DOCSLIB.ORG

Analysis of SSL/TLS Handshakes in Malware Encrypted Traffic

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of SSL/TLS Handshakes in Malware Encrypted Traffic Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 Masaryk University Faculty of Informatics Analysis of SSL/TLS handshakes in malware encrypted traffic Bachelor’s Thesis Daniela Belajová Brno, Fall 2018 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniela Belajová Advisor: Mgr. Stanislav Špaček i Acknowledgements I would like to thank my advisor Mgr. Stanislav Špaček for all his guidance, patience, valuable advice and feedback through the whole process of writing this thesis. I would also like to thank my family for their support and encouragement. ii Abstract One of the current trends in cybersecurity is abusing encrypted net- work traffic to mask a malware activity and complicate its detection. Although encryption ensures the confidentiality of transmitted data, at the same time it prevents the use of some detection methods. In this bachelor’s thesis, I focus on the SSL/TLS protocol, which is one of the most widespread encryption protocols providing secure com- munication in nowadays networks. The main aim of this work is to analyze the SSL/TLS traffic gener- ated by malware in recent malware campaigns misusing encryption to hide their activity, concentrating on protocol metadata from the initial handshake of the connection and based on the results of comparison with benign encrypted traffic, find possible distinctive characteristics that would allow malware to be identified in benign encrypted traffic. iii Keywords SSL/TLS protocol, SSL/TLS handshake, encrypted traffic, analysis, malware, botnet, C&C server, pcap, detection iv Contents 1 Introduction 1 2 Encrypted network traffic 2 2.1 The present situation in encrypted network traffic ......2 2.2 Encryption protocols .....................3 2.3 SSL/TLS protocol .......................4 2.3.1 Versions . .4 2.3.2 Protocol features . .5 2.3.3 Protocol architecture . .5 2.3.4 The process of handshake . .6 2.3.5 The process of abbreviated handshake . .9 2.3.6 X.509 certificates . 10 2.3.7 Extensions . 11 3 Overview of recent malware campaigns 12 3.1 Recent malware campaigns .................. 12 3.1.1 Trickbot . 13 3.1.2 Gozi . 14 3.1.3 ZeusPanda . 15 3.1.4 IcedID . 16 3.1.5 Gootkit . 17 3.1.6 Dridex . 18 4 Malware handshakes analysis 20 4.1 Dataset ............................ 20 4.2 Wireshark ........................... 21 4.3 Results of the analysis ..................... 21 4.3.1 Trickbot . 23 4.3.2 Gozi . 24 4.3.3 ZeusPanda . 25 4.3.4 IcedID . 26 4.3.5 Gootkit . 27 4.3.6 Dridex . 28 4.4 Summary and comparison .................. 29 5 Malware and benign traffic comparison 30 v 5.1 Benign malware dataset .................... 30 5.2 Discussion about comparison results ............. 31 5.2.1 Extensions . 31 5.2.2 Cipher suites . 32 5.2.3 Certificates . 33 5.2.4 Versions . 34 5.3 Summary ........................... 35 6 Conclusion 36 6.1 Future work .......................... 37 Bibliography 38 A The summary of malware campaigns 43 B Results of SSL/TLS handshakes analysis 44 C Pcap files with analyzed samples 46 vi List of Tables 4.1 An overview of Trickbot malware samples 23 4.2 Trickbot C&C servers certificates 24 4.3 An overview of Gozi malware sample 24 4.4 Gozi C&C servers certificates 25 4.5 An overview of ZeusPanda malware samples 25 4.6 ZeusPanda C&C servers certificates 26 4.7 An overview of IcedID malware samples 26 4.8 IcedID C&C servers certificates 27 4.9 An overview of Gootkit malware samples 27 4.10 Gootkit C&C servers certificates 28 4.11 An overview of Dridex malware samples 28 4.12 Dridex C&C servers certificates 29 5.1 The occurrence of extensions in ClientHello/ServerHello messages in the benign traffic sample 31 A.1 The summary of recent malware campaigns 43 B.1 Mapping extensions to the hex code used in Table B.2 44 B.2 Malware SSL/TLS handshakes analysis results 45 vii List of Figures 2.1 TLS protocol structure - based on Source: [9] 5 2.2 The TLS full handshake - based on Source: [8] 7 2.3 The TLS abbreviated handshake - based on Source: [8] 9 4.1 Lists of malware-supported cipher suites 22 viii 1 Introduction Over the last few years, as the need to protect users’ privacy in the online world has grown, the encryption of data transmitted across networks has become nearly a standard situation. However, the adap- tation of this technology has been followed by efforts to exploit its wide usage as a security threat and malware (malicious software) dis- tribution tool. Considering the encrypted traffic poses a challenge for detecting anomalies and applying the conventional traffic monitoring methods, it is essential to develop new effective privacy-conscious ones. In this