No Honor Among Thieves

Amit Serper was doing a routine inspection on a client's network, when he came across a suspicious-looking pen-testing tool, exhibiting RAT-like behavior. We'll follow Amit's investigation, and in the process learn the basics of cyber research.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Amit Serper

VP, Security Strategy and Principal researcher, Nocturnus group at Cybereason

Security researcher. Served for 9 years in the Israeli Army and Government, received two commendations and several certificates of excellence, Now working in an awesome startup - loves solving problems with good and talented people and innovating in the security research field.

No Honor Among Theives

[Ran] Hi, Amit!

[Amit Serper] Hi, Ran!

[Ran] Hey. Thank you for joining us. So, please introduce yourself.

[Amit Serper]: My name is Amit Serper. I am the VP of Security Strategy and Principal Security Researcher at Cybereason.

There’s a good chance you’re familiar with Amit Serper’s name. He is a frequent guest on our show, but he is also famous in his own right: in 2017, after the infamous Russian malware “NotPetya” wreaked havoc in Ukraine, Amit found a bug which disabled it entirely. Before joining Cybereason, Amit served as a senior Security Researcher at the Office of the Prime Minister of Israel, where he took part in many top-secret offensive cyber operations which he’s going to tell us all about today. (Just kidding.)

“[Amit] I always say there are two things, there are only two things that I know how to do. One is security, the other is music. One of them is – one of them pays better than the other and I am grateful to be doing something for a living which I enjoy.”

Hi and welcome to Malicious Life, in collaboration with Cybereason.

Usually in ML, we bring you ‘big’ stories about hacks to multinational organizations or major malware outbreaks. Today, however, we have a relatively small story: a minor hack of an unnamed organisation which caused no particular damage, as far as we can tell. You’re probably wondering – why bother? Maybe Ran and Nate have run out of interesting ideas for new episodes. You know they’re really starting to phone it in these days, what with all those big bags of podcast money they’ve got rolling in. Do they even care anymore?

Don’t worry listeners, we haven’t run out of ideas, and this free podcast isn’t quite enough to buy that gold pool I’ve always wanted.

So, why the small story? Well, the real purpose of today’s episode is to talk about the process of cybersecurity research: a deep dive into how cybersecurity research happens, at the ground level. The good and the bad, the tools and the tasks involved in doing it. That is why we have Amit, a veteran researcher, with us today.

Today’s story begins without much fanfare, as many cybersecurity projects do. A client was conducting penetration testing on their IT infrastructure and Amit decided to check up on it. Pretty routine stuff.

“[Amit]  we have a lot of customers that we are monitoring their environments for them. And one of those environments that we were monitoring, we knew that they had some sort of penetration testing engagement and this happens a lot for many reasons whether it’s regulation, like a routine penetration test or it’s something that was ordered especially to defense systems, et cetera.

So we knew this customer had a penetration testing engagement. Whenever there is a penetration testing engagement, it’s a good chance for us to see if we’re catching all of the new techniques. So I went over some detection data from that environment just as a routine check and the things that I saw, they’re kind of were not making sense. It did not appear to be like penetration testing engagements because of the – just the sheer weirdness of everything.

[Ran] What do you mean by weirdness, for example?

[Amit]  There was a tool that was supposed to check for some web-related vulnerabilities and SQL injections in a SQL database, but the tool that was running on one of the machines in the organization seemed to be connecting to some weird domains, and exhibiting a behaviour of a RAT, a Remote Access Trojan – even though the tool itself was not a Remote Access Trojan.”

What raised Amit’s suspicion was the fact that oftentimes, a malware will try to connect to an external domain, outside of the network it is in, to get instructions from command and control servers operated by the attacker.

“[Amit] I was actually sitting in my office that was back when we were… Remember when we were allowed to get out?

[Ran] Yeah, there was a period of time. I remember the Blue skies. The kids don’t believe me anymore.

