Yes, today we're gonna talk about malware in cloud environments. Actually, I will explain more about these attacks in this kind of environment and how dangerous they are. And I will demonstrate, actually, a malicious PDF and how the attacker can use some code inside this PDF, because nowadays everyone is receiving PDFs, and for a financial team or an HR team it's part of the day, right? Receiving a CV, receiving an invoice. So I would like to show how dangerous it is to receive them, and some tips about this kind of file, actually.
Cool. Sounds very interesting.
It's interesting. Then, Philippe, the stage is yours. Thank you.
Okay. Thank you so much one more time, Christopher. Let me share my screen here. Oops.
Let me share my screen here. Okay.
I'm seeing here on my left side, on my left side, another monitor, just to see the picture. Yes. Can you see my screen?
I think yes. I don't know if you can see my screen.
Yes.
Yes. Okay. So this is the title of our conversation today: malware manipulation in cloud environments is dangerous. So here is my contact and Twitter, if you'd like to send me a message, and my contacts on social media. I have here my webpage with some articles published there and some talks that I gave at some events; by the way, here is the company group, some events that I participated in, and you might get help with some project. And yes. So let me introduce myself. I'm a principal security engineer at Talkdesk. Talkdesk is a Portuguese company, not a Portuguese company.
It's a company from Portugal, because Portuguese, we have many countries that speak it, right? And I've been working with Talkdesk from Portugal. This company is responsible for providing contact center as a service. And I'm a security researcher at Sura, a company responsible for providing PAM solutions, privileged access management solutions.
But my focus here is to talk about this security research, right?
So how a hacker can use these different techniques to exploit companies. And I will be publishing some articles about that. Okay. And I am part of Hacking Is Not a Crime. This is a pretty awesome project. It's a community, actually. And the idea is to explain more about hacking, because hacking is really not a crime; it's a mindset, how you look into some software and how you apply your creative mind. For example, if you are a lawyer, you are not a bad lawyer.
Of course you can know a bad lawyer, but I'm talking about, you know, a good lawyer, like, you know, a hacker lawyer. That's a simple definition, but it's a lawyer. Okay. It's simple, and hacking is the same: it's a creative mind.
Yeah. It's a life cycle and a lifestyle, actually. And I'm part of the staff team of groups here in São Paulo; it's a community. And I'm an instructor at Hacker Security, and an instructor and writer for this free magazine, not here, but there in Europe. Okay.
And so just to put everything on the same page: what is a threat? It's not my definition; it's the definition from ISO. Okay. So a threat is defined as a potential cause of an incident that may cause harm to a system or organization. It's pretty simple.
I mean, it's software attacks, theft of intellectual property, or identity theft, and we are in the middle of this event about the cloud, about identity. So this is pretty important information for your organization. Okay. So identity theft: how can you manage it?
It's pretty important.
You understand that. And sabotage or information extortion are examples of information security threats. Why explain that? Because if you see here, all those things are related to a threat. Okay. And many things are related to software. So if you think about the cloud, or how you can build your company or grow your company in a cloud environment, many companies now, or any startups, for example, were born in the cloud and are cloud native, right? So all those things are related to software. So many things are related to a threat.
It's pretty important to understand that. So when we talk about malware, we need to understand this life cycle, actually. When you have some malware (malware is malicious software, and a maldoc is a malicious document), you need to understand these steps; it's pretty important.
Okay. The identification. Because when you just have an artifact, you need to understand if it is malicious or not, when you need to make some investigation. And after that, you need to choose the best method to apply, or methodology. Okay.
So you can choose what is best, static or dynamic; you can use both of them. And I will explain a simple definition after that. When you have this environment or this team in your company or your organization, my recommendation is to create some report based on this analysis.
Why? Because you need to present, or you need to receive, this report. If you are a manager, if you are a coordinator; if you are an analyst, you need to prepare the report to present to your manager, to present to your coordinator. Why? Because it's pretty important: you can improve your defense mechanisms, whatever environment you have.
It's on-prem, sorry, it's the cloud, but you need to improve your defense mechanisms. So how can you manage your identity policies, for example? So how can you manage your web application firewall?
So how can you improve, for example, your IPS, intrusion prevention system? So how can you improve your security sensors? Why? Because when you discover correctly, or exactly, what path the malware used in your organization or through the network, you can improve your defense mechanisms. Okay. And you can create, of course, cyber threat intelligence. It's a pretty nice word. Okay. But it's pretty important to have this environment; I don't know if your company is big or small, but it's pretty important to have this kind of intelligence, because you can protect yourself against new attacks.
Okay. And of course you need to strengthen cyber resilience, because the threats are changing all the time.
Okay. That's a simple life cycle. So what exactly is static analysis? Just a simple definition. Usually it is the first step in malware analysis. It's important because it describes the process where you are analyzing the program code or the structure of the code. So exactly: if you find, for example, a DLL, right, how does this DLL work in your operating system? How does this work in your environment?
So in this case, the program itself doesn't run; it's not executed at this time. Of course it depends on the program, because you can use different tools to help you, or your analyst can use different tools to help, right? And this process is safer, right? Because you don't execute the code, or you don't run the malware at this time. Okay. On the other hand, when you talk about dynamic analysis, it's only based on behavior.
I mean, the analysis is based on runtime analysis. You need to perform, you need to run the malware in some controlled environment; this is the suggestion, of course, and you can see the behavior, right? So of course you can use different tools to help you. And many times, many companies or organizations use this concept called a sandbox: when you have some controlled environment and you pick up this malware and you execute it inside this sandbox and you see the behavior inside it. But the point is, when you have some sandbox, you need to have some engines inside this sandbox.
Of course we have many different security players, or security vendors actually, that can present you some solution. It's pretty important to have some engines inside this sandbox to see the behavior. But this is the difference between dynamic and static.
I like to use static analysis first of all, to see the behavior minimally. And after that, it's nice to put it into dynamic analysis to see if this conclusion is correct or not, if you have some new points to analyze, okay. And let's talk about the physical and logical structure of PDF files, right?
So before I explain more about this in a practical way here, and before explaining more about this physical structure, I would like to show you here in my virtual machine. I have here many different samples, right? I think you can see my screen here. Let me put it here. Okay. And I have here, for example, invoice.pdf.
If I type, for example, file invoice, take a look at this. It's just to see exactly what document we have here. In this case, it's a PDF document to analyze, right?
So if you execute this other common malware file to see more, it's just... it's not a binary. Okay. As you can see here, it's just text. Okay. So if I read it, for example, take a look at this. I have here the script. Okay. And some letters, like a recommendation of lab tools. That means I could apply them here to explain more about the malware; just to see, it's a simple script pattern, right?
But when I use this file tool, okay, to identify, remember the first step, remember the first step: it is the identification step. When I use this file command to identify exactly what this file is, take a look at this: it's ASCII text, it's not a binary, but I can manipulate this and I can change this document. Let me change it here.
If I put, for example, three quotes here, I will save.
Okay. If I change some information at the beginning of the file, okay, and if I see here, take a look at this: for now I have the PDF, not the Python script, because I manipulated something at the beginning of this file. I can manipulate it one more time here; take a look at this. I will get this, and I will put here the first PDF. What is the pattern? %PDF-1.5, for example. I save, and take a look at what we have. Now we have a PDF document.
Take a look at this: in this version, by the way, I don't have more. What is it? The extension is Python, but I have here the PDF. Let me try to execute it here with python3; take a look.
At this, I have some problem in the syntax. Why? Because at the beginning I have some information about the Python.
Let me explain that.
It's not a PDF, right? It's actually, it's not a Python script, it's a PDF. As we can see here in the log, we received some syntax error. So why does this work, why did this happen in my binary? Now it's pretty simple information. When we look into the file manual, we can see here how this works, and this simple explanation that I will show you now about how the binary works. Here we have the information: this file has a magic number stored in a particular place near the beginning of the file. Here is the explanation: I manipulated the magic number at the beginning of the file.
This is a particular place at the beginning; because of this, I changed this magic number at the beginning and I received different results. So just to show you how it's possible to manipulate this magic number in different binaries, like a PDF, as I mentioned, like a Python binary, like a PE, Portable Executable, from Microsoft, for example, and ELF from the Linux platform, for example. And we have here different ways to change the magic number.
Okay. So let's return to our presentation just to explain how this information in the magic number at the beginning of the file works. Okay.
So let's talk about the physical and logical structure of the PDF file. Okay. In general, a PDF document has four main parts. Okay. The first is the header. It's not only a PDF; in general, all those binaries have a header. Okay. The second is the body, the third is the cross-reference table, or xref table, and the fourth is the trailer. So four parts to analyze in the PDF.
In this picture, you can see here the four parts, and here is some explanation about how the structure of the PDF works. So we have here the number; take a look at this, the version and the number. If you remember, when I executed the file command, we saw the PDF and the version.
Remember 1.5. I think I have here this file: the PDF document and the version 1.5.
If I use here, for example, pdfid to see this, I can see here the PDF header and the version; take a look at this. And here, this is of course a tool used on the Unix platform; this tool was created by Didier Stevens. He's a researcher. Okay. And we can see here the version. This information is exactly in the header, as I mentioned. Okay. So this is the version from the header, right? And in the body, we have page, image, font.
It's like, you know, a brilliant, like I'm not brilliant, but you know, information like a page, an image, or stuff like that. Okay. And other important information in the structure of the PDF is the cross-reference table.
The locations of objects within the file, for random access. Okay. And you have here the locations of certain objects in the body. So as we can see here, a lot of information is inside that. And let me do the demo to explain this analysis when I receive some PDF.
And then after that, I started to realize, I performed actually this analysis on this PDF. So we are using pdfid. So I have here the CV; it's a resume that HR received. Okay. So the HR team received a CV, and it was suspicious. And the first step is to identify if this binary is malicious or not. And after that, I executed on this PDF, I did this to see exactly what information I have here. So I have here version 1.3, and we have 15 objects.
And inside these objects we have two /ObjStm, and take a look: this information is important.
We have five /JavaScript, as we can see here. Okay. So it's suspicious, because if you have some JavaScript inside a PDF, maybe it's suspicious behavior, right? Because the PDF doesn't have exactly this function. Okay. And if you see here, we have another important piece of information. It's /OpenAction or /AA; in this case, I just have the /OpenAction, the open action.
I mean, it means when the user receives this PDF or this CV, this resume, the only action the user needs to do is to download this file into our environment. The user doesn't need to do anything more. Okay.
The next step is the malware will execute itself on the machine, because they have the open action.
Okay. So when you have some open action in the PDF, it means that the user doesn't need to click twice.
The click: the user just needs to download it into the environment. And after that, the user doesn't need to click. For example, if you download the file, the file will be in the download folder. Okay. In a folder, in the Downloads folder. But for this malware, for example, it's enough, because they have this function, the open action. Okay. But I have here two suspicious things: JavaScript and OpenAction. So I need to investigate more about these two things, to see if I find some other information, or more information about that.
So after that, we use pdf-parser; it's a tool, a pretty nice tool, created as well by Didier Stevens. Okay. It's another research tool. So here are some flags that you can use, or we can use, when we execute some analysis.
So you see here, first of all, the search to find some JavaScript and exactly what object I have here. So as we can see here, we have an object.
One, we have a JavaScript object 7, object 12. So three objects. Remember that, but I have now two more JavaScript. Okay. So we have here another reference in object 12 and object 1 once more. So we have five, as we saw in pdfid. So it makes sense: we have five references, actually, but remember we have 15 objects to investigate more deeply, more information about that. So after that, the next step is to execute this JavaScript based on more information, about the real information about the PDF. And I find here the raw output for data and filters.
This is the information that I would like to see when I investigate this PDF.
Right? So if you see here, I executed pdf-parser -w. And after that, I have here some interesting information. Remember when I talked about the location of this information inside the body, because in the body we have only fonts and images of the PDF; remember that I explained in the structure, when we talked about the cross-reference table, or xref table, remember it's the location of each object in the file, for random access from another object. So here is the explanation.
So we have object 1, and this object 1 is accessed from many other objects, like objects 2 and 3 and 4, 5, 6, and 7, random access. Remember that? Okay. But in this object we have 15, remember that, 15 objects. Okay. So let's continue to see. So we have object 7 here, and one at 7, and we have here the open action, and take a look at this: more information about the open action.
Remember my explanation about exactly what the open action is. So it's executed automatically without an action from the user. Remember that? Okay.
So in this case, take a look at this: the open action is totally related, or linked, to what? To the JavaScript. I mean, so if I have an open action linked to JavaScript, it's totally suspicious, because the user will receive a PDF, and after that it executes itself automatically, but it's based on what? Based on this JavaScript. Okay. Which for now, we can agree that it's totally malicious. Okay. And perfect. Let's continue to see this analysis. So we have the JavaScript, we have an open action, and we have many different actions here inside this PDF. Okay.
So let's continue to see here. So we have different objects, 2 and 3.
Let's see here 4, and take a look at this object.
4: we have two different referenced objects, 8 and 9, two more references. Okay. So let's continue to see, and object 7: we have another referenced object, 10. Remember we have 15 objects here. So exactly which object is more suspicious? So how can I investigate more? So here we can see more: image, and object 9, we have another reference here, object 11. Okay. So of course we have the same reference, because all those objects are linked. Okay. And object 10: we have another referenced object, 12, and take a look at this: the first, we have a stream here.
When you have some object containing a stream, it means that you need to investigate more deeply, because you can have some content inside this stream. Usually the attacker uses this content, or this stream, to put some malicious content.
Okay.
Of course you can check this according to the /Length; it's the size of the content. Okay. And usually you have FlateDecode.
I mean, you need to decode this information inside this PDF, or this stream. Okay. So the /Length in this case, it's a small object; 12 has another reference in object 13, and take a look at this: in object 13 we have JavaScript, as we can see here, and you have the stream, but the size is bigger. It's different. So I need to investigate object 13 more, because we have here the stream and it's too big; it's different when you compare it to another stream. Okay. So here is my point. Let me go to another object; it's just a reference.
So let's investigate more about this information inside this PDF, no, inside this object, object 13.
So first of all, I will explain this tool. It's pdftk. It's a handy tool for manipulating PDF.
If you see, guys, in the slides I always show the manual, because it's very important that you understand the tool that you use in this case.
I'm using the simple function: uncompress, and then recompress page streams. In my case, I will uncompress. Okay. Because I would like to see the content inside this stream; because of this, I will uncompress this information. Many times I see different, you know, analysts or researchers or people using tools, but the people don't understand how the tools work; because of this, I like to show the manual. It's pretty important to read. Maybe you don't like to read the manual, but it's important.
Okay.
And here is the information that we found inside this stream. Take a look at all the raw data. Here we had the first technique used by the attacker: here we have the JavaScript. Remember that we have JavaScript inside this stream. And here we have the JavaScript obfuscation; this is the first technique used by the attacker. Okay. The attacker is using this JavaScript obfuscation, so the next step is to deobfuscate this code. And of course I have here, I recorded this demo to make it easier for us to explain more details. And I have here some eval parameters.
And of course it's a more technical explanation. But just to clarify for you: if I have some JavaScript, probably it's related to some web application; because of this, I'm using this tool, because my idea here is to publish this information in a browser, to see more information about what kind of information I have printed in this browser.
Okay? So because of this, I'm using this tool and I save the document. As you can see here, the file is actually .html, and I'm using these parameters; no need to understand all those parameters.
It's just important to understand that they are using sophisticated techniques in this JavaScript. So I save the file here and I give it permission to execute itself in the browser, because my idea is to deobfuscate this JavaScript, to see the behavior inside this sample. So as we can see, now I have inside this object 13 the JavaScript, and I'm using another technique: deobfuscating this information, and I published this in a browser, as you can see here in Firefox, by the way. And take a look at what information I found here.
I found the var payload, the variable payload.
I mean, this information or payload, this response, is a package. This package is loaded on the machine, and this package is responsible for doing a callback to the attacker's server, in this case the command and control manager for the attacker. Okay. So this is the payload. So we have here the payload, the package responsible for calling back to the machine of the attacker. So the next step: I see some pattern in this code. So I see the percent and numbers and letters.
I see this behavior pattern, and I will investigate that more deeply. So I have here, using the sed tool, to cut basically this percent, because I see a lot of information; this is the pattern, as I mentioned. And as you can see here, I have the letters and numbers, but I had the percent; I just cut the percent, because here the attacker is using another technique, UCS-2, based on the Unicode technique. They are using Unicode.
It's based on two bytes; another technical explanation, but no words about that. The point is the attacker is using another technique.
The attacker picks up this code and uses this code and uses another technique, another Unicode technique, right? So as we can see here, I have the real Unicode; it's not UCS, it's UCS-2. It's another, it's an old base, and we have the evolution of this Unicode; now the name is UTF-16. You have probably already heard about that. Okay.
So let me go to, and I'm using here the same code, as you can see here, the percent, in another tool, but on a Windows machine, because I would like to explain to you that you can use, in this analysis, different operating systems, like a Unix platform, and you can check this on the Windows platform.
So I pasted here, as you can see, the pattern, as I mentioned; remember, percents and numbers. And I copy this, and take a look at what the next step is. I remember that the technique used by the attacker here is UCS-2. Remember, it's an old technique.
It's an old code technique, but we have the evolution, UTF-16. Okay. And I generate here the exe file, a binary. Why do I do that? Because it's simple. Remember we have a PDF; in the PDF I have JavaScript. This JavaScript calls a payload. This payload is responsible to infect the machine and perform and run the callback to the attacker. Okay. But usually the payload, 90, more than 90%, its focus is on the Windows platform. Okay. So I'm using these tools to show you how the binary works on the Windows platform.
So because of this, I generated this exe file here.
And as you can see here, I called it cnc, command and control, dot binary, or it's a binary. Okay. Because I generated this binary to execute it, to see this information. So using the Didier Stevens suite, it's many tools from Didier Stevens, as you can see here, I call this binary and the next action is to see if I find any HTTP protocol. And as you can see here, what did I find here? I found the command and control from the attacker.
So in this analysis, as we can see here, we found what? We found the JavaScript; this JavaScript used JavaScript obfuscation; this JavaScript downloads the payload onto the victim machine. This payload has a Unicode technique. Okay? And this code has an IP address, right? From the attacker in this case.
This IP address is from Estonia, as I showed you here. And if you see, of course, we have just only one engine detecting it at that time when I was recording this demo. But as you can see here, many other players didn't detect this IP as malicious, as we can see here.
So if you see more information, all those IP addresses are related to this attack. If you read here in the community, you can see more information about these attacks: how this works and how many URLs are used in these attacks. So this is basically VirusTotal; it's some antivirus scanning. Okay. And as you can see here, some information about this exploit using a PDF attack. Okay? So now these are some books that I'm recommending to you about this talk: malware analysis, threat hunting, threat intelligence.
And by the way, I have one of these; it's pretty nice to read. It's more technical, of course, but usually the attendees at my events ask me about the book. So these are some references that I can recommend to you if you'd like. And now I finish my presentation. I hope this presentation is useful for you. And thanks a lot, Chris and the team and the staff for having me here. And if you have any questions, please let me know.
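As an added worked example (not code from the talk, and not Didier Stevens' pdfid or pdf-parser), the Python script below walks the same static triage path the demo takes: identify the file by its magic number, count the pdfid-style keywords (/JavaScript, /OpenAction, /ObjStm and so on), follow /OpenAction to the JavaScript object, inflate its FlateDecode stream, decode the %uXXXX (UCS-2 / UTF-16LE) escapes into the bytes a sprayed payload occupies, and pull out URL and IP indicators. The sample PDF is constructed inside the script and is benign; its object layout, the function names, and the 203.0.113.5 address (an RFC 5737 documentation address standing in for a C2 server) are assumptions made for this example. It also resolves #xx hex escapes in names, so a PDF that spells the keyword as /J#61vaScript is still counted.

```python
"""Static PDF triage as in the talk: magic-number identification, pdfid-style
keyword counts, /OpenAction -> JavaScript, FlateDecode, and %uXXXX decoding."""
import re
import zlib

MAGIC = {b"%PDF-": "PDF", b"MZ": "PE", b"\x7fELF": "ELF"}
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/ObjStm"]

def identify(data):
    """Return (kind, pdf_version) from the leading magic number, like `file`."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            m = re.match(rb"%PDF-(\d\.\d)", data)
            return kind, (m.group(1).decode() if m else None)
    return "unknown", None

def normalize_names(data):
    """Undo #xx hex escapes in names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def keyword_counts(data):
    """pdfid-style counts of the keywords that make a PDF worth a closer look."""
    data = normalize_names(data)
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)) for k in KEYWORDS}
    counts["obj"] = len(re.findall(rb"\d+\s+\d+\s+obj\b", data))
    counts["stream"] = len(re.findall(rb"(?<!end)stream\r?\n", data))
    return counts

def parse_objects(data):
    """Map object number -> body for every `N G obj ... endobj`."""
    return {int(m.group(1)): m.group(2) for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", data, re.S)}

def stream_data(body):
    """Cut the stream out of an object body, inflating it if /FlateDecode."""
    m = re.search(rb"(?<!end)stream\r?\n", body)
    if not m:
        return b""
    head, raw = body[:m.start()], body[m.end():]
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)  # direct /Length only; else trust endstream
    raw = raw[:int(length.group(1))] if length else re.split(rb"\r?\nendstream", raw, maxsplit=1)[0]
    return zlib.decompress(raw) if b"/FlateDecode" in head else raw

def resolve(objs, value):
    """Follow an indirect reference `N G R`, else return the literal value."""
    m = re.match(rb"\s*(\d+)\s+\d+\s+R", value)
    return objs[int(m.group(1))] if m else value

def open_action_javascript(objs):
    """Walk /Catalog -> /OpenAction -> /JS; return the script bytes, or None."""
    ref = rb"(\d+\s+\d+\s+R|<<.*?>>|\(.*?\))"
    for body in objs.values():
        if b"/Catalog" not in body:
            continue
        action = re.search(rb"/OpenAction\s*" + ref, body, re.S)
        js = action and re.search(rb"/JS\s*" + ref, resolve(objs, action.group(1)), re.S)
        if not js:
            return None
        target = resolve(objs, js.group(1)).strip()
        return target[1:-1] if target.startswith(b"(") else stream_data(target)
    return None

def unescape_ucs2(js):
    """Decode %uXXXX (one 16-bit code unit, little-endian in memory) and %XX
    escapes into the raw bytes they occupy once sprayed."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", js):
        out += int(m.group(1), 16).to_bytes(2, "little") if m.group(1) else bytes([int(m.group(2), 16)])
    return bytes(out)

def indicators(blob):
    """URLs and IPv4 addresses in the script plus its decoded payload."""
    found = re.findall(rb"https?://[\w.\-:/]+", blob) + re.findall(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b", blob)
    return sorted({f.decode() for f in found})

def build_sample_pdf():
    """Constructed, benign sample (not from the talk): /OpenAction runs JavaScript
    held in a FlateDecode stream; 203.0.113.5 is an RFC 5737 documentation IP."""
    js = b'var payload = unescape("%u4142%u4344%41"); var c2 = "http://203.0.113.5/cb"; app.alert(payload);'
    packed = zlib.compress(js)
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>",
            b"<< /S /JavaScript /JS 5 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream"]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.5\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    pdf = build_sample_pdf()
    print(identify(pdf), keyword_counts(pdf))
    script = open_action_javascript(parse_objects(pdf))
    payload = unescape_ucs2(script.decode("latin-1"))
    print(script, payload, indicators(script + payload))
```

Two design points mirror what the demo relies on. The stream is cut by the direct /Length value rather than by searching for `endstream`, because compressed data can legitimately contain that byte sequence; only an indirect `/Length N 0 R` falls back to the marker. And `%u4142` becomes the bytes `42 41`, not `41 42`: a JavaScript `unescape` yields one 16-bit code unit per `%uXXXX`, which is stored little-endian when the string is sprayed, which is why the %u-encoded shellcode in the talk has to be decoded as UCS-2/UTF-16LE before it makes sense as a binary.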