Security Unlocked

Share

Re: Tracking Attacker Email Infrastructure

Ep. 19

If you use email, there is a good chance you’re familiar with email scams. Who hasn’t gotten a shady chain letter or suspicious offer in their inbox? Cybercriminals have been using email to spread malware for decades and today’s methods are more sophisticated than ever. In order to stop these attacks from ever hitting our inboxes in the first place, threat analysts have to always be one step ahead of these cybercriminals, deploying advanced and ever-evolving tactics to stop them. 

  

On today’s podcast, hosts Nic Fillingham and Natalia Godyla are joined by Elif Kaya, a Threat Analyst at Microsoft. Elif speaks with us about attacker email infrastructure. We learn what it is, how it’s used, and how her team is combating it. She explains how the intelligence her team gathers is helping to predict how a domain is going to be used, even before any malicious email campaigns begin. It’s a fascinating conversation that dives deep into Elif’s research and her unique perspective on combating cybercrime. 


In This Episode, You Will Learn:  

• The meaning of the terms “RandomU” and “StrangeU” 

• The research and techniques used when gathering intelligence on attacker email structure 

• How sophisticated malware campaigns evade machine learning, phish filters, and other automated technology 

• The history behind service infrastructure, the Netcurs takedown, Agent Tesla, Diamond Fox, Dridox, and more 


Some Questions We Ask:

• What is attacker email infrastructure and how is it used by cybercriminals? 

• How does gaining intelligence on email infrastructures help us improve protection against malware campaigns? 

• What is the difference between “attacker-owned infrastructure” and “compromised infrastructure”? 

• Why wasn’t machine learning or unsupervised learning a technique used when gathering intelligence on attacker email campaigns? 

• What should organizations do to protect themselves? What solutions should they have in place? 

  

Resources:

What tracking an attacker email infrastructure tells us about persistent cybercriminal operations: 

https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ 


Elif Kaya:

https://www.linkedin.com/in/elifcyber/ 


Nic’s LinkedIn:  

https://www.linkedin.com/in/nicfill/   


Natalia’s LinkedIn:  

https://www.linkedin.com/in/nataliagodyla/   


Microsoft Security Blog:  

https://www.microsoft.com/security/blog/


Related:

Security Unlocked: CISO Series with Bret Arsenault

https://SecurityUnlockedCISOSeries.com


Transcript

[Full transcript can be found at https://aka.ms/SecurityUnlockedEp19]

Nic Fillingham:

Hello, and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security engineering and operations teams. I'm Nic Fillingham.


Natalia Godyla:

And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research, and data science.


Nic Fillingham:

And profile some of the fascinating people working on artificial intelligence in Microsoft security.


Natalia Godyla:

And now, let's unlock the pod.


Nic Fillingham:

Hello, Natalia. Welcome to episode 19 of Security Unlocked. How are you?


Natalia Godyla:

I'm doing great. I'm excited to highlight another woman in our series for Woman's History month, so this'll be number two. And I'm excited to talk about email infrastructures.


Nic Fillingham:

Yes, I am too. Email, we use it every day. We probably use it more than we, we want. We love it. We can't live without it. What's your first memory of email? What was your first email address?


Natalia Godyla:

I was an AOL-er. First email was glassesgirl2002@AOL.com. I'm super proud of that one.


Nic Fillingham:

What's the reference to 2002?


Natalia Godyla:

I'm pretty sure that's when I got my first pair of glasses (laughs).


Nic Fillingham:

Ah. And you-


Natalia Godyla:

I was very excited. I threw a cupcake party.


Nic Fillingham:

Oh, wow.


Natalia Godyla:

(laughs)


Nic Fillingham:

So I'm, I'm pretty old. It was sort, sort of the mid 90s, and I remember like, hitting websites where it asked for an email address, and I'm like, what is an email address?


Natalia Godyla:

(laughs)


Nic Fillingham:

I probably used the internet the best part of, you know, six months before someone explained it to me. And I worked out how to get a Hotmail address, which is called Hotmail because it was actually based on the, the acronym H-T-M-L, and they just put a couple other letters in there to expand it out to say Hotmail. And I remember being, thinking like I was the bees knees, because I was nicf12@hotmail.com.


Natalia Godyla:

(laughs)


Nic Fillingham:

We should have asked our guest Elif Kaya, who you're about to hear from, about her first email address, but we didn't. Instead, we talked about a blog that she helped co-author, uh, that was published beginning of February called, "What Tracking and Attacker email infrastructure tells us about persistent cyber criminal operations." It's a fascinating conversation, and Elif walks us through all of the research that she did here where we learn about attacker email infrastructure and how it's used and created and managed.


Nic Fillingham:

There's a bunch of acronyms you're going to hear. The first one, DGA, domain generation algorithm. You're going to hear StrangeU and RandomU, which are sort of collections of these automatically created domains. And if you sort of want to learn a bit more about them, it's obviously in the blog post as well.


Natalia Godyla:

Yes, and in addition to that, you'll hear reference to Dridex. So, as the RandomU and StrangeU infrastructure was emerging, it was parallel to the disruption of the Netcurs botnet, and those same malware operators who were running the botnet were also using malware like Dridex. And Dridex is a type of malware that utilizes macros to deliver the malware. And with that, on with the pod.


Nic Fillingham:

On with the pod.


Nic Fillingham:

Elif Kaya, welcome to the Security Unlocked podcast. Thank you for joining us.


Elif Kaya:

It's great to be here. Thanks for having me.


Nic Fillingham:

Now, you were part of the. uh, team that authored a blog post on February 1st, 2021. The blog post is "What tracking and attacker email infrastructure tells us about persistent cyber criminal operations." Loved this blog post. I've had so many questions over the years about how these malware campaigns work. What's happening behind the scenes? Where are all the, the infrastructure elements? How are they used? And this blog helped answer so much and sort of joined dots.


Nic Fillingham:

If you are listening to the podcast here and you're not sure what we're talking about, head to the Microsoft security blog. It is a post from Feb 1st. But Elif, could you sort of give us an overview? What was discussed in this blog post? What was sort of the key take away? What was the research that you conducted?


Elif Kaya:

Sure. So uh, I'm part of a, a email research and threat intelligence team, uh, that supports the defender product suite at Microsoft, and what we primarily focus on is tracking email campaigns and email trends over a long period of time and documenting those. So, this blog post kind of came along series of documentation, which we started to bubble up these trends in infrastructure, which is one of my focus areas, starting back in March and running uh, all through the end of the year, where a large series of disparate email campaigns, kind of stretching from very commodity malware that is available for like 15, 20 dollars, to things associated with big name actors, and et cetera, were being delivered with very similar characteristics, despite on the surface the malware being very different, the outcomes being very different, or the cost of the malware targets being very different.


Elif Kaya:

And so, we were able to see within each of these individual campaigns that the infrastructure supporting the email delivery was a consistent theme. So, it starts with when these domains that were used as email addresses to send these from, uh, started being registered to the current day and kind of what campaigns they helped facilitate, when they were registered, and et cetera. So, when people usually talk about infrastructure that supports malware, a lot of the terms get used overlapping. So, when people refer to infrastructure, they generally are referring to the see to addresses, call back addresses that the attacker that owns the malware owns.


Elif Kaya:

But what we've been seeing much more frequently, and what we wanted to explain with the blog post, is that in really concrete ways like you said with actual examples, is that the malware and cyber crime infrastructure is very modular. And so, when we say infrastructure we could mean who's sending the emails from their servers, who's hosting the email addresses, who's posting the phish kits, who's hosting the delivery pages that deliver the malware, and who's writing the malware. And then later, who's delivering the ransomware.


Elif Kaya:

And so these could, in any particular campaign or any particular incident that a sock is looking at, be entirely different people. And so, the reason we wanted to do this blog and detail kind of what we did here and go through each of the cam- malware campaigns that was delivered, was to kind of show like, if you're only focusing on each malware campaign, the next one's going to be right cued up and use all the same infrastructure to deliver maybe something maybe more evasive that, that you'll have to get on top of.