[Amit] Yeah, yeah, remember… Remember taking your wallet? Remember forgetting your keys? So, I was sitting in my office and I was like – and I was going over all of the raw data that came out of our system. After this incident, I was like wow, this is interesting. I wonder what this domain is. I wonder if there is any other malware associated with this domain. So I sort of had this thread that I really – I wasn’t obligated on pulling this thread because the customer, you know they were fine with what we gave them but I had this kind of hunch that, well, it’s a hacked hacking tool. I wonder if there is any more of them.”

Amit had found the software conducting the penetration tests for his client. But it certainly didn’t appear to be acting like an ordinary security tool. It was communicating with domains that didn’t appear to be owned by either the company itself, or the vendor they’d hired to do the pen testing for them.

“[Amit] So at that phase, I wasn’t really sure what was going on. I just saw a bunch of weird connections and behavior. And I started pulling on this thread by doing what’s called passive DNS research or queries.”

Passive DNS

DNS – or Domain Name System – is a key part of the Internet. It’s job is to translate the human-readable domain names we use to access websites – such as ‘malicious.life’, for example – into numeric IP addresses, such as ‘104.26.4.163’, which is malicious.life’s address. This translating is why some people call DNS ‘the phonebook of the Internet’.

By design, DNS records – the entries that specify which domain name is mapped to what IP address – are ephemeral. Once a DNS record is modified – the old record is lost forever. This makes it hard for security researchers to track the history of a particular domain name.

Passive DNS was invented in 2004 to address that difficulty: It’s basically a huge database that keeps a detailed history of DNS records. Using Passive DNS I can tell, for example, that the malicious.life domain was once upon a time associated with an IP address belonging to GoDaddy.com, and then at a later date changed to an address associated with Cloudflare.

Why track the history of domain names in the first place? Well, say you have the IP address of a server which is known to host malicious software. Using Passive DNS, we can find all the domain names that were associated with that malicious server in the past – and so track down the history and evolution of malicious campaigns.

The malware that Amit uncovered in his client’s network was communicating with two different domains. The first was apparently a legitimate and innocent-looking website, belonging to an office supply manufacturer in India. It appeared to be a hacked WordPress site that was being used as a command & control server – a fairly common occurrence, and not so useful for a researcher trying to hunt down an attacker.

The second domain, however, was much more interesting. It’s name was capeturk.com, and querying the Passive DNS database revealed an important clue: the history of the domains connecting to the pen test tool suggested that they did not belong to a security company at all.

“[Amit] I started looking at the history of that domain and I started looking at what it was and it appeared to be that up to a certain date, this website was actually a website in Turkish, in the Turkish language that the website was about the Minecraft computer game. So, it was a Turkish-speaking website about Minecraft. And then the domain expired and about a day after it was expired, it was registered by a Vietnamese individual.”

This Vietnamese individual, it seems, created several new subdomains.

“[Amit] with the first domain, with Capeturk, what’s interesting is that it had a bunch of sub-domains. So it had sub-domains like bank.capeturk.com, blog.capeturk.com, checkout.capeturk.com, and so on and so forth, And every one of these sub-domains was also serving malware. […] So what I did is I took all of those domains, and I started resolving their IPs and I started looking at the history of those IP addresses and domains and see what they were associated with. What I ended up having was these three domains and I started cross-correlating them in VirusTotal.”

VirusTotal & YARA

VirusTotal is another important tool in a researcher’s toolbox.

“[Amit] VirusTotal is a company that was acquired by Google a few years ago and they are basically… think of them as this storage unit full of files. These files could be malware. They could be legitimate files. They’re not infected with anything what’s called goodware. It’s just a giant database of files. And these files are scanned by over 30 something antivirus engines. So when you upload, when you go to virustotal.com and you upload a file there, it’s immediately scanned by a 30 something different antivirus products and you can see the result of each one of those scans by these antiviruses.

[Ran] What’s the point of that scan?

[Amit] So let’s say for the average Joe, let’s say that someone emailed you a file and you don’t know if this file is safe to run or not and you don’t necessarily trust your antivirus or you don’t have an antivirus. So you’d go to virustotal.com and you would upload that file there. And within a matter of seconds you’d be able to know if this file is malicious or not according to the verdict of 30 something if not more by now antivirus engines.

