Demo Labs - Phirautee
Formal metadata
Title | Demo Labs - Phirautee
Series title |
Number of parts | 374
Author |
License | CC Attribution 3.0 Unported: You may use, modify, and copy, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/50821 (DOI)
Publisher |
Year of publication |
Language |
Content metadata
Subject area |
Genre |
Abstract |
Transcript: English (automatically generated)
00:02
All right, so now what you're seeing on the screen is the set of steps for the flow of the ransomware. In the first screen, what you are seeing is the folder with the name tools. That's where we have got the most important files.
00:20
So when I look at it, I've got two files in there for this proof of concept. One of them is the most important file, and the second one is the sensitive passwords. So let's open one of the text files. Looking at the text file, it seems that there is some text in there for demo purposes, but it's in plain text right now.
00:47
So let's close this file, and let's look at the second file, which is the sensitive passwords file. This contains some dummy passwords in plain text. So I'm going to close this file now.
01:02
So now you know that these are the important files on the machine which we are going to encrypt through Phirautee. What I've got on the right is the C drive of the machine which we are going to infect with the ransomware.
01:25
And what I'm going to show here is the folder structure. And remember that right now we have configured our ransomware to encrypt files in the tools folder. However, this can be customized to encrypt the full folder, or the complete C drive, or the whole Documents folder, or Pictures, or whatever you like.
01:53
So let's keep it open and see how things change when you run the ransomware on the infected machine.
02:01
The third folder I've opened here is the temporary folder. That is where all the certificates and the symmetric keys are going to get dropped, and then they are going to get exfiltrated out to the attacker. In the fourth window I've got a browser open.
02:23
In the first tab I've got Google Drive. Right now, if you look at this Google Drive, there is only one folder and a file. There is nothing else available here. So for exfiltration purposes, when you have big files, Phirautee exfiltrates them to Google Drive.
02:48
So I tried it with this test mp4 file, which is 126 MB, and it works perfectly. So what is going to happen is, these files over here are going to get copied into Google Drive when you run the ransomware.
03:11
And remember that we have distributed our attack infrastructure in a way that we are not relying on one single service.
03:25
So the symmetric keys are going to come to Pokemail. And how do you set up Pokemail? I'm going to show you in a moment. But before that, let's look at what sort of UAC controls we have on the infected machine.
03:47
So let's look at the UAC settings. It seems that the highest level of UAC is "always notify". Whenever an app tries to install software or make any changes to the computer, this is going to notify the user.
04:08
So this is currently set to always notify. Let's minimize this and look at the current certificate store, which is the local store on the box.
04:23
So the current store has got only one certificate in here. However, when the ransomware gets deployed, you will see another certificate get installed, and then it's going to get removed afterwards,
04:44
once you exfiltrate and encrypt these files inside the tools folder. OK, let's minimize this now. So let's set up our ransomware with the email address where you want to exfiltrate the keys for the certificate.
05:03
So right now I've chosen the Statue of Liberty as a location. So I'm going to click on this and get the geographic coordinates, and I'm going to paste them in here. So these geographic coordinates are for the Statue of Liberty.
05:26
I'm going to set this as my location. So once I set this as a location, you'll see that it has created a unique location for me and then it has generated a random-looking email account for me.
05:43
And it has got one email in it as of now. OK, so you have to copy this email and put it inside your ransomware file, and you have to make changes in the email address parameters.
06:03
I'm going to do that now. So I've modified the email address for one in here, and the other place where you want to make changes is the email one parameter over here. So after you make those changes, save the file.
06:23
So I'm going to save this file and I'm going to minimize this for now. And I have opened a PowerShell window and I'm going to run the ransomware. To run the ransomware, all you need to do is run one single PowerShell file.
06:41
Once this runs, you'll start seeing files getting dropped inside the temporary folder. And then in Google Drive, you're going to see an encrypted zip file containing the exfiltrated data.
07:04
So I'm going to hit enter. So it is going to create a base64 encoded certificate. This is going to be the public key, and then it's identifying it. Then it's going to install the 7-zip module onto the machine.
07:27
However, let's see if this has already installed the certificate on the machine. Not as of now, but let's give it some time and then you'll see another certificate being installed here on the machine.
07:43
So once that is done, it's going to start encrypting the files. So right now it is zipping the files. So if you look at this, it has already created the certificate. It is creating files, and now the files are already zipped and an email has been sent to the attacker on Pokemail.
08:05
So if we go here and refresh it, it has created the still.zip file. It is running some enumeration on the files, on which files the ransomware needs to encrypt.
08:21
And then it's going to start uploading the files to Google Drive. So once it has uploaded the large files, it's going to delete them from the temporary folder. And then you'll see that it is going to start encrypting the files.
08:41
If you look here, you'll see that the files have already been encrypted and we have successfully deployed the Phirautee ransomware onto the machine. So once this is done, it gives you a notification on the infected machine that they have been ransomed and the files are encrypted.
09:06
So as of now, I have put 30 seconds for the proof of concept, but you can set this timer for however long you want.
09:22
So once this is done, it's going to close the UI and then it's going to change the desktop of the infected machine. Right now, if you have a quick look at the folder where we had the sensitive files, the files have been changed to the .phirautee extension.
09:47
The file type is again changed to Phirautee. And then, once you see here, the background gets changed as well to the Phirautee background.
