All right, well, it's 2 o'clock. 2 o'clock, welcome to the Packet Hacking Village Talks. And it is absolutely my pleasure to introduce to you from Recorded Future, Winnona DeSombre. Thanks, Ming. Hi, everyone. Thank you guys so much for coming out. Also, a special thanks to Wall of Sheep and especially Ming, a personal mentor of mine, wonderful guy. Definitely get to know him if you don't already. So make sure you're in the right room. We're definitely going to be talking about malware popularity by forum. So a little bit about me. My name is Winnona. It's this nice little pose that I'm doing here. I'm a threat intel researcher, like Ming said. I also do a bunch of really cool security and policy related stuff in the Boston area. If you like what you hear today, you can follow me on Twitter. But I mostly talk about China and cyber criminal stuff. Talking a little bit about this paper that I've written, that's the content of this presentation. And the thoughts are my own, but the GIFs are not. But there aren't going to be any GIFs because this presentation is in PDF format. Thanks, Linux. So why monitor criminal underground forums to begin with? There's quite a few reasons. These are the main threat intelligence related reasons. For one, you as a company or you as somebody working in a company can best understand whether or not you've been breached in some way by figuring out if your company's credentials have been leaked online. In addition to that, some criminals will actually advertise that they're about to hit a company or an industry before it occurs. But my favorite reason of all of them is by looking at how these criminals talk on forums, you can figure out how they are changing their tactics, tools, and procedures, especially when it comes to malware. So with that in mind, I had a couple of questions when starting this research. The first one was, what's actually interesting on underground forums when it comes to malware? 
What is the most talked about family category of malware out there? In conjunction with that, there's also the category section, right? So we're hearing a lot of hype about ransomware. What does that look like on underground forums? Is the reporting in the news that ransomware is kind of the next big thing really something that we should believe in? And then finally, people on the internet are just that, they're people, even if they are buying and selling and operating malware, right? So what is actually occurring on these forums that is causing malware itself to rise and fall in popularity? All of these questions are kind of encompassed by this umbrella question that I really like to answer when it comes to cyber threat intelligence. And that is, how can we take something that's specific to this field? So cyber threat intelligence, you have that underground criminal forum monitoring. And how do we take that and translate it into something that's actionable for defenders and red teamers alike? There are a couple misconceptions when it comes to the cyber criminal underground, one of which is where we look. I will say that deep and dark web is not really an accurate focus here, primarily because criminals conduct activity anywhere that they can communicate with each other online, or even in person, as it says at the bottom here. So talking a little bit about the organization, though, even though you have a different set of sourcing, you also have very overarching similarities in terms of how these people conduct themselves online. So you have vendors and buyers and how they interact with each other is as follows. You usually have sales posts where a vendor is interacting with a buyer, or two buyers or multiple buyers that are interacting with each other in terms of asking questions, or discussing certain news articles that come up, et cetera. 
So taking these discussions and questions over the last year and aggregating them all together to about 4 million posts was the research that I did. And I took all of the mentions of any type of malware, family, or category, and racked and stacked them every time they were mentioned. So like I said, this encompassed things like Tor forums, third-party chat applications, social media, open web, et cetera. And when I talk about malware families and categories, obviously you have various aliases for a single family of malware. So njRAT, for example, is also called Bladabindi and other names in various languages. So I took all of those using my company's software and aggregated those together as well. When we're talking about the definitions within this data set, like I said, there are 4 million posts in here. So what makes this data set relatively unique? The first thing about it is that the definition of malware that I used is not really the definition that you'll see out there when it comes to technical reporting. So the definition, operational pieces of code, is very broad and encompasses things like exploit kits, which isn't necessarily something that you would relate to as malware, or crypters, which is a piece of software that takes malware and encrypts it or packs it such that it's fully undetectable by antivirus. Those things are also included in this data set. And the reason why that's the case is because they're actually talked about similarly to malware on these criminal forums. In addition to that, there's also things like the nature of these posts. So reposts of security articles are commonly found on criminal forums, mainly because, this podium's shaking a little, mainly because a lot of criminals actually get inspiration from these articles. And then there's certain spam posts that relate to vendors basically trying to post in as many forums as they can, as many times as they can to advertise their product. 
So there were three main insights into this particular data set that I want to talk about. The first one is malware mentions overall. The second one is referenced by language. So what are the top pieces of malware that Chinese speakers versus Russian speakers versus English speakers talk about? And then finally, what are those correlations? Like what is the real life implication to this malware research? So let's talk overall. When it comes to categories, so 61 categories, 101,000 malware family names, with the categories ransomware very clearly comes out on top. The next one being cryptor, likely because cryptors can be matched with pretty much any type of malware. But the interesting part is when you look at the family names, only one of these is ransomware. So where's that discrepancy here? Why is it such that malware forums have such high frequencies of ransomware broadly? But when it comes to families, there's only one in the top 10. Looking a little bit further into that, of the top 150, only 11 families of malware were ransomware. So what's happening here? When I looked into the actual data, so the actual content of the posts, what I saw was really interesting and it's that 50% of these mentions of ransomware in general are from a buyer side, somebody asking for any ransomware. So it's a new buyer, they don't really know where to look. And then from a vendor perspective, you have vendors either correlating tons of lower level, non-branded ransomware, or seeing something like, hey, I'm gonna try my hand at this whole ransomware thing. Here's a piece of ransomware that I've written myself. I don't know if it's any good. So you have this ecosystem of buyers and sellers that are interested in ransomware, but don't know where to look yet. 
This one's just my favorite post that I had seen thus far, where the guy is saying he wants to, or excuse me, they, they want a family of GandCrab or some sort of ransomware related and they'll sell it to you, they'll sell some cocaine for you or something. I guess, whatever, whatever floats your boat. So moving past overall and into malware by language, something that has come up a couple of times I've been asked questions when conducting this research and they go, Winnona, why are you looking at it by language? Why does that make any sense? And I like to mention some of the other research that I've done and that's racking and stacking how different communities in these forums interact with each other and basically the revelations from that research is that different communities, so different forums written specifically for a language-centered audience, so like Chinese speakers versus Russian forums versus English language forums, they're not only organized differently, but the culture and interactions between forum members online differ drastically based off of what language forum you're dealing with. So I wanted to see, does that actually shape how the malware is advertised and what malware they're focusing on? And as it turns out, they do. They do focus on very different types of malware and very different families. One of my favorite examples, the easiest one to pick out is the prevalence of mobile malware. So when you talk about Chinese forums, these are the top 10 in Chinese from May 2018 to 2019. And as you can see, SpyNote is the top one by a lot, followed by AhMyth and then DroidJack kind of down below in the top 10, but these are all Android malware. And it's really interesting to have three very different pieces of Android malware in the top 10 malware families writ large. Moving into English, two of those top three exist in the top 10 here, but at far fewer quantities. And then when you look in Russian, there's no mobile malware to be found. 
So this means that if you are an adversary, depending on which forum you're on, you're probably going to focus on different malware, which also includes if you are a forum member in China or in Korea, you're probably looking at different malware or buying different malware than someone who operates solely on Russian language forums. I will say though, that there were some similarities across all forums in general. So no matter what language, these were fairly holding true. The first one is that no matter what language the top 10 malware families were in, all of them had at least one family of malware that was older than three years, that had been around for over three years, which is interesting because that means that this piece of malware is still successful. People still want to talk about it, which means that there are hosts out there that are still infectable with these either completely open sourced or incredibly antiquated families of malware. You also see dual use tools, and what I mean by that is common pen testing tools like Metasploit or things like John the Ripper or Hashcat that are commonly used by red teams are also being sold and traded on criminal forums. There was some forum specific malware, and by that I mean mainly forum spamming, and everyone wanted to talk about GandCrab. And for those of whom aren't familiar with GandCrab, it is a piece or excuse me, a family of ransomware that was only available on a single Russian forum until the namesake vendor, also named GandCrab, decided that they were going to retire in June of this year because they had earned too much money. So everyone on various languages of forums either wanted to figure out how they could get their hands on GandCrab or how they could make something similar. So, now that we've kind of laid out the foundations, let's talk about these vendors and buyers and how they're correlated with the rise and fall of certain families of malware. 
Going back to the top 10 malware mentions, I kind of glossed over the specific families, but when we sort them out by type, a large majority of them are remote access Trojans. You have SpyNote back up there, like the Android malware. You also see GandCrab. And then NLBrute is a brute-forcer and XRumer is a forum spammer. Sorry about the same image. I stopped being as creative, I guess. But when you split out the references on forums by month, you can see it's a little bit messy, but you could definitely see that there are clear spikes in references in certain months for certain pieces of malware. So what I was able to do was every time there was a large enough spike in a certain family of malware, I was able to go in and look at the nature of the posts to see what was causing that spike in mentions and references. And what I found were largely three correlated events. So you wanna be a good malware vendor. You wanna sell malware in sets sometimes, so kind of a buy one, get one free situation. And then the distribution of cracked malware versions is also what I like to refer to as malware piracy. And that made malware a lot more popular whenever it was pirated. So going a little bit deeper into all of these, being a good malware vendor, what does that even mean? So when you are a vendor of a certain type of software, you want to advertise regular updates. You want to make sure that your customers are happy with their product and you also want to advertise your product. So whenever there was an advertised update on a forum, especially with proprietary malware or even contributing to open source malware, that family of malware would get a rise in mentions because people started to get interested in it again. You also saw advertisements in correlation to real world news articles. And what I mean by that is this example right here with GandCrab, they were really effective at using security news articles to advertise their product. 
So this is a security intelligence article that says GandCrab is now the most powerful threat of its kind whether directed at a single person or an entire company, which is the best software review I think I've ever read, just ever, right? And then finally you have things like customer service and customer engagement. Like I said, being a good vendor, you want to make sure your customers are happy. And so that included things like answering frequently asked questions on these forums, offering free copies of their software, malware, excuse me, in exchange for reviews or commenting and apologizing if they hadn't gotten to a certain question fast enough. Moving on to malware being sold as a set, I do literally mean a buy one, get one or five free situation in which by buying a single bundle of malware all compressed into a zip file, individuals are able to play with certain types of malware that they wouldn't have been able to otherwise. This was especially effective when the pieces of malware sold as a set were complementary. And what I mean by that is these two examples kind of below where XRumer, which is a forum spamming tool, was often sold with a CAPTCHA breaker called XEvil. So by putting these two things together, forum members would be able to effectively spam posts on forums, even if there were CAPTCHAs involved. Another really good example goes back to the crypters in which Warzone RAT, which is an incredibly popular proprietary piece of malware, was being sold alongside a cryptor made specifically for that RAT. So you knew that as a buyer, if you bought the two together, you wouldn't have to deal with any software compatibility issues. If something went wrong, you could contact the vendor, things like that that made it more compatible and easy to use. And then finally, cracked versions or malware piracy, so to speak. So what do I mean by pirating malware? Who does that, right? 
So when you're talking about cracked software, usually that refers to proprietary software in which, like for Office 365, for example, you usually get a license key and when you first install that piece of software, it asks you for the license key so that way it can activate your use of that software as a registered buyer or a registered user. So similarly to cracking software, cracking malware takes a proprietary piece of malware that usually asks for a license key and either finds a way to circumvent that license key check or creates a close enough version of that piece of malware that it's almost indistinguishable from the proprietary malware in the first place. This here is one of my favorite timelines in terms of vendor-to-vendor interactions with this example. So AZORult was one of the top 10 remote access Trojans. It is a proprietary stealer, or it was until it was pirated. In October of last year, a completely separate vendor started posting about a cracked version of AZORult that they called Gazorp. I love these names, they're so great. And because this person was adding to the supply of this type of malware and not just adding to it on a single forum, but multiple forums, popularity of this malware began to increase, just a demand-supply relationship here. This actually caused the original vendor of AZORult to update their software because they wanted to differentiate themselves from the cheaper, less proprietary version of AZORult on the market. Eventually, though, that didn't end up working and they shut themselves down. And then the cracked version, so Gazorp, actually updated that version of the software as well. So you see this really interesting battling of a piracy and proprietary malware vendor. So we've learned a lot about malware today. But how much of a risk is this to a company environment? And I like to answer this question with the lower-threat, higher-frequency model. 
So because a lot of this malware is very old, it's not effective without a delivery vehicle because it is commodity malware. And there are plenty of antivirus rules that usually catch these, like this table over here actually shows you how many VirusTotal hashes with those families of malware have been uploaded in the last year. They are going to be a lower threat to an environment than something that is a little rarer, right? However, because they're so popular on these underground forums, they're likely to be used more often than other types of commodity malware. So they will be hitting an endpoint or a company environment with a higher level of frequency. And also in some cases, these stealers and other sorts of malware have been used as a jumping off point for larger campaigns. So aside from SamSam and also like APT-C-36 using Imminent Monitor, there's also been cases of Iranian threat groups like APT33 using things like njRAT, DarkComet and Imminent Monitor as well. So a couple takeaways from this really is first off, the landscape is going to change very frequently. These are people we're talking about buying and selling malware and interest fades over time in certain malware. And like I showed in the graph earlier, it spikes and falls. So this is actually a graph from June to, excuse me, January to June of this year or middle of July actually. And the top 10 here is different from the top 10 from May to May. There's six of the top 10 from the initial graph that are still here, but they're also in different orders, which is kind of cool. When it comes to things like dual use tools, because they are frequently talked about on underground forums, this actually provides an additional data point for members of the blue team and red team to communicate more. 
I'm sure that's been a common denominator when it comes to these sorts of talks in Vegas, but this just provides an additional data point so that SOCs can communicate more with the red team to figure out what tools are being used and what the newest version of Metasploit is or whatnot. Additionally, finding the baselines of these different actors, because they are different based off of what language forum they're on, is important, especially for companies operating internationally. So for example, if you are a company in Japan, you're likely to be more targeted by the malware more present on Chinese language forums, whereas if you're a company operating in Ukraine, that might be a very different situation. I also hope that some of the add-on additional research that I've done in this paper can provide a small baseline for patching. Like I said before, because these are a lower threat malware, this is a lot of commodity stuff. People who have a very robust security team or environments that have a robust security team are probably already defending against these sorts of threats, but for newer security teams, for newer people that are entering the field, I really hope that this becomes a baseline to start from. And what I've done for the paper is take the discussed malware, find all of the delivery vehicles in the last year and list out all of the vulnerabilities that those delivery vehicles have exploited. So I'll refer back to the paper. I thank you guys for coming out and I hope you guys have a great rest of DEF CON and I'll take questions. So when you're talking about 0-days and n-days, I will say that that's more applicable to delivery vehicles and not for commodity malware. A lot of the malware that you would see on these forums, if they use a 0-day, they're likely going to be a little bit more secretive about it. These are types of individuals that just want to make as much money as possible using the skills that they have. 
And if they had a 0-day, they would likely use it for a delivery vehicle rather than for the malware itself. I would say that the availability of delivery vehicles, that was a little bit outside the scope of this research, especially when we're talking about malware to begin with. A lot of the delivery vehicles that were associated with the malware, however, were just generally available exploit kits. So you're talking about, I have a list of like eight, but for some reason I'm blanking. But yeah, it's more related to the exploit kits themselves rather than the commodity malware. There's a little bit of a split because when you're talking about the discussion around malware, usually unless it works particularly well with a certain exploit kit, you don't really see the two discussions overlapping. You're welcome. It comes to kind of the, are you more referring to, I guess, to repeat the question, kind of the relationship between the cyber criminal malware sphere and the state sponsored areas? Okay. So usually a general rule of thumb is if somebody is a state sponsored individual, they're not going to say so on these forums. But what I can say is that when you're looking at the technical indicators rising out of nation state operations, the fact that they're using certain types of commodity malware, like for example, I said DarkComet, excuse me, DarkComet, Imminent Monitor being used by Elfin or APT33, right? That's an Iranian threat group. That means that they've either interacted with a pirated malware vendor or the original proprietary malware vendor themselves because those two that I just mentioned are proprietary and only sold on certain forums. So you can actually figure out with a small degree of likelihood that there are nation state actors operating on these cyber criminal forums. All right, anything else? If not, thank you guys. Oh, yeah. So I will say that you can, but only when it comes to that buyer-to-buyer relationship. 
So you will see certain things that are either more proprietary or secretive being talked about on malware forums in which that malware is not necessarily sold. So kind of like GandCrab, for example, it's only sold by one or was only sold by one Russian individual operating on a single Russian forum. But the fact that there were so many news articles referencing it and there were so many buyers that were reposting this online allowed you to kind of gauge, oh, it's not just popular on this one forum, it's actually popular kind of across the globe in various different languages. All right, thank you guys so much for coming out. Thank you.
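As an added example (not the speaker's or Recorded Future's code), the Python sketch below shows the counting method the talk describes: fold each alias into one canonical family, count the posts that mention it per language and per month, and flag the months where mentions spike against the earlier baseline. The posts are constructed, and the alias map is illustrative apart from the njRAT/Bladabindi pair mentioned in the talk; the spike rule (at least `factor` times the mean of all earlier months, with a minimum count) is an assumption, not the paper's method.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Illustrative alias map: canonical family -> aliases seen in posts. Only
# njRAT/Bladabindi comes from the talk; the other lists are assumptions.
ALIASES = {
    "njRAT": ["njrat", "bladabindi"],
    "GandCrab": ["gandcrab"],
    "SpyNote": ["spynote"],
    "AhMyth": ["ahmyth"],
    "DarkComet": ["darkcomet"],
}
# One case-insensitive, word-bounded regex per family.
PATTERNS = {
    fam: re.compile(r"\b(" + "|".join(map(re.escape, al)) + r")\b", re.IGNORECASE)
    for fam, al in ALIASES.items()
}

# Constructed sample posts: language tag, post date, post text.
POSTS = [
    {"lang": "en", "date": "2018-10-03", "text": "Selling njRAT 0.7d builder, crypted and FUD"},
    {"lang": "en", "date": "2018-10-11", "text": "Anyone have Bladabindi source? Need the full package"},
    {"lang": "en", "date": "2018-11-02", "text": "[repost] GandCrab is now the most powerful threat of its kind"},
    {"lang": "en", "date": "2018-11-08", "text": "Looking for the GandCrab affiliate program, where to apply?"},
    {"lang": "en", "date": "2018-11-20", "text": "gandcrab v5 update released, vendor answering questions in thread"},
    {"lang": "en", "date": "2018-11-25", "text": "How do I get GandCrab or make something similar?"},
    {"lang": "en", "date": "2018-12-05", "text": "njrat vs DarkComet, which one for beginners?"},
    {"lang": "zh", "date": "2018-10-08", "text": "SpyNote 5 安卓远控 出售"},
    {"lang": "zh", "date": "2018-11-14", "text": "spynote 破解版 分享"},
    {"lang": "zh", "date": "2018-11-30", "text": "AhMyth 开源安卓 RAT 教程"},
    {"lang": "ru", "date": "2018-11-09", "text": "Ищу партнерку GandCrab"},
]


def month_of(date):
    return date[:7]  # "YYYY-MM-DD" -> "YYYY-MM"


def mentions(text):
    """Canonical families mentioned in one post, aliases folded together."""
    return {fam for fam, pat in PATTERNS.items() if pat.search(text)}


def count_mentions(posts):
    """(lang, family) -> Counter(month -> number of posts mentioning it)."""
    counts = defaultdict(Counter)
    for p in posts:
        for fam in mentions(p["text"]):
            counts[(p["lang"], fam)][month_of(p["date"])] += 1
    return counts


def top_families(posts, lang, n=10):
    """Rack-and-stack: most mentioned families for one language community."""
    totals = Counter()
    for (l, fam), months in count_mentions(posts).items():
        if l == lang:
            totals[fam] += sum(months.values())
    return totals.most_common(n)


def find_spikes(posts, lang, family, factor=2.0, min_count=2):
    """Months where a family's mentions jump against all earlier months."""
    counts = count_mentions(posts)[(lang, family)]
    months = sorted({month_of(p["date"]) for p in posts})
    series = [counts.get(m, 0) for m in months]  # zero-filled monthly series
    spikes = []
    for i, c in enumerate(series):
        if i == 0 or c < min_count:  # no baseline yet, or too few posts to matter
            continue
        if c >= factor * mean(series[:i]):
            spikes.append(months[i])
    return spikes
```

Each spike month is where the talk's next step happens: pull the posts behind it and read what caused it (a vendor update, a reposted news article, a bundle, or a cracked copy).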