[Ran] And what about you as a researcher, what do you use VirusTotal for?

[Amit] Exactly. So if you are a researcher and you pay VirusTotal a substantial amount of money, you get access to pretty much every single file that was ever uploaded to VirusTotal. And you also gain access to a bunch of their tools. They’re always improving that allows you to run massive and very intricate queries across all of the files that’s in their databases and these really unimaginable amounts of data.”

Virus Total, for cybersecurity researchers, is like the background check tool police use when they pull you over on the road and ask for your driver’s license. The problem is that VirusTotal has, as Amit put it – unimaginable amounts of data: roughly 2.4 Billion files, according to VirusTotal itself. Finding a specific malware sample in this enormous haystack is not an easy task, to say the least.

“[Amit] This is where yet another important tool in the researcher’s arsenal comes into play: YARA. YARA is a language that is used to describe and classify malware. Each YARA entry holds the unique information that is used to identify a malware sample, such as strings or binary patterns.

So YARA is the sort of like – think of it like almost a language in which you can craft queries about data that’s inside of files. So you could craft a query to VirusTotal and which can say, give me all – show me all of the files that are for example, Windows executables that have these particular strings in them or files that have this row of bits in them. And you can basically create elaborate queries.”

By the way, If you’re trying to figure out what the acronym YARA stands for – don’t strain yourself too much. According to Victor Alvarez, its creator, YARA stands for Yet Another Ridiculous Acronym, or alternatively – YAYA: Another Recursive Acronym.

Using YARA queries, Amit ran the Cape Turk domains through VirusTotal to see if they had any priors.

“[Amit] I saw three connections to three different domains and I started looking at those domains in all of our threat intelligence resources and then I saw that one of those domains had like over a thousand malicious file hashes associated within a VirusTotal.”

Over 1,000 malicious hashes. That’s a lot of viruses. Almost too much. One hacker with over 1,000 viruses would be prolific, ridiculous–you’d be looking at the Stephen King of hackers. Obviously, there had to be some sort of automation involved.

“[Amit] The thing that was impressive in – to me, at least, in this campaign was just the sheer amount of the samples uploaded. Every day, there were like more and more samples, like sometimes dozens of samples uploaded everyday, fresh samples of the same tools as if there was like some sort of an automated process that was just generating them and uploading them to various websites.”

The question is, then – Who could have possibly created so many malicious programs, and what would have even been the point?

“[Amit] So the way that a lot of the antivirus or security products work is that they are using all sorts of hashing tricks to create a unique identifier of a file. So you basically – what it means is you take all of the data that’s inside the file and you basically run some sort of a mathematical equation on the collection of bits inside the file and depending on which equation you use, which algorithm you use, you end up with what’s called the hash, which is the series. It’s basically a string, the series of numbers and letters and they – and that series of numbers and letters are a unique identifier to that file.

If you will change even one single bit in that file and you’ll run the hashing algorithm on the file again, you will get a completely different identifier. So this is how we, as security researchers or malware analysts or security vendors, this is how we basically can tell the difference between files. The file names or their file extensions or the file types usually don’t mean a lot to us because what we’re looking for is the uniqueness of the file. This is how we identify it.

So the process of compiling different samples everyday, I assume that they were meant to basically keep security vendors from identifying and blocking these samples because instead of going over a single file that will always have the same hash, the same hash value, they would generate dozens of these files everyday. And by the time that these files will be blacklisted in all sorts of antivirus engines, it will already be the next day and there will be like dozens of new files.”

So the Cape Turk hacker was automatically generating slightly altered versions of the same malware, so that each one would look like different programs to an antivirus program. It’s one big game of cat and mouse.

“[Amit] So what I did is I took all of those 100 and something files they originally found and I compared between them and I looked at only – I look only at the things that they have in common. So I discarded all of the differences and I was left with a bunch of bits that they were all sharing. And then I built a YARA query that iterated over the data that’s in VirusTotal and gave all of the files that had those similarities.