10:05
So that's been done as well. And if you look here, you have received emails containing the private key for the certificates. The certificate is already deleted from the infected machine.
10:23
And then if you try to open the tools folder again and try to access the files, you'll see that they're no longer accessible. So if you open one, you know, there are just junk characters in it and it's been encrypted as .phirautee.
10:47
So that's what the ransomware does. So the next step is to actually go ahead and download the encryption keys.
11:01
So I'm going to download the backup1.zip file. And if I go back to the Inbox, I'm going to download the other file as well. So I'm going to copy this. I'm going to back this up as well.
11:26
So once downloaded, you can go to your Google Drive and you'll see that the .zip file is already in there. And if you try to open this, you'll see that you've got the same two files in there.
11:42
The most important file.txt and the sensitive passwords.txt. These files were actually on the infected host in .txt format, which is now converted to .phirautee. So if you try to open this, you won't be able to open this.
12:02
The reason is... but anyway, let's download this. So it is scanning for viruses. And once it's downloaded, let's go to the download folder. Oh, it's not downloaded yet. So let's go to the download folder and see if we can open this.
12:21
So if we try to open this, it requires a password. And the password for these files is actually inside Pokemail, in the backup.zip file. So if you open the backup.zip file and look at the .zip.txt
12:44
file, that's the private key for the zip encrypted file which is on Google Drive. However, it requires the password. This password is encrypted using this initialization vector over here, which is using the symmetric key.
13:03
So this is the symmetric key for the very first file, which is sys.txt. So this initialization vector, as an attacker, you are the only one who holds this. And since this is running inside memory, and as you rotate your infrastructure, no one else would be able to gain access to this.
13:29
So let's verify and put this in as the password. And sure enough, this is the password for the stolen file.
13:43
So this is the password for the certificates using which the files have been encrypted. So when you want to send this decryption key, this is what you are going to send to the user. So that's how the attack works.
14:02
And if you look, there is going to be a phirautee.txt file on the desktop, such as this. And if you try to open it, it's going to give you the same note which you saw in the pop-up window.
14:20
Your files have been encrypted; they are asking for 0.10 Bitcoin. If you don't pay, they are going to release your files to the internet. So the same can be done with phishing emails.
14:40
So let's go to Gmail and see how this attack can be done via phishing emails. So one thing I'm not going to show you here is how you bypass antivirus, because that's not the scope of the project. We are purely looking at the ransomware and how you can create a proof of concept
15:05
and make your incident response team work on it to see the behavior and identify the gaps. So suppose you receive an email like this with the subject line "important promotion list for 2020".
15:25
And suppose you receive this from your colleague whose email has been compromised using various other means. And since you trust your colleague and internal email addresses, you think this is an important file to work with.
15:48
So once downloaded, the file looks like this, and this looks very legit. An attacker can generate this kind of data and get someone to download the file and run it.
16:11
So once you have downloaded this, there is a note here saying click on the chart to display the insights. Suddenly you'll see that the data is good; however, the issue is that the chart is not loading properly.
16:26
So let's look at the macros and what an attacker has done in here. So the macro looks like this. It's going to download the test.patch file from GitHub and then it's going to run the demo.patch file.
16:45
It's going to save it in the temporary folder and then it's going to run it. So let's see what's in the GitHub repo and how it's going to pull this stuff.
17:00
So right now I'm in the test.patch file. This is what is getting pulled. So once things get pulled, it's going to run our ransomware, which can be downloaded onto the machine itself, the same way we are downloading this patch file. So let's try to run this and see if it is actually working.
17:25
So since it says click on the chart to display the insights, what I've done is the onClick event for this chart is going to call the macro and run it. So let's see if this is working. So once I click on this, it has opened cmd and it's going to pull the file from the internet into the temporary directory
17:58
of this machine.
18:00
So let's go to the tmp directory, and the demo file has already been downloaded. So if you look at the timing, it's 11:16 and the file has just now been downloaded. It is creating the sys.txt file. The ransomware is running in the background. You can confirm this by the way this cmd has opened.
18:25
But if you don't want the cmd window to pop up, you can hide that as well. So it is creating different files. It has created the backup.zip file and it's going to perform the same attack again.
18:43
And what it's going to do this time, it's going to repeat exactly the same steps on the machine, but without the user even realizing that something is happening on the account. So if you see, the still.zip file has already been created; the zip file has been created.
19:05
Let's see if there is actually a certificate created on the machine. Yes, cert.cer (c-e-r) has been created just now. But you can verify the same by looking at the personal certificate store.
19:25
So this is going to create a self-signed certificate on the user machine even though we have a UAC setting of always notify. So if you double-click on this certificate, you know that we have got a private key
19:41
which is getting sent to an attacker via Pokemail. So once the attack is successful, it's going to delete this self-signed certificate and the private key from the machine,
20:02
and then the user won't have a chance to decrypt their files. So that's how the attack vector works, even with phishing.
20:21
So the attack has already finished; it is refreshing the window and that's why the windows got closed. You can confirm this by going into the same tools folder and seeing if the files are encrypted already.
20:42
So the files are encrypted and then the certificate is going to get deleted. So if you keep refreshing it, the certificate is already deleted, and that's how the attack works through phishing.
21:01
And that's how the ransomware gets sprayed from one machine to the other. I hope you liked this demo and that you have learned something new from it. So let's jump back to the presentation and see some mitigation strategies now.