This week on the podcast, Corey Nachreiner and guest host Ryan Estes, from WatchGuard’s malware analysis team, cover the cybersecurity news for last week. We chat about AI-based site cloaking tools on the underground, how Domain Tools found potentially unwanted executables hiding in DNS TXT records, and a Chinese state-sponsored set of targeted phishing campaigns going after the Taiwanese semiconductor industry and its supply chain. Join us to learn more and discuss how we can protect ourselves from similar threats.
Corey Nachreiner 0:00
Hey everyone, welcome back to The 443 Security Simplified podcast. I'm your guest host, Corey "the Chinese state-sponsored actor" Nachreiner, actually not one of them. And joining me today as a guest host again today is
Ryan Estes 0:16
Ryan Estes, intrusion analyst here at WatchGuard, and not a North Korean threat actor.
Corey Nachreiner 0:22
Catch me. Nice to have you again. Yeah, thanks for having me again. Cool. On today's episode, we're going to cover three stories. We'll start with new news of threat actors hiding malicious executables in DNS records. Then we'll talk about new ways attackers are using AI to assist in malicious website cloaking. And finally, we'll end with how three Chinese state-sponsored threat actors are targeting the semiconductor industry in Taiwan and their supply chain. So with that, let's go ahead and slide our way into the news. So welcome everybody, as mentioned, we have three stories today, and our guest host, as we mentioned, is Ryan, but let's jump right in, Ryan, with the first story today, which is a company that actually is just down the street from WatchGuard Technologies, DomainTools, finding malware embedded in DNS. So we will talk about that. But before we talk about that, let's kind of back up for a second and give a little background on DNS. I presume all our listeners, and of course you, Ryan, know what DNS is. It stands for the Domain Name System, and it's basically a protocol and service that provides an actual name or URL for different systems on the internet, which typically have IP addresses, IPv4 or IPv6. So like when you go to www.WatchGuard.com to check out The 443 Security Podcast, that name uses the DNS protocol to be translated into an actual IP address where the server is. I'm sure you deal with DNS all the time, right, Ryan? Yeah,
Ryan Estes 2:10
I always think of DNS as kind of like a phone book. I don't know if they make phone books nowadays, but a phone book for, like, IP addresses and domain
Corey Nachreiner 2:18
names, absolutely, I consider it the same thing. So it's really the phone book of the internet. There's a lot of information in this standard; there's a lot of different resource records. You can have things like mail servers: knowing where a mail address is is associated with DNS, with things like MX records. But the main record I wanted to talk about real quick before we dive into the story is something called a text or a TXT record. TXT pretty much stands for text record. And this is a special type of DNS record that is specifically there to kind of add a little bit of, usually text, human-readable information with something. It can be used for machine-readable data too, but generally it might provide additional text about a domain or hostname, like maybe something about the server or the network. So just think of this as an additional record DNS uses that might have, or is intended to have, a little bit of text in it. But let's get back to our story. So our story was DomainTools finding malware embedded in DNS records. But really, that story starts with, you know, this is the blog post from DomainTools where they talk about this malware, but it all starts with an actual report that they read from another researcher who's known as Asher Falcon. Asher Falcon is just a 17-year-old student. He appears to be a CS student that's studying, you know, computing and other stuff, but he found a new technique, which he called DNSIMG, or DNS image, that allowed him to store and retrieve images in these DNS TXT records. So I don't think we should spend time going into all of the details.
But basically, he realizes that you can use tools like xxd to take an image and kind of store it as a hexadecimal version of that image, or even in a base64-encoded format if you wanted to make it smaller. And remember, TXT records just have arbitrary text. While it's meant to be, probably, human-readable ASCII text, there's no reason you couldn't put any sort of text there. At the end of the day, hexadecimal, base64, it's all, you know, described in characters. So it could be text. So he figured out, what if I could put some information that's more than text in these TXT records? Is there a way I can hide it there and retrieve it? And long story short, he found there was. He found a couple of caveats. For instance, when he tried to upload data to a TXT record, and this is probably due to the DNS RFC, he found there was a 2048-character limit. So when you're dealing with files that are an image size, or even, we'll get into executables later, it takes a lot more than 2048 characters, typically, to hold them. But the cool thing is, TXT records allow you to have multiple TXT records. You can have them associated with different subdomains, or all associated with one file. So he figured out how to write a Python script to take an image, its hexadecimal information, and insert it into a bunch of TXT records. So what does that do? Well, that allows somebody, let's pretend it's a threat actor, to hide unexpected data, you know, data that wasn't really intended for a TXT record, in another place. Of course, the next part of this is, when he is testing this, he shows that he was able to do it. He used Cloudflare and had a whole bunch of TXT records that, when combined, had a bunch of data. The next step is, now that he's hidden data, you know, unintentional data that wasn't originally intended for the record, in a weird place, can he recover it? And then he again wrote another script to do that.
Long story short, while he had a few issues as he was uploading these TXT records to a public DNS provider like Cloudflare, sometimes it took a while for all the records to show up properly, but long story short, he was able to recover all the bits of data he hid to make an image. The first time he did it, some records were missing, hadn't been actually properly uploaded and hosted quite yet, so the image was messed up the first time, but after waiting 10 minutes for Cloudflare to kind of catch up with it all, he was able to recover a full image from DNS records. So kind of an interesting way to share data, to hide data in a place that you wouldn't expect. The key thing, by the way, is you need special tools to recover this data. You know, people doing DNS are not just going to see this data. You're going to need tools to actually recover it. So it's not like a bad guy can just put stuff in DNS records and then someone looking up DNS would get it. It's just a place where you could store and hide stuff, and the fact that all of the retrieval is going to happen over the DNS protocol, it's a tricky place to hide stuff because it's kind of a back channel that you wouldn't expect to be scanning for certain files when you were looking at DNS. Before I dive into DomainTools' part of the story, do you have any comments on this, or any thoughts on this so far?
