RedEnergy Stealer Ransomware Attack Demo

Juniper Threat Labs Security

RedEnergy malware is no match for Juniper Networks SRX next-generation firewall.

Don’t let your organization fall victim to a RedEnergy malware attack. Watch this Juniper Threat Labs attack demo to see Juniper Networks SRX Series next-generation firewall thwart a malicious RedEnergy malware attack before the damage is done.

Learn more about Juniper Networks SRX Series firewalls.


You’ll learn

  • How RedEnergy malware targets multiple industries by installing a fake browser update

  • How a Juniper SRX Series firewall enhanced with advanced threat protection (ATP) protects against RedEnergy malware attacks

Who is this for?

  • Security Professionals

  • Network Professionals

Transcript

0:01 Welcome to the Juniper Threat Labs attack demo series. For this demo we will be talking about RedEnergy malware. This video will demonstrate how malicious threat actors conduct a new campaign targeting multiple industries and install a fake browser update. Afterwards we'll show you how Juniper customers can be protected.

0:25 In June 2023 cyber security researchers discovered a cyber campaign employing the RedEnergy malware. It functions as a data stealer aiming to extract sensitive information like stored usernames and passwords from web browsers, while also integrating ransomware capabilities to encrypt user data. This campaign targeted various sectors including manufacturing, energy, utilities, oil, gas and telecommunications. The attackers use fake LinkedIn pages, employing multi-stage tactics to disguise the malware as browser updates. In a separate campaign they utilize search engine optimization poisoning techniques to target a prominent telecommunications company.

1:15 Let's now understand the infection chain. The infection begins through either SEO poisoning or a fake LinkedIn page, both of which direct victims to a malicious website. Users are lured to download what appears to be a browser update, with options to choose from four different browsers. However, these links ultimately lead to the first-stage payload. Upon execution of this executable by the user, it proceeds to drop and execute two distinct files: one is a harmless browser executable, while the other is the RedEnergy malware.

1:56 Let's begin the attack simulation. An attacker creates a fake LinkedIn page resembling that of our target organization's page. The objective is to lure individuals interested in the target company to visit the fake LinkedIn page. To not arouse suspicion, the fake page includes as much information as possible to make it appear authentic. As victims click on the website link on the fake page, they encounter a message informing them of the need to update their browser. They are presented with four Windows-based browser options: Edge, Firefox, Chrome and Opera. However, all of these links direct them to the same file, Chrome installer.exe.

2:53 When the user is tricked into running this executable, it displays a window with a reassuring message that appears to be downloading the Chrome browser. However, behind the scenes the malware secretly installs two files: one is a benign Chrome browser, while the other is the RedEnergy malware, which as you can see has already encrypted our files. It appends a distinct file extension to distinguish the encrypted and unencrypted files. As we examine the files, they are indeed encrypted, displaying gibberish text upon opening.

3:58 Let's now look and see whether or not this attack works as successfully with a Juniper SRX firewall enhanced with protection from Juniper's cloud-based advanced anti-malware solution, Juniper ATP. For the demo Juniper Threat Labs is using the following setup. We have a vSRX pictured in the center. The vSRX is a virtual SRX firewall providing network security protection. Its purpose is to inspect network traffic and, with the assistance of Juniper ATP Cloud, to detect malware. In addition to the virtual firewall and cloud-based protections, we are using Juniper Security Director, which is a centralized management system. It is used to facilitate our configuring and monitoring of the vSRX firewall, and we are using Juniper's Policy Enforcer as well. Juniper's Policy Enforcer enforces security policies on endpoints and ensures they comply with corporate security standards. We also have several Windows workstations, each of which is connected to the vSRX. Finally, we have an Ubuntu server acting as a malware download server.

5:24 Before we proceed with an attempt to download RedEnergy malware with Juniper Connected Security solutions in place providing protection, let's first take a look at the threat prevention policy that we've set up on our Security Director and applied to the vSRX. To access the policy we'll navigate to the Configure tab, and then we select Threat Prevention and Policies. As you can see, we already have an existing policy in place.

6:01 Let's further inspect the protections being enforced by the applied policy. For this demo our policy is configured to block command and control traffic at threat level 8 and above. We've also set it up to block infected hosts at threat level 7 and above. Additionally, we've configured our policy to use ATP Cloud for malware detection, and as you can see we've elected to scan HTTP downloads and block threats at level 7 and above. This threat prevention policy applied to the Juniper vSRX firewall is a critical component of our defenses, protecting our systems against malware-related attacks including RedEnergy malware. It allows us to detect and block malicious traffic as well as the activity of potentially infected hosts, which will then prevent the spread of malware through our network in the event that one of our systems gets compromised.

7:04 With that, let's proceed with the attack using Juniper Connected Security. To get started we'll log in via RDP as the user. Please make a note of the host IP address, as the Policy Enforcer will isolate this host as soon as the SRX detects a threat. We're navigating to the fake LinkedIn page. As the user browses the target site, they encounter the same message designed to dupe them into downloading RedEnergy malware disguised as a fake browser update. When the user clicks on the file, the SRX promptly displays a message in the browser indicating that the request has been blocked due to malware detection.

8:12 We can verify this in Security Director by navigating to Monitor, Threat Prevention, HTTP File Download. Here the file Chrome installer.exe is flagged with a threat level of 10. Clicking on the hash provides additional details, including static analysis, which offers insights gleaned from analyzing the file's static properties. Network activity reveals that the file has communicated with two domains. Behavioral details shows the processes spawned and their behaviors. In this case the RedEnergy malware is dropped as temp a3b exe, while the benign Chrome browser is dropped as temp a7e exe. Each process's behavior is documented, such as the files it encrypts, and finally the MITRE ATT&CK framework. It is important to note that Juniper ATP identifies whether a file is a threat or not using machine learning as well as the information just discussed, thus without the need for any signatures.

9:47 Now we switch back to Security Director. Note that while the attack was unsuccessful, recall that the security policy being enforced on the vSRX blocks host network activity when it detects threats at level 8 and above. This host is now included in the infected host feed. What this means is that this host, 10. 0.176, is now isolated and disconnected from the network temporarily. Clicking on this host provides us with more details on why it is blocked, which in this case is that the host attempted to download the malicious file. We can confirm that this host is disconnected, as we cannot ping or connect via RDP as before.

11:19 Once the admin is sure that the host or server is indeed free from infection, she can first select the host and then, under the investigation status section, she can select Resolved - Fixed, which changes the status of this host to clean. After a few moments this host will be connected back to the network again. We can verify that once again by connecting to it via RDP and browsing the net.

12:22 That completes our demo of RedEnergy malware. Check out more videos from the Juniper Threat Labs attack demo series by visiting juniper.net. Thanks for watching.