Elif Kaya:

And so, by doing this tracking you can kind of up level it once more, and instead of spending all you time trying to evade one particular malware strain that's going through constant development, you could put a higher focus at stopping kind of the delivery itself, which, we actually detail through the blog, was very consistent over nine months or so, but had a lot less attention focused on it.


Elif Kaya:

So, some of the cases that we discuss in the blog are cases like Makop, which was used very heavily, and in especially South Korea, all throughout April and all throughout the spring, and is still pretty prevalent in terms of direct delivery ransomware in that region. It's usually delivered through other means, but what we saw and what we theorized is that whenever the standard delivery mechanisms for those malware are interrupted, they'll kind of sample other infrastructure delivery providers, which is what we describe as StrangeU and RandomU in the blog.


Elif Kaya:

We use the term StrangeU and RandomU to differentiate two sets of DGA, or domain generation algorithm domain structures that we saw. StrangeU always uses the word strange. Not always, but nearly about 95% of the time. And Random U, couldn't find a better name, but it's just a standard random DGA algorithm, where it's just a bunch of letters and characters. We don't really have a fancy name to give it, but we were able to kind of coalesce around what that was internally, and track the domains as they were registered there. And then, shortly after they would be registered, they would start sending mail from those domains.


Nic Fillingham:

Elif, were you and the team surprised by how much interconnected overlap, agility, and sharing, for one of a better term, they were across these different groups and campaigns and techniques? Were you expecting to see lots of disconnected siloed activities, techniques, groups, et cetera, et cetera? Or were you expecting this amount of overlap, which we'll get to when we sort of explain the, the stuff in the blog?


Elif Kaya:

So, I think it was less that it was a bit of a surprise, and more that we don't often get a pristine example like this. Frequently, when we look at the connected infrastructure, they don't use domains necessarily. They'll use the botnet itself and IP addresses for delivery or other things. So, when we came across this one, we do normally handle and really do a deep dive in individual incidents and cases, so this was a little bit more of a unique example of like, hey, there's really clear patterns here. What can we learn by tracking it over a long period of time, in ways that other metrics are a little harder to track?


Elif Kaya:

But yeah, I, I would say that in general, most email campaigns and phishing campaigns, malware campaigns that you kind of run across, they are gonna have these threads of interconnectivity. They're just going to be at different levels. So, whether that's going to be a level that is kind of more visible for uh, blue teams like the email addresses, the domains themselves, or whether that's going to be something more femoral like IP addresses and hosting providers, or whether that's going to be something that's proxy even more so, like a cluster of compromised domains, similar to, to, you know, what Emotet uses, uh, or use to use, collected in a botnet that has a different way of clustering itself.


Elif Kaya:

And so for these, we were able to just kind of have something that bubbled to the top and made it easy to connect the dots, as well as other items in the header in the malware that we were able to identify. But I think through tracking this, we were able to kind of reaffirm and make a good piece of public example for blue teams that this is a very common method. This is a very common modular technique,


Elif Kaya:

... And it's very simple for attackers to stand this kind of thing up and offer their services to other places. And that's part of why we reference the Necurs botnet as well. Dridex makes a big appearance in the StrangeU and RandomU deliveries, especially later on in our tracking of them, and Dridex is also a prominent, um, delivery from a lot of other of these types of delivery botnets that have happened in the future, whether that's CutWail or, uh, Necurs or other, um, botnets like that. So it, it's very common but it's sometimes very hard to kind of keying in on all of the distinct components of it and evaluate like, is it worth it in this instance to key in on it, um, when our main goal is like, what is the most effective thing we can do to stop the deliveries?


Natalia Godyla:

I'd love to talk a little bit about the history that was described in the blog for the service infrastructure. So from what I understand, the Necurs takedown created a gap in the market where StrangeU and RandomU were able to step in and provide that in- necessary infrastructure. So why was that the replacement? Was there any connection there? And as a second part to that question, what does the evolution of these infrastructures look like? How are they accessible to operators that want to leverage them?


Elif Kaya:

Right. So in this one I can delve a little more into kind of just intuition and, and doing that, because my full-time role is not specifically to, you know, track all the, all the delivery botnets there are and active. The reason that we made the connection to Necurs wasn't because there was an actual connection in terms of affirming this is filling the same role that it was, or this is filling a hole. Because we don't have necessarily a clear picture of every delivery botnet there is. Because the timeframe was very close and because we were able to see shortly after, uh, StrangeU and RandomU started delivering, they initially only had pickup from commodity malware that we could find. So very cheap malware for the first few months of their delivery, such as Makop. Uh, we saw some Agent Tesla, we saw some Diamond Fox.


Elif Kaya:

But as it progressed on, it started picking up the bigger names like Dridex and doing larger campaigns that were more impactful as well. And so by the time that Necurs had ended, we had also seen them doing a lot of those bigger name malwares as well. And so the reason why we tried to make that comparison was largely to show that something very simple and kind of perhaps much less sophisticated and lasting for a lot less length of time as Necurs in the environment can get customers quickly. And so while we didn't do a deep dive into any of the amount of like, how is it being advertised, how are they getting the customers, what we wanted to show is that regardless of what methods they're using to get the customers, they're able to get-


Elif Kaya:

Basically the, the amount of research that was done for Necurs was much more in depth than the amount of research that was necessarily done here. And it was also done from a different angle, that angle was much more operator focused and our angle was much more, what was delivered, what was the impact, what were the trends between all of the different mails? And so we're mostly trying to just position it as, this fulfilled a similar, uh, outcome and got a lot of coverage of something that was very big, lasted for a very long time, many years, and something where somebody just started registering some domains, setting up some mail servers, was able to kind of get off the ground and running in just a few months for relatively low cost.


Nic Fillingham:

So El, if we normally start with an introduction or, or I, I got so excited about this topic that I jumped straight into my first question and I didn't give you an opportunity to introduce yourself. And I wondered, could you do that for us? I know you're, I believe you're a threat analyst or a threat hunter, is that correct?


Elif Kaya:

Yeah, so I'm currently a threat analyst, and you've actually had other people, I think, from my team on here already before. But yeah, I, I'm a threat analyst at Microsoft. I've been on this particular team for about a year now, specifically focusing in email threats, web threats, and I do have especially some focus in infrastructure tracking and domain, uh, generation algorithms in general and trying to make sure that our emails and campaigns that we're tracking are properly scoped and that we're able to kind of extract as many TTPs as we can from them.


Elif Kaya:

And so the role of our team and the role of myself in particular on the team is, when we do these individualized campaigns we look for the IOCs and things like that in it. We scope it, but what we're really looking for is, um, the trends of what's happening so that we can kind of try and pinpoint and escalate to the other teams internally the most impactful changes we could make to the product, or the most impactful changes we could recommend that customers do, if it's something that we don't have a product for or we don't have a protection for, in order to protect against the campaign. And so in this particular instance with this infrastructure, our goal here was to kind of really reiterate to customers that despite all this complexity, the spaghetti-like nature of this, at the end of the day all these different campaigns used kind of a lot of the same both delivery to deliver the email, but the Word documents that they delivered were also very similar.


Elif Kaya:

There, there were a lot of configurations that can be made on the endpoint to kind of really nullify a lot of these campaigns despite what we were able to see and some really evasive techniques that they were developing, the malware operators, over the time.


Nic Fillingham:

Yeah, I, I wonder if you could talk a little bit about how the research was actually conducted. A lot of these domains were not hosted by Microsoft infrastructure, as I, as I understand it. I think you sort of cover that a little bit in the blog. So how do you as a, in, you know, in your role, how do you go about conducting this research? Are you setting up honey pots to try and, uh, receive some of these, these emails and just sort of be a part of the campaign, and then you, you conduct your analysis from there? What, how do you go about, uh, performing this research?


Elif Kaya:

So the bulk of the research I think is performed with various, like some of it is honey pots and some of it's that. A lot of the research that is covered in the blog after we, uh, analyze the malware campaigns, which is a service we offer through, um, MTE, which I think there have been people from MTE that have come on as well, as well as analysis that we do, again, based on, uh, the malware samples that we receive and the email samples that we receive from reports, from externally as well as from open source intelligence. A lot of the domain research here, though, is actually done from, uh, open information. So any domain registrations that there are, the registration fingerprint, as I like to call it, which is all the metadata related to the registration, is publicly available. And so we collect a lot of that information and search it internally.


