Pikabot Malware Attack Demo

0:00 welcome to the Juniper threat Labs

0:01 attack demo series for this demo we will

0:05 be talking about peabot malware this

0:08 video will demonstrate how this malware

0:10 emerged in relation to a well-known

0:12 malware recently disrupted by

0:14 FBI afterwards we'll show you how

0:16 Juniper Network's customers can be

0:18 protected to give a background this

0:20 August of 2023 the FBI announced a

0:23 coordinated law enforcement effort code

0:26 named Operation duck hunt that disrupted

0:29 quac bot the operation involved

0:31 collaboration between law enforcement

0:33 agencies from France Germany lvia

0:36 Romania the Netherlands the UK and the

0:40 US the FBI neutralized this far-reaching

0:43 criminal supply chain cutting it off at

0:46 the knees as part of the operation the

0:49 FBI gained lawful access to Boo's

0:52 infrastructure and identified over

0:54 700,000 infected computers worldwide

0:58 including more than 200,000 ,000 in the

1:00 US to disrupt the botn net the FBI

1:04 redirected cckb but traffic to Bureau

1:06 controlled servers that instructed

1:09 infected computers to download an

1:10 uninstaller file the US justice

1:13 department announced that the malware is

1:15 being removed from victim computers to

1:17 prevent further harm and more than $8.6

1:20 million in cryptocurrency was seized as

1:23 illicit profits the takedown did not

1:25 result in any announced arrests cckb

1:28 also known as cubot initially started as

1:30 a banking Trojan in 2007 but evolved

1:33 into a versatile tool for Distributing

1:36 malicious code including ransomware

1:39 major ransomware families propagated

1:41 through kbot include kti prolok egregor

1:45 r evil Mega cortex and black Basta

1:48 following the takedown cockp has

1:50 remained dormant however different cyber

1:53 security researchers noticed an increase

1:55 activity of two malware which share

1:57 similar Behavior with first is the

2:00 darkgate malware and the other one is

2:02 peabot which we will talk about in this

2:04 video peabot is a malicious back door

2:07 that has been active since early

2:09 2023 it initially arrives as a fishing

2:12 email using hijacked email threads

2:15 enhancing the likelihood of the target

2:17 clicking on embedded malicious links the

2:20 emails were believed to be likely stolen

2:22 in an earlier campaign that targeted the

2:24 proxy log and flaw in vulnerable

2:26 Microsoft Exchange servers peabot

2:29 Implement an extensive anti-analysis and

2:31 anti- sandbox techniques to thwart

2:34 automated analysis in sandbox

2:36 environments pick abot communicates with

2:39 its command and control server it

2:41 includes commands to execute shell

2:43 commands download and execute XE dll and

2:47 Shell Code terminate current process and

2:50 collect host information such as

2:51 processes IP information and user

2:54 information in most of its campaigns

2:56 fishing emails feature malicious links

2:59 that Direct direct users to a password

3:01 protected zip file containing either a

3:03 Windows shortcut file JavaScript or HTA

3:07 file executing these files leads to the

3:09 peabot malware let's start the attack

3:12 simulation in this scenario we have a

3:15 compromised email thread featuring a

3:17 link and a password when the target user

3:20 clicks on the link it triggers the

3:22 opening of a browser initiating the

3:24 download of an archive file named yu.

3:27 zip upon examining the contents of the

3:30 zip file we find a file named tzz pdf.

3:35 lnk it's crucial to observe the double

3:37 extension a deceptive tactic aimed at

3:40 tricking the user into believing it's a

3:42 PDF file let's extract the shortcut file

3:45 and inspect its

3:47 contents in the windows environment

3:50 shortcut files don't merely serve as

3:52 shortcuts to Applications they can also

3:55 include command line

3:56 arguments this feature provides users

3:59 with the flexibility to customize how

4:01 applications or files are

4:04 executed in the context of this

4:06 situation the shortcut file may contain

4:09 system commands allowing the execution

4:11 of multiple commands sequentially

4:14 separated by

4:15 semicolons this includes potentially

4:17 malicious commands like Ping curl and

4:20 rundll32.exe

4:27 upon executing the shortcut file we

4:30 initiate a process monitor to gain

4:32 visibility into what is happening in the

4:34 background we observe the Ping process

4:36 running followed by the rundll32.exe

4:51 [Music]

