Trojans in the Real World (BEAST)

We’re going to talk about BEAST in this video. BEAST was a Trojan that came out in the early 2000s. So BEAST came out, and it was first seen, at least, around 2002, and the thing that kind of got it to become well known was it was the first example of a RAT, or remote access tool, that we’ve seen. And what a RAT is, what a remote access tool is, is once it’s on the system, it makes a connection back to the attacker’s machine and allows an attacker to continue performing operations and exploitations against the target system.

This is a bit of an older Trojan, so it was first seen affecting Windows 95, and kind of ended around the Windows XP era. We don’t really see it too often nowadays. And one of the other things that made it a little bit more dangerous than some of the other ones that we’d seen around that time, some of the other pieces of malware, was the added ability to disable local firewalls and antivirus applications. So if you think about how this thing works is it gets sent to you as some sort of legitimate-looking application or part of phishing or some other basic social engineering kind of attack.

Once you download it and run it and the Trojan executes, it opens up a remote backdoor– opens up a remote connection to the attacking system. That system then connects back to your system, performing additional actions. And all this while it’s disabled local firewalls and antivirus applications, so it goes kind of hidden. So what I want to do now is instead of just getting the hash for BEAST and throwing that into VirusTotal like we’ve done the last few sections, I want to take an Office document with a malicious macro in it and just look what that looks like real quick. So you can see here, we have, It’s a resume from someone named Bobby Droptables. He’s a hacker.

It’s got his different typical resume things, his work experience and skills, et cetera. If we just open this for the first time, we would also have a banner at the top here that would say something about “Macros have been disabled” or “Please enable content,” and it would have a security warning on it. This is something that is pretty easy to get around if the content is something that people need. It’s also not something that is enabled in all locations. So for example, it’s possible to have a document where it’s kind of blurred, and it says in order to unblur this you’ll need to run the macro.

So then that’s kind of a social engineering attack to get a user to run that macro. Once that macro runs, it will do who knows what. So what we want to do here is because we see this is a hacker’s resume, we want to go ahead and see if he has any macros embedded in it. So we go over here to Macros, which is under the View. You’ll see there are a bunch of them. If we go into Edit, it opens up Visual Basic here for us.

And then within Visual Basic you can see that what is done is there’s a malicious macro in here that will attempt to drop an interpreter payload onto our target system. So what this would do is someone would receive the resume from Bobby Tables. They would open it. They would run the macro. The macro then would drop an interpreter session, which is kind of the payload that is most typically used with Metasploit. And then once the interpreter session was on the system, it would call back to the attacker’s machine, and they would have that backdoor into the victim’s computer.

This looks like it’s got a lot of gibberish in it, and that’s because what’s happening here is a very basic form of obfuscation for variable names and function names. So when we see stuff like kqmm equals this long string of x here, it’s a variable that’s getting set to this value, and then that variable here is going to get called here again, and it gets called a couple different places. And all that is, is if you were to de-obfuscate that, it’s just going to be the explanation of the interpreter shell, how it’s called. So this is just a basic, very, very typical form of obfuscation.

So anyways, if we run that macro, if we open up that thing and we run that macro, we will actually get caught, because it’s a fairly basic, low sophistication type of attack. It’s using interpreter, which is well known and well documented by most, if not all of, your antivirus software. So the antivirus software that’s running on this machine is Bitdefender free version, and you can see here that it just got blocked. And then it’s got a Visual Basic Trojan valyria447. It shows the path where it saw it and where it blocked it at.

So what we can do now is we’re going take this Visual Basic Trojan .valyria447, and we’re going to take that into VirusTotal and see what it says.

OK. So here we are at VirusTotal. We’ve got our VB colon trojan.valyria.447, and we’ve got it in the search field there. We can go ahead and hit Enter, and we see there’s no matches found. So what we’re going to do now is we’re going to take that same value. We’re going to go over to the other best search engine for malicious stuff in the world, and that is just Google. We toss it in Google here. We’ll do a fresh one. And we can see that it returns a lot of different stuff.

If we were to start clicking through these, we would find that a lot of things point towards interpreter, a lot of things to point towards it as a Trojan dropper. We talked about that a little bit. So basically it’s meaning that if the Trojan’s going to get on the machine, it’s going to drop that payload, which is an interpreter payload. That interpreter payload’s going to create that backdoor, and that’s going to give our attacker more access to do more things. So now we’ve got that information about what it is, what that valyria stuff is. We know what it’s supposed to be. We can go ahead and start looking for ways to clear it out, get rid of it.

So in this section we talked about BEAST, which was this early form of a RAT around 2002, and some of its capabilities. And then we showed you what a malicious Office document can look like. It may not look as obvious as Bobby Droptables and hacks, or it may be something as benign as like an invitation to a wedding or something like that, whatever the social engineering campaign is or whatever the theme is that they need, the story that they need, to get the highest chance of their targets clicking and opening and running their malicious stuff. We talked about malicious Office documents.

We showed what it will look like when one of these viruses is detected by your antivirus and then how to investigate a little further when you get that alert. Just toss it into Google or VirusTotal or whatever other application of your choice is and just start looking around and see what it is. More often than not, you’ll stumble across somebody that’s come across this, and they’ll have some information on what you can do next. So in the next video we’re going to start talking about ransomware.

We’re going to go over what it is, what it does, and we’re going to talk about some of the more common, or I should say the most famous, in my opinion, and significant incidents of ransomware in history.