SlideShare a Scribd company logo

Beating the Blockchain by Mapping Out Decentralized Namecoin and Emercoin Infrastructure

Priyanka Aash
Priyanka Aash

The Namecoin and Emercoin blockchains were designed to provide decentralized and takedown-resistant domain names to users with the reported goal of promoting free speech. By leveraging unofficial Top-Level Domains (TLDs) such as .bit and alternate DNS resolution methods such as the OpenNIC project, users can register and configure their own domains on these blockchains at a relatively cheap price. In recent years, cybercriminals have adopted and abused this infrastructure and implemented it into well-known malware such as Dimnie, Smoke Loader, and Necurs as well as larger, more targeted workflows. The resiliency of blockchain techology prevents researchers and ISPs from taking down or sinkholing these domains. In addition, limited public knowledge of this threat in a larger context and the constraint of alternative DNS resolution mitigates an analyst's ability to map out related domains and IP addresses when malicious activity is identified. On the other hand, blockchain-based infrastructure comes with a serious drawback: data added to or removed from these blockchains becomes a permanent record of a threat actor's activity. This talk is intended to leverage this attribute to tackle these issues, providing high and medium-confidence methodologies for mapping out these blockchains through TTP analysis, script-based transaction mapping, and index-based infrastructure correlation. In doing so, analysts will be able to generate additional intelligence surrounding a threat and proactively identify likely malicious domains as they are registered or become active on the blockchain.