4:54 process further examination of the

4:57 rundll32.exe process reveals a

4:59 suspicious ul. log loaded as a

5:03 module this ul. log was downloaded as

5:06 part of the shortcut file command line

5:09 it is in fact a dll file as we can see

5:12 its imports and exports let's now look

5:14 and see whether or not this attack works

5:16 as successfully with a juniper SRX

5:18 firewall enhanced with protection from

5:20 Juniper's cloud-based Advanced

5:22 anti-malware solution Juniper

5:25 ATP for the demo Juniper threat Labs is

5:28 using the foll ing setup we have a vsrx

5:31 pictured in the

5:33 center the vsrx is a virtual SRX

5:36 firewall providing network security

5:38 protection its purpose is to inspect

5:41 Network traffic and with the assistance

5:43 of juniper ATP Cloud to detect malware

5:47 in addition to the virtual firewall and

5:49 cloud-based protections we are using

5:51 Juniper security director which is a

5:53 centralized management system it is used

5:56 to facilitate our configuring and

5:58 monitoring of the VSR RX firewall and we

6:01 are using Juniper's policy enforcer as

6:04 well Juniper's policy enforcer enforces

6:08 security policies on end points and

6:10 ensures they comply with corporate

6:12 security

6:14 standards we also have several Windows

6:16 workstations Each of which is connected

6:19 to the

6:21 vsrx finally we have an Ubuntu Server

6:24 acting as the malware download server

6:26 before we proceed an attempt to simulate

6:28 this attack with Jun connected Security

6:30 Solutions in place providing protection

6:33 let's first take a look at the threat

6:34 prevention policy that we've set up on

6:37 our security director and appli to the

6:40 vsrx to access the policy we'll navigate

6:43 to the configure Tab and then we select

6:46 threat prevention and

6:49 policies as you can see we already have

6:51 an existing policy in place let's

6:54 further inspect the protections being

6:56 enforced by the applied

6:57 policy for this demo our policies are

7:01 configured to block command and control

7:03 traffic at Threat Level 8 and

7:05 above we've also set it up to block

7:08 infected hosts at Threat Level 8 and

7:11 above additionally we've configured our

7:14 policy to use ATP cloud from malware

7:17 detection and as you can see we've

7:20 elected to scan HTTP downloads and block

7:23 threats at level seven and

7:25 above this threat prevention policy

7:28 implied to the Juniper V SRX firewall is

7:30 a critical component of our defenses

7:33 protecting our systems against malware

7:35 related attacks it allows us to detect

7:38 and block malicious traffic as well as

7:40 the activity of potentially infected

7:42 hosts which will then prevent the spread

7:45 of malware throughout our Network in the

7:47 event that one of our systems gets

7:48 compromised with that let's proceed with

7:51 the attack using Juniper connected

7:54 security to get started we'll connect to

7:57 our Target system via RDP as you can see

8:00 we have a fishing email with a link

8:02 leading to the malicious archive file

8:04 yu. zip when we click on that it opened

8:08 the browser to download the zip file but

8:11 as you can see the request has been

8:13 blocked due to malware detection we can

8:15 verify this in the security director by

8:17 navigating to

8:19 monitor threat

8:24 prevention HTTP file

8:28 download

8:30 here the file yu. zip is flagged with a

8:33 threat level of 10 according to our

8:35 policy we configured earlier threats

8:38 with Threat Level s and above will be

8:40 blocked we can find more details about

8:43 this file when we clicked on it and it

8:45 gives us more information such as

8:47 Behavior Analysis network activity and

8:50 behavior details including the client IP

8:53 address the SRX device and the URL at

8:56 this point the attack chain is already

8:58 blocked and thus thus the second stage

9:00 cannot proceed but for the purpose of

9:03 showing how SRX can block attacks

9:05 further down the attack chain we copied

9:07 the archive file and extracted the

9:09 shortcut file as you can see we will try

9:12 to execute this shortcut file but you

9:14 will notice that the execution of run

9:16 dll 32. XE fails that is because ul. log

9:21 in this case was successfully blocked by

9:28 SRX

9:29 we can verify that once again in the

9:31 security director here we can see that

9:33 the file with a sha256 hash that starts

9:36 with ABF is flagged at Threat Level 10

9:39 similarly we can also find more

9:41 information about this malware when we

9:43 clicked on it note that while the attack

9:46 was unsuccessful recall that the

9:48 security policy being enforced on the

9:51 vsrx locks host network activity when it

9:54 detects threats at level 8 and above

9:58 when we click on ATP Cloud hosts we can

10:01 see that the IP

10:03 10.0.1 161 is flagged at Threat Level 9

10:07 this Threat Level score is determined by

10:09 multiple factors such as malicious

10:11 activities by that host including

10:13 malware downloads and command and

10:15 control connections this host then is

10:18 now included in the infected hosts feed

10:21 what this means is that this host is now

10:24 isolated and disconnected from the

10:25 network

10:26 temporarily we can confirm that as we

10:29 cannot connect via RDP as

10:37 before clicking at this host provides us

10:39 with more details on why it is

10:42 blocked as shown here the host attempted

10:45 to download two malicious files with

10:47 Threat Level 10 once the admin is sure

10:49 that the host or server is indeed free

10:51 from infection he or she can first

10:53 select the host and then under the

10:55 investigation status section select

10:57 resolved fixed which changes the status

10:59 of this host to clean and exclude this

11:01 host from the infected host's feed after

11:05 a few moments this host will be

11:06 connected back to the network again we

11:09 can verify that once again by connecting

11:12 to it via RDP and browsing the

11:27 net

11:31 that completes our demo of peabot

11:32 malware check out more videos from the

11:35 Juniper threat Labs attack demo series

11:37 by visiting juniper.net thanks for

11:39 watching