TAG ME IF YOU CAN

Ido NaorSr. Researcher, Kaspersky Lab Tw: @idonaor1

Dani GolandFounder & CEO, Undot Tw: @danigoland

GReAT - Kaspersky Lab Elite Team Of Researchers

Global Research & Analysis Team, Since 2008

Threat Intelligence, research and innovation leadership

Focus: APTs, critical infrastructure threat, banking threats, sophisticated targeted attacks.

• A decade in security eco• Manage regional research in

Israel• ExpertiZ

• Malware analysis• Reverse Engineering• Penetration Testing

• HobbiZ Responsible Disclosure:

Undot – Uncovering Ideas

• Founder & CEO, Undot

• ExpertiZ• Full-Stack Developer• Entrepreneur• Data Science Freak

• HobbiZOrganizing and competing

in Hackathons

UndotExpertswith

Control It – Remotes Unified!

~500K downloads

Front

Mobile

Back

Cloud

IN THE NEWS…

RECAP

Ido Naor

ido

MENTIONED BY A FRIEND

WINDOWS DESIGNATED

• File: comment_27734045.jse• Language: JScript• Size: ~5.31 KB• MD5: 9D3DF2A89FDB7DA40CEB4DE02D605CFA• SHA1: 6D658331FE6D7F684FEE384A29CE95F561A5C2EA

JScript is Microsoft's dialect of the ECMAScript standard[2] that is used in Microsoft's Internet Explorer.

JScript is implemented as an Active Scripting engine. This means that it can be "plugged in" to OLE Automation

applications that support Active Scripting, such as Internet Explorer, Active Server Pages, and Windows Script Host.[3] It

also means such applications can use multiple Active Scripting languages, e.g., JScript, VBScript or PerlScript.

GLIMPSE INTOTHE JSE TROJAN

1) Domain name2) Msxml2.XMLHTTP3) ADODB.Stream4) Wscript.Shell5) JPG ext?6) %AppData%7) Autoit.exe8) Manifest.json9) Run.bat10) Ping.js

WHO IS REALLY AMONG US?

/Stats/history/pingjse3462

BACKGROUND CHECK

• Emerged: January 2015 on• Turkish variables and comments in its files• Threat actor: BePush/Killim• Innovative techniques to spread malware through social networks• Favor multi-layered obfuscation, mainly in JavaScript, and utilize

multi-layered URL shorteners, third-party hosting providers and multi-stage payloads.

• Obfuscate their infrastructure using Cloudflare

INITIAL INFECTION

DYNAMIC ANALYSIS

CHROME EXTENSION AS A MITM

?A HIDDEN VULNERABILITY

THE MISSING PIECE

OBFUSCATED DROPPER

DEOBFUSCATION

ANTI-ANALYSIS

• Debugger;

ANTI-ANALYSIS

• Code hashes

INITIATING THE CODE CRASH

GOOGLE TOKEN HIJACK

• Google URL Shortner• Google Drive API

GOOGLE DRIVE AS A MALWARE HUB

VICTIM INFO STEALERDropper → Chrome Takeover → Malicious JS → Google Permissions → Uploading malware to storage → HERE

VICTIM INFO STEALER

VICTIM INFO STEALER

GOOGLE DRIVE PERMISSION MODIFICATION

CREATING MALICIOUS CALLERS

FACEBOOK TOKEN HIJACK

HOW TO FAIL SAFE

HOW TO FAIL SAFE

VULNERABILITY IN THE WILD

1) Initialize a request to the comment plugin

2) Get api_key & comment data3) Create a comment on the

plugin, containing url to Google Drive

4) Post is now posted – get its ID5) Create a new comment on the

web platform6) Inject the ID from the FB plugin

to the web FB comment ID 7) Notification generated8) FB debug check9) Set privacy to public10) Set comment text to null

deleting the traces.

this.commentData["share_id"] = globalFunction["between"]('"commentIDs":["', '"', f["responseText"])["split"]("_")[1]; // 400539608410_10153962897128411

post_params = {"ft_ent_identifier": this["commentData"]["share_id"], ← injection!!"comment_text": gF["chain"](10)["toLowerCase"](),"source": 21,"client_id": Date["now"]() + ":" + Math["floor"](U2e[F](Date["now"](), 1000)),"session_id": globalFunction["chain"](8)["toLowerCase"](),"comment_text": "Array of tagged friends"}url: "https://www.facebook.com/ufi/add/comment/?dpr=1",type: "POST",async: true,headers: {  "content-type": "application/x-www-form-urlencoded"}

www.facebook.com/plugins/feedback.php?api_key=<ID>&href=https://<GOOGLE_DRIVE>/<JSE_FILE>

ALL IN ALL

QUESTIONS?

THANK YOU!Follow us on Twitter:

@IdoNaor1@DaniGoland