Technology
1 of 38
Download to read offline
Beating the Blockchain Mapping Out Decentralized Namecoin and Emercoin Infrastructure Kevin Perlow
3 About Me • Reverse Engineering, Threat Intelligence • Spoke at SANS DFIR in 2016 and 2017 – https://www.youtube.com/watch?v=DdkLY99HgAA (Yara/VT) – https://www.youtube.com/watch?v=1iwsouV8ouQ (Bitcoin Transactions) • If you’re from the future and just need the IOCs: – https://github.com/kevinperlow/BlackHat2018_Blockchain
4 Objectives and Goals  Understand “Decentralized” Infrastructure  Namecoin (and Emercoin) Blockchains  Transactions, Blocks, TTPs  Track “Decentralized” Domains  Scripting  Splunk
5 Decentralized Domain Name Systems  Namecoin/Emercoin each sit on a “blockchain”  Distributed database  Each block holds hash of previous block  DNS Query via OpenNIC (typically)
6 Transactions Address 1 Transaction Address 2 Transaction • Name_New • Name_FirstUpdate • Name_Update Address 3 Owner Owner Fee • You can also use Namecoins as a normal cryptocurrency • Domain names and IP addresses significantly reduce anonymity
7 Example (Slavaukraine) http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/
8 Slavaukraine Transaction
9 Comparing Infrastructure
10
11 Identified Domains: • d/slavaukraine • d/healthshop • d/klyatiemoskali • d/contentdeliverynet • d/foreveral0ne • d/clientdata • d/forevery0ung • d/beautyforum • d/freedomfornadya • d/microurl • d/windata • d/osdata • d/ktoneskachettotmoskal • d/clusterdata Mapping Relationships
12 Using Splunk (or any other indexing/searching mechanism…)
13 Fields • Block # • Time • Hash • Operation Type • Domain • Data • IP vs Non-IP • Blockchain
14 Analytics and Pivoting  Domains With Many IPs  Close “Block Proximity”  High “Block Count”  Odd/Rare Nameserver Delegation ***Key Technique: Splunk Subsearch
15 Red Boxes • Smoke Loader • d/Makron (22) • d/Makronwin (20) • d/quitsmokings (17) • Dimnie: • d/sectools (15) • ????? • d/vpnvirt (15)
16 Identified a malware sample communicating with this domain as well as a similarly named domain… Now what?
17 Shared Blocks • 292242 • 298988 • 299344 • 306131 • 317342 Shared IPs • 185.61.149.70 • 185.128.42.237 • 91.215.153.31 • 213.252.247.94 • 185.25.51.25 • 213.252.246.115 • 185.25.51.221 “Close” IPs • 103.208.86.* • 185.99.132.* • 169.239.129.* Do we know anything about these IPs?
18 Next Steps • IPs Appear in ESET’s “Read The Manual” Report • 185.61.149.70 • 185.128.42.237 • 91.215.153.31 We will take a brief look at the malware shortly; in the meantime, can we “fill in the blanks” on domain relationships?
19 index=* [search index=* [search index=* (103.208.86.122 OR 103.208.86.158 OR 103.208.86.254 OR 169.239.129.100 OR 169.239.129.25 OR 173.242.124.228 OR 185.128.42.237 OR 185.2.82.209 OR 185.203.118.168 OR 185.25.51.221 OR 185.25.51.25 OR 185.61.149.70 OR 185.99.132.10 OR 185.99.132.51 OR 213.252.246.115 OR 213.252.247.94 OR 91.215.153.31) | table Domain | dedup Domain] type=iptype | table DataInput| regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1." ] type=iptype| table block Domain DataInput • Blue- Domains mapped to the IPs we discovered • Red- IPs for each of those domains • Green- Domains for each of those IPs
20 Relationships • d/vpnomnet and d/vpnkeep • Share IPs with each other • Share block updates with each other • Share IPs with d/vpnrooter and d/vpnvirt • Updated in “close block proximity” More Importantly • d/vpnomnet and d/vpnkeep • Are listed in ESET’s “Read the Manual” IOC table
21 Examining the Malware Why do we care? 1. Disclosed in 2017, reported to be narrowly scoped 2. Used same blockchain infrastructure through 2018 3. Targets accounting and remote banking software 4. Activity is still happening • Late July: Sent to head of finance for government organization in a Russian administrative district as part of a larger campaign as well as three companies associated with energy supply and transfer.
22 Examining the Malware How do we know we are looking at the same malware? Key Facts from ESET Report: • Targets specific list of accounting software, bank URLs • Specific DLL Export • Unique strings, configuration data • Botnet-prefix, cc.url.1, dbo-detector-off… • Functionality • Window titles, class names
23 Decrypted Strings
24 Window/Class Check E-Plat refers to a B&N Bank (БИНБАНК) platform for account and salary management. “MDM” marker if E-Plat is found. This refers to MDM (МДМ) bank. B&N acquired/merged with MDM between 2015 and 2016.
25 DNS Requests- Method 1 Sends a DNS request for the .bit domain to a hardcoded OpenNIC server. Pretty standard.
26 DNS Requests- Method 2 The brute force approach…
27 Expanding the List of IOCs We have four domains now: 1. What are the IPs for the additional domains? 2. What new domains share those IPs 3. What are the IPs for those domains? 4. Keep repeating process. Alternatively: 1. We can do this using other known domains from the ESET report. We will take the alternate route to demonstrate identifying false positive connections.
28 index=* [search index=* type=iptype [search index=* [search index=* cash-money-analitica type=iptype| table DataInput | regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."] | table Domain ] | regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."| table DataInput ] | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."| table block Domain DataInput • Blue: IPs of Base Domain(s) • Red: Domains for those IPs • Green: IPs for the red domains • Black: Domains for the Green IPs Expanding the List of IOCs (Query)
29 • xoonday, volstat, lookstat, sysmonitor, leomoon, firststat, fooming • feb96eb2aa59 (previously disclosed domain) connected • Are these really connected?
30 • Only one IP overlap between ESET RTM domains and the newly identified domains • Newly identified domains created nearly a year later Splunk Transforms
31 Strengthening Assessment Reverse Engineering • Map out infrastructure • Compare samples using unreported domains Xoonday subset: • “CHESSYLITE” from FireEye article • Shares code with SOCKS5 module in Trickbot, socks5systemz, SmokeLoader (huge rabbit hole) • Will brute force/connect to various APIs (Twitter, Uber, Amazon) • “heyfg645fdhwi” – RC4 key from “BackDoor.TeamViewer.49” report
32 Xoonday References • http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html • https://www.hybrid- analysis.com/sample/68c746df7df35b3379a4d679fc210abdb2032b3c076ec51a463 abe1e0e18345f?environmentId=100 • https://www.reverse.it/sample/eecfb451b2cf0f4043c8d27be443f69164eae22e05e ed098d7bc1f7c90c692c9?environmentId=100 • https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber- crime-blockchain-infrastructure-use.html • https://vms.drweb.com/virus/?i=8161714&lng=en
33 Emercoin
34 Emercoin Blockchain • Similar concept • Supports .emc, .coin, .lib, .bazar • Significantly less active • Not that exciting • **Most well-known domain: Jstash[.]bazar
35 Jstash[.]bazar • 185.61.137.166 • 185.61.137.177 • 185.62.190.164 • 190.115.27.130 Pivoting • cvv[.]bazar • cvv2[.]bazar • dumps[.]bazar • j-stash[.]bazar • joker-stash[.]bazar • jokerstash[.]bazar • stash[.]bazar • track2[.]bazar
36 Odd Nameservers, Other Tidbits • crdpro[.]emc, ns1.dnscontrolfff[.]to • nomoreransom[.]coin, ns1.sinkhole.it • Gandcrab C2 (nomoreransom[.]bit is also Gandcrab infrastructure) • PCAP data: dns1[.]soprodns[.]ru • You can pivot off of this nameserver on both blockchains • Failed attempt to sinkhole? Source: https://isc.sans.edu/forums/diary/GandCrab+Ransomware+Now+Coming+From+Malspam/23321/ • Brownsloboz - .bit, .emc, .bazar, .lib • You can actually pivot across both blockchains to find data here.
37 Nameserver Delegation • Gandcrab, Shifu, etc. • Record looks something like: • {"ns":["dns1.soprodns[.]ru","dns2.soprodns[.]ru"]} • {"ns":["a.dnspod.com", "b.dnspod.com", "c.dnspod.com"]} • Simple solution: Map out infrastructure, script a twice-daily nslookup
38 Concluding Thoughts You now know how to: 1. Identify potentially malicious decentralized domains. 2. Use two different methods to map out infrastructure on decentralized blockchains. 3. Search for IOCs across two blockchains. You’ve also learned: 1. About a group using malware that targets accounting and banking software users. 2. That this group is continuing to do this nearly a year after public disclosure. IOCs from some of the clusters I’ve mapped out (including RTM) will be available in the white paper and on my Github page (https://github.com/kevinperlow/BlackHat2018_Blockchain)