thesis, I focus on Secure Sockets Layer/Transport Layer Se- curity (SSL/TLS) encryption protocol which secures data transmission for most of the known application protocols in today’s networks. The aim of this work is to investigate the possibility of differen- tiating encrypted traffic generated by malware in recent malware campaigns from benign encrypted traffic based on SSL/TLS hand- shake parameters which are exchanged in unencrypted form while establishing a connection between the communicating parties. The thesis is divided into six chapters. Chapter 1 and Chapter 2 introduce the current issue of encrypted network traffic. Chapter 2 also constitutes the behavior process of SSL/TLS protocol and thus creates the theoretical basis for the analysis. Chapter 3 overviews the selected recent campaigns of malware families which benefit from encrypted traffic to hide their activities. The practical part of this work begins with Chapter 4, which out- lines the analysis results of collected pcap files with encrypted traffic generated by malware families described in Chapter 3. Chapter 5 dis- cusses the comparison of obtained data from malware analysis and the acquired benign traffic sample. Samples of regular and malware traffic are the output of the thesis together with the results oftheir analysis. Chapter 6 provides the summary of achieved outcomes and suggests a possible direction for further research. 1 2 Encrypted network traffic This chapter in Section 2.1 and Section 2.2 provides an explanation of the current trend in encrypted network traffic and a basic survey ofthe encryption protocols occurring in today’s networks. The essential part of the chapter consists of a description of SSL/TLS encryption protocol in Section 2.3, where I focus on SSL/TLS subprotocols responsible for the initial handshake and parameters exchanged and established during this process. 2.1 The present situation in encrypted network traffic Nowadays, encryption is one of the most effective and most commonly used techniques to secure stored or transmitted sensitive information. Encryption provides data confidentiality by converting any type of data to an encoded form which is readable only to an entity with an appropriate secret, a decryption key. Currently, we can label any information as sensitive whose collection and analysis can lead to tracking, profiling or other crimes against the network services user. It includes passwords, banking credentials, and email or another type of electronic communication theft. That is why in today’s Internet world, the number of websites using encryption protocols, especially the SSL/TLS protocol, to ensure the protection of their activities, is significantly rising. On the other hand, the properties of encrypted traffic have be- come very popular in the last years among cybercriminals who have started misusing them to hide malware activity and to prevent mal- ware detection based on pattern matching. Companies that have been in the network security market for many years, like SonicWall, have seen a growing number of attacks hidden by the SSL/TLS protocol [1]. Zscaler announces that it has blocked an average of 800,000 SSL transactions a day in the half-year period at the turn of 2017 and 2018 that hide some form of attack [2]. So the main question is: How to differentiate between legitimate and malicious encrypted traffic? One of the possible ways can be decryption of the communication’s packets followed by packet’s content analysis and their re-encryption. However, this method is too expensive and ineffective. Therefore, 2 2. Encrypted network traffic scientists are developing methods that do not require this approach and preserve user privacy. The majority of encryption protocols comprise of two main phases. Encrypted data transmission is preceded by an unencrypted hand- shake, the initial setting of parameters for further communication and possible authentication of the communicating parties [3]. Because packets are sent as a plaintext during the handshake, they are simply accessible and therefore they can be analyzed. 2.2 Encryption protocols The main function of encryption protocols is the use of cryptographic principles and methods to ensure secure data transfer between com- municating parties. In today’s networks, this feature is implemented on multiple layers. On the network layer of the ISO/OSI model operates IPSec proto- col suites. IPSec was designed as an improvement of security over the internet because the IPv4 protocol does not offer sufficient security features. It is currently an optional component of IPv4 protocol and the part of IPv6 protocol. The significant feature of IPSec is that it provides security of all traffic at IP level and does not require modifi- cation of each application.
