Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-… 
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Robert talks about the challenge of mapping out the adversary infrastructure at scale...it's like a game of whack-a-mole, and to have an impact, you have to take down as much of the infrastructure as possible. It may be more or less challenging based on the botnet.
Here are the botnets they'll discuss today - #Andromeda #Gamarue #Wauchos #Trickbot #Windigo - each operation was a little different, the #Windigo analysis was largely manual. @ESETresearch
Here's how @ESETresearch processes malware samples....this is an awesome diagram to help any teams think through how they action malware! It should be a combo of automation + human analysis.
A nice breakdown of the process of tracking botnets
This is often what happens when malware is shared among adversaries...we see this with ransomware operators and other criminals, and it makes our jobs tough and confusing!
.@adorais discussing a challenge of takedowns - not taking down legitimate researcher infrastructure, for example. This is a real concern that not many people consider. @ESETresearch worked with many partners to create a list for #Andromeda disruption.
The #Andromeda bots were redirected to a sinkhole - this allowed researchers to identify victims and notify them. Over a MILLION victim machines connected to the sinkhole. They saw an immediate decline in detections so considered it a success.
Interestingly, a few days later the operator behind it was arrested - they weren't aware this was going on so watched it like everyone else. @adorais commenting on how arrests like this are part of the overall approach to stopping adversaries...arrests matter too.
MUCH SUCCESS!
Oooo yeah @Robert_Lipovsky talking about the #Trickbot takedown....really excited to hear this. This operation was a huge team effort with Microsoft, ESET, and others.
Robert reminding us how pervasive Trickbot was for quite a while - a global impact. Interesting tidbit - #Trickbot has been dropped on systems already infected with #Emotet, showing how adversaries are "business partners".
Trickbot's modular architecture lets it do various things with plugins - it can steal creds and recently it's been observed acting as a delivery mechanism for other malware like ransomware
Web injects let operators change what victims see when they visit a website. This is a decrypted config that contains the malicious C2 URLs the bot would contact.
The team collected thousands of configs to see how many websites were targeted. There was a big drop in March - that's when the #Trickbot operators dropped a plugin. This drop suggests they switched to focus more on ransomware... like #Ryuk
This is AWESOME analysis and a great visualization!! These are unique identifiers ("gtags") in the hardcoded #Trickbot configs that identify different campaigns. "mor" is the campaign believed to be Trickbot compromises due to #Emotet. Tracking by campaigns is so powerful.
#Windigo is a large-scale operation discovered in 2013 and is one of the largest ops @ESETresearch has tackled. It started with analysis of a Linux backdoor. Really glad to hear about this because this community doesn't focus enough on Linux IMHO. welivesecurity.com/wp-content/upl…
This op involved a few families - #Ebury, #Cdorked, and #Calfbot. This was some of the most complex infrastructure they have seen...as you can see from this diagram! 😂 After they published a whitepaper, the FBI reached out to ask for more info. Very cool result of sharing.
They reached out to #Windigo victims, and even got access to a few compromised servers by asking nicely. I've found asking nicely is a great approach in this community! They saw thousands of creds over just *five days*...including thousands of root creds. 😬
I never realized #Glupteba was dropped in this op - it was dropped by #CDorked. Just adding to the complexity of campaigns like this - a lot of shared malware and exploit kits involved, making analysis confusing as heck.
Everything was quiet for a few months until they heard a Russian citizen was arrested. People often say it's not worth going after adversaries because they'll be safe in their home country, but being indicted is life-altering, says @adorais
...arrests happen during travel!
...arrests happen during travel!
Now researchers had a new challenge...trying to figure out how to explain a massively complex operation in plain language. I think this is one of the biggest challenges we face in this community. Luckily they didn't have to be an expert witness since an indictment happened.
Private orgs have to trust law enforcement - that they will action the information. Law enforcement also has to trust private partners. The only way they've found to reach that level of trust is to start with small cooperation and build up over time. 💯💯💯
• • •
Missing some Tweet in this thread? You can try to
force a refresh
