North Korean and other malware observed on the Black Hat network • The Register

Those tasked with defending the Black Hat conference network are seeing a lot of strange, sometimes hostile activity, and this year that included malware linked to Kim Jong-un’s operatives.

In their second year of helping defend the infosec event's Network Operations Center (NOC), the IronNet team said they reported 31 malicious alerts and 45 highly suspicious events, according to the team's post-mortem report.

Of course, not all malware detected at Black Hat is intended to infect devices and perform nefarious acts – some of it comes from simulated attacks in the classrooms and on the show floor. So while Tor activity and DNS tunneling would, and probably should, set off alarms in a corporate network, at the cybersecurity conference they turned out to be regular attendee behavior and vendor demonstrations.

However, the security firm's threat hunters – Peter Rydzynski, Austin Tippett, Blake Cahen, Michael Leardi, Keith Li and Jeremy Miller – said they discovered “several” active malware infections on the network, including Shlayer, the North Korea-attributed SHARPEXT, and NetSupport RAT.

Let’s start with the code that has ties to the Supreme Leader himself.

“During the conference, we observed numerous calls from four unique hosts to three domains associated with the North Korean SHARPEXT malware,” the threat hunters documented.

Volexity in late July linked this email-stealing malware to the Pyongyang-backed Kimsuky crew, aka SharpTongue. It is notable because, rather than stealing users’ email credentials, the malware – essentially a malicious extension for Chromium-based browsers – reads messages and exfiltrates data from victims’ webmail accounts as they browse their inboxes. The SHARPEXT extension is usually installed on a victim’s Windows PC after the machine has already been compromised through some other vulnerability or infection route.

“Given the interest shown by North Korean threat actors in compromising security researchers over the past two years, our observation of the North Korean SHARPEXT malware on the Black Hat network is remarkable in itself due to its use by so many cyber researchers and security workers,” according to the IronNet team.

However, they admit that the DNS queries to SHARPEXT command-and-control servers remain “confusing”. Although the lookups for these domains returned successful DNS responses, there was no outbound communication to the resolved addresses afterward.

“It’s possible geo-filtering is in play here, but that’s not how we would expect it to be done and it’s not something we frequently see done using DNS,” the hunters theorized. “Therefore, we don’t have a good answer for the reason behind this activity.”
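One way a NOC analyst could surface the resolved-but-never-contacted pattern the hunters describe, by correlating DNS answers for watch-listed domains with subsequent outbound connections from the same host. This is an added example, not the IronNet team's code; the log lines, client addresses and watch-list domain names are constructed placeholders.

```python
"""Flag hosts that resolve a watch-listed domain but never connect to the
answered IP within a time window (the SHARPEXT DNS puzzle described above)."""
from datetime import datetime, timedelta

# Constructed sample logs (not from the Black Hat NOC).
# DNS_LOG fields:  timestamp client qname answer_ip
# CONN_LOG fields: timestamp client dst_ip
DNS_LOG = """\
2022-08-10T14:02:11 10.10.4.21 c2-example-a.invalid 203.0.113.10
2022-08-10T14:05:40 10.10.4.37 c2-example-b.invalid 203.0.113.11
2022-08-10T14:06:02 10.10.4.37 updates.example.net 198.51.100.5
"""
CONN_LOG = """\
2022-08-10T14:02:15 10.10.4.21 203.0.113.10
2022-08-10T14:06:03 10.10.4.37 198.51.100.5
2022-08-10T16:30:00 10.10.4.37 203.0.113.11
"""
# Placeholder watch list standing in for a real C2 domain feed.
WATCHLIST = {"c2-example-a.invalid", "c2-example-b.invalid"}


def parse(log, field_count):
    """Split whitespace-delimited log lines; skip malformed rows."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != field_count:
            continue
        rows.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return rows


def resolved_but_silent(dns_log, conn_log, watchlist, window=timedelta(minutes=10)):
    """Return (client, domain, ip) tuples for watch-listed lookups that were
    not followed by a connection from that client to the answered IP
    within `window` of the DNS response."""
    conns = parse(conn_log, 3)
    findings = []
    for ts, client, qname, answer in parse(dns_log, 4):
        if qname not in watchlist:
            continue
        followed = any(c == client and ip == answer and ts <= cts <= ts + window
                       for cts, c, ip in conns)
        if not followed:
            findings.append((client, qname, answer))
    return findings
```

In the constructed data, 10.10.4.21 contacts its resolved C2 address four seconds after the lookup and is not flagged, while 10.10.4.37 only connects more than two hours later and is reported.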

Shlayer Malware Download

In addition to SHARPEXT, the NOC also observed a Shlayer malware infection that had fully compromised a victim’s computer, we are told. The attendee’s PC may very well have been infected by the malware before the event. The threat hunters noted:

Further investigation revealed HTTP GET requests retrieving a ZIP archive file, flagged as malicious in VirusTotal, that did not end with “.zip”, which was likely an attempt to evade detection.

All of this activity “tightly matched” that described by Kaspersky in the threat intelligence firm’s analysis of the Shlayer Trojan.

I smell a NetSupport RAT

In another case of a participant coming to the conference with an infected device, someone showed up with the NetSupport RAT (aka NetSupport Manager RAT) on their computer.

NetSupport, like many legitimate remote access tools, is frequently co-opted by cybercriminals to commandeer someone’s machine, spy on it, and steal information.

The infected device sent HTTP POST requests to an external server, and the communications closely matched Zscaler’s analysis of the information-stealing RAT’s activity.

“A concern in this case was that the C2 infrastructure was fully operational and responding,” the threat hunters noted. “This was unexpected: given the age of this malware, we frequently see old infections like this with an inactive C2 infrastructure that is unresponsive.”

Uh, it could have been worse

Overall, however, the NOC team was pleasantly surprised by the lower-than-expected level of malicious activity at the show.

About 20,000 people attended the annual infosec summer camp in Las Vegas this year, three times more than in 2021. But compared to last year, “we saw a relatively low amount of network traffic and a lower number of detections across the board by all organizations defending the NOC,” the IronNet team said.

Other Black Hat NOC defenders came from Optiv, IBM X-Force, Cisco, NetWitness, Palo Alto Networks and Gigamon.

“The ratio of network traffic volume in 2022 was 0.63 GB/second for 5,000 people versus 1.5 GB/second for 5,000 people in 2021,” the IronNet team noted.

“We also haven’t seen as much malicious activity resulting from actual malware activity as we expected this year.”

And while more participants attending more classes meant higher overall detections, “the relative volume of genuine detections was lower than expected given the massive increase in the number of in-person attendees,” they said. “We don’t know the definitive reason for this trend, but we welcome it.” ®
