CYBERSEC 2020 臺灣資安大會 (Taiwan Cyber Security Summit)
Windows Malware Hot 5
HITCON GIRLS 短短
What will this talk cover?
Agenda
I will introduce 5 Windows malware families that attracted a lot of attention in 2020 and what they have been up to lately, and I will also cover the techniques that were used most often in 2019. It is an approachable talk!
Target audience
Those of you who are interested in this year's Windows malware updates and have some security awareness; even better if you have heard of ATT&CK and know the malware categories.
Disclaimer
The ranking is my own summary from reading some vendor blogs, Twitter and reports
It is entirely personal opinion
Purely for entertainment
Don't take it too seriously
It does not represent the position of HITCON GIRLS
短短 (Yi Chin)
Interned for a year on the analysis team at a security company
Wanted to go to the Indian Institute of Technology as an exchange student, but ran into the pandemic...
So I stayed home and trained in seclusion instead!
Member of the HITCON GIRLS study group
This year, because of COVID-19...
Besides the security summit being postponed
No exchange program
No going abroad for graduate school
No graduation trip
So, let's get started!
#5 Dridex
Surged this March! Ransomware's good friend
● In March 2020 several malicious-email campaigns carried malicious Excel files whose macro downloads Dridex, which may then go on to download targeted ransomware such as BitPaymer and DoppelPaymer
● Because of Covid-19, people rely heavily on logistics to deliver daily necessities, so Dridex's phishing lures are mostly FedEx and UPS invoices
Dridex
● The first Dridex seen in the wild appeared in 2011; it is a banking Trojan that steals money by transferring it out of the victim's online accounts
● BaaS (Botnet as a Service), usually made up of several botnets
● Typically uses phishing email to lure the user into downloading a malicious Microsoft Office document; once macros are enabled, the macro downloads Dridex
Dridex-associated gang: Evil Corp
#4 Sodinokibi
This happened over the 2019 New Year...
The UK's Travelex used its own experience to remind everyone how important it is to apply patches quickly
The 2019 New Year Travelex bloodbath
● Over the 2019 New Year the UK foreign-exchange company Travelex was infected with Sodinokibi; the attackers demanded USD 6 million to return the customer data.
● The cause was vulnerable Pulse Secure VPN servers that had not been patched (CVE-2019-11510), although a patch had been available since April 2019.
● The whole service was down for several weeks, and in the end they still paid USD 2.3 million
Sodinokibi (REvil)
● Sodinokibi tops the list of the most brazen ransomware of the first half of 2020
● Skilled at breaking in via phishing email and known vulnerabilities (e.g. CVE-2019-2725 in Oracle WebLogic Server)
Sodinokibi (REvil) v2.2, hot off the press!
● In May 2020 Sodinokibi evolved: it uses the Windows Restart Manager to shut down the processes or services that hold a file locked, so it can encrypt files that would otherwise be locked
#3 Agent Tesla
A stalker's favourite: Agent Tesla, the message snooper
● A .NET-based spyware / RAT / keylogger active since 2014; it takes screenshots, snoops on browser history, captures clipboard contents and more, making it a stalker's little helper
● On sale through all the major channels
● Recently distributed with Covid-19-themed phishing email, for example "URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST/RESULT UPDATE."
Captured passwords are mailed to the attacker's own mailbox
MD5: 6ef18708f51ace44e6b6c2fe7a3668ce
Agent Tesla uses a Wi-Fi password stealing module
● In April 2020 Malwarebytes found that Agent Tesla collects the victim's Wi-Fi profiles, presumably also for spreading, similar to Emotet
source: https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
#2 Trickbot
Trickbot
● A modular banking Trojan discovered in 2016; it redirects victims to fake bank pages to steal authentication credentials, frequently switches target banks, is updated often to gain new features, and has also stolen cryptocurrency
● Usually distributed via phishing email carrying malicious Microsoft Office files whose macro downloads Trickbot; it also spreads using the EternalBlue vulnerability
Trickbot distributed as a DLL
● In late February 2020, Malware Traffic found Trickbot being distributed in DLL form
Trickbot targets Win 10
1. In late January 2020 MORPHISEC published a report saying that Trickbot picks a different UAC bypass method depending on the Windows version
Trickbot targets Win 10
2. In late February 2020 MORPHISEC also found that the ActiveX control in OSTAP, Trickbot's downloader, uses the newest Win 10 MsRdpClient10NotSafeForScript class for remote control
source: https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows
Trickbot checks the screen resolution
#1 Emotet
Emotet
● A banking Trojan with custom modules, discovered in 2014; nowadays it is mostly used to distribute other malware
● Highly skilled at maintaining persistence and evading detection and analysis
● Frequently spread via phishing email
● Has a spam module
Emotet evolves: spreading over Wi-Fi
● In February 2020 Emotet was found to collect the SSIDs, signal strength, encryption type and so on of nearby Wi-Fi networks, and then attempt to log in to them
● Once in, it enumerates the devices connected to that Wi-Fi network, then tries to guess their credentials and connect to them to spread Emotet
source: https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
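A defender-side check prompted by the Wi-Fi profile collection in Agent Tesla (earlier) and the Emotet Wi-Fi spreader in this slide. This PowerShell example is added here and is not part of the talk; it lists the Wi-Fi profiles saved on a Windows host and flags those still configured for open, WEP or TKIP security, the networks a spreader that guesses Wi-Fi passwords has the easiest time with. It relies on `netsh wlan export profile` and the WLAN profile XML schema; the function name and the weak/strong classification are this example's own assumptions.

```powershell
# Added example, not from the talk: inventory the Wi-Fi profiles saved on this
# host and flag weak ones. Uses `netsh wlan export profile`, which writes one
# XML file per saved profile; without `key=clear` the export carries no
# passphrase, so the audit never touches key material.

function Get-WlanProfileAudit {
    # Scratch folder for the exported profile XML files.
    $exportDir = Join-Path $env:TEMP ('wlan-audit-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $exportDir | Out-Null
    try {
        # Exports every saved profile; yields no files on a host without a
        # WLAN interface or with the WLAN AutoConfig service stopped.
        $null = netsh wlan export profile folder="$exportDir"

        # The profile XML uses a default namespace, so XPath needs a prefix.
        $ns = @{ p = 'http://www.microsoft.com/networking/WLAN/profile/v1' }

        foreach ($file in Get-ChildItem -Path $exportDir -Filter '*.xml') {
            [xml]$doc = Get-Content -Path $file.FullName -Raw
            $text = {
                param($xpath)
                $hit = Select-Xml -Xml $doc -XPath $xpath -Namespace $ns
                if ($hit) { $hit.Node.InnerText } else { '' }
            }

            $auth = & $text '//p:authEncryption/p:authentication'
            $enc  = & $text '//p:authEncryption/p:encryption'

            # Classification assumed by this example: open/shared (WEP) auth,
            # first-generation WPA, or none/WEP/TKIP encryption counts as weak.
            $weak = ($auth -in @('open', 'shared', 'WPA', 'WPAPSK')) -or ($enc -in @('none', 'WEP', 'TKIP'))

            [pscustomobject]@{
                Profile        = & $text '/p:WLANProfile/p:name'
                Authentication = $auth
                Encryption     = $enc
                AutoConnect    = ((& $text '/p:WLANProfile/p:connectionMode') -eq 'auto')
                Weak           = $weak
            }
        }
    }
    finally {
        # Remove the exported XML even though it holds no secrets.
        Remove-Item -Path $exportDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Weak profiles that auto-connect are the ones to delete or re-key first.
Get-WlanProfileAudit |
    Sort-Object -Property Weak, AutoConnect -Descending |
    Format-Table -AutoSize
```

On a non-English Windows the exported XML is identical, which is why the audit parses XML instead of the localized `netsh wlan show profile` output.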
After 5 quiet months, the Emotet Qbot duo
● In late July 2020, a wave of attacks in which Emotet installed Qbot
A brief introduction to TTPs
TTPs?
● Tactics - why?
● Techniques - how?
● Procedures - a sequence of actions
Pyramid of Pain
MITRE ATT&CK
Sounds a bit abstract
12 Tactics
● TA0001 Initial Access
● TA0002 Execution
● TA0003 Persistence
● TA0004 Privilege Escalation
● TA0005 Defense Evasion
● TA0006 Credential Access
● TA0007 Discovery
● TA0008 Lateral Movement
● TA0009 Collection
● TA0011 Command and Control
● TA0010 Exfiltration
● TA0040 Impact
https://attack.mitre.org/tactics/enterprise/
Collection - T1185 Man in the Browser
● Agent Tesla has the ability to use form-grabbing to extract data from web data forms.
● TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.
● Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.
Sub-techniques
Credential Access - T1552 Unsecured Credentials
.001 Credentials In Files
● TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, and WinSCP.
● Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.
Credential Access - T1552 Unsecured Credentials
.002 Credentials in Registry
● TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.
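The check a practitioner would want against the PuTTY registry key named above: an added PowerShell example, not part of the talk, that lists the sessions saved under `HKCU\Software\SimonTatham\PuTTY\Sessions` and reports which of them carry a stored proxy password (the value itself is never shown), with an optional switch to blank those passwords out. `HostName`, `UserName`, `ProxyHost` and `ProxyPassword` are PuTTY's own value names; the function name and the choice to treat a non-empty `ProxyPassword` as a finding are this example's assumptions.

```powershell
# Added example, not from the talk: audit the PuTTY saved sessions that a
# credential stealer querying Software\SimonTatham\PuTTY\Sessions would read,
# and show which sessions persist a proxy password in the registry.

function Get-PuttySessionExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Blank out stored proxy passwords instead of only reporting them.
        [switch]$ClearProxyPasswords
    )

    $base = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (-not (Test-Path -Path $base)) { return }   # PuTTY never used here

    foreach ($key in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $key.PSPath
        # Report presence only; the value itself is deliberately not read out.
        $hasProxyPassword = -not [string]::IsNullOrEmpty($props.ProxyPassword)

        if ($hasProxyPassword -and $ClearProxyPasswords -and
            $PSCmdlet.ShouldProcess($key.PSChildName, 'Clear ProxyPassword')) {
            Set-ItemProperty -Path $key.PSPath -Name ProxyPassword -Value ''
        }

        [pscustomobject]@{
            # PuTTY percent-encodes session names in the registry ("my%20host").
            Session          = [uri]::UnescapeDataString($key.PSChildName)
            HostName         = $props.HostName
            UserName         = $props.UserName
            ProxyHost        = $props.ProxyHost
            HasProxyPassword = $hasProxyPassword   # state before any clearing
        }
    }
}

# Report only; add -ClearProxyPasswords (with -WhatIf to preview) to remediate.
Get-PuttySessionExposure |
    Sort-Object -Property HasProxyPassword -Descending |
    Format-Table -AutoSize
```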
Top 5 ATT&CK Techniques in Action for 2019
1. T1063: Security Software Discovery
2. T1027: Obfuscated Files or Information
3. T1055: Process Injection
4. T1082: System Information Discovery
5. T1057: Process Discovery
Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
Time for a summary
Summary
1. Phishing as the distribution method: an unchanging truth
2. a downloads b, e.g. Emotet downloads Trickbot
3. Malware families are all very active, updating again and again
Reference
Sodinokibi
● Ransomware Payments Up 33% As Maze and Sodinokibi Proliferate in Q1 2020
● Changes in REvil ransomware version 2.2
Dridex
● March 2020's Most Wanted Malware: Dridex Banking Trojan Ranks On Top Malware List For First Time
Emotet
● Emotet Evolves With New Wi-Fi Spreader
Reference
Trickbot
● TRICKBOT DELIVERY METHOD GETS A NEW UPGRADE FOCUSING ON WINDOWS 10
● Trickbot Malspam Leveraging Black Lives Matter as Lure
● TRICKBOT TROJAN LEVERAGING A NEW WINDOWS 10 UAC BYPASS
● TrickBot malware now checks screen resolution to evade analysis
Agent Tesla
● New AgentTesla variant steals WiFi credentials
Reference
Top Techniques of 2019
● Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
Report
● Cyber Attack Trends: 2020 Mid-Year Report by Check Point
Resources
Top 10 Malware Jan to June by CIS
● https://www.cisecurity.org/blog/top-10-malware-january-2020/
● https://www.cisecurity.org/blog/top-10-malware-february-2020/
● https://www.cisecurity.org/blog/top-10-malware-march-2020/
● https://www.cisecurity.org/blog/top-10-malware-april-2020/
● https://www.cisecurity.org/blog/top-10-malware-may-2020/
● https://www.cisecurity.org/blog/top-10-malware-june-2020/
Others
● M-trends 2020 by FireEye