Elif Kaya:

And this is always something that I like to advise and encourage blue teams at any particular organization, you know, if they have a little bit of extra funding, to try and invest in as well. Because it's definitely, even though it's free and publicly available, you're generally gonna have to get a subscription or set up some kind of collection order to query the "who is" databases and the passive DNS databases that you'll need in order to do some of these pivots. But it kind of starts with finding the malware campaigns and then finding the emails, and then pivoting up towards everything else we can do. And once you have kind of a net of what you're looking for, sender domains and et cetera, you can then kind of go backwards and say, "Okay, now show, show me all the malware campaigns that we have investigated that, that have these components to them. Show me all the phishing campaigns that have these components to them."


Elif Kaya:

And so it's kind of going up and then going back down, but all clustered around that registration data and that domain data. Uh, because whether an attacker decides to use IP addresses or whether they decide to do domains, there's usually always some component of their campaign that they have to use attacker-owned infrastructure for, if that makes sense. We see a lot and it's very common for attackers to u- use compromised infrastructure, so WordPress sites, things like that, to host a lot of their architecture. But especially for things like C2s for mail delivery and other things, they're gonna want some resilient infrastructure that they'll own themselves. And so at what point in the chain they decide to do that is usually an opportunity for us to be able to see if there's any OPSEC errors on their part, and also see if they've conducted other campaigns with that same infrastructure. Yeah, and so differate- differentiating between attacker-owned infrastructure and compromised infrastructure is an additional critical component.


Natalia Godyla:

Now I'm trying to decide which question to go forward with. Can you describe the distinction between those two?


Elif Kaya:

Right. So attacker-owned infrastructure would be something the attacker sets up themselves. So they have to think of the, and populate the data in the domain address and the registration and the tenant themselves. So this encompasses both when attackers use free trial subscriptions for cloud services, it's whenever they go log into Namecheap and they register their own domains, as well as when they have dedicated IP hosting or bulk group hosting as well that they have decided like, "For this portion of my campaign," whether that's command and control, whether that's delivery or et cetera, "I need to make sure that I'm in control of this." We have seen examples where compromised infrastructure, which is the reverse of that where especially small businesses, parked domains, and other insecure WordPress sites, sites that have other types of vulnerabilities, will be compromised and used to, again, do any, any component of that kill chain, whether that's sending mails, hosting the malware, and will be used to do those things as well.


Elif Kaya:

So compromised infrastructure is when the attacker will utilize someone else. The benefit for attackers is it's definitely a lot harder for defenders to identify or take action against that, especially because they don't know how long it'll be compromised for, if it'll ever not be compromised, if the attacker's only leasing access to the compromised domain through a, a kind of, uh, cyber crime as a service provider or not. It becomes harder for the defenders to defend against and detect, because it has less points of contact and familiarity with other compromised domain. If somebody compromises a blog about kittens and a blog about race cars, it's gonna be pretty hard for a lot of things to pick up exactly what's similar about them, because some


Elif Kaya:

... other human worlds apart has made the whole blog but if one attacker has-


Nic Fillingham:

Probably Natalia Godyla


Elif Kaya:

... made five to 15 different sites in a day. (laughs) Yeah, it's a, it's going to have a lot more in common. But the downside of compromised domains for attackers is a, they often have to lease them from the people that initially compromise them and c, those compromised domains could become uncompromised, they have to now maintain access to something they didn't make. And we did also see that with OMO Tech, over the summer when it had come back after being quiet for very long, and people had replaced their payloads on compromised sites with, uh, I think chips with CAATs, something like that. We're back to CAATs.


Nic Fillingham:

You're speaking our language here, like we're, we're, we're on the edge of our seat, you said CAAT like twice in like a minute.


Natalia Godyla:

(laughs)


Elif Kaya:

But when an attacker comprises a lot of their infrastructure on compromised infrastructure, other attackers could compromise it, defenders could compromise it, anyone can kind of... They have to now protect it, whereas if they made it from nowhere and no one owned it, except for them, it's kind of a lot easier for them to just hang out. Because then the kind of only person that's looking out for them a lot of the time, is if somebody is connecting the dots on the infrastructure or the hosting providers, like I think the ones that we cover here is like, IronNet, Namecheap, et cetera, if they're looking out for somebody hosting on their, their infrastructure. But if somebody is just sitting there, they're just being quiet, they're just sending mail, nobody's going to notice that they're compromised probably. Whereas if you're a small business owner and your site ends up on a block list, you're going to go start asking questions, you're going to start trying to get that fixed or take your site down.


Nic Fillingham:

Elif, I'd love to come back to what you talked about with the way that you conducted this research and you, you, you said that getting subscriptions to Huawei Services and DNS records, this is all public record. But there is still some tools required to pass through that information and, and create the pivots. We were talking offline, before we started recording, I'll paraphrase here and please correct me, that you didn't utilize really machine learning as a tool to discover this techniques. Is that, is that correct? Can you talk more about what techniques you did use and didn't use and why something like machine learning or unsupervised learning was not either necessary in this space or wasn't necessary to discover these techniques?


Elif Kaya:

Yeah, I mean, I could talk to the, the techniques that I used and well, I can't say explicitly like why machine learning would or would not be helpful here because I'm not an expert on machine learning. I think in the different campaigns that I've worked on in my career in security, whether it's this one or before I came to Microsoft, I did some more independent research on a large set of Chrome extensions that were also connected by various, uh, commonalities to get those taken down. A lot of this research that can be pretty impactful and pretty widespread doesn't require ML in order to parse and to navigate. And I think part of the reason that ML is a bit unsuited for this at the moment, is because there hasn't been as much manually focused research. And there's been a lot of research done by independent researchers and people in the security community but I have seen a lot less focus in terms of data from tech companies in doing and making publicly available some of this infrastructure surrounded research.


Elif Kaya:

And so what I mean by that is that a lot of security companies focus a lot on the actor name. They focus a lot on the reverse engineering of the malware and those are critical components. In part because that's what the products that they're sometimes selling is AV Surfaces and things like that and that's the point in time that they are protecting against the threat. But when it comes to the infrastructure, companies that would be the most positioned to protect against that threat or have products to protect against that threat, aren't necessarily doing the manual body of research currently necessary I think, in order to guide ML to kind of identify this work. And so right now to say, " Oh, would this be something that ML would be suited to step in?"


Elif Kaya:

And I think that it could in the future be suited to step in slightly but I also think that the way that this works, is currently operating at a level that actually does benefit from, from manual analysis at this time. In part, because it, it doesn't actually take tools that are generally above or beyond what is in a lot of analyst tool set with basic scripting and things like that. Because right now there has been such a non focus from security companies and blue teams, I think on infrastructure and infrastructure commonalities and the way that these campaigns are so modular that, for lack of a better word, there's not a lot of sophistication in it. Most of the sophistication we see in these campaigns are designed to evade automated technology. They're designed to evade ML. They're designed to evade phish filters. They're not really designed to evade humans looking at them, because I think you and me looking at those strange new domains, like you can look at a cluster of them and be like, "These aren't real sites, they're not real."


Natalia Godyla:

(laughs)


Nic Fillingham:

Yeah. I'm not, I'm not going to visit a website called, I'm gonna pick one up here like, eninaquilio.u... Maybe I would actually, that, that looks really cool. (laughs) Okay, gonesa.usastethkent, it's got like no vowels, like he replies strange secure world.


Elif Kaya:

And so we don't actually see a lot of, I guess, advancement in that space from attackers. A lot of the advancement is there in different parts that aren't necessarily bubbled up, but it's happening in the malware itself, in order to evade AV in order to not get alerts that fire on them. It's not necessarily happening to use something other than a macro or send from something other than an obvious phishing email or if obvious phishing source. And a lot of times, uh, one part that's one of my favorite part is these, these registrations frequently use the, .us domain. Many top level domains actually prohibit different parts of obfuscation for the registration record. And so when you register a domain, obviously the attacker kind of doesn't want to use real data, it's not the real name. But they'll use like memes and other things in the registration information, because it's fake data but then you can go and pivot and find where they've used the same meme before. And so-


Nic Fillingham:

Look for old domains registered by Rick Astley.


