POC 2018 - whatever talk_ Let's go OSINT using DeepWeb

Not for public distribution • Copyright 2018 Horangi Pte Ltd
03 NOV 2018
Horangi Pte Ltd
Horangi Pte Ltd
https://www.horangi.com
Horangi ~ !!!!!
POC2018
November 8-9, 2018 Seoul, Korea

08 NOV 2018
Horangi Pte Ltd
Horangi R&D
Let’s go OSINT using Deep Web.

3Not for public distribution • Copyright 2018 Horangi Pte Ltd
Tigers
Directing
Seunggi Jeong
Developing & Analyzing
Dasom Kim
Malware analysis
Sangsu Jeong
Contributor
Nikolay Akatyev
Jiyeon Kong

1. Introduction
2. Motivation
3. Our tools
4. Research
5. Conclusion

The deep web, invisible web,
or hidden web are parts of the
World Wide Web whose
contents are not indexed by
standard web search engines
for any reason. [1]
In Deep web, mainly sell
personal information, drug,
gun and products related to
malware.
What is
DeepWeb?
Surface Web
Deep Web
Dark Web

Trip to world beard competition
ends in arrest for alleged dark web
drug dealer [2]
DarkWeb
Case
Investigators tracked the transaction
details of the Bitcoin Wallet account.
He then tracked his account on the
social network and compared the
dealers' text with his text.
According to the evidence presented in
the Florida courts, he found many
similarities between the two users,
including the use of the word "cheers",
frequent quotes, and occasional
French articles.

Motivation
Discovered Malware forum on DeepWeb
Who’s next victims?
Who’s next attackers?
“ So how to collect the critical information? ”

Focus on DeepWeb
Dark Web has useful data,
but the amount of data is less than that of deep web.
Deep Web
Dark Web

Focus on Open Source
Word
- Slang
- Nickname
- Discord Id
- Etc
Sample hashes
Time stamp
- dateparser ( python module )
Bypass anti-bot
- cfscrape ( python module )
Open source to identify user
Peerlyst, DarkWeb research 101 [3]

What is ‘Nulled’ ?
DeepWeb“
”

Why did we choose NULLED?
Famous forum on DeepWeb
It is a web that is usually difficult to discover, and is accessible
from a normal browser.
NULLED
Sinister
raidforum
HOT

NULLED - Malware forum
Product & Information
Dumps ( Database, ID & Password )
Malware ( Ransomware … etc )
Leak ( 0-day, 1-day ... etc )
Cracked software ( MS office … etc )

Payment
Unlimited access to some malware and hidden contents through pay to BTC or ETH.

Malicious Software section
RAT: Remote Access control Tool
20,365 / 120,962 [ 16% ]
Miner: silent cryptocurrency mining tool
3,206 / 120,962 [ 2% ]
Keylogger 5,742 / 120,962 [ 4% ]
Ransomware 1,281 / 120,962 [ 1% ]
Botnet 7,083 / 120,962 [ 5% ]
DDOS Tool 5,549 / 120,962 [ 4% ]
Other 77,736 / 120,962 [ 64% ]
number / 120,962 [ % ] > Based on our monitoring tool
NULLED - Leaks board

VIP Leaks & VIP Dumps
Account: eBay, amazon, Netflix, Steam, Spotify, etc
Key: express vpn, MS office, malwarebytes, etc
Coupon: eBay, amazon, Netflix, etc
NULLED - Premium board

Nulled’s characteristics
● Nulled uses the cloudflare
We need to bypass cloudflare ddos protect solution
● Nulled blocks the Users sending a lot of queries
We set the waiting times
( Tried the other way. But this way is the best way )
● Nulled opens the hidden contents for paid members
We need to buy the membership

Our tools
Web tag tracker
Web tag
tracker

Our tools
Scanner ( real time )
● The notification of changed contents based on web tag
● the malware board on Deep Web
● the specific company information on Surface Web
● the Cryptocurrency wallet address on Dark Web
Analyzer
#Keyword: ID, Sample name, e-mail, etc
● The timeline
● The frequency information
● Comments count information
● The user activity information
● The most popular sample information
● The most active user name
Web tag
tracker

Let’s jump into Demo version
Our tools“
”

Scanner

Analyzer
KIBANA, https://www.elastic.co/products/kibana

How to tracking the specific user?
SCENARIO
”
“

Specific user sharing the malicious
code related Discord.
And we need tracking his identify
information.
Timeline, activities, the most
popular sample, related user, etc.
Let’s start to tracking his identify
information using our tools.

Let’s collect the open source
about ObbedCode

Add a filter
Specific user id

Start 2017.11
First activity at 2017.11

The most popular sample is
Discord token stealer.
Discord Token Stealer is hotter than other sample

The most popular sample is
Discord token stealer.

The count & timeline
of Discord token stealer

Our tools
2018.01 - 2018.10
Discord token
stealer
The amount of data
in the graph
is rapidly increasing.

Most relevant users of
Discord token stealer
1. Felonious13Monk
2. Gayl0rd
3. RedPa456
4. TheBigGayThing

He start activity at 2017.11.
His the most popular sample is Discord token stealer.
Discord token stealer increase count on 2018.01 - 2018.10
1. Felonious13Monk wrote many comment on his post.