Recommended

What happens when I press enter?
What happens when I press enter?What happens when I press enter?
What happens when I press enter?
tobiassjosten
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf Conference
 
Bitcoin Addresses
Bitcoin AddressesBitcoin Addresses
Bitcoin Addresses
ashmoran
 
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas FittlMonitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Citus Data
 
Solr sparse faceting
Solr sparse facetingSolr sparse faceting
Solr sparse faceting
Toke Eskildsen
 
Test-Driven Design Insights@DevoxxBE 2023.pptx
Test-Driven Design Insights@DevoxxBE 2023.pptxTest-Driven Design Insights@DevoxxBE 2023.pptx
Test-Driven Design Insights@DevoxxBE 2023.pptx
Victor Rentea
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
Large-Scale Malicious Domain Detection with Spark AI
Large-Scale Malicious Domain Detection with Spark AILarge-Scale Malicious Domain Detection with Spark AI
Large-Scale Malicious Domain Detection with Spark AI
Databricks
 

Recommended

What happens when I press enter?
What happens when I press enter?What happens when I press enter?
What happens when I press enter?
tobiassjosten
 
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf 2011: Что такое Sphinx, зачем он вообще нужен и как его использовать с...
ZFConf Conference
 
Bitcoin Addresses
Bitcoin AddressesBitcoin Addresses
Bitcoin Addresses
ashmoran
 
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas FittlMonitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Monitoring Postgres at Scale | PGConf.ASIA 2018 | Lukas Fittl
Citus Data
 
Solr sparse faceting
Solr sparse facetingSolr sparse faceting
Solr sparse faceting
Toke Eskildsen
 
Test-Driven Design Insights@DevoxxBE 2023.pptx
Test-Driven Design Insights@DevoxxBE 2023.pptxTest-Driven Design Insights@DevoxxBE 2023.pptx
Test-Driven Design Insights@DevoxxBE 2023.pptx
Victor Rentea
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
Large-Scale Malicious Domain Detection with Spark AI
Large-Scale Malicious Domain Detection with Spark AILarge-Scale Malicious Domain Detection with Spark AI
Large-Scale Malicious Domain Detection with Spark AI
Databricks
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
Felipe Prado
 