Natalia Godyla:

(laughs)


Elif Kaya:

Yeah, I think there was one-


Nic Fillingham:

You might be too young for that, me and my friend-


Elif Kaya:

There was, there was one that I think was used, I forget for which one of these malware campaigns where a lot of the registrations were actually happening under a registered email, that was something like, hiIhateantiviruspleaseleavemealone@gamer.com or something (laughs)or like, youcan'ttakethisdown.com. And I was like-


Nic Fillingham:

Try me.


Natalia Godyla:

Challenge accepted.


Nic Fillingham:

It's like a big red, a big red arrow pointing at them.


Elif Kaya:

What is happening in the infrastructure space for a lot of these things is happening pretty rapidly, it's happening at pretty low costs. And it's also happening and looking a lot different and is in a way a lot less glamorous, than a lot of the reverse engineering that is necessarily done but it's very critical. Or the more nation state tracking that is, uh, very popular when or companies are selling threat intelligence products to customers. But when it comes to like security, kind of in a sock, a lot of put is going to get through the doors, regular phishing emails.


Natalia Godyla:

So if the campaigns are targeting the automation that's built in, like you said, the phishing filters, what should organizations be doing to protect themselves? What solution should they have in place, processes?


Elif Kaya:

So some of the big things that I remember from these particular campaigns, um, is if you are rolling any kind of mail protection service or mail service in general, please periodically check your allow lists. The allow lists will frequently have entire IP ranges, entire domain ranges and so even domains like these ones that are very randomized and they're strange and you've never received an email before in your life. Sometimes the configurations of your allow lists for emails can completely cause the mails to bypass other filters. So definitely whether you're running Microsoft for your mail protection or not, please periodically check your allow lists and your filters and kind of have a good understanding of like, do I have any instances where phishing or malware would bypass other protections? Have I set that up? So that's one thing that I think does cut down a lot on some of these, making it to inboxes.


Elif Kaya:

And other as we... And part of the reason why we highlighted at each of the malware campaigns involved here is, uh, the suite of... I always forget the acronym, ASR rules, advanced security rules or configurations that Microsoft offers for office in particular for macro executions and malicious office executions, routinely outside of this blog and other, it's still office word documents, it's still Office Excel documents, it's still macro buttons. And so re-evaluating your controls there and your protections there, especially looking at some of the automatic configurations that we have available now to just turn on, that is going to help there a lot as well. I think are the two biggest like controls that I would recommend people for these kind of items, is checking kind of your allow lists pretty periodically and what your filtering policies are. And checking your, specifically, if you are using Office 365 internally, whether you have configurations set up to not necessarily even just restrict but there are more granular configurations now that you can set up to specifically restrict DLL and other execution from office macros as well.


Nic Fillingham:

Elif, in the section of the blog where it talks about the dry decks campaigns big and small June to July and beyond. It reads here, that it feels like you uncovered a section of sort of experimentation and testing of sort of new techniques. There's references to Shakespeare, there's something I've never heard of called, VBA stomping. Can you talk a little bit about what kinds of experimentation and creativity that you stumbled upon as part of this research? First of all, and what is VBA stomping?


Elif Kaya:

Uh, so VBA stomping, I think we might've actually met VBA purging in the blog. I'm trying to remember


Elif Kaya:

...whether, I think it might've been VBA purging, but surprisingly VBA stomping and purging are separate, but they fulfill the same kind of function, which is to try and make that macro, that like spicy button that everybody wants to press a little harder for malware detection engines to detect. So VBA stomping and purging both operate a little bit differently, but their main goal is to kind of obfuscate the initial VBA code from the actual amount malicious code in general. So that when antivirus engines try and examine it, they're going to see all that Shakespeare text and they're not going to see the malware. And as for the Shakespeare text, (Laughs) it's actually still on virus total. I think if people go and check for any of the files that reach out to the bethermium.com and DFIR, the blog did a great writeup called I believe "Tried X toward dominance" which actually covers in their sandbox what happened after they ran this doc. Which was eventually moved to a PowerShell empire attempts within their sandbox.


Elif Kaya:

But yeah, as far as I can tell from the Shakespeare use for this, it's actually not the first time that poetry (Laughs) and kind of Shakespeare has been used to obfuscate malware. There have been other rats in the past that have used this. Uh, we couldn't find any similarity like this, this was not those. But oddly enough, there is occasionally every now and then poetry or Shakespeare, other things that is used as obfuscation techniques to kind of pat out documents. And in this case, what we actually found is every iteration of the word document that we could find, had all of the functions and pretty much all the code within the document was replaced by different random lines.


Elif Kaya:

So there wasn't actually any contiguous lines within it. So if you looked at two docs, one might have some lines from Hamlet, one might have some lines from some other kind of literature document as well. But I imagine that it was more so just additional stuff to make it. If you're looking for a function in this document, it's gonna look different in this one. If I had to guess, I would say it's probably something similar to an actual defensive technique that we, we being, I guess, myself-


Nic Fillingham:

(Laughs)


Elif Kaya:

...had a few talks on conferences before called I believe Polyverse the company, um, coined the term, but Poly scripting where you use each iteration of something is gonna have a different function name and a different code. But it's all internally, um, it's all going to, the interpreter is going to still interpret it, even though it's random text from externally. In order to help protect against in the case of polyverse and polyscripting, protect WordPress sites from easy exploit. But in the case of the Shakespeare document, probably to prevent against easy YARA rules and things to detect their code, don't click the spicy button. (Laughs)


Nic Fillingham:

Elif. What do we know about these domains that have all been identified? The StrangeYou, the RandomYou, are, they still active? Have they been shut down? Do they get sent back to the DNS registrar? What's the process? What does it look like?


Elif Kaya:

So we have made sure that at least on our end, and turn to our products, that these domains and any new iterations of them, of these particular strains that we identify are blocked, as well as the malware we cover in the report. Those are within our products. As for the domains, because they're not hosted on Microsoft infrastructure, we kind of report them and that's, that's about as much as we can do in terms of their activity. I have no doubt that the operators behind this, will probably just create a new strain, but is also not necessarily set in stone, that the operators behind RandomYou and StrangeYou are the same operators. It could be that they are just operating in a similar kind of space and time to fulfill similar functions.


Elif Kaya:

There was a few campaigns where they both sent the same campaign, which lends a bit of credence to them potentially being at least similarly operated, but nothing concrete. So it is very highly likely that, that they'll just continue to operate under new strains. Uh, and probably the next strain that they'll have will either be more of these, uh, or they'll create a new one. And by a new one, I mean, instead of the word strange, maybe they'll use the word. I don't know, doc.


Nic Fillingham:

How about cat?


Elif Kaya:

Could be cat.


Nic Fillingham:

Or has that been exhausted.


Elif Kaya:

It could be cat. We haven't exhausted the number of cat domains that there could be.


Nic Fillingham:

So it sounds like, uh, you know, one of the things you said in the blog, and I think you mentioned it earlier that paying attention to infrastructure can actually allow uh, Defenders, SOCs, Blue teams to get ahead of a new campaign if a campaign is leveraging existing infrastructure. And so is that the takeaway from this blog post for those folks listening to the podcast right now and reading the blog, is your one sentence takeaway here, like pay attention to infrastructure? Don't forget about the infrastructure? Is that, is that sort of what you'd like folks to come away with?


Elif Kaya:

Yeah, I absolutely. And that's kind of my secret wish with the blog and my secret wish with most of the work that I do, is that it'll make Defenders and Blue teams focus less on the glamor and less on the kind of actor attribution and more on what is working right now. What do I need in my environment? What do I not need environment, my environment? And one of the key points I'll hone in on in order to kind of demonstrate that is these .us domains .us is a, a t- top level domain frequently used, uh, maliciously, but it's also frequently used for reasonable good purposes. What some of our tracking internally does and tracking that I've done before I went to Microsoft, is that attackers have trends of top level domains that they prefer to use from month to month. Certain malware strains, like using some top level domains, other, over others for a variety of reasons.