Load more

Recommended publications
  • Mid-Year Report Cyber Attack Trends 2017
    MID-YEAR REPORT CYBER ATTACK TRENDS 2017 TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Major Cyber Breaches ................................................................................ 5 Americas ................................................................................................. 5 Europe, the Middle East and Africa (EMEA)............................................ 6 Asia-Pacific (APAC) ................................................................................. 6 Global Malware Statistics ........................................................................... 7 Top Malware Families ............................................................................. 7 Top Ransomware ..................................................................................... 9 Top Banking Malware .............................................................................. 10 Top Mobile Malware ................................................................................ 11 Cyber Attack Categories by Region ............................................................ 12 Global Threat Index Map ............................................................................. 13 Additional Observations .............................................................................. 14 Recommendations .....................................................................................
    [Show full text]
  • (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used In
    UNCLASSIFIED//FOR OFFICIAL USE ONLY 26 January 2017 (U//FOUO) Cyber Actors Alter Tactics, Techniques & Procedures Used in Persistent Dridex Malware Campaigns, Continue Affecting New England Critical Infrastructure (U//FOUO) Prepared by the DHS Office of Intelligence and Analysis (I&A) in collaboration with the Connecticut Intelligence Center and Massachusetts Commonwealth Fusion Center. (U//FOUO) Scope: This Field Analysis Report (FAR) is intended to provide an assessment of the evolution of tactics, techniques, and procedures (TTPs) used by cyber actors engaged in Dridex malware phishing campaigns impacting critical infrastructure in the New England region. This FAR provides insight into how Dridex indicators have recently evolved to help public and private sector computer network defenders strengthen their cybersecurity posture. (U) Key Judgments • (U//FOUO) Despite a significant disruption to a major malware distribution network in 2016, cyber actors continued to spread Dridex to New England critical infrastructure systems. • (U//FOUO) Cyber actors continually alter Dridex malware code to evade detection by signature-based antivirus software. • (U//FOUO) Cyber actors use the command-line program Certutil and Personal Information Exchange (.PFX) files to deliver Dridex malware, allowing it to pose as a legitimate security certificate. (U//FOUO) Overview of Dridex Malware Activity in New England (U//FOUO) Dridex is distributed via phishing e-mails targeting specific business departments, predominantly accounting, budget, and finance
    [Show full text]
  • Fortinet Threat Landscape Report Q3 2017
    THREAT LANDSCAPE REPORT Q3 2017 TABLE OF CONTENTS TABLE OF CONTENTS Introduction . 4 Highlights and Key Findings . 5 Sources and Measures . .6 Infrastructure Trends . 8 Threat Landscape Trends . 11 Exploit Trends . 12 Malware Trends . 17 Botnet Trends . 20 Exploratory Analysis . 23 Conclusion and Recommendations . 25 3 INTRODUCTION INTRODUCTION Q3 2017 BY THE NUMBERS: Exploits nn5,973 unique exploit detections nn153 exploits per firm on average nn79% of firms saw severe attacks nn35% reported Apache.Struts exploits Malware nn14,904 unique variants The third quarter of the year should be filled with family vacations and the back-to-school hubbub. Q3 2017 felt like that for a nn2,646 different families couple of months, but then the security industry went into a nn25% reported mobile malware hubbub of a very different sort. Credit bureau Equifax reported nn22% detected ransomware a massive data breach that exposed the personal information of Botnets approximately 145 million consumers. nn245 unique botnets detected That number in itself isn’t unprecedented, but the public nn518 daily botnet comms per firm and congressional outcry that followed may well be. In a congressional hearing on the matter, one U.S. senator called nn1.9 active botnets per firm the incident “staggering,” adding “this whole industry should be nn3% of firms saw ≥10 botnets completely transformed.” The impetus, likelihood, and extent of such a transformation is yet unclear, but what is clear is that Equifax fell victim to the same basic problems we point out Far from attempting to blame and shame Equifax (or anyone quarter after quarter in this report.