Ryan Estes 7:41
Yeah, I've actually seen this a few times, not in the DNS part, but the hiding images and obscuring text within images. I see that a lot, and a lot of them, they'll reverse basically the hex, so the beginning will be at the end, and it's basically just a reverse. And a lot of the time it's base64 encoded. That's the big one. But I don't think that
Corey Nachreiner 8:02
he did hex at first. But he mentioned, if he had taken the time to base64 it, it would actually save twice the space. It would be smaller. So besides just the obfuscation that base64 adds, I think it would have helped him a lot to make it a smaller number of records, too.
Ryan Estes 8:18
Yeah, and the 2048 I think is like a hidden godsend for an attacker, because, I mean, 2048 is actually quite a bit of space for bytes, if you're, like, exfiltrating data or something like that,
Corey Nachreiner 8:30
it's quite a bit, or if you're doing, like, some sort of exploit that you need to do shellcode, that's actually plenty of room to probably
Ryan Estes 8:38
execute, more than enough. But the fact that they can't put it all into one TXT record, so it can be kind of scanned and someone saying, oh, this is, like, obviously an obfuscated script, or, like, malware or something, it's kind of like a hidden godsend for them, because it kind of obfuscates it further without them having to do anything else. So yeah, it's an interesting one. But there's precedent for it in the DNS records. I think Sunburst, the SolarWinds attack, did DNS exfiltration via TXT records. OilRig, I think, the Iranian group, did that too. Those only
Corey Nachreiner 9:08
two, I don't remember. Some C2s, some command and control channels, use DNS too. I'm not sure if it was specifically TXT records, but they could hide commands that a botnet could retrieve in TXT records. Yeah, it's
Ryan Estes 9:19
mostly TXT records, because it's just arbitrary text. That's what the text field is. You can kind of put anything there, but it's mostly associated with, like, DKIM and DMARC for cybersecurity purposes. But yeah, you can put anything in there. Really
Corey Nachreiner 9:31
cool. Well, that was research by a 17-year-old. But actually, what happened was, of course, DomainTools. If you haven't heard of DomainTools, as I mentioned, they're pretty close to us here in Seattle. They're a company that does archiving for domain and DNS records. They have not just the current DNS records, but they go back in history for a long time. It's a cool service for things like threat intelligence. Sometimes threat actors register a lot of just randomized domain names, and because they have histories of patterns, they will notice when there's unusual registrations and can kind of, before the bad guys even activate bad stuff, have some reputation for it. But in any case, one of their researchers found the 17-year-old's, you know, post and decided to use their tool, DNSDB Scout, to search their records of DNS, including all the TXT records they had. The 17-year-old was hiding images. But obviously, if you can do hex and base 32, you can store any type of file, including a hexadecimal file. So what they wanted to know was, were any current threat actors actually using this trick of hiding things in TXT records to store different types of files? So by creating a special query. Now, you guys probably know there's magic bytes that are associated with different types of files. A portable executable file has magic bytes at the beginning of it, Java code, there's a lot of different magic bytes, but they did some searches looking for magic bytes in all of the DNS TXT records from 2021 through 2022, and essentially, they eventually found executable headers in three different domains in the TXT records. So they did a little bit of work to search into these. Digging into one of the domains, which I'm not going to, by the way, don't go to any of these domains, but it was a subdomain of whitetreecollective[.]com, they found several hundred TXT records with a lot of data.
They exported the JSON of all those TXT records, and then they used their own generative AI, you know, tools to create a script that would take them and put the file back together. And they came up with a couple of different hashes for two different files. And it turns out these files were executables. They were the Joke Screenmate malware. Now I'm going to pause and say, actually, I wouldn't call it malware. I would call it the Joke Screenmate PUP, you know, potentially unwanted software, because Joke Screenmate, the good news is, this is kind of prank software. It will maybe pretend to be malware. It simulates pop-ups that talk about some sort of destructive action, like a virus warning, or making you freak out because your files are being deleted. It might interfere with you being able to control your computer and display a lot of unsolicited content. But at the end of the day, it's not like real malware. It's just a pain-in-the-butt prank program. So pausing there, I'm not sure if you know anything about Joke Screenmate in your malware research, Ryan, but any thoughts so far? I do,
Ryan Estes 12:53
and WatchGuard has a signature called PUP/Joke, which we use for that, for all those joke ones just like that. And that would probably get that. There are some that you would put as malware, because they kind of mess up, I guess, your workflow, like there's a lot of pop-ups and stuff. So sometimes you might put malware, or I might, and we do have two designations for malware and PUPs. So sometimes we can designate something as a PUP and it still be malware, aka it's removed from your computer, unless it's quarantined, which is a PUP. So it depends on telemetry, kind of what it does specifically, but yeah, it would most likely be a PUP, joke, yeah.
