Research Saturday 9.9.23
Ep 298 | 9.9.23

No honor in being a criminal.


Dave Bittner: Hello, everyone, and welcome to the Cyberwire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us. [ Music ]

Reece Baldwin: With all of these sort of tools, because you've seen it once, there's a possibility that if you're a threat researcher like we are or a threat intelligence team, that there might be cause for you to run some of these configuration files that you find within criminal forums. And if you are doing that as part of your work, then inspecting those prior to running them is probably -- it's probably best.

Dave Bittner: That's Reece Baldwin, Director of Threat Intelligence at Kasada. Today we're discussing their work, "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." [ Music ]

Reece Baldwin: So Kasada is an anti-bot company, and we do threat research and threat intelligence looking at criminal groups that are targeting our customers and also just seeing where those kind of financial groups are operating. So we identified some malware within OpenBullet, which is a tool that can be used for pentesting or web testing but is being used by cyber criminals to automate attacks against predominantly login details or login endpoints. And so we identified some malware within the configuration files in OpenBullet.

Dave Bittner: Well, let's dig into that a little bit. Can you describe to us -- what are the capabilities of the OpenBullet tool and how do these configuration files play into that?

Reece Baldwin: Configurations are kind of the heart of OpenBullet and these are typically text files that instruct OpenBullet how to call different functions, I suppose, or different endpoints on a target system. So we can think of it like if you're going to log into an account on a website, you might have to visit a login page first and there will be an API that gets called on the back end. And then you might log into that -- your account and then you might see all of your billing history or payment information. And so what the configuration files do is set out those steps within this text file and, within those text files, it will step the users of OpenBullet through all those steps. So you can load it into the OpenBullet software and then typically what you do is you then load in a credential doc. And these are typically email and password combinations. And you then test all those email/password combinations against -- oh, using that config -- against your target website. And for every combination that is successful, that gets stored in a database on your machine. And so we look at these OpenBullet configs quite regularly and test some of these for our own internal research. And while we were looking at one of these, we identified that there were some headers that were in one of the calls to an API endpoint that looked rather suspicious.

Dave Bittner: Now to be clear here, I mean OpenBullet is a legitimate tool but I guess, like a lot of pentesting tools, it's also used by folks who are up to no good?

Reece Baldwin: Yeah. Absolutely. So it is a legitimate tool and it is used for testing -- it can be used for pentesting or it can be used for testing with -- in web development and those sort of things. It is absolutely a legitimate tool, but it is one of the prime tools that's used by some of the threat groups that we monitor to do credential stuffing attacks against major groups.

Dave Bittner: So I suppose the -- the really interesting thing here is that you all detected some bad guys targeting other bad guys.

Reece Baldwin: Yeah. That's correct. So some of these criminal groups hang out in Telegram channels, and they share techniques and tactics and procedures and also they share these configuration files with each other. So one might say -- it's a bit like horse trading -- one might say I have a configuration for retailer A. And the other says, oh, I have a configuration for airline B. And so they'll swap. And there are then other communities where they will freely post configurations that people have already used, all these groups have already used and are no longer being as successful where, then, sort of new people to these communities can download and use them. These groups, when they've shared these, a threat actor has added in some maliciousness to those configuration files because OpenBullet can open browsers and do automation that way using Selenium. And so, in -- in this case, what occurred is that the maliciousness within the config file, it would make a call to a Pastebin site. And within that Pastebin site was the end of a GitHub repo. Now when that was called, it would create the GitHub URL and that would replace the Chromedriver that's used by OpenBullet to orchestrate the running of that Chrome browser on the outside of the Selenium kind of powering of that. And that's where we found -- we first found the actual malware.

Dave Bittner: Well, there's two payloads here. Can you describe them for us?

