The folks tasked with defending the Black Hat conference network see a lot of weird, sometimes hostile activity, and this year it included malware linked to Kim Jong-un’s agents.
In their second year of helping protect the infosec event’s Network Operations Center (NOC), IronNet’s team said it flagged 31 malicious alerts and 45 highly suspicious events, according to the team’s postmortem report.
Of course, not all of the malware detected at Black Hat is intended to infect devices and perform nefarious acts — some of it stems from simulated attacks in classrooms and on the show floor. So while Tor activity and DNS tunneling likely would, and should, raise alarms in an enterprise network, at the cybersecurity conference they turned out to be regular attendee behavior and vendor demos.
However, the security firm’s hunters – Peter Rydzynski, Austin Tippett, Blake Cahen, Michael Leardi, Keith Li, and Jeremy Miller – said they did uncover “several” active malware infections on the network including Shlayer, North Korean-attributed SHARPEXT, and NetSupport RAT.
Let’s start with the code that has ties to the Supreme Leader himself.
“During the conference, we observed numerous callouts from four unique hosts to three domains associated with the North Korean malware SHARPEXT,” the threat hunters documented.
Volexity, in late July, linked this email-stealing malware to the Pyongyang-backed Kimsuky crew, aka SharpTongue. It’s notable because rather than stealing users’ email credentials, the malware – which is basically a malicious extension for Chromium-based browsers – reads messages and exfiltrates data from victims’ webmail accounts as they leaf through their inboxes. The SHARPEXT extension is typically installed on a victim’s Windows PC once it’s been compromised via some other vulnerability or infection route.
“Given North Korean threat actors’ demonstrated interest in compromising security researchers over the past two years, our observation of the North Korean SHARPEXT malware on the Black Hat network is notable in itself due to its use by so many cyber researchers and security employees,” according to IronNet’s team.
However, they admit the DNS queries to SHARPEXT command-and-control servers remain “puzzling.” While there were successful DNS responses from these domains, there wasn’t any outbound communication after the DNS lookup.
“It’s possible that geographic filtering was at play here, but this is not how we would expect to see it done and not something we frequently see done using DNS,” the hunters theorized. “Therefore, we do not have a good answer for the reason behind this activity.”
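The pattern the hunters describe, a lookup that resolves but is never followed by traffic to the returned address, can be separated from an active beacon by joining DNS and connection logs. The sketch below is an added example, not IronNet's tooling; the record layout, watchlist domains, addresses and the 300-second window are all constructed assumptions.

```python
from collections import namedtuple

Dns = namedtuple("Dns", "ts client qname answers")
Conn = namedtuple("Conn", "ts src dst")

# Constructed sample data. Domains and addresses are placeholders
# (reserved .example names, RFC 5737 ranges), not indicators from the report.
WATCHLIST = {"c2-one.example", "c2-two.example"}
DNS_LOG = [
    Dns(100.0, "10.0.0.5", "c2-one.example", ("192.0.2.10",)),
    Dns(105.0, "10.0.0.6", "C2-Two.example.", ("192.0.2.20", "192.0.2.21")),
    Dns(110.0, "10.0.0.5", "www.example.org", ("198.51.100.7",)),
    Dns(400.0, "10.0.0.7", "c2-one.example", ()),  # lookup returned no address
]
CONN_LOG = [
    Conn(90.0, "10.0.0.5", "192.0.2.10"),    # precedes the lookup, so ignored
    Conn(106.5, "10.0.0.6", "192.0.2.21"),   # follow-on traffic to an answer IP
    Conn(111.0, "10.0.0.5", "198.51.100.7"),
]
RANK = {"unresolved": 0, "resolved_no_connection": 1, "resolved_then_connected": 2}

def classify_lookups(dns_log, conn_log, watchlist, window=300.0):
    """Map (client, domain) -> verdict for every watchlisted lookup."""
    conns_by_src = {}
    for c in conn_log:
        conns_by_src.setdefault(c.src, []).append(c)
    verdicts = {}
    for d in dns_log:
        name = d.qname.rstrip(".").lower()
        if name not in watchlist:
            continue
        if not d.answers:
            verdict = "unresolved"
        elif any(c.dst in d.answers and d.ts <= c.ts <= d.ts + window
                 for c in conns_by_src.get(d.client, [])):
            verdict = "resolved_then_connected"
        else:
            verdict = "resolved_no_connection"
        key = (d.client, name)
        # Keep the strongest verdict when a client repeats the lookup.
        if key not in verdicts or RANK[verdict] > RANK[verdicts[key]]:
            verdicts[key] = verdict
    return verdicts

if __name__ == "__main__":
    for key, verdict in sorted(classify_lookups(DNS_LOG, CONN_LOG, WATCHLIST).items()):
        print(key, verdict)
```

A "resolved_no_connection" verdict still identifies a host worth examining, since something on it asked for the domain even though no session followed.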
Shlayer malware download
In addition to SHARPEXT, the NOC also observed a Shlayer malware infection that had fully compromised a victim’s computer, we’re told. The attendee’s PC may well have been hijacked by the software nasty prior to the event. The threat hunters noted:
Further investigation uncovered HTTP GET requests retrieving a ZIP archive file, flagged as malicious in VirusTotal, that didn’t end in “.zip,” which was likely an attempt to evade detection.
And all of this “closely matched” activity outlined by Kaspersky in that threat intel firm’s analysis of the Shlayer Trojan.
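A ZIP archive served from a URL that does not end in “.zip” can be caught by comparing the response body's leading bytes with the extension in the request path. The following is an added example, not code from IronNet or Kaspersky; the record fields, hostnames and the list of extensions treated as legitimate ZIP containers are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# ZIP signatures: local file header, empty archive, spanned archive.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# Formats that are ZIP containers by design (assumed allowlist; tune per site).
ZIP_EXTS = {".zip", ".jar", ".apk", ".docx", ".xlsx", ".pptx", ".epub"}

def make_zip():
    """Build a small, harmless archive in memory to use as a sample body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "constructed test payload")
    return buf.getvalue()

def is_zip(body):
    return body[:4] in ZIP_MAGIC

def disguised_zip_downloads(records):
    """Return (client, uri, extension) for GETs whose body is a ZIP
    but whose URL path does not carry a ZIP-container extension."""
    hits = []
    for r in records:
        if r["method"] != "GET" or not is_zip(r["body"]):
            continue
        # Take the extension from the path only, so a query string cannot hide it.
        path = unquote(urlsplit(r["uri"]).path)
        ext = PurePosixPath(path).suffix.lower()
        if ext not in ZIP_EXTS:
            hits.append((r["client"], r["uri"], ext or "(none)"))
    return hits

# Constructed HTTP records; hostnames use the reserved .example TLD.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
RECORDS = [
    {"client": "10.0.0.8", "method": "GET", "uri": "http://downloads.example/update?id=7", "body": make_zip()},
    {"client": "10.0.0.9", "method": "GET", "uri": "http://files.example/report.zip?x=1", "body": make_zip()},
    {"client": "10.0.0.8", "method": "GET", "uri": "http://cdn.example/image.png", "body": make_zip()},
    {"client": "10.0.0.9", "method": "GET", "uri": "http://cdn.example/logo.png", "body": PNG},
    {"client": "10.0.0.9", "method": "POST", "uri": "http://api.example/upload", "body": make_zip()},
]

if __name__ == "__main__":
    for hit in disguised_zip_downloads(RECORDS):
        print(hit)
```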
I smell a NetSupport RAT
In another case of an attendee coming to the conference with an infected device, someone showed up with the NetSupport RAT (aka NetSupport Manager RAT) on their computer.
This, like many legitimate remote access tools, is frequently co-opted by cybercriminals to commandeer someone’s machine, snoop on them, and steal information.
The infected device made HTTP POST requests to an outside server, and the communications closely matched Zscaler’s analysis of the info-stealing RAT’s activity.
“A concerning element about this case was that the C2 infrastructure was fully operational and responding,” the threat hunters noted. “This was unexpected: given the age of this malware, we frequently see old infections like this with inactive C2 infrastructure that does not respond.”
Eh, could have been worse
Overall, however, the NOC team was pleasantly surprised by the lower-than-expected level of malicious activity at the show.
About 20,000 people attended the annual infosec summer camp in Las Vegas this year, which is three times more than in 2021. But compared to last year, “we saw a relatively low amount of network traffic and a lower number of detections across the board by all of the organizations defending the NOC,” the IronNet team said.
Other Black Hat NOC defenders came from Optiv, IBM X-Force, Cisco, NetWitness, Palo Alto Networks, and Gigamon.
“The ratio of network traffic volume in 2022 was 0.63 Gb/second per 5,000 people versus 1.5Gb/second for 5,000 people in 2021,” the IronNet team noted.
“We also did not see as much malicious activity stemming from real malware activity as we expected this year.”
And while more attendees attending more classes did mean higher overall detections, “the relative volume of authentic detections was lower than expected given the massive increase in the number of in-person attendees,” they said. “We don’t know the definitive reason behind this trend, but we do welcome it.” ®