Elif Kaya:

But if you are running SOC and you were running Blue team get kind of creative about how you can take different steps to either monitor track or block infrastructure that is unnecessary to your organization. Not to impede or cause any kind of interference from productivity, but to kind of keep an eye on attacks and trends that you don't know about yet. For example, .su domains or .icu domains, uh, you might not have almost any benign presence for that in your environment. And so you might want to create custom alerts or custom rules to say like, "Hey, if I see this, maybe this could be the next malware campaign that Microsoft or somebody else hasn't written about but I'm a target of." And so kind of get creative about that, uh, especially if you have those kinds of capabilities within your network to filter on a mail comes in or mail comes out.


Natalia Godyla:

So just stepping away from the block for a minute, what about yourself personally speaking, what are you most passionate about in your work right now? What are you looking to achieve? What is your big goal I guess?


Elif Kaya:

So for myself and the reason that I, I'm still kind of in this field and at Microsoft doing the job that I'm doing right now is, I, I would really like to use these kinds of examples to bubble up what Blue teams that have less funding that are less glamorous and individual people can use in order to find threats. So I really want to try and shift the focus away from big groups or big actors or attribution and more towards what I consider the end goal for security. For me, which is how can I stop people from getting impacted. And so for myself and my own passions and interests insecurity outside of just what I do for work, I'm very focused in web security and browser security, I think there is a big gap that a lot of people focused as well as consumer security.


Elif Kaya:

A lot of these issues that we consistently pop up over and over again, kind of happen in part because of a lack of focus in consumer security. And by consumer, I kind of mean individual non corporations or small corporations. And so kind of the lack of focus in that and leaves a lot of people with the knowledge, but without the tools and resources easily available in order to kind of set themselves up for success. That's kind of a state of compromised websites that are used for botnets and et cetera. Right now, as well as, you know, privacy and security issues that individual users face in their regular day-to-day life with browser extensions and et cetera, where a lot of times browser extension research and browser research in general might get deprioritized due to its focus on individual consumer privacy versus things like malware, which focus a lot of the time on enterprise.


Elif Kaya:

But at least from my perspective, I'm very passionate about malvertising and, and the ways the advertising and web security and email security kind of coalesce around using a lot of the success that they have on individual people in order to leverage those attacks against bigger corporations later. That's where I like to focus a lot of my energy and research.


Nic Fillingham:

Uh, Elif Kaya, thank you so much for your time and thank you for, uh, contributing this great blog posts and helping us wrap our heads around email infrastructure.


Elif Kaya:

Thanks for having me.


Natalia Godyla:

Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.


Elif Kaya:

And don't forget to tweet us at msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then stay safe.


Natalia Godyla:

Stay secure.

More Episodes

6/2/2021

Pearls of Wisdom in the Security Signals Report

Ep. 30
It’s our 30thepisode! And in keeping with the traditional anniversary gift guide, the 30thanniversary means a gift of pearls.Sofrom us to you, dear listener, we’ve got an episode with somepearlsofwisdom!On today’s episode, hostsNic FillinghamandNataliaGodylabringback returning champion,Nazmus Sakib, to take us through the newSecurity Signals Report. Sakib walks us through why the reportwasdoneand then helps us understand the findings and what they mean for security.In This Episode You Will Learn:How pervasive firmware is in our everyday livesWhy many people were vulnerable to firmware attacksHow companies are spending the money they allocate towards digitalprotectionSome Questions We Ask:What was the hypothesis going into the Security Signals Report?How do we protect ourselves from vulnerabilities that don’t exist yet?Wereany of the findings from the report unexpected?ResourcesNazmusSakib’sLinkedIn:https://www.linkedin.com/in/nazmus-sakib-5aa8a6123/Security Signals Report:https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.com
5/26/2021

Securing Hybrid Work: Venki Krishnababu, lululemon

Ep. 29
On this week’s Security Unlocked we’re featuring for the second and finaltime,a special crossover episode of our sister-podcast, Security Unlocked: CISO Series with Bret Arsenault.Lululemon has been on the forefront of athleisure wear since its founding in 1998,but while many of its customers look atitexclusively as a fashionbrand,ata deeper level thisfashion empire is bolstered by a well thought out and maintained digital infrastructure that relies on ahard workingteam to run it.On today’s episode, Microsoft CISO Bret Arsenault sits down with VenkiKrishnababu, SVP of Global Technology Services at Lululemon.Theydiscuss the waysin whichtechnology plays into the brand, how Venkileada seamless transition into the remote work caused by the pandemic, and how he’s using the experiences of the past year to influence future growth in the company.In This Episode You Will Learn:Why Venkifeels sopassionatelyabout leading withempathyWhy Venki saw moving to remote work as only the tip of the iceberg; and how he handled whatlaidbelow.Specific tools and practices that haveleadto Venki’ssuccessSome Questions We Ask:What is the biggest lesson learned during the pandemic?How doesone facilitate effective management during this time?Howdoes Lululemonviewthe future of in-person versus remote work?Resources:VenkiKrishnababu’sLinkedIn:https://www.linkedin.com/in/vkrishnababu/Brett Arsenault’s LinkedIn:https://www.linkedin.com/in/bret-arsenault-97593b60/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.com
5/19/2021

Contact Us; Phish You!