Corey Nachreiner 13:31
And the point of this, by the way, is it makes that 17-year-old's research more dangerous, right? It's not just images you can hide there, but now this TXT record back channel is something that you could put executable files in. And again, why is this scary? I mean, malware comes down in a lot of ways. We have different scanning capabilities, by we, I mean, you know, the industry with security software, but think about it, we may not, at least at a network level, scan DNS in the same way for malicious files, because it's not really intended to deliver those files. So this is, you know, the way this is pulled down over UDP port 53 may not be something your particular security tool is scanning. We'll get into practical tips later. I'm sure endpoint software and other things could help here. But just know it becomes a malicious back channel to be able to hide things. And we'll say
Ryan Estes 14:25
it's always open too, right? Any system that connects to the internet, it's gonna have DNS open, almost
Corey Nachreiner 14:30
yeah, even if you're egress filtering heavily, like as an ISP only allowing very specific things, DNS is one of the things you simply must allow to get the internet to work, so it's a very useful back channel for these threat actors. In finding this and in finding the other three domains, they also realized that it can really be any type of file or code. So they explored a bit about, what about malicious commands or scripts? And in short, they also found an encoded PowerShell script in one of those three domains. If you are watching the YouTube version, you can actually see the PowerShell script on the screen. I won't name the domain. It's in the articles that we're linking to. But in either case, the PowerShell script, in this case, acted as a stager, and it seemed to be associated with a Covenant C2 server, so it seemed to be delivering next-stage payloads as part of Covenant. I hadn't heard of Covenant. Do you know anything about that one in your malware research, Ryan? Not off the
Ryan Estes 15:33
top of my head, and I don't want to get ahead of myself and say the wrong thing, so I'll just say, no worries.
Corey Nachreiner 15:39
It's a C2, it's probably a botnet of some sort. And sometimes different security companies call the same botnet a different thing. But either way, at the end of the day, the point of this whole thing is bad guys can hide malicious crap in TXT records. Now just the reminder: this is just data that's being hidden somewhere. It needs software to recover it. So again, just doing a DNS lookup to the wrong place is not going to deliver this to your computers. What would have to happen is the threat actor would already have to have some sort of access to one of your customers' or your users' endpoints, and they would have to run the script or software that used this back channel to retrieve a file. So it's not going to help them automatically deliver malware to a computer. What it will help them to do is potentially, you know, use evasion. By grabbing a file over DNS rather than a more direct file transfer mechanism, they may be able to evade security software. So I found it an interesting story. We've already talked a bit about it, but have you seen anything? I think you mentioned a few similar things you've seen with this, but any other interesting things you've seen in DNS in your research as a malware analyst here at WatchGuard?
Ryan Estes 16:59
Yeah. Personally, I haven't seen anything like this in the wild. It's mostly just research like this. And yeah, like the ones I said, OilRig was a big one, they used that as data exfiltration. I don't remember the other one, but there's precedent for it. Like, it's been happening for a long time that people use DNS as data exfiltration, or stagers, or stuff like that. So it's really nothing new. And I'm not trying to take away from their research, but it is definitely something to look out for, for sure.
Corey Nachreiner 17:26
Do you have any thoughts on the effectiveness of this back channel for threat actors? Or more about, let's talk about two things, I would say. Let's talk about, like, how you can catch and prevent this as a defender. I will say, I'm going to let you answer the question from an endpoint level, because I will say, from a network level, this could go past some of the scanning. We have multiple AV scanning on the network side of things here at WatchGuard, but I don't think we apply it to the DNS channel. And especially because, when the script on a victim's machine was going out to get these TXT records, it would get little bits of data, one at a time, that weren't the full threat. On the endpoint it would be combining those pieces of data to make the full executable file. But what you would see on a network level is just little pieces of base64 code that wouldn't really represent the full threat until it was completed on the other end. So I do think this might be an effective way to evade network security. But that said, again, just to repeat, do you have any thoughts on how effective this channel is for threat actors, and what you would do to make sure that you caught malware being delivered this way? Yeah,
Ryan Estes 18:46
I think the story here is that it most likely is going to evade network. That's kind of the point of this, is that it evades network, DNS filtering, all that stuff, and that it ends up on your endpoint. So the effectiveness of your endpoint behavioral heuristics is going to be big here, because the payload is going to be delivered, but once it's run, or if it's scanned before it's run, then that's where you're going to catch it the most. So I would say, yeah, the chances
Corey Nachreiner 19:09
are the script would have to, as it's putting the pieces together to make the file, at the end of that, it would actually try to write the file to the hard drive even before it ran the file, and maybe the endpoint could even catch it right when it first got written to the hard drive as a fully reassembled file, hopefully. But either way, as you mentioned, even if not, luckily our tools like WatchGuard EPDR would catch it during runtime as well, or would have chances to. Yep, cool. Well, interesting. As you mentioned, maybe not the newest story despite the headline, because we've seen people use DNS before, but I found it was interesting, definitely. So let's move on to cloaking. I'll talk about what cloaking is. But there's another interesting story that came out this week that talks about how threat actors are using AI cloaking tools to enable harder-to-detect cyber attacks. Again, let's actually pause for a second and do a little definition and background. What is cloaking? Cloaking is just a term that we use for when threat actors are trying to hide their malicious web content. Or, by the way, this is often used with both shady ad sites, meaning it could even be legitimate advertising, but advertising that's using shady techniques to get in front of you a lot, or malvertising. Malvertising is when threat actors use kind of affiliate ad sites where they can place ads to actually deliver malicious JavaScript code. Anyways, what has happened is, obviously, threat actors over time know that there's researchers, there's people like you, and people at many security organizations that scan the web to try to tell the difference between good sites, legitimate, normal sites, and sites that are delivering malicious stuff via JavaScript or any other vulnerabilities. And same with search engines, right?
Search engine people use robots to crawl the internet, and over time, because malicious sites do pop up, they use their systems to automatically try to figure out the reputation of these sites to see if they're doing anything bad. So obviously, website reputation is a big thing. It's how we drive a lot of our threat intelligence for things like our DNS firewall and stuff. So that has caused, really, this is not new, over the past 10 years, attackers have started to use cloaking techniques. At the highest level, these are kind of manual techniques where, if I'm running some sort of web page on a malicious server, one of the things I can do is pay attention to everything about the traffic coming in from my visitors. Let's call my visitors victims, because I'm a malicious site. I can do things like JavaScript fingerprinting. I can use JavaScript to look at the user agent header, figure out what the browser is, right? A normal user would use things like Chrome, Edge, Firefox, but if I see a really weird browser client that's used by an automated service, you know, there's lots of web clients that are used in automation to do things, and if I think about it, a security researcher or a robot wouldn't be coming from a real browser. They would be coming from some sort of unusual automated browsing platform. That might be a sign that the person coming to me is not human. It's some sort of, you know, search robot or researcher. I can pay attention to geolocation. What is the IP address of the client? Why is that important? If I'm a threat actor, I might have a list of known IP ranges that the FBI or law enforcement or government or security companies, including security research organizations, come from. So it might be able to tell me, oh, this is probably a security researcher or some sort of authority that's coming to my site. And that's just some obvious things you could look for.
