/blog-and-research/fluctuation-in-the-exploit-kit-market-temporary-blip-or-long-term-trend/

MARKET FORCES AT WORK?

Page 10:

Compromised Sites

Malvertising

Traffic Distribution System (TDS)

Bulletproof Hosting

Domain Shadowing

Cash Money

Credentials

CHTHONIC Banking Trojan

Crypto Currency Miners

RAMNIT Ransomware

Exploit Kit

RIG EXPLOIT KIT

THE CRIMEWARE ECOSYSTEM

Page 11:

From Jun-Sep 2017, RSA FirstWatch saw the increased use of Malspam as a delivery vector:

CRIMEWARE TRENDS

Crimeware:

− JACKSBOT

− CVE-2017-8759

− XMRIG (Miner)

− ZBOT

− CVE-2017-0199

− NANOBOT

− HANCITOR/PONY

− LOCKY

− TRICKBOT

− GLOBEIMPOSTER

− BEBLOH

− CERBER

− TRICKBOT

− AGENTTESLA

− HAWKEYE

− EMOTET

− LOCKY

− LOKIBOT

− ZYKLON

− CERBER

− DRIDEX

Graphic courtesy of @james_inthe_box

2017 SUMMER OF MALSPAM

Targeted:

− MOONWIND

− COBALT STRIKE

− CVE-2017-0262

− DIMNIE

− CHTHONIC/DIMNIE

− XTREME

− MONSOON

Page 12:

Malvertising

Malspam

Bulletproof Hosting

Botnets

CERBER Ransomware

LOCKY Ransomware

Drive-by Download

LOCKY AND CERBER

THE CRIMEWARE ECOSYSTEM

Cash Money

Credentials

CUSTOMER SERVICE!

Thanks CERBER… so thoughtful ;)

Ransomware remains a RELIABLE REVENUE STREAM.

Backup routinely & use DMARC, people!
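The "use DMARC" advice above is only useful if the published policy actually enforces. This added check (not from the deck) parses a DMARC TXT record and lists the weaknesses a malspam campaign could still exploit; the two records at the bottom are constructed examples, and the reporting address is a placeholder.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of weaknesses; an empty list means spoofed mail is rejected."""
    t = parse_dmarc(txt)
    if t.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    issues = []
    p = t.get("p", "none")
    if p == "none":
        issues.append("p=none: mail failing DMARC is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    # sp defaults to p; an explicit weaker sp leaves subdomains open to spoofing
    if t.get("sp", p) == "none" and p != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in t:
        issues.append("no rua: no aggregate reports showing who is spoofing the domain")
    return issues


# Constructed records (assumptions, not taken from the deck): a weak one and a fixed one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc(rec) or ["enforcing"])
```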

Page 13:

THE DESTABILIZATION OF UKRAINE… BULLETPROOF HOSTING?

CRIMEWARE TRENDS

Graphic courtesy of wikipedia

Hey, they’re not enforcing many laws… let’s host our Crimeware campaign over here!?

Page 14:

CREDENTIAL & INFRASTRUCTURE HARVESTING

CRIMEWARE TRENDS

Continued trend for heightened rate of scanning and brute force attacks

One of many conveniently available and botnet enabled hacking services

Chart credit: @bad_packets

SSH attacks are on the rise! (HACKING-as-a-SERVICE)

Indicative of increased DEMAND for scarce goods?

Why is port 22 open???

Page 15:

Malspam

Credentials

HANCITOR Info-stealers

TRICKBOT Banking Trojan

Clickbait

TRICKBOT AND HANCITOR

THE CRIMEWARE ECOSYSTEM

Bulletproof Hosting

Botnets

HEY, THANKS FOR THE BANK ACCOUNT INFORMATION!

Also indicative of increased DEMAND for scarce goods?

Weird, that PNG file is really an EXE…
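A "PNG" that is really an EXE is caught by looking at the bytes rather than the name. This added example (not from the deck) compares a file's extension with its header signature and, for the Windows executable case, follows the MZ stub's `e_lfanew` pointer to confirm a real PE header; the sample bytes are constructed, not a real malware artifact.

```python
import struct

# Header signatures -> normalized type. "PK" also covers docx/xlsx/jar containers.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe", "docx": "zip", "xlsx": "zip", "jar": "zip"}


def sniff(data):
    """Longest signature first, so a short prefix never shadows a longer, more specific one."""
    for sig in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC[sig]
    return None


def is_pe(data):
    """Stronger than the 2-byte MZ check: e_lfanew at offset 0x3c must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", data, 0x3c)[0]
    return len(data) >= off + 4 and data[off:off + 4] == b"PE\x00\x00"


def check_masquerade(filename, data):
    """Return (claimed_type, sniffed_type, suspicious). Suspicious when the header
    identifies a known type that disagrees with what the file name claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXT_ALIASES.get(ext, ext)
    real = sniff(data)
    if real == "exe" and not is_pe(data):
        real = "mz-stub"  # MZ prefix without a PE header: still not an image, still worth a look
    return ext, real, real is not None and real != ext


def _constructed_pe():
    """Minimal constructed PE-looking blob: MZ stub whose e_lfanew (0x40) points at PE\\0\\0."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3c, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


if __name__ == "__main__":
    print(check_masquerade("grandkids.png", _constructed_pe()))   # ('png', 'exe', True)
```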

Page 16:

BOTNETS

CRIMEWARE TRENDS

Current Threats

− NECURS

• Mixed personal computers, servers, other devices…

− MIRAI/PERSAI

• Internet of Things (IoT) devices

− REAPER

• IoT devices

− SCHOOLBELL

• Schools, Libraries, and more

Just who controls these capabilities?

How are they being weaponized?

− Malspam (e.g., Locky)

− Malvertising (e.g., Methbot)

− Hacking services (e.g., DDoS)

− Operational Relay Botnet (ORB)

Page 17:

THE DDOS THREAT

CRIMEWARE TRENDS

Distributed Denial of Service (DDoS)

DDoS Extortion

Arbor Networks 12th Worldwide Infrastructure Security Report: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf

Help Net Security: https://www.helpnetsecurity.com/2017/09/25/large-ddos-attacks/

INFRASTRUCTURE INVESTMENT: DDoS now comes with pulse wave attacks to increase your attack surface!!

DDoS Protection & Fallback Comms Plan

Page 18:

RISE OF THE MINERS

CRIMEWARE TRENDS

The idea of a mathematically secure chain of blocks began in 1991 and was first conceptualized as digital currency in 1998 as ‘Bit Gold’. Bitcoin was the first decentralized digital currency and was implemented in 2009.

Blockchain - a chronological series of transactions/records that reference previous blocks to create an immutable and distributed digital ledger.

RSA FirstWatch tracks actors’ use of Monero mining and drive-by mining via Coinhive.

Page 19:

Malvertising

Traffic Distribution System (TDS)

Bulletproof Hosting

Domain Shadowing

Cash Money

Coinminer

Ransomware

TERROR Exploit Kit

THE CRIMEWARE ECOSYSTEM

TERROR EXPLOIT KIT

NEW REVENUE STREAM: Mining malware and drive-by mining represent CAPITAL innovation by threat actors.

Threat Intelligence & Domain Reputation Services

Page 20:

PREVALENCE OF SSL AND CODE-SIGNING CERTS

CRIMEWARE TRENDS

‘Borrowing Microsoft Code Signing Certificates’: https://blog.conscioushacker.io/index.php/2017/09/27/borrowing-microsoft-code-signing-certificates/

‘Subverting Trust in Windows – A Case Study of the “How” and “Why” of Engaging in Security Research’: https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf

This trend speaks to the growing complexity of not just advanced persistent threat (APT) but also crimeware actors, and directly adds to the mounting challenges faced by defenders, who now increasingly encounter signed malware and encrypted malicious traffic.

What can you do?

• Certificate whitelisting/blacklisting

• Care about SSL cert meta data

• Know what’s in your root store!

Page 21:

MOVING FORWARD

MALVERTISING AND MALSPAM REMAIN PRIMARY DELIVERY VECTORS

‘DARKNET’ ISN’T GOING AWAY & EMPHASIS ON CREDENTIAL HARVESTING PERSISTS

RANSOMWARE & CRYPTO-CURRENCY ARE IMPORTANT REVENUE STREAMS

BOTNET CAPABILITIES AND BULLETPROOF HOSTING PROVIDERS INCREASE

INCREASED ADOPTION OF ENCRYPTION WILL BRING MORE COMPLEXITY TO DEFENDING NETWORKS

CRIMEWARE TRENDS

Page 22:

@RSASecurity

THANK YOU