Ep. 28
Threat actors arepeskyand, once again,they’reup to no good.A newmethodologyhas schemers compromising onlineformswhere userssubmittheir information like their names, email addresses,and, depending on the type of site, some queries relating totheir life.This new methodindicatesthat the attackers have figured out away around the CAPTCHA’s that have been making us all provewe’renot robotsbyidentifyingfire hydrantssince 1997.Andwhat’smore,we’renot quite surehowthey’vedone it.In this episode, hosts NataliaGodylaand Nic Fillingham sit down with Microsoftthreat analyst, Emily Hacker, to discuss what’s going on behind the scenes as Microsoft begins todigintothis new threat and sort through how best to stop it.In This Episode You Will Learn:Why this attack seems to be more effective against specificprofessionals.Why this new method of attack has a high rate ofsuccess.How to better prepare yourself for this method of attackSome Questions We Ask:What is the endgame for these attacks?What are we doing to protect againstIceIDin these attacks?Are we in need of a more advanced replacementforCAPTCHA?Resources:Emily Hacker:https://www.linkedin.com/in/emilydhacker/Investigating a Unique ‘Form’ of Email Delivery forIcedIDMalwarehttps://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.comTranscript[Full transcript can be found athttps://aka.ms/SecurityUnlockedEp26]Nic Fillingham: (00:08)Hello and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nick Fillingham.Natalia Godyla: (00:20)And I'm Natalia Godyla. In each episode we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.Nic Fillingham: (00:30)And profile some of the fascinating people working on artificial intelligence in Microsoft Security.Natalia Godyla: (00:36)And now, let's unlock the pod.Nic Fillingham: (00:40)Hello, the internet. Hello, listeners. Welcome to episode 28 of Security Unlocked. Nic and Natalia back with you once again for a, a regular, uh, episode of the podcast. Natalia, how are you?Natalia Godyla: (00:50)Hi, Nic. I'm doing well. I'm stoked to have Emily Hacker, a threat analyst at Microsoft back on the show today.Nic Fillingham: (00:58)Yes, Emily is back on the podcast discussing a blog that she co-authored with Justin Carroll, another return champ here on the podcast, called Investigating a Unique Form of Email Delivery for IcedID Malware, the emphasis is on form was, uh, due to the sort of word play there. That's from April 9th. Natalia, TLDR, here. What's, what's Emily talking about in this blog?Natalia Godyla: (01:19)In this blog she's talking about how attackers are delivering IcedID malware through websites contact submission forms by impersonating artists who claim that the companies use their artwork illegally. It's a new take targeting the person managing the submission form.Nic Fillingham: (01:34)Yeah, it's fascinating. The attackers here don't need to go and, you know, buy or steal email lists. They don't need to spin up, uh, you know, any e- email infrastructure or get access to botnets. They're, they're really just finding websites that have a contact as form. Many do, and they are evading CAPTCHA here, and we talk about that with, with, with, uh, Emily about they're somehow getting around the, the CAPTCHA technology to try and weed out automation. But they are getting around that which sort of an interesting part of the conversation.Nic Fillingham: (02:03)Before we get into that conversation, though, a reminder to Security Unlock listeners that we have a new podcast. We just launched a new podcast in partnership with the CyberWire. It is Security Unlocked: CISO Series with Bret Arsenault. Bret Arsenault is the chief information security officer, the CISO, for Microsoft, and we've partnered with him and his team, uh, as well as the CyberWire, to create a brand new podcast series where Bret gets to chat with security and technology leaders at Microsoft as well as some of his CISO peers across the industry. Fantastic conversations into some of the biggest challenges in cyber security today, some of the strategies that these big, big organizations are, are undertaking, including Microsoft, and some practical guidance that really is gonna mirror the things that are being done by security teams here at Microsoft and are some of Microsoft's biggest customers.Nic Fillingham: (02:52)So, I urge you all to, uh, go check that one out. You can find it at the CyberWire. You can also go to www.securityunlockedcisoseries.com, and that's CISO as in C-I-S-O. CISO or CISO, if you're across the pond, securityunlockedcisoseries.com, but for now, on with the pod.Natalia Godyla: (03:12)On with the pod.Nic Fillingham: (03:18)Welcome back to the Security Unlocked Podcast. Emily Hacker, thanks for joining us.Emily Hacker: (03:22)Thank you for having me again.Nic Fillingham: (03:24)Emily, you are, uh, coming back to the podcast. You're a returning champion. Uh, this is, I think your, your second appearance and you're here-Emily Hacker: (03:30)Yes, it is.Nic Fillingham: (03:30)... on behalf of your colleague, uh, Justin Carroll, who has, has also been on multiple times. The two of you collaborated on a blog post from April the 9th, 2021, called Investigating a Unique Form-Emily Hacker: (03:43)(laughs)Nic Fillingham: (03:43)... in, uh, "Form", of email delivery for IcedID malware. The form bit is a pun, is a play on words.Emily Hacker: (03:51)Mm-hmm (affirmative).Nic Fillingham: (03:51)I- is it not?Emily Hacker: (03:53)Oh, it definitely is. Yeah.Nic Fillingham: (03:54)(laughs) I'm glad I picked up on that, which is a, you know, fascinating, uh, campaign that you've uncovered, the two of you uncovered and you wrote about it on the blog post. Before we jump into that, quick recap, please, if you could just reintroduce yourself to the audience. Uh, what, what do you do? What's your day-to-day look like? Who do you work with?Emily Hacker: (04:09)Yeah, definitely. So, I am a threat intelligence analyst, and I'm on the Threat Intelligence Global Engagement and Response team here at Microsoft. And, I am specifically focused on mostly email-based threats, and, as you mentioned on this blog I collaborate with my coworker, Justin Carroll, who is more specifically focused on end-point threats, which is why we collaborated on this particular blog and the particular investigation, because it has both aspects. So, I spend a lot of my time investigating both credential phishing, but also malicious emails that are delivering malware, such as the ones in this case. And also business email, compromise type scam emails.Nic Fillingham: (04:48)Got it. And so readers of the Microsoft Security Blog, listeners of Security Unlocked Podcast will know that on a regular basis, your team, and then other, uh, threat intelligence teams from across Microsoft, will publish their findings of, of new campaigns and new techniques on the blog. And then we, we try and bring those authors onto the podcast to tell us about what they found that's what's happened in this blog. Um, the two of you uncovered a new, a unique way of attackers to deliver the IcedID malware. Can you walk us through this, this campaign and this technique that you, you both uncovered?Emily Hacker: (05:21)Yeah, definitely. So this one was really fun because as I mentioned, it evolved both email and endpoint. So this one was, as you mentioned, it was delivering IcedID. So we initially found the IcedID on the endpoint and looking at how this was getting onto various endpoints. We identified that it was coming from Outlook, which means it's coming from email. So we can't see too much in terms of the email itself from the endpoint, we can just see that it came from Outlook, but given the network connections that the affected machines were making directly after accessing Outlook, I was able to find the emails in our system that contains emails that have been submitted by user 'cause either reported to junk or reported as phish or reported as a false positive, if they think it's not a phish. And so that's where I was actually able to see the email itself and determined that there was some nefarious activity going on here.Emily Hacker: (06:20)So the emails in this case were really interesting in that they're not actually the attacker sending an email to a victim, which is what we normally see. So normally the attacker will either, you know, compromise a bunch of senders and send out emails that way, which is what we've seen a lot in a lot of other malware or they'll create their own attacker infrastructure and send emails directly that way. In this case, the attackers were abusing the contact forms on the websites. So if you are visiting a company's website and you're trying to contact them a lot of times, they're not going to just have a page where they offer up their emails or their phone numbers. And you have to fill in that form, which feels like it goes into the void sometimes. And you don't actually know who it went to in this case, the, the attackers were abusing hundreds of these contact forms, not just targeting any specific company.Emily Hacker: (07:08)And another thing that was unique about this is that for some of the affected companies that we had observed, I went and looked at their websites and their contact form does require a CAPTCHA. So it does appear that the attackers in this case have automated the filling out of these contact forms. And that they've automated a way around these CAPTCHAs, just given the, the sheer volume of these emails I'm seeing. This is a good way of doing this because for the attacker, this is a much more high fidelity method of contacting these companies because they don't have to worry about having an incorrect email address if they have gotten a list off of like Pastebin or a list, you know, they purchased a list perhaps from another criminal. Emily Hacker: (07:52)A lot of times in those cases, if they're emailing directly, there's gonna be some, some false emails in those lists that just don't get delivered. With the contact form, they're designed to be delivered. So it's gonna give the attacker a higher chance of success in terms of being delivered to a real inbox.Natalia Godyla: (08:11)And so when we, we talk about the progression of the attack, they're automating this process of submitting to these contact forms. What are they submitting in the form? What is the, and what is the end goal? So there's malware somewhere in their-Emily Hacker: (08:27)Mh-mm-hmm (affirmative).Natalia Godyla: (08:27)... response. What next?Emily Hacker: (08:29)Yeah. It's a really good question. So the emails or rather the contact form submissions themselves, they're all containing a, a lore. So the contents themselves are lore that the attacker is pretending to be a, um, artist, a photographer, and illustrator, something along those lines. There's a handful of different jobs that they're pretending to be. And they are claiming that the company that they are contacting has used an image that belongs to the artist, illustrator, photographer on their website without permission. And so the attacker is saying, "You used my art without permission. I'm going to sue you if you don't take this down, if you wanna know what aren't talking about, click on this link and it'll show you the exact art that