SlideShare una empresa de Scribd logo

Operation Grand Mars

I
isc2-hellenic

ISC2 Hellenic Chapter 25/10/2016

Tecnología
1 de 14
Descargar para leer sin conexión
Grand Mars Operation Defending against Anunak Thanassis Diogos, Trustwave MC for EMEA IR MSc Infosec, CISSP trainer
Agenda • APT Detection • Entry point • Persistence • Public services • Malicious software • Motivation • Conclusions
APT Detection • AV Alerts • Weird event log entries
• Email followed by phone call (social engineering vector) • Word attachment containing encoded VBS Entry Point
Analysis • Several malicious files/scripts generated
Persistence & lateral movement • Files in user’s %temp% folder • Registry autorun location • Scheduled tasks • Backdoor exe & scripts (VB, PS) as memory resident code • Pass-the-hash HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunTransbaseOdbcDriver
Google Docs, Pastebin • Register/Update Bots • Flow of operation based on Pastebin
Hosts distribution/location
Anunak • Spawns into a new svchost.exe process • Gathers information of the system • Anti-reversing, terminates specific AVs • Privilege escalation • Enables RDP • POS malware functions • Local password stealer • Scrounging Outlook PST files • Target iFobs banking application • Backdoor commands (downloads and executes additional malware)
Cobalt’s Strike Beacon • Covert channel • Metepreter • Downloading Eicar test file
AdobeUpdateManagementTool (VBScript) • Downloads & executes files, VBScripts or PowerShell files • Collects and communicates • OS Name, Version, Service Pack, Install Directory • Physical Memory Available/Total, Available Virtual Memory • System Name, Model, Manufacturer • Locale ,Time Zone • BIOS Version, Processor System Type • Computer/user name & Domain
Motivation • Bots collection • Financial • Control of victim organizations • Multiple groups involved (assumption)
Conclusions • Victims • Weak detection security controls • Missing or poor readiness for security incidents • AV detection low to zero scores • Reluctant to cooperate with authorities • Features of the operation indicating to organized crime activities • Targeted social engineering • Several malicious software used • Attacking methods such as pass-the-hash • Purchase of certificates • Multiple hosts used in Europe mainly • Usage of public cloud services, Google Docs and Pastebin • Investigation of malicious software and activities give the impression that distinct parties involved • Underground cooperation or trading
Questions? Thank you!

Recomendados

penetration testing
penetration testingpenetration testing
penetration testingShitesh Sachan
 
Automate: The Globus Vision (GlobusWorld Tour - UMich)
Automate: The Globus Vision (GlobusWorld Tour - UMich)Automate: The Globus Vision (GlobusWorld Tour - UMich)
Automate: The Globus Vision (GlobusWorld Tour - UMich)Globus
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker ContainersBlack Duck by Synopsys
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformForgeRock
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011Xavier Mertens
 
Timelines
TimelinesTimelines
Timelinesprimeteacher32
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 

Recomendados

penetration testing
penetration testingpenetration testing
penetration testingShitesh Sachan
 
Automate: The Globus Vision (GlobusWorld Tour - UMich)
Automate: The Globus Vision (GlobusWorld Tour - UMich)Automate: The Globus Vision (GlobusWorld Tour - UMich)
Automate: The Globus Vision (GlobusWorld Tour - UMich)Globus
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker ContainersBlack Duck by Synopsys
 
Dev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformDev Ops Geek Fest: Automating the ForgeRock Platform
Dev Ops Geek Fest: Automating the ForgeRock PlatformForgeRock
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011Xavier Mertens
 
Timelines
TimelinesTimelines
Timelinesprimeteacher32
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleSam Bowne
 
Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpectedisc2-hellenic
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Teamisc2-hellenic
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOisc2-hellenic
 
Panoptis 2016
Panoptis 2016Panoptis 2016
Panoptis 2016isc2-hellenic
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IThhuihhui
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptxMuhammadRehan856177
 
Topic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptxTopic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptxMorningstar90
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!Security BSides London
 

Más contenido relacionado

Destacado

Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpectedisc2-hellenic
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Teamisc2-hellenic
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOisc2-hellenic
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment isc2-hellenic
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IThhuihhui
 

Destacado (10)

Cyber Security Expect the Unexpected
Cyber Security Expect the UnexpectedCyber Security Expect the Unexpected
Cyber Security Expect the Unexpected
 
European Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security TeamEuropean Cyber Security Challenge - Greel National Cyber Security Team
European Cyber Security Challenge - Greel National Cyber Security Team
 
The evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISOThe evolving threats and the challenges of the modern CISO
The evolving threats and the challenges of the modern CISO
 
Panoptis 2016
Panoptis 2016Panoptis 2016
Panoptis 2016
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
Disaster Recovery Plan for IT
Disaster Recovery Plan for ITDisaster Recovery Plan for IT
Disaster Recovery Plan for IT
 