    [Show full text]
  • Cyren Globalviewtm Threat Trends Q3 2016
    JANUARY 2017 CYBERTHREAT Report Botnets The Clone Armies of Cybercrime TABLE OF CONTENTS Botnets Rising ......................................................................................................................................2 Botnets 101: How A Botnet Works .........................................................................................................3 Botnet Anatomy .....................................................................................................................................4 The Growing Threat: Internet of Things Botnets ....................................................................................5 ET Phone Home: Legitimate Botnets .....................................................................................................5 Build, Buy, or Lease? The 15-Minute Botnet ..........................................................................................6 All-Purpose Networks: What Botnets Do ..............................................................................................9 The Evolution of Botnets: A Timeline ...................................................................................................11 Interview with a Botnet Hunter ............................................................................................................12 24 Hours in the Life of a Necurs Bot ....................................................................................................16 Hiding in the Shadows: How Botnets Obscure Communications ..........................................................19
    [Show full text]
  • Threat Landscape Report Q2 2019
    QUARTERLY THREAT LANDSCAPE REPORT Q2 2019 nuspire.com Table of Contents About Nuspire.............................................................................. 3 Methodology and Overview............................................................4 Datasets at a Glance.....................................................................5 Highlights from the Headlines.......................................................6 Trending Malware.........................................................................7 Trending Botnets.......................................................................... 12 Trending Exploits..........................................................................16 Conclusions and Recommendations..............................................20 www.nuspire.com 2 About Nuspire Nuspire is the Managed Security Services (MSS) provider of choice, delivering the greatest risk reduction per cyber-dollar spent. The company’s 24x7 Security Operations Centers (SOCs) and managed detection and response (MDR) service combines award-winning threat detection and response technology with human intervention and analysis, providing end-to-end protection across the gateway, network and endpoint ecosystem. Nuspire pioneered distributed, managed security services within the enterprise and franchise market and today protects thousands of locations globally. CONTACT US TODAY TO DISCUSS YOUR UNIQUE SECURITY CHALLENGES. www.nuspire.com 3 METHODOLOGY AND OVERVIEW Data referenced throughout this report is gathered from thousands
    [Show full text]
  • THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED a PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA
    THE RANSOMWARE REVOLUTION: HOW EMERGING ENCRYPTION TECHNOLOGIES CREATED A PRODIGIOUS CYBER THREAT Matthew S. Ryan BA, MA, MPICT, MCSSD This thesis is submitted in partial fulfilment for the degree of Doctor of Cyber Security School of Engineering and Information Technology, The University of New South Wales at the Australian Defence Force Academy 20 December 2019 Surname : Ryan Given Name : Matthew Abbreviation for degree : DCybSec - Doctor of Cyber Security (Research) Faculty : UNSW Canberra School : Engineering and Information Technology (SEIT) The ransomware revolution: how emerging encryption technologies created a Thesis Title : prodigious cyber threat Abstract The increasing public availability of encryption technologies, and the parallel emergence of cryptocurrencies, have elevated ransomware to become the most prodigious cyber threat that enterprises now confront. The advent of cryptocurrencies provided the catalyst for increased profitability from ransomware, sparking a phenomenal rise in the number and complexity of ransomware attacks. This thesis is among the first academic works to analyse what has been dubbed the ‘ransomware revolution’ after a series of major attacks beginning in 2013. This threat is compounded by a disconnect between academia, the professional services industry, and vendors. This research brings together two strands of analysis. First, it documents the emergence of encryption-centric technologies that have created an environment conducive to undertaking this type of cyber-attack. The ease of public access to advanced encryption techniques has allowed malicious actors to operate with increased anonymity across the internet. This has enabled increased collaboration between attackers, which has aided the development of new ransomware attacks, and led to an increasing level of technical complexity in ransomware attacks.