There's all kinds of other things that a web server could look for in that client's headers and IP address to try to figure out where they're coming from. And so what is cloaking? If I'm a malicious person hosting a page, I do those things, and if I see, oh, this looks like it might be an automated service, or maybe it's a country, maybe I'm a Russian threat actor and I don't want to infect Russian people, if I see it coming from places I don't like or don't want to infect, I will give it a clean page. What my web server will do is give it a result that's a very benign, kind of blank white, you know, it could be whatever the fake content is, but it is a page with no maliciousness at all. So if it is a researcher looking for malicious code, it gets back a cloaked page that has nothing wrong with it. On the flip side, obviously, if I detect it's coming from a normal victim, if it looks like a normal human, someone I do want to infect, then I would give it my real malicious page, the page that I really want the victim to go to to do something bad. So I'm going to pause there. By the way, I'm sure in your research as a malware analyst, you've seen threat actors use cloaking techniques. So I'm curious, Ryan, any cloaking, any other ways that bad guys try to recognize security machines or something like that, and how often do you see, when you find malicious URLs, threat actors actually picking whether or not to show a clean or malicious page?
Ryan Estes 25:03
Yeah, you know where I see this the most, actually, is personally, I get, and you probably do too, I get so many texts like, hey, click this link, your package is late, or, you know, your taxes are due. And you click it, and you go to the website, and it's like clean or something, or where I go out of band, like on my work computer, I'm like, okay, what's this website doing? It's a fresh, clean website. I get it often, like so often, and that's where I see it the most, like smishes and phishes. But yeah, malvertising is a big one, and that's a fancy term for, you've probably seen research that you go to Google and there's a sponsored page on top that mimics the page below it, but the sponsored page, they boosted the SEO to make it high up on the list, and you click it and it delivers malware. But if you're on the wrong machine, if they fingerprint it wrong, then it's just like a fresh white web page, sometimes even with a status like a 200 code. But that's where I see it most. It actually irks me. That's why I'm laughing, because it just makes me so mad. I have to silence my phone every day because it's just constant ding, ding, dings going off, and it's usually those smishes. And
Corey Nachreiner 26:06
it is a useful technique for the threat actors, because obviously, if the authorities can find the malicious side of the page, they can either take it down, or, more importantly, they can just put it on the blacklist. And the threat actors don't want their malicious site to be blacklisted. So the ability for them to try to figure out if it's undesirable from their perspective, like a good guy, and hide the malware from the good guy really helps them keep their actual malicious content up longer. And it does mean that researchers have to take extra steps. You know, Ryan mentioned sometimes when you suspect there's cloaking going on, you have to come from another IP address or set up a virtual machine. You have to start faking your headers with Burp Suite to try to give it information that makes it think you really are a human, so that it will display the right content
Ryan Estes 26:58
to use Burp Suite, because that's, yeah, that's pretty much what you use, just change user agents and stuff like that to try to see if it's
Corey Nachreiner 27:04
doing something, or maybe come from a different IP and all that jazz. So there are ways researchers use to still get the black content, but they have to do work to get past this. This does get us back to today's story, which, again, none of cloaking is new, but the news story was mostly discovered by an organization called SlashNext, who deal with email security and put up a blog post on this. SlashNext claims that they're seeing threat actors start to use AI to improve their cloaking capabilities. So I've already described cloaking to you, so you know what it is. But what they basically did is, on the underground, they found two platforms, one called HoaxTech and the other one called JS Click Cloaker, that were being sold on the underground. And by the way, these aren't just advertised as malicious tools to hide malware. These are also advertised as cloaking solutions to shield traffic and boost conversion rates for marketers. So, you know, there are use cases for marketers to also change their content depending on who they think the person visiting is. So they advertise these tools in marketing, but the truth is, they're used quite a bit just in black-hat malware. But they looked at two tools, and they noticed that they're starting to get machine learning and AI functions. For instance, HoaxTech is one of them. HoaxTech uses some of the traditional things I've been talking about, like JavaScript fingerprinting, and, by the way, some obscure ways they can figure out if you're a human or automation is they can also see your screen size. Like, if your screen size is tiny, they know it's probably an automated system, versus if you're a normal browser. But they noticed in HoaxTech, they are now using machine learning to spot patterns too.
So taking advantage of machine learning and the fact that the people making these technologies have created databases of what a normal human looks like versus what different types of automated crawling technology look like, and the machine learning helps them self-learn, so that they're not just analyzing the patterns we already know as humans to look for, like the user agent, but they're analyzing all kinds of patterns in that header and traffic based on the people, based on systems in the past. So anyways, HoaxTech uses something called Match X AI, and the other thing these technologies are looking for is to avoid crawlers and bots, whether they're security research crawlers that try to get web content to see if it's bad or not, or search engines. These bots are often updated and change their behavior. So it really is a cat-and-mouse game for these cloaking people versus the actual crawling and security people, to change up what their clients look like, to try to become a normal victim, so that they can see the black site. But Match X AI allows HoaxTech to adapt over time. JS Click Cloaker, same thing. It's something that advertises as bulletproof traffic filtering with AI. They call it a bulletproof cloaker. But long story short, they too have a lot of, you know, traditional manual ways to identify if a visitor is bad or good. But they specifically mentioned they have a huge database of historical queries, and their machine learning pays attention to 900-plus parameters that come from a visitor. And thus, even if, you know, the software the good guys use, or the bots the good guys use to try to look like a normal human, change, this machine learning helps them detect whether it's a human or something more automated. So really, it comes down to SlashNext found a couple of tools that do cloaking, and these tools are starting to use AI in a more malicious way to help them as bad guys.