Similar a Operation Grand Mars

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationSam Bowne
 
Topic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptxTopic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptxMorningstar90
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesSam Bowne
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!Xavier Mertens
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
Examining computer and evidence collection
Examining computer and evidence collectionExamining computer and evidence collection
Examining computer and evidence collectiongagan deep
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 

Similar a Operation Grand Mars (20)

BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
CNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident PreparationCNIT 121: 3 Pre-Incident Preparation
CNIT 121: 3 Pre-Incident Preparation
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Topic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptxTopic 2 - Ransomware Techniques.pptx
Topic 2 - Ransomware Techniques.pptx
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
All your logs are belong to you!
All your logs are belong to you!All your logs are belong to you!
All your logs are belong to you!
 
All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!All Your Security Events Are Belong to ... You!
All Your Security Events Are Belong to ... You!
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
Examining computer and evidence collection
Examining computer and evidence collectionExamining computer and evidence collection
Examining computer and evidence collection
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 

Más de isc2-hellenic

General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0isc2-hellenic
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentationisc2-hellenic
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapterisc2-hellenic
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosisc2-hellenic
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1isc2-hellenic
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2isc2-hellenic
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0isc2-hellenic
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercisesisc2-hellenic
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attackisc2-hellenic
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & updateisc2-hellenic
 

Más de isc2-hellenic (12)

General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0General assembly 2016 02 24 1.0
General assembly 2016 02 24 1.0
 
2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation2016 02-14 - tlp-white ce2016 presentation
2016 02-14 - tlp-white ce2016 presentation
 
2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter2016 02-14-nis directive-overview isc2 chapter
2016 02-14-nis directive-overview isc2 chapter
 
Event 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatosEvent 16 12-15 kostas papadatos
Event 16 12-15 kostas papadatos
 
Event 16 12-15 panel1
Event 16 12-15 panel1Event 16 12-15 panel1
Event 16 12-15 panel1
 
Event 16 12-15 panel2
Event 16 12-15 panel2Event 16 12-15 panel2
Event 16 12-15 panel2
 
Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0Event 16 12-15 global information security workforce study 1.0
Event 16 12-15 global information security workforce study 1.0
 
5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises5. Experience from recent national & international cyber exercises
5. Experience from recent national & international cyber exercises
 
4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack4. Mitigating a Cyber Attack
4. Mitigating a Cyber Attack
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
2. Chapter introduction & update
2. Chapter introduction & update2. Chapter introduction & update
2. Chapter introduction & update
 
1. Welcome Note
1. Welcome Note1. Welcome Note
1. Welcome Note
 

Último

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Operation Grand Mars

  • 1. Grand Mars Operation Defending against Anunak Thanassis Diogos, Trustwave MC for EMEA IR MSc Infosec, CISSP trainer
  • 2. Agenda • APT Detection • Entry point • Persistence • Public services • Malicious software • Motivation • Conclusions
  • 3. APT Detection • AV Alerts • Weird event log entries
  • 4. • Email followed by phone call (social engineering vector) • Word attachment containing encoded VBS Entry Point
  • 5. Analysis • Several malicious files/scripts generated
  • 6. Persistence & lateral movement • Files in user’s %temp% folder • Registry autorun location • Scheduled tasks • Backdoor exe & scripts (VB, PS) as memory resident code • Pass-the-hash HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunTransbaseOdbcDriver
  • 7. Google Docs, Pastebin • Register/Update Bots • Flow of operation based on Pastebin
  • 9. Anunak • Spawns into a new svchost.exe process • Gathers information of the system • Anti-reversing, terminates specific AVs • Privilege escalation • Enables RDP • POS malware functions • Local password stealer • Scrounging Outlook PST files • Target iFobs banking application • Backdoor commands (downloads and executes additional malware)
  • 10. Cobalt’s Strike Beacon • Covert channel • Metepreter • Downloading Eicar test file
  • 11. AdobeUpdateManagementTool (VBScript) • Downloads & executes files, VBScripts or PowerShell files • Collects and communicates • OS Name, Version, Service Pack, Install Directory • Physical Memory Available/Total, Available Virtual Memory • System Name, Model, Manufacturer • Locale ,Time Zone • BIOS Version, Processor System Type • Computer/user name & Domain
  • 12. Motivation • Bots collection • Financial • Control of victim organizations • Multiple groups involved (assumption)
  • 13. Conclusions • Victims • Weak detection security controls • Missing or poor readiness for security incidents • AV detection low to zero scores • Reluctant to cooperate with authorities • Features of the operation indicating to organized crime activities • Targeted social engineering • Several malicious software used • Attacking methods such as pass-the-hash • Purchase of certificates • Multiple hosts used in Europe mainly • Usage of public cloud services, Google Docs and Pastebin • Investigation of malicious software and activities give the impression that distinct parties involved • Underground cooperation or trading