
New Ways of Emerging Actors PDF

96 Pages·2015·5.87 MB·English

Preview New Ways of Emerging Actors

SESSION ID: TTA-R03
New Ways of Emerging Actors: India, South Africa, Nigeria, and Indonesia

Wayne Huang, VP Engineering, Proofpoint, Inc. ([email protected], @waynehuang)
Sun Huang, Senior Threat Researcher, Proofpoint, Inc. ([email protected])
[email protected]

Agenda
- TTP summary
- Crimeware adoption
- Monetization
- Current C2 vulnerabilities
- Actor attribution methodology
- Those targeted and compromised
- Nigerian gang's strategy change
- Conclusion

TTP summary

Actors overview
- Tracked nine actors, unique 1200+ nodes (C2 panels) during the past year
- Actors located in Nigeria (most), India, South Africa, and Indonesia
- One actor changed TTP significantly in March 2015
- One of the Zeus panels includes a backdoor (undisclosed)

Overview of the nine actors
- Group #: 9
- Victim #: 12,953
- Stolen credentials: pop3: 7,671; ftp: 1,137; http: 1,538
- Malware used: Zeus / IceIX / Citadel / Betabot / Solarbot / Syndicate Keylogger / ISR Stealer
- Servers owned: 1,200+
- Technique: Spear phishing -- attachment; Phishing

Tactics, Techniques and Procedures (TTP) Summary: Objectives
- Compromise endpoints
- Collect data and intelligence
  - Credentials (POP3, FTP, HTTPS forms), client-side certs, screenshots
- #1: Obtain online banking accounts
- #2: Sell off data & intelligence
- Motivation
  - Purely financial
  - Not state-backed

Tactics, Techniques and Procedures (TTP) Summary: Target individuals
- Attack vector into endpoints
  - Mostly via email messages
  - URLs pointing to exploit kits, zips (containing exes), or jars
  - Attached exploits (Office, PDF) or malware executables

Tactics, Techniques and Procedures (TTP) Summary: Endpoint ownership, data extraction & exfiltration
- Are NOT capable of developing own trojans
- Use whatever off-the-shelf trojans they can get hold of
- Most used trojan features:
  - Web inject – steals specific banking accounts
  - Wallet stealer – steals virtual currencies
- Also phish for credentials – seen daily

Tactics, Techniques and Procedures (TTP) Summary: Command and control (C2) servers
- Do NOT rent or maintain own servers
- C2s entirely run on compromised shared hosting servers
- ARE capable of, and dedicated to, compromising servers
- Do NOT buy cPanel credentials
- Rely entirely on servers they compromised themselves
- Install C2 scripts mostly via cPanel

Tactics, Techniques and Procedures (TTP) Summary: Vector into shared hosting accounts
- Stage 1: acquire remote access to ONE shared hosting account
  - Mass-scale scanning + manual intrusion
- Stage 2: acquire multiple cPanel credentials on this shared hosting server
  - Via acquiring (DB) credentials from config files
  - Via cPanel vulnerabilities and privilege escalation
  - Via brute forcing MySQL credentials using usernames from /etc/passwd
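The last slide's Stage 2 vector has a distinctive footprint on the hosting server: failed MySQL logins whose usernames are local system accounts taken from /etc/passwd rather than the site's real database users. The following detector is an added example, not code from the deck or from Proofpoint; it assumes a MySQL 5.7-style error log with "Access denied" notes and uses a constructed /etc/passwd excerpt and constructed log lines, then flags any source host that fails logins against several distinct local account names inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /etc/passwd excerpt from a hypothetical shared-hosting box;
# the first field of each line is a local account name.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
acmeshop:x:1001:1001::/home/acmeshop:/bin/bash
bloguser:x:1002:1002::/home/bloguser:/bin/bash
"""

# Constructed MySQL error-log excerpt (MySQL 5.7-style "Access denied" notes).
# 203.0.113.7 cycles through local account names in under two minutes;
# 198.51.100.2 fails twice with the shop's real DB user (a typo, not a scan).
MYSQL_LOG_SAMPLE = """\
2015-03-10T10:00:01.000000Z 11 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2015-03-10T10:00:03.000000Z 12 [Note] Access denied for user 'daemon'@'203.0.113.7' (using password: YES)
2015-03-10T10:00:09.000000Z 13 [Note] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)
2015-03-10T10:00:40.000000Z 14 [Note] Access denied for user 'acmeshop'@'203.0.113.7' (using password: YES)
2015-03-10T10:01:15.000000Z 15 [Note] Access denied for user 'bloguser'@'203.0.113.7' (using password: YES)
2015-03-10T10:05:00.000000Z 16 [Note] Access denied for user 'acmeshop_db'@'198.51.100.2' (using password: YES)
2015-03-10T10:05:04.000000Z 17 [Note] Access denied for user 'acmeshop_db'@'198.51.100.2' (using password: YES)
"""

# Matches the timestamp, the failed username and the client host of a denial line.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \d+ \[\w+\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def local_accounts(passwd_text):
    """Return the set of account names from /etc/passwd-formatted text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}


def parse_denials(log_text):
    """Yield (timestamp, user, host) for every 'Access denied' line in the log."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m.group("user"), m.group("host")


def detect_passwd_driven_bruteforce(log_text, passwd_text, min_accounts=3,
                                    window=timedelta(minutes=5)):
    """Flag client hosts whose failed MySQL logins cover at least `min_accounts`
    distinct *local system* account names within `window`.
    Returns {host: sorted list of local account names tried}."""
    accounts = local_accounts(passwd_text)
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(log_text):
        if user in accounts:  # only count names that actually exist in /etc/passwd
            by_host[host].append((ts, user))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct local accounts tried in the window that opens at this event.
            seen = {u for t, u in events[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, users in detect_passwd_driven_bruteforce(MYSQL_LOG_SAMPLE, PASSWD_SAMPLE).items():
        print(f"{host}: failed logins against local account names {users}")
```

Run against the embedded samples it reports only 203.0.113.7; the repeated failures from 198.51.100.2 use a database user that is not a local account, so they are left to ordinary failed-login thresholds. On a real cPanel host the same logic can be fed the live error log and the actual /etc/passwd, and a hit is a strong cue to check that host's web application config files for exposed database credentials as well.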

Description:
[Chart residue from the preview: a breakdown by country code with legend IN, DE, ZA, PL, ID, BD, HK, SE, US; recovered values PL 7%, ID 7%, BD 4%, HK 4%, SE 4%, US 4%]