If you're interested, be sure to check out their blog post on it. It has a lot more information, but at the end of the day, we understand cloaking pretty well. So let's talk about this. Ryan first, do you think the AI is going to improve this? I mean, how bad is this as a security researcher, when you're just trying to figure out code on a web page, is it hard to get the black page? And do you think AI is going to make it worse if they use these AI tools to identify you as a researcher?
Ryan Estes 31:43
Yeah, personally, it is hard because I don't see it a lot, so I don't really have a ton of experience doing it. A lot of my experience is on, like, web development or web application hacking, like just kind of research-wise. But yeah, a lot of it's just like user agent guessing and IP address changing and site inspection, like the three main ones. But I think you mentioned earlier, we use a lot of website reputation tools. That's a big one. It's the low-hanging fruit. It's like, I don't know this website, does VirusTotal have anything on it? Do any of these feeds we use have anything on it? That's kind of like my first step. And then I'll go into, like, site inspection and Burp Suite, stuff like that. But it is difficult to detect it. And the more I see stuff like this, the more I feel like AI is more advantageous to attackers, to be honest, because the cat-and-mouse game relies on the mouse, cybersecurity, being reactionary. We're a very reactionary industry. We react to basically what attackers do, and so it's giving them more tools to basically perform their attacks before we can react to it. So it doesn't mean AI is not good for defense and you can't detect things, but I think it just makes the attackers faster in doing what they want to do, and so we have to react faster, and I don't think we're there yet, to be honest.
Corey Nachreiner 32:55
Cool. Do you have any, like... I will say this is something that I hope that the listeners... like, if you're a normal computer browser person, you shouldn't have to worry about this, because the truth is, by the way, you would probably get the black page right away. This is more something security companies like me have to worry about, because we want to give you the threat intelligence. We want to make it so when you click on a bad link, you never have a chance to get the black page, because we already know it's there, and we prevent you from going to the bad page in the first place. So I do think this is more an issue for the security community trying to help give threat intelligence on bad sites. But do you have any thoughts on, like... I think we've talked about ways we might defeat this manually, like using Burp proxy, which most people can't do, but to change our headers and look more like a normal victim. But do you have any other thoughts on how you might combat this as a security group? I'll go into some tips that SlashNext shared as well. Yeah,
Ryan Estes 33:57
I was gonna say I think it comes down to the endpoint, mostly, because it's going to be a thing of, if you are the targeted victim, it's most likely going to be downloaded unless it's blocked by a firewall or something. So again, it comes down to heuristics. And, like I said, kind of AI on the defense side, but we're still working our way up there. Yeah,
Corey Nachreiner 34:18
Some of the tips SlashNext gives are pretty good. One of them is, like, real time scanning. Like, if you're just running a normal web browser, what happens when you visit this page? It's running some code on its back end that's paying attention to your header, and it sees that you might be a researcher. It's just going to redirect you. You're going to eventually get a link that redirects you to a clean page versus a black one. But the cool thing is, if you have additional software that's doing real time scanning when it's doing that, when it's actually running code that creates a path where it's going to go one way or the other, you can at least catch in real time when it's trying to redirect you somewhere else, and maybe then that is where you could learn, as a security person, that, oh, this has two paths. Let's figure out how to go the other path. One thing they talk about is something you and I already talked about, which is multiple vantage points. You know, if I'm a researcher, I probably use my research network to go to web pages just to be safe, because it's been sandboxed. But if that research network is one that's already a research IP that the bad guys know, they're serving me white pages. So multiple vantage points means just having multiple different ways, you know, different browsers, different places, different research networks, different tools that you're visiting the web page with, and maybe once in a different country, where you're using cloud or virtualization to come from a different place. And that way, even if your primary research sandbox sees a white page, if you automatically try it from multiple places and see any sort of difference, you know something's happening, and you might be able to get the black page from the other one. And the last thing is heuristic signals.
I mean, the cool thing about web traffic is the client, you know, at least if it's local client-based JavaScript, you're going to see things that run, and you're going to be able to maybe realize, oh, this site is doing things to try to fingerprint me. So some more advanced tools might be able to recognize sites that are looking for indicators or running scripts or doing things that might be a sign that this site is cloaking something, and maybe I need to do something to look at it deeper. But either way, I found it was interesting. AI is big as far as a buzzword for both security and malicious use. And I did think this is an interesting new way threat actors are using it that could make cloaking a little better. But as you said, I do think we will figure it out in the security community. Yeah. I think, any closing thoughts on that one? Yeah. Number three is interesting, the heuristic signals, because I feel like a lot of websites do some fingerprinting already of some sort. So, I mean, what are you going to false positive? Can you be sure it really is malicious? And that's absolutely, for sure, that's one of the issues with this. Cloaking is actually sold to marketers too. They want to know who you... they're doing it for a different reason. They're not necessarily trying to send a black page to you, but they want to know where you're from, who you are. They want to know lots of analytics so that they can deliver custom pages to you, to market to you. Well, there's even things like, if you go to buy airline tickets, and you have a Safari user agent header, and you have a Mac, they realize you might make more money, and instead of a black or a white page, they might show you a higher price if they suspect you're a rich visitor, than they would quote you the lowest possible price if they suspected you were a less affluent visitor.