I'm talking about or the exact photo." What have you, all of the emails were virtually identical in terms of the content and the lore.Emily Hacker: (09:21)The attacker was using a bunch of different fake emails. So when you fill out a contact form, you have to put your email so the, the company can contact you, I guess, in reply, if they need to. And the attackers, almost every single email that I looked at had a different fake attacker email, but they did all follow a really consistent pattern in terms of the, the name, Mel and variations on that name. So they had like Melanie, I saw like Molina, like I said, there was hundreds of them. So the email would be Mel and then something relating to photography or illustration or art, just to add a little bit more credence, I think to their, to their lore. It made it look like the email address was actually associated with a real photographer. The, the attacker had no need to actually register or create any of those emails because they weren't sending from those emails. They were sending from the contact form. So it made it a lot easier for the attacker to appear legitimate without having to go through the trouble of creating legitimate emails. Emily Hacker: (10:16)And then the, um, the email itself from the recipients view would appear other than the fact that it felt fishy, at least to me, but, you know, I literally do this for a living. So maybe just everything feels fishy to me. Other than that, the email itself is going to appear totally legitimate because since it's coming through the contact form, it's not going to be from an email address. They don't recognize because a lot of times these contact forms are set up in a way where it'll send from the recipient's domain. So for example, a contact form, I don't know if this is how this works, but just as an example at Microsoft might actually send from Microsoft.com or the other large percentage of these that I saw were sent from the contact form hosting provider. So there are a lot of providers that host is kind of content for companies. And so the emails would be coming from those known email addresses and the emails themselves are gonna contain all of the expected fields, all in all. It's basically a legitimate email other than the fact that it's malicious.Nic Fillingham: (11:17)And, and just reading through the sample email that you, that you have in the blog post here, like sort of grammatically speaking it's, it reads very legitimately like, the-Emily Hacker: (11:26)Mh-mm-hmm (affirmative).Nic Fillingham: (11:27)... you know, the s- the, the grammar and the spelling is, it's colloquial, but it's, but it seems, you know, pretty legitimate. The idea of a photographer, a freelance photographer, stumbling upon their images being used without permission. You know, you hear stories of that happening. That seems to be somewhat plausible, not knowing how to contact the, the infringing organization. And then therefore going to the generic contact us form like this all, this all seems quite plausible. Emily Hacker: (11:52)And, definitely. And it's als one of those situations where even though, like I said, I do this for a living, so I read this and I was like, there's no way that's legit. But if my job was to be responsible for that email inbox, where stuff like this came in, it would be hard for me to weigh the consequences of like, is it more likely that this is like a malicious email? Or is it yeah. Is it possible that this is legit? And if I ignore it, my company is gonna get sued. Like, I feel like that kind of would give the recipient that, that weird spot of being like, "I don't want to infect the company with malware, or, you know, I don't wanna click on a phishing link if that's what this is, but also if I don't and then we get sued, is it my fault?"Emily Hacker: (12:33)I just, I, I feel for the recipient. So I, I understand why people would be clicking on this one and infecting themselves. And speaking of clicking on that is the other thing that's included in this email. So that was the last bit of this email that turns us from just being weird/legitimate, to totally malicious. All of the emails contain a link. And, um, the links themselves are also abusing legitimate infrastructure. So that's, uh, the next bit of abused, legitimate infrastructure that just adds that next bit of like believability if that's a word to this campaign.Nic Fillingham: (13:05)It is a word.Emily Hacker: (13:06)Okay, good believability. Is that the, the links, you know, we're, if you don't work insecurity, and even if you do work in security, we're all kind of trained like, "Oh, check the links, hover over the links and make sure it's going somewhere that you expect and make sure it's not going to like bad site dot bad, dot bad or something," you know, but these don't do that. All of the emails contained a sites.google.comm link. And I've looked at literally hundreds of these, and they all contain, um, a different URL, but the same sites.google.com domain. If you click on the link, when you receive the email, it'll take you actually to a legitimate Google authentication page that'll ask you to log in with your Google credentials, which again, every step along the way of this, of the email portion of this, of this attack, the attacker just took extra steps to make it seem as real as possible, or to almost like every piece of security advice. Emily Hacker: (14:01)I feel like they did that thing. So it seemed more legitimate because it's not a phishing page. It's not like a fake Google page that's stealing your credentials. It's a real where you would log in with your real Google credentials. Another thing that this does outside of just adding an air of legitimacy to the emails, it also can make it difficult for some security automation products. So a product that would be looking at emails and detonating the link to see if they're malicious and this case, it would detonate the link and it would land on, you know, a real Google authentication page. And in some cases it may not be able to authenticate. And then it would just mark these as good, because it would see what it expected to see. So, outside of just seeming legit, it also makes, you know, security products make this think it's more legit as well. But from there, the, uh, user would be redirected through a series of attacker own domains and would eventually download a zip file, which if they unzipped, they would find the IcedID payload.Emily Hacker: (15:06)So in this case, it's delivering IcedID, although this technique could be used to deliver other stuff as well, but it's not necessarily surprising that it's delivering IcedID right now, because pretty much everything I feel like I'm seeing lately as I study. And I don't think I'm alone in that there's murmurings that IcedID might be replacing Emotets now that you Emotet has been taken down in terms of being, you know, the annoyingly present malware. (laughs) So this is just one of many delivery methods that we've seen for IcedID malware lately. It's certainly in my opinion, one of the more interesting ones, because in the past, we've seen IcedID delivered a lot via email, but, um, just delivered via, you know, the normal type of malicious email if you will, with a compromised email sending with a, a zip attachment, this is much more interesting.Emily Hacker: (15:56)But in this case, if the user downloaded the payload, the payload would actually do many things. So in this case, it was looking for machine information. It was looking to see what kind of security tools were in place to see what kind of antivirus the machine was running. It was getting IP and system information. It was getting, you know, domain information and also looking to access credentials that might be stored in your browser. And on top of that, it was also dropping Cobalt Strike, which is another fun tool that we see used in every single incident lately. It feels like, um, which means that this can give attacker full control of a compromised device.Natalia Godyla: (16:38)So, what are we doing to help protect customers against IcedID? In the blog you stated that we are partnering with a couple of organizations, as well as working with Google.Emily Hacker: (16:52)Yes. So we have notified Google of this activity because it is obviously abusing some of their infrastructure in terms of the sites at Google.com. And they seem to be doing a pretty good job in terms of finding these and taking them down pretty quickly. A lot of times that I'll see new emails come in, I'll go to, you know, click on the link and see what it's doing. And the site will already be taken down, which is good. However, the thing about security is that a lot of times we were playing Catch Up or like, Whack-A-Mole, where they're always just gonna be a step ahead of us because we can't pre block everything that they're going to do. So this is still, um, something that we're also trying to keep an eye on from, from the delivery side as well. Emily Hacker: (17:34)Um, one thing to note is that since these are coming from legitimate emails that are expected is that I have seen a fair bit like, uh, a few of these, uh, actually, um, where the, the customers have their environment configured in a way where even if we mark it as phish, it still ends up delivered. So they have a, what is like a mail flow rule that might be like allow anything from our contact form, which makes sense, because they wouldn't wanna be blocking legitimate requests from co- from customers in their contact form. So with that in mind, we also wanna be looking at this from the endpoint. And so we have also written a few rules to identify the behaviors associated with the particular IcedID campaign. Emily Hacker: (18:16)And it will notify users if the, the behaviors are seen on their machine, just in case, you know, they have a mail flow rule that has allowed the email through, or just in case the attackers change their tactics in the email, and it didn't hit on our rule anymore or something, and a couple slipped through. Then we would still identify this on the endpoint and not to mention those behaviors that the rules are hitting on are before the actual IcedID payload is delivered. So if everything went wrong in the email got delivered and Google hadn't taken the site down yet, and the behavioral rule missed, then the payload itself is detected as I study by our antivirus. So there's a lot in the way of protections going in place for this campaign.Nic Fillingham: (18:55)Emily, I, I wanna be sort of pretty clear here with, with folks listening to the podcast. So, you know, you've, you've mentioned the, the sites.google.com a, a couple of times, and really, you're not, you're not saying that Google has been compromised or the infrastructure is compromised simply that these attackers have, uh, have come up with a, a, you know, pretty potentially clever way of evading some of the detections that Google, uh, undoubtedly runs to abuse their, their hosting services, but they could just evasively has been targeting OneDrive or-Emily Hacker: (19:25)Mh-mm-hmm (affirmative).Nic Fillingham: (19:25)... some other cloud storage.Emily Hacker: (19:25)That's correct. And we do see, you know, attackers abusing our own infrastructure. We've