So this is called Your Blacklist Is Dead, Air-Gap Everything, and it is my diatribe on why I think the future of command and control for malware is in the cloud. Just to give a little bit of background on me: my name is Erick Galinkin. I'm a threat researcher at Netskope. I study applied mathematics at Johns Hopkins University, and I wear some lib t-shirts because I'm not allowed to talk about politics in this presentation.

So why am I here? Well, I'm here because I think a lot about malware, and I think a lot about what malware authors are going to do. So what motivates malware authors? They don't want to get caught, right? That's the number one thing. If you have malware on a system, you probably don't want to get caught. Of course there are exceptions, but for the most part you want to be surreptitious. So how do you avoid detection? You blend in. If you're talking to some sketchy server in Ukraine, or you're calling out to an OVH IP, which, if any of you have ever seen malicious network traffic, you've probably seen, it's pretty obvious. But if you talk to a whitelisted domain, something that is very specifically authorized, instead of a sketchy server in France or Ukraine, that's a much harder problem to solve. And if you've ever written IDS rules for unspecified IDSs that I'm not allowed to name, it's really, really hard to detect things that look like normal traffic but are bad. Look at the Angler exploit kit: it used a bunch of BBS patterns when it was putting out its landing pages, and that made it really, really hard for me at the time to write IDS rules to mitigate it.

So before we really dive into the meat of it: why do people even use SaaS applications? We have software as a service. I'm willing to bet that everyone here has some authorized SaaS application in their enterprise. So what's it good for?
You don't manage the physical infrastructure. It's patched for you. Users can use it from everywhere. It's easy, it's cheap, it's effective, and it's growing. Small companies are using it, large companies are using it: G Suite, Slack, Dropbox, Box, you name it, someone is using it. So it's everywhere and it's easy.

A minor digression: I've had a lot of debate about whether social media is SaaS. Is social media software as a service? Salesforce thinks so, I think so. If you disagree, then you're wrong, and I'm so sorry, you're wrong. So Reddit is SaaS and Facebook is SaaS, and again, that's not up for discussion.

So is SaaS good for security? The answer is a resounding maybe. In some sense, you want to offload your risk to a third party. You want Microsoft to be responsible for protecting your data and encrypting it, because they're probably better at protecting encryption keys than you are. So it decreases the attack surface of your actual enterprise network. And also, capitalism, because we live in a society, incentivizes protecting your stuff. If somebody's really, really bad at protecting your data, you're not going to trust them with it. You're not going to pay them money to do it. That's kind of how the market works. So does having a bunch of whitelisted services decrease your visibility? Yeah. You have a bunch of outbound network traffic that you assume is good. You're not inspecting that traffic, not in any meaningful way. So it's a land of contrasts.

So we'll start with a blue team perspective. I do want to start with a caveat that other people are much better at this than I am. There are people here who have spoken today, whose presentations you have seen, who have thought about the blue team approach to protecting against malware, and they're better at it than I am. So if you saw those talks, good for you; otherwise, they're recorded.
So I've got a timeline here, and you can't read it because the text is super tiny, so I'm just displaying it so I can talk about it. Basically we've got different phases of the cyber kill chain: you've got your actions on objectives, you've got command and control, delivery and exploitation. And since about 2009 we have seen every single one of these three phases used in different ways, with different services, to do all kinds of different things. You have Google App Engine being used for command and control, the Zeus botnet using EC2 all the way back in 2009. Recently, Trend Micro, and we wrote about it too, but Trend Micro did it first, wrote about Slub, which uses a variety of SaaS services to do a couple of different steps of this process. You have the Rocke group, which was using GitLab and Gitee, which is a Chinese GitHub clone, to download follow-on scripts and second-stage payloads. So these things are happening. We had a pretty good run there in 2014, where there's a decent cluster with PlugX and the Inception Framework. So it's being used by cyber criminals, it's being used by APTs, it's being used by everybody, and it's only getting easier.

Part of the reason for that is domain generation algorithms. The first domain generation algorithm that we've really observed, the one that we call the first, is Kraken, back in 2008. So in the last 11 years we've written over 22,500 academic papers. That's not blog posts and Medium posts and shitty things you wrote in Markdown but never published. These are academic papers that are on Google Scholar. This is a well-researched, well-trodden topic, and if you've spent any time in malware analysis or blue teaming, some of these names are familiar. You may have heard of Conficker. You may have heard of the Zeus botnet.
Or if you're new, you probably haven't, and that's fine. But we've spent a lot of time on domain generation algorithms, and we've spent a lot of resources researching how to detect them. What's the point of a domain generation algorithm? It's to make sure that you can't blacklist a domain and kill the C&C. It's to evade IDS detection that depends on the domain. It's to evade firewalls. Well, if you're just calling out to api.slack.com, you don't need to write a DGA, and when somebody figures out your DGA you don't have to write a whole new DGA. You can just use api.slack.com. So it may not get rid of domain generation algorithms forever and always, but it is an alternative to domain generation algorithms that serves the same purpose.

I want to talk a little bit about Slub, which again Trend Micro wrote about, and then we, being Netskope, wrote about as well. One of the things that Slub did was get commands from GitHub Gists, post command responses in Slack, and then exfiltrate files: when it would upload files, it would upload them to file.io, which doesn't require any authentication or API keys. There are really good blog posts about this if you're interested in the technical details of Slub. The Slub authors have actually released a new version that kills GitHub, which I personally don't think is super great, but I understand it, and they use Slack a lot more. They use Slack for passing commands and for returning responses. And it's a beautiful piece of malware. It really is. If you don't love malware, you're probably at the wrong conference, honestly.

So why was Slub so effective? It used a bunch of different SaaS services, and file.io in particular is an anonymous upload. It just uploads. It doesn't ask you for a key, you don't log in, there's nothing.
You just pass the hex bytes of the file to the upload path, and that's it. That's the API: file.io/upload. That's all, just a POST. So that's really hard to detect unless you're looking at the content of the payload. And of course looking at the content of the payload is difficult, because all of these things have TLS. That's one of the other beauties of using SaaS services as C&C: they all provide TLS by default. You don't need to create your own cert. You don't need to get your Let's Encrypt cert every 30 days. It just uses Dropbox's, file.io's, whoever's TLS cert. And again, it's sneaky. It looks like API calls, and API calls to legitimate websites don't look like C&C traffic. So you're not going to blacklist these domains. You're not going to blacklist these IPs. And if you write an IDS signature, you're probably not going to key off of that; you're going to have to key off of something in the content of the body. And that's assuming that you get through the TLS encryption, meaning that you're probably inline and you're stripping SSL, which not everybody does.

So how do you defend against SaaSy malware? Well, DLP solutions are pretty good. If you upload a sensitive file to Dropbox and you have a DLP solution inline that looks at your files as you upload them to Dropbox, or as an attacker uploads them to Dropbox, it's going to say, hey, these are a bunch of social security numbers, that's probably not good, and you'll get an alert. Careful monitoring of traffic, which is really just a generic thing that doesn't mean anything; I'm just saying it so that I cover my ass when one of you asks me, what about IDS? Aggressive user education: not just don't click links unless you trust them, but ask yourself why you trust a link. If you're clicking a link that was messaged to you in Slack that goes to a Dropbox, maybe make sure.
And then of course endpoint detection. Endpoint detection doesn't care what method you use for command and control; it just cares about whether or not it's detecting the malware. So the malware can use domain generation algorithms, or call out over port 666, or listen on port 777, which is SubSeven for the 11 of you who are old enough to remember that. So that's a good way to do it.

One thing I want to do while I have a soapbox to stand on, one of my hobby horses, is this: there's nothing new under the sun. If you're a blue teamer, you need to think about Dropbox, you need to think about Slack, you need to think about all of these services the way that you think about ports on your server. If you're hardening a server and you've got FTP open, and you say, well, we don't need FTP open on this server, we've got FTPD running but this isn't an FTP server, what do you do? You kill FTPD forever. You block port 24, 3, 4... shit, whatever, you know what I mean. It's been a long day, I yelled at most of you. But the point is you block that port, you kill that service. If you don't run Dropbox in your enterprise, don't let people use Dropbox. What personal Dropbox do they need to use for your corporate files? I know that's such an awful thing to say at DEF CON, but seriously, if you're a blue teamer, really give thought to how you manage these services and be false positive tolerant on them, because it will screw you.

Now for the more fun part. If you're a red teamer, or if you just like red team things, how do we use these sorts of services to do stuff? Well, as always, getting in is the hard part. All of these slide titles are references to music, and you might not get any of them, and that's okay. This is Tom Petty, yeah. But how do you get in in the first place?
You abuse lax IAM permissions, you brute force logins, social engineering, old-fashioned exploitation: endpoints have vulnerabilities, and people don't patch everything. People run ancient versions of VLC, which is so weird. People run just the weirdest stuff. Somebody had FileZilla open like two months ago. Two months ago! Why? I don't know. And then you've got whatever Blue you want, because people still haven't patched MS17-010, which, if you're in this room and you have a box that you know of that hasn't applied that patch: leave. Leave the whole conference, leave the state of Nevada, go home and patch it. It's been two years.

So then once you have the access, you can get by IDS. You can pull your tools from Dropbox, you can pull your tools from S3, you can pull scripts from Pastebin. Seriously, just put the Python in Pastebin, make a curl request to the raw, and pipe it to Python. It's that easy, and it runs and it works. Some people aren't mitigating this in any way, shape, or form, and it's nuts. And GitHub. GitHub is such an underutilized way to abuse trust relationships that companies have. Most places, if you have a GitHub repo and you make a pull from another GitHub repo, or a clone from another GitHub repo, they just let you. Nobody's blocking GitHub traffic, because what if it breaks your Jenkins pipeline? Yeah, that one guy found it funny. That was good, thank you, you specifically. But seriously, you can just pull code, you can pull whatever from GitHub, and if you have file storage, forget about it. You can pull executables, you can do whatever you want. Nobody gets this one, that's okay: Carole King had a song called I Can't Hear You No More. It's fine.

And then there are tried and true techniques for doing exfiltration over these sorts of services.
You make a draft email in Gmail and attach something to it, but you don't send it, so it never trips an ESA, which is something I wasn't supposed to say. Slack has an upload feature; Twitter, Dropbox, whatever. You can send data over these things and they are usually trusted. You can create a private subreddit and just post whatever in there, and nobody will ever see it and nobody will ever block it. It is a great way for you as a red teamer to exfiltrate data in a way that is super surreptitious.

One more thing I wanted to talk about, and before I talk about it, I do want to pay homage. This is not new. People have done this before; I am just demoing my version of it. So Gcat, Twittor, Slackor, Slub all did this really well. Slackor in particular is real nice. Coalfire put that out, so huge props to them. And a little bit of a shout-out to the Slub authors, because A, I jacked their program flow and B, it's a sweet piece of malware. It's really good. It was fun to reverse. It was fun to reverse the second time. It was like a real friend, you know?

So I want to demonstrate something that we have been calling SaaSy Boy. I've got this shirt; that guy has a shirt too because he works with me. And I'm going to pause it like six times, and you probably can't see it, so I'm really sorry, which is why I'm going to talk you through it. So let's do that. We run the agent. This is not full-screened, not well enough, that's fine. You can see on the right we've got our Slack, and on the left we have a terminal. In real life your malware is not going to be so cooperative and provide you with the terminal, but I have done it so that I can know when things start and end, and also because I like recording my screen this way. So, play. We run the agent.
And the first thing that happens is it checks in here and tells you some basic information. Down at the bottom, which you can't read, and I should have tried this on a big screen, it says current user is not admin, username is egalinkin, computer name maxcope.local, OS version is macOS 10. So what's it doing? It is checking who the current user is, what their UID is, what their OS is and what the computer name is. And you see we pop calc, because you have to. It did download the actual calc.app and run it, so it is downloading and executing code. That's just a law of demos: if anybody gave you a demo today and didn't pop calc, they're fired.

So then what did it do? It listed this directory, the current directory that it's running out of, because I'm lazy and didn't want to move it around or compile it into an executable. But you can do that with pants or whatever you want. So what do we have here? We've got some stuff, and then we're going to give it a command. We're going to tell it to list dir, and have it list our home directory, /Users/egalinkin. It takes a couple of seconds to think about it and then it comes back, and we've got a bunch of files and directories there, because I don't keep my home dir clean. But we have one in particular that's pretty neat, and that's .ssh. I'm assuming that everyone here knows what lives in .ssh. So we're going to go ahead and upload our .ssh private key to Dropbox. All of this functionality is not hard-coded. We are passing it a path for a file, and we're passing it an OAuth key for Dropbox. The Dropbox is not hard-coded; the only thing that lives in the malware is the upload API call for Dropbox. And then it creates a folder called maxcope, which is the name of the computer, and hey, there's my RSA private key. And we love it. And yeah, I'm not going to show you my RSA private key. I thought about it.
And then I remembered that that's my actual production laptop for work, and that would just be a mistake to display at DEF CON. There would be like 45 people taking pictures. And then we tell it destroy, and when it destroys, it kills the whole thing. It just dies. That's it, that's the whole demo. Thank you.

Great, so the code is available. That's not the correct address anymore; it's at Netskope OSS. I can modify it, I'll make it available, and we have a blog post that links to the code too: Netskope OSS slash saasy_boy, S-A-A-S-Y. I've open-sourced the whole thing. You can see my crappy Python, and you can run it and test your own security stuff against it and see what your logs say, which is why I'm opening it. My caveat is it ran on my Mac, it ran on my Windows VM and it ran on my Linux installation. I am not promising it will work on yours. Whatever your environment looks like, I hope it works, or not. I hope it doesn't work if you don't want this running.

But anyway, what have we learned? You guys sat here and listened to me talk for however long it's been. So what are the lessons you should take away? SaaS applications can increase your attack surface: even though you are not running an NFS that is exposed to the internet, and you're running Dropbox instead, now you are trusting Dropbox, which means if you are not making sure that it is your Dropbox that is being used, you're increasing your exposure. SaaS applications move data very surreptitiously. One thing I thought about demoing but didn't, because I didn't know what fun commands to run, is that SaaSy Boy is basically a reverse shell over Slack. And it uses Twitter too, by the way; that's another thing it does, it's got fallback methods. I got you. But it opens a reverse shell, so you can run whatever command you want. If you want to rm -rf /, go for it. I'm not doing it.
I was going to do a live demo and let you guys give me commands, but then I realized that somebody would want to run that and then it would be over. And APIs make it really easy to use one or two or eight services to do bad stuff, and to do bad stuff in a way that has built-in TLS, built-in IDS evasion, and is just genuinely hard to detect with traditional things.

As is customary, I also want to do props and slops. Props to Slack for having a super easy to use REST API, and props to Facebook, because I tried to use Facebook instead of Slack and they made it really, really difficult to build a chatbot that abuses their TOS. It's an absolute nightmare to use and it requires you to jump through way too many hoops, so I just didn't do it. You probably could, if anybody here is determined; it's definitely possible, it just sucks, and they'll kill it. Props to PaulSec, Coalfire, Trend Micro, and anybody who sat through this whole presentation and is like, yeah, obviously, idiot, you can use Slack for C&C. And props to Janko, who took a seat from somebody in the hallway because he doesn't love or care about you, who made the timeline graphic for this talk and for a paper that we're releasing about a related topic, and made it far nicer, because my original one was hideous.

Also, slops to Slack for having a really easy to abuse REST API. Somebody, maybe not in this room, because now you are the enlightened few, is going to have a really nasty piece of malware, which is probably going to be Emotet, because it's always frigging Emotet. They're so good. If any of you know the Emotet authors, please introduce me; I want to meet them so bad. Somebody's going to get popped with malware, and it's going to use Slack, and it's going to go undetected for like 230 days, and a CISO's going to get fired, and they're going to be like, oh my God, it ruined our TTR. Whatever. You've all been warned. Slops to Facebook for making it really hard for me to have a chatbot that abuses their TOS.
I really wanted to use Facebook Messenger. There were allegedly people coming here who are from Facebook. Maybe none of you made it because you heard that I wasn't doing it anymore, I don't know. But yeah, that really sucked and was really frustrating. And slops to my cat Dasha, who spilled coffee on my keyboard when I was trying to write the malware and cost me like an hour drying out my laptop. That really sucked.

So thank you all for listening to my talk. That's my Twitter and my personal blog. We also have a blog at Netskope. That's it, that's all. You can applaud now. Thank you.
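Editor's added example, not part of the talk and not the speaker's released tool. The blue-team point of the talk is that C&C over api.slack.com, or exfiltration to file.io and Dropbox, defeats domain and IP blacklists because the destination is whitelisted; what is left to key on is behaviour. The script below runs two such checks over constructed web-proxy log lines: a fixed-cadence polling pattern from one client to a SaaS API host (the "reverse shell over Slack" checking for commands), and POST uploads either to an anonymous drop service or to the Dropbox upload endpoint from a client that is not the sanctioned desktop app (the "make sure it is your Dropbox" point). The log format, the hosts, the user-agent strings, the tenant/client heuristic and the thresholds are all assumptions made for the example; tune them to what your proxy actually emits.

```python
"""Behavioural checks for SaaS-based C2 and exfil in web-proxy logs.

Added example; all sample data below is constructed, not real traffic.
Log format (assumed): ISO timestamp, client IP, method, host, path, bytes_out, user-agent
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log lines: 10.1.2.3 polls Slack every 30 s from a
# scripting user-agent, then uploads to file.io and Dropbox; 10.1.2.9 is
# an ordinary user with the desktop clients.
SAMPLE_LOG = """\
2019-08-10T14:00:00Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:00:30Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:01:00Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:01:30Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:02:00Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:02:30Z 10.1.2.3 GET api.slack.com /api/conversations.history 0 python-requests/2.22.0
2019-08-10T14:02:41Z 10.1.2.3 POST file.io /upload 3172 python-requests/2.22.0
2019-08-10T14:03:05Z 10.1.2.3 POST content.dropboxapi.com /2/files/upload 1679 python-requests/2.22.0
2019-08-10T14:00:07Z 10.1.2.9 GET api.slack.com /api/rtm.connect 0 Slack/4.0.2 Electron
2019-08-10T14:04:19Z 10.1.2.9 GET api.slack.com /api/users.list 0 Slack/4.0.2 Electron
2019-08-10T14:11:55Z 10.1.2.9 GET api.slack.com /api/conversations.history 0 Slack/4.0.2 Electron
2019-08-10T14:12:40Z 10.1.2.9 POST content.dropboxapi.com /2/files/upload 40211 DropboxDesktopClient/80.4 (Macintosh)
"""

ANONYMOUS_DROPS = {"file.io"}                       # no auth, no API key: any POST is suspect
SANCTIONED_DROPBOX_UA = ("DropboxDesktopClient",)  # assumption: only the desktop app is approved
MIN_BEACONS = 5       # assumed minimum hits before judging cadence
MAX_JITTER_CV = 0.2   # assumed max coefficient of variation for "machine-regular" polling

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<bytes_out>\d+) (?P<ua>.+)$"
)


def parse_log(text):
    """Parse the assumed proxy format into dicts; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["bytes_out"] = int(e["bytes_out"])
        events.append(e)
    return events


def find_beacons(events, min_hits=MIN_BEACONS, max_cv=MAX_JITTER_CV):
    """Flag (client, host) pairs whose request gaps are too regular to be a human."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["ts"])
    alerts = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # 0.0 means perfectly periodic
        if cv <= max_cv:
            alerts.append((client, "beacon", f"{host} every ~{mean:.0f}s, jitter cv={cv:.2f}"))
    return alerts


def find_uploads(events):
    """Flag POSTs to anonymous drop services and Dropbox uploads from unsanctioned clients."""
    alerts = []
    for e in events:
        if e["method"] != "POST":
            continue
        if e["host"] in ANONYMOUS_DROPS:
            alerts.append((e["client"], "anonymous-upload", f"{e['host']}{e['path']} {e['bytes_out']}B"))
        elif e["host"] == "content.dropboxapi.com" and e["path"].startswith("/2/files/upload"):
            if not e["ua"].startswith(SANCTIONED_DROPBOX_UA):
                alerts.append((e["client"], "unsanctioned-dropbox-upload", f"ua={e['ua']}"))
    return alerts


def triage(text):
    """Run both checks over raw log text and return (client, kind, detail) alerts."""
    events = parse_log(text)
    return find_beacons(events) + find_uploads(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Note that neither check looks at the destination's reputation: api.slack.com and content.dropboxapi.com stay fully allowed, and the ordinary user 10.1.2.9 raises nothing. The cadence check is the weaker of the two in practice, since an agent that adds random sleep between polls pushes the coefficient of variation above any fixed threshold, so treat it as one signal to corroborate with the upload and user-agent checks rather than a detection on its own.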