So you're absolutely right that legitimate sites might use these same fingerprinting techniques for a quote, unquote legitimate reason. So how do you tell the difference of if you really have to research it as a bad site? It's difficult. I guess we'll find out as we continue to find sites that use AI to cloak themselves.
Ryan Estes 38:22
Yeah, they'll be more ubiquitous, probably, as time goes on.
Corey Nachreiner 38:27
So let's go to the last story, which I find kind of interesting, which is about Chinese hackers, specifically state sponsored attackers targeting Taiwan's semiconductor sector. So this actually comes from a nice bit of research released by Proofpoint, an email security company. At the highest level, their findings found that between March and June of this year, three different Chinese state sponsored threat actors have been targeting, using targeted phishing primarily, Taiwanese semiconductor companies and their supply chain. And talking about the supply chain, the organizations range from the manufacturing to design of semiconductors to the testing companies, but also wider equipment and service supply chain entities, including financial investment analysts, which we'll get into. And I think the takeaway Proofpoint makes is that, you know, right now, China's strategic priority is to achieve self sufficiency with semiconductor creation and intellectual property. And in light of the US and Taiwanese adding more export controls, they're trying to get as much information as possible so that they can continue to be self sufficient with creating their own semiconductors. But let's dive into it. Basically, I think because Proofpoint has high-level information, you know, high-level ability to see into email, they really started recognizing a number of different phishing campaigns happening, and there were essentially three different threat actors. They found most of these campaigns, or at least the primary one of these campaigns, was used to deliver something called Cobalt Strike. I'm sure you've heard of it, Ryan. If you have, do you want to describe what Cobalt Strike is? If not, I will.
Ryan Estes 40:27
Yeah, it's kind of like an all in one Swiss army knife tool. Basically, it's a legitimate tool, but a lot of cracked versions are out there that threat actors use, and I see it all the time in ransomware. Basically, it allows you to, kind of like, do C2, command and control communications. You can download more payloads. Yeah, I mean, you create payloads, and it's kind of just like an all in one. You can do everything, and it's used as a backdoor tool. So it's kind of,
Corey Nachreiner 40:53
I call it an exploit framework, and really the easiest way to describe it is Metasploit. If you know what Metasploit is, Cobalt Strike is very similar. It's just a commercial one made by a company that has a more up to date kit, you know, more up to date exploits and capability, because you pay for it, and you even pay for a service to get new exploits. As you mentioned, it's sold legitimately, really, for the good guys, red teams. Like, it's a pen testing tool. We use it to, you know, if you're doing a pen test, an active pen test against the organization, once you've identified there's some flaw there, you can actually use Cobalt Strike. If it has the exploit in its pack, you can use it to actually exploit that flaw with, as you mentioned, different types of payloads. Same, you know, same with Metasploit. If you ever played with Metasploit, it's like that, but commercial. But as you said, malicious threat actors use Metasploit and Cobalt Strike just as much as good guys. And in short, at the end of the day, the main campaign was designed to either deliver a Cobalt Strike package or a custom version of something called Voldemort. Voldemort is a backdoor that Proofpoint has seen before. Have you heard of Voldemort
Ryan Estes 42:09
before? No, this is the first time. It's a great name, though.
Corey Nachreiner 42:12
I think Proofpoint came up with the name. So it may have other names from different antivirus companies, but it's a C-based backdoor that can do a bunch. It has the basic information gathering, like, when you first get on a victim computer, you're going to want to do some basic system information analysis to figure out what kind of system you are on, and maybe do a little enumeration and lateral movement. But it's the first type of payload you would get that can then drop additional payloads on top of it. So Proofpoint observed a couple of Chinese-aligned threat actors. They claim they're Chinese-aligned based on the tools, techniques and procedures that were used, which were similar to other ones they'd seen before. And ultimately, there were three different actors. UNK, I don't know if that stands for unknown, but UNK_DropPitch was the first actor they talked about. Then they have UNK_SparkyCarp, and also UNK, or, I should say the first one is UNK_FistBump. So three different groups doing different things. FistBump is the one that was actually trying to drop the Cobalt Strike packages or the custom backdoor on the actual supply chain associated companies. However, DropPitch is one that targeted multiple major investment firms. So they're going after investment firms. However, these were specifically investment firms that invested in and analyzed the Taiwanese semiconductor industry. So it seems related to the FistBump thing. And finally, UNK_SparkyCarp was just a credential phishing campaign that seemed to come from Chinese state-backed, sponsored attackers, and is a pretty normal targeted phishing activity that had an adversary in the middle kit designed to basically capture credentials. So presumably SparkyCarp might have been what captured some credentials that the group FistBump might have used to actually deliver some of the Cobalt Strike packages if phishing didn't work.
But let's first talk about FistBump, which is the main campaign. FistBump was targeting the semiconductor manufacturing and supply chain itself. This was a targeted phishing email, and really it was someone posing as a graduate student. So the email would come from an actual Taiwanese university. It appears that they got a compromised account from this university. So it would come from a university, and it would be a student that you might want to hire at a semiconductor company, and by the way, it was in Chinese, but on the side I'm showing you can see the English translation of the email, but it's basically saying, Hey, I work at this university. I have a great background in what you need. Enclosed is my CV and introduction. Grab that and check it out. The first interesting thing, though, by the way, is this quote, unquote student is delivering his email with what was typically either a password protected zip file or archive, or a PDF attachment. The PDF attachment, by the way, if it was that, going to the PDF attachment, would contain URLs that also went to a zip file that was password protected. So the first kind of giveaway to any smart person is, I don't think most people send resumes or CVs as ZIP archives, let alone a PDF that downloads one, and second, password protected right away. If they're putting a password on an archive, you should be concerned. I heard you speak up. Any thoughts there so far?