[…] I started downloading a few of those samples and I looked at them and I executed them in a controlled environment and I actually saw that they were exhibiting the same behavior that this penetration testing tool was exhibiting. It basically looked like a remote access Trojan that’s called njRat.”

njRat

njRat isn’t a particularly unique trojan. It spreads by phishing attachments or infected flash drives, sets up a web shell on the host computer and receives instructions from a remote hacker. Pretty straightforward.

“[Amit] njRat has been around for a few years now. It’s a RAT that was being used mostly in the Middle East. A lot of its operators were Arab-speaking – from Arab-speaking countries. That’s where it originated from, at least, as what we think. But now, a lot of hackers out there are using this fairly prevalent RAT.:

nJRat, by itself, wasn’t a very interesting malware. What was interesting were the files that the malware was hiding in.

“[Amit] so what we did was basically from one file hash and one domain that we’ve had, we were able to extrapolate more domains from it over 1,000 samples and all of them were hacking tools, not all of them but most of them were hacking tools that were laced with nJRat.”

Hacking tools – like the ones used by the company who was hired to do the penetration testing for Amit’s client.

No Honor Among Theives

“[Amit] I spent a few hours in trying to track where were these files downloaded. And I ended up finding a blog that’s called, “Share Tools 99”.

And I went into that blog and this blog had like a whole bunch of hacking tools and all sorts of tools just like this SQLi Injector Dumper thing. And all of them, every single tool that I downloaded from there and it doesn’t matter which tool it was, whether it was a database hacking tool or a… whatever it was, it was all infected with the same variant of njRat, connecting the same server. So pretty much every single file that this Share Tools 99 blog was sharing was infected with the same variant of njRat, it was connecting to the same servers.”

Now we can finally understand what this whole campaign is about.

[Ran] Hmm. Why would somebody have an interest in lacing penetration tools with RAT, with malware? What’s the game here?

[Amit] So it’s pretty great. Think of it. I mean if you were someone that doesn’t really understand how the dynamics of hacking work and your what’s called the script kiddie and all you want to do is get some tools and hack some places, then you go on Google and you just… you know you start Google-ing, “Where can I download this?” “How do I get a njRat builder?” or “How do I get these tools?” You would often get to websites that offer you some sort of a tutorial or they will offer you access to a large collection of these tools.

it’s basically like hey, here’s a bunch of free tools for you to use to hack to other places. And then whoever put these tools online, gets immediate access to wherever those script kiddies if you will wherever they are hacking.”

In summary, experienced hackers are putting hacking tools online for script kiddies to use. These tools are useful for people who aren’t good enough to create their own malware – but, as they say, nothing in life is free. In downloading these tools the script kiddies are also unwittingly infecting their own computers. This is hackers hacking hackers. No honor among thieves.

“[Amit] So it’s sort of like a waiting game. You’re putting the tools out there and you’re waiting for them to phone back home and then you have access to wherever these hackers have access to.

[Ran] Smart. So you’re saying that it is a common practice of lacing these kinds of tools with malware?

[Amit] It’s not a new thing. This technique is probably as old as the internet itself.”

Reversing The Noobs

Now that we finally understand the hacker’s motives – the only thing left for Amit is to try to uncover the hacker’s real identity. As is often the case in cyber research, this is the hardest part of the investigation.

“[Amit] So when I was running a lot of these hacked hacking tools in a controlled environment, I saw that a lot of them say hacked by RTN. And then I started looking for information about who is RTN because RTN is a fairly common three-letter acronym for lots of companies and a bunch of things. But I ended up getting into a web forum that was called RTN, “Reversing the Noobs” which was a hacking forum , a forum that deals with hacking and hacking tools.

I tried to sign up to this forum because I wanted to see what’s in there because you can’t get access unless you have a user there. But whenever I tried to sign up I would get an error, so I couldn’t – I think that something was wrong with their forum at the time and I was never able to actually sign up to their forum . So I honestly don’t know if this is someone from this forum who takes all of these tools and laces them with njRat or this is something unrelated.”

