CyberWire Daily - No honor in being a criminal. [Research Saturday]
Episode Date: September 9, 2023
This week, our guest is Reece Baldwin from Kasada discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently ...identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities to conduct credential stuffing attacks. This malware campaign was first uncovered when the team was digging around in a Telegram channel set up to share OpenBullet configurations. Reading through a few of the configurations, they identified a function ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. The research states "While the versatility of OpenBullet’s configuration files enables complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved." The research can be found here: No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life...
Thank you.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
With all of these sort of tools, because you've seen it once, there's a possibility that if you're
a threat researcher like we are, or a threat intelligence team, that there might be cause for you to run some of these configuration files
that you find within criminal forums.
And if you are doing that as part of your work,
then inspecting those prior to running them is probably best.
That's Reece Baldwin, Director of Threat Intelligence at Kasada.
Today we're discussing their work,
No Honor Amongst Thieves,
Unpacking a New OpenBullet Malware Campaign.
So Kasada is an anti-bot company,
and we do threat research and threat intelligence, looking
at criminal groups that are targeting our customers and also just seeing where those
kind of financial groups are operating.
So we identified some malware within OpenBullet, which is a tool that can be used for pen testing or web testing,
but it's being used by cyber criminals to automate attacks against predominantly login
details or login endpoints.
And so we identified some malware within the configuration files in OpenBullet.
Well, let's dig into that a little bit.
Can you describe to us what are the capabilities of the OpenBullet tool
and how do these configuration files play into that?
Configurations are kind of the heart of OpenBullet.
And these are typically text files that instruct OpenBullet
how to call different functions, I suppose,
or different endpoints on a target system.
So we can think of it like if you're going to log in
to an account on a website,
you might have to visit a login page first
and there'll be an API that gets called in the back end.
And then you might log into that, your account, and then you might see all of your
billing history or payment information. And so what the configuration files do is it sets out
those steps within this text file. And within those text files, it'll step the users of OpenBullet
through all those steps.
So you can load it into the OpenBullet software.
And then typically what you do is you then load in a credential dump.
And these are typically email and password combinations.
And you then test all those email and password combinations
using that config against your target website.
And for every combination that is successful, that gets stored in a database on your machine.
And so we look at these OpenBullet configs quite regularly and test some of these for
our own internal threat research.
And while we were looking at one of these,
we identified that there was headers that were in one of the calls to an API endpoint
that looked rather suspicious.
Now, to be clear here, I mean, OpenBullet is a legitimate tool,
but I guess like a lot of pen testing tools,
it's also used by folks who are up to no good?
Yeah, absolutely.
So it is a legitimate tool and it is used for testing.
It can be used for pen testing
or it can be used for testing in web development
and those sort of things.
It is absolutely a legitimate tool,
but it is one of the prime tools that's used
by some of the threat groups that we monitor to do credential stuffing attacks against major enterprises.
So I suppose the really interesting thing here is that you all detected some bad guys
targeting other bad guys.
Yeah, that's correct. So some of these criminal groups hang out in telegram channels and they share techniques and tactics and procedures and also they share these configuration files with each other.
a configuration for retailer A and the other says, oh, I have a configuration for airline B and so they'll swap.
And there are then other communities where they will freely post configurations that
people have already used or these groups have already used and are no longer being as successful
where then sort of new people to these communities can download and use them.
These groups where they've shared these, a threat actor has added
in some maliciousness to those configuration files
because OpenBullet can open browsers and do automation
that way using Selenium.
And so in this case, what occurred is that the maliciousness
within the config file, it would make a call to a pastebin site.
And within that pastebin site was the end of a GitHub repo.
Now, when that was called, it would create the GitHub full URL,
and that would replace the Chrome driver that's used by OpenBullet to orchestrate the running of that Chrome browser on there. So the Selenium kind of powering of that. And that's where we first found the actual malware.
Well, there's two payloads here.
Can you describe them for us?
Sure.
So the first payload is a Rust binary that is downloaded,
and we believe that one is just a dropper
that then calls a second payload.