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryBreach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Uptycs
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
Felipe Prado
 
Mini-Training: Redis
Mini-Training: RedisMini-Training: Redis
Mini-Training: Redis
Betclic Everest Group Tech Team
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
Kyle Davis
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
Priyanka Aash
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
bartzon
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
Leo Loobeek
 
Consul administration at scale
Consul administration at scaleConsul administration at scale
Consul administration at scale
Pierre Souchay
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
tieleman
 
Bitcoin developer guide
Bitcoin developer guideBitcoin developer guide
Bitcoin developer guide
承翰 蔡
 
25 things i’ve learned about c#
25 things i’ve learned about c#25 things i’ve learned about c#
25 things i’ve learned about c#
phildenoncourt
 
Webinar: Index Tuning and Evaluation
Webinar: Index Tuning and EvaluationWebinar: Index Tuning and Evaluation
Webinar: Index Tuning and Evaluation
MongoDB
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
Wim Godden
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Rails israel 2013
Rails israel 2013Rails israel 2013
Rails israel 2013
Reuven Lerner
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 

More Related Content

Similar to Beating the Blockchain by Mapping Out Decentralized Namecoin and Emercoin Infrastructure

Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
bartzon
 
25 things i’ve learned about c#
25 things i’ve learned about c#25 things i’ve learned about c#
25 things i’ve learned about c#
phildenoncourt
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 

Similar to Beating the Blockchain by Mapping Out Decentralized Namecoin and Emercoin Infrastructure (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with OsqueryBreach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
Breach > ATT&CK > Osquery: Cross-platform Endpoint Monitoring with Osquery
 
DEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot webDEFCON 23 - Jason Haddix - how do i shot web
DEFCON 23 - Jason Haddix - how do i shot web
 
Mini-Training: Redis
Mini-Training: RedisMini-Training: Redis
Mini-Training: Redis
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
Probabilistic Data Structures (Edmonton Data Science Meetup, March 2018)
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Beyond the mcse red teaming active directory
Beyond the mcse red teaming active directoryBeyond the mcse red teaming active directory
Beyond the mcse red teaming active directory
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
Consul administration at scale
Consul administration at scaleConsul administration at scale
Consul administration at scale
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
 
Bitcoin developer guide
Bitcoin developer guideBitcoin developer guide
Bitcoin developer guide
 
25 things i’ve learned about c#
25 things i’ve learned about c#25 things i’ve learned about c#
25 things i’ve learned about c#
 
Webinar: Index Tuning and Evaluation
Webinar: Index Tuning and EvaluationWebinar: Index Tuning and Evaluation
Webinar: Index Tuning and Evaluation
 
Beyond php - it's not (just) about the code
Beyond php - it's not (just) about the codeBeyond php - it's not (just) about the code
Beyond php - it's not (just) about the code
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Rails israel 2013
Rails israel 2013Rails israel 2013
Rails israel 2013
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Beating the Blockchain by Mapping Out Decentralized Namecoin and Emercoin Infrastructure