So, no luck there. Amit’s final clue were the names and addresses that were used when the capeturk.com domain was re-registered in June 2018. It’s a very very long shot, since these details can be easily faked – but that’s all that he had at this point.

“[Amit]  Yeah. His name… I can pull it up. It’ll take me a second. His name is listed there. Let’s see, which is also strange because usually, these domains are registered with some sort of privacy protection so you won’t see the name, but the name is Nguyen Cong. It’s a Vietnamese name. There’s even an address here, 12 Hai Ba Trung in the City of Thanh Xuan. I don’t know even if I’m… Oh, it’s in Hanoi. Yeah. So it’s in a district called Thanh Xuan in Hanoi in Vietnam.”

This was the point in the interview where I, a seasoned internet user myself, had a brilliant idea – if I may say so myself.

“[Ran] Did you try looking in Google Maps to see that address?

[Amit] Hmm. Actually, I did not. But let’s do it right now.

[Ran] It could be interesting.

[Amit] Let’s see. There’s no street view there. I mean the address exists. Oh, there’s a street view? Hold on. Yeah, it looks like – oh, it actually looks like Allenby Street in Tel Aviv. Amazing. Wow.

[Ran] And I don’t see any computer shop specifically. I see lots of bikes which is pretty common I guess in Southeast Asia but not something that says this is a computer shop of some sort.

[Amit] Oh, there’s a Western Union upstairs you can see.

[Ran] Hmm, interesting. But these kinds of names or details, so usually, I’m guessing made up, right?

[Amit] Well, yeah. But it’s hard to know because again, without really knowing what’s going on there, you can’t really guess because this individual could have genuinely acquired this domain and then someone else hacked this individual. So we don’t have any evidence that like tie this individual directly to this malware tech other than the fact that some of the samples were uploaded to VirusTotal from Vietnam and that this person’s name is on the domain. But other than that, there is nothing more that ties this whole thing to this individual’s name.”

Ok, maybe my idea wasn’t that brilliant after all…

Ultimately, as is usually the case in cyber research, Amit wasn’t able to uncover the hacker’s real identity. The best he can hope for, at this point, is that someday in the future the Cape Turk hacker will make the fatal mistake that will expose his true identity to the world – and when that day comes, Amit’s research will help future researchers connect all the dots. He published his findings about Cape Turk and the infected pen test tool online, last month, in a blog post.

“[Amit] We add the IOCs which stand for Indicators of Compromise though these blogs. So this – the IOCs in this case are the domain name’s IP addresses’ file hashes. So we released a PDF with hundreds of file hashes, hoping that these will propagate across the security community into threat intelligence data sources. And eventually, we would be able to help contain this attack that way. So it propagates to all sorts of threat intelligence exchanges. It propagates to antivirus companies. It propagates to firewall companies, to VirusTotal. In that way, you can help blacklist, not stop it completely but sort of contain it.”

The Pen-Testing Company

So there’s the client, and there’s the attacker – and there’s one last character in this play to whom we didn’t pay too much attention so far: the penetration testing company, the ones who apparently were caught red handed using laced hacking tools they probably downloaded from some blog on the internet. Not very professional, to say the least.

“[Ran] I have a feeling that it might have been a bit embarrassing for these guys. I mean they were – it seems as if they were using tools which were kind of lifted off the internet?

[Amit] Yeah, yeah. I would be… if it was me dealing with a company like that, I would be very… I want to say very upset. Because part of the thing like when you are hiring a company to do some penetration testing or retaining for you, in many cases, a lot of companies are doing it just for deregulation, just to get that check mark. And they often don’t have a lot of – they don’t have quite and deep enough of a scope in those engagements. So they would just tick all the right boxes and carry on. So this is… I would be embarrassed for myself, embarrassed for that penetration company and also furious with them.”

I’m guessing you’re probably dying to know who these guys are – the “security professionals” who were so easily hacked, like the script kiddies they actually are. Well, I asked – but Amit wasn’t willing to reveal their name. He knows, the client knows – and that’s probably enough. You see, there might not be honor among thieves, but there’s still some honor between security professionals.