And these are both on GitHub and still available now.
They get updated about once
or twice an hour, both of these payloads, and just changing just a small amount, we think, to
bypass sort of antivirus and those sort of things, those general sort of checks. So
the first one appears to be a dropper that then calls and drops the second one.
And the second one is a compiled Python binary.
Now, this malware is only targeting Windows at the moment,
so everything is compiled only for Windows.
Now, the second one is a piece of malware that is written
completely in Python and is based off other open source Python malware.
But this one is controlled through Telegram.
And what are its capabilities?
So when we looked at the original malware
that we believe that this one stemmed from,
it had a lot of capabilities
that you would see in typical malware campaigns. So
the ability to take screenshots, upload and download files, execute processes on the host
machine, those typical kind of functions. But what we found was different between this one
and the original was that it was now targeting cryptocurrencies.
So they had written, the threat actors had written a credential harvester.
So it would decrypt stored logins from Chromium-based browsers and also decrypt stored cookies in those same browsers.
And then it would also search for directories associated with crypto wallets
and they had also written a payload that was for clipjacking, so monitoring the clipboard
for pasted or copied crypto addresses. So Bitcoin addresses, Litecoin, Dogecoin, those sort of things. And so when one of those was detected being put onto the clipboard, it would then put the attacker's crypto
address in there in place of the one that had been copied to the clipboard so that any funds
would be then transferred to them. And we were able to track some of those transactions.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security
tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
making apps and IPs invisible, eliminating lateral movement,
connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with
AI-powered automation, and detecting threats using AI to analyze over 500 billion daily
transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler
Zero Trust and AI. Learn more at zscaler.com security.
Yeah, it's quite interesting.
I mean, how successful do you suppose that they are being here?
Well, we saw that looking at the GitHub repo,
we saw that it was released in early July.
So when we had a look at all the crypto transactions that were based on the wallet addresses that we saw in the malware, up until we released the blog post, we looked and
there was about 13 US dollars. So not a lot. But since then and since we've released our blog,
that's jumped to a hefty $170.
So it's, but that's only the clipjacking part.
So what we can infer from this is that it is still getting run
and it's still being somewhat successful.
Now, we can't correlate exactly that this is from the clipjacking
because it could be from other places and other things.
But if we're looking at just those transactions as a metric
for measuring the success, then it is still running,
it is still working, but that's about as far as we were able to go.
Does it seem odd to you that we've got
threat actors targeting other threat actors? No, there's been a history of threat
actors targeting other threat actors. So it's not really
something that we find overly surprising.
What we're finding, though, is that you would typically
find something like this where
someone would provide a compiled binary. So they would provide something that there was no way for
you to be able to inspect. So you installed it; someone would give you something and say, this
is a cracker for whatever tool you were looking for, and that would be infected with malware, and
then you would get it on your machine, and that's how you go.
In this case, it's quite brazen because the configuration files that are used by OpenBullet
are just plain text. So by simply opening that file in a text editor and reading it and being
able to follow that control flow within it, you would identify that there is some maliciousness going on.
I typically ask folks like yourself, what should people do to protect themselves against this?
I mean, is step number one, don't be a malicious threat actor?
In this case, it is. But with all of these sort of tools, because you've seen it once,
there's a possibility that if you're a threat researcher like we are or a threat intelligence team, that there might be cause for you
to run some of these configuration files that you find
within criminal forums.
And if you are doing that as part of your work and part
of your practice,
then inspecting those prior to running them is probably best,
not to just trust that the configurations that you're getting are legitimate in that kind of illegitimate, legitimate sort of way.
So the way to protect yourself is just to inspect those config files.
Our thanks to Reece Baldwin from Kasada for joining us.
The research is titled No Honor Amongst Thieves,
Unpacking a New OpenBullet Malware Campaign.
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
The CyberWire Research Saturday podcast is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Elliot Peltzman.
Our executive editor is Peter Kilby,
and I'm Dave Bittner. Thanks for listening.