Deep analysis about ObbedCode
Research“
”

1. Target
ObbedCode
2. Abstract
It is the user who showed the most number
of activities recently and showed a rapid change
in a short period.
This user mainly produces malware
related to discord and updates it frequently.
In addition, he share samples of cracked malware,
and he is actively releasing his Discord ID.
ObbedCode’s status
Overview
3. Sample List
● SkyWyder RAT
● DynAmite
● Discord token stealer

The samples of open source
Research“
”

Resource
Sample Name MD5
SkyWyder RAT F1083F240EFC99D8C3DEEC8A1A062815
DynAmite FCF4F7FDCE4BC49F307E048B13936D1F
Discord token stealer 427B959EA59621459BA6BA8DA81953C6

Sample list
Sample Name Virus Total Hybrid Analysis Malwares.com
SkyWyder RAT 5 / 54 No result No result
DynAmite 43 / 67 73 / 100 100 / 100
Discord token stealer 2 / 66 No result No result

Focus on “SkyWyder RAT ”
Research“
”

SkyWyder RAT
Open Source
Created
May 10 2016
url
[1] Hack tool stuff, SkyWyder RAT Cracked Full and Final Edition [HackToolStuff]
https://hacktoolstuff.blogspot.com/2016/10/skywyder-rat-cracked-full-and-final.html
[2] Reddit, Slithx-Team
https://www.reddit.com/user/Slithx-Team/

SkyWyder RAT
Overview - PE
Version:
● Visual Basic 6.0[Native]
Section:
● .text, .sedata, .idata, .rsrc
More
● BotKill, AVKiller, AntiVM,
Keylogger, Miner etc

SkyWyder RAT
What is your intention?

SkyWyder RAT
Not working
Trial or Error

SkyWyder RAT
Codejock.ocx
COMDLG32.ocx
MSCOMCTL.ocx
resourcehacker

SkyWyder RAT

SkyWyder RAT
available
FTP,SMTP

SkyWyder RAT

Focus on “DynAmite ”
Research“
”

DynAmite
Open Source
Created
DEC 09 2010
url
[1] aaa

DynAmite
Overview - PE
Version:
● .Net (MPRESS)
Section:
● .text, .rsrc, .reloc
More
● Unprotect
● Entropy 91%
● LOC 6086

DynAmite
Before After

DynAmite
Let’s do deep analysis about this
● Abstracted Files
● The issue of http://darkerdyna.blogspot.com
● MS Office Macro
● CryptoLocker

DynAmite
Abstract file

DynAmite
Issue URL

DynAmite Ms office macro

DynAmite
Detracted file
● .bat
● .zip
● .crt
● .xml
● .exe

DynAmite

DynAmite
SSL

Focus on “Discord token stealer ”
Research“
”

Open Source
Created
APR 07 2018
url
[1] aaa

Overview - PE
Version:
● .NET
Section:
● .text, .rsrc, .reloc
More
● Send to Email
● Infected case

Possible to send Email

Who is ObbedCode?
Research“
”

Result
ObbedCode
Alone? Group?

Result
Quick analysis of the forum is possible.
It is possible to check quickly user's sharing data that a specific.
In addition to data for specific users, overall monitoring is also
possible.
For example, monitoring for specific malware, monitoring for
malware uploaded on a specific date, monitoring for
Cryptocurrency wallet addresses that are open on the dark web,
and so on.

What is next step?
Our future plan“
”

Conclusion
Horangi OSINT Service
1. Support for Investigate specific target on Deep Web
• Keep collect the critical information from DeepWeb & SurfaceWeb
• Threat intelligence for find the next victims & the find next attackers
2. Expand the function of our tools
• More add the visualizing module
• Upgrade the bypass module for Deep Web

Reference
[1] wikipedia, Deep Web https://en.wikipedia.org/wiki/Deep_web
[2] the guardian, Trip to world beard competition ends in arrest for alleged dark web drug dealer
https://www.theguardian.com/us-news/2017/sep/28/world-beard-moustache-competition-dru
g-dealer
[3] Peerlyst, DarkWeb research 101 - Dasom Kim
https://www.peerlyst.com/posts/darkweb-research-101-release-dasom-kim?trk=user_notificati
on#comment-okw5QwAfWcD4yhneL
[4] intsight, THE DARK SIDE OF ASIA: AN INSIDE LOOK INTO ASIA'S GROWING UNDERGROUND WORLD
https://www.intsights.com/dark-side-of-asia-research-report
[5] Recorded future, Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums
https://www.blackhat.com/docs/eu-16/materials/eu-16-Ahlberg-Chasing-Foxes-By-The-Numbe
rs-Patterns-Of-Life-And-Activity-In-Hacker-Forums.pdf

POC 2018 - whatever talk_ Let's go OSINT using DeepWeb

Recommended

Recommended

More Related Content

Similar to POC 2018 - whatever talk_ Let's go OSINT using DeepWeb

Similar to POC 2018 - whatever talk_ Let's go OSINT using DeepWeb (20)

Recently uploaded

Recently uploaded (20)

POC 2018 - whatever talk_ Let's go OSINT using DeepWeb