Welcome to my presentation about phishing like an APT, with the slogan "phenomenal pretexting for persuasive phishing". In the next 30 minutes I'm going to pitch why we need to think about what we send in a phishing mail during adversary simulation.

So first, who am I? My name is Sala Mausokers and I'm from the Netherlands. I think that's why my last name is so hard to pronounce, I guess. I work in the red team and in the Research and Intelligence Fusion Team. So that means I do red teaming, but I also advise companies about threat intel and write strategic reports. If I have to think about two things in my career in the APT or phishing field, there are two things I'm really proud of. The first one is that I once successfully phished the white team. During a red team we had to phish a couple of people, and I also sent one of the messages to one person of the white team, so they knew what we were doing. That person knew that we were going to send a phishing mail, but still thought this was a real and legit one instead of the phishing mail we were about to send for the simulation. So that's really nice, I guess. The second one is that I was the APT during the biggest cyber crisis exercise. It was last June and I had to create an attack for the well-known country Rosberia in the Middle East. I had to make up the TTPs myself and create an attack targeting all governmental and vital organizations of the Netherlands. So that was really nice. Normally you do red teaming for one company, and now it was 96. It was really a milestone in my career so far.

So, phishing during adversary simulation. We know that phishing is a commonly used technique to get initial access. Research showed that around 90% of attacks start with a phishing email, with a weaponized document for example. If we look at the MITRE ATT&CK framework, we see that they have defined technique T1566, which is phishing and has three sub-techniques.
The three sub-techniques are: spear phishing attachment, so it's a phishing mail with an attachment like a maldoc or a RAR archive which is malicious. You send an email to the victim with an attachment, the victim opens the attachment, executes it, and then you infect the victim. The next one is the spear phishing link. The email includes a link, maybe to a phishing website, maybe a credential harvesting login page. It could also be a link to a known service, for example you host your malicious document on Google Drive or on Dropbox. And the last one is spear phishing via service. I think you see that sometimes attackers don't use email for delivering your payload, your weapon, but also services like LinkedIn, Twitter or Telegram.

And why do we do that? Why do attackers still phish? Because it just works every time. People still click on it. It has a great return on investment. So why would you not send a spear phishing email to target an organization? Because we as humans get a lot of email every day, and we have to decide every time whether it's a legit email or a phishing email. And we have to decide in a split second. In that split second we have to check if it matches everything we got during our security awareness training. So why do people click? Actually, it's because we don't know what a legit email or a phishing email is, because we didn't get security awareness training. Well, that's really bad. I think everyone must have basic knowledge about phishing emails. But if you don't know what a phishing email or a legit email is, you cannot distinguish them from each other. That's really bad, and you don't know how to process that email. The second point is because the email is more advanced than the awareness training coverage. What I see is that security awareness training is sometimes really outdated.
But also, sometimes the email is just way more advanced and very, very hard to distinguish from a legit one. So your basic training is just not enough to see whether it's legit or not. And the last one is because you're just distracted at the moment. Maybe you know everything about phishing emails, but you're running kids around the house because you're working from home, they cannot get to school because of COVID-19, you have annoying colleagues in Teams meetings all day, and you still have to clear your inbox, or you didn't have your morning coffee yet, so you're not as sharp as you would like, and in that case sometimes you click on something. So that's why phishing works.

For example, by influencing your emotions as an attacker, you make decisions easier, or decision making is way easier because it associates new information with existing patterns you already know. So a little bit like mental shortcuts, and by mental shortcuts I do not mean these shortcuts, of course. So if you have a phishing email, you want to influence someone to click, or to interact with the email, whether it's login or download or giving information, whatever. The influence is based on the email itself, and it's not only the text, it's way more than the text in the email itself. So it's about the link or the attachment. How do you influence clicking on the link? Is the link a domain name that is known, is it something typosquatted for example, is it a legit service with hosted malware, does it contain an attachment, is that attachment named like an attachment that should be relevant for the recipient, for example. Next to that we have the content. So next to the bait you have the content, how the mail is constructed itself, so the email body.
I'm talking about the language: what language was used, is the language also the language used in the organization, does it have a design, is it plain text or is it the copied corporate identity from another known organization or is it just neutral, and does it contain personal information. Sometimes you see that it has the correct salutation, so "Dear Ms. Sala Mausokers", or sometimes it also has some personal information like your email or LinkedIn profile and such, so attackers also influence people by using personal information of that person they got from open sources. And the last one is the context, so that's everything around the content and the bait and the attachment. That could be: who's the sender, is it someone you know, is it someone internal in your organization, is it a colleague, is it from a company you know or is it a company you should know, those are all the possibilities. What is the theme of the email, is it a relevant activity or is it something you really like, is it a charity you really like, is it about your hobbies, is it about a recent event, is it a timeless activity, just like "here's my payslip" for example. And the goal: what is the goal of the attacker sending the message, is it getting information by replying, sending you to a login page, maybe getting a payment done, or downloading an attachment somewhere. So it has different goals.

If you combine all this, you can create a framework, so that's this framework. Next to all these items I just named, one of the most important is the principles of influence. You can apply the principles of influence defined by Cialdini, who defined seven principles of influence, to every part of an email, so the content, the context and the bait, for example. So before I start telling about the principles of influence in APT phishing mails, I'm going to introduce you to five principles of influence in APT phishing
mails. Well, he defined seven, but I think only five are suitable for email, so I'll show you a couple of them with a couple of examples.

The first one is reciprocation, and that means that if I do something for you, you do something back for me. That's nice, so that's why I want to offer you something so you do something back. I think you see that a lot in emails where they offer a coupon if you register or log in or something, but you also see it in more malicious mails by offering to help you and then asking for a favor. So in this email I notified someone that their account was going to expire and they have to log in to reactivate it. As the recipient you're thinking, okay, thank you for letting me know, I will definitely log in, because you feel indebted somehow. So that's the first one.

The second one is an email that was, well, not copied, but I was highly influenced by one of the APT groups. This was an email sent by Lazarus Group in the COVID times, and in the email they said they sent out a package of temporary, timely and targeted measures to support public services, people and businesses through this period of disruption caused by COVID-19. So they are offering you a package to help you, and the last day to register your business is June 26th 2020 by 2 p.m., and this was sent in the same week. So actually they want you to do something in a short period of time, and you call it scarcity. You offer something for a short period of time, people think we need to do this, we don't want to miss out, and we should click. You also see that on websites and in phishing emails: oh, only one day left, we only have limited stock, please buy from us. Well, it's a principle of influence that is proven to be a working principle.

And then the third one is authority, and I think this is a really clear one. If someone sends you a mail from a proven or known authority, I think you're more likely to click on that link or on
the attachment. In this example I used the CEO, which is just like CEO fraud: "okay, you must ensure that all the pending deal payments shall be completed by the end of the day". This was an example highly inspired by a TA505 email. I saw this email several times, asking if you could please do a payment, and payment instructions and information were in the attachment. So this is one that really works as well.

And then the next one is the principle of liking. If someone has a shared interest, or you just like someone because it's a colleague, it's a known person, you are more likely to interact with the email. So I made an email, a little bit inspired by an email of APT28, where I say it's almost Christmas and the elves are working really hard and have a message for you, and it was sent by Santa or the holiday committee from the organization. You think, I really like that person, they also really like really nice Christmas branches, I'm going to click on that link because I want to see my Christmas greeting.

And the last one, but definitely not least, I really like this one, is the principle of social proof. I have here an example, it's a LinkedIn header, and maybe you would think, okay, but why is this the principle of social proof? The principle of social proof is like: if someone you really know likes it, then you would also like it. This one is also inspired by a Lazarus attack, because there was a person who created a personal LinkedIn account, added a lot of your colleagues and then wanted to chat with you. So you check out the connections, the shared connections, and you see, okay, I have a lot of shared connections, so this person should be a nice person, or I could trust this person. So this is the way they wanted to influence the person receiving the connection request from Wilson. I think in real life you also see this a lot on the website booking.com, they are really good influencers, because it's also known that the principle of social proof is
used on the website by saying "40 people from your country booked this room today, hurry up, hurry up". That's also the principle of social proof, because you know that a lot of people from the same country also booked that hotel, so it should be right, right?

So these are the principles of influence, and now I'm going to apply those principles of influence, and everything that is in an email, on emails of an APT. First I need emails of an APT, of course, so I needed an adversary email dataset. So first: okay, I need adversaries, which ones are the most suitable for my research? First check out all the adversaries who have a phishing procedure defined. You can check out the MITRE ATT&CK framework and you see that there are a lot of adversaries using spear phishing, so that's really nice. Second is: okay, I need to choose what kind of groups are interesting for my adversary emulation. During a CBEST or a TIBER you have to select a real threat for the organization, so I need a real threat for the organization. What are the most likely threats for an organization? That's the insider threat, a crime group, a nation state and a nation state slash proxy. Well, insider threat is not going to work if I want to do an adversary simulation, so I have crime groups and nation states left. With this information, and choosing multiple groups over the world, I came up with TA505, APT28, APT40 and APT38. These are the four groups I selected for my research, because these are really good groups we should use during our next adversary emulation.

So how did I do the research? I got a lot of emails. I got some from my threat intel colleagues, who are really badass in gathering these, but I also found a lot on VirusTotal, because you can search for attachments with the attack attachment, and if you know the IOCs or the hashes of the malware docs, you can find the parent email of those documents as well on VirusTotal if you do some advanced
searching. That's how I found 200 emails of APTs. The next one is getting screenshots from research. A lot of companies already did a lot of research, not on this topic, but on phishing of APTs, so they presented it in a research report: okay, we saw a full attack of this APT and it started with this email. So I gathered all the screenshots of those phishing emails and also used them to enrich my first dataset. And the last one is finding the associated IOCs of these APTs. For example, domains will tell you how the phishing domains are constructed, if you find maldocs you see how they use the principles of influence in the maldocs, etc. So also find other information in other sources about these APTs.

So now we're going to apply the research of principles of influence on those groups. My first one is Russia, so groups from Russia, and I start with the least advanced to the most advanced. I start with TA505. That's not really an APT, but I guess you also have to emulate crime groups during CBEST or TIBER, so that's why I chose this one. It's TA505, located in Russia, and I would call this group #lazymode. It's really lazy mode, because they're not really influencers, to be honest. What I see is that they don't really use influencing techniques in their mail. They just say "this email is sent automatically" or "please see attachment" or "please pay this by the end of the day", so maybe a little bit of scarcity, but not really that they are using the principles of influence in their mails. Also what I saw is that emails are impersonal and can be sent to anyone, so there is no personal information, right salutation or whatever in the email. Next one, and I think that's really funny, the sender email address is not matching the sender name. What TA505 does is compromise a lot of email accounts and send emails from those compromised email accounts, so that they have DKIM and
DMARC set correctly, so it definitely won't end up in your spam folder. They send emails from those compromised accounts, but they change the sender names a bit so it looks like it's the sender. And what they do is add HTML attachments or maldoc attachments, and sometimes they also host it on a website. I see this more nowadays with TA505, because it's really hard if a spam filter is doing file scanning and stuff like that. I have three examples of those emails where you can see the lazy mode with the sender email address and the sender name. This is the first one, the second one and the third one, and you see in all three emails it's sent from Krishna Krasat, but the email addresses are different every time. So this is what TA505 does.

Let's go to a more advanced one, and that's APT28. What I see in APT28 is that they use two main principles of influence, and that's the principle of liking and authority, because they are using an external company, a known company, copy everything from that and send emails. So they send with spoofed domains and spoofed email addresses for example, or they use authority by spoofing an internal colleague or internal CEO or something. They use the corporate identity of another organization like Google, or they just use plain text, or use the corporate identity used in the organization they are sending from. And what I see is that they use domain names which are typosquatted with predictable patterns. For example, when you have a subdomain, they use the full name but replace the subdomain by a dash. So if you have the website onedrive.office365.com, they use the domain name office365-onedrive.com. That's one. And they use the TLD of a domain name in the domain name itself. For example, when it's nato.int, they use nato-int.com to make it look legit. And next to that they also use the
regular typosquat kind of things, like using an r and an n to be an m, for example. So these are two examples. This is the first one, it's by Google, this is the one used to disrupt the Hillary Clinton campaign a couple of years ago in the USA. And this is the second one, here you see that they use the principle of liking, someone has the same interest, it's a known authority in the same area as where you work in. So they use it this kind of way.

Then the next one, going over to China, I chose APT40. Well, I don't know if they're still active, if you see the news from the last weeks. So what do they use? They use the principle of liking, and they pick relevant themes for the recipient. They use the local news, they use activities and events in their emails, and those are the main theme of the phishing mails. In order to do that, they do profiling of the victim by using open sources to get more information about the victim, and then enrich the email with that kind of information to make it more relevant. And what I see is that the level of the phishing mail is really diverse, so I see typos all the way everywhere, and I see really well crafted emails. Well, maybe it's because there are a couple of people with diverse levels of sending emails, but it could also be that they have someone for creating the well crafted emails, and when you interact they don't have that person, so it's not that good anymore. And what I see is that they use maldocs in attachments or hosted on Google Drive for example, and when they send you to their own website or a compromised website, you can download one of their droppers, and it downloads a payload for you and redirects you to a legit document they also packed with it.

And the last one, and that's North Korea, it's APT38 or Lazarus Group, and I think this is my favorite, if you can have a favorite APT, but this is definitely my favorite
APT, because it knows how to social engineer. They're building full characters or impersonating real people to influence a person. They literally use every principle of influence in their campaigns. They're using email, LinkedIn, Telegram or Twitter for communicating with the people: first do your initial chat on LinkedIn, then go to Telegram. That was described in the Dream Job campaign research. They always use an important value for their recipient. They target a lot of military organizations, so they read a lot about military operations in order to make it more legit. They spoof email addresses or create an unknown company, so if you are a recruitment company you can also just register a new domain name and call your recruitment company that way, so that's what they do. And they use Dropbox and OneDrive for delivering malware as well. And they are adapting to the language and form of speech, but it's not always flawless. A couple of slides earlier I showed you the Rob Wilson LinkedIn profile I created based on information in research, and these are the next steps after someone connected with that Rob Wilson. You see that it sends a message: I'd like to chat with you for a job opportunity, and then bonds with the person, and then adds them on Telegram and has some conversations. This one is about an assessment someone needs to do in order to check if they have the right expertise, and sends someone to a website. This was covered in the research of this company.

So, concluding: during your next adversary emulation, I would please ask you to just not grab the default scenario from the shelf that you always use because it just works. Please use your creativity and create something that's really like the adversary you have to emulate during the assignment. Check or influence by using the content of
the email and the context. So not only change the text of the email, but make it a full package: check if there's a design, check if they use typosquat domains, etc. But keep in mind when you're performing an adversary emulation you have maybe a couple of weeks, maybe a couple of months, and real adversaries have like a couple of months or years to perform the attack. So keep this in mind, sometimes you have to make choices based on the time you have, so sometimes you have to make it a little bit more advanced in order to have someone click on the link or execute or open your attachment. If you want to read a little bit more about this research, or you want to use it during your next adversary emulation, you can go to my blog, it's here with the link, and for the four adversaries I made a full list with examples of what to use or what not to use during your next phishing campaign. So this was my presentation, I hope you liked it, and if you have some questions please drop them in the chat. For now, thank you very much.
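As an added example, not from the talk or the speaker, here is a small Python triage script that turns two of the observations above into detection checks: the TA505 pattern of one sender display name rotating across many compromised addresses, and the APT28 lookalike-domain patterns (subdomain folded in with a dash, TLD folded into the name, rn standing in for m). The sample mail headers, the allowlist of legitimate hosts and all function names are constructed assumptions for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real APT mail). The first three reuse one
# display name across unrelated addresses; the next three use lookalike domains.
SAMPLE_MAILS = [
    "From: Accounts Payable <j.doe@first-example.com>\nSubject: Invoice\n\nSee attachment.",
    "From: Accounts Payable <maria@second-example.org>\nSubject: Invoice\n\nSee attachment.",
    "From: Accounts Payable <it@third-example.net>\nSubject: Invoice\n\nSee attachment.",
    "From: OneDrive <share@office365-onedrive.com>\nSubject: File shared\n\nOpen file.",
    "From: NATO HQ <press@nato-int.com>\nSubject: Briefing\n\nRead attachment.",
    "From: Microsoft <noreply@rnicrosoft.com>\nSubject: Alert\n\nSign in.",
    "From: Bob <bob@example.com>\nSubject: Hi\n\nHello.",
]

# Assumed allowlist of hosts the organisation legitimately receives mail from.
LEGIT_HOSTS = ["onedrive.office365.com", "nato.int", "microsoft.com", "example.com"]

def sender(mail_text):
    """Return (display_name, address) parsed from the From header."""
    msg = message_from_string(mail_text)
    return parseaddr(msg.get("From", ""))

def reused_display_names(mails, threshold=2):
    """Display names seen with at least `threshold` distinct addresses
    (the TA505 pattern: same sender name, rotating compromised accounts)."""
    seen = {}
    for mail in mails:
        name, addr = sender(mail)
        if name:
            seen.setdefault(name.lower(), set()).add(addr.lower())
    return {n: sorted(a) for n, a in seen.items() if len(a) >= threshold}

def normalize(host):
    """Undo the rn-for-m homoglyph trick so both spellings compare equal."""
    return host.lower().replace("rn", "m")

def dash_variants(legit):
    """Dash lookalikes: sub.domain.tld -> domain-sub.tld, domain.tld -> domain-tld.com."""
    labels = legit.lower().split(".")
    variants = {f"{labels[-2]}-{labels[-1]}.com"}
    if len(labels) >= 3:
        variants.add(f"{labels[-2]}-{labels[0]}.{labels[-1]}")
    return variants

def lookalike_of(domain, legit_hosts):
    """Return the legitimate host `domain` imitates, or None if it is clean."""
    domain = domain.lower()
    if domain in {h.lower() for h in legit_hosts}:
        return None
    for legit in legit_hosts:
        if normalize(domain) == normalize(legit) or domain in dash_variants(legit):
            return legit
    return None

def triage(mails, legit_hosts):
    """Per mail: (sender address, list of reasons it deserves a closer look)."""
    reused = reused_display_names(mails)
    findings = []
    for mail in mails:
        name, addr = sender(mail)
        reasons = []
        if name.lower() in reused:
            reasons.append(f"display name reused across {len(reused[name.lower()])} addresses")
        target = lookalike_of(addr.rsplit("@", 1)[-1], legit_hosts)
        if target:
            reasons.append(f"sender domain resembles {target}")
        findings.append((addr, reasons))
    return findings
```

Run `triage(SAMPLE_MAILS, LEGIT_HOSTS)` over a real mailbox export to see which of the talk's patterns show up; the allowlist should be your own brands and the vendors you actually use.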