  • 1.
  • 2. Beating the Blockchain Mapping Out Decentralized Namecoin and Emercoin Infrastructure Kevin Perlow
  • 3. 3 About Me • Reverse Engineering, Threat Intelligence • Spoke at SANS DFIR in 2016 and 2017 – https://www.youtube.com/watch?v=DdkLY99HgAA (Yara/VT) – https://www.youtube.com/watch?v=1iwsouV8ouQ (Bitcoin Transactions) • If you’re from the future and just need the IOCs: – https://github.com/kevinperlow/BlackHat2018_Blockchain
  • 4. 4 Objectives and Goals  Understand “Decentralized” Infrastructure  Namecoin (and Emercoin) Blockchains  Transactions, Blocks, TTPs  Track “Decentralized” Domains  Scripting  Splunk
  • 5. 5 Decentralized Domain Name Systems  Namecoin/Emercoin each sit on a “blockchain”  Distributed database  Each block holds hash of previous block  DNS Query via OpenNIC (typically)
  • 6. 6 Transactions Address 1 Transaction Address 2 Transaction • Name_New • Name_FirstUpdate • Name_Update Address 3 Owner Owner Fee • You can also use Namecoins as a normal cryptocurrency • Domain names and IP addresses significantly reduce anonymity
  • 10. 10
  • 11. 11 Identified Domains: • d/slavaukraine • d/healthshop • d/klyatiemoskali • d/contentdeliverynet • d/foreveral0ne • d/clientdata • d/forevery0ung • d/beautyforum • d/freedomfornadya • d/microurl • d/windata • d/osdata • d/ktoneskachettotmoskal • d/clusterdata Mapping Relationships
  • 12. 12 Using Splunk (or any other indexing/searching mechanism…)
  • 13. 13 Fields • Block # • Time • Hash • Operation Type • Domain • Data • IP vs Non-IP • Blockchain
  • 14. 14 Analytics and Pivoting  Domains With Many IPs  Close “Block Proximity”  High “Block Count”  Odd/Rare Nameserver Delegation ***Key Technique: Splunk Subsearch
  • 15. 15 Red Boxes • Smoke Loader • d/Makron (22) • d/Makronwin (20) • d/quitsmokings (17) • Dimnie: • d/sectools (15) • ????? • d/vpnvirt (15)
  • 16. 16 Identified a malware sample communicating with this domain as well as a similarly named domain… Now what?
  • 17. 17 Shared Blocks • 292242 • 298988 • 299344 • 306131 • 317342 Shared IPs • 185.61.149.70 • 185.128.42.237 • 91.215.153.31 • 213.252.247.94 • 185.25.51.25 • 213.252.246.115 • 185.25.51.221 “Close” IPs • 103.208.86.* • 185.99.132.* • 169.239.129.* Do we know anything about these IPs?
  • 18. 18 Next Steps • IPs Appear in ESET’s “Read The Manual” Report • 185.61.149.70 • 185.128.42.237 • 91.215.153.31 We will take a brief look at the malware shortly; in the meantime, can we “fill in the blanks” on domain relationships?
  • 19. 19 index=* [search index=* [search index=* (103.208.86.122 OR 103.208.86.158 OR 103.208.86.254 OR 169.239.129.100 OR 169.239.129.25 OR 173.242.124.228 OR 185.128.42.237 OR 185.2.82.209 OR 185.203.118.168 OR 185.25.51.221 OR 185.25.51.25 OR 185.61.149.70 OR 185.99.132.10 OR 185.99.132.51 OR 213.252.246.115 OR 213.252.247.94 OR 91.215.153.31) | table Domain | dedup Domain] type=iptype | table DataInput| regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1." ] type=iptype| table block Domain DataInput • Blue- Domains mapped to the IPs we discovered • Red- IPs for each of those domains • Green- Domains for each of those IPs
  • 20. 20 Relationships • d/vpnomnet and d/vpnkeep • Share IPs with each other • Share block updates with each other • Share IPs with d/vpnrooter and d/vpnvirt • Updated in “close block proximity” More Importantly • d/vpnomnet and d/vpnkeep • Are listed in ESET’s “Read the Manual” IOC table
  • 21. 21 Examining the Malware Why do we care? 1. Disclosed in 2017, reported to be narrowly scoped 2. Used same blockchain infrastructure through 2018 3. Targets accounting and remote banking software 4. Activity is still happening • Late July: Sent to head of finance for government organization in a Russian administrative district as part of a larger campaign as well as three companies associated with energy supply and transfer.
  • 22. 22 Examining the Malware How do we know we are looking at the same malware? Key Facts from ESET Report: • Targets specific list of accounting software, bank URLs • Specific DLL Export • Unique strings, configuration data • Botnet-prefix, cc.url.1, dbo-detector-off… • Functionality • Window titles, class names