Ryan Estes 46:01
No, I was just... last time I was in zip. But it also says they're either hosted on Zendesk, which I think is very interesting, or a file sharing service. But the Zendesk is actually interesting because it gives it a little
Corey Nachreiner 46:11
legitimacy. Yeah, we use Zendesk, so it makes it seem like the download is coming from a place that's not that dangerous. Yeah, in reality, though, if they actually open the PDF and follow one of the links to get the file, and they get this archive file, the archive file actually includes a bunch of things. I mean, it starts with an LNK, a shortcut, so this is obviously targeting Windows. It will contain some executables, and it's usually called intro.zip. It contains a link file, which is really what you click on, the shortcut. It's a .pdf.lnk file. So to you, you might think you're opening a PDF, but really you're opening a shortcut that can execute additional things. And it also includes some benign executables, but some malicious DLLs. And in short, there were two infection paths, and some of them contained both at the same time. You know, it would choose which to do, but if you open one of these link files, it would execute some Visual Basic script. The Visual Basic script would still open a PDF, so that you thought you were just opening a PDF, but in the background, it would use a benign executable. The benign executable, in this case that you could see, was a version of Java. It was a legitimate executable, but an old version of a legitimate executable that suffered from something that was, you know, called DLL hijacking, where you can actually side load another DLL. So they're purposely sending a vulnerable but legitimate executable, which they can then use to side load a dynamic link library that's malicious. The link library decrypts contents from other files and essentially either loads the Cobalt Strike beacon or loads Voldemort, the backdoor. Why don't I pause here? This seems like a pretty typical type of infection chain. Do you see things like this a lot in your malware research, Ryan?
Ryan Estes 48:16
Yeah, a lot. LNK, I see a lot because they're simple. They're basically just a shortcut with a string that's almost always a downloader or a dropper, usually a downloader because it's a short script. And then the jli.dll, I've actually seen that firsthand recently, malicious versions of it, and I couldn't attribute it to anything, but I wonder if it was part of this Dlo. And that looks like they're abusing Cisco services, I think I see. So that's pretty
Corey Nachreiner 48:41
On the other side, if they're doing Voldemort, I believe it's the same thing. Cisco Collab Host is probably a legit Cisco executable, but in this case, the benign executable's main thing is to be an older one. It has to be vulnerable to the DLL hijacking. That's its only purpose, to be a legitimate thing that's vulnerable to something that allows it to launch. In this case, they named the DLL Cisco Spark Launcher, to make it sound Cisco-y, but this is really a malicious DLL. Yeah, I
Ryan Estes 49:09
wonder if they're doing some kind of checking before they try to run these, because I'm trying to decide how they choose which one to run. And obviously they're trying to check for Cisco and Java before.
Corey Nachreiner 49:18
Yeah, they do mention that, you know, some of these contain two distinct infection chains, so it can go down two paths. I will say, if you check out the Proofpoint blog post on this, they have a whole... I'm skipping a lot of the technical detail, but they go into what files things are run from. They talk about the C2 profile. They talk about all the reasons they attribute it to Chinese-based, state sponsored actors. So it's hard to describe all of the tech detail on the podcast, but you can get a lot of information there.
Ryan Estes 49:50
Oh, let's see what's going on here. It's basically... so the UNK is Proofpoint's way of saying we haven't attributed it to a specific group yet, but it just mentioned APT41. So it looks like these are three clusters, is what they call them, three clusters within APT41 that all have the same task, but they're using different methods to get, like,
Corey Nachreiner 50:09
Yeah. If you read further in, they actually think the three different ones are different known state sponsored actors, but they actually talk about this one. You know, FistBump seems to be associated with the tools and techniques of Brass Typhoon. So if you actually follow the state sponsored actors, they're named different things by different vendors. You can get why they're attaching certain tools and techniques to being a certain state sponsored actor. And it really comes down to the processes that they use that they're seeing being used in the malware again, and as you can see, UNK_FistBump seems to overlap with TA415, that Google has found before. Some of the additional things now, this is a different campaign, and presumably might be a different Chinese threat actor, because they say there's three distinct ones, but the other campaign was again targeted phishing, but this time against multiple large investment banks, but especially banks that are specializing in investing into the semiconductor industry. So really kind of a similar thing. In this case, DropPitch, you know, also had an email with a hyperlink in the PDF that downloads intro.zip. Again, they were using benign executables that would side load, but this time it included a backdoor called HealthKick. This backdoor, you know, they go into a lot of detail of where the command and control IPs are. This backdoor happens to connect over TCP port 465, but the point is, it's just a backdoor that has control of your computer, and they can use that control to, you know, really do almost anything they want on your computer and gain information. I believe what happens is HealthKick basically acts as a reverse shell that the threat actors were using to kind of just do an initial who, what victim at this financial organization did I get, who are they, and is there anything of interest?
If there was something of interest, they would then use their access from the backdoor to install a legit remote management tool, RMM, a remote monitoring and management tool called Intel Endpoint Management. And once they installed Intel Endpoint Management on your system, they basically have remote control of your system and can, at that point, steal data, figure out whatever they wanted to get from you. So again, an email that, either through a PDF or some other way, has a URL to a zip file, just like before. There was an executable that was benign, that would side load a malicious DLL that installed a very basic backdoor, and if they wanted to do more, if they thought you were important, they would manually, selectively drop a legitimate RMM tool. I don't know if everyone uses different names. Does any of this seem familiar to any of your research, Ryan? I've never heard of HealthKick, no. Yeah, interesting, though. I mean, if it's state sponsored, this would probably be low volume. When we're talking about very targeted attacks like this, you know, you're not going to see them on computers all over the world, so you'd have to get malware from a very specific victim. The last one's pretty simple. I'm not going to cover it in as much detail, but the last one, SparkyCarp, was something that started in March 2025. These, again, were phishing emails, a phishing campaign, but the phishing campaign had custom adversary in the middle software that was targeting the semiconductor industry. The phishing email, if you followed its links, you would get a pop up like the one we're showing in the video version of our podcast that really is an Account Login security warning that is warning you that, you know, something's up, to sign in again to Microsoft. But of course, like any other phishing, even though it looks semi-legit, if you signed into it, they're grabbing your credentials.
