Dreambot Business overview 2019 - Benkow
benkow.cc/DreambotSAS19.pdf · Security Analyst Summit 2019
Who’s who
Benoît ANCEL
@benkow_
Peter KRUSE
@peterkruse
Dreambot
- Crime as a service
- Based on Gozi2 (ISFB) + TOR + Bootkit
- Around since 2015
- ~ 450 000 bots (Oct-Dec 2018)
- ~ 250 000 bots (Jan-March 18)
- JP/DE/BG/PL/IT/US/CA/ES/AU/IN
- Business model:
  - You rent access to Dreambot
  - You obtain a non-packed binary + the source code of the panel.
Under the hood
- 3 different ways to communicate:
  - Hard coded domains (BrazzzzersFF)
  - DGA (BrazzzzersFF)
  - Onion website
- Gozi features:
  - Webinjects
  - Keylogger
  - FormGrabber
  - Email grabber
  - Screenshots
  - Socks
  - VNC
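The slide lists three C&C channels: hard-coded domains, a DGA and a Tor onion service. Each needs a different detection approach in DNS telemetry, so the following added example (not from the talk, and not Dreambot code) triages a DNS query log for all three: hard-coded domains can only be matched against an indicator list, DGA domains are flagged statistically, and a `.onion` name reaching a corporate resolver is suspicious on its own. The log format, the `KNOWN_C2` indicator list and every domain below are constructed placeholders.

```python
"""Triage DNS query logs for three C2 channel types: indicator-listed (hard-coded)
domains, DGA-looking domains, and Tor onion services.
Added example; all domains, log lines and the indicator list are constructed."""
import math
import re
from collections import Counter

# Constructed stand-in for a threat-intel feed of hard-coded C2 domains.
KNOWN_C2 = {"example-c2-placeholder.net", "another-placeholder-c2.org"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(domain: str) -> str:
    """Second-level label: 'xkqzjvbwtpdm' for 'xkqzjvbwtpdm.com'.
    Naive split; a real deployment would consult a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(domain: str) -> bool:
    """Heuristic for algorithmically generated labels: long, high entropy and
    consonant-heavy. Word-list DGAs (dictionary words glued together) slip past
    this; that is why the indicator-list path in classify() still matters."""
    label = registered_label(domain)
    if len(label) < 10:
        return False
    letters = re.sub(r"[^a-z]", "", label)
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= 3.2 and vowel_ratio < 0.25


def classify(domain: str) -> str:
    """Return one of: known-c2, tor-onion, dga-suspect, benign."""
    d = domain.lower().rstrip(".")
    if d in KNOWN_C2:
        return "known-c2"
    if d.endswith(".onion"):
        return "tor-onion"
    if looks_dga(d):
        return "dga-suspect"
    return "benign"


# Constructed DNS log lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2019-04-10T09:00:01Z 10.0.0.12 www.google-placeholder.example
2019-04-10T09:00:02Z 10.0.0.12 example-c2-placeholder.net
2019-04-10T09:00:03Z 10.0.0.15 xkqzjvbwtpdm.com
2019-04-10T09:00:04Z 10.0.0.15 abcdefghijklmnopqrstuvwxyz2345.onion
2019-04-10T09:00:05Z 10.0.0.20 securityanalystsummit.example
"""


def triage(log_text: str) -> list:
    """Return (client, domain, verdict) for every query that is not benign."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, domain = line.split()
        verdict = classify(domain)
        if verdict != "benign":
            hits.append((client, domain, verdict))
    return hits


if __name__ == "__main__":
    for client, domain, verdict in triage(SAMPLE_LOG):
        print(f"{client:<12} {verdict:<12} {domain}")
```

The entropy and vowel-ratio thresholds are deliberately conservative and only catch random-looking labels; a single client emitting many `dga-suspect` names in a short window is a far stronger signal than any one lookup, and the `.onion` check assumes the organisation does not legitimately route Tor lookups through its resolvers.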
- 2 kinds of C&C:
  - Dreambot client’s C&C
  - “Master” C&C
- “Master” is used for:
  - Bots storage
  - Bank frauds
  - Targeted attacks
Dreambot’s client
- Servers used for a defined period of time (subscription based)
- The client can:
  - Distribute Dreambot code
  - Access harvested drop data
  - Configure own webinjects
  - Configure a stage 2
- 3 different panels are available
- ~ 15 different customers between 2018 and yesterday
Panel 1, Panel 2, Panel 3 (screenshots of the three panels; slides 8-14 are images only)
Customer use case
Dreambot customer in Germany
- The example: the German customer
  - New client since October 2018
  - ~ 210 000 infections in Germany/US/CA (October 18 – March 19), via EK and targeted emails
  - This client (known as Bagsu) is only interested in banking fraud and targets 725 unique banks in Germany
Dreambot’s client - Germany (screenshots; slides 17-18 are images only)
“Master” C&C
- Used to store bots after the expiration of a customer’s subscription period
- Likely controlled by the Dreambot operators
- Involved in targeted attacks
- Involved in frauds in BG in 2018-2019
(slides 21-27 are images only)
Conclusion
- Gozi still going strong and continuously being improved
- Crime as a service getting trendy
- Vector used by APT groups
- Attribution getting harder
- Gozi will never die despite takedowns
- Thanks to:
  - Kafeine
  - Maciej Kotowicz
One more thing…
Dreambot – OSX !