  • 24. 24 Window/Class Check E-Plat refers to a B&N Bank (БИНБАНК) platform for account and salary management. “MDM” marker if E-Plat is found. This refers to MDM (МДМ) bank. B&N acquired/merged with MDM between 2015 and 2016.
  • 25. 25 DNS Requests- Method 1 Sends a DNS request for the .bit domain to a hardcoded OpenNIC server. Pretty standard.
  • 26. 26 DNS Requests- Method 2 The brute force approach…
  • 27. 27 Expanding the List of IOCs We have four domains now: 1. What are the IPs for the additional domains? 2. What new domains share those IPs 3. What are the IPs for those domains? 4. Keep repeating process. Alternatively: 1. We can do this using other known domains from the ESET report. We will take the alternate route to demonstrate identifying false positive connections.
  • 28. 28 index=* [search index=* type=iptype [search index=* [search index=* cash-money-analitica type=iptype| table DataInput | regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."] | table Domain ] | regex DataInput!="^0." | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."| table DataInput ] | regex DataInput!="^10." |regex DataInput!="^192.168." | regex DataInput!="^127." | regex DataInput!="^1."| table block Domain DataInput • Blue: IPs of Base Domain(s) • Red: Domains for those IPs • Green: IPs for the red domains • Black: Domains for the Green IPs Expanding the List of IOCs (Query)
  • 29. 29 • xoonday, volstat, lookstat, sysmonitor, leomoon, firststat, fooming • feb96eb2aa59 (previously disclosed domain) connected • Are these really connected?
  • 30. 30 • Only one IP overlap between ESET RTM domains and the newly identified domains • Newly identified domains created nearly a year later Splunk Transforms
  • 31. 31 Strengthening Assessment Reverse Engineering • Map out infrastructure • Compare samples using unreported domains Xoonday subset: • “CHESSYLITE” from FireEye article • Shares code with SOCKS5 module in Trickbot, socks5systemz, SmokeLoader (huge rabbit hole) • Will brute force/connect to various APIs (Twitter, Uber, Amazon) • “heyfg645fdhwi” – RC4 key from “BackDoor.TeamViewer.49” report
  • 32. 32 Xoonday References • http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html • https://www.hybrid- analysis.com/sample/68c746df7df35b3379a4d679fc210abdb2032b3c076ec51a463 abe1e0e18345f?environmentId=100 • https://www.reverse.it/sample/eecfb451b2cf0f4043c8d27be443f69164eae22e05e ed098d7bc1f7c90c692c9?environmentId=100 • https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber- crime-blockchain-infrastructure-use.html • https://vms.drweb.com/virus/?i=8161714&lng=en
  • 34. 34 Emercoin Blockchain • Similar concept • Supports .emc, .coin, .lib, .bazar • Significantly less active • Not that exciting • **Most well-known domain: Jstash[.]bazar
  • 35. 35 Jstash[.]bazar • 185.61.137.166 • 185.61.137.177 • 185.62.190.164 • 190.115.27.130 Pivoting • cvv[.]bazar • cvv2[.]bazar • dumps[.]bazar • j-stash[.]bazar • joker-stash[.]bazar • jokerstash[.]bazar • stash[.]bazar • track2[.]bazar
  • 36. 36 Odd Nameservers, Other Tidbits • crdpro[.]emc, ns1.dnscontrolfff[.]to • nomoreransom[.]coin, ns1.sinkhole.it • Gandcrab C2 (nomoreransom[.]bit is also Gandcrab infrastructure) • PCAP data: dns1[.]soprodns[.]ru • You can pivot off of this nameserver on both blockchains • Failed attempt to sinkhole? Source: https://isc.sans.edu/forums/diary/GandCrab+Ransomware+Now+Coming+From+Malspam/23321/ • Brownsloboz - .bit, .emc, .bazar, .lib • You can actually pivot across both blockchains to find data here.
  • 37. 37 Nameserver Delegation • Gandcrab, Shifu, etc. • Record looks something like: • {"ns":["dns1.soprodns[.]ru","dns2.soprodns[.]ru"]} • {"ns":["a.dnspod.com", "b.dnspod.com", "c.dnspod.com"]} • Simple solution: Map out infrastructure, script a twice-daily nslookup
  • 38. 38 Concluding Thoughts You now know how to: 1. Identify potentially malicious decentralized domains. 2. Use two different methods to map out infrastructure on decentralized blockchains. 3. Search for IOCs across two blockchains. You’ve also learned: 1. About a group using malware that targets accounting and banking software users. 2. That this group is continuing to do this nearly a year after public disclosure. IOCs from some of the clusters I’ve mapped out (including RTM) will be available in the white paper and on my Github page (https://github.com/kevinperlow/BlackHat2018_Blockchain)