    [Show full text]
  • Threat Landscape Report Q4 2016 Table of Contents
    THREAT LANDSCAPE REPORT Q4 2016 TABLE OF CONTENTS TABLE OF CONTENTS Foreword . 3 Q4 2016 Highlights and Key Findings . 4 Sources and Measures . .5 Infrastructure Trends . 7 Global Threat Landscape . 10 Exploits . 11 Mini Focus: IoT . 13 Malware . 14 Mini Focus: Mobile Malware . 16 Botnets . 17 Mini Focus: Ransomware . 19 Regional Threat Landscapes . 20 Industry Threat Landscapes . 23 Exploratory Analysis: Holiday Threat Trends . 26 Conclusion and Recommendations . 28 2 FOREWORD FOREWORD Everything worth doing involves some degree of risk, and this is especially true when it comes to commerce. From ancient expeditions into uncharted territories to modern forays into digital connections and clicks, fame and fortune go to those who understand the risks and manage them well. But at the edge of the unknown, understanding tends to be a scarce commodity and is often replaced with fear, uncertainty, and doubt—a trio so intertwined they’re better known simply as “FUD.” This tendency is illustrated beautifully in the “monster maps” of This report seeks to draw an accurate representation of the cyber old, such as the famous Carta Marina shown here. Real dangers threat landscape in Q4 2016 leveraging the vast information experienced at land and sea were often represented as fantastical resources and expertise of FortiGuard Labs. We seek to share beasts as a warning to fellow travelers. It offers an excellent our perspective on the threats that exist, how often they occur, example of how FUD can lead to a mythical view of legitimate what differs across sectors and regions, and what’s changing over threats. Before chalking this tendency up to primitive ignorance, time.
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • 2017 Global Cyber Attack Trends Report TABLE of CONTENTS | 2
    2017 Global Cyber Attack Trends Report TABLE OF CONTENTS | 2 TABLE OF CONTENTS Introduction ................................................................................................. 3 Global Trends .............................................................................................. 4 Global Malware Statistics ........................................................................... 8 Top Malware Families ............................................................................. 8 Top Ransomware ..................................................................................... 10 Top Banking Malware .............................................................................. 11 Top Mobile Malware ................................................................................ 12 Top Crypto Mining Malware..................................................................... 13 Cyber Attack Categories by Region ............................................................ 14 Global Threat Index Map ............................................................................. 14 Global Top Exploited Vulnerabilities ........................................................... 15 Yearly Data Breaches Timeline ............................................................... 16 Top Predictions for 2018 ............................................................................. 17 Additional Observations/Conclusions ........................................................ 19 Appendix 1 – Major Cyber Breaches .........................................................
    [Show full text]
  • The Malware-As-A-Service Emotet
    TLP:WHITE THE MALWARE-AS-A-SERVICE EMOTET 1.1 12/02/2021 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet Table of contents 1 Emotet origins ................................................... 3 2 Evolution of Emotet’s activity .......................................... 4 2.1 From a banking trojan to a loader of malwares on behalf of other attackers .............. 4 2.2 Emotet associated chain of infection .................................... 5 2.2.1 Possible vectors of infection ..................................... 5 2.2.2 Proceeding an attack after receiving a phishing email ...................... 6 3 Links with other groups of attackers ...................................... 7 3.1 Customers ................................................... 7 3.2 Links between Emotet and Dridex, Gozi ISFB and QakBot operators .................. 9 4 Conclusion ...................................................... 10 5 Means of detection and monitoring ....................................... 10 6 Appendix : TA542’s customer base over the period 2017-2018 ........................ 11 7 Bibliography .................................................... 12 12/02/2021 Page 2 of 15 TLP:WHITE TLP:WHITE The malware-as-a-service Emotet 1 Emotet origins Emotet (aka Heodo) first appeared in March 2017 and is the fourth iteration of the Geodo malware. The origin of Geodo can be traced back to the Business Club, a cybercriminal group whose activity began around 2008, in collaboration with M. Bogatchev, creator of ZeuS malware [1]. This group successively operated Jab- berZeuS and GameOverZeuS (GoZ). [2, 3]. In parallel to the activities of the Business Club, one of its members, M. Yakubets, and an operator of its bullet- proof hoster1, A. Ghinkul, appear to have operated, or even developed, Bugat malware (aka Cridex, Feodo), which appeared in 2010. One month after the FBI takedown of GoZ’s infrastructure in May 2014, Dridex and Geodo banking trojans emerged.