seen them abusing OneDrive, we've seen them abusing SharePoint. And at Microsoft, we have teams, including my team devoted to finding when that's occurring and remediating it. And I'm sure that Google does too. And like I said, they're doing a pretty done a good job of it. By the time I get to a lot of these sites, they're already down. But as I mentioned, security is, is a game of Whack-A-Mole. And so for, from Google point of view, I don't envy the position they're in because I've seen, like I mentioned hundreds upon hundreds of these emails and each one is a using a unique link. So they can't just outright block this from occurring because the attacker will just go and create another one.Natalia Godyla: (20:05)So I have a question that's related to our earlier discussion. You, you mentioned that they're evading the CAPTCHA. I thought that the CAPTCHA was one of the mechanisms in place to reduce spam. Emily Hacker: (20:19)Mh-mm-hmm (affirmative).Natalia Godyla: (20:19)So how is it doing that? Does this also indicate that we're coming to a point where we need to have to evolve the mechanisms on the forms to be a little bit more sophisticated than CAPTCHA?Emily Hacker: (20:33)I'm not entirely sure how the attackers are doing this because I don't know what automation they're using. So I can't see from their end, how they're evading the CAPTCHA. I can just see that some of the websites that I know that they have abused have a CAPTCHA in place. I'm not entirely sure.Nic Fillingham: (20:52)Emily is that possible do you think that one of the reasons why CAPTCHA is being invaded. And we talked earlier about how the, sort of the grammar of these mails is actually quite sophisticated. Is it possible? This is, this is a hands on keyboard manual attack? That there's actually not a lot of automation or maybe any automation. And so this is actually humans or a human going through, and they're evading CAPTCHA because they're actually humans and not an automated script?Emily Hacker: (21:17)There was another blog that was released about a similar campaign that was using the abusing of the contact forms and actually using a very similar lore with the illustrators and the, the legal Gotcha type thing and using sites.google.com. That was actually, it was very well written and it was released by Cisco Talos at the end of last year, um, at the end of 2020. So I focused a lot on the email side of this and what the emails themselves looked like and how we could stop these emails from happening. And then also what was happening upon clicks over that, like I said, we could see what was happening on the endpoint and get these to stop. Emily Hacker: (21:55)This blog actually focused a lot more on the technical aspect of what was being delivered, but also how it was being delivered. And one thing that they noted here was that they were able to see that the submissions were performed in an automated mechanism. So Cisco Talos was able to see that these are indeed automated. I suspected that they were automated based on the sheer volume, but I Talos is very good. They're very good intelligence organization. And I felt confident upon reading their blog that this was indeed automated, how it's being captured though, I still don't know.Natalia Godyla: (22:35)What's next for your research on IcedID? Does this round out your team's efforts in understanding this particular threat, or are, are you now continuing to review the emails, understand more of the attack?Emily Hacker: (22:52)So this is certainly not the end for IcedID. Through their Microsoft Security Intelligence, Twitter account. I put out my team and I put out a tweet just a couple of weeks ago, about four different IcedID campaigns that we were seeing all at the same time. I do believe this was one of them. They don't even seem related. There was one that was emails that contained, um, zip files. There was one that contained emails that contained password protected zip files that was targeting specifically Italian companies. There was this one, and then there was one that was, um, pretending to be Zoom actually. And that was even a couple of weeks ago. So there's gonna be more since then. So it's something that, like I mentioned briefly earlier, IcedID almost feels to be kind of, it feels a little bit like people are calling it like a, the next wave of replacement after Emotech are taken down. Emily Hacker: (23:43)And I don't know necessarily that that's true. I don't know that this will be the new Emotech so to speak, Emotech was Emotech And IcedID is IcedID but it does certainly feel like I've been seeing it a lot more lately. A lot of different attackers seem to be using it and therefore it's being delivered in different ways. So I think that it's gonna be one that my team is tracking for awhile, just by nature of different attackers using it, different delivery mechanisms. And it'll be, it'll be fun to see where this goes.Nic Fillingham: (24:13)What is it about this campaign or about this particular technique that makes it your Moby Dick-Emily Hacker: (24:17)(laughs) Nic Fillingham: (24:17)... if I may use the analogy.Emily Hacker: (24:20)I don't know. I've been thinking about that. And I think it has to do with the fact that it is so, like, it just feels like a low blow. I don't know. I think that's literally it like they're abusing the company's infrastructure. They're sending it to like people whose job is to make sure that their companies are okay. They're sending a fake legal threat. They're using legit Google sites. They're using a legit Google authentication, and then they're downloading IcedID. Like, can you at least have the decency, descend to crappy like unprotected zip attachment so that-Nic Fillingham: (24:49)(laughs)Emily Hacker: (24:49)... we at least know you're malicious, like, come on. It's just for some reason it, I don't know if it's just 'cause it's different or if it's because I'm thinking back to like my day before security. And I, if I saw this email as this one that I would fall for, like maybe. And so I think that there's just something about that and about the, the fact that it's making it harder to, to fully scope and to really block, because we don't want to block legitimate contact emails from being delivered to these companies. And obviously they don't want that either. So I think that's it.Nic Fillingham: (25:22)What is your guidance to customers? You know, I'm a security person working at my company and I wanna go run this query. If I run this, I feel like I'm gonna get a ton of results. What do I do from there?Emily Hacker: (25:33)That's a good question. So this is an advanced hunting query, which can be used in the Microsoft Security portal. And it's written in advanced hunting query language. So if a customer has access to that portal, they can just copy and paste and search, but you're right. It is written fairly generically to a point where if you don't have, you know, advanced hunting, you can still read this and search and whatever methodology, whatever, you know, searching capabilities you do have, you would just have to probably rewrite it. But what this one is doing the top one, 'cause I, I have two of them written here. The first one is looking specifically at the email itself. So that rejects that's written there is the, um, site.google.com.Emily Hacker: (26:16)All of the emails that we have seen associated with this have matched on that rejects. There was this morning, like I said, I was talking to a different team that was also looking into this and I'm trying to identify if she found, um, a third pattern, if she did, I will update the, um, AHQ and we have, we can post AHQ publicly on the Microsoft advanced hunting query, get hub repo, which means that customers can find them if we, if we change them later and I'll be doing that if that's the case, but point being this rejects, basically it takes the very long, full URL of this site.google.com and matches on the parts that are fairly specific to this email.Emily Hacker: (27:02)So they all contain, you know, some of them contain ID, some of them don't, but they all contain that like nine characters, they all contain view. It's just certain parts of the URL that we're seeing consistently. And that's definitely not by itself going to bubble up just the right emails, which is why have it joined on the email events there. And from there, the, I have instructed the users to replace the following query with the subject line generated by their own contacts, their own websites contact submission form. What I have in there are just a few sample subject lines. So if your website contact form generates the subject line of contact us or new submission or contact form, then those will work. But if the website con-, you know, contact form, I've seen a bunch of different subject lines. Then what this does is that it'll join the two. So that it's only gonna bubble up emails that have that sites.google.com with that specific pattern and a subject line relating to the contact form. Emily Hacker: (28:02)And given the searching that I've done, that should really narrow it down. I don't think there's going to be a ton in the way of other contact emails that are using sites.google.com that are showing up for these people. I wouldn't be surprised if this did return one email and it turned out to be a malicious email related to this campaign. But if the contact form generates its own subject line per what the user inputs on the website, then, you know, the screenshots that are in the blog may help with that, but it might be more difficult to find in that case. There's a second advanced hunting query there, which we'll find on the endpoint.Natalia Godyla: (28:37)And I know we're just about at time here, but one quick question on endpoint security. So if a customer is using Microsoft Defender for endpoint, will it identify and stop IcedID?Emily Hacker: (28:49)Yes, it will. The IcedID payload in this case, we're seeing Defender detecting it and blocking it. And that was what, one of the things I was talking about earlier is that Defender is actually doing such a good job. That it's a little bit difficult for me to see what's, uh, gonna happen next because I'm limited to, um, seeing kind of what is happening on customer boxes. And so, because our products are doing such a good job of blocking this, it means that I don't have a great view of what the attacker was going to do next because they can't, 'cause we're blocking it. So it's of mostly a win, but it's stopping me from seeing if they are planning on doing, you know, ransomware or whatever, but I'd rather not know if it means that our customers are protected from this.Nic Fillingham: (29:32)Well, Emily Hacker, thank you so much for your time. Thanks to you and Justin for, for working on this. Um, we'd love to have you back again on Security Unlocked to learn more about some of the great work you're doing.Emily Hacker: (29:41)Definitely, thank you so much for having me.Natalia Godyla: (29:47)Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.Nic Fillingham: (29:54)And don't forget to tweet us @msftsecurity or email us at securityunlockedatmicrosoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.Natalia Godyla: (30:05)Stay secure.