Reece Baldwin: Sure. So the first payload is a Rust binary that is downloaded and we believe that one is just a dropper. That thing calls a second payload, and these are both on the GitHub and still available now. They get updated about once or twice an hour, both of these payloads. And just changing just a small amount, we think, to bypass sort of anti-virus and -- and those sort of things -- those general sort of checks. So with -- the first one appears to be a dropper that then calls and drops the second one. And the second one is a compiled Python binary. Now this malware is only targeting Windows at the moment, so everything is compiled only for Windows. Now the -- the second one is a piece of malware that is written completely in Python and is based off other open-source Python malware, though this one is controlled through Telegram.

Dave Bittner: And -- well, what -- what are its capabilities?

Reece Baldwin: So when we -- when we looked at the original malware that we believe that this one stemmed from, it had a lot of -- a lot of capabilities that you would see in typical malware campaigns. So the ability to take screenshots, upload and download files, execute processes on a host machine. Those -- those typical kind of functions. But what we found was different between this one and the original was that it was now targeting cryptocurrencies. So they had written -- the threat actors had written a credential harvester so it would decrypt stored logins from Chromium browsers and also decrypt stored cookies in those same browsers. And then it would also search for directories associated with cryptobots and they had also written a payload that was for clipjacking, so monitoring the clipboard for Pastebin or copied crypto addresses, so bitcoin addresses -- Litecoin, Dogecoin, those sort of things. And so when one of those was detected being put onto the clipboard, it would then put the attacker's -- put their address in there in place of the one that had been copied to the clipboard so that any funds would be then transferred to them. And we were able to track some of those transactions. [ Music ]

Dave Bittner: Yeah. It's -- it's quite interesting. I mean, how successful do you suppose that they are being here?

Reece Baldwin: Well, we saw that -- looking at the GitHub loophole, we saw that it was released in early July. So when we had a look at all the crypto transactions that were based on the -- the, a lot of the addresses that we saw in the malware, up until we released the blogpost, we looked and there was about thirteen U.S. dollars, so not a lot. But since then and since we've released our blog, that's jumped to a hefty $170. So it's -- but that's only the clipjacking part. So what this -- what we can infer from this is that it -- it's still getting run and it's still being somewhat successful. Now we can't correlate exactly that this is from the clipjacking because it could be from other -- other places and other things. But if we're looking at just those transactions as they -- as a metric for measuring success, then it is still running, it is still working. But that's about as far as we were able to go.

Dave Bittner: Does it seem odd to you that we've got threat actors targeting other threat actors?

Reece Baldwin: No, there's been a history of threat actors targeting other threat actors, so it -- it's not really something that we find overly surprising. What we're finding, though, is that, you know, you would typically find something like this where someone would provide a compiled binary. So they would provide something that there was no way for you to be able to inspect it. So you installed -- someone would give you something and say this is a crack code for whatever tool you were looking for, and that would be infected with malware, and then you would get it on your machine and -- and that's how you'd -- it would go. In -- in this case, it's quite brazen because the configuration files that are used by people are just plain text. So by simply opening that file in a text editor, reading it, and being able to follow that control flow within it, you would identify that there is some maliciousness going on.

Dave Bittner: You know, I typically ask folks like yourself, you know, what should people do to protect themselves against this? I mean, is -- is -- is step number one, you know, don't be a malicious threat actor?

Reece Baldwin: In -- in this case it is, but with all of these sort of tools, there are -- because you've seen it once, there's a possibility that if you're a threat researcher like we are or a threat intelligence team, that there might be cause for you to run some of these configuration files that you find within criminal forums. And if you are doing that as part of your work and part of your practice, then inspecting those prior to running them is probably -- is probably best, not to just trust that the configurations that you're getting are legitimate in that kind of illegitimate legitimate sort of way. So, yeah, the way to protect yourself is just to inspect those config files. [ Music ]

Dave Bittner: Our thanks to Reece Baldwin from Kasada for joining us. The research is titled "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." We'll have a link in the show notes. [ Music ] The Cyberwire "Research Saturday" podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our Mixer is Elliott Peltzman. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.