    [Show full text]
  • Crimeware in the Modern Era: a Cost We Cannot Ignore Brandon Levene, Chronicle
    1 Crimeware in the Modern Era: A Cost We Cannot Ignore Brandon Levene, Chronicle Executive Summary Chronicle researchers conducted an investigation into the evolution of crimeware from 2013 through 2018. Researchers have concluded that crimeware, traditionally considered a “commodity threat,” has evolved into a highly lucrative business as criminals are constantly improving their techniques and law enforcement activity grows increasingly ineffectual. Attackers and defenders are entrenched in a longstanding game of cat and mouse, resulting in a rapid expansion of the crimeware threat landscape, and growing sophistication of attacks and malware infrastructure. This research examines the rise of financially motivated malware and the impact of attempted countermeasures. The report details the emergence and growth of banking trojans, ransomware, infostealers and cryptomining malware, the impact of a wide variety of crimeware including: GameOver Zeus, Cryptolocker, Dridex, Dyre, Trickbot, Ramnit, and attacks including the targeted attacks on the SWIFT messaging network, the Mirai botnet, the WannaCry ransomware outbreak, and others. Key findings from the investigations include: ● Crimeware risk is underestimated -- Misconceptions around the severity of risk from ​ financially motivated threat actors has hobbled enterprise defense efforts. Rates of losses due to crimeware are climbing, and countermeasures are decreasing in efficacy. Crimeware as a financial risk quantifiably outranks more sophisticated threats such as APTs. The ability of crimeware to disrupt businesses is tremendous and if efforts are not increased, there will be attacks greater in impact, scale and cost. ● Crimeware growth is enduring - Instances of crimeware have grown steadily, year over year. ​ The prevalence and frequency of crimeware has desensitized security teams and crimeware fatigue is a threat to organizations.
    [Show full text]
  • The Malware Dridex: Origins and Uses Sommaire
    TLP:WHITE THE MALWARE DRIDEX: ORIGINS AND USES 17/07/2020 TLP:WHITE TLP:WHITE The malware Dridex: origins and uses Sommaire 1 The malware Dridex ................................................ 3 1.1 Changes in functionality since 2014 ..................................... 3 1.1.1 Functionality ............................................. 3 1.1.2 Modularity ............................................... 3 1.1.3 Development ............................................. 4 1.2 Botnet use ................................................... 4 1.3 Affiliate model ................................................. 5 2 Dridex’ developers: Evil Corp ........................................... 7 2.1 The group’s origins: ZeuS, JabberZeuS and GameOverZeuS ....................... 7 2.2 Evil Corp .................................................... 7 2.2.1 2014: from JabberZeuS to Evil Corp ................................. 7 2.2.2 Evil Corp’s development since 2017 ................................. 9 3 Distribution of Dridex by the main affiliates ................................. 11 3.1 Phishing emails ................................................ 11 3.1.1 The botnet CraP2P (alias Necurs) .................................. 11 3.1.2 The botnet Cutwail .......................................... 11 3.1.3 The botnet Andromeda ........................................ 12 3.2 As a second payload .............................................. 12 3.3 Watering hole ................................................. 13 3.4 Exploit kits ..................................................
    [Show full text]