And the key thing here, by the way, this Chinese threat actor was also aligned to other ones they've seen in past campaigns before, but because this one was targeting the semiconductor industry, they believe they may have been gathering credentials for use by these other threat actors too. So anyways, it's just interesting to see China is targeting Taiwanese semiconductor industries and using some pretty common malware delivery techniques. Talking about it, how often do you see, by the way, legitimate tools being used in attacks, whether we're talking about the benign executable, which is actually an executable, oftentimes it was things like a Cisco thing or a Windows thing that is normal, it's just an old version used to sideload something? Or how often do you see them actually, once they have a basic backdoor on a computer, delivering something like a legitimate RMM tool? Ryan,
Ryan Estes 55:12
A lot. Yeah, a lot. So I feel like more and more attacks are basically just leveraging trusted tools to further their goals. Yeah, remote management is a big one. Yeah, we see those all the time, and it's actually tricky, because a lot of our user base, our customers, they use remote management for legitimate purposes. So we can't... if we block those, that's really inhibiting their workflow. So we really have to bring in telemetry, and a lot of times we sometimes let them through, not attackers, but like remote management tools that we think are kind of suspicious. Sometimes we do err on the side of caution, but they are used a lot, remote management specifically.
Corey Nachreiner 55:57
On the flip side, hopefully things like when they're doing that side loading with legit executables, that's where our endpoint software can probably help. And you mentioned before Cobalt Strike is also a legitimate tool. But whether it's Metasploit or Cobalt Strike, we see that used just as much, if not more, in malicious activity than we do by actual real security organizations and pen testers. So it's not unusual to see the tools that we as the security community make for red teaming show up in the bad guys' hands. Kind of easy,
Ryan Estes 56:32
by the way, because you get legitimate versions, and obviously not like cracked versions, and almost every time the cracked versions malware are related to a malware group.
Corey Nachreiner 56:41
Absolutely, this is why we tell people, besides just the legal reasons and the ethical reasons, not to pirate stuff. You know, nothing in life is free. Piracy often funds the fact that they can spread piracy on different servers by hiding malicious content in it as well, so be careful with cracks out there. Do you have any thoughts on... let's just talk about the first one, where the lure seems to be... we're seeing a lot of either fake jobs or fake employees as a way to lure victims, either a victim from an organization or a job seeker. In this case, they were targeting HR organizations in these semiconductor industries with fake job seekers. Any advice for HR, besides, of course, obviously having our software, both network and endpoint, that would have caught that malicious zip file? Any thoughts for how you avoid this type of thing?
Ryan Estes 57:37
Poor HR. I would say if the position is important enough, like if it's a high level position, then you want to gear towards in person interviews. I think we're getting back to that because of the remote nature of our work. And AI can spoof someone. You can be a North Korean IT person, or something. But I feel like you have to do, like, an in person interview at least once, especially for
Corey Nachreiner 57:59
In person is probably the important part there, because we know that KnowBe4 accidentally hired a North Korean employee, because they had set up enough back end in the US state that they seemed to be there. And even on a video interview, the help used AI deepfake technology to help them seem like a local, you know, a person that matched the rest of the resume, despite the fact that they were really North Korean. So it is tricky. I will say in this specific case, though, it's email and security awareness for your entire organization, especially HR and accounting, that is important. That would also help those people at the investment firms, because that emailed an email with a zip file that has a password. If you do even that, that's a freaking dead... I mean, me and Ryan laugh. It's such an obvious dead giveaway. I've definitely seen resume people send PDFs or Word documents with their resume, but a zip file? There are indicators there that an HR person should know just not to interact with that email at all. You could
Ryan Estes 59:09
also, you know, create, like, a simple tool that you upload the resume to, like a web tool that scans it beforehand, too. That could be another solution.
Corey Nachreiner 59:19
any other protections you can think of to avoid attacks like this one?
Ryan Estes 59:25
No, this is, like, mostly geopolitical. It's impossible to talk about the China, Taiwan hacking stuff without talking about, like, geopolitics.
Corey Nachreiner 59:33
What are your thoughts? I mean, do you agree with Proofpoint's conclusion on why? Why do you think China is going after the semiconductor industry? Here we can speculate and just share our opinion.
Ryan Estes 59:42
Yeah, I mean, the logical explanation is that they want to be more self sufficient, and we're... the US, and Taiwan and other Western countries are putting a lot of export controls, with the AI movement now that everyone wants to try to get the best chip, the best software on it, and so it's just a race right now. And that's part of it, or a lot of it, really.
Corey Nachreiner 1:00:02
Yeah, I agree. We're probably going to see a lot more of this from Chinese state sponsored actors. So if you're an industry they're interested in, beware. Well, that's it. Thanks for being here, Ryan,
Ryan Estes 1:00:14
yeah, thanks for bringing me back. Hey
Corey Nachreiner 1:00:21
everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episodes, you can reach out to us on Bluesky. I'm at secadapt at bsky.social, and you can find Marc at it's marc.me, which will also redirect to Bluesky. We're both also on Instagram at WatchGuard underscore technologies, and Ryan, unfortunately, is a smart security researcher who avoids social media. But if you want to send any questions to him, reach out to me and Marc, and we'll be sure to forward them. Thanks again for listening, and we'